Implement InMemory Transport Layer for StellaOps Router

- Added InMemoryTransportOptions class for configuration settings including timeouts and latency. - Developed InMemoryTransportServer class to handle connections, frame processing, and event management. - Created ServiceCollectionExtensions for easy registration of InMemory transport services. - Established project structure and dependencies for InMemory transport library. - Implemented comprehensive unit tests for endpoint discovery, connection management, request/response flow, and streaming capabilities. - Ensured proper handling of cancellation, heartbeat, and hello frames within the transport layer.
2025-12-05 01:00:10 +02:00
parent 8768c27f30
commit 175b750e29
111 changed files with 25407 additions and 19242 deletions
--- a/docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md
+++ b/docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md
@@ -32,9 +32,9 @@
 | 2 | 140.B SBOM Service wave | DOING (2025-11-28) | Sprint 0142 mostly complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002 all DONE. Only SBOM-CONSOLE-23-001/002 remain BLOCKED. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
 | 3 | 140.C Signals wave | DOING (2025-11-28) | Sprint 0143: SIGNALS-24-001/002/003 DONE; SIGNALS-24-004/005 remain BLOCKED on CAS promotion. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
 | 4 | 140.D Zastava wave | DONE (2025-11-28) | Sprint 0144 (Zastava Runtime Signals) complete: all ZASTAVA-ENV/SECRETS/SURFACE tasks DONE. | Zastava Observer/Webhook Guilds · Surface Guild | Prepare env/secret helpers and admission hooks; start once cache endpoints and helpers are published. |
-| 5 | DECAY-GAPS-140-005 | BLOCKED (2025-12-02) | cosign available (v3.0.2 system, v2.6.0 fallback) but signing key not present on host; need signer key from Alice Carter (supply as COSIGN_PRIVATE_KEY_B64 or `tools/cosign/cosign.key`) before 2025-12-05. Rechecked 2025-12-04: key still absent. | Signals Guild · Product Mgmt | Address decay gaps U1–U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
-| 6 | UNKNOWN-GAPS-140-006 | BLOCKED (2025-12-02) | cosign available but signing key not present; need COSIGN_PRIVATE_KEY_B64 (or `tools/cosign/cosign.key`) before 2025-12-05 to sign unknowns scoring manifest. Rechecked 2025-12-04: key still absent. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1–UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
-| 7 | UNKNOWN-HEUR-GAPS-140-007 | BLOCKED (2025-12-02) | cosign available but signing key not present; need COSIGN_PRIVATE_KEY_B64 (or `tools/cosign/cosign.key`) before 2025-12-05 for heuristic catalog/schema + fixtures. Rechecked 2025-12-04: key still absent. | Signals Guild · Policy Guild · Product Mgmt | Remediate UT1–UT10: publish signed heuristic catalog/schema with deterministic scoring formula, quality bands, waiver policy with DSSE, SLA coupling, offline kit packaging, observability/alerts, backfill plan, explainability UX fields/exports, and fixtures with golden outputs. |
+| 5 | DECAY-GAPS-140-005 | READY-FOR-CI (2025-12-04) | Documentation complete (U1–U10); CI workflow `.gitea/workflows/signals-dsse-sign.yml` ready; dev key verified. **Action**: Add `COSIGN_PRIVATE_KEY_B64` secret to Gitea, then run workflow or manual dispatch. | Signals Guild · Product Mgmt | Address decay gaps U1–U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
+| 6 | UNKNOWN-GAPS-140-006 | READY-FOR-CI (2025-12-04) | Documentation complete (UN1–UN10); CI workflow ready; dev key verified. **Action**: Add `COSIGN_PRIVATE_KEY_B64` secret to Gitea, then run workflow. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1–UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
+| 7 | UNKNOWN-HEUR-GAPS-140-007 | READY-FOR-CI (2025-12-04) | Documentation complete (UT1–UT10); fixtures + golden outputs staged; CI workflow ready; dev key verified. **Action**: Add `COSIGN_PRIVATE_KEY_B64` secret to Gitea, then run workflow. | Signals Guild · Policy Guild · Product Mgmt | Remediate UT1–UT10: publish signed heuristic catalog/schema with deterministic scoring formula, quality bands, waiver policy with DSSE, SLA coupling, offline kit packaging, observability/alerts, backfill plan, explainability UX fields/exports, and fixtures with golden outputs. |
 | 9 | COSIGN-INSTALL-140 | DONE (2025-12-02) | cosign v3.0.2 installed at `/usr/local/bin/cosign`; repo fallback v2.6.0 staged under `tools/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). | Platform / Build Guild | Deliver cosign binary locally (no network dependency at signing time) or alternate signer; document path and version in Execution Log. |
 | 8 | SIGNER-ASSIGN-140 | DONE (2025-12-02) | Signer designated: Signals Guild (Alice Carter); DSSE signing checkpoint remains 2025-12-05. | Signals Guild · Policy Guild | Name signer(s), record in Execution Log, and proceed to DSSE signing + Evidence Locker ingest. |

