semi implemented and features implemented save checkpoint

CLAUDE.md

@@ -1 +1 @@
-C:/dev/New folder/git.stella-ops.org/AGENTS.md
+AGENTS.md

DROPPED_FEATURES.md

@@ -0,0 +1,301 @@
+# Stella Ops - Dropped / Unimplemented Features
+
+> Features described in product advisories but NOT found in current source code.
+> Generated: 2026-02-07
+> Consolidated: 2026-02-08 (pass 1 reduced 135 to 81; pass 2 reduced 81 to 37)
+> These may have been dropped, deferred, replaced, or renamed.
+
+## Summary
+
+| Category | Count |
+|----------|-------|
+| Not Found (no code evidence) | 8 |
+| Partially Implemented (incomplete) | 29 |
+
+---
+
+## Not Found Features
+
+These features were described in advisories but no matching implementation was found in the current codebase.
+
+### AI Codex / Zastava Companion
+- **Status**: NOT_FOUND
+- **Description**: The advisory AI module exists with policy studio and LatticeRuleGenerator, but the specific "AI Codex" or "Zastava Companion" branding/feature set described in the advisory is not found.
+- **Expected modules**: `src/AdvisoryAI`
+- **Source advisory**: file_09.md - Caching Reachability the Smart Way (09-Dec-2025)
+
+### Advisory Lens (Core Library and UI)
+- **Status**: NOT_FOUND
+- **Description**: Proposed contextual copilot that learns from organizational data to surface explainable suggestions. Includes core library (semantic case matching), UI components (Lens Panel, inline hints, playbook drawer with dry-run preview). Not yet created; sprint tasks all at TODO status.
+- **Expected modules**: `(planned for src/__Libraries/StellaOps.AdvisoryLens, src/Web)`
+- **Source advisory**: file_08.md
+
+### DORA Metrics
+- **Status**: NOT_FOUND
+- **Description**: No DORA metrics implementation found in the frontend or backend source code.
+- **Source advisory**: file_12.md - Designing a Deterministic Vulnerability Scoring Matrix (12-Dec-2025)
+
+### Golden Benchmark Fixtures (Core-10)
+- **Status**: NOT_FOUND
+- **Description**: The advisory describes 10 golden reachability benchmark fixtures (C, Java, .NET, Python, container), but no pre-built fixture datasets were found in the source tree. The ReachGraph service infrastructure exists and GoldenSet tests exist in BinaryIndex, but the specific Core-10 fixture data files are not present.
+- **Source advisory**: 30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md
+
+### Multi-Runtime Reachability Corpus (Go, .NET, Python, Rust)
+- **Status**: NOT_FOUND
+- **Description**: The multi-runtime reachability validation corpus with minimal apps per runtime, EXPECT.yaml ground truth, and runtime trace capture scripts is not implemented as a standalone test corpus.
+- **Expected modules**: `None`
+- **Source advisory**: file_11.md
+
+### Outcome Analytics / Attribution
+- **Status**: NOT_FOUND
+- **Description**: The advisory's vision for outcome analytics with MTTR/MTTA attribution, cohort analysis, and executive reporting is not yet implemented.
+- **Expected modules**: `None found`
+- **Source advisory**: file_07.md
+
+### Point-in-Time Vulnerability Query (As-Of Date)
+- **Status**: NOT_FOUND
+- **Description**: The ability to evaluate vulnerabilities against advisory data as of a specific historical date is not implemented. The replay system tracks inputs but does not provide temporal advisory queries. EPSS replay service has AsOfDate for EPSS scores but not for general vulnerability assessment.
+- **Expected modules**: `None found`
+- **Source advisory**: file_03.md
+
+### Proof-Market Ledger and Adaptive Trust Economics
+- **Status**: NOT_FOUND
+- **Description**: No implementation of a proof marketplace or adaptive trust economics model was found in the source code. This was speculative/research-oriented.
+- **Source advisory**: file_10.md - Smart-Diff and Provenance-Rich Binaries (09-Dec-2025)
+
+---
+
+## Partially Implemented Features
+
+These features have some code but appear incomplete compared to advisory descriptions.
+
+### AI Code Guard (Secrets Scanning + Attribution Check + License Hygiene)
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: AI Code Guard has policy signal binding and annotation services. Evidence provider interfaces exist. The advisory's proposed `stella guard run` CLI and full YAML-driven pipeline checks are partially represented through policy signal binding rather than a standalone CLI tool.
+- **Modules**: `src/Integrations, src/Policy`
+- **Evidence**: IAiCodeGuardEvidenceProvider.cs, AiCodeGuardSignalBinder.cs
+
+### Binary Fingerprint Store and Trust Scoring
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Binary analysis commands exist in the CLI with score gating. A full binary fingerprint database with ELF/PE section hashing is partially implemented through existing binary analysis infrastructure.
+- **Modules**: `src/Attestor, src/Cli, src/Doctor, src/Policy`
+- **Evidence**: BinaryAnalysisCommandTests.cs, ScoreGateCommandTests.cs
+
+### CAS for SBOM/VEX/Attestation Artifacts
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Content-addressed identifiers are implemented for proof chain artifacts. EvidenceLocker provides bundle building. Full OCI/MinIO CAS for SBOM/VEX blobs is not fully visible.
+- **Modules**: `src/Attestor, src/EvidenceLocker`
+- **Evidence**: ContentAddressedIdGenerator.cs, GenericContentAddressedId.cs
+
+### Cross-Distro Golden Set for Backport Validation
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Golden set infrastructure exists in BinaryIndex with analysis pipeline and API. The advisory's curated test cases (OpenSSL Heartbleed, sudo Baron Samedit, etc.) may not be fully populated yet.
+- **Modules**: `src/BinaryIndex`
+- **Evidence**: GoldenSetController.cs, GoldenSetAnalysisPipeline.cs
+
+### Crypto-Sovereign Design (eIDAS/FIPS/GOST/SM/PQC)
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: SigningKeyProfile supports crypto-sovereign configurations. SM2 tests exist. The signing key registry supports multiple profiles. Additional crypto profiles (GOST R 34.10-2012, eIDAS, PQC) were explicitly deferred. Crypto modules exist under src/Cryptography and src/SmRemote but not all backends are fully implemented.
+- **Modules**: `src/Attestor, src/Cryptography, src/SmRemote`
+- **Evidence**: SigningKeyProfile.cs, Sm2AttestorTests.cs, eIDAS plugin with TrustServiceProviderClient
+
+### DSSE Envelope Size Management and Gateway Traversal
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Envelope size awareness exists in EPSS fetcher and delta-sig CLI commands. Bundling and queue options exist with configurable size limits. HMAC-based DSSE envelope signing exists in the scanner worker. No explicit size heuristic check (70-80KB) or automatic payload splitting/chunking logic found. NGINX/WAF gateway configuration is infrastructure-level.
+- **Modules**: `src/Attestor, src/Cli, src/RiskEngine, src/Scanner`
+- **Evidence**: BundlingOptions.cs, RekorQueueOptions.cs, HmacDsseEnvelopeSigner.cs
+
+### DSSE-Signed Exception Objects with Recheck Policy
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Policy exceptions framework with models, repositories, and services exists. DSSE signing infrastructure is available. Full UI exception modal with recheck policy enforcement is partially complete.
+- **Modules**: `src/Attestor, src/Policy`
+- **Evidence**: Policy.Exceptions/ (Models/, Repositories/, Services/), DsseEnvelope.cs
+
+### DSSE-Wrapped Reach-Maps
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Rich graphs and suppression witnesses exist with signing infrastructure available, but a specific "signed reach-map artifact" as a standalone DSSE-wrapped output is not distinctly implemented.
+- **Modules**: `src/Attestor, src/Scanner`
+- **Evidence**: SuppressionWitness.cs, RichGraph.cs
+
+### Deterministic Trust Score and Vulnerability Scoring
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: EWS engine, Determinization system, UnifiedScoreService, and 6-dimension normalizers (RCH/RTS/BKP/XPL/SRC/MIT) provide the scoring foundation. TrustVerdict service and SmartDiff scoring exist. The unified facade combining EWS + Determinization exists as UnifiedScoreService. Specific basis-point fixed-point arithmetic and Score.v1 format are not built as distinct implementations.
+- **Modules**: `src/Attestor, src/Policy, src/RiskEngine, src/Scanner, src/Signals`
+- **Evidence**: UnifiedScoreService.cs, EvidenceWeightedScoreCalculator.cs, ReachabilityNormalizer.cs
+
+### Determinism Hash / Signature Verification in UI
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Proofs and proof-studio UI features exist for browsing proof artifacts. Bundle verification exists in CLI. The compare view has envelope-hashes component. Full inline determinism hash and signature verification status display may be partially wired up.
+- **Modules**: `src/Cli, src/Web`
+- **Evidence**: proof-studio feature directory, BundleVerifyCommand.cs, envelope-hashes.component.ts
+
+### ELF Normalization and Delta Hashing
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Binary normalization pipeline exists with x64 normalization tests and code normalizer AST. Delta signatures table exists in BinaryIndex migrations. The full low-entropy delta signatures with relocation zeroing, NOP canonicalization, and jump table rewriting as described may not be fully implemented.
+- **Modules**: `src/BinaryIndex`
+- **Evidence**: X64NormalizationPipelineTests.cs, CodeNormalizer.Ast.cs, 003_delta_signatures.sql
+
+### Ecosystem Reality Acceptance Test Fixtures
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: SCA fixtures and acceptance packs exist but the advisory called for mapping five specific real-world incidents into deterministic tests. Some catalogue fixtures exist but full incident-to-test mapping is not fully evidenced.
+- **Modules**: `src/Scanner, src/__Tests`
+- **Evidence**: fixtures/sca/catalogue/README.md, acceptance packs, ScaFailureCatalogueTests.cs
+
+### Evidence Coverage Score for AI Gating
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: AI output gating behind evidence quality exists via AIAuthorityClassifier which scores explanation, remediation, VEX draft, and policy draft quality. Specific UX badge component and standalone coverage scoring service are not implemented.
+- **Modules**: `src/Attestor`
+- **Evidence**: AIAuthorityClassifier.*.cs files
+
+### Evidence TTL and staleness policy
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Retention options and lifecycle services exist for evidence expiry, but the advisory noted TTL strategy at 50% coverage.
+- **Modules**: `src/Signals, src/Unknowns`
+- **Evidence**: SignalsRetentionOptions.cs, UnknownsLifecycleService.cs
+
+### Graph Edge Metadata with Reason/Evidence/Provenance
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: EdgeReason and CallgraphEdge models exist in Signals with persistence projection, and EdgeBundle exists in Scanner reachability. However, the Graph module itself does not contain human-readable explanation layer types.
+- **Modules**: `src/Graph, src/Scanner, src/Signals`
+- **Evidence**: EdgeReason.cs, CallgraphEdge.cs, EdgeBundle.cs
+
+### Ground-Truth Corpus with Reachability Tiers (R0-R4)
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Golden fixture tests exist for smart-diff and reachability, but the full ground-truth corpus structure (/toys/svc-XX-<name>/ with labels.yaml) was not found.
+- **Modules**: `src/Scanner`
+- **Evidence**: StateComparisonGoldenTests.cs, reachability tests
+
+### MI5 - Performance Budgets (Interaction Response, Animation Frame, LCP)
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Lighthouse CI config exists for performance monitoring. Specific interaction response <=100ms, frame budget 16ms, and layout shift <0.05 budgets were not found as explicitly configured thresholds.
+- **Modules**: `src/Web`
+- **Evidence**: .lighthouserc.js
+
+### MI10 - Theme/Contrast Guidance (Light/Dark/HC Tokens)
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Color tokens and focus ring styles exist. Theme transition utilities are implemented. Explicit HC (high-contrast) mode tokens with contrast validation were not found as standalone artifacts.
+- **Modules**: `src/Web`
+- **Evidence**: _colors.scss, _interactions.scss
+
+### Mirror Creator
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Mirror creator module exists as a separate directory but appears to have limited implementation compared to the comprehensive AirGap module.
+- **Modules**: `src/Mirror`
+- **Evidence**: `src/Mirror/StellaOps.Mirror.Creator/`
+
+### Noise Ledger (Audit Log of Suppressions)
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Suppression witnesses and audit hash logging exist in the backend. CLI audit commands exist. SuppressionAuditLogger exists in Notifier. A dedicated "Noise Ledger" UX component is not present but the concept is implemented across backend services.
+- **Modules**: `src/Attestor, src/Cli, src/Notifier, src/Scanner`
+- **Evidence**: AuditCommandGroup.cs, SuppressionWitness.cs, SuppressionAuditLogger.cs
+
+### Pipeline/Run-Centric View
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Runs feature exists in the frontend with first-signal card components and prefetch services, but a full pipeline-centric view is only partially present.
+- **Modules**: `src/Web`
+- **Evidence**: runs feature directory with first-signal-card
+
+### Provcache Invalidation and Evidence Chunk Paging
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Provcache module exists with Valkey-backed store, write-behind queue, verification key builder. Evidence chunk storage and paged evidence API, signer-aware cache invalidation (SignerSetInvalidator), feed epoch invalidation, lazy evidence fetch, and air-gap export are in various stages. Multiple sprint waves describe this work, with ~90% completion noted.
+- **Modules**: `src/__Libraries/StellaOps.Provcache/, src/Provenance/, src/Attestor/`
+- **Evidence**: ValkeyProvcacheStore tests, WriteBehindQueue tests, VeriKeyBuilder tests
+
+### SBOM Lineage Graph Visualization (Git-like Lane View)
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Backend SBOM lineage graph service is fully implemented with controllers, repositories, and persistence. Frontend lineage components (~80% complete per advisory) exist with graph visualization, hover cards, SBOM diff, VEX diff, and compare panels. Components built but some not yet wired to backend APIs.
+- **Modules**: `src/SbomService, src/Web`
+- **Evidence**: LineageController.cs, SbomLineageGraphService.cs, ~41 UI files in features/lineage/
+
+### Score UI Display Enhancement
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: A score comparison component exists in the UI, but the full unified score display with unknowns bands and delta-if-present was marked TODO.
+- **Modules**: `src/Web`
+- **Evidence**: score-comparison.component.ts
+
+### Tier 5 Runtime Trace Evidence (eBPF Production-Grade)
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Explicitly listed as future work in the advisory. eBPF-based function call tracing for runtime backport detection was not implemented at production-grade. eBPF probe infrastructure exists in `src/Signals/__Libraries/StellaOps.Signals.Ebpf/` and `src/Zastava/` but is early-stage/experimental, not the production-grade Tier 5 described. eBPF Runtime Signal Integration exists but is not production-ready.
+- **Modules**: `src/Signals, src/Unknowns, src/Zastava`
+- **Evidence**: StellaOps.Signals.Ebpf project, EbpfProbeManager.cs, RuntimeFactsIngestionService.cs
+
+### VEX Findings API with Proof Artifacts
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: VEX verdict models, VEX delta predicates, and VexProofSpineService exist, but the full API contract (GET /vex/findings/:id with proof artifacts) is not visible as a standalone endpoint.
+- **Modules**: `src/Attestor, src/Policy`
+- **Evidence**: VexVerdictSummary.cs, VexVerdictId.cs
+
+### VEX Gate (Inline Gated Action with Evidence Tiers)
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: VEX evidence and decision infrastructure exists (vex-evidence client, vex-decision-modal, evidence-ribbon). The specific VexGateButtonDirective with inline button morphing and tier-based gating was not found. The pattern is partially realized through separate VEX decision modals.
+- **Modules**: `src/Web`
+- **Evidence**: vex-decision-modal.component.ts, vex-evidence.client.ts
+
+### Vulnerability-First Triage UX with Exploit Path Grouping and Proof Bundles
+- **Status**: PARTIALLY_IMPLEMENTED
+- **Description**: Backend triage service with DB context, reachability subgraph extraction, and proof generation exist. UI triage inbox and queue components are partially complete. Exploit path grouping tests exist.
+- **Modules**: `src/Attestor, src/Scanner, src/Web`
+- **Evidence**: Scanner.Triage/ (Entities, Models, Services), SubgraphExtractor.cs, triage-queue.component.ts
+
+### VexLens Truth Table Tests
+- **Status**: NOT_FOUND
+- **Description**: Systematic truth table tests for VEX lattice merge correctness. The VexLens engine exists but comprehensive truth table test coverage is missing.
+- **Modules**: `src/VexLens`
+- **Source advisory**: file_14.md
+
+---
+
+## Removed in Pass 2 (44 entries removed)
+
+The following entries were removed because they were found to be implemented, duplicated, or not actual features:
+
+**Removed - Actually Implemented:**
+- Base Image Detection and Recommendations: `BaseImageDetector.cs`, `IBaseImageDetector.cs` exist in Scanner.Manifest
+- Delta-If-Present Calculations: `IncludeDeltaIfPresent` implemented in UnifiedScoreModels.cs
+- Multi-scanner Comparative Benchmarking: `CompetitorBenchmarkTests.cs` with F1 precision/recall scoring
+- Time-to-Evidence (TTE) Metric: `TimeToEvidenceMetrics.cs`, `TtePercentileExporter.cs` in Telemetry
+- "Can I Ship?" Case Header: `case-header.component.ts` exists in triage
+- 8-State Reachability Lattice: Full `LatticeState` enum (U/SR/SU/RO/RU/CR/CU/X) plus `ReachabilityLattice.cs` in multiple modules
+- AI Chip Components: Extensive AI chip component family (ai-chip, ai-explain-chip, ai-vex-draft-chip, ai-fix-chip, etc.)
+- Audit Trail "Why am I seeing this?": `verdict-why-summary.component.ts` exists
+- Delta Verdict Attestation Predicate Types: `DeltaVerdictPredicate.cs`, `VexDeltaPredicate.cs`, `SbomDeltaPredicate.cs` all exist
+- Evidence Subgraph UI Visualization: `evidence-subgraph.component.ts`, `evidence-subgraph.service.ts`, `evidence-subgraph.models.ts`
+- Feed Snapshot Coordinator: `FeedSnapshotCoordinatorService` with 15+ partial files fully implemented
+- Policy DSL (stella-dsl@1): `PolicyParser.cs`, `PolicyCompiler.cs`, `DslTokenizer.cs`, `DslCompletionProvider.cs` fully implemented
+- Quota Governance and Circuit Breakers: Multiple circuit breaker implementations across Router, Scanner, Attestor, ReleaseOrchestrator
+- Reachability Core Library: `IReachabilityIndex.cs`, `ReachabilityIndex.cs` exist in StellaOps.Reachability.Core
+- Router Back-Pressure Middleware: `EnvironmentRateLimiter` with Valkey-backed store + circuit breaker fully implemented
+- Score Replay and Verification: `ScoreReplayService.cs`, `ScoreReplayEndpoints.cs`, `ReplayVerifier.cs` all exist
+- OCI Referrers for Evidence Storage: `OciReferrerPushClient.cs`, `OciReferrerDiscovery.cs` extensively implemented
+- DSSE-signed offline scanner update bundles: `OfflineKit*` classes throughout Scanner, ExportCenter, Cli, AirGap
+- Immutable Evidence Storage and Regulatory Alignment: `ComplianceEngine.cs`, `FrameworkMapper.cs`, `ReportGenerator.cs`, `NtiaComplianceReporter.cs`
+- Verdict ladder UI: `verdict-ladder.component.ts`, `verdict-ladder-builder.service.ts`
+- Monthly Bundle Rotation: `BundleRotationJob.cs` in Scheduler
+- MI4 Toast/Snackbar: `toast.service.ts`, `toast-container.component.ts`
+- Baseline Selection Logic: `BaselineSelector.cs`, `BaselineEndpoints.cs`
+- Mirror Contracts (Time Anchor): Extensive `TimeAnchorService.*` in AirGap + `TimeAnchorPolicyService.*`
+- PostgreSQL persistence layer: RLS migrations exist in multiple modules (Scheduler, Policy, Excititor, Authority, Findings)
+- Idempotent Attestation/SBOM Submission APIs: Content-addressed IDs provide idempotency by design
+- Metrics for attestation coverage: `TimeToEvidenceMetrics.cs`, `AttestationCompletenessCalculator.cs`
+- Astra Linux OVAL Feed Connector: Tests show working connector plugin with options and trust defaults
+- SBOM Graph Reachability Overlay: `graph-overlays.component.ts` exists
+- Signals & Runtime Dashboard: `signals.client.ts`, `signals.models.ts` exist
+- VEX Decision Filter with Reachability: Implemented through VexConsensusEngine + reachability facts integration
+- Snapshot Export/Import for Air-Gap: Extensive OfflineBundle and SnapshotBundle infrastructure
+- Vendor comparison / scanner parity tracking: `CompetitorBenchmarkTests.cs` with F1 scoring
+- Unknowns Decay and Triage Queue: `triage-queue.component.ts`, `TriageInboxEndpoints.cs`, `UnknownRanker.cs`
+- Evidence-Weighted Score (EWS) 6-Dimension: Merged with Deterministic Trust Score entry
+
+**Removed - Not Features (process/docs/research items):**
+- CI Lint Hook for Implementor Guidelines: CI infrastructure task, not a product feature
+- MI6 Component-to-Interaction Token Mapping Document: Documentation artifact, not a product feature
+- MI7 Telemetry Schema for ui.micro.* Events: Schema design task, not a product feature
+- Benchmark Harness for FP Reduction: Benchmarking tool, not a product feature
+- DSSE+Rekor Batch Size Benchmarking Tool: Benchmarking tool, not a product feature
+- Comparative Evidence/Suppression Pattern Analysis: Research document influencing design, not a standalone feature
+
+**Removed - Semantic Duplicates (merged into other entries):**
+- DSSE Gateway Traversal: Merged into DSSE Envelope Size Management entry
+- Immutable Advisory Feed Snapshots: Duplicate of Feed Snapshot Coordinator (now removed as implemented)
+- eBPF Runtime Signal Integration: Merged into Tier 5 Runtime Trace Evidence entry
+- EWS Model (6-Dimension Scoring): Merged into Deterministic Trust Score entry

