Pack 5 — Integrations + Administration + moved “Policy Governance” + moved “Trust & Signing”
Below are (1) Mermaid graphs for the menus and for each screen, and (2) an ASCII mock per screen, each preceded by: where it lived before + why it moved. (Where you see “Formerly: …” that’s intended to be shown on-screen under the title as a small breadcrumb/helper label, per your requirement.)
1) Integrations
1.1 Integrations menu graph (Mermaid)
graph TD
IN_ROOT["Integrations (root menu)"] --> IN_OV["Connections (Overview)"]
IN_ROOT --> IN_CATALOG["Catalog / Add Integration"]
IN_ROOT --> IN_SEC_DATA["Security Data Sources (CVE/VEX/Advisories)"]
IN_ROOT --> IN_SENSORS["Sensors & Reachability Sources (Build/Image/Runtime)"]
IN_OV --> IN_DETAIL["Integration Detail"]
IN_DETAIL --> IN_TEST["Test Connection"]
IN_DETAIL --> IN_SYNC["Sync & Health History"]
IN_DETAIL --> IN_PERMS["Scopes / Permissions"]
IN_DETAIL --> IN_IMPACT["Impact Map: Releases, Bundles, SBOM, Approvals, Evidence"]
IN_DETAIL --> IN_ALERTS["Alerts & Routing"]
IN_CATALOG --> IN_ADD["Add Integration Wizard"]
IN_ADD --> IN_DETAIL
IN_SEC_DATA --> IN_FEEDS["Feeds: NVD / OSV / Vendor / Internal"]
IN_FEEDS --> IN_FEED_DETAIL["Feed Detail (sync status, errors, retention)"]
IN_SENSORS --> IN_BUILD["Build Reachability Source"]
IN_SENSORS --> IN_IMAGE["Image/Dover Reachability Source"]
IN_SENSORS --> IN_RUNTIME["Runtime Reachability Source"]
Note: Feed mirroring / airgap bundling stays under Operations → Feeds & Airgap (because that’s “run/operate”), but Integrations must show dependency + impact (“if NVD down, what breaks?”).
1.2 Screen: Integrations → Connections (Overview)
Formerly: Settings → Integrations (/settings/integrations)
Why moved: Integrations are not “settings” in StellaOps—they’re operational dependencies that directly affect release decisions, SBOM freshness, reachability coverage, evidence completeness, and nightly jobs. Making this a root menu also lets the dashboard link to it as a first-class dependency view.
Screen graph (Mermaid)
graph LR
A["Integrations → Connections (Overview)"] --> B["Integration Detail"]
A --> C["Add Integration Wizard"]
A --> D["Security Data Sources"]
A --> E["Sensors & Reachability Sources"]
A --> F["Operations → Nightly Ops Report (jobs impacted)"]
B --> G["Test Connection"]
B --> H["Sync & Health History"]
B --> I["Impact Map"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Integrations ▸ Connections [ + Add Integration ]|
| Formerly: Settings ▸ Integrations |
|--------------------------------------------------------------------------------------------------|
| Status Summary: Connected 6 Degraded 1 Disconnected 1 Filter: [All|SCM|CI/CD|Reg|...] |
|--------------------------------------------------------------------------------------------------|
| NAME / TYPE STATUS LAST OK IMPACT (what breaks if degraded) |
|--------------------------------------------------------------------------------------------------|
| GitHub Enterprise / SCM CONNECTED 5m ago Release Bundles: changelog, repo mapping |
| GitLab SaaS / SCM CONNECTED 2m ago Release Bundles: changelog, repo mapping |
| Jenkins / CI DEGRADED 1h ago Provenance gaps, build reachability stale |
| Harbor / Registry CONNECTED 30m ago Digest resolution, image inventory |
| HashiCorp Vault / Secrets CONNECTED 10m ago Bundle variables (env config), approvals |
| Slack / Notifications CONNECTED - Alerts routing |
| OSV Feed / Feeds CONNECTED 1h ago CVE ingestion (OSV) |
| NVD Feed / Feeds DISCONNECTED ? CVE ingestion (NVD) -> SBOM rescan risk |
|--------------------------------------------------------------------------------------------------|
| Attention: NVD Feed DISCONNECTED → CVE freshness degraded → approvals may switch to "Needs Review"|
| Deep Links: [View Nightly Ops Report] [Go to Feed Mirror & Airgap Ops] |
+--------------------------------------------------------------------------------------------------+
1.3 Screen: Integrations → Integration Detail
Formerly: there was no dedicated “detail page” (tiles only under Settings → Integrations).
Why added: You need a single pane that explains scope + health + impact. This is also where you show reachability-source coverage and how this integration feeds Release Bundle Organizer.
Screen graph (Mermaid)
graph TD
A["Integration Detail"] --> B["Edit Configuration"]
A --> C["Test Connection"]
A --> D["Sync Now / Re-auth"]
A --> E["Sync & Health History"]
A --> F["Permissions/Scopes"]
A --> G["Impact Map (Releases/Bundles/SBOM/Evidence)"]
A --> H["Alert Routing (who gets paged)"]
A --> I["Related: Ops Nightly Report"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Integrations ▸ Connection Detail: NVD Feed [Edit] [Test] |
| Formerly: Settings ▸ Integrations (tile) |
|--------------------------------------------------------------------------------------------------|
| Status: DISCONNECTED Last Successful Sync: 2026-02-17 01:12 UTC Owner: Security Ops |
| Endpoint: https://... Auth: API Key (expired) |
|--------------------------------------------------------------------------------------------------|
| HEALTH & HISTORY | IMPACT MAP |
|----------------------------------------------|--------------------------------------------------|
| Last 24h: 0 OK / 12 Failures | Dashboards: CVE freshness widget = RED |
| Error: 401 Unauthorized | Nightly jobs: SBOM rescan may fail / partial |
| Retries: exponential backoff | Approvals: policy gates fall back to "manual" |
| [View Full History] | Evidence: missing CVE snapshot for attestations |
|----------------------------------------------|--------------------------------------------------|
| REACHABILITY INPUTS (for findings context) | USED BY RELEASE BUNDLE ORGANIZER |
| Build reachability: N/A | - enriches bundle with "CVE snapshot version" |
| Image/Dover reachability: N/A | - pins vulnerability dataset used for release |
| Runtime reachability: N/A | |
|--------------------------------------------------------------------------------------------------|
| Actions: [Re-authenticate] [Sync Now] [Open Nightly Ops Report filtered to "CVE Feeds"] |
+--------------------------------------------------------------------------------------------------+
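The dependency rule these two screens surface (a failed feed degrades CVE freshness, so approvals fall back to review), sketched as an added example that is not StellaOps code: the `Connection` record, the 24-hour freshness budget and the `Auto` mode name are assumptions. It also treats a feed that reports CONNECTED but has not synced within the budget as unhealthy, which goes beyond what the mocks show.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed freshness budget for CVE feeds; the page does not state one.
MAX_FEED_AGE = timedelta(hours=24)

@dataclass(frozen=True)
class Connection:            # hypothetical record, one per row of the overview
    name: str
    kind: str                # "SCM", "CI", "Feeds", "Notifications", ...
    status: str              # CONNECTED | DEGRADED | DISCONNECTED
    last_ok: Optional[datetime]   # None where the mock shows "-" or "?"
    impacts: tuple           # features that depend on this connection

def is_unhealthy(conn, now):
    """Not CONNECTED, or a feed whose last good sync is unknown or too old."""
    if conn.status != "CONNECTED":
        return True
    if conn.kind == "Feeds":
        return conn.last_ok is None or now - conn.last_ok > MAX_FEED_AGE
    return False             # e.g. Slack has no sync time and is still fine

def impact_report(conns, now):
    """Map each impacted feature to the unhealthy connections behind it."""
    report = {}
    for conn in conns:
        if is_unhealthy(conn, now):
            for feature in conn.impacts:
                report.setdefault(feature, []).append(conn.name)
    return report

def approval_mode(conns, now):
    """Fail closed: stale or missing CVE data never yields an automatic pass."""
    return "Needs Review" if "CVE ingestion" in impact_report(conns, now) else "Auto"

# Constructed sample mirroring four rows of the overview mock.
NOW = datetime(2026, 2, 18, 2, 0, tzinfo=timezone.utc)
SAMPLE = [
    Connection("Jenkins", "CI", "DEGRADED", NOW - timedelta(hours=1),
               ("Provenance", "Build reachability")),
    Connection("Slack", "Notifications", "CONNECTED", None, ("Alerts routing",)),
    Connection("OSV Feed", "Feeds", "CONNECTED", NOW - timedelta(hours=1),
               ("CVE ingestion",)),
    Connection("NVD Feed", "Feeds", "DISCONNECTED", None,
               ("CVE ingestion", "SBOM rescan")),
]

if __name__ == "__main__":
    for feature, sources in impact_report(SAMPLE, NOW).items():
        print(f"{feature}: degraded by {', '.join(sources)}")
    print("Approvals:", approval_mode(SAMPLE, NOW))
```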
1.4 Screen: Integrations → Add Integration Wizard
Formerly: Settings → Integrations → Add Integration button
Why kept here: still valid, but now it sits under a root Integrations area and must force the user to confirm impact mapping (what features depend on it) and which regions/environments it supports.
Screen graph (Mermaid)
graph LR
A["Add Integration Wizard"] --> B["Choose Type (SCM/CI/Registry/Secrets/Feeds/Notifications/Sensor)"]
B --> C["Configure Endpoint & Auth"]
C --> D["Select Regions/Envs Scope"]
D --> E["Define Impact Map + Owners"]
E --> F["Test Connection"]
F --> G["Create & Go to Detail"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Integrations ▸ Add Integration (Wizard) Step 3 of 6 |
| Formerly: Settings ▸ Integrations ▸ Add Integration |
|--------------------------------------------------------------------------------------------------|
| 1) Type 2) Auth 3) Scope (Regions/Envs) 4) Impact 5) Test 6) Done |
|--------------------------------------------------------------------------------------------------|
| Scope (where this integration is valid): |
| Regions: [x] us-east [x] eu-west [ ] ap-south |
| Environments: [x] prod [x] staging [x] dev |
|--------------------------------------------------------------------------------------------------|
| Impact Mapping (required): |
| [x] Release Bundles (changelog / metadata) |
| [x] SBOM ingestion / CVE sync |
| [ ] Approvals routing |
| Owner (pager): security-oncall |
|--------------------------------------------------------------------------------------------------|
| [Back] [Next: Impact Mapping] |
+--------------------------------------------------------------------------------------------------+
1.5 Screen: Integrations → Security Data Sources
Formerly: Settings → Security Data (no screenshot provided, but it exists in nav)
Why moved: This is operational security data (feeds, advisory sources, SBOM parsing rules, reachability dataset versions). It belongs next to Integrations, because it’s fundamentally “external dependency + sync + health + impact”.
Screen graph (Mermaid)
graph TD
A["Integrations → Security Data Sources"] --> B["Feeds (NVD/OSV/Vendor/Internal)"]
A --> C["VEX Sources (vendor statements, internal VEX)"]
A --> D["Dataset Versions & Retention"]
B --> E["Feed Detail"]
E --> F["Sync History"]
E --> G["Errors & Remediation"]
E --> H["Used By: Approvals / Evidence snapshots"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Integrations ▸ Security Data Sources |
| Formerly: Settings ▸ Security Data |
|--------------------------------------------------------------------------------------------------|
| DATASETS USED FOR RELEASE DECISIONS (must be auditable) |
|--------------------------------------------------------------------------------------------------|
| Source Type Status Last Sync Dataset Version Used by |
|--------------------------------------------------------------------------------------------------|
| NVD CVE Feed DISCONNECTED - - Approvals, Evidence, SBOM |
| OSV CVE Feed CONNECTED 1h 2026.02.18.01 Approvals, Evidence, SBOM |
| Vendor VEX VEX CONNECTED 24h 2026.02.17 VEX Hub, Findings |
| Internal VEX VEX CONNECTED 5m live VEX Hub, Exceptions |
|--------------------------------------------------------------------------------------------------|
| Controls: [Retention policy] [Dataset snapshot rules] [Export dataset attestation] |
| Cross-links: [Operations ▸ Feed Mirrors] [Operations ▸ Nightly Jobs] |
+--------------------------------------------------------------------------------------------------+
2) Administration
2.1 Administration menu graph (Mermaid)
graph TD
ADM_ROOT["Administration (root menu)"] --> ADM_IAM["Identity & Access"]
ADM_ROOT --> ADM_TENANT["Tenant & Branding"]
ADM_ROOT --> ADM_NOTIF["Notifications"]
ADM_ROOT --> ADM_USAGE["Usage & Limits"]
ADM_ROOT --> ADM_SYSTEM["System (Admin-only)"]
ADM_IAM --> ADM_USERS["Users"]
ADM_IAM --> ADM_ROLES["Roles"]
ADM_IAM --> ADM_OAUTH["OAuth Clients"]
ADM_IAM --> ADM_TOKENS["API Tokens"]
ADM_IAM --> ADM_TENANTS["Tenants"]
ADM_NOTIF --> ADM_RULES["Rules"]
ADM_NOTIF --> ADM_CHANNELS["Channels"]
ADM_NOTIF --> ADM_TEMPLATES["Templates"]
ADM_NOTIF --> ADM_LOG["Delivery Log"]
2.2 Screen: Administration → Identity & Access
Formerly: Settings → Identity & Access (/settings/admin)
Why moved: This is pure admin control plane (users/roles/tokens/tenants). Keeping it out of the release/security nav reduces clutter and avoids “settings dumping ground”.
Screen graph (Mermaid)
graph LR
A["Administration → Identity & Access"] --> B["Users"]
A --> C["Roles"]
A --> D["OAuth Clients"]
A --> E["API Tokens"]
A --> F["Tenants"]
A --> G["Audit Log (Evidence & Audit)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Administration ▸ Identity & Access |
| Formerly: Settings ▸ Identity & Access |
| Tabs: [Users] [Roles] [OAuth Clients] [API Tokens] [Tenants] |
|--------------------------------------------------------------------------------------------------|
| Users [ + Add User]|
|--------------------------------------------------------------------------------------------------|
| Name Email Role Status Actions |
|--------------------------------------------------------------------------------------------------|
| alice.johnson alice@company.com Release Admin Active [Edit] [Disable] |
| david.wilson david@company.com Approver Active [Edit] [Disable] |
| ... |
|--------------------------------------------------------------------------------------------------|
| Note: Role "Approver" can approve releases but cannot edit policy baselines. |
+--------------------------------------------------------------------------------------------------+
2.3 Screen: Administration → Tenant & Branding
Formerly: Settings → Tenant / Branding (no screenshot provided)
Why moved: Tenant-level admin belongs together with Identity, Usage, Notifications.
Screen graph (Mermaid)
graph TD
A["Administration → Tenant & Branding"] --> B["Tenant Profile"]
A --> C["Branding (logo/colors)"]
A --> D["Regions enabled (global config)"]
A --> E["Data retention defaults"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Administration ▸ Tenant & Branding |
| Formerly: Settings ▸ Tenant / Branding |
|--------------------------------------------------------------------------------------------------|
| Tenant Profile | Branding |
|----------------------------------------|----------------------------------------------------------|
| Name: ExampleCorp | Logo: [Upload] |
| Default Region: eu-west | Theme: Light / Dark |
| Enabled Regions: [x] us-east [x] eu-west [ ] ap-south |
| Retention: Evidence 365d, Logs 30d | Product Name: "Stella Ops" / "ExampleOps" |
|--------------------------------------------------------------------------------------------------|
| [Save Changes] |
+--------------------------------------------------------------------------------------------------+
2.4 Screen: Administration → Notifications
Formerly: Settings → Notifications (/settings/notifications)
Why moved: Notification rules are tenant-admin policy. Channels still depend on integrations (Slack/Webhook/Email), so this screen should “consume” those and link back.
Screen graph (Mermaid)
graph LR
A["Administration → Notifications"] --> B["Notification Rules"]
A --> C["Channels"]
A --> D["Templates"]
A --> E["Delivery Log"]
C --> F["Integrations → Slack/Webhook detail"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Administration ▸ Notifications |
| Formerly: Settings ▸ Notifications |
|--------------------------------------------------------------------------------------------------|
| [Notification Rules] [Channels] [Templates] |
|--------------------------------------------------------------------------------------------------|
| Rules | Channels | Templates |
|------------------------------|--------------------------------------------|---------------------|
| + Add Rule | Email ACTIVE | Edit Templates |
| | Slack ACTIVE (via Integrations) | |
| | Webhook NOT CONFIGURED | |
|--------------------------------------------------------------------------------------------------|
| Activity / Delivery Log |
| [View Log] (filter: release approvals, critical findings, feed failures, nightly job failures) |
+--------------------------------------------------------------------------------------------------+
2.5 Screen: Administration → Usage & Limits
Formerly: Settings → Usage & Limits (/settings/usage) and Operations → Quotas (overlapping/duplicated concepts)
Why moved & changed: Unify into one tenant-level view: consumption + quota config + throttles. Operations can still show “operator quota dashboard”, but admin owns quotas/limits.
Screen graph (Mermaid)
graph TD
A["Administration → Usage & Limits"] --> B["Usage Summary"]
A --> C["Quota Configuration"]
A --> D["Throttle Events (read-only)"]
D --> E["Operations → Quota / Throttle report (detail)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Administration ▸ Usage & Limits |
| Formerly: Settings ▸ Usage & Limits + Operations ▸ Quotas |
|--------------------------------------------------------------------------------------------------|
| Scans Storage Evidence Packets API Requests |
| 6,500/10,000 42GB/100GB 2,800/10,000 15,000/100,000 |
|--------------------------------------------------------------------------------------------------|
| Quota Configuration |
| Configure limits and throttle settings for your tenant. |
| [Configure Quotas] |
|--------------------------------------------------------------------------------------------------|
| Throttle Events (last 24h): none → [View in Operations ▸ Quotas] |
+--------------------------------------------------------------------------------------------------+
2.6 Screen: Administration → System
Formerly: Settings → System (/settings/system)
Why moved: This is strictly admin-only platform control. Also, it must link to operational diagnostics (Ops → Platform Health, Ops → Nightly Jobs, Ops → Dead Letter).
Screen graph (Mermaid)
graph TD
A["Administration → System"] --> B["Health Check (components)"]
A --> C["Doctor (diagnostics)"]
A --> D["SLO Monitoring"]
A --> E["Background Jobs (admin view)"]
E --> F["Operations → Scheduler / Nightly Jobs"]
B --> G["Operations → Platform Health"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Administration ▸ System (Admin only) |
| Formerly: Settings ▸ System |
|--------------------------------------------------------------------------------------------------|
| [Health Check] [Doctor] [SLO Monitoring] |
| All systems operational Run diagnostics View & configure SLOs |
| [View Details] [Run Doctor] [View SLOs] |
|--------------------------------------------------------------------------------------------------|
| [Background Jobs] |
| Monitor and manage background job processing. |
| [View Jobs] → deep link: Operations ▸ Scheduler / Nightly Ops Report |
+--------------------------------------------------------------------------------------------------+
3) Moved into Release Control: “Policy Governance”
3.1 Screen: Release Control → Governance & Policy
Formerly: Settings → Policy Governance (/settings/policy)
Why moved: These rules/baselines define release gates and belong with Release Control (environments, targets, workflows). This is a core function, not a generic setting.
Screen graph (Mermaid)
graph TD
A["Release Control → Governance & Policy"] --> B["Policy Baselines (per env/region)"]
A --> C["Governance Rules (org-wide)"]
A --> D["Policy Simulation"]
A --> E["Exception Workflow"]
E --> F["Security → Exceptions (requests & approvals)"]
C --> G["Approvals / Policy Gates (uses these rules)"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Release Control ▸ Governance & Policy |
| Formerly: Settings ▸ Policy Governance |
|--------------------------------------------------------------------------------------------------|
| [Policy Baselines] [Governance Rules] [Policy Simulation] |
| Create / manage baselines Define org rules for releases Test changes before applying |
| [ + Create Baseline ] [Edit Rules] [Run Simulation] |
|--------------------------------------------------------------------------------------------------|
| [Exception Workflow] |
| Configure how policy exceptions are requested & approved. |
| [Configure Workflow] → deep link: Security ▸ Exceptions |
+--------------------------------------------------------------------------------------------------+
4) Moved into Evidence & Audit: “Trust & Signing”
4.1 Screen: Evidence & Audit → Trust & Signing
Formerly: Settings → Trust & Signing (/settings/trust)
Why moved: Trust & signing is the spine of auditing (DSSE envelopes, Rekor/transparency logs, signing keys, audit log). It should sit with Evidence Bundles / Proof Chains / Replay/Verify.
Screen graph (Mermaid)
graph TD
A["Evidence & Audit → Trust & Signing"] --> B["Signing Keys"]
A --> C["Issuers"]
A --> D["Certificates"]
A --> E["Transparency Log (Rekor config)"]
A --> F["Trust Scoring"]
A --> G["Trust Audit Log"]
A --> H["Evidence Bundles"]
A --> I["Proof Chains"]
ASCII mock
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit ▸ Trust & Signing |
| Formerly: Settings ▸ Trust & Signing |
|--------------------------------------------------------------------------------------------------|
| [Signing Keys] [Issuers] [Certificates] |
| Manage keys for Trusted issuers TLS/signing certs |
| evidence & attests for VEX/attests upload/manage |
| [Manage Keys] [Manage Issuers] [Manage Certificates] |
|--------------------------------------------------------------------------------------------------|
| [Transparency Log] [Trust Scoring] [Audit Log] |
| Configure Rekor logs Scoring policy for artifacts Trust-related audit events |
| [Configure Rekor] [Edit Score Config] [View Audit Log] |
+--------------------------------------------------------------------------------------------------+
What’s next (Pack 6 suggestion)
If you want me to continue immediately, Pack 6 should cover: Operations (Scheduler, Dead Letter, Platform Health, Orchestrator, Feeds & Airgap), and ensure each has:
- Mermaid menu graph
- Mermaid per-screen graph
- ASCII mock with “Formerly …” label
- Explicit surfacing of: nightly SBOM rescans, CVE feed sync health, integration failures, and hybrid reachability freshness.