Business Hub quality pages: requirement registry, STRIDE threat registry, Stephens report cards, dark stages#220
Conversation
…cy paths (#97) The stage-report collector only looked at the canonical artifacts/stages/<id>/<artifact> path, but several agent contracts still write legacy locations (01-transcript, 02-requirements/requirement_spec, 03-documentation output, 08/09/10/11 legacy copies, 12 security/). Those stages rendered as dark in every run view. resolveStageArtifactPath tries canonical first, then the contract-listed fallbacks — no files move, no paths invented. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…fect analysis, maintenance taxonomy (#215) 09-deployment renders the required cutover block (strategy, rationale, point of no return, options considered); 10-summary renders defect_analysis by Ishikawa cause bucket with retry rollup and honest 'not yet measured' for null metrics; 11-feedback-loop renders the four-category maintenance taxonomy (remediation[], issues[].remediation, goal criteria) plus goal criteria met/unmet. 01-transcript and 03-documentation cards now render their real contract fields (decisions/open questions; documents_created + requirement counts + adopted-run docs). Absent artifacts state which stage produces them instead of rendering blanks. Tests evaluate the real page modules against a DOM stub (fixture-shaped artifacts in, rendered panels out) and pin the legacy-path stage-artifact resolution from the previous commit. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…#90) The Requirements & Traceability page now renders the stage-02 requirement spec as a registry table — id, requirement text, category (FURPS+ for NFRs), MoSCoW priority, verification method — with a test-coverage column cross-checked against the stage-08 test report's requirements_covered (honest 'not yet traceable' when the chain breaks). The written won't-have list and out-of-scope items render in their own panels, and coverage KPIs are computed from the same data. The per-run traceability chain cards stay. Empty states say which stage produces the data. Traceability drift (#74) stays out of scope — this is the static registry only. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The Security page now renders the real stage-12 threat model of the newest run in scope: STRIDE registry table (severity + DREAD, threat + category + component, mitigation status), a critical/high/medium/low severity heatmap with a STRIDE breakdown strip, mitigation progress counts and trust-boundary count, and a release gate driven by open critical/high threats (plus the artifact's own release_gate reason). The prior alert-count heuristic — which its own comment called a first pass until #91 — is gone. With no threat model in scope the page says stage 12 produces it and reports the release gate as UNKNOWN rather than claiming no blocker. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ges (#97) Each row on Projects & Runs now shows how many of the 15 canonical stages produced an artifact, with named chips for the historically invisible trio: Brief (01-transcript), Docs (03-documentation) and Feedback (11-feedback-loop). Combined with the legacy-path artifact resolution and the real-field stage cards, those stages now appear everywhere other stage reports already do. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…uns (#97) liteRunFromEntry rehydrated every completed run with stageReports: [] — so once a run left the full-parse path, every stage looked dark on run views (Run Report's stages-reported KPI included). Index entries now carry stage_reports; INDEX_VERSION bumps to 2 so existing caches self-heal with one rebuild. Pre-v2 entries degrade to [] instead of crashing. The rollup test asserts the exported INDEX_VERSION instead of a hardcoded 1. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
… defined under the eslint browser/test env Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Qodo reviews are paused for this user.Troubleshooting steps vary by plan Learn more → On a Teams plan? Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center? |
|
Warning Review limit reached
Next review available in: 42 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (9)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
# Conflicts: # src/observability/dashboard/ui/styles.js
Quality-pages slice of the 2026-07-06 UI wave (post-#216 page-module split).
Closes #90
Closes #91
Closes #97
Part of #215
What shipped
Requirements & Traceability (#90) — the page now renders the stage-02 requirement spec as an FR/NFR registry: id, requirement text, category (FURPS+ for NFRs), MoSCoW priority, verification method, and a test-coverage column cross-checked against the stage-08 test report's
test_levels.*.requirements_covered(honest "not yet traceable" wherever the chain breaks). The writtenwont_havelist andout_of_scopeitems render in their own panels — a written won't-have prevents scope disputes. Coverage KPIs are computed from the same data. The per-run traceability chain cards stay. Traceability drift (#74) is deliberately out of scope: this is the static registry only.Security (#91) — replaces the alert-count heuristic (which its own comment called a first pass until #91) with the real stage-12 threat model of the newest run in scope: STRIDE registry table (severity + DREAD score, threat/category/component, mitigation status), critical/high/medium/low severity heatmap with a STRIDE breakdown strip, mitigation progress + trust-boundary counts, and a release gate driven by open critical/high threats. With no threat model in scope the gate reads unknown — the page never fabricates a "no blocker" verdict.
Run Report Stephens cards (#215 slice) — 09-deployment renders the required
cutoverblock (strategy, rationale, point of no return, options considered); 10-summary rendersdefect_analysisby Ishikawa cause bucket with the retry rollup and null metrics as "not yet measured"; 11-feedback-loop renders the four-category maintenance taxonomy plus goal-criteria met/unmet. 01-transcript and 03-documentation cards now render their real contract fields.Dark stages (#97) — two real root causes fixed:
artifacts/stages/<id>/<artifact>path, while several agent contracts still write legacy locations (artifacts/transcript.json,requirement_spec.json,documents/documentation_output.json, the 08/09/10/11 legacy copies,security/threat_model.json).resolveStageArtifactPathnow tries canonical first, then the contract-listed fallbacks — paths copied fromagents/sdlc/*.md, nothing invented.stageReports: [], so index-served runs looked stage-less everywhere (including Run Report's stages-reported KPI). Entries now persiststage_reports;INDEX_VERSIONbumps to 2 so existing caches self-heal with one rebuild.On top of that, each Projects & Runs row carries a stage-report strip (
n/15 stage reports) with named chips for the historically invisible trio: Brief (01), Docs (03), Feedback (11).Honest-empty-state stance
Every new panel that lacks data states which stage produces it (02 → requirement_spec.json, 08 → requirement-linked tests, 12 → threat_model.json, 09 → cutover block, 10 → defect analysis, 11 → categorized remediations) instead of rendering blank or optimistic.
Tests
tests/dashboard-quality-pages.test.js(20 new tests) evaluates the real page modules against a DOM stub — fixture-shaped artifacts in, rendered panels out — covering each registry/card and each empty state, plus the legacy-path resolution, the canonical-wins rule, and the index roundtrip. The #216 bundle-compile test stays green.Verified in the running hub (worktree + extended local fixture run, not committed)
tested (acceptance)vs honest gaps, 2/5 coverage KPI, won't-have + out-of-scope panels; empty state without a spec run.cost_usd→ not yet measured), maintenance taxonomy (1 corrective), transcript/documentation real fields, 8/15 stages-reported KPI.Gates:
npm test(675 pass),npm run lint,npm run validate(196 agents),node scripts/security-audit.mjs,git diff --check— all green.🤖 Generated with Claude Code