--- a/docs/implplan/SPRINT_0201_0001_0001_cli_i.md
+++ b/docs/implplan/SPRINT_0201_0001_0001_cli_i.md
@@ -28,12 +28,12 @@
 | 4 | CLI-AIAI-31-002 | DONE (2025-11-24) | Depends on CLI-AIAI-31-001 | DevEx/CLI Guild | Implement `stella advise explain` showing conflict narrative and structured rationale. |
 | 5 | CLI-AIAI-31-003 | DONE (2025-11-24) | Depends on CLI-AIAI-31-002 | DevEx/CLI Guild | Implement `stella advise remediate` generating remediation plans with `--strategy` filters and file output. |
 | 6 | CLI-AIAI-31-004 | DONE (2025-11-24) | Depends on CLI-AIAI-31-003 | DevEx/CLI Guild | Implemented `stella advise batch` (multi-key) with per-key outputs + summary table; covered by `HandleAdviseBatchAsync_RunsAllAdvisories` test. |
-| 7 | CLI-AIRGAP-56-001 | BLOCKED (2025-11-22) | Mirror bundle contract/spec not available in CLI scope | DevEx/CLI Guild | Implement `stella mirror create` for air-gap bootstrap. |
-| 8 | CLI-AIRGAP-56-002 | BLOCKED (2025-11-27) | Depends on CLI-AIRGAP-56-001 (mirror bundle contract missing) | DevEx/CLI Guild | Ensure telemetry propagation under sealed mode (no remote exporters) while preserving correlation IDs; add label `AirGapped-Phase-1`. |
+| 7 | CLI-AIRGAP-56-001 | DONE (2025-12-04) | Implemented `stella mirror create` using `docs/schemas/mirror-bundle.schema.json`; models in `MirrorBundleModels.cs`; tested with VEX domain. | DevEx/CLI Guild | Implement `stella mirror create` for air-gap bootstrap. |
+| 8 | CLI-AIRGAP-56-002 | TODO | 56-001 complete; proceed with sealed mode telemetry. | DevEx/CLI Guild | Ensure telemetry propagation under sealed mode (no remote exporters) while preserving correlation IDs; add label `AirGapped-Phase-1`. |
 | 9 | CLI-AIRGAP-57-001 | BLOCKED (2025-11-27) | Depends on CLI-AIRGAP-56-002 (mirror bundle contract missing) | DevEx/CLI Guild | Add `stella airgap import` with diff preview, bundle scope selection (`--tenant`, `--global`), audit logging, and progress reporting. |
 | 10 | CLI-AIRGAP-57-002 | BLOCKED | Depends on CLI-AIRGAP-57-001 | DevEx/CLI Guild | Provide `stella airgap seal` helper. Blocked: upstream 57-001. |
 | 11 | CLI-AIRGAP-58-001 | BLOCKED | Depends on CLI-AIRGAP-57-002 | DevEx/CLI Guild · Evidence Locker Guild | Implement `stella airgap export evidence` helper for portable evidence packages, including checksum manifest and verification. Blocked: upstream 57-002. |
-| 12 | CLI-ATTEST-73-001 | BLOCKED (2025-11-22) | CLI build currently fails on Scanner analyzer projects; attestor SDK transport contract not wired into CLI yet | CLI Attestor Guild | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. |
+| 12 | CLI-ATTEST-73-001 | TODO | CLI build fixed (2025-12-04); attestor SDK transport schema available at `docs/schemas/attestor-transport.schema.json`; ready to implement. | CLI Attestor Guild | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. |
 | 13 | CLI-ATTEST-73-002 | BLOCKED | Depends on CLI-ATTEST-73-001 | CLI Attestor Guild | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. Blocked: upstream 73-001 contract. |
 | 14 | CLI-ATTEST-74-001 | BLOCKED | Depends on CLI-ATTEST-73-002 | CLI Attestor Guild | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. Blocked: upstream 73-002. |
 | 15 | CLI-ATTEST-74-002 | BLOCKED | Depends on CLI-ATTEST-74-001 | CLI Attestor Guild | Implement `stella attest fetch` to download envelopes and payloads to disk. Blocked: upstream 74-001. |
@@ -66,8 +66,8 @@
 - `CLI-HK-201-002` remains blocked pending offline kit status contract and sample bundle.
 - Adjacent CLI sprints (0202–0205) still use legacy filenames; not retouched in this pass.
 - `CLI-AIAI-31-001/002/003` delivered; CLI advisory verbs (summarize/explain/remediate) now render to console and file with citations; no build blockers remain in this track.
- `CLI-AIRGAP-56-001` blocked: mirror bundle contract/spec not published to CLI; cannot implement `stella mirror create` without bundle schema and signing/digest requirements.
- `CLI-ATTEST-73-001` blocked: attestor SDK/transport contract not available to wire `stella attest sign`; build is unblocked but contract is still missing.
+- ~~`CLI-AIRGAP-56-001` blocked: mirror bundle contract/spec not published to CLI~~ **RESOLVED 2025-12-04**: `stella mirror create` implemented using `docs/schemas/mirror-bundle.schema.json`; CLI-AIRGAP-56-002 now unblocked.
+- ~~`CLI-ATTEST-73-001` blocked: attestor SDK/transport contract not available to wire `stella attest sign`~~ **RESOLVED 2025-12-04**: attestor SDK transport schema available at `docs/schemas/attestor-transport.schema.json`; CLI build verified working (0 errors); ready to implement.
 - Action tracker: adoption alignment waits on SDKGEN-64-001 Wave B drops (Sprint 0208); offline kit status sample not yet provided by Offline Kit owner.
 - Full CLI test suite is long-running locally; targeted new advisory tests added. Recommend CI run `dotnet test src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj` for confirmation.

