feat: add PolicyPackSelectorComponent with tests and integration

- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.

docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack and Guardrails.md

@@ -0,0 +1,20 @@
+# 29-Nov-2025 · Acceptance Tests Pack and Guardrails
+
+**Why now:** Guardrail coverage (AT1–AT10) is required before Md.I ladder can proceed; acceptance packs must be deterministic, signed, and offline-ready.
+
+## Scope
+- Publish acceptance test pack schema + checklist for CI/DB/rew definitions.
+- Bundle deterministic fixtures (pinned seeds, UTC timestamps) with DSSE provenance.
+- Define gating thresholds and replay parity checks for admission/VEX/auth flows.
+
+## Required artefacts (MVP for DONE)
+- Advisory summary (this file) plus checklist stub under `docs/process/` referencing AT1–AT10.
+- Links into sprint tracker row 4 (`SPRINT_0300_0001_0001_documentation_process.md`).
+- Placeholder fixture pack path reserved under `tests/acceptance/packs/guardrails/` (no network).
+
+## Determinism & Offline
+- Freeze scanner/db versions; record in a `inputs.lock` for the pack.
+- All fixtures must be reproducible from seeds; include DSSE envelopes for pack manifests.
+
+## Next actions
+- Add checklist stub and register the pack path; log evidence in sprint Execution Log before 2025-12-08.

docs/product-advisories/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md

@@ -0,0 +1,19 @@
+# 29-Nov-2025 · CVSS v4.0 Momentum in Vulnerability Management
+
+**Why now:** Vendors (NVD, GitHub, Microsoft, Snyk) are shipping CVSS v4 signals; StellaOps needs awareness to align receipts, reporting, and UI before defaulting to v4 everywhere.
+
+## Scope
+- Brief on adoption signals and compatibility risks when mixing v3.1/v4.
+- Map impacts to receipt schemas (`SPRINT_0190_0001_0001_cvss_v4_receipts.md`).
+- Identify quick UI/reporting deltas required for transparency.
+
+## Required artefacts (MVP for DONE)
+- This briefing plus linkage in `docs/product-advisories/ADVISORY_INDEX.md` (already indexed).
+- Note in sprint Decisions & Risks for CVSS receipts sprints; ensure SPRINT_0300 tracker row 15 records completion.
+
+## Determinism & Offline
+- Keep CVSS vector parsing deterministic; pin scoring library versions in receipts.
+- Avoid live API dependency; rely on mirrored NVD feeds or frozen samples.
+
+## Next actions
+- Cross-link to receipts schema draft; add Execution Log entry when briefing is published.

docs/product-advisories/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md

@@ -0,0 +1,19 @@
+# 29-Nov-2025 · SBOM to VEX Proof Pipeline Blueprint
+
+**Why now:** The Docs ladder needs a canonical blueprint tying SBOM ingestion to VEX proofs with DSSE/Rekor integration, to unblock downstream module dossier updates.
+
+## Scope
+- Describe DSSE → Rekor v2 → VEX linkage with offline verification steps.
+- Capture diagram/stub scripts for proof generation and verification.
+- Define inputs.lock/idempotency rules and chain hash recipe.
+
+## Required artefacts (MVP for DONE)
+- Diagram placeholder (`docs/diagrams/sbom-vex-blueprint.svg` reserved) and script stub path `docs/scripts/sbom-vex/verify.sh` (offline, deterministic sorting/hashes).
+- Cross-links in `docs/modules/platform/architecture-overview.md` and sprint row 16 completion evidence.
+
+## Determinism & Offline
+- Sorted canonical inputs before hashing; UTC timestamps only when unavoidable, otherwise derive from content.
+- No network calls; use bundled Rekor root + mirror snapshot for verification examples.
+
+## Next actions
+- Land the stub diagram/script placeholders and log completion in the sprint Execution Log.

docs/product-advisories/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md

@@ -0,0 +1,19 @@
+# 29-Nov-2025 · SCA Failure Catalogue for StellaOps Tests
+
+**Why now:** Recent regressions show noisy or divergent SCA results; we need a deterministic failure catalogue to anchor acceptance tests and fixture packs.
+
+## Scope
+- Document the five observed regressions (credential leak, Trivy offline DB mismatch, SBOM parity drift, Grype version divergence, inconsistent detection).
+- Provide expected signals for acceptance tests and links to fixture locations.
+- Drive remediation task SCA-FIXTURE-GAPS-300-014 (FC1–FC10) in the sprint.
+
+## Required artefacts (MVP for DONE)
+- This catalogue plus a pointer to fixture pack root `tests/fixtures/sca/catalogue/` (to be populated with deterministic seeds + DSSE manifests).
+- Sprint Execution Log entry for row 17 when published.
+
+## Determinism & Offline
+- Fixtures must pin scanner versions and feeds; include `inputs.lock` and DSSE manifest for each case.
+- Results should be normalized (ordering, casing) to avoid flaky comparisons.
+
+## Next actions
+- Create initial fixture directory with README and seed notes; log status in sprint tracker and move row 17 toward DONE.

