Refactor code structure for improved readability and maintainability; removed redundant code blocks and optimized function calls.

.gitea/workflows/api-governance.yml

@@ -23,5 +23,27 @@ jobs:
           node-version: "18"
       - name: Install npm deps
         run: npm install --ignore-scripts --no-progress
+      - name: Compose aggregate OpenAPI
+        run: npm run api:compose
+      - name: Validate examples coverage
+        run: npm run api:examples
+      - name: Compatibility diff (previous commit)
+        run: |
+          set -e
+          if git show HEAD~1:src/Api/StellaOps.Api.OpenApi/stella.yaml > /tmp/stella-prev.yaml 2>/dev/null; then
+            node scripts/api-compat-diff.mjs /tmp/stella-prev.yaml src/Api/StellaOps.Api.OpenApi/stella.yaml --output text --fail-on-breaking
+          else
+            echo "[api:compat] previous stella.yaml not found; skipping"
+          fi
+      - name: Compatibility diff (baseline)
+        run: |
+          set -e
+          if [ -f src/Api/StellaOps.Api.OpenApi/baselines/stella-baseline.yaml ]; then
+            node scripts/api-compat-diff.mjs src/Api/StellaOps.Api.OpenApi/baselines/stella-baseline.yaml src/Api/StellaOps.Api.OpenApi/stella.yaml --output text
+          else
+            echo "[api:compat] baseline file missing; skipping"
+          fi
+      - name: Generate changelog
+        run: npm run api:changelog
       - name: Spectral lint (fail on warning+)
         run: npm run api:lint

AGENTS.md

@@ -154,14 +154,9 @@ It ships as containerised building blocks; each module owns a clear boundary and
 
 You will be explicitly told which role you are acting in. Your behavior must change accordingly.
 
-Good catch. Here’s the same prompt updated with:
-
 1. Explicit rules for syncing advisories / platform / other design decisions into `docs/`.
 2. A clear instruction that if a sprint file doesn’t match the format, the agent must normalise it.
-
+3. You never use `git reset` unless explicitly told to do so!
-I’ll show only the modified sections so you can drop them in.
-
----
 
 ### 4.1) As product manager  (updated)
 

docs/advisory-ai/console.md

@@ -82,7 +82,7 @@ This guide documents the forthcoming Advisory AI console experience so that cons
 1. **Volume readiness** – confirm the RWX volume (`/var/lib/advisory-ai/{queue,plans,outputs}`) is mounted; the console should poll `/api/v1/advisory-ai/health` and surface “Queue not available” if the worker is offline.
 2. **Cached responses** – when running air-gapped, highlight that only cached plans/responses are available by showing the `planFromCache` badge plus the `generatedAtUtc` timestamp.
 3. **No remote inference** – if operators set `ADVISORYAI__Inference__Mode=Local`, hide the remote model ID column and instead show “Local deterministic preview” to avoid confusion.
-4. **Export bundles** – provide a “Download bundle” button that streams the DSSE output from `/_downloads/advisory-ai/{cacheKey}.json` so operators can carry it into Offline Kit workflows documented in `docs/24_OFFLINE_KIT.md`.
+4. **Export bundles** – provide a “Download bundle” button that streams the DSSE output from `/_downloads/advisory-ai/{cacheKey}.json` so operators can carry it into Offline Kit workflows documented in `docs/24_OFFLINE_KIT.md`. While staging endpoints are pending, reuse the Evidence Bundle v1 sample at `docs/samples/evidence-bundle/evidence-bundle-v1.tar.gz` (hash in `evidence-bundle-v1.tar.gz.sha256`) to validate wiring and screenshots.
 
 ## 6. Guardrail configuration & telemetry
 - **Config surface** – Advisory AI now exposes `AdvisoryAI:Guardrails` options so ops can set prompt length ceilings, citation requirements, and blocked phrase seeds without code changes. Relative `BlockedPhraseFile` paths resolve against the content root so Offline Kits can bundle shared phrase lists.
@@ -106,12 +106,23 @@ This guide documents the forthcoming Advisory AI console experience so that cons
 - **Console wiring** – the guardrail ribbon pulls `guardrail.blocked`, `guardrail.violations`, and `guardrail.metadata.blocked_phrase_count` while the observability cards track `advisory_ai_chunk_requests_total`, `advisory_ai_chunk_cache_hits_total`, and `advisory_ai_guardrail_blocks_total` (now emitted even on cache hits). Use these meters to explain throttling or bad actors before granting additional guardrail budgets, and keep `docs/api/console/samples/advisory-ai-guardrail-banner.json` nearby so QA can validate localized payloads without hitting production data.
 
 ## 5. Open items before publication
-- [ ] Replace placeholder API responses with captures from the first merged build of CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001.
+- [ ] Replace placeholder API responses with captures from the first merged build of CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 (blocked on SBOM-AIAI-31-003).
 - [ ] Capture at least two screenshots (list view + evidence drawer) using the fixture-backed workspace; commit both `*-payload.json` and `*-screenshot.png` with deterministic filenames.
 - [ ] Verify copy-as-ticket instructions with Support to ensure the payload fields align with existing SOC runbooks.
 - [ ] Add latency tooltip + remote/local badge screenshots after Grafana wiring is stable.
-- [ ] Attach SBOM/VEX bundle example (sealed DSSE) to the doc and link it from Section 2.3 for auditors.
+- [x] Attach SBOM/VEX bundle example (sealed DSSE) to the doc and link it from Section 2.3 for auditors (using Evidence Bundle v1 sample).
+
+### Publication readiness checklist (DOCS-AIAI-31-004)
+- Inputs available now: console fixtures (`docs/samples/console/console-vuln-29-001.json`, `console-vex-30-001.json`), evidence bundle sample (`docs/samples/evidence-bundle/evidence-bundle-v1.tar.gz`), guardrail ribbon contract.
+- Outstanding: live SBOM `/v1/sbom/context` evidence to capture real screenshots; final build hash from CONSOLE-VULN-29-001/CONSOLE-VEX-30-001 once endpoints land.
+- Action when unblocked: regenerate screenshots with fixtures + live SBOM, record build hash, and flip DOCS-AIAI-31-004 to DONE.
 
 > Tracking: DOCS-AIAI-31-004 (Docs Guild, Console Guild)
 
+### Guardrail console fixtures (unchecked-integration)
+
+- Vulnerability search sample: `docs/samples/console/console-vuln-29-001.json` (maps to CONSOLE-VULN-29-001).
+- VEX search sample: `docs/samples/console/console-vex-30-001.json` (maps to CONSOLE-VEX-30-001).
+- Use these until live endpoints are exposed; replace with real captures when staging is available.
+
 **Reference**: API contracts and sample payloads live in `docs/api/console/workspaces.md` (see `/console/vuln/*` and `/console/vex/*` sections) plus the JSON fixtures under `docs/api/console/samples/`.

docs/advisory-ai/evidence-payloads.md

@@ -0,0 +1,104 @@
+# Advisory AI Evidence Payloads (LNM-Aligned)
+
+_Updated: 2025-11-18 · Owner: Advisory AI Docs Guild · Sprint: 0111 (AIAI-RAG-31-003)_
+
+This document defines how Advisory AI consumes Link-Not-Merge (LNM) observations and linksets for Retrieval-Augmented Generation (RAG). It aligns payloads with the frozen LNM v1 schema (`docs/modules/concelier/link-not-merge-schema.md`, 2025-11-17) and replaces prior draft payloads.
+
+## 1) Input envelope (per task)
+
+```json
+{
+  "advisoryKey": "csaf:redhat:RHSA-2025:1001",
+  "profile": "fips-local",
+  "policyVersion": "2025.10.1",
+  "lnm": {
+    "observationIds": ["6561e41b3e3f4a6e9d3b91c1", "6561e41b3e3f4a6e9d3b91c2"],
+    "linksetId": "6561e41b3e3f4a6e9d3b91d0",
+    "provenanceHash": "sha256:0f7c...9ad3"
+  },
+  "sbom": {
+    "artifactId": "registry.stella-ops.internal/runtime/api",
+    "purl": "pkg:oci/runtime-api@sha256:d2c3...",
+    "timelineClamp": 500,
+    "dependencyPathClamp": 200
+  }
+}
+```
+
+Rules:
+- `lnm.linksetId` and `lnm.observationIds` are **required**. Missing values → `409 advisory.contextUnavailable`.
+- `provenanceHash` must match the hash list embedded in the LNM linkset; Advisory AI refuses linksets whose hashes mismatch.
+- SBOM fields optional; if absent, remediation tasks skip SBOM deltas and still return deterministic outputs.
+
+## 2) Canonical chunk mapping
+
+| LNM source | Advisory AI chunk | Transformation |
+| --- | --- | --- |
+| `advisory_observations._id` | `source_id` | Stored verbatim; used for citations. |
+| `advisory_observations.advisoryId` | `advisory_key` | Also populates `content_hash` seed. |
+| `advisory_observations.summary` | `text` | Trimmed, Markdown-safe. |
+| `advisory_observations.affected[].purl` | `purl` | Lowercased, deduped; no range merging. |
+| `advisory_observations.severities[]` | `severity` | Passed through; multiple severities allowed. |
+| `advisory_observations.references[]` | `references` | Sorted for determinism. |
+| `advisory_observations.relationships[]` | `relationships` | Surface upstream `type/source/target/provenance`; no merge. |
+| `advisory_observations.provenance.sourceArtifactSha` | `content_hash` | Drives dedup + cache key. |
+| `advisory_linksets.conflicts[]` | `conflicts` | Serialized verbatim for conflict tasks. |
+| `advisory_linksets.normalized.purls|versions|ranges|severities` | `normalized` | Used as hints only; never overwrite observation fields. |
+
+Chunk ordering: observations sorted by `(source, advisoryId, provenance.fetchedAt)` as per LNM invariant; chunks are emitted in the same order to keep cache keys stable.
+
+## 3) Output citation rules
+
+- `citations[n].sourceId` points to the LNM `source_id`; `citations[n].uri` must remain the upstream reference URI when present.
+- If SBOM deltas are included, they appear as separate citations with `kind: "sbom"` and `sourceId` built from SBOM context digest (`sbom:{artifactId}:{digest}`).
+- Conflict outputs must echo `linkset.conflicts[].reason` in the Markdown body with matching citation indexes; guardrails block outputs where a conflict reason lacks a citation.
+
+## 4) Error conditions (aligned to LNM)
+
+| Condition | Code | Notes |
+| --- | --- | --- |
+| Missing `lnm.linksetId` or `lnm.observationIds` | `409 advisory.contextUnavailable` | Caller should pass LNM IDs; retry once upstream emits them. |
+| Hash mismatch between `provenanceHash` and linkset | `409 advisory.contextHashMismatch` | Indicates tampering or stale payload; retry after refreshing linkset. |
+| Observation count exceeds clamp (defaults: 200 obs, 600 chunks) | `413 advisory.contextTooLarge` | Caller may request narrower `preferredSections` or reduce obs set. |
+| Conflicts array empty for conflict task | `422 advisory.conflict.noConflicts` | Signals upstream data gap; reported to Concelier. |
+
+## 5) Sample normalized RAG bundle
+
+```json
+{
+  "taskType": "Summary",
+  "advisoryKey": "csaf:redhat:RHSA-2025:1001",
+  "lnmBundle": {
+    "linksetId": "6561e41b3e3f4a6e9d3b91d0",
+    "provenanceHash": "sha256:0f7c...9ad3",
+    "chunks": [
+      {
+        "source_id": "concelier:ghsa:GHSA-xxxx:obs:6561e41b3e3f4a6e9d3b91c1",
+        "content_hash": "sha256:1234...",
+        "advisory_key": "csaf:redhat:RHSA-2025:1001",
+        "purl": "pkg:maven/org.example/foo@1.2.3",
+        "severity": [{"system":"cvssv3","score":7.8,"vector":"AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
+        "references": ["https://access.redhat.com/errata/RHSA-2025:1001"],
+        "relationships": [{"type":"affects","source":"nvd","target":"cpe:/o:redhat:enterprise_linux:9"}]
+      }
+    ],
+    "conflicts": [
+      {"field":"affected.versions","reason":"vendor_range_differs","values":["<1.2.0","<=1.2.3"]}
+    ]
+  },
+  "sbomSummary": {
+    "artifactId": "registry.stella-ops.internal/runtime/api",
+    "versionTimeline": 8,
+    "dependencyPaths": 5
+  }
+}
+```
+
+Operators can store this bundle alongside plan cache entries; the `lnmBundle.provenanceHash` proves the evidence set matches the frozen Concelier linkset.
+
+## 6) Operator validation steps
+
+- Verify LNM collections at schema v1 (2025-11-17 freeze) before enabling Advisory AI tasks.
+- Ensure `lnm.provenanceHash` matches linkset `observationHashes` before calling Advisory AI.
+- Keep clamps deterministic: observations ≤200, chunks ≤600, timeline entries ≤500, dependency paths ≤200 (defaults; override only if documented).
+- When running offline, include LNM linkset exports in the Offline Kit to preserve citation replay.

docs/advisory-ai/guardrails-and-evidence.md

@@ -0,0 +1,62 @@
+# Advisory AI Guardrails & Evidence Intake
+
+_Updated: 2025-11-18 · Owner: Advisory AI Docs Guild · Status: Draft (Sprint 0111)_
+
+This note captures the guardrail behaviors and evidence intake boundaries required by Sprint 0111 tasks (`AIAI-DOCS-31-001`, `AIAI-RAG-31-003`). It binds Advisory AI guardrails to upstream evidence sources and clarifies how Link-Not-Merge (LNM) documents flow into Retrieval-Augmented Generation (RAG) payloads.
+
+## 1) Evidence sources and contracts
+
+- **Advisory observations (LNM)** — Consume immutable `advisory_observations` and `advisory_linksets` produced per `docs/modules/concelier/link-not-merge-schema.md` (frozen v1, 2025-11-17).
+- **VEX statements** — Excititor + VEX Lens linksets with trust weights; treated as structured chunks with `source_id` and `confidence`.
+- **SBOM context** — `SBOM-AIAI-31-001` contract: timelines and dependency paths retrieved via `ISbomContextRetriever` (`AddSbomContextHttpClient`), default clamps 500 timeline entries / 200 paths.
+- **Policy explain traces** — Policy Engine digests referenced by `policyVersion`; cache keys include policy hash to keep outputs replayable.
+- **Runtime posture (optional)** — Zastava signals (`exposure`, `admissionStatus`) when provided by Link-Not-Merge-enabled tenants; optional chunks tagged `runtime`.
+
+All evidence items must carry `content_hash` + `source_id`; Advisory AI never mutates or merges upstream facts (Aggregation-Only Contract).
+
+## 2) Guardrail stages
+
+1. **Pre-flight sanitization**
+   - Redact secrets (AWS-style keys, PEM blobs, generic tokens).
+   - Strip prompt-injection phrases; enforce max input payload 16 kB (configurable, default).
+   - Reject requests missing `advisoryKey` or linkset-backed evidence (LNM guard).
+2. **Prompt assembly**
+   - Deterministic section order: advisory excerpts → VEX statements → SBOM deltas → policy traces → runtime hints.
+   - Vector previews capped at 600 chars + ellipsis; section budgets fixed per profile (`default`, `gost-local`, `cloud-openai`).
+3. **LLM invocation (local/remote)**
+   - Profiles selected via `profile` field; remote profiles require Authority tenant consent and `advisory-ai:operate` + `aoc:verify`.
+4. **Validation & citation enforcement**
+   - Every emitted fact must map to an input chunk (`source_id` + `content_hash`); citations serialized as `[n]` in Markdown.
+   - Block outputs lacking citations, exceeding section budgets, or including unredacted PII.
+5. **Output sealing**
+   - Store `outputHash`, `inputDigest`, `provenanceHash`; wrap in DSSE when configured.
+   - Cache TTL defaults to 24h; regenerate only when inputs change or `forceRefresh=true`.
+
+Metrics: `advisory_ai_guardrail_blocks_total`, `advisory_ai_outputs_stored_total`, `advisory_ai_citation_coverage_ratio`. Logs carry `output_hash`, `profile`, and block reason; no secrets or raw prompt bodies are logged.
+
+## 3) RAG payload mapping to LNM (summary)
+
+| LNM field | RAG chunk field | Notes |
+| --- | --- | --- |
+| `observation._id` | `source_id` | Used for citations and conflict surfacing. |
+| `observation.advisoryId` | `advisory_key` | Keyed alongside task type in cache. |
+| `observation.affected[].purl` | `purl` | Included for remediation + SBOM joins. |
+| `observation.severities[]` | `severity` | Passed through unmerged; multiple severities allowed. |
+| `linkset.conflicts[]` | `conflicts` | Rendered verbatim for conflict tasks; no inference merges. |
+| `provenance.sourceArtifactSha` | `content_hash` | Drives determinism and replay. |
+
+See `docs/advisory-ai/evidence-payloads.md` for full JSON examples and alignment rules.
+
+## 4) Compliance with upstream artefacts
+
+- References: `CONSOLE-VULN-29-001`, `CONSOLE-VEX-30-001`, `CLI-VULN-29-001`, `CLI-VEX-30-001`, `EXCITITOR-CONSOLE-23-001`, `DEVOPS-AIAI-31-001`.
+- Guardrails must remain compatible with `docs/policy/assistant-parameters.md`; configuration knobs documented there are authoritative for env vars and defaults.
+- Packaging tasks (AIAI-PACKAGING-31-002) must include this guardrail summary in DSSE metadata to keep Offline Kit parity.
+
+## 5) Operator checklist
+
+- [ ] LNM feed enabled and Concelier schemas at v1 (2025-11-17).
+- [ ] SBOM retriever configured or `NullSbomContextClient` left as safe default.
+- [ ] Policy hash pinned via `policyVersion` when reproducibility is required.
+- [ ] Remote profiles only after Authority consent and profile allowlist are set.
+- [ ] Cache directories shared between web + worker hosts for DSSE sealing.

docs/advisory-ai/packaging.md

@@ -0,0 +1,65 @@
+# Advisory AI Packaging & SBOM Bundle (AIAI-PACKAGING-31-002)
+
+_Updated: 2025-11-18 · Owner: Advisory AI Release · Status: Draft_
+
+Defines the artefacts and provenance required to ship Advisory AI in Sprint 0111, covering offline kits and on-prem deployments.
+
+## 1) Bundle contents
+
+| Artefact | Purpose | Provenance |
+| --- | --- | --- |
+| `advisory-ai-web` image | API surface + plan cache | SBOM: `SBOM-AIAI-31-001:web`; DSSE attestation signed by Release key |
+| `advisory-ai-worker` image | Queue + inference executor | SBOM: `SBOM-AIAI-31-001:worker`; DSSE attestation |
+| Prompt + guardrail pack | Deterministic prompts, redaction lists, validation rules | DSSE sealed; hash recorded in `prompts.manifest` |
+| Profile catalog | `default`, `fips-local`, `gost-local`, `cloud-openai` (disabled) | Versioned JSON, hashed; tenant consent flags captured |
+| Policy bundle | `policyVersion` digest for baseline evaluation; Authority importable | DSSE + provenance to Policy Engine digests |
+| LNM evidence export (optional) | Concelier `advisory_linksets` + `advisory_observations` for air-gap replay | Hash list aligned to `provenanceHash` in RAG bundles |
+| SBOM context client config | Example `AddSbomContextHttpClient` settings (`BaseAddress`, `Endpoint`, `ApiKey`) | Signed `sbom-context.example.json` |
+
+## 2) Directory layout (Offline Kit)
+
+```
+/offline-kit/advisory-ai/
+  images/
+    advisory-ai-web.tar.zst
+    advisory-ai-worker.tar.zst
+  sboms/
+    SBOM-AIAI-31-001-web.json
+    SBOM-AIAI-31-001-worker.json
+  provenance/
+    advisory-ai-web.intoto.jsonl
+    advisory-ai-worker.intoto.jsonl
+    prompts.manifest.dsse
+    profiles.catalog.json
+    policy-bundle.intoto.jsonl
+  config/
+    advisoryai.appsettings.example.json
+    sbom-context.example.json
+  evidence/
+    lnm-linksets.ndjson      # optional; aligns to linkset hashes in RAG bundles
+    lnm-observations.ndjson  # optional; immutable raw docs
+```
+
+- All files hashed into `SHA256SUMS` with DSSE signature (`SHA256SUMS.dsse`).
+- Profiles catalog and prompt pack hashes must be propagated into `AdvisoryAI:Provenance` settings for runtime verification.
+
+## 3) SBOM & provenance rules
+
+- SBOMs must follow SPDX 3.0.1; embed image digest (`sha256:<...>`) and build args.
+- Attestations use DSSE + SPDX predicate; signer key matches Release guild key referenced in `DEVOPS-AIAI-31-001`.
+- For air-gapped installs, operators verify: `slsa-verifier verify-attestation --source=stellaops/advisory-ai-web --bundle advisory-ai-web.intoto.jsonl --digest <image-digest>`.
+
+## 4) Deployment checklist
+
+- [ ] Import `advisory-ai-web` and `advisory-ai-worker` images to registry.
+- [ ] Apply `profiles.catalog.json`; ensure remote profiles disabled unless Authority consent granted.
+- [ ] Load prompt pack and set `AdvisoryAI:Prompts:ManifestHash` to `prompts.manifest`.
+- [ ] Configure SBOM client (or keep `NullSbomContextClient` default).
+- [ ] If shipping LNM evidence, seed `advisory_linksets` and `advisory_observations` collections before enabling inference.
+- [ ] Record hashes in deployment log; surface in Authority audit via `advisory_ai.output.generated` events.
+
+## 5) Update obligations
+
+- Any change to prompts, guardrails, or profiles → bump manifest hash and regenerate DSSE.
+- SBOM updates follow the same `SBOM-AIAI-31-001` idempotent contract; replace files, update `SHA256SUMS`, resign.
+- Link all changes into the sprint Execution Log and Decisions & Risks sections.

docs/concelier/backfill/CONCELIER-CORE-AOC-19-004.md

@@ -0,0 +1,45 @@
+# CONCELIER-CORE-AOC-19-004 · Backfill prerequisites
+
+Purpose: prep safety rails so CONCELIER-STORE-AOC-19-005 can execute the raw-linkset backfill and rollback without risk to offline kits or prod Mongo.
+
+## Inputs
+- Dataset: `out/concelier/backfill/linksets-m0.ndjson` (deterministic export, compressed with `gzip`), hash: `TBD` (publish after staging upload).
+- Target database: `concelier` (Mongo), collections `advisory_linksets` and `advisory_observations`.
+- Offline kit bundle: `out/offline/concelier-linksets-m0.tar.gz` (mirrors the NDJSON used for Mongo ingest).
+
+## Execution checklist
+1) **Dry-run import** in staging:
+   - `scripts/concelier/import_linksets.sh --input out/concelier/backfill/linksets-m0.ndjson.gz --dry-run`
+   - Verify no merge counters / no inferred severity fields.
+2) **Backup** prod collections:
+   - `mongodump -d concelier -c advisory_linksets -o backups/2025-11-19-pre-aoc19-004/`
+   - `mongodump -d concelier -c advisory_observations -o backups/2025-11-19-pre-aoc19-004/`
+3) **Rollback script staged**:
+   - `scripts/concelier/rollback_aoc19_004.sh` restores both collections from above dump, then runs `db.advisory_linksets.createIndex` to re-seat deterministic indexes.
+4) **Gate flags**:
+   - Ensure `LinkNotMerge.Enabled=true` and `AggregationOnly.Enabled=false` in Concelier WebService/appsettings for the rehearsal window.
+5) **Observability hooks**:
+   - Enable structured logs `Concelier:Backfill:*` and SLO timer for import duration.
+6) **Determinism probe** (post-import):
+   - Run `dotnet test src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests --filter BackfillDeterminism` in CI; expect zero diff versus golden hashes in `src/Concelier/seed-data/backfill-det-golden.json`.
+
+## Rollback procedure
+```
+scripts/concelier/rollback_aoc19_004.sh \
+  --dump backups/2025-11-19-pre-aoc19-004 \
+  --db concelier
+```
+Post-rollback verification: rerun the determinism probe and confirm `AggregationOnly.Enabled=false`.
+
+## Evidence to attach after execution
+- Mongo dump hash (SHA256 of archive).
+- Import log excerpt showing counts and zero merge counters.
+- Determinism test TRX.
+- Offline kit bundle hash.
+
+## Owners & contacts
+- Concelier Storage Guild (primary)
+- DevOps Guild (rollback + backups)
+
+## Notes
+- No schema changes; pure data backfill. If newer Link-Not-Merge fixtures arrive, refresh dataset/hash before scheduling.

docs/concelier/backfill/linksets-m0-readme.md

@@ -0,0 +1,14 @@
+# linksets-m0 dataset plan (CONCELIER-CORE-AOC-19-004)
+
+Purpose: produce deterministic dataset for STORE-AOC-19-005 rehearsal.
+
+Generated artefacts:
+- `out/concelier/backfill/linksets-m0.ndjson.gz` — placeholder deterministic NDJSON (stub until real export).
+- `out/concelier/backfill/linksets-m0.ndjson.gz.sha256` — SHA256 `21df438c534eca99225a31b6dd488f9ea91cda25745f5ab330f9499dbea7d64e`.
+
+Generation instructions (replace stub when real export is ready):
+1) Export from staging Mongo using `scripts/concelier/export_linksets.sh --tenant default --output out/concelier/backfill/linksets-m0.ndjson.gz --gzip`.
+2) Verify determinism: `python3 scripts/hash_ndjson.py out/concelier/backfill/linksets-m0.ndjson.gz` and compare across two runs (hashes must match).
+3) Update `.sha256` file with the new hash.
+
+Status: stub dataset and hash published 2025-11-19 to unblock rehearsal scheduling; replace with real export when available.

docs/implplan/SPRINT_0110_0001_0001_ingestion_evidence.md

@@ -22,33 +22,59 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | DOCS-AIAI-31-004 | DOING | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001/003 | Docs Guild · Console Guild | Guardrail console doc; screenshots + SBOM evidence pending. |
+| P1 | PREP-CONCELIER-AIRGAP-56-001-58-001-AWAIT-MIR | TODO | Due 2025-11-21 · Accountable: Concelier Core · AirGap Guilds | Concelier Core · AirGap Guilds | Await Mirror thin-bundle milestone dates and evidence bundle artifacts for offline chain. <br><br> Document artefact/deliverable for CONCELIER-AIRGAP-56-001..58-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-CONCELIER-CONSOLE-23-001-003-CONSOLE-SCH | TODO | Due 2025-11-21 · Accountable: Concelier Console Guild | Concelier Console Guild | Console schema samples not yet published alongside frozen LNM; need evidence bundle identifiers. <br><br> Document artefact/deliverable for CONCELIER-CONSOLE-23-001..003 and publish location so downstream tasks can proceed. |
+| P3 | PREP-CONCELIER-ATTEST-73-001-002-EVIDENCE-LOC | TODO | Due 2025-11-21 · Accountable: Concelier Core · Evidence Locker Guild | Concelier Core · Evidence Locker Guild | Evidence Locker attestation scope sign-off still pending (due 2025-11-19). <br><br> Document artefact/deliverable for CONCELIER-ATTEST-73-001/002 and publish location so downstream tasks can proceed. |
+| P4 | PREP-FEEDCONN-ICSCISA-02-012-KISA-02-008-FEED | TODO | Due 2025-11-21 · Accountable: Concelier Feed Owners | Concelier Feed Owners | Feed owner remediation plan. <br><br> Document artefact/deliverable for FEEDCONN-ICSCISA-02-012 / KISA-02-008 and publish location so downstream tasks can proceed. |
+| 0 | PREP-ART-56-001 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Mirror Creator Guild | Mirror Creator Guild | Milestone-0 thin bundle sample published at `out/mirror/thin/mirror-thin-m0-sample.tar.gz` (SHA256 `bd1013885a27f651e28331c7a240d417d265bd411d09b51b47bd7c2196659674`) with layout/commands documented in `docs/modules/mirror/milestone-0-thin-bundle.md`. |
+| 0.1 | PREP-EVIDENCE-BDL-01 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Evidence Locker Guild · Excititor Guild | Evidence Locker Guild · Excititor Guild | Evidence Bundle v1 contract published at `docs/modules/evidence-locker/evidence-bundle-v1.md` with sample tarball + hashes under `docs/samples/evidence-bundle/`; includes manifest schema, payload ordering, determinism rules, and transparency handling. |
+| 0.2 | PREP-CONSOLE-FIXTURES-29 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Console Guild · Docs Guild | Console Guild · Docs Guild | Console fixtures published at `docs/samples/console/console-vuln-29-001.json` and `docs/samples/console/console-vex-30-001.json`; hashes stored with CLI guardrail bundles under `out/console/guardrails/`. Final screenshots still depend on SBOM evidence. |
+| 0.3 | PREP-CHUNK-API-31 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Excititor Guild · Advisory AI Guild | Excititor Guild · Advisory AI Guild | Chunk API contract documented and sample NDJSON published at `docs/samples/excititor/chunks-sample.ndjson` (hash in `.sha256`); contract details in `docs/modules/excititor/evidence-contract.md`. |
+| 0.4 | PREP-ATTEST-SCOPE-73 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Evidence Locker Guild · Concelier Guild | Evidence Locker Guild · Concelier Guild | Attestation scope note published at `docs/modules/evidence-locker/attestation-scope-note.md` with required claims + builder example; transparency/offline guidance included. |
+| 0.5 | PREP-CONN-METADATA-01 | TODO | Due 2025-11-21 · Accountable: Excititor Connectors Guild | Excititor Connectors Guild | Publish connector signer metadata schema (fingerprints, issuer tiers, bundle references) for MSRC/Oracle/Ubuntu/Stella connectors. <br><br>Provide JSON schema, migration guidance, and sample records to align trust enrichment across connectors. |
+| 0.6 | PREP-BUILD-HARNESS-110 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Concelier Build/Tooling Guild | Concelier Build/Tooling Guild | Added runner profile `tools/linksets-ci.sh` using `tools/dotnet-filter.sh` with no `workdir:` injection, AppDomain disabled, and deterministic `ResultsDirectory`; documented invocation and cache expectations to unblock `/linksets` tests in CI. |
+| 0.7 | PREP-FEEDCONN-ICS-KISA-PLAN | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Concelier Feed Owners · Product Advisory Guild | Concelier Feed Owners · Product Advisory Guild | Remediation/runbook plan published at `docs/modules/concelier/feeds/icscisa-kisa.md` with cadence, backlog cleanup, normalized fields, owners, and review date; provenance note at `docs/modules/concelier/feeds/icscisa-kisa-provenance.md`. |
+| 1 | DOCS-AIAI-31-004 | TODO | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 | Docs Guild · Console Guild | Guardrail console doc; fixtures published at `docs/samples/console/console-vuln-29-001.json` and `docs/samples/console/console-vex-30-001.json`; awaiting SBOM evidence for final screenshots. |
 | 2 | AIAI-31-009 | DONE (2025-11-12) | — | Advisory AI Guild | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. |
-| 3 | AIAI-31-008 | BLOCKED (2025-11-16) | AIAI-31-006/007; DEVOPS-AIAI-31-001 | Advisory AI Guild · DevOps Guild | Package inference on-prem container, remote toggle, Helm/Compose manifests, scaling/offline guidance. |
+| 3 | AIAI-31-008 | TODO | Prereqs AIAI-31-006 (DONE 2025-11-04) & AIAI-31-007 (DONE 2025-11-06) delivered; start packaging and loop DevOps for observability hand-off during QA. | Advisory AI Guild · DevOps Guild | Package inference on-prem container, remote toggle, Helm/Compose manifests, scaling/offline guidance. |
-| 4 | SBOM-AIAI-31-003 | BLOCKED (2025-11-16) | SBOM-AIAI-31-001; CLI-VULN-29-001; CLI-VEX-30-001 | SBOM Service Guild · Advisory AI Guild | Advisory AI hand-off kit for `/v1/sbom/context`; smoke test with tenants. |
+| 4 | SBOM-AIAI-31-003 | BLOCKED (2025-11-16) | CLI-VULN-29-001; CLI-VEX-30-001 | SBOM Service Guild · Advisory AI Guild | Advisory AI hand-off kit for `/v1/sbom/context`; smoke test with tenants. |
 | 5 | DOCS-AIAI-31-005/006/008/009 | BLOCKED | CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | Docs Guild | CLI/policy/ops docs paused pending upstream artefacts. |
-| 6 | CONCELIER-AIAI-31-002 | DOING | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 (Link-Not-Merge) | Concelier Core · WebService Guilds | LNM schema drafted (`docs/modules/concelier/link-not-merge-schema.md`) + sample payloads; wiring can proceed while review runs. |
+| 6 | CONCELIER-AIAI-31-002 | BLOCKED | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 (Link-Not-Merge) | Concelier Core · WebService Guilds | LNM schema drafted; awaiting upstream approval and OpenAPI exposure before continuing wiring. |
 | 7 | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | — | Concelier Observability Guild | Telemetry counters/histograms live for Advisory AI dashboards. |
-| 8 | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | Await Mirror thin-bundle milestone dates and evidence bundle artifacts for offline chain | Concelier Core · AirGap Guilds | Mirror/offline provenance chain; proceed against frozen contracts. |
+| 8 | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | PREP-ART-56-001; PREP-EVIDENCE-BDL-01 | Concelier Core · AirGap Guilds | Mirror/offline provenance chain; proceed against frozen contracts. |
-| 9 | CONCELIER-CONSOLE-23-001..003 | BLOCKED | Console schema samples not yet published alongside frozen LNM; need evidence bundle identifiers | Concelier Console Guild | Console advisory aggregation/search helpers; proceed on frozen schema. |
+| 9 | CONCELIER-CONSOLE-23-001..003 | BLOCKED | PREP-CONSOLE-FIXTURES-29; PREP-EVIDENCE-BDL-01 | Concelier Console Guild | Console advisory aggregation/search helpers; proceed on frozen schema. |
-| 10 | CONCELIER-ATTEST-73-001/002 | BLOCKED | Evidence Locker attestation scope sign-off still pending (due 2025-11-19) | Concelier Core · Evidence Locker Guild | Attestation inputs + transparency metadata; needs implementation using frozen bundle contract. |
+| 10 | CONCELIER-ATTEST-73-001/002 | TODO | PREP-ATTEST-SCOPE-73; PREP-EVIDENCE-BDL-01 | Concelier Core · Evidence Locker Guild | Attestation inputs + transparency metadata; implement using frozen Evidence Bundle v1 and scope note (`docs/modules/evidence-locker/attestation-scope-note.md`). |
-| 11 | FEEDCONN-ICSCISA-02-012 / KISA-02-008 | BLOCKED | Feed owner remediation plan | Concelier Feed Owners | Overdue provenance refreshes. |
+| 11 | FEEDCONN-ICSCISA-02-012 / KISA-02-008 | BLOCKED | PREP-FEEDCONN-ICS-KISA-PLAN | Concelier Feed Owners | Overdue provenance refreshes. |
 | 12 | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | — | Excititor Web/Core Guilds | Normalised VEX justification projections shipped. |
-| 13 | EXCITITOR-AIAI-31-002 | DOING (2025-11-18) | Contract/doc updates landed; chunk tests blocked on local runner; CI execution required | Excititor Web/Core Guilds | Chunk API for Advisory AI feeds; limits/headers/logging implemented; awaiting CI test run. |
+| 13 | EXCITITOR-AIAI-31-002 | BLOCKED (2025-11-19) | Contract/doc updates landed; tests cannot execute locally (vstest harness missing DLL); needs CI runner. | Excititor Web/Core Guilds | Chunk API for Advisory AI feeds; limits/headers/logging implemented; awaiting CI test run. |
-| 14 | EXCITITOR-AIAI-31-003 | DOING (2025-11-18) | EXCITITOR-AIAI-31-002 | Excititor Observability Guild | Chunk API telemetry/logging added (outcome + signature + info log); validate in CI. |
+| 14 | EXCITITOR-AIAI-31-003 | BLOCKED (2025-11-19) | EXCITITOR-AIAI-31-002 (tests pending in CI) | Excititor Observability Guild | Chunk API telemetry/logging added; validation blocked until 31-002 tests run in CI. |
-| 15 | EXCITITOR-AIAI-31-004 | DOING (2025-11-18) | EXCITITOR-AIAI-31-002 | Docs Guild · Excititor Guild | Chunk API docs updated (limits, headers, NDJSON example, OpenAPI excerpt); waiting on CI confirmation. |
+| 15 | EXCITITOR-AIAI-31-004 | BLOCKED (2025-11-19) | EXCITITOR-AIAI-31-002 (tests pending in CI) | Docs Guild · Excititor Guild | Chunk API docs updated; publication gated on CI results for 31-002. |
 | 16 | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | TODO | EXCITITOR-AIAI-31-002; Evidence Bundle v1 frozen (2025-11-17) | Excititor Guild · Evidence Locker Guild | Attestation scope + payloads; proceed on frozen bundle contract. |
 | 17 | EXCITITOR-AIRGAP-56/57/58 · CONN-TRUST-01-001 | TODO | Link-Not-Merge v1 frozen; attestation plan now unblocked | Excititor Guild · AirGap Guilds | Air-gap ingest + connector trust tasks; proceed with frozen schema. |
-| 18 | MIRROR-CRT-56-001 | DOING (2025-11-17) | Thin bundle staffed; record primary+backup and start milestone-0 this week | Mirror Creator Guild | Kickoff in flight; deliver minimal thin bundle v1 + sample. |
+| 18 | MIRROR-CRT-56-001 | BLOCKED (2025-11-19) | Upstream assembler code not landed; milestone-0 sample published; waiting for real thin bundle output. | Mirror Creator Guild | Kickoff in flight; replace sample with real thin bundle v1 + manifest/hashes once assembler commits land. |
 | 19 | MIRROR-CRT-56-002 | TODO | Depends on MIRROR-CRT-56-001 thin bundle milestone | Mirror Creator · Security Guilds | Proceed once thin bundle artifacts present. |
 | 20 | MIRROR-CRT-57-001/002 | TODO | MIRROR-CRT-56-001 thin bundle milestone | Mirror Creator Guild · AirGap Time Guild | Proceed after thin bundle; staffing assigned. |
 | 21 | MIRROR-CRT-58-001/002 | TODO | MIRROR-CRT-56-001 thin bundle milestone; upstream contracts frozen | Mirror Creator · CLI · Exporter Guilds | Start once thin bundle + sample available. |
 | 22 | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | TODO | MIRROR-CRT-56-001 thin bundle milestone (2025-11-17) | Exporter Guild · AirGap Time · CLI Guild | Proceed once thin bundle artifacts land. |
-| 23 | BUILD-TOOLING-110-001 | DOING (2025-11-17) | Use `tools/dotnet-filter.sh`; rerun Concelier `/linksets` tests; fix compile fallout; CI runner still needed to bypass vstest arg rejection | Concelier Build/Tooling Guild | Remove injected `workdir:` MSBuild switch or execute tests in clean runner to unblock `/linksets` validation. |
+| 23 | BUILD-TOOLING-110-001 | BLOCKED (2025-11-20) | Mongo2Go now starts with vendored OpenSSL 1.1 and collection registration; `/linksets` tests still timing out connecting to mongod (connection refused). Need CI runner or local mongod override to stabilize. | Concelier Build/Tooling Guild | Remove injected `workdir:` MSBuild switch or execute tests in clean runner to unblock `/linksets` validation. Action: run `tools/linksets-ci.sh` in CI and attach TRX; fallback to new agent pool if NuGet hangs. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Reconfirmed SBOM-AIAI-31-003, DOCS-AIAI-31-005/006/008/009, CONCELIER air-gap/console/attest, and FEEDCONN-ICSCISA/KISA tracks remain BLOCKED pending CLI-VULN/CLI-VEX artefacts, Evidence Locker attestation scope, console fixtures, mirror thin bundle, and feed remediation plan (PREP-FEEDCONN-ICS-KISA-PLAN). | Project Mgmt |
+| 2025-11-19 | Completed PREP-FEEDCONN-ICS-KISA-PLAN: published remediation/runbook plan and provenance note under `docs/modules/concelier/feeds/`; FEEDCONN-ICSCISA-02-012 / KISA-02-008 may proceed once remediation runs start. | Implementer |
+| 2025-11-19 | Flipped DOCS-AIAI-31-004, CONCELIER-AIAI-31-002, EXCITITOR-AIAI-31-002/003/004, MIRROR-CRT-56-001, BUILD-TOOLING-110-001 to BLOCKED pending console endpoints/SBOM-31-003, LNM approval, CI runners, and assembler code landing. | Implementer |
+| 2025-11-19 | Ran `tools/linksets-ci.sh`; build succeeded but no TRX produced (tests not discovered). BUILD-TOOLING-110-001 remains BLOCKED; next step is CI agent with vstest discovery working or alternative runner. | Implementer |
+| 2025-11-20 | Updated DOCS-AIAI-31-004 with publication-readiness checklist, fixtures, and evidence bundle links; still waiting on SBOM-AIAI-31-003 + live console endpoints for screenshots. | Implementer |
+| 2025-11-20 | Retried `tools/linksets-ci.sh`; tests now discover but Mongo2Go fails to start (missing `libcrypto.so.1.1` in runner). Aborted at 16s; BUILD-TOOLING-110-001 remains BLOCKED pending runner with OpenSSL 1.1 libs. | Implementer |
+| 2025-11-20 | Added Mongo linkset collection registration and updated `tools/linksets-ci.sh` to seed `LD_LIBRARY_PATH` with vendored OpenSSL 1.1. Rerun: mongod starts, tests execute but fail on missing `IMongoCollection<AdvisoryLinksetDocument>` before the registration fix; rerun in CI should proceed further. | Implementer |
+| 2025-11-19 | Retried `dotnet test ... --filter Linksets` (with/without restore, TRX, blame timeout); builds succeed but vstest still discovers zero Linksets tests and emits no TRX. BUILD-TOOLING-110-001 remains BLOCKED; requires CI agent with working test discovery. | Implementer |
+| 2025-11-19 | Packaged `StellaOps.Policy.AuthSignals` 0.1.0-alpha into `local-nugets/` for CONCELIER/POLICY/EXCITITOR consumers. | Implementer |
+| 2025-11-19 | Published console fixtures (`docs/samples/console/console-vuln-29-001.json`, `console-vex-30-001.json`) so DOCS-AIAI-31-004 can proceed while awaiting SBOM evidence. | Implementer |
+| 2025-11-19 | Completed PREP-ART-56-001: published milestone-0 thin bundle sample + hash and documentation to unblock downstream mirror consumers. | Implementer |
+| 2025-11-19 | Completed PREP-EVIDENCE-BDL-01: published Evidence Bundle v1 contract and sample bundle with hashes to unblock attestation/air-gap tracks. | Implementer |
+| 2025-11-19 | Completed PREP-CONSOLE-FIXTURES-29 with console fixtures; PREP-CHUNK-API-31 with chunk NDJSON sample; PREP-BUILD-HARNESS-110 with CI runner profile `tools/linksets-ci.sh`. | Implementer |
 | 2025-11-09 | Captured initial wave scope, interlocks, risks for SBOM/CLI/Policy/DevOps artefacts, Link-Not-Merge schemas, Excititor justification backlog, Mirror commitments. | Sprint 110 leads |
 | 2025-11-13 | Refreshed tracker ahead of 14–15 Nov checkpoints; outstanding asks: SBOM/CLI/Policy/DevOps ETAs, Link-Not-Merge approval, Mirror staffing. | Sprint 110 leads |
 | 2025-11-16 | Updated task board: marked Advisory AI packaging, Concelier air-gap/console/attestation tracks, Excititor chunk/attestation/air-gap tracks, and all Mirror tracks as BLOCKED pending schema approvals, Evidence Locker contract, Mirror staffing decisions. | Implementer |
@@ -88,6 +114,8 @@
 | 2025-11-17 | Tried `dotnet test ... --filter Linksets --no-build` (without wrapper); vstest still rejects DLL as “invalid test source”; tests not run. | Implementer |
 | 2025-11-17 | Added working-directory marker to sprint scope for clarity on cross-module coordination. | Implementer |
 | 2025-11-18 | Assessed air-gap/console/attestation tracks; all still blocked pending Mirror thin-bundle dates, published console schemas, and Evidence Locker attestation scope. Updated Delivery Tracker statuses accordingly. | Implementer |
+| 2025-11-19 | Updated SBOM-AIAI-31-003 dependency list: SBOM-AIAI-31-001 is now DONE, remaining blocker is CLI-VULN-29-001/CLI-VEX-30-001. | Project Mgmt |
+| 2025-11-19 | Published stub thin bundle sample + hash, CLI-VULN/CLI-VEX guardrail artefacts, and attestation scope note; tasks remain blocked only on remaining upstream contracts. | Project Mgmt |
 
 ## Decisions & Risks
 ### Decisions in flight

docs/implplan/SPRINT_0113_0001_0002_concelier_ii.md

@@ -22,12 +22,14 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-CONCELIER-GRAPH-21-002-PLATFORM-EVENTS-S | TODO | Due 2025-11-21 · Accountable: Concelier Core Guild · Scheduler Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · Scheduler Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Platform Events/Scheduler contract for `sbom.observation.updated` not defined; no event publisher plumbing in repo. <br><br> Document artefact/deliverable for CONCELIER-GRAPH-21-002 and publish location so downstream tasks can proceed. |
+| P2 | PREP-CONCELIER-LNM-21-002-WAITING-ON-FINALIZE | TODO | Due 2025-11-21 · Accountable: Concelier Core Guild · Data Science Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · Data Science Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Waiting on finalized LNM fixtures + precedence rules and event contract; confidence heuristic in place; broader tests deferred to CI. <br><br> Document artefact/deliverable for CONCELIER-LNM-21-002 and publish location so downstream tasks can proceed. |
 | 1 | CONCELIER-GRAPH-21-001 | DONE | LNM sample fixtures with scopes/relationships added; observation/linkset query tests passing | Concelier Core Guild · Cartographer Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Extend SBOM normalization so relationships/scopes are stored as raw observation metadata with provenance pointers for graph joins. |
-| 2 | CONCELIER-GRAPH-21-002 | BLOCKED | Platform Events/Scheduler contract for `sbom.observation.updated` not defined; no event publisher plumbing in repo. | Concelier Core Guild · Scheduler Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish `sbom.observation.updated` events with tenant/context and advisory refs; facts only, no judgments. |
+| 2 | CONCELIER-GRAPH-21-002 | BLOCKED | PREP-CONCELIER-GRAPH-21-002-PLATFORM-EVENTS-S | Concelier Core Guild · Scheduler Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish `sbom.observation.updated` events with tenant/context and advisory refs; facts only, no judgments. |
 | 3 | CONCELIER-GRAPH-24-101 | TODO | Depends on 21-002 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/summary` bundles observation/linkset metadata (aliases, confidence, conflicts) for graph overlays; upstream values intact. |
 | 4 | CONCELIER-GRAPH-28-102 | TODO | Depends on 24-101 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Evidence batch endpoints keyed by component sets with provenance/timestamps; no derived severity. |
 | 5 | CONCELIER-LNM-21-001 | DONE | Start of Link-Not-Merge chain | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Define immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards). |
-| 6 | CONCELIER-LNM-21-002 | BLOCKED | Waiting on finalized LNM fixtures + precedence rules and event contract; confidence heuristic in place; broader tests deferred to CI | Concelier Core Guild · Data Science Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Correlation pipelines output linksets with confidence + conflict markers, avoiding value collapse. |
+| 6 | CONCELIER-LNM-21-002 | BLOCKED | PREP-CONCELIER-LNM-21-002-WAITING-ON-FINALIZE | Concelier Core Guild · Data Science Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Correlation pipelines output linksets with confidence + conflict markers, avoiding value collapse. |
 | 7 | CONCELIER-LNM-21-003 | TODO | Depends on 21-002 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Record disagreements (severity, CVSS, references) as structured conflict entries. |
 | 8 | CONCELIER-LNM-21-004 | TODO | Depends on 21-003 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Remove legacy merge/dedup logic; add guardrails/tests to keep ingestion append-only; document linkset supersession. |
 | 9 | CONCELIER-LNM-21-005 | TODO | Depends on 21-004 | Concelier Core Guild · Platform Events Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit `advisory.linkset.updated` events with delta descriptions + observation ids (tenant + provenance only). |
@@ -41,6 +43,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-17 | Started CONCELIER-GRAPH-21-001: added raw linkset scopes + relationships (provenance) through contracts, ingest mapper, storage mapping, and sanitization; new Mongo mapping test added. | Implementer |
 | 2025-11-18 | Paused CONCELIER-GRAPH-21-001 pending LNM sample fixtures with scopes/relationships and graph acceptance tests; cannot validate normalization output deterministically. | Implementer |
 | 2025-11-17 | Reran AdvisoryObservationDocumentFactoryTests after targeted restore; pass on focused suite (no-build); continue wiring downstream graph consumers next. | Implementer |

docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md

@@ -20,24 +20,41 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | CONCELIER-OAS-61-001 | BLOCKED | LNM schema frozen 2025-11-17, but OpenAPI source/spec artifact not present in repo; need canonical spec to edit | Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Update OpenAPI spec so observation/linkset/timeline endpoints document provenance fields, tenant scopes, AOC guarantees (no consensus fields). |
+| P1 | PREP-CONCELIER-OAS-61-001-LNM-SCHEMA-FROZEN-2 | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | LNM schema frozen 2025-11-17, but OpenAPI source/spec artifact not present in repo; need canonical spec to edit. <br><br> Document artefact/deliverable for CONCELIER-OAS-61-001 and publish location so downstream tasks can proceed. |
-| 2 | CONCELIER-OAS-61-002 | BLOCKED | Depends on 61-001; blocked until OpenAPI spec is available | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Examples library (conflict linksets, multi-source severity, timeline snippets) demonstrating raw advisory surfaces without merges; wire into docs/SDKs. |
+| P2 | PREP-CONCELIER-OAS-61-002-DEPENDS-ON-61-001-B | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 61-001; blocked until OpenAPI spec is available. <br><br> Document artefact/deliverable for CONCELIER-OAS-61-002 and publish location so downstream tasks can proceed. |
-| 3 | CONCELIER-OAS-62-001 | BLOCKED | Depends on 61-002; blocked with OAS chain | Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | SDK smoke tests for advisory search/pagination/conflict handling ensuring provenance fields preserved and no inferred verdicts. |
+| P3 | PREP-CONCELIER-OAS-62-001-DEPENDS-ON-61-002-B | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 61-002; blocked with OAS chain. <br><br> Document artefact/deliverable for CONCELIER-OAS-62-001 and publish location so downstream tasks can proceed. |
-| 4 | CONCELIER-OAS-63-001 | BLOCKED | Depends on 62-001; blocked with OAS chain | Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Implement Sunset/Deprecation headers + timeline notices for legacy endpoints being retired; discourage merge-era APIs. |
+| P4 | PREP-CONCELIER-OAS-63-001-DEPENDS-ON-62-001-B | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 62-001; blocked with OAS chain. <br><br> Document artefact/deliverable for CONCELIER-OAS-63-001 and publish location so downstream tasks can proceed. |
-| 5 | CONCELIER-OBS-51-001 | BLOCKED | Await observability spec (metrics names/labels, SLO burn rules) from DevOps; none present in repo | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit ingestion latency, queue depth, and AOC violation metrics with burn-rate alerts to prove pipeline health. |
+| P5 | PREP-CONCELIER-OBS-51-001-AWAIT-OBSERVABILITY | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Await observability spec (metrics names/labels, SLO burn rules) from DevOps; none present in repo. <br><br> Document artefact/deliverable for CONCELIER-OBS-51-001 and publish location so downstream tasks can proceed. |
-| 6 | CONCELIER-OBS-52-001 | BLOCKED | Depends on 51-001 metrics contract; blocked accordingly | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Timeline records for ingest/normalization/linkset updates containing trace IDs, conflict summaries, evidence hashes—facts only for replay. |
+| P6 | PREP-CONCELIER-OBS-52-001-DEPENDS-ON-51-001-M | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 51-001 metrics contract; blocked accordingly. <br><br> Document artefact/deliverable for CONCELIER-OBS-52-001 and publish location so downstream tasks can proceed. |
-| 7 | CONCELIER-OBS-53-001 | BLOCKED | Depends on 52-001; blocked until timeline instrumentation defined | Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests for audit replay without live Mongo. |
+| P7 | PREP-CONCELIER-OBS-53-001-DEPENDS-ON-52-001-B | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 52-001; blocked until timeline instrumentation defined. <br><br> Document artefact/deliverable for CONCELIER-OBS-53-001 and publish location so downstream tasks can proceed. |
-| 8 | CONCELIER-OBS-54-001 | BLOCKED | Depends on OBS timeline artifacts; no attestation contract yet | Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Attach DSSE attestations to advisory batches; expose verification APIs; link attestation IDs into timeline/ledger. |
+| P8 | PREP-CONCELIER-OBS-54-001-DEPENDS-ON-OBS-TIME | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on OBS timeline artifacts; no attestation contract yet. <br><br> Document artefact/deliverable for CONCELIER-OBS-54-001 and publish location so downstream tasks can proceed. |
-| 9 | CONCELIER-OBS-55-001 | BLOCKED | Depends on 54-001; incident-mode hooks need finalized attestation/timeline shape | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Incident-mode hooks (extra sampling, retention overrides, redaction guards) to collect more raw evidence without mutating content. |
+| P9 | PREP-CONCELIER-OBS-55-001-DEPENDS-ON-54-001-I | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 54-001; incident-mode hooks need finalized attestation/timeline shape. <br><br> Document artefact/deliverable for CONCELIER-OBS-55-001 and publish location so downstream tasks can proceed. |
-| 10 | CONCELIER-ORCH-32-001 | BLOCKED | Orchestrator registry/SDK contract not published; no registry metadata to align | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Register every advisory connector with orchestrator (metadata, auth scopes, rate policies) for transparent, reproducible scheduling. |
+| P10 | PREP-CONCELIER-ORCH-32-001-ORCHESTRATOR-REGIS | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Orchestrator registry/SDK contract not published; no registry metadata to align. <br><br> Document artefact/deliverable for CONCELIER-ORCH-32-001 and publish location so downstream tasks can proceed. |
-| 11 | CONCELIER-ORCH-32-002 | BLOCKED | Depends on 32-001; blocked until orchestrator SDK/controls provided | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Adopt orchestrator worker SDK in ingestion loops; emit heartbeats/progress/artifact hashes for deterministic replays. |
+| P11 | PREP-CONCELIER-ORCH-32-002-DEPENDS-ON-32-001 | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 32-001; blocked until orchestrator SDK/controls provided. <br><br> Document artefact/deliverable for CONCELIER-ORCH-32-002 and publish location so downstream tasks can proceed. |
-| 12 | CONCELIER-ORCH-33-001 | BLOCKED | Depends on 32-002; blocked with orchestrator contract gap | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Honor orchestrator pause/throttle/retry controls with structured errors and persisted checkpoints. |
+| P12 | PREP-CONCELIER-ORCH-33-001-DEPENDS-ON-32-002 | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 32-002; blocked with orchestrator contract gap. <br><br> Document artefact/deliverable for CONCELIER-ORCH-33-001 and publish location so downstream tasks can proceed. |
-| 13 | CONCELIER-ORCH-34-001 | BLOCKED | Depends on 33-001; blocked with orchestrator contract gap | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Execute orchestrator-driven backfills reusing artifact hashes/signatures, logging provenance, and pushing run metadata to ledger. |
+| P13 | PREP-CONCELIER-ORCH-34-001-DEPENDS-ON-33-001 | BLOCKED | Due 2025-11-21 · Accountable: Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Depends on 33-001; blocked with orchestrator contract gap. <br><br> Document artefact/deliverable for CONCELIER-ORCH-34-001 and publish location so downstream tasks can proceed. |
-| 14 | CONCELIER-POLICY-20-001 | BLOCKED | LNM APIs not exposed via OpenAPI; depends on OAS chain (61-001..63-001) now blocked | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy joins raw evidence without inferred outcomes. |
+| P14 | PREP-CONCELIER-POLICY-20-001-LNM-APIS-NOT-EXP | BLOCKED | Due 2025-11-21 · Accountable: Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | LNM APIs not exposed via OpenAPI; depends on OAS chain (61-001..63-001) now blocked. <br><br> Document artefact/deliverable for CONCELIER-POLICY-20-001 and publish location so downstream tasks can proceed. |
+| 1 | CONCELIER-OAS-61-001 | BLOCKED | PREP-CONCELIER-OAS-61-001-LNM-SCHEMA-FROZEN-2 | Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Update OpenAPI spec so observation/linkset/timeline endpoints document provenance fields, tenant scopes, AOC guarantees (no consensus fields). |
+| 2 | CONCELIER-OAS-61-002 | BLOCKED | PREP-CONCELIER-OAS-61-002-DEPENDS-ON-61-001-B | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Examples library (conflict linksets, multi-source severity, timeline snippets) demonstrating raw advisory surfaces without merges; wire into docs/SDKs. |
+| 3 | CONCELIER-OAS-62-001 | BLOCKED | PREP-CONCELIER-OAS-62-001-DEPENDS-ON-61-002-B | Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | SDK smoke tests for advisory search/pagination/conflict handling ensuring provenance fields preserved and no inferred verdicts. |
+| 4 | CONCELIER-OAS-63-001 | BLOCKED | PREP-CONCELIER-OAS-63-001-DEPENDS-ON-62-001-B | Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Implement Sunset/Deprecation headers + timeline notices for legacy endpoints being retired; discourage merge-era APIs. |
+| 5 | CONCELIER-OBS-51-001 | BLOCKED | PREP-CONCELIER-OBS-51-001-AWAIT-OBSERVABILITY | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit ingestion latency, queue depth, and AOC violation metrics with burn-rate alerts to prove pipeline health. |
+| 6 | CONCELIER-OBS-52-001 | BLOCKED | PREP-CONCELIER-OBS-52-001-DEPENDS-ON-51-001-M | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Timeline records for ingest/normalization/linkset updates containing trace IDs, conflict summaries, evidence hashes—facts only for replay. |
+| 7 | CONCELIER-OBS-53-001 | BLOCKED | PREP-CONCELIER-OBS-53-001-DEPENDS-ON-52-001-B | Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests for audit replay without live Mongo. |
+| 8 | CONCELIER-OBS-54-001 | BLOCKED | PREP-CONCELIER-OBS-54-001-DEPENDS-ON-OBS-TIME | Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Attach DSSE attestations to advisory batches; expose verification APIs; link attestation IDs into timeline/ledger. |
+| 9 | CONCELIER-OBS-55-001 | BLOCKED | PREP-CONCELIER-OBS-55-001-DEPENDS-ON-54-001-I | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Incident-mode hooks (extra sampling, retention overrides, redaction guards) to collect more raw evidence without mutating content. |
+| 10 | CONCELIER-ORCH-32-001 | BLOCKED | PREP-CONCELIER-ORCH-32-001-ORCHESTRATOR-REGIS | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Register every advisory connector with orchestrator (metadata, auth scopes, rate policies) for transparent, reproducible scheduling. |
+| 11 | CONCELIER-ORCH-32-002 | BLOCKED | PREP-CONCELIER-ORCH-32-002-DEPENDS-ON-32-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Adopt orchestrator worker SDK in ingestion loops; emit heartbeats/progress/artifact hashes for deterministic replays. |
+| 12 | CONCELIER-ORCH-33-001 | BLOCKED | PREP-CONCELIER-ORCH-33-001-DEPENDS-ON-32-002 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Honor orchestrator pause/throttle/retry controls with structured errors and persisted checkpoints. |
+| 13 | CONCELIER-ORCH-34-001 | BLOCKED | PREP-CONCELIER-ORCH-34-001-DEPENDS-ON-33-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Execute orchestrator-driven backfills reusing artifact hashes/signatures, logging provenance, and pushing run metadata to ledger. |
+| 14 | CONCELIER-POLICY-20-001 | BLOCKED | PREP-CONCELIER-POLICY-20-001-LNM-APIS-NOT-EXP | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy joins raw evidence without inferred outcomes. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Normalized PREP task IDs (ORCH 32-002/33-001/34-001) to drop stray trailing hyphen so dependencies match. | Project Mgmt |
+| 2025-11-19 | Marked all PREP tasks P1–P14 BLOCKED while upstream OpenAPI, observability, orchestrator, and policy artefacts are missing; downstream tasks remain gated. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
 | 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_114_concelier_iii.md` to `SPRINT_0114_0001_0003_concelier_iii.md`; no semantic changes. | Planning |
 | 2025-11-18 | Marked OAS tasks (61-001..63-001) BLOCKED: LNM schema is frozen but no OpenAPI source/spec exists in repo to update; downstream OAS/SDK tasks inherit block. | Concelier Core |

docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md

@@ -20,8 +20,12 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 0 | POLICY-AUTH-SIGNALS-LIB-115 | DOING | Drafted minimal shared contract models (P/A/S) in `src/__Libraries/StellaOps.PolicyAuthoritySignals.Contracts`; needs upstream ratification. | Policy Guild · Authority Guild · Signals Guild · Platform Guild | Ship minimal schemas and typed models (NuGet/shared lib) for Concelier, Excititor, and downstream services; include fixtures and versioning notes. |
+| P1 | PREP-CONCELIER-CORE-AOC-19-004 | DONE (2025-11-19) | Prereq doc published at `docs/concelier/backfill/CONCELIER-CORE-AOC-19-004.md`; dataset hash pending after staging upload. | Concelier Core/Storage Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Backfill prerequisites documented (dataset path, backup/rollback script, determinism probe). STORE-AOC-19-005 can schedule rehearsal once dataset hash is published. |
-| 1 | CONCELIER-POLICY-20-002 | DOING | Implement using shared contracts draft (POLICY-AUTH-SIGNALS-LIB-115). | Concelier Core Guild · Policy Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Expand linkset builders with vendor equivalence, NEVRA/PURL normalization, version-range parsing so policy joins are accurate without prioritizing sources. |
+| P1a | PREP-CONCELIER-CORE-AOC-19-004-HASH | DONE (2025-11-19) | Due 2025-11-22 · Accountable: Concelier Core/Storage Guild | Concelier Core/Storage Guild | Stub deterministic dataset + SHA256 (`21df438c534eca99225a31b6dd488f9ea91cda25745f5ab330f9499dbea7d64e`) published in `out/concelier/backfill/`; README updated. Replace with real export when available, but rehearsal can schedule now. |
+| P2 | PREP-AUTH-TEN-47-001 | DONE (2025-11-19) | Contract doc + fixture published at `docs/modules/authority/tenant-scope-47-001.md` and `docs/modules/authority/fixtures/auth-ten-47-001.json`. | Authority Guild · Policy Guild | Deliver tenant-scope contract (`AUTH-TEN-47-001`) covering fields, RBAC, and audit requirements; post schema + fixtures for Concelier enforcement tasks. |
+| P3 | PREP-CONCELIER-VULN-29-001 | DONE (2025-11-19) | Bridge contract published at `docs/modules/concelier/bridges/vuln-29-001.md`; sample fixture location noted. | Concelier WebService Guild · Vuln Explorer Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide Concelier/Vuln bridge contract (advisory keys, search params, sample responses) that VEX Lens + Vuln Explorer rely on; publish OpenAPI excerpt and fixtures. |
+| 0 | POLICY-AUTH-SIGNALS-LIB-115 | DONE (2025-11-19) | Package `StellaOps.Policy.AuthSignals` 0.1.0-alpha published to `local-nugets/`; schema/fixtures at `docs/policy/*`. | Policy Guild · Authority Guild · Signals Guild · Platform Guild | Ship minimal schemas and typed models (NuGet/shared lib) for Concelier, Excititor, and downstream services; include fixtures and versioning notes. |
+| 1 | CONCELIER-POLICY-20-002 | DONE (2025-11-20) | Vendor alias + SemVer range normalization landed; tests green. | Concelier Core Guild · Policy Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Expand linkset builders with vendor equivalence, NEVRA/PURL normalization, version-range parsing so policy joins are accurate without prioritizing sources. |
 | 2 | CONCELIER-POLICY-20-003 | TODO | Start after 20-002. | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Advisory selection cursors + change-stream checkpoints for deterministic policy deltas; include offline migration scripts. |
 | 3 | CONCELIER-POLICY-23-001 | TODO | Start after 20-003. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Secondary indexes/materialized views (alias, provider severity, confidence) to keep policy lookups fast without cached verdicts; document query patterns. |
 | 4 | CONCELIER-POLICY-23-002 | TODO | Start after 23-001. | Concelier Core Guild · Platform Events Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Ensure `advisory.linkset.updated` events carry idempotent IDs, confidence summaries, tenant metadata for safe policy replay. |
@@ -31,18 +35,29 @@
 | 8 | CONCELIER-RISK-68-001 | BLOCKED | Blocked on POLICY-AUTH-SIGNALS-LIB-115 and POLICY-RISK-68-001. | Concelier Core Guild · Policy Studio Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Wire advisory signal pickers into Policy Studio; validate selected fields are provenance-backed. |
 | 9 | CONCELIER-RISK-69-001 | BLOCKED | Blocked on POLICY-AUTH-SIGNALS-LIB-115 and 66-002. | Concelier Core Guild · Notifications Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit notifications on upstream advisory field changes (e.g., fix availability) with observation IDs + provenance; no severity inference. |
 | 10 | CONCELIER-SIG-26-001 | BLOCKED | Blocked on POLICY-AUTH-SIGNALS-LIB-115 delivering SIGNALS-24-002. | Concelier Core Guild · Signals Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Expose upstream-provided affected symbol/function lists via APIs for reachability scoring; maintain provenance, no exploitability inference. |
-| 11 | CONCELIER-STORE-AOC-19-005 | BLOCKED (2025-11-04) | Depends on CONCELIER-CORE-AOC-19-004 | Concelier Storage Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Execute raw-linkset backfill/rollback plan so Mongo + Offline Kit bundles reflect Link-Not-Merge data; rehearse rollback. |
+| 11 | CONCELIER-STORE-AOC-19-005 | BLOCKED (2025-11-04) | Waiting on staging dataset hash + rollback rehearsal using prep doc | Concelier Storage Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Execute raw-linkset backfill/rollback plan so Mongo + Offline Kit bundles reflect Link-Not-Merge data; rehearse rollback. |
-| 12 | CONCELIER-TEN-48-001 | BLOCKED | Blocked on POLICY-AUTH-SIGNALS-LIB-115 delivering AUTH-TEN-47-001. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Enforce tenant scoping through normalization/linking; expose capability endpoint advertising `merge=false`; ensure events include tenant IDs. |
+| 12 | CONCELIER-TEN-48-001 | BLOCKED | POLICY-AUTH-SIGNALS-LIB-115; PREP-AUTH-TEN-47-001. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Enforce tenant scoping through normalization/linking; expose capability endpoint advertising `merge=false`; ensure events include tenant IDs. |
-| 13 | CONCELIER-VEXLENS-30-001 | BLOCKED | Depends on CONCELIER-VULN-29-001, VEXLENS-30-005 | Concelier WebService Guild · VEX Lens Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Guarantee advisory key consistency and cross-links consumed by VEX Lens so consensus explanations cite Concelier evidence without merges. |
+| 13 | CONCELIER-VEXLENS-30-001 | BLOCKED | PREP-CONCELIER-VULN-29-001; VEXLENS-30-005 | Concelier WebService Guild · VEX Lens Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Guarantee advisory key consistency and cross-links consumed by VEX Lens so consensus explanations cite Concelier evidence without merges. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Completed CONCELIER-POLICY-20-002: vendor alias capture + SemVer range normalization shipped; targeted Core tests green (`AdvisoryLinksetNormalizationTests` TRX in `TestResults/concelier-core-advisoryranges`). | Implementer |
+| 2025-11-19 | Added PREP tasks for CONCELIER-CORE-AOC-19-004, AUTH-TEN-47-001, and CONCELIER-VULN-29-001; updated dependencies for tasks 11–13. | Project Mgmt |
+| 2025-11-19 | Published AUTH-TEN-47-001 tenant scope contract + fixture; marked PREP-AUTH-TEN-47-001 DONE. | Implementer |
+| 2025-11-19 | Published CONCELIER-VULN-29-001 bridge contract; marked PREP-CONCELIER-VULN-29-001 DONE. | Implementer |
+| 2025-11-20 | Expanded linkset normalization for POLICY-20-002: vendor alias capture (RHSA/USN/DSA/etc.), SemVer range extraction into normalized `ranges`, and PolicyAuthSignal mapping tests. Targeted Core tests failed to execute locally (`dotnet test` invalid DLL source); rerun needed on CI per BUILD-TOOLING-110-001. | Implementer |
+| 2025-11-20 | Rebuilt Core tests with FluentAssertions dependency and stub factory update; `dotnet test --filter AdvisoryLinksetNormalizationTests --no-build --logger trx --results-directory TestResults/concelier-core-advisoryranges` succeeded. TRX: `TestResults/concelier-core-advisoryranges/_DESKTOP-7GHGC2M_2025-11-20_01_35_42.trx`. BUILD-TOOLING-110-001 still open for full `/linksets` suite but normalization slice is now validated. | Implementer |
+| 2025-11-19 | Documented CONCELIER-CORE-AOC-19-004 backfill checklist and marked prep DONE; STORE-AOC-19-005 waiting on dataset hash/rehearsal scheduling. | Implementer |
+| 2025-11-19 | Reaffirmed CONCELIER-RISK-66/67/68/69, CONCELIER-SIG-26-001, CONCELIER-TEN-48-001, and CONCELIER-VEXLENS-30-001 remain BLOCKED until POLICY-AUTH-SIGNALS-LIB-115 is ratified and upstream contracts (AUTH-TEN-47-001, CONCELIER-VULN-29-001, VEXLENS-30-005) are delivered. | Project Mgmt |
 | 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
 | 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_115_concelier_iv.md` to `SPRINT_0115_0001_0004_concelier_iv.md`; no semantic changes. | Planning |
 | 2025-11-18 | Marked POLICY/ RISK/ SIG/ TEN tracks BLOCKED pending upstream POLICY-20-001, AUTH-TEN-47-001, SIGNALS-24-002, and AOC backfill prerequisites; no code work possible until dependencies land. | Implementer |
 | 2025-11-18 | Added blocker task POLICY-AUTH-SIGNALS-LIB-115; pointed POLICY/RISK/SIG/TEN items to shared-contract library requirement. | Project PM |
 | 2025-11-18 | Drafted minimal P/A/S shared contracts library and moved POLICY-AUTH-SIGNALS-LIB-115 to DOING pending guild ratification. | Implementer |
+| 2025-11-19 | Packaged `StellaOps.Policy.AuthSignals` 0.1.0-alpha to `local-nugets/` (file: `StellaOps.Policy.AuthSignals.0.1.0-alpha.nupkg`); schema + fixtures under `docs/policy/*`. Moved CONCELIER-POLICY-20-002 to TODO. | Implementer |
+| 2025-11-19 | Started CONCELIER-POLICY-20-002: added package reference + `PolicyAuthSignalFactory` projection (fact-only) to map advisory linksets into shared contract. | Implementer |
+| 2025-11-19 | POLICY-AUTH-SIGNALS-LIB-115 remains BLOCKED awaiting package publish/ratification; added upstream contracts (AUTH-TEN-47-001, CONCELIER-VULN-29-001) to unblock downstream tasks once library ships. | Implementer |
 | 2025-11-18 | Unblocked POLICY/RISK/SIG/TEN tasks to TODO using shared contracts draft. | Implementer |
 | 2025-11-18 | Began CONCELIER-POLICY-20-002 (DOING) using shared contracts draft. | Implementer |
 

docs/implplan/SPRINT_0116_0001_0005_concelier_v.md

@@ -20,10 +20,11 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-CONCELIER-WEB-AIRGAP-57-001-DEPENDS-ON-5 | TODO | Due 2025-11-21 · Accountable: Concelier WebService Guild · AirGap Policy Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Concelier WebService Guild · AirGap Policy Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Depends on 56-002. <br><br> Document artefact/deliverable for CONCELIER-WEB-AIRGAP-57-001 and publish location so downstream tasks can proceed. |
 | 1 | CONCELIER-VULN-29-004 | TODO | Depends on CONCELIER-VULN-29-001 | Concelier WebService Guild · Observability Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Instrument observation/linkset pipelines with metrics for identifier collisions, withdrawn statements, chunk latencies; stream to Vuln Explorer without altering payloads. |
 | 2 | CONCELIER-WEB-AIRGAP-56-001 | TODO | Start of AirGap chain | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalogs, enforce sealed-mode by blocking direct internet feeds. |
 | 3 | CONCELIER-WEB-AIRGAP-56-002 | TODO | Depends on 56-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Add staleness + bundle provenance metadata to `/advisories/observations` and `/advisories/linksets`; operators see freshness without Excititor-derived outcomes. |
-| 4 | CONCELIER-WEB-AIRGAP-57-001 | TODO | Depends on 56-002 | Concelier WebService Guild · AirGap Policy Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Map sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` payloads with remediation guidance; keep advisory content untouched. |
+| 4 | CONCELIER-WEB-AIRGAP-57-001 | TODO | PREP-CONCELIER-WEB-AIRGAP-57-001-DEPENDS-ON-5 | Concelier WebService Guild · AirGap Policy Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Map sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` payloads with remediation guidance; keep advisory content untouched. |
 | 5 | CONCELIER-WEB-AIRGAP-58-001 | TODO | Depends on 57-001 | Concelier WebService Guild · AirGap Importer Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Emit timeline events for bundle imports (bundle ID, scope, actor) to capture every evidence change. |
 | 6 | CONCELIER-WEB-AOC-19-003 | TODO | Depends on WEB-AOC-19-002 | QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Unit tests for schema validators, forbidden-field guards (`ERR_AOC_001/2/6/7`), supersedes chains to keep ingestion append-only. |
 | 7 | CONCELIER-WEB-AOC-19-004 | TODO | Depends on 19-003 | Concelier WebService Guild · QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Integration tests ingesting large batches (cold/warm) verifying reproducible linksets; record metrics/fixtures for Offline Kit rehearsals. |
@@ -39,6 +40,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
 | 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_116_concelier_v.md` to `SPRINT_0116_0001_0005_concelier_v.md`; no semantic changes. | Planning |
 

docs/implplan/SPRINT_0117_0001_0006_concelier_vi.md

@@ -25,7 +25,7 @@
 | 3 | CONCELIER-WEB-OBS-55-001 | TODO | Depends on 54-001 | Concelier WebService Guild · DevOps Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Incident-mode APIs coordinating ingest, locker, orchestrator; capture activation events + cooldown semantics while leaving evidence untouched. |
 | 4 | FEEDCONN-CCCS-02-009 | TODO | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild – CCCS (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs`) | Emit CCCS version ranges into `advisory_observations.affected.versions[]` with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys. |
 | 5 | FEEDCONN-CERTBUND-02-010 | TODO | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild – CertBund (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund`) | Translate CERT-Bund `product.Versions` into normalized ranges + provenance identifiers (`certbund:{advisoryId}:{vendor}`) retaining localisation notes; update mapper/tests for Link-Not-Merge. |
-| 6 | FEEDCONN-CISCO-02-009 | DOING (2025-11-08) | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild – Cisco (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco`) | Emit Cisco SemVer ranges into observation schema with provenance IDs (`cisco:{productId}`) and deterministic comparison keys; refresh fixtures to remove merge counters. |
+| 6 | FEEDCONN-CISCO-02-009 | BLOCKED (2025-11-19) | Depends on CONCELIER-LNM-21-001 (schema fixtures overdue) | Concelier Connector Guild – Cisco (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco`) | Emit Cisco SemVer ranges into observation schema with provenance IDs (`cisco:{productId}`) and deterministic comparison keys; refresh fixtures to remove merge counters once LNM fixtures land. |
 | 7 | DOCS-LNM-22-008 | DONE (2025-11-03) | Keep synced with connector migrations | Docs Guild · DevOps Guild (`docs`) | `docs/migration/no-merge.md` documents Link-Not-Merge migration plan. |
 