@@ -96,3 +96,4 @@
 | 2025-11-30 | Action tracker updated: adoption alignment (Action 1) BLOCKED awaiting SDKGEN-64-001 Wave B drops in Sprint 0208; offline kit status sample (Action 2) BLOCKED pending contract/sample from Offline Kit owner. | DevEx/CLI Guild |
 | 2025-11-24 | Verified advise batch implementation and marked CLI-AIAI-31-004 DONE; coverage via `HandleAdviseBatchAsync_RunsAllAdvisories` test. | DevEx/CLI Guild |
 | 2025-12-01 | Added CLI-GAPS-201-003 to capture CL1–CL10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
+| 2025-12-04 | Implemented CLI-AIRGAP-56-001 (`stella mirror create`): added `MirrorBundleModels.cs` DTOs from `docs/schemas/mirror-bundle.schema.json`, wired `BuildMirrorCommand` in CommandFactory.cs, and `HandleMirrorCreateAsync` handler in CommandHandlers.cs. Command creates manifest JSON, SHA256SUMS, and placeholder exports conforming to air-gap bundle schema. Build verified (0 errors); tested with `stella mirror create --domain vex-advisories --output /tmp/test`. Unblocked CLI-AIRGAP-56-002. | DevEx/CLI Guild |
--- a/docs/implplan/SPRINT_0303_0001_0001_docs_tasks_md_iii.md
+++ b/docs/implplan/SPRINT_0303_0001_0001_docs_tasks_md_iii.md
@@ -0,0 +1,69 @@
+# Sprint 0303_0001_0001 · Documentation & Process · Docs Tasks Md III
+
+## Topic & Scope
+- Phase Md.III of the docs ladder: console observability/forensics docs and exception-handling doc set.
+- Keep outputs deterministic (hash-listed fixtures, reproducible captures) and ready for offline packaging.
+- **Working directory:** `docs/` (module guides, governance, console docs; any fixtures under `docs/assets/**`).
+
+## Dependencies & Concurrency
+- Upstream deps: Sprint 200.A Docs Tasks Md.II hand-off; Console observability UX assets and deterministic sample data; Governance/Exceptions contracts and routing matrix; Exception API definitions.
+- Concurrency: Later Md phases (304–309) remain queued; avoid back edges. Coordinate with console/exception feature sprints but keep doc scope self-contained.
+
+## Documentation Prerequisites
+- `docs/README.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/AGENTS.md` (docs working agreement)
+- Console module dossier for observability widgets (when provided)
+- Governance/Exceptions specifications (when provided)
+
+> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | DOCS-ATTEST-75-001 | DONE (2025-11-25) | — | Docs Guild · Export Attestation Guild | Add `/docs/modules/attestor/airgap.md` for attestation bundles. |
+| 2 | DOCS-ATTEST-75-002 | DONE (2025-11-25) | — | Docs Guild · Security Guild | Update `/docs/security/aoc-invariants.md` with attestation invariants. |
+| 3 | DOCS-CLI-41-001 | DONE (2025-11-25) | — | Docs Guild · DevEx/CLI Guild | Publish CLI overview/configuration/output-and-exit-codes guides under `docs/modules/cli/guides/`. |
+| 4 | DOCS-CLI-42-001 | DONE (2025-11-25) | DOCS-CLI-41-001 | Docs Guild | Publish `parity-matrix.md` and command guides under `docs/modules/cli/guides/commands/` (policy, sbom, vuln, vex, advisory, export, orchestrator, notify, aoc, auth). |
+| 5 | DOCS-CLI-OBS-52-001 | DONE (2025-11-25) | — | Docs Guild · DevEx/CLI Guild | Create `/docs/modules/cli/guides/observability.md` (stella obs commands, exit codes, scripting). |
+| 6 | DOCS-CLI-FORENSICS-53-001 | DONE (2025-11-25) | — | Docs Guild · DevEx/CLI Guild | Publish `/docs/modules/cli/guides/forensics.md` with snapshot/verify/attest flows and offline guidance. |
+| 7 | DOCS-CONTRIB-62-001 | DONE (2025-11-25) | — | Docs Guild · API Governance Guild | Publish `/docs/contributing/api-contracts.md` (OAS edit/lint/compat rules). |
+| 8 | DOCS-DEVPORT-62-001 | DONE (2025-11-25) | — | Docs Guild · Developer Portal Guild | Document `/docs/devportal/publishing.md` for build pipeline and offline bundle steps. |
+| 9 | DOCS-CONSOLE-OBS-52-001 | BLOCKED (2025-11-25) | Need Observability Hub widget shots + deterministic sample payloads from Console Guild; require hash list for captures. | Docs Guild · Console Guild | `/docs/console/observability.md` (widgets, trace/log search, imposed rule banner, accessibility tips). |
