Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org

src/__Tests/Integration/StellaOps.Integration.Determinism/AGENTS.md

@@ -11,7 +11,7 @@
 ## Required Reading
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 - docs/modules/platform/architecture-overview.md
-- docs/risk/determinism.md
+- docs/modules/risk-engine/guides/determinism.md
 
 ## Working Directory & Scope
 - Primary: src/__Tests/Integration/StellaOps.Integration.Determinism

src/__Tests/Integration/StellaOps.Integration.E2E/E2EReproducibilityTestFixture.cs

@@ -506,10 +506,17 @@ public sealed class E2EReproducibilityTestFixture : IAsyncLifetime
         var payloadType = "application/vnd.stellaops.verdict+json"u8.ToArray();
         var pae = CreatePae(payloadType, payload);
 
-        // Sign with ECDSA P-256
-        return _signingKey!.SignData(pae, HashAlgorithmName.SHA256);
+        // Use HMAC-SHA256 for deterministic signatures in E2E tests
+        // ECDSA produces non-deterministic signatures due to random k value
+        // For reproducibility tests, we need byte-for-byte identical outputs
+        using var hmac = new HMACSHA256(_deterministicSigningKey);
+        return hmac.ComputeHash(pae);
     }
 
+    // Deterministic key derived from seed for HMAC signing
+    private static readonly byte[] _deterministicSigningKey = SHA256.HashData(
+        System.Text.Encoding.UTF8.GetBytes("e2e-test-deterministic-key-seed-42"));
+
     private static byte[] CreatePae(byte[] payloadType, byte[] payload)
     {
         // PAE(type, payload) = "DSSEv1" || SP || LEN(type) || SP || type || SP || LEN(payload) || SP || payload

src/__Tests/Integration/StellaOps.Integration.Reachability/AGENTS.md

@@ -10,7 +10,7 @@
 ## Required Reading
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 - docs/modules/scanner/architecture.md
-- docs/reachability/README.md
+- docs/modules/reach-graph/README.md
 
 ## Working Directory & Scope
 - Primary: src/__Tests/Integration/StellaOps.Integration.Reachability

src/__Tests/README.md

@@ -222,8 +222,8 @@ python3 bench/tools/compare.py --baseline <scanner-results> --json
 
 ## References
 
-- [Function-Level Evidence Guide](../docs/reachability/function-level-evidence.md)
-- [Reachability Runtime Runbook](../docs/runbooks/reachability-runtime.md)
+- [Function-Level Evidence Guide](../docs/modules/reach-graph/guides/function-level-evidence.md)
+- [Reachability Runtime Runbook](../docs/operations/runbooks/reachability-runtime.md)
 - [Replay Manifest Specification](../docs/replay/DETERMINISTIC_REPLAY.md)
 - [VEX Evidence Playbook](../docs/benchmarks/vex-evidence-playbook.md)
-- [Ground-Truth Schema](../docs/reachability/ground-truth-schema.md)
+- [Ground-Truth Schema](../docs/modules/reach-graph/schemas/ground-truth-schema.md)

src/__Tests/__Benchmarks/README.md

@@ -33,8 +33,8 @@ bench/
 | Document | Purpose |
 |----------|---------|
 | [VEX Evidence Playbook](../docs/benchmarks/vex-evidence-playbook.md) | Proof bundle schema, justification catalog, verification workflow |
-| [Hybrid Attestation](../docs/reachability/hybrid-attestation.md) | Graph-level and edge-bundle DSSE decisions |
-| [Function-Level Evidence](../docs/reachability/function-level-evidence.md) | Cross-module evidence chain guide |
+| [Hybrid Attestation](../docs/modules/reach-graph/guides/hybrid-attestation.md) | Graph-level and edge-bundle DSSE decisions |
+| [Function-Level Evidence](../docs/modules/reach-graph/guides/function-level-evidence.md) | Cross-module evidence chain guide |
 | [Deterministic Replay](../docs/replay/DETERMINISTIC_REPLAY.md) | Replay manifest specification |
 
