git.stella-ops.org/docs/qa/console-ui-qa-strategy.md

# Console UI QA Strategy

## Goal
- Produce QA work that proves Stella Ops can be operated to release with confidence.
- Focus downstream agents on route truth, tab truth, evidence linkage, and corrective-action handoffs instead of generic visual review.
- Turn runtime findings into concrete test and fix work under `src/Web/StellaOps.Web/`.

## Required Reading
- `docs/product/release-with-confidence-product-card.md`
- `docs/qa/console-ui-traversal-map.md`
- `docs/qa/feature-checks/FLOW.md`
- `docs/UI_GUIDE.md`
- `src/Web/AGENTS.md`

## Preconditions
1. Start the Web app and required local services before any UI verification.
2. Use authenticated QA sessions. For local-source passes, seed the persisted auth keys used by `AuthSessionStore`:
   - `stellaops.auth.session.full`
   - `stellaops.auth.session.info`
   - `stellaops:wasEverAuth`
3. Do not rely on `window.__stellaopsTestSession` as the only bootstrap path. The current live guard contract is storage-based.
4. If running against the live frontdoor instead of the local source server, export `STELLAOPS_FRONTDOOR_PASSWORD` or `STELLAOPS_ADMIN_PASS` before starting the run.
5. Do not write transient Playwright output into a watched Angular source path during a live `ng serve` pass unless rebuild churn is acceptable. Prefer a temp directory or write once after the traversal completes.

## What Counts As A Pass
- The route lands on the correct canonical page or canonical child route.
- The page clearly states what surface the operator is on.
- The page preserves release, evidence, policy, or admin context instead of silently collapsing into another workspace.
- Every visible tab lands on a truthful state with distinct route or content identity.
- Empty states tell the operator what is missing and what action to take next.
- Primary CTAs lead to the owning corrective workflow.

## What Counts As A Failure
- Redirects that lose authority, tenant, or base-url context.
- Evidence routes that silently become unrelated Ops pages without preserving evidence identity.
- Pages with no stable page identity in the main surface.
- Tabs that render but do not change route or state in a way the operator can understand.
- Placeholder or empty content presented without an explanation of what data or action is missing.
- Broken admin or setup handoffs that prevent the operator from reaching the owning page.

## Execution Order
1. Resolve active route and redirect defects first.
2. Verify Release Control and Release Policies next.
3. Verify Security next.
4. Verify Evidence and Ops next.
5. Verify Setup and Admin last.

This order is intentional. A polished admin page does not compensate for ambiguous release, policy, or evidence truth.

## Route-Family Checks

### Release Control
| Entry route | Seek for | Required interactions | Failure signals |
| --- | --- | --- | --- |
| `/environments/overview` | clear environment readiness ownership | load page, verify the main panel is not just nav chrome, check whether topology or readiness content exists | missing top-level page identity or only shell text |
| `/releases` | release list anchored to versions or bundles | verify sort and filter chips, empty-state truth, drill into release identity when possible | page title only, no release context in main panel |
| `/releases/deployments` | deployment state and approval queue visibility | switch visible state filters, confirm counts and state labels remain coherent | filters that do not change visible state or route |
| `/releases/bundles` | digest-first bundle identity and validation context | verify bundle states, digest-oriented copy, and bundle creation handoff if present | tag-first copy or missing digest and evidence context |
| `/releases/promotions` | promotion queue and readiness | verify page state and empty-state guidance | generic list shell without promotion meaning |
| `/releases/approvals` | approvals segmented by decision state | click all tabs: Pending, Approved, Rejected, Expiring, My Team | tabs render but do not change state or route |

### Release Policies
| Entry route | Seek for | Required interactions | Failure signals |
| --- | --- | --- | --- |
| `/ops/policy/packs` | release policy entry surface | confirm the page has main-panel identity and is not only nav chrome | title exists but no main-panel page identity |
| `/ops/policy/governance` | governance ownership | click Governance, VEX & Exceptions, Simulation, Audit; confirm route changes and headings follow | cross-links present but content stays ambiguous |
| `/ops/policy/vex` | VEX conflict and exception truth | click local VEX tabs such as Search, Stats, Consensus, Explorer, Conflicts, Exceptions | VEX surface lacks distinct page state or operator action |
| `/ops/policy/simulation` | what-if and promotion-gate simulation | click Shadow Mode, Promotion Gate, Test & Validate, Pre-Promotion Review, Effective Policies, Exceptions | simulation tabs do not expose a reviewable scenario or result state |