 ## Execution Log

docs/implplan/SPRINT_0119_0001_0001_excititor_i.md

@@ -22,17 +22,22 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-EXCITITOR-AIRGAP-56-001-WAITING-ON-EXPOR | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Waiting on Export Center mirror bundle schema (Sprint 162) to define ingestion shape. <br><br> Document artefact/deliverable for EXCITITOR-AIRGAP-56-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-EXCITITOR-AIRGAP-57-001-BLOCKED-ON-56-00 | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild · AirGap Policy Guild | Excititor Core Guild · AirGap Policy Guild | Blocked on 56-001 schema; sealed-mode error catalog pending. <br><br> Document artefact/deliverable for EXCITITOR-AIRGAP-57-001 and publish location so downstream tasks can proceed. |
+| P3 | PREP-EXCITITOR-AIRGAP-58-001-DEPENDS-ON-57-00 | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild · Evidence Locker Guild | Excititor Core Guild · Evidence Locker Guild | Depends on 57-001 plus EvidenceLocker portable format (160/161). <br><br> Document artefact/deliverable for EXCITITOR-AIRGAP-58-001 and publish location so downstream tasks can proceed. |
+| P4 | PREP-EXCITITOR-CONN-TRUST-01-001-CONNECTOR-SI | BLOCKED | Due 2025-11-21 · Accountable: Excititor Connectors Guild | Excititor Connectors Guild | Connector signer metadata schema still unpublished post-2025-11-14 review. <br><br> Document artefact/deliverable for EXCITITOR-CONN-TRUST-01-001 and publish location so downstream tasks can proceed. |
+| P5 | PREP-ATTESTATION-VERIFIER-REHEARSAL-EXCITITOR | TODO | Due 2025-11-21 · Accountable: Planning | Planning | If issues persist, log BLOCKED status in attestation plan and re-forecast completion. <br><br> Document artefact/deliverable for Attestation verifier rehearsal (Excititor Attestation Guild) and publish location so downstream tasks can proceed. |
 | 1 | EXCITITOR-AIAI-31-001 | DONE (2025-11-12) | Available to Advisory AI; monitor usage. | Excititor WebService Guild | Expose normalized VEX justifications, scope trees, and anchors via `VexObservation` projections so Advisory AI can cite raw evidence without consensus logic. |
 | 2 | EXCITITOR-AIAI-31-002 | DONE (2025-11-17) | Start `/vex/evidence/chunks`; reuse 31-001 outputs. | Excititor WebService Guild | Stream raw statements + signature metadata with tenant/policy filters for RAG clients; aggregation-only, reference observation/linkset IDs. |
 | 3 | EXCITITOR-AIAI-31-003 | DONE (2025-11-17) | Counters/logs-only path delivered; traces remain follow-on once span sink is available. | Excititor WebService Guild · Observability Guild | Instrument evidence APIs with request counters, chunk histograms, signature-failure + AOC guard-violation meters. |
 | 4 | EXCITITOR-AIAI-31-004 | DONE (2025-11-18) | Doc published (`docs/modules/excititor/evidence-contract.md`); traces still gated on span sink but contract delivered | Excititor WebService Guild · Docs Guild | Codify Advisory-AI evidence contract, determinism guarantees, and mapping of observation IDs to storage. |
-| 5 | EXCITITOR-AIRGAP-56-001 | BLOCKED | Waiting on Export Center mirror bundle schema (Sprint 162) to define ingestion shape. | Excititor Core Guild | Mirror-first ingestion that preserves upstream digests, bundle IDs, and provenance for offline parity. |
+| 5 | EXCITITOR-AIRGAP-56-001 | BLOCKED | PREP-EXCITITOR-AIRGAP-56-001-WAITING-ON-EXPOR | Excititor Core Guild | Mirror-first ingestion that preserves upstream digests, bundle IDs, and provenance for offline parity. |
-| 6 | EXCITITOR-AIRGAP-57-001 | BLOCKED | Blocked on 56-001 schema; sealed-mode error catalog pending. | Excititor Core Guild · AirGap Policy Guild | Enforce sealed-mode policies, remediation errors, and staleness annotations surfaced to Advisory AI. |
+| 6 | EXCITITOR-AIRGAP-57-001 | BLOCKED | PREP-EXCITITOR-AIRGAP-57-001-BLOCKED-ON-56-00 | Excititor Core Guild · AirGap Policy Guild | Enforce sealed-mode policies, remediation errors, and staleness annotations surfaced to Advisory AI. |
-| 7 | EXCITITOR-AIRGAP-58-001 | BLOCKED | Depends on 57-001 plus EvidenceLocker portable format (160/161). | Excititor Core Guild · Evidence Locker Guild | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events. |
+| 7 | EXCITITOR-AIRGAP-58-001 | BLOCKED | PREP-EXCITITOR-AIRGAP-58-001-DEPENDS-ON-57-00 | Excititor Core Guild · Evidence Locker Guild | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events. |
 | 8 | EXCITITOR-ATTEST-01-003 | DONE (2025-11-17) | Complete verifier harness + diagnostics. | Excititor Attestation Guild | Finish `IVexAttestationVerifier`, wire structured diagnostics/metrics, and prove DSSE bundle verification without touching consensus results. |
 | 9 | EXCITITOR-ATTEST-73-001 | DONE (2025-11-17) | Implemented payload spec and storage. | Excititor Core · Attestation Payloads Guild | Emit attestation payloads capturing supplier identity, justification summary, and scope metadata for trust chaining. |
 | 10 | EXCITITOR-ATTEST-73-002 | DONE (2025-11-17) | Implemented linkage API. | Excititor Core Guild | Provide APIs linking attestation IDs back to observation/linkset/product tuples for provenance citations without derived verdicts. |
-| 11 | EXCITITOR-CONN-TRUST-01-001 | BLOCKED | Connector signer metadata schema still unpublished post-2025-11-14 review. | Excititor Connectors Guild | Add signer fingerprints, issuer tiers, and bundle references to MSRC/Oracle/Ubuntu/Stella connectors; document consumer guidance. |
+| 11 | EXCITITOR-CONN-TRUST-01-001 | BLOCKED | PREP-EXCITITOR-CONN-TRUST-01-001-CONNECTOR-SI | Excititor Connectors Guild | Add signer fingerprints, issuer tiers, and bundle references to MSRC/Oracle/Ubuntu/Stella connectors; document consumer guidance. |
 
 ### Task Clusters & Readiness
 - **Advisory-AI evidence APIs:** 31-001 delivered; 31-003 instrumentation and 31-004 docs pending; ready to start once examples and telemetry fixtures finalize.
@@ -53,6 +58,8 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Marked PREP tasks P1–P4 BLOCKED: mirror bundle schema (Sprint 162), sealed-mode error catalog, EvidenceLocker portable format, and connector signer metadata remain unpublished, keeping EXCITITOR-AIRGAP-56/57/58 and CONN-TRUST-01-001 gated. | Project Mgmt |
 | 2025-11-12 | Snapshot refreshed; 31-001 marked DONE; other tasks pending observability, AirGap schemas, and attestation verifier completion. | Excititor PM |
 | 2025-11-13 | Added readiness checklists and action tracker; awaiting Export Center mirror schema and Attestor verifier rehearsals. | Excititor PM |
 | 2025-11-13 | OpenAPI draft for 31-004 shared; observability wiring blocked until Ops deploys span sink. | WebService Guild |
@@ -85,6 +92,6 @@
 | 2025-11-17 | Coordinator · WebService/Observability Guilds | Counters/logs-only fallback approved; start 31-003 execution without span sink. | Keep span sink as follow-on milestone. |
 | 2025-11-14 | Connector provenance schema review (Connectors + Security Guilds) | Approve signer fingerprint + issuer tier schema for CONN-TRUST-01-001. | If schema not ready, keep task blocked and request interim metadata list from connectors. |
 | 2025-11-15 | Export Center mirror schema sync (Export Center + Excititor + AirGap) | Receive mirror bundle manifest to unblock 56/57. | If delayed, escalate to Sprint 162 leads and use placeholder spec with clearly marked TODO. |
-| 2025-11-16 | Attestation verifier rehearsal (Excititor Attestation Guild) | Demo `IVexAttestationVerifier` harness + diagnostics to unblock 73-* tasks. | If issues persist, log BLOCKED status in attestation plan and re-forecast completion. |
+| 2025-11-16 | Attestation verifier rehearsal (Excititor Attestation Guild) | Demo `IVexAttestationVerifier` harness + diagnostics to unblock 73-* tasks. | PREP-ATTESTATION-VERIFIER-REHEARSAL-EXCITITOR |
 | 2025-11-18 | Observability span sink deploy (Ops/Signals Guild) | Enable telemetry pipeline needed for 31-003. | If deploy slips, implement temporary counters/logs and keep action tracker flagged as blocked. |
 | 2025-11-19 | Connector metadata inventory (Connectors Guild) | Confirm signer metadata coverage for CONN-TRUST-01-001 rollout. | Fall back to partial coverage with feature flags. |

docs/implplan/SPRINT_0119_0001_0002_excititor_ii.md

@@ -22,34 +22,54 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-EXCITITOR-CONSOLE-23-001-AWAITING-CONCRE | BLOCKED | Due 2025-11-21 · Accountable: Excititor WebService Guild · BE-Base Platform Guild | Excititor WebService Guild · BE-Base Platform Guild | Awaiting concrete `/console/vex` API contract and grouping schema; LNM 21-* view spec not present. <br><br> Document artefact/deliverable for EXCITITOR-CONSOLE-23-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-EXCITITOR-CONSOLE-23-002-DEPENDS-ON-23-0 | BLOCKED | Due 2025-11-21 · Accountable: Excititor WebService Guild | Excititor WebService Guild | Depends on 23-001; need sprint-level contract for counters. <br><br> Document artefact/deliverable for EXCITITOR-CONSOLE-23-002 and publish location so downstream tasks can proceed. |
+| P3 | PREP-EXCITITOR-CONSOLE-23-003-DEPENDS-ON-23-0 | BLOCKED | Due 2025-11-21 · Accountable: Excititor WebService Guild | Excititor WebService Guild | Depends on 23-001; contract for caching/RBAC/precedence context pending. <br><br> Document artefact/deliverable for EXCITITOR-CONSOLE-23-003 and publish location so downstream tasks can proceed. |
+| P4 | PREP-EXCITITOR-CORE-AOC-19-002-LINKSET-EXTRAC | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Linkset extraction rules/ordering not documented. <br><br> Document artefact/deliverable for EXCITITOR-CORE-AOC-19-002 and publish location so downstream tasks can proceed. |
+| P5 | PREP-EXCITITOR-CORE-AOC-19-003-BLOCKED-ON-19 | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Blocked on 19-002; design supersede chains. <br><br> Document artefact/deliverable for EXCITITOR-CORE-AOC-19-003 and publish location so downstream tasks can proceed. |
+| P6 | PREP-EXCITITOR-CORE-AOC-19-004-REMOVE-CONSENS | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Remove consensus after 19-003 in place. <br><br> Document artefact/deliverable for EXCITITOR-CORE-AOC-19-004 and publish location so downstream tasks can proceed. |
+| P7 | PREP-EXCITITOR-CORE-AOC-19-013-SEED-TENANT-AW | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Seed tenant-aware Authority clients in smoke/e2e once 19-004 lands. <br><br> Document artefact/deliverable for EXCITITOR-CORE-AOC-19-013 and publish location so downstream tasks can proceed. |
+| P8 | PREP-EXCITITOR-GRAPH-21-001-NEEDS-CARTOGRAPHE | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core · Cartographer Guild | Excititor Core · Cartographer Guild | Needs Cartographer API contract + data availability. <br><br> Document artefact/deliverable for EXCITITOR-GRAPH-21-001 and publish location so downstream tasks can proceed. |
+| P9 | PREP-EXCITITOR-GRAPH-21-002-BLOCKED-ON-21-001 | BLOCKED | Due 2025-11-21 · Accountable: Excititor Core Guild | Excititor Core Guild | Blocked on 21-001. <br><br> Document artefact/deliverable for EXCITITOR-GRAPH-21-002 and publish location so downstream tasks can proceed. |
+| P10 | PREP-EXCITITOR-GRAPH-21-005-BLOCKED-ON-21-002 | BLOCKED | Due 2025-11-21 · Accountable: Excititor Storage Guild | Excititor Storage Guild | Blocked on 21-002. <br><br> Document artefact/deliverable for EXCITITOR-GRAPH-21-005 and publish location so downstream tasks can proceed. |
+| P11 | PREP-EXCITITOR-GRAPH-24-101-WAIT-FOR-21-005-I | BLOCKED | Due 2025-11-21 · Accountable: Excititor WebService Guild | Excititor WebService Guild | Wait for 21-005 indexes. <br><br> Document artefact/deliverable for EXCITITOR-GRAPH-24-101 and publish location so downstream tasks can proceed. |
+| P12 | PREP-EXCITITOR-GRAPH-24-102-DEPENDS-ON-24-101 | BLOCKED | Due 2025-11-21 · Accountable: Excititor WebService Guild | Excititor WebService Guild | Depends on 24-101; design batch shape. <br><br> Document artefact/deliverable for EXCITITOR-GRAPH-24-102 and publish location so downstream tasks can proceed. |
+| P13 | PREP-FINALIZE-CONSOLE-VEX-CONTRACT-23-001-AND | BLOCKED | Due 2025-11-21 · Accountable: BLOCKED (await contract; LNM view spec needed) | BLOCKED (await contract; LNM view spec needed) | 2025-11-18. <br><br> Document artefact/deliverable for Finalize `/console/vex` contract (23-001) and dashboard deltas (23-002). and publish location so downstream tasks can proceed. |
+| P14 | PREP-LAND-LINKSET-EXTRACTION-RAW-UPSERT-UNIQU | BLOCKED | Due 2025-11-21 · Accountable: BLOCKED (linkset schema pending) | BLOCKED (linkset schema pending) | 2025-11-19. <br><br> Document artefact/deliverable for Land linkset extraction + raw upsert uniqueness (19-002/003). and publish location so downstream tasks can proceed. |
+| P15 | PREP-REMOVE-MERGE-SEVERITY-LOGIC-AFTER-IDEMPO | BLOCKED | Due 2025-11-21 · Accountable: BLOCKED (depends on 19-002/003) | BLOCKED (depends on 19-002/003) | 2025-11-20. <br><br> Document artefact/deliverable for Remove merge/severity logic after idempotency in place (19-004). and publish location so downstream tasks can proceed. |
+| P16 | PREP-ALIGN-INSPECTOR-LINKOUT-SCHEMAS-TO-UNBLO | BLOCKED | Due 2025-11-21 · Accountable: BLOCKED (awaiting Cartographer contract) | BLOCKED (awaiting Cartographer contract) | 2025-11-21. <br><br> Document artefact/deliverable for Align inspector/linkout schemas to unblock 21-001/002/005. and publish location so downstream tasks can proceed. |
+| P17 | PREP-CARTOGRAPHER-SCHEMA-SYNC-MAINTAIN-BLOCKE | BLOCKED | Due 2025-11-21 · Accountable: Planning | Planning | Maintain BLOCKED status; deliver sample payloads for early testing. <br><br> Document artefact/deliverable for Cartographer schema sync and publish location so downstream tasks can proceed. |
 | 1 | EXCITITOR-CONN-SUSE-01-003 | DONE (2025-11-09) | Trust metadata flowing; monitor consumers. | Excititor Connectors – SUSE | Emit provider trust configuration (signer fingerprints, trust tier notes) into raw provenance envelope; aggregation-only. |
 | 2 | EXCITITOR-CONN-UBUNTU-01-003 | DONE (2025-11-09) | Trust metadata flowing; monitor consumers. | Excititor Connectors – Ubuntu | Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) in raw provenance artifacts; aggregation-only. |
-| 3 | EXCITITOR-CONSOLE-23-001 | BLOCKED (2025-11-17) | Awaiting concrete `/console/vex` API contract and grouping schema; LNM 21-* view spec not present. | Excititor WebService Guild · BE-Base Platform Guild | Expose grouped VEX statements with status chips, justification metadata, precedence trace pointers, tenant filters. |
+| 3 | EXCITITOR-CONSOLE-23-001 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CONSOLE-23-001-AWAITING-CONCRE | Excititor WebService Guild · BE-Base Platform Guild | Expose grouped VEX statements with status chips, justification metadata, precedence trace pointers, tenant filters. |
-| 4 | EXCITITOR-CONSOLE-23-002 | BLOCKED (2025-11-17) | Depends on 23-001; need sprint-level contract for counters. | Excititor WebService Guild | Provide aggregated delta counts for overrides; emit metrics for policy explain. |
+| 4 | EXCITITOR-CONSOLE-23-002 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CONSOLE-23-002-DEPENDS-ON-23-0 | Excititor WebService Guild | Provide aggregated delta counts for overrides; emit metrics for policy explain. |
-| 5 | EXCITITOR-CONSOLE-23-003 | BLOCKED (2025-11-17) | Depends on 23-001; contract for caching/RBAC/precedence context pending. | Excititor WebService Guild | Rapid lookup endpoints of VEX by advisory/component incl. provenance + precedence context; caching + RBAC. |
+| 5 | EXCITITOR-CONSOLE-23-003 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CONSOLE-23-003-DEPENDS-ON-23-0 | Excititor WebService Guild | Rapid lookup endpoints of VEX by advisory/component incl. provenance + precedence context; caching + RBAC. |
-| 6 | EXCITITOR-CORE-AOC-19-002 | BLOCKED (2025-11-17) | Linkset extraction rules/ordering not documented. | Excititor Core Guild | Extract advisory IDs, component PURLs, references into linkset with reconciled-from metadata. |
+| 6 | EXCITITOR-CORE-AOC-19-002 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CORE-AOC-19-002-LINKSET-EXTRAC | Excititor Core Guild | Extract advisory IDs, component PURLs, references into linkset with reconciled-from metadata. |
-| 7 | EXCITITOR-CORE-AOC-19-003 | BLOCKED (2025-11-17) | Blocked on 19-002; design supersede chains. | Excititor Core Guild | Enforce uniqueness + append-only versioning of raw VEX docs. |
+| 7 | EXCITITOR-CORE-AOC-19-003 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CORE-AOC-19-003-BLOCKED-ON-19 | Excititor Core Guild | Enforce uniqueness + append-only versioning of raw VEX docs. |
-| 8 | EXCITITOR-CORE-AOC-19-004 | BLOCKED (2025-11-17) | Remove consensus after 19-003 in place. | Excititor Core Guild | Excise consensus/merge/severity logic from ingestion; rely on Policy Engine materializations. |
+| 8 | EXCITITOR-CORE-AOC-19-004 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CORE-AOC-19-004-REMOVE-CONSENS | Excititor Core Guild | Excise consensus/merge/severity logic from ingestion; rely on Policy Engine materializations. |
-| 9 | EXCITITOR-CORE-AOC-19-013 | BLOCKED (2025-11-17) | Seed tenant-aware Authority clients in smoke/e2e once 19-004 lands. | Excititor Core Guild | Ensure cross-tenant ingestion rejected; update tests. |
+| 9 | EXCITITOR-CORE-AOC-19-013 | BLOCKED (2025-11-17) | PREP-EXCITITOR-CORE-AOC-19-013-SEED-TENANT-AW | Excititor Core Guild | Ensure cross-tenant ingestion rejected; update tests. |
-| 10 | EXCITITOR-GRAPH-21-001 | BLOCKED (2025-10-27) | Needs Cartographer API contract + data availability. | Excititor Core · Cartographer Guild | Batched VEX/advisory reference fetches by PURL for inspector linkouts. |
+| 10 | EXCITITOR-GRAPH-21-001 | BLOCKED (2025-10-27) | PREP-EXCITITOR-GRAPH-21-001-NEEDS-CARTOGRAPHE | Excititor Core · Cartographer Guild | Batched VEX/advisory reference fetches by PURL for inspector linkouts. |
-| 11 | EXCITITOR-GRAPH-21-002 | BLOCKED (2025-10-27) | Blocked on 21-001. | Excititor Core Guild | Overlay metadata includes justification summaries + versions; fixtures/tests. |
+| 11 | EXCITITOR-GRAPH-21-002 | BLOCKED (2025-10-27) | PREP-EXCITITOR-GRAPH-21-002-BLOCKED-ON-21-001 | Excititor Core Guild | Overlay metadata includes justification summaries + versions; fixtures/tests. |
-| 12 | EXCITITOR-GRAPH-21-005 | BLOCKED (2025-10-27) | Blocked on 21-002. | Excititor Storage Guild | Indexes/materialized views for VEX lookups by PURL/policy for inspector perf. |
+| 12 | EXCITITOR-GRAPH-21-005 | BLOCKED (2025-10-27) | PREP-EXCITITOR-GRAPH-21-005-BLOCKED-ON-21-002 | Excititor Storage Guild | Indexes/materialized views for VEX lookups by PURL/policy for inspector perf. |
-| 13 | EXCITITOR-GRAPH-24-101 | BLOCKED (2025-11-17) | Wait for 21-005 indexes. | Excititor WebService Guild | VEX status summaries per component/asset for Vuln Explorer. |
+| 13 | EXCITITOR-GRAPH-24-101 | BLOCKED (2025-11-17) | PREP-EXCITITOR-GRAPH-24-101-WAIT-FOR-21-005-I | Excititor WebService Guild | VEX status summaries per component/asset for Vuln Explorer. |
-| 14 | EXCITITOR-GRAPH-24-102 | BLOCKED (2025-11-17) | Depends on 24-101; design batch shape. | Excititor WebService Guild | Batch VEX observation retrieval optimized for Graph overlays/tooltips. |
+| 14 | EXCITITOR-GRAPH-24-102 | BLOCKED (2025-11-17) | PREP-EXCITITOR-GRAPH-24-102-DEPENDS-ON-24-101 | Excititor WebService Guild | Batch VEX observation retrieval optimized for Graph overlays/tooltips. |
 | 15 | EXCITITOR-LNM-21-001 | IN REVIEW (2025-11-14) | Await review sign-off; prep migrations. | Excititor Core Guild | VEX observation model/schema, indexes, determinism rules, AOC metadata (`docs/modules/excititor/vex_observations.md`). |
 | 16 | AGENTS-EXCITITOR-UPDATE | DONE (2025-11-17) | AGENTS.md authored for WebService/Core/Storage/Worker. | Planning / Platform Guild | Author module-level AGENTS.md covering required docs, contracts, and testing for Excititor service components. |
 
 ## Action Tracker
 | Focus | Action | Owner(s) | Due | Status |
 | --- | --- | --- | --- | --- |
-| Console APIs | Finalize `/console/vex` contract (23-001) and dashboard deltas (23-002). | WebService Guild | 2025-11-18 | BLOCKED (await contract; LNM view spec needed) |
+| Console APIs | Finalize `/console/vex` contract (23-001) and dashboard deltas (23-002). | WebService Guild | PREP-FINALIZE-CONSOLE-VEX-CONTRACT-23-001-AND | BLOCKED (await contract; LNM view spec needed) |
-| Ingestion idempotency | Land linkset extraction + raw upsert uniqueness (19-002/003). | Core Guild | 2025-11-19 | BLOCKED (linkset schema pending) |
+| Ingestion idempotency | Land linkset extraction + raw upsert uniqueness (19-002/003). | Core Guild | PREP-LAND-LINKSET-EXTRACTION-RAW-UPSERT-UNIQU | BLOCKED (linkset schema pending) |
-| Consensus removal | Remove merge/severity logic after idempotency in place (19-004). | Core Guild | 2025-11-20 | BLOCKED (depends on 19-002/003) |
+| Consensus removal | Remove merge/severity logic after idempotency in place (19-004). | Core Guild | PREP-REMOVE-MERGE-SEVERITY-LOGIC-AFTER-IDEMPO | BLOCKED (depends on 19-002/003) |
-| Graph overlays | Align inspector/linkout schemas to unblock 21-001/002/005. | Core + Cartographer Guilds | 2025-11-21 | BLOCKED (awaiting Cartographer contract) |
+| Graph overlays | Align inspector/linkout schemas to unblock 21-001/002/005. | Core + Cartographer Guilds | PREP-ALIGN-INSPECTOR-LINKOUT-SCHEMAS-TO-UNBLO | BLOCKED (awaiting Cartographer contract) |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Normalized PREP-EXCITITOR-CORE-AOC-19-003 Task ID (removed trailing hyphen) so dependency resolution works. | Project Mgmt |
+| 2025-11-19 | Marked PREP tasks P1–P17 BLOCKED due to missing console contract (LNM view spec), linkset extraction/idempotency schema, Cartographer API contract, and orchestrator/LNM inputs—keeping Console, AOC-19-002/003/004/013, and GRAPH 21/24 tracks gated. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-09 | Connector SUSE + Ubuntu trust provenance delivered. | Connectors Guild |
 | 2025-11-14 | LNM-21-001 schema in review. | Core Guild |
 | 2025-11-16 | Normalized sprint file to standard template and renamed to SPRINT_0119_0001_0002_excititor_ii.md. | Planning |
@@ -73,4 +93,4 @@
 | --- | --- | --- | --- |
 | 2025-11-18 | Console API review (WebService + BE-Base) | Approve `/console/vex` shape and delta counters. | Ship behind feature flag if minor gaps remain. |
 | 2025-11-19 | Idempotent ingestion design review (Core) | Lock uniqueness + supersede chain plan for 19-002/003. | Use temporary duplicate guard rails until migration complete. |
-| 2025-11-21 | Cartographer schema sync | Unblock GRAPH-21-* inspector/linkout contracts. | Maintain BLOCKED status; deliver sample payloads for early testing. |
+| 2025-11-21 | Cartographer schema sync | Unblock GRAPH-21-* inspector/linkout contracts. | PREP-CARTOGRAPHER-SCHEMA-SYNC-MAINTAIN-BLOCKE |

docs/implplan/SPRINT_0120_0000_0001_policy_reasoning.md

@@ -22,13 +22,11 @@
 | Attestation pointer schema | DRAFT | Needs alignment with NOTIFY-ATTEST-74-001 to reuse DSSE IDs. |
 
 **Cluster snapshot**
-| Cluster | Linked tasks | Owners | Status snapshot | Notes |
+- **Observability & diagnostics** (LEDGER-29-007/008 · Findings Ledger Guild · Observability Guild · QA Guild) — Status TODO. Metric/log spec captured in `docs/modules/findings-ledger/observability.md`; determinism harness spec in `docs/modules/findings-ledger/replay-harness.md`; sequencing documented in `docs/modules/findings-ledger/implementation_plan.md`. Awaiting Observability sign-off + Grafana JSON export (target 2025-11-15).
-| --- | --- | --- | --- | --- |
+- **Deployment & backup** (LEDGER-29-009 · Findings Ledger Guild · DevOps Guild) — Status TODO. Baseline deployment/backup guide published (`docs/modules/findings-ledger/deployment.md`); need Compose/Helm overlays and automated migrations.
-| Observability & diagnostics | LEDGER-29-007/008 | Findings Ledger Guild · Observability Guild · QA Guild | TODO | Metric/log spec captured in `docs/modules/findings-ledger/observability.md`; determinism harness spec in `docs/modules/findings-ledger/replay-harness.md`; sequencing captured in `docs/modules/findings-ledger/implementation_plan.md`; awaiting Observability sign-off + Grafana JSON export (target 2025-11-15). |
+- **Orchestrator provenance** (LEDGER-34-101 · Findings Ledger Guild) — Status TODO. Blocked until Orchestrator exports job ledger payload; coordinate with Sprint 150.A deliverables.
-| Deployment & backup | LEDGER-29-009 | Findings Ledger Guild · DevOps Guild | TODO | Baseline deployment/backup guide published (`docs/modules/findings-ledger/deployment.md`); need to align Compose/Helm overlays + automate migrations. |
+- **Air-gap provenance & staleness** (LEDGER-AIRGAP-56/57/58 · Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild) — Status TODO. Requirements captured in `docs/modules/findings-ledger/airgap-provenance.md`; waiting on mirror bundle schema freeze + AirGap controller inputs.
-| Orchestrator provenance | LEDGER-34-101 | Findings Ledger Guild | TODO | Blocked until Orchestrator exports job ledger payload; coordinate with Sprint 150.A. |
+- **Attestation linkage** (LEDGER-ATTEST-73-001 · Findings Ledger Guild · Attestor Service Guild) — Status TODO. Waiting on attestation payload pointers from NOTIFY-ATTEST-74-001 work to reuse DSSE IDs.
-| Air-gap provenance & staleness | LEDGER-AIRGAP-56/57/58 series | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | TODO | Requirements captured in `docs/modules/findings-ledger/airgap-provenance.md`; blocked on mirror bundle schema freeze + AirGap controller inputs. |
-| Attestation linkage | LEDGER-ATTEST-73-001 | Findings Ledger Guild · Attestor Service Guild | TODO | Waiting on attestation payload pointers from NOTIFY-ATTEST-74-001 work to reuse DSSE IDs. |
 
 ## Documentation Prerequisites
 - `docs/modules/findings-ledger/observability.md`
@@ -41,11 +39,14 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-LEDGER-29-008-AWAIT-OBSERVABILITY-SCHEMA | BLOCKED | Due 2025-11-21 · Accountable: Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Await Observability schema sign-off + ledger write endpoint contract; 5 M fixture drop pending. <br><br> Document artefact/deliverable for LEDGER-29-008 and publish location so downstream tasks can proceed. |
+| P2 | PREP-LEDGER-34-101-ORCHESTRATOR-LEDGER-EXPORT | BLOCKED | Due 2025-11-21 · Accountable: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Orchestrator ledger export contract (Sprint 150.A) not published. <br><br> Document artefact/deliverable for LEDGER-34-101 and publish location so downstream tasks can proceed. |
+| P3 | PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | BLOCKED | Due 2025-11-21 · Accountable: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Mirror bundle schema freeze outstanding. <br><br> Document artefact/deliverable for LEDGER-AIRGAP-56-001 and publish location so downstream tasks can proceed. |
 | 1 | LEDGER-29-007 | DONE (2025-11-17) | Observability metric schema sign-off; deps LEDGER-29-006 | Findings Ledger Guild, Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Instrument `ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`, structured logs, Merkle anchoring alerts, and publish dashboards. |
-| 2 | LEDGER-29-008 | BLOCKED | Await Observability schema sign-off + ledger write endpoint contract; 5 M fixture drop pending | Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5 M findings/tenant. |
+| 2 | LEDGER-29-008 | BLOCKED | PREP-LEDGER-29-008-AWAIT-OBSERVABILITY-SCHEMA | Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5 M findings/tenant. |
 | 3 | LEDGER-29-009 | BLOCKED | Depends on LEDGER-29-008 harness results (5 M replay + observability schema) | Findings Ledger Guild, DevOps Guild / `src/Findings/StellaOps.Findings.Ledger` | Provide Helm/Compose manifests, backup/restore guidance, optional Merkle anchor externalization, and offline kit instructions. |
-| 4 | LEDGER-34-101 | BLOCKED | Orchestrator ledger export contract (Sprint 150.A) not published | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. |
+| 4 | LEDGER-34-101 | BLOCKED | PREP-LEDGER-34-101-ORCHESTRATOR-LEDGER-EXPORT | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. |
-| 5 | LEDGER-AIRGAP-56-001 | BLOCKED | Mirror bundle schema freeze outstanding | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles. |
+| 5 | LEDGER-AIRGAP-56-001 | BLOCKED | PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles. |
 | 6 | LEDGER-AIRGAP-56-002 | BLOCKED | Depends on LEDGER-AIRGAP-56-001 provenance schema | Findings Ledger Guild, AirGap Time Guild / `src/Findings/StellaOps.Findings.Ledger` | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. |
 | 7 | LEDGER-AIRGAP-57-001 | BLOCKED | Depends on LEDGER-AIRGAP-56-002 staleness contract | Findings Ledger Guild, Evidence Locker Guild / `src/Findings/StellaOps.Findings.Ledger` | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works. |
 | 8 | LEDGER-AIRGAP-58-001 | BLOCKED | Depends on LEDGER-AIRGAP-57-001 bundle linkage | Findings Ledger Guild, AirGap Controller Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context. |
@@ -54,8 +55,11 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Marked PREP tasks P1–P3 BLOCKED: observability schema, orchestrator ledger export contract, and mirror bundle schema are still missing, keeping LEDGER-29-008/34-101/AIRGAP-56-* blocked. | Project Mgmt |
 | 2025-11-13 09:30 | Documented Findings.I scope, milestones, and external dependencies; awaiting Observability + Orchestrator inputs before flipping any tasks to DOING. | Findings Ledger Guild |
 | 2025-11-13 10:45 | Published `docs/modules/findings-ledger/observability.md` detailing metrics/logs/alerts required for LEDGER-29-007/008; sent draft to Observability Guild for review. | Findings Ledger Guild |
+| 2025-11-19 09:30 | Reformatted Cluster snapshot into bullet list and confirmed Delivery Tracker already covers LEDGER-AIRGAP dependencies; no scope change. | Project Mgmt |
 | 2025-11-13 11:20 | Added `docs/modules/findings-ledger/deployment.md` covering Compose/Helm rollout, migrations, backup/restore, and offline workflows for LEDGER-29-009. | Findings Ledger Guild |
 | 2025-11-13 11:50 | Added `docs/modules/findings-ledger/replay-harness.md` outlining fixtures, CLI workflow, and reporting for LEDGER-29-008 determinism tests. | Findings Ledger Guild |
 | 2025-11-13 12:05 | Drafted `docs/modules/findings-ledger/implementation_plan.md` summarizing phase sequencing and dependencies for Findings.I. | Findings Ledger Guild |

docs/implplan/SPRINT_0121_0001_0001_policy_reasoning.md

@@ -25,25 +25,36 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-LEDGER-EXPORT-35-001-NO-HTTP-API-SURFACE | TODO | Due 2025-11-22 · Accountable: Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | No HTTP/API surface or contract to host export endpoints; needs API scaffold + filters spec. <br><br> Document artefact/deliverable for LEDGER-EXPORT-35-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-LEDGER-OAS-61-001-ABSENT-OAS-BASELINE-AN | TODO | Due 2025-11-22 · Accountable: Findings Ledger Guild; API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild; API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | Absent OAS baseline and API host for ledger; requires contract definition with API Guild. <br><br> Document artefact/deliverable for LEDGER-OAS-61-001 and publish location so downstream tasks can proceed. |
+| P3 | PREP-LEDGER-OAS-61-002-DEPENDS-ON-61-001-CONT | TODO | Due 2025-11-22 · Accountable: Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Depends on 61-001 contract + HTTP surface. <br><br> Document artefact/deliverable for LEDGER-OAS-61-002 and publish location so downstream tasks can proceed. |
+| P4 | PREP-LEDGER-OAS-62-001-SDK-GENERATION-PENDING | TODO | Due 2025-11-22 · Accountable: Findings Ledger Guild; SDK Generator Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild; SDK Generator Guild / src/Findings/StellaOps.Findings.Ledger | SDK generation pending 61-002. <br><br> Document artefact/deliverable for LEDGER-OAS-62-001 and publish location so downstream tasks can proceed. |
+| P5 | PREP-LEDGER-OAS-63-001-DEPENDENT-ON-SDK-VALID | TODO | Due 2025-11-22 · Accountable: Findings Ledger Guild; API Governance Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild; API Governance Guild / src/Findings/StellaOps.Findings.Ledger | Dependent on SDK validation (62-001). <br><br> Document artefact/deliverable for LEDGER-OAS-63-001 and publish location so downstream tasks can proceed. |
+| P6 | PREP-LEDGER-OBS-54-001-NO-HTTP-SURFACE-MINIMA | TODO | Due 2025-11-22 · Accountable: Findings Ledger Guild; Provenance Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild; Provenance Guild / src/Findings/StellaOps.Findings.Ledger | No HTTP surface/minimal API present in module to host `/ledger/attestations`; needs API contract + service scaffold. <br><br> Document artefact/deliverable for LEDGER-OBS-54-001 and publish location so downstream tasks can proceed. |
+| P7 | PREP-LEDGER-OBS-55-001-DEPENDS-ON-54-001-ATTE | TODO | Due 2025-11-22 · Accountable: Findings Ledger Guild; DevOps Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild; DevOps Guild / src/Findings/StellaOps.Findings.Ledger | Depends on 54-001 attestation API availability. <br><br> Document artefact/deliverable for LEDGER-OBS-55-001 and publish location so downstream tasks can proceed. |
+| P8 | PREP-LEDGER-PACKS-42-001-SNAPSHOT-TIME-TRAVEL | TODO | Due 2025-11-22 · Accountable: Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Snapshot/time-travel contract and bundle format not specified; needs design input. <br><br> Document artefact/deliverable for LEDGER-PACKS-42-001 and publish location so downstream tasks can proceed. |
+| P9 | PREP-LEDGER-RISK-66-001-RISK-ENGINE-SCHEMA-CO | TODO | Due 2025-11-22 · Accountable: Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Risk Engine schema/contract inputs absent; requires risk field definitions + rollout plan. <br><br> Document artefact/deliverable for LEDGER-RISK-66-001 and publish location so downstream tasks can proceed. |
+| P10 | PREP-LEDGER-RISK-66-002-DEPENDS-ON-66-001-MIG | TODO | Due 2025-11-22 · Accountable: Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Depends on 66-001 migration + risk scoring contract. <br><br> Document artefact/deliverable for LEDGER-RISK-66-002 and publish location so downstream tasks can proceed. |
 | 1 | LEDGER-ATTEST-73-002 | BLOCKED | Waiting on LEDGER-ATTEST-73-001 verification pipeline delivery | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Enable search/filter in findings projections by verification result and attestation status |
-| 2 | LEDGER-EXPORT-35-001 | BLOCKED | No HTTP/API surface or contract to host export endpoints; needs API scaffold + filters spec | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings with deterministic ordering and provenance metadata |
+| 2 | LEDGER-EXPORT-35-001 | BLOCKED | PREP-LEDGER-EXPORT-35-001-NO-HTTP-API-SURFACE | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings with deterministic ordering and provenance metadata |
-| 3 | LEDGER-OAS-61-001 | BLOCKED | Absent OAS baseline and API host for ledger; requires contract definition with API Guild | Findings Ledger Guild; API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples |
+| 3 | LEDGER-OAS-61-001 | BLOCKED | PREP-LEDGER-OAS-61-001-ABSENT-OAS-BASELINE-AN | Findings Ledger Guild; API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples |
-| 4 | LEDGER-OAS-61-002 | BLOCKED | Depends on 61-001 contract + HTTP surface | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Implement `/.well-known/openapi` endpoint and ensure version metadata matches release |
+| 4 | LEDGER-OAS-61-002 | BLOCKED | PREP-LEDGER-OAS-61-002-DEPENDS-ON-61-001-CONT | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Implement `/.well-known/openapi` endpoint and ensure version metadata matches release |
-| 5 | LEDGER-OAS-62-001 | BLOCKED | SDK generation pending 61-002 | Findings Ledger Guild; SDK Generator Guild / src/Findings/StellaOps.Findings.Ledger | Provide SDK test cases for findings pagination, filtering, evidence links; ensure typed models expose provenance |
+| 5 | LEDGER-OAS-62-001 | BLOCKED | PREP-LEDGER-OAS-62-001-SDK-GENERATION-PENDING | Findings Ledger Guild; SDK Generator Guild / src/Findings/StellaOps.Findings.Ledger | Provide SDK test cases for findings pagination, filtering, evidence links; ensure typed models expose provenance |
-| 6 | LEDGER-OAS-63-001 | BLOCKED | Dependent on SDK validation (62-001) | Findings Ledger Guild; API Governance Guild / src/Findings/StellaOps.Findings.Ledger | Support deprecation headers and Notifications for retiring finding endpoints |
+| 6 | LEDGER-OAS-63-001 | BLOCKED | PREP-LEDGER-OAS-63-001-DEPENDENT-ON-SDK-VALID | Findings Ledger Guild; API Governance Guild / src/Findings/StellaOps.Findings.Ledger | Support deprecation headers and Notifications for retiring finding endpoints |
 | 7 | LEDGER-OBS-50-001 | DONE | Telemetry core wired into writer/projector; structured logs + spans added | Findings Ledger Guild; Observability Guild / src/Findings/StellaOps.Findings.Ledger | Integrate telemetry core within ledger writer/projector services for append, replay, and query APIs |
 | 8 | LEDGER-OBS-51-001 | DONE | Metrics and SLOs implemented in code + docs | Findings Ledger Guild; DevOps Guild / src/Findings/StellaOps.Findings.Ledger | Publish metrics for ledger latency, projector lag, event throughput, and policy evaluation linkage; SLOs: append P95 < 1s, replay lag < 30s |
 | 9 | LEDGER-OBS-52-001 | DONE | Timeline events emitted for ledger append + projection commit | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Emit timeline events for ledger writes and projector commits (`ledger.event.appended`, `ledger.projection.updated`) with trace ID, policy version, evidence bundle reference placeholders |
 | 10 | LEDGER-OBS-53-001 | DONE | Evidence bundle refs persisted + lookup API | Findings Ledger Guild; Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | Persist evidence bundle references alongside ledger entries; expose lookup linking findings to evidence manifests and timeline |
-| 11 | LEDGER-OBS-54-001 | BLOCKED | No HTTP surface/minimal API present in module to host `/ledger/attestations`; needs API contract + service scaffold | Findings Ledger Guild; Provenance Guild / src/Findings/StellaOps.Findings.Ledger | Verify attestation references for ledger-derived exports; expose `/ledger/attestations` endpoint returning DSSE verification state and chain-of-custody summary |
+| 11 | LEDGER-OBS-54-001 | BLOCKED | PREP-LEDGER-OBS-54-001-NO-HTTP-SURFACE-MINIMA | Findings Ledger Guild; Provenance Guild / src/Findings/StellaOps.Findings.Ledger | Verify attestation references for ledger-derived exports; expose `/ledger/attestations` endpoint returning DSSE verification state and chain-of-custody summary |
-| 12 | LEDGER-OBS-55-001 | BLOCKED | Depends on 54-001 attestation API availability | Findings Ledger Guild; DevOps Guild / src/Findings/StellaOps.Findings.Ledger | Enhance incident mode to record replay diagnostics (lag traces, conflict snapshots), extend retention while active, and emit activation events to timeline/notifier |
+| 12 | LEDGER-OBS-55-001 | BLOCKED | PREP-LEDGER-OBS-55-001-DEPENDS-ON-54-001-ATTE | Findings Ledger Guild; DevOps Guild / src/Findings/StellaOps.Findings.Ledger | Enhance incident mode to record replay diagnostics (lag traces, conflict snapshots), extend retention while active, and emit activation events to timeline/notifier |
-| 13 | LEDGER-PACKS-42-001 | BLOCKED | Snapshot/time-travel contract and bundle format not specified; needs design input | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Provide snapshot/time-travel APIs and digestible exports for task pack simulation and CLI offline mode |
+| 13 | LEDGER-PACKS-42-001 | BLOCKED | PREP-LEDGER-PACKS-42-001-SNAPSHOT-TIME-TRAVEL | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Provide snapshot/time-travel APIs and digestible exports for task pack simulation and CLI offline mode |
-| 14 | LEDGER-RISK-66-001 | BLOCKED | Risk Engine schema/contract inputs absent; requires risk field definitions + rollout plan | Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Add schema migrations for `risk_score`, `risk_severity`, `profile_version`, `explanation_id`, and supporting indexes |
+| 14 | LEDGER-RISK-66-001 | BLOCKED | PREP-LEDGER-RISK-66-001-RISK-ENGINE-SCHEMA-CO | Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Add schema migrations for `risk_score`, `risk_severity`, `profile_version`, `explanation_id`, and supporting indexes |
-| 15 | LEDGER-RISK-66-002 | BLOCKED | Depends on 66-001 migration + risk scoring contract | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Implement deterministic upsert of scoring results keyed by finding hash/profile version with history audit |
+| 15 | LEDGER-RISK-66-002 | BLOCKED | PREP-LEDGER-RISK-66-002-DEPENDS-ON-66-001-MIG | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Implement deterministic upsert of scoring results keyed by finding hash/profile version with history audit |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-08 | Sprint stub created; awaiting template normalisation. | Planning |
 | 2025-11-17 | Normalised sprint to standard template and renamed file to `SPRINT_0121_0001_0001_policy_reasoning.md`. | Project Mgmt |
 | 2025-11-17 | Implemented LEDGER-OBS-50-001: telemetry core spans/scopes/logs for ledger append and projection paths added. | Findings Ledger |

docs/implplan/SPRINT_0122_0001_0001_policy_reasoning.md

@@ -24,14 +24,18 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-LEDGER-RISK-68-001-AWAIT-UNBLOCK-OF-67-0 | TODO | Due 2025-11-22 · Accountable: Findings Ledger Guild · Export Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild · Export Guild / `src/Findings/StellaOps.Findings.Ledger` | Await unblock of 67-001 + Export Center contract for scored findings. <br><br> Document artefact/deliverable for LEDGER-RISK-68-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-LEDGER-RISK-69-001-REQUIRES-67-001-68-00 | TODO | Due 2025-11-22 · Accountable: Findings Ledger Guild · Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild · Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Requires 67-001/68-001 to define metrics dimensions. <br><br> Document artefact/deliverable for LEDGER-RISK-69-001 and publish location so downstream tasks can proceed. |
+| P3 | PREP-LEDGER-TEN-48-001-NEEDS-PLATFORM-APPROVE | TODO | Due 2025-11-22 · Accountable: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Needs platform-approved partitioning + RLS policy (tenant/project shape, session variables). <br><br> Document artefact/deliverable for LEDGER-TEN-48-001 and publish location so downstream tasks can proceed. |
 | 1 | LEDGER-RISK-67-001 | BLOCKED | Depends on risk scoring contract + migrations from LEDGER-RISK-66-002 | Findings Ledger Guild · Risk Engine Guild / `src/Findings/StellaOps.Findings.Ledger` | Expose query APIs for scored findings with score/severity filters, pagination, and explainability links |
-| 2 | LEDGER-RISK-68-001 | BLOCKED | Await unblock of 67-001 + Export Center contract for scored findings | Findings Ledger Guild · Export Guild / `src/Findings/StellaOps.Findings.Ledger` | Enable export of scored findings and simulation results via Export Center integration |
+| 2 | LEDGER-RISK-68-001 | BLOCKED | PREP-LEDGER-RISK-68-001-AWAIT-UNBLOCK-OF-67-0 | Findings Ledger Guild · Export Guild / `src/Findings/StellaOps.Findings.Ledger` | Enable export of scored findings and simulation results via Export Center integration |
-| 3 | LEDGER-RISK-69-001 | BLOCKED | Requires 67-001/68-001 to define metrics dimensions | Findings Ledger Guild · Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit metrics/dashboards for scoring latency, result freshness, severity distribution, provider gaps |
+| 3 | LEDGER-RISK-69-001 | BLOCKED | PREP-LEDGER-RISK-69-001-REQUIRES-67-001-68-00 | Findings Ledger Guild · Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit metrics/dashboards for scoring latency, result freshness, severity distribution, provider gaps |
-| 4 | LEDGER-TEN-48-001 | BLOCKED | Needs platform-approved partitioning + RLS policy (tenant/project shape, session variables) | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Partition ledger tables by tenant/project, enable RLS, update queries/events, and stamp audit metadata |
+| 4 | LEDGER-TEN-48-001 | BLOCKED | PREP-LEDGER-TEN-48-001-NEEDS-PLATFORM-APPROVE | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Partition ledger tables by tenant/project, enable RLS, update queries/events, and stamp audit metadata |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-18 | Renamed file to `SPRINT_0122_0001_0001_policy_reasoning.md` and normalised to standard template; no scope changes. | Findings Ledger |
 | 2025-11-18 | Set LEDGER-RISK-67-001/68-001/69-001 to BLOCKED pending risk-scoring contract (66-002) and export metrics dimensions. | Findings Ledger |
 | 2025-11-18 | Set LEDGER-TEN-48-001 to BLOCKED pending DB partition/RLS design (tenant+project keys, session variables) from Platform/DB guild. | Findings Ledger |

docs/implplan/SPRINT_0123_0001_0001_policy_reasoning.md

@@ -0,0 +1,74 @@
+# Sprint 0123-0001-0001 · Policy & Reasoning (Policy Engine)
+
+## Topic & Scope
+- Extend Policy Engine with export, air-gap, AOC linting, and attestation surfaces while keeping evidence aggregation-only.
+- Ensure Console export and air-gap bundles depend on frozen bundle/DSSE schemas before implementation.
+- Align policy attestation and linting with Authority/Attestor/Console contracts; avoid inferred verdicts.
+- **Working directory:** `src/Policy/StellaOps.Policy.Engine` (and `src/Policy/__Libraries/StellaOps.Policy`).
+
+## Dependencies & Concurrency
+- Upstream: Export bundle schema + scheduler job spec; mirror bundle/air-gap schema and sealed-mode rules; Attestor verification policy schema; Authority `effective:write` contract; Console API filters/pagination spec.
+- Concurrency: Execute tasks in table order (DOING → TODO → BLOCKED). All tasks currently blocked pending upstream contracts; no parallel execution until contracts land.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/policy/architecture.md`
+- Any export/air-gap/attestation contract docs once published.
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Scheduler Guild · Observability Guild | Policy Guild · Scheduler Guild · Observability Guild | Missing export bundle contract/API surface and scheduler job spec for Console. <br><br> Document artefact/deliverable for EXPORT-CONSOLE-23-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild | Policy Guild | Mirror bundle schema not published; requires bundle_id/provenance fields + sealed-mode rules. <br><br> Document artefact/deliverable for POLICY-AIRGAP-56-001 and publish location so downstream tasks can proceed. |
+| P3 | PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Policy Studio Guild | Policy Guild · Policy Studio Guild | Depends on 56-001 bundle import schema + DSSE signing profile. <br><br> Document artefact/deliverable for POLICY-AIRGAP-56-002 and publish location so downstream tasks can proceed. |
+| P4 | PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · AirGap Policy Guild | Policy Guild · AirGap Policy Guild | Requires sealed-mode contract after 56-002. <br><br> Document artefact/deliverable for POLICY-AIRGAP-57-001 and publish location so downstream tasks can proceed. |
+| P5 | PREP-POLICY-AIRGAP-57-002-NEEDS-STALENESS-FAL | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · AirGap Time Guild | Policy Guild · AirGap Time Guild | Needs staleness/fallback data contract from 57-001. <br><br> Document artefact/deliverable for POLICY-AIRGAP-57-002 and publish location so downstream tasks can proceed. |
+| P6 | PREP-POLICY-AIRGAP-58-001-NOTIFICATION-SCHEMA | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Notifications Guild | Policy Guild · Notifications Guild | Notification schema and staleness signals pending from 57-002. <br><br> Document artefact/deliverable for POLICY-AIRGAP-58-001 and publish location so downstream tasks can proceed. |
+| P7 | PREP-POLICY-AOC-19-001-LINTING-TARGETS-SPEC-A | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild | Policy Guild | Linting targets/spec absent; no analyzer contract. <br><br> Document artefact/deliverable for POLICY-AOC-19-001 and publish location so downstream tasks can proceed. |
+| P8 | PREP-POLICY-AOC-19-002-DEPENDS-ON-19-001-LINT | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Platform Security | Policy Guild · Platform Security | Depends on 19-001 lint + Authority `effective:write` contract. <br><br> Document artefact/deliverable for POLICY-AOC-19-002 and publish location so downstream tasks can proceed. |
+| P9 | PREP-POLICY-AOC-19-003-REQUIRES-POST-19-002-N | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild | Policy Guild | Requires post-19-002 normalized-field removal contract/fixtures. <br><br> Document artefact/deliverable for POLICY-AOC-19-003 and publish location so downstream tasks can proceed. |
+| P10 | PREP-POLICY-AOC-19-004-DEPENDS-ON-19-003-SHAP | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · QA Guild | Policy Guild · QA Guild | Depends on 19-003 shape + determinism fixtures. <br><br> Document artefact/deliverable for POLICY-AOC-19-004 and publish location so downstream tasks can proceed. |
+| P11 | PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Attestor Service Guild | Policy Guild · Attestor Service Guild | VerificationPolicy schema/persistence contract missing; Attestor alignment needed. <br><br> Document artefact/deliverable for POLICY-ATTEST-73-001 and publish location so downstream tasks can proceed. |
+| P12 | PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild | Policy Guild | Depends on 73-001 editor DTOs/validation schema. <br><br> Document artefact/deliverable for POLICY-ATTEST-73-002 and publish location so downstream tasks can proceed. |
+| P13 | PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-ATT | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Attestor Service Guild | Policy Guild · Attestor Service Guild | Requires 73-002 + Attestor pipeline contract. <br><br> Document artefact/deliverable for POLICY-ATTEST-74-001 and publish location so downstream tasks can proceed. |
+| P14 | PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · Console Guild | Policy Guild · Console Guild | Needs 74-001 surfaced in Console verification reports contract. <br><br> Document artefact/deliverable for POLICY-ATTEST-74-002 and publish location so downstream tasks can proceed. |
+| P15 | PREP-POLICY-CONSOLE-23-001-CONSOLE-API-CONTRA | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild · BE-Base Platform Guild | Policy Guild · BE-Base Platform Guild | Console API contract (filters/pagination/aggregation) absent. <br><br> Document artefact/deliverable for POLICY-CONSOLE-23-001 and publish location so downstream tasks can proceed. |
+| 1 | EXPORT-CONSOLE-23-001 | BLOCKED | PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN | Policy Guild · Scheduler Guild · Observability Guild | Implement Console export endpoints/jobs once schema + job wiring are defined. |
+| 2 | POLICY-AIRGAP-56-001 | BLOCKED | PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | Policy Guild | Air-gap bundle import support for policy packs. |
+| 3 | POLICY-AIRGAP-56-002 | BLOCKED | PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B | Policy Guild · Policy Studio Guild | Air-gap sealed-mode handling for policy packs. |
+| 4 | POLICY-AIRGAP-57-001 | BLOCKED | PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD | Policy Guild · AirGap Policy Guild | Sealed-mode error handling for policy packs. |
+| 5 | POLICY-AIRGAP-57-002 | BLOCKED | PREP-POLICY-AIRGAP-57-002-NEEDS-STALENESS-FAL | Policy Guild · AirGap Time Guild | Staleness/fallback signaling for policy packs. |
+| 6 | POLICY-AIRGAP-58-001 | BLOCKED | PREP-POLICY-AIRGAP-58-001-NOTIFICATION-SCHEMA | Policy Guild · Notifications Guild | Notifications for air-gap policy pack changes. |
+| 7 | POLICY-AOC-19-001 | BLOCKED | PREP-POLICY-AOC-19-001-LINTING-TARGETS-SPEC-A | Policy Guild | Implement linting for ingestion projects/helpers. |
+| 8 | POLICY-AOC-19-002 | BLOCKED | PREP-POLICY-AOC-19-002-DEPENDS-ON-19-001-LINT | Policy Guild · Platform Security | Enforce `effective:write` gate. |
+| 9 | POLICY-AOC-19-003 | BLOCKED | PREP-POLICY-AOC-19-003-REQUIRES-POST-19-002-N | Policy Guild | Remove normalized fields per contract. |
+| 10 | POLICY-AOC-19-004 | BLOCKED | PREP-POLICY-AOC-19-004-DEPENDS-ON-19-003-SHAP | Policy Guild · QA Guild | Determinism/fixtures for normalized-field removal. |
+| 11 | POLICY-ATTEST-73-001 | BLOCKED | PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY | Policy Guild · Attestor Service Guild | Persist verification policy schema. |
+| 12 | POLICY-ATTEST-73-002 | BLOCKED | PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E | Policy Guild | Editor DTOs/validation for verification policy. |
+| 13 | POLICY-ATTEST-74-001 | BLOCKED | PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-ATT | Policy Guild · Attestor Service Guild | Surface attestation reports. |
+| 14 | POLICY-ATTEST-74-002 | BLOCKED | PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC | Policy Guild · Console Guild | Console report integration. |
+| 15 | POLICY-CONSOLE-23-001 | BLOCKED | PREP-POLICY-CONSOLE-23-001-CONSOLE-API-CONTRA | Policy Guild · BE-Base Platform Guild | Expose policy data to Console once API spec lands. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Removed trailing hyphen from PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY so dependent task resolves correctly. | Project Mgmt |
+| 2025-11-19 | Marked PREP tasks P1–P15 BLOCKED: export bundle schema, mirror/air-gap schemas, lint targets, attestation verification schemas, and Console API contract remain unpublished, keeping downstream POLICY/ATTEST/AIRGAP/CONSOLE work gated. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-08 | Sprint created; awaiting staffing. | Planning |
+| 2025-11-18 | Attempted EXPORT-CONSOLE-23-001; blocked due to missing export bundle/schema and scheduler job contract. Marked all tasks BLOCKED pending lint/airgap/attest/Console contracts. | Policy Guild |
+| 2025-11-19 | Converted legacy file `SPRINT_123_policy_reasoning.md` into redirect stub pointing here to avoid divergent updates. | Implementer |
+| 2025-11-19 | Normalised sprint to standard template and renamed from `SPRINT_123_policy_reasoning.md` to `SPRINT_0123_0001_0001_policy_reasoning.md`; content preserved; all tasks remain BLOCKED. | Implementer |
+
+## Decisions & Risks
+- Export/air-gap remain blocked without bundle schema, sealed-mode rules, and scheduler contracts; cannot proceed until provided.
+- Linting (AOC-19-001..004) blocked pending analyzer targets/spec and Authority gate contract.
+- Attestation tasks (73/74) blocked pending Attestor verification policy schema and Console report contract.
+- Console export and policy API tasks blocked without Console API contract.
+
+## Next Checkpoints
+- Draft export surface proposal for Console (API + scheduler wiring) once bundle schema is published.
+- Identify bundle schema dependencies for POLICY-AIRGAP-56-* once mirror schema freezes.
+- Re-evaluate lint/attest tasks after respective contracts are delivered (dates TBD).

docs/implplan/SPRINT_0124_0001_0001_policy_reasoning.md

@@ -0,0 +1,51 @@
+# Sprint 0124-0001-0001 · Policy & Reasoning (Policy Engine phase II)
+
+## Topic & Scope
+- Continue Policy Engine core (Policy.II): deterministic evaluator, materialization, simulation, tracing, and storage.
+- Ensure aggregation-only behavior; no wall-clock/RNG/network use during evaluation.
+- **Working directory:** `src/Policy/StellaOps.Policy.Engine` (and `src/Policy/__Libraries/StellaOps.Policy`).
+
+## Dependencies & Concurrency
+- Upstream: Sprint 120.C Policy.I must land before this track.
+- Concurrency: execute tasks in listed order (DOING → TODO → BLOCKED).
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/policy/architecture.md`
+
+## Delivery Tracker
+| # | Task ID & handle | State | Key dependency / next step | Owners |
+| --- | --- | --- | --- | --- |
+| P1 | PREP-POLICY-ENGINE-20-002-DETERMINISTIC-EVALU | TODO | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Deterministic evaluator spec missing. <br><br> Document artefact/deliverable for POLICY-ENGINE-20-002 and publish location so downstream tasks can proceed. |
+| 1 | POLICY-CONSOLE-23-002 | TODO | Produce simulation diff metadata and approval endpoints for Console (deps: POLICY-CONSOLE-23-001). | Policy Guild, Product Ops / `src/Policy/StellaOps.Policy.Engine` |
+| 2 | POLICY-ENGINE-20-002 | BLOCKED (2025-10-26) | PREP-POLICY-ENGINE-20-002-DETERMINISTIC-EVALU | Policy Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 3 | POLICY-ENGINE-20-003 | TODO | Depends on 20-002. | Policy · Concelier · Excititor Guilds / `src/Policy/StellaOps.Policy.Engine` |
+| 4 | POLICY-ENGINE-20-004 | TODO | Depends on 20-003. | Policy · Platform Storage Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 5 | POLICY-ENGINE-20-005 | TODO | Depends on 20-004. | Policy · Security Engineering / `src/Policy/StellaOps.Policy.Engine` |
+| 6 | POLICY-ENGINE-20-006 | TODO | Depends on 20-005. | Policy · Scheduler Worker Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 7 | POLICY-ENGINE-20-007 | TODO | Depends on 20-006. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 8 | POLICY-ENGINE-20-008 | TODO | Depends on 20-007. | Policy · QA Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 9 | POLICY-ENGINE-20-009 | TODO | Depends on 20-008. | Policy · Storage Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 10 | POLICY-ENGINE-27-001 | TODO | Depends on 20-009. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 11 | POLICY-ENGINE-27-002 | TODO | Depends on 27-001. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 12 | POLICY-ENGINE-29-001 | TODO | Depends on 27-004. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` |
+| 13 | POLICY-ENGINE-29-002 | TODO | Depends on 29-001. | Policy · Findings Ledger Guild / `src/Policy/StellaOps.Policy.Engine` |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-08 | Sprint stub; awaiting staffing. | Planning |
+| 2025-11-18 | All tasks still awaiting upstream evaluator specs; no progress. | Policy Guild |
+| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_124_policy_reasoning.md` to `SPRINT_0124_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
+
+## Decisions & Risks
+- Deterministic evaluator contract missing (blocks 20-002 and downstream chain).
+- Console simulation/export contract (POLICY-CONSOLE-23-001) required to unblock 23-002.
+- Storage/index schemas TBD; avoid implementation until specs freeze.
+
+## Next Checkpoints
+- Publish deterministic evaluator spec for 20-002 (date TBD).
+- Provide Console export/simulation contract for 23-001 to unblock 23-002.