docs/product-advisories/29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md

@@ -0,0 +1,20 @@
+# 29-Nov-2025 · StellaOps – Mid-Level .NET Onboarding (Quick Start)
+
+**Why now:** The Docs ladder needs a deterministic, offline-ready quickstart to unblock module dossier refreshes and align mid-level .NET contributors with DSSE/VEX requirements.
+
+## Scope
+- Provide a 1–2 day runway for mid-level .NET engineers to become productive on StellaOps.
+- Emphasise determinism, offline posture, DSSE/in-toto usage, and the canonical data model.
+- Pair this advisory with the living guide at `docs/onboarding/dev-quickstart.md`.
+
+## Required artefacts (MVP for DONE)
+- Update `docs/onboarding/dev-quickstart.md` with deterministic/offline steps, DSSE/key-handling, and DB matrix pointers.
+- Cross-links in `docs/README.md` and `docs/modules/platform/architecture-overview.md` to the quickstart.
+- Sprint tracker: `docs/implplan/SPRINT_0300_0001_0001_documentation_process.md` row 3 marked DONE with Execution Log proof.
+
+## Determinism & Offline
+- Use fixed seeds and pinned toolchain versions for any sample commands.
+- Avoid live network calls; prefer cached feeds/mirrors and note mirror paths.
+
+## Next actions
+- Land the cross-link updates and note completion in the sprint Execution Log.

docs/product-advisories/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md

@@ -0,0 +1,18 @@
+# 30-Nov-2025 · Comparative Evidence Patterns for Stella Ops
+
+**Why now:** UX and data-model decisions need a grounded comparison of evidence/suppression patterns across major vendors.
+
+## Scope
+- Summarise how Snyk, GitHub, Aqua, Anchore/Grype, and Prisma Cloud handle evidence, suppression, audit/export.
+- Feed UX/data-model decisions for VEX, evidence views, and export policies.
+- Drives task 23 (EVIDENCE + suppression pattern sync) in sprint tracker.
+
+## Required artefacts (MVP)
+- This brief plus links to any UI or schema follow-ups once drafted.
+- Sprint tracker row 23 updated when evidence is logged.
+
+## Determinism & Offline
+- Keep examples deterministic; no live API calls in comparisons; cite cached docs/artefacts where needed.
+
+## Next actions
+- Add schema/UX notes to module docs when ready; log completion in Execution Log.

docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md

@@ -0,0 +1,18 @@
+# 30-Nov-2025 · Ecosystem Reality Test Cases for StellaOps
+
+**Why now:** Real incidents (credential leak, offline DB schema mismatch, SBOM parity drift, scanner instability) must translate into deterministic acceptance tests.
+
+## Scope
+- Document the five incidents and expected signals.
+- Map each to acceptance tests and fixture paths (`tests/fixtures/sca/catalogue/`).
+- Drives ECOSYS-FIXTURES-GAPS-300-017 (ET1–ET10).
+
+## Required artefacts (MVP)
+- This advisory plus fixture root path and acceptance test references.
+- Sprint tracker row 21 updated when evidence lands.
+
+## Determinism & Offline
+- Fixtures must pin tool versions and feeds; no live network.
+
+## Next actions
+- Populate fixtures and acceptance specs; log in sprint Execution Log when added.

docs/product-advisories/30-Nov-2025 - Implementor Guidelines for Stella Ops.md

@@ -0,0 +1,18 @@
+# 30-Nov-2025 · Implementor Guidelines for Stella Ops
+
+**Why now:** Contributors need an enforceable checklist that ties SRS, release playbook, and determinism/offline requirements into a CI-enforced guardrail.
+
+## Scope
+- Operational checklist for code and docs changes; mandates determinism, offline posture, provenance, and boundary rules.
+- Intended to drive lint/CI that enforces `docs touched → docs: n/a` tagging, schema/versioning control, and perf/quota expectations.
+
+## Required artefacts (MVP)
+- Checklist mapped into `docs/process/implementor-guidelines.md` (to be created/expanded in sprints 18/19 tasks).
+- CI lint hook stub path declared (e.g., `tools/lint/implementor-guidelines.sh`).
+- Sprint tracker row 18 marked DONE once linked and logged.
+
+## Determinism & Offline
+- Prefer reproducible seeds, pinned toolchain versions, and no live network in examples.
+
+## Next actions
+- Add the checklist doc and CI stub; link from sprint Decisions & Risks where relevant.

