Platform QA Report: Full Retest — Post-Sergey Feedback

Date: 2026-03-30

Environment: https://dev.securityv0.com (version dev-c8ad602)

Verdict: Ready for design partner demo — 1 high-severity default sort issue, 4 medium/low items. No blockers for demo flow.

At a Glance

Complete retest of ALL changes since Sergey's March 26 feedback, including 3 new PRs (#231, #242, #243) that landed after the initial March 29 QA. Previous QA found 4 low issues — all now fixed (#236).

Section	PRs	Result	Issues
1. Overview + Trends	#240	PASS	—
2. Findings Smart Defaults	#237, #238, #239	PASS (1 issue)	1 HIGH
3. Finding Detail	#237, #241	PASS	—
4. Cluster Detail	#213, #227	PASS	—
5. Evidence Classification API	#228	PASS (1 issue)	1 MEDIUM
6. Mitigation Tracking	#229	PASS	—
7. Access Path Grouping	#230	PASS	—
8. Attestation & Review API	#231	PASS	—
9. Ownership Assignment	#243	PASS (1 issue)	1 LOW
10. QA Fix Verification	#236	PASS	—
11. Cross-Cutting	All	PASS	—

Totals: 1 HIGH, 1 MEDIUM, 3 LOW across 11 sections.

1. Overview + Trend Indicators (#240)

All metrics load with demo data. Trend arrows show "—" placeholder since demo tenant has only one scan — correct behavior.

Overview with trend indicators

Tooltip confirms: "Trend data available after 2+ scans" appears both as visible text and on hover.

Trend tooltip on hover

Check	Result
Sidebar shows "Access Paths"	PASS
Scan Metrics show trend arrows or placeholder	PASS
Business Metrics show "—" for missing data	PASS
Tooltip explains placeholder	PASS
Console errors	PASS — none

2. Findings List — Smart Defaults + Evidence Badges (#237, #238, #239)

Smart Defaults (#238)

Default view correctly pre-selects status=active. Three preset buttons visible.

Default findings view with presets

"Critical Active" preset filters correctly:

Critical Active preset applied

Cell-click filtering works — clicking a severity badge or type tag filters the list:

Cell-click filtering

Evidence Badges (#237)

"Evidence" column visible between Source and Status. Badges show descriptive labels with color coding:

Evidence badges on findings list

Entity Column (#239)

Entity column shows entity names (not "Workload") with links to /entities/:id. Navigation works.

Check	Result
Default shows active findings	PASS
3 preset buttons visible	PASS
"Critical Active" filters + deselects	PASS
"New This Week" filters to recent	PASS
"High & Active" filters correctly	PASS
Cell-click severity filters	PASS
Cell-click type tag filters	PASS
Evidence column present	PASS
Badge labels readable	PASS
Badge color coding	PASS
Entity column with links	PASS
Descriptions wrap to 2 lines	PASS
Default sort severity-descending	FAIL — see ISSUE-001

3. Finding Detail — Evidence Badge + Inline Path (#237, #241)

Evidence Badge in Header (#237)

Badge visible next to severity in the finding header, with full classification label:

Inline Path Visualization (#241)

For findings with a path_id, the workload → identity → destination chain is shown with blast radius summary:

Inline path visualization

Chain shows role labels and source system
Blast radius: "8 executions (30d) - Domain: finance - Sensitivity: restricted - 3 active findings"
"View full path →" link navigates to /authority-paths/:id
Findings WITHOUT path_id show no visualization (no error)

Evidence Pack (#226 retest)

Recommended Actions above Evidence Pack. Three sections expanded by default. No duplicate remediation.

Evidence Pack sections

Check	Result
Evidence badge in header	PASS
Full label visible	PASS
Color matches classification	PASS
Inline path chain visible	PASS
Blast radius summary	PASS
"View full path →" link	PASS
No-path finding: no error	PASS
Recommended Actions above Evidence Pack	PASS
3 sections expanded by default	PASS

4. Risk Cluster Detail (#213, #227)

Metric card labels fully readable at all 3 viewports — no truncation.