docs-archived/implplan/SPRINT_20260206_021_FE_web_ui_validation_batch1.md

@@ -324,11 +324,24 @@ Route mapping:
 Files changed: `devops/docker/Dockerfile.console`
 Validation: Requires console container rebuild (`docker compose build web-ui`).
 
-#### BUG-001 (Auth state lost on page reload) - BY DESIGN (Feature Gap)
-Root cause: `AuthSessionStore` (`auth-session.store.ts`) uses `signal<AuthSession | null>(null)` — tokens exist only in memory. `persistMetadata()` saves only metadata (subject, expiry, dpop thumbprint, tenant) to sessionStorage, not tokens. On page reload, `sessionSignal` resets to null; tokens are lost.
-Analysis: This is a deliberate security design to prevent XSS-based token theft. However, the implementation lacks the standard complement: silent token refresh. `AuthorityAuthService` has no `tryRestoreSession()`, `silentRefresh()`, or iframe-based re-authorization flow. The service has refresh token capability (`refresh_token` in `TokenResponse` interface) but doesn't persist or use refresh tokens across page reloads.
-Impact: Users must re-authenticate after any full page refresh or direct URL navigation. In Playwright testing, `page.goto()` loses auth state.
-Remediation: Implement silent authorize flow using hidden iframe or stored refresh token. This is a feature enhancement, not a bug fix.
+#### BUG-001 (Auth state lost on page reload) - FIXED (Silent Refresh)
+Root cause: `AuthSessionStore` uses `signal<AuthSession | null>(null)` — tokens exist only in memory. `persistMetadata()` saves only metadata to sessionStorage, not tokens. On page reload, tokens are lost by design (XSS mitigation).
+Fix: Implemented OAuth2 `prompt=none` silent refresh via hidden iframe. On app startup, if persisted session metadata exists (user was previously logged in), a hidden iframe performs an authorization request with `prompt=none`. If the Authority still has an active session cookie, it silently issues a new authorization code which is exchanged for fresh tokens.
+Files changed (Frontend):
+- `src/Web/StellaOps.Web/src/app/core/auth/authority-auth.service.ts` — Added `trySilentRefresh()` and `executeSilentRefresh()` methods. Uses hidden iframe with `prompt=none`, listens for postMessage result, 10s timeout.
+- `src/Web/StellaOps.Web/src/app/features/auth/silent-refresh.component.ts` — NEW. Minimal component loaded inside iframe. Completes token exchange and posts result to parent via postMessage.
+- `src/Web/StellaOps.Web/src/app/app.routes.ts` — Added route `/auth/silent-refresh`.
+- `src/Web/StellaOps.Web/src/app/app.component.ts` — Calls `trySilentRefresh()` on startup.
+- `src/Web/StellaOps.Web/src/app/core/config/app-config.model.ts` — Added optional `silentRefreshRedirectUri` field to `AuthorityConfig`.
+- `src/Web/StellaOps.Web/src/config/config.json` — Added `silentRefreshRedirectUri: "/auth/silent-refresh"`.
+- `src/Web/StellaOps.Web/src/app/app.component.spec.ts` — Updated stub with `trySilentRefresh` method.
+Files changed (Backend):
+- `src/Platform/StellaOps.Platform.WebService/Contracts/EnvironmentSettingsModels.cs` — Added `SilentRefreshRedirectUri` to `EnvironmentAuthoritySettings`.
+- `src/Platform/StellaOps.Platform.WebService/Options/PlatformServiceOptions.cs` — Added `SilentRefreshRedirectUri` property.
+- `src/Platform/StellaOps.Platform.WebService/Services/EnvironmentSettingsComposer.cs` — Propagates new field through compose + scalar overlay.
+- `src/Platform/StellaOps.Platform.WebService/Endpoints/EnvironmentSettingsEndpoints.cs` — Maps field to response DTO.
+Deployment note: The Authority must have `/auth/silent-refresh` registered as an allowed redirect URI for the `stella-ops-ui` client (in addition to `/auth/callback`).
+Validation: Angular build passes (347 tests). Platform .NET build passes (0 warnings).
 
 #### BUG-004 (/api/v1/sources 404) - BACKEND MISSING
 Root cause: The SBOM Sources page calls `/api/v1/sources` which returns HTTP 404. This endpoint is either not implemented in the scanner service or not registered in the route configuration.
@@ -522,13 +535,13 @@ Task description:
 | `/analytics` | /console/profile | BLOCKED | `requireAnalyticsViewerGuard` rejects. Missing `analytics:read` scope. |
 | `/policy-studio/packs` | /console/profile | BLOCKED | `requirePolicyViewerGuard` rejects. Missing `policy:read` scope. |
 
-#### Group G: Placeholder/Skeleton Routes
+#### Group G: Data-Dependent Routes (Originally Reported as Placeholder — FALSE POSITIVE)
 | Route | Status | Notes |
 |-------|--------|-------|
-| `/sbom/diff` | PLACEHOLDER | Breadcrumb renders ("Sbom > Diff"). No page content. |
-| `/vex/timeline` | PLACEHOLDER | Breadcrumb renders ("Vex > Timeline"). No page content. |
-| `/workspace/dev` | PLACEHOLDER | Breadcrumb renders ("Workspace > Dev"). No page content. |
-| `/workspace/audit` | PLACEHOLDER | Breadcrumb renders ("Workspace > Audit Log"). No page content. |
+| `/sbom/diff` | PASS (no data) | Full component (~1250 lines): side-by-side SBOM comparison, filters, search, ecosystem filtering. Empty because no SBOM diff data from backend. |
+| `/vex/timeline` | PASS (no data) | Full component (~1060 lines): timeline rows, conflict detection, DSSE verification. Empty because no VEX timeline data from backend. |
+| `/workspace/dev` | PASS (no data) | Full component (813 lines): Evidence Ribbon, Quick-Verify CTA, Findings Rail, GitHub/Jira action stubs. Empty because no artifact digest context. |
+| `/workspace/audit` | PASS (no data) | Full component (991 lines): Review Ribbon, Export Audit-Pack with PQC/PII options, Quiet-Triage lane with signed actions. Empty because no artifact digest context. |
 
 #### Group H: Navigation-Unreachable Routes
 | Route | Status | Notes |
@@ -596,25 +609,28 @@ Tested interactive workflows beyond page rendering — forms, drawers, filters,
 | 2026-02-06 | BUG-002 FIXED: Expanded default OAuth scope in PlatformServiceOptions.cs from 4 scopes to 21 scopes (all read-level module access). Updated frontend config.json fallback with same scopes plus legacy vuln scopes. Both builds pass. Unblocks /orchestrator, /analytics, /policy-studio. | Lead QA Architect |
 | 2026-02-06 | Phase 2 Batch 4 complete: 18 interactive workflows validated. Setup Wizard multi-step flow, Approvals queue with filters/sort, Triage drill-down with VEX Decision drawer and evidence tabs, Doctor diagnostics, dark mode toggle (BUG-005 re-confirmed fixed). All forms validate correctly. All error handling works. | Lead QA Architect |
 | 2026-02-06 | BUG-003 FIXED (two-layer fix): Layer 1 — nginx reverse proxy in `Dockerfile.console` and `nginx-console.conf` with 19 proxy locations for all services in `ApiBaseUrlConfig` (gateway, platform, authority, scanner, policy, concelier, attestor, notify, scheduler, signals, excitor, ledger, vex) + OAuth/OIDC endpoints. Layer 2 — `sub_filter` in envsettings.json location rewrites 14 absolute Docker-internal URLs to relative paths. Layer 3 (defense-in-depth) — `normalizeApiBaseUrls()` in `app-config.service.ts` converts any remaining absolute URLs to relative `/key` paths. Policy proxy uses regex `^/policy/(api|v[0-9]+)/` to avoid colliding with Angular `/policy/exceptions` SPA routes. Hot-patched running container: CORS eliminated across all tested pages (Dashboard, Security, Approvals, Policy Exceptions, Notifications, Release Orchestrator). 342 unit tests pass. | Lead QA Architect |
+| 2026-02-06 | WARN-001 FIXED: Three-layer branding fix: (1) nginx `/console/` proxy to Authority, (2) frontend `tenantId` query param + DTO field mapping, (3) silent error fallback without console.warn. 5 new unit tests in branding.service.spec.ts. | Lead QA Architect |
+| 2026-02-06 | NOTE-001 FIXED: Custom `PageTitleStrategy` auto-generates page titles from URL path segments. Explicit titles added to 6 main routes (Control Plane, Approvals, Security Overview, Analytics, Policy, Settings). Registered as TitleStrategy provider in app.config.ts. | Lead QA Architect |
+| 2026-02-06 | NOTE-003 RECLASSIFIED (False Positive): 4 "skeleton" routes investigated — all are fully-implemented components (813-1250 lines): SbomDiffViewComponent, VexTimelineComponent, DeveloperWorkspaceComponent, AuditorWorkspaceComponent. Appeared empty during testing due to missing backend data, not missing implementation. | Lead QA Architect |
+| 2026-02-06 | BUG-001 FIXED: Implemented OAuth2 `prompt=none` silent refresh. Frontend: `trySilentRefresh()` in AuthorityAuthService creates hidden iframe, SilentRefreshComponent handles callback, route added at `/auth/silent-refresh`. Backend: `silentRefreshRedirectUri` field added to Platform EnvironmentSettings (options, composer, DTO, endpoint). config.json updated. Both Angular (347 tests) and .NET builds pass. | Lead QA Architect |
 