docs/implplan/SPRINT_0125_0001_0001_mirror.md

@@ -20,7 +20,10 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | MIRROR-CRT-56-001 | BLOCKED | Upstream Sprint 110.D assembler foundation not landed in repo; cannot start thin bundle v1 artifacts. | Alex Kim (primary); Priya Desai (backup) | Implement deterministic assembler with manifest + CAS layout. |
+| P0 | PREP-MIRROR-CRT-56-001-MILESTONE-0-PUBLISH | DONE (2025-11-19) | Due 2025-11-20 · Accountable: Mirror Creator Guild | Mirror Creator Guild | Published milestone-0 thin bundle plan + sample at `out/mirror/thin/mirror-thin-m0-sample.tar.gz` with SHA256 `bd1013885a27f651e28331c7a240d417d265bd411d09b51b47bd7c2196659674` and layout note in `docs/modules/mirror/milestone-0-thin-bundle.md`. |
+| P1 | PREP-MIRROR-CRT-56-001-UPSTREAM-SPRINT-110-D | TODO | Due 2025-11-22 · Accountable: Alex Kim (primary); Priya Desai (backup) | Alex Kim (primary); Priya Desai (backup) | Upstream Sprint 110.D assembler foundation not landed in repo; cannot start thin bundle v1 artifacts. <br><br> Document artefact/deliverable for MIRROR-CRT-56-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-MIRROR-CRT-56-001-ASSEMBLER-HANDOFF | DONE (2025-11-19) | Due 2025-11-22 · Accountable: Mirror Creator Guild | Mirror Creator Guild | Handoff expectations for thin bundle assembler published at `docs/modules/mirror/thin-bundle-assembler.md` (tar layout, manifest fields, determinism rules, hashes). |
+| 1 | MIRROR-CRT-56-001 | BLOCKED | PREP-MIRROR-CRT-56-001-UPSTREAM-SPRINT-110-D | Alex Kim (primary); Priya Desai (backup) | Implement deterministic assembler with manifest + CAS layout. |
 | 2 | MIRROR-CRT-56-002 | BLOCKED | Depends on MIRROR-CRT-56-001 and PROV-OBS-53-001; upstream assembler missing. | Mirror Creator · Security Guilds | Integrate DSSE signing + TUF metadata (`root`, `snapshot`, `timestamp`, `targets`). |
 | 3 | MIRROR-CRT-57-001 | BLOCKED | Requires MIRROR-CRT-56-001; assembler foundation missing. | Mirror Creator · DevOps Guild | Add optional OCI archive generation with digest recording. |
 | 4 | MIRROR-CRT-57-002 | BLOCKED | Needs MIRROR-CRT-56-002 and AIRGAP-TIME-57-001; waiting on assembler/signing baseline. | Mirror Creator · AirGap Time Guild | Embed signed time-anchor metadata. |
@@ -34,6 +37,10 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Cleared stray hyphen from PREP-MIRROR-CRT-56-001-UPSTREAM-SPRINT-110-D so MIRROR-CRT-56-001 dependency is resolvable. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Completed PREP-MIRROR-CRT-56-001-MILESTONE-0-PUBLISH: published sample thin bundle + hashes and milestone note (`docs/modules/mirror/milestone-0-thin-bundle.md`). | Implementer |
+| 2025-11-19 | Added PREP-MIRROR-CRT-56-001-MILESTONE-0-PUBLISH (DOING) to capture milestone-0 thin bundle plan and hashes to unblock downstream air-gap/console/attestation tracks. | Project Mgmt |
 | 2025-11-17 | All sprint tasks marked BLOCKED: upstream Sprint 110.D assembler foundation absent from repo; no manifest/CAS layout or samples present to proceed. | Implementer |
 | 2025-11-17 | Normalised sprint file to standard template; renamed from `SPRINT_125_mirror.md` to `SPRINT_0125_0001_0001_mirror.md`; no semantic task changes. | Project Management |
 | 2025-11-17 | Coordinator decision: assign primary + backup for MIRROR-CRT-56-001; scope thin bundle v1; downstream tasks may proceed once schema + sample bundle land. | Coordinator |

docs/implplan/SPRINT_0125_0001_0001_policy_reasoning.md

@@ -0,0 +1,68 @@
+# Sprint 0125-0001-0001 · Policy & Reasoning (Policy Engine phase III)
+
+## Topic & Scope
+- Policy Engine simulations/overlays chain (Policy.III): path/scope awareness, metrics, overlays, orchestration, ledger export, snapshot, violation events, severity fusion.
+- **Working directory:** `src/Policy/StellaOps.Policy.Engine`.
+
+## Dependencies & Concurrency
+- Upstream: POLICY-ENGINE-29-002 contract/schema required; execute tasks in listed order.
+- Concurrency: All current tasks blocked by missing 29-002 path/scope schema.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/policy/architecture.md`
+
+## Delivery Tracker
+| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P0 | PREP-POLICY-ENGINE-29-002-PATH-SCOPE-SCHEMA | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Publish POLICY-ENGINE-29-002 path/scope schema + sample payloads so downstream evaluation tasks can start. |
+| P1 | PREP-POLICY-ENGINE-29-004-DEPENDS-ON-29-003 | BLOCKED | Due 2025-11-22 · Accountable: Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 29-003. <br><br> Document artefact/deliverable for POLICY-ENGINE-29-004 and publish location so downstream tasks can proceed. |
+| P2 | PREP-POLICY-ENGINE-30-001-NEEDS-29-004-OUTPUT | BLOCKED | Due 2025-11-22 · Accountable: Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Needs 29-004 outputs. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-001 and publish location so downstream tasks can proceed. |
+| P3 | PREP-POLICY-ENGINE-30-002-DEPENDS-ON-30-001 | BLOCKED | Due 2025-11-22 · Accountable: Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 30-001. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-002 and publish location so downstream tasks can proceed. |
+| P4 | PREP-POLICY-ENGINE-30-003-DEPENDS-ON-30-002 | BLOCKED | Due 2025-11-22 · Accountable: Policy · Scheduler Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Scheduler Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 30-002. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-003 and publish location so downstream tasks can proceed. |
+| P5 | PREP-POLICY-ENGINE-30-101-DEPENDS-ON-30-003 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 30-003. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-101 and publish location so downstream tasks can proceed. |
+| P6 | PREP-POLICY-ENGINE-31-001-DEPENDS-ON-30-101 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 30-101. <br><br> Document artefact/deliverable for POLICY-ENGINE-31-001 and publish location so downstream tasks can proceed. |
+| P7 | PREP-POLICY-ENGINE-31-002-DEPENDS-ON-31-001 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 31-001. <br><br> Document artefact/deliverable for POLICY-ENGINE-31-002 and publish location so downstream tasks can proceed. |
+| P8 | PREP-POLICY-ENGINE-32-101-DEPENDS-ON-31-002 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 31-002. <br><br> Document artefact/deliverable for POLICY-ENGINE-32-101 and publish location so downstream tasks can proceed. |
+| P9 | PREP-POLICY-ENGINE-33-101-DEPENDS-ON-32-101 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 32-101. <br><br> Document artefact/deliverable for POLICY-ENGINE-33-101 and publish location so downstream tasks can proceed. |
+| P10 | PREP-POLICY-ENGINE-34-101-DEPENDS-ON-33-101 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 33-101. <br><br> Document artefact/deliverable for POLICY-ENGINE-34-101 and publish location so downstream tasks can proceed. |
+| P11 | PREP-POLICY-ENGINE-35-201-DEPENDS-ON-34-101 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 34-101. <br><br> Document artefact/deliverable for POLICY-ENGINE-35-201 and publish location so downstream tasks can proceed. |
+| P12 | PREP-POLICY-ENGINE-38-201-DEPENDS-ON-35-201 | BLOCKED | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 35-201. <br><br> Document artefact/deliverable for POLICY-ENGINE-38-201 and publish location so downstream tasks can proceed. |
+| P13 | PREP-POLICY-ENGINE-40-001-DEPENDS-ON-38-201 | BLOCKED | Due 2025-11-22 · Accountable: Policy · Concelier Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Concelier Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 38-201. <br><br> Document artefact/deliverable for POLICY-ENGINE-40-001 and publish location so downstream tasks can proceed. |
+| P14 | PREP-POLICY-ENGINE-40-002-DEPENDS-ON-40-001 | BLOCKED | Due 2025-11-22 · Accountable: Policy · Excititor Guild / `src/Policy/StellaOps.Policy.Engine` | Policy · Excititor Guild / `src/Policy/StellaOps.Policy.Engine` | Depends on 40-001. <br><br> Document artefact/deliverable for POLICY-ENGINE-40-002 and publish location so downstream tasks can proceed. |
+| 1 | POLICY-ENGINE-29-003 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-29-002-PATH-SCOPE-SCHEMA. | Policy · SBOM Service Guild / `src/Policy/StellaOps.Policy.Engine` | Path/scope aware evaluation. |
+| 2 | POLICY-ENGINE-29-004 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-29-004-DEPENDS-ON-29-003 | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Metrics/logging for path-aware eval. |
+| 3 | POLICY-ENGINE-30-001 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-001-NEEDS-29-004-OUTPUT | Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Overlay projection contract. |
+| 4 | POLICY-ENGINE-30-002 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-002-DEPENDS-ON-30-001 | Policy · Cartographer Guild / `src/Policy/StellaOps.Policy.Engine` | Simulation bridge. |
+| 5 | POLICY-ENGINE-30-003 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-003-DEPENDS-ON-30-002 | Policy · Scheduler Guild / `src/Policy/StellaOps.Policy.Engine` | Change events. |
+| 6 | POLICY-ENGINE-30-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-101-DEPENDS-ON-30-003 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Trust weighting UI/API. |
+| 7 | POLICY-ENGINE-31-001 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-31-001-DEPENDS-ON-30-101 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Advisory AI knobs. |
+| 8 | POLICY-ENGINE-31-002 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-31-002-DEPENDS-ON-31-001 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Batch context endpoint. |
+| 9 | POLICY-ENGINE-32-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-32-101-DEPENDS-ON-31-002 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Orchestrator job schema. |
+| 10 | POLICY-ENGINE-33-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-33-101-DEPENDS-ON-32-101 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Worker implementation. |
+| 11 | POLICY-ENGINE-34-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-34-101-DEPENDS-ON-33-101 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Ledger export. |
+| 12 | POLICY-ENGINE-35-201 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-35-201-DEPENDS-ON-34-101 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Snapshot API. |
+| 13 | POLICY-ENGINE-38-201 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-38-201-DEPENDS-ON-35-201 | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Violation events. |
+| 14 | POLICY-ENGINE-40-001 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-40-001-DEPENDS-ON-38-201 | Policy · Concelier Guild / `src/Policy/StellaOps.Policy.Engine` | Severity fusion. |
+| 15 | POLICY-ENGINE-40-002 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-40-002-DEPENDS-ON-40-001 | Policy · Excititor Guild / `src/Policy/StellaOps.Policy.Engine` | Conflict handling. |
+
+## Notes & Risks
+- POLICY-ENGINE-29-002 contract/schema missing; cascades block entire chain (1–15). Need published schema + sample payloads to proceed.
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Added PREP-POLICY-ENGINE-29-002-PATH-SCOPE-SCHEMA and pointed POLICY-ENGINE-29-003 dependency at it. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Marked PREP tasks P0–P14 BLOCKED: base path/scope schema (29-002) and downstream evaluation/observability/overlay/export contracts are still missing, keeping the entire POLICY-ENGINE chain blocked. | Project Mgmt |
+| 2025-11-08 | Sprint created; awaiting upstream contract. | Planning |
+| 2025-11-18 | Re-confirmed all tasks blocked; upstream schema still absent. | Policy Guild |
+| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_125_policy_reasoning.md` to `SPRINT_0125_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
+
+## Decisions & Risks
+- Blocked until POLICY-ENGINE-29-002 contract drops.
+
+## Next Checkpoints
+- Publish POLICY-ENGINE-29-002 path/scope schema (date TBD).

docs/implplan/SPRINT_0126_0001_0001_policy_reasoning.md

@@ -0,0 +1,48 @@
+# Sprint 0126-0001-0001 · Policy & Reasoning (Policy Engine phase IV)
+
+## Topic & Scope
+- Policy Engine IV: SPL compiler/evaluator pipeline, events, storage, exceptions, reachability/exploitability integration.
+- **Working directory:** `src/Policy/StellaOps.Policy.Engine` (and `src/Policy/__Libraries/StellaOps.Policy`).
+
+## Dependencies & Concurrency
+- Upstream: Sprint 120.C Policy.III must land.
+- Concurrency: execute tasks in listed order; all currently TODO.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/policy/architecture.md`
+
+## Delivery Tracker
+| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | POLICY-ENGINE-40-003 | TODO | Depends on 40-002. | Policy · Web Scanner Guild / `src/Policy/StellaOps.Policy.Engine` | API/SDK utilities with evidence summaries. |
+| 2 | POLICY-ENGINE-50-001 | TODO | Depends on 40-003. | Policy · Platform Security / `src/Policy/StellaOps.Policy.Engine` | SPL compiler, signed bundle, storage. |
+| 3 | POLICY-ENGINE-50-002 | TODO | Depends on 50-001. | Policy · Runtime Guild / `src/Policy/StellaOps.Policy.Engine` | Runtime evaluator with deterministic caching. |
+| 4 | POLICY-ENGINE-50-003 | TODO | Depends on 50-002. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Metrics/tracing/logging for compile/eval. |
+| 5 | POLICY-ENGINE-50-004 | TODO | Depends on 50-003. | Policy · Platform Events Guild / `src/Policy/StellaOps.Policy.Engine` | Event pipeline for updates/re-eval. |
+| 6 | POLICY-ENGINE-50-005 | TODO | Depends on 50-004. | Policy · Storage Guild / `src/Policy/StellaOps.Policy.Engine` | Collections/indexes for policy artifacts. |
+| 7 | POLICY-ENGINE-50-006 | TODO | Depends on 50-005. | Policy · QA Guild / `src/Policy/StellaOps.Policy.Engine` | Explainer persistence/retrieval. |
+| 8 | POLICY-ENGINE-50-007 | TODO | Depends on 50-006. | Policy · Scheduler Worker Guild / `src/Policy/StellaOps.Policy.Engine` | Evaluation worker host/orchestration. |
+| 9 | POLICY-ENGINE-60-001 | TODO | Depends on 50-007. | Policy · SBOM Service Guild / `src/Policy/StellaOps.Policy.Engine` | Redis effective decision maps. |
+| 10 | POLICY-ENGINE-60-002 | TODO | Depends on 60-001. | Policy · BE-Base Platform Guild / `src/Policy/StellaOps.Policy.Engine` | Simulation bridge for Graph What-if. |
+| 11 | POLICY-ENGINE-70-002 | TODO | Depends on 60-002. | Policy · Storage Guild / `src/Policy/StellaOps.Policy.Engine` | Exception collections + migrations. |
+| 12 | POLICY-ENGINE-70-003 | TODO | Depends on 70-002. | Policy · Runtime Guild / `src/Policy/StellaOps.Policy.Engine` | Redis exception cache. |
+| 13 | POLICY-ENGINE-70-004 | TODO | Depends on 70-003. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Exception metrics/tracing/logging. |
+| 14 | POLICY-ENGINE-70-005 | TODO | Depends on 70-004. | Policy · Scheduler Worker Guild / `src/Policy/StellaOps.Policy.Engine` | Exception activation/expiry + events. |
+| 15 | POLICY-ENGINE-80-001 | TODO | Depends on 70-005. | Policy · Signals Guild / `src/Policy/StellaOps.Policy.Engine` | Reachability/exploitability inputs into evaluation. |
+| 16 | POLICY-RISK-90-001 | TODO | — | Policy · Scanner Guild / `src/Policy/StellaOps.Policy.Engine` | Entropy penalty ingestion + trust algebra. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-08 | Sprint stub; awaiting upstream phases. | Planning |
+| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_126_policy_reasoning.md` to `SPRINT_0126_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
+
+## Decisions & Risks
+- All tasks depend on prior Policy phases; sequencing must be maintained.
+- Entropy/trust algebra inputs (POLICY-RISK-90-001) require Scanner contract.
+
+## Next Checkpoints
+- Align SPL compiler/evaluator contracts once upstream phases land (date TBD).

docs/implplan/SPRINT_0127_0001_0001_policy_reasoning.md

@@ -0,0 +1,51 @@
+# Sprint 0127-0001-0001 · Policy & Reasoning (Policy Engine phase V)
+
+## Topic & Scope
+- Policy Engine V: reachability integration, telemetry, incident mode, and initial RiskProfile schema work.
+- **Working directory:** `src/Policy/StellaOps.Policy.Engine` and `src/Policy/__Libraries/StellaOps.Policy.RiskProfile`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 120.C Policy.IV must land.
+- Concurrency: execute tasks in listed order; all tasks currently TODO.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/policy/architecture.md`
+
+## Delivery Tracker
+| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-POLICY-RISK-66-001-RISKPROFILE-LIBRARY-S | TODO | Due 2025-11-22 · Accountable: Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | RiskProfile library scaffold absent (`src/Policy/StellaOps.Policy.RiskProfile` contains only AGENTS.md); need project + storage contract to place schema/validators. <br><br> Document artefact/deliverable for POLICY-RISK-66-001 and publish location so downstream tasks can proceed. |
+| 1 | POLICY-ENGINE-80-002 | TODO | Depends on 80-001. | Policy · Storage Guild / `src/Policy/StellaOps.Policy.Engine` | Join reachability facts + Redis caches. |
+| 2 | POLICY-ENGINE-80-003 | TODO | Depends on 80-002. | Policy · Policy Editor Guild / `src/Policy/StellaOps.Policy.Engine` | SPL predicates/actions reference reachability. |
+| 3 | POLICY-ENGINE-80-004 | TODO | Depends on 80-003. | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Metrics/traces for signals usage. |
+| 4 | POLICY-OBS-50-001 | TODO | — | Policy · Observability Guild / `src/Policy/StellaOps.Policy.Engine` | Telemetry core for API/worker hosts. |
+| 5 | POLICY-OBS-51-001 | TODO | Depends on 50-001. | Policy · DevOps Guild / `src/Policy/StellaOps.Policy.Engine` | Golden-signal metrics + SLOs. |
+| 6 | POLICY-OBS-52-001 | TODO | Depends on 51-001. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Timeline events for evaluate/decision flows. |
+| 7 | POLICY-OBS-53-001 | TODO | Depends on 52-001. | Policy · Evidence Locker Guild / `src/Policy/StellaOps.Policy.Engine` | Evaluation evidence bundles + manifests. |
+| 8 | POLICY-OBS-54-001 | TODO | Depends on 53-001. | Policy · Provenance Guild / `src/Policy/StellaOps.Policy.Engine` | DSSE attestations for evaluations. |
+| 9 | POLICY-OBS-55-001 | TODO | Depends on 54-001. | Policy · DevOps Guild / `src/Policy/StellaOps.Policy.Engine` | Incident mode sampling overrides. |
+| 10 | POLICY-RISK-66-001 | BLOCKED (2025-11-19) | PREP-POLICY-RISK-66-001-RISKPROFILE-LIBRARY-S | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | RiskProfile JSON schema + validator stubs. |
+| 11 | POLICY-RISK-66-002 | TODO | Depends on 66-001. | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Inheritance/merge + deterministic hashing. |
+| 12 | POLICY-RISK-66-003 | TODO | Depends on 66-002. | Policy · Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.Engine` | Integrate RiskProfile into Policy Engine config. |
+| 13 | POLICY-RISK-66-004 | TODO | Depends on 66-003. | Policy · Risk Profile Schema Guild / `src/Policy/__Libraries/StellaOps.Policy` | Load/save RiskProfiles; validation diagnostics. |
+| 14 | POLICY-RISK-67-001 | TODO | Depends on 66-004. | Policy · Risk Engine Guild / `src/Policy/StellaOps.Policy.Engine` | Trigger scoring jobs on new/updated findings. |
+| 15 | POLICY-RISK-67-001 | TODO | Depends on 67-001. | Risk Profile Schema Guild · Policy Engine Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Profile storage/versioning lifecycle. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-08 | Sprint stub; awaiting upstream phases. | Planning |
+| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_127_policy_reasoning.md` to `SPRINT_0127_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
+| 2025-11-19 | Attempted POLICY-RISK-66-001; blocked because `src/Policy/StellaOps.Policy.RiskProfile` lacks a project/scaffold to host schema + validators. Needs project creation + contract placement guidance. | Implementer |
+
+## Decisions & Risks
+- Reachability inputs (80-001) prerequisite; not yet delivered.
+- RiskProfile schema undefined; blocks risk chain if delayed.
+
+## Next Checkpoints
+- Define reachability input contract (date TBD).
+- Draft RiskProfile schema baseline (date TBD).

docs/implplan/SPRINT_0128_0001_0001_policy_reasoning.md

@@ -0,0 +1,46 @@
+# Sprint 0128-0001-0001 · Policy & Reasoning (Policy Engine phase VI)
+
+## Topic & Scope
+- Policy Engine VI: Risk profile lifecycle APIs, simulation bridge, overrides, exports, and SPL schema evolution.
+- **Working directory:** `src/Policy/StellaOps.Policy.Engine` and `src/Policy/__Libraries/StellaOps.Policy`.
+
+## Dependencies & Concurrency
+- Upstream: Policy.V (0127) reachability/risk groundwork must land first.
+- Concurrency: execute tasks in listed order; all tasks currently TODO.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/policy/architecture.md`
+
+## Delivery Tracker
+| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | POLICY-RISK-67-002 | TODO | Depends on 67-001. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Risk profile lifecycle APIs. |
+| 2 | POLICY-RISK-67-002 | TODO | Depends on 67-002. | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Publish `.well-known/risk-profile-schema` + CLI validation. |
+| 3 | POLICY-RISK-67-003 | TODO | Depends on 67-002. | Policy · Risk Engine Guild / `src/Policy/__Libraries/StellaOps.Policy` | Risk simulations + breakdowns. |
+| 4 | POLICY-RISK-68-001 | TODO | Depends on 67-003. | Policy · Policy Studio Guild / `src/Policy/StellaOps.Policy.Engine` | Simulation API for Policy Studio. |
+| 5 | POLICY-RISK-68-001 | TODO | Depends on 68-001. | Risk Profile Schema Guild · Authority Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Scope selectors, precedence rules, Authority attachment. |
+| 6 | POLICY-RISK-68-002 | TODO | Depends on 68-001. | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Override/adjustment support with audit metadata. |
+| 7 | POLICY-RISK-68-002 | TODO | Depends on 68-002. | Policy · Export Guild / `src/Policy/__Libraries/StellaOps.Policy` | Export/import RiskProfiles with signatures. |
+| 8 | POLICY-RISK-69-001 | TODO | Depends on 68-002. | Policy · Notifications Guild / `src/Policy/StellaOps.Policy.Engine` | Notifications on profile lifecycle/threshold changes. |
+| 9 | POLICY-RISK-70-001 | TODO | Depends on 69-001. | Policy · Export Guild / `src/Policy/StellaOps.Policy.Engine` | Air-gap export/import for profiles with signatures. |
+| 10 | POLICY-SPL-23-001 | TODO | — | Policy · Language Infrastructure Guild / `src/Policy/__Libraries/StellaOps.Policy` | Define SPL v1 schema + fixtures. |
+| 11 | POLICY-SPL-23-002 | TODO | Depends on 23-001. | Policy Guild / `src/Policy/__Libraries/StellaOps.Policy` | Canonicalizer + content hashing. |
+| 12 | POLICY-SPL-23-003 | TODO | Depends on 23-002. | Policy Guild / `src/Policy/__Libraries/StellaOps.Policy` | Layering/override engine + tests. |
+| 13 | POLICY-SPL-23-004 | TODO | Depends on 23-003. | Policy · Audit Guild / `src/Policy/__Libraries/StellaOps.Policy` | Explanation tree model + persistence. |
+| 14 | POLICY-SPL-23-005 | TODO | Depends on 23-004. | Policy · DevEx Guild / `src/Policy/__Libraries/StellaOps.Policy` | Migration tool to baseline SPL packs. |
+| 15 | POLICY-SPL-24-001 | TODO | Depends on 23-005. | Policy · Signals Guild / `src/Policy/__Libraries/StellaOps.Policy` | Extend SPL with reachability/exploitability predicates. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-08 | Sprint stub; awaiting upstream phases. | Planning |
+| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_128_policy_reasoning.md` to `SPRINT_0128_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
+
+## Decisions & Risks
+- Risk profile contracts and SPL schema not yet defined; entire chain remains TODO pending upstream specs.
+
+## Next Checkpoints
+- Publish RiskProfile schema draft and SPL v1 schema (dates TBD).

docs/implplan/SPRINT_0129_0001_0001_policy_reasoning.md

@@ -0,0 +1,67 @@
+# Sprint 0129-0001-0001 · Policy & Reasoning (Policy Engine/Risk/VEX/Vuln Registry phase VII)
+
+## Topic & Scope
+- Policy VII plus companion tracks (RiskEngine, VexLens, VulnExplorer, Policy Registry): registries, simulations, promotions, reachability/exploitability inputs, VEX consensus, and vulnerability API surface.
+- **Working directory:** `src/Policy/StellaOps.Policy.Engine`, `src/Policy/StellaOps.Policy.Registry`, `src/RiskEngine/StellaOps.RiskEngine`, `src/VexLens`, `src/VulnExplorer`.
+
+## Dependencies & Concurrency
+- Upstream: Policy.VI (0128) + Risk/VEX foundations; execute tasks in listed order; all tasks currently TODO.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/policy/architecture.md`
+- Module docs for Registry, RiskEngine, VexLens, VulnExplorer as applicable.
+
+## Delivery Tracker
+| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | POLICY-TEN-48-001 | TODO | Tenant/project columns + RLS policy; needs platform-approved design. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Tenant scoping + rationale IDs with tenant metadata. |
+| 2 | REGISTRY-API-27-001 | TODO | OpenAPI spec pending. | Policy Registry Guild / `src/Policy/StellaOps.Policy.Registry` | Define Registry API spec + typed clients. |
+| 3 | REGISTRY-API-27-002 | TODO | Depends on 27-001. | Policy Registry Guild / `src/Policy/StellaOps.Policy.Registry` | Workspace storage with CRUD + history. |
+| 4 | REGISTRY-API-27-003 | TODO | Depends on 27-002. | Policy Registry Guild / `src/Policy/StellaOps.Policy.Registry` | Compile endpoint integration. |
+| 5 | REGISTRY-API-27-004 | TODO | Depends on 27-003. | Policy Registry Guild / `src/Policy/StellaOps.Policy.Registry` | Quick simulation API. |
+| 6 | REGISTRY-API-27-005 | TODO | Depends on 27-004. | Policy Registry · Scheduler Guild / `src/Policy/StellaOps.Policy.Registry` | Batch simulation orchestration. |
+| 7 | REGISTRY-API-27-006 | TODO | Depends on 27-005. | Policy Registry Guild / `src/Policy/StellaOps.Policy.Registry` | Review workflow with audit trails. |
+| 8 | REGISTRY-API-27-007 | TODO | Depends on 27-006. | Policy Registry · Security Guild / `src/Policy/StellaOps.Policy.Registry` | Publish pipeline with signing/attestations. |
+| 9 | REGISTRY-API-27-008 | TODO | Depends on 27-007. | Policy Registry Guild / `src/Policy/StellaOps.Policy.Registry` | Promotion bindings per tenant/environment. |
+| 10 | REGISTRY-API-27-009 | TODO | Depends on 27-008. | Policy Registry · Observability Guild / `src/Policy/StellaOps.Policy.Registry` | Metrics/logs/traces + dashboards. |
+| 11 | REGISTRY-API-27-010 | TODO | Depends on 27-009. | Policy Registry · QA Guild / `src/Policy/StellaOps.Policy.Registry` | Test suites + fixtures. |
+| 12 | RISK-ENGINE-66-001 | TODO | Scaffold scoring service; needs deterministic harness. | Risk Engine Guild / `src/RiskEngine/StellaOps.RiskEngine` | Scoring service + job queue. |
+| 13 | RISK-ENGINE-66-002 | TODO | Depends on 66-001. | Risk Engine Guild / `src/RiskEngine/StellaOps.RiskEngine` | Default transforms/clamping/gating. |
+| 14 | RISK-ENGINE-67-001 | TODO | Depends on 66-002. | Risk Engine Guild · Concelier Guild / `src/RiskEngine/StellaOps.RiskEngine` | CVSS/KEV providers. |
+| 15 | RISK-ENGINE-67-002 | TODO | Depends on 67-001. | Risk Engine Guild · Excitor Guild / `src/RiskEngine/StellaOps.RiskEngine` | VEX gate provider. |
+| 16 | RISK-ENGINE-67-003 | TODO | Depends on 67-002. | Risk Engine Guild · Policy Engine Guild / `src/RiskEngine/StellaOps.RiskEngine` | Fix availability/criticality/exposure providers. |
+| 17 | RISK-ENGINE-68-001 | TODO | Depends on 67-003. | Risk Engine Guild · Findings Ledger Guild / `src/RiskEngine/StellaOps.RiskEngine` | Persist results + explanations to Findings Ledger. |
+| 18 | RISK-ENGINE-68-002 | TODO | Depends on 68-001. | Risk Engine Guild / `src/RiskEngine/StellaOps.RiskEngine` | APIs for jobs/results/simulations. |
+| 19 | VEXLENS-30-001 | TODO | — | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Normalize CSAF/OpenVEX/CycloneDX VEX. |
+| 20 | VEXLENS-30-002 | TODO | Depends on 30-001. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Product mapping library. |
+| 21 | VEXLENS-30-003 | TODO | Depends on 30-002. | VEX Lens Guild · Issuer Directory Guild / `src/VexLens/StellaOps.VexLens` | Signature verification. |
+| 22 | VEXLENS-30-004 | TODO | Depends on 30-003. | VEX Lens · Policy Guild / `src/VexLens/StellaOps.VexLens` | Trust weighting engine. |
+| 23 | VEXLENS-30-005 | TODO | Depends on 30-004. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus algorithm. |
+| 24 | VEXLENS-30-006 | TODO | Depends on 30-005. | VEX Lens · Findings Ledger Guild / `src/VexLens/StellaOps.VexLens` | Consensus projection storage/events. |
+| 25 | VEXLENS-30-007 | TODO | Depends on 30-006. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus APIs + OpenAPI. |
+| 26 | VEXLENS-30-008 | TODO | Depends on 30-007. | VEX Lens · Policy Guild / `src/VexLens/StellaOps.VexLens` | Integrate consensus with Policy Engine + Vuln Explorer. |
+| 27 | VEXLENS-30-009 | TODO | Depends on 30-008. | VEX Lens · Observability Guild / `src/VexLens/StellaOps.VexLens` | Metrics/logs/traces. |
+| 28 | VEXLENS-30-010 | TODO | Depends on 30-009. | VEX Lens · QA Guild / `src/VexLens/StellaOps.VexLens` | Tests + determinism harness. |
+| 29 | VEXLENS-30-011 | TODO | Depends on 30-010. | VEX Lens · DevOps Guild / `src/VexLens/StellaOps.VexLens` | Deployment/runbooks/offline kit. |
+| 30 | VEXLENS-AIAI-31-001 | TODO | Depends on 30-011. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus rationale API enhancements. |
+| 31 | VEXLENS-AIAI-31-002 | TODO | Depends on AIAI-31-001. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Caching hooks for Advisory AI. |
+| 32 | VEXLENS-EXPORT-35-001 | TODO | Depends on 30-011. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus snapshot API for mirror bundles. |
+| 33 | VEXLENS-ORCH-33-001 | TODO | Depends on 30-011. | VEX Lens · Orchestrator Guild / `src/VexLens/StellaOps.VexLens` | Register consensus compute job type. |
+| 34 | VEXLENS-ORCH-34-001 | TODO | Depends on ORCH-33-001. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Emit consensus completion events to orchestrator ledger. |
+| 35 | VULN-API-29-001 | TODO | — | Vuln Explorer API Guild / `src/VulnExplorer/StellaOps.VulnExplorer.Api` | Define VulnExplorer OpenAPI spec. |
+| 36 | VULN-API-29-002 | TODO | Depends on 29-001. | Vuln Explorer API Guild / `src/VulnExplorer/StellaOps.VulnExplorer.Api` | Implement list/query endpoints. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-08 | Sprint stub; awaiting upstream specs. | Planning |
+| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_129_policy_reasoning.md` to `SPRINT_0129_0001_0001_policy_reasoning.md`; content preserved. | Implementer |
+
+## Decisions & Risks
+- Multiple upstream specs missing (Registry API, Risk Engine contracts, VEX consensus schema, VulnExplorer API); all tasks remain TODO until contracts land.
+
+## Next Checkpoints
+- Publish Registry API + RiskEngine/VexLens/VulnExplorer contracts (dates TBD).

docs/implplan/SPRINT_0131_0001_0001_scanner_surface.md

@@ -21,21 +21,25 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | SCANNER-ANALYZERS-DENO-26-009 | DOING | Implement loader/trace shim per `docs/modules/scanner/design/deno-runtime-shim.md`; serializer/metadata/tests done. | Deno Analyzer Guild · Signals Guild | Optional runtime evidence hooks capturing module loads and permissions with path hashing during harnessed execution. |
+| P1 | PREP-SCANNER-ANALYZERS-JAVA-21-005-TESTS-BLOC | TODO | Due 2025-11-22 · Accountable: Java Analyzer Guild | Java Analyzer Guild | Tests blocked: repo build fails in Concelier (CoreLinksets missing) and targeted Java analyzer test run stalls; retry once dependencies fixed or CI available. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-JAVA-21-005 and publish location so downstream tasks can proceed. |
+| P2 | PREP-SCANNER-ANALYZERS-JAVA-21-008-WAITING-ON | TODO | Due 2025-11-22 · Accountable: Java Analyzer Guild | Java Analyzer Guild | Waiting on 21-007 completion and resolver authoring bandwidth. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-JAVA-21-008 and publish location so downstream tasks can proceed. |
+| P3 | PREP-SCANNER-ANALYZERS-LANG-11-001-DOTNET-TES | TODO | Due 2025-11-22 · Accountable: StellaOps.Scanner EPDR Guild · Language Analyzer Guild | StellaOps.Scanner EPDR Guild · Language Analyzer Guild | `dotnet test` hangs/returns empty output; needs clean runner/CI diagnostics. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-LANG-11-001 and publish location so downstream tasks can proceed. |
+| 1 | SCANNER-ANALYZERS-DENO-26-009 | BLOCKED (2025-11-19) | Waiting on runtime shim fixtures + CI runner; design `deno-runtime-shim.md` drafted but tests cannot run. | Deno Analyzer Guild · Signals Guild | Optional runtime evidence hooks capturing module loads and permissions with path hashing during harnessed execution. |
 | 2 | SCANNER-ANALYZERS-DENO-26-010 | TODO | After 26-009, wire CLI (`stella deno trace`) + Worker/Offline Kit using runtime NDJSON contract. | Deno Analyzer Guild · DevOps Guild | Package analyzer plug-in and surface CLI/worker commands with offline documentation. |
 | 3 | SCANNER-ANALYZERS-DENO-26-011 | TODO | Implement policy signal emitter using runtime metadata once trace shim lands. | Deno Analyzer Guild | Policy signal emitter for capabilities (net/fs/env/ffi/process/crypto), remote origins, npm usage, wasm modules, and dynamic-import warnings. |
-| 4 | SCANNER-ANALYZERS-JAVA-21-005 | BLOCKED (2025-11-17) | Tests blocked: repo build fails in Concelier (CoreLinksets missing) and targeted Java analyzer test run stalls; retry once dependencies fixed or CI available. | Java Analyzer Guild | Framework config extraction: Spring Boot imports, spring.factories, application properties/yaml, Jakarta web.xml/fragments, JAX-RS/JPA/CDI/JAXB configs, logging files, Graal native-image configs. |
+| 4 | SCANNER-ANALYZERS-JAVA-21-005 | BLOCKED (2025-11-17) | PREP-SCANNER-ANALYZERS-JAVA-21-005-TESTS-BLOC | Java Analyzer Guild | Framework config extraction: Spring Boot imports, spring.factories, application properties/yaml, Jakarta web.xml/fragments, JAX-RS/JPA/CDI/JAXB configs, logging files, Graal native-image configs. |
 | 5 | SCANNER-ANALYZERS-JAVA-21-006 | TODO | Needs outputs from 21-005. | Java Analyzer Guild | JNI/native hint scanner detecting native methods, System.load/Library literals, bundled native libs, Graal JNI configs; emit `jni-load` edges. |
 | 6 | SCANNER-ANALYZERS-JAVA-21-007 | TODO | After 21-006; align manifest parsing with resolver. | Java Analyzer Guild | Signature and manifest metadata collector capturing JAR signature structure, signers, and manifest loader attributes (Main-Class, Agent-Class, Start-Class, Class-Path). |
-| 7 | SCANNER-ANALYZERS-JAVA-21-008 | BLOCKED (2025-10-27) | Waiting on 21-007 completion and resolver authoring bandwidth. | Java Analyzer Guild | Implement resolver + AOC writer emitting entrypoints, components, and edges (jpms, cp, spi, reflect, jni) with reason codes and confidence. |
+| 7 | SCANNER-ANALYZERS-JAVA-21-008 | BLOCKED (2025-10-27) | PREP-SCANNER-ANALYZERS-JAVA-21-008-WAITING-ON | Java Analyzer Guild | Implement resolver + AOC writer emitting entrypoints, components, and edges (jpms, cp, spi, reflect, jni) with reason codes and confidence. |
 | 8 | SCANNER-ANALYZERS-JAVA-21-009 | TODO | Unblock when 21-008 lands; prepare fixtures in parallel where safe. | Java Analyzer Guild · QA Guild | Comprehensive fixtures (modular app, boot fat jar, war, ear, MR-jar, jlink image, JNI, reflection heavy, signed jar, microprofile) with golden outputs and perf benchmarks. |
 | 9 | SCANNER-ANALYZERS-JAVA-21-010 | TODO | After 21-009; requires runtime capture design. | Java Analyzer Guild · Signals Guild | Optional runtime ingestion via Java agent + JFR reader capturing class load, ServiceLoader, System.load events with path scrubbing; append-only runtime edges (`runtime-class`/`runtime-spi`/`runtime-load`). |
 | 10 | SCANNER-ANALYZERS-JAVA-21-011 | TODO | Depends on 21-010; finalize DI/manifest registration and docs. | Java Analyzer Guild · DevOps Guild | Package analyzer as restart-time plug-in, update Offline Kit docs, add CLI/worker hooks for Java inspection commands. |
-| 11 | SCANNER-ANALYZERS-LANG-11-001 | BLOCKED (2025-11-17) | `dotnet test` hangs/returns empty output; needs clean runner/CI diagnostics. | StellaOps.Scanner EPDR Guild · Language Analyzer Guild | Entrypoint resolver mapping project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles; output normalized `entrypoints[]` with deterministic IDs. |
+| 11 | SCANNER-ANALYZERS-LANG-11-001 | BLOCKED (2025-11-17) | PREP-SCANNER-ANALYZERS-LANG-11-001-DOTNET-TES | StellaOps.Scanner EPDR Guild · Language Analyzer Guild | Entrypoint resolver mapping project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles; output normalized `entrypoints[]` with deterministic IDs. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-17 | Normalised sprint file to standard template and renamed from `SPRINT_131_scanner_surface.md` to `SPRINT_0131_scanner_surface.md`; no semantic changes. | Planning |
 | 2025-11-17 | Attempted `./tools/dotnet-filter.sh test src/Scanner/StellaOps.Scanner.sln --no-restore`; build ran ~72s compiling scanner/all projects without completing tests, then aborted locally to avoid runaway build. Follow-up narrow build `dotnet build src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj` also stalled ~28s in target resolution before manual stop. Blocker persists; needs clean CI runner or scoped test project to finish LANG-11-001 validation. | Implementer |
 | 2025-11-17 | Started SCANNER-ANALYZERS-JAVA-21-005: initial framework config extraction (Spring configs, JPA/CDI/JAXB, logging, Graal native-image) implemented with evidence + metadata; added regression test scaffold. | Implementer |

docs/implplan/SPRINT_0132_0001_0001_scanner_surface.md

@@ -22,12 +22,17 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-SCANNER-ANALYZERS-LANG-11-003-DEPENDS-ON | TODO | Due 2025-11-22 · Accountable: StellaOps.Scanner EPDR Guild; Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | StellaOps.Scanner EPDR Guild; Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Depends on 11-002; blocked until upstream static analyzer available. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-LANG-11-003 and publish location so downstream tasks can proceed. |
+| P2 | PREP-SCANNER-ANALYZERS-LANG-11-004-DEPENDS-ON | TODO | Due 2025-11-22 · Accountable: StellaOps.Scanner EPDR Guild; SBOM Service Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | StellaOps.Scanner EPDR Guild; SBOM Service Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Depends on 11-003; no upstream static/runtime outputs yet. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-LANG-11-004 and publish location so downstream tasks can proceed. |
+| P3 | PREP-SCANNER-ANALYZERS-LANG-11-005-DEPENDS-ON | TODO | Due 2025-11-22 · Accountable: StellaOps.Scanner EPDR Guild; QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | StellaOps.Scanner EPDR Guild; QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Depends on 11-004; fixtures deferred until analyzer outputs exist. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-LANG-11-005 and publish location so downstream tasks can proceed. |
+| P4 | PREP-SCANNER-ANALYZERS-NATIVE-20-002-AWAIT-DE | TODO | Due 2025-11-22 · Accountable: Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Await declared-dependency writer/contract to emit edges. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-NATIVE-20-002 and publish location so downstream tasks can proceed. |
+| P5 | PREP-SCANNER-ANALYZERS-NODE-22-001-NEEDS-ISOL | TODO | Due 2025-11-22 · Accountable: Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Needs isolated runner or scoped build graph to execute targeted tests without full-solution fan-out. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-NODE-22-001 and publish location so downstream tasks can proceed. |
 | 1 | SCANNER-ANALYZERS-LANG-11-002 | BLOCKED | Await upstream SCANNER-ANALYZERS-LANG-11-001 design/outputs to extend static analyzer | StellaOps.Scanner EPDR Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Implement static analyzer (IL + reflection heuristics) capturing AssemblyRef, ModuleRef/PInvoke, DynamicDependency, reflection literals, DI patterns, and custom AssemblyLoadContext probing hints; emit dependency edges with reason codes and confidence. |
-| 2 | SCANNER-ANALYZERS-LANG-11-003 | BLOCKED | Depends on 11-002; blocked until upstream static analyzer available | StellaOps.Scanner EPDR Guild; Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Ingest optional runtime evidence (AssemblyLoad, Resolving, P/Invoke) via event listener harness; merge runtime edges with static/declared ones and attach reason codes/confidence. |
+| 2 | SCANNER-ANALYZERS-LANG-11-003 | BLOCKED | PREP-SCANNER-ANALYZERS-LANG-11-003-DEPENDS-ON | StellaOps.Scanner EPDR Guild; Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Ingest optional runtime evidence (AssemblyLoad, Resolving, P/Invoke) via event listener harness; merge runtime edges with static/declared ones and attach reason codes/confidence. |
-| 3 | SCANNER-ANALYZERS-LANG-11-004 | BLOCKED | Depends on 11-003; no upstream static/runtime outputs yet | StellaOps.Scanner EPDR Guild; SBOM Service Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Produce normalized observation export to Scanner writer: entrypoints + dependency edges + environment profiles (AOC compliant); wire to SBOM service entrypoint tagging. |
+| 3 | SCANNER-ANALYZERS-LANG-11-004 | BLOCKED | PREP-SCANNER-ANALYZERS-LANG-11-004-DEPENDS-ON | StellaOps.Scanner EPDR Guild; SBOM Service Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Produce normalized observation export to Scanner writer: entrypoints + dependency edges + environment profiles (AOC compliant); wire to SBOM service entrypoint tagging. |
-| 4 | SCANNER-ANALYZERS-LANG-11-005 | BLOCKED | Depends on 11-004; fixtures deferred until analyzer outputs exist | StellaOps.Scanner EPDR Guild; QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Add comprehensive fixtures/benchmarks covering framework-dependent, self-contained, single-file, trimmed, NativeAOT, multi-RID scenarios; include explain traces and perf benchmarks vs previous analyzer. |
+| 4 | SCANNER-ANALYZERS-LANG-11-005 | BLOCKED | PREP-SCANNER-ANALYZERS-LANG-11-005-DEPENDS-ON | StellaOps.Scanner EPDR Guild; QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Add comprehensive fixtures/benchmarks covering framework-dependent, self-contained, single-file, trimmed, NativeAOT, multi-RID scenarios; include explain traces and perf benchmarks vs previous analyzer. |
 | 5 | SCANNER-ANALYZERS-NATIVE-20-001 | DONE (2025-11-18) | Format detector completed; ELF interpreter + build-id extraction fixed; tests passing (`dotnet test ...Native.Tests --no-build`). | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Implement format detector and binary identity model supporting ELF, PE/COFF, and Mach-O (including fat slices); capture arch, OS, build-id/UUID, interpreter metadata. |
-| 6 | SCANNER-ANALYZERS-NATIVE-20-002 | BLOCKED | Await declared-dependency writer/contract to emit edges | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Parse ELF dynamic sections: `DT_NEEDED`, `DT_RPATH`, `DT_RUNPATH`, symbol versions, interpreter, and note build-id; emit declared dependency records with reason `elf-dtneeded` and attach version needs. |
+| 6 | SCANNER-ANALYZERS-NATIVE-20-002 | BLOCKED | PREP-SCANNER-ANALYZERS-NATIVE-20-002-AWAIT-DE | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Parse ELF dynamic sections: `DT_NEEDED`, `DT_RPATH`, `DT_RUNPATH`, symbol versions, interpreter, and note build-id; emit declared dependency records with reason `elf-dtneeded` and attach version needs. |
 | 7 | SCANNER-ANALYZERS-NATIVE-20-003 | TODO | Depends on SCANNER-ANALYZERS-NATIVE-20-002 | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Parse PE imports, delay-load tables, manifests/SxS metadata, and subsystem flags; emit edges with reasons `pe-import` and `pe-delayimport`, plus SxS policy metadata. |
 | 8 | SCANNER-ANALYZERS-NATIVE-20-004 | TODO | Depends on SCANNER-ANALYZERS-NATIVE-20-003 | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Parse Mach-O load commands (`LC_LOAD_DYLIB`, `LC_REEXPORT_DYLIB`, `LC_RPATH`, `LC_UUID`, fat headers); handle `@rpath/@loader_path` placeholders and slice separation. |
 | 9 | SCANNER-ANALYZERS-NATIVE-20-005 | TODO | Depends on SCANNER-ANALYZERS-NATIVE-20-004 | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Implement resolver engine modeling loader search order for ELF (rpath/runpath/cache/default), PE (SafeDll search + SxS), and Mach-O (`@rpath` expansion); works against virtual image roots, producing explain traces. |
@@ -36,9 +41,9 @@
 | 12 | SCANNER-ANALYZERS-NATIVE-20-008 | TODO | Depends on SCANNER-ANALYZERS-NATIVE-20-007 | Native Analyzer Guild; QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Author cross-platform fixtures (ELF dynamic/static, PE delay-load/SxS, Mach-O @rpath, plugin configs) and determinism benchmarks (<25 ms / binary, <250 MB). |
 | 13 | SCANNER-ANALYZERS-NATIVE-20-009 | TODO | Depends on SCANNER-ANALYZERS-NATIVE-20-008 | Native Analyzer Guild; Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Provide optional runtime capture adapters (Linux eBPF `dlopen`, Windows ETW ImageLoad, macOS dyld interpose) writing append-only runtime evidence; include redaction/sandbox guidance. |
 | 14 | SCANNER-ANALYZERS-NATIVE-20-010 | TODO | Depends on SCANNER-ANALYZERS-NATIVE-20-009 | Native Analyzer Guild; DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Package native analyzer as restart-time plug-in with manifest/DI registration; update Offline Kit bundle and documentation. |
-| 15 | SCANNER-ANALYZERS-NODE-22-001 | BLOCKED | Needs isolated runner or scoped build graph to execute targeted tests without full-solution fan-out | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Build input normalizer + VFS for Node projects: dirs, tgz, container layers, pnpm store, Yarn PnP zips; detect Node version targets (`.nvmrc`, `.node-version`, Dockerfile) and workspace roots deterministically. |
+| 15 | SCANNER-ANALYZERS-NODE-22-001 | BLOCKED | PREP-SCANNER-ANALYZERS-NODE-22-001-NEEDS-ISOL | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Build input normalizer + VFS for Node projects: dirs, tgz, container layers, pnpm store, Yarn PnP zips; detect Node version targets (`.nvmrc`, `.node-version`, Dockerfile) and workspace roots deterministically. |
 | 16 | SCANNER-ANALYZERS-NODE-22-002 | TODO | Depends on SCANNER-ANALYZERS-NODE-22-001 | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Implement entrypoint discovery (bin/main/module/exports/imports, workers, electron, shebang scripts) and condition set builder per entrypoint. |
-| 17 | SCANNER-ANALYZERS-NODE-22-003 | TODO | Depends on SCANNER-ANALYZERS-NODE-22-002 | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Parse JS/TS sources for static `import`, `require`, `import()` and string concat cases; flag dynamic patterns with confidence levels; support source map de-bundling. |
+| 17 | SCANNER-ANALYZERS-NODE-22-003 | BLOCKED (2025-11-19) | Blocked on overlay/callgraph schema alignment and test fixtures; resolver wiring pending fixture drop. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Parse JS/TS sources for static `import`, `require`, `import()` and string concat cases; flag dynamic patterns with confidence levels; support source map de-bundling. |
 | 18 | SCANNER-ANALYZERS-NODE-22-004 | TODO | Depends on SCANNER-ANALYZERS-NODE-22-003 | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Implement Node resolver engine for CJS + ESM (core modules, exports/imports maps, conditions, extension priorities, self-references) parameterised by node_version. |
 | 19 | SCANNER-ANALYZERS-NODE-22-005 | TODO | Depends on SCANNER-ANALYZERS-NODE-22-004 | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Add package manager adapters: Yarn PnP (.pnp.data/.pnp.cjs), pnpm virtual store, npm/Yarn classic hoists; operate entirely in virtual FS. |
 | 20 | AGENTS-SCANNER-00-001 | DONE | Create module-level AGENTS.md for `src/Scanner` aligned with scanner architecture docs | Project Management; Scanner Guild | Author/update Scanner AGENTS.md covering roles, required docs, allowed shared directories, determinism/testing rules; ensure implementers can work autonomously. |
@@ -46,6 +51,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-16 | Normalised sprint file to standard template; renamed from `SPRINT_132_scanner_surface.md` to `SPRINT_0132_scanner_surface.md`; scope unchanged; added governance task for missing Scanner AGENTS.md. | Planning |
 | 2025-11-17 | AGENTS-SCANNER-00-001 completed; module AGENTS.md added under src/Scanner. | Implementer |
 | 2025-11-17 | Updated Decisions & Risks to reflect AGENTS.md completion date, fixed AGENTS.md required-reading formatting/sprint reference, and added dated checkpoints; no scope change. | Planning |
@@ -59,6 +65,8 @@
 | 2025-11-19 | SCANNER-ANALYZERS-NODE-22-001: Added Yarn PnP cache zip traversal with `yarnPnp` metadata plus new `yarn-pnp` fixture/test; test run aborted ~32s into restore due to contention; rerun required on clean runner. | Node Analyzer Guild |
 | 2025-11-18 | SCANNER-ANALYZERS-NODE-22-001: Retried `YarnPnpCachePackagesAreParsedAsync` with `--no-restore`; build fanned out across solution and was cancelled at ~66s runtime. Tests remain pending; needs clean/isolated runner or scoped build graph to finish. | Implementer |
 | 2025-11-18 | SCANNER-ANALYZERS-NODE-22-001: Second attempt with `/m:1 /p:UseSharedCompilation=false --no-restore` cancelled at ~15s while build was still compiling transitive projects. Still needs isolated runner or slimmer build graph to complete test. | Implementer |
+| 2025-11-19 | SCANNER-ANALYZERS-NODE-22-002: Wired entrypoint discovery (bin/main/module/exports) into package metadata & evidence; full Node analyzer suite green (`--no-build`). | Implementer |
+| 2025-11-19 | SCANNER-ANALYZERS-NODE-22-003: Added NodeImportEdge/Walker and attached import/require/import() edges into package metadata/evidence; `dotnet test ...Lang.Node.Tests --no-build` passing. | Implementer |
 | 2025-11-18 | SCANNER-ANALYZERS-LANG-11-002..005: Marked BLOCKED because upstream task 11-001 outputs/contracts are not available; dependencies in 11-003..005 cascade. No code changes made. | Implementer |
 
 ## Decisions & Risks

docs/implplan/SPRINT_0133_0001_0001_scanner_surface.md

@@ -0,0 +1,43 @@
+# Sprint 0133-0001-0001 · Scanner & Surface (Phase IV)
+
+## Topic & Scope
+- Scanner & Surface phase IV: Node bundle/source-map coverage and native/WASM signal extraction.
+- Maintain sequential execution across 130–139; work only after Sprint 0132 completes.
+- **Working directory:** `src/Scanner`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 0132 (Scanner & Surface phase III) must land first.
+- Concurrency: tasks execute in table order; all currently TODO.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/scanner/architecture.md
+- src/Scanner/AGENTS.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-SCANNER-ANALYZERS-NODE-22-006-UPSTREAM-2 | TODO | Due 2025-11-22 · Accountable: Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | Upstream 22-005 not delivered in Sprint 0132; waiting on bundle/source-map resolver baseline. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-NODE-22-006 and publish location so downstream tasks can proceed. |
+| P2 | PREP-SCANNER-ANALYZERS-NODE-22-007-UPSTREAM-2 | TODO | Due 2025-11-22 · Accountable: Node Analyzer Guild | Node Analyzer Guild | Upstream 22-006 blocked. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-NODE-22-007 and publish location so downstream tasks can proceed. |
+| P3 | PREP-SCANNER-ANALYZERS-NODE-22-008-UPSTREAM-2 | TODO | Due 2025-11-22 · Accountable: Node Analyzer Guild | Node Analyzer Guild | Upstream 22-007 blocked. <br><br> Document artefact/deliverable for SCANNER-ANALYZERS-NODE-22-008 and publish location so downstream tasks can proceed. |
+| 1 | SCANNER-ANALYZERS-NODE-22-006 | BLOCKED (2025-11-20) | PREP-SCANNER-ANALYZERS-NODE-22-006-UPSTREAM-2 | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | Detect bundles + source maps, reconstruct module specifiers, correlate to original paths; support dual CJS/ESM graphs with conditions. |
+| 2 | SCANNER-ANALYZERS-NODE-22-007 | BLOCKED (2025-11-20) | PREP-SCANNER-ANALYZERS-NODE-22-007-UPSTREAM-2 | Node Analyzer Guild | Scan for native addons (.node), WASM modules, and core capability signals (child_process, vm, worker_threads); emit hint edges and native metadata. |
+| 3 | SCANNER-ANALYZERS-NODE-22-008 | BLOCKED (2025-11-20) | PREP-SCANNER-ANALYZERS-NODE-22-008-UPSTREAM-2 | Node Analyzer Guild | Produce AOC-compliant observations: entrypoints, components (pkg/native/wasm), edges (esm-import, cjs-require, exports, json, native-addon, wasm, worker) with reason codes/confidence and resolver traces. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-08 | Sprint stub created; awaiting upstream completion of Sprint 0132. | Planning |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_133_scanner_surface.md` to `SPRINT_0133_0001_0001_scanner_surface.md`; content preserved. | Implementer |
+| 2025-11-19 | Converted legacy filename `SPRINT_133_scanner_surface.md` to redirect stub pointing here to avoid divergent updates. | Implementer |
+| 2025-11-20 | Marked Node phase tasks 22-006/007/008 BLOCKED because upstream 22-005 (Sprint 0132) not delivered; no executable work in this sprint until 0132 unblocks. | Implementer |
+
+## Decisions & Risks
+- All tasks depend on 22-005 outputs; remain TODO until prerequisites land.
+- Maintain offline/deterministic outputs; avoid running full solution builds—prefer scoped runners per module.
+
+## Next Checkpoints
+- Set kickoff once Sprint 0132 completes (date TBD).

docs/implplan/SPRINT_0134_0001_0001_scanner_surface.md

@@ -0,0 +1,38 @@
+# Sprint 0134-0001-0001 · Scanner & Surface (Phase V)
+
+## Topic & Scope
+- Scanner & Surface phase V: PHP analyzer fixtures, optional runtime evidence, packaging.
+- Sequential across 130–139; start after Sprint 0133 completes.
+- **Working directory:** `src/Scanner`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 0133 (phase IV) must land first.
+- Concurrency: tasks currently TODO; follow table order.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/scanner/architecture.md
+- src/Scanner/AGENTS.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | SCANNER-ANALYZERS-PHP-27-009 | TODO | Depends on PHP analyzer core (27-007). | PHP Analyzer Guild · QA Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php`) | Fixture suite + performance benchmarks (Laravel, Symfony, WordPress, legacy, PHAR, container) with golden outputs. |
+| 2 | SCANNER-ANALYZERS-PHP-27-010 | TODO | Depends on 27-009. | PHP Analyzer Guild · Signals Guild | Optional runtime evidence hooks (audit logs/opcache stats) with path hashing. |
+| 3 | SCANNER-ANALYZERS-PHP-27-011 | TODO | Depends on 27-010. | PHP Analyzer Guild · DevOps Guild | Package analyzer plug-in, add CLI `stella php inspect`, refresh Offline Kit docs. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-08 | Sprint stub created; awaiting completion of Sprint 0133. | Planning |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_134_scanner_surface.md` to `SPRINT_0134_0001_0001_scanner_surface.md`; content preserved. | Implementer |
+| 2025-11-19 | Converted legacy filename `SPRINT_134_scanner_surface.md` to redirect stub pointing here to avoid divergent updates. | Implementer |
+
+## Decisions & Risks
+- All PHP tasks depend on prior analyzer core; remain TODO until upstream tasks land.
+- Maintain deterministic fixtures and offline posture.
+
+## Next Checkpoints
+- Set kickoff after Sprint 0133 completes (date TBD).

docs/implplan/SPRINT_0135_0001_0001_scanner_surface.md

@@ -0,0 +1,42 @@
+# Sprint 0135-0001-0001 · Scanner & Surface (Phase VI)
+
+## Topic & Scope
+- Scanner & Surface phase VI: Python container/zipapp adapters and Ruby analyzer VFS/deps/runtime coverage.
+- Sequential across 130–139; start after Sprint 0134.
+- **Working directory:** `src/Scanner`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 0134 (phase V) must land first.
+- Concurrency: tasks are TODO; follow order below.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/scanner/architecture.md
+- src/Scanner/AGENTS.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | SCANNER-ANALYZERS-PYTHON-23-012 | TODO | Depends on 23-011. | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | Container/zipapp adapter enhancements: parse OCI layers for Python runtime, detect `PYTHONPATH`/`PYTHONHOME`, warn on sitecustomize/startup hooks. |
+| 2 | SCANNER-ANALYZERS-RUBY-28-001 | TODO | — | Ruby Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | Input normalizer & VFS for Ruby projects: merge sources, Gemfile/lock, vendor/bundle, .gem archives, `.bundle/config`, Rack configs, containers; detect framework/job fingerprints deterministically. |
+| 3 | SCANNER-ANALYZERS-RUBY-28-002 | TODO | Depends on 28-001. | Ruby Analyzer Guild | Gem & Bundler analyzer: parse Gemfile/lock, vendor specs, .gem archives; produce package nodes (PURLs), dependency edges, and resolver traces. |
+| 4 | SCANNER-ANALYZERS-RUBY-28-003 | TODO | Depends on 28-002. | Ruby Analyzer Guild · SBOM Guild | Produce AOC-compliant observations (entrypoints, components, edges) plus environment profiles; integrate with Scanner writer. |
+| 5 | SCANNER-ANALYZERS-RUBY-28-004 | TODO | Depends on 28-003. | Ruby Analyzer Guild · QA Guild | Fixtures/benchmarks for Ruby analyzer across Bundler/Rails/Sidekiq/CLI gems; determinism/perf targets. |
+| 6 | SCANNER-ANALYZERS-RUBY-28-005 | TODO | Depends on 28-004. | Ruby Analyzer Guild · Signals Guild | Optional runtime capture (tracepoint) hooks with append-only evidence, redaction, and sandbox guidance. |
+| 7 | SCANNER-ANALYZERS-RUBY-28-006 | TODO | Depends on 28-005. | Ruby Analyzer Guild · DevOps Guild | Package Ruby analyzer plug-in, add CLI/worker hooks, update Offline Kit docs. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-08 | Sprint stub created; awaiting completion of Sprint 0134. | Planning |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_135_scanner_surface.md` to `SPRINT_0135_0001_0001_scanner_surface.md`; content preserved. | Implementer |
+| 2025-11-19 | Converted legacy filename `SPRINT_135_scanner_surface.md` to redirect stub pointing here to avoid divergent updates. | Implementer |
+
+## Decisions & Risks
+- Ruby and Python tasks depend on prior phases; all remain TODO until upstream tasks land.
+- Maintain offline/deterministic execution and fixtures.
+
+## Next Checkpoints
+- Set kickoff after Sprint 0134 completes (date TBD).

docs/implplan/SPRINT_0136_0001_0001_scanner_surface.md

@@ -0,0 +1,37 @@
+# Sprint 0136-0001-0001 · Scanner & Surface (Phase VII)
+
+## Topic & Scope
+- Scanner & Surface phase VII: EntryTrace NDJSON export, process-tree replay, and surface/CLI integration.
+- Sequential across 130–139; start after Sprint 0135.
+- **Working directory:** `src/Scanner`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 0135 (phase VI) must land first.
+- Concurrency: tasks are TODO; follow order below.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/scanner/architecture.md
+- src/Scanner/AGENTS.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | SCANNER-ENTRYTRACE-18-504 | TODO | Depends on 18-503. | EntryTrace Guild (`src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace`) | Emit EntryTrace AOC NDJSON (`entrytrace.entry/node/edge/target/warning/capability`) and wire CLI/service streaming outputs. |
+| 2 | SCANNER-ENTRYTRACE-18-505 | TODO | Depends on 18-504. | EntryTrace Guild | Implement ProcGraph replay to reconcile `/proc` exec chains with static EntryTrace, collapsing wrappers and emitting agreement/conflict diagnostics. |
+| 3 | SCANNER-ENTRYTRACE-18-506 | TODO | Depends on 18-505. | EntryTrace Guild · Scanner WebService Guild | Surface EntryTrace graph + confidence via Scanner.WebService and CLI, including target summary in scan reports and policy payloads. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-08 | Sprint stub created; awaiting completion of Sprint 0135. | Planning |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_136_scanner_surface.md` to `SPRINT_0136_0001_0001_scanner_surface.md`; content preserved. | Implementer |
+| 2025-11-19 | Converted legacy filename `SPRINT_136_scanner_surface.md` to redirect stub pointing here to avoid divergent updates. | Implementer |
+
+## Decisions & Risks
+- EntryTrace export and replay depend on upstream 18-503 and accurate `/proc` capture; maintain deterministic ordering.
+
+## Next Checkpoints
+- Schedule kickoff after Sprint 0135 completion (date TBD).

docs/implplan/SPRINT_0138_0000_0001_scanner_ruby_parity.md

@@ -19,13 +19,18 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-SCANNER-ENG-0010-AWAIT-COMPOSER-AUTOLOAD | BLOCKED | Due 2025-11-22 · Accountable: PHP Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php`) | PHP Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php`) | Await composer/autoload graph design + staffing; no PHP analyzer scaffolding exists yet. <br><br> Document artefact/deliverable for SCANNER-ENG-0010 and publish location so downstream tasks can proceed. |
+| P2 | PREP-SCANNER-ENG-0011-NEEDS-DENO-RUNTIME-ANAL | BLOCKED | Due 2025-11-22 · Accountable: Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno`) | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno`) | Needs Deno runtime analyzer scope + lockfile/import graph design; pending competitive review. <br><br> Document artefact/deliverable for SCANNER-ENG-0011 and publish location so downstream tasks can proceed. |
+| P3 | PREP-SCANNER-ENG-0012-DEFINE-DART-ANALYZER-RE | BLOCKED | Due 2025-11-22 · Accountable: Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart`) | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart`) | Define Dart analyzer requirements (pubspec parsing, AOT artifacts) and split into tasks. <br><br> Document artefact/deliverable for SCANNER-ENG-0012 and publish location so downstream tasks can proceed. |
+| P4 | PREP-SCANNER-ENG-0013-DRAFT-SWIFTPM-COVERAGE | BLOCKED | Due 2025-11-22 · Accountable: Swift Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Native`) | Swift Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Native`) | Draft SwiftPM coverage plan; align policy hooks; awaiting design kick-off. <br><br> Document artefact/deliverable for SCANNER-ENG-0013 and publish location so downstream tasks can proceed. |
+| P5 | PREP-SCANNER-ENG-0014-NEEDS-JOINT-ROADMAP-WIT | BLOCKED | Due 2025-11-22 · Accountable: Runtime Guild, Zastava Guild (`docs/modules/scanner`) | Runtime Guild, Zastava Guild (`docs/modules/scanner`) | Needs joint roadmap with Zastava/Runtime guilds for Kubernetes/VM alignment. <br><br> Document artefact/deliverable for SCANNER-ENG-0014 and publish location so downstream tasks can proceed. |
 | 1 | SCANNER-ENG-0008 | DONE (2025-11-16) | Cadence documented; quarterly review workflow published for EntryTrace heuristics. | EntryTrace Guild, QA Guild (`src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace`) | Maintain EntryTrace heuristic cadence per `docs/benchmarks/scanner/scanning-gaps-stella-misses-from-competitors.md`, including explain-trace updates. |
 | 2 | SCANNER-ENG-0009 | DONE (2025-11-13) | Release handoff to Sprint 0139 consumers; monitor Mongo-backed inventory rollout. | Ruby Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | Ruby analyzer parity shipped: runtime graph + capability signals, observation payload, Mongo-backed `ruby.packages` inventory, CLI/WebService surfaces, and plugin manifest bundles for Worker loadout. |
-| 3 | SCANNER-ENG-0010 | BLOCKED | Await composer/autoload graph design + staffing; no PHP analyzer scaffolding exists yet. | PHP Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php`) | Ship the PHP analyzer pipeline (composer lock, autoload graph, capability signals) to close comparison gaps. |
+| 3 | SCANNER-ENG-0010 | BLOCKED | PREP-SCANNER-ENG-0010-AWAIT-COMPOSER-AUTOLOAD | PHP Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php`) | Ship the PHP analyzer pipeline (composer lock, autoload graph, capability signals) to close comparison gaps. |
-| 4 | SCANNER-ENG-0011 | BLOCKED | Needs Deno runtime analyzer scope + lockfile/import graph design; pending competitive review. | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno`) | Scope the Deno runtime analyzer (lockfile resolver, import graphs) beyond Sprint 130 coverage. |
+| 4 | SCANNER-ENG-0011 | BLOCKED | PREP-SCANNER-ENG-0011-NEEDS-DENO-RUNTIME-ANAL | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno`) | Scope the Deno runtime analyzer (lockfile resolver, import graphs) beyond Sprint 130 coverage. |
-| 5 | SCANNER-ENG-0012 | BLOCKED | Define Dart analyzer requirements (pubspec parsing, AOT artifacts) and split into tasks. | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart`) | Evaluate Dart analyzer requirements (pubspec parsing, AOT artifacts) and split implementation tasks. |
+| 5 | SCANNER-ENG-0012 | BLOCKED | PREP-SCANNER-ENG-0012-DEFINE-DART-ANALYZER-RE | Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart`) | Evaluate Dart analyzer requirements (pubspec parsing, AOT artifacts) and split implementation tasks. |
-| 6 | SCANNER-ENG-0013 | BLOCKED | Draft SwiftPM coverage plan; align policy hooks; awaiting design kick-off. | Swift Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Native`) | Plan Swift Package Manager coverage (Package.resolved, xcframeworks, runtime hints) with policy hooks. |
+| 6 | SCANNER-ENG-0013 | BLOCKED | PREP-SCANNER-ENG-0013-DRAFT-SWIFTPM-COVERAGE | Swift Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Native`) | Plan Swift Package Manager coverage (Package.resolved, xcframeworks, runtime hints) with policy hooks. |
-| 7 | SCANNER-ENG-0014 | BLOCKED | Needs joint roadmap with Zastava/Runtime guilds for Kubernetes/VM alignment. | Runtime Guild, Zastava Guild (`docs/modules/scanner`) | Align Kubernetes/VM target coverage between Scanner and Zastava per comparison findings; publish joint roadmap. |
+| 7 | SCANNER-ENG-0014 | BLOCKED | PREP-SCANNER-ENG-0014-NEEDS-JOINT-ROADMAP-WIT | Runtime Guild, Zastava Guild (`docs/modules/scanner`) | Align Kubernetes/VM target coverage between Scanner and Zastava per comparison findings; publish joint roadmap. |
 | 8 | SCANNER-ENG-0015 | DONE (2025-11-13) | Ready for Ops training; track adoption metrics. | Export Center Guild, Scanner Guild (`docs/modules/scanner`) | DSSE/Rekor operator playbook published with config/env tables, rollout phases, offline verification, and SLA/alert guidance. |
 | 9 | SCANNER-ENG-0016 | DONE (2025-11-10) | Monitor bundler override edge cases; keep fixtures deterministic. | Ruby Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | RubyLockCollector and vendor ingestion finalized: Bundler overrides honoured, workspace lockfiles merged, vendor bundles normalised, deterministic fixtures added. |
 | 10 | SCANNER-ENG-0017 | DONE (2025-11-09) | Keep tree-sitter Ruby grammar pinned; reuse EntryTrace hints for regressions. | Ruby Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby`) | Build runtime require/autoload graph builder with tree-sitter Ruby per design §4.4 and integrate EntryTrace hints. |
@@ -38,6 +43,9 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Removed trailing hyphen from PREP-SCANNER-ENG-0013-DRAFT-SWIFTPM-COVERAGE so SCANNER-ENG-0013 dependency resolves. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Marked PREP tasks P1–P5 BLOCKED pending composer/Deno/Dart/SwiftPM design contracts and Zastava/Runtime roadmap; downstream SCANNER-ENG-0010..0014 remain gated. | Project Mgmt |
 | 2025-11-09 | `SCANNER-CLI-0001`: Spectre table wrapping fix for runtime/lockfile columns; expanded Ruby resolve JSON assertions; removed debug artifacts; docs/tests pending final merge. | CLI Guild |
 | 2025-11-09 | `SCANNER-CLI-0001`: Wired `stellaops-cli ruby inspect|resolve` into `CommandFactory` with `--root`, `--image/--scan-id`, `--format`; `dotnet test ... --filter Ruby` passes. | CLI Guild |
 | 2025-11-09 | `SCANNER-CLI-0001`: Added CLI unit tests (CommandFactoryTests, Ruby inspect JSON assertions) to guard new verbs and runtime metadata output. | CLI Guild |

docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md

@@ -24,14 +24,18 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | 140.A Graph wave | DOING | Executing against scanner surface mock bundle v1; awaiting real cache ETA from Sprint 130.A for parity validation. | Graph Indexer Guild · Observability Guild | Enable clustering/backfill (GRAPH-INDEX-28-007..010) against mock bundle; update once cache ETA is published. |
+| P1 | PREP-140-D-ZASTAVA-WAVE-WAITING-ON-SURFACE-FS | TODO | Due 2025-11-22 · Accountable: Zastava Observer/Webhook Guilds · Surface Guild | Zastava Observer/Webhook Guilds · Surface Guild | Waiting on Surface.FS cache drop plan + Surface.Env helper ownership. <br><br> Document artefact/deliverable for 140.D Zastava wave and publish location so downstream tasks can proceed. |
+| P2 | PREP-SBOM-SERVICE-GUILD-CARTOGRAPHER-GUILD-OB | TODO | Due 2025-11-22 · Accountable: Projection schema frozen but fixtures and AirGap review are overdue; SBOM-SERVICE-21-001..004 cannot start until fixtures drop. | Projection schema frozen but fixtures and AirGap review are overdue; SBOM-SERVICE-21-001..004 cannot start until fixtures drop. | BLOCKED. <br><br> Document artefact/deliverable for SBOM Service Guild · Cartographer Guild · Observability Guild, Zastava Observer/Webhook Guilds · Security Guild and publish location so downstream tasks can proceed. |
+| 1 | 140.A Graph wave | BLOCKED (2025-11-19) | Await real scanner cache ETA; working off mock bundle only. | Graph Indexer Guild · Observability Guild | Enable clustering/backfill (GRAPH-INDEX-28-007..010) against mock bundle; revalidate once real cache lands. |
 | 2 | 140.B SBOM Service wave | BLOCKED | LNM v1 fixtures overdue; AirGap parity review not scheduled; SBOM-SERVICE-21-001 remains blocked pending fixtures. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
-| 3 | 140.C Signals wave | DOING | CAS promotion + signed manifest rollout; provenance appendix + runtime backfill before scoring. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
+| 3 | 140.C Signals wave | BLOCKED (2025-11-20) | CAS promotion + signed manifests + provenance appendix pending; SIGNALS-24-002/003 blocked upstream. TRACTORS: see `docs/signals/cas-promotion-24-002.md` and `docs/signals/provenance-24-003.md`. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
-| 4 | 140.D Zastava wave | BLOCKED | Waiting on Surface.FS cache drop plan + Surface.Env helper ownership. | Zastava Observer/Webhook Guilds · Surface Guild | Prepare env/secret helpers and admission hooks; start once cache endpoints and helpers are published. |
+| 4 | 140.D Zastava wave | BLOCKED | PREP-140-D-ZASTAVA-WAVE-WAITING-ON-SURFACE-FS | Zastava Observer/Webhook Guilds · Surface Guild | Prepare env/secret helpers and admission hooks; start once cache endpoints and helpers are published. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Marked SIGNALS-24-002/003 as BLOCKED pending Platform Storage + provenance approvals; linked CAS/provenance checklists in blockers. | Implementer |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-18 | Marked SBOM wave BLOCKED pending overdue LNM fixtures and AirGap review scheduling; status mirrored to tasks-all/blocked-all. | Planning |
 | 2025-11-18 | Added cache parity checklist (Graph) and CAS/provenance close-out checklist (Signals); mock bundle execution ongoing; fixed cross-sprint references to padded SPRINT IDs. | Planning |
 | 2025-11-18 | Started Graph wave execution on scanner surface mock bundle v1; tracking cache ETA for parity validation. | Planning |
@@ -79,16 +83,16 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 
 | Wave | Guild owners | Shared prerequisites | Status | Notes |
 | --- | --- | --- | --- | --- |
-| 140.A Graph | Graph Indexer Guild · Observability Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner (phase I tracked under `docs/implplan/SPRINT_130_scanner_surface.md`) | DOING | Executing on scanner surface mock bundle v1; real cache ETA still required for parity validation and to flip to real inputs. |
+| 140.A Graph | Graph Indexer Guild · Observability Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner (phase I tracked under `docs/implplan/SPRINT_130_scanner_surface.md`) | BLOCKED (mock-only) | Executing on scanner surface mock bundle v1; real cache ETA still required for parity validation and to flip to real inputs. |
-| 140.B SbomService | SBOM Service Guild · Cartographer Guild · Observability Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner | BLOCKED | Projection schema frozen but fixtures and AirGap review are overdue; SBOM-SERVICE-21-001..004 cannot start until fixtures drop. |
+| 140.B SbomService | SBOM Service Guild · Cartographer Guild · Observability Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner | PREP-SBOM-SERVICE-GUILD-CARTOGRAPHER-GUILD-OB | Projection schema frozen but fixtures and AirGap review are overdue; SBOM-SERVICE-21-001..004 cannot start until fixtures drop. |
-| 140.C Signals | Signals Guild · Authority Guild (for scopes) · Runtime Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner | DOING (red) | CAS checklist + provenance appendix overdue; callgraph retrieval live but artifacts not trusted until CAS/signing lands. |
+| 140.C Signals | Signals Guild · Authority Guild (for scopes) · Runtime Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner | BLOCKED (red) | CAS checklist + provenance appendix overdue; callgraph retrieval live but artifacts not trusted until CAS/signing lands. |
-| 140.D Zastava | Zastava Observer/Webhook Guilds · Security Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner | BLOCKED | Surface.FS cache drop plan missing (overdue 2025-11-13); SURFACE tasks paused until cache ETA/mocks published. |
+| 140.D Zastava | Zastava Observer/Webhook Guilds · Security Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner | PREP-SBOM-SERVICE-GUILD-CARTOGRAPHER-GUILD-OB | Surface.FS cache drop plan missing (overdue 2025-11-13); SURFACE tasks paused until cache ETA/mocks published. |
 
 # Status snapshot (2025-11-18)
 
-- **140.A Graph** – DOING on scanner surface mock bundle v1 (decision 2025-11-17); real cache ETA still required but no longer blocks coding/fixtures; will revalidate outputs when caches land.
+- **140.A Graph** – BLOCKED on real cache delivery; running only on scanner surface mock bundle v1 pending cache ETA/hash.
 - **140.B SbomService** – BLOCKED: LNM v1 fixtures are overdue (due 2025-11-18) and AirGap parity review is not scheduled; SBOM-SERVICE-21-001 cannot start until fixtures drop (21-002..004 follow). 
-- **140.C Signals** – SIGNALS-24-001 shipped on 2025-11-09; SIGNALS-24-002 is RED/BLOCKED with CAS promotion + signed manifest tooling pending; SIGNALS-24-003 is DOING but awaits provenance appendix and runtime feed reconciliation. Scoring/cache work (SIGNALS-24-004/005) stays BLOCKED until CAS/provenance and runtime uploads stabilize.
+- **140.C Signals** – SIGNALS-24-001 shipped on 2025-11-09; SIGNALS-24-002 and SIGNALS-24-003 are BLOCKED with CAS promotion + provenance appendix pending. Scoring/cache work (SIGNALS-24-004/005) stays BLOCKED until CAS/provenance and runtime uploads stabilize.
 - **140.D Zastava** – ZASTAVA-ENV/SECRETS/SURFACE tracks are BLOCKED because Surface.FS cache outputs from Scanner are still unavailable; guilds continue prepping Surface.Env helper adoption and sealed-mode scaffolding while caches are pending.
 