+| 10 | DOCS-CONSOLE-OBS-52-002 | BLOCKED (2025-11-25) | Depends on DOCS-CONSOLE-OBS-52-001 content/assets. | Docs Guild · Console Guild | `/docs/console/forensics.md` (timeline explorer, evidence viewer, attestation verifier, troubleshooting). |
+| 11 | DOCS-EXC-25-001 | BLOCKED (2025-11-25) | Await governance exception lifecycle spec + examples from Governance Guild. | Docs Guild · Governance Guild | `/docs/governance/exceptions.md` (lifecycle, scope patterns, compliance checklist). |
+| 12 | DOCS-EXC-25-002 | BLOCKED (2025-11-25) | Depends on DOCS-EXC-25-001; needs routing matrix and MFA/audit rules from Authority Core. | Docs Guild · Authority Core | `/docs/governance/approvals-and-routing.md` (roles, routing, audit trails). |
+| 13 | DOCS-EXC-25-003 | BLOCKED (2025-11-25) | Depends on DOCS-EXC-25-002; waiting on exception API contract. | Docs Guild · BE-Base Platform Guild | `/docs/api/exceptions.md` (endpoints, payloads, errors, idempotency). |
+| 14 | DOCS-EXC-25-005 | BLOCKED (2025-11-25) | Depends on DOCS-EXC-25-003 UI payloads + accessibility guidance from UI Guild. | Docs Guild · UI Guild | `/docs/ui/exception-center.md` (UI walkthrough, badges, accessibility). |
+| 15 | DOCS-EXC-25-006 | BLOCKED (2025-11-25) | Depends on DOCS-EXC-25-005; needs CLI command shapes + exit codes from DevEx. | Docs Guild · DevEx/CLI Guild | Update `/docs/modules/cli/guides/exceptions.md` (commands and exit codes). |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-12-04 | Normalised sprint to standard template and renamed to `SPRINT_0303_0001_0001_docs_tasks_md_iii.md`; legacy details preserved in Delivery Tracker; no status changes. | Project Mgmt |
+| 2025-11-25 | Delivered DOCS-CLI-41/42-001, DOCS-CLI-OBS-52-001, DOCS-CLI-FORENSICS-53-001; published CLI guides, parity matrix, observability, and forensics docs. | Docs Guild |
+| 2025-11-25 | Delivered DOCS-ATTEST-75-001/002 (attestor air-gap guide, AOC invariants); statuses mirrored to tasks-all. | Docs Guild |
+| 2025-11-25 | Delivered DOCS-DEVPORT-62-001 and DOCS-CONTRIB-62-001 (devportal publishing and API contracts docs). | Docs Guild |
+| 2025-11-23 | Migrated completed work to archive (`docs/implplan/archived/tasks.md`); retained active items in sprint. | Docs Guild |
+| 2025-11-18 | Imported task inventory from Md.II; flagged console observability and exceptions chain as BLOCKED awaiting upstream specs/assets. | Project Mgmt |
+
+## Decisions & Risks
+### Decisions
+| Decision | Owner(s) | Due | Notes |
+| --- | --- | --- | --- |
+| Md.III scope fixed to console observability/forensics plus exceptions documentation chain; avoid adding new module docs until blockers clear. | Docs Guild | 2025-11-18 | Reaffirmed while importing backlog from Md.II. |
+
+### Risks
+| Risk | Impact | Mitigation |
+| --- | --- | --- |
+| Console observability assets (widgets, sample data, hash list) not yet delivered. | Blocks DOCS-CONSOLE-OBS-52-001/002; delays console doc set. | Request asset drop + hashes from Console Guild; keep BLOCKED until fixtures arrive. |
+| Exception governance contract & routing matrix outstanding. | Blocks DOCS-EXC-25-001..006 chain; downstream CLI/UI/API docs stalled. | Ask Governance/Authority/Platform guilds for contract + API draft; keep tasks BLOCKED and mirror in `BLOCKED_DEPENDENCY_TREE.md` if escalated. |
+
+## Next Checkpoints
+| Date (UTC) | Session | Goal | Owner(s) |
+| --- | --- | --- | --- |
+| TBD | Console observability asset drop | Deliver deterministic widget captures + sample payload hashes to unblock DOCS-CONSOLE-OBS-52-001/002. | Console Guild · Docs Guild |
+| TBD | Exceptions contract hand-off | Provide lifecycle/routing matrix + API contract to unblock DOCS-EXC-25-001..006. | Governance Guild · Authority Core · BE-Base Platform |
+
+## Appendix
+- Legacy sprint content prior to normalization was archived at `docs/implplan/archived/tasks.md` (updated 2025-11-08).
--- a/docs/implplan/SPRINT_0500_0001_0001_ops_offline.md
+++ b/docs/implplan/SPRINT_0500_0001_0001_ops_offline.md
@@ -1,10 +1,10 @@
-# Sprint 500 - Ops & Offline
+# Sprint 0500_0001_0001 · Ops & Offline