 ## Decisions & Risks
-- BUG-001 (Reclassified: Feature Gap): Auth token stored in memory only by design (XSS mitigation). Missing silent refresh flow means users must re-authenticate on page reload. Enhancement sprint needed to implement iframe-based silent authorize or refresh token persistence.
+- BUG-001 (Severity: Medium, FIXED): Auth token stored in memory only by design (XSS mitigation). Implemented `prompt=none` silent refresh via hidden iframe. On app startup, if the user was previously authenticated (session metadata in sessionStorage), a hidden iframe requests a new auth code from Authority. If Authority session cookie is active, tokens are silently restored. Fallback: if silent refresh fails (no cookie, timeout), user stays unauthenticated gracefully. DPoP key pair persists across reloads via IndexedDB. Deployment requires registering `/auth/silent-refresh` as an allowed redirect URI for the `stella-ops-ui` client at the Authority.
 - BUG-002 (Severity: High, FIXED): Default OAuth scope expanded from 4 to 21 scopes in both PlatformServiceOptions.cs (backend default) and config.json (frontend fallback). Now includes all read-level module scopes. Unblocks /orchestrator, /analytics, /policy-studio and all other scope-gated routes.
 - BUG-003 (Severity: High, FIXED): Console nginx had no reverse proxy — all API calls were cross-origin. Two-layer root cause: (1) missing nginx proxy locations, (2) envsettings.json returned absolute Docker-internal URLs bypassing the proxy. Three-layer fix: (a) 19 nginx proxy locations in `Dockerfile.console` and `nginx-console.conf` for all services, with Docker DNS resolver and prefix stripping; (b) `sub_filter` on envsettings.json rewrites 14 absolute URLs to relative paths at the proxy level; (c) `normalizeApiBaseUrls()` in `app-config.service.ts` as defense-in-depth converts any remaining absolute URLs. Policy location uses regex `^/policy/(api|v[0-9]+)/` to avoid colliding with Angular SPA routes. Files changed: `devops/docker/Dockerfile.console`, `devops/docker/nginx-console.conf` (new), `src/Web/StellaOps.Web/src/app/core/config/app-config.service.ts`, `src/Web/StellaOps.Web/src/app/core/config/app-config.service.spec.ts` (new), `src/Web/StellaOps.Web/src/app/core/config/config.guard.spec.ts` (pre-existing type fix).
 - BUG-004 (Severity: Low, Backend): /api/v1/sources endpoint not implemented. Requires backend development sprint.
 - BUG-005 (Severity: Medium, FIXED): `.theme-transitioning *` universal selector caused layout thrashing. Fixed by scoping to root element only.
 - BUG-006 (Severity: Medium, FIXED): Multiple API calls used doubled path prefix `/api/api/v1/...` instead of `/api/v1/...`. Root cause: `environment.apiBaseUrl` is `/api` but clients appended `/api/v1/...` instead of `/v1/...`. Fixed in 3 files: `integration.service.ts`, `doctor.client.ts`, `binary-resolution.client.ts`.
-- WARN-001 (Severity: Low): "Failed to fetch branding configuration" console warning on every page. Impact: Cosmetic; branding customization unavailable.
-- NOTE-001: Page title does not update per route consistently. Some pages update (AOC Compliance, Agent Fleet, Offline Mode Dashboard) but title persists across subsequent navigations.
+- WARN-001 (Severity: Low, FIXED): "Failed to fetch branding configuration" console warning. Fixed: added nginx `/console/` proxy to Authority, added `tenantId` query param, mapped Authority DTO fields (`displayName`->`title`, `logoUri`->`logoUrl`, `faviconUri`->`faviconUrl`), removed console.warn in error handler. 5 new unit tests.
+- NOTE-001 (FIXED): Page title did not update per route. Fixed: created `PageTitleStrategy` that auto-generates titles from URL paths, added explicit titles to 6 main routes.
 - NOTE-002: ~400 frontend test files excluded in angular.json test configuration. Test coverage significantly reduced.
-- NOTE-003: 4 skeleton routes (/sbom/diff, /vex/timeline, /workspace/dev, /workspace/audit) render breadcrumbs only. Feature implementation pending.
+- NOTE-003 (RECLASSIFIED: False Positive): 4 routes originally reported as "skeleton/placeholder" are actually fully-implemented components (813-1250 lines each). They appeared empty during Playwright testing because backend APIs returned no data and no artifact digest was passed as route context. Components: SbomDiffViewComponent, VexTimelineComponent, DeveloperWorkspaceComponent, AuditorWorkspaceComponent.
 
 ## Next Checkpoints
 - Phase 2 Batches 1-4 ALL DONE: 94+ pages/routes/workflows validated across the entire application.
-- 4 bugs FIXED in this sprint: BUG-002 (scope), BUG-003 (CORS/proxy), BUG-005 (CSS), BUG-006 (API path).
-- Next: Rebuild console container and re-validate API connectivity.
+- 7 bugs/issues FIXED in this sprint: BUG-001 (silent refresh), BUG-002 (scope), BUG-003 (CORS/proxy), BUG-005 (CSS), BUG-006 (API path), WARN-001 (branding), NOTE-001 (page titles).
+- Next: Rebuild console container and re-validate API connectivity. Register `/auth/silent-refresh` as allowed redirect URI for `stella-ops-ui` client at Authority.
 - REMAINING blockers requiring separate sprints:
   - Backend sprint: Sources API for BUG-004, release detail API, witness API.
-  - Feature sprint: Silent auth refresh for BUG-001.
-  - Feature sprint: Implement skeleton pages (sbom/diff, vex/timeline, workspace/dev, workspace/audit).
   - Feature sprint: Exception Queue dedicated view (currently shares triage component).
+  - NOTE-003 CLOSED: Skeleton pages were false positive — all 4 components are fully implemented (813-1250 lines each).

docs/features/README.md

@@ -0,0 +1,136 @@
+# Feature Catalog
+
+Structured inventory of all Stella Ops features, organized for E2E verification tracking.
+
+Generated: 2026-02-08
+
+## Summary
+
+| Directory | Meaning | Count |
+|-----------|---------|-------|
+| `checked/` | Features verified by E2E tests | 0 |
+| `unchecked/` | Implemented features needing E2E verification | 1,057 |
+| `unimplemented/` | Partially implemented features | 99 |
+| `dropped/` | Features not found in source code | 29 |
+| **Total** | | **1,185** |
+
+## How to Use
+
+- **To verify a feature**: Pick a file from `unchecked/<module>/`, follow the E2E Test Plan, and if it passes, move the file to `checked/<module>/`.
+- **To implement a missing feature**: Read a file from `unimplemented/<module>/`, review the "What's Missing" section, implement, then move to `unchecked/`.
+- **To understand what was dropped**: Read files in `dropped/` for context on features that were planned but not implemented.
+
+## Modules by Feature Count
+
+### Large Modules (50+ features)
+
+| Module | Unchecked | Unimplemented | Dropped | Total |
+|--------|-----------|---------------|---------|-------|
+| [Web](unchecked/web/) | 167 | 17 | 4 | 188 |
+| [Attestor](unchecked/attestor/) | 153 | 27 | 2 | 182 |
+| [Scanner](unchecked/scanner/) | 142 | 9 | 0 | 151 |
+| [Cli](unchecked/cli/) | 97 | 7 | 0 | 104 |
+| [Policy](unchecked/policy/) | 76 | 8 | 5 | 89 |
+
+### Medium Modules (10-49 features)
+
+| Module | Unchecked | Unimplemented | Dropped | Total |
+|--------|-----------|---------------|---------|-------|
+| [ReleaseOrchestrator](unchecked/releaseorchestrator/) | 44 | 1 | 0 | 45 |
+| [BinaryIndex](unchecked/binaryindex/) | 41 | 2 | 0 | 43 |
+| [Concelier](unchecked/concelier/) | 34 | 2 | 0 | 36 |
+| [Libraries](unchecked/libraries/) | 24 | 2 | 1 | 27 |
+| [Router](unchecked/router/) | 18 | 0 | 0 | 18 |
+| [Excititor](unchecked/excititor/) | 17 | 0 | 1 | 18 |
+| [Signals](unchecked/signals/) | 13 | 4 | 1 | 18 |
+| [EvidenceLocker](unchecked/evidencelocker/) | 17 | 0 | 0 | 17 |
+| [AdvisoryAI](unchecked/advisoryai/) | 15 | 1 | 1 | 17 |
+| [Orchestrator](unchecked/orchestrator/) | 14 | 1 | 0 | 15 |
+| [Authority](unchecked/authority/) | 12 | 1 | 0 | 13 |
+| [AirGap](unchecked/airgap/) | 9 | 3 | 0 | 12 |
+| [Tests](unchecked/tests/) | 11 | 0 | 2 | 13 |
+| [Integrations](unchecked/integrations/) | 10 | 1 | 0 | 11 |
+| [Zastava](unchecked/zastava/) | 9 | 1 | 0 | 10 |
+
+### Small Modules (<10 features)
+
+| Module | Unchecked | Unimplemented | Dropped | Total |
+|--------|-----------|---------------|---------|-------|
+| [Telemetry](unchecked/telemetry/) | 9 | 0 | 0 | 9 |
+| [ReachGraph](unchecked/reachgraph/) | 7 | 2 | 0 | 9 |
+| [Doctor](unchecked/doctor/) | 8 | 0 | 0 | 8 |
+| [SbomService](unchecked/sbomservice/) | 7 | 1 | 0 | 8 |
+| [Gateway](unchecked/gateway/) | 6 | 2 | 0 | 8 |
+| [TaskRunner](unchecked/taskrunner/) | 7 | 0 | 0 | 7 |
+| [VexLens](unchecked/vexlens/) | 6 | 0 | 1 | 7 |
+| [Notifier](unchecked/notifier/) | 7 | 0 | 0 | 7 |
+| [Findings](unchecked/findings/) | 7 | 0 | 0 | 7 |
+| [Graph](unchecked/graph/) | 6 | 1 | 0 | 7 |
+| [ExportCenter](unchecked/exportcenter/) | 6 | 1 | 0 | 7 |
+| [Plugin](unchecked/plugin/) | 6 | 0 | 0 | 6 |
+| [Platform](unchecked/platform/) | 6 | 0 | 0 | 6 |
+| [Signer](unchecked/signer/) | 6 | 0 | 0 | 6 |
+| [Cryptography](unchecked/cryptography/) | 5 | 0 | 1 | 6 |
+| [Timeline](unchecked/timeline/) | 5 | 0 | 0 | 5 |
+| [Tools](unchecked/tools/) | 4 | 0 | 0 | 4 |
+| [Bench](unchecked/bench/) | 2 | 1 | 1 | 4 |
+| [Scheduler](unchecked/scheduler/) | 3 | 0 | 0 | 3 |
+| [RiskEngine](unchecked/riskengine/) | 2 | 0 | 1 | 3 |
+| [Unknowns](unchecked/unknowns/) | 2 | 1 | 0 | 3 |
+| [Replay](unchecked/replay/) | 2 | 1 | 0 | 3 |
+
+### Single-Feature Modules
+
+| Module | Status |
+|--------|--------|
+| [Aoc](unchecked/aoc/) | Unchecked |
+| [Api](unchecked/api/) | Unchecked (2) |
+| [Analyzers](unchecked/analyzers/) | Unchecked |
+| [DevOps](unchecked/devops/) | Unchecked (2) |
+| [DevPortal](unchecked/devportal/) | Unchecked |
+| [Docs](unchecked/docs/) | Unchecked (2) |
+| [Feedser](unchecked/feedser/) | Unchecked |
+| [Mirror](unimplemented/mirror/) | Unimplemented |
+| [PacksRegistry](unchecked/packsregistry/) | Unchecked |
+| [Provenance](unimplemented/provenance/) | Unimplemented |
+| [RuntimeInstrumentation](unchecked/runtimeinstrumentation/) | Unchecked |
+| [Sdk](unchecked/sdk/) | Unchecked |
+| [SmRemote](unchecked/smremote/) | Unchecked |
+| [VulnExplorer](unchecked/vulnexplorer/) | Unchecked |
+
+## File Format
+
+Each feature file follows a standard template:
+
+### Unchecked (IMPLEMENTED)
+```
+# Feature Name
+## Module / ## Status / ## Description
+## Implementation Details (key files, classes, services)
+## E2E Test Plan (setup, action, verification steps)
+```
+
+### Unimplemented (PARTIALLY_IMPLEMENTED)
+```
+# Feature Name
+## Module / ## Status / ## Description
+## What's Implemented / ## What's Missing
+## Implementation Plan
+```
+
+### Dropped (NOT_FOUND)
+```
+# Feature Name
+## Status / ## Description
+## Why Not Implemented / ## Source / ## Notes
+```
+
+## Source Data
+
+This catalog was built from:
+- 270 product advisories (Phase 1)
+- 1,343 sprint archives (Phase 2)
+- CLI + Web source code scan (Phase 3)
+- Two deduplication passes reducing 1,600 entries to 1,185
+
+See `FEATURE_CATALOG.md` in the repo root for the flat consolidated view.