1024px

Cluster detail at 1024px

1280px

Cluster detail at 1280px

1536px

Cluster detail at 1536px with expanded paths

Access Paths table expanded by default (24 paths visible). "Orphaned" terminology used consistently (#236 fix verified).

5. Evidence Classification API (#228)

Check	Result	Detail
`meta.byClassification` populated	PASS	structural_authority: 260, correlated_pattern: 105, observed_absence: 32
Individual findings have classification	PASS	All sampled findings have both fields
`evidence_claim` object complete	PASS	All fields: claim_statement, classification, basis[], business_impact, recommended_action
`?classification=structural_authority` filter	PASS	Returns correct data (see ISSUE-002 on count)
Exposures have classifications	PASS	`evidence_classifications[]` and `primary_classification` present
orphaned_ownership → structural_authority	PASS
scope_drift → correlated_pattern	PASS
dormant_authority → observed_absence	PASS

Full API output: api-output/evidence-classification.json

6. Mitigation Tracking (#229)

Full interactive flow tested with video recording.

Track Button

After Tracking

Tracked badge after click

Tracked Actions Section

Tracked Actions with Proposed status

Status Lifecycle

Status advanced to Assigned

Status advanced to In Progress

Persistence

Actions persist after page reload

Duplicate Prevention

Tracked badge prevents duplicate

Check	Result
Track button visible	PASS
Click → changes to "Tracked"	PASS
Tracked Actions section appears	PASS
Advance: Proposed → Assigned	PASS
Advance: Assigned → In Progress	PASS
Persistence after refresh	PASS
Duplicate prevention	PASS
API: list mitigation actions	PASS
API: summary endpoint	PASS
API: version conflict → 409	PASS

Video: mitigation-tracking-flow.webm

7. Access Path Grouping (#230)

Flat View (Default)

Default flat view

Grouped View

Grouped by identity — 13 groups, 74 paths

Expanded Group

svc-data-pipeline expanded with child paths

Filtered (Orphaned)

Filtered to Orphaned — 6 groups, 25 paths

Check	Result
Default flat view	PASS
Toggle to grouped	PASS
Header "13 of 13 groups (74 paths)"	PASS
svc-data-pipeline: 3 workloads, Cross-workload	PASS
svc-compliance-bot: Orphaned, Cross-workload	PASS
svc-ai-orchestrator: 2 workloads	PASS
[Unbound] Legacy Batch: amber badge	PASS
Expand group → child paths	PASS
Filter works in grouped mode	PASS
Persistence after refresh	PASS
API: grouped endpoint	PASS — 14 surfaces, 75 paths
API: orphaned filter	PASS — 7 surfaces
API: pagination (limit=5)	PASS — has_more=true

8. Attestation & Review Cadence API (#231)

Check	Result	Detail
Create attestation	PASS	201 with context_hash computed
Attestation status	PASS	is_current=true, overdue=false, days_until_due=90
List attestations	PASS	1 returned
Create review cadence	PASS	201, monthly critical review
List cadences	PASS	1 returned
Delete cadence	PASS	HTTP 204

Full API output: api-output/attestation-lifecycle.json

9. Ownership Assignment (#243)

No Owner State

Not assigned + Assign owner button

Assignment Form

Inline form with email, name, team

Assigned

Alice Smith assigned as Platform Owner

Reassigned

Bob Jones replaces Alice

Revoked

Owner revoked with reason

Check	Result
"Not assigned" + "Assign owner" visible	PASS
Inline form: email, name, team	PASS
Submit creates assignment	PASS
"Reassign" and "Revoke" visible	PASS
Reassign replaces owner	PASS
Revoke prompts for reason	PASS
Persistence after refresh	PASS
API: create → active	PASS
API: list active → 1	PASS
API: revoke → revoked	PASS
API: invalid target → TARGET_NOT_FOUND	PASS

Full API output: api-output/ownership-lifecycle.json

10. QA Fix Verification (#236)

Check	Result
"Orphaned" terminology (not "Unowned")	PASS — confirmed across clusters, paths, grouped view
All findings have evidence classification badges	PASS — 51/51 active findings have badges

11. Cross-Cutting

Console Errors

Page	Errors
Overview	0
Clusters	0
Findings	0
Access Paths	0
Graph Explorer	0

Viewport Testing

Overview at 1024px

Overview at 1920px

No layout breakage at either viewport. Sidebar "Access Paths" link navigates correctly.