 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.

 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).

-This file now only tracks the Ops & Offline status snapshot. Active backlog lives in Sprint 501 and later files.
+This file now only tracks the Ops & Offline status snapshot. Active backlog lives in `SPRINT_0501_0001_0001_ops_deployment_i.md` and later files.

 ## Wave coordination

@@ -15,3 +15,8 @@ This file now only tracks the Ops & Offline status snapshot. Active backlog live
 | 190.C Ops Offline Kit | Offline Kit Guild · Packs Registry Guild · Exporter Guild | Same as above | TODO | Needs artifacts from Ops Deployment & DevOps waves (mirror bundles, sealed-mode verification). |
 | 190.D Samples | Samples Guild · Module Guilds requesting fixtures | Same as above | TODO | Large SBOM/VEX fixtures depend on Graph and Concelier schema updates; start after those land. |
 | 190.E AirGap Controller | AirGap Controller Guild · DevOps Guild · Authority Guild | Same as above | TODO | Seal/unseal state machine should launch only after Attestor/Authority sealed-mode changes are confirmed in Ops Deployment. |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-12-04 | Renamed to `SPRINT_0500_0001_0001_ops_offline.md` to match sprint filename template; no scope/status changes. | Project PM |
--- a/docs/implplan/SPRINT_0501_0001_0001_ops_deployment_i.md
+++ b/docs/implplan/SPRINT_0501_0001_0001_ops_deployment_i.md
@@ -1,4 +1,4 @@
-# Sprint 501 - Ops & Offline · 190.A) Ops Deployment.I
+# Sprint 0501_0001_0001 · Ops & Offline · 190.A) Ops Deployment I

 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).

@@ -45,6 +45,7 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-04 | Renamed from `SPRINT_501_ops_deployment_i.md` to template-compliant `SPRINT_0501_0001_0001_ops_deployment_i.md`; no task/status changes. | Project PM |
 | 2025-11-25 | Marked COMPOSE-44-001 BLOCKED: waiting on consolidated service list + version pins from upstream module releases before writing compose/quickstart bundle. | Project Mgmt |
 | 2025-11-25 | Marked DEPLOY-AIRGAP-46-001 BLOCKED: waiting on Mirror staffing + DSSE plan (001_PGMI0101, 002_ATEL0101) before authoring load scripts and offline kit guide updates. | Project Mgmt |
 | 2025-11-25 | Ingested DEVOPS-MIRROR-23-001-REL from Concelier I sprint; track alongside DEPLOY-MIRROR-23-001 with same CI/signing dependencies. | Project Mgmt |
--- a/docs/implplan/SPRINT_0502_0001_0001_ops_deployment_ii.md
+++ b/docs/implplan/SPRINT_0502_0001_0001_ops_deployment_ii.md
@@ -1,4 +1,4 @@
-# Sprint 502 · Ops Deployment II (Ops & Offline)
+# Sprint 0502_0001_0001 · Ops Deployment II (Ops & Offline)