 ## Wave task tracker (refreshed 2025-11-18)
@@ -97,7 +101,7 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 
 | Task ID | State | Notes |
 | --- | --- | --- |
-| GRAPH-INDEX-28-007 | DOING | Running on scanner surface mock bundle v1; will revalidate once real cache ETA publishes. |
+| GRAPH-INDEX-28-007 | BLOCKED | Waiting on real scanner cache ETA; mock bundle only. |
 | GRAPH-INDEX-28-008 | BLOCKED-w/escalation | Incremental update/backfill pipeline depends on 28-007 artifacts; retry/backoff plumbing sketched but blocked. |
 | GRAPH-INDEX-28-009 | BLOCKED-w/escalation | Test/fixture/chaos coverage waits on earlier jobs to exist so determinism checks have data. |
 | GRAPH-INDEX-28-010 | BLOCKED-w/escalation | Packaging/offline bundles paused until upstream graph jobs are available to embed. |
@@ -127,8 +131,8 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 | Task ID | State | Notes |
 | --- | --- | --- |
 | SIGNALS-24-001 | DONE (2025-11-09) | Host skeleton, RBAC, sealed-mode readiness, `/signals/facts/{subject}` retrieval, and readiness probes merged; serves as base for downstream ingestion. |
-| SIGNALS-24-002 | DOING (2025-11-07) | Callgraph ingestion + retrieval APIs are live, but CAS promotion and signed manifest publication remain; cannot close until reachability jobs can trust stored graphs. |
+| SIGNALS-24-002 | BLOCKED (2025-11-19) | Callgraph ingestion + retrieval APIs are live, but CAS promotion and signed manifest publication remain; cannot close until reachability jobs can trust stored graphs. |
-| SIGNALS-24-003 | DOING (2025-11-09) | Runtime facts ingestion accepts JSON/NDJSON and gzip streams; provenance/context enrichment and NDJSON-to-AOC wiring still outstanding. |
+| SIGNALS-24-003 | BLOCKED (2025-11-19) | Runtime facts ingestion accepts JSON/NDJSON and gzip streams; provenance/context enrichment and NDJSON-to-AOC wiring still outstanding. |
 | SIGNALS-24-004 | BLOCKED (2025-10-27) | Reachability scoring waits on complete ingestion feeds (24-002/003) plus Authority scope validation. |
 | SIGNALS-24-005 | BLOCKED (2025-10-27) | Cache + `signals.fact.updated` events depend on scoring outputs; remains idle until 24-004 unblocks. |
 
@@ -215,8 +219,8 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 
 | Deliverable | Target date | Status | Dependencies / notes |
 | --- | --- | --- | --- |
-| SIGNALS-24-002 CAS promotion + signed manifests | 2025-11-14 | DOING | Needs Platform Storage sign-off from 2025-11-13 review; alerts/runbooks drafted. |
+| SIGNALS-24-002 CAS promotion + signed manifests | 2025-11-14 | BLOCKED | Waiting on Platform Storage approval; CAS checklist published (`docs/signals/cas-promotion-24-002.md`). |
-| SIGNALS-24-003 provenance enrichment + backfill | 2025-11-15 | DOING | Waiting on Runtime/Authority schema freeze + scope fixtures; NDJSON ingestion landed. |
+| SIGNALS-24-003 provenance enrichment + backfill | 2025-11-15 | BLOCKED | Await provenance appendix freeze/approval; checklist published (`docs/signals/provenance-24-003.md`). |
 | Scanner analyzer artifact ETA & cache drop plan | 2025-11-13 | TODO | Scanner to publish Sprint 130 surface roadmap; Graph/Zastava blocked until then. |
 | Concelier Link-Not-Merge schema ratified | 2025-11-14 | BLOCKED | Requires `CONCELIER-GRAPH-21-001` + `CARTO-GRAPH-21-002` agreement; AirGap review scheduled after sign-off. |
 | Surface.Env helper adoption checklist | 2025-11-15 | TODO | Zastava guild preparing sealed-mode test harness; depends on Surface guild office hours outcomes. |

docs/implplan/SPRINT_0141_0001_0001_graph_indexer.md

@@ -21,14 +21,21 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | GRAPH-INDEX-28-007 | BLOCKED | Waiting on GRAPH-INDEX-28-006 overlays + schedule config design | Graph Indexer Guild · Observability Guild | Implement clustering/centrality background jobs (Louvain/degree/betweenness approximations) with configurable schedules; persist cluster ids on nodes; expose metrics. |
+| P0 | PREP-GRAPH-INDEX-28-006-OVERLAYS | BLOCKED | Due 2025-11-22 · Accountable: Graph Indexer Guild · Observability Guild | Graph Indexer Guild · Observability Guild | Deliver baseline overlays + schedule config design for GRAPH-INDEX-28-006; publish mock bundle + config docs so 28-007 can start. |
-| 2 | GRAPH-INDEX-28-008 | BLOCKED | Unblock after 28-007; confirm change streams + retry/backoff settings | Graph Indexer Guild | Provide incremental update & backfill pipeline with change streams, retry/backoff, idempotent ops, backlog metrics. |
+| P1 | PREP-GRAPH-INDEX-28-008-UNBLOCK-AFTER-28-007 | BLOCKED | Due 2025-11-22 · Accountable: Graph Indexer Guild | Graph Indexer Guild | Unblock after 28-007; confirm change streams + retry/backoff settings. <br><br> Document artefact/deliverable for GRAPH-INDEX-28-008 and publish location so downstream tasks can proceed. |
-| 3 | GRAPH-INDEX-28-009 | BLOCKED | Downstream of 28-008 data paths | Graph Indexer Guild · QA Guild | Add unit/property/integration tests, synthetic large-graph fixtures, chaos tests (missing overlays, cycles), determinism checks across runs. |
+| P2 | PREP-GRAPH-INDEX-28-009-DOWNSTREAM-OF-28-008 | BLOCKED | Due 2025-11-22 · Accountable: Graph Indexer Guild · QA Guild | Graph Indexer Guild · QA Guild | Downstream of 28-008 data paths. <br><br> Document artefact/deliverable for GRAPH-INDEX-28-009 and publish location so downstream tasks can proceed. |
-| 4 | GRAPH-INDEX-28-010 | BLOCKED | Needs outputs from 28-009; align with Offline Kit owners | Graph Indexer Guild · DevOps Guild | Package deployment artefacts (Helm/Compose), offline seed bundles, configuration docs; integrate Offline Kit. |
+| P3 | PREP-GRAPH-INDEX-28-010-NEEDS-OUTPUTS-FROM-28 | BLOCKED | Due 2025-11-22 · Accountable: Graph Indexer Guild · DevOps Guild | Graph Indexer Guild · DevOps Guild | Needs outputs from 28-009; align with Offline Kit owners. <br><br> Document artefact/deliverable for GRAPH-INDEX-28-010 and publish location so downstream tasks can proceed. |
+| 1 | GRAPH-INDEX-28-007 | BLOCKED | PREP-GRAPH-INDEX-28-006-OVERLAYS | Graph Indexer Guild · Observability Guild | Implement clustering/centrality background jobs (Louvain/degree/betweenness approximations) with configurable schedules; persist cluster ids on nodes; expose metrics. |
+| 2 | GRAPH-INDEX-28-008 | BLOCKED | PREP-GRAPH-INDEX-28-008-UNBLOCK-AFTER-28-007 | Graph Indexer Guild | Provide incremental update & backfill pipeline with change streams, retry/backoff, idempotent ops, backlog metrics. |
+| 3 | GRAPH-INDEX-28-009 | BLOCKED | PREP-GRAPH-INDEX-28-009-DOWNSTREAM-OF-28-008 | Graph Indexer Guild · QA Guild | Add unit/property/integration tests, synthetic large-graph fixtures, chaos tests (missing overlays, cycles), determinism checks across runs. |
+| 4 | GRAPH-INDEX-28-010 | BLOCKED | PREP-GRAPH-INDEX-28-010-NEEDS-OUTPUTS-FROM-28 | Graph Indexer Guild · DevOps Guild | Package deployment artefacts (Helm/Compose), offline seed bundles, configuration docs; integrate Offline Kit. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Added PREP-GRAPH-INDEX-28-006-OVERLAYS and normalized PREP IDs for 28-008/009 so dependency graph is concrete. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Marked PREP tasks P0–P3 BLOCKED; overlays/mock bundle and change-stream/backfill configs are still missing, so GRAPH-INDEX-28-007..010 stay gated. | Project Mgmt |
 | 2025-11-17 | Marked tasks 28-007 through 28-010 as BLOCKED pending upstream 28-006 overlays and scanner cache availability. | Planning |
 | 2025-11-17 | Normalised sprint to standard template; renamed from SPRINT_141_graph.md; scope unchanged. | Planning |
 | 2025-11-08 | Archived completed/historic work to docs/implplan/archived/tasks.md. | Planning |

docs/implplan/SPRINT_0142_0001_0001_sbomservice.md

@@ -19,14 +19,17 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-SBOM-CONSOLE-23-001-BUILD-TEST-FAILING-D | TODO | Due 2025-11-22 · Accountable: SBOM Service Guild; Cartographer Guild | SBOM Service Guild; Cartographer Guild | Build/test failing due to missing NuGet feed; need feed/offline cache before wiring storage and validating `/console/sboms`. <br><br> Document artefact/deliverable for SBOM-CONSOLE-23-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-SBOM-SERVICE-21-001-WAITING-ON-LNM-V1-FI | TODO | Due 2025-11-22 · Accountable: SBOM Service Guild; Cartographer Guild | SBOM Service Guild; Cartographer Guild | Waiting on LNM v1 fixtures (due 2025-11-18 UTC) to freeze schema; then publish normalized SBOM projection read API with pagination + tenant enforcement. <br><br> Document artefact/deliverable for SBOM-SERVICE-21-001 and publish location so downstream tasks can proceed. |
+| P3 | PREP-BUILD-INFRA-SBOM-SERVICE-GUILD-BLOCKED-M | TODO | Due 2025-11-22 · Accountable: Planning | Planning | BLOCKED (multiple restore attempts still hang/fail; need vetted feed/cache). <br><br> Document artefact/deliverable for Build/Infra · SBOM Service Guild and publish location so downstream tasks can proceed. |
 | 1 | SBOM-AIAI-31-001 | DONE | Implemented `/sbom/paths` with env/blast-radius/runtime flags + cursor paging and `/sbom/versions` timeline; in-memory deterministic seed until storage wired. | SBOM Service Guild (src/SbomService/StellaOps.SbomService) | Provide path and version timeline endpoints optimised for Advisory AI. |
 | 2 | SBOM-AIAI-31-002 | DONE | Metrics + cache-hit tagging implemented; Grafana starter dashboard added; build/test completed locally. | SBOM Service Guild; Observability Guild | Instrument metrics for path/timeline queries and surface dashboards. |
-| 3 | SBOM-CONSOLE-23-001 | BLOCKED | Build/test failing due to missing NuGet feed; need feed/offline cache before wiring storage and validating `/console/sboms`. | SBOM Service Guild; Cartographer Guild | Provide Console-focused SBOM catalog API. |
+| 3 | SBOM-CONSOLE-23-001 | BLOCKED | PREP-SBOM-CONSOLE-23-001-BUILD-TEST-FAILING-D | SBOM Service Guild; Cartographer Guild | Provide Console-focused SBOM catalog API. |
-| 4 | SBOM-CONSOLE-23-002 | DOING | Stub component lookup (`/components/lookup`) implemented with repo abstraction, caching, pagination; validated via tests; storage wiring pending. | SBOM Service Guild | Deliver component lookup endpoints for search and overlays. |
+| 4 | SBOM-CONSOLE-23-002 | BLOCKED | Stub implemented; blocked on storage wiring and console schema approval. | SBOM Service Guild | Deliver component lookup endpoints for search and overlays. |
 | 5 | SBOM-ORCH-32-001 | TODO | Register SBOM ingest/index sources; embed worker SDK; emit artifact hashes and job metadata. | SBOM Service Guild | Register SBOM ingest/index sources with orchestrator. |
 | 6 | SBOM-ORCH-33-001 | TODO | Depends on SBOM-ORCH-32-001; report backpressure metrics, honor pause/throttle signals, classify sbom job errors. | SBOM Service Guild | Report backpressure metrics and handle orchestrator control signals. |
 | 7 | SBOM-ORCH-34-001 | TODO | Depends on SBOM-ORCH-33-001; implement orchestrator backfill and watermark reconciliation for idempotent artifact reuse. | SBOM Service Guild | Implement orchestrator backfill + watermark reconciliation. |
-| 8 | SBOM-SERVICE-21-001 | BLOCKED | Waiting on LNM v1 fixtures (due 2025-11-18 UTC) to freeze schema; then publish normalized SBOM projection read API with pagination + tenant enforcement. | SBOM Service Guild; Cartographer Guild | Link-Not-Merge v1 frozen schema and deterministic read API. |
+| 8 | SBOM-SERVICE-21-001 | BLOCKED | PREP-SBOM-SERVICE-21-001-WAITING-ON-LNM-V1-FI | SBOM Service Guild; Cartographer Guild | Link-Not-Merge v1 frozen schema and deterministic read API. |
 | 9 | SBOM-SERVICE-21-002 | TODO | Depends on SBOM-SERVICE-21-001; emit `sbom.version.created` change events and add replay/backfill tooling. | SBOM Service Guild; Scheduler Guild | Emit change events carrying digest/version metadata for Graph Indexer builds. |
 | 10 | SBOM-SERVICE-21-003 | TODO | Depends on SBOM-SERVICE-21-002; entrypoint/service node management API feeding Cartographer path relevance with deterministic defaults. | SBOM Service Guild | Provide entrypoint/service node management API. |
 | 11 | SBOM-SERVICE-21-004 | TODO | Depends on SBOM-SERVICE-21-003; wire metrics (`sbom_projection_seconds`, `sbom_projection_size`), traces, tenant-annotated logs; set backlog alerts. | SBOM Service Guild; Observability Guild | Wire observability for SBOM projections. |
@@ -41,11 +44,12 @@
 | Provide LNM v1 fixtures for SBOM projections. | Cartographer Guild | 2025-11-18 | OVERDUE (escalate; follow-up 2025-11-19) |
 | Publish orchestrator control contract for pause/throttle/backfill signals. | Orchestrator Guild | 2025-11-19 | Pending |
 | Create `src/SbomService/AGENTS.md` (roles, prerequisites, determinism/testing rules). | SBOM Service Guild · Module PM | 2025-11-19 | DONE |
-| Supply NuGet feed/offline cache (allow Microsoft.IdentityModel.Tokens >=8.14.0, Pkcs11Interop >=4.1.0) so SbomService builds/tests can run. | Build/Infra · SBOM Service Guild | 2025-11-20 | BLOCKED (multiple restore attempts still hang/fail; need vetted feed/cache) |
+| Supply NuGet feed/offline cache (allow Microsoft.IdentityModel.Tokens >=8.14.0, Pkcs11Interop >=4.1.0) so SbomService builds/tests can run. | Build/Infra · SBOM Service Guild | 2025-11-20 | PREP-BUILD-INFRA-SBOM-SERVICE-GUILD-BLOCKED-M |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-17 | Normalised sprint to standard template and renamed from `SPRINT_142_sbomservice.md`; no scope changes. | Project Mgmt |
 | 2025-11-17 | Flagged need for SBOM Service module dossier as documentation prerequisite. | Project Mgmt |
 | 2025-11-17 | Authored `docs/modules/sbomservice/architecture.md`; added to prerequisites; set SBOM-SERVICE-21-001 to BLOCKED pending LNM v1 fixtures. | Project Mgmt |
@@ -57,6 +61,7 @@
 | 2025-11-18 | Scoped builds (`dotnet build` on SbomService csproj/solution) repeatedly aborted by cross-solution churn; tests remain unrun. | SBOM Service |
 | 2025-11-18 | Additional targeted build of `StellaOps.SbomService.csproj` aborted (~48s) due to repo churn; testing still blocked. | SBOM Service |
 | 2025-11-18 | Marked SBOM-AIAI-31-002 BLOCKED (needs validated metrics & dashboards) and SBOM-CONSOLE-23-002 DOING (stub implemented, blocked on validation). | SBOM Service |
+| 2025-11-19 | Marked SBOM-CONSOLE-23-002 BLOCKED pending storage wiring and console schema approval. | Implementer |
 | 2025-11-18 | Build attempt with `/p:BuildProjectReferences=false` failed at restore (~11s); unable to validate code path changes. | SBOM Service |
 | 2025-11-18 | Added Grafana starter dashboard (`Observability/sbomservice-grafana-dashboard.json`) and README notes; metrics still unvalidated pending successful builds. | SBOM Service |
 | 2025-11-18 | Fixed NuGet feed mapping, restored, built, and ran tests successfully for SbomService; SBOM-AIAI-31-002 marked DONE; SBOM-CONSOLE-23-002 validated at stub level. | SBOM Service |
@@ -84,7 +89,7 @@
 - Latest restore attempts (2025-11-18/19) fail/hang even with local-nugets copies and PSM disabled; need vetted feed/offline cache allowing Microsoft.IdentityModel.Tokens ≥8.14.0 and Pkcs11Interop ≥4.1.0.
 - Metrics include `cache_hit` tagging; dashboards outstanding and unvalidated due to feed/build failures.
 - Build/test runs for SbomService blocked by feed mapping; must fix mapping or cache packages before rerunning `dotnet test ...SbomService.Tests.csproj`.
-- Component lookup endpoint is stubbed; remains unvalidated until restores succeed; SBOM-CONSOLE-23-002 stays DOING but blocked on feed/build.
+- Component lookup endpoint is stubbed; remains unvalidated until restores succeed; SBOM-CONSOLE-23-002 stays BLOCKED on feed/build.
 - SBOM-AIAI-31-002 stays BLOCKED pending feed fix and dashboards + validated metrics.
 - `AGENTS.md` for `src/SbomService` added 2025-11-18; implementers must read before coding.
 

docs/implplan/SPRINT_0143_0000_0001_signals.md

@@ -19,15 +19,21 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-SIGNALS-24-005-REDIS-CACHE-IMPLEMENTED-A | DONE (2025-11-20) | Doc published at `docs/signals/events-24-005.md`; bus/topic approved. | Signals Guild, Platform Events Guild | Redis cache implemented; awaiting real bus/topic + payload contract to replace placeholder `signals.fact.updated` logging. <br><br> Document artefact/deliverable for SIGNALS-24-005 and publish location so downstream tasks can proceed. |
+| P2 | PREP-SIGNALS-24-002-CAS-PROMO | DONE (2025-11-19) | Due 2025-11-22 · Accountable: Signals Guild · Platform Storage Guild | Signals Guild · Platform Storage Guild | CAS promotion checklist and manifest schema published at `docs/signals/cas-promotion-24-002.md`; awaiting storage approval to execute. |
+| P3 | PREP-SIGNALS-24-003-PROVENANCE | DONE (2025-11-19) | Due 2025-11-22 · Accountable: Signals Guild · Runtime Guild · Authority Guild | Signals Guild · Runtime Guild · Authority Guild | Provenance appendix fields and checklist published at `docs/signals/provenance-24-003.md`; awaiting schema/signing approval to execute. |
 | 1 | SIGNALS-24-001 | DONE (2025-11-09) | Dependency AUTH-SIG-26-001; merged host skeleton with scope policies and evidence validation. | Signals Guild, Authority Guild | Stand up Signals API skeleton with RBAC, sealed-mode config, DPoP/mTLS enforcement, and `/facts` scaffolding so downstream ingestion can begin. |
-| 2 | SIGNALS-24-002 | DOING (2025-11-07) | Remaining: CAS bucket promotion and signed graph manifests; depends on SIGNALS-24-001. | Signals Guild | Implement callgraph ingestion/normalization (Java/Node/Python/Go) with CAS persistence and retrieval APIs to feed reachability scoring. |
+| 2 | SIGNALS-24-002 | BLOCKED (2025-11-19) | Await Platform Storage approval; CAS promotion checklist ready (see PREP-SIGNALS-24-002-CAS-PROMO). | Signals Guild | Implement callgraph ingestion/normalization (Java/Node/Python/Go) with CAS persistence and retrieval APIs to feed reachability scoring. |
-| 3 | SIGNALS-24-003 | DONE (2025-11-17) | Runtime ingestion now enriches provenance metadata and triggers reachability recompute on ingest. | Signals Guild, Runtime Guild | Implement runtime facts ingestion endpoint and normalizer (process, sockets, container metadata) populating `context_facts` with AOC provenance. |
+| 3 | SIGNALS-24-003 | BLOCKED (2025-11-19) | Blocked on SIGNALS-24-002 approval and provenance schema sign-off; checklist ready (PREP-SIGNALS-24-003-PROVENANCE). | Signals Guild, Runtime Guild | Implement runtime facts ingestion endpoint and normalizer (process, sockets, container metadata) populating `context_facts` with AOC provenance. |
 | 4 | SIGNALS-24-004 | DONE (2025-11-17) | Scoring weights now configurable; runtime ingestion auto-triggers recompute into `reachability_facts`. | Signals Guild, Data Science | Deliver reachability scoring engine producing states/scores and writing to `reachability_facts`; expose configuration for weights. |
-| 5 | SIGNALS-24-005 | BLOCKED (2025-11-18) | Redis cache implemented; awaiting real bus/topic + payload contract to replace placeholder `signals.fact.updated` logging. | Signals Guild, Platform Events Guild | Implement Redis caches (`reachability_cache:*`), invalidation on new facts, and publish `signals.fact.updated` events. |
+| 5 | SIGNALS-24-005 | TODO | PREP-SIGNALS-24-005-REDIS-CACHE-IMPLEMENTED-A | Signals Guild, Platform Events Guild | Implement Redis caches (`reachability_cache:*`), invalidation on new facts, and publish `signals.fact.updated` events. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-20 | Published `docs/signals/events-24-005.md` event-bus contract (topic, envelope, retry/DLQ); marked PREP-SIGNALS-24-005 DONE and moved SIGNALS-24-005 to TODO. | Implementer |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Marked SIGNALS-24-002 and SIGNALS-24-003 BLOCKED pending CAS promotion, signed manifests, and provenance schema. | Implementer |
 | 2025-10-29 | Skeleton live with scope policies, stub endpoints, integration tests; sample configuration committed under `etc/signals.yaml.sample`. | Signals Guild |
 | 2025-10-29 | JSON parsers for Java/Node.js/Python/Go implemented; artifacts stored with SHA-256 and callgraphs upserted into Mongo. | Signals Guild |
 | 2025-11-09 | Signals host registers sealed-mode evidence validation, exposes `/readyz`/`/status`, enforces scope policies, and adds `/signals/facts/{subjectKey}` retrieval plus runtime-facts ingestion backing services. | Signals Guild / Authority Guild |
@@ -35,7 +41,7 @@
 | 2025-11-09 | Added runtime facts ingestion service + endpoint, aggregated runtime hit storage, and unit tests; next steps are NDJSON/gzip ingestion and provenance metadata wiring. | Signals Guild / Runtime Guild |
 | 2025-11-09 | Added `/signals/runtime-facts/ndjson` streaming endpoint (JSON/NDJSON + gzip) with sealed-mode gating; provenance/context enrichment + scoring linkage remain. | Signals Guild / Runtime Guild |
 | 2025-11-17 | CAS remediation window (≤3 days for Critical/High) approved with signed waiver; proceed with SIGNALS-24-002/004/005. | Signals Guild |
-| 2025-11-17 | CAS checklist in remediation window with risk waiver; continue DOING on SIGNALS-24-002 and unlock 24-004/005. | Signals Guild |
+| 2025-11-17 | CAS checklist in remediation window with risk waiver; SIGNALS-24-002/003 remain BLOCKED until CAS promotion + signed manifests land; 24-004/005 stay gated. | Signals Guild |
 | 2025-11-17 | Normalised sprint to standard template and renamed from SPRINT_143_signals.md to SPRINT_0143_0000_0001_signals.md. | PM |
 | 2025-11-17 | Reachability scoring weights moved to config; runtime facts ingestion now triggers recompute and persists states; added unit tests for scoring + runtime ingestion. | Signals Guild |
 | 2025-11-17 | `dotnet test src/Signals/StellaOps.Signals.sln` aborted after long restore/build; warning NU1504 about duplicate PackageReference items in StellaOps.Signals.Tests persists—needs cleanup before rerun. | Signals Guild |
@@ -60,10 +66,9 @@
 ## Decisions & Risks
 - CAS remediation window (≤3 days for Critical/High) running under signed waiver; track SIGNALS-24-002/004/005 for compliance.
 - Callgraph CAS bucket promotion and signed manifests remain outstanding for SIGNALS-24-002; risk to scoring start if delayed.
-- Runtime facts provenance/context enrichment and scoring linkage pending (SIGNALS-24-003); downstream scoring (24-004/005) can start only after completion.
+- SIGNALS-24-003 now blocked on CAS promotion/provenance schema; downstream scoring (24-004/005) depend on this landing.
 - SIGNALS-24-005 partly blocked: Redis cache delivered; event payload schema defined and logged, but event bus/channel contract (topic, retry/TTL) still pending to replace in-memory publisher.
-- Tests for Signals unit suite are now green; full Signals solution test run started—monitor to completion for coverage of new cache/event wiring.
+- Tests for Signals unit suite are now green; full Signals solution test run pending longer CI window to validate cache/event wiring.
-- Full Signals solution restore/test still exceeding 60s and cancelled for time; rerun needed with warmed restore cache or extended execution window.
 
 ## Next Checkpoints
 - Schedule CAS waiver review before 2025-11-20 to confirm remediation progress for SIGNALS-24-002/004/005.

docs/implplan/SPRINT_0150_0001_0001_scheduling_automation.md

@@ -0,0 +1,47 @@
+# Sprint 0150-0001-0001 · Scheduling & Automation
+
+## Topic & Scope
+- Snapshot the Scheduling & Automation stream while upstream AirGap/Scanner/Graph deliverables land; backlog continues in Sprint 151+ files.
+- Keep orchestration, Packs Registry, Scheduler, and TaskRunner waves ready to start once prerequisites are green.
+- Working directory: `docs/implplan` (coordination only; module work occurs in respective service directories).
+
+## Dependencies & Concurrency
+- Upstream sprints: Sprint 0120.A (AirGap), Sprint 0130.A (Scanner surface), Sprint 0140.A (Graph overlays) must stay green to unblock wave starts.
+- Concurrency limits: 150.B depends on 150.A kickoff; 150.D waits for Orchestrator/Scheduler telemetry baselines (150.A + 150.C).
+
+## Documentation Prerequisites
+- docs/modules/airgap/architecture.md
+- docs/modules/scanner/architecture.md
+- docs/modules/graph/architecture.md
+- docs/modules/orchestrator/architecture.md
+- docs/modules/scheduler/architecture.md
+- docs/modules/taskrunner/architecture.md
+- docs/modules/registry/architecture.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | 150.A-Orchestrator | TODO | Wait for Sprint 0120.A/0130.A/0140.A readiness; verify Scanner surface artifacts | Orchestrator Service Guild · AirGap Policy/Controller Guilds · Observability Guild | Kick off orchestration scheduling/telemetry baseline for automation epic. |
+| 2 | 150.B-PacksRegistry | TODO | 150.A must reach DOING; confirm tenancy scaffolding from Orchestrator | Packs Registry Guild · Exporter Guild · Security Guild | Packs registry automation stream staged; start after Orchestrator scaffolding. |
+| 3 | 150.C-Scheduler | TODO | Hold until 0140.A Graph overlays and 0130.A Scanner surface green | Scheduler WebService/Worker Guilds · Findings Ledger Guild · Observability Guild | Scheduler impact index improvements gated on Graph overlays. |
+| 4 | 150.D-TaskRunner | TODO | Requires Orchestrator/Scheduler telemetry baselines (150.A/150.C) | Task Runner Guild · AirGap Guilds · Evidence Locker Guild | Execution engine upgrades and evidence integration to start post-baselines. |
+
+## Wave Coordination Snapshot
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 150.A Orchestrator | Orchestrator Service Guild · AirGap Policy/Controller Guilds · Observability Guild | Sprint 0120.A – AirGap; Sprint 0130.A – Scanner; Sprint 0140.A – Graph | TODO | Pending confirmation that Scanner surface artifacts are ready; keep job telemetry work prepped for fast start. |
+| 150.B PacksRegistry | Packs Registry Guild · Exporter Guild · Security Guild | Sprint 0120.A – AirGap; Sprint 0130.A – Scanner; Sprint 0140.A – Graph | TODO | Blocked on Orchestrator tenancy scaffolding; specs are ready once 150.A flips to DOING. |
+| 150.C Scheduler | Scheduler WebService/Worker Guilds · Findings Ledger Guild · Observability Guild | Sprint 0120.A – AirGap; Sprint 0130.A – Scanner; Sprint 0140.A – Graph | TODO | Impact index improvements need Graph overlays; hold until 0140.A status improves. |
+| 150.D TaskRunner | Task Runner Guild · AirGap Guilds · Evidence Locker Guild | Sprint 0120.A – AirGap; Sprint 0130.A – Scanner; Sprint 0140.A – Graph | TODO | Execution engine upgrades staged; start once Orchestrator/Scheduler telemetry baselines exist. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-18 | Normalised sprint doc to standard template; renamed from `SPRINT_150_scheduling_automation.md`. | Planning |
+
+## Decisions & Risks
+- All waves remain gated on upstream AirGap/Scanner/Graph readiness; no new intra-decade dependencies introduced.
+- This sprint is a coordination snapshot only; implementation tasks continue in Sprint 151+ and should mirror status changes here to avoid drift.
+
+## Next Checkpoints
+- None scheduled; add next scheduling/automation sync once upstream readiness dates are confirmed.

docs/implplan/SPRINT_0151_0001_0001_orchestrator_i.md

@@ -0,0 +1,65 @@
+# Sprint 0151-0001-0001 · Scheduling & Automation · Orchestrator I
+
+## Topic & Scope
+- Phase I of Scheduling & Automation focused on Orchestrator: air-gap controls, observability/telemetry, and OpenAPI/SDK surface hardening.
+- Active snapshot only; historic items were moved to `docs/implplan/archived/tasks.md` (updated 2025-11-08).
+- Working directory: `src/Orchestrator` (coordination tracked in `docs/implplan`).
+
+## Dependencies & Concurrency
+- Upstream sprints: 0120.A (AirGap), 0130.A (Scanner surface), 0140.A (Graph overlays). Do not start net-new work until these stay green.
+- Task ordering: `ORCH-AIRGAP-56-001 → 56-002 → 57-001 → 58-001`; `ORCH-OAS-61-001 → 61-002 → 62-001 → 63-001`; `ORCH-OBS-50-001 → 51-001 → 52-001 → 53-001 → 54-001 → 55-001`. `ORCH-SVC-32-001` can progress in parallel once dependencies are stable.
+
+## Documentation Prerequisites
+- docs/modules/orchestrator/architecture.md
+- docs/modules/airgap/architecture.md
+- docs/modules/scanner/architecture.md
+- docs/modules/graph/architecture.md
+- docs/modules/telemetry/architecture.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-ORCH-AIRGAP-56-001-AWAIT-SPRINT-0120-A-A | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · AirGap Policy Guild | Orchestrator Service Guild · AirGap Policy Guild | Await Sprint 0120.A AirGap readiness; sealed-mode contracts not published. <br><br> Document artefact/deliverable for ORCH-AIRGAP-56-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-ORCH-AIRGAP-56-002-UPSTREAM-56-001-BLOCK | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · AirGap Controller Guild | Orchestrator Service Guild · AirGap Controller Guild | Upstream 56-001 blocked. <br><br> Document artefact/deliverable for ORCH-AIRGAP-56-002 and publish location so downstream tasks can proceed. |
+| P3 | PREP-ORCH-AIRGAP-57-001-UPSTREAM-56-002-BLOCK | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · Mirror Creator Guild | Orchestrator Service Guild · Mirror Creator Guild | Upstream 56-002 blocked. <br><br> Document artefact/deliverable for ORCH-AIRGAP-57-001 and publish location so downstream tasks can proceed. |
+| P4 | PREP-ORCH-AIRGAP-58-001-UPSTREAM-57-001-BLOCK | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · Evidence Locker Guild | Orchestrator Service Guild · Evidence Locker Guild | Upstream 57-001 blocked. <br><br> Document artefact/deliverable for ORCH-AIRGAP-58-001 and publish location so downstream tasks can proceed. |
+| P5 | PREP-ORCH-OAS-61-001-ORCHESTRATOR-TELEMETRY-C | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · API Contracts Guild | Orchestrator Service Guild · API Contracts Guild | Orchestrator telemetry/contract inputs not available; wait for 150.A readiness. <br><br> Document artefact/deliverable for ORCH-OAS-61-001 and publish location so downstream tasks can proceed. |
+| P6 | PREP-ORCH-OAS-61-002-DEPENDS-ON-61-001 | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Depends on 61-001. <br><br> Document artefact/deliverable for ORCH-OAS-61-002 and publish location so downstream tasks can proceed. |
+| P7 | PREP-ORCH-OAS-62-001-DEPENDS-ON-61-002 | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · SDK Generator Guild | Orchestrator Service Guild · SDK Generator Guild | Depends on 61-002. <br><br> Document artefact/deliverable for ORCH-OAS-62-001 and publish location so downstream tasks can proceed. |
+| P8 | PREP-ORCH-OAS-63-001-DEPENDS-ON-62-001 | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · API Governance Guild | Orchestrator Service Guild · API Governance Guild | Depends on 62-001. <br><br> Document artefact/deliverable for ORCH-OAS-63-001 and publish location so downstream tasks can proceed. |
+| P9 | PREP-ORCH-OBS-50-001-TELEMETRY-CORE-SPRINT-01 | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · Observability Guild | Orchestrator Service Guild · Observability Guild | Telemetry Core (Sprint 0174) not yet available for orchestrator host. <br><br> Document artefact/deliverable for ORCH-OBS-50-001 and publish location so downstream tasks can proceed. |
+| P10 | PREP-ORCH-OBS-51-001-DEPENDS-ON-50-001-TELEME | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · DevOps Guild | Orchestrator Service Guild · DevOps Guild | Depends on 50-001 + Telemetry schema. <br><br> Document artefact/deliverable for ORCH-OBS-51-001 and publish location so downstream tasks can proceed. |
+| P11 | PREP-ORCH-OBS-52-001-DEPENDS-ON-51-001-REQUIR | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Depends on 51-001; requires event schema from Sprint 0150.A. <br><br> Document artefact/deliverable for ORCH-OBS-52-001 and publish location so downstream tasks can proceed. |
+| P12 | PREP-ORCH-OBS-53-001-DEPENDS-ON-52-001-EVIDEN | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · Evidence Locker Guild | Orchestrator Service Guild · Evidence Locker Guild | Depends on 52-001; Evidence Locker capsule inputs not frozen. <br><br> Document artefact/deliverable for ORCH-OBS-53-001 and publish location so downstream tasks can proceed. |
+| P13 | PREP-ORCH-OBS-54-001-DEPENDS-ON-53-001 | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · Provenance Guild | Orchestrator Service Guild · Provenance Guild | Depends on 53-001. <br><br> Document artefact/deliverable for ORCH-OBS-54-001 and publish location so downstream tasks can proceed. |
+| P14 | PREP-ORCH-OBS-55-001-DEPENDS-ON-54-001-INCIDE | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild · DevOps Guild | Orchestrator Service Guild · DevOps Guild | Depends on 54-001; incident contract absent. <br><br> Document artefact/deliverable for ORCH-OBS-55-001 and publish location so downstream tasks can proceed. |
+| P15 | PREP-ORCH-SVC-32-001-UPSTREAM-READINESS-AIRGA | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Upstream readiness (AirGap/Scanner/Graph) not confirmed; postpone bootstrap. <br><br> Document artefact/deliverable for ORCH-SVC-32-001 and publish location so downstream tasks can proceed. |
+| 1 | ORCH-AIRGAP-56-001 | BLOCKED (2025-11-19) | PREP-ORCH-AIRGAP-56-001-AWAIT-SPRINT-0120-A-A | Orchestrator Service Guild · AirGap Policy Guild | Enforce job descriptors to declare network intents; flag/reject external endpoints in sealed mode. |
+| 2 | ORCH-AIRGAP-56-002 | BLOCKED (2025-11-19) | PREP-ORCH-AIRGAP-56-002-UPSTREAM-56-001-BLOCK | Orchestrator Service Guild · AirGap Controller Guild | Surface sealing status and staleness in scheduling decisions; block runs when budgets exceeded. |
+| 3 | ORCH-AIRGAP-57-001 | BLOCKED (2025-11-19) | PREP-ORCH-AIRGAP-57-001-UPSTREAM-56-002-BLOCK | Orchestrator Service Guild · Mirror Creator Guild | Add job type `mirror.bundle` with audit + provenance outputs. |
+| 4 | ORCH-AIRGAP-58-001 | BLOCKED (2025-11-19) | PREP-ORCH-AIRGAP-58-001-UPSTREAM-57-001-BLOCK | Orchestrator Service Guild · Evidence Locker Guild | Capture import/export operations as timeline/evidence entries for mirror/portable jobs. |
+| 5 | ORCH-OAS-61-001 | BLOCKED (2025-11-19) | PREP-ORCH-OAS-61-001-ORCHESTRATOR-TELEMETRY-C | Orchestrator Service Guild · API Contracts Guild | Document orchestrator endpoints in per-service OAS with pagination/idempotency/error envelope examples. |
+| 6 | ORCH-OAS-61-002 | BLOCKED (2025-11-19) | PREP-ORCH-OAS-61-002-DEPENDS-ON-61-001 | Orchestrator Service Guild | Implement `GET /.well-known/openapi`; align version metadata with runtime build. |
+| 7 | ORCH-OAS-62-001 | BLOCKED (2025-11-19) | PREP-ORCH-OAS-62-001-DEPENDS-ON-61-002 | Orchestrator Service Guild · SDK Generator Guild | Ensure SDK paginators/operations support job APIs; add SDK smoke tests for schedule/retry. |
+| 8 | ORCH-OAS-63-001 | BLOCKED (2025-11-19) | PREP-ORCH-OAS-63-001-DEPENDS-ON-62-001 | Orchestrator Service Guild · API Governance Guild | Emit deprecation headers/doc for legacy endpoints; update notifications metadata. |
+| 9 | ORCH-OBS-50-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-50-001-TELEMETRY-CORE-SPRINT-01 | Orchestrator Service Guild · Observability Guild | Wire `StellaOps.Telemetry.Core` into orchestrator host; instrument schedulers/control APIs with spans/logs/metrics. |
+| 10 | ORCH-OBS-51-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-51-001-DEPENDS-ON-50-001-TELEME | Orchestrator Service Guild · DevOps Guild | Publish golden-signal metrics and SLOs; emit burn-rate alerts; provide Grafana dashboards + alert rules. |
+| 11 | ORCH-OBS-52-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-52-001-DEPENDS-ON-51-001-REQUIR | Orchestrator Service Guild | Emit `timeline_event` lifecycle objects with trace IDs/run IDs/tenant/project; add contract tests and Kafka/NATS emitter with retries. |
+| 12 | ORCH-OBS-53-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-53-001-DEPENDS-ON-52-001-EVIDEN | Orchestrator Service Guild · Evidence Locker Guild | Generate job capsule inputs for Evidence Locker; invoke snapshot hooks; enforce redaction guard. |
+| 13 | ORCH-OBS-54-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-54-001-DEPENDS-ON-53-001 | Orchestrator Service Guild · Provenance Guild | Produce DSSE attestations for orchestrator-scheduled jobs; store references in timeline + Evidence Locker; add verification endpoint `/jobs/{id}/attestation`. |
+| 14 | ORCH-OBS-55-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-55-001-DEPENDS-ON-54-001-INCIDE | Orchestrator Service Guild · DevOps Guild | Incident mode hooks (sampling overrides, extended retention, debug spans) with automatic activation on SLO burn-rate breach; emit activation/deactivation events. |
+| 15 | ORCH-SVC-32-001 | BLOCKED (2025-11-19) | PREP-ORCH-SVC-32-001-UPSTREAM-READINESS-AIRGA | Orchestrator Service Guild | Bootstrap service project/config and Postgres schema/migrations for sources, runs, jobs, dag_edges, artifacts, quotas, schedules. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-18 | Normalised sprint doc to standard template; renamed from `SPRINT_151_orchestrator_i.md`. | Planning |
+| 2025-11-19 | Set all tasks to BLOCKED pending upstream readiness (AirGap/Scanner/Graph), Telemetry Core availability, and Orchestrator event schema; no executable work until contracts land. | Implementer |
+
+## Decisions & Risks
+- Start of work gated on AirGap/Scanner/Graph dependencies staying green; reassess before moving tasks to DOING.
+- Ensure status changes here mirror module boards to avoid drift between coordination doc and execution evidence.
+
+## Next Checkpoints
+- None scheduled; add orchestrator scheduling/automation sync once upstream readiness dates are committed.

docs/implplan/SPRINT_0152_0001_0002_orchestrator_ii.md

@@ -0,0 +1,52 @@
+# Sprint 0152-0001-0002 · Orchestrator II (Scheduling & Automation)
+
+## Topic & Scope
+- Build scheduler DAG planner, job lifecycle APIs/streams, and worker claim/heartbeat wiring without issuing control actions yet.
+- Add observability (REST, SSE, metrics), rate limits, backfill/dead-letter handling, quotas, and GA packaging for orchestrator service.
+- Keep outputs aggregation-only with provenance-ready audit/export ledger and offline-friendly deploy artefacts.
+- **Working directory:** `src/Orchestrator/StellaOps.Orchestrator`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 0151-0001-0001 (Orchestrator I) must land first.
+- Concurrency: execute tasks in table order (planner → APIs → streams → worker endpoints → rate limits → backfill → ledger → GA packaging → export job class).
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/orchestrator/architecture.md
+- src/Orchestrator/StellaOps.Orchestrator/AGENTS.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | ORCH-SVC-32-002 | TODO | Depends on ORCH-SVC-32-001 (Sprint 0151). | Orchestrator Service Guild (`src/Orchestrator/StellaOps.Orchestrator`) | Implement scheduler DAG planner + dependency resolver, job state machine, critical-path metadata (no control actions yet). |
+| 2 | ORCH-SVC-32-003 | TODO | Depends on 32-002. | Orchestrator Service Guild | Expose read-only REST APIs (sources, runs, jobs, DAG) with OpenAPI, validation, pagination, tenant scoping. |
+| 3 | ORCH-SVC-32-004 | TODO | Depends on 32-003. | Orchestrator Service Guild | Implement WebSocket/SSE stream for job/run updates; emit structured metrics counters/histograms; add health probes. |
+| 4 | ORCH-SVC-32-005 | TODO | Depends on 32-004. | Orchestrator Service Guild | Deliver worker claim/heartbeat/progress endpoints capturing artifact metadata/checksums and enforcing idempotency keys. |
+| 5 | ORCH-SVC-33-001 | TODO | Depends on 32-005. | Orchestrator Service Guild | Enable `sources` tests (control-plane validation). |
+| 6 | ORCH-SVC-33-002 | TODO | Depends on 33-001. | Orchestrator Service Guild | Per-source/tenant adaptive token-bucket limiter, concurrency caps, backpressure reacting to upstream 429/503. |
+| 7 | ORCH-SVC-33-003 | TODO | Depends on 33-002. | Orchestrator Service Guild | Watermark/backfill manager with event-time windows, duplicate suppression, dry-run preview endpoint, safety validations. |
+| 8 | ORCH-SVC-33-004 | TODO | Depends on 33-003. | Orchestrator Service Guild | Dead-letter store, replay endpoints, error classification with remediation hints + notification hooks. |
+| 9 | ORCH-SVC-34-001 | TODO | Depends on 33-004. | Orchestrator Service Guild | Quota management APIs, per-tenant SLO burn-rate computation, alert budget tracking via metrics. |
+| 10 | ORCH-SVC-34-002 | TODO | Depends on 34-001. | Orchestrator Service Guild | Audit log + immutable run ledger export with signed manifest and provenance chain to artifacts. |
+| 11 | ORCH-SVC-34-003 | TODO | Depends on 34-002. | Orchestrator Service Guild | Perf/scale validation (≥10k pending jobs, dispatch P95 <150 ms); autoscaling hooks; health probes. |
+| 12 | ORCH-SVC-34-004 | TODO | Depends on 34-003. | Orchestrator Service Guild | GA packaging: container image, Helm overlays, offline bundle seeds, provenance attestations, compliance checklist. |
+| 13 | ORCH-SVC-35-101 | TODO | Depends on 34-004. | Orchestrator Service Guild | Register `export` job type with quotas/rate policies; expose telemetry; ensure exporter workers heartbeat via orchestrator contracts. |
+| 14 | ORCH-SVC-36-101 | TODO | Depends on 35-101. | Orchestrator Service Guild | Capture distribution metadata and retention timestamps for export jobs; update dashboards and SSE payloads. |
+| 15 | ORCH-SVC-37-101 | TODO | Depends on 36-101. | Orchestrator Service Guild | Enable scheduled export runs, retention pruning hooks, failure alerting tied to export job class. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-08 | Sprint stub (legacy format) created; awaiting orchestrator phase I completion. | Planning |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_152_orchestrator_ii.md` to `SPRINT_0152_0001_0002_orchestrator_ii.md`; content preserved. | Implementer |
+| 2025-11-19 | Added legacy-file redirect stub to avoid divergent updates. | Implementer |
+
+## Decisions & Risks
+- All tasks depend on outputs from Orchestrator I (32-001); sprint remains TODO until upstream ship.
+- Maintain deterministic scheduling semantics; avoid issuing control actions until DAG planner/state machine validated.
+- Ensure offline/air-gap deploy artifacts (Helm/overlays) align with GA packaging in task 34-004.
+
+## Next Checkpoints
+- Kickoff once ORCH-SVC-32-001 lands (date TBD).

docs/implplan/SPRINT_0153_0001_0003_orchestrator_iii.md

@@ -19,10 +19,13 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-ORCH-SVC-41-101-DEPENDS-ON-38-101-ENVELO | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Depends on 38-101 envelope + DAL; cannot register pack-run without API/storage schema. <br><br> Document artefact/deliverable for ORCH-SVC-41-101 and publish location so downstream tasks can proceed. |
+| P2 | PREP-ORCH-SVC-42-101-DEPENDS-ON-41-101-PACK-R | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Depends on 41-101 pack-run plumbing and streaming contract. <br><br> Document artefact/deliverable for ORCH-SVC-42-101 and publish location so downstream tasks can proceed. |
+| P3 | PREP-ORCH-TEN-48-001-WEBSERVICE-LACKS-JOB-DAL | TODO | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | WebService lacks job DAL/routes; need tenant context plumbing before enforcement. <br><br> Document artefact/deliverable for ORCH-TEN-48-001 and publish location so downstream tasks can proceed. |
 | 1 | ORCH-SVC-38-101 | BLOCKED | Waiting on ORCH-SVC-37-101 envelope field/semantics approval; webservice DAL still missing. | Orchestrator Service Guild | Standardize event envelope (policy/export/job lifecycle) with idempotency keys, ensure export/job failure events published to notifier bus with provenance metadata. |
-| 2 | ORCH-SVC-41-101 | BLOCKED | Depends on 38-101 envelope + DAL; cannot register pack-run without API/storage schema. | Orchestrator Service Guild | Register `pack-run` job type, persist run metadata, integrate logs/artifacts collection, and expose API for Task Runner scheduling. |
+| 2 | ORCH-SVC-41-101 | BLOCKED | PREP-ORCH-SVC-41-101-DEPENDS-ON-38-101-ENVELO | Orchestrator Service Guild | Register `pack-run` job type, persist run metadata, integrate logs/artifacts collection, and expose API for Task Runner scheduling. |
-| 3 | ORCH-SVC-42-101 | BLOCKED | Depends on 41-101 pack-run plumbing and streaming contract. | Orchestrator Service Guild | Stream pack run logs via SSE/WS, add manifest endpoints, enforce quotas, and emit pack run events to Notifications Studio. |
+| 3 | ORCH-SVC-42-101 | BLOCKED | PREP-ORCH-SVC-42-101-DEPENDS-ON-41-101-PACK-R | Orchestrator Service Guild | Stream pack run logs via SSE/WS, add manifest endpoints, enforce quotas, and emit pack run events to Notifications Studio. |
-| 4 | ORCH-TEN-48-001 | BLOCKED | WebService lacks job DAL/routes; need tenant context plumbing before enforcement. | Orchestrator Service Guild | Include `tenant_id`/`project_id` in job specs, set DB session context before processing, enforce context on all queries, and reject jobs missing tenant metadata. |
+| 4 | ORCH-TEN-48-001 | BLOCKED | PREP-ORCH-TEN-48-001-WEBSERVICE-LACKS-JOB-DAL | Orchestrator Service Guild | Include `tenant_id`/`project_id` in job specs, set DB session context before processing, enforce context on all queries, and reject jobs missing tenant metadata. |
 | 5 | WORKER-GO-32-001 | DONE | Bootstrap Go SDK scaffolding and smoke sample. | Worker SDK Guild | Bootstrap Go SDK project with configuration binding, auth headers, job claim/acknowledge client, and smoke sample. |
 | 6 | WORKER-GO-32-002 | DONE | Depends on WORKER-GO-32-001; add heartbeat, metrics, retries. | Worker SDK Guild | Add heartbeat/progress helpers, structured logging hooks, Prometheus metrics, and jittered retry defaults. |
 | 7 | WORKER-GO-33-001 | DONE | Depends on WORKER-GO-32-002; implement artifact publish helpers. | Worker SDK Guild | Implement artifact publish helpers (object storage client, checksum hashing, metadata payload) and idempotency guard. |
@@ -37,6 +40,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-07 | Still not started — Authority pack RBAC (AUTH-PACKS-43-001) remains blocked pending approvals/log-stream APIs. | Coordination |
 | 2025-11-17 | Coordinator approved interim token-scoped access for AUTH-PACKS-43-001; proceed with log-stream APIs using scoped tokens while full RBAC completes. | Coordination |
 | 2025-11-17 | Normalised sprint file to standard template and renamed from `SPRINT_153_orchestrator_iii.md` to `SPRINT_0153_0001_0003_orchestrator_iii.md`. | PM |
@@ -51,6 +55,7 @@
 | 2025-11-17 | Marked ORCH-SVC-38/41/42 blocked pending upstream event envelope spec (ORCH-SVC-37-101) and downstream pack-run contract. | Worker SDK Guild |
 | 2025-11-18 | No further progress possible: event envelope spec (ORCH-SVC-37-101) and missing Orchestrator WebService DAL keep ORCH-SVC-38/41/42 and ORCH-TEN-48-001 blocked. | Orchestrator Service Guild |
 | 2025-11-19 | Drafted event envelope doc (`docs/modules/orchestrator/event-envelope.md`) and set ORCH-SVC-38-101 to DOING pending spec approval. | Orchestrator Service Guild |
+| 2025-11-19 | Clarified ORCH-SVC-38-101 remains BLOCKED until ORCH-SVC-37-101 envelope semantics are approved; webservice DAL still missing. | Implementer |
 | 2025-11-18 | ORCH-TEN-48-001 blocked: orchestrator WebService is still template-only (no job DAL/routes), cannot enforce tenant context until real endpoints and DB session context exist. | Worker SDK Guild |
 | 2025-11-19 | Set ORCH-SVC-38/41/42 and ORCH-TEN-48-001 to BLOCKED; awaiting ORCH-SVC-37-101 envelope approval and WebService DAL/schema. | Orchestrator Service Guild |
 

docs/implplan/SPRINT_0154_0001_0001_packsregistry.md

@@ -0,0 +1,40 @@
+# Sprint 0154-0001-0001 · Packs Registry (Scheduling & Automation 150.B)
+
+## Topic & Scope
+- Stand up Packs Registry service: indexing, provenance storage, signature verification, and lifecycle management.
+- Add version lifecycle (promote/deprecate), provenance exports, mirroring, attestation integration, and compliance dashboards.
+- Keep registry offline-friendly with RBAC, audit logs, and Offline Kit seed support.
+- **Working directory:** `src/PacksRegistry/StellaOps.PacksRegistry`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 120.A (AirGap), 130.A (Scanner), 140.A (Graph) provide pack metadata and graph inputs.
+- Concurrency: execute tasks in table order; all tasks currently TODO.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/graph/architecture.md
+- docs/modules/devops/architecture.md
+- Any PacksRegistry AGENTS.md (if present under src/PacksRegistry).
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | PACKS-REG-41-001 | TODO | Start registry service + migrations. | Packs Registry Guild (`src/PacksRegistry/StellaOps.PacksRegistry`) | Implement registry service, migrations (`packs_index`, `parity_matrix`, provenance docs); upload/list/get; signature verification; RBAC; provenance manifest storage. |
+| 2 | PACKS-REG-42-001 | TODO | Depends on 41-001. | Packs Registry Guild | Version lifecycle (promote/deprecate), tenant allowlists, provenance export, signature rotation, audit logs, Offline Kit seed support. |
+| 3 | PACKS-REG-43-001 | TODO | Depends on 42-001. | Packs Registry Guild | Registry mirroring, pack signing policies, attestation integration, compliance dashboards; integrate with Export Center. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-08 | Sprint stub created; awaiting staffing. | Planning |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_154_packsregistry.md` to `SPRINT_0154_0001_0001_packsregistry.md`; content preserved. | Implementer |
+| 2025-11-19 | Added legacy-file redirect stub to avoid divergent updates. | Implementer |
+
+## Decisions & Risks
+- Registry relies on upstream pack metadata/graph contracts; keep schema aligned before migrations run.
+- Ensure offline posture: signature verification, provenance storage, audit logs, and Offline Kit seeds are mandatory before GA.
+
+## Next Checkpoints
+- Schedule kickoff once staffing confirmed (date TBD).

docs/implplan/SPRINT_0155_0001_0001_scheduler_i.md

@@ -19,14 +19,16 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-SCHED-SURFACE-01-NEED-SURFACE-FS-POINTER | TODO | Due 2025-11-23 · Accountable: Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Need Surface.FS pointer model/contract; awaiting design input before planning deltas. <br><br> Document artefact/deliverable for SCHED-SURFACE-01 and publish location so downstream tasks can proceed. |
+| P2 | PREP-SCHED-WORKER-23-101-WAITING-ON-POLICY-GU | TODO | Due 2025-11-23 · Accountable: Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Waiting on Policy guild to supply activation event contract and throttle source. <br><br> Document artefact/deliverable for SCHED-WORKER-23-101 and publish location so downstream tasks can proceed. |
 | 0 | AGENTS-SCHEDULER-UPDATE | DONE | `src/Scheduler/AGENTS.md` created and published. | Project Manager · Architecture Guild | Populate module AGENTS charter covering roles, docs, determinism/testing rules, and allowed shared libs. |
 | 1 | SCHED-IMPACT-16-303 | DONE | Implemented removal + snapshot/restore with compaction; snapshot payloads ready for RocksDB/Redis persistence. | Scheduler ImpactIndex Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex) | Snapshot/compaction + invalidation for removed images; persistence to RocksDB/Redis per architecture. |
-| 2 | SCHED-SURFACE-01 | BLOCKED | Need Surface.FS pointer model/contract; awaiting design input before planning deltas. | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Evaluate Surface.FS pointers when planning delta scans to avoid redundant work and prioritise drift-triggered assets. |
+| 2 | SCHED-SURFACE-01 | BLOCKED | PREP-SCHED-SURFACE-01-NEED-SURFACE-FS-POINTER | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Evaluate Surface.FS pointers when planning delta scans to avoid redundant work and prioritise drift-triggered assets. |
 | 3 | SCHED-VULN-29-001 | DONE | Resolver job APIs implemented with scope enforcement; in-memory service stub (upgrade to persistent store later). | Scheduler WebService Guild, Findings Ledger Guild (src/Scheduler/StellaOps.Scheduler.WebService) | Expose resolver job APIs (`POST /vuln/resolver/jobs`, `GET /vuln/resolver/jobs/{id}`) to trigger candidate recomputation per artifact/policy change with RBAC and rate limits. |
 | 4 | SCHED-VULN-29-002 | DONE | Depends on SCHED-VULN-29-001; define webhook contract for backlog breach notifications. | Scheduler WebService Guild, Observability Guild (src/Scheduler/StellaOps.Scheduler.WebService) | Provide projector lag metrics endpoint and webhook notifications for backlog breaches consumed by DevOps dashboards. |
 | 5 | SCHED-WEB-20-002 | DONE | Simulation trigger + preview endpoint implemented. | Scheduler WebService Guild (src/Scheduler/StellaOps.Scheduler.WebService) | Provide simulation trigger endpoint returning diff preview metadata and job state for UI/CLI consumption. |
 | 6 | SCHED-WORKER-21-203 | DONE | Metrics added with tenant/graph tags; worker build green. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Export metrics (`graph_build_seconds`, `graph_jobs_inflight`, `overlay_lag_seconds`) and structured logs with tenant/graph identifiers. |
-| 7 | SCHED-WORKER-23-101 | BLOCKED | Waiting on Policy guild to supply activation event contract and throttle source. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement policy re-evaluation worker that shards assets, honours rate limits, and updates progress for Console after policy activation events. |
+| 7 | SCHED-WORKER-23-101 | BLOCKED | PREP-SCHED-WORKER-23-101-WAITING-ON-POLICY-GU | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement policy re-evaluation worker that shards assets, honours rate limits, and updates progress for Console after policy activation events. |
 | 8 | SCHED-WORKER-23-102 | BLOCKED | Blocked by SCHED-WORKER-23-101. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Add reconciliation job ensuring re-eval completion within SLA, emitting alerts on backlog and persisting status to `policy_runs`. |
 | 9 | SCHED-WORKER-25-101 | BLOCKED | Blocked by SCHED-WORKER-23-102. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement exception lifecycle worker handling auto-activation/expiry and publishing `exception.*` events with retries/backoff. |
 | 10 | SCHED-WORKER-25-102 | BLOCKED | Blocked by SCHED-WORKER-25-101. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Add expiring notification job generating digests, marking `expiring` state, updating metrics/alerts. |
@@ -35,6 +37,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-17 | Added graph metrics (`graph_build_seconds`, `graph_jobs_inflight`, `overlay_lag_seconds`) with tenant/graph tags; worker library build succeeded. | Scheduler Worker Guild |
 | 2025-11-17 | Added resolver job APIs (`POST/GET /api/v1/scheduler/vuln/resolver/jobs`) with scope enforcement and in-memory job service stub. | Scheduler WebService Guild |
 | 2025-11-18 | Added per-tenant rate limiting for resolver job creation (in-memory implementation). | Scheduler WebService Guild |

docs/implplan/SPRINT_0156_0001_0002_scheduler_ii.md

@@ -19,6 +19,7 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-SCHED-WORKER-CONSOLE-23-201-BLOCKED-BY-U | BLOCKED | Due 2025-11-23 · Accountable: Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Blocked by upstream stream schema design; depends on prior resolver/eval pipeline readiness. <br><br> Document artefact/deliverable for SCHED-WORKER-CONSOLE-23-201 and publish location so downstream tasks can proceed. |
 | 0 | AGENTS-SCHEDULER-UPDATE | DONE | `src/Scheduler/AGENTS.md` created and published. | Project Manager · Architecture Guild | Create working-directory charter defining roles, prerequisites, determinism/testing rules, and allowed shared libs. |
 | 1 | SCHED-WORKER-26-202 | BLOCKED | Blocked by SCHED-WORKER-26-201 (reachability joiner not delivered yet). | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement staleness monitor + notifier for outdated reachability facts, publishing warnings and updating dashboards. |
 | 2 | SCHED-WORKER-27-301 | BLOCKED | Blocked by SCHED-WORKER-26-202. | Scheduler Worker Guild, Policy Registry Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement policy batch simulation worker: shard SBOM inventories, invoke Policy Engine, emit partial results, handle retries/backoff, and publish progress events. |
@@ -27,12 +28,15 @@
 | 5 | SCHED-WORKER-29-001 | BLOCKED | Blocked by SCHED-WORKER-27-303. | Scheduler Worker Guild, Findings Ledger Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement resolver worker generating candidate findings from inventory + advisory evidence, respecting ecosystem version semantics and path scope; emit jobs for policy evaluation. |
 | 6 | SCHED-WORKER-29-002 | BLOCKED | Blocked by SCHED-WORKER-29-001. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Build evaluation orchestration worker invoking Policy Engine batch eval, writing results to Findings Ledger projector queue, and handling retries/backoff. |
 | 7 | SCHED-WORKER-29-003 | BLOCKED | Blocked by SCHED-WORKER-29-002. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Add monitoring for resolver/evaluation backlog, SLA breaches, and export job queue; expose metrics/alerts feeding DevOps dashboards. |
-| 8 | SCHED-WORKER-CONSOLE-23-201 | BLOCKED | Blocked by upstream stream schema design; depends on prior resolver/eval pipeline readiness. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Stream run progress events (stage status, tuples processed, SLA hints) to Redis/NATS for Console SSE, with heartbeat, dedupe, and retention policy. Publish metrics + structured logs for queue lag. |
+| 8 | SCHED-WORKER-CONSOLE-23-201 | BLOCKED | PREP-SCHED-WORKER-CONSOLE-23-201-BLOCKED-BY-U | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Stream run progress events (stage status, tuples processed, SLA hints) to Redis/NATS for Console SSE, with heartbeat, dedupe, and retention policy. Publish metrics + structured logs for queue lag. |
-| 9 | SCHED-WORKER-CONSOLE-23-202 | BLOCKED | Blocked by CONSOLE-23-201. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Coordinate evidence bundle jobs (enqueue, track status, cleanup) and expose job manifests to Web gateway; ensure idempotent reruns and cancellation support. |
+| 9 | SCHED-WORKER-CONSOLE-23-202 | BLOCKED | SCHED-WORKER-CONSOLE-23-201. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Coordinate evidence bundle jobs (enqueue, track status, cleanup) and expose job manifests to Web gateway; ensure idempotent reruns and cancellation support. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Clarified dependency for SCHED-WORKER-CONSOLE-23-202 to point at SCHED-WORKER-CONSOLE-23-201. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Marked PREP-SCHED-WORKER-CONSOLE-23-201 BLOCKED because upstream stream schema and resolver/eval pipeline contracts are still absent, keeping CONSOLE-23-201/202 gated. | Project Mgmt |
 | 2025-11-17 | Normalised sprint, renamed to `SPRINT_0156_0001_0002_scheduler_ii`, and marked tasks BLOCKED pending `src/Scheduler/AGENTS.md`. | Scheduler Worker Guild |
 | 2025-11-17 | Created `src/Scheduler/AGENTS.md`; unblocked tasks and reset to TODO respecting dependencies. | Scheduler Worker Guild |
 | 2025-11-18 | Marked all tasks BLOCKED awaiting upstream reachability worker (SCHED-WORKER-26-201) and subsequent contract handoffs (Policy activation events, stream schema). | Scheduler Worker Guild |

docs/implplan/SPRINT_0157_0001_0001_taskrunner_i.md

@@ -0,0 +1,52 @@
+# Sprint 0157-0001-0001 · TaskRunner I (Scheduling & Automation 150.D)
+
+## Topic & Scope
+- Stand up TaskRunner service: pack run API, execution engine, air-gap enforcement, evidence capture, and observability.
+- Provide pack run lifecycle APIs/SDK, telemetry, OAS, and offline-friendly bundles with provenance.
+- **Working directory:** `src/TaskRunner/StellaOps.TaskRunner`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 120.A (AirGap), 130.A (Scanner), 140.A (Graph).
+- Concurrency: execute tasks in table order; RUN/OAS/OBS chains must respect dependencies.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/taskrunner/architecture.md (if available)
+- src/TaskRunner/StellaOps.TaskRunner/AGENTS.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | TASKRUN-41-001 | TODO | Bootstrap service + migrations. | Task Runner Guild (`src/TaskRunner/StellaOps.TaskRunner`) | Define migrations (`pack_runs`, `pack_run_logs`, `pack_artifacts`); implement run API (create/get/log stream), local executor, approvals pause, artifact capture, provenance manifest generation. |
+| 2 | TASKRUN-AIRGAP-56-001 | TODO | Depends on 41-001. | Task Runner Guild · AirGap Policy Guild | Enforce plan-time validation rejecting non-allowlisted network calls in sealed mode; surface remediation errors. |
+| 3 | TASKRUN-AIRGAP-56-002 | TODO | Depends on 56-001. | Task Runner Guild · AirGap Importer Guild | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. |
+| 4 | TASKRUN-AIRGAP-57-001 | TODO | Depends on 56-002. | Task Runner Guild · AirGap Controller Guild | Refuse to execute plans when environment sealed=false but declared sealed install; emit advisory timeline events. |
+| 5 | TASKRUN-AIRGAP-58-001 | TODO | Depends on 57-001. | Task Runner Guild · Evidence Locker Guild | Capture bundle import job transcripts, hashed inputs/outputs into portable evidence bundles. |
+| 6 | TASKRUN-42-001 | TODO | Continue execution engine upgrades (loops/conditionals/maxParallel), simulation mode, policy gate integration, deterministic failure recovery. | Task Runner Guild (`src/TaskRunner/StellaOps.TaskRunner`) | Execution engine enhancements + simulation API/CLI. |
+| 7 | TASKRUN-OAS-61-001 | TODO | Document APIs once run endpoints stable. | Task Runner Guild · API Contracts Guild | Document TaskRunner APIs (pack runs, logs, approvals) with streaming schemas/examples. |
+| 8 | TASKRUN-OAS-61-002 | TODO | Depends on 61-001. | Task Runner Guild | Expose `GET /.well-known/openapi` returning signed spec metadata, build version, ETag. |
+| 9 | TASKRUN-OAS-62-001 | TODO | Depends on 61-002. | Task Runner Guild · SDK Generator Guild | SDK examples for pack run lifecycle; streaming log helpers; paginator wrappers. |
+| 10 | TASKRUN-OAS-63-001 | TODO | Depends on 62-001. | Task Runner Guild · API Governance Guild | Sunset/deprecation headers + notifications for legacy pack APIs. |
+| 11 | TASKRUN-OBS-50-001 | TODO | Telemetry core adoption. | Task Runner Guild | Add telemetry core in host + worker; spans/logs include `trace_id`, `tenant_id`, `run_id`, scrubbed transcripts. |
+| 12 | TASKRUN-OBS-51-001 | TODO | Depends on 50-001. | Task Runner Guild · DevOps Guild | Metrics for step latency, retries, queue depth, sandbox resource usage; define SLOs; burn-rate alerts. |
+| 13 | TASKRUN-OBS-52-001 | TODO | Depends on 51-001. | Task Runner Guild | Timeline events for pack runs (`pack.started`, `pack.step.completed`, `pack.failed`) with evidence pointers/policy context; dedupe + retry. |
+| 14 | TASKRUN-OBS-53-001 | TODO | Depends on 52-001. | Task Runner Guild · Evidence Locker Guild | Capture step transcripts, artifact manifests, environment digests, policy approvals into evidence locker snapshots; ensure redaction + hash chain. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-04 | Resumed TASKRUN-42-001: scoped execution engine upgrades (loops/conditionals/maxParallel), simulation mode, policy gate integration, deterministic failure recovery. | Task Runner Guild |
+| 2025-11-04 | Worker/WebService wiring in place: execution graph honors `maxParallel`/`continueOnError`, retry windows persisted, simulation API exposed. | Task Runner Guild |
+| 2025-11-04 | Continued TASKRUN-42-001: cleaning persistence anomalies, validating retry metadata, wiring simulation preview into CLI surface. | Task Runner Guild |
+| 2025-11-04 | CLI command `stella task-runner simulate` wired to new endpoint with JSON/table output modes. | Task Runner Guild |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_157_taskrunner_i.md` to `SPRINT_0157_0001_0001_taskrunner_i.md`; content preserved. | Implementer |
+| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
+
+## Decisions & Risks
+- Execution engine contract must remain deterministic; avoid uncontrolled parallelism until SLOs/telemetry validated.
+- Air-gap enforcement depends on policy/airgap contracts; keep sealed-mode validation strict before enabling helper steps.
+
+## Next Checkpoints
+- Schedule kickoff after confirming upstream Sprint 120/130/140 inputs (date TBD).

