feat: Implement Filesystem and MongoDB provenance writers for PackRun execution context

- Added `FilesystemPackRunProvenanceWriter` to write provenance manifests to the filesystem.
- Introduced `MongoPackRunArtifactReader` to read artifacts from MongoDB.
- Created `MongoPackRunProvenanceWriter` to store provenance manifests in MongoDB.
- Developed unit tests for filesystem and MongoDB provenance writers.
- Established `ITimelineEventStore` and `ITimelineIngestionService` interfaces for timeline event handling.
- Implemented `TimelineIngestionService` to validate and persist timeline events with hashing.
- Created PostgreSQL schema and migration scripts for timeline indexing.
- Added dependency injection support for timeline indexer services.
- Developed tests for timeline ingestion and schema validation.

docs/modules/ui/README.md

@@ -2,7 +2,11 @@
 
 The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows.
 
-## Responsibilities
+## Latest updates (2025-11-30)
+- Docs refreshed per `docs/implplan/SPRINT_0331_0001_0001_docs_modules_ui.md`; added observability runbook stub and TASKS mirror.
+- Access-control guidance from 2025-11-03 remains valid; ensure Authority scopes are verified before enabling uploads.
+
+## Responsibilities
 - Render real-time status for ingestion, scanning, policy, and exports via SSE.
 - Provide policy editor, SBOM explorer, and advisory views with accessibility compliance.
 - Integrate with Authority for fresh-auth and scope enforcement.
@@ -18,14 +22,16 @@ The Console presents operator dashboards for scans, policies, VEX evidence, runt
 - Authority for DPoP-protected calls.
 - Telemetry streams for observability dashboards.
 
-## Operational notes
-- Auth smoke tests in ./operations/auth-smoke.md.
-- Console architecture doc for layout and SSE fan-out.
-- Accessibility and security guides in ../../ui/ & ../../security/.
+## Operational notes
+- Auth smoke tests in `operations/auth-smoke.md`.
+- Observability runbook + dashboard stub in `operations/observability.md` and `operations/dashboards/console-ui-observability.json` (offline import).
+- Console architecture doc for layout and SSE fan-out.
+- Accessibility and security guides in ../../ui/ & ../../security/.
 
-## Related resources
-- ./operations/auth-smoke.md
-- ./console-architecture.md
+## Related resources
+- ./operations/auth-smoke.md
+- ./operations/observability.md
+- ./console-architecture.md
 
 ## Backlog references
 - DOCS-CONSOLE-23-001 … DOCS-CONSOLE-23-003 baseline (done).

docs/modules/ui/TASKS.md

@@ -0,0 +1,9 @@
+# Console UI · TASKS (status mirror)
+
+| Task ID | Status | Owner(s) | Notes / Evidence |
+| --- | --- | --- | --- |
+| CONSOLE UI-DOCS-0001 | DONE (2025-11-30) | Docs Guild | README/architecture updated; sprint links and observability references added. |
+| CONSOLE UI-ENG-0001 | DONE (2025-11-30) | Module Team | TASKS board created; statuses mirrored with `docs/implplan/SPRINT_0331_0001_0001_docs_modules_ui.md`. |
+| CONSOLE UI-OPS-0001 | DONE (2025-11-30) | Ops Guild | Observability runbook stub + Grafana JSON placeholder added under `operations/`. |
+
+> Keep this table in lockstep with the sprint Delivery Tracker (TODO/DOING/DONE/BLOCKED updates go to both places).

docs/modules/ui/architecture.md

@@ -28,8 +28,9 @@
 * **State**: Angular **Signals** + `@ngrx/signals` store for cross‑page slices.
 * **Transport**: `fetch` + RxJS interop; **SSE** (EventSource) for progress streams.
 * **Build**: Angular CLI + Vite builder.
-* **Testing**: Jest + Testing Library, Playwright for e2e.
-* **Packaging**: Containerized NGINX (immutable assets, ETag + content hashing).
+* **Testing**: Jest + Testing Library, Playwright for e2e.
+* **Packaging**: Containerized NGINX (immutable assets, ETag + content hashing).
+* **Observability docs**: runbook + Grafana JSON stub in `operations/observability.md` and `operations/dashboards/console-ui-observability.json` (offline import).
 
