feat: Implement Filesystem and MongoDB provenance writers for PackRun execution context

- Added `FilesystemPackRunProvenanceWriter` to write provenance manifests to the filesystem.
- Introduced `MongoPackRunArtifactReader` to read artifacts from MongoDB.
- Created `MongoPackRunProvenanceWriter` to store provenance manifests in MongoDB.
- Developed unit tests for filesystem and MongoDB provenance writers.
- Established `ITimelineEventStore` and `ITimelineIngestionService` interfaces for timeline event handling.
- Implemented `TimelineIngestionService` to validate and persist timeline events with hashing.
- Created PostgreSQL schema and migration scripts for timeline indexing.
- Added dependency injection support for timeline indexer services.
- Developed tests for timeline ingestion and schema validation.

docs/modules/vuln-explorer/README.md

@@ -2,8 +2,10 @@
 
 Vulnerability Explorer delivers policy-aware triage, investigation, and reporting surfaces for effective findings.
 
-## Latest updates (2025-11-03)
-- Access controls refresh introduced attachment signing tokens and updated scope guidance (`docs/updates/2025-11-03-vuln-explorer-access-controls.md`). Ensure operator runbooks reference the new Authority scopes (`authority-scopes.md`) and security checklist before enabling attachment uploads.
+## Latest updates (2025-11-30)
+- Documentation refresh aligned to sprint 0334: added observability/runbook snapshot and cross-links to OpenAPI draft (`./api.md`) and schemas in `architecture.md`.
+- New offline-friendly observability runbook at `runbooks/observability.md` plus stub Grafana JSON in `runbooks/dashboards/`.
+- Retained 2025-11-03 access-control changes; verify Authority scopes before enabling attachment uploads (`docs/updates/2025-11-03-vuln-explorer-access-controls.md`).
 
 ## Responsibilities
 - Present policy-evaluated findings with advisory, VEX, SBOM, and runtime context.
@@ -22,10 +24,11 @@ Vulnerability Explorer delivers policy-aware triage, investigation, and reportin
 - Scheduler for remediation/verification jobs.
 - Notify for triage notifications.
 
-## Operational notes
-- Audit logging per Epic 6 requirements.
-- Offline-ready CSV/PDF exports with deterministic hashes.
-- Dashboards for MTTR and triage throughput.
+## Operational notes
+- Audit logging per Epic 6 requirements.
+- Offline-ready CSV/PDF exports with deterministic hashes.
+- Dashboards for MTTR and triage throughput.
+- Observability runbook and dashboard stub: see `runbooks/observability.md` and `runbooks/dashboards/vuln-explorer-observability.json` (import locally).
 
 ## Epic alignment
 - Epic 6: Vulnerability Explorer.

docs/modules/vuln-explorer/TASKS.md

@@ -0,0 +1,9 @@
+# Vuln Explorer · TASKS (status mirror)
+
+| Task ID | Status | Owner(s) | Notes / Evidence |
+| --- | --- | --- | --- |
+| VULNERABILITY-EXPLORER-DOCS-0001 | DONE (2025-11-30) | Docs Guild | README/architecture updated; OpenAPI/schema/sprint links added; runbook evidence captured. |
+| VULNERABILITY-EXPLORER-OPS-0001 | DONE (2025-11-30) | Ops Guild | Observability runbook + dashboard stub added; health/alert guidance documented. |
+| VULNERABILITY-EXPLORER-ENG-0001 | DONE (2025-11-30) | Module Team | Sprint alignment notes added to implementation_plan; task mirror created. |
+
+> Status must mirror `/docs/implplan/SPRINT_0334_0001_0001_docs_modules_vuln_explorer.md` (DOING/DONE/BLOCKED updates go to both files).

docs/modules/vuln-explorer/architecture.md

@@ -55,6 +55,7 @@ CLI mirrors these endpoints (`stella findings list|view|update|export`). Console
 - Logs: structured with `findingId`, `artifactId`, `advisory`, `policyVersion`, `actor`, `actionType`.
 - Audit exports: `audit_log.jsonl` appended whenever state changes; offline bundles include signed audit log and manifest.
 - Compliance: accepted risk requires dual approval and stores justification plus expiry reminders (raised through Notify).
+- Runbook and dashboard stub for demo snapshot: `runbooks/observability.md` and `runbooks/dashboards/vuln-explorer-observability.json` (offline import).
 