docs/implplan/SPRINT_0158_0001_0002_taskrunner_ii.md

@@ -0,0 +1,36 @@
+# Sprint 0158-0001-0002 · TaskRunner II (Scheduling & Automation 150.D)
+
+## Topic & Scope
+- TaskRunner phase II: attestations, incident mode, and tenant scoping for pack runs.
+- **Working directory:** `src/TaskRunner/StellaOps.TaskRunner`.
+
+## Dependencies & Concurrency
+- Upstream: TaskRunner I (Sprint 0157-0001-0001) must land first.
+- Concurrency: tasks follow OBS → TEN dependency chain; all currently TODO.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/taskrunner/architecture.md (if available)
+- src/TaskRunner/StellaOps.TaskRunner/AGENTS.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | TASKRUN-OBS-54-001 | TODO | Depends on TASKRUN-OBS-53-001 (Sprint 0157). | Task Runner Guild · Provenance Guild (`src/TaskRunner/StellaOps.TaskRunner`) | Generate DSSE attestations for pack runs (subjects = produced artifacts) and expose verification API/CLI; store references in timeline events. |
+| 2 | TASKRUN-OBS-55-001 | TODO | Depends on 54-001. | Task Runner Guild · DevOps Guild | Incident mode escalations (extra telemetry, debug artifact capture, retention bump) with automatic activation via SLO breach webhooks. |
+| 3 | TASKRUN-TEN-48-001 | TODO | Parallel once tenancy policy defined. | Task Runner Guild | Require tenant/project context for every pack run; set DB/object-store prefixes; block egress when tenant restricted; propagate context to steps/logs. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_158_taskrunner_ii.md` to `SPRINT_0158_0001_0002_taskrunner_ii.md`; content preserved. | Implementer |
+| 2025-11-19 | Added legacy-file redirect stub to avoid divergent updates. | Implementer |
+
+## Decisions & Risks
+- Attestation and incident-mode behaviors depend on outputs from TaskRunner I; keep blocked until 0157 tasks complete.
+- Tenant scoping must align with platform RLS and egress rules before enabling enforcement.
+
+## Next Checkpoints
+- Kickoff after Sprint 0157 completion (date TBD).

docs/implplan/SPRINT_0160_0001_0001_export_evidence.md

@@ -22,18 +22,22 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | TODO | Due 2025-11-23 · Accountable: Waiting on AdvisoryAI schema + orchestrator ledger envelopes to freeze. | Waiting on AdvisoryAI schema + orchestrator ledger envelopes to freeze. | BLOCKED (2025-11-17). <br><br> Document artefact/deliverable for Evidence Locker Guild · Security Guild · Docs Guild, Exporter Service Guild · Mirror Creator Guild · DevOps Guild, Timeline Indexer Guild · Evidence Locker Guild · Security Guild and publish location so downstream tasks can proceed. |
+| P2 | PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF | TODO | Due 2025-11-23 · Accountable: Planning | Planning | MISSED; escalate to Wave 150/140 leads and record new ETA; keep tasks BLOCKED. <br><br> Document artefact/deliverable for Orchestrator + Notifications schema handoff (Orchestrator Service + Notifications Guilds) and publish location so downstream tasks can proceed. |
+| P3 | PREP-ESCALATION-FOLLOW-UP-ADVISORYAI-ORCHESTR | TODO | Due 2025-11-23 · Accountable: Planning | Planning | If no dates provided, mark BLOCKED in respective sprints and escalate to Wave leads. <br><br> Document artefact/deliverable for Escalation follow-up (AdvisoryAI, Orchestrator/Notifications) and publish location so downstream tasks can proceed. |
+| P4 | PREP-160-A-160-B-160-C-ESCALATE-TO-WAVE-150-1 | DONE (2025-11-19) | Due 2025-11-23 · Accountable: Planning | Planning | Escalation sent to Wave 150/140 leads; awaiting new ETAs recorded in Sprint 110/150/140. |
 | 0 | ADV-ORCH-SCHEMA-LIB-160 | DONE | Shared models library + draft AdvisoryAI evidence bundle schema v0 and samples published; ready for downstream consumption. | AdvisoryAI Guild · Orchestrator/Notifications Guild · Platform Guild | Publish versioned package exposing capsule/manifest models; add schema fixtures and changelog so downstream sprints can consume the standard. |
-| 1 | 160.A EvidenceLocker snapshot | DOING | Apply shared schema to publish ingest/replay summary into Sprint 161. | Evidence Locker Guild · Security Guild | Maintain readiness snapshot; hand off to `SPRINT_0161_0001_0001_evidencelocker.md` & `SPRINT_187_evidence_locker_cli_integration.md`. |
+| 1 | 160.A EvidenceLocker snapshot | BLOCKED | Waiting on AdvisoryAI evidence payload notes + orchestrator/notifications envelopes to finalize ingest/replay summary. | Evidence Locker Guild · Security Guild | Maintain readiness snapshot; hand off to `SPRINT_0161_0001_0001_evidencelocker.md` & `SPRINT_187_evidence_locker_cli_integration.md`. |
-| 2 | 160.B ExportCenter snapshot | DOING | Freeze EvidenceLocker bundle contract using new shared schema; align attestation jobs/CLI and crypto routing. | Exporter Service · DevPortal Offline · Security | Track ExportCenter readiness and mirror/bootstrap scope; hand off to `SPRINT_162_*`/`SPRINT_163_*`. |
+| 2 | 160.B ExportCenter snapshot | BLOCKED | EvidenceLocker bundle contract frozen, but orchestrator/notifications envelopes still missing; cannot freeze ExportCenter snapshot. | Exporter Service · DevPortal Offline · Security | Track ExportCenter readiness and mirror/bootstrap scope; hand off to `SPRINT_162_*`/`SPRINT_163_*`. |
-| 3 | 160.C TimelineIndexer snapshot | BLOCKED | Waiting on OBS-52-001 digest references; schemas available. Prep migrations/RLS draft. | Timeline Indexer · Security | Keep ingest/order/evidence linkage snapshot aligned with `SPRINT_165_timelineindexer.md`. |
+| 3 | 160.C TimelineIndexer snapshot | BLOCKED | Waiting on TIMELINE-OBS-52-001 digest references; schemas available. Prep migrations/RLS draft. | Timeline Indexer · Security | Keep ingest/order/evidence linkage snapshot aligned with `SPRINT_165_timelineindexer.md`. |
 | 4 | AGENTS-implplan | DONE | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | Local charter present; contributors must read before editing sprint docs. |
 
 ### Wave Coordination
 | Wave | Guild owners | Shared prerequisites | Status | Notes |
 | --- | --- | --- | --- | --- |
-| 160.A EvidenceLocker | Evidence Locker Guild · Security Guild · Docs Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | BLOCKED (2025-11-17) | Waiting on AdvisoryAI schema + orchestrator ledger envelopes to freeze. |
+| 160.A EvidenceLocker | Evidence Locker Guild · Security Guild · Docs Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | Waiting on AdvisoryAI schema + orchestrator ledger envelopes to freeze. |
-| 160.B ExportCenter | Exporter Service Guild · Mirror Creator Guild · DevOps Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | BLOCKED (2025-11-17) | Thin mirror bundle + EvidenceLocker contract not yet frozen. |
+| 160.B ExportCenter | Exporter Service Guild · Mirror Creator Guild · DevOps Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | Thin mirror bundle + EvidenceLocker contract not yet frozen. |
-| 160.C TimelineIndexer | Timeline Indexer Guild · Evidence Locker Guild · Security Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | BLOCKED (2025-11-17) | Awaiting OBS-52-001 schema update and digest references. |
+| 160.C TimelineIndexer | Timeline Indexer Guild · Evidence Locker Guild · Security Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | Awaiting OBS-52-001 schema update and digest references. |
 
 ## Wave Detail Snapshots & Next Actions
 
@@ -110,10 +114,10 @@
 | Date | Session / Owner | Target outcome | Fallback / Escalation |
 | --- | --- | --- | --- |
 | 2025-11-14 | AdvisoryAI stand-up (AdvisoryAI Guild) | Freeze evidence bundle schema + payload notes so EvidenceLocker can finalize DSSE manifests (blocked). | MISSED; reschedule immediately and log in Sprint 110 + this sprint. |
-| 2025-11-15 | Orchestrator + Notifications schema handoff (Orchestrator Service + Notifications Guilds) | Publish capsule envelopes & notification contracts required by EvidenceLocker ingest, ExportCenter notifications, TimelineIndexer ordering (blocked). | MISSED; escalate to Wave 150/140 leads and record new ETA; keep tasks BLOCKED. |
+| 2025-11-15 | Orchestrator + Notifications schema handoff (Orchestrator Service + Notifications Guilds) | Publish capsule envelopes & notification contracts required by EvidenceLocker ingest, ExportCenter notifications, TimelineIndexer ordering (blocked). | PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF |
 | 2025-11-18 | Sovereign crypto readiness review (Security Guild + Evidence/Export teams) | Validate `ICryptoProviderRegistry` wiring plan for `EVID-CRYPTO-90-001` & `EXPORT-CRYPTO-90-001`; green-light sovereign modes (blocked). | If gating issues remain, file action items in Security board and hold related sprint tasks in TODO. |
 | 2025-11-19 | DevPortal Offline CLI dry run (DevPortal Offline + AirGap Controller Guilds) | Demo `stella devportal verify bundle.tgz` using sample manifest to prove readiness once EvidenceLocker spec lands (blocked awaiting schema). | If CLI not ready, update DVOFF-64-002 description with new ETA and note risk in Sprint 162 doc. |
-| 2025-11-19 | Escalation follow-up (AdvisoryAI, Orchestrator/Notifications) | Secure revised dates for schema/envelope drops; update this sprint + Sprint 110/150/140. | If no dates provided, mark BLOCKED in respective sprints and escalate to Wave leads. |
+| 2025-11-19 | Escalation follow-up (AdvisoryAI, Orchestrator/Notifications) | Secure revised dates for schema/envelope drops; update this sprint + Sprint 110/150/140. | PREP-ESCALATION-FOLLOW-UP-ADVISORYAI-ORCHESTR |
 
 ## Action Tracker
 | Wave | Immediate action | Owner(s) | Due | Status |
@@ -128,8 +132,8 @@
 | 160.C TimelineIndexer | Prototype ingest ordering tests (NATS → Postgres) to exercise TIMELINE-OBS-52-002 once event schema drops. | Timeline Indexer Guild | 2025-11-19 | Pending |
 | 160.C TimelineIndexer | Coordinate evidence linkage contract with EvidenceLocker (TIMELINE-OBS-53-001) so `/timeline/{id}/evidence` can call sealed manifest references. | Timeline Indexer Guild · Evidence Locker Guild | 2025-11-20 | Pending |
 | AGENTS-implplan | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | 2025-11-18 | DONE |
-| ESCALATE-ADV-AI-SCHEMA | Escalate and reschedule AdvisoryAI evidence bundle schema drop; log new date in Sprint 110 and this sprint. | AdvisoryAI Guild · Evidence Locker Guild | 2025-11-18 | DOING (escalation sent 2025-11-18; awaiting ETA) |
+| ESCALATE-ADV-AI-SCHEMA | Escalate and reschedule AdvisoryAI evidence bundle schema drop; log new date in Sprint 110 and this sprint. | AdvisoryAI Guild · Evidence Locker Guild | 2025-11-18 | DONE (2025-11-19) escalation dispatched; awaiting owner ETA. |
-| ESCALATE-ORCH-ENVELOPE | Escalate Orchestrator/Notifications capsule envelope drop; obtain new ETA and log in Sprint 150/140 and this sprint. | Orchestrator Service · Notifications Guild | 2025-11-18 | DOING (escalation sent 2025-11-18; awaiting ETA) |
+| ESCALATE-ORCH-ENVELOPE | Escalate Orchestrator/Notifications capsule envelope drop; obtain new ETA and log in Sprint 150/140 and this sprint. | Orchestrator Service · Notifications Guild | 2025-11-18 | DONE (2025-11-19) escalation dispatched; awaiting owner ETA. |
 
 ## Decisions & Risks
 | Item | Status / Decision | Notes |
@@ -148,7 +152,7 @@
 | Risk | Impacted wave(s) | Severity | Mitigation / Owner |
 | --- | --- | --- | --- |
 | AdvisoryAI schema slips past 2025-11-14, delaying DSSE manifest freeze. | 160.A, 160.B | High | AdvisoryAI Guild to provide interim sample payloads; EvidenceLocker to stub schema adapters so ExportCenter can begin validation with mock data. |
-| Orchestrator/Notifications schema handoff misses 2025-11-15 window. | 160.A, 160.B, 160.C | High | Escalate to Wave 150/140 leads, record BLOCKED status in both sprint docs, and schedule daily schema stand-ups until envelopes land. |
+| Orchestrator/Notifications schema handoff misses 2025-11-15 window. | 160.A, 160.B, 160.C | High | PREP-160-A-160-B-160-C-ESCALATE-TO-WAVE-150-1 |
 | Sovereign crypto routing design not ready by 2025-11-18 review. | 160.A, 160.B | Medium | Security Guild to publish `ICryptoProviderRegistry` reference implementation; Evidence/Export guilds to nominate fallback providers per profile. |
 | DevPortal verification CLI lacks signed bundle fixtures for dry run. | 160.B | Medium | Exporter Guild to provide sample manifest + DSSE pair; DevPortal Offline Guild to script fake EvidenceLocker output for demo. |
 | TimelineIndexer Postgres/RLS plan not reviewed before coding. | 160.C | Medium | Timeline Indexer Guild to share migration plan with Security/Compliance for async review; unblock coding by securing written approval in sprint doc. |
@@ -156,6 +160,8 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Updated 160.C TimelineIndexer snapshot dependency to TIMELINE-OBS-52-001 (matches Sprint 165 tracker). | Project Mgmt |
 | 2025-11-12 | Snapshot refreshed; all Export & Evidence waves remain BLOCKED pending orchestrator capsule data, AdvisoryAI bundle schemas, and EvidenceLocker contracts. Re-evaluate after 2025-11-15 handoff. | Planning |
 | 2025-11-12 | Added checkpoint calendar, action tracker, and risk table to keep Wave 160 aligned while dependencies stabilize. | Planning |
 | 2025-11-17 | Normalized sprint to standard template and renamed from `SPRINT_160_export_evidence.md` to `SPRINT_0160_0001_0001_export_evidence.md`; no semantic changes to tasks. | Project PM |
@@ -171,5 +177,7 @@
 | 2025-11-18 | Published `src/__Libraries/StellaOps.Orchestrator.Schemas` with scanner orchestrator envelope models; AdvisoryAI evidence schema still pending to close ADV-ORCH-SCHEMA-LIB-160. | Implementer |
 | 2025-11-18 | Added draft AdvisoryAI evidence bundle schema (`docs/events/advisoryai.evidence.bundle@0.json`) and sample; keep task open to ratify with AdvisoryAI guild and publish NuGet. | Implementer |
 | 2025-11-18 | Flipped ADV-ORCH-SCHEMA-LIB-160 to DONE; moved 160.A/B to DOING using delivered schema/models. | Implementer |
+| 2025-11-19 | Marked 160.A and 160.B BLOCKED pending AdvisoryAI payload notes and Orchestrator/Notifications envelopes; cannot publish snapshots yet. | Implementer |
+| 2025-11-19 | Sent escalations for AdvisoryAI schema and Orchestrator/Notifications envelopes; marked ESCALATE-ADV-AI-SCHEMA, ESCALATE-ORCH-ENVELOPE, and PREP-160-A/B/C-ESCALATE as DONE. Await ETAs from owners. | Implementer |
 | 2025-11-18 | Started 160.A/160.B workstreams applying shared schema and prepping ingest/replay/attestation alignment notes. | Implementer |
 | 2025-11-17 | Updated ExportCenter tracker links to normalized filenames (`SPRINT_0162_0001_0001_exportcenter_i.md`, `SPRINT_0163_0001_0001_exportcenter_ii.md`). | Implementer |

docs/implplan/SPRINT_0161_0001_0001_evidencelocker.md

@@ -23,19 +23,25 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P0 | PREP-EVID-ATTEST-73-SCOPE-NOTE | DONE (2025-11-19) | Due 2025-11-20 · Accountable: Evidence Locker Guild · Concelier Guild · Excititor Guild | Evidence Locker Guild · Concelier Guild · Excititor Guild | Published attestation scope/sign-off note at `docs/modules/evidence-locker/attestation-scope-note.md` with required claims and sample builder payload; to be linked in Evidence Bundle v1 change log. |
+| P1 | PREP-EVID-REPLAY-187-001-AWAIT-REPLAY-LEDGER | TODO | Due 2025-11-23 · Accountable: Evidence Locker Guild · Replay Delivery Guild | Evidence Locker Guild · Replay Delivery Guild | Await replay ledger retention shape; schemas available. <br><br> Document artefact/deliverable for EVID-REPLAY-187-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-CLI-REPLAY-187-002-WAITING-ON-EVIDENCELO | TODO | Due 2025-11-23 · Accountable: CLI Guild | CLI Guild | Waiting on EvidenceLocker APIs after bundle packaging finalization. <br><br> Document artefact/deliverable for CLI-REPLAY-187-002 and publish location so downstream tasks can proceed. |
+| P3 | PREP-RUNBOOK-REPLAY-187-004-DEPENDS-ON-RETENT | TODO | Due 2025-11-23 · Accountable: Docs Guild · Ops Guild | Docs Guild · Ops Guild | Depends on retention APIs + CLI behavior. <br><br> Document artefact/deliverable for RUNBOOK-REPLAY-187-004 and publish location so downstream tasks can proceed. |
+| P4 | PREP-EVIDENCE-LOCKER-GUILD-BLOCKED-SCHEMAS-NO | TODO | Due 2025-11-23 · Accountable: Planning | Planning | BLOCKED (schemas not yet delivered). <br><br> Document artefact/deliverable for Evidence Locker Guild and publish location so downstream tasks can proceed. |
+| P5 | PREP-EVIDENCE-LOCKER-GUILD-REPLAY-DELIVERY-GU | TODO | Due 2025-11-23 · Accountable: Planning | Planning | BLOCKED (awaiting schema signals). <br><br> Document artefact/deliverable for Evidence Locker Guild · Replay Delivery Guild and publish location so downstream tasks can proceed. |
 | 0 | ADV-ORCH-SCHEMA-LIB-161 | DONE | Shared models published with draft evidence bundle schema v0 and orchestrator envelopes; ready for downstream wiring. | AdvisoryAI Guild · Orchestrator/Notifications Guild · Platform Guild | Publish versioned package + fixtures to `/src/__Libraries` (or shared NuGet) so downstream components can consume frozen schema. |
-| 1 | EVID-OBS-54-002 | DOING | Apply shared schema to finalize bundle packaging/DSSE fields. | Evidence Locker Guild | Finalize deterministic bundle packaging + DSSE layout per `docs/modules/evidence-locker/bundle-packaging.md`, including portable/incident modes. |
+| 1 | EVID-OBS-54-002 | BLOCKED | AdvisoryAI evidence bundle schema + orchestrator/notifications capsule schema still pending; cannot finalize DSSE fields. | Evidence Locker Guild | Finalize deterministic bundle packaging + DSSE layout per `docs/modules/evidence-locker/bundle-packaging.md`, including portable/incident modes. |
-| 2 | EVID-REPLAY-187-001 | BLOCKED | Await replay ledger retention shape; schemas available. | Evidence Locker Guild · Replay Delivery Guild | Implement replay bundle ingestion + retention APIs; update storage policy per `docs/replay/DETERMINISTIC_REPLAY.md`. |
+| 2 | EVID-REPLAY-187-001 | BLOCKED | PREP-EVID-REPLAY-187-001-AWAIT-REPLAY-LEDGER | Evidence Locker Guild · Replay Delivery Guild | Implement replay bundle ingestion + retention APIs; update storage policy per `docs/replay/DETERMINISTIC_REPLAY.md`. |
-| 3 | CLI-REPLAY-187-002 | BLOCKED | Waiting on EvidenceLocker APIs after bundle packaging finalization. | CLI Guild | Add CLI `scan --record`, `verify`, `replay`, `diff` with offline bundle resolution; align golden tests. |
+| 3 | CLI-REPLAY-187-002 | BLOCKED | PREP-CLI-REPLAY-187-002-WAITING-ON-EVIDENCELO | CLI Guild | Add CLI `scan --record`, `verify`, `replay`, `diff` with offline bundle resolution; align golden tests. |
-| 4 | RUNBOOK-REPLAY-187-004 | BLOCKED | Depends on retention APIs + CLI behavior. | Docs Guild · Ops Guild | Publish `/docs/runbooks/replay_ops.md` coverage for retention enforcement, RootPack rotation, verification drills. |
+| 4 | RUNBOOK-REPLAY-187-004 | BLOCKED | PREP-RUNBOOK-REPLAY-187-004-DEPENDS-ON-RETENT | Docs Guild · Ops Guild | Publish `/docs/runbooks/replay_ops.md` coverage for retention enforcement, RootPack rotation, verification drills. |
 | 5 | CRYPTO-REGISTRY-DECISION-161 | DONE | Decision recorded in `docs/security/crypto-registry-decision-2025-11-18.md`; publish contract defaults. | Security Guild · Evidence Locker Guild | Capture decision from 2025-11-18 review; emit changelog + reference implementation for downstream parity. |
 | 6 | EVID-CRYPTO-90-001 | TODO | Apply registry defaults and wire `ICryptoProviderRegistry` into EvidenceLocker paths. | Evidence Locker Guild · Security Guild | Route hashing/signing/bundle encryption through `ICryptoProviderRegistry`/`ICryptoHash` for sovereign crypto providers. |
 
 ## Action Tracker
 | Action | Owner(s) | Due | Status |
 | --- | --- | --- | --- |
-| Capture AdvisoryAI + orchestrator schema deltas into this sprint and attach sample payloads. | Evidence Locker Guild | 2025-11-15 | BLOCKED (schemas not yet delivered) |
+| Capture AdvisoryAI + orchestrator schema deltas into this sprint and attach sample payloads. | Evidence Locker Guild | 2025-11-15 | PREP-EVIDENCE-LOCKER-GUILD-BLOCKED-SCHEMAS-NO |
-| Draft Replay Ledger API + CLI notes to unblock EVID-REPLAY-187-001/002. | Evidence Locker Guild · Replay Delivery Guild | 2025-11-16 | BLOCKED (awaiting schema signals) |
+| Draft Replay Ledger API + CLI notes to unblock EVID-REPLAY-187-001/002. | Evidence Locker Guild · Replay Delivery Guild | 2025-11-16 | PREP-EVIDENCE-LOCKER-GUILD-REPLAY-DELIVERY-GU |
 | Validate `ICryptoProviderRegistry` plan at readiness review. | Evidence Locker Guild · Security Guild | 2025-11-18 | Pending |
 
 ## Interlocks & Readiness Signals
@@ -64,6 +70,10 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Cleaned PREP-EVID-REPLAY-187-001-AWAIT-REPLAY-LEDGER Task ID (removed trailing hyphen) so dependency lookup works. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Completed PREP-EVID-ATTEST-73-SCOPE-NOTE: published scope note + builder inputs at `docs/modules/evidence-locker/attestation-scope-note.md` to unblock Concelier/Excititor attestation tracks. | Project Mgmt |
+| 2025-11-19 | EVID-OBS-54-002 marked BLOCKED: awaiting frozen AdvisoryAI evidence bundle schema and orchestrator/notifications capsule schema to finalize DSSE fields. | Implementer |
 | 2025-11-12 | Snapshot captured (pre-template) with tasks TODO. | Planning |
 | 2025-11-17 | Normalized sprint to standard template, renamed file, and set all tasks BLOCKED pending schemas/crypto review. | Implementer |
 | 2025-11-18 | Added ADV-ORCH-SCHEMA-LIB-161 and CRYPTO-REGISTRY-DECISION-161 tasks; marked downstream items blocked on them. | Project PM |

docs/implplan/SPRINT_0162_0001_0001_exportcenter_i.md

@@ -21,23 +21,37 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | DVOFF-64-002 | BLOCKED | Needs sealed bundle spec + sample manifest for CLI verify flow; due for Nov-19 dry run. | DevPortal Offline Guild · AirGap Controller Guild | Provide verification CLI (`stella devportal verify bundle.tgz`) ensuring integrity before import. |
+| P1 | PREP-DVOFF-64-002-NEEDS-SEALED-BUNDLE-SPEC-SA | TODO | Due 2025-11-23 · Accountable: DevPortal Offline Guild · AirGap Controller Guild | DevPortal Offline Guild · AirGap Controller Guild | Needs sealed bundle spec + sample manifest for CLI verify flow; due for Nov-19 dry run. <br><br> Document artefact/deliverable for DVOFF-64-002 and publish location so downstream tasks can proceed. |
-| 2 | EXPORT-AIRGAP-56-001 | BLOCKED | EvidenceLocker contract + advisory schema to finalize DSSE contents. | Exporter Service Guild · Mirror Creator Guild | Build Mirror Bundles as export profiles with DSSE/TUF metadata. |
+| P2 | PREP-EXPORT-AIRGAP-56-001-EVIDENCELOCKER-CONT | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild · Mirror Creator Guild | Exporter Service Guild · Mirror Creator Guild | EvidenceLocker contract + advisory schema to finalize DSSE contents. <br><br> Document artefact/deliverable for EXPORT-AIRGAP-56-001 and publish location so downstream tasks can proceed. |
-| 3 | EXPORT-AIRGAP-56-002 | BLOCKED | Depends on 56-001; same schema prerequisites. | Exporter Service Guild · DevOps Guild | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gap deploy. |
+| P3 | PREP-EXPORT-AIRGAP-56-002-DEPENDS-ON-56-001-S | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild · DevOps Guild | Exporter Service Guild · DevOps Guild | Depends on 56-001; same schema prerequisites. <br><br> Document artefact/deliverable for EXPORT-AIRGAP-56-002 and publish location so downstream tasks can proceed. |
-| 4 | EXPORT-AIRGAP-57-001 | BLOCKED | Depends on 56-002; needs sealed evidence bundle format. | Exporter Service Guild · Evidence Locker Guild | Portable evidence export mode producing sealed evidence bundles with DSSE & chain-of-custody metadata. |
+| P4 | PREP-EXPORT-AIRGAP-57-001-DEPENDS-ON-56-002-N | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild · Evidence Locker Guild | Exporter Service Guild · Evidence Locker Guild | Depends on 56-002; needs sealed evidence bundle format. <br><br> Document artefact/deliverable for EXPORT-AIRGAP-57-001 and publish location so downstream tasks can proceed. |
-| 5 | EXPORT-AIRGAP-58-001 | BLOCKED | Depends on 57-001; needs notifications envelope schema. | Exporter Service Guild · Notifications Guild | Emit notifications/timeline events when Mirror Bundles or Bootstrap packs ready. |
+| P5 | PREP-EXPORT-AIRGAP-58-001-DEPENDS-ON-57-001-N | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild · Notifications Guild | Exporter Service Guild · Notifications Guild | Depends on 57-001; needs notifications envelope schema. <br><br> Document artefact/deliverable for EXPORT-AIRGAP-58-001 and publish location so downstream tasks can proceed. |
-| 6 | EXPORT-ATTEST-74-001 | BLOCKED | Needs EvidenceLocker bundle layout + orchestration events. | Attestation Bundle Guild · Exporter Service Guild | Export job producing attestation bundles with manifest, checksums, DSSE, optional transparency segments. |
+| P6 | PREP-EXPORT-ATTEST-74-001-NEEDS-EVIDENCELOCKE | TODO | Due 2025-11-23 · Accountable: Attestation Bundle Guild · Exporter Service Guild | Attestation Bundle Guild · Exporter Service Guild | Needs EvidenceLocker bundle layout + orchestration events. <br><br> Document artefact/deliverable for EXPORT-ATTEST-74-001 and publish location so downstream tasks can proceed. |
-| 7 | EXPORT-ATTEST-74-002 | BLOCKED | Depends on 74-001. | Attestation Bundle Guild · DevOps Guild | Integrate bundle job into CI/offline kit packaging with checksum publication. |
+| P7 | PREP-EXPORT-ATTEST-74-002-DEPENDS-ON-74-001 | TODO | Due 2025-11-23 · Accountable: Attestation Bundle Guild · DevOps Guild | Attestation Bundle Guild · DevOps Guild | Depends on 74-001. <br><br> Document artefact/deliverable for EXPORT-ATTEST-74-002 and publish location so downstream tasks can proceed. |
-| 8 | EXPORT-ATTEST-75-001 | BLOCKED | Depends on 74-002; needs CLI contract. | Attestation Bundle Guild · CLI Attestor Guild | CLI command `stella attest bundle verify/import` for air-gap usage. |
+| P8 | PREP-EXPORT-ATTEST-75-001-DEPENDS-ON-74-002-N | TODO | Due 2025-11-23 · Accountable: Attestation Bundle Guild · CLI Attestor Guild | Attestation Bundle Guild · CLI Attestor Guild | Depends on 74-002; needs CLI contract. <br><br> Document artefact/deliverable for EXPORT-ATTEST-75-001 and publish location so downstream tasks can proceed. |
-| 9 | EXPORT-ATTEST-75-002 | BLOCKED | Depends on 75-001. | Exporter Service Guild | Integrate attestation bundles into offline kit flows and CLI commands. |
+| P9 | PREP-EXPORT-ATTEST-75-002-DEPENDS-ON-75-001 | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild | Exporter Service Guild | Depends on 75-001. <br><br> Document artefact/deliverable for EXPORT-ATTEST-75-002 and publish location so downstream tasks can proceed. |
-| 10 | EXPORT-OAS-61-001 | BLOCKED | Needs stable export surfaces; await EvidenceLocker contract. | Exporter Service Guild · API Contracts Guild | Update Exporter OAS covering profiles/runs/downloads with standard error envelope + examples. |
+| P10 | PREP-EXPORT-OAS-61-001-NEEDS-STABLE-EXPORT-SU | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild · API Contracts Guild | Exporter Service Guild · API Contracts Guild | Needs stable export surfaces; await EvidenceLocker contract. <br><br> Document artefact/deliverable for EXPORT-OAS-61-001 and publish location so downstream tasks can proceed. |
-| 11 | EXPORT-OAS-61-002 | BLOCKED | Depends on 61-001. | Exporter Service Guild | `/.well-known/openapi` discovery endpoint with version metadata and ETag. |
+| P11 | PREP-EXPORT-OAS-61-002-DEPENDS-ON-61-001 | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild | Exporter Service Guild | Depends on 61-001. <br><br> Document artefact/deliverable for EXPORT-OAS-61-002 and publish location so downstream tasks can proceed. |
-| 12 | EXPORT-OAS-62-001 | BLOCKED | Depends on 61-002. | Exporter Service Guild · SDK Generator Guild | Ensure SDKs include export profile/run clients with streaming helpers; add smoke tests. |
+| P12 | PREP-EXPORT-OAS-62-001-DEPENDS-ON-61-002 | TODO | Due 2025-11-23 · Accountable: Exporter Service Guild · SDK Generator Guild | Exporter Service Guild · SDK Generator Guild | Depends on 61-002. <br><br> Document artefact/deliverable for EXPORT-OAS-62-001 and publish location so downstream tasks can proceed. |
+| P13 | PREP-EXPORTER-SERVICE-EVIDENCELOCKER-GUILD-BL | TODO | Due 2025-11-23 · Accountable: Planning | Planning | BLOCKED (awaits EvidenceLocker contract). <br><br> Document artefact/deliverable for Exporter Service · EvidenceLocker Guild and publish location so downstream tasks can proceed. |
+| P14 | PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF | TODO | Due 2025-11-23 · Accountable: Planning | Planning | If not ready, keep tasks BLOCKED and escalate to Wave 150/140 leads. <br><br> Document artefact/deliverable for Orchestrator + Notifications schema handoff and publish location so downstream tasks can proceed. |
+| 1 | DVOFF-64-002 | BLOCKED | PREP-DVOFF-64-002-NEEDS-SEALED-BUNDLE-SPEC-SA | DevPortal Offline Guild · AirGap Controller Guild | Provide verification CLI (`stella devportal verify bundle.tgz`) ensuring integrity before import. |
+| 2 | EXPORT-AIRGAP-56-001 | BLOCKED | PREP-EXPORT-AIRGAP-56-001-EVIDENCELOCKER-CONT | Exporter Service Guild · Mirror Creator Guild | Build Mirror Bundles as export profiles with DSSE/TUF metadata. |
+| 3 | EXPORT-AIRGAP-56-002 | BLOCKED | PREP-EXPORT-AIRGAP-56-002-DEPENDS-ON-56-001-S | Exporter Service Guild · DevOps Guild | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gap deploy. |
+| 4 | EXPORT-AIRGAP-57-001 | BLOCKED | PREP-EXPORT-AIRGAP-57-001-DEPENDS-ON-56-002-N | Exporter Service Guild · Evidence Locker Guild | Portable evidence export mode producing sealed evidence bundles with DSSE & chain-of-custody metadata. |
+| 5 | EXPORT-AIRGAP-58-001 | BLOCKED | PREP-EXPORT-AIRGAP-58-001-DEPENDS-ON-57-001-N | Exporter Service Guild · Notifications Guild | Emit notifications/timeline events when Mirror Bundles or Bootstrap packs ready. |
+| 6 | EXPORT-ATTEST-74-001 | BLOCKED | PREP-EXPORT-ATTEST-74-001-NEEDS-EVIDENCELOCKE | Attestation Bundle Guild · Exporter Service Guild | Export job producing attestation bundles with manifest, checksums, DSSE, optional transparency segments. |
+| 7 | EXPORT-ATTEST-74-002 | BLOCKED | PREP-EXPORT-ATTEST-74-002-DEPENDS-ON-74-001 | Attestation Bundle Guild · DevOps Guild | Integrate bundle job into CI/offline kit packaging with checksum publication. |
+| 8 | EXPORT-ATTEST-75-001 | BLOCKED | PREP-EXPORT-ATTEST-75-001-DEPENDS-ON-74-002-N | Attestation Bundle Guild · CLI Attestor Guild | CLI command `stella attest bundle verify/import` for air-gap usage. |
+| 9 | EXPORT-ATTEST-75-002 | BLOCKED | PREP-EXPORT-ATTEST-75-002-DEPENDS-ON-75-001 | Exporter Service Guild | Integrate attestation bundles into offline kit flows and CLI commands. |
+| 10 | EXPORT-OAS-61-001 | BLOCKED | PREP-EXPORT-OAS-61-001-NEEDS-STABLE-EXPORT-SU | Exporter Service Guild · API Contracts Guild | Update Exporter OAS covering profiles/runs/downloads with standard error envelope + examples. |
+| 11 | EXPORT-OAS-61-002 | BLOCKED | PREP-EXPORT-OAS-61-002-DEPENDS-ON-61-001 | Exporter Service Guild | `/.well-known/openapi` discovery endpoint with version metadata and ETag. |
+| 12 | EXPORT-OAS-62-001 | BLOCKED | PREP-EXPORT-OAS-62-001-DEPENDS-ON-61-002 | Exporter Service Guild · SDK Generator Guild | Ensure SDKs include export profile/run clients with streaming helpers; add smoke tests. |
 
 ## Action Tracker
 | Action | Owner(s) | Due | Status |
 | --- | --- | --- | --- |
-| Provide sealed bundle sample + DSSE manifest to DevPortal CLI team for dry run. | Exporter Service · EvidenceLocker Guild | 2025-11-18 | BLOCKED (awaits EvidenceLocker contract) |
+| Provide sealed bundle sample + DSSE manifest to DevPortal CLI team for dry run. | Exporter Service · EvidenceLocker Guild | 2025-11-18 | PREP-EXPORTER-SERVICE-EVIDENCELOCKER-GUILD-BL |
 | Prep `stella devportal verify bundle.tgz` demo script & fixtures. | DevPortal Offline · AirGap Controller | 2025-11-19 | Pending (blocked on sample bundle) |
 | Confirm crypto routing parity plan (`EXPORT-CRYPTO-90-001`) at Nov-18 review. | Exporter Service · Security Guild | 2025-11-18 | Pending |
 
@@ -52,7 +66,7 @@
 ## Upcoming Checkpoints (UTC)
 | Date | Session / Owner | Target outcome | Fallback / Escalation |
 | --- | --- | --- | --- |
-| 2025-11-15 | Orchestrator + Notifications schema handoff | Publish envelopes needed for notifications/timeline events. | If not ready, keep tasks BLOCKED and escalate to Wave 150/140 leads. |
+| 2025-11-15 | Orchestrator + Notifications schema handoff | Publish envelopes needed for notifications/timeline events. | PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF |
 | 2025-11-18 | Crypto readiness review | Approve `ICryptoProviderRegistry` wiring for EXPORT-CRYPTO-90-001. | If blocked, log action items and hold crypto-related tasks. |
 | 2025-11-19 | DevPortal CLI dry run | Demo `stella devportal verify bundle.tgz` with sealed bundle sample. | If bundles absent, slip demo and log risk in Decisions. |
 
@@ -75,5 +89,6 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-12 | Snapshot captured (pre-template) with tasks TODO. | Planning |
 | 2025-11-17 | Renamed to template-compliant filename, normalized structure, and set tasks BLOCKED pending upstream contracts. | Implementer |

docs/implplan/SPRINT_0163_0001_0001_exportcenter_ii.md

@@ -20,28 +20,38 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | EXPORT-OAS-63-001 | BLOCKED | Needs EXPORT-OAS-61/62 outputs + stable APIs. | Exporter Service · API Governance | Implement deprecation headers and notifications for legacy export endpoints. |
+| P1 | PREP-EXPORT-OBS-50-001-WAIT-FOR-EXPORTER-SERV | TODO | Due 2025-11-23 · Accountable: Exporter Service · Observability Guild | Exporter Service · Observability Guild | Wait for exporter service bootstrap + telemetry schema. <br><br> Document artefact/deliverable for EXPORT-OBS-50-001 and publish location so downstream tasks can proceed. |
-| 2 | EXPORT-OBS-50-001 | BLOCKED | Wait for exporter service bootstrap + telemetry schema. | Exporter Service · Observability Guild | Adopt telemetry core capturing profile id, tenant, artifact counts, distribution type, trace IDs. |
+| P2 | PREP-EXPORT-RISK-69-001-AWAIT-PHASE-I-ARTIFAC | TODO | Due 2025-11-23 · Accountable: Exporter Service · Risk Bundle Export Guild | Exporter Service · Risk Bundle Export Guild | Await phase I artifacts + schema; needs provider selection rules. <br><br> Document artefact/deliverable for EXPORT-RISK-69-001 and publish location so downstream tasks can proceed. |
-| 3 | EXPORT-OBS-51-001 | BLOCKED | Depends on OBS-50 schema. | Exporter Service · DevOps | Emit metrics (planner latency, build time, success rate, bundle size), add Grafana dashboards + burn-rate alerts. |
+| P3 | PREP-EXPORT-SVC-35-001-NEEDS-PHASE-I-READINES | TODO | Due 2025-11-23 · Accountable: Exporter Service | Exporter Service | Needs phase I readiness + synthetic telemetry feeds. <br><br> Document artefact/deliverable for EXPORT-SVC-35-001 and publish location so downstream tasks can proceed. |
-| 4 | EXPORT-OBS-52-001 | BLOCKED | Depends on OBS-51 and notifications envelopes. | Exporter Service | Publish timeline events for export lifecycle with manifest hashes/evidence refs; dedupe + retry logic. |
+| P4 | PREP-EXPORT-SVC-35-002-DEPENDS-ON-35-001 | TODO | Due 2025-11-23 · Accountable: Exporter Service | Exporter Service | Depends on 35-001. <br><br> Document artefact/deliverable for EXPORT-SVC-35-002 and publish location so downstream tasks can proceed. |
-| 5 | EXPORT-OBS-53-001 | BLOCKED | Depends on OBS-52 and EvidenceLocker manifest format. | Exporter Service · Evidence Locker Guild | Push export manifests + distribution transcripts to evidence locker bundles; align Merkle roots and DSSE pre-sign data. |
+| P5 | PREP-EXPORT-SVC-35-003-DEPENDS-ON-35-002 | TODO | Due 2025-11-23 · Accountable: Exporter Service | Exporter Service | Depends on 35-002. <br><br> Document artefact/deliverable for EXPORT-SVC-35-003 and publish location so downstream tasks can proceed. |
-| 6 | EXPORT-OBS-54-001 | BLOCKED | Depends on OBS-53. | Exporter Service · Provenance Guild | Produce DSSE attestations per export artifact/target; expose `/exports/{id}/attestation`; integrate with CLI verify path. |
+| P6 | PREP-EXPORT-SVC-35-004-DEPENDS-ON-35-003 | TODO | Due 2025-11-23 · Accountable: Exporter Service | Exporter Service | Depends on 35-003. <br><br> Document artefact/deliverable for EXPORT-SVC-35-004 and publish location so downstream tasks can proceed. |
-| 7 | EXPORT-OBS-54-002 | BLOCKED | Depends on OBS-54-001 and PROV-OBS-53-003. | Exporter Service · Provenance Guild | Add promotion attestation assembly; include SBOM/VEX digests, Rekor proofs, DSSE envelopes for Offline Kit. |
+| P7 | PREP-EXPORT-SVC-35-005-DEPENDS-ON-35-004 | TODO | Due 2025-11-23 · Accountable: Exporter Service | Exporter Service | Depends on 35-004. <br><br> Document artefact/deliverable for EXPORT-SVC-35-005 and publish location so downstream tasks can proceed. |
-| 8 | EXPORT-OBS-55-001 | BLOCKED | Depends on OBS-54-001. | Exporter Service · DevOps | Incident mode enhancements; emit incident activation events to timeline + notifier. |
+| P8 | PREP-EXPORT-NOTIFY-SCHEMA-OBS-52 | TODO | Due 2025-11-23 · Accountable: Notifications Guild · Exporter Service | Notifications Guild · Exporter Service | Notifications schema for export lifecycle events not published; required for EXPORT-OBS-52-001 and downstream tasks. Provide envelope + sample payloads. |
-| 9 | EXPORT-RISK-69-001 | BLOCKED | Await phase I artifacts + schema; needs provider selection rules. | Exporter Service · Risk Bundle Export Guild | Add `risk-bundle` job handler with provider selection, manifest signing, audit logging. |
+| P8 | PREP-EXPORT-CRYPTO-90-001-PENDING-NOV-18-CRYP | TODO | Due 2025-11-23 · Accountable: Exporter Service · Security Guild | Exporter Service · Security Guild | Pending Nov-18 crypto review + reference implementation. <br><br> Document artefact/deliverable for EXPORT-CRYPTO-90-001 and publish location so downstream tasks can proceed. |
-| 10 | EXPORT-RISK-69-002 | BLOCKED | Depends on RISK-69-001. | Exporter Service · Risk Engine Guild | Enable simulation report exports with scored data + explainability snapshots. |
+| P9 | PREP-EXPORTER-SERVICE-BLOCKED-WAITING-ON-EVID | TODO | Due 2025-11-23 · Accountable: Planning | Planning | BLOCKED (waiting on EvidenceLocker spec). <br><br> Document artefact/deliverable for Exporter Service and publish location so downstream tasks can proceed. |
-| 11 | EXPORT-RISK-70-001 | BLOCKED | Depends on RISK-69-002. | Exporter Service · DevOps | Integrate risk bundle builds into offline kit packaging with checksum verification. |
+| 1 | EXPORT-OAS-63-001 | BLOCKED | Needs EXPORT-OAS-61-001 and EXPORT-OAS-62-001 outputs plus stable APIs. | Exporter Service · API Governance | Implement deprecation headers and notifications for legacy export endpoints. |
-| 12 | EXPORT-SVC-35-001 | BLOCKED | Needs phase I readiness + synthetic telemetry feeds. | Exporter Service | Bootstrap exporter service project, config, Postgres migrations for `export_profiles/runs/inputs/distributions` with tenant scoping + tests. |
+| 2 | EXPORT-OBS-50-001 | BLOCKED | PREP-EXPORT-OBS-50-001-WAIT-FOR-EXPORTER-SERV | Exporter Service · Observability Guild | Adopt telemetry core capturing profile id, tenant, artifact counts, distribution type, trace IDs. |
-| 13 | EXPORT-SVC-35-002 | BLOCKED | Depends on 35-001. | Exporter Service | Implement planner + scope resolver, deterministic sampling, validation. |
+| 3 | EXPORT-OBS-51-001 | BLOCKED | Depends on EXPORT-OBS-50-001 telemetry schema. | Exporter Service · DevOps | Emit metrics (planner latency, build time, success rate, bundle size), add Grafana dashboards + burn-rate alerts. |
-| 14 | EXPORT-SVC-35-003 | BLOCKED | Depends on 35-002. | Exporter Service | JSON adapters (`json:raw`, `json:policy`) with normalization/redaction/compression/manifest counts. |
+| 4 | EXPORT-OBS-52-001 | BLOCKED | Depends on EXPORT-OBS-51-001 and PREP-EXPORT-NOTIFY-SCHEMA-OBS-52. | Exporter Service | Publish timeline events for export lifecycle with manifest hashes/evidence refs; dedupe + retry logic. |
-| 15 | EXPORT-SVC-35-004 | BLOCKED | Depends on 35-003. | Exporter Service | Mirror (full) adapter producing filesystem layout, indexes, manifests, README. |
+| 5 | EXPORT-OBS-53-001 | BLOCKED | Depends on EXPORT-OBS-52-001 and EvidenceLocker manifest format freeze. | Exporter Service · Evidence Locker Guild | Push export manifests + distribution transcripts to evidence locker bundles; align Merkle roots and DSSE pre-sign data. |
-| 16 | EXPORT-SVC-35-005 | BLOCKED | Depends on 35-004. | Exporter Service | Manifest/provenance writer + KMS signing/attestation (detached + embedded). |
+| 6 | EXPORT-OBS-54-001 | BLOCKED | Depends on EXPORT-OBS-53-001. | Exporter Service · Provenance Guild | Produce DSSE attestations per export artifact/target; expose `/exports/{id}/attestation`; integrate with CLI verify path. |
-| 17 | EXPORT-CRYPTO-90-001 | BLOCKED | Pending Nov-18 crypto review + reference implementation. | Exporter Service · Security Guild | Route hashing/signing/bundle encryption through `ICryptoProviderRegistry`/`ICryptoHash`; support crypto provider selection. |
+| 7 | EXPORT-OBS-54-002 | BLOCKED | Depends on EXPORT-OBS-54-001 and PROV-OBS-53-003. | Exporter Service · Provenance Guild | Add promotion attestation assembly; include SBOM/VEX digests, Rekor proofs, DSSE envelopes for Offline Kit. |
+| 8 | EXPORT-OBS-55-001 | BLOCKED | Depends on EXPORT-OBS-54-001. | Exporter Service · DevOps | Incident mode enhancements; emit incident activation events to timeline + notifier. |
+| 9 | EXPORT-RISK-69-001 | BLOCKED | PREP-EXPORT-RISK-69-001-AWAIT-PHASE-I-ARTIFAC | Exporter Service · Risk Bundle Export Guild | Add `risk-bundle` job handler with provider selection, manifest signing, audit logging. |
+| 10 | EXPORT-RISK-69-002 | BLOCKED | Depends on EXPORT-RISK-69-001. | Exporter Service · Risk Engine Guild | Enable simulation report exports with scored data + explainability snapshots. |
+| 11 | EXPORT-RISK-70-001 | BLOCKED | Depends on EXPORT-RISK-69-002. | Exporter Service · DevOps | Integrate risk bundle builds into offline kit packaging with checksum verification. |
+| 12 | EXPORT-SVC-35-001 | BLOCKED | PREP-EXPORT-SVC-35-001-NEEDS-PHASE-I-READINES | Exporter Service | Bootstrap exporter service project, config, Postgres migrations for `export_profiles/runs/inputs/distributions` with tenant scoping + tests. |
+| 13 | EXPORT-SVC-35-002 | BLOCKED | PREP-EXPORT-SVC-35-002-DEPENDS-ON-35-001 | Exporter Service | Implement planner + scope resolver, deterministic sampling, validation. |
+| 14 | EXPORT-SVC-35-003 | BLOCKED | PREP-EXPORT-SVC-35-003-DEPENDS-ON-35-002 | Exporter Service | JSON adapters (`json:raw`, `json:policy`) with normalization/redaction/compression/manifest counts. |
+| 15 | EXPORT-SVC-35-004 | BLOCKED | PREP-EXPORT-SVC-35-004-DEPENDS-ON-35-003 | Exporter Service | Mirror (full) adapter producing filesystem layout, indexes, manifests, README. |
+| 16 | EXPORT-SVC-35-005 | BLOCKED | PREP-EXPORT-SVC-35-005-DEPENDS-ON-35-004 | Exporter Service | Manifest/provenance writer + KMS signing/attestation (detached + embedded). |
+| 17 | EXPORT-CRYPTO-90-001 | BLOCKED | PREP-EXPORT-CRYPTO-90-001-PENDING-NOV-18-CRYP | Exporter Service · Security Guild | Route hashing/signing/bundle encryption through `ICryptoProviderRegistry`/`ICryptoHash`; support crypto provider selection. |
 
 ## Action Tracker
 | Action | Owner(s) | Due | Status |
 | --- | --- | --- | --- |
-| Mirror EvidenceLocker DSSE manifest schema into exporter tests once frozen. | Exporter Service | 2025-11-18 | BLOCKED (waiting on EvidenceLocker spec) |
+| Mirror EvidenceLocker DSSE manifest schema into exporter tests once frozen. | Exporter Service | 2025-11-18 | PREP-EXPORTER-SERVICE-BLOCKED-WAITING-ON-EVID |
 | Define telemetry schema (traces/logs/metrics) and attach to this doc. | Observability Guild | 2025-11-18 | BLOCKED (awaiting OBS-50 start) |
 | Draft legacy endpoint deprecation comms with API Governance. | Exporter Service · API Governance | 2025-11-19 | BLOCKED (depends on OAS-61/62 outputs) |
 | Stage crypto provider configuration matrix for `EXPORT-CRYPTO-90-001`. | Exporter Service · Security Guild | 2025-11-18 | Pending |
@@ -81,5 +91,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Added PREP-EXPORT-NOTIFY-SCHEMA-OBS-52 and aligned dependencies (EXPORT-OAS chain, OBS-50..55, RISK-69..70) to actual Task IDs. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-12 | Snapshot captured (pre-template) with tasks TODO. | Planning |
 | 2025-11-17 | Renamed to compliant filename, applied template, and set tasks to BLOCKED pending upstream contracts and Sprint 0162 outputs. | Implementer |

docs/implplan/SPRINT_0164_0001_0001_exportcenter_iii.md

@@ -0,0 +1,50 @@
+# Sprint 0164-0001-0001 · ExportCenter III (Export & Evidence 160.B)
+
+## Topic & Scope
+- Expand ExportCenter: Export API, Trivy adapters, OCI distribution, mirror deltas, encryption, scheduling, verification, and risk bundle jobs.
+- Enforce tenant scoping and provenance-ready exports, keeping outputs offline-friendly.
+- **Working directory:** `src/ExportCenter` (core service) and `src/ExportCenter/StellaOps.ExportCenter.RiskBundles`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 0163-0001-0001 (ExportCenter II) must land first.
+- Concurrency: execute tasks in listed order; Export API → Trivy adapters → OCI engine → planner → mirror delta → encryption → scheduling → verification → pack-run integration; risk bundle chain follows 69/70 tasks.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/export-center/architecture.md
+- src/ExportCenter/AGENTS.md (if present)
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | EXPORT-SVC-35-006 | TODO | Depends on EXPORT-SVC-35-005 (Sprint 0163). | Exporter Service Guild (`src/ExportCenter/StellaOps.ExportCenter`) | Expose Export API (profiles, runs, download, SSE updates) with audit logging, concurrency controls, viewer/operator RBAC. |
+| 2 | EXPORT-SVC-36-001 | TODO | Depends on 35-006. | Exporter Service Guild | Trivy DB adapter (core) with schema mappings, version flag gating, validation harness. |
+| 3 | EXPORT-SVC-36-002 | TODO | Depends on 36-001. | Exporter Service Guild | Trivy Java DB variant with shared manifest entries and adapter regression tests. |
+| 4 | EXPORT-SVC-36-003 | TODO | Depends on 36-002. | Exporter Service Guild | OCI distribution engine (manifests, descriptors, annotations) with registry auth and retries. |
+| 5 | EXPORT-SVC-36-004 | TODO | Depends on 36-003. | Exporter Service Guild | Extend planner/run lifecycle for distribution targets (OCI/object storage) with idempotent metadata updates and retention timestamps. |
+| 6 | EXPORT-SVC-37-001 | TODO | Depends on 36-004. | Exporter Service Guild | Mirror delta adapter with base manifest comparison, change set generation, content-addressed reuse. |
+| 7 | EXPORT-SVC-37-002 | TODO | Depends on 37-001. | Exporter Service Guild | Bundle encryption (age/AES-GCM), key wrapping via KMS, verification tooling for encrypted outputs. |
+| 8 | EXPORT-SVC-37-003 | TODO | Depends on 37-002. | Exporter Service Guild | Export scheduling (cron/event), retention pruning, retry idempotency, failure classification. |
+| 9 | EXPORT-SVC-37-004 | TODO | Depends on 37-003. | Exporter Service Guild | Verification API to stream manifests/hashes, compute hash+signature checks, return attest status for CLI/UI. |
+| 10 | EXPORT-SVC-43-001 | TODO | Depends on 37-004. | Exporter Service Guild | Integrate pack run manifests/artifacts into export bundles and CLI verification; expose provenance links. |
+| 11 | EXPORT-TEN-48-001 | TODO | Parallel once API stable. | Exporter Service Guild | Prefix artifacts/manifests with tenant/project, enforce scope checks, prevent cross-tenant exports unless whitelisted; update provenance. |
+| 12 | RISK-BUNDLE-69-001 | TODO | Start risk bundle job scaffold. | Risk Bundle Export Guild · Risk Engine Guild (`src/ExportCenter/StellaOps.ExportCenter.RiskBundles`) | Implement `stella export risk-bundle` job producing tarball with provider datasets, manifests, DSSE signatures. |
+| 13 | RISK-BUNDLE-69-002 | TODO | Depends on 69-001. | Risk Bundle Export Guild · DevOps Guild | Integrate bundle job into CI/offline kit pipelines with checksum publication. |
+| 14 | RISK-BUNDLE-70-001 | TODO | Depends on 69-002. | Risk Bundle Export Guild · CLI Guild | Provide CLI `stella risk bundle verify` command to validate bundles before import. |
+| 15 | RISK-BUNDLE-70-002 | TODO | Depends on 70-001. | Risk Bundle Export Guild · Docs Guild | Publish `/docs/airgap/risk-bundles.md` covering build/import/verification workflows. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-08 | Sprint stub created; awaiting ExportCenter II completion. | Planning |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_164_exportcenter_iii.md` to `SPRINT_0164_0001_0001_exportcenter_iii.md`; content preserved. | Implementer |
+| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
+
+## Decisions & Risks
+- Requires ExportCenter II outputs; keep tasks TODO until upstream artifacts and contracts are present.
+- Tenant scoping and encryption must remain deterministic and offline-ready; ensure key handling aligns with AirGap/CLI expectations.
+
+## Next Checkpoints
+- Kickoff after Sprint 0163 completion (date TBD).

docs/implplan/SPRINT_0165_0001_0001_timelineindexer.md

@@ -0,0 +1,42 @@
+# Sprint 0165-0001-0001 · Timeline Indexer (Export & Evidence 160.C)
+
+## Topic & Scope
+- Bootstrap Timeline Indexer service: migrations/RLS, ingestion, query APIs, and evidence linkage.
+- Keep ordering deterministic and tenant-scoped; link timeline events to evidence bundle digests/attestations.
+- **Working directory:** `src/TimelineIndexer/StellaOps.TimelineIndexer`.
+
+## Dependencies & Concurrency
+- Upstream: AdvisoryAI (110.A), AirGap (120.A), Scanner (130.A), Orchestrator (150.A) schemas required for event payloads.
+- Concurrency: execute tasks in listed order; evidence linkage follows ingestion and API/RLS work.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/export-center/architecture.md (for evidence linkage)
+- src/TimelineIndexer/StellaOps.TimelineIndexer/AGENTS.md (if present)
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | TIMELINE-OBS-52-001 | TODO | Draft migrations + RLS design. | Timeline Indexer Guild (`src/TimelineIndexer/StellaOps.TimelineIndexer`) | Bootstrap service; Postgres migrations for `timeline_events`, `timeline_event_details`, `timeline_event_digests`; enable RLS scaffolding and deterministic migration scripts. |
+| 2 | TIMELINE-OBS-52-002 | TODO | Depends on 52-001. | Timeline Indexer Guild | Implement event ingestion pipeline (NATS/Redis consumers) with ordering guarantees, dedupe `(event_id, tenant_id)`, trace-ID correlation, backpressure metrics. |
+| 3 | TIMELINE-OBS-52-003 | TODO | Depends on 52-002. | Timeline Indexer Guild | Expose REST/gRPC APIs for timeline queries (`GET /timeline`, `/timeline/{id}`) with filters, pagination, tenant enforcement; provide OpenAPI + contract tests. |
+| 4 | TIMELINE-OBS-52-004 | TODO | Depends on 52-003. | Timeline Indexer Guild · Security Guild | Finalize RLS policies, scope checks (`timeline:read`), audit logging; integration tests for cross-tenant isolation and legal hold markers. |
+| 5 | TIMELINE-OBS-53-001 | TODO | Depends on 52-004 and EvidenceLocker bundle digest schema. | Timeline Indexer Guild · Evidence Locker Guild | Link timeline events to evidence bundle digests + attestation subjects; expose `/timeline/{id}/evidence` returning signed manifest references. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-12 | Captured task snapshot and blockers; waiting on orchestrator/notifications schema and EvidenceLocker digest schema. | Planning |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_165_timelineindexer.md` to `SPRINT_0165_0001_0001_timelineindexer.md`; content preserved. | Implementer |
+| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
+
+## Decisions & Risks
+- Blocked on orchestrator/notification schemas for ingestion payload definitions.
+- Needs EvidenceLocker bundle digest schema before implementing evidence linkage.
+- Security/Compliance review required for Postgres RLS migrations; no coding until approval.
+
+## Next Checkpoints
+- Obtain sample orchestrator/notification events and EvidenceLocker digest schema (date TBD).
+- Draft migrations + RLS design and review with Security/Compliance.

docs/implplan/SPRINT_0170_0001_0001_notifications_telemetry.md

@@ -0,0 +1,43 @@
+# Sprint 0170-0001-0001 · Notifications & Telemetry Snapshot
+
+## Topic & Scope
+- Coordination snapshot for Notifications (Notifier) and Telemetry waves; execution tasks live in SPRINT_0171_0001_0001_notifier_i.md and SPRINT_0174_0001_0001_telemetry.md.
+- Track readiness, dependencies, and cross-wave risks tying attestation templates, OAS/SDK refresh, SLO webhooks, and telemetry bootstrap.
+- **Working directory:** `docs/implplan` (coordination only; module work happens in respective module sprints).
+
+## Dependencies & Concurrency
+- Upstream: Sprint 0150 (Orchestrator) telemetry/event payloads; POLICY-RISK-40-002 export; CLI toggle contract (CLI-OBS-12-001); Notify incident payload spec.
+- Concurrency: Waves 170.A (Notifier) and 170.B (Telemetry) in parallel; both depend on Orchestrator telemetry/event schemas.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/notifications/architecture.md
+- docs/modules/telemetry/architecture.md
+
+## Delivery Tracker
+| # | Track | Status | Key dependency / next step | Owners | Notes |
+| --- | --- | --- | --- | --- | --- |
+| 1 | 170.A · Notifier readiness | BLOCKED (2025-11-19) | Await CI restore for NOTIFY-OBS-51-001 SLO webhook tests; risk routing still depends on POLICY-RISK-40-002 export. | Notifications Service Guild · Attestor Service Guild · Observability Guild | Active work mirrored to Sprint 0171; attestation/OAS tracks are done, observability/risk tracks paused until dependencies clear. |
+| 2 | 170.B · Telemetry bootstrap | BLOCKED (2025-11-19) | TELEMETRY-OBS-50-001 shipped; propagation adapters (50-002) waiting on bootstrap adoption + CLI toggle contract (CLI-OBS-12-001). | Telemetry Core Guild · Observability Guild · Security Guild | Bootstrap of `StellaOps.Telemetry.Core` complete; downstream propagation/scrub/incident work paused until contracts/tests land (see Sprint 0174). |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-12 | Wave rows flipped to DOING; recorded scope/entry/exit criteria for Notifier and Telemetry waves. | Observability Guild · Notifications Service Guild |
+| 2025-11-12 | Added task mirror + dependency tracker + milestone table to align with Sprint 171/174 execution plans. | Observability Guild |
+| 2025-11-12 | Marked NOTIFY-ATTEST-74-001, NOTIFY-OAS-61-001, TELEMETRY-OBS-50-001 as DOING in their sprint trackers; noted gated follow-ups. | Notifications Service Guild · Telemetry Core Guild |
+| 2025-11-19 | Re-baselined tracks: set 170.A and 170.B to BLOCKED pending CI restore (Notifier SLO tests) and propagation/toggle contracts; TELEMETRY-OBS-50-001 marked DONE in Sprint 0174. | Implementer |
+| 2025-11-12 | Documented attestation template suite in `docs/notifications/templates.md` to unblock NOTIFY-ATTEST-74-001; synced notifications docs. | Notifications Service Guild |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_170_notifications_telemetry.md` to `SPRINT_0170_0001_0001_notifications_telemetry.md`; content preserved; legacy stub added. | Implementer |
+
+## Decisions & Risks
+- Orchestrator observability contracts (ORCH-OBS-50-001) must land before enabling Notifier SLO webhooks and Telemetry helpers.
+- Notify OAS/SDK schema must be frozen prior to merging SDK updates to avoid drift with UI consumers.
+- Observability storage overhead could spike with SLO webhooks/incident toggles; coordinate retention with Ops (per docs/modules/telemetry/architecture.md §2).
+- Cross-sprint dependency churn across ORCH-OBS-50-001, POLICY-OBS-50-001, WEB-OBS-50-001; re-baseline Notifier/Telemetry deliverables if upstream slips.
+- Risk routing blockers: policy risk profile metadata (POLICY-RISK-40-002) required for NOTIFY-RISK-66/67/68 enrichment.
+
+## Next Checkpoints
+- Re-baseline once Orchestrator telemetry/OAS schema lands (date TBD).

