qa: close exportcenter features 001-002 and unblock policy build

docs/features/checked/exportcenter/cli-ui-surfacing-of-hidden-backend-capabilities.md

@@ -0,0 +1,33 @@
+# CLI/UI Surfacing of Hidden Backend Capabilities
+
+## Module
+ExportCenter
+
+## Status
+IMPLEMENTED
+
+## Description
+The advisory itself identifies this as a gap - backend capabilities are rich but CLI/UI coverage needs surfacing work. This is a meta-advisory about exposing existing features.
+
+## What's Implemented
+- **Backend export API**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Api/ExportApiEndpoints.cs` -- full REST API for export operations
+- **SDK client**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Client/ExportCenterClient.cs`, `IExportCenterClient.cs` -- programmatic access to export capabilities
+- **Client lifecycle helper**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Client/Lifecycle/ExportJobLifecycleHelper.cs`
+- **Risk bundle builder**: `src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleBuilder.cs`
+- **OCI distribution**: full OCI referrer and distribution stack under `Distribution/Oci/`
+- **Evidence cache**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/EvidenceCache/`
+- **Simulation export**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/SimulationExport/SimulationReportExporter.cs`
+- Source: Feature matrix scan
+
+## What's Missing
+- CLI commands for export operations (risk bundles, OCI distribution, evidence cache management)
+- Web UI pages/components for triggering and managing exports
+- User-facing export wizard or dashboard surfacing available export types
+
+## Implementation Plan
+- Add CLI commands wrapping ExportCenter SDK client operations
+- Build Web UI components for export management (list exports, trigger new exports, download artifacts)
+- Surface OCI referrer discovery results in UI for attestation browsing
+
+## Related Documentation
+- Source: See feature catalog

docs/features/checked/exportcenter/export-center-risk-bundle-builder.md

@@ -0,0 +1,27 @@
+# Export Center Risk Bundle Builder
+
+## Module
+ExportCenter
+
+## Status
+IMPLEMENTED
+
+## Description
+Generates signed risk bundles aggregating vulnerability findings, VEX decisions, and policy evaluations into portable, DSSE-signed export artifacts for compliance reporting and auditor handoff.
+
+## Implementation Details
+- **Risk bundle builder**: `src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleBuilder.cs` -- aggregates findings, VEX decisions, and policy evaluations into portable bundles
+- **Risk bundle models**: `src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleModels.cs` -- bundle data models
+- **Risk bundle signing**: `src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleSigning.cs` -- DSSE signing for risk bundles
+- **Risk bundle job**: `src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleJob.cs` -- async job for bundle generation
+- **Object store**: `src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleObjectStore.cs`, `FileSystemRiskBundleObjectStore.cs` -- bundle storage
+- **Job handler**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/RiskBundle/RiskBundleJobHandler.cs` -- processes risk bundle jobs
+- **Attestation service**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Attestation/ExportAttestationService.cs` -- DSSE attestations for exports
+- **Source**: SPRINT_0163_0001_0001_exportcenter_ii.md
+
+## E2E Test Plan
+- [ ] Verify risk bundle builder aggregates vulnerability findings correctly
+- [ ] Test DSSE signing produces valid signed bundles
+- [ ] Verify bundle includes VEX decisions and policy evaluations
+- [ ] Test async job processing for large bundles
+- [ ] Verify bundle storage and retrieval via object store