v1.4.2 — Interactive Governance Dashboard

@greenarmor greenarmor released this 18 Jun 16:07
· 29 commits to master since this release

Release v1.4.2

Interactive Governance Dashboard. The web dashboard now supports full create, update, and delete operations on governance provenance records directly from the browser — no CLI or MCP client required.

Previous release: v1.4.1
Release date: 2026-06-11


Highlights

Governance Records Are Now Editable From the Dashboard

The Governance tab was previously read-only — you could view records, verification status, and export reports, but creating or modifying records required the CLI (ges governance add) or an MCP client. This release adds a complete action toolbar with modal forms for every governance operation, backed by 10 new POST API endpoints.

Zero Regression

A 30-point end-to-end regression suite confirms all existing functionality is preserved: every GET API endpoint, every dashboard page, every JavaScript function, report generation, 405/404 behavior, and MCP server integration (43 tools) remain intact.

Socket.dev-Safe

No new npm dependencies were added. All modal interactions use vanilla JavaScript with browser-side fetch(). The dashboard server delegates to existing @greenarmor/ges-core governance functions — no business logic duplication.


What's New

1. POST Mutation API (10 Endpoints)

The dashboard HTTP server now accepts POST requests for governance operations. Each endpoint calls the existing core governance functions and writes an activity log entry.

Endpoint                                   Action
POST /api/governance/create                Create a new governance record
POST /api/governance/:id/approve           Record an approval decision
POST /api/governance/:id/evidence          Add an evidence reference
POST /api/governance/:id/risk-assessment   Link a risk assessment
POST /api/governance/:id/policy-basis      Document the policy basis
POST /api/governance/:id/review-cycle      Set the review cycle
POST /api/governance/:id/data-inventory    Document the data inventory
POST /api/governance/:id/committee         Record committee approval
POST /api/governance/:id/compliance-links  Map compliance frameworks
POST /api/governance/:id/delete            Delete a governance record

All mutations accept JSON bodies with the same field names as CLI flags. Actor attribution (actor_name, actor_role) is supported on every endpoint for activity log traceability.

2. Action Toolbar

The Governance page now has a toolbar at the top with two buttons:

  • + New Record — Opens the create modal form
  • Export Report — Downloads the governance provenance report (Markdown)

3. Per-Record Action Buttons

Each expanded governance record card now displays 9 action buttons:

Button      Action
Approve     Record or update the approval decision
Evidence    Add an evidence reference
Risk        Link a risk assessment
Policy      Document the policy basis
Review      Set the review cycle
Data Inv    Document the data inventory
Committee   Record committee approval
Compliance  Map compliance framework links
Delete      Remove the record (with confirmation)

4. Modal Forms

Clicking any action button opens a modal form with fields matching the CLI exactly. Each form includes:

  • All required fields for that action (e.g., approver name, decision, validity dates for approvals)
  • Optional actor name and role fields for activity log attribution
  • Dropdowns for enum fields (system type, risk level, decision, frequency, evidence type, source system)
  • Cancel and Save buttons

Forms submit via fetch() POST to the corresponding API endpoint. On success, a toast notification appears and the page reloads to reflect the updated state.

5. Toast Notifications

A lightweight toast system provides feedback after every mutation:

  • Success (green) — "Saved! Reloading..." with auto-reload after 800ms
  • Error (red) — Displays the error message from the server
  • Auto-dismisses after 3 seconds with fade animation
  • Positioned fixed top-right, stacked

6. Empty State CTA

When no governance records exist, the empty state now shows a "Create First Record" button instead of instructing the user to run CLI commands. Clicking it opens the create modal directly.


Architecture

Request Flow

Browser button click
  → openGovModal(action, recordId)
    → Modal form rendered (server-side HTML string)
    → User fills fields, clicks Save
      → submitGovForm()
        → fetch() POST to /api/governance/:endpoint
          → readBody() parses JSON
          → Core governance function executes
          → recordActivity() writes audit trail
          → JSON response { success: true, record }
        → Toast notification
        → Page reload

Route Ordering

POST governance routes are matched first in the request handler. A GET-only guard sits before existing routes to preserve backward compatibility. Non-governance POST requests still receive 405 Method Not Allowed.
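
A sketch of the dispatch order described above, with a type- and size-checked reader in the readBody() position of the request flow. This is an added example, not code from the ges repository: only the POST paths come from the endpoint table, while matchRoute, the GET path list, the record id pattern, the 64 KiB cap and the 415/413/400 responses are assumptions.

```javascript
// Added illustration, not the project's code. Only the POST paths come from the release notes.
const GOVERNANCE_ACTIONS = new Set([
  'approve', 'evidence', 'risk-assessment', 'policy-basis', 'review-cycle',
  'data-inventory', 'committee', 'compliance-links', 'delete',
]);
const KNOWN_GET_PATHS = new Set(['/', '/api/governance']); // constructed sample list
const MAX_BODY_BYTES = 64 * 1024; // assumed cap
const RECORD_ROUTE = /^\/api\/governance\/([\w-]+)\/([a-z-]+)$/; // assumed id format

// Route on method and path only, before any body is read.
function matchRoute(method, path) {
  if (method === 'POST') { // governance POST routes are matched first
    if (path === '/api/governance/create') return { status: 200, action: 'create' };
    const m = RECORD_ROUTE.exec(path);
    if (m && GOVERNANCE_ACTIONS.has(m[2])) return { status: 200, action: m[2], id: m[1] };
    return { status: 405 }; // every other POST is refused
  }
  if (method !== 'GET') return { status: 405 }; // GET-only guard for the existing routes
  return KNOWN_GET_PATHS.has(path) ? { status: 200, action: 'page' } : { status: 404 };
}

// Read a JSON object from the request stream, stopping early on wrong type or size.
async function readBody(req) {
  // Require JSON so form-encoded or plain-text posts are rejected before parsing.
  const type = String(req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (type !== 'application/json') return { status: 415, error: 'expected application/json' };
  const chunks = [];
  let size = 0;
  for await (const chunk of req) {
    size += chunk.length;
    if (size > MAX_BODY_BYTES) return { status: 413, error: 'body too large' };
    chunks.push(chunk);
  }
  let body;
  try {
    body = JSON.parse(Buffer.concat(chunks).toString('utf8'));
  } catch (err) {
    return { status: 400, error: 'invalid JSON' };
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { status: 400, error: 'body must be a JSON object' };
  }
  return { status: 200, body };
}
```

Calling matchRoute before readBody means a request that will end in 405 or 404 never has its body buffered.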

No New Dependencies

Component            Implementation
Modal forms          Server-side HTML strings
Form submission      Browser-side fetch() (vanilla JS)
Toast notifications  CSS animation + DOM manipulation
Backend mutations    Existing @greenarmor/ges-core functions
Activity logging     Existing recordActivity() from core

Socket.dev Safety

This release adds zero new npm dependencies.

Source scan confirmed no new:

  • process.env access
  • eval
  • Obfuscated dynamic behavior
  • Server-side fetch or network calls

The fetch() calls are browser-side only (inside inline <script> tags in the dashboard HTML template) and do not appear in the npm package's Node.js runtime code.


Files Changed

File                                      Change
packages/web-dashboard/src/index.ts       readBody(), parseList(), async server callback, 10 POST routes, GET-only guard, expanded imports
packages/web-dashboard/src/template.ts    Modal CSS, toast CSS, toolbar CSS, action button CSS, renderGovModals(), renderGovToastContainer(), action toolbar, per-record buttons, empty state CTA, openGovModal/submitGovForm/closeGovModal/govDeleteRecord/showToast JS functions
packages/web-dashboard/src/index.test.ts  post() test helper, updated 405 test, 7 new governance POST endpoint tests

Validation

pnpm -r run build   (16 packages)
pnpm -r run test    (445 tests passing)

Regression Verification

30-point end-to-end regression suite:

  • All 8 GET API endpoints return 200
  • Pack detail routes (2 endpoints)
  • Control detail routes (2 endpoints)
  • Report endpoints (compliance md/html, governance)
  • All 7 dashboard HTML pages render
  • All existing JS functions intact (showPage, toggleFix, navigateToPage)
  • 405 for non-governance POST requests
  • 404 for unknown routes
  • Governance record detail GET with verification
  • MCP server lists 43 tools

End-to-End POST Verification

All 10 POST endpoints verified via API:

POST /api/governance/create         → 200 ✓
POST /api/governance/:id/approve    → 200 ✓ (decision: approved, status: approved)
POST /api/governance/:id/evidence   → 200 ✓ (evidence count: 1)
POST /api/governance/:id/risk       → 200 ✓ (assessor linked)
POST /api/governance/:id/policy     → 200 ✓ (policy documented)
POST /api/governance/:id/review     → 200 ✓ (frequency: annual)
POST /api/governance/:id/delete     → 200 ✓ (record removed)

Upgrade Guide

No migration required.

This release only affects the web dashboard package. Existing CLI commands, MCP tools, configuration files, generated documentation, and CI/CD behavior remain fully compatible. The dashboard server's new POST endpoints are additive — no existing route was modified or removed.

If you have a running dashboard server, restart it to pick up the new build:

ges dashboard

Metrics

Metric v1.4.1 v1.4.2
Dashboard POST routes 0 10
Dashboard GET routes 14 14
Tests passing 438 445
Packages building clean 16 16
MCP tools 43 43
New npm dependencies 0