Skip to content

Business Hub quality pages: requirement registry, STRIDE threat registry, Stephens report cards, dark stages#220

Merged
richard-devbot merged 8 commits into
mainfrom
feat/ui-quality-90-91-97
Jul 6, 2026
Merged

Business Hub quality pages: requirement registry, STRIDE threat registry, Stephens report cards, dark stages#220
richard-devbot merged 8 commits into
mainfrom
feat/ui-quality-90-91-97

Conversation

@richard-devbot

Copy link
Copy Markdown
Owner

Quality-pages slice of the 2026-07-06 UI wave (post-#216 page-module split).

Closes #90
Closes #91
Closes #97
Part of #215

What shipped

Requirements & Traceability (#90) — the page now renders the stage-02 requirement spec as an FR/NFR registry: id, requirement text, category (FURPS+ for NFRs), MoSCoW priority, verification method, and a test-coverage column cross-checked against the stage-08 test report's test_levels.*.requirements_covered (honest "not yet traceable" wherever the chain breaks). The written wont_have list and out_of_scope items render in their own panels — a written won't-have prevents scope disputes. Coverage KPIs are computed from the same data. The per-run traceability chain cards stay. Traceability drift (#74) is deliberately out of scope: this is the static registry only.

Security (#91) — replaces the alert-count heuristic (which its own comment called a first pass until #91) with the real stage-12 threat model of the newest run in scope: STRIDE registry table (severity + DREAD score, threat/category/component, mitigation status), critical/high/medium/low severity heatmap with a STRIDE breakdown strip, mitigation progress + trust-boundary counts, and a release gate driven by open critical/high threats. With no threat model in scope the gate reads unknown — the page never fabricates a "no blocker" verdict.

Run Report Stephens cards (#215 slice) — 09-deployment renders the required cutover block (strategy, rationale, point of no return, options considered); 10-summary renders defect_analysis by Ishikawa cause bucket with the retry rollup and null metrics as "not yet measured"; 11-feedback-loop renders the four-category maintenance taxonomy plus goal-criteria met/unmet. 01-transcript and 03-documentation cards now render their real contract fields.

Dark stages (#97) — two real root causes fixed:

  1. The stage-report collector only looked at the canonical artifacts/stages/<id>/<artifact> path, while several agent contracts still write legacy locations (artifacts/transcript.json, requirement_spec.json, documents/documentation_output.json, the 08/09/10/11 legacy copies, security/threat_model.json). resolveStageArtifactPath now tries canonical first, then the contract-listed fallbacks — paths copied from agents/sdlc/*.md, nothing invented.
  2. The rollup index rehydrated every completed run with stageReports: [], so index-served runs looked stage-less everywhere (including Run Report's stages-reported KPI). Entries now persist stage_reports; INDEX_VERSION bumps to 2 so existing caches self-heal with one rebuild.

On top of that, each Projects & Runs row carries a stage-report strip (n/15 stage reports) with named chips for the historically invisible trio: Brief (01), Docs (03), Feedback (11).

Honest-empty-state stance

Every new panel that lacks data states which stage produces it (02 → requirement_spec.json, 08 → requirement-linked tests, 12 → threat_model.json, 09 → cutover block, 10 → defect analysis, 11 → categorized remediations) instead of rendering blank or optimistic.

Tests

tests/dashboard-quality-pages.test.js (20 new tests) evaluates the real page modules against a DOM stub — fixture-shaped artifacts in, rendered panels out — covering each registry/card and each empty state, plus the legacy-path resolution, the canonical-wins rule, and the index roundtrip. The #216 bundle-compile test stays green.

Verified in the running hub (worktree + extended local fixture run, not committed)

  • Traceability: 3 FR / 2 NFR registry with MoSCoW pills, verification text, tested (acceptance) vs honest gaps, 2/5 coverage KPI, won't-have + out-of-scope panels; empty state without a spec run.
  • Security: 4-threat STRIDE registry sorted by severity, 0/1/2/1 heatmap, "3 of 4 threats have a recorded mitigation", gate "needs review — 1 critical/high open"; scoping to a run without a threat model → "Release gate unknown".
  • Run Report: cutover card (staged + rationale + point of no return), defect analysis (process/tools buckets, cost_usd → not yet measured), maintenance taxonomy (1 corrective), transcript/documentation real fields, 8/15 stages-reported KPI.
  • Projects & Runs: "8/15 stage reports · Brief · Docs · Feedback" strip on the fixture run row; no console errors.