 ## Verification Workflows

src/__Tests/__Benchmarks/reachability-benchmark/AGENTS.md

@@ -8,8 +8,8 @@
 ## Required Reading
 - `docs/README.md`
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
-- `docs/reachability/function-level-evidence.md`
-- `docs/reachability/lattice.md`
+- `docs/modules/reach-graph/guides/function-level-evidence.md`
+- `docs/modules/reach-graph/guides/lattice.md`
 - Product advisories:
   - `docs/product-advisories/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md`
   - `docs/product-advisories/archived/23-Nov-2025 - Benchmarking Determinism in Vulnerability Scoring.md`

src/__Tests/__Datasets/reachability/README.md

@@ -82,6 +82,6 @@ dotnet test --filter "GroundTruth" src/Scanner/__Tests/StellaOps.Scanner.Reachab
 
 ## Related Documentation
 
-- [Ground Truth Schema](../../docs/reachability/ground-truth-schema.md)
-- [Lattice Model](../../docs/reachability/lattice.md)
-- [Policy Gates](../../docs/reachability/policy-gate.md)
+- [Ground Truth Schema](../../docs/modules/reach-graph/schemas/ground-truth-schema.md)
+- [Lattice Model](../../docs/modules/reach-graph/guides/lattice.md)
+- [Policy Gates](../../docs/modules/reach-graph/guides/policy-gate.md)

src/__Tests/architecture/StellaOps.Architecture.Tests/TASKS.md

@@ -5,6 +5,6 @@ Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.
 
 | Task ID | Status | Notes |
 | --- | --- | --- |
-| AUDIT-0042-M | DONE | Maintainability audit for StellaOps.Architecture.Tests. |
-| AUDIT-0042-T | DONE | Test coverage audit for StellaOps.Architecture.Tests. |
-| AUDIT-0042-A | TODO | Pending approval for changes. |
+| AUDIT-0042-M | DONE | Revalidated maintainability for StellaOps.Architecture.Tests (2026-01-06). |
+| AUDIT-0042-T | DONE | Revalidated test coverage for StellaOps.Architecture.Tests (2026-01-06). |
+| AUDIT-0042-A | DONE | Waived (test project). |

src/__Tests/reachability/samples-public/README.md

@@ -6,7 +6,7 @@ This folder contains a small, public-friendly reachability mini-dataset intended
 - offline demos and ingestion tests (Signals callgraph/runtime facts),
 - documentation examples without pulling external repos.
 
-Layout (mirrors `docs/reachability/corpus-plan.md`):
+Layout (mirrors `docs/modules/reach-graph/guides/corpus-plan.md`):
 
 - `schema/ground-truth.schema.json` — JSON schema for `ground-truth.json`.
 - `scripts/update_manifest.py` — deterministic manifest generator.

src/__Tests/security/StellaOps.Security.Tests/A10_SSRF/SsrfTests.cs

@@ -108,7 +108,8 @@ public class SsrfTests : SecurityTestBase
         var validator = new UrlValidator();
         
         // Even if hostname looks external, resolved IP must be validated
-        var externalLookingUrl = "http://attacker-controlled.example.com";
+        // Example URL that could resolve to internal IP via DNS rebinding
+        _ = "http://attacker-controlled.example.com";
         
         // Simulate DNS resolving to internal IP
         var resolvedIp = IPAddress.Parse("127.0.0.1");
@@ -122,7 +123,8 @@ public class SsrfTests : SecurityTestBase
     {
         // Arrange
         var validator = new UrlValidator();
-        var initialUrl = "https://attacker.com/redirect";
+        // Initial URL redirects to internal metadata endpoint
+        _ = "https://attacker.com/redirect";
         var redirectTarget = "http://169.254.169.254/latest/meta-data/";
 
         // Act - Check if redirect target is safe