 ## Topic & Scope
 - Phase II of ops deployment/offline readiness stream (IMPL 190.A follow-on).
@@ -33,6 +33,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-04 | Renamed from `SPRINT_502_ops_deployment_ii.md` to template-compliant `SPRINT_0502_0001_0001_ops_deployment_ii.md`; no task/status changes. | Project PM |
 | 2025-12-02 | Normalized sprint file to standard template; no task status changes | StellaOps Agent |

 ## Decisions & Risks
--- a/docs/implplan/SPRINT_0503_0001_0001_ops_devops_i.md
+++ b/docs/implplan/SPRINT_0503_0001_0001_ops_devops_i.md
@@ -1,4 +1,4 @@
-# Sprint 503 - Ops & Offline · 190.B) Ops Devops.I
+# Sprint 0503_0001_0001 · Ops & Offline · 190.B) Ops DevOps I

 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).

@@ -56,6 +56,7 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-04 | Renamed from `SPRINT_503_ops_devops_i.md` to template-compliant `SPRINT_0503_0001_0001_ops_devops_i.md`; no task/status changes. | Project PM |
 | 2025-11-30 | Completed DEVOPS-AIRGAP-58-002: added sealed-mode observability compose stack (Prometheus/Grafana/Tempo/Loki) with offline configs plus health script under `ops/devops/airgap/`; ready for sealed-mode bootstrap. | DevOps |
 | 2025-11-30 | Completed DEVOPS-SBOM-23-001: added SBOM CI runner (`ops/devops/sbom-ci-runner/run-sbom-ci.sh`) with warmed-cache restore, binlog/TRX outputs, and NuGet cache hash evidence; documented in runner README. | DevOps |
 | 2025-11-30 | Completed DEVOPS-SCANNER-CI-11-001: added offline-friendly Scanner CI runner (`ops/devops/scanner-ci-runner/run-scanner-ci.sh`) and README; produces build binlog + TRX outputs from key test projects with warmed NuGet cache. | DevOps |
--- a/docs/implplan/SPRINT_0505_0001_0001_ops_devops_iii.md
+++ b/docs/implplan/SPRINT_0505_0001_0001_ops_devops_iii.md
@@ -1,4 +1,4 @@
-# Sprint 505 · Ops & Offline — 190.B) Ops DevOps III
+# Sprint 0505_0001_0001 · Ops & Offline — 190.B) Ops DevOps III

 ## Topic & Scope
 - Phase III of Ops & Offline stream (IMPL 190.B), following Ops DevOps II.
@@ -49,6 +49,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-04 | Renamed from `SPRINT_505_ops_devops_iii.md` to template-compliant `SPRINT_0505_0001_0001_ops_devops_iii.md`; no status changes. | Project PM |
 | 2025-11-24 | Completed DEVOPS-OAS-61-001/002: added OAS CI workflow `.gitea/workflows/oas-ci.yml` (compose, lint, examples, compat diff, contract tests, aggregate spec upload). | Implementer |
 | 2025-11-24 | Completed DEVOPS-OPENSSL-11-001: copied OpenSSL 1.1 shim into all test outputs via shared Directory.Build.props; Authority Mongo2Go tests pass. | Implementer |
 | 2025-12-02 | Normalized sprint file to standard template; preserved task statuses and dependencies. | StellaOps Agent |
--- a/docs/implplan/SPRINT_0506_0001_0001_ops_devops_iv.md
+++ b/docs/implplan/SPRINT_0506_0001_0001_ops_devops_iv.md
@@ -1,4 +1,4 @@
-# Sprint 506 · Ops DevOps IV (Ops & Offline 190.B)
+# Sprint 0506_0001_0001 · Ops DevOps IV (Ops & Offline 190.B)