### Security
| Entry route | Seek for | Required interactions | Failure signals |
| --- | --- | --- | --- |
| `/security/images` | security posture attached to a release or image selection | click Summary, Findings, SBOM, Reachability, VEX, Evidence | tabs break context or the empty state hides what must be selected |
| `/security/risk` | risk budget and verdict truth | verify Current Verdict, Side-by-Side Risk Diff, Exception Workflow | metrics or exceptions render as placeholders without explanation |
| `/security/advisory-sources` | source freshness and feed ownership | confirm the page has page-level identity and feed-specific actions or state | route title only, no main-panel identity |
| `/triage/artifacts` | vulnerability triage work surface | confirm page identity, queue or state controls, and drill-in affordances | route resolves but only shell text is present |

### Evidence
| Entry route | Seek for | Required interactions | Failure signals |
| --- | --- | --- | --- |
| `/evidence/overview` | evidence-specific landing page | confirm whether aliasing to Ops > Audit is intentional and understandable to an operator | silent collapse into Audit with no Evidence identity |
| `/evidence/audit-log` | audit-event search and log review | exercise search and pagination controls if available | search and log surface lacks audit identity |
| `/evidence/verify-replay` | replay request, replay queue, quick verify | click visible replay controls, confirm mismatch and empty-state copy is truthful | replay surface exists but offers no actionable next step |
| `/evidence/exports` | export ownership and workflow | verify page identity and export actions | route title only, no export-specific surface |
| `/evidence/capsules` | proof-bundle and capsule ownership | confirm whether this intentionally maps to Audit > Bundles or incorrectly loses capsule identity | route lands in Audit with no capsule language |

### Ops
| Entry route | Seek for | Required interactions | Failure signals |
| --- | --- | --- | --- |
| `/ops/operations/jobengine` | execution control plane | click Runs, Schedules, Workers and verify state changes | tabs render but do not alter the visible slice |
| `/ops/operations/feeds-airgap` | feed and offline readiness | verify the page is not mislabeled as generic dashboard content | "About this page" points to the wrong workspace or no feed identity exists |
| `/ops/operations/doctor` | diagnostics ownership | confirm service-health and drift checks appear in the main panel | title exists but no diagnostic identity or actions |
| `/ops/operations/audit` | audit workspace | click All Events, Timeline, Correlations, Exports, Bundles | tabs do not preserve audit context |
| `/ops/scripts` | operator scripts and filtering | exercise visible language and visibility filters | filters do not affect state or are mislabeled |

### Setup And Admin
| Entry route | Seek for | Required interactions | Failure signals |
| --- | --- | --- | --- |
| `/setup` | setup workspace overview | verify each tile links to the owning setup route | setup overview lists areas but handoffs are broken |
| `/setup/integrations` | integration ownership | confirm page identity and integration-specific actions | route title only, no integration surface |
| `/setup/trust-signing` | trust and signing canonical child route | click Signing Keys, Trusted Issuers, Certificates, Audit | keys child route is fine, but parent trust identity must remain obvious |
| `/setup/identity-providers` | identity-provider CRUD surface | verify list and create affordances | page lands but cannot express current state or next step |
| `/setup/tenant-branding` | tenant and branding ownership | confirm page identity and editable controls | route title only, no branding-specific surface |
| `/console-admin/*` | admin deep links | verify redirects keep the correct origin and page ownership | redirects drop the port or base URL or land on the wrong setup page |

## Retained Automation Requirements
- Any manual route or tab discovered during QA must become retained Playwright coverage before the feature area is considered stable.
- New or corrected tests must follow the current route contract, not the retired standalone Evidence sidebar expectation.
- Admin-route coverage must explicitly assert the final URL origin so port-dropping redirects are caught.
- Evidence-route coverage must assert whether a route is intentionally aliased or whether it must preserve standalone Evidence identity.

## Downstream Sprint Split
- `SPRINT_20260421_005_FE_console_route_identity_and_redirect_truth.md`
- `SPRINT_20260421_006_FE_release_and_security_console_behavioral_qa.md`
- `SPRINT_20260421_007_FE_evidence_ops_setup_admin_console_behavioral_qa.md`

These sprints are intentionally small enough that another agent can verify and fix within `src/Web/StellaOps.Web/` without re-deriving the product model.