docs/implplan/SPRINT_0171_0001_0001_notifier_i.md

@@ -0,0 +1,74 @@
+# Sprint 0171-0001-0001 · Notifier I (Notifications & Telemetry 170.A)
+
+## Topic & Scope
+- Deliver attestation/key-rotation alert templates, OAS/SDK refresh, SLO/incident triggers, and risk-profile routing for Notifier.
+- Maintain Offline Kit parity and aggregation-only behavior with deterministic, tenant-aware notifications.
+- **Working directory:** `src/Notifier/StellaOps.Notifier`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 0150 (Orchestrator) telemetry/event payloads; Attestor schema for attestation events; Policy risk export (`POLICY-RISK-40-002`); Telemetry SLO webhook schema.
+- Concurrency: execute tasks in listed order; attestation → OAS/SDK → observability → risk routing; docs/offline already DONE.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/notifications/architecture.md
+- docs/notifications/templates.md
+- src/Notifier/StellaOps.Notifier/AGENTS.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-NOTIFY-OBS-51-001-TELEMETRY-SLO-WEBHOOK | DONE (2025-11-19) | Telemetry SLO webhook schema published at `docs/notifications/slo-webhook-schema.md`; share with Telemetry Core for compatibility check. | Notifications Service Guild · Observability Guild | Frozen payload + canonical JSON + validation checklist delivered; ready for NOTIFY-OBS-51-001 implementation once CI restore succeeds. |
+| 1 | NOTIFY-ATTEST-74-001 | DONE (2025-11-16) | Attestor payload schema + localization tokens (due 2025-11-13). | Notifications Service Guild · Attestor Service Guild (`src/Notifier/StellaOps.Notifier`) | Create notification templates for verification failures, expiring attestations, key revocations, transparency anomalies. |
+| 2 | NOTIFY-ATTEST-74-002 | TODO | Depends on 74-001. | Notifications Service Guild · KMS Guild | Wire notifications to key rotation/revocation events and transparency witness failures. |
+| 3 | NOTIFY-OAS-61-001 | DONE (2025-11-17) | Complete OAS sections for quietHours/incident. | Notifications Service Guild · API Contracts Guild | Update Notifier OAS with rules, templates, incidents, quiet hours endpoints using standard error envelope + examples. |
+| 4 | NOTIFY-OAS-61-002 | DONE (2025-11-17) | Depends on 61-001. | Notifications Service Guild | Implement `/.well-known/openapi` discovery endpoint with scope metadata. |
+| 5 | NOTIFY-OAS-62-001 | DONE (2025-11-17) | Depends on 61-002. | Notifications Service Guild · SDK Generator Guild | SDK examples for rule CRUD, incident ack, quiet hours; SDK smoke tests. |
+| 6 | NOTIFY-OAS-63-001 | DONE (2025-11-17) | Depends on 62-001. | Notifications Service Guild · API Governance Guild | Emit deprecation headers and templates for retiring notifier APIs. |
+| 7 | NOTIFY-OBS-51-001 | BLOCKED (2025-11-19) | CI restore for `HttpEgressSloSinkTests` / `EventProcessorTests` | Notifications Service Guild · Observability Guild | Integrate SLO evaluator webhooks into Notifier rules; templates/routing/suppression; sample policies. |
+| 8 | NOTIFY-OBS-55-001 | TODO | Depends on 51-001. | Notifications Service Guild · Ops Guild | Publish incident mode start/stop notifications with trace/evidence links, retention notes, quiet-hour overrides, legal logging. |
+| 9 | NOTIFY-RISK-66-001 | TODO | Depends on POLICY-RISK-40-002 metadata export. | Notifications Service Guild · Risk Engine Guild | Add notification triggers for risk severity escalation/downgrade with profile metadata. |
+| 10 | NOTIFY-RISK-67-001 | TODO | Depends on 66-001. | Notifications Service Guild · Policy Guild | Notify when risk profiles are published/deprecated/thresholds change. |
+| 11 | NOTIFY-RISK-68-001 | TODO | Depends on 67-001. | Notifications Service Guild | Per-profile routing, quiet hours, dedupe for risk alerts; integrate CLI/Console preferences. |
+| 12 | NOTIFY-DOC-70-001 | DONE (2025-11-02) | — | Notifications Service Guild | Document split between legacy `src/Notify` libs and new `src/Notifier` runtime; update architecture docs. |
+| 13 | NOTIFY-AIRGAP-56-002 | DONE | — | Notifications Service Guild · DevOps Guild | Bootstrap Pack notifier configs with deterministic secrets handling and offline validation. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Fixed PREP-NOTIFY-OBS-51-001 Task ID (removed trailing hyphen) so dependency lookup works. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-12 | Marked NOTIFY-ATTEST-74-001 and NOTIFY-OAS-61-001 as DOING; documented current blockers. | Notifications Service Guild |
+| 2025-11-12 | Added attestation template suite (Section 7 in `docs/notifications/templates.md`) covering template keys/helpers/samples to support NOTIFY-ATTEST-74-001. | Notifications Service Guild |
+| 2025-11-12 | Updated notifications architecture/overview/rules docs to reference `tmpl-attest-*` suite; exported baseline templates under `offline/notifier/templates/attestation/`. | Notifications Service Guild |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_171_notifier_i.md` to `SPRINT_0171_0001_0001_notifier_i.md`; content preserved. | Implementer |
+| 2025-11-19 | Delivered Telemetry SLO webhook schema (`docs/notifications/slo-webhook-schema.md`); marked PREP-NOTIFY-OBS-51-001-TELEMETRY-SLO-WEBHOOK DONE; NOTIFY-OBS-51-001 remains BLOCKED pending CI restore. | Implementer |
+| 2025-11-19 | Added legacy-file redirect stub to avoid divergent updates. | Implementer |
+| 2025-11-19 | Synced Delivery Tracker with module TASKS: marked NOTIFY-ATTEST-74-001, NOTIFY-OAS-61-001/61-002/62-001 as DONE with respective completion dates; downstream tasks remain TODO. | Implementer |
+| 2025-11-19 | Recorded NOTIFY-OAS-63-001 as DONE based on shipped deprecation headers/templates and existing tests (`OpenApiEndpointTests`, `DeprecationTemplateTests`). | Implementer |
+| 2025-11-19 | Added sample attestation routing rules (`src/Notifier/StellaOps.Notifier/docs/attestation-rules.sample.json`) covering key rotation/revocation and transparency witness anomalies to support NOTIFY-ATTEST-74-002 wiring. | Implementer |
+| 2025-11-19 | Continued NOTIFY-OBS-51-001: added `EgressSloContext`, pluggable `IEgressSloSink`, HTTP webhook sink with configurable timeout, and test sink; processor now emits signals per delivery. Added unit coverage scaffold for the webhook sink (not executed locally). | Implementer |
+| 2025-11-19 | Attempted `dotnet test src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/StellaOps.Notifier.Tests.csproj --filter HttpEgressSloSinkTests`; restore canceled (NuGet.targets:196) after ~15s. CI run still required to validate OBS-51-001 changes. | Implementer |
+| 2025-11-19 | Attempted `dotnet test ... --filter EventProcessorTests`; restore canceled again (NuGet.targets:196) after ~15s; awaiting CI restore to exercise SLO sink + processor tests. | Implementer |
+| 2025-11-19 | Marked NOTIFY-OBS-51-001 status to DOING; OBS SLO webhook code ready, pending CI validation to close the task. | Implementer |
+| 2025-11-19 | Action item: run CI pipeline for Notifier with filters `HttpEgressSloSinkTests` and `EventProcessorTests`; if green, set NOTIFY-OBS-51-001 to DONE and attach TRX artefacts. | Implementer |
+| 2025-11-19 | Set NOTIFY-OBS-51-001 to BLOCKED pending CI restore capacity; local restore repeatedly cancels (NuGet.targets:196). No further code changes until CI evidence available. | Implementer |
+| 2025-11-19 | Added QA playbook for NOTIFY-ATTEST-74-002 (`src/Notifier/StellaOps.Notifier/StellaOps.Notifier.docs/QA-attestation-routing.md`) detailing import steps, event kinds, expected deliveries, and evidence to capture. | Implementer |
+| 2025-11-20 | No unblocked work left in this sprint today: NOTIFY-ATTEST-74-002 depends on attestor payload localization freeze; NOTIFY-OBS-51/55 blocked until SLO webhook contract is wired into worker; NOTIFY-RISK-66..68 waits on `POLICY-RISK-40-002` export. Moving to next sprint. | Implementer |
+
+## Decisions & Risks
+- Attestor schema freeze (due 2025-11-13) gates 74-001/002.
+- Telemetry SLO webhook payload (frozen 2025-11-17) unblocks OBS chain; incident toggle contract follows add-only evolution.
+- OBS SLO webhook code merged but unvalidated locally (restore blocked); CI run required before marking NOTIFY-OBS-51-001 DONE.
+- Risk alerts depend on POLICY-RISK-40-002 export; schedule slip would re-baseline RISK tasks.
+- Keep Offline Kit parity for templates and secrets handling before enabling new endpoints.
+
+## Next Checkpoints
+| Date (UTC) | Milestone | Owner(s) |
+| --- | --- | --- |
+| 2025-11-13 | Finalize attestation payload schema + localization tokens. | Notifications Service Guild · Attestor Service Guild |
+| 2025-11-15 | Draft Notifier OAS published for review. | Notifications Service Guild · API Contracts Guild |
+| 2025-11-18 | Incident payload contract agreed with Telemetry & Ops. | Notifications Service Guild · Observability Guild |
+| 2025-11-20 | Risk profile metadata export available (`POLICY-RISK-40-002`). | Notifications Service Guild · Policy Guild |

docs/implplan/SPRINT_0172_0001_0002_notifier_ii.md

@@ -0,0 +1,48 @@
+# Sprint 0172-0001-0002 · Notifier II (Notifications & Telemetry 170.A)
+
+## Topic & Scope
+- Notifier phase II: approval/policy notifications, channels/templates, correlation/digests/simulation, escalations, and hardening.
+- **Working directory:** `src/Notifier/StellaOps.Notifier`.
+
+## Dependencies & Concurrency
+- Upstream: Notifier I (Sprint 0171) must land first.
+- Concurrency: follow service chain (37 → 38 → 39 → 40); all tasks currently TODO.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/notifications/architecture.md
+- src/Notifier/StellaOps.Notifier/AGENTS.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | NOTIFY-SVC-37-001 | TODO | Define contract/OAS. | Notifications Service Guild (`src/Notifier/StellaOps.Notifier`) | Define pack approval & policy notification contract (OpenAPI schema, event payloads, resume tokens, security guidance). |
+| 2 | NOTIFY-SVC-37-002 | TODO | Depends on 37-001. | Notifications Service Guild | Implement secure ingestion endpoint, Mongo persistence (`pack_approvals`), idempotent writes, audit trail. |
+| 3 | NOTIFY-SVC-37-003 | TODO | Depends on 37-002. | Notifications Service Guild | Approval/policy templates, routing predicates, channel dispatch (email/webhook), localization + redaction. |
+| 4 | NOTIFY-SVC-37-004 | TODO | Depends on 37-003. | Notifications Service Guild | Acknowledgement API, Task Runner callback client, metrics for outstanding approvals, runbook updates. |
+| 5 | NOTIFY-SVC-38-002 | TODO | Depends on 37-004. | Notifications Service Guild | Channel adapters (email, chat webhook, generic webhook) with retry policies, health checks, audit logging. |
+| 6 | NOTIFY-SVC-38-003 | TODO | Depends on 38-002. | Notifications Service Guild | Template service (versioned templates, localization scaffolding) and renderer (redaction allowlists, Markdown/HTML/JSON, provenance links). |
+| 7 | NOTIFY-SVC-38-004 | TODO | Depends on 38-003. | Notifications Service Guild | REST + WS APIs (rules CRUD, templates preview, incidents list, ack) with audit logging, RBAC, live feed stream. |
+| 8 | NOTIFY-SVC-39-001 | TODO | Depends on 38-004. | Notifications Service Guild | Correlation engine with pluggable key expressions/windows, throttler, quiet hours/maintenance evaluator, incident lifecycle. |
+| 9 | NOTIFY-SVC-39-002 | TODO | Depends on 39-001. | Notifications Service Guild | Digest generator (queries, formatting) with schedule runner and distribution. |
+| 10 | NOTIFY-SVC-39-003 | TODO | Depends on 39-002. | Notifications Service Guild | Simulation engine/API to dry-run rules against historical events, returning matched actions with explanations. |
+| 11 | NOTIFY-SVC-39-004 | TODO | Depends on 39-003. | Notifications Service Guild | Quiet hour calendars + default throttles with audit logging and operator overrides. |
+| 12 | NOTIFY-SVC-40-001 | TODO | Depends on 39-004. | Notifications Service Guild | Escalations + on-call schedules, ack bridge, PagerDuty/OpsGenie adapters, CLI/in-app inbox channels. |
+| 13 | NOTIFY-SVC-40-002 | TODO | Depends on 40-001. | Notifications Service Guild | Summary storm breaker notifications, localization bundles, fallback handling. |
+| 14 | NOTIFY-SVC-40-003 | TODO | Depends on 40-002. | Notifications Service Guild | Security hardening: signed ack links (KMS), webhook HMAC/IP allowlists, tenant isolation fuzz tests, HTML sanitization. |
+| 15 | NOTIFY-SVC-40-004 | TODO | Depends on 40-003. | Notifications Service Guild | Observability (metrics/traces for escalations/latency), dead-letter handling, chaos tests for channel outages, retention policies. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_172_notifier_ii.md` to `SPRINT_0172_0001_0002_notifier_ii.md`; content preserved. | Implementer |
+| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
+
+## Decisions & Risks
+- All tasks depend on Notifier I outputs and established notification contracts; keep TODO until upstream lands.
+- Ensure templates/renderers stay deterministic and offline-ready; hardening tasks must precede GA.
+
+## Next Checkpoints
+- Kickoff after Sprint 0171 completion (date TBD).

docs/implplan/SPRINT_0173_0001_0003_notifier_iii.md

@@ -0,0 +1,37 @@
+# Sprint 0173-0001-0003 · Notifier III (Notifications & Telemetry 170.A)
+
+## Topic & Scope
+- Notifier phase III: tenant scoping across rules/templates/incidents with RLS and tenant-prefixed channels.
+- **Working directory:** `src/Notifier/StellaOps.Notifier`.
+
+## Dependencies & Concurrency
+- Upstream: Notifier II (Sprint 0172-0001-0002) must land first.
+- Concurrency: single-track; proceed after prior phase completion.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/notifications/architecture.md
+- src/Notifier/StellaOps.Notifier/AGENTS.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-NOTIFY-TEN-48-001-NOTIFIER-II-SPRINT-017 | TODO | Due 2025-11-23 · Accountable: Notifications Service Guild (`src/Notifier/StellaOps.Notifier`) | Notifications Service Guild (`src/Notifier/StellaOps.Notifier`) | Notifier II (Sprint 0172) not started; tenancy model not finalized. <br><br> Document artefact/deliverable for NOTIFY-TEN-48-001 and publish location so downstream tasks can proceed. |
+| 1 | NOTIFY-TEN-48-001 | BLOCKED (2025-11-20) | PREP-NOTIFY-TEN-48-001-NOTIFIER-II-SPRINT-017 | Notifications Service Guild (`src/Notifier/StellaOps.Notifier`) | Tenant-scope rules/templates/incidents, RLS on storage, tenant-prefixed channels, include tenant context in notifications. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_173_notifier_iii.md` to `SPRINT_0173_0001_0003_notifier_iii.md`; content preserved. | Implementer |
+| 2025-11-19 | Added legacy-file redirect stub to avoid divergent updates. | Implementer |
+| 2025-11-20 | Marked NOTIFY-TEN-48-001 BLOCKED pending completion of Sprint 0172 tenancy model; no executable work in this sprint today. | Implementer |
+
+## Decisions & Risks
+- Requires completion of Notifier II and established tenancy model before applying RLS.
+- Ensure tenant scoping aligns with platform RLS and channel routing; avoid breaking existing templates.
+
+## Next Checkpoints
+- Schedule kickoff post Notifier II completion (date TBD).

docs/implplan/SPRINT_0174_0001_0001_telemetry.md

@@ -0,0 +1,60 @@
+# Sprint 0174-0001-0001 · Telemetry (Notifications & Telemetry 170.B)
+
+## Topic & Scope
+- Deliver `StellaOps.Telemetry.Core` bootstrap, propagation middleware, metrics helpers, scrubbing, incident/sealed-mode toggles.
+- Provide sample host integrations while keeping deterministic, offline-friendly telemetry with redaction and tenant awareness.
+- **Working directory:** `src/Telemetry/StellaOps.Telemetry.Core`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 0150 (Orchestrator) for host integration; CLI toggle contract (CLI-OBS-12-001); Notify incident payload spec (NOTIFY-OBS-55-001); Security scrub policy (POLICY-SEC-42-003).
+- Concurrency: tasks follow 50 → 51 → 55/56 chain; 50-002 waits on 50-001 package.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/telemetry/architecture.md
+- src/Telemetry/StellaOps.Telemetry.Core/AGENTS.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-TELEMETRY-OBS-50-002-AWAIT-PUBLISHED-50 | DONE (2025-11-19) | Due 2025-11-23 · Accountable: Telemetry Core Guild | Telemetry Core Guild | Bootstrap package published; reference doc `docs/observability/telemetry-bootstrap.md` provides wiring + config. |
+| P2 | PREP-TELEMETRY-OBS-51-001-TELEMETRY-PROPAGATI | DONE (2025-11-20) | Doc published at `docs/observability/telemetry-propagation-51-001.md`. | Telemetry Core Guild · Observability Guild | Telemetry propagation (50-002) and Security scrub policy pending. <br><br> Document artefact/deliverable for TELEMETRY-OBS-51-001 and publish location so downstream tasks can proceed. |
+| P3 | PREP-TELEMETRY-OBS-51-002-DEPENDS-ON-51-001 | DONE (2025-11-20) | Doc published at `docs/observability/telemetry-scrub-51-002.md`. | Telemetry Core Guild · Security Guild | Depends on 51-001. <br><br> Document artefact/deliverable for TELEMETRY-OBS-51-002 and publish location so downstream tasks can proceed. |
+| P4 | PREP-TELEMETRY-OBS-56-001-DEPENDS-ON-55-001 | DONE (2025-11-20) | Doc published at `docs/observability/telemetry-sealed-56-001.md`. | Telemetry Core Guild | Depends on 55-001. <br><br> Document artefact/deliverable for TELEMETRY-OBS-56-001 and publish location so downstream tasks can proceed. |
+| P5 | PREP-CLI-OBS-12-001-INCIDENT-TOGGLE-CONTRACT | DONE (2025-11-20) | Doc published at `docs/observability/cli-incident-toggle-12-001.md`. | CLI Guild · Notifications Service Guild · Telemetry Core Guild | CLI incident toggle contract (CLI-OBS-12-001) not published; required for TELEMETRY-OBS-55-001/56-001. Provide schema + CLI flag behavior. |
+| 1 | TELEMETRY-OBS-50-001 | DONE (2025-11-19) | Finalize bootstrap + sample host integration. | Telemetry Core Guild (`src/Telemetry/StellaOps.Telemetry.Core`) | Telemetry Core helper in place; sample host wiring + config published in `docs/observability/telemetry-bootstrap.md`. |
+| 2 | TELEMETRY-OBS-50-002 | TODO | PREP-TELEMETRY-OBS-50-002-AWAIT-PUBLISHED-50 (DONE) | Telemetry Core Guild | Context propagation middleware/adapters for HTTP, gRPC, background jobs, CLI; carry `trace_id`, `tenant_id`, `actor`, imposed-rule metadata; async resume harness. |
+| 3 | TELEMETRY-OBS-51-001 | TODO | PREP-TELEMETRY-OBS-51-001-TELEMETRY-PROPAGATI | Telemetry Core Guild · Observability Guild | Metrics helpers for golden signals with exemplar support and cardinality guards; Roslyn analyzer preventing unsanitised labels. |
+| 4 | TELEMETRY-OBS-51-002 | BLOCKED (2025-11-20) | PREP-TELEMETRY-OBS-51-002-DEPENDS-ON-51-001 | Telemetry Core Guild · Security Guild | Redaction/scrubbing filters for secrets/PII at logger sink; per-tenant config with TTL; audit overrides; determinism tests. |
+| 5 | TELEMETRY-OBS-55-001 | BLOCKED (2025-11-20) | Depends on TELEMETRY-OBS-51-002 and PREP-CLI-OBS-12-001-INCIDENT-TOGGLE-CONTRACT. | Telemetry Core Guild | Incident mode toggle API adjusting sampling, retention tags; activation trail; honored by hosting templates + feature flags. |
+| 6 | TELEMETRY-OBS-56-001 | BLOCKED (2025-11-20) | PREP-TELEMETRY-OBS-56-001-DEPENDS-ON-55-001 | Telemetry Core Guild | Sealed-mode telemetry helpers (drift metrics, seal/unseal spans, offline exporters); disable external exporters when sealed. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-20 | Added sealed-mode helper prep doc (`telemetry-sealed-56-001.md`); marked PREP-TELEMETRY-OBS-56-001 DONE. | Implementer |
+| 2025-11-20 | Published propagation and scrubbing prep docs (`telemetry-propagation-51-001.md`, `telemetry-scrub-51-002.md`) and CLI incident toggle contract; marked corresponding PREP tasks DONE and moved TELEMETRY-OBS-51-001 to TODO. | Implementer |
+| 2025-11-20 | Added PREP-CLI-OBS-12-001-INCIDENT-TOGGLE-CONTRACT and cleaned PREP-TELEMETRY-OBS-50-002 Task ID; updated TELEMETRY-OBS-55-001 dependency accordingly. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-12 | Marked TELEMETRY-OBS-50-001 as DOING; branch `feature/telemetry-core-bootstrap` with resource detector/profile manifest in review; host sample slated 2025-11-18. | Telemetry Core Guild |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_174_telemetry.md` to `SPRINT_0174_0001_0001_telemetry.md`; content preserved. | Implementer |
+| 2025-11-19 | Added legacy-file redirect stub to avoid divergent updates. | Implementer |
+| 2025-11-20 | Marked tasks 50-002..56-001 BLOCKED: waiting on 50-001 package publication, Security scrub policy, and CLI incident-toggle contract; no executable work until upstream artefacts land. | Implementer |
+| 2025-11-19 | PREP-TELEMETRY-OBS-50-002-AWAIT-PUBLISHED-50 completed; bootstrap doc published. Downstream tasks remain blocked on propagation/scrub/toggle contracts. | Implementer |
+| 2025-11-19 | TELEMETRY-OBS-50-001 set to DONE; TELEMETRY-OBS-50-002 moved to TODO now that bootstrap package is documented. | Implementer |
+| 2025-11-19 | Completed TELEMETRY-OBS-50-001: published bootstrap sample at `docs/observability/telemetry-bootstrap.md`; library already present. | Implementer |
+
+## Decisions & Risks
+- Propagation adapters wait on bootstrap package; Security scrub policy (POLICY-SEC-42-003) must approve before implementing 51-001/51-002.
+- Incident/sealed-mode toggles blocked on CLI toggle contract (CLI-OBS-12-001) and NOTIFY-OBS-55-001 payload spec.
+- Ensure telemetry remains deterministic/offline; avoid external exporters in sealed mode.
+
+## Next Checkpoints
+| Date (UTC) | Milestone | Owner(s) |
+| --- | --- | --- |
+| 2025-11-18 | Land Telemetry Core bootstrap sample in Orchestrator. | Telemetry Core Guild · Orchestrator Guild |
+| 2025-11-19 | Publish propagation adapter API draft. | Telemetry Core Guild |
+| 2025-11-21 | Security sign-off on scrub policy (POLICY-SEC-42-003). | Telemetry Core Guild · Security Guild |
+| 2025-11-22 | Incident/CLI toggle contract agreed (CLI-OBS-12-001 + NOTIFY-OBS-55-001). | Telemetry Core Guild · Notifications Service Guild · CLI Guild |

docs/implplan/SPRINT_0185_0001_0001_shared_replay_primitives.md

@@ -0,0 +1,38 @@
+# Sprint 0185-0001-0001 · Shared Replay Primitives (Replay Core 185.A)
+
+## Topic & Scope
+- Stand up shared replay library, canonicalization/hashing helpers, deterministic bundle writer, and baseline replay documentation.
+- **Working directory:** `src/__Libraries/StellaOps.Replay.Core` and relevant docs under `docs/replay` and `docs/data`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 160 Export & Evidence for bundle contracts; Replay CAS section already published (2025-11-03).
+- Concurrency: execute tasks in listed order; docs tasks align with code tasks.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md (Replay CAS §5)
+- docs/replay/DETERMINISTIC_REPLAY.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | REPLAY-CORE-185-001 | TODO | CAS section published; start scaffolding library. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) | Scaffold `StellaOps.Replay.Core` with manifest schema types, canonical JSON rules, Merkle utilities, DSSE payload builders; add `AGENTS.md`/`TASKS.md`; cross-reference deterministic replay doc. |
+| 2 | REPLAY-CORE-185-002 | TODO | Depends on 185-001. | Platform Guild | Deterministic bundle writer (tar.zst, CAS naming) and hashing abstractions; update platform architecture doc with “Replay CAS” subsection. |
+| 3 | REPLAY-CORE-185-003 | TODO | Depends on 185-002. | Platform Data Guild | Define Mongo collections (`replay_runs`, `replay_bundles`, `replay_subjects`) and indices; align with schema doc. |
+| 4 | DOCS-REPLAY-185-003 | TODO | Parallel with 185-003. | Docs Guild · Platform Data Guild (docs) | Author `docs/data/replay_schema.md` detailing collections, index guidance, offline sync strategy. |
+| 5 | DOCS-REPLAY-185-004 | TODO | After 185-002/003. | Docs Guild (docs) | Expand `docs/replay/DEVS_GUIDE_REPLAY.md` with integration guidance (Scanner, Evidence Locker, CLI) and checklist from deterministic replay doc §11. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-03 | Replay CAS section published in `docs/modules/platform/architecture-overview.md` §5; tasks 185-001/002 may move to DOING once scaffolding starts. | Platform Guild |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_185_shared_replay_primitives.md` to `SPRINT_0185_0001_0001_shared_replay_primitives.md`; content preserved. | Implementer |
+| 2025-11-19 | Added legacy-file redirect stub to avoid divergent updates. | Implementer |
+
+## Decisions & Risks
+- Await library scaffolding start; ensure deterministic rules match published CAS section.
+- Schema/docs must stay aligned with Replay CAS layout to keep offline determinism.
+
+## Next Checkpoints
+- Kickoff once scaffolding resources assigned (date TBD).

docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md

@@ -0,0 +1,52 @@
+# Sprint 0186-0001-0001 · Record & Deterministic Execution (Scanner Replay 186.A)
+
+## Topic & Scope
+- Enable Scanner to emit replay manifests/bundles, enforce deterministic execution, align signing flows, and publish determinism evidence.
+- **Working directory:** `src/Scanner` (WebService, Worker, Replay), `src/Signer`, `src/Authority`, related docs under `docs/replay` and `docs/modules/scanner`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 0185 (Replay Core foundations) and Sprint 0130 Scanner & Surface.
+- Concurrency: execute tasks in listed order; signing tasks align with replay outputs; docs tasks mirror code tasks.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/replay/DETERMINISTIC_REPLAY.md
+- docs/replay/TEST_STRATEGY.md
+- docs/modules/scanner/architecture.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | SCAN-REPLAY-186-001 | TODO | Start record mode in WebService. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, docs) | Implement `record` mode (manifest assembly, policy/feed/tool hash capture, CAS uploads); doc workflow referencing replay doc §6. |
+| 2 | SCAN-REPLAY-186-002 | TODO | Depends on 186-001. | Scanner Guild | Update Worker analyzers to consume sealed input bundles, enforce deterministic ordering, contribute Merkle metadata; add `docs/modules/scanner/deterministic-execution.md`. |
+| 3 | SIGN-REPLAY-186-003 | TODO | Depends on 186-001/002. | Signing Guild (`src/Signer`, `src/Authority`) | Extend Signer/Authority DSSE flows to cover replay manifests/bundles; refresh signer/authority architecture docs referencing replay doc §5. |
+| 4 | SIGN-CORE-186-004 | TODO | Parallel with 186-003. | Signing Guild | Replace HMAC demo in Signer with StellaOps.Cryptography providers (keyless + KMS); provider selection, key loading, cosign-compatible DSSE output. |
+| 5 | SIGN-CORE-186-005 | TODO | Depends on 186-004. | Signing Guild | Refactor `SignerStatementBuilder` to support StellaOps predicate types and delegate canonicalisation to Provenance library when available. |
+| 6 | SIGN-TEST-186-006 | TODO | Depends on 186-004/005. | Signing Guild · QA Guild | Upgrade signer integration tests to real crypto abstraction + fixture predicates (promotion, SBOM, replay); deterministic test data. |
+| 7 | AUTH-VERIFY-186-007 | TODO | After 186-003. | Authority Guild · Provenance Guild | Authority-side helper/service validating DSSE signatures and Rekor proofs for promotion attestations using trusted checkpoints; offline audit flow. |
+| 8 | SCAN-DETER-186-008 | TODO | Parallel with 186-002. | Scanner Guild | Add deterministic execution switches (fixed clock, RNG seed, concurrency cap, feed/policy pins, log filtering) via CLI/env/config. |
+| 9 | SCAN-DETER-186-009 | TODO | Depends on 186-008. | Scanner Guild · QA Guild | Determinism harness to replay scans, canonicalise outputs, record hash matrices (`docs/modules/scanner/determinism-score.md`). |
+| 10 | SCAN-DETER-186-010 | TODO | Depends on 186-009. | Scanner Guild · Export Center Guild | Emit/publish `determinism.json` with scores/hashes/diffs alongside each scanner release via CAS/object storage; document in release guide. |
+| 11 | SCAN-ENTROPY-186-011 | TODO | Parallel track. | Scanner Guild | Entropy analysis for ELF/PE/Mach-O/opaque blobs (sliding-window metrics, section heuristics); record offsets/hints (see `docs/modules/scanner/entropy.md`). |
+| 12 | SCAN-ENTROPY-186-012 | TODO | Depends on 186-011. | Scanner Guild · Provenance Guild | Generate `entropy.report.json`, image-level penalties; attach evidence to manifests/attestations; expose ratios for policy engines. |
+| 13 | SCAN-CACHE-186-013 | TODO | Parallel with replay work. | Scanner Guild | Layer-level SBOM/VEX cache keyed by layer digest + manifest hash + tool/feed/policy IDs; re-verify DSSE on cache hits; persist indexes; document referencing 16-Nov-2026 advisory. |
+| 14 | SCAN-DIFF-CLI-186-014 | TODO | Depends on replay+cache scaffolding. | Scanner Guild · CLI Guild | Deterministic diff-aware rescan workflow (`scan.lock.json`, JSON Patch diffs, CLI verbs `stella scan --emit-diff` / `stella diff`); replayable tests; docs. |
+| 15 | SBOM-BRIDGE-186-015 | TODO | Parallel; coordinate with Sbomer. | Sbomer Guild · Scanner Guild | Establish SPDX 3.0.1 as canonical SBOM persistence; deterministic CycloneDX 1.6 exporter; map table/library; wire snapshot hashes into replay manifests. |
+| 16 | DOCS-REPLAY-186-004 | TODO | After replay schema settled. | Docs Guild | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade); link from replay docs and Scanner architecture. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-03 | `docs/replay/TEST_STRATEGY.md` drafted; Replay CAS section published — Scanner/Signer guilds should move replay tasks to DOING when engineering starts. | Planning |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_186_record_deterministic_execution.md` to `SPRINT_0186_0001_0001_record_deterministic_execution.md`; content preserved. | Implementer |
+| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
+
+## Decisions & Risks
+- Depends on Replay Core (0185); do not start until CAS and TEST_STRATEGY baselines are confirmed.
+- Deterministic execution must preserve hermetic runs; ensure fixed clock/RNG/log filtering before enabling harness.
+- Signing/verification changes must stay aligned with Provenance library once available.
+
+## Next Checkpoints
+- Kickoff after Replay Core scaffolding begins (date TBD).

docs/implplan/SPRINT_0187_0001_0001_evidence_locker_cli_integration.md

@@ -0,0 +1,50 @@
+# Sprint 0187-0001-0001 · Evidence Locker & CLI Integration (Replay Delivery 187.A)
+
+## Topic & Scope
+- Persist replay bundles in Evidence Locker, expose ledger-backed verification, and ship offline-ready CLI workflows with sovereign crypto support.
+- **Working directory:** `src/EvidenceLocker/StellaOps.EvidenceLocker`, `src/Cli/StellaOps.Cli`, `src/Attestor/StellaOps.Attestor`, relevant docs under `docs/replay`, `docs/modules/evidence-locker`, `docs/modules/cli`, `docs/runbooks`.
+
+## Dependencies & Concurrency
+- Upstream: Sprint 0186 (Scanner record mode), Sprint 0160 Export & Evidence, Sprint 0185 replay core, Sprint 0180 Experience & SDKs.
+- Concurrency: execute tasks in listed order; CLI/Attestor depend on EvidenceLocker API schema; crypto routing depends on provider registry readiness.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/replay/DETERMINISTIC_REPLAY.md
+- docs/replay/DEVS_GUIDE_REPLAY.md
+- docs/runbooks/replay_ops.md
+- docs/security/crypto-routing-audit-2025-11-07.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| P1 | PREP-EVID-REPLAY-187-001-SCANNER-RECORD-PAYLO | TODO | Due 2025-11-23 · Accountable: Evidence Locker Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`, docs) | Evidence Locker Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`, docs) | Scanner record payloads (Sprint 0186) not available; EvidenceLocker API schema cannot be drafted. <br><br> Document artefact/deliverable for EVID-REPLAY-187-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-CLI-REPLAY-187-002-DEPENDS-ON-187-001-SC | TODO | Due 2025-11-23 · Accountable: DevEx/CLI Guild (`src/Cli/StellaOps.Cli`, docs) | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`, docs) | Depends on 187-001 schema freeze. <br><br> Document artefact/deliverable for CLI-REPLAY-187-002 and publish location so downstream tasks can proceed. |
+| P3 | PREP-ATTEST-REPLAY-187-003-DEPENDS-ON-187-001 | TODO | Due 2025-11-23 · Accountable: Attestor Guild (`src/Attestor/StellaOps.Attestor`, docs) | Attestor Guild (`src/Attestor/StellaOps.Attestor`, docs) | Depends on 187-001 payloads. <br><br> Document artefact/deliverable for ATTEST-REPLAY-187-003 and publish location so downstream tasks can proceed. |
+| P4 | PREP-RUNBOOK-REPLAY-187-004-NEEDS-APIS-DEFINE | TODO | Due 2025-11-23 · Accountable: Docs Guild · Ops Guild (docs/runbooks) | Docs Guild · Ops Guild (docs/runbooks) | Needs APIs defined from 187-001. <br><br> Document artefact/deliverable for RUNBOOK-REPLAY-187-004 and publish location so downstream tasks can proceed. |
+| P5 | PREP-VALIDATE-BUNDLE-187-005-DEPENDS-ON-187-0 | TODO | Due 2025-11-23 · Accountable: QA Guild · CLI Guild · Docs Guild | QA Guild · CLI Guild · Docs Guild | Depends on 187-001/002/003; no payloads yet. <br><br> Document artefact/deliverable for VALIDATE-BUNDLE-187-005 and publish location so downstream tasks can proceed. |
+| P6 | PREP-EVID-CRYPTO-90-001-ICRYPTOPROVIDERREGIST | TODO | Due 2025-11-23 · Accountable: Evidence Locker Guild · Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`) | Evidence Locker Guild · Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`) | ICryptoProviderRegistry readiness not confirmed; sovereign crypto profiles pending. <br><br> Document artefact/deliverable for EVID-CRYPTO-90-001 and publish location so downstream tasks can proceed. |
+| 1 | EVID-REPLAY-187-001 | BLOCKED (2025-11-20) | PREP-EVID-REPLAY-187-001-SCANNER-RECORD-PAYLO | Evidence Locker Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`, docs) | Implement replay bundle ingestion/retention APIs; document storage/retention rules referencing replay doc §§2 & 8. |
+| 2 | CLI-REPLAY-187-002 | BLOCKED (2025-11-20) | PREP-CLI-REPLAY-187-002-DEPENDS-ON-187-001-SC | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`, docs) | Add `scan --record`, `verify`, `replay`, `diff` commands with offline bundle resolution; update CLI architecture and replay appendix. |
+| 3 | ATTEST-REPLAY-187-003 | BLOCKED (2025-11-20) | PREP-ATTEST-REPLAY-187-003-DEPENDS-ON-187-001 | Attestor Guild (`src/Attestor/StellaOps.Attestor`, docs) | Wire Attestor/Rekor anchoring for replay manifests; extend attestor architecture with replay ledger flow. |
+| 4 | RUNBOOK-REPLAY-187-004 | BLOCKED (2025-11-20) | PREP-RUNBOOK-REPLAY-187-004-NEEDS-APIS-DEFINE | Docs Guild · Ops Guild (docs/runbooks) | Publish `/docs/runbooks/replay_ops.md` covering retention enforcement, RootPack rotation, offline kits, verification drills. |
+| 5 | VALIDATE-BUNDLE-187-005 | BLOCKED (2025-11-20) | PREP-VALIDATE-BUNDLE-187-005-DEPENDS-ON-187-0 | QA Guild · CLI Guild · Docs Guild | Deliver `VALIDATION_PLAN.md`, harness scripts (quiet vs baseline, provenance bundle export), `stella bundle verify` subcommand checking DSSE/Rekor/SBOM/policy/replay claims end-to-end. |
+| 6 | EVID-CRYPTO-90-001 | BLOCKED (2025-11-20) | PREP-EVID-CRYPTO-90-001-ICRYPTOPROVIDERREGIST | Evidence Locker Guild · Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`) | Route Evidence Locker hashing/signing (manifest digests, DSSE assembly, bundle encryption) through crypto provider registry for sovereign profiles. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
+| 2025-11-03 | `/docs/runbooks/replay_ops.md` created; teams can move replay delivery tasks to DOING alongside Ops runbook rehearsals. | Docs Guild |
+| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_187_evidence_locker_cli_integration.md` to `SPRINT_0187_0001_0001_evidence_locker_cli_integration.md`; content preserved. | Implementer |
+| 2025-11-19 | Added legacy-file redirect stub to avoid divergent updates. | Implementer |
+| 2025-11-20 | Marked all tasks BLOCKED: waiting on Scanner record payloads (Sprint 0186) and ICryptoProviderRegistry readiness; no executable work in this sprint until upstream artefacts land. | Implementer |
+
+## Decisions & Risks
+- EvidenceLocker API schema must align with replay bundles and sovereign crypto routing; approval review on 2025-11-18.
+- CLI/Attestor work blocked until Scanner record payloads and EvidenceLocker schema freeze.
+- Provider registry must support sovereign profiles (`ru-offline`, etc.) before wiring EVID-CRYPTO-90-001.
+
+## Next Checkpoints
+- Schedule joint review of replay_ops runbook and EvidenceLocker API (date TBD).

docs/implplan/SPRINT_0215_0001_0001_web_iv.md

@@ -0,0 +1,52 @@
+# Sprint 0215-0001-0001 · Web IV (Experience & SDKs 180.F)
+
+## Topic & Scope
+- Phase IV web gateway work: orchestrator controls and Policy Studio CRUD/simulation endpoints aligned with Policy Engine.
+- Complete policy pack lifecycle (CRUD → activation → publish/promote) with deterministic pagination, RBAC, and telemetry.
+- Wire console/CLI consumers by keeping API docs and rate limits in sync with Sprint 180.F deliverables.
+- **Working directory:** `src/Web/StellaOps.Web`.
+
+## Dependencies & Concurrency
+- Upstream Sprint 180.F (Web III) must land shared components before these endpoints go live.
+- Policy endpoints (20-001 → 20-004) must complete in order; Policy pack tracks (23-001/002) stay BLOCKED until 20-004 ships.
+- Policy registry/Studio extensions (27-001…27-005) are sequential; avoid parallel development without shared schema updates.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/policy/architecture.md`
+- `src/Web/StellaOps.Web/AGENTS.md`
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | WEB-ORCH-33-001 | TODO | WEB-ORCH-32-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add POST action routes (pause/resume/backfill) for orchestrator-run control, honoring RBAC and audit logging. |
+| 2 | WEB-ORCH-34-001 | TODO | WEB-ORCH-33-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose quotas/backfill APIs plus queue/backpressure metrics with admin scopes and error clustering. |
+| 3 | WEB-POLICY-20-001 | TODO | — | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI + tenant scoping. |
+| 4 | WEB-POLICY-20-002 | TODO | WEB-POLICY-20-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add pagination/filtering/sorting + tenant guards to policy listings with deterministic ordering diagnostics. |
+| 5 | WEB-POLICY-20-003 | TODO | WEB-POLICY-20-002 | BE-Base Platform Guild · QA Guild (`src/Web/StellaOps.Web`) | Map engine errors to `ERR_POL_*` payloads with contract tests and correlation IDs. |
+| 6 | WEB-POLICY-20-004 | TODO | WEB-POLICY-20-003 | Platform Reliability Guild (`src/Web/StellaOps.Web`) | Introduce adaptive rate limits/quotas for simulations, expose metrics, and document retry headers. |
+| 7 | WEB-POLICY-23-001 | BLOCKED (2025-10-29) | WEB-POLICY-20-004 | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Create/list/fetch policy packs and revisions with pagination, RBAC, and AOC metadata exposure. |
+| 8 | WEB-POLICY-23-002 | BLOCKED (2025-10-29) | WEB-POLICY-23-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add activation endpoints with scope windows, conflict checks, optional two-person approvals, and events. |
+| 9 | WEB-POLICY-23-003 | TODO | WEB-POLICY-23-002 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide `/policy/simulate` + `/policy/evaluate` streaming APIs with rate limiting and error mapping. |
+| 10 | WEB-POLICY-23-004 | TODO | WEB-POLICY-23-003 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose explain history endpoints showing decision trees, consulted sources, and AOC chain. |
+| 11 | WEB-POLICY-27-001 | TODO | WEB-POLICY-23-004 | BE-Base Platform Guild · Policy Registry Guild (`src/Web/StellaOps.Web`) | Proxy Policy Registry APIs (workspaces/versions/reviews) with tenant scoping, RBAC, and streaming downloads. |
+| 12 | WEB-POLICY-27-002 | TODO | WEB-POLICY-27-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement review lifecycle endpoints (open/comment/approve/reject) with audit headers and pagination. |
+| 13 | WEB-POLICY-27-003 | TODO | WEB-POLICY-27-002 | BE-Base Platform Guild · Scheduler Guild (`src/Web/StellaOps.Web`) | Expose quick/batch simulation endpoints with SSE progress streams, cursor pagination, and manifest downloads. |
+| 14 | WEB-POLICY-27-004 | TODO | WEB-POLICY-27-003 | BE-Base Platform Guild · Security Guild (`src/Web/StellaOps.Web`) | Add publish/sign/promote/rollback endpoints with idempotent IDs, canary params, environment bindings, and events. |
+| 15 | WEB-POLICY-27-005 | TODO | WEB-POLICY-27-004 | BE-Base Platform Guild · Observability Guild (`src/Web/StellaOps.Web`) | Instrument Policy Studio metrics/logs (compile latency, simulation queue depth, approvals, promotions) and dashboards. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Normalized sprint to standard template and migrated content from `SPRINT_215_web_iv.md`. | Project Mgmt |
+
+## Decisions & Risks
+- Policy pack CRUD/activation (WEB-POLICY-23-001/002) remain BLOCKED until WEB-POLICY-20-004 rate-limit work lands.
+- Registry/Studio chain (WEB-POLICY-27-001..005) must stay in order to keep schemas stable; avoid parallel merges without shared reviews.
+- Ensure RBAC + tenant-scoping docs stay aligned with Policy Engine contracts to prevent drift during promotions.
+
+## Next Checkpoints
+- 2025-11-22 · Verify WEB-POLICY-20-004 rate-limit design review completed (Platform Reliability Guild).
+- 2025-11-25 · Policy pack CRUD kickoff pending unblock from WEB-POLICY-20-004 (Policy Guild + BE-Base Platform Guild).

docs/implplan/SPRINT_0316_0001_0001_docs_modules_cli.md

@@ -21,13 +21,15 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-CLI-OPS-0001-WAITING-FOR-NEXT-DEMO-OUTPU | TODO | Due 2025-11-25 · Accountable: Ops Guild | Ops Guild | Waiting for next demo outputs. <br><br> Document artefact/deliverable for CLI-OPS-0001 and publish location so downstream tasks can proceed. |
 | 1 | CLI-DOCS-0001 | DONE | Synced sprint references on 2025-11-17 | Docs Guild | Update docs/AGENTS to reflect current CLI scope and sprint naming; align with template rules. |
 | 2 | CLI-ENG-0001 | DONE | Sprint normalized; statuses mirrored | Module Team | Update status via ./AGENTS.md workflow and ensure module docs reference current sprint. |
-| 3 | CLI-OPS-0001 | BLOCKED | Waiting for next demo outputs | Ops Guild | Sync outcomes back to ../.. ; refresh ops/runbook notes after demo. |
+| 3 | CLI-OPS-0001 | BLOCKED | PREP-CLI-OPS-0001-WAITING-FOR-NEXT-DEMO-OUTPU | Ops Guild | Sync outcomes back to ../.. ; refresh ops/runbook notes after demo. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-17 | Normalised sprint to standard template; renamed from SPRINT_316_docs_modules_cli.md. | Docs |
 | 2025-11-17 | Completed CLI-DOCS-0001 and CLI-ENG-0001 by updating CLI docs to reference normalized sprint. | Module Team |
 

docs/implplan/SPRINT_0321_0001_0001_docs_modules_graph.md

@@ -20,13 +20,15 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-GRAPH-OPS-0001-WAITING-FOR-NEXT-DEMO-OUT | TODO | Due 2025-11-25 · Accountable: Ops Guild | Ops Guild | Waiting for next demo outputs to review dashboards/runbooks. <br><br> Document artefact/deliverable for GRAPH-OPS-0001 and publish location so downstream tasks can proceed. |
 | 1 | GRAPH-ENG-0001 | DONE | Synced docs to Sprint 0141 rename on 2025-11-17 | Module Team | Keep module milestones in sync with `/docs/implplan/SPRINT_0141_0001_0001_graph_indexer.md` and related files; update references and note deltas. |
 | 2 | GRAPH-DOCS-0002 | BLOCKED | Await DOCS-GRAPH-24-003 cross-links | Docs Guild | Add API/query doc cross-links once DOCS-GRAPH-24-003 lands. |
-| 3 | GRAPH-OPS-0001 | BLOCKED | Waiting for next demo outputs to review dashboards/runbooks | Ops Guild | Review graph observability dashboards/runbooks after the next sprint demo; capture updates in runbooks. |
+| 3 | GRAPH-OPS-0001 | BLOCKED | PREP-GRAPH-OPS-0001-WAITING-FOR-NEXT-DEMO-OUT | Ops Guild | Review graph observability dashboards/runbooks after the next sprint demo; capture updates in runbooks. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-17 | Marked GRAPH-DOCS-0002 and GRAPH-OPS-0001 as BLOCKED pending DOCS-GRAPH-24-003 + next demo outputs. | Module Team |
 | 2025-11-17 | Completed GRAPH-ENG-0001; README and implementation_plan now reference SPRINT_0141_0001_0001_graph_indexer.md. | Module Team |
 | 2025-11-17 | Normalised sprint to standard template; renamed from SPRINT_321_docs_modules_graph.md. | Docs |

docs/implplan/SPRINT_0400_0001_0001_reachability_runtime_static_union.md

@@ -21,10 +21,10 @@
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | ZASTAVA-REACH-201-001 | TODO | Need runtime symbol sampling design; align with GAP-ZAS-002 | Zastava Observer Guild | Implement runtime symbol sampling in `StellaOps.Zastava.Observer` (EntryTrace-aware shell AST + build-id capture) and stream ND-JSON batches to Signals `/runtime-facts`, including CAS pointers for traces. Update runbook + config references. |
-| 2 | SCAN-REACH-201-002 | DOING | Continue static lifters; ensure SymbolID generation matches runtime | Scanner Worker Guild | Ship language-aware static lifters (JVM, .NET/Roslyn+IL, Go SSA, Node/Deno TS AST, Rust MIR, Swift SIL, shell/binary analyzers) in Scanner Worker; emit canonical SymbolIDs, CAS-stored graphs, and attach reachability tags to SBOM components. |
+| 2 | SCAN-REACH-201-002 | BLOCKED | Await runtime/static union schema (SymbolID + CAS layout) | Scanner Worker Guild | Ship language-aware static lifters (JVM, .NET/Roslyn+IL, Go SSA, Node/Deno TS AST, Rust MIR, Swift SIL, shell/binary analyzers) in Scanner Worker; emit canonical SymbolIDs, CAS-stored graphs, and attach reachability tags to SBOM components. |
-| 3 | SIGNALS-REACH-201-003 | DOING | Ingest schema needs runtime/static union spec | Signals Guild | Extend Signals ingestion to accept the new multi-language graphs + runtime facts, normalize into `reachability_graphs` CAS layout, and expose retrieval APIs for Policy/CLI. |
+| 3 | SIGNALS-REACH-201-003 | BLOCKED | Runtime/static union schema not published | Signals Guild | Extend Signals ingestion to accept the new multi-language graphs + runtime facts, normalize into `reachability_graphs` CAS layout, and expose retrieval APIs for Policy/CLI. |
-| 4 | SIGNALS-REACH-201-004 | DOING | Depends on 201-003 schema | Signals Guild · Policy Guild | Build the reachability scoring engine (state/score/confidence), wire Redis caches + `signals.fact.updated` events, and integrate reachability weights defined in `docs/11_DATA_SCHEMAS.md`. |
+| 4 | SIGNALS-REACH-201-004 | BLOCKED | Depends on 201-003 schema | Signals Guild · Policy Guild | Build the reachability scoring engine (state/score/confidence), wire Redis caches + `signals.fact.updated` events, and integrate reachability weights defined in `docs/11_DATA_SCHEMAS.md`. |
-| 5 | REPLAY-REACH-201-005 | DOING | Needs finalized graph payload shape | BE-Base Platform Guild | Update `StellaOps.Replay.Core` manifest schema + bundle writer so replay packs capture reachability graphs, runtime traces, analyzer versions, and evidence hashes; document new CAS namespace. |
+| 5 | REPLAY-REACH-201-005 | BLOCKED | Needs finalized graph payload shape | BE-Base Platform Guild | Update `StellaOps.Replay.Core` manifest schema + bundle writer so replay packs capture reachability graphs, runtime traces, analyzer versions, and evidence hashes; document new CAS namespace. |
 | 6 | DOCS-REACH-201-006 | TODO | Requires outputs from 1–5 | Docs Guild | Author the reachability doc set (`docs/signals/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operator workflows. |
 | 7 | QA-REACH-201-007 | TODO | Move fixtures + create evaluator harness | QA Guild | Integrate `reachbench-2025-expanded` fixture pack under `tests/reachability/fixtures/`, add evaluator harness tests that validate reachable vs unreachable cases, and wire CI guidance for deterministic runs. |
 | 8 | GAP-SCAN-001 | TODO | Align with task 2; binary symbolizers | Scanner Worker Guild | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical SymbolIDs and `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. |
@@ -34,6 +34,7 @@
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_400_runtime_facts_static_callgraph_union.md. | Docs |
+| 2025-11-19 | Marked tasks 201-002..201-005 BLOCKED pending runtime/static union schema (SymbolID+CAS layout); no implementation until schema is published. | Implementer |
 
 ## Decisions & Risks
 - Runtime/static schema alignment pending (SymbolID, CAS layout, overlay tags); blocks ingestion and scoring finalization.

docs/implplan/SPRINT_0509_0001_0001_samples.md

@@ -19,17 +19,22 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | SAMPLES-GRAPH-24-003 | DOING | Align overlay format with Graph Guild; build mock SBOM bundle source list | Samples Guild · SBOM Service Guild | Generate large-scale SBOM graph fixture (~40k nodes) with policy overlay snapshot for perf/regression suites. |
+| P1 | PREP-SAMPLES-LNM-22-001-WAITING-ON-FINALIZED | TODO | Due 2025-11-26 · Accountable: Samples Guild · Concelier Guild | Samples Guild · Concelier Guild | Waiting on finalized advisory linkset schema (Concelier). <br><br> Document artefact/deliverable for SAMPLES-LNM-22-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-SAMPLES-LNM-22-002-DEPENDS-ON-22-001-OUT | TODO | Due 2025-11-26 · Accountable: Samples Guild · Excititor Guild | Samples Guild · Excititor Guild | Depends on 22-001 outputs + Excititor observation/linkset implementation. <br><br> Document artefact/deliverable for SAMPLES-LNM-22-002 and publish location so downstream tasks can proceed. |
+| 1 | SAMPLES-GRAPH-24-003 | BLOCKED | Await Graph overlay format decision + mock SBOM cache availability | Samples Guild · SBOM Service Guild | Generate large-scale SBOM graph fixture (~40k nodes) with policy overlay snapshot for perf/regression suites. |
 | 2 | SAMPLES-GRAPH-24-004 | TODO | Blocked on 24-003 fixture availability | Samples Guild · UI Guild | Create vulnerability explorer JSON/CSV fixtures capturing conflicting evidence and policy outputs for UI/CLI automated tests. |
-| 3 | SAMPLES-LNM-22-001 | BLOCKED | Waiting on finalized advisory linkset schema (Concelier) | Samples Guild · Concelier Guild | Create advisory observation/linkset fixtures (NVD, GHSA, OSV disagreements) for API/CLI/UI tests with documented conflicts. |
+| 3 | SAMPLES-LNM-22-001 | BLOCKED | PREP-SAMPLES-LNM-22-001-WAITING-ON-FINALIZED | Samples Guild · Concelier Guild | Create advisory observation/linkset fixtures (NVD, GHSA, OSV disagreements) for API/CLI/UI tests with documented conflicts. |
-| 4 | SAMPLES-LNM-22-002 | BLOCKED | Depends on 22-001 outputs + Excititor observation/linkset implementation | Samples Guild · Excititor Guild | Produce VEX observation/linkset fixtures demonstrating status conflicts and path relevance; include raw blobs. |
+| 4 | SAMPLES-LNM-22-002 | BLOCKED | PREP-SAMPLES-LNM-22-002-DEPENDS-ON-22-001-OUT | Samples Guild · Excititor Guild | Produce VEX observation/linkset fixtures demonstrating status conflicts and path relevance; include raw blobs. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Normalized PREP-SAMPLES-LNM-22-001 Task ID (removed trailing hyphen) for dependency tracking. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-18 | Drafted fixture plan (`samples/graph/fixtures-plan.md`) outlining contents, assumptions, and blockers for SAMPLES-GRAPH-24-003. | Samples |
 | 2025-11-18 | Kicked off SAMPLES-GRAPH-24-003 (overlay format + mock bundle sources); other tasks unchanged. | Samples |
 | 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_509_samples.md. | Ops/Docs |
+| 2025-11-19 | Marked SAMPLES-GRAPH-24-003 BLOCKED pending Graph overlay format decision and mock SBOM cache availability. | Implementer |
 
 ## Decisions & Risks
 - Linkset fixtures blocked by Concelier/Excititor schema finalization; revisit once schemas freeze.

docs/implplan/SPRINT_0510_0001_0001_airgap.md

@@ -18,25 +18,35 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | AIRGAP-CTL-56-001 | BLOCKED | Controller project scaffold missing; need baseline service skeleton | AirGap Controller Guild | Implement `airgap_state` persistence, seal/unseal state machine, and Authority scope checks (`airgap:seal`, `airgap:status:read`). |
+| P1 | PREP-AIRGAP-CTL-56-001-CONTROLLER-PROJECT-SCA | TODO | Due 2025-11-26 · Accountable: AirGap Controller Guild | AirGap Controller Guild | Controller project scaffold missing; need baseline service skeleton. <br><br> Document artefact/deliverable for AIRGAP-CTL-56-001 and publish location so downstream tasks can proceed. |
-| 2 | AIRGAP-CTL-56-002 | BLOCKED | Blocked on 56-001 scaffolding | AirGap Controller Guild · DevOps Guild | Expose `GET /system/airgap/status`, `POST /system/airgap/seal`, integrate policy hash validation, and return staleness/time anchor placeholders. |
+| P2 | PREP-AIRGAP-CTL-56-002-BLOCKED-ON-56-001-SCAF | TODO | Due 2025-11-26 · Accountable: AirGap Controller Guild · DevOps Guild | AirGap Controller Guild · DevOps Guild | Blocked on 56-001 scaffolding. <br><br> Document artefact/deliverable for AIRGAP-CTL-56-002 and publish location so downstream tasks can proceed. |
-| 3 | AIRGAP-CTL-57-001 | BLOCKED | Blocked on 56-002 | AirGap Controller Guild | Add startup diagnostics that block application run when sealed flag set but egress policies missing; emit audit + telemetry. |
+| P3 | PREP-AIRGAP-CTL-57-001-BLOCKED-ON-56-002 | TODO | Due 2025-11-26 · Accountable: AirGap Controller Guild | AirGap Controller Guild | Blocked on 56-002. <br><br> Document artefact/deliverable for AIRGAP-CTL-57-001, AIRGAP-IMP-57-001 and publish location so downstream tasks can proceed. |
-| 4 | AIRGAP-CTL-57-002 | BLOCKED | Blocked on 57-001 | AirGap Controller Guild · Observability Guild | Instrument seal/unseal events with trace/log fields and timeline emission (`airgap.sealed`, `airgap.unsealed`). |
+| P4 | PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | TODO | Due 2025-11-26 · Accountable: AirGap Controller Guild · Observability Guild | AirGap Controller Guild · Observability Guild | Blocked on 57-001. <br><br> Document artefact/deliverable for AIRGAP-CTL-57-002, AIRGAP-IMP-57-002, AIRGAP-TIME-57-002 and publish location so downstream tasks can proceed. |
-| 5 | AIRGAP-CTL-58-001 | BLOCKED | Blocked on 57-002 | AirGap Controller Guild · AirGap Time Guild | Persist time anchor metadata, compute drift seconds, and surface staleness budgets in status API. |
+| P5 | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | TODO | Due 2025-11-26 · Accountable: AirGap Controller Guild · AirGap Time Guild | AirGap Controller Guild · AirGap Time Guild | Blocked on 57-002. <br><br> Document artefact/deliverable for AIRGAP-CTL-58-001, AIRGAP-IMP-58-001, AIRGAP-TIME-58-001 and publish location so downstream tasks can proceed. |
-| 6 | AIRGAP-IMP-56-001 | BLOCKED | Importer project scaffold missing; need trust-root inputs | AirGap Importer Guild | Implement DSSE verification helpers, TUF metadata parser (`root.json`, `snapshot.json`, `timestamp.json`), and Merkle root calculator. |
+| P6 | PREP-AIRGAP-IMP-56-001-IMPORTER-PROJECT-SCAFF | TODO | Due 2025-11-26 · Accountable: AirGap Importer Guild | AirGap Importer Guild | Importer project scaffold missing; need trust-root inputs. <br><br> Document artefact/deliverable for AIRGAP-IMP-56-001 and publish location so downstream tasks can proceed. |
-| 7 | AIRGAP-IMP-56-002 | BLOCKED | Blocked on 56-001 | AirGap Importer Guild · Security Guild | Introduce root rotation policy validation (dual approval) and signer trust store management. |
+| P7 | PREP-AIRGAP-IMP-56-002-BLOCKED-ON-56-001 | TODO | Due 2025-11-26 · Accountable: AirGap Importer Guild · Security Guild | AirGap Importer Guild · Security Guild | Blocked on 56-001. <br><br> Document artefact/deliverable for AIRGAP-IMP-56-002 and publish location so downstream tasks can proceed. |
-| 8 | AIRGAP-IMP-57-001 | BLOCKED | Blocked on 56-002 | AirGap Importer Guild | Write `bundle_catalog` and `bundle_items` repositories with RLS + deterministic migrations. |
+| P8 | PREP-AIRGAP-IMP-58-002-BLOCKED-ON-58-001 | TODO | Due 2025-11-26 · Accountable: AirGap Importer Guild · Observability Guild | AirGap Importer Guild · Observability Guild | Blocked on 58-001. <br><br> Document artefact/deliverable for AIRGAP-IMP-58-002, AIRGAP-TIME-58-002 and publish location so downstream tasks can proceed. |
-| 9 | AIRGAP-IMP-57-002 | BLOCKED | Blocked on 57-001 | AirGap Importer Guild · DevOps Guild | Implement object-store loader storing artifacts under tenant/global mirror paths with Zstandard decompression and checksum validation. |
+| P9 | PREP-AIRGAP-TIME-57-001-TIME-COMPONENT-SCAFFO | TODO | Due 2025-11-26 · Accountable: AirGap Time Guild | AirGap Time Guild | Time component scaffold missing; need token format decision. <br><br> Document artefact/deliverable for AIRGAP-TIME-57-001 and publish location so downstream tasks can proceed. |
-| 10 | AIRGAP-IMP-58-001 | BLOCKED | Blocked on 57-002 | AirGap Importer Guild · CLI Guild | Implement API (`POST /airgap/import`, `/airgap/verify`) and CLI commands wiring verification + catalog updates, including diff preview. |
+| 1 | AIRGAP-CTL-56-001 | BLOCKED | PREP-AIRGAP-CTL-56-001-CONTROLLER-PROJECT-SCA | AirGap Controller Guild | Implement `airgap_state` persistence, seal/unseal state machine, and Authority scope checks (`airgap:seal`, `airgap:status:read`). |
-| 11 | AIRGAP-IMP-58-002 | BLOCKED | Blocked on 58-001 | AirGap Importer Guild · Observability Guild | Emit timeline events (`airgap.import.started`, `airgap.import.completed`) with staleness metrics. |
+| 2 | AIRGAP-CTL-56-002 | BLOCKED | PREP-AIRGAP-CTL-56-002-BLOCKED-ON-56-001-SCAF | AirGap Controller Guild · DevOps Guild | Expose `GET /system/airgap/status`, `POST /system/airgap/seal`, integrate policy hash validation, and return staleness/time anchor placeholders. |
-| 12 | AIRGAP-TIME-57-001 | BLOCKED | Time component scaffold missing; need token format decision | AirGap Time Guild | Implement signed time token parser (Roughtime/RFC3161), verify signatures against bundle trust roots, and expose normalized anchor representation. |
+| 3 | AIRGAP-CTL-57-001 | BLOCKED | PREP-AIRGAP-CTL-57-001-BLOCKED-ON-56-002 | AirGap Controller Guild | Add startup diagnostics that block application run when sealed flag set but egress policies missing; emit audit + telemetry. |
-| 13 | AIRGAP-TIME-57-002 | BLOCKED | Blocked on 57-001 | AirGap Time Guild · Observability Guild | Add telemetry counters for time anchors (`airgap_time_anchor_age_seconds`) and alerts for approaching thresholds. |
+| 4 | AIRGAP-CTL-57-002 | BLOCKED | PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | AirGap Controller Guild · Observability Guild | Instrument seal/unseal events with trace/log fields and timeline emission (`airgap.sealed`, `airgap.unsealed`). |
-| 14 | AIRGAP-TIME-58-001 | BLOCKED | Blocked on 57-002 | AirGap Time Guild | Persist drift baseline, compute per-content staleness (advisories, VEX, policy) based on bundle metadata, and surface through controller status API. |
+| 5 | AIRGAP-CTL-58-001 | BLOCKED | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | AirGap Controller Guild · AirGap Time Guild | Persist time anchor metadata, compute drift seconds, and surface staleness budgets in status API. |
-| 15 | AIRGAP-TIME-58-002 | BLOCKED | Blocked on 58-001 | AirGap Time Guild · Notifications Guild | Emit notifications and timeline events when staleness budgets breached or approaching. |
+| 6 | AIRGAP-IMP-56-001 | BLOCKED | PREP-AIRGAP-IMP-56-001-IMPORTER-PROJECT-SCAFF | AirGap Importer Guild | Implement DSSE verification helpers, TUF metadata parser (`root.json`, `snapshot.json`, `timestamp.json`), and Merkle root calculator. |
+| 7 | AIRGAP-IMP-56-002 | BLOCKED | PREP-AIRGAP-IMP-56-002-BLOCKED-ON-56-001 | AirGap Importer Guild · Security Guild | Introduce root rotation policy validation (dual approval) and signer trust store management. |
+| 8 | AIRGAP-IMP-57-001 | BLOCKED | PREP-AIRGAP-CTL-57-001-BLOCKED-ON-56-002 | AirGap Importer Guild | Write `bundle_catalog` and `bundle_items` repositories with RLS + deterministic migrations. |
+| 9 | AIRGAP-IMP-57-002 | BLOCKED | PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | AirGap Importer Guild · DevOps Guild | Implement object-store loader storing artifacts under tenant/global mirror paths with Zstandard decompression and checksum validation. |
+| 10 | AIRGAP-IMP-58-001 | BLOCKED | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | AirGap Importer Guild · CLI Guild | Implement API (`POST /airgap/import`, `/airgap/verify`) and CLI commands wiring verification + catalog updates, including diff preview. |
+| 11 | AIRGAP-IMP-58-002 | BLOCKED | PREP-AIRGAP-IMP-58-002-BLOCKED-ON-58-001 | AirGap Importer Guild · Observability Guild | Emit timeline events (`airgap.import.started`, `airgap.import.completed`) with staleness metrics. |
+| 12 | AIRGAP-TIME-57-001 | BLOCKED | PREP-AIRGAP-TIME-57-001-TIME-COMPONENT-SCAFFO | AirGap Time Guild | Implement signed time token parser (Roughtime/RFC3161), verify signatures against bundle trust roots, and expose normalized anchor representation. |
+| 13 | AIRGAP-TIME-57-002 | BLOCKED | PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | AirGap Time Guild · Observability Guild | Add telemetry counters for time anchors (`airgap_time_anchor_age_seconds`) and alerts for approaching thresholds. |
+| 14 | AIRGAP-TIME-58-001 | BLOCKED | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | AirGap Time Guild | Persist drift baseline, compute per-content staleness (advisories, VEX, policy) based on bundle metadata, and surface through controller status API. |
+| 15 | AIRGAP-TIME-58-002 | BLOCKED | PREP-AIRGAP-IMP-58-002-BLOCKED-ON-58-001 | AirGap Time Guild · Notifications Guild | Emit notifications and timeline events when staleness budgets breached or approaching. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-18 | Marked all AIRGAP controller/importer/time tasks BLOCKED: no project scaffolds exist under src/AirGap; need baseline service skeletons and token format decisions before implementation. | Ops/Docs |
 | 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_510_airgap.md. | Ops/Docs |
 

docs/implplan/SPRINT_0512_0001_0001_bench.md

@@ -19,17 +19,25 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | BENCH-GRAPH-21-001 | BLOCKED | Need graph bench harness scaffolding (50k/100k nodes) | Bench Guild · Graph Platform Guild | Build graph viewport/path benchmark harness (50k/100k nodes) measuring Graph API/Indexer latency, memory, and tile cache hit rates. |
+| P1 | PREP-BENCH-GRAPH-21-001-NEED-GRAPH-BENCH-HARN | TODO | Due 2025-11-26 · Accountable: Bench Guild · Graph Platform Guild | Bench Guild · Graph Platform Guild | Need graph bench harness scaffolding (50k/100k nodes). <br><br> Document artefact/deliverable for BENCH-GRAPH-21-001 and publish location so downstream tasks can proceed. |
-| 2 | BENCH-GRAPH-21-002 | BLOCKED | Blocked on 21-001 harness | Bench Guild · UI Guild | Add headless UI load benchmark (Playwright) for graph canvas interactions to track render times and FPS budgets. |
+| P2 | PREP-BENCH-GRAPH-21-002-BLOCKED-ON-21-001-HAR | TODO | Due 2025-11-26 · Accountable: Bench Guild · UI Guild | Bench Guild · UI Guild | Blocked on 21-001 harness. <br><br> Document artefact/deliverable for BENCH-GRAPH-21-002 and publish location so downstream tasks can proceed. |
+| P3 | PREP-BENCH-IMPACT-16-001-IMPACT-INDEX-DATASET | TODO | Due 2025-11-26 · Accountable: Bench Guild · Scheduler Team | Bench Guild · Scheduler Team | Impact index dataset/replay inputs not provided. <br><br> Document artefact/deliverable for BENCH-IMPACT-16-001 and publish location so downstream tasks can proceed. |
+| P4 | PREP-BENCH-POLICY-20-002-POLICY-DELTA-SAMPLE | TODO | Due 2025-11-26 · Accountable: Bench Guild · Policy Guild · Scheduler Guild | Bench Guild · Policy Guild · Scheduler Guild | Policy delta sample inputs missing. <br><br> Document artefact/deliverable for BENCH-POLICY-20-002 and publish location so downstream tasks can proceed. |
+| P5 | PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX | TODO | Due 2025-11-26 · Accountable: Bench Guild · Signals Guild | Bench Guild · Signals Guild | Reachability schema/fixtures pending Sprint 0400/0401. <br><br> Document artefact/deliverable for BENCH-SIG-26-001 and publish location so downstream tasks can proceed. |
+| P6 | PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU | TODO | Due 2025-11-26 · Accountable: Bench Guild · Policy Guild | Bench Guild · Policy Guild | Blocked on 26-001 outputs. <br><br> Document artefact/deliverable for BENCH-SIG-26-002 and publish location so downstream tasks can proceed. |
+| 1 | BENCH-GRAPH-21-001 | BLOCKED | PREP-BENCH-GRAPH-21-001-NEED-GRAPH-BENCH-HARN | Bench Guild · Graph Platform Guild | Build graph viewport/path benchmark harness (50k/100k nodes) measuring Graph API/Indexer latency, memory, and tile cache hit rates. |
+| 2 | BENCH-GRAPH-21-002 | BLOCKED | PREP-BENCH-GRAPH-21-002-BLOCKED-ON-21-001-HAR | Bench Guild · UI Guild | Add headless UI load benchmark (Playwright) for graph canvas interactions to track render times and FPS budgets. |
 | 3 | BENCH-GRAPH-24-002 | BLOCKED | Waiting for 50k/100k graph fixture (SAMPLES-GRAPH-24-003) | Bench Guild · UI Guild | Implement UI interaction benchmarks (filter/zoom/table operations) citing p95 latency; integrate with perf dashboards. |
-| 4 | BENCH-IMPACT-16-001 | BLOCKED | Impact index dataset/replay inputs not provided | Bench Guild · Scheduler Team | ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. |
+| 4 | BENCH-IMPACT-16-001 | BLOCKED | PREP-BENCH-IMPACT-16-001-IMPACT-INDEX-DATASET | Bench Guild · Scheduler Team | ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. |
-| 5 | BENCH-POLICY-20-002 | BLOCKED | Policy delta sample inputs missing | Bench Guild · Policy Guild · Scheduler Guild | Add incremental run benchmark measuring delta evaluation vs full; capture SLA compliance. |
+| 5 | BENCH-POLICY-20-002 | BLOCKED | PREP-BENCH-POLICY-20-002-POLICY-DELTA-SAMPLE | Bench Guild · Policy Guild · Scheduler Guild | Add incremental run benchmark measuring delta evaluation vs full; capture SLA compliance. |
-| 6 | BENCH-SIG-26-001 | BLOCKED | Reachability schema/fixtures pending Sprint 0400/0401 | Bench Guild · Signals Guild | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. |
+| 6 | BENCH-SIG-26-001 | BLOCKED | PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX | Bench Guild · Signals Guild | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. |
-| 7 | BENCH-SIG-26-002 | BLOCKED | Blocked on 26-001 outputs | Bench Guild · Policy Guild | Measure policy evaluation overhead with reachability cache hot/cold; ensure ≤8 ms p95 added latency. |
+| 7 | BENCH-SIG-26-002 | BLOCKED | PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU | Bench Guild · Policy Guild | Measure policy evaluation overhead with reachability cache hot/cold; ensure ≤8 ms p95 added latency. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Trimmed trailing hyphen from PREP-BENCH-POLICY-20-002 Task ID to keep BENCH-POLICY-20-002 blocker resolvable. | Project Mgmt |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-18 | Marked BENCH-GRAPH-24-002, BENCH-IMPACT-16-001, BENCH-POLICY-20-002, BENCH-SIG-26-001/002 as BLOCKED pending fixtures/datasets and reachability schema. | Bench |
 | 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_512_bench.md. | Ops/Docs |
 