 ## 6) Identity & access integration
 

docs/modules/vuln-explorer/implementation_plan.md

@@ -68,3 +68,8 @@
 - Services, UI/CLI, integrations, exports, and observability deployed with runbooks and Offline Kit parity.
 - Documentation suite (overview, using-console, API, CLI, findings ledger, policy mapping, VEX/SBOM integration, telemetry, security, runbooks, install) updated with imposed rule statement.
 - ./TASKS.md and ../../TASKS.md reflect active progress; compliance checklists appended where required.
+
+## Sprint alignment (2025-11-30)
+- Docs refresh tracked in `docs/implplan/SPRINT_0334_0001_0001_docs_modules_vuln_explorer.md` (Docs/OPS/ENG streams).
+- Observability runbook evidence lives under `runbooks/observability.md` with stub dashboard JSON for offline demos.
+- API/OpenAPI references: `api.md` and `openapi/vuln-explorer.v1.yaml` are the current contract drafts; keep Console/CLI generators synced to these.

docs/modules/vuln-explorer/runbooks/dashboards/vuln-explorer-observability.json

@@ -0,0 +1,6 @@
+{
+  "_note": "Placeholder Grafana dashboard stub for offline import. Populate with panel definitions when metrics endpoints are available; see runbooks/observability.md for expected panels.",
+  "schemaVersion": 39,
+  "title": "Vuln Explorer Observability (stub)",
+  "panels": []
+}

docs/modules/vuln-explorer/runbooks/observability.md

@@ -0,0 +1,38 @@
+# Vuln Explorer observability runbook (demo snapshot · 2025-11-29)
+
+## Dashboards (offline-friendly)
+- Grafana JSON: `docs/modules/vuln-explorer/runbooks/dashboards/vuln-explorer-observability.json` (import locally; no external data sources assumed).
+- Panels: projection lag, open findings by severity/tenant, accepted-risk ageing, API 5xx rate, export duration p95, ledger replay backlog.
+
+## Key metrics
+- `vuln_projection_lag_seconds{tenant}` – seconds between latest ledger event and projector head.
+- `vuln_findings_open_total{severity,tenant}` – count of open findings by severity.
+- `vuln_export_duration_seconds_bucket` – histogram for export job runtime.
+- `vuln_projection_backlog_total` – queued events awaiting projection.
+- `vuln_triage_actions_total{type}` – immutable triage actions (assign, comment, risk_accept, remediation_note).
+- `vuln_api_request_duration_seconds_bucket{route}` – API latency for `GET /v1/findings*` and `POST /v1/reports`.
+
+## Logs & traces
+- Correlate by `correlationId` and `findingId`. Structured fields: `tenant`, `advisoryKey`, `policyVersion`, `projectId`, `route`.
+- Trace exemplar anchors: `traceparent` headers are copied into logs; exporters stay disabled by default for air-gap. Enable by setting `Telemetry:ExportEnabled=true` and pointing to on-prem Tempo/Jaeger.
+
+## Health/diagnostics
+- `/health/liveness` and `/health/readiness` (HTTP 200 expected; readiness checks Mongo + cache reachability).
+- `/status` returns build version, git commit, and enabled features; safe for anonymous fetch in sealed environments.
+- Ledger replay check: `GET /v1/findings?projectionMode=verify` emits `X-Vuln-Projection-Head` for quick consistency probes.
+
+## Alert hints (wire to local Alertmanager or watchdog)
+- Projection lag > 120s for any tenant.
+- API p99 latency > 800ms for `GET /v1/findings` or `POST /v1/reports`.
+- Export failure rate > 2% over 10m window.
+- Accepted-risk approaching expiry within 7d (emit Notify event `vuln.accepted_risk.expiring`).
+
+## Offline verification steps
+1) Import Grafana JSON locally and point to Prometheus scrape job `vuln-explorer`.
+2) Run `stella vuln export --format json --manifest out/manifest.json` and validate hashes using `jq -r '.files[].sha256'` against generated bundle.
+3) Use `curl -s "$BASEURL/status" | jq '{commit,version,features}'` to confirm expected build metadata matches the exported bundle manifest.
+
+## Evidence locations
+- Sprint alignment: `docs/implplan/SPRINT_0334_0001_0001_docs_modules_vuln_explorer.md`.
+- API contract draft: `docs/modules/vuln-explorer/api.md` and OpenAPI at `docs/modules/vuln-explorer/openapi/vuln-explorer.v1.yaml`.
+- Schema references: `docs/modules/vuln-explorer/architecture.md` (ledger model, VEX decision schemas).