git.stella-ops.org/docs/modules/ui/v2-rewire/pack-05.md
2026-02-18 23:03:07 +02:00


## Pack 5 — Integrations + Administration + moved “Policy Governance” + moved “Trust & Signing”
Below are **(1) Mermaid graphs** for the **menus** and for **each screen**, and **(2) an ASCII mock** per screen, each preceded by: **where it lived before + why it moved**.
(Where you see “Formerly: …” that's intended to be shown on-screen under the title as a small breadcrumb/helper label, per your requirement.)
---
# 1) Integrations
## 1.1 Integrations menu graph (Mermaid)
```mermaid
graph TD
IN_ROOT["Integrations (root menu)"] --> IN_OV["Connections (Overview)"]
IN_ROOT --> IN_CATALOG["Catalog / Add Integration"]
IN_ROOT --> IN_SEC_DATA["Security Data Sources (CVE/VEX/Advisories)"]
IN_ROOT --> IN_SENSORS["Sensors & Reachability Sources (Build/Image/Runtime)"]
IN_OV --> IN_DETAIL["Integration Detail"]
IN_DETAIL --> IN_TEST["Test Connection"]
IN_DETAIL --> IN_SYNC["Sync & Health History"]
IN_DETAIL --> IN_PERMS["Scopes / Permissions"]
IN_DETAIL --> IN_IMPACT["Impact Map: Releases, Bundles, SBOM, Approvals, Evidence"]
IN_DETAIL --> IN_ALERTS["Alerts & Routing"]
IN_CATALOG --> IN_ADD["Add Integration Wizard"]
IN_ADD --> IN_DETAIL
IN_SEC_DATA --> IN_FEEDS["Feeds: NVD / OSV / Vendor / Internal"]
IN_FEEDS --> IN_FEED_DETAIL["Feed Detail (sync status, errors, retention)"]
IN_SENSORS --> IN_BUILD["Build Reachability Source"]
IN_SENSORS --> IN_IMAGE["Image/Dover Reachability Source"]
IN_SENSORS --> IN_RUNTIME["Runtime Reachability Source"]
```
> Note: **Feed mirroring / airgap bundling** stays under **Operations → Feeds & Airgap** (because that's “run/operate”), but **Integrations** must show **dependency + impact** (“if NVD down, what breaks?”).
---
## 1.2 Screen: Integrations → Connections (Overview)
**Formerly:** `Settings → Integrations` (`/settings/integrations`)
**Why moved:** Integrations are **not “settings”** in StellaOps—they're **operational dependencies** that directly affect **release decisions**, **SBOM freshness**, **reachability coverage**, **evidence completeness**, and **nightly jobs**. Making this a **root menu** also lets the dashboard link to it as a **first-class dependency view**.
### Screen graph (Mermaid)
```mermaid
graph LR
A["Integrations → Connections (Overview)"] --> B["Integration Detail"]
A --> C["Add Integration Wizard"]
A --> D["Security Data Sources"]
A --> E["Sensors & Reachability Sources"]
A --> F["Operations → Nightly Ops Report (jobs impacted)"]
B --> G["Test Connection"]
B --> H["Sync & Health History"]
B --> I["Impact Map"]
```
### ASCII mock
```
+--------------------------------------------------------------------------------------------------+
| Integrations ▸ Connections                                                 [ + Add Integration ] |
| Formerly: Settings ▸ Integrations                                                                |
|--------------------------------------------------------------------------------------------------|
| Status Summary: Connected 6   Degraded 1   Disconnected 1        Filter: [All|SCM|CI/CD|Reg|...] |
|--------------------------------------------------------------------------------------------------|
| NAME / TYPE                   STATUS        LAST OK   IMPACT (what breaks if degraded)           |
|--------------------------------------------------------------------------------------------------|
| GitHub Enterprise / SCM       CONNECTED     5m ago    Release Bundles: changelog, repo mapping   |
| GitLab SaaS / SCM             CONNECTED     2m ago    Release Bundles: changelog, repo mapping   |
| Jenkins / CI                  DEGRADED      1h ago    Provenance gaps, build reachability stale  |
| Harbor / Registry             CONNECTED     30m ago   Digest resolution, image inventory         |
| HashiCorp Vault / Secrets     CONNECTED     10m ago   Bundle variables (env config), approvals   |
| Slack / Notifications         CONNECTED     -         Alerts routing                             |
| OSV Feed / Feeds              CONNECTED     1h ago    CVE ingestion (OSV)                        |
| NVD Feed / Feeds              DISCONNECTED  ?         CVE ingestion (NVD) -> SBOM rescan risk    |
|--------------------------------------------------------------------------------------------------|
| Alert: NVD Feed DISCONNECTED → CVE freshness degraded → approvals may switch to "Needs Review"   |
| Deep Links: [View Nightly Ops Report]   [Go to Feed Mirror & Airgap Ops]                         |
+--------------------------------------------------------------------------------------------------+
```
---
## 1.3 Screen: Integrations → Integration Detail
**Formerly:** there was no dedicated “detail page” (tiles only under Settings → Integrations).
**Why added:** You need a **single pane** that explains **scope + health + impact**. This is also where you show **reachability-source coverage** and **how this integration feeds Release Bundle Organizer**.
### Screen graph (Mermaid)
```mermaid
graph TD
A["Integration Detail"] --> B["Edit Configuration"]
A --> C["Test Connection"]
A --> D["Sync Now / Re-auth"]
A --> E["Sync & Health History"]
A --> F["Permissions/Scopes"]
A --> G["Impact Map (Releases/Bundles/SBOM/Evidence)"]
A --> H["Alert Routing (who gets paged)"]
A --> I["Related: Ops Nightly Report"]
```
### ASCII mock
```
+--------------------------------------------------------------------------------------------------+
| Integrations ▸ Connection Detail: NVD Feed                                         [Edit] [Test] |
| Formerly: Settings ▸ Integrations (tile)                                                         |
|--------------------------------------------------------------------------------------------------|
| Status: DISCONNECTED     Last Successful Sync: 2026-02-17 01:12 UTC     Owner: Security Ops      |
| Endpoint: https://...    Auth: API Key (expired)                                                 |
|--------------------------------------------------------------------------------------------------|
| HEALTH & HISTORY                              | IMPACT MAP                                       |
|-----------------------------------------------|--------------------------------------------------|
| Last 24h: 0 OK / 12 Failures                  | Dashboards: CVE freshness widget = RED           |
| Error: 401 Unauthorized                       | Nightly jobs: SBOM rescan may fail / partial     |
| Retries: exponential backoff                  | Approvals: policy gates fall back to "manual"    |
| [View Full History]                           | Evidence: missing CVE snapshot for attestations  |
|-----------------------------------------------|--------------------------------------------------|
| REACHABILITY INPUTS (for findings context)    | USED BY RELEASE BUNDLE ORGANIZER                 |
| Build reachability: N/A                       | - enriches bundle with "CVE snapshot version"    |
| Image/Dover reachability: N/A                 | - pins vulnerability dataset used for release    |
| Runtime reachability: N/A                     |                                                  |
|--------------------------------------------------------------------------------------------------|
| Actions: [Re-authenticate] [Sync Now] [Open Nightly Ops Report filtered to "CVE Feeds"]         |
+--------------------------------------------------------------------------------------------------+
```
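The impact propagation that the Connections overview and the Integration Detail screens describe ("if NVD is down, what breaks?", and why approvals fall back to review when a feed is stale) can be modelled as a small capability graph. The following is an added example, not StellaOps code: the capability names, the `DEPENDS_ON` graph, the `GATED_SURFACES` rule, the `last_error` field and the inventory are assumptions built from the rows of the mocks above.

```python
"""Impact-map propagation behind the Connections overview and Integration
Detail screens. Added example, not StellaOps code: the capability graph, the
gate rule and the inventory are assumptions modelled on the mocks."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


class Status(str, Enum):
    CONNECTED = "CONNECTED"
    DEGRADED = "DEGRADED"
    DISCONNECTED = "DISCONNECTED"


@dataclass
class Integration:
    name: str
    kind: str
    status: Status
    last_error: Optional[int] = None                  # last HTTP status seen (assumed field)
    provides: Set[str] = field(default_factory=set)   # capabilities fed by this integration


# Capability -> product surfaces that depend on it (the "IMPACT" column).
# Assumed graph, built from the rows of the overview mock.
DEPENDS_ON = {
    "cve_ingestion":     {"SBOM rescan", "Approvals", "Evidence snapshot"},
    "build_provenance":  {"Build reachability", "Provenance"},
    "digest_resolution": {"Image inventory", "Release Bundles"},
    "repo_metadata":     {"Release Bundles"},
    "alert_routing":     {"Alerts"},
}
# Surfaces whose degradation must push policy gates to a human decision.
GATED_SURFACES = {"Approvals", "Evidence snapshot"}
# HTTP statuses that mean the credential is wrong, so backoff will never recover.
AUTH_FAILURES = {401, 403}


def what_breaks(integ: Integration) -> list:
    """Surfaces that degrade if this one integration is unhealthy."""
    return sorted({s for cap in integ.provides for s in DEPENDS_ON.get(cap, ())})


def impacted_surfaces(integrations) -> dict:
    """{surface: {integration names}} across every non-CONNECTED integration."""
    out = {}
    for integ in integrations:
        if integ.status is not Status.CONNECTED:
            for surface in what_breaks(integ):
                out.setdefault(surface, set()).add(integ.name)
    return out


def approval_mode(integrations) -> str:
    """'auto' only while no gated surface is degraded. A stale CVE feed means the
    dataset a decision would pin is incomplete, so the gate asks for review."""
    return "needs_review" if GATED_SURFACES & set(impacted_surfaces(integrations)) else "auto"


def recommended_action(integ: Integration) -> str:
    """What the detail page should offer: retrying cannot fix an expired key."""
    if integ.status is Status.CONNECTED:
        return "none"
    if integ.last_error in AUTH_FAILURES:
        return "re-authenticate"
    return "retry-with-backoff"


# Constructed inventory mirroring the overview mock (not real endpoints).
INVENTORY = [
    Integration("NVD Feed", "Feeds", Status.DISCONNECTED, 401, {"cve_ingestion"}),
    Integration("OSV Feed", "Feeds", Status.CONNECTED, None, {"cve_ingestion"}),
    Integration("Jenkins", "CI", Status.DEGRADED, 503, {"build_provenance"}),
    Integration("Harbor", "Registry", Status.CONNECTED, None, {"digest_resolution"}),
]

if __name__ == "__main__":
    for i in INVENTORY:
        print(f"{i.name:<10} {i.status.value:<13} {recommended_action(i):<20} {what_breaks(i)}")
    print("approval mode:", approval_mode(INVENTORY))
```

The deliberate choice is that the overview's "Attention" banner derives from `approval_mode`, not from a per-integration fl ag: the banner must fire because a gated surface lost a provider, so adding a second CVE feed later changes the graph, not the banner logic.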
---
## 1.4 Screen: Integrations → Add Integration Wizard
**Formerly:** `Settings → Integrations → Add Integration` button
**Why kept here:** still valid, but now it sits under a **root Integrations** area and must force the user to confirm **impact mapping** (what features depend on it) and **which regions/environments it supports**.
### Screen graph (Mermaid)
```mermaid
graph LR
A["Add Integration Wizard"] --> B["Choose Type (SCM/CI/Registry/Secrets/Feeds/Notifications/Sensor)"]
B --> C["Configure Endpoint & Auth"]
C --> D["Select Regions/Envs Scope"]
D --> E["Define Impact Map + Owners"]
E --> F["Test Connection"]
F --> G["Create & Go to Detail"]
```
### ASCII mock
```
+--------------------------------------------------------------------------------------------------+
| Integrations ▸ Add Integration (Wizard)                                              Step 3 of 6 |
| Formerly: Settings ▸ Integrations ▸ Add Integration                                              |
|--------------------------------------------------------------------------------------------------|
| 1) Type   2) Auth   3) Scope (Regions/Envs)   4) Impact   5) Test   6) Done                     |
|--------------------------------------------------------------------------------------------------|
| Scope (where this integration is valid):                                                         |
|   Regions:      [x] us-east   [x] eu-west   [ ] ap-south                                         |
|   Environments: [x] prod      [x] staging   [x] dev                                              |
|--------------------------------------------------------------------------------------------------|
| Impact Mapping (required):                                                                       |
|   [x] Release Bundles (changelog / metadata)                                                     |
|   [x] SBOM ingestion / CVE sync                                                                  |
|   [ ] Approvals routing                                                                          |
|   Owner (pager): security-oncall                                                                 |
|--------------------------------------------------------------------------------------------------|
| [Back]                                                                    [Next: Impact Mapping] |
+--------------------------------------------------------------------------------------------------+
```
---
## 1.5 Screen: Integrations → Security Data Sources
**Formerly:** `Settings → Security Data` (no screenshot provided, but it exists in nav)
**Why moved:** This is **operational security data** (feeds, advisory sources, SBOM parsing rules, reachability dataset versions). It belongs next to **Integrations**, because it's fundamentally “external dependency + sync + health + impact”.
### Screen graph (Mermaid)
```mermaid
graph TD
A["Integrations → Security Data Sources"] --> B["Feeds (NVD/OSV/Vendor/Internal)"]
A --> C["VEX Sources (vendor statements, internal VEX)"]
A --> D["Dataset Versions & Retention"]
B --> E["Feed Detail"]
E --> F["Sync History"]
E --> G["Errors & Remediation"]
E --> H["Used By: Approvals / Evidence snapshots"]
```
### ASCII mock
```
+--------------------------------------------------------------------------------------------------+
| Integrations ▸ Security Data Sources                                                             |
| Formerly: Settings ▸ Security Data                                                               |
|--------------------------------------------------------------------------------------------------|
| DATASETS USED FOR RELEASE DECISIONS (must be auditable)                                          |
|--------------------------------------------------------------------------------------------------|
| Source          Type      Status        Last Sync  Dataset Version  Used by                      |
|--------------------------------------------------------------------------------------------------|
| NVD             CVE Feed  DISCONNECTED  -          -                Approvals, Evidence, SBOM    |
| OSV             CVE Feed  CONNECTED     1h         2026.02.18.01    Approvals, Evidence, SBOM    |
| Vendor VEX      VEX       CONNECTED     24h        2026.02.17       VEX Hub, Findings            |
| Internal VEX    VEX       CONNECTED     5m         live             VEX Hub, Exceptions          |
|--------------------------------------------------------------------------------------------------|
| Controls: [Retention policy] [Dataset snapshot rules] [Export dataset attestation]               |
| Cross-links: [Operations ▸ Feed Mirrors] [Operations ▸ Nightly Jobs]                             |
+--------------------------------------------------------------------------------------------------+
```
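The "Dataset Version" column and the "Export dataset attestation" control only give an audit trail if a decision pins the exact data it used and a later replay can prove it. This added example (not StellaOps code) shows one way to do that with content-addressed pins; the feed record shapes, the 24-hour freshness window and the sample feeds are assumptions constructed to match the rows above.

```python
"""Dataset snapshot pinning for release decisions (Security Data Sources).
Added example, not StellaOps code; record shapes, MAX_AGE and the sample
feeds are assumptions."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=24)  # assumed freshness window for a feed snapshot


def canonical(obj) -> bytes:
    """Deterministic JSON so the same records always hash the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def snapshot_digest(source: str, version: str, records: list) -> str:
    """Content-addressed id of one feed snapshot. Binding the source name and
    version into the hash stops an OSV snapshot being passed off as NVD's."""
    return hashlib.sha256(canonical({"source": source, "version": version, "records": records})).hexdigest()


def pin_datasets(feeds: dict, now: datetime) -> dict:
    """Pin set to attach to a release decision. A feed that never synced or is
    older than MAX_AGE is listed as stale and flips the decision to review
    instead of silently deciding on old advisory data."""
    pins, stale = {}, []
    for name, feed in feeds.items():
        if feed["last_sync"] is None or now - feed["last_sync"] > MAX_AGE:
            stale.append(name)
            continue
        pins[name] = {
            "version": feed["version"],
            "digest": snapshot_digest(name, feed["version"], feed["records"]),
        }
    return {"pins": pins, "stale": sorted(stale),
            "decision_mode": "needs_review" if stale else "auto"}


def verify_replay(pin_set: dict, feeds_now: dict) -> list:
    """Recompute each pinned digest from the data available at replay time.
    Any name returned means the evidence no longer matches the decision."""
    mismatches = []
    for name, pin in pin_set["pins"].items():
        feed = feeds_now.get(name)
        if feed is None or snapshot_digest(name, feed["version"], feed["records"]) != pin["digest"]:
            mismatches.append(name)
    return mismatches


# Constructed sample feeds mirroring the screen's rows (not real advisory data).
NOW = datetime(2026, 2, 18, 2, 0, tzinfo=timezone.utc)
FEEDS = {
    "NVD": {"version": None, "last_sync": None, "records": []},  # DISCONNECTED, never synced
    "OSV": {"version": "2026.02.18.01", "last_sync": NOW - timedelta(hours=1),
            "records": [{"id": "CVE-0000-0001", "severity": "high"}]},
    "Vendor VEX": {"version": "2026.02.17", "last_sync": NOW - timedelta(hours=24),
                   "records": [{"id": "CVE-0000-0001", "status": "not_affected"}]},
}


def tampered_feeds() -> dict:
    """Replay input where OSV's records were edited after the decision."""
    return {**FEEDS, "OSV": {**FEEDS["OSV"], "records": []}}


if __name__ == "__main__":
    pin_set = pin_datasets(FEEDS, NOW)
    print(json.dumps(pin_set, indent=2))
    print("replay ok:", verify_replay(pin_set, FEEDS) == [])
    print("tampered:", verify_replay(pin_set, tampered_feeds()))
```

The pin set is what the "Export dataset attestation" action would wrap in a signed statement; keeping the digest content-addressed means the attestation stays verifiable even after the feed mirror has moved on to a newer version, as long as the snapshot itself is retained.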
---
# 2) Administration
## 2.1 Administration menu graph (Mermaid)
```mermaid
graph TD
ADM_ROOT["Administration (root menu)"] --> ADM_IAM["Identity & Access"]
ADM_ROOT --> ADM_TENANT["Tenant & Branding"]
ADM_ROOT --> ADM_NOTIF["Notifications"]
ADM_ROOT --> ADM_USAGE["Usage & Limits"]
ADM_ROOT --> ADM_SYSTEM["System (Admin-only)"]
ADM_IAM --> ADM_USERS["Users"]
ADM_IAM --> ADM_ROLES["Roles"]
ADM_IAM --> ADM_OAUTH["OAuth Clients"]
ADM_IAM --> ADM_TOKENS["API Tokens"]
ADM_IAM --> ADM_TENANTS["Tenants"]
ADM_NOTIF --> ADM_RULES["Rules"]
ADM_NOTIF --> ADM_CHANNELS["Channels"]
ADM_NOTIF --> ADM_TEMPLATES["Templates"]
ADM_NOTIF --> ADM_LOG["Delivery Log"]
```
---
## 2.2 Screen: Administration → Identity & Access
**Formerly:** `Settings → Identity & Access` (`/settings/admin`)
**Why moved:** This is pure **admin control plane** (users/roles/tokens/tenants). Keeping it out of the release/security nav reduces clutter and avoids “settings dumping ground”.
### Screen graph (Mermaid)
```mermaid
graph LR
A["Administration → Identity & Access"] --> B["Users"]
A --> C["Roles"]
A --> D["OAuth Clients"]
A --> E["API Tokens"]
A --> F["Tenants"]
A --> G["Audit Log (Evidence & Audit)"]
```
### ASCII mock
```
+--------------------------------------------------------------------------------------------------+
| Administration ▸ Identity & Access                                                               |
| Formerly: Settings ▸ Identity & Access                                                           |
| Tabs: [Users] [Roles] [OAuth Clients] [API Tokens] [Tenants]                                     |
|--------------------------------------------------------------------------------------------------|
| Users                                                                              [ + Add User ] |
|--------------------------------------------------------------------------------------------------|
| Name            Email                 Role            Status    Actions                          |
|--------------------------------------------------------------------------------------------------|
| alice.johnson   alice@company.com     Release Admin   Active    [Edit] [Disable]                 |
| david.wilson    david@company.com     Approver        Active    [Edit] [Disable]                 |
| ...                                                                                              |
|--------------------------------------------------------------------------------------------------|
| Note: Role "Approver" can approve releases but cannot edit policy baselines.                     |
+--------------------------------------------------------------------------------------------------+
```
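The note on the Users tab (an Approver approves releases but cannot edit baselines) is one permission decision; the API Tokens and Tenants tabs add two more checks every request has to pass. This added example, not StellaOps code, shows a deny-by-default authorizer that combines them. Only the two role names come from the mock; the permission strings, the `Token` fields and the sample tokens are assumptions.

```python
"""Deny-by-default authorization across Users, Roles, API Tokens and Tenants.
Added example, not StellaOps code: role names come from the mock; permission
strings, token fields and sample tokens are assumptions."""
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Tuple

# Role -> granted permissions. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "Release Admin": {"release:approve", "policy:edit", "users:manage"},
    "Approver":      {"release:approve"},   # approves releases, cannot edit baselines
    "Viewer":        set(),
}


class Token(NamedTuple):
    subject: str
    tenant: str          # a token is minted for exactly one tenant
    role: str
    expires: datetime
    revoked: bool = False


def authorize(token: Token, permission: str, tenant: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Hard failures (revoked, expired, wrong tenant)
    are checked before the role lookup so a stale token never reaches it."""
    if token.revoked:
        return False, "token revoked"
    if now >= token.expires:
        return False, "token expired"
    if token.tenant != tenant:
        return False, "tenant mismatch"
    if permission not in ROLE_PERMISSIONS.get(token.role, set()):
        return False, f"role {token.role!r} lacks {permission}"
    return True, "ok"


# Constructed tokens for the two users in the mock (not real credentials).
NOW = datetime(2026, 2, 18, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=90)
ALICE = Token("alice.johnson", "examplecorp", "Release Admin", NOW + timedelta(days=30))
DAVID = Token("david.wilson", "examplecorp", "Approver", NOW + timedelta(days=30))
REVOKED = DAVID._replace(revoked=True)

if __name__ == "__main__":
    for tok, perm, tenant, when in [
        (DAVID, "release:approve", "examplecorp", NOW),
        (DAVID, "policy:edit", "examplecorp", NOW),
        (ALICE, "policy:edit", "othercorp", NOW),
        (ALICE, "policy:edit", "examplecorp", LATER),
        (REVOKED, "release:approve", "examplecorp", NOW),
    ]:
        print(tok.subject, perm, tenant, authorize(tok, perm, tenant, when))
```

An unknown role falls through to an empty permission set rather than raising, so a role deleted from the Roles tab while tokens referencing it still exist fails closed instead of crashing the check.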
---
## 2.3 Screen: Administration → Tenant & Branding
**Formerly:** `Settings → Tenant / Branding` (no screenshot provided)
**Why moved:** Tenant-level admin belongs together with Identity, Usage, Notifications.
### Screen graph (Mermaid)
```mermaid
graph TD
A["Administration → Tenant & Branding"] --> B["Tenant Profile"]
A --> C["Branding (logo/colors)"]
A --> D["Regions enabled (global config)"]
A --> E["Data retention defaults"]
```
### ASCII mock
```
+--------------------------------------------------------------------------------------------------+
| Administration ▸ Tenant & Branding                                                               |
| Formerly: Settings ▸ Tenant / Branding                                                           |
|--------------------------------------------------------------------------------------------------|
| Tenant Profile                          | Branding                                               |
|-----------------------------------------|--------------------------------------------------------|
| Name: ExampleCorp                       | Logo: [Upload]                                         |
| Default Region: eu-west                 | Theme: Light / Dark                                    |
| Enabled Regions: [x] us-east   [x] eu-west   [ ] ap-south                                        |
| Retention: Evidence 365d, Logs 30d      | Product Name: "Stella Ops" / "ExampleOps"              |
|--------------------------------------------------------------------------------------------------|
|                                                                                   [Save Changes] |
+--------------------------------------------------------------------------------------------------+
```
---
## 2.4 Screen: Administration → Notifications
**Formerly:** `Settings → Notifications` (`/settings/notifications`)
**Why moved:** Notification rules are **tenant-admin policy**. Channels still depend on integrations (Slack/Webhook/Email), so this screen should “consume” those and link back.
### Screen graph (Mermaid)
```mermaid
graph LR
A["Administration → Notifications"] --> B["Notification Rules"]
A --> C["Channels"]
A --> D["Templates"]
A --> E["Delivery Log"]
C --> F["Integrations → Slack/Webhook detail"]
```
### ASCII mock
```
+--------------------------------------------------------------------------------------------------+
| Administration ▸ Notifications                                                                   |
| Formerly: Settings ▸ Notifications                                                               |
|--------------------------------------------------------------------------------------------------|
| [Notification Rules] [Channels] [Templates]                                                      |
|--------------------------------------------------------------------------------------------------|
| Rules                        | Channels                                   | Templates            |
|------------------------------|--------------------------------------------|----------------------|
| + Add Rule                   | Email     ACTIVE                           | Edit Templates       |
|                              | Slack     ACTIVE (via Integrations)        |                      |
|                              | Webhook   NOT CONFIGURED                   |                      |
|--------------------------------------------------------------------------------------------------|
| Activity / Delivery Log                                                                          |
| [View Log] (filter: release approvals, critical findings, feed failures, nightly job failures)   |
+--------------------------------------------------------------------------------------------------+
```
---
## 2.5 Screen: Administration → Usage & Limits
**Formerly:**
* `Settings → Usage & Limits` (`/settings/usage`)
* **and** `Operations → Quotas` (overlapping/duplicated concepts)
**Why moved & changed:** unify into one **tenant-level** view: **consumption + quota config + throttles**. Operations can still show “operator quota dashboard”, but **admin owns quotas/limits**.
### Screen graph (Mermaid)
```mermaid
graph TD
A["Administration → Usage & Limits"] --> B["Usage Summary"]
A --> C["Quota Configuration"]
A --> D["Throttle Events (read-only)"]
D --> E["Operations → Quota / Throttle report (detail)"]
```
### ASCII mock
```
+--------------------------------------------------------------------------------------------------+
| Administration ▸ Usage & Limits                                                                  |
| Formerly: Settings ▸ Usage & Limits + Operations ▸ Quotas                                        |
|--------------------------------------------------------------------------------------------------|
| Scans                   Storage                 Evidence Packets        API Requests             |
| 6,500/10,000            42GB/100GB              2,800/10,000            15,000/100,000           |
|--------------------------------------------------------------------------------------------------|
| Quota Configuration                                                                              |
| Configure limits and throttle settings for your tenant.                                          |
| [Configure Quotas]                                                                               |
|--------------------------------------------------------------------------------------------------|
| Throttle Events (last 24h): none → [View in Operations ▸ Quotas]                                 |
+--------------------------------------------------------------------------------------------------+
```
---
## 2.6 Screen: Administration → System
**Formerly:** `Settings → System` (`/settings/system`)
**Why moved:** This is strictly **admin-only platform control**. Also, it must link to operational diagnostics (**Ops → Platform Health**, **Ops → Nightly Jobs**, **Ops → Dead Letter**).
### Screen graph (Mermaid)
```mermaid
graph TD
A["Administration → System"] --> B["Health Check (components)"]
A --> C["Doctor (diagnostics)"]
A --> D["SLO Monitoring"]
A --> E["Background Jobs (admin view)"]
E --> F["Operations → Scheduler / Nightly Jobs"]
B --> G["Operations → Platform Health"]
```
### ASCII mock
```
+--------------------------------------------------------------------------------------------------+
| Administration ▸ System (Admin only)                                                             |
| Formerly: Settings ▸ System                                                                      |
|--------------------------------------------------------------------------------------------------|
| [Health Check]                  [Doctor]                        [SLO Monitoring]                 |
| All systems operational         Run diagnostics                 View & configure SLOs            |
| [View Details]                  [Run Doctor]                    [View SLOs]                      |
|--------------------------------------------------------------------------------------------------|
| [Background Jobs]                                                                                |
| Monitor and manage background job processing.                                                    |
| [View Jobs] → deep link: Operations ▸ Scheduler / Nightly Ops Report                             |
+--------------------------------------------------------------------------------------------------+
```
---
# 3) Moved into Release Control: “Policy Governance”
## 3.1 Screen: Release Control → Governance & Policy
**Formerly:** `Settings → Policy Governance` (`/settings/policy`)
**Why moved:** These rules/baselines **define release gates** and belong with **Release Control** (environments, targets, workflows). This is a *core* function, not a generic setting.
### Screen graph (Mermaid)
```mermaid
graph TD
A["Release Control → Governance & Policy"] --> B["Policy Baselines (per env/region)"]
A --> C["Governance Rules (org-wide)"]
A --> D["Policy Simulation"]
A --> E["Exception Workflow"]
E --> F["Security → Exceptions (requests & approvals)"]
C --> G["Approvals / Policy Gates (uses these rules)"]
```
### ASCII mock
```
+--------------------------------------------------------------------------------------------------+
| Release Control ▸ Governance & Policy                                                            |
| Formerly: Settings ▸ Policy Governance                                                           |
|--------------------------------------------------------------------------------------------------|
| [Policy Baselines]              [Governance Rules]              [Policy Simulation]              |
| Create / manage baselines       Define org rules for releases   Test changes before applying     |
| [ + Create Baseline ]           [Edit Rules]                    [Run Simulation]                 |
|--------------------------------------------------------------------------------------------------|
| [Exception Workflow]                                                                             |
| Configure how policy exceptions are requested & approved.                                        |
| [Configure Workflow] → deep link: Security ▸ Exceptions                                          |
+--------------------------------------------------------------------------------------------------+
```
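Policy Simulation is only useful if it evaluates the proposed baselines against the same findings the gates would see, and reports which releases change verdict. This added example, not StellaOps code, models per-environment baselines, one org-wide governance rule and the exception hook, then diffs current against proposed baselines over constructed findings. The field names, the severity ladder, the rule semantics and the sample releases are assumptions built around the screen's Baselines / Rules / Simulation split.

```python
"""Policy simulation for Release Control ▸ Governance & Policy. Added example,
not StellaOps code: baseline/rule fields, severity ladder and sample findings
are assumptions."""
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Per-environment baselines: the most severe finding an env tolerates, and
# whether a vendor VEX "not_affected" statement is trusted to suppress a finding.
BASELINES = {
    "prod":    {"max_severity": "medium", "honor_vex": True},
    "staging": {"max_severity": "high",   "honor_vex": True},
}
# Org-wide governance rule: reachable criticals block everywhere, even with an exception.
GOVERNANCE = {"block_reachable_critical": True}


def evaluate(findings, env, baselines=BASELINES, governance=GOVERNANCE):
    """Return ('pass' | 'block' | 'needs_exception', [reasons]) for one release in one env."""
    base = baselines[env]
    limit = SEVERITY[base["max_severity"]]
    reasons, verdict = [], "pass"
    for f in findings:
        if base["honor_vex"] and f.get("vex") == "not_affected":
            continue  # suppressed by a trusted VEX statement
        if governance["block_reachable_critical"] and f["severity"] == "critical" and f.get("reachable"):
            reasons.append(f"{f['id']}: reachable critical (governance rule)")
            verdict = "block"  # governance outranks baselines and exceptions
            continue
        if SEVERITY[f["severity"]] > limit:
            if f.get("exception"):
                reasons.append(f"{f['id']}: over baseline, covered by exception {f['exception']}")
                continue
            reasons.append(f"{f['id']}: {f['severity']} exceeds {base['max_severity']} baseline")
            if verdict != "block":
                verdict = "needs_exception"
    return verdict, reasons


def simulate(releases, env, proposed_baselines):
    """Diff current vs proposed baselines over real findings before applying.
    Returns {release: (verdict_before, verdict_after)} for releases that change."""
    changes = {}
    for name, findings in releases.items():
        before, _ = evaluate(findings, env)
        after, _ = evaluate(findings, env, baselines=proposed_baselines)
        if before != after:
            changes[name] = (before, after)
    return changes


# Constructed sample findings for four releases (not real CVEs or exceptions).
RELEASES = {
    "api-1.4.0": [{"id": "F1", "severity": "high", "reachable": False},
                  {"id": "F2", "severity": "medium", "reachable": True}],
    "web-2.0.1": [{"id": "F3", "severity": "critical", "reachable": True, "exception": "EXC-1"}],
    "batch-0.9": [{"id": "F4", "severity": "critical", "reachable": False, "vex": "not_affected"}],
    "cli-3.1.0": [{"id": "F5", "severity": "high", "reachable": True, "exception": "EXC-2"}],
}
# Proposed change: loosen prod to "high" but stop trusting vendor VEX.
PROPOSED = {
    "prod":    {"max_severity": "high", "honor_vex": False},
    "staging": BASELINES["staging"],
}

if __name__ == "__main__":
    for name, findings in RELEASES.items():
        print(name, evaluate(findings, "prod"))
    print("would change:", simulate(RELEASES, "prod", PROPOSED))
```

The simulation shows both directions of a change: loosening the prod ceiling lets `api-1.4.0` through, while dropping VEX trust pulls `batch-0.9` back into the exception queue, and the governance block on `web-2.0.1` is unaffected by either.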
---
# 4) Moved into Evidence & Audit: “Trust & Signing”
## 4.1 Screen: Evidence & Audit → Trust & Signing
**Formerly:** `Settings → Trust & Signing` (`/settings/trust`)
**Why moved:** Trust & signing is the **spine of auditing** (DSSE envelopes, Rekor/transparency logs, signing keys, audit log). It should sit with **Evidence Bundles / Proof Chains / Replay/Verify**.
### Screen graph (Mermaid)
```mermaid
graph TD
A["Evidence & Audit → Trust & Signing"] --> B["Signing Keys"]
A --> C["Issuers"]
A --> D["Certificates"]
A --> E["Transparency Log (Rekor config)"]
A --> F["Trust Scoring"]
A --> G["Trust Audit Log"]
A --> H["Evidence Bundles"]
A --> I["Proof Chains"]
```
### ASCII mock
```
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit ▸ Trust & Signing                                                               |
| Formerly: Settings ▸ Trust & Signing                                                             |
|--------------------------------------------------------------------------------------------------|
| [Signing Keys]                  [Issuers]                       [Certificates]                   |
| Manage keys for                 Trusted issuers                 TLS/signing certs                |
| evidence & attests              for VEX/attests                 upload/manage                    |
| [Manage Keys]                   [Manage Issuers]                [Manage Certificates]            |
|--------------------------------------------------------------------------------------------------|
| [Transparency Log]              [Trust Scoring]                 [Audit Log]                      |
| Configure Rekor logs            Scoring policy for artifacts    Trust-related audit events       |
| [Configure Rekor]               [Edit Score Config]             [View Audit Log]                 |
+--------------------------------------------------------------------------------------------------+
```
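The DSSE envelopes and signing keys this screen manages are what make an evidence bundle tamper-evident: the signature covers the payload type and the payload together, and only keys known to the trust store count. This added example, not StellaOps code, builds and verifies a DSSE envelope using the spec's Pre-Authentication Encoding. The HMAC signer is a stand-in assumption so the block runs with the standard library alone; a real deployment signs with an asymmetric key from Signing Keys and records the envelope in the transparency log configured here. The statement contents and the demo key are constructed.

```python
"""DSSE envelope construction and verification for Trust & Signing. Added
example, not StellaOps code. PAE follows the DSSE spec; the HMAC signer is a
stand-in assumption for an asymmetric (Ed25519/ECDSA) key."""
import base64
import hashlib
import hmac
import json


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: binds the type and the payload length
    so a signature over one payload cannot be replayed over another."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def sign_envelope(payload: dict, payload_type: str, keyid: str, key: bytes) -> dict:
    """Serialise the statement and sign its PAE, returning a DSSE envelope."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(payload_type, body), hashlib.sha256).digest()  # stand-in for Ed25519/ECDSA
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(body).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(env: dict, trusted_keys: dict) -> tuple:
    """Return (ok, reason). Only keyids present in the trust store are tried,
    and the check runs over the PAE of the decoded payload, not the raw JSON."""
    body = base64.b64decode(env["payload"])
    material = pae(env["payloadType"], body)
    for s in env["signatures"]:
        key = trusted_keys.get(s["keyid"])
        if key is None:
            continue  # unknown issuer: ignored, never trusted
        expected = hmac.new(key, material, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            return True, f"verified with {s['keyid']}"
    return False, "no signature from a trusted key"


def tamper(env: dict, new_payload: dict) -> dict:
    """Swap the payload but keep the signature: what editing evidence after the fact looks like."""
    body = json.dumps(new_payload, sort_keys=True, separators=(",", ":")).encode()
    return {**env, "payload": base64.b64encode(body).decode()}


# Constructed inputs: a demo key and a minimal in-toto style statement (not real material).
KEY = b"constructed-demo-key-do-not-use"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": "00" * 32}}],
    "predicateType": "https://example.invalid/release-decision",  # assumed predicate type
    "predicate": {"verdict": "needs_review", "dataset_pins": {"OSV": "2026.02.18.01"}},
}

if __name__ == "__main__":
    env = sign_envelope(STATEMENT, PAYLOAD_TYPE, "key-2026-02", KEY)
    print(verify_envelope(env, {"key-2026-02": KEY}))
    print(verify_envelope(tamper(env, {**STATEMENT, "predicate": {"verdict": "approved"}}), {"key-2026-02": KEY}))
    print(verify_envelope({**env, "payloadType": "text/plain"}, {"key-2026-02": KEY}))
```

Two failure modes matter for the Issuers and Signing Keys tabs: a signature from a keyid that is not in the trust store is skipped rather than treated as an error, so rotating a key out of the store retires its evidence; and changing `payloadType` alone invalidates the envelope, which is why the verifier must use PAE rather than hashing the payload on its own.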
---
## What's next (Pack 6 suggestion)
If you want me to continue immediately, Pack 6 should cover: **Operations** (Scheduler, Dead Letter, Platform Health, Orchestrator, Feeds & Airgap), and ensure each has:
* Mermaid menu graph
* Mermaid per-screen graph
* ASCII mock with “Formerly …” label
* Explicit surfacing of: **nightly SBOM rescans**, **CVE feed sync health**, **integration failures**, and **hybrid reachability freshness**.