docs/features/dropped/ci-lint-hook-for-implementor-guidelines.md

@@ -0,0 +1,22 @@
+# CI Lint Hook for Implementor Guidelines
+
+## Status
+NOT_FOUND
+
+## Description
+The advisory called for a CI lint hook stub to enforce guidelines (e.g., docs-touched tagging, schema/versioning control). No automated enforcement tooling was found.
+
+## Why Not Implemented
+- No CI lint hooks, pre-commit hooks, or automated enforcement tooling found under `.gitea/`, `devops/`, or `src/Tools/`
+- CI workflows exist in `.gitea/workflows/` but focus on build/test/deploy, not implementor guideline enforcement
+- No docs-touched tagging or schema versioning control automation found
+- The repo uses `AGENTS.md` files for contributor guidance but enforcement is manual
+- Likely deferred; CI lint hooks are typically a low-priority quality-of-life improvement
+
+## Source
+- Feature matrix scan
+
+## Notes
+- Module: Uncategorized
+- Modules referenced: N/A
+- Could live under `.gitea/hooks/` or `devops/scripts/` when implemented

docs/features/dropped/comparative-evidence-suppression-pattern-analysis.md

@@ -0,0 +1,33 @@
+# Comparative Evidence/Suppression Pattern Analysis
+
+## Module
+Attestor
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+Evidence and suppression patterns are implemented in the scanning and VEX override subsystems. The advisory was primarily a research/comparison document; its findings appear to have influenced the VEX override and evidence panel designs rather than producing a standalone feature.
+
+## What's Implemented
+- **VEX Override System**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/` -- VexOverridePredicateBuilder, VexOverridePredicateParser, VexOverrideDecision, EvidenceReference -- provides structured suppression with evidence.
+- **Audit Hash Logger**: `__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs` (with `.Validation`) -- audit logging for evidence and suppression actions.
+- **Change Trace Attestation Service**: `ProofChain/ChangeTrace/ChangeTraceAttestationService.cs` -- tracks changes including suppressions.
+- **VEX Delta Tracking**: `Predicates/VexDeltaPredicate.cs`, `VexDeltaChange.cs`, `VexDeltaSummary.cs` -- tracks VEX status transitions.
+
+## What's Missing
+- **Cross-organization pattern analysis**: No service that compares suppression patterns across tenants or organizations to detect anomalous suppression rates.
+- **Suppression pattern dashboard**: No UX component showing suppression trends, outliers, or comparative analysis against baselines.
+- **Suppression quality scoring**: No scoring model that evaluates the quality/legitimacy of suppressions based on evidence strength.
+- **Anomaly detection**: No automated detection of suspicious suppression patterns (e.g., bulk suppressions without evidence, suppressions of critical CVEs).
+
+## Implementation Plan
+- Design a suppression analytics service that aggregates suppression patterns
+- Implement cross-tenant comparison with configurable baselines
+- Add suppression quality scoring based on evidence reference count and type
+- Build anomaly detection rules for suspicious suppression patterns
+- Add dashboard UX components for suppression trend visualization
+- Add tests for pattern analysis, scoring, and anomaly detection
+
+## Related Documentation
+- Source: See feature catalog

docs/features/dropped/dsse-gateway-traversal.md

@@ -0,0 +1,45 @@
+# DSSE Gateway Traversal (mTLS + provenance headers)
+
+## Module
+Scanner
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+HMAC-based DSSE envelope signing exists in the scanner worker for authenticating scan artifacts through gateway proxies. The feature envisions full mTLS gateway traversal with provenance headers injected by middleware, allowing scanner-to-registry and scanner-to-evidence-locker communication through reverse proxies (NGINX, Envoy, WAF) while maintaining attestation chain integrity.
+
+## What's Implemented
+- **HMAC DSSE Envelope Signing**:
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/HmacDsseEnvelopeSigner.cs` - `HmacDsseEnvelopeSigner` producing HMAC-signed DSSE envelopes for scan artifacts, providing integrity verification during transit through intermediary proxies
+- **DSSE Signing Infrastructure**:
+  - `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.Verification.cs` - DSSE signature verification pipeline used downstream for validating signed envelopes
+  - `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/DsseEnvelope.cs` - `DsseEnvelope` model representing Dead Simple Signing Envelope structures
+  - `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/DsseSignature.cs` - `DsseSignature` model for individual signatures within envelopes
+
+## What's Missing
+- **Gateway Configuration**: No NGINX/Envoy/WAF gateway configuration templates or middleware for injecting provenance headers (X-Stella-Provenance, X-Stella-Scan-Id) into proxied requests
+- **mTLS Certificate Management**: No scanner-specific mTLS certificate provisioning, rotation, or trust store configuration for gateway traversal
+- **Provenance Header Middleware**: No ASP.NET Core middleware for reading/validating provenance headers on the receiving side (WebService, EvidenceLocker endpoints)
+- **Gateway Health Probes**: No health check endpoints specifically designed for gateway liveness/readiness through proxy chains
+- **Configuration Schema**: No structured configuration for declaring gateway topology (proxy chain depth, intermediate certificate authorities, header propagation rules)
+
+## Implementation Plan
+1. Create `GatewayProvenanceMiddleware` in `StellaOps.Scanner.WebService` that reads and validates X-Stella-Provenance headers from proxied requests
+2. Create `MtlsCertificateProvider` in `StellaOps.Scanner.Worker` for provisioning and rotating scanner client certificates
+3. Add gateway configuration templates (NGINX, Envoy) under `devops/` with provenance header injection rules
+4. Extend `HmacDsseEnvelopeSigner` to embed gateway hop metadata in DSSE envelope payloads
+5. Add integration tests verifying envelope integrity through simulated proxy chains
+6. Add configuration schema for gateway topology in `StellaOps.Scanner.Core`
+
+## E2E Test Plan
+- [ ] Configure a scanner worker behind an NGINX reverse proxy and verify HMAC-signed DSSE envelopes are produced and transit successfully to the evidence locker
+- [ ] Verify provenance headers (X-Stella-Provenance, X-Stella-Scan-Id) are injected by the gateway and validated by the receiving service
+- [ ] Verify mTLS client certificate authentication between scanner worker and gateway proxy
+- [ ] Verify DSSE envelope signature remains valid after traversing a multi-hop proxy chain (scanner -> proxy -> WAF -> service)
+- [ ] Verify gateway health probes report correct status through the proxy chain
+- [ ] Verify the system rejects requests with missing or tampered provenance headers
+
+## Related Documentation
+- Source: See feature catalog
+- Architecture: `docs/modules/scanner/architecture.md`

docs/features/dropped/dsse-rekor-batch-size-benchmarking-tool.md

@@ -0,0 +1,25 @@
+# DSSE+Rekor Batch Size Benchmarking Tool (stella-attest-bench)
+
+## Status
+NOT_FOUND
+
+## Description
+The advisory proposed a dedicated CLI benchmarking tool (stella-attest-bench) to sweep DSSE envelope batch sizes against Rekor and determine optimal defaults. While the underlying DSSE and Rekor infrastructure exists, no dedicated benchmarking/experiment tool was implemented.
+
+## Why Not Implemented
+- No dedicated `stella-attest-bench` CLI tool found
+- The underlying DSSE and Rekor infrastructure is fully implemented in `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/`:
+  - `Signing/DsseEnvelope.cs`, `DsseSignature.cs` -- DSSE envelope support
+  - `Rekor/EnhancedRekorProofBuilder.Build.cs`, `EnhancedRekorProofBuilder.Validate.cs` -- Rekor integration
+  - `Rekor/RekorInclusionProof.cs` -- Rekor inclusion proofs
+- The Bench module (`src/Bench/StellaOps.Bench/`) has benchmarking infrastructure (LinkNotMerge scenario runner, JSON/Prometheus reporting) but no DSSE batch size sweeping tool
+- The Bench infrastructure (BenchmarkConfig, BenchmarkJsonWriter, PrometheusWriter) could serve as a foundation for a DSSE batch benchmark
+- This is a low-priority optimization tool; the DSSE+Rekor pipeline works but batch size tuning requires a dedicated experiment harness
+
+## Source
+- Feature matrix scan
+
+## Notes
+- Module: Attestor
+- Modules referenced: N/A
+- Related: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/` (Rekor integration), `src/Bench/` (benchmarking infrastructure)

docs/features/dropped/ebpf-runtime-signal-integration.md

@@ -0,0 +1,102 @@
+# eBPF Runtime Signal Integration (Probe Management, Type Granularity, and Tier 5 Evidence)
+
+## Module
+Signals (with cross-module touchpoints in Scanner and Zastava)
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+eBPF signals library project exists with probe, parser, and enrichment infrastructure. Runtime signal ingestion is connected to the Unknowns module. The structure suggests it is in progress but not production-ready. This is the "Tier 5" runtime evidence layer complementing the existing Tiers 1-4 (static analysis, binary fingerprinting, SBOM-based evidence). Includes probe lifecycle management in Zastava and probe-type-aware confidence scoring in Scanner.
+
+## What's Implemented
+- **RuntimeSignalCollector**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeSignalCollector.cs` -- collects runtime signals from eBPF probes
+- **RuntimeEvidenceCollector**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeEvidenceCollector.cs` -- collects runtime evidence from eBPF events
+- **CoreProbeLoader**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/CoreProbeLoader.cs` -- loads core eBPF probes
+- **AirGapProbeLoader**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/AirGapProbeLoader.cs` -- offline/air-gap compatible probe loading
+- **EventParser**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Parsers/EventParser.cs` -- parses raw eBPF events into structured models
+- **RuntimeEventEnricher**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Enrichment/RuntimeEventEnricher.cs` -- enriches runtime events with container/SBOM context
+- **CgroupContainerResolver**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Cgroup/CgroupContainerResolver.cs` -- resolves cgroup paths to container identities
+- **RuntimeEvidenceNdjsonWriter**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Output/RuntimeEvidenceNdjsonWriter.cs` -- writes evidence in NDJSON format
+- **AttestorEvidenceChunkSigner**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Signing/AttestorEvidenceChunkSigner.cs` -- signs evidence chunks for attestation
+- **DotNetEventPipeAgent**: `src/Signals/StellaOps.Signals.RuntimeAgent/DotNetEventPipeAgent.cs` -- .NET EventPipe agent (production-ready for .NET)
+- **Interfaces**: `IRuntimeSignalCollector`, `IEbpfProbeLoader`, `IContainerIdentityResolver`, `IContainerStateProvider`, `IImageDigestResolver`, `ISbomComponentProvider`
+- **Scanner Runtime Trace Ingestion**: `src/Scanner/__Libraries/StellaOps.Scanner.Runtime/Ingestion/TraceIngestionService.cs` -- ingests runtime traces
+- **Scanner Witness Infrastructure**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeObservation.cs` -- runtime-observed function invocations (timestamp, function signature, process context), but currently without a ProbeType discriminator
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs` -- combines static call-graph paths with runtime observations
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessDsseSigner.cs` -- signs runtime witness predicates for attestation
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessPredicateBuilder.cs` -- builds DSSE-signable witness predicates from runtime observations
+- **Zastava Probe Manager**: `src/Zastava/StellaOps.Zastava.Observer/Probes/EbpfProbeManager.cs` -- implements `IProbeManager` and `IAsyncDisposable`; manages eBPF probe lifecycle with `OnContainerStartAsync`/stop hooks; uses `IRuntimeSignalCollector` and `ISignalPublisher`; tracks active probe handles via `ConcurrentDictionary<string, SignalCollectionHandle>`; configurable via `EbpfProbeManagerOptions`
+
+## What's Missing
+
+### Signals (core infrastructure)
+- **Production-grade kernel probe deployment**: No production deployment automation (probe installation, lifecycle management, Helm charts, systemd units)
+- **Kernel-level function entry/exit tracing**: No BTF-backed function entry/exit tracing with accurate call stacks at scale
+- **Performance SLA compliance**: No benchmarking proving low overhead under production workload
+- **Kernel version compatibility matrix**: No detection and fallback strategies for different kernel versions
+- **Cross-platform runtime agents**: Beyond .NET (Java JVMTI, Go delve, Python sys.settrace, Node.js native) not yet built
+- **Runtime backport detection**: No logic comparing runtime traces against known-patched function signatures
+- **Integration testing**: No integration tests with multiple container runtimes (containerd, CRI-O, Podman)
+- **Production monitoring**: No dashboards and alerting for probe health
+
+### Scanner (probe type granularity)
+- **ProbeType Enum**: No `ProbeType` enum (Kprobe, Uprobe, Tracepoint, Usdt, Fentry, RawTracepoint) defined on or associated with `RuntimeObservation`
+- **Probe-Aware Confidence Scoring**: Reachability confidence scoring does not differentiate based on probe attachment type (e.g., uprobe on a specific function is higher fidelity than a kprobe on a syscall)
+- **ProbeType Propagation**: The Signals.Ebpf pipeline does not tag observations with their originating probe type before forwarding to the scanner
+- **Predicate Schema Update**: Witness DSSE predicates do not include probeType in their signed payload schema
+
+### Zastava (probe lifecycle management)
+- No tests for EbpfProbeManager
+- No integration with the Observer's `ContainerLifecycleHostedService` to automatically attach/detach probes
+- No eBPF probe configuration UI or CLI
+- Limited probe types (needs expansion for different kernel hook points)
+- No probe health monitoring or failure recovery
+
+## Implementation Plan
+
+### Phase 1: Core production readiness (Signals)
+- Benchmark eBPF probe overhead in production-like environments with performance SLAs
+- Implement kernel version detection and compatibility matrix with fallback strategies
+- Add integration tests for containerd, CRI-O, and Podman container runtimes
+- Implement probe lifecycle management (hot-reload, graceful degradation)
+- Production deployment automation with Helm charts and systemd units
+
+### Phase 2: Probe type granularity (Scanner)
+1. Define `ProbeType` enum in `StellaOps.Scanner.Reachability/Witnesses/` with values: Kprobe, Uprobe, Tracepoint, Usdt, Fentry, RawTracepoint, Unknown
+2. Add optional `ProbeType` property to `RuntimeObservation`
+3. Update `Signals.Ebpf` pipeline to tag observations with their originating probe type
+4. Update `WitnessPredicateBuilder` to include probeType in signed predicates
+5. Update reachability confidence scoring to apply probe-type-aware weights (uprobe > tracepoint > kprobe)
+
+### Phase 3: Probe management (Zastava)
+- Add unit tests for EbpfProbeManager lifecycle (attach/detach/dispose)
+- Integrate with ContainerLifecycleHostedService for automatic probe management
+- Expand probe types for syscall, network, and filesystem observation
+- Add probe health monitoring with automatic reattachment on failure
+- Add CLI/API for probe configuration management
+
+### Phase 4: Extended runtime agents
+- Add runtime backport detection comparing traces against patched function signatures
+- Implement cross-platform runtime agents for Java, Go, Python
+- Add production monitoring dashboards and alerting
+
+## E2E Test Plan
+- [ ] Collect runtime observations from a uprobe-attached function and verify the ProbeType field is set to `Uprobe`
+- [ ] Collect runtime observations from a kprobe-attached syscall and verify the ProbeType field is set to `Kprobe`
+- [ ] Verify reachability confidence scoring assigns higher weight to uprobe observations than kprobe observations
+- [ ] Verify the witness DSSE predicate payload includes the probeType field and the signature covers it
+- [ ] Verify backward compatibility: observations without ProbeType default to `Unknown`
+- [ ] Verify ProbeType is preserved through the full pipeline: eBPF collection -> signal forwarding -> scanner ingestion -> witness predicate -> reachability score
+- [ ] Verify EbpfProbeManager attaches probes on container start and detaches on container stop
+- [ ] Verify probe health monitoring detects failed probes and triggers reattachment
+
+## Related Documentation
+- Source: See feature catalog
+- Architecture: `docs/modules/scanner/architecture.md`
+
+## Merged From
+- `signals/tier-5-runtime-trace-evidence.md` (previously merged)
+- `scanner/ebpf-probe-type-granularity.md` (merged -- probe type granularity for scanner witness infrastructure)
+- `zastava/ebpf-probe-manager.md` (merged -- eBPF probe lifecycle management in Zastava observer)