docs/product-advisories/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md

@@ -0,0 +1,18 @@
+# 30-Nov-2025 · Rekor Receipt Checklist for Stella Ops
+
+**Why now:** Rekor receipts must be deterministic, tenant-scoped, and verifiable offline for Authority/Sbomer/Vexer flows.
+
+## Scope
+- Field-level ownership map for receipts and bundles.
+- Offline verifier expectations and mirror snapshot rules.
+- DSSE/receipt schema pointers to be consumed by Authority/Sbomer/Vexer modules.
+
+## Required artefacts (MVP)
+- Checklist page (this file) and cross-link in module docs when schemas land.
+- Sprint sync rows in `SPRINT_0300_0001_0001_documentation_process.md` and `SPRINT_0314_0001_0001_docs_modules_authority.md`.
+
+## Determinism & Offline
+- Bundle TSA/time anchors with receipts; prefer mirror snapshots; avoid live log fetches in examples.
+
+## Next actions
+- Publish schema draft and offline verifier stub; update module dossiers accordingly.

docs/product-advisories/30-Nov-2025 - Standup Sprint Kickstarters.md

@@ -0,0 +1,16 @@
+# 30-Nov-2025 · Standup Sprint Kickstarters
+
+**Why now:** Day-0 unblockers accelerate sprint readiness and reduce blocker latency for Docs ladder and downstream modules.
+
+## Scope
+- Three kickstarter tasks (scanner regressions, Postgres slice, DSSE/Rekor sweep) with ticket names/owners.
+- Alignment with sprint template and readiness checklist expectations.
+
+## Required artefacts (MVP)
+- This advisory; sprint tracker row 22 updated; readiness checklist ties into `docs/implplan/README.md` template.
+
+## Determinism & Offline
+- Keep examples and scripts offline-friendly; pin tool versions.
+
+## Next actions
+- Add readiness checklist snippets to sprint template; log completion in Execution Log when linked.

docs/product-advisories/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md

@@ -0,0 +1,17 @@
+# 30-Nov-2025 · Unknowns Decay & Triage Heuristics
+
+**Why now:** Stale “unknown” findings create noise; we need deterministic decay and triage rules with UI/export artifacts.
+
+## Scope
+- Define confidence decay card, triage queue UI, and export artifacts for planning.
+- Map to runtime signals sprint (`SPRINT_0140_0001_0001_runtime_signals.md`) and docs tracker row 20.
+
+## Required artefacts (MVP)
+- This brief plus references to UnknownsRegistry docs (to be expanded).
+- UI/export snapshot expectations and deterministic decay logic description.
+
+## Determinism & Offline
+- Decay windows and thresholds must be deterministic; exports should be reproducible without live dependencies.
+
+## Next actions
+- Land UI mock/export schema; link into sprint Decisions & Risks and module docs once available.

docs/product-advisories/ADVISORY_INDEX.md

@@ -31,6 +31,15 @@ These are the authoritative advisories to reference for implementation:
 - **Gaps:** `31-Nov-2025 FINDINGS.md` (FC1–FC10 remediation task SCA-FIXTURE-GAPS-300-014)
 - **Status:** Captures five real-world regressions/ SBOM gaps for Trivy/Syft/Grype/Snyk and frames test vectors + alarm scenarios for StellaOps acceptance suites.
 
+### Acceptance Tests Pack & Guardrails
+- **Canonical:** `29-Nov-2025 - Acceptance Tests Pack and Guardrails.md`
+- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker)
+- **Related Docs:**
+  - `docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack and Guardrails.md` (this briefing)
+  - `docs/process/acceptance-guardrails-checklist.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (AT1–AT10 remediation task AT-GAPS-300-012)
+- **Status:** Defines deterministic, signed acceptance packs with replay parity checks and CI gating thresholds for admission/VEX/auth flows.
+
 ### Mid-Level .NET Onboarding (Quick Start)
 - **Canonical:** `29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md`
 - **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker)

docs/product-advisories/archived/AR-REVIVE-PLAN.md

@@ -0,0 +1,8 @@
+# Archived Advisories Revival Plan (Stub)
+
+Use with sprint task 13 (ARCHIVED-GAPS-300-020).
+
+- TODO: List candidate archived advisories to revive (SBOM-Provenance-Spine, VB reachability, etc.).
+- TODO: Decide canonical schemas/recipes (provenance, reachability, PURL/Build-ID).
+- TODO: Document determinism seeds/SLOs, redaction/isolation rules, changelog/signing approach.
+- TODO: Mark supersedes/duplicates and PostgreSQL storage blueprint guardrails.