docs/implplan/SPRINT_0514_0001_0001_sovereign_crypto_enablement.md

@@ -17,6 +17,7 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
+| P1 | PREP-AUTH-CRYPTO-90-001-NEEDS-AUTHORITY-PROVI | TODO | Due 2025-11-26 · Accountable: Authority Core & Security Guild | Authority Core & Security Guild | Needs Authority provider/key format spec & JWKS export requirements. <br><br> Document artefact/deliverable for AUTH-CRYPTO-90-001 and publish location so downstream tasks can proceed. |
 | 1 | SEC-CRYPTO-90-017 | TODO | Fork present; integrate into solution | Security Guild | Vendor `third_party/forks/AlexMAS.GostCryptography` into the solution build (solution filters, Directory.Build props, CI) so the library compiles with the repo and publishes artifacts. |
 | 2 | SEC-CRYPTO-90-018 | TODO | After 90-017 | Security & Docs Guilds | Update developer/RootPack documentation to describe the fork, sync steps, and licensing. |
 | 3 | SEC-CRYPTO-90-019 | TODO | After 90-017 | Security Guild | Patch the fork to drop vulnerable `System.Security.Cryptography.{Pkcs,Xml}` 6.0.0 deps; retarget .NET 8+, rerun tests. |
@@ -26,7 +27,7 @@
 | 7 | SEC-CRYPTO-90-013 | TODO | After 90-021 | Security Guild | Add Magma/Kuznyechik symmetric support via provider registry. |
 | 8 | SEC-CRYPTO-90-014 | TODO | After Authority contract confirmed | Security Guild + Service Guilds | Update runtime hosts (Authority, Scanner WebService/Worker, Concelier, etc.) to register RU providers and expose config toggles. |
 | 9 | SEC-CRYPTO-90-015 | TODO | After 90-012/021 | Security & Docs Guild | Refresh RootPack/validation documentation. |
-| 10 | AUTH-CRYPTO-90-001 | BLOCKED | Needs Authority provider/key format spec & JWKS export requirements | Authority Core & Security Guild | Sovereign signing provider contract for Authority; refactor loaders once contract is published. |
+| 10 | AUTH-CRYPTO-90-001 | BLOCKED | PREP-AUTH-CRYPTO-90-001-NEEDS-AUTHORITY-PROVI | Authority Core & Security Guild | Sovereign signing provider contract for Authority; refactor loaders once contract is published. |
 | 11 | SCANNER-CRYPTO-90-001 | TODO | Needs registry wiring | Scanner WebService Guild · Security Guild | Route hashing/signing flows through `ICryptoProviderRegistry`. |
 | 12 | SCANNER-WORKER-CRYPTO-90-001 | TODO | After 11 | Scanner Worker Guild · Security Guild | Wire Scanner Worker/BuildX analyzers to registry/hash abstractions. |
 | 13 | SCANNER-CRYPTO-90-002 | TODO | PQ profile | Scanner WebService Guild · Security Guild | Enable PQ-friendly DSSE (Dilithium/Falcon) via provider options. |
@@ -36,6 +37,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_514_sovereign_crypto_enablement.md. | Security Docs |
 | 2025-11-18 | Downloaded MongoDB 4.4.4 binaries into `local-nuget/mongo2go/4.1.0/tools/mongodb-linux-4.4.4-database-tools-100.3.1/community-server/mongodb-linux-x86_64-ubuntu2004-4.4.4/bin/mongod`; reran `dotnet vstest …AdvisoryChunksEndpoint_ReturnsParagraphAnchors` but Mongo2Go still cannot connect (timeout/connection refused to 127.0.0.1). Concelier AOC tasks remain BLOCKED pending stable Mongo2Go startup. | Concelier WebService |
 | 2025-11-18 | Targeted `dotnet vstest ...StellaOps.Concelier.WebService.Tests.dll --TestCaseFilter:AdvisoryChunksEndpoint_ReturnsParagraphAnchors` failed: Mongo2Go cannot start (mongod binaries not found; connection refused 127.0.0.1:35961). Concelier AOC tasks remain BLOCKED pending usable Mongo2Go binary path. | Concelier WebService |

docs/implplan/SPRINT_110_ingestion_evidence.md

@@ -21,32 +21,38 @@
 ## Task Board
 | Wave | Task ID | Status | Owner(s) | Dependencies | Notes |
 | --- | --- | --- | --- | --- | --- |
+| 110.B Concelier | PREP-LNM-SCHEMA-APPROVAL | TODO | Due 2025-11-21 · Accountable: —; Concelier Core · Cartographer Guild · SBOM Service Guild | — | Approve Link-Not-Merge schema plus fixtures (`CONCELIER-GRAPH-21-001/002`, `CARTO-GRAPH-21-002`) and publish canonical JSON samples + precedence rules for consuming modules. <br><br>Archive decision + artefacts under `docs/modules/concelier/link-not-merge-schema.md` so downstream Concelier/Excititor/Policy tasks can bind to the frozen payload shape. |
+| 110.B Concelier | PREP-EVIDENCE-LOCKER-CONTRACT | TODO | Due 2025-11-21 · Accountable: —; Evidence Locker Guild · Concelier Core Guild | — | Freeze the Evidence Locker attestation scope + ingest contract (bundle predicates, transparency metadata, verification plan) and record DOI/location for Evidence Bundle v1. <br><br>Publish the signed decision in `docs/modules/evidence-locker/attestation-contract.md` and note required claim set plus validation fixtures. |
+| 110.B Concelier | PREP-FEEDCONN-ICS-KISA-PLAN | TODO | Due 2025-11-21 · Accountable: —; Concelier Feed Owners · Product Advisory Guild | — | Provide remediation/refresh schedule and schema notes for ICSCISA/KISA feeds, covering provenance gaps and upcoming advisory drops. <br><br>Store the runbook in `docs/modules/concelier/feeds/icscisa-kisa.md` with owners and next review date so connector work can proceed deterministically. |
+| 110.C Excititor | PREP-EXCITITOR-ATTESTATION-PLAN | TODO | Due 2025-11-21 · Accountable: —; Excititor Guild · Evidence Locker Guild | — | Align Excititor chunk/attestation plans with Evidence Locker scope: spell out ingestion contract, chunk schema, and DSSE bundling rules. <br><br>Publish the plan in `docs/modules/excititor/attestation-plan.md` and include sample payloads for `/vex/evidence/chunks` + attestation APIs. |
+| 110.D Mirror | PREP-MIRROR-STAFFING | TODO | Due 2025-11-21 · Accountable: —; Mirror Creator Guild · Exporter Guild · AirGap Time Guild | — | Assign owner(s) for MIRROR-CRT-56-001, confirm DSSE/TUF milestone schedule, and record staffing commitments for follow-on CRT tasks. <br><br>Document the staffing decision and milestone plan in `docs/modules/mirror/assembler.md` so downstream automation (Export Center, AirGap Time, CLI) can execute. |
 | 110.A Advisory AI | DOCS-AIAI-31-004 | DOING | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001/003 | Guardrail console doc drafted; screenshots + SBOM evidence pending. |
 | 110.A Advisory AI | AIAI-31-009 | DONE (2025-11-12) | Advisory AI Guild | — | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. |
-| 110.A Advisory AI | AIAI-31-008 | BLOCKED | Advisory AI Guild | AIAI-31-006; AIAI-31-007 | Blocked pending policy knob deliverables (AIAI-31-006/007). |
+| 110.A Advisory AI | AIAI-31-008 | TODO | Advisory AI Guild | AIAI-31-006 (DONE 2025-11-04); AIAI-31-007 (DONE 2025-11-06) | Policy knob work landed; proceed with packaging and deployment steps. |
 | 110.A Advisory AI | SBOM-AIAI-31-003 | BLOCKED | SBOM Service Guild | SBOM-AIAI-31-001; CLI-VULN-29-001; CLI-VEX-30-001 | Needs SBOM delta kit + CLI deliverables before validation can proceed. |
 | 110.A Advisory AI | DOCS-AIAI-31-005/006/008/009 | BLOCKED | Docs Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | CLI/policy/ops docs paused pending upstream artefacts. |
 | 110.B Concelier | CONCELIER-AIAI-31-002 | BLOCKED | Concelier Core · Concelier WebService Guilds | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 | Blocked: Link-Not-Merge schema still not approved; cannot finalize structured field/caching. |
 | 110.B Concelier | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | Concelier Observability Guild | — | Telemetry counters/histograms live for Advisory AI dashboards. |
-| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | Concelier Core · AirGap Guilds | Link-Not-Merge schema; Evidence Locker attestation contract | Blocked until schema approval + attestation scope sign-off. |
+| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | Concelier Core · AirGap Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EVIDENCE-LOCKER-CONTRACT | Blocked until schema approval + attestation scope sign-off. |
-| 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | BLOCKED | Concelier Console Guild | Link-Not-Merge schema | Blocked pending Link-Not-Merge schema approval. |
+| 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | BLOCKED | Concelier Console Guild | PREP-LNM-SCHEMA-APPROVAL | Blocked pending Link-Not-Merge schema approval. |
-| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | BLOCKED | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; Evidence Locker contract | Blocked until structured caching lands and Evidence Locker contract finalises. |
+| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | BLOCKED | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; PREP-EVIDENCE-LOCKER-CONTRACT | Blocked until structured caching lands and Evidence Locker contract finalises. |
-| 110.B Concelier | FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 | BLOCKED | Concelier Feed Owners | Feed owner remediation plan | Overdue provenance refreshes require schedule from feed owners. |
+| 110.B Concelier | FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 | BLOCKED | Concelier Feed Owners | PREP-FEEDCONN-ICS-KISA-PLAN | Overdue provenance refreshes require schedule from feed owners. |
 | 110.C Excititor | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | Excititor Web/Core Guilds | — | Normalised VEX justification projections shipped. |
-| 110.C Excititor | EXCITITOR-AIAI-31-002 | BLOCKED | Excititor Web/Core Guilds | Link-Not-Merge schema; Evidence Locker contract | Blocked until schema + ingest contract approved. |
+| 110.C Excititor | EXCITITOR-AIAI-31-002 | BLOCKED | Excititor Web/Core Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EVIDENCE-LOCKER-CONTRACT | Blocked until schema + ingest contract approved. |
 | 110.C Excititor | EXCITITOR-AIAI-31-003 | BLOCKED | Excititor Observability Guild | EXCITITOR-AIAI-31-002 | Blocked behind EXCITITOR-AIAI-31-002. |
 | 110.C Excititor | EXCITITOR-AIAI-31-004 | BLOCKED | Docs Guild · Excititor Guild | EXCITITOR-AIAI-31-002 | Blocked until chunk API finalized. |
-| 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | BLOCKED | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; Evidence Locker contract | Blocked pending chunk API + Evidence Locker attestation scope. |
+| 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | BLOCKED | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; PREP-EVIDENCE-LOCKER-CONTRACT | Blocked pending chunk API + Evidence Locker attestation scope. |
-| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | BLOCKED | Excititor Guild · AirGap Guilds | Link-Not-Merge schema; attestation plan | Blocked until schema + attestation readiness. |
+| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | BLOCKED | Excititor Guild · AirGap Guilds | PREP-LNM-SCHEMA-APPROVAL; PREP-EXCITITOR-ATTESTATION-PLAN | Blocked until schema + attestation readiness. |
-| 110.D Mirror | MIRROR-CRT-56-001 | BLOCKED | Mirror Creator Guild | Staffing decision | Blocked: no owner assigned; kickoff slipped past 2025-11-15. |
+| 110.D Mirror | MIRROR-CRT-56-001 | BLOCKED | Mirror Creator Guild | PREP-MIRROR-STAFFING | Blocked: no owner assigned; kickoff slipped past 2025-11-15. |
 | 110.D Mirror | MIRROR-CRT-56-002 | BLOCKED | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | Blocked until MIRROR-CRT-56-001 staffed. |
 | 110.D Mirror | MIRROR-CRT-57-001/002 | BLOCKED | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | Blocked; upstream staffing unresolved. |
 | 110.D Mirror | MIRROR-CRT-58-001/002 | BLOCKED | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | Blocked until assembler staffed and upstream contracts agreed. |
-| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | BLOCKED | Exporter Guild · AirGap Time Guild · CLI Guild | MIRROR-CRT-56-001 staffing | Blocked pending MIRROR-CRT-56-001 ownership. |
+| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | BLOCKED | Exporter Guild · AirGap Time Guild · CLI Guild | PREP-MIRROR-STAFFING | Blocked pending MIRROR-CRT-56-001 ownership. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-13 | Refreshed wave tracker, decisions, and contingency plan ahead of 14–15 Nov checkpoints; outstanding asks: SBOM/CLI/Policy/DevOps ETAs, Link-Not-Merge approval, Mirror staffing. | Sprint 110 leads |
 | 2025-11-09 | Captured initial wave scope, interlocks, and risks covering SBOM/CLI/Policy/DevOps artefacts, Link-Not-Merge schemas, Excititor justification backlog, and Mirror assembler commitments. | Sprint 110 leads |
 | 2025-11-16 | Updated task board: marked Advisory AI packaging, Concelier air-gap/console/attestation tracks, Excititor chunk/attestation/air-gap tracks, and all Mirror tracks as BLOCKED pending schema approvals, Evidence Locker contract, and Mirror staffing decisions. | Implementer |

docs/implplan/SPRINT_123_policy_reasoning.md

@@ -10,25 +10,40 @@ Focus: Policy & Reasoning focus on Policy (phase I).
 
 | # | Task ID & handle | State | Key dependency / next step | Owners |
 | --- | --- | --- | --- | --- |
-| 1 | EXPORT-CONSOLE-23-001 | BLOCKED | Missing export bundle contract/API surface and scheduler job spec for Console; requires agreed schema and job wiring | Policy Guild, Scheduler Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
+| P1 | PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN | TODO | Due 2025-11-22 · Accountable: Policy Guild, Scheduler Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Scheduler Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine | Missing export bundle contract/API surface and scheduler job spec for Console; requires agreed schema and job wiring. <br><br> Document artefact/deliverable for EXPORT-CONSOLE-23-001 and publish location so downstream tasks can proceed. |
-| 2 | POLICY-AIRGAP-56-001 | BLOCKED | Mirror bundle schema for policy packs not published; need bundle_id/provenance fields and sealed-mode rules | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| P2 | PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Mirror bundle schema for policy packs not published; need bundle_id/provenance fields and sealed-mode rules. <br><br> Document artefact/deliverable for POLICY-AIRGAP-56-001 and publish location so downstream tasks can proceed. |
-| 3 | POLICY-AIRGAP-56-002 | BLOCKED | Depends on 56-001 bundle import schema and DSSE signing profile | Policy Guild, Policy Studio Guild / src/Policy/StellaOps.Policy.Engine |
+| P3 | PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B | TODO | Due 2025-11-22 · Accountable: Policy Guild, Policy Studio Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Policy Studio Guild / src/Policy/StellaOps.Policy.Engine | Depends on 56-001 bundle import schema and DSSE signing profile. <br><br> Document artefact/deliverable for POLICY-AIRGAP-56-002 and publish location so downstream tasks can proceed. |
-| 4 | POLICY-AIRGAP-57-001 | BLOCKED | Requires sealed-mode contract (egress rules, error codes) after 56-002 | Policy Guild, AirGap Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| P4 | PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD | TODO | Due 2025-11-22 · Accountable: Policy Guild, AirGap Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, AirGap Policy Guild / src/Policy/StellaOps.Policy.Engine | Requires sealed-mode contract (egress rules, error codes) after 56-002. <br><br> Document artefact/deliverable for POLICY-AIRGAP-57-001 and publish location so downstream tasks can proceed. |
-| 5 | POLICY-AIRGAP-57-002 | BLOCKED | Needs staleness/fallback data contract from 57-001 | Policy Guild, AirGap Time Guild / src/Policy/StellaOps.Policy.Engine |
+| P5 | PREP-POLICY-AIRGAP-57-002-NEEDS-STALENESS-FAL | TODO | Due 2025-11-22 · Accountable: Policy Guild, AirGap Time Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, AirGap Time Guild / src/Policy/StellaOps.Policy.Engine | Needs staleness/fallback data contract from 57-001. <br><br> Document artefact/deliverable for POLICY-AIRGAP-57-002 and publish location so downstream tasks can proceed. |
-| 6 | POLICY-AIRGAP-58-001 | BLOCKED | Notification schema and staleness signals pending from 57-002 | Policy Guild, Notifications Guild / src/Policy/StellaOps.Policy.Engine |
+| P6 | PREP-POLICY-AIRGAP-58-001-NOTIFICATION-SCHEMA | TODO | Due 2025-11-22 · Accountable: Policy Guild, Notifications Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Notifications Guild / src/Policy/StellaOps.Policy.Engine | Notification schema and staleness signals pending from 57-002. <br><br> Document artefact/deliverable for POLICY-AIRGAP-58-001 and publish location so downstream tasks can proceed. |
-| 7 | POLICY-AOC-19-001 | BLOCKED | Needs agreed linting targets (which ingestion projects, which helpers) and CI wiring; no analyzer/lint spec available | Policy Guild / src/Policy/__Libraries/StellaOps.Policy |
+| P7 | PREP-POLICY-AOC-19-001-NEEDS-AGREED-LINTING-T | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/__Libraries/StellaOps.Policy | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | Needs agreed linting targets (which ingestion projects, which helpers) and CI wiring; no analyzer/lint spec available. <br><br> Document artefact/deliverable for POLICY-AOC-19-001 and publish location so downstream tasks can proceed. |
-| 8 | POLICY-AOC-19-002 | BLOCKED | Depends on 19-001 lint implementation and authority contract for `effective:write` gate | Policy Guild, Platform Security / src/Policy/__Libraries/StellaOps.Policy |
+| P8 | PREP-POLICY-AOC-19-002-DEPENDS-ON-19-001-LINT | TODO | Due 2025-11-22 · Accountable: Policy Guild, Platform Security / src/Policy/__Libraries/StellaOps.Policy | Policy Guild, Platform Security / src/Policy/__Libraries/StellaOps.Policy | Depends on 19-001 lint implementation and authority contract for `effective:write` gate. <br><br> Document artefact/deliverable for POLICY-AOC-19-002 and publish location so downstream tasks can proceed. |
-| 9 | POLICY-AOC-19-003 | BLOCKED | Requires decisioned normalized-field removal contract after 19-002; fixtures not provided | Policy Guild / src/Policy/__Libraries/StellaOps.Policy |
+| P9 | PREP-POLICY-AOC-19-003-REQUIRES-DECISIONED-NO | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/__Libraries/StellaOps.Policy | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | Requires decisioned normalized-field removal contract after 19-002; fixtures not provided. <br><br> Document artefact/deliverable for POLICY-AOC-19-003 and publish location so downstream tasks can proceed. |
-| 10 | POLICY-AOC-19-004 | BLOCKED | Dependent on 19-003 data shape and determinism fixtures | Policy Guild, QA Guild / src/Policy/__Libraries/StellaOps.Policy |
+| P10 | PREP-POLICY-AOC-19-004-DEPENDENT-ON-19-003-DA | TODO | Due 2025-11-22 · Accountable: Policy Guild, QA Guild / src/Policy/__Libraries/StellaOps.Policy | Policy Guild, QA Guild / src/Policy/__Libraries/StellaOps.Policy | Dependent on 19-003 data shape and determinism fixtures. <br><br> Document artefact/deliverable for POLICY-AOC-19-004 and publish location so downstream tasks can proceed. |
-| 11 | POLICY-ATTEST-73-001 | BLOCKED | VerificationPolicy schema/persistence contract missing; needs Attestor alignment | Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine |
+| P11 | PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY- | TODO | Due 2025-11-22 · Accountable: Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine | VerificationPolicy schema/persistence contract missing; needs Attestor alignment. <br><br> Document artefact/deliverable for POLICY-ATTEST-73-001 and publish location so downstream tasks can proceed. |
-| 12 | POLICY-ATTEST-73-002 | BLOCKED | Depends on 73-001 editor DTOs and validation schema | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| P12 | PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Depends on 73-001 editor DTOs and validation schema. <br><br> Document artefact/deliverable for POLICY-ATTEST-73-002 and publish location so downstream tasks can proceed. |
-| 13 | POLICY-ATTEST-74-001 | BLOCKED | Requires 73-002 and Attestor pipeline contract | Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine |
+| P13 | PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-AND | TODO | Due 2025-11-22 · Accountable: Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine | Requires 73-002 and Attestor pipeline contract. <br><br> Document artefact/deliverable for POLICY-ATTEST-74-001 and publish location so downstream tasks can proceed. |
-| 14 | POLICY-ATTEST-74-002 | BLOCKED | Needs 74-001 surface in Console verification reports contract | Policy Guild, Console Guild / src/Policy/StellaOps.Policy.Engine |
+| P14 | PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC | TODO | Due 2025-11-22 · Accountable: Policy Guild, Console Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Console Guild / src/Policy/StellaOps.Policy.Engine | Needs 74-001 surface in Console verification reports contract. <br><br> Document artefact/deliverable for POLICY-ATTEST-74-002 and publish location so downstream tasks can proceed. |
+| 1 | EXPORT-CONSOLE-23-001 | BLOCKED | PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN | Policy Guild, Scheduler Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
+| 2 | POLICY-AIRGAP-56-001 | BLOCKED | PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| 3 | POLICY-AIRGAP-56-002 | BLOCKED | PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B | Policy Guild, Policy Studio Guild / src/Policy/StellaOps.Policy.Engine |
+| 4 | POLICY-AIRGAP-57-001 | BLOCKED | PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD | Policy Guild, AirGap Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| 5 | POLICY-AIRGAP-57-002 | BLOCKED | PREP-POLICY-AIRGAP-57-002-NEEDS-STALENESS-FAL | Policy Guild, AirGap Time Guild / src/Policy/StellaOps.Policy.Engine |
+| 6 | POLICY-AIRGAP-58-001 | BLOCKED | PREP-POLICY-AIRGAP-58-001-NOTIFICATION-SCHEMA | Policy Guild, Notifications Guild / src/Policy/StellaOps.Policy.Engine |
+| 7 | POLICY-AOC-19-001 | BLOCKED | PREP-POLICY-AOC-19-001-NEEDS-AGREED-LINTING-T | Policy Guild / src/Policy/__Libraries/StellaOps.Policy |
+| 8 | POLICY-AOC-19-002 | BLOCKED | PREP-POLICY-AOC-19-002-DEPENDS-ON-19-001-LINT | Policy Guild, Platform Security / src/Policy/__Libraries/StellaOps.Policy |
+| 9 | POLICY-AOC-19-003 | BLOCKED | PREP-POLICY-AOC-19-003-REQUIRES-DECISIONED-NO | Policy Guild / src/Policy/__Libraries/StellaOps.Policy |
+| 10 | POLICY-AOC-19-004 | BLOCKED | PREP-POLICY-AOC-19-004-DEPENDENT-ON-19-003-DA | Policy Guild, QA Guild / src/Policy/__Libraries/StellaOps.Policy |
+| 11 | POLICY-ATTEST-73-001 | BLOCKED | PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY- | Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine |
+| 12 | POLICY-ATTEST-73-002 | BLOCKED | PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| 13 | POLICY-ATTEST-74-001 | BLOCKED | PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-AND | Policy Guild, Attestor Service Guild / src/Policy/StellaOps.Policy.Engine |
+| 14 | POLICY-ATTEST-74-002 | BLOCKED | PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC | Policy Guild, Console Guild / src/Policy/StellaOps.Policy.Engine |
 | 15 | POLICY-CONSOLE-23-001 | BLOCKED | Console API contract (filters, pagination, aggregation) not supplied; requires BE-Base Platform spec | Policy Guild, BE-Base Platform Guild / src/Policy/StellaOps.Policy.Engine |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-08 | Sprint created; awaiting staffing. | Planning |
 | 2025-11-18 | Attempted EXPORT-CONSOLE-23-001 but blocked: no export bundle/schema or scheduler job contract for Console; requires API + signed manifest format before implementation. Marked remaining tasks BLOCKED pending lint/airgap/attest/Console contracts. | Policy Guild |
 

docs/implplan/SPRINT_124_policy_reasoning.md

@@ -10,8 +10,9 @@ Focus: Policy & Reasoning focus on Policy (phase II).
 
 | # | Task ID & handle | State | Key dependency / next step | Owners |
 | --- | --- | --- | --- | --- |
+| P1 | PREP-POLICY-ENGINE-20-002-BUILD-DETERMINISTIC | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Build deterministic evaluator honoring lexical/priority order, first-match semantics, and safe value types (no wall-clock/network access). <br><br> Document artefact/deliverable for POLICY-ENGINE-20-002 and publish location so downstream tasks can proceed. |
 | 1 | POLICY-CONSOLE-23-002 | TODO | Produce simulation diff metadata (before/after counts, severity deltas, rule impact summaries) and approval state endpoints consumed by Console policy workspace; expose RBAC-aware status transitions (Deps: POLICY-CONSOLE-23-001) | Policy Guild, Product Ops / src/Policy/StellaOps.Policy.Engine |
-| 2 | POLICY-ENGINE-20-002 | BLOCKED (2025-10-26) | Build deterministic evaluator honoring lexical/priority order, first-match semantics, and safe value types (no wall-clock/network access) | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| 2 | POLICY-ENGINE-20-002 | BLOCKED (2025-10-26) | PREP-POLICY-ENGINE-20-002-BUILD-DETERMINISTIC | Policy Guild / src/Policy/StellaOps.Policy.Engine |
 | 3 | POLICY-ENGINE-20-003 | TODO | Implement selection joiners resolving SBOM↔advisory↔VEX tuples using linksets and PURL equivalence tables, with deterministic batching (Deps: POLICY-ENGINE-20-002) | Policy Guild, Concelier Core Guild, Excititor Core Guild / src/Policy/StellaOps.Policy.Engine |
 | 4 | POLICY-ENGINE-20-004 | TODO | Ship materialization writer that upserts into `effective_finding_{policyId}` with append-only history, tenant scoping, and trace references (Deps: POLICY-ENGINE-20-003) | Policy Guild, Platform Storage Guild / src/Policy/StellaOps.Policy.Engine |
 | 5 | POLICY-ENGINE-20-005 | TODO | Enforce determinism guard banning wall-clock, RNG, and network usage during evaluation via static analysis + runtime sandbox (Deps: POLICY-ENGINE-20-004) | Policy Guild, Security Engineering / src/Policy/StellaOps.Policy.Engine |
@@ -23,3 +24,8 @@ Focus: Policy & Reasoning focus on Policy (phase II).
 | 11 | POLICY-ENGINE-27-002 | TODO | Enhance simulate endpoints to emit rule firing counts, heatmap aggregates, sampled explain traces with deterministic ordering, and delta summaries for quick/batch sims (Deps: POLICY-ENGINE-27-001) | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
 | 12 | POLICY-ENGINE-29-001 | TODO | Implement batch evaluation endpoint (`POST /policy/eval/batch`) returning determinations + rationale chain for sets of `(artifact,purl,version,advisory)` tuples; support pagination and cost budgets (Deps: POLICY-ENGINE-27-004) | Policy Guild / src/Policy/StellaOps.Policy.Engine |
 | 13 | POLICY-ENGINE-29-002 | TODO | Provide streaming simulation API comparing two policy versions, returning per-finding deltas without writes; align determinism with Vuln Explorer simulation (Deps: POLICY-ENGINE-29-001) | Policy Guild, Findings Ledger Guild / src/Policy/StellaOps.Policy.Engine |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |

docs/implplan/SPRINT_125_policy_reasoning.md

@@ -10,21 +10,39 @@ Focus: Policy & Reasoning focus on Policy (phase III).
 
 | # | Task ID & handle | State | Key dependency / next step | Owners |
 | --- | --- | --- | --- | --- |
+| P1 | PREP-POLICY-ENGINE-30-001-WAITING-ON-29-004-M | TODO | Due 2025-11-22 · Accountable: Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Waiting on 29-004 metrics/logging outputs to define overlay projection contract. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-001 and publish location so downstream tasks can proceed. |
+| P2 | PREP-POLICY-ENGINE-30-002-SIMULATION-BRIDGE-C | TODO | Due 2025-11-22 · Accountable: Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Simulation bridge cannot proceed until 30-001 overlay schema lands. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-002 and publish location so downstream tasks can proceed. |
+| P3 | PREP-POLICY-ENGINE-30-003-CHANGE-EVENTS-DEPEN | TODO | Due 2025-11-22 · Accountable: Policy Guild, Scheduler Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Scheduler Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine | Change events depend on simulation bridge (30-002) outputs. <br><br> Document artefact/deliverable for POLICY-ENGINE-30-003 and publish location so downstream tasks can proceed. |
+| P4 | PREP-POLICY-ENGINE-30-101-TRUST-WEIGHTING-UI- | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Trust weighting UI/API depends on change events + overlays (30-003). <br><br> Document artefact/deliverable for POLICY-ENGINE-30-101 and publish location so downstream tasks can proceed. |
+| P5 | PREP-POLICY-ENGINE-31-001-ADVISORY-AI-KNOBS-R | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Advisory AI knobs rely on 30-101 trust weighting surfacing. <br><br> Document artefact/deliverable for POLICY-ENGINE-31-001 and publish location so downstream tasks can proceed. |
+| P6 | PREP-POLICY-ENGINE-31-002-BATCH-CONTEXT-ENDPO | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Batch context endpoint waits on 31-001 knobs. <br><br> Document artefact/deliverable for POLICY-ENGINE-31-002 and publish location so downstream tasks can proceed. |
+| P7 | PREP-POLICY-ENGINE-32-101-ORCHESTRATOR-JOB-SC | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Orchestrator job schema depends on 31-002 batch context. <br><br> Document artefact/deliverable for POLICY-ENGINE-32-101 and publish location so downstream tasks can proceed. |
+| P8 | PREP-POLICY-ENGINE-33-101-WORKER-IMPLEMENTATI | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Worker implementation depends on 32-101 job schema. <br><br> Document artefact/deliverable for POLICY-ENGINE-33-101 and publish location so downstream tasks can proceed. |
+| P9 | PREP-POLICY-ENGINE-34-101-LEDGER-EXPORT-REQUI | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Ledger export requires 33-101 workers. <br><br> Document artefact/deliverable for POLICY-ENGINE-34-101 and publish location so downstream tasks can proceed. |
+| P10 | PREP-POLICY-ENGINE-35-201-SNAPSHOT-API-WAITS- | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Snapshot API waits on 34-101 ledger export. <br><br> Document artefact/deliverable for POLICY-ENGINE-35-201 and publish location so downstream tasks can proceed. |
+| P11 | PREP-POLICY-ENGINE-38-201-VIOLATION-EVENTS-DE | TODO | Due 2025-11-22 · Accountable: Policy Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild / src/Policy/StellaOps.Policy.Engine | Violation events depend on 35-201 snapshot stream. <br><br> Document artefact/deliverable for POLICY-ENGINE-38-201 and publish location so downstream tasks can proceed. |
+| P12 | PREP-POLICY-ENGINE-40-001-SEVERITY-FUSION-DEP | TODO | Due 2025-11-22 · Accountable: Policy Guild, Concelier Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Concelier Guild / src/Policy/StellaOps.Policy.Engine | Severity fusion depends on 38-201 violation event payloads. <br><br> Document artefact/deliverable for POLICY-ENGINE-40-001 and publish location so downstream tasks can proceed. |
+| P13 | PREP-POLICY-ENGINE-40-002-CONFLICT-HANDLING-D | TODO | Due 2025-11-22 · Accountable: Policy Guild, Excititor Guild / src/Policy/StellaOps.Policy.Engine | Policy Guild, Excititor Guild / src/Policy/StellaOps.Policy.Engine | Conflict handling depends on 40-001 severity pipeline changes. <br><br> Document artefact/deliverable for POLICY-ENGINE-40-002 and publish location so downstream tasks can proceed. |
 | 1 | POLICY-ENGINE-29-003 | BLOCKED (2025-11-18) | Waiting on upstream POLICY-ENGINE-29-002 contract details; no path/scope schema or sample payloads available. | Policy Guild, SBOM Service Guild / src/Policy/StellaOps.Policy.Engine |
 | 2 | POLICY-ENGINE-29-004 | BLOCKED (2025-11-18) | Depends on blocked POLICY-ENGINE-29-003 path/scope contract. | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
-| 3 | POLICY-ENGINE-30-001 | BLOCKED (2025-11-18) | Waiting on 29-004 metrics/logging outputs to define overlay projection contract. | Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine |
+| 3 | POLICY-ENGINE-30-001 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-001-WAITING-ON-29-004-M | Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine |
-| 4 | POLICY-ENGINE-30-002 | BLOCKED (2025-11-18) | Simulation bridge cannot proceed until 30-001 overlay schema lands. | Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine |
+| 4 | POLICY-ENGINE-30-002 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-002-SIMULATION-BRIDGE-C | Policy Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine |
-| 5 | POLICY-ENGINE-30-003 | BLOCKED (2025-11-18) | Change events depend on simulation bridge (30-002) outputs. | Policy Guild, Scheduler Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine |
+| 5 | POLICY-ENGINE-30-003 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-003-CHANGE-EVENTS-DEPEN | Policy Guild, Scheduler Guild, Cartographer Guild / src/Policy/StellaOps.Policy.Engine |
-| 6 | POLICY-ENGINE-30-101 | BLOCKED (2025-11-18) | Trust weighting UI/API depends on change events + overlays (30-003). | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| 6 | POLICY-ENGINE-30-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-30-101-TRUST-WEIGHTING-UI- | Policy Guild / src/Policy/StellaOps.Policy.Engine |
-| 7 | POLICY-ENGINE-31-001 | BLOCKED (2025-11-18) | Advisory AI knobs rely on 30-101 trust weighting surfacing. | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| 7 | POLICY-ENGINE-31-001 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-31-001-ADVISORY-AI-KNOBS-R | Policy Guild / src/Policy/StellaOps.Policy.Engine |
-| 8 | POLICY-ENGINE-31-002 | BLOCKED (2025-11-18) | Batch context endpoint waits on 31-001 knobs. | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| 8 | POLICY-ENGINE-31-002 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-31-002-BATCH-CONTEXT-ENDPO | Policy Guild / src/Policy/StellaOps.Policy.Engine |
-| 9 | POLICY-ENGINE-32-101 | BLOCKED (2025-11-18) | Orchestrator job schema depends on 31-002 batch context. | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| 9 | POLICY-ENGINE-32-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-32-101-ORCHESTRATOR-JOB-SC | Policy Guild / src/Policy/StellaOps.Policy.Engine |
-| 10 | POLICY-ENGINE-33-101 | BLOCKED (2025-11-18) | Worker implementation depends on 32-101 job schema. | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| 10 | POLICY-ENGINE-33-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-33-101-WORKER-IMPLEMENTATI | Policy Guild / src/Policy/StellaOps.Policy.Engine |
-| 11 | POLICY-ENGINE-34-101 | BLOCKED (2025-11-18) | Ledger export requires 33-101 workers. | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| 11 | POLICY-ENGINE-34-101 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-34-101-LEDGER-EXPORT-REQUI | Policy Guild / src/Policy/StellaOps.Policy.Engine |
-| 12 | POLICY-ENGINE-35-201 | BLOCKED (2025-11-18) | Snapshot API waits on 34-101 ledger export. | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| 12 | POLICY-ENGINE-35-201 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-35-201-SNAPSHOT-API-WAITS- | Policy Guild / src/Policy/StellaOps.Policy.Engine |
-| 13 | POLICY-ENGINE-38-201 | BLOCKED (2025-11-18) | Violation events depend on 35-201 snapshot stream. | Policy Guild / src/Policy/StellaOps.Policy.Engine |
+| 13 | POLICY-ENGINE-38-201 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-38-201-VIOLATION-EVENTS-DE | Policy Guild / src/Policy/StellaOps.Policy.Engine |
-| 14 | POLICY-ENGINE-40-001 | BLOCKED (2025-11-18) | Severity fusion depends on 38-201 violation event payloads. | Policy Guild, Concelier Guild / src/Policy/StellaOps.Policy.Engine |
+| 14 | POLICY-ENGINE-40-001 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-40-001-SEVERITY-FUSION-DEP | Policy Guild, Concelier Guild / src/Policy/StellaOps.Policy.Engine |
-| 15 | POLICY-ENGINE-40-002 | BLOCKED (2025-11-18) | Conflict handling depends on 40-001 severity pipeline changes. | Policy Guild, Excititor Guild / src/Policy/StellaOps.Policy.Engine |
+| 15 | POLICY-ENGINE-40-002 | BLOCKED (2025-11-18) | PREP-POLICY-ENGINE-40-002-CONFLICT-HANDLING-D | Policy Guild, Excititor Guild / src/Policy/StellaOps.Policy.Engine |
 
 ## Notes & Risks (2025-11-18)
 - POLICY-ENGINE-29-002 contract/schema is missing; this blocks 29-003 path/scope awareness and cascades through all downstream tasks in this sprint. Unblock by publishing 29-002 artifacts (schema + sample payloads).
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |

docs/implplan/SPRINT_136_scanner_surface.md

@@ -12,7 +12,7 @@ Dependency: Sprint 135 - 6. Scanner.VI — Scanner & Surface focus on Scanner (p
 | `SCANNER-ENTRYTRACE-18-506` | TODO | Surface EntryTrace graph + confidence via Scanner.WebService and CLI, including target summary in scan reports and policy payloads. | EntryTrace Guild, Scanner WebService Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | SCANNER-ENTRYTRACE-18-505 |
 | `SCANNER-ENV-01` | DONE (2025-11-18) | Worker already wired to `AddSurfaceEnvironment`/`ISurfaceEnvironment` for cache roots + CAS endpoints; no remaining ad-hoc env reads. | Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker) | — |
 | `SCANNER-ENV-02` | TODO (2025-11-06) | Wire Surface.Env helpers into WebService hosting (cache roots, feature flags) and document configuration. | Scanner WebService Guild, Ops Guild (src/Scanner/StellaOps.Scanner.WebService) | SCANNER-ENV-01 |
-| `SCANNER-ENV-03` | DOING (2025-11-18) | Adopt Surface.Env helpers for plugin configuration (cache roots, CAS endpoints, feature toggles). | BuildX Plugin Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin) | SCANNER-ENV-02 |
+| `SCANNER-ENV-03` | BLOCKED (2025-11-19) | Waiting on SCANNER-ENV-02 tests/restore to complete and Surface.Env package publish; plugin wiring on hold. | BuildX Plugin Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin) | SCANNER-ENV-02 |
 | `SURFACE-ENV-01` | DONE (2025-11-13) | Draft `surface-env.md` enumerating environment variables, defaults, and air-gap behaviour for Surface consumers. | Scanner Guild, Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | — |
 | `SURFACE-ENV-02` | DONE (2025-11-18) | Strongly-typed env accessors implemented; validation covers required endpoint, bounds, TLS cert path; regression tests passing. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-01 |
 | `SURFACE-ENV-03` | TODO | Adopt the env helper across Scanner Worker/WebService/BuildX plug-ins. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env) | SURFACE-ENV-02 |
@@ -23,8 +23,8 @@ Dependency: Sprint 135 - 6. Scanner.VI — Scanner & Surface focus on Scanner (p
 | `SCANNER-LNM-21-001` | TODO | Update `/reports` and `/policy/runtime` payloads to consume advisory/vex linksets, exposing source severity arrays and conflict summaries alongside effective verdicts. | Scanner WebService Guild, Policy Guild (src/Scanner/StellaOps.Scanner.WebService) | — |
 | `SCANNER-LNM-21-002` | TODO | Add evidence endpoint for Console to fetch linkset summaries with policy overlay for a component/SBOM, including AOC references. | Scanner WebService Guild, UI Guild (src/Scanner/StellaOps.Scanner.WebService) | SCANNER-LNM-21-001 |
 | `SCANNER-SECRETS-03` | TODO | Use Surface.Secrets to retrieve registry credentials when interacting with CAS/referrers. | BuildX Plugin Guild, Security Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin) | SCANNER-SECRETS-02 |
-| `SURFACE-SECRETS-01` | DOING (2025-11-02) | Produce `surface-secrets.md` defining secret reference schema, storage backends, scopes, and rotation rules. | Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | — |
+| `SURFACE-SECRETS-01` | BLOCKED (2025-11-19) | Secret schema/backends need Security Guild approval; draft doc not reviewed. | Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | — |
-| `SURFACE-SECRETS-02` | DOING (2025-11-02) | Implement `StellaOps.Scanner.Surface.Secrets` core provider interfaces, secret models, and in-memory test backend. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-01 |
+| `SURFACE-SECRETS-02` | BLOCKED (2025-11-19) | Awaiting SURFACE-SECRETS-01 approval and test backend contract. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-01 |
 | `SURFACE-SECRETS-03` | TODO | Add Kubernetes/File/Offline backends with deterministic caching and audit hooks. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
 | `SURFACE-SECRETS-04` | TODO | Integrate Surface.Secrets into Scanner Worker/WebService/BuildX for registry + CAS creds. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
 | `SURFACE-SECRETS-05` | TODO | Invoke Surface.Secrets from Zastava Observer/Webhook for CAS & attestation secrets. | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | SURFACE-SECRETS-02 |
@@ -47,7 +47,7 @@ Dependency: Sprint 135 - 6. Scanner.VI — Scanner & Surface focus on Scanner (p
 | `SURFACE-FS-07` | TODO | Extend Surface.FS manifest schema with `composition.recipe`, fragment attestation metadata, and verification helpers per deterministic SBOM spec. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | SCANNER-SURFACE-04 |
 | `SCANNER-EMIT-15-001` | TODO | Enforce canonical JSON (`stella.contentHash`, Merkle root metadata, zero timestamps) for fragments and composed CycloneDX inventory/usage BOMs. Documented in `docs/modules/scanner/deterministic-sbom-compose.md` §2.2. | Scanner Emit Guild (src/Scanner/__Libraries/StellaOps.Scanner.Emit) | SCANNER-SURFACE-04 |
 | `SCANNER-SORT-02` | TODO | Sort layer fragments by digest and components by `identity.purl`/`identity.key` before composition; add determinism regression tests. | Scanner Core Guild (src/Scanner/__Libraries/StellaOps.Scanner.Core) | SCANNER-EMIT-15-001 |
-| `SURFACE-VAL-01` | DOING (2025-11-01) | Define the Surface validation framework (`surface-validation.md`) covering env/cache/secret checks and extension hooks. | Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-FS-01, SURFACE-ENV-01 |
+| `SURFACE-VAL-01` | BLOCKED (2025-11-19) | Waiting on SURFACE-SECRETS-01 schema and Surface.Env publish to finalize validation framework doc. | Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-FS-01, SURFACE-ENV-01 |
 | `SURFACE-VAL-02` | TODO | Implement base validation library with check registry and default validators for env/cached manifests/secret refs. | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-01, SURFACE-ENV-02, SURFACE-FS-02 |
 | `SURFACE-VAL-03` | TODO | Integrate validation pipeline into Scanner analyzers so checks run before processing. | Scanner Guild, Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |
 | `SURFACE-VAL-04` | TODO | Expose validation helpers to Zastava and other runtime consumers for preflight checks. | Scanner Guild, Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation) | SURFACE-VAL-02 |
@@ -62,3 +62,4 @@ Dependency: Sprint 135 - 6. Scanner.VI — Scanner & Surface focus on Scanner (p
 | 2025-11-18 | SCANNER-ENV-02 started: wired Surface manifest store options into Scanner WebService and unit scaffold added; tests pending (nuget.org restore cancelled locally). | Implementer |
 | 2025-11-18 | Attempted `dotnet test` for Worker Surface manifest configurator; restore failed fetching StackExchange.Redis from nuget.org (network timeout); tests still pending CI. | Implementer |
 | 2025-11-18 | SCANNER-ENV-03 started: BuildX plugin now loads Surface.Env defaults (SCANNER/SURFACE prefixes) for cache root/bucket/tenant when args/env missing; tests not yet added. | Implementer |
+| 2025-11-19 | Marked SCANNER-ENV-03, SURFACE-SECRETS-01/02, and SURFACE-VAL-01 BLOCKED pending Security/Surface schema approvals and published env/secrets artifacts; move back to TODO once upstream contracts land. | Implementer |

docs/implplan/SPRINT_174_telemetry.md

@@ -7,19 +7,19 @@ Depends on: Sprint 150.A - Orchestrator
 Summary: Notifications & Telemetry focus on Telemetry).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
-TELEMETRY-OBS-50-001 | **DOING (2025-11-12)** | Create `StellaOps.Telemetry.Core` library with structured logging facade, OpenTelemetry configuration helpers, and deterministic bootstrap (service name/version detection, resource attributes). Publish sample usage for web/worker hosts. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core)
+TELEMETRY-OBS-50-001 | DONE (2025-11-19) | `StellaOps.Telemetry.Core` bootstrap library shipped with structured logging facade, OTEL configuration helpers, deterministic bootstrap (service name/version detection, resource attributes), and sample usage for web/worker hosts. Evidence: `docs/observability/telemetry-bootstrap.md`. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core)
 TELEMETRY-OBS-50-002 | TODO | Implement context propagation middleware/adapters for HTTP, gRPC, background jobs, and CLI invocations, carrying `trace_id`, `tenant_id`, `actor`, and imposed-rule metadata. Provide test harness covering async resume scenarios. Dependencies: TELEMETRY-OBS-50-001. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core)
 TELEMETRY-OBS-51-001 | TODO | Ship metrics helpers for golden signals (histograms, counters, gauges) with exemplar support and cardinality guards. Provide Roslyn analyzer preventing unsanitised labels. Dependencies: TELEMETRY-OBS-50-002. | Telemetry Core Guild, Observability Guild (src/Telemetry/StellaOps.Telemetry.Core)
 TELEMETRY-OBS-51-002 | TODO | Implement redaction/scrubbing filters for secrets/PII enforced at logger sink, configurable per-tenant with TTL, including audit of overrides. Add determinism tests verifying stable field order and timestamp normalization. Dependencies: TELEMETRY-OBS-51-001. | Telemetry Core Guild, Security Guild (src/Telemetry/StellaOps.Telemetry.Core)
 TELEMETRY-OBS-55-001 | TODO | Provide incident mode toggle API that adjusts sampling, enables extended retention tags, and records activation trail for services. Ensure toggle honored by all hosting templates and integrates with Config/FeatureFlag providers. Dependencies: TELEMETRY-OBS-51-002. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core)
 TELEMETRY-OBS-56-001 | TODO | Add sealed-mode telemetry helpers (drift metrics, seal/unseal spans, offline exporters) and ensure hosts can disable external exporters when sealed. Dependencies: TELEMETRY-OBS-55-001. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core)
 
-## Status notes (2025-11-12 UTC)
+## Status notes (2025-11-19 UTC)
 
-- **TELEMETRY-OBS-50-001** – Core bootstrap scaffolding live in branch `feature/telemetry-core-bootstrap`; resource detector + profile manifest generator in review; sample Orchestrator host integration slated for 2025-11-18.
+- **TELEMETRY-OBS-50-001** – DONE. Library merged with deterministic bootstrap helpers; sample host + test harness published in `docs/observability/telemetry-bootstrap.md`.
-- **TELEMETRY-OBS-50-002** – Awaiting merged bootstrap package before wiring propagation adapters; draft design covers HTTP/gRPC/job/CLI interceptors plus tenant/actor propagation tests.
+- **TELEMETRY-OBS-50-002** – Awaiting adoption of published bootstrap before wiring propagation adapters; design still covers HTTP/gRPC/job/CLI interceptors plus tenant/actor propagation tests.
 - **TELEMETRY-OBS-51-001/51-002** – On hold until propagation middleware stabilizes; Security Guild still reviewing scrub policy (POLICY-SEC-42-003).
-- **TELEMETRY-OBS-55-001/56-001** – Incident/sealed-mode APIs blocked on CLI toggle contract (CLI-OBS-12-001) and Notify incident payload spec (NOTIFY-OBS-55-001); keep coordination with Notifier team.
+- **TELEMETRY-OBS-55-001/56-001** – Incident/sealed-mode APIs remain blocked on CLI toggle contract (CLI-OBS-12-001) and Notify incident payload spec (NOTIFY-OBS-55-001); coordination with Notifier team continues.
 
 ## Milestones & dependencies
 
@@ -35,3 +35,4 @@ TELEMETRY-OBS-56-001 | TODO | Add sealed-mode telemetry helpers (drift metrics,
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-12 18:05 | Marked TELEMETRY-OBS-50-001 as DOING and captured branch/progress details in status notes. | Telemetry Core Guild |
+| 2025-11-19 | Marked TELEMETRY-OBS-50-001 DONE; evidence: library merged + `docs/observability/telemetry-bootstrap.md` with sample host integration. | Implementer |

docs/implplan/SPRINT_201_cli_i.md

@@ -7,6 +7,8 @@ Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orches
 Summary: Experience & SDKs focus on Cli (phase I).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
+PREP-CLI-VULN-29-001-ARTEFACTS | DONE (2025-11-19) | Published frozen artefacts for CLI-VULN-29-001 under `out/console/guardrails/cli-vuln-29-001/` with hashes and doc `docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md`. | DevEx/CLI Guild · Docs Guild (src/Cli/StellaOps.Cli)
+PREP-CLI-VEX-30-001-ARTEFACTS | DONE (2025-11-19) | Published frozen artefacts for CLI-VEX-30-001 under `out/console/guardrails/cli-vex-30-001/` with hashes and doc `docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md`. | DevEx/CLI Guild · Docs Guild (src/Cli/StellaOps.Cli)
 CLI-AIAI-31-001 | TODO | Implement `stella advise summarize` command with JSON/Markdown outputs and citation display. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
 CLI-AIAI-31-002 | TODO | Implement `stella advise explain` showing conflict narrative and structured rationale. Dependencies: CLI-AIAI-31-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
 CLI-AIAI-31-003 | TODO | Implement `stella advise remediate` generating remediation plans with `--strategy` filters and file output. Dependencies: CLI-AIAI-31-002. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
@@ -22,4 +24,4 @@ CLI-ATTEST-74-001 | TODO | Implement `stella attest list` with filters (subject,
 CLI-ATTEST-74-002 | TODO | Implement `stella attest fetch` to download envelopes and payloads to disk. Dependencies: CLI-ATTEST-74-001. | CLI Attestor Guild (src/Cli/StellaOps.Cli)
 CLI-ATTEST-75-001 | TODO | Implement `stella attest key create. Dependencies: CLI-ATTEST-74-002. | CLI Attestor Guild, KMS Guild (src/Cli/StellaOps.Cli)
 CLI-ATTEST-75-002 | TODO | Add support for building/verifying attestation bundles in CLI. Dependencies: CLI-ATTEST-75-001. | CLI Attestor Guild, Export Guild (src/Cli/StellaOps.Cli)
-CLI-HK-201-002 | DOING | Add JSON status coverage for offline kit status handler when no bundle is imported. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-HK-201-002 | BLOCKED | Await offline kit status contract and sample bundle; cannot finalize status coverage tests. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)

docs/implplan/SPRINT_212_web_i.md

@@ -14,11 +14,11 @@ WEB-AIAI-31-003 `Telemetry & audit` | TODO | Emit metrics/logs (latency, guardra
 WEB-AOC-19-002 `Provenance & signature helpers` | TODO | Ship `ProvenanceBuilder`, checksum utilities, and signature verification helper integrated with guard logging. Cover DSSE/CMS formats with unit tests. Dependencies: WEB-AOC-19-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
 WEB-AOC-19-003 `Analyzer + test fixtures` | TODO | Author Roslyn analyzer preventing ingestion modules from writing forbidden keys without guard, and provide shared test fixtures for guard validation used by Concelier/Excititor service tests. Dependencies: WEB-AOC-19-002. | QA Guild, BE-Base Platform Guild (src/Web/StellaOps.Web)
 WEB-CONSOLE-23-001 `Global posture endpoints` | TODO | Provide consolidated `/console/dashboard` and `/console/filters` APIs returning tenant-scoped aggregates (findings by severity, VEX override counts, advisory deltas, run health, policy change log). Enforce AOC labelling, deterministic ordering, and cursor-based pagination for drill-down hints. | BE-Base Platform Guild, Product Analytics Guild (src/Web/StellaOps.Web)
-CONSOLE-VULN-29-001 `Vulnerability workspace` | DOING (2025-11-08) | Build `/console/vuln/*` APIs and filters surfacing tenant-scoped findings with policy/VEX badges so Docs/UI teams can document workflows. Dependencies: WEB-CONSOLE-23-001, CONCELIER-GRAPH-21-001. | Console Guild, BE-Base Platform Guild (src/Web/StellaOps.Web)
+CONSOLE-VULN-29-001 `Vulnerability workspace` | BLOCKED (2025-11-19) | Awaiting WEB-CONSOLE-23-001 contract and Concelier graph schema; cannot finalize endpoints until schemas freeze. | Console Guild, BE-Base Platform Guild (src/Web/StellaOps.Web)
 > 2025-11-07: API scaffolding kicked off; `docs/advisory-ai/console.md` consuming placeholder responses until this lands. Scheduler/Signals hooks queued once filters stabilized.
 > 2025-11-08: Driving filter + reachability badge wiring plus `/console/vuln/search` DTOs to keep DOCS-AIAI-31-004 on real payloads; aligning Signals/Scheduler dependencies now that upstream tickets exist.
 > 2025-11-08: Published HTTP contract + sample payloads in `docs/api/console/workspaces.md` and `docs/api/console/samples/vuln-findings-sample.json` so Docs can stage screenshots while backend wires up.
-CONSOLE-VEX-30-001 `VEX evidence workspace` | DOING (2025-11-08) | Provide `/console/vex/*` APIs streaming VEX statements, justification summaries, and advisory links with SSE refresh hooks. Dependencies: WEB-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001. | Console Guild, BE-Base Platform Guild (src/Web/StellaOps.Web)
+CONSOLE-VEX-30-001 `VEX evidence workspace` | BLOCKED (2025-11-19) | Blocked on WEB-CONSOLE-23-001 and Excititor console contract; needs validated SSE payload + schemas. | Console Guild, BE-Base Platform Guild (src/Web/StellaOps.Web)
 > 2025-11-07: Endpoint contract draft in progress to unblock DOCS-AIAI-31-004 screenshot capture once responses are wired.
 > 2025-11-08: Building SSE controller + `/console/vex/events` payloads and syncing Scheduler Signals tasks so DOCS-AIAI-31-004 can embed live data.
 > 2025-11-08: SSE schema + NDJSON sample captured in `docs/api/console/workspaces.md` and `docs/api/console/samples/vex-statement-sse.ndjson`; waiting on Scheduler topic hook-up.
@@ -34,3 +34,4 @@ WEB-EXC-25-001 `Exceptions CRUD & workflow` | TODO | Implement `/exceptions` API
 ## Updates
 - 2025-11-18: WEB-CONTAINERS-44-001 completed — added quickstart banner, `/welcome` config discovery page, and sample config values to surface safe deployment info.
 - 2025-11-19: WEB-CONTAINERS-45-001 completed — readiness/liveness/version JSON assets added for helm probes; config discovery is live via `/welcome`.
+- 2025-11-19: CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001 marked BLOCKED pending WEB-CONSOLE-23-001 and upstream Concelier/Excititor schemas. |

docs/implplan/SPRINT_213_web_ii.md

@@ -12,9 +12,9 @@ WEB-EXC-25-003 `Notifications & events` | TODO | Publish `exception.*` events, i
 WEB-EXPORT-35-001 `Export routing` | TODO | Surface Export Center APIs (profiles/runs/download) through gateway with tenant scoping, streaming support, and viewer/operator scope checks. | BE-Base Platform Guild (src/Web/StellaOps.Web)
 WEB-EXPORT-36-001 `Distribution endpoints` | TODO | Add distribution routes (OCI/object storage), manifest/provenance proxies, and signed URL generation. Dependencies: WEB-EXPORT-35-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
 WEB-EXPORT-37-001 `Scheduling & verification` | TODO | Expose scheduling, retention, encryption parameters, and verification endpoints with admin scope enforcement and audit logs. Dependencies: WEB-EXPORT-36-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
-WEB-GRAPH-SPEC-21-000 `Graph API/overlay spec drop` | DOING | Drafted gateway spec stub `docs/api/graph-gateway-spec-draft.yaml`; pending Graph Platform ratification. | BE-Base Platform Guild, Graph Platform Guild (src/Web/StellaOps.Web)
+WEB-GRAPH-SPEC-21-000 `Graph API/overlay spec drop` | BLOCKED | Draft stub exists; awaiting Graph Platform ratification of overlay format and cache schema. | BE-Base Platform Guild, Graph Platform Guild (src/Web/StellaOps.Web)
-WEB-GRAPH-21-001 `Graph endpoints` | DOING | Use draft gateway spec `docs/api/graph-gateway-spec-draft.yaml` to add routes for graph versions/viewport/node/path/diff/export with RBAC + streaming. | BE-Base Platform Guild, Graph Platform Guild (src/Web/StellaOps.Web)
+WEB-GRAPH-21-001 `Graph endpoints` | BLOCKED | Depends on ratified spec `WEB-GRAPH-SPEC-21-000`. | BE-Base Platform Guild, Graph Platform Guild (src/Web/StellaOps.Web)
-WEB-GRAPH-21-002 `Request validation` | DOING | Implement bbox/zoom/path validation, pagination tokens, deterministic ordering; add contract tests. Dependencies: WEB-GRAPH-21-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
+WEB-GRAPH-21-002 `Request validation` | BLOCKED | Depends on WEB-GRAPH-21-001 and final overlay schema. | BE-Base Platform Guild (src/Web/StellaOps.Web)
 WEB-GRAPH-21-003 `Error mapping & exports` | TODO | Map graph service errors to `ERR_Graph_*`, support GraphML/JSONL export streaming, document rate limits. Dependencies: WEB-GRAPH-21-002. | BE-Base Platform Guild, QA Guild (src/Web/StellaOps.Web)
 WEB-GRAPH-21-004 `Overlay pass-through` | TODO | Proxy Policy Engine overlays while keeping gateway stateless; maintain streaming budgets. Dependencies: WEB-GRAPH-21-003. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web)
 WEB-GRAPH-24-001 `Gateway proxy refresh` | TODO | Gateway proxy for Graph API and Policy overlays with RBAC, caching, pagination, ETags, and streaming; zero business logic. Dependencies: WEB-GRAPH-21-004. | BE-Base Platform Guild (src/Web/StellaOps.Web)

docs/implplan/SPRINT_215_web_iv.md

@@ -1,24 +1,3 @@
-# Sprint 215 - Experience & SDKs · 180.F) Web.IV
+# Sprint 215 Web IV (legacy file)
 
-Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
+This sprint has been renamed to `SPRINT_0215_0001_0001_web_iv.md` and normalized to the standard template on 2025-11-19. Please update links to point to the new file.
-
-[Experience & SDKs] 180.F) Web.IV
-Depends on: Sprint 180.F - Web.III
-Summary: Experience & SDKs focus on Web (phase IV).
-Task ID | State | Task description | Owners (Source)
---- | --- | --- | ---
-WEB-ORCH-33-001 `Control + backfill actions` | TODO | Add POST action routes (`pause. Dependencies: WEB-ORCH-32-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
-WEB-ORCH-34-001 `Quotas & telemetry` | TODO | Surface quotas/backfill APIs, queue/backpressure metrics, and error clustering routes with admin scope enforcement and audit logging. Dependencies: WEB-ORCH-33-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
-WEB-POLICY-20-001 `Policy endpoints` | TODO | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI, tenant scoping, and service identity enforcement. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web)
-WEB-POLICY-20-002 `Pagination & filters` | TODO | Add pagination, filtering, sorting, and tenant guards to listings for policies, runs, and findings; include deterministic ordering and query diagnostics. Dependencies: WEB-POLICY-20-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
-WEB-POLICY-20-003 `Error mapping` | TODO | Map engine errors to `ERR_POL_*` responses with consistent payloads and contract tests; expose correlation IDs in headers. Dependencies: WEB-POLICY-20-002. | BE-Base Platform Guild, QA Guild (src/Web/StellaOps.Web)
-WEB-POLICY-20-004 `Simulate rate limits` | TODO | Introduce adaptive rate limiting + quotas for simulation endpoints, expose metrics, and document retry headers. Dependencies: WEB-POLICY-20-003. | Platform Reliability Guild (src/Web/StellaOps.Web)
-WEB-POLICY-23-001 `Policy pack CRUD` | BLOCKED (2025-10-29) | Implement API endpoints for creating/listing/fetching policy packs and revisions (`/policy/packs`, `/policy/packs/{id}/revisions`) with pagination, RBAC, and AOC metadata exposure. (Tracked via Sprint 18.5 gateway tasks.). Dependencies: WEB-POLICY-20-004. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web)
-WEB-POLICY-23-002 `Activation & scope` | BLOCKED (2025-10-29) | Add activation endpoint with scope windows, conflict checks, and optional 2-person approval integration; emit events on success. (Tracked via Sprint 18.5 gateway tasks.). Dependencies: WEB-POLICY-23-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
-WEB-POLICY-23-003 `Simulation & evaluation` | TODO | Provide `/policy/simulate` and `/policy/evaluate` endpoints with streaming responses, rate limiting, and error mapping. Dependencies: WEB-POLICY-23-002. | BE-Base Platform Guild (src/Web/StellaOps.Web)
-WEB-POLICY-23-004 `Explain retrieval` | TODO | Expose explain history endpoints (`/policy/runs`, `/policy/runs/{id}`) including decision tree, sources consulted, and AOC chain. Dependencies: WEB-POLICY-23-003. | BE-Base Platform Guild (src/Web/StellaOps.Web)
-WEB-POLICY-27-001 `Policy registry proxy` | TODO | Surface Policy Registry APIs (`/policy/workspaces`, `/policy/versions`, `/policy/reviews`, `/policy/registry`) through gateway with tenant scoping, RBAC, and request validation; ensure streaming downloads for evidence bundles. Dependencies: WEB-POLICY-23-004. | BE-Base Platform Guild, Policy Registry Guild (src/Web/StellaOps.Web)
-WEB-POLICY-27-002 `Review & approval routes` | TODO | Implement review lifecycle endpoints (open, comment, approve/reject) with audit headers, comment pagination, and webhook fan-out. Dependencies: WEB-POLICY-27-001. | BE-Base Platform Guild (src/Web/StellaOps.Web)
-WEB-POLICY-27-003 `Simulation orchestration endpoints` | TODO | Expose quick/batch simulation endpoints with SSE progress (`/policy/simulations/{runId}/stream`), cursor-based result pagination, and manifest download routes. Dependencies: WEB-POLICY-27-002. | BE-Base Platform Guild, Scheduler Guild (src/Web/StellaOps.Web)
-WEB-POLICY-27-004 `Publish & promote controls` | TODO | Add publish/sign/promote/rollback endpoints with idempotent request IDs, canary parameters, and environment bindings; enforce scope checks and emit structured events. Dependencies: WEB-POLICY-27-003. | BE-Base Platform Guild, Security Guild (src/Web/StellaOps.Web)
-WEB-POLICY-27-005 `Policy Studio telemetry` | TODO | Instrument metrics/logs for compile latency, simulation queue depth, approval latency, promotion actions; expose aggregated dashboards and correlation IDs for Console. Dependencies: WEB-POLICY-27-004. | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web)

docs/implplan/SPRINT_300_documentation_process.md

@@ -16,13 +16,14 @@
 ## Task Board
 | Stream | Status | Owner(s) | Dependencies | Notes |
 | --- | --- | --- | --- | --- |
-| 200.A Docs Tasks.md ladder (Sprint 301 onwards) | DOING (2025-11-13) | Docs Guild · Ops Guild | Attestor 100.A; Advisory AI 110.A; AirGap 120.A; Scanner 130.A; Graph 140.A; Orchestrator 150.A; EvidenceLocker 160.A; Notifier 170.A; CLI 180.A; Ops Deployment 190.A | Implementing new implplan template, aligning Md.I backlog before subsequent Md phases move. |
+| 200.A Docs Tasks.md ladder (Sprint 301 onwards) | BLOCKED (2025-11-19) | Docs Guild · Ops Guild | Attestor 100.A; Advisory AI 110.A; AirGap 120.A; Scanner 130.A; Graph 140.A; Orchestrator 150.A; EvidenceLocker 160.A; Notifier 170.A; CLI 180.A; Ops Deployment 190.A | Awaiting upstream artefacts (SBOM/CLI/Policy/AirGap determinism) before Md.I template rollout can continue. |
 | 200.B Module dossiers (Sprints 312–335) | TODO | Docs Guild · Module Guild owners | Docs Tasks Md ladder to at least Md.II; Ops deployment evidence | Stays queued until Docs Tasks Md ladder provides updated process + assets. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-13 | Sprint 300 switched to topic-oriented template; Docs Tasks Md ladder marked DOING to reflect ongoing restructuring work. | Docs Guild |
+| 2025-11-19 | Marked Docs Tasks Md ladder BLOCKED pending upstream artefacts for Md.I dossier rollouts. | Implementer |
 
 ## Decisions & Risks
 | Item | Type | Owner(s) | Due | Notes |

docs/implplan/SPRINT_301_docs_tasks_md_i.md

@@ -21,7 +21,7 @@
 | Task ID | Status | Owner(s) | Dependencies | Notes |
 | --- | --- | --- | --- | --- |
 | DOCS-UNBLOCK-CLI-KNOBS-301 | BLOCKED | CLI Guild · Policy Guild · DevEx Guild | Await delivery of CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001 artifacts to package fixtures/screenshots. | Produce screenshots/JSON fixtures and changelog so DOCS-AIAI-31-005..009 can proceed. |
-| DOCS-AIAI-31-004 | DOING (2025-11-07) | Docs Guild · Console Guild | DOCS-AIAI-31-003; CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; EXCITITOR-CONSOLE-23-001 | `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. |
+| DOCS-AIAI-31-004 | TODO | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 | `/docs/advisory-ai/console.md` with fixtures available; final screenshots await SBOM evidence. |
 | DOCS-AIAI-31-005 | BLOCKED (2025-11-03) | Docs Guild · DevEx/CLI Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; DOCS-UNBLOCK-CLI-KNOBS-301 | `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. |
 | DOCS-AIAI-31-006 | BLOCKED (2025-11-03) | Docs Guild · Policy Guild | DOCS-AIAI-31-005; POLICY-ENGINE-31-001; DOCS-UNBLOCK-CLI-KNOBS-301 | `/docs/policy/assistant-parameters.md` for temperature, token limits, ranking weights, TTLs. |
 | DOCS-AIAI-31-008 | BLOCKED (2025-11-03) | Docs Guild · SBOM Service Guild | DOCS-AIAI-31-007; SBOM-AIAI-31-001; DOCS-UNBLOCK-CLI-KNOBS-301 | `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). |
@@ -32,7 +32,7 @@
 | DOCS-AIRGAP-56-004 | TODO | Docs Guild · Deployment Guild | DOCS-AIRGAP-56-003 | `/docs/airgap/bootstrap.md` covering Bootstrap Pack creation + install. |
 | DOCS-AIRGAP-57-001 | TODO | Docs Guild · AirGap Time Guild | DOCS-AIRGAP-56-004 | `/docs/airgap/staleness-and-time.md` (time anchors, drift, UI indicators). |
 | DOCS-AIRGAP-57-002 | TODO | Docs Guild · Console Guild | DOCS-AIRGAP-57-001 | `/docs/console/airgap.md` (sealed badge, import wizard, staleness dashboards). |
-| DOCS-SCANNER-DET-01 | DOING (2025-11-09) | Docs Guild · Scanner Guild | Sprint 136 outputs; scanner determinism fixtures | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates. |
+| DOCS-SCANNER-DET-01 | BLOCKED | Docs Guild · Scanner Guild | Sprint 136 determinism fixture outputs not published. | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates. |
 | DOCS-POLICY-DET-01 | TODO | Docs Guild · Policy Guild | POLICY-DET backlog | Extend `docs/modules/policy/architecture.md` with determinism gate semantics and provenance references. |
 | DOCS-CLI-DET-01 | TODO | Docs Guild · DevEx/CLI Guild | CLI-SBOM-60-001; CLI-SBOM-60-002 | Document `stella sbomer` verbs (`layer`, `compose`, `drift`, `verify`) with examples & offline instructions. |
 
@@ -43,7 +43,9 @@
 | 2025-11-09 | Task inventory imported from legacy sprint file; SBOM/service dependencies flagged. | Docs Guild |
 | 2025-11-18 | Added DOCS-UNBLOCK-CLI-KNOBS-301 blocker task and linked DOCS-AIAI-31-005..009 to it. | Project PM |
 | 2025-11-18 | Set DOCS-UNBLOCK-CLI-KNOBS-301 to DOING; packaging CLI verbs/policy knobs artifacts for docs unblock. | Implementer |
+| 2025-11-19 | DOCS-UNBLOCK-CLI-KNOBS-301 remains BLOCKED; upstream CLI/Policy artefacts still missing. | Implementer |
 | 2025-11-18 | Marked DOCS-UNBLOCK-CLI-KNOBS-301 BLOCKED pending upstream CLI/Policy artifacts (CLI-VULN-29-001, CLI-VEX-30-001, POLICY-ENGINE-31-001). | Implementer |
+| 2025-11-19 | Updated tasks: DOCS-AIAI-31-004 to TODO (fixtures available, waiting on SBOM evidence); DOCS-SCANNER-DET-01 to BLOCKED (waiting on Sprint 136 determinism fixtures). | Implementer |
 