docs/features/dropped/ecosystem-reality-acceptance-test-fixtures.md

@@ -0,0 +1,52 @@
+# Ecosystem Reality Acceptance Test Fixtures
+
+## Module
+Scanner
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+Maps five specific real-world production incidents (credential leak, offline DB schema mismatch, SBOM parity drift, scanner instability, ecosystem-specific SCA failure) into deterministic acceptance test fixtures. Each fixture reproduces the incident scenario end-to-end with frozen inputs and expected outputs, ensuring the scanner does not regress on previously observed production failures.
+
+## What's Implemented
+- **SCA Failure Catalogue**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests/` - Node.js SCA test fixtures covering package resolution edge cases
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Ruby.Tests/` - Ruby SCA test fixtures covering Gemfile.lock parsing
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests/` - Java SCA test fixtures covering Maven/Gradle dependency resolution
+- **SmartDiff Golden Fixtures**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/` - Deterministic golden fixture tests for diff-aware rescanning, covering expected SBOM delta outputs
+- **Determinism Infrastructure**:
+  - Existing test projects use frozen fixture files (JSON SBOMs, lock files, manifest files) as inputs with expected output assertions
+
+## What's Missing
+- **Incident-to-Test Mapping**: No structured mapping from five specific real-world incidents to dedicated test fixtures:
+  1. **Credential Leak Incident**: No fixture reproducing a secret detection false-negative that led to a credential leak in production
+  2. **Offline DB Schema Mismatch**: No fixture reproducing scanner behavior when the offline vulnerability database schema version mismatches the scanner version
+  3. **SBOM Parity Drift**: No fixture reproducing divergence between container-scanned SBOM and source-scanned SBOM for the same artifact
+  4. **Scanner Instability**: No fixture reproducing non-deterministic scanner output across repeated scans of the same image layer
+  5. **Ecosystem SCA Failure**: No fixture reproducing ecosystem-specific SCA resolution failures (e.g., npm optional dependency with missing platform binary)
+- **Incident Metadata**: No `incident.metadata.json` files linking each fixture to its originating production incident (date, severity, root cause, fix)
+- **Acceptance Test Runner**: No dedicated CI job or test category for running ecosystem reality acceptance tests separately from unit tests
+
+## Implementation Plan
+1. Create `src/Scanner/__Tests/StellaOps.Scanner.EcosystemReality.Tests/` project with five incident fixture directories
+2. For each incident, create: `incident.metadata.json` (date, severity, root cause), frozen input fixtures, expected output assertions
+3. Implement credential leak fixture using a container layer with an embedded secret that was previously missed
+4. Implement offline DB schema mismatch fixture with mismatched vuln-db schema version headers
+5. Implement SBOM parity drift fixture with container vs. source scan inputs producing divergent SBOMs
+6. Implement scanner instability fixture verifying byte-identical output across 10 repeated scans
+7. Implement ecosystem SCA failure fixture with npm optional dependency edge case
+8. Add CI job category `ecosystem-reality` for running these acceptance tests
+
+## E2E Test Plan
+- [ ] Run the credential leak incident fixture and verify the scanner now detects the previously-missed embedded secret in the container layer
+- [ ] Run the offline DB schema mismatch fixture and verify the scanner produces a clear error or graceful degradation when vuln-db schema version does not match
+- [ ] Run the SBOM parity drift fixture and verify the scanner flags divergence between container-scanned and source-scanned SBOMs for the same artifact
+- [ ] Run the scanner instability fixture and verify byte-identical SBOM output across 10 repeated scans of the same frozen image layer
+- [ ] Run the ecosystem SCA failure fixture and verify correct handling of npm optional dependencies with missing platform binaries
+- [ ] Verify each fixture includes incident.metadata.json with date, severity, root cause, and link to the originating production incident
+
+## Related Documentation
+- Source: See feature catalog
+- Architecture: `docs/modules/scanner/architecture.md`

docs/features/dropped/evidence-ttl-and-staleness-policy.md

@@ -0,0 +1,35 @@
+# Evidence TTL and staleness policy
+
+## Module
+Signals
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+Retention options and lifecycle services exist for evidence expiry, but the advisory noted TTL strategy at 50% coverage.
+
+## What's Implemented
+- **Modules**: `src/Signals/StellaOps.Signals/Services/`, `src/Signals/StellaOps.Signals/Options/`
+- **Key Classes**:
+  - `UnknownsDecayService` (`src/Signals/StellaOps.Signals/Services/UnknownsDecayService.cs`) - applies decay to stale unknown findings (related TTL behavior)
+  - `UnknownsDecayOptions` (`src/Signals/StellaOps.Signals/Options/UnknownsDecayOptions.cs`) - configurable decay/TTL thresholds
+  - `NightlyDecayWorker` (`src/Signals/StellaOps.Signals/Services/NightlyDecayWorker.cs`) - scheduled worker for TTL processing
+- **Source**: Feature matrix scan
+
+## What's Missing
+- Comprehensive evidence TTL policy engine covering all evidence types (callgraph, runtime, SBOM correlation, attestation)
+- Per-evidence-type configurable TTL with different retention periods
+- Staleness detection that marks evidence as stale before hard expiry
+- Automated evidence archival workflow (move to cold storage before deletion)
+- TTL policy dashboard showing evidence age distribution and upcoming expirations
+
+## Implementation Plan
+- Implement `EvidenceTtlPolicyEngine` with per-type configurable retention periods
+- Add staleness detection service that marks evidence nearing TTL as stale
+- Implement evidence archival pipeline for cold storage migration
+- Add TTL policy configuration UI and monitoring dashboard
+- Extend `NightlyDecayWorker` to handle evidence expiry across all evidence types
+
+## Related Documentation
+- Source: See feature catalog

docs/features/dropped/golden-benchmark-fixtures.md

@@ -0,0 +1,34 @@
+# Golden Benchmark Fixtures (Core-10)
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+The advisory describes 10 golden reachability benchmark fixtures (C, Java, .NET, Python, container), but no pre-built fixture datasets were found in the source tree. The ReachGraph service infrastructure exists but the specific Core-10 fixture data files are not present.
+
+## Module
+Bench
+
+## What's Implemented
+- **Multi-runtime corpus**: `src/__Tests/reachability/corpus/` (5 runtimes: dotnet, go, java, python, rust)
+- **Additional VEX corpus**: `src/tests/reachability/corpus/` (4 runtimes with OpenVEX files)
+- **Expanded benchmarks**: `src/__Tests/reachability/fixtures/reachbench-2025-expanded/`
+- **Patch oracles**: `src/__Tests/reachability/fixtures/patch-oracles/`
+- **PoE fixtures**: `src/__Tests/reachability/PoE/Fixtures/`
+- **Scoring golden corpus**: `src/__Tests/__Benchmarks/golden-corpus/` (VEX scenarios and severity levels)
+- **Fixture harvester tool**: `src/__Tests/Tools/FixtureHarvester/SbomGoldenCommand.cs`
+- **Corpus management scripts**: `src/__Tests/reachability/scripts/update_corpus_manifest.py`
+- **Fixture tests**: `src/__Tests/reachability/StellaOps.Reachability.FixtureTests/`
+
+## What's Missing
+- The exact advisory-specified "Core-10" named fixture set (10 specific golden reachability benchmark fixtures covering C, Java, .NET, Python, container)
+- Formal Core-10 naming convention and documentation
+- C runtime reachability corpus (only dotnet, go, java, python, rust present)
+
+## Implementation Plan
+- Audit existing fixtures against the Core-10 specification from the advisory
+- Add C runtime corpus if required
+- Formalize Core-10 naming and documentation
+
+## Source
+- Feature matrix scan

docs/features/dropped/metrics-for-attestation-coverage-and-time-to-evidence.md

@@ -0,0 +1,39 @@
+# Metrics for attestation coverage and time-to-evidence
+
+## Module
+Unknowns
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+Some metrics services exist but the advisory noted metrics coverage at only 30%.
+
+## What's Implemented
+- **Unknowns Metrics Service**: `src/Unknowns/StellaOps.Unknowns.Services/UnknownsMetricsService.cs` -- exposes basic Prometheus/OpenTelemetry metrics for the unknowns queue including queue depth, resolution counts, and SLA breach counts.
+- **Unknowns SLA Monitor Service**: `src/Unknowns/StellaOps.Unknowns.Services/UnknownsSlaMonitorService.cs` -- monitors SLA compliance for unknown resolution timelines, providing partial time-to-evidence tracking for the unknowns domain.
+- **Unknowns SLA Health Check**: `src/Unknowns/StellaOps.Unknowns.Services/UnknownsSlaHealthCheck.cs` -- health check endpoint reporting unknowns SLA status, contributing to observability but not comprehensive attestation coverage metrics.
+- **Unknown Ranking Model**: `src/Unknowns/__Libraries/StellaOps.Unknowns.Core/Models/UnknownRanking.cs` -- ranking model that includes priority scoring which could inform metrics prioritization.
+
+## What's Missing
+- **Attestation Coverage Metrics**: No metrics track what percentage of release artifacts have complete attestation chains. The unknowns metrics cover queue health but not attestation completeness across the entire pipeline (e.g., "X% of images have SBOM + VEX + provenance attestations").
+- **Time-to-Evidence Metrics**: No end-to-end time-to-evidence metric exists tracking the duration from vulnerability discovery to complete evidence availability (scanner result -> reachability analysis -> VEX decision -> attestation). The SLA monitor tracks unknowns resolution time but not the broader evidence pipeline.
+- **Per-Provider Coverage Breakdown**: No metrics break down attestation coverage by provider/scanner (e.g., "Trivy provides SBOM for 95% of images, reachability analysis covers 60%").
+- **Evidence Freshness Metrics**: No metrics track evidence staleness (e.g., "SBOM is 30 days old, VEX decision is 7 days old") across the artifact estate.
+- **Dashboard Integration**: No pre-built Grafana dashboards or Web UI panels exist for visualizing attestation coverage and time-to-evidence trends.
+- **Cross-Module Metrics Aggregation**: Metrics are siloed per module (Unknowns, Attestor, EvidenceLocker); no aggregation layer combines them into a unified attestation coverage view.
+
+## Implementation Plan
+- Define attestation coverage metrics: per-artifact attestation completeness (SBOM present, VEX present, provenance present, reachability analysis present)
+- Implement a metrics aggregation service that queries Attestor, EvidenceLocker, and Unknowns to compute estate-wide attestation coverage percentages
+- Add time-to-evidence histogram metrics tracking the duration from vulnerability publication to complete evidence chain availability
+- Add per-provider coverage breakdown metrics
+- Add evidence freshness metrics (age of latest SBOM, VEX, provenance per artifact)
+- Build Grafana dashboard templates for attestation coverage and time-to-evidence visualization
+- Target: increase metrics coverage from 30% to 90%+ of the advisory specification
+
+## Related Documentation
+- Unknowns metrics: `src/Unknowns/StellaOps.Unknowns.Services/UnknownsMetricsService.cs`
+- Attestor proof chain: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/`
+- Evidence locker: `src/EvidenceLocker/`
+- VexLens (VEX processing): `src/VexLens/`

docs/features/dropped/mi10-theme-contrast-guidance.md

@@ -0,0 +1,41 @@
+# MI10 - Theme/Contrast Guidance (Light/Dark/HC Tokens)
+
+## Module
+Web
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+Color tokens and focus ring styles exist. Theme transition utilities are implemented. However, the specific theming doc `docs/modules/ui/micro-theme.md` and explicit HC (high-contrast) mode tokens with 4.5:1/3:1 contrast validation were not found as standalone artifacts.
+
+## What's Implemented
+- Color tokens and focus ring styles exist in the Angular codebase
+- Theme transition utilities are implemented
+- Dark mode support exists
+
+## What's Missing
+- **High-contrast (HC) mode tokens**: No dedicated HC theme with WCAG 4.5:1 (normal text) and 3:1 (large text/icons) validated contrast ratios
+- **Theme specification document**: No `docs/modules/ui/micro-theme.md` formalizing the light/dark/HC token sets
+- **Contrast validation tooling**: No automated CI check validating contrast ratios across all color tokens
+- **HC mode toggle**: No user-facing toggle for high-contrast mode in settings
+
+## Implementation Plan
+- Create HC theme token set with WCAG-validated contrast ratios
+- Add contrast ratio validation CI check using color-contrast tooling
+- Add HC mode toggle to user settings
+- Document theme tokens in `docs/modules/ui/micro-theme.md`
+
+## E2E Test Plan
+- **Setup**:
+  - [ ] Log in with a user that has appropriate permissions
+  - [ ] Navigate to the relevant page/section where this feature appears
+  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+- **Core verification**:
+  - [ ] Verify the component renders correctly with sample data
+  - [ ] Verify interactive elements respond to user input
+  - [ ] Verify data is fetched and displayed from the correct API endpoints
+- **Edge cases**:
+  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify responsive layout at different viewport sizes
+  - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)

docs/features/dropped/mi4-error-cancel-undo-patterns.md

@@ -0,0 +1,53 @@
+# MI4 - Error/Cancel/Undo Patterns (Snackbar/Toast with Undo)
+
+## Module
+Web
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+i18n keys for toast/undo/undoCountdown patterns exist and snackbar usage is present across components. However, a dedicated centralized snackbar/toast service with the specific 8s undo window and aria-live=polite pattern was not found as a standalone component.
+
+## What's Implemented
+- **Existing components**:
+  - `accordion` (`src/Web/StellaOps.Web/src/app/shared/components/accordion/accordion.component.ts`)
+  - `ai-assist-panel` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-assist-panel.component.ts`)
+  - `ai-authority-badge` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-authority-badge.component.ts`)
+  - `ai-chip` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-chip.component.ts`)
+  - `ai-explain-chip` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-explain-chip.component.ts`)
+  - `ai-exploitability-chip` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-exploitability-chip.component.ts`)
+  - `ai-fix-chip` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-fix-chip.component.ts`)
+  - `ai-needs-evidence-chip` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-needs-evidence-chip.component.ts`)
+  - `ai-summary` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-summary.component.ts`)
+  - `ai-vex-draft-chip` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-vex-draft-chip.component.ts`)
+- **Existing services**:
+  - `replay` (`src/Web/StellaOps.Web/src/app/shared/components/reproduce/replay.service.ts`)
+  - `graph-export` (`src/Web/StellaOps.Web/src/app/shared/services/graph-export.service.ts`)
+  - `plain-language` (`src/Web/StellaOps.Web/src/app/shared/services/plain-language.service.ts`)
+
+## What's Missing
+- **Centralized snackbar/toast service**: No centralized `ToastService` with the specific 8-second undo window, countdown timer, and `aria-live=polite` pattern
+- **Undo action infrastructure**: i18n keys for `toast.undo` and `undoCountdown` exist but no centralized undo action queue that buffers destructive operations for the undo window
+- **Cancel pattern standardization**: No consistent cancel pattern across all modal/drawer interactions (some modals lack cancel confirmation for dirty forms)
+- **Error boundary component**: No centralized error boundary component that catches and displays user-friendly errors with retry actions
+
+## Implementation Plan
+- Create centralized `ToastService` with undo support, 8s countdown, and `aria-live=polite`
+- Implement undo action queue for buffering destructive operations
+- Standardize cancel patterns across modals and drawers
+- Add error boundary component with retry actions
+
+## E2E Test Plan
+- **Setup**:
+  - [ ] Log in with a user that has appropriate permissions
+  - [ ] Navigate to the relevant page/section where this feature appears
+  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+- **Core verification**:
+  - [ ] Verify the component renders correctly with sample data
+  - [ ] Verify interactive elements respond to user input
+  - [ ] Verify data is fetched and displayed from the correct API endpoints
+- **Edge cases**:
+  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify responsive layout at different viewport sizes
+  - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)