Open Items

ISSUE-001: Default findings sort not severity-descending — HIGH

Section: 2 (Findings List)
Problem: Default findings view (status=active) shows medium-severity findings first. Critical active findings exist (51 via "Critical Active" preset) but don't appear at the top.
Expected: Severity-descending sort (critical → high → medium → low) as default
Impact: First impression of the findings list doesn't lead with the most important items
Recommended fix: Set default sort parameter to severity:desc in the findings list page

ISSUE-002: total_count returns page size when classification filter applied — MEDIUM

Section: 5 (Evidence Classification API)
Problem: GET /api/v1/findings?classification=structural_authority returns total_count: 51 (page size) instead of the actual matching count (260 per byClassification facet)
Impact: API consumers can't determine how many findings match a classification filter
Recommended fix: Ensure total_count reflects the filtered total, not the page limit

ISSUE-003: Reassign doesn't auto-revoke previous assignment — LOW

Section: 9 (Ownership Assignment)
Problem: When reassigning from Alice to Bob, then revoking Bob, Alice reappears as owner. Reassign creates a new assignment without revoking the previous one.
Impact: Minor — revoking twice clears correctly. But could confuse audit trail.
Recommended fix: Auto-revoke existing active assignment when a new one is created for the same target

Section: 2 (Findings List)
Problem: Navigating to ?finding_type=no_active_owner shows "All types" in dropdown and returns 0 results, even though findings of that type exist
Impact: Deep links with type filters may not work as expected

ISSUE-005: Exposure title field missing — LOW

Section: 5 (Evidence Classification API)
Problem: GET /api/v1/exposures returns no title field on exposure objects
Impact: Cosmetic — UI may show fallback text

Release Readiness

Not ready for demo
Ready for internal demo
Ready for design partner demo
Ready for broader pilot

Justification: All 11 sections pass with zero critical issues. The HIGH-severity default sort issue (#001) doesn't block the demo — the "Critical Active" preset works correctly and provides the intended view. Evidence classification, mitigation tracking, identity grouping, attestations, and ownership assignment all function as specified. Zero console errors across all pages. The platform tells a clear, deterministic risk story.

Evidence Summary

35 screenshots (annotated) across 11 sections
1 video — mitigation tracking lifecycle flow
3 API output files — evidence classification, attestation lifecycle, ownership lifecycle
0 console errors across 5 pages

At a Glance​

1. Overview + Trend Indicators (#240)​

2. Findings List — Smart Defaults + Evidence Badges (#237, #238, #239)​

Smart Defaults (#238)​

Evidence Badges (#237)​

Entity Column (#239)​

3. Finding Detail — Evidence Badge + Inline Path (#237, #241)​

Evidence Badge in Header (#237)​

Inline Path Visualization (#241)​

Evidence Pack (#226 retest)​

4. Risk Cluster Detail (#213, #227)​

1024px​

1280px​

1536px​

5. Evidence Classification API (#228)​

6. Mitigation Tracking (#229)​

Track Button​

After Tracking​

Tracked Actions Section​

Status Lifecycle​

Persistence​

Duplicate Prevention​

7. Access Path Grouping (#230)​

Flat View (Default)​

Grouped View​

Expanded Group​

Filtered (Orphaned)​

8. Attestation & Review Cadence API (#231)​

9. Ownership Assignment (#243)​

No Owner State​

Assignment Form​

Assigned​

Reassigned​

Revoked​

10. QA Fix Verification (#236)​

11. Cross-Cutting​

Console Errors​

Viewport Testing​

Open Items​

ISSUE-001: Default findings sort not severity-descending — HIGH​

ISSUE-002: total_count returns page size when classification filter applied — MEDIUM​

ISSUE-003: Reassign doesn't auto-revoke previous assignment — LOW​

ISSUE-004: URL finding_type param not reflected in dropdown — LOW​

ISSUE-005: Exposure title field missing — LOW​

Release Readiness​

Evidence Summary​