 ## Topic & Scope
 - Ops & Offline focus on DevOps phase IV: incident automation, orchestrator observability, policy CI, signing/SDK pipelines, and mirror signing.
@@ -49,6 +49,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-04 | Renamed from `SPRINT_506_ops_devops_iv.md` to template-compliant `SPRINT_0506_0001_0001_ops_devops_iv.md`; no status changes. | Project PM |
 | 2025-12-03 | Normalised sprint file to standard template; preserved all tasks/logs; no status changes. | Planning |
 | 2025-11-25 | DEVOPS-CI-110-001 runner published at `ops/devops/ci-110-runner/`; initial TRX slices stored under `ops/devops/artifacts/ci-110/20251125T030557Z/`. | DevOps |
 | 2025-11-25 | MIRROR-CRT-56-CI-001 completed: CI signing script emits milestone hash summary, enforces DSSE/TUF/time-anchor steps, uploads `milestone.json` via `mirror-sign.yml`. | DevOps |
--- a/docs/implplan/SPRINT_0507_0001_0001_ops_devops_v.md
+++ b/docs/implplan/SPRINT_0507_0001_0001_ops_devops_v.md
@@ -1,4 +1,4 @@
-# Sprint 507 · Ops DevOps V (Ops & Offline 190.B)
+# Sprint 0507_0001_0001 · Ops DevOps V (Ops & Offline 190.B)

 ## Topic & Scope
 - Ops & Offline phase V: tenant audit/chaos, VEX Lens/Vuln Explorer CI+observability, hardened Docker images, SBOM/attestations, and Surface.Env/Surface.Secrets rollout.
@@ -33,6 +33,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-04 | Renamed from `SPRINT_507_ops_devops_v.md` to template-compliant `SPRINT_0507_0001_0001_ops_devops_v.md`; no status changes. | Project PM |
 | 2025-12-03 | Completed DEVOPS-TEN-49-001: added tenant recording/alert rules, k6 load harness, chaos runbook/script, and deploy README import steps. | DevOps |
 | 2025-12-03 | Completed DOCKER-44-001: service build matrix + build-all helper, console Dockerfile/healthcheck, APP_BINARY-ready hardened template. | DevOps |
 | 2025-12-03 | Normalised sprint file to standard template; no status changes. | Planning |
--- a/docs/implplan/SPRINT_0508_0001_0001_ops_offline_kit.md
+++ b/docs/implplan/SPRINT_0508_0001_0001_ops_offline_kit.md
@@ -1,4 +1,4 @@
-# Sprint 508 · Ops Offline Kit (Ops & Offline 190.C)
+# Sprint 0508_0001_0001 · Ops Offline Kit (Ops & Offline 190.C)