docs/features/dropped/mi5-performance-budgets.md

@@ -0,0 +1,47 @@
+# MI5 - Performance Budgets (Interaction Response, Animation Frame, LCP)
+
+## Module
+Web
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+Lighthouse CI config exists for performance monitoring. Specific interaction response <=100ms, frame budget 16ms, and layout shift <0.05 budgets were not found as explicitly configured thresholds in test fixtures.
+
+## What's Implemented
+- **Existing components**:
+  - `extension-slot` (`src/Web/StellaOps.Web/src/app/core/plugins/extension-slots/extension-slot.component.ts`)
+- **Existing services**:
+  - `evidence-panel-metrics` (`src/Web/StellaOps.Web/src/app/core/analytics/evidence-panel-metrics.service.ts`)
+  - `gateway-metrics` (`src/Web/StellaOps.Web/src/app/core/api/gateway-metrics.service.ts`)
+  - `policy-interop` (`src/Web/StellaOps.Web/src/app/core/api/policy-interop.service.ts`)
+  - `reachability-integration` (`src/Web/StellaOps.Web/src/app/core/api/reachability-integration.service.ts`)
+  - `vuln-export-orchestrator` (`src/Web/StellaOps.Web/src/app/core/api/vuln-export-orchestrator.service.ts`)
+
+## What's Missing
+- **Interaction response budget**: No explicitly configured <=100ms interaction response threshold in test fixtures or CI checks
+- **Animation frame budget**: No configured 16ms frame budget validation for animations
+- **Layout shift budget**: No configured <0.05 CLS (Cumulative Layout Shift) threshold enforcement
+- **LCP budget**: No Largest Contentful Paint budget configured in Lighthouse CI or performance tests
+- **Performance regression CI gate**: Lighthouse CI config exists but no CI gate failing builds on budget violations
+
+## Implementation Plan
+- Configure Lighthouse CI budgets: interaction <=100ms, frame 16ms, CLS <0.05, LCP <2.5s
+- Add performance regression CI gate failing on budget violations
+- Add `evidence-panel-metrics.service.ts` integration with performance budgets for key user flows
+- Document performance budgets in frontend architecture docs
+
+## E2E Test Plan
+- **Setup**:
+  - [ ] Log in with a user that has appropriate permissions
+  - [ ] Navigate to the relevant page/section where this feature appears
+  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+- **Core verification**:
+  - [ ] Verify the component renders correctly with sample data
+  - [ ] Verify interactive elements respond to user input
+  - [ ] Verify data is fetched and displayed from the correct API endpoints
+- **Edge cases**:
+  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify responsive layout at different viewport sizes
+  - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)

docs/features/dropped/mi7-telemetry-schema-for-ui-micro-events.md

@@ -0,0 +1,22 @@
+# MI7 - Telemetry Schema for ui.micro.* Events
+
+## Status
+NOT_FOUND
+
+## Description
+The ui.micro telemetry JSON schema and associated unit test validator were not found. Triage-specific telemetry exists but the generic micro-interaction telemetry schema is missing.
+
+## Why Not Implemented
+- No `ui.micro.*` telemetry JSON schema found in `src/Web/` or `docs/`
+- No dedicated micro-interaction telemetry event system found in the Web UI source
+- The Telemetry module (`src/Telemetry/StellaOps.Telemetry.Core/`) tracks backend metrics (Time-to-Evidence, attestation metrics, scan completion) but not frontend UI micro-events
+- The Web UI does not appear to have an instrumented event bus for tracking fine-grained user interactions
+- This was a documentation + schema deliverable; the generic telemetry infrastructure exists but the UI-specific micro-event schema was never defined
+
+## Source
+- Feature matrix scan
+
+## Notes
+- Module: Web
+- Modules referenced: `src/Web`
+- Related: `src/Telemetry/` (backend telemetry infrastructure)

docs/features/dropped/mi8-deterministic-seeds-snapshots.md

@@ -0,0 +1,40 @@
+# MI8 - Deterministic Seeds/Snapshots (Fixed RNG, Frozen Timestamps)
+
+## Module
+Web
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+Deterministic fixture files exist for testing. Storybook preview is configured. However, specific chromatic.disableAnimation parameters and fixed seed exports from a `micro-fixtures.ts` file were not verified.
+
+## What's Implemented
+- **Existing services**:
+  - `determinization` (`src/Web/StellaOps.Web/src/app/core/services/determinization/determinization.service.ts`)
+
+## What's Missing
+- **Fixed RNG seed exports**: No `micro-fixtures.ts` file exporting deterministic seed values for Storybook stories and tests
+- **Frozen timestamps**: No globally-configurable frozen timestamp provider for deterministic date rendering in snapshots
+- **chromatic.disableAnimation**: Storybook preview may not have `chromatic.disableAnimation` configured for consistent visual regression snapshots
+- **Deterministic service integration**: `determinization.service.ts` exists but its usage across all Storybook stories for reproducible snapshots is not confirmed
+
+## Implementation Plan
+- Create `micro-fixtures.ts` with exported seed values and frozen timestamp provider
+- Configure `chromatic.disableAnimation` in Storybook preview config
+- Wire `determinization.service.ts` into all Storybook stories for reproducible rendering
+- Add documentation for deterministic snapshot patterns
+
+## E2E Test Plan
+- **Setup**:
+  - [ ] Log in with a user that has appropriate permissions
+  - [ ] Navigate to the relevant page/section where this feature appears
+  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+- **Core verification**:
+  - [ ] Verify the component renders correctly with sample data
+  - [ ] Verify interactive elements respond to user input
+  - [ ] Verify data is fetched and displayed from the correct API endpoints
+- **Edge cases**:
+  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify responsive layout at different viewport sizes
+  - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)

docs/features/dropped/mirror-dsse-revision-contract.md

@@ -0,0 +1,30 @@
+# Mirror DSSE Revision Contract
+
+## Module
+AirGap
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+Defines the DSSE signing contract revision for mirror bundles, specifying envelope format, digest algorithm choices, and manifest inclusion rules for air-gapped import verification. Implementation is coordination-level (docs + scripts).
+
+## What's Implemented
+- DSSE envelope signing/verification infrastructure: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/DsseEnvelope.cs`, `DsseSignature.cs`
+- DSSE verification step: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/DsseSignatureVerificationStep.cs`
+- Importer DSSE parsing: `src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/DsseAttestationParser.cs`
+- Bundle library with manifest support: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/`
+- SPDX3 DSSE signing: `src/Attestor/__Libraries/StellaOps.Attestor.Spdx3/DsseSpdx3Signer.*.cs`
+- Source: SPRINT_0150_0001_0001_mirror_dsse.md
+
+## What's Missing
+- The mirror-specific DSSE revision contract (specifying envelope format, digest algorithm choices, manifest inclusion rules for mirror bundles specifically) may need formalization as a versioned contract document
+- Mirror-specific DSSE tests are referenced in TASKS.md files but may not be complete
+
+## Implementation Plan
+- Formalize mirror DSSE contract as versioned specification
+- Add mirror-specific DSSE validation tests
+- Verify digest algorithm choices are consistent across mirror pipeline
+
+## Related Documentation
+- Source: SPRINT_0150_0001_0001_mirror_dsse.md

docs/features/dropped/mirror-orchestrator-hook-event.md

@@ -0,0 +1,31 @@
+# Mirror Orchestrator Hook Event (mirror.ready)
+
+## Module
+AirGap
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+Defines the mirror.ready event payload {bundleId, generation, generatedAt, dsseDigest, manifestDigest, location} with optional rekorUUID, enabling CLI and export automation to consume mirror bundle readiness notifications.
+
+## What's Implemented
+- AirGap controller with event hooks: `src/AirGap/StellaOps.AirGap.Controller/` -- state management and endpoints
+- Time hooks: `src/AirGap/StellaOps.AirGap.Time/Hooks/` -- event hooks for time-related operations
+- Bundle catalog model: `src/AirGap/StellaOps.AirGap.Importer/Models/BundleCatalogEntry.cs`, `BundleItem.cs` -- bundle metadata with ID, generation, timestamps
+- Sync library: `src/AirGap/__Libraries/StellaOps.AirGap.Sync/` -- bundle synchronization infrastructure
+- Source: SPRINT_0150_0001_0003_mirror_orch.md
+
+## What's Missing
+- The specific `mirror.ready` event with payload `{bundleId, generation, generatedAt, dsseDigest, manifestDigest, location}` may not be formalized as a named event
+- CLI/export automation consumption of mirror readiness notifications needs verification
+- Optional `rekorUUID` field in event payload needs confirmation
+
+## Implementation Plan
+- Define `mirror.ready` event type in eventing system
+- Implement event publication when mirror bundle is ready
+- Add CLI hook for consuming mirror.ready events
+- Add tests for event payload validation
+
+## Related Documentation
+- Source: SPRINT_0150_0001_0003_mirror_orch.md

docs/features/dropped/multi-scanner-comparative-benchmarking.md

@@ -0,0 +1,23 @@
+# Multi-scanner Comparative Benchmarking
+
+## Status
+NOT_FOUND
+
+## Description
+Advisory describes a benchmarking protocol comparing StellaOps scan results against Trivy/Grype/Snyk with precision/recall metrics. No CLI comparison tool or benchmark harness found.
+
+## Why Not Implemented
+- No dedicated CLI comparison tool or multi-scanner benchmark harness found
+- A `compare.py` script exists at `src/__Tests/__Benchmarks/tools/compare.py` but it appears to be a general comparison utility, not a full multi-scanner benchmarking protocol
+- The Bench module (`src/Bench/`) has benchmarking infrastructure (LinkNotMerge scenarios, Prometheus reporting) but not scanner comparison harnesses
+- Golden corpus exists at `src/__Tests/__Benchmarks/golden-corpus/` with VEX scenarios and severity levels, which could serve as ground truth for scanner comparison
+- The Scanner module has its own benchmark and test infrastructure but does not compare against external scanners (Trivy/Grype/Snyk)
+- This would require external scanner integration which conflicts with the offline-first posture
+
+## Source
+- Feature matrix scan
+
+## Notes
+- Module: Bench
+- Modules referenced: N/A
+- Related: `src/__Tests/__Benchmarks/tools/compare.py` (comparison utility), `src/__Tests/__Benchmarks/golden-corpus/` (ground truth data)

docs/features/dropped/playbook-learning.md

@@ -0,0 +1,37 @@
+# Playbook Learning (Run-to-Patch Pipeline)
+
+## Module
+AdvisoryAI
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+Run artifacts and evidence bundles support playbook-related data, but dedicated playbook learning, patch proposal generation, and versioned playbook management are not fully distinct modules yet.
+
+## What's Implemented
+- **Run tracking infrastructure**: `RunService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Runs/RunService.cs`) tracks runs with artifacts and events
+- **Run models**: `Run`, `RunArtifact`, `RunEvent` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Runs/Models/`) capture run outcomes
+- **Run storage**: `InMemoryRunStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Runs/InMemoryRunStore.cs`) persists run data
+- **Evidence bundle assembly**: `EvidenceBundleAssembler` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/EvidenceBundleAssembler.cs`) assembles evidence packs from data providers
+- **Remediation planning**: `AiRemediationPlanner` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/AiRemediationPlanner.cs`) generates fix plans
+- **PR generation**: `GitHubPullRequestGenerator`, `GitLabMergeRequestGenerator`, `AzureDevOpsPullRequestGenerator` create PRs from remediation plans
+- **Run API endpoints**: `RunEndpoints` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Endpoints/RunEndpoints.cs`) exposes run data
+- **Advisory output persistence**: `AdvisoryOutputStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Outputs/AdvisoryOutputStore.cs`), `FileSystemAdvisoryOutputStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Hosting/FileSystemAdvisoryOutputStore.cs`)
+
+## What's Missing
+- **Playbook learning engine**: No dedicated module that analyzes past run outcomes to learn optimal remediation patterns and build reusable playbooks
+- **Versioned playbook management**: No playbook versioning, publishing, or catalog system for sharing learned remediation workflows
+- **Patch proposal generation**: No automated system that generates patch proposals by combining learned patterns from successful past remediations
+- **Feedback loop learning**: No mechanism to feed PR merge/reject outcomes back into the learning engine to improve future recommendations
+- **Playbook template library**: No library of reusable playbook templates (e.g., "upgrade-npm-dependency", "patch-container-base-image") with parameterization
+
+## Implementation Plan
+- Build a playbook learning engine that analyzes successful `Run` outcomes from `RunService`/`InMemoryRunStore`
+- Add versioned playbook model with CRUD operations and a catalog API
+- Implement patch proposal generation by matching current vulnerabilities against learned playbook patterns
+- Add feedback loop from SCM connectors (PR merge/reject events) back to the learning engine
+- Create a playbook template library with parameterized remediation workflows
+
+## Related Documentation
+- Source: Feature matrix scan

docs/features/dropped/proof-market-ledger-and-adaptive-trust-economics.md

@@ -0,0 +1,23 @@
+# Proof-Market Ledger and Adaptive Trust Economics
+
+## Status
+NOT_FOUND
+
+## Description
+No implementation of a proof marketplace or adaptive trust economics model was found in the source code.
+
+## Why Not Implemented
+- No proof marketplace, trust economics model, or adaptive trust ledger found anywhere in `src/`
+- No `ProofMarket`, `TrustEconomics`, or `TrustLedger` modules, namespaces, or classes exist
+- The proof chain system (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/`) provides cryptographic proof generation and verification but not a marketplace or economic model
+- The trust verdict system tracks trust levels but not economics
+- This appears to be a research/vision concept with no implementation started
+- Likely deferred indefinitely as it requires novel research into trust economics
+
+## Source
+- Feature matrix scan
+
+## Notes
+- Module: Uncategorized
+- Modules referenced: N/A
+- This is a forward-looking research concept, not a near-term engineering deliverable

docs/features/dropped/runtime-trace-merge.md

@@ -0,0 +1,37 @@
+# Runtime trace merge (eBPF/ETW observed edges)
+
+## Module
+Signals
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+Runtime facts ingestion and provenance normalization exist, but full eBPF/ETW trace integration appears to be at the synthetic probe level rather than production-grade runtime tracing.
+
+## What's Implemented
+- **Modules**: `src/Signals/StellaOps.Signals/Services/`, `src/Signals/StellaOps.Signals.RuntimeAgent/`, `src/Signals/__Libraries/StellaOps.Signals.Ebpf/`
+- **Key Classes**:
+  - `RuntimeFactsIngestService` (`src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeFactsIngestService.cs`) - ingests runtime facts from agents
+  - `SyntheticRuntimeProbeBuilder` (`src/Signals/StellaOps.Signals/Services/SyntheticRuntimeProbeBuilder.cs`) - builds synthetic runtime probes for testing reachability
+  - `ProcSnapshotDocument` (`src/Signals/StellaOps.Signals/Models/ProcSnapshotDocument.cs`) - process snapshot model for runtime state capture
+  - `ReachabilityLattice` (`src/Signals/StellaOps.Signals/Lattice/ReachabilityLattice.cs`) - merge logic for combining static and runtime evidence
+  - `RuntimeSignalCollector` (`src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeSignalCollector.cs`) - eBPF-based runtime signal collection (experimental)
+- **Source**: Feature matrix scan
+
+## What's Missing
+- Production-grade eBPF trace merging with static callgraph edges
+- ETW (Event Tracing for Windows) trace collection and merge
+- Conflict resolution when runtime traces contradict static analysis
+- Runtime trace deduplication across multiple collection windows
+- Performance profiling of trace merge under high-volume runtime data
+
+## Implementation Plan
+- Implement runtime-to-static edge merge algorithm with conflict resolution strategies
+- Add ETW trace collection agent for Windows container environments
+- Implement trace deduplication with temporal windowing
+- Benchmark merge performance and optimize for high-throughput runtime streams
+- Add integration tests for eBPF and ETW trace merge scenarios
+
+## Related Documentation
+- Source: See feature catalog