 ---
 

docs/modules/ui/implementation_plan.md

@@ -16,10 +16,15 @@
 - **Epic 6 – Vulnerability Explorer:** surface triage dashboards, findings ledger, and audit exports.
 - **Epic 8 – Advisory AI:** integrate advisory summaries and remediation hints with strict provenance.
 - **Epic 9 – Orchestrator Dashboard:** expose job/source monitoring controls.
-- **Epic 11 – Notifications Studio:** provide notifications workspace with previews and audit trails.
-- Track supporting tasks (e.g., DOCS-CONSOLE-23-001, CONSOLE-OBS-52-001) in ../../TASKS.md.
-
-## Coordination
-- Review ./AGENTS.md before picking up new work.
-- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`.
-- Update this plan whenever scope, dependencies, or guardrails change.
+- **Epic 11 – Notifications Studio:** provide notifications workspace with previews and audit trails.
+- Track supporting tasks (e.g., DOCS-CONSOLE-23-001, CONSOLE-OBS-52-001) in ../../TASKS.md.
+
+## Coordination
+- Review ./AGENTS.md before picking up new work.
+- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`.
+- Update this plan whenever scope, dependencies, or guardrails change.
+
+## Sprint alignment (2025-11-30)
+- Current doc refresh tracked in `docs/implplan/SPRINT_0331_0001_0001_docs_modules_ui.md`; statuses mirrored in `docs/modules/ui/TASKS.md`.
+- Observability evidence for latest demo lives in `operations/observability.md` with Grafana JSON stub under `operations/dashboards/`.
+- Keep future doc/ops changes mirrored across sprint, TASKS, and module front doors to prevent drift.

docs/modules/ui/operations/dashboards/console-ui-observability.json

@@ -0,0 +1,6 @@
+{
+  "_note": "Placeholder Grafana dashboard stub for Console UI. Replace panels when metrics endpoints are wired; keep offline-import friendly.",
+  "schemaVersion": 39,
+  "title": "Console UI Observability (stub)",
+  "panels": []
+}

docs/modules/ui/operations/observability.md

@@ -0,0 +1,38 @@
+# Console UI observability runbook (stub · 2025-11-29 demo)
+
+## Dashboards (offline import)
+- Grafana JSON: `docs/modules/ui/operations/dashboards/console-ui-observability.json` (import locally; no external data sources assumed).
+- Panels to include: API latency (p95/p99), error rate, WebSocket/SSE connection count, asset load time, bundle size budget, Core Web Vitals (LCP/FID/CLS), and triage view render time.
+
+## Key metrics
+- `console_ui_http_request_duration_seconds_bucket{route}` — API call latency.
+- `console_ui_http_requests_total{status}` — error rate tracking.
+- `console_ui_websocket_connections` — active live session count.
+- `console_ui_bundle_bytes{chunk}` — bundle size by chunk (ensures offline kit budget).
+- `console_ui_core_web_vitals{metric}` — LCP/FID/CLS gauges.
+- `console_ui_export_duration_seconds_bucket` — export trigger to download completion.
+
+## Logs & traces
+- Correlate by `correlationId` (propagated from API) and `tenant`. Include `feature` (triage, findings, policy) and `route` fields.
+- Traces disabled by default for air-gap; enable by pointing OTLP endpoint to on-prem collector and setting `Telemetry:ExportEnabled=true`.
+
+## Health/diagnostics
+- `/health/liveness` and `/health/readiness` (UI backend) must return 200; readiness checks asset storage + API gateway reachability.
+- `/status` exposes build version, commit, feature flags; ensure it matches the offline bundle manifest when shipping sealed kits.
+- Frontend self-check: open `/health/ui` to verify core bundles are reachable and integrity hashes match manifest.
+
+## Alert hints
+- p99 API latency > 1s for `/api/findings` or `/api/policy`.
+- SSE/WS disconnect rate > 2% over 5m window.
+- Bundle size > 3.5 MB for main chunk after gzip (offline kit budget breach).
+- Core Web Vitals: LCP > 2.5s, CLS > 0.1 on internal demo dataset.
+
+## Offline verification steps
+1) Import Grafana JSON locally; point to Prometheus scrape labeled `console-ui`.
+2) Run `npm run build -- --configuration=production` (or offline kit build) and verify bundle hashes against manifest used by `/health/ui`.
+3) Fetch `/status` and compare commit/version to the static asset manifest embedded in the offline kit.
+
+## Evidence locations
+- Sprint tracker: `docs/implplan/SPRINT_0331_0001_0001_docs_modules_ui.md`.
+- Module front doors: `README.md`, `architecture.md`, `implementation_plan.md`.
+- Dashboard stub: `operations/dashboards/console-ui-observability.json`.