git.stella-ops.org/docs/modules/ui/v2-rewire/pack-10.md
2026-02-18 23:03:07 +02:00

## Pack 10 — Integrations + Security Data Ops (Feeds & AirGap)
Below is the **Mermaid IA for the menus + per-screen navigation graphs**, and then **ASCII mocks for each screen**.
For every screen: **Formerly (old location/name)** + **why this is moved/reshaped**.
---
## 10.1 Menu graph (Mermaid) — Integrations + Feeds/AirGap Ops
```mermaid
flowchart TD
%% ROOT (only the parts this pack touches)
ROOT[Stella Ops Console] --> INT[Integrations]
ROOT --> OPS[Platform Ops]
%% INTEGRATIONS
INT --> INT_HUB["Integrations Hub<br/>(overview + connectors)"]
INT_HUB --> INT_DETAIL[Integration Detail]
INT_HUB --> INT_ADD[Add Integration Wizard]
INT_HUB --> INT_FILTERS["Category Filters<br/>SCM / CI-CD / Registries / Secrets & Config / Notifications / Security Data"]
%% FEEDS & AIRGAP (Platform Ops)
OPS --> FEED_OPS["Feeds & AirGap Ops<br/>(Security Data Ops)"]
FEED_OPS --> FEED_SOURCES[Sources & Freshness]
FEED_OPS --> FEED_MIRRORS[Feed Mirrors]
FEED_OPS --> FEED_AIRGAP[AirGap Bundles]
FEED_OPS --> FEED_LOCKS[Version Locks]
%% Cross-links (2nd-class entry points)
INT_HUB -. "Degraded/Disconnected impact" .-> FEED_SOURCES
FEED_SOURCES -. "Open connector config" .-> INT_DETAIL
FEED_OPS -. "Shows up on Dashboard: Nightly Ops Signals" .-> ROOT
```
Key placement decisions (keeps the reorg “release-first”):
* **Integrations** = “connectors & configuration surface” (what talks to what).
* **Feeds & AirGap Ops** = “operator workflows & determinism controls” (mirrors, airgap bundles, version locks).
This aligns with your ask that **freshness + sync failures are visible**, and that **determinism controls exist without being “third class.”**
---
## 10.2 Screen — Integrations Hub
### Formerly
* **Settings → Integrations** (`/settings/integrations`)
* Also implicitly included “Feeds” (OSV/NVD cards) here.
### Why change
* This is a **first-response triage page**: if approvals are blocked, SBOM scans are stale, or evidence generation fails, the operator needs **a single place** to see **which dependency is degraded and what it impacts**.
* Adds a required concept: **“Impact on Release Control”** (what gates become unreliable if an integration is down).
### Screen graph (Mermaid)
```mermaid
flowchart LR
A[Integrations Hub] -->|click card| B[Integration Detail]
A -->|Add Integration| C[Add Integration Wizard]
A -->|filter: SCM/CI/CD/Registries/Secrets/Feeds| A
A -->|feeds degraded?| D["Feeds & AirGap Ops: Sources"]
B -->|view logs| B
B -->|test connection| B
B -->|back| A
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Integrations Hub (Formerly: Settings ▸ Integrations) │
│ Org: Acme Region: All Env Scope: All Window: 30d │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Summary: Connected: 6 Degraded: 1 Disconnected: 1 Last full health check: 02:10 │
│ │
│ Filters: [All] [SCM] [CI/CD] [Registries] [Secrets & Config] [Notifications] [Security Data]│
│ Actions: [+ Add Integration] [Run Health Check] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Needs Attention (Impact on Release Control) │
│ • NVD Feed: DISCONNECTED → CVE freshness unknown → Policy gates may be unreliable │
│ • Jenkins: DEGRADED → Build attestations delayed → Release bundle evidence may lag │
│ • Vault: OK (but token expires in 3d) → Env var resolution risk upcoming │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Integrations (table view) │
│ ┌──────────────────────┬──────────────┬──────────────┬─────────────┬──────────────────────┐ │
│ │ Name │ Type │ Status │ Last Sync │ Used By │ │
│ ├──────────────────────┼──────────────┼──────────────┼─────────────┼──────────────────────┤ │
│ │ GitHub Enterprise │ SCM │ CONNECTED │ 5m ago │ Bundles, Changelog │ │
│ │ GitLab SaaS │ SCM │ CONNECTED │ 2m ago │ Bundles, Changelog │ │
│ │ Jenkins │ CI/CD │ DEGRADED │ 1h ago │ Attestations, Builds │ │
│ │ Harbor Registry │ Registry │ CONNECTED │ 30m ago │ SBOM ingest, Images │ │
│ │ HashiCorp Vault │ Secrets │ CONNECTED │ 10m ago │ Env vars, Bundles │ │
│ │ Slack │ Notification │ CONNECTED │ - │ Approvals alerts │ │
│ │ OSV Feed │ SecurityData │ CONNECTED │ 1h ago │ Vulnerability scans │ │
│ │ NVD Feed │ SecurityData │ DISCONNECTED │ - │ Vulnerability scans │ │
│ └──────────────────────┴──────────────┴──────────────┴─────────────┴──────────────────────┘ │
│ Hint: click any row/card → Integration Detail │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
## 10.3 Screen — Integration Detail
### Formerly
* No dedicated “detail” surface in the screenshots (integrations were mostly **cards**).
This is effectively **new**, but replaces the need to “hunt” across settings + ops pages.
### Why change
* You need **traceability** from an outage → **which releases / gates / bundles / envs are impacted**.
* Enables the missing operational requirement you called out: **nightly job failures due to integration issues** are explainable from the integration itself.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Integration Detail] --> B[Config & Credentials]
A --> C[Health & Logs]
A --> D[Mappings]
A --> E[Permissions/Scopes]
A --> F[Downstream Impact]
C -->|retry connection| C
C -->|open affected jobs| G["Nightly Ops Report (Platform Ops)"]
A -->|back| H[Integrations Hub]
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Integration Detail: NVD Feed (Formerly: shown as card in Settings ▸ Integrations) │
│ Type: Security Data Source Status: DISCONNECTED Owner: security-team │
│ Region: US-East (toggle) EU-West (toggle) APAC (toggle) │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Overview] [Config] [Health & Logs] [Mappings] [Permissions] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Overview │
│ Last successful sync: — │
│ Freshness SLA: 6h Current freshness: UNKNOWN → Gating risk: HIGH │
│ Used by: Vulnerability scan ingestion, Release gates, Nightly rescans │
│ │
│ Downstream impact │
│ • Approvals & Gates: “CVE freshness” gate → currently degraded │
│ • Nightly SBOM rescan: will flag “data source unavailable” │
│ • Audit bundles: will include “feed freshness unknown” note │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Health & Logs (latest) │
│ 02:11 ERROR connect timeout to nvd.example.gov │
│ 02:11 WARN falling back to OSV only (coverage reduced) │
│ Action: [Retry Connection] [Test DNS] [View Related Nightly Jobs] │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
## 10.4 Screen — Add Integration Wizard
### Formerly
* **“+ Add Integration”** existed on Settings → Integrations, but without a standardized “impact/mapping” workflow shown.
### Why change
* This wizard becomes the enforcement point for:
  * **Region scoping** (your missing “environments per region” theme).
  * **Mapping to downstream use** (Release Bundle Organizer, approvals, SBOM ingest, etc.).
  * **Secrets hygiene** (Vault/Consul integration must be wired correctly).
### Screen graph (Mermaid)
```mermaid
flowchart LR
S[Add Integration Wizard] --> A[1. Choose Type]
A --> B[2. Configure Connection]
B --> C["3. Scope & Mapping<br/>(Region/Env/Repos/Targets)"]
C --> D[4. Test Connection]
D --> E[5. Save & Initial Sync]
E --> F[Integration Detail]
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Add Integration Wizard (Formerly: + Add Integration on Settings ▸ Integrations) │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Step 1/5 — Choose type │
│ [SCM] GitHub / GitLab │
│ [CI/CD] Jenkins / Actions │
│ [Registry] Harbor / ECR / GCR │
│ [Secrets] Vault │
│ [Config] Consul (recommended for bundle vars) │
│ [Notifications] Slack / Email / Webhook │
│ [Security Data] OSV / NVD / CISA │
│ │
│ Next: [Continue] │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
## 10.5 Screen — Feeds & AirGap Ops (Sources & Freshness)
### Formerly
* **Operations → Feeds** (`/operations/feeds`)
  Screen title: **“Feed Mirror & AirGap Operations”**
* Also partially represented as OSV/NVD “Feeds” cards under Settings → Integrations.
### Why change
* This becomes the **operator-grade control surface** for:
  * **Freshness** (are CVE sources synced, within SLA?).
  * **Determinism** (version locks).
  * **AirGap readiness** (bundles).
* It is “second-class” (reachable from Dashboard “Nightly Ops Signals”), not buried.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A["Feeds & AirGap Ops"] --> B["Sources & Freshness"]
A --> C[Feed Mirrors]
A --> D[AirGap Bundles]
A --> E[Version Locks]
B -->|open source integration| F[Integration Detail]
B -->|create mirror| C
E -->|lock for release| G["Release Detail<br/>(Determinism tab)"]
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops (Formerly: Operations ▸ Feeds → "Feed Mirror & AirGap Operations") │
│ Org: Acme Region: US-East Window: 7d │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Tabs: [Sources & Freshness] [Feed Mirrors] [AirGap Bundles] [Version Locks] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Sources & Freshness │
│ ┌───────────────┬──────────────┬───────────────┬──────────────┬───────────────────────────┐ │
│ │ Source │ Status │ Last Sync │ Freshness SLA │ Notes / Impact │ │
│ ├───────────────┼──────────────┼───────────────┼──────────────┼───────────────────────────┤ │
│ │ OSV │ OK │ 1h ago │ 6h │ Full OK │ │
│ │ NVD │ DISCONNECTED │ — │ 6h │ Approval gating risk HIGH │ │
│ │ CISA KEV │ OK │ 3h ago │ 24h │ OK │ │
│ └───────────────┴──────────────┴───────────────┴──────────────┴───────────────────────────┘ │
│ Actions: [Retry failed sources] [Open Integration Detail] [Create Mirror] │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
## 10.6 Screen — Feeds & AirGap Ops (Feed Mirrors)
### Formerly
* Operations → Feeds → **Feed Mirrors** tab.
### Why change
* Keep the same capability, but add:
  * Region scoping and storage accounting per region.
  * A clear connection to **gating data freshness** and **nightly job health**.
### Screen graph (Mermaid)
```mermaid
flowchart LR
A[Feed Mirrors] --> B[Create/Edit Mirror]
A --> C[Mirror Detail]
C -->|force sync| C
C -->|view sync logs| C
A -->|back| D[Feeds & AirGap Ops]
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops ▸ Feed Mirrors (Formerly: Operations ▸ Feeds ▸ Feed Mirrors) │
│ Region: EU-West │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ KPI: Total Mirrors: 4 Synced: 3 Stale: 1 Errors: 0 Storage: 28GB │
│ Actions: [+ Create Mirror] [Sync All] [Export Mirror Config] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Mirrors │
│ ┌───────────────┬──────────┬───────────────┬───────────┬───────────┬──────────────────────┐ │
│ │ Mirror Name │ Source │ Status │ Last Sync │ Storage │ Actions │ │
│ ├───────────────┼──────────┼───────────────┼───────────┼───────────┼──────────────────────┤ │
│ │ nvd-eu-mirror │ NVD │ STALE (8h) │ 8h ago │ 12GB │ [Sync] [Edit] [Logs] │ │
│ │ osv-eu-mirror │ OSV │ SYNCED │ 1h ago │ 4GB │ [Sync] [Edit] [Logs] │ │
│ │ kev-eu-mirror │ CISA KEV │ SYNCED │ 3h ago │ 1GB │ [Sync] [Edit] [Logs] │ │
│ └───────────────┴──────────┴───────────────┴───────────┴───────────┴──────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
## 10.7 Screen — Feeds & AirGap Ops (AirGap Bundles)
### Formerly
* Operations → Feeds → **AirGap Bundles** tab.
### Why change
* This is essential for environments that must prove:
  * The release decision was made using a **known dataset snapshot**.
  * The bundle contains **feeds + policy pack versions + evidence tooling metadata**.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[AirGap Bundles] --> B[Create AirGap Bundle]
A --> C[Bundle Detail]
C -->|download| C
C -->|verify signatures| C
C -->|pin version locks| D[Version Locks]
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops ▸ AirGap Bundles (Formerly: Operations ▸ Feeds ▸ AirGap Bundles) │
│ Region: APAC │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Actions: [+ Create Bundle] [Download latest] [Verify bundle] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Bundles │
│ ┌───────────────────┬───────────┬──────────────┬───────────────┬──────────────────────────┐ │
│ │ Bundle Name │ Target Env│ Contents │ Built At │ Actions │ │
│ ├───────────────────┼───────────┼──────────────┼───────────────┼──────────────────────────┤ │
│ │ apac-prod-2026-02- │ Prod │ OSV+NVD+KEV │ 2026-02-18 02: │ [Download] [Verify] │ │
│ │ apac-uat-2026-02- │ UAT │ OSV+KEV │ 2026-02-17 02: │ [Download] [Verify] │ │
│ └───────────────────┴───────────┴──────────────┴───────────────┴──────────────────────────┘ │
│ Notes: Bundle embeds version locks + signing metadata for audit. │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
## 10.8 Screen — Feeds & AirGap Ops (Version Locks)
### Formerly
* Operations → Feeds → **Version Locks** tab.
### Why change
* Version locks are the core of **reproducible gating**:
  * “This approval used NVD snapshot X, OSV snapshot Y.”
  * Essential for external audits and internal replay/verify.
### Screen graph (Mermaid)
```mermaid
flowchart LR
A[Version Locks] --> B[Create Lock]
A --> C[Lock Detail]
A --> D[Apply Lock to Region/Env]
A --> E[Apply Lock to Release]
E --> F["Release Detail<br/>Determinism tab"]
```
### ASCII mock
```text
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ Feeds & AirGap Ops ▸ Version Locks (Formerly: Operations ▸ Feeds ▸ Version Locks) │
│ Region: US-East │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Actions: [+ Create Version Lock] [Apply to Release] [Apply to Env] │
├────────────────────────────────────────────────────────────────────────────────────────────┤
│ Locks │
│ ┌───────────────┬───────────────┬───────────────┬──────────────────────┬───────────────────┐ │
│ │ Lock ID │ Sources │ Created │ Scope │ Actions │ │
│ ├───────────────┼───────────────┼───────────────┼──────────────────────┼───────────────────┤ │
│ │ lock-2026-02-18│ NVD, OSV, KEV │ 2026-02-18 │ US-East / Prod │ [View] [Apply] │ │
│ │ lock-2026-02-17│ OSV, KEV │ 2026-02-17 │ APAC / UAT │ [View] [Apply] │ │
│ └───────────────┴───────────────┴───────────────┴──────────────────────┴───────────────────┘ │
│ Audit note: locks are referenced in Evidence Bundles + Replay/Verify. │
└────────────────────────────────────────────────────────────────────────────────────────────┘
```
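As an added example (not code from this pack or from Stella Ops), the determinism control that 10.7 and 10.8 describe: a version lock pins each source to a snapshot id and the SHA-256 of its dataset, and a replay/verify step checks that an AirGap bundle carries exactly those datasets, reporting a swapped dataset, a missing pinned source, an unpinned extra, or a lock whose own digest no longer matches. Source names, snapshot ids, the bundle name and the dataset bytes are constructed stand-ins.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical_digest(obj) -> str:
    """Digest over canonical JSON (sorted keys, fixed separators), so the same lock
    content always hashes identically; replay/verify depends on that stability."""
    return sha256_hex(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())

def create_lock(lock_id: str, datasets: dict[str, tuple[str, bytes]]) -> dict:
    """Pin each source to a snapshot id plus the SHA-256 of the dataset bytes.
    datasets maps source name -> (snapshot_id, dataset_bytes)."""
    sources = {src: {"snapshot": snap, "sha256": sha256_hex(data)}
               for src, (snap, data) in datasets.items()}
    return {"lock_id": lock_id, "sources": sources, "lock_digest": canonical_digest(sources)}

def verify_bundle(bundle: dict, lock: dict) -> list[str]:
    """Replay/verify: check that an AirGap bundle carries exactly the datasets the
    lock pinned. Returns findings; an empty list means the bundle matches the lock."""
    findings = []
    if bundle["lock_id"] != lock["lock_id"]:
        findings.append(f"bundle references {bundle['lock_id']}, expected {lock['lock_id']}")
    if canonical_digest(lock["sources"]) != lock["lock_digest"]:
        findings.append("lock digest does not match lock contents (lock altered or corrupted)")
    for src, pinned in lock["sources"].items():
        data = bundle["contents"].get(src)
        if data is None:
            findings.append(f"{src}: pinned snapshot {pinned['snapshot']} missing from bundle")
        elif sha256_hex(data) != pinned["sha256"]:
            findings.append(f"{src}: dataset differs from pinned snapshot {pinned['snapshot']}")
    for extra in sorted(set(bundle["contents"]) - set(lock["sources"])):
        findings.append(f"{extra}: present in bundle but not pinned by the lock")
    return findings

# Constructed stand-ins for real feed snapshots (ids and bytes are made up).
DATASETS = {
    "NVD": ("nvd-2026-02-18T02:00Z", b"nvd snapshot bytes (constructed)"),
    "OSV": ("osv-2026-02-18T01:00Z", b"osv snapshot bytes (constructed)"),
    "CISA KEV": ("kev-2026-02-17T23:00Z", b"kev snapshot bytes (constructed)"),
}
LOCK = create_lock("lock-2026-02-18", DATASETS)
GOOD_BUNDLE = {"bundle_name": "us-east-prod-2026-02-18", "lock_id": LOCK["lock_id"],
               "contents": {src: data for src, (_, data) in DATASETS.items()}}
# Same bundle, but the NVD dataset was replaced after the lock was cut.
TAMPERED_BUNDLE = {**GOOD_BUNDLE,
                   "contents": {**GOOD_BUNDLE["contents"], "NVD": b"a different nvd snapshot"}}
```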
---
## What changed vs the *previous* draft (to keep the reorg intact)
* I'm keeping **Integrations Hub** under **Integrations** (configuration + dependency map).
* I'm placing **Feeds & AirGap Ops** under **Platform Ops** (operator workflows + determinism tooling), but it remains **second-class** because:
  * It's linked from **Integrations Hub** (source issues → ops controls),
  * and it should be linked from the **Dashboard “Nightly Ops Signals”** card.
---
If you want, I can do **Pack 11** next for the remaining “Settings-class” pages you attached (Usage & Limits, Notifications, Identity & Access, Trust & Signing, System) but **in the new IA**, with the same: **Mermaid menu + per-screen graphs + ASCII mocks + Formerly/Why**.