docs/features/dropped/scanner-deterministic-regression-test-framework.md

@@ -0,0 +1,54 @@
+# Scanner Deterministic Regression Test Framework
+
+## Module
+Scanner
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+A structured regression test framework with standardized case layout, golden fixture comparison, and dedicated CI job. Each regression case is identified by `SCN-XXXX-slug`, contains frozen inputs and expected outputs, and uses byte-level comparison to detect scanner output drift.
+
+## What's Implemented
+- **Existing Determinism Tests**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/` - Golden fixture tests for SmartDiff comparing actual vs. expected SBOM deltas with frozen inputs
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests/` - Deterministic language analyzer tests with frozen package.json/lock files
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Ruby.Tests/` - Deterministic Ruby analyzer tests with frozen Gemfile.lock fixtures
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests/` - Deterministic Java analyzer tests with frozen pom.xml/build.gradle fixtures
+- **Reachability Tests**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/` - Reachability analysis tests with frozen call-graph fixtures and expected classification outputs
+- **Test Infrastructure**:
+  - Existing test projects demonstrate the golden fixture pattern (frozen input -> run analyzer -> compare against expected output) but each project uses its own ad-hoc fixture layout
+
+## What's Missing
+- **Standardized Case Layout**: No `Regression/` directory with `SCN-XXXX-slug/` subdirectories containing:
+  - `case.metadata.json` (case ID, description, scanner version that introduced the regression, severity)
+  - `case.md` (human-readable regression description with root cause analysis)
+  - `input/` (frozen input fixtures: container layers, SBOMs, lock files)
+  - `expected/` (expected output fixtures: SBOMs, reachability results, verdict payloads)
+- **Regression Test Runner**: No unified test runner that discovers all `SCN-XXXX-slug/` cases, runs each through the scanner pipeline, and performs byte-level output comparison
+- **Dedicated CI Job**: No `scanner-regression` CI job that runs regression tests separately from unit tests with clear pass/fail reporting per case
+- **Regression Case Generator**: No tooling to capture a failing scanner scenario and automatically generate a new `SCN-XXXX-slug/` case from it
+- **Drift Detection**: No tooling to detect when scanner output changes (intentionally or unintentionally) and prompt for expected-output updates with review
+
+## Implementation Plan
+1. Create `src/Scanner/__Tests/StellaOps.Scanner.Regression.Tests/` project with case discovery infrastructure
+2. Define `case.metadata.json` schema with fields: caseId, slug, description, introducedInVersion, severity, tags
+3. Create initial regression cases from existing golden fixture tests (migrate 5-10 representative cases)
+4. Implement `RegressionTestRunner` that discovers cases, runs scanner pipeline on inputs, compares outputs byte-by-byte
+5. Add `case-capture` CLI tool that takes a scanner invocation and generates a new case directory with frozen inputs and current outputs
+6. Add `scanner-regression` CI job in `.gitea/workflows/` that runs regression tests and reports per-case pass/fail
+7. Add drift detection that generates a diff report when expected output changes
+
+## E2E Test Plan
+- [ ] Run the regression test runner and verify all `SCN-XXXX-slug/` cases produce output that byte-matches their `expected/` fixtures
+- [ ] Add a new regression case using the case-capture tool and verify it is automatically discovered by the test runner on the next run
+- [ ] Introduce an intentional scanner change that modifies output for one case and verify the regression test runner detects the drift and fails the case
+- [ ] Update the expected output for the changed case and verify the test runner passes again
+- [ ] Verify `case.metadata.json` is validated on test startup (missing required fields cause a clear error)
+- [ ] Verify the CI job produces a per-case pass/fail report with case ID, slug, and failure diff for any failing cases
+- [ ] Verify regression tests run in under 5 minutes for the initial 10-case corpus
+
+## Related Documentation
+- Source: See feature catalog
+- Architecture: `docs/modules/scanner/architecture.md`

docs/features/dropped/time-to-evidence-metric.md

@@ -0,0 +1,31 @@
+# Time-to-Evidence (TTE) Metric
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+The TTE metric (measuring time from finding open to first proof rendered) is not implemented in the frontend or backend.
+
+## Module
+Telemetry
+
+## What's Implemented
+- **TTE metrics collection**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TimeToEvidenceMetrics.cs`
+- **Percentile exporter**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TtePercentileExporter.cs` (P50/P90/P99)
+- **Scan completion integration**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/ScanCompletionMetricsIntegration.cs`
+- **Attestation metrics**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/Metrics/AttestationMetrics.cs`
+- **DI registration**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TelemetryServiceCollectionExtensions.cs`
+- **Baseline tracking**: `src/__Tests/__Benchmarks/baselines/ttfs-baseline.json`
+
+## What's Missing
+- Frontend visualization of TTE metrics (dashboard/chart in Web UI)
+- TTE trend visualization over time
+- Per-finding TTE breakdown in the UI
+
+## Implementation Plan
+- Add TTE dashboard widget to Web UI
+- Show TTE percentile trends over time
+- Include TTE metric in finding detail view
+
+## Source
+- Feature matrix scan

docs/features/unchecked/advisoryai/advisoryai-orchestrator.md

@@ -0,0 +1,34 @@
+# AdvisoryAI Orchestrator (Chat + Workbench + Runs)
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+The AdvisoryAI module provides a chat orchestrator with session management, run tracking (with artifacts and events), and tool routing. Backend web service with chat and run endpoints is operational.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.Worker/`
+- **Key Classes**:
+  - `AdvisoryPipelineOrchestrator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Orchestration/AdvisoryPipelineOrchestrator.cs`) - main pipeline orchestrator coordinating task plans and execution
+  - `AdvisoryPipelineExecutor` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Execution/AdvisoryPipelineExecutor.cs`) - executes advisory pipeline stages
+  - `AdvisoryChatService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Services/AdvisoryChatService.cs`) - chat session orchestration service
+  - `ConversationService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/ConversationService.cs`) - manages conversation state and context
+  - `RunService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Runs/RunService.cs`) - tracks runs with artifacts and events
+  - `InMemoryRunStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Runs/InMemoryRunStore.cs`) - in-memory storage for run data
+  - `AdvisoryChatIntentRouter` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Routing/AdvisoryChatIntentRouter.cs`) - routes chat intents to appropriate handlers
+  - `ChatEndpoints` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Endpoints/ChatEndpoints.cs`) - REST endpoints for chat operations
+  - `RunEndpoints` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Endpoints/RunEndpoints.cs`) - REST endpoints for run tracking
+  - `AdvisoryTaskWorker` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Worker/Services/AdvisoryTaskWorker.cs`) - background worker processing advisory tasks
+- **Interfaces**: `IAdvisoryPipelineOrchestrator`, `IRunService`, `IRunStore`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Submit a chat message via `ChatEndpoints` and verify `AdvisoryChatService` processes it with correct conversation context
+- [ ] Create a run via `RunEndpoints` and verify `RunService` tracks artifacts and events in `InMemoryRunStore`
+- [ ] Verify `AdvisoryChatIntentRouter` routes different intent types (explain, remediate, policy) to correct handlers
+- [ ] Verify `AdvisoryPipelineOrchestrator` creates and executes task plans with `AdvisoryPipelineExecutor`
+- [ ] Verify `AdvisoryTaskWorker` picks up queued tasks and processes them to completion
+- [ ] Verify conversation context is maintained across multiple messages in the same session via `ConversationService`

docs/features/unchecked/advisoryai/advisoryai-pipeline-with-guardrails.md

@@ -0,0 +1,36 @@
+# AdvisoryAI Pipeline with Guardrails
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+Full advisory AI pipeline with guardrails, chat interface, action execution, and idempotency handling. Includes retrieval, structured/vector retrievers, and SBOM context retrieval.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.Hosting/`
+- **Key Classes**:
+  - `AdvisoryGuardrailPipeline` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Guardrails/AdvisoryGuardrailPipeline.cs`) - guardrail pipeline filtering AI inputs and outputs
+  - `AdvisoryPipelineOrchestrator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Orchestration/AdvisoryPipelineOrchestrator.cs`) - orchestrates pipeline stages with guardrail checks
+  - `AdvisoryPipelineExecutor` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Execution/AdvisoryPipelineExecutor.cs`) - executes pipeline with pre/post guardrails
+  - `AdvisoryStructuredRetriever` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Retrievers/AdvisoryStructuredRetriever.cs`) - retrieves structured advisory data
+  - `AdvisoryVectorRetriever` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Retrievers/AdvisoryVectorRetriever.cs`) - vector-based semantic retrieval
+  - `SbomContextRetriever` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Retrievers/SbomContextRetriever.cs`) - retrieves SBOM context for vulnerability analysis
+  - `ActionExecutor` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ActionExecutor.cs`) - executes AI-proposed actions
+  - `IdempotencyHandler` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/IdempotencyHandler.cs`) - ensures idempotent action execution
+  - `GuardrailAllowlistLoader` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Hosting/GuardrailAllowlistLoader.cs`) - loads guardrail allowlists from configuration
+  - `GuardrailPhraseLoader` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Hosting/GuardrailPhraseLoader.cs`) - loads guardrail phrase filters
+  - `AdvisoryAiGuardrailOptions` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Hosting/AdvisoryAiGuardrailOptions.cs`) - guardrail configuration options
+- **Interfaces**: `IAdvisoryStructuredRetriever`, `IAdvisoryVectorRetriever`, `ISbomContextRetriever`, `IActionExecutor`, `IIdempotencyHandler`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Submit a prompt through `AdvisoryGuardrailPipeline` and verify guardrails filter prohibited content before reaching LLM
+- [ ] Verify `AdvisoryStructuredRetriever` returns relevant CVE/advisory data for a given vulnerability query
+- [ ] Verify `AdvisoryVectorRetriever` performs semantic search and returns ranked results
+- [ ] Verify `SbomContextRetriever` enriches prompts with SBOM component context
+- [ ] Execute an action through `ActionExecutor` and verify `IdempotencyHandler` prevents duplicate execution
+- [ ] Verify `GuardrailAllowlistLoader` and `GuardrailPhraseLoader` correctly load and enforce content filters
+- [ ] Verify the full pipeline flow: retrieval -> guardrail check -> LLM inference -> output guardrail -> response

docs/features/unchecked/advisoryai/ai-action-policy-gate.md

@@ -0,0 +1,31 @@
+# AI Action Policy Gate (K4 Lattice Governance for AI-Proposed Actions)
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+Connects AI-proposed actions to the Policy Engine's K4 lattice for governance-aware automation. Moves beyond simple role checks to VEX-aware policy gates with approval workflows, idempotency tracking, and action audit ledger. Enables "AI that acts" with governance guardrails.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/`
+- **Key Classes**:
+  - `ActionPolicyGate` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ActionPolicyGate.cs`) - evaluates AI-proposed actions against K4 lattice policy rules
+  - `ActionRegistry` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ActionRegistry.cs`) - registry of available AI actions with metadata and policy requirements
+  - `ActionExecutor` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ActionExecutor.cs`) - executes approved actions with policy gate checks
+  - `ActionAuditLedger` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ActionAuditLedger.cs`) - immutable audit trail of all action decisions and executions
+  - `ApprovalWorkflowAdapter` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ApprovalWorkflowAdapter.cs`) - integrates with approval workflows for gated actions
+  - `IdempotencyHandler` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/IdempotencyHandler.cs`) - ensures actions are not duplicated
+  - `ActionDefinition` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ActionDefinition.cs`) - defines an action's capabilities, constraints, and policy metadata
+- **Interfaces**: `IActionPolicyGate`, `IActionRegistry`, `IActionExecutor`, `IActionAuditLedger`, `IApprovalWorkflowAdapter`, `IIdempotencyHandler`, `IGuidGenerator`
+- **Source**: SPRINT_20260109_011_004_BE_policy_action_integration.md
+
+## E2E Test Plan
+- [ ] Register an action in `ActionRegistry` and verify `ActionPolicyGate` evaluates it against K4 lattice policy rules
+- [ ] Submit an action requiring approval and verify `ApprovalWorkflowAdapter` creates an approval request
+- [ ] Execute a gated action after approval and verify `ActionAuditLedger` records the decision, approval, and execution
+- [ ] Submit a duplicate action and verify `IdempotencyHandler` prevents re-execution
+- [ ] Submit an action that violates policy and verify `ActionPolicyGate` rejects it with a policy violation reason
+- [ ] Verify `ActionDefinition` metadata (risk level, required approvals, allowed scopes) is enforced during gate evaluation

docs/features/unchecked/advisoryai/ai-remedy-autopilot-with-multi-scm-pull-request-generation.md

@@ -0,0 +1,37 @@
+# AI Remedy Autopilot with Multi-SCM Pull Request Generation
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+AI-powered remediation service that generates fix plans (dependency bumps, base image upgrades, config changes, backport guidance), then creates PRs automatically across GitHub, GitLab, Azure DevOps, and Gitea via a unified SCM connector plugin architecture. Includes build verification, SBOM delta computation, signed delta verdicts, and fallback to "suggestion-only" when build/tests fail.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.Scm.Plugin.Unified/`
+- **Key Classes**:
+  - `AiRemediationPlanner` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/AiRemediationPlanner.cs`) - AI-driven remediation plan generation
+  - `RemediationDeltaService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/RemediationDeltaService.cs`) - computes SBOM delta for remediation impact
+  - `PrTemplateBuilder` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/PrTemplateBuilder.cs`) - builds PR descriptions with evidence and delta info
+  - `GitHubPullRequestGenerator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/GitHubPullRequestGenerator.cs`) - generates PRs on GitHub
+  - `GitLabMergeRequestGenerator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/GitLabMergeRequestGenerator.cs`) - generates MRs on GitLab
+  - `AzureDevOpsPullRequestGenerator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/AzureDevOpsPullRequestGenerator.cs`) - generates PRs on Azure DevOps
+  - `GiteaScmConnector` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/ScmConnector/GiteaScmConnector.cs`) - Gitea SCM integration
+  - `GitHubScmConnector` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/ScmConnector/GitHubScmConnector.cs`) - GitHub SCM integration
+  - `GitLabScmConnector` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/ScmConnector/GitLabScmConnector.cs`) - GitLab SCM integration
+  - `AzureDevOpsScmConnector` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/ScmConnector/AzureDevOpsScmConnector.cs`) - Azure DevOps SCM integration
+  - `ScmConnectorCatalog` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/ScmConnector/ScmConnectorCatalog.cs`) - catalog of available SCM connectors
+  - `ScmPluginAdapter` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Scm.Plugin.Unified/ScmPluginAdapter.cs`) - unified plugin adapter for SCM operations
+  - `ScmPluginAdapterFactory` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Scm.Plugin.Unified/ScmPluginAdapterFactory.cs`) - factory for creating SCM plugin adapters
+- **Interfaces**: `IRemediationPlanner`, `IPullRequestGenerator`, `IScmConnector`, `IPackageVersionResolver`
+- **Source**: SPRINT_20251226_016_AI_remedy_autopilot.md
+
+## E2E Test Plan
+- [ ] Generate a remediation plan via `AiRemediationPlanner` for a known CVE and verify it includes dependency bump steps
+- [ ] Create a PR via `GitHubPullRequestGenerator` and verify `PrTemplateBuilder` populates the description with evidence
+- [ ] Verify `RemediationDeltaService` computes SBOM delta showing before/after dependency changes
+- [ ] Verify `ScmConnectorCatalog` resolves the correct connector (GitHub, GitLab, AzureDevOps, Gitea) based on repository URL
+- [ ] Verify `ScmPluginAdapter` creates branches, commits changes, and opens PRs through the unified plugin interface
+- [ ] Verify fallback to "suggestion-only" mode when build verification fails after applying the fix