Gates: npm test (675 pass), npm run lint, npm run validate (196 agents), node scripts/security-audit.mjs, git diff --check — all green.

🤖 Generated with Claude Code

richardsongunde and others added 7 commits July 6, 2026 20:20
…cy paths (#97)

The stage-report collector only looked at the canonical
artifacts/stages/<id>/<artifact> path, but several agent contracts still
write legacy locations (01-transcript, 02-requirements/requirement_spec,
03-documentation output, 08/09/10/11 legacy copies, 12 security/). Those
stages rendered as dark in every run view. resolveStageArtifactPath tries
canonical first, then the contract-listed fallbacks — no files move, no
paths invented.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…fect analysis, maintenance taxonomy (#215)

09-deployment renders the required cutover block (strategy, rationale,
point of no return, options considered); 10-summary renders defect_analysis
by Ishikawa cause bucket with retry rollup and honest 'not yet measured'
for null metrics; 11-feedback-loop renders the four-category maintenance
taxonomy (remediation[], issues[].remediation, goal criteria) plus goal
criteria met/unmet. 01-transcript and 03-documentation cards now render
their real contract fields (decisions/open questions; documents_created +
requirement counts + adopted-run docs). Absent artifacts state which stage
produces them instead of rendering blanks.

Tests evaluate the real page modules against a DOM stub (fixture-shaped
artifacts in, rendered panels out) and pin the legacy-path stage-artifact
resolution from the previous commit.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…#90)

The Requirements & Traceability page now renders the stage-02 requirement
spec as a registry table — id, requirement text, category (FURPS+ for
NFRs), MoSCoW priority, verification method — with a test-coverage column
cross-checked against the stage-08 test report's requirements_covered
(honest 'not yet traceable' when the chain breaks). The written won't-have
list and out-of-scope items render in their own panels, and coverage KPIs
are computed from the same data. The per-run traceability chain cards stay.
Empty states say which stage produces the data. Traceability drift (#74)
stays out of scope — this is the static registry only.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The Security page now renders the real stage-12 threat model of the newest
run in scope: STRIDE registry table (severity + DREAD, threat + category +
component, mitigation status), a critical/high/medium/low severity heatmap
with a STRIDE breakdown strip, mitigation progress counts and trust-boundary
count, and a release gate driven by open critical/high threats (plus the
artifact's own release_gate reason). The prior alert-count heuristic — which
its own comment called a first pass until #91 — is gone. With no threat
model in scope the page says stage 12 produces it and reports the release
gate as UNKNOWN rather than claiming no blocker.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ges (#97)

Each row on Projects & Runs now shows how many of the 15 canonical stages
produced an artifact, with named chips for the historically invisible trio:
Brief (01-transcript), Docs (03-documentation) and Feedback
(11-feedback-loop). Combined with the legacy-path artifact resolution and
the real-field stage cards, those stages now appear everywhere other stage
reports already do.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…uns (#97)

liteRunFromEntry rehydrated every completed run with stageReports: [] — so
once a run left the full-parse path, every stage looked dark on run views
(Run Report's stages-reported KPI included). Index entries now carry
stage_reports; INDEX_VERSION bumps to 2 so existing caches self-heal with
one rebuild. Pre-v2 entries degrade to [] instead of crashing. The rollup
test asserts the exported INDEX_VERSION instead of a hardcoded 1.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
… defined under the eslint browser/test env

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@qodo-code-review

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@richard-devbot, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 42 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f0db6297-eef1-4b01-a496-81d605389132

📥 Commits

Reviewing files that changed from the base of the PR and between fc310c9 and c5fe88b.

📒 Files selected for processing (9)
  • src/observability/dashboard/state/rollup-index.js
  • src/observability/dashboard/state/stage-reports.js
  • src/observability/dashboard/ui/pages/projects-runs.js
  • src/observability/dashboard/ui/pages/run-report.js
  • src/observability/dashboard/ui/pages/security.js
  • src/observability/dashboard/ui/pages/traceability.js
  • src/observability/dashboard/ui/styles.js
  • tests/dashboard-quality-pages.test.js
  • tests/dashboard-rollup-index.test.js
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/ui-quality-90-91-97

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

# Conflicts:
#	src/observability/dashboard/ui/styles.js
@richard-devbot richard-devbot merged commit 5d669bf into main Jul 6, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

2 participants