docs consolidation work

docs/modules/signer/README.md

@@ -48,6 +48,54 @@ Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSS
 - Sprint 0401: `docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md` (SIGN-VEX-401-018 DONE; AUTH-REACH-401-005 TODO).
 - SIG docs/tasks in ../../TASKS.md (e.g., DOCS-SIG-26-006).
 
+## Implementation Status
+
+### Phase 1 – Core service & PoE (Complete)
+- OpTok validation with Authority DPoP/mTLS tokens and signer.sign scope
+- Proof-of-Entitlement (PoE) introspection with cloud licensing integration
+- Scanner release verification via OCI referrers
+- DSSE signing pipeline: keyless (Fulcio) and keyful (KMS/HSM/FIDO2)
+- KMS key management foundations (KMSI-73-001, KMSI-73-002)
+- DSSE/SLSA BuildDefinition models with canonical JSON (PROV-OBS-53-001/002)
+
+### Phase 2 – Export Center integration (In Progress)
+- CryptoDsseSigner with ICryptoProviderRegistry (keyless + KMS modes)
+- SignerStatementBuilder refactored for StellaOps predicate types
+- PromotionAttestationBuilder with canonicalized payloads (PROV-OBS-53-003)
+- Cosign-compatible DSSE output with provenance manifests
+- Blocking: SIGN-CORE-186-004/005 crypto provider refactoring, replay manifest support
+
+### Phase 3 – Attestor alignment (Not Started)
+- DSSE envelope metadata for Attestor ingestion
+- Extended predicate catalog: stella.ops/vexDecision@v1, stella.ops/graph@v1 (SIGN-VEX-401-018 complete)
+- Helper methods: IsVexRelatedType, IsReachabilityRelatedType, predicate validation
+- Blocking: AUTH-REACH-401-005 predicate definitions, verification library (PROV-OBS-54-001/002)
+
+### Phase 4 – Observability & resilience (Not Started)
+- Metrics: signing latency, PoE failures, quota hits, key usage distribution
+- Structured logs with trace IDs, subject digests, issuer mode, decision outcomes
+- Alerts for PoE outages, key exhaustion, quota breaches, failure spikes
+- CLI commands: stella promotion attest/verify, stella forensic attest show
+
+### Key Acceptance Criteria
+- Signs only requests satisfying OpTok, PoE, quota, scanner provenance checks
+- DSSE outputs verify with standard cosign tooling
+- Export Center receives signed bundles with provenance manifests
+- Audit logs capture every request with tenant, issuer, subject digest, PoE state
+- CLI/Offline workflows verify signatures using Offline Kit trust roots
+
+### Technical Decisions & Risks
+- PoE/entitlement outages: cache last-known entitlement within TTL, emergency bypass with audit
+- Key compromise: hardware-backed keys, rotation cadence, immediate revocation, incident runbook
+- Release verification failures: allowlist for trusted scanner digests, manual approval fallback
+- Determinism: canonicalize JSON, lock timestamp sources, regression tests for DSSE hashing
+
+### Recent Updates (Sprint 0186/0401 · 2025-11-26)
+- CryptoDsseSigner with ES256 signature generation via ICryptoProviderRegistry
+- PredicateTypes catalog extended with VEX/graph predicates
+- Integration tests upgraded with real crypto, fixture predicates (102 tests passing)
+- CryptoPro signer plugin in progress (SEC-CRYPTO-90-020)
+
 ## Epic alignment
 - **Epic 10 – Export Center:** provide signing pipelines, cosign interoperability, and provenance manifests for bundle promotion.
 - **Epic 19 – Attestor Console:** supply DSSE payloads and Proof-of-Entitlement enforcement feeding attestation workflows described in `docs/modules/attestor/`.