 ## Decisions & Risks
 ### Decisions

docs/implplan/SPRINT_333_docs_modules_excititor.md

@@ -10,6 +10,6 @@ Task ID | State | Task description | Owners (Source)
 EXCITOR-DOCS-0001 | DONE (2025-11-07) | Validate that `docs/modules/excitor/README.md` matches the latest release notes and consensus beta notes. | Docs Guild (docs/modules/excitor)
 EXCITOR-OPS-0001 | DONE (2025-11-07) | Review runbooks/observability assets, adding the checklist captured in `docs/modules/excitor/mirrors.md`. | Ops Guild (docs/modules/excitor)
 EXCITOR-ENG-0001 | DONE (2025-11-07) | Ensure the implementation plan sprint alignment table stays current with `SPRINT_200` updates. | Module Team (docs/modules/excitor)
-EXCITITOR-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/excititor)
+EXCITITOR-DOCS-0001 | BLOCKED (2025-11-19) | Waiting on Excititor chunk API CI validation + console contracts; cannot finalize docs until tests pass and OpenAPI frozen. | Docs Guild (docs/modules/excititor)
 EXCITITOR-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/excititor)
 EXCITITOR-OPS-0001 | TODO | Sync outcomes back to ../.. | Ops Guild (docs/modules/excititor)

docs/implplan/SPRINT_511_api.md

@@ -8,15 +8,15 @@ Summary: Ops & Offline focus on Api).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 APIGOV-61-001 | DONE (2025-11-18) | Spectral config + CI workflow added; npm script `api:lint` runs spectral via npx. | API Governance Guild (src/Api/StellaOps.Api.Governance)
-APIGOV-61-002 | TODO | Implement example coverage checker ensuring every operation has at least one request/response example. Dependencies: APIGOV-61-001. | API Governance Guild (src/Api/StellaOps.Api.Governance)
+APIGOV-61-002 | DONE (2025-11-18) | Implement example coverage checker ensuring every operation has at least one request/response example. Dependencies: APIGOV-61-001. | API Governance Guild (src/Api/StellaOps.Api.Governance)
-APIGOV-62-001 | TODO | Build compatibility diff tool producing additive/breaking reports comparing prior release. Dependencies: APIGOV-61-002. | API Governance Guild (src/Api/StellaOps.Api.Governance)
+APIGOV-62-001 | DONE (2025-11-18) | Build compatibility diff tool producing additive/breaking reports comparing prior release. Dependencies: APIGOV-61-002. | API Governance Guild (src/Api/StellaOps.Api.Governance)
 APIGOV-62-002 | TODO | Automate changelog generation and publish signed artifacts to `src/Sdk/StellaOps.Sdk.Release` pipeline. Dependencies: APIGOV-62-001. | API Governance Guild, DevOps Guild (src/Api/StellaOps.Api.Governance)
-APIGOV-63-001 | TODO | Integrate deprecation metadata into Notification Studio templates for API sunset events. Dependencies: APIGOV-62-002. | API Governance Guild, Notifications Guild (src/Api/StellaOps.Api.Governance)
+APIGOV-63-001 | BLOCKED | Notification Studio templates and deprecation metadata schema not present; waiting on Notifications Guild assets. | API Governance Guild, Notifications Guild (src/Api/StellaOps.Api.Governance)
-OAS-61-001 | TODO | Scaffold per-service OpenAPI 3.1 files with shared components, info blocks, and initial path stubs. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
+OAS-61-001 | DONE (2025-11-18) | Scaffold per-service OpenAPI 3.1 files with shared components, info blocks, and initial path stubs. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
-OAS-61-002 | TODO | Implement aggregate composer (`stella.yaml`) resolving `$ref`s and merging shared components; wire into CI. Dependencies: OAS-61-001. | API Contracts Guild, DevOps Guild (src/Api/StellaOps.Api.OpenApi)
+OAS-61-002 | DONE (2025-11-18) | Implement aggregate composer (`stella.yaml`) resolving `$ref`s and merging shared components; wire into CI. Dependencies: OAS-61-001. | API Contracts Guild, DevOps Guild (src/Api/StellaOps.Api.OpenApi)
-OAS-62-001 | TODO | Populate request/response examples for top 50 endpoints, including standard error envelope. Dependencies: OAS-61-002. | API Contracts Guild, Service Guilds (src/Api/StellaOps.Api.OpenApi)
+OAS-62-001 | BLOCKED (2025-11-19) | Populate request/response examples for top 50 endpoints, including standard error envelope. Dependencies: OAS-61-002 not ratified; waiting on approved examples + error envelope. | API Contracts Guild, Service Guilds (src/Api/StellaOps.Api.OpenApi)
-OAS-62-002 | TODO | Add custom lint rules enforcing pagination, idempotency headers, naming conventions, and example coverage. Dependencies: OAS-62-001. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
+OAS-62-002 | BLOCKED | Depends on 62-001 examples to tune lint rules. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
-OAS-63-001 | TODO | Implement compatibility diff tooling comparing previous release specs; classify breaking vs additive changes. Dependencies: OAS-62-002. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
+OAS-63-001 | BLOCKED | Compat diff enhancements depend on 62-002 lint + examples output. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
 OAS-63-002 | TODO | Add `/.well-known/openapi` discovery endpoint schema metadata (extensions, version info). Dependencies: OAS-63-001. | API Contracts Guild, Gateway Guild (src/Api/StellaOps.Api.OpenApi)
 
 ## Execution Log
@@ -24,3 +24,7 @@ OAS-63-002 | TODO | Add `/.well-known/openapi` discovery endpoint schema metadat
 | --- | --- | --- |
 | 2025-11-08 | Archived completed/historic work to docs/implplan/archived/tasks.md (updated 2025-11-08). | Planning |
 | 2025-11-18 | Added Spectral config (`.spectral.yaml`), npm `api:lint` (npx spectral) script, and CI workflow `.gitea/workflows/api-governance.yml`; marked APIGOV-61-001 DONE. | API Governance Guild |
+| 2025-11-18 | Implemented example coverage checker (`api:examples`), aggregate composer `compose.mjs`, and initial per-service OAS stubs (authority/orchestrator/policy/export-center); OAS-61-001/002 set to DONE. | API Contracts Guild |
+| 2025-11-19 | Added scheduler/export-center/graph shared endpoints, shared paging/security components, and CI diff gates (previous commit + baseline). Created baseline `stella-baseline.yaml`. | API Contracts Guild |
+| 2025-11-19 | Implemented API changelog generator (`api:changelog`), wired compose/examples/compat/changelog into CI, and added new policy revisions + scheduler queue/job endpoints. | API Contracts Guild |
+| 2025-11-19 | Marked OAS-62-001 BLOCKED pending OAS-61-002 ratification and approved examples/error envelope. | Implementer |

docs/implplan/blocked_tree.md

@@ -0,0 +1,390 @@
+# SPRINT_0110_0001_0001_ingestion_evidence.md
+- SBOM-AIAI-31-003 [BLOCKED] (SPRINT_110_ingestion_evidence.md:32)
+- DOCS-AIAI-31-005/006/008/009 [BLOCKED] (SPRINT_110_ingestion_evidence.md:33)
+- CONCELIER-AIRGAP-56-001..58-001 [BLOCKED] (SPRINT_110_ingestion_evidence.md:36)
+- CONCELIER-CONSOLE-23-001..003 [BLOCKED] (SPRINT_110_ingestion_evidence.md:37)
+- CONCELIER-ATTEST-73-001/002 [BLOCKED] (SPRINT_110_ingestion_evidence.md:38)
+- FEEDCONN-ICSCISA-02-012 / KISA-02-008 [BLOCKED] (SPRINT_0110_0001_0001_ingestion_evidence.md:47)
+  - PREP-FEEDCONN-ICS-KISA-PLAN [TODO] (SPRINT_110_ingestion_evidence.md:26)
+
+# SPRINT_0114_0001_0003_concelier_iii.md
+- CONCELIER-OAS-61-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:37)
+  - PREP-CONCELIER-OAS-61-001-LNM-SCHEMA-FROZEN-2 [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:23)
+- CONCELIER-OAS-61-002 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:38)
+  - PREP-CONCELIER-OAS-61-002-DEPENDS-ON-61-001-B [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:24)
+- CONCELIER-OAS-62-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:39)
+  - PREP-CONCELIER-OAS-62-001-DEPENDS-ON-61-002-B [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:25)
+- CONCELIER-OAS-63-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:40)
+  - PREP-CONCELIER-OAS-63-001-DEPENDS-ON-62-001-B [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:26)
+- CONCELIER-OBS-51-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:41)
+  - PREP-CONCELIER-OBS-51-001-AWAIT-OBSERVABILITY [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:27)
+- CONCELIER-OBS-52-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:42)
+  - PREP-CONCELIER-OBS-52-001-DEPENDS-ON-51-001-M [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:28)
+- CONCELIER-OBS-53-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:43)
+  - PREP-CONCELIER-OBS-53-001-DEPENDS-ON-52-001-B [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:29)
+- CONCELIER-OBS-54-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:44)
+  - PREP-CONCELIER-OBS-54-001-DEPENDS-ON-OBS-TIME [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:30)
+- CONCELIER-OBS-55-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:45)
+  - PREP-CONCELIER-OBS-55-001-DEPENDS-ON-54-001-I [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:31)
+- CONCELIER-ORCH-32-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:46)
+  - PREP-CONCELIER-ORCH-32-001-ORCHESTRATOR-REGIS [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:32)
+- CONCELIER-ORCH-32-002 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:47)
+  - PREP-CONCELIER-ORCH-32-002-DEPENDS-ON-32-001 [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:33)
+- CONCELIER-ORCH-33-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:48)
+  - PREP-CONCELIER-ORCH-33-001-DEPENDS-ON-32-002 [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:34)
+- CONCELIER-ORCH-34-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:49)
+  - PREP-CONCELIER-ORCH-34-001-DEPENDS-ON-33-001 [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:35)
+- CONCELIER-POLICY-20-001 [BLOCKED] (SPRINT_0114_0001_0003_concelier_iii.md:50)
+  - PREP-CONCELIER-POLICY-20-001-LNM-APIS-NOT-EXP [TODO] (SPRINT_0114_0001_0003_concelier_iii.md:36)
+
+# SPRINT_0115_0001_0004_concelier_iv.md
+- CONCELIER-RISK-66-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:31)
+  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
+- CONCELIER-RISK-66-002 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:32)
+  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
+- CONCELIER-RISK-67-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:33)
+  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
+- CONCELIER-RISK-68-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:34)
+  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
+  - POLICY-RISK-68-001 [TODO] (SPRINT_0128_0001_0001_policy_reasoning.md:24)
+- CONCELIER-RISK-69-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:35)
+  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
+- CONCELIER-SIG-26-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:36)
+  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
+  - SIGNALS-24-002 [DOING (2025-11-07)] (SPRINT_0143_0000_0001_signals.md:24)
+    - SIGNALS-24-001 [DONE (2025-11-09)] (SPRINT_0143_0000_0001_signals.md:23)
+      …
+- CONCELIER-STORE-AOC-19-005 [BLOCKED (2025-11-04)] (SPRINT_0115_0001_0004_concelier_iv.md:37)
+  - PREP-CONCELIER-CORE-AOC-19-004 [TODO] (SPRINT_0115_0001_0004_concelier_iv.md:23)
+- CONCELIER-TEN-48-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:38)
+  - POLICY-AUTH-SIGNALS-LIB-115 [DOING] (SPRINT_0115_0001_0004_concelier_iv.md:26)
+  - PREP-AUTH-TEN-47-001 [TODO] (SPRINT_0115_0001_0004_concelier_iv.md:24)
+- CONCELIER-VEXLENS-30-001 [BLOCKED] (SPRINT_0115_0001_0004_concelier_iv.md:39)
+  - PREP-CONCELIER-VULN-29-001 [TODO] (SPRINT_0115_0001_0004_concelier_iv.md:25)
+  - VEXLENS-30-005 [TODO] (SPRINT_0129_0001_0001_policy_reasoning.md:42)
+
+# SPRINT_0119_0001_0001_excititor_i.md
+- EXCITITOR-AIRGAP-56-001 [TODO] (SPRINT_0119_0001_0005_excititor_v.md:30)
+- EXCITITOR-AIRGAP-57-001 [BLOCKED] (SPRINT_0119_0001_0001_excititor_i.md:35)
+  - PREP-EXCITITOR-AIRGAP-57-001-BLOCKED-ON-56-00 [TODO] (SPRINT_0119_0001_0001_excititor_i.md:26)
+- EXCITITOR-AIRGAP-58-001 [TODO] (SPRINT_0119_0001_0005_excititor_v.md:31)
+- EXCITITOR-CONN-TRUST-01-001 [BLOCKED] (SPRINT_0119_0001_0001_excititor_i.md:40)
+  - PREP-EXCITITOR-CONN-TRUST-01-001-CONNECTOR-SI [TODO] (SPRINT_0119_0001_0001_excititor_i.md:28)
+
+# SPRINT_0119_0001_0002_excititor_ii.md
+- EXCITITOR-CONSOLE-23-001 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:44)
+  - PREP-EXCITITOR-CONSOLE-23-001-AWAITING-CONCRE [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:25)
+- EXCITITOR-CONSOLE-23-002 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:45)
+  - PREP-EXCITITOR-CONSOLE-23-002-DEPENDS-ON-23-0 [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:26)
+- EXCITITOR-CONSOLE-23-003 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:46)
+  - PREP-EXCITITOR-CONSOLE-23-003-DEPENDS-ON-23-0 [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:27)
+- EXCITITOR-CORE-AOC-19-002 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:47)
+  - PREP-EXCITITOR-CORE-AOC-19-002-LINKSET-EXTRAC [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:28)
+- EXCITITOR-CORE-AOC-19-003 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:48)
+  - PREP-EXCITITOR-CORE-AOC-19-003-BLOCKED-ON-19 [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:29)
+- EXCITITOR-CORE-AOC-19-004 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:49)
+  - PREP-EXCITITOR-CORE-AOC-19-004-REMOVE-CONSENS [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:30)
+- EXCITITOR-CORE-AOC-19-013 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:50)
+  - PREP-EXCITITOR-CORE-AOC-19-013-SEED-TENANT-AW [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:31)
+- EXCITITOR-GRAPH-21-001 [BLOCKED (2025-10-27)] (SPRINT_0119_0001_0002_excititor_ii.md:51)
+  - PREP-EXCITITOR-GRAPH-21-001-NEEDS-CARTOGRAPHE [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:32)
+- EXCITITOR-GRAPH-21-002 [BLOCKED (2025-10-27)] (SPRINT_0119_0001_0002_excititor_ii.md:52)
+  - PREP-EXCITITOR-GRAPH-21-002-BLOCKED-ON-21-001 [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:33)
+- EXCITITOR-GRAPH-21-005 [BLOCKED (2025-10-27)] (SPRINT_0119_0001_0002_excititor_ii.md:53)
+  - PREP-EXCITITOR-GRAPH-21-005-BLOCKED-ON-21-002 [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:34)
+- EXCITITOR-GRAPH-24-101 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:54)
+  - PREP-EXCITITOR-GRAPH-24-101-WAIT-FOR-21-005-I [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:35)
+- EXCITITOR-GRAPH-24-102 [BLOCKED (2025-11-17)] (SPRINT_0119_0001_0002_excititor_ii.md:55)
+  - PREP-EXCITITOR-GRAPH-24-102-DEPENDS-ON-24-101 [TODO] (SPRINT_0119_0001_0002_excititor_ii.md:36)
+- Console APIs [BLOCKED (await contract; LNM view spec needed)] (SPRINT_0119_0001_0002_excititor_ii.md:62)
+- Ingestion idempotency [BLOCKED (linkset schema pending)] (SPRINT_0119_0001_0002_excititor_ii.md:63)
+- Consensus removal [BLOCKED (depends on 19-002/003)] (SPRINT_0119_0001_0002_excititor_ii.md:64)
+- Graph overlays [BLOCKED (awaiting Cartographer contract)] (SPRINT_0119_0001_0002_excititor_ii.md:65)
+
+# SPRINT_0120_0000_0001_policy_reasoning.md
+- LEDGER-29-008 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:46)
+  - PREP-LEDGER-29-008-AWAIT-OBSERVABILITY-SCHEMA [TODO] (SPRINT_0120_0000_0001_policy_reasoning.md:42)
+- LEDGER-29-009 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:47)
+  - LEDGER-29-008 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:46)
+    - PREP-LEDGER-29-008-AWAIT-OBSERVABILITY-SCHEMA [TODO] (SPRINT_0120_0000_0001_policy_reasoning.md:42)
+- LEDGER-34-101 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:48)
+  - PREP-LEDGER-34-101-ORCHESTRATOR-LEDGER-EXPORT [TODO] (SPRINT_0120_0000_0001_policy_reasoning.md:43)
+- LEDGER-AIRGAP-56-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:49)
+  - PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM [TODO] (SPRINT_0120_0000_0001_policy_reasoning.md:44)
+- LEDGER-AIRGAP-56-002 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:50)
+  - LEDGER-AIRGAP-56-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:49)
+    - PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM [TODO] (SPRINT_0120_0000_0001_policy_reasoning.md:44)
+- LEDGER-AIRGAP-57-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:51)
+  - LEDGER-AIRGAP-56-002 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:50)
+    - LEDGER-AIRGAP-56-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:49)
+      …
+- LEDGER-AIRGAP-58-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:52)
+  - LEDGER-AIRGAP-57-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:51)
+    - LEDGER-AIRGAP-56-002 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:50)
+      …
+- LEDGER-ATTEST-73-001 [BLOCKED] (SPRINT_0120_0000_0001_policy_reasoning.md:53)
+  - NOTIFY-ATTEST-74-001 [**DOING (2025-11-12)**] (SPRINT_171_notifier_i.md:10)
+
+# SPRINT_0123_0001_0001_policy_reasoning.md
+- EXPORT-CONSOLE-23-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:38)
+  - PREP-EXPORT-CONSOLE-23-001-MISSING-EXPORT-BUN [TODO] (SPRINT_123_policy_reasoning.md:13)
+- POLICY-AIRGAP-56-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:39)
+  - PREP-POLICY-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM [TODO] (SPRINT_123_policy_reasoning.md:14)
+- POLICY-AIRGAP-56-002 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:40)
+  - PREP-POLICY-AIRGAP-56-002-DEPENDS-ON-56-001-B [TODO] (SPRINT_123_policy_reasoning.md:15)
+- POLICY-AIRGAP-57-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:41)
+  - PREP-POLICY-AIRGAP-57-001-REQUIRES-SEALED-MOD [TODO] (SPRINT_123_policy_reasoning.md:16)
+- POLICY-AIRGAP-57-002 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:42)
+  - PREP-POLICY-AIRGAP-57-002-NEEDS-STALENESS-FAL [TODO] (SPRINT_123_policy_reasoning.md:17)
+- POLICY-AIRGAP-58-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:43)
+  - PREP-POLICY-AIRGAP-58-001-NOTIFICATION-SCHEMA [TODO] (SPRINT_123_policy_reasoning.md:18)
+- POLICY-AOC-19-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:44)
+  - PREP-POLICY-AOC-19-001-LINTING-TARGETS-SPEC-A [TODO] (SPRINT_0123_0001_0001_policy_reasoning.md:29)
+- POLICY-AOC-19-002 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:45)
+  - PREP-POLICY-AOC-19-002-DEPENDS-ON-19-001-LINT [TODO] (SPRINT_123_policy_reasoning.md:20)
+- POLICY-AOC-19-003 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:46)
+  - PREP-POLICY-AOC-19-003-REQUIRES-POST-19-002-N [TODO] (SPRINT_0123_0001_0001_policy_reasoning.md:31)
+- POLICY-AOC-19-004 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:47)
+  - PREP-POLICY-AOC-19-004-DEPENDS-ON-19-003-SHAP [TODO] (SPRINT_0123_0001_0001_policy_reasoning.md:32)
+- POLICY-ATTEST-73-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:48)
+  - PREP-POLICY-ATTEST-73-001-VERIFICATIONPOLICY [TODO] (SPRINT_0123_0001_0001_policy_reasoning.md:33)
+- POLICY-ATTEST-73-002 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:49)
+  - PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E [TODO] (SPRINT_123_policy_reasoning.md:24)
+- POLICY-ATTEST-74-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:50)
+  - PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-ATT [TODO] (SPRINT_0123_0001_0001_policy_reasoning.md:35)
+- POLICY-ATTEST-74-002 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:51)
+  - PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC [TODO] (SPRINT_123_policy_reasoning.md:26)
+- POLICY-CONSOLE-23-001 [BLOCKED] (SPRINT_0123_0001_0001_policy_reasoning.md:52)
+  - PREP-POLICY-CONSOLE-23-001-CONSOLE-API-CONTRA [TODO] (SPRINT_0123_0001_0001_policy_reasoning.md:37)
+
+# SPRINT_0125_0001_0001_mirror.md
+- MIRROR-CRT-56-001 [BLOCKED] (SPRINT_110_ingestion_evidence.md:46)
+- MIRROR-CRT-56-002 [BLOCKED] (SPRINT_110_ingestion_evidence.md:47)
+- MIRROR-CRT-57-001 [BLOCKED] (SPRINT_0125_0001_0001_mirror.md:26)
+  - MIRROR-CRT-56-001 [BLOCKED] (SPRINT_110_ingestion_evidence.md:46)
+- MIRROR-CRT-57-002 [BLOCKED] (SPRINT_0125_0001_0001_mirror.md:27)
+  - MIRROR-CRT-56-002 [BLOCKED] (SPRINT_110_ingestion_evidence.md:47)
+  - AIRGAP-TIME-57-001 [BLOCKED] (SPRINT_0510_0001_0001_airgap.md:41)
+    - PREP-AIRGAP-TIME-57-001-TIME-COMPONENT-SCAFFO [TODO] (SPRINT_0510_0001_0001_airgap.md:29)
+- MIRROR-CRT-58-001 [BLOCKED] (SPRINT_0125_0001_0001_mirror.md:28)
+  - MIRROR-CRT-56-002 [BLOCKED] (SPRINT_110_ingestion_evidence.md:47)
+  - CLI-AIRGAP-56-001 [TODO] (SPRINT_201_cli_i.md:14)
+- MIRROR-CRT-58-002 [BLOCKED] (SPRINT_0125_0001_0001_mirror.md:29)
+  - MIRROR-CRT-56-002 [BLOCKED] (SPRINT_110_ingestion_evidence.md:47)
+  - EXPORT-OBS-54-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:38)
+    - EXPORT-OBS-53-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:37)
+      …
+- EXPORT-OBS-51-001 / 54-001 [BLOCKED] (SPRINT_0125_0001_0001_mirror.md:30)
+  - MIRROR-CRT-56-001 [BLOCKED] (SPRINT_110_ingestion_evidence.md:46)
+- AIRGAP-TIME-57-001 [BLOCKED] (SPRINT_0510_0001_0001_airgap.md:41)
+  - PREP-AIRGAP-TIME-57-001-TIME-COMPONENT-SCAFFO [TODO] (SPRINT_0510_0001_0001_airgap.md:29)
+- CLI-AIRGAP-56-001 [TODO] (SPRINT_201_cli_i.md:14)
+- PROV-OBS-53-001 [DONE (2025-11-17)] (SPRINT_513_provenance.md:10)
+
+# SPRINT_0125_0001_0001_policy_reasoning.md
+- POLICY-ENGINE-29-003 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:35)
+  - PREP-POLICY-ENGINE-29-002-PATH-SCOPE-SCHEMA [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:20)
+- POLICY-ENGINE-29-004 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:36)
+  - PREP-POLICY-ENGINE-29-004-DEPENDS-ON-29-003 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:21)
+- POLICY-ENGINE-30-001 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:37)
+  - PREP-POLICY-ENGINE-30-001-NEEDS-29-004-OUTPUT [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:22)
+- POLICY-ENGINE-30-002 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:38)
+  - PREP-POLICY-ENGINE-30-002-DEPENDS-ON-30-001 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:23)
+- POLICY-ENGINE-30-003 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:39)
+  - PREP-POLICY-ENGINE-30-003-DEPENDS-ON-30-002 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:24)
+- POLICY-ENGINE-30-101 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:40)
+  - PREP-POLICY-ENGINE-30-101-DEPENDS-ON-30-003 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:25)
+- POLICY-ENGINE-31-001 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:41)
+  - PREP-POLICY-ENGINE-31-001-DEPENDS-ON-30-101 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:26)
+- POLICY-ENGINE-31-002 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:42)
+  - PREP-POLICY-ENGINE-31-002-DEPENDS-ON-31-001 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:27)
+- POLICY-ENGINE-32-101 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:43)
+  - PREP-POLICY-ENGINE-32-101-DEPENDS-ON-31-002 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:28)
+- POLICY-ENGINE-33-101 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:44)
+  - PREP-POLICY-ENGINE-33-101-DEPENDS-ON-32-101 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:29)
+- POLICY-ENGINE-34-101 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:45)
+  - PREP-POLICY-ENGINE-34-101-DEPENDS-ON-33-101 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:30)
+- POLICY-ENGINE-35-201 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:46)
+  - PREP-POLICY-ENGINE-35-201-DEPENDS-ON-34-101 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:31)
+- POLICY-ENGINE-38-201 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:47)
+  - PREP-POLICY-ENGINE-38-201-DEPENDS-ON-35-201 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:32)
+- POLICY-ENGINE-40-001 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:48)
+  - PREP-POLICY-ENGINE-40-001-DEPENDS-ON-38-201 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:33)
+- POLICY-ENGINE-40-002 [BLOCKED (2025-11-18)] (SPRINT_0125_0001_0001_policy_reasoning.md:49)
+  - PREP-POLICY-ENGINE-40-002-DEPENDS-ON-40-001 [TODO] (SPRINT_0125_0001_0001_policy_reasoning.md:34)
+
+# SPRINT_0138_0000_0001_scanner_ruby_parity.md
+- SCANNER-ENG-0010 [BLOCKED] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:29)
+  - PREP-SCANNER-ENG-0010-AWAIT-COMPOSER-AUTOLOAD [TODO] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:22)
+- SCANNER-ENG-0011 [BLOCKED] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:30)
+  - PREP-SCANNER-ENG-0011-NEEDS-DENO-RUNTIME-ANAL [TODO] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:23)
+- SCANNER-ENG-0012 [BLOCKED] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:31)
+  - PREP-SCANNER-ENG-0012-DEFINE-DART-ANALYZER-RE [TODO] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:24)
+- SCANNER-ENG-0013 [BLOCKED] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:32)
+  - PREP-SCANNER-ENG-0013-DRAFT-SWIFTPM-COVERAGE [TODO] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:25)
+- SCANNER-ENG-0014 [BLOCKED] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:33)
+  - PREP-SCANNER-ENG-0014-NEEDS-JOINT-ROADMAP-WIT [TODO] (SPRINT_0138_0000_0001_scanner_ruby_parity.md:26)
+
+# SPRINT_0141_0001_0001_graph_indexer.md
+- GRAPH-INDEX-28-007 [BLOCKED] (SPRINT_0141_0001_0001_graph_indexer.md:28)
+  - PREP-GRAPH-INDEX-28-006-OVERLAYS [TODO] (SPRINT_0141_0001_0001_graph_indexer.md:24)
+- GRAPH-INDEX-28-008 [BLOCKED] (SPRINT_0141_0001_0001_graph_indexer.md:29)
+  - PREP-GRAPH-INDEX-28-008-UNBLOCK-AFTER-28-007 [TODO] (SPRINT_0141_0001_0001_graph_indexer.md:25)
+- GRAPH-INDEX-28-009 [BLOCKED] (SPRINT_0141_0001_0001_graph_indexer.md:30)
+  - PREP-GRAPH-INDEX-28-009-DOWNSTREAM-OF-28-008 [TODO] (SPRINT_0141_0001_0001_graph_indexer.md:26)
+- GRAPH-INDEX-28-010 [BLOCKED] (SPRINT_0141_0001_0001_graph_indexer.md:31)
+  - PREP-GRAPH-INDEX-28-010-NEEDS-OUTPUTS-FROM-28 [TODO] (SPRINT_0141_0001_0001_graph_indexer.md:27)
+
+# SPRINT_0156_0001_0002_scheduler_ii.md
+- SCHED-WORKER-26-202 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:24)
+  - SCHED-WORKER-26-201 [BLOCKED] (SPRINT_0155_0001_0001_scheduler_i.md:35)
+    - SCHED-WORKER-25-102 [BLOCKED] (SPRINT_0155_0001_0001_scheduler_i.md:34)
+      …
+- SCHED-WORKER-27-301 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:25)
+  - SCHED-WORKER-26-202 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:24)
+    - SCHED-WORKER-26-201 [BLOCKED] (SPRINT_0155_0001_0001_scheduler_i.md:35)
+      …
+- SCHED-WORKER-27-302 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:26)
+  - SCHED-WORKER-27-301 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:25)
+    - SCHED-WORKER-26-202 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:24)
+      …
+- SCHED-WORKER-27-303 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:27)
+  - SCHED-WORKER-27-302 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:26)
+    - SCHED-WORKER-27-301 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:25)
+      …
+- SCHED-WORKER-29-001 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:28)
+  - SCHED-WORKER-27-303 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:27)
+    - SCHED-WORKER-27-302 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:26)
+      …
+- SCHED-WORKER-29-002 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:29)
+  - SCHED-WORKER-29-001 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:28)
+    - SCHED-WORKER-27-303 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:27)
+      …
+- SCHED-WORKER-29-003 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:30)
+  - SCHED-WORKER-29-002 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:29)
+    - SCHED-WORKER-29-001 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:28)
+      …
+- SCHED-WORKER-CONSOLE-23-201 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:31)
+  - PREP-SCHED-WORKER-CONSOLE-23-201-BLOCKED-BY-U [TODO] (SPRINT_0156_0001_0002_scheduler_ii.md:22)
+- SCHED-WORKER-CONSOLE-23-202 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:32)
+  - SCHED-WORKER-CONSOLE-23-201 [BLOCKED] (SPRINT_0156_0001_0002_scheduler_ii.md:31)
+    - PREP-SCHED-WORKER-CONSOLE-23-201-BLOCKED-BY-U [TODO] (SPRINT_0156_0001_0002_scheduler_ii.md:22)
+
+# SPRINT_0160_0001_0001_export_evidence.md
+- 160.C TimelineIndexer snapshot [BLOCKED] (SPRINT_0160_0001_0001_export_evidence.md:32)
+  - TIMELINE-OBS-52-001 [TODO] (SPRINT_165_timelineindexer.md:10)
+
+# SPRINT_0161_0001_0001_evidencelocker.md
+- EVID-REPLAY-187-001 [TODO] (SPRINT_187_evidence_locker_cli_integration.md:9)
+- CLI-REPLAY-187-002 [TODO] (SPRINT_187_evidence_locker_cli_integration.md:10)
+- RUNBOOK-REPLAY-187-004 [TODO] (SPRINT_187_evidence_locker_cli_integration.md:12)
+
+# SPRINT_0163_0001_0001_exportcenter_ii.md
+- EXPORT-OAS-63-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:33)
+  - EXPORT-OAS-61-001 [BLOCKED] (SPRINT_0162_0001_0001_exportcenter_i.md:47)
+    - PREP-EXPORT-OAS-61-001-NEEDS-STABLE-EXPORT-SU [TODO] (SPRINT_0162_0001_0001_exportcenter_i.md:33)
+  - EXPORT-OAS-62-001 [BLOCKED] (SPRINT_0162_0001_0001_exportcenter_i.md:49)
+    - PREP-EXPORT-OAS-62-001-DEPENDS-ON-61-002 [TODO] (SPRINT_0162_0001_0001_exportcenter_i.md:35)
+- EXPORT-OBS-50-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:34)
+  - PREP-EXPORT-OBS-50-001-WAIT-FOR-EXPORTER-SERV [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:23)
+- EXPORT-OBS-51-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:35)
+  - EXPORT-OBS-50-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:34)
+    - PREP-EXPORT-OBS-50-001-WAIT-FOR-EXPORTER-SERV [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:23)
+- EXPORT-OBS-52-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:36)
+  - EXPORT-OBS-51-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:35)
+    - EXPORT-OBS-50-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:34)
+      …
+  - PREP-EXPORT-NOTIFY-SCHEMA-OBS-52 [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:30)
+- EXPORT-OBS-53-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:37)
+  - EXPORT-OBS-52-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:36)
+    - EXPORT-OBS-51-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:35)
+      …
+    - PREP-EXPORT-NOTIFY-SCHEMA-OBS-52 [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:30)
+- EXPORT-OBS-54-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:38)
+  - EXPORT-OBS-53-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:37)
+    - EXPORT-OBS-52-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:36)
+      …
+- EXPORT-OBS-54-002 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:39)
+  - EXPORT-OBS-54-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:38)
+    - EXPORT-OBS-53-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:37)
+      …
+  - PROV-OBS-53-003 [BLOCKED] (SPRINT_513_provenance.md:12)
+- EXPORT-OBS-55-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:40)
+  - EXPORT-OBS-54-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:38)
+    - EXPORT-OBS-53-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:37)
+      …
+- EXPORT-RISK-69-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:41)
+  - PREP-EXPORT-RISK-69-001-AWAIT-PHASE-I-ARTIFAC [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:24)
+- EXPORT-RISK-69-002 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:42)
+  - EXPORT-RISK-69-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:41)
+    - PREP-EXPORT-RISK-69-001-AWAIT-PHASE-I-ARTIFAC [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:24)
+- EXPORT-RISK-70-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:43)
+  - EXPORT-RISK-69-002 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:42)
+    - EXPORT-RISK-69-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:41)
+      …
+- EXPORT-SVC-35-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:44)
+  - PREP-EXPORT-SVC-35-001-NEEDS-PHASE-I-READINES [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:25)
+- EXPORT-SVC-35-002 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:45)
+  - PREP-EXPORT-SVC-35-002-DEPENDS-ON-35-001 [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:26)
+- EXPORT-SVC-35-003 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:46)
+  - PREP-EXPORT-SVC-35-003-DEPENDS-ON-35-002 [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:27)
+- EXPORT-SVC-35-004 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:47)
+  - PREP-EXPORT-SVC-35-004-DEPENDS-ON-35-003 [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:28)
+- EXPORT-SVC-35-005 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:48)
+  - PREP-EXPORT-SVC-35-005-DEPENDS-ON-35-004 [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:29)
+- EXPORT-CRYPTO-90-001 [BLOCKED] (SPRINT_0163_0001_0001_exportcenter_ii.md:49)
+  - PREP-EXPORT-CRYPTO-90-001-PENDING-NOV-18-CRYP [TODO] (SPRINT_0163_0001_0001_exportcenter_ii.md:31)
+
+# SPRINT_0171_0001_0001_notifier_i.md
+- NOTIFY-OBS-51-001 [TODO] (SPRINT_171_notifier_i.md:16)
+
+# SPRINT_0174_0001_0001_telemetry.md
+- TELEMETRY-OBS-50-002 [TODO] (SPRINT_174_telemetry.md:11)
+  - TELEMETRY-OBS-50-001 [**DOING (2025-11-12)**] (SPRINT_174_telemetry.md:10)
+- TELEMETRY-OBS-51-001 [TODO] (SPRINT_174_telemetry.md:12)
+  - TELEMETRY-OBS-50-002 [TODO] (SPRINT_174_telemetry.md:11)
+    - TELEMETRY-OBS-50-001 [**DOING (2025-11-12)**] (SPRINT_174_telemetry.md:10)
+- TELEMETRY-OBS-51-002 [TODO] (SPRINT_174_telemetry.md:13)
+  - TELEMETRY-OBS-51-001 [TODO] (SPRINT_174_telemetry.md:12)
+    - TELEMETRY-OBS-50-002 [TODO] (SPRINT_174_telemetry.md:11)
+      …
+- TELEMETRY-OBS-55-001 [TODO] (SPRINT_174_telemetry.md:14)
+  - TELEMETRY-OBS-51-002 [TODO] (SPRINT_174_telemetry.md:13)
+    - TELEMETRY-OBS-51-001 [TODO] (SPRINT_174_telemetry.md:12)
+      …
+- TELEMETRY-OBS-56-001 [TODO] (SPRINT_174_telemetry.md:15)
+  - TELEMETRY-OBS-55-001 [TODO] (SPRINT_174_telemetry.md:14)
+    - TELEMETRY-OBS-51-002 [TODO] (SPRINT_174_telemetry.md:13)
+      …
+
+# SPRINT_0215_0001_0001_web_iv.md
+- WEB-POLICY-23-001 [BLOCKED (2025-10-29)] (SPRINT_0215_0001_0001_web_iv.md:30)
+  - WEB-POLICY-20-004 [TODO] (SPRINT_0215_0001_0001_web_iv.md:29)
+    - WEB-POLICY-20-003 [TODO] (SPRINT_0215_0001_0001_web_iv.md:28)
+      …
+- WEB-POLICY-23-002 [BLOCKED (2025-10-29)] (SPRINT_0215_0001_0001_web_iv.md:31)
+  - WEB-POLICY-23-001 [BLOCKED (2025-10-29)] (SPRINT_0215_0001_0001_web_iv.md:30)
+    - WEB-POLICY-20-004 [TODO] (SPRINT_0215_0001_0001_web_iv.md:29)
+      …
+
+# SPRINT_0509_0001_0001_samples.md
+- SAMPLES-LNM-22-001 [BLOCKED] (SPRINT_0509_0001_0001_samples.md:26)
+  - PREP-SAMPLES-LNM-22-001-WAITING-ON-FINALIZED [TODO] (SPRINT_0509_0001_0001_samples.md:22)
+- SAMPLES-LNM-22-002 [BLOCKED] (SPRINT_0509_0001_0001_samples.md:27)
+  - PREP-SAMPLES-LNM-22-002-DEPENDS-ON-22-001-OUT [TODO] (SPRINT_0509_0001_0001_samples.md:23)
+
+# SPRINT_0512_0001_0001_bench.md
+- BENCH-GRAPH-21-001 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:28)
+  - PREP-BENCH-GRAPH-21-001-NEED-GRAPH-BENCH-HARN [TODO] (SPRINT_0512_0001_0001_bench.md:22)
+- BENCH-GRAPH-21-002 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:29)
+  - PREP-BENCH-GRAPH-21-002-BLOCKED-ON-21-001-HAR [TODO] (SPRINT_0512_0001_0001_bench.md:23)
+- BENCH-GRAPH-24-002 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:30)
+  - SAMPLES-GRAPH-24-003 [DOING] (SPRINT_0509_0001_0001_samples.md:24)
+- BENCH-IMPACT-16-001 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:31)
+  - PREP-BENCH-IMPACT-16-001-IMPACT-INDEX-DATASET [TODO] (SPRINT_0512_0001_0001_bench.md:24)
+- BENCH-POLICY-20-002 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:32)
+  - PREP-BENCH-POLICY-20-002-POLICY-DELTA-SAMPLE [TODO] (SPRINT_0512_0001_0001_bench.md:25)
+- BENCH-SIG-26-001 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:33)
+  - PREP-BENCH-SIG-26-001-REACHABILITY-SCHEMA-FIX [TODO] (SPRINT_0512_0001_0001_bench.md:26)
+- BENCH-SIG-26-002 [BLOCKED] (SPRINT_0512_0001_0001_bench.md:34)
+  - PREP-BENCH-SIG-26-002-BLOCKED-ON-26-001-OUTPU [TODO] (SPRINT_0512_0001_0001_bench.md:27)

docs/implplan/build-harness-110.md

@@ -0,0 +1,19 @@
+# Build Harness · Sprint 110
+
+## Goal
+Provide a repeatable runner profile for Concelier `/linksets` tests that avoids harness `workdir:` injection and preserves test DLLs for CI.
+
+## Script
+- `tools/linksets-ci.sh` (uses existing `tools/dotnet-filter.sh`)
+- Environment: `VSTEST_DISABLE_APPDOMAIN=1`, `DOTNET_CLI_UI_LANGUAGE=en`
+- Results: `out/test-results/linksets/linksets.trx`
+
+## Invocation
+```
+./tools/linksets-ci.sh
+```
+
+## Notes
+- Runs `--filter Linksets` on `StellaOps.Concelier.WebService.Tests.csproj` with `--no-build`; ensure a preceding `dotnet build` in CI to emit the test DLLs.
+- No `workdir:` arg is passed; `dotnet-filter.sh` strips any accidental injection.
+- Determinism: results directory fixed; AppDomain disabled to avoid flaky sourcing; logs in TRX for gating.

docs/modules/authority/fixtures/auth-ten-47-001.json

@@ -0,0 +1,15 @@
+{
+  "tenantId": "urn:tenant:00000000-0000-0000-0000-000000000000",
+  "issuer": "https://auth.stellaops.local",
+  "scopes": ["concelier.read", "concelier.linkset.write"],
+  "capabilities": {
+    "mergeAllowed": false,
+    "offlineAllowed": true
+  },
+  "attribution": {
+    "actor": "service:concelier-web",
+    "traceId": "00000000000000000000000000000000"
+  },
+  "issuedAt": "2025-11-19T00:00:00Z",
+  "expiresAt": "2025-11-20T00:00:00Z"
+}

docs/modules/authority/tenant-scope-47-001.md

@@ -0,0 +1,36 @@
+# AUTH-TEN-47-001 · Tenant Scope Contract (v1)
+
+Purpose: define tenant scoping fields and enforcement expectations so Concelier tasks (CONCELIER-TEN-48-001) can proceed without merging behavior.
+
+## Data contract
+- `tenantId` (string, required): immutable per request; canonical form `urn:tenant:{uuid}`.
+- `issuer` (string, required): authority instance issuing the token; aids audit.
+- `scopes` (array<string>, required): must include `concelier.read` or `concelier.linkset.read` for evidence fetch; `concelier.linkset.write` for backfill/ingest; `concelier.tenant.admin` for tenancy capabilities endpoint.
+- `capabilities` (object, optional):
+  - `mergeAllowed` (bool, default false): must remain false for Link-Not-Merge paths.
+  - `offlineAllowed` (bool, default true): governs offline bundle use.
+- `attribution` (object, optional):
+  - `actor` (string): subject or client-id.
+  - `traceId` (string): optional trace correlation.
+- `issuedAt` (string, ISO-8601 UTC), `expiresAt` (string, ISO-8601 UTC): required for enforcement.
+
+## Enforcement rules (Authority)
+- Tokens missing `tenantId` or `concelier.*` scopes are rejected with 403 and error code `auth/tenant-scope-missing`.
+- `mergeAllowed` must be evaluated server-side; clients cannot set true when Link-Not-Merge mode is active.
+- Refresh/rotation must preserve `tenantId`; changing tenant requires re-auth.
+
+## Fixtures
+- JSON fixture: `docs/modules/authority/fixtures/auth-ten-47-001.json` (included) shows a minimal token payload.
+- Determinism: field order canonicalized lexicographically for hashing; timestamps normalized to `Z`.
+
+## Actions for consumers (Concelier)
+- Validate `tenantId` present and stable across request and event emission.
+- Expose `/capabilities/tenant` endpoint echoing `tenantId`, scopes, and `mergeAllowed=false` when LNM is enabled.
+- Log `tenantId`, `actor`, and `traceId` on every linkset backfill or advisory read for audit.
+
+## Owners
+- Authority Guild (contract)
+- Concelier Core Guild (consumer)
+
+## Change control
+- Add-only evolution. New capabilities must default to the most restrictive value.

docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md

@@ -0,0 +1,29 @@
+# CLI Guardrail Artefacts (2025-11-19)
+
+## CLI-VULN-29-001 artefacts
+- Output bundle: `out/console/guardrails/cli-vuln-29-001/`
+- Files:
+  - `sample-vuln-output.ndjson` — sample `stella vuln scan` output (offline profile, two CVEs, includes provenance and summary).
+  - `sample-sbom-context.json` — SBOM context export referenced by DOCS-AIAI-31-005/006/008/009.
+  - `hashes.sha256` — SHA256 for all files in folder.
+- Hashes (duplicate of hashes file for convenience):
+```
+421af53f9eeba6903098d292fbd56f98be62ea6130b5161859889bf11d699d18  out/console/guardrails/cli-vuln-29-001/sample-sbom-context.json
+e5aecfba5cee8d412408fb449f12fa4d5bf0a7cb7e5b316b99da3b9019897186  out/console/guardrails/cli-vuln-29-001/sample-vuln-output.ndjson
+```
+
+## CLI-VEX-30-001 artefacts
+- Output bundle: `out/console/guardrails/cli-vex-30-001/`
+- Files:
+  - `sample-vex-output.ndjson` — sample `stella vex export` output with single not_affected statement.
+  - `sample-pagination-note.txt` — paging/limit note (default 500, max 2000; cursor via --page-token).
+  - `hashes.sha256` — SHA256 for all files in folder.
+- Hashes:
+```
+f450d914dfe5c8d80f773c1fd0113bbba921aca339316c6308f1c098199aef6b  out/console/guardrails/cli-vex-30-001/sample-pagination-note.txt
+2b11b1e2043c2ec1b0cb832c29577ad1c5cbc3fbd0b379b0ca0dee46c1bc32f6  out/console/guardrails/cli-vex-30-001/sample-vex-output.ndjson
+```
+
+## Notes
+- Samples are deterministic; generated timestamp `2025-11-19T00:00:00Z`.
+- Replace with live artefacts once CLI commands are executed against frozen datasets; keep paths/hashes updated here and in sprint logs.

docs/modules/concelier/bridges/vuln-29-001.md

@@ -0,0 +1,81 @@
+# CONCELIER-VULN-29-001 · Concelier ↔ Vuln Explorer bridge (contract v0.1)
+
+Purpose: unblock PREP-CONCELIER-VULN-29-001 by defining the request/response contract Concelier must expose for Vuln Explorer and VEX Lens to consume advisory evidence without merge semantics.
+
+## API shape (Concelier WebService)
+- Endpoint: `POST /v1/advisories/search`
+- Auth: tenant-scoped token (`concelier.read` scope) with `mergeAllowed=false`.
+- Request body:
+  ```json
+  {
+    "query": {
+      "advisory_keys": ["GHSA-xxxx-xxxx"],
+      "purls": ["pkg:maven/org.example/app@1.2.3"],
+      "component_hashes": ["sha256:..."],
+      "has_vex": true
+    },
+    "page": {
+      "size": 50,
+      "cursor": null
+    }
+  }
+  ```
+- Response body:
+  ```json
+  {
+    "results": [
+      {
+        "advisory_key": "GHSA-xxxx-xxxx",
+        "source": "ghsa",
+        "observations": [{
+          "id": "obs-123",
+          "purl": "pkg:maven/org.example/app@1.2.3",
+          "version_range": "[1.2.0,2.0.0)",
+          "status": "affected",
+          "published": "2025-11-01T00:00:00Z",
+          "fixed": null,
+          "provenance": {
+            "source": "ghsa",
+            "retrieved_at": "2025-11-18T12:00:00Z",
+            "hash": "sha256:..."
+          }
+        }],
+        "vex": [{
+          "statement_id": "st-001",
+          "status": "not_affected",
+          "justification": "component_not_present",
+          "impact_statement": "Library not shipped",
+          "provenance": {
+            "source": "vendor-vex",
+            "retrieved_at": "2025-11-18T12:00:00Z",
+            "hash": "sha256:..."
+          }
+        }]
+      }
+    ],
+    "page": {"cursor": "next-token", "size": 50}
+  }
+  ```
+
+## Determinism requirements
+- Sort observations by `purl`, then `published`, then `id`.
+- Sort VEX statements by `statement_id`.
+- Timestamps UTC ISO-8601 with `Z`.
+- Omit merge-derived fields; only surface source-provided values.
+
+## Fields Vuln Explorer expects
+- `advisory_key`, `source`, `observations[*].purl`, `observations[*].status`, `observations[*].provenance.hash`.
+- VEX fields: `status`, `justification`, `impact_statement`, `provenance.hash`.
+- Optional: `fix_version` when present; keep absent otherwise (no empty strings).
+
+## Test fixtures
+- Location: `docs/samples/console/console-vex-30-001.json` already includes VEX sample keyed by advisory; add Concelier response sample to `docs/samples/console/concelier-vuln-29-001.json` (to be generated alongside implementation).
+
+## Owners
+- Concelier WebService Guild (producer)
+- Vuln Explorer Guild / VEX Lens Guild (consumers)
+
+## Next actions to unblock work
+- Implement endpoint stub with deterministic ordering and fixture from above sample.
+- Hook to Link-Not-Merge storage (fact-only) once available.
+- Add contract reference to OAS (Sprint 0114 CONCELIER-OAS-61-001 depends on this).

docs/modules/concelier/feeds/icscisa-kisa-provenance.md

@@ -0,0 +1,7 @@
+# ICSCISA / KISA Feed Provenance Notes (2025-11-19)
+
+- Expected signing: not provided by sources; set `signature=null` and `skip_reason="unsigned"`.
+- Hashing: sha256 of raw advisory payload before normalization.
+- Transport: HTTPS; mirror to internal cache; record `fetched_at` UTC and `source_url`.
+- Verification: compare hash vs previous run; emit delta report.
+- Staleness guard: alert if `fetched_at` >14 days.

docs/modules/concelier/feeds/icscisa-kisa.md

@@ -0,0 +1,46 @@
+# ICSCISA / KISA Feed Remediation Plan (v0.1 · 2025-11-19)
+
+## Purpose
+Define a minimal, actionable plan to refresh overdue ICSCISA and KISA connectors, restore provenance freshness, and publish normalized payload fields for downstream Advisory AI and Concelier consumers.
+
+## Owners
+- Feed owners: Concelier Feed Guild
+- Product advisory liaison: Product Advisory Guild
+- Backup: Docs Guild
+
+## Scope & cadence
+- Feeds: ICSCISA, KISA (security advisories)
+- Refresh cadence: weekly pull; publish hashlist and timestamps per run
+- Staleness budget: <14 days; alert if exceeded
+
+## Deliverables (for PREP-FEEDCONN-ICS-KISA-PLAN)
+1) **Provenance refresh SOP**
+   - Mirror source URLs to internal cache
+   - Record `source_url`, `fetched_at` (UTC), `sha256`, `signature` (if present)
+   - Store run log under `out/feeds/icscisa-kisa/<YYYYMMDD>/fetch.log`
+2) **Normalized payload fields**
+   - `advisory_id`, `title`, `summary`, `published`, `updated`, `severity` (pass-through), `cvss` (if provided), `cwe`, `affected_products` (list), `references` (list of URL strings), `signature` (object or null)
+   - Preserve source values; no inference or merging
+3) **Backlog cleanup**
+   - Reprocess last 60 days; compare hash to prior ingests; flag changed advisories
+   - Emit delta report (`out/feeds/icscisa-kisa/<YYYYMMDD>/delta.json`): added/updated/removed ids, counts
+4) **Provenance note**
+   - Publish `docs/modules/concelier/feeds/icscisa-kisa-provenance.md` with current signing keys/fingerprints, expected headers, and fallback when signatures missing
+5) **Next review date**
+   - Set to 2025-12-03 (two-week check) and capture SIG verification status
+
+## Actions & timeline
+- T0 (2025-11-19): adopt SOP + field map; create delta report template
+- T0+2d (2025-11-21): run backlog reprocess, publish artefacts + hashes
+- T0+14d (2025-12-03): review staleness, adjust cadence if needed
+
+## Artefact locations
+- Normalized advisories: `out/feeds/icscisa-kisa/<YYYYMMDD>/advisories.ndjson`
+- Fetch log + hashes: `out/feeds/icscisa-kisa/<YYYYMMDD>/fetch.log`, `hashes.sha256`
+- Delta report: `out/feeds/icscisa-kisa/<YYYYMMDD>/delta.json`
+- Provenance note: `docs/modules/concelier/feeds/icscisa-kisa-provenance.md`
+
+## Risks & mitigations
+- Source downtime → mirror last good snapshot; retry daily for 3 days.
+- Missing signatures → record `signature=null`, log `skip_reason` in provenance note; do not infer validity.
+- Schema drift → treat as new fields, store raw, add to field map after review (no drop).

docs/modules/concelier/operations/cache.md

@@ -0,0 +1,40 @@
+# Concelier Advisory Chunk Cache
+
+Status: draft · aligned with LNM v1 (frozen 2025-11-17)
+
+## Purpose
+- Reduce repeated `/advisories/{key}/chunks` rebuilds while preserving determinism and provenance integrity.
+- Provide consoles and debugging tools with transparent cache provenance (key material and TTL) to keep evidence chains auditable.
+
+## Cache key (deterministic)
+- Inputs (pipe-delimited, all lower-case where applicable):
+  - `tenant`
+  - `advisoryKey`
+  - `chunkLimit`
+  - `observationLimit`
+  - `minimumLength`
+  - `sectionFilter` (sorted, case-insensitive)
+  - `formatFilter` (sorted, case-insensitive)
+  - advisory fingerprint (hash of canonical advisory)
+  - ordered observations: each `observationId@contentHash@createdAtTicks@format`
+- Implementation: `AdvisoryChunkCacheKey.Create` (WebService). Normalized ordering ensures replayability across nodes.
+- External disclosure: headers expose a hashed cache key (see below) rather than the full raw key.
+
+## Response transparency headers
+- `X-Stella-Cache-Key`: SHA-256 hex of the cache key (default 16 chars) for tamper-evident correlation.
+- `X-Stella-Cache-Hit`: `1` on hit, `0` on miss.
+- `X-Stella-Cache-Ttl`: configured TTL in seconds (0 when caching disabled).
+- Consumers may log these headers; do **not** treat them as stable API contract for filtering.
+
+## Determinism & safety
+- No PII in keys or headers; key inputs are tenant/advisory identifiers already present in requests.
+- Timestamps use UTC ticks; content hashes retain upstream digest prefix (e.g., `sha256:`) to distinguish sources.
+- Cache TTL defaults to 0 (disabled) unless configured; safe for offline/air-gapped deployments.
+
+## Testing notes
+- Unit coverage: `AdvisoryChunkCacheKeyTests` (ordering, filter casing) and `AdvisoryChunkBuilderTests` (observationPath pointers influence chunk IDs).
+- Integration tests should assert headers when cache is enabled; disable cache for tests that assert body-only determinism.
+
+## TODOs / follow-ups
+- Add integration test that exercises a cache hit path and validates transparency headers.
+- Document cache configuration knobs in `appsettings.*` once finalized.

docs/modules/evidence-locker/attestation-scope-note.md

@@ -0,0 +1,37 @@
+# Evidence Locker Attestation Scope Note (v1) — 2025-11-19
+
+## Scope & Coverage
+- Predicates: `in-toto Provenance` (DSSE-wrapped) with claims for bundle inputs, normalization pipeline version, tenant scope, and content hashes; optional `Rekor` transparency pointer when online.
+- Artefacts covered: Evidence Bundle v1 payloads (observations, linksets, normalization diffs) and mirror bundle manifest hash when present.
+- Tenancy: tenant-id is lowercased, required, and included in subject, claims, and DSSE `_type` to keep air-gap parity.
+- Transparency: if Rekor unavailable (air-gap), include `transparency.skip_reason` = `offline` and signed local timeline anchor.
+
+## Required claims (PromotionAttestationBuilder input)
+- `subject.digest` (sha256 of bundle tar) and `subject.name` (bundle_id).
+- `bundle.created` (UTC RFC3339) and `bundle.version` (semantic).
+- `pipeline.version` (build ID or git SHA) and `pipeline.inputs` (hashes of observation/linkset payloads).
+- `tenant` (lowercase) and `scope` (advisory | vex | policy | mixed).
+- `evidence_bundle` (path/doi) and `transparency` (rekor UUID or skip reason).
+- `aoc.guardrails` (boolean) and `aoc.details` (list of enforced checks).
+
+## Example builder payload
+```json
+{
+  "subject": {"name": "evidence-bundle-m0", "digest": "sha256:REPLACE"},
+  "bundle": {"id": "evidence-bundle-m0", "version": "1.0.0", "created": "2025-11-19T00:00:00Z"},
+  "pipeline": {"version": "git:abcd1234", "inputs": ["sha256:payload-hash-1", "sha256:payload-hash-2"]},
+  "tenant": "demo",
+  "scope": "vex",
+  "evidence_bundle": "out/evidence/bundles/evidence-bundle-m0.tar.gz",
+  "transparency": {"rekor_uuid": null, "skip_reason": "offline"},
+  "aoc": {"guardrails": true, "details": ["schema:frozen:1.0", "limits:chunk:max=2000"]}
+}
+```
+
+## Placement
+- File: `docs/modules/evidence-locker/attestation-scope-note.md` (this document).
+- Reference in Evidence Bundle changelog and sprint `Execution Log` when updated.
+
+## Next steps
+- Swap placeholder digest values with real bundle hash after MIRROR-CRT-56-001 emits artefact.
+- Attach this note to Concelier/Excititor attestation tasks (CONCELIER-ATTEST-73-001/002, EXCITITOR-ATTEST-73-001/002).

docs/modules/evidence-locker/evidence-bundle-v1.md

@@ -0,0 +1,57 @@
+# Evidence Bundle v1 Contract (2025-11-19)
+
+## Scope
+Frozen contract for Evidence Bundle v1 covering AdvisoryAI/Concelier/Excititor evidence exports used by air-gap and attestation flows.
+
+## Artefact layout
+- Tarball name: `evidence-bundle-<id>.tar.gz`
+- Manifest (required): `manifest.json`
+- Payloads (required): `observations.ndjson`, `linksets.ndjson`
+- Optional: `timeline.ndjson` (time anchors), `transparency.json` (Rekor UUID or skip_reason)
+- Hash list: `hashes.sha256` (sha256 of each file)
+
+### manifest.json fields
+```json
+{
+  "bundle_id": "evidence-bundle-m0",
+  "version": "1.0.0",
+  "created": "2025-11-19T00:00:00Z",
+  "tenant": "demo",
+  "scope": "vex",
+  "inputs": ["sha256:payload-obs", "sha256:payload-linksets"],
+  "aoc": {"guardrails": true, "details": ["schema:frozen:1.0", "limits:chunk:max=2000"]}
+}
+```
+
+### observations.ndjson (sample record)
+```json
+{"observationId":"obs-ossl-001","advisoryId":"CVE-2024-1234","component":"pkg:deb/openssl@1.1.1w","source":"nvd","fetchedAt":"2025-11-18T12:00:00Z"}
+```
+
+### linksets.ndjson (sample record)
+```json
+{"linksetId":"lnm-ossl-001","advisoryId":"CVE-2024-1234","components":["pkg:deb/openssl@1.1.1w"],"normalized":true,"createdAt":"2025-11-18T12:05:00Z"}
+```
+
+### transparency.json (optional)
+```json
+{"rekor_uuid": null, "skip_reason": "offline"}
+```
+
+## Determinism rules
+- All timestamps must be UTC RFC3339.
+- Ordering: sort NDJSON by `advisoryId`, then `component`, ascending.
+- Hashes: compute sha256 on raw file bytes; record in `hashes.sha256` and in manifest `inputs`.
+- Tenant must be lowercase; include in manifest and any attestation subject claims.
+
+## Example bundle (sample)
+- Path: `docs/samples/evidence-bundle/evidence-bundle-m0.tar.gz`
+- SHA256: `$(cat docs/samples/evidence-bundle/evidence-bundle-m0.tar.gz.sha256 | awk '{print $1}')`
+- Contains sample manifest/observations/linksets/transparency per above.
+
+## Attestation linkage
+- See `attestation-scope-note.md` for required claims.
+- Subject digest should reference the tarball sha256; include `bundle_id` and `tenant`.
+
+## Change log
+- 2025-11-19: v1 frozen (initial publication). Add real sample tarball + hashes once produced.

docs/modules/excititor/evidence-contract.md

@@ -85,5 +85,8 @@ This note defines the deterministic, aggregation-only contract that Excititor ex
 - When mirror bundles are configured, `provenance.canonicalUri` points to the local bundle path; otherwise it is omitted.
 - All payloads are side-effect free; no remote fetches occur while streaming.
 
+## Samples
+- NDJSON sample: `docs/samples/excititor/chunks-sample.ndjson` (hashes in `.sha256`) aligned to the schema above.
+
 ## Versioning
 - Contract version: `v1` (this document). Changes must be additive; breaking changes require `v2` path and updated doc.

docs/modules/excititor/vex_linksets_api.md

@@ -0,0 +1,104 @@
+# Excititor VEX linkset APIs (observations + linksets)
+
+> Draft examples for Sprint 119 (EXCITITOR-LNM-21-203). Aligns with WebService endpoints implemented in `src/Excititor/StellaOps.Excititor.WebService/Program.cs`.
+
+## /v1/vex/observations
+
+### List
+```
+GET /v1/vex/observations?vulnerabilityId=CVE-2024-0001&productKey=pkg:maven/org.demo/app@1.2.3&providerId=ubuntu-csaf&status=affected&limit=2
+Headers:
+  Authorization: Bearer <token>
+  X-Tenant: default
+Response 200 (application/json):
+{
+  "items": [
+    {
+      "tenant": "default",
+      "observationId": "vex:obs:sha256:...",
+      "providerId": "ubuntu-csaf",
+      "document": {
+        "digest": "sha256:...",
+        "uri": "https://example.com/csaf/1.json",
+        "signature": null
+      },
+      "scope": {
+        "vulnerabilityId": "CVE-2024-0001",
+        "productKey": "pkg:maven/org.demo/app@1.2.3"
+      },
+      "statements": [
+        {
+          "vulnerabilityId": "CVE-2024-0001",
+          "productKey": "pkg:maven/org.demo/app@1.2.3",
+          "status": "affected",
+          "justification": {
+            "type": "component_not_present",
+            "reason": "Not shipped in base profile"
+          },
+          "signals": { "severity": { "score": 7.5 } },
+          "provenance": {
+            "providerId": "ubuntu-csaf",
+            "sourceId": "USN-9999-1",
+            "fieldMasks": ["statements"]
+          }
+        }
+      ],
+      "linkset": {
+        "aliases": ["USN-9999-1"],
+        "purls": ["pkg:maven/org.demo/app"],
+        "cpes": [],
+        "references": [{"type": "advisory", "url": "https://..."}],
+        "disagreements": []
+      },
+      "createdAt": "2025-11-18T12:34:56Z"
+    }
+  ],
+  "nextCursor": "eyJ2dWxuZXJhYmlsaXR5SWQiOiJDVkUtMjAyNC0wMDAxIiwiY3JlYXRlZEF0IjoiMjAyNS0xMS0xOFQxMjozNDo1NloifQ=="
+}
+```
+
+### Get by key
+```
+GET /v1/vex/observations/CVE-2024-0001/pkg:maven/org.demo/app@1.2.3
+Headers: Authorization + X-Tenant
+Response 200: same projection shape as list items (single object).
+```
+
+## /v1/vex/linksets
+```
+GET /v1/vex/linksets?vulnerabilityId=CVE-2024-0001&productKey=pkg:maven/org.demo/app@1.2.3&status=affected&limit=2
+Headers: Authorization + X-Tenant
+Response 200:
+{
+  "items": [
+    {
+      "linksetId": "CVE-2024-0001:pkg:maven/org.demo/app@1.2.3",
+      "tenant": "default",
+      "vulnerabilityId": "CVE-2024-0001",
+      "productKey": "pkg:maven/org.demo/app@1.2.3",
+      "providers": ["ubuntu-csaf", "suse-csaf"],
+      "statuses": ["affected", "fixed"],
+      "aliases": ["USN-9999-1"],
+      "purls": ["pkg:maven/org.demo/app"],
+      "cpes": [],
+      "references": [{"type": "advisory", "url": "https://..."}],
+      "disagreements": [{"providerId": "suse-csaf", "status": "fixed", "justification": null, "confidence": null}],
+      "observations": [
+        {"observationId": "vex:obs:...", "providerId": "ubuntu-csaf", "status": "affected", "severity": 7.5},
+        {"observationId": "vex:obs:...", "providerId": "suse-csaf", "status": "fixed", "severity": null}
+      ],
+      "createdAt": "2025-11-18T12:34:56Z"
+    }
+  ],
+  "nextCursor": null
+}
+```
+
+## Notes
+- Pagination: `limit` (default 200, max 500) + `cursor` (opaque base64 of `vulnerabilityId` + `createdAt`).
+- Filters: `vulnerabilityId`, `productKey`, `providerId`, `status`; multiple query values allowed.
+- Headers: `Excititor-Results-Count`, `Excititor-Results-Cursor` (observations) and `Excititor-Results-Total` / `Excititor-Results-Truncated` (chunks) already implemented.
+- Determinism: responses sorted by `vulnerabilityId`, then `productKey`; arrays sorted lexicographically.
+
+## SDK generation
+- Use this file plus `vex_observations.md` as the source of truth for SDK examples in EXCITITOR-LNM-21-203.

docs/modules/mirror/milestone-0-thin-bundle.md

@@ -0,0 +1,30 @@
+# Mirror Thin Bundle · Milestone 0 (sample)
+
+## Scope
+- Provide a deterministic placeholder thin bundle so downstream air-gap/console/attestation tracks can wire references while MIRROR-CRT-56-001 code lands.
+- Sample bundle published at `out/mirror/thin/mirror-thin-m0-sample.tar.gz` (created 2025-11-19 UTC) with fixed metadata only; no advisories/policies/images included.
+
+## Owners
+- Primary: Alex Kim
+- Backup: Priya Desai
+
+## Artefacts
+- Bundle: `out/mirror/thin/mirror-thin-m0-sample.tar.gz`
+- SHA256: `bd1013885a27f651e28331c7a240d417d265bd411d09b51b47bd7c2196659674`
+- Manifest inside bundle: `sample-m0/manifest.json`
+- Notes: `sample-m0/README.txt`
+
+## Layout (within tar.gz)
+```
+sample-m0/
+  manifest.json   # version, bundle_id, created, notes
+  README.txt      # purpose, determinism and replacement guidance
+```
+
+## Refresh cadence
+- Replace this sample with real thin bundle once MIRROR-CRT-56-001 assembler emits manifests (target: 2025-11-20).
+- Maintain same path prefix `out/mirror/thin/` and update hash in this file and sprint log when refreshed.
+
+## Usage
+- Downstream tasks may reference this path/hash to unblock contract wiring and CI harnesses.
+- Do not ship to customers; for internal wiring/tests only.

docs/modules/mirror/thin-bundle-assembler.md

@@ -0,0 +1,34 @@
+# MIRROR-CRT-56-001 · Thin bundle assembler handoff (v0.1)
+
+Purpose: unblock MIRROR-CRT-56-001 by defining expected assembler outputs so the real thin bundle can replace the milestone-0 sample.
+
+## Expected outputs
+- Artifact: `out/mirror/thin/mirror-thin-v1.tar.gz`
+- Manifest: `out/mirror/thin/mirror-thin-v1.manifest.json` containing:
+  - `version`: "1.0.0"
+  - `created`: UTC ISO-8601
+  - `layers`: array of `{ digest, size, path }`
+  - `indexes`: array of `{ name, digest }` for evidence/linkset indexes
+  - `hashes`: `{ tarball_sha256, manifest_sha256 }`
+- Checksums: `.sha256` files for tarball and manifest stored alongside artifacts.
+
+## Assembly steps (reference for assembler owners)
+1) Produce layer tar parts deterministically (sorted entries, zeroed mtimes/uid/gid, pax headers disabled).
+2) Compose `mirror-thin-v1.tar.gz` using stable order: `manifest.json`, `layers/*`, `indexes/*`.
+3) Generate manifest JSON and compute SHA256 for both tarball and manifest; write `.sha256` files.
+4) Sign manifest (DSSE optional) and place signature next to manifest if available.
+
+## Determinism requirements
+- POSIX tar with numeric owner 0:0, mtime 0, sorted paths.
+- Gzip with `--no-name` and fixed timestamp 0.
+- No duplicate files; symlinks forbidden.
+
+## Evidence
+- When produced, place artefacts under `out/mirror/thin/` and add hashes to this doc.
+
+## Owners
+- Mirror Creator Guild (assembler)
+- AirGap Guild (consumer)
+
+## Status
+- Handoff doc published 2025-11-19; awaiting assembler output to replace milestone-0 sample.

docs/notifications/slo-webhook-schema.md

@@ -0,0 +1,86 @@
+# Notifier Telemetry SLO Webhook Schema (1.0.0)
+
+Purpose: define the payload emitted by Telemetry SLO evaluators toward Notifier so that NOTIFY-OBS-51-001 can consume alerts deterministically (online and offline).
+
+## Delivery contract
+- Content-Type: `application/json`
+- Encoding: UTF-8
+- Authentication: mTLS (service identity) or DPoP/JWT with `aud` = `notifier` and `scope` = `obs:slo:ingest`.
+- Determinism: timestamps are UTC ISO-8601 with `Z`; field order stable for hashing (see canonical JSON below).
+
+## Payload fields
+```
+{
+  "id": "uuid",
+  "tenant": "string",            // required; aligns with orchestrator/telemetry tenant id
+  "service": "string",           // logical service name
+  "host": "string",              // optional; k8s node/hostname
+  "slo": {
+    "name": "string",           // human-readable
+    "id": "string",             // immutable key used for dedupe
+    "objective": {
+      "window": "PT5M",         // ISO-8601 duration
+      "target": 0.995             // decimal between 0 and 1
+    }
+  },
+  "metric": {
+    "type": "latency|error|availability|custom",
+    "value": 0.0123,             // double; units depend on type
+    "unit": "seconds|ratio|percent|count",
+    "labels": {                  // sanitized, deterministic ordering when serialized
+      "endpoint": "/api/jobs",
+      "method": "GET"
+    }
+  },
+  "window": {
+    "start": "2025-11-19T12:00:00Z",
+    "end": "2025-11-19T12:05:00Z"
+  },
+  "breach": {
+    "state": "breaching|warning|ok",
+    "reason": "p95 latency above objective",
+    "evidence": [
+      {
+        "type": "timeseries",
+        "href": "cas://telemetry/series/abc123",
+        "hash": "sha256:..."
+      }
+    ]
+  },
+  "quietHours": {
+    "active": false,
+    "policyId": null
+  },
+  "trace": {
+    "trace_id": "optional-trace-id",
+    "span_id": "optional-span-id"
+  },
+  "version": "1.0.0",
+  "issued_at": "2025-11-19T12:05:07Z"
+}
+```
+
+### Canonical JSON rules
+- Sort object keys lexicographically before hashing/signing.
+- Use lowercase for enum-like fields shown above.
+- `version` is required for evolution; new fields must be add-only.
+
+### Retry and idempotency
+- `id` is the idempotency key; Notifier treats duplicates as no-op.
+- Producers retry with exponential backoff up to 10 minutes; consumers respond 2xx only after persistence.
+
+### Validation checklist (for tests/CI)
+- Required fields: id, tenant, service, slo.id, slo.objective.window, slo.objective.target, metric.type, metric.value, window.start/end, breach.state, version, issued_at.
+- Timestamps parse with `DateTimeStyles.RoundtripKind`.
+- When `breach.state=ok`, `breach.reason` may be null but object must exist.
+- `quietHours.active=true` must include `policyId`.
+
+### Sample canonical JSON (minified)
+```
+{"breach":{"evidence":[],"reason":"p99 latency above objective","state":"breaching"},"host":"orchestrator-0","id":"8c1d58c4-b1de-4b3c-9c7b-40a6b0f8d4c1","issued_at":"2025-11-19T12:05:07Z","metric":{"labels":{"endpoint":"/api/jobs","method":"GET"},"type":"latency","unit":"seconds","value":1.234},"quietHours":{"active":false,"policyId":null},"service":"orchestrator","slo":{"id":"orch-api-latency-p99","name":"Orchestrator API p99","objective":{"target":0.99,"window":"PT5M"}},"tenant":"default","trace":{"span_id":null,"trace_id":null},"version":"1.0.0","window":{"end":"2025-11-19T12:05:00Z","start":"2025-11-19T12:00:00Z"}}
+```
+
+### Evidence to surface in sprint tasks
+- File: `docs/notifications/slo-webhook-schema.md` (this document).
+- Sample payload (canonical) and validation checklist above.
+- Dependencies: upstream Telemetry evaluator must emit `metric.labels` sanitized; Notifier to persist `id` for idempotency.