 ## Topic & Scope
 - Package offline kit with CLI/task packs, orchestrator/export/notifier bundles, container bundles, Surface.Secrets, and registry mirror assets.
@@ -30,6 +30,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-04 | Renamed from `SPRINT_508_ops_offline_kit.md` to template-compliant `SPRINT_0508_0001_0001_ops_offline_kit.md`; no status changes. | Project PM |
 | 2025-12-03 | Normalised sprint file to standard template; no status changes. | Planning |
 | 2025-11-26 | Wired Offline Kit packaging to include CLI binaries, Task Runner bootstrap config, and task-pack docs; updated `test_build_offline_kit.py`; marked CLI-PACKS-43-002 DONE. | Implementer |
 | 2025-11-26 | Added container bundle pickup (release/containers/images) and mirrored registry doc copy; offline kit test coverage updated; marked OFFLINE-CONTAINERS-46-001 DONE. | Implementer |
--- a/docs/implplan/SPRINT_303_docs_tasks_md_iii.md
+++ b/docs/implplan/SPRINT_303_docs_tasks_md_iii.md
@@ -1,34 +0,0 @@
-# Sprint 303 - Documentation & Process · 200.A) Docs Tasks.Md.III
-
-> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
-
-Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
-
-[Documentation & Process] 200.A) Docs Tasks.Md.III
-Depends on: Sprint 200.A - Docs Tasks.Md.II
-Summary: Documentation & Process focus on Docs Tasks (phase Md.III).
-Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
-DOCS-ATTEST-75-001 | DONE (2025-11-25) | Add `/docs/modules/attestor/airgap.md` for attestation bundles. Dependencies: DOCS-ATTEST-74-004. | Docs Guild, Export Attestation Guild (docs)
-DOCS-ATTEST-75-002 | DONE (2025-11-25) | Update `/docs/security/aoc-invariants.md` with attestation invariants. Dependencies: DOCS-ATTEST-75-001. | Docs Guild, Security Guild (docs)
-DOCS-CLI-41-001 | DONE (2025-11-25) | Publish `/docs/modules/cli/guides/overview.md`, `/docs/modules/cli/guides/configuration.md`, `/docs/modules/cli/guides/output-and-exit-codes.md` with imposed rule statements. | Docs Guild, DevEx/CLI Guild (docs)
-DOCS-CLI-42-001 | DONE (2025-11-25) | Publish `/docs/modules/cli/guides/parity-matrix.md` and command guides under `/docs/modules/cli/guides/commands/*.md` (policy, sbom, vuln, vex, advisory, export, orchestrator, notify, aoc, auth). Dependencies: DOCS-CLI-41-001. | Docs Guild (docs)
-DOCS-CLI-FORENSICS-53-001 | DONE (2025-11-25) | Publish `/docs/modules/cli/guides/forensics.md` for snapshot/verify/attest commands with sample outputs, imposed rule banner, and offline workflows. | Docs Guild, DevEx/CLI Guild (docs)
-DOCS-CLI-OBS-52-001 | DONE (2025-11-25) | Create `/docs/modules/cli/guides/observability.md` detailing `stella obs` commands, examples, exit codes, imposed rule banner, and scripting tips. | Docs Guild, DevEx/CLI Guild (docs)
-DOCS-CONSOLE-OBS-52-001 | BLOCKED (2025-11-25) | Document `/docs/console/observability.md` showcasing Observability Hub widgets, trace/log search, imposed rule banner, and accessibility tips. | Docs Guild, Console Guild (docs)
-DOCS-CONSOLE-OBS-52-002 | BLOCKED (2025-11-25) | Publish `/docs/console/forensics.md` covering timeline explorer, evidence viewer, attestation verifier, imposed rule banner, and troubleshooting. Dependencies: DOCS-CONSOLE-OBS-52-001. | Docs Guild, Console Guild (docs)
-DOCS-CONTRIB-62-001 | DONE (2025-11-25) | Publish `/docs/contributing/api-contracts.md` detailing how to edit OAS, lint rules, compatibility checks. | Docs Guild, API Governance Guild (docs)
-DOCS-DEVPORT-62-001 | DONE (2025-11-25) | Document `/docs/devportal/publishing.md` for build pipeline, offline bundle steps. | Docs Guild, Developer Portal Guild (docs)
-DOCS-EXC-25-001 | BLOCKED (2025-11-25) | Author `/docs/governance/exceptions.md` covering lifecycle, scope patterns, examples, compliance checklist. | Docs Guild, Governance Guild (docs)
-DOCS-EXC-25-002 | BLOCKED (2025-11-25) | Publish `/docs/governance/approvals-and-routing.md` detailing roles, routing matrix, MFA rules, audit trails. Dependencies: DOCS-EXC-25-001. | Docs Guild, Authority Core (docs)
-DOCS-EXC-25-003 | BLOCKED (2025-11-25) | Create `/docs/api/exceptions.md` with endpoints, payloads, errors, idempotency notes. Dependencies: DOCS-EXC-25-002. | Docs Guild, BE-Base Platform Guild (docs)
-DOCS-EXC-25-005 | BLOCKED (2025-11-25) | Write `/docs/ui/exception-center.md` with UI walkthrough, badges, accessibility, shortcuts. Dependencies: DOCS-EXC-25-003. | Docs Guild, UI Guild (docs)
-DOCS-EXC-25-006 | BLOCKED (2025-11-25) | Update `/docs/modules/cli/guides/exceptions.md` covering command usage and exit codes. Dependencies: DOCS-EXC-25-005. | Docs Guild, DevEx/CLI Guild (docs)
-
-Update log:
- 2025-11-25 · DOCS-ATTEST-75-001/002 delivered: added attestor air-gap guide and AOC attestation invariants; statuses mirrored to tasks-all.
- 2025-11-25 · DOCS-CLI-41-001 delivered: added CLI overview/configuration/output-and-exit-codes guides under `docs/modules/cli/guides/`; status mirrored to tasks-all.
- 2025-11-25 · DOCS-CLI-42-001 delivered: parity matrix plus command guides for policy, sbom, vuln, vex, advisory, export, orchestrator, notify, aoc, auth added under `docs/modules/cli/guides/commands/`; status mirrored to tasks-all.
- 2025-11-25 · DOCS-CLI-OBS-52-001 and DOCS-CLI-FORENSICS-53-001 delivered: added `observability.md` and `forensics.md` under `docs/modules/cli/guides/`; statuses mirrored to tasks-all.
- 2025-11-25 · DOCS-DEVPORT-62-001 delivered: new `docs/devportal/publishing.md` covering build/publish (online/offline), manifests, checksums, deployment targets, and release checklist; status mirrored to tasks-all.
- 2025-11-25 · DOCS-CONTRIB-62-001 delivered: added `docs/contributing/api-contracts.md` with OAS edit workflow, lint/compat/changelog steps, offline bundle guidance, and release checklist; status mirrored to tasks-all.