docs/features/unchecked/advisoryai/chat-gateway-with-quotas-and-scrubbing.md

@@ -0,0 +1,35 @@
+# Chat Gateway with Quotas and Scrubbing
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+Chat gateway with configurable options (quotas, budgets) and service-layer chat orchestration is implemented.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/`
+- **Key Classes**:
+  - `AdvisoryChatService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Services/AdvisoryChatService.cs`) - main chat service with quota enforcement
+  - `AdvisoryChatQuotaService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Services/AdvisoryChatQuotaService.cs`) - per-user/tenant quota tracking and enforcement
+  - `AdvisoryChatOptions` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Options/AdvisoryChatOptions.cs`) - configurable chat options (quotas, budgets, limits)
+  - `GroundingValidator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/GroundingValidator.cs`) - validates AI responses are grounded in evidence
+  - `ChatResponseStreamer` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/ChatResponseStreamer.cs`) - streams chat responses with progressive delivery
+  - `ChatPromptAssembler` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/ChatPromptAssembler.cs`) - assembles prompts with scrubbing and context injection
+  - `ConversationContextBuilder` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/ConversationContextBuilder.cs`) - builds conversation context with relevant data
+  - `ChatEndpoints` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Endpoints/ChatEndpoints.cs`) - REST API endpoints for chat gateway
+  - `RateLimitsService` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Services/RateLimitsService.cs`) - rate limiting for chat API calls
+  - `AuthorizationService` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Services/AuthorizationService.cs`) - authorization checks for chat access
+- **Interfaces**: `IAdvisoryChatInferenceClient`, `IAiConsentStore`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Send chat messages and verify `AdvisoryChatQuotaService` enforces per-user quotas (reject after limit exceeded)
+- [ ] Configure quota limits via `AdvisoryChatOptions` and verify they are applied at runtime
+- [ ] Verify `ChatPromptAssembler` scrubs sensitive data (credentials, tokens) from prompts before sending to LLM
+- [ ] Verify `GroundingValidator` flags responses that lack evidence grounding
+- [ ] Verify `RateLimitsService` rate-limits excessive chat API calls
+- [ ] Verify `ChatResponseStreamer` delivers streaming responses with proper chunking
+- [ ] Verify `AuthorizationService` rejects chat requests from unauthorized users

docs/features/unchecked/advisoryai/deterministic-ai-artifact-replay.md

@@ -0,0 +1,31 @@
+# Deterministic AI Artifact Replay
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+Deterministic replay infrastructure for AI artifacts including replay manifests, prompt template versioning, and input artifact hashing for reproducible AI outputs.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Replay/`, `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/`
+- **Key Classes**:
+  - `AIArtifactReplayer` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Replay/AIArtifactReplayer.cs`) - replays AI artifacts with deterministic inputs for verification
+  - `ReplayInputArtifact` (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayInputArtifact.cs`) - input artifact model with content-addressed hashing
+  - `ReplayPromptTemplate` (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayPromptTemplate.cs`) - versioned prompt templates for replay
+  - `ReplayResult` (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayResult.cs`) - replay execution result with comparison data
+  - `ReplayVerificationResult` (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayVerificationResult.cs`) - verification of replay output against original
+  - `ReplayStatus` (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayStatus.cs`) - replay status tracking
+  - `DeterministicHashVectorEncoder` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Vectorization/DeterministicHashVectorEncoder.cs`) - deterministic hash-based vector encoding for reproducibility
+- **Interfaces**: None (uses concrete replay pipeline)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Record an AI inference run and verify `AIArtifactReplayer` can replay it with identical inputs
+- [ ] Verify `ReplayInputArtifact` computes content-addressed hashes that match across replay invocations
+- [ ] Verify `ReplayPromptTemplate` versioning: replay with a v1 template produces the same output as the original v1 run
+- [ ] Verify `ReplayVerificationResult` detects differences when the replay output diverges from the original
+- [ ] Verify `DeterministicHashVectorEncoder` produces identical vectors for identical inputs across runs
+- [ ] Verify replay with temperature=0 and fixed seed produces bit-identical outputs for supported providers

docs/features/unchecked/advisoryai/evidence-first-ai-outputs.md

@@ -0,0 +1,38 @@
+# Evidence-First AI Outputs (Citations, Evidence Packs)
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+Evidence bundle assembly with schema-validated JSON, data providers for citations, and evidence pack integration in chat responses is implemented.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/`
+- **Key Classes**:
+  - `EvidenceBundleAssembler` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/EvidenceBundleAssembler.cs`) - assembles evidence bundles from multiple data providers
+  - `EvidencePackChatIntegration` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/EvidencePackChatIntegration.cs`) - integrates evidence packs into chat responses
+  - `AttestationIntegration` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/AttestationIntegration.cs`) - links evidence packs to attestation framework
+  - `SbomDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/SbomDataProvider.cs`) - provides SBOM data for evidence bundles
+  - `VexDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/VexDataProvider.cs`) - provides VEX data for evidence bundles
+  - `ReachabilityDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/ReachabilityDataProvider.cs`) - provides reachability scoring data
+  - `PolicyDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/PolicyDataProvider.cs`) - provides policy evaluation data
+  - `ProvenanceDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/ProvenanceDataProvider.cs`) - provides provenance/SLSA data
+  - `FixDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/FixDataProvider.cs`) - provides fix availability data
+  - `BinaryPatchDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/BinaryPatchDataProvider.cs`) - provides binary patch analysis data
+  - `ContextDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/ContextDataProvider.cs`) - provides contextual data
+  - `OpsMemoryDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/OpsMemoryDataProvider.cs`) - provides OpsMemory historical decision data
+  - `EvidencePackEndpoints` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Endpoints/EvidencePackEndpoints.cs`) - REST endpoints for evidence pack access
+- **Interfaces**: `IEvidenceBundleAssembler`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Assemble an evidence bundle via `EvidenceBundleAssembler` and verify all data providers contribute relevant sections
+- [ ] Verify `SbomDataProvider` includes component version and license data in the evidence bundle
+- [ ] Verify `VexDataProvider` includes VEX status (affected/not_affected/fixed) for referenced CVEs
+- [ ] Verify `ReachabilityDataProvider` includes reachability scores and call-path evidence
+- [ ] Verify `EvidencePackChatIntegration` attaches evidence pack references to chat responses
+- [ ] Verify `AttestationIntegration` signs evidence packs with attestation metadata
+- [ ] Access evidence packs via `EvidencePackEndpoints` and verify schema-validated JSON output

docs/features/unchecked/advisoryai/evidence-first-citations-in-chat-responses.md

@@ -0,0 +1,31 @@
+# Evidence-First Citations in Chat Responses
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+Evidence bundle assembly with citations in chat responses and UI evidence drilldown is implemented.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/`, `src/AdvisoryAi/StellaOps.AdvisoryAI/Explanation/`
+- **Key Classes**:
+  - `EvidenceAnchoredExplanationGenerator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Explanation/EvidenceAnchoredExplanationGenerator.cs`) - generates explanations anchored to evidence citations
+  - `EvidencePackChatIntegration` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/EvidencePackChatIntegration.cs`) - embeds evidence citations into chat responses
+  - `GroundingValidator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/GroundingValidator.cs`) - validates that AI claims are grounded in cited evidence
+  - `ExplanationPromptTemplates` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Explanation/ExplanationPromptTemplates.cs`) - prompt templates for citation-rich explanations
+  - `DefaultExplanationPromptService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Explanation/DefaultExplanationPromptService.cs`) - assembles explanation prompts with citation instructions
+  - `InMemoryExplanationStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Explanation/InMemoryExplanationStore.cs`) - stores explanation requests and results
+  - `ActionProposalParser` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/ActionProposalParser.cs`) - parses action proposals from LLM responses with citation references
+- **Interfaces**: `IExplanationGenerator`, `IExplanationRequestStore`, `IEvidenceRetrievalService`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Generate an explanation via `EvidenceAnchoredExplanationGenerator` and verify it contains citation references to evidence items
+- [ ] Verify `GroundingValidator` rejects explanations that make claims without corresponding evidence citations
+- [ ] Verify `EvidencePackChatIntegration` embeds clickable citation references in chat response markdown
+- [ ] Verify `ExplanationPromptTemplates` instruct the LLM to cite evidence sources in its output
+- [ ] Verify `InMemoryExplanationStore` persists explanation requests and results for later retrieval
+- [ ] Verify `ActionProposalParser` extracts cited evidence IDs from LLM-generated action proposals

docs/features/unchecked/advisoryai/immutable-audit-log-for-ai-interactions.md

@@ -0,0 +1,31 @@
+# Immutable Audit Log for AI Interactions
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+DSSE-signed audit envelope builder for chat interactions with prompts, tool calls, and model fingerprints is implemented.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Audit/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/`
+- **Key Classes**:
+  - `AdvisoryChatAuditEnvelopeBuilder` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Audit/AdvisoryChatAuditEnvelopeBuilder.cs`) - builds DSSE-signed audit envelopes for chat interactions
+  - `ChatAuditRecords` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Audit/ChatAuditRecords.cs`) - audit record models (prompts, responses, tool calls, model fingerprints)
+  - `PostgresAdvisoryChatAuditLogger` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Services/PostgresAdvisoryChatAuditLogger.cs`) - persists audit records to PostgreSQL
+  - `NullAdvisoryChatAuditLogger` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Services/NullAdvisoryChatAuditLogger.cs`) - no-op audit logger for testing
+  - `AttestationEndpoints` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Endpoints/AttestationEndpoints.cs`) - REST endpoints for attestation/audit retrieval
+  - `NullEvidencePackSigner` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Evidence/NullEvidencePackSigner.cs`) - no-op evidence pack signer for development
+  - `AdvisoryPipelineMetrics` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Metrics/AdvisoryPipelineMetrics.cs`) - metrics collection for audit visibility
+- **Interfaces**: None (uses concrete audit pipeline)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Send a chat message and verify `AdvisoryChatAuditEnvelopeBuilder` creates a DSSE-signed envelope containing the prompt, response, and model fingerprint
+- [ ] Verify `ChatAuditRecords` captures tool call invocations with parameters and results
+- [ ] Verify `PostgresAdvisoryChatAuditLogger` persists audit records and they are retrievable via `AttestationEndpoints`
+- [ ] Verify audit envelopes are immutable: attempting to modify a persisted record fails
+- [ ] Verify audit records include model identifier, temperature setting, and token counts
+- [ ] Verify audit log entries are queryable by user, session, and time range

docs/features/unchecked/advisoryai/llm-inference-response-caching.md

@@ -0,0 +1,28 @@
+# LLM Inference Response Caching
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+In-memory LLM inference cache that deduplicates identical prompt+model combinations. Reduces API costs and latency by caching deterministic responses keyed by content hash.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/`
+- **Key Classes**:
+  - `LlmInferenceCache` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/LlmInferenceCache.cs`) - in-memory cache keyed by content hash of prompt+model+parameters
+  - `LlmProviderFactory` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/LlmProviderFactory.cs`) - factory that wraps providers with caching layer
+  - `LlmProviderOptions` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/LlmProviderOptions.cs`) - provider options including cache TTL and size limits
+  - `ProviderBasedAdvisoryInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/ProviderBasedAdvisoryInferenceClient.cs`) - inference client that uses the caching layer
+- **Interfaces**: `ILlmProvider`
+- **Source**: SPRINT_20251226_019_AI_offline_inference.md
+
+## E2E Test Plan
+- [ ] Send identical prompts twice and verify `LlmInferenceCache` returns the cached response on the second call without hitting the LLM
+- [ ] Verify cache keys include model ID and parameters: same prompt with different temperature results in cache miss
+- [ ] Verify cache TTL: cached responses expire after configured duration
+- [ ] Verify cache size limits: when max entries are reached, oldest entries are evicted
+- [ ] Verify cache bypass: non-deterministic requests (temperature > 0) are not cached
+- [ ] Verify `ProviderBasedAdvisoryInferenceClient` correctly integrates caching with the provider pipeline

docs/features/unchecked/advisoryai/llm-provider-plugin-architecture.md

@@ -0,0 +1,40 @@
+# LLM Provider Plugin Architecture (Multi-Provider Inference)
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+Pluggable LLM provider architecture with ILlmProvider interface supporting OpenAI, Claude, Gemini, llama.cpp (LlamaServer), and Ollama backends. Includes LlmProviderFactory for runtime selection and configuration validation. Enables sovereign/offline inference by switching to local providers.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/`, `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Inference/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.Plugin.Unified/`
+- **Key Classes**:
+  - `LlmProviderFactory` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/LlmProviderFactory.cs`) - factory for runtime LLM provider selection
+  - `OpenAiLlmProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/OpenAiLlmProvider.cs`) - OpenAI API provider
+  - `ClaudeLlmProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/ClaudeLlmProvider.cs`) - Anthropic Claude API provider
+  - `GeminiLlmProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/GeminiLlmProvider.cs`) - Google Gemini API provider
+  - `LlamaServerLlmProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/LlamaServerLlmProvider.cs`) - local llama.cpp server provider
+  - `OllamaLlmProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/OllamaLlmProvider.cs`) - Ollama local inference provider
+  - `LlmProviderOptions` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/LlmProviderOptions.cs`) - provider configuration and validation
+  - `ClaudeInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Inference/ClaudeInferenceClient.cs`) - Claude-specific chat inference client
+  - `OpenAIInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Inference/OpenAIInferenceClient.cs`) - OpenAI-specific chat inference client
+  - `OllamaInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Inference/OllamaInferenceClient.cs`) - Ollama-specific chat inference client
+  - `LocalInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Inference/LocalInferenceClient.cs`) - local model inference client
+  - `LlmPluginAdapter` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Plugin.Unified/LlmPluginAdapter.cs`) - unified plugin adapter for LLM providers
+  - `LlmPluginAdapterFactory` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Plugin.Unified/LlmPluginAdapterFactory.cs`) - factory for creating LLM plugin adapters
+  - `SystemPromptLoader` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Inference/SystemPromptLoader.cs`) - loads system prompts for inference clients
+- **Interfaces**: `ILlmProvider`, `ILlmProviderPlugin`, `IAdvisoryChatInferenceClient`
+- **Source**: SPRINT_20251226_019_AI_offline_inference.md
+
+## E2E Test Plan
+- [ ] Configure `LlmProviderFactory` with multiple providers and verify runtime selection based on configuration
+- [ ] Verify `OpenAiLlmProvider` sends requests to OpenAI API with correct authentication and model parameters
+- [ ] Verify `ClaudeLlmProvider` sends requests to Claude API with correct authentication
+- [ ] Verify `OllamaLlmProvider` connects to local Ollama instance and performs inference
+- [ ] Verify `LlamaServerLlmProvider` connects to local llama.cpp server endpoint
+- [ ] Verify `LlmProviderOptions` validation rejects invalid configurations (missing API keys, invalid endpoints)
+- [ ] Verify `LlmPluginAdapter` provides health checks for configured LLM providers
+- [ ] Verify provider failover: when primary provider is unavailable, factory falls back to secondary

docs/features/unchecked/advisoryai/natural-language-to-policy-rule-compiler.md

@@ -0,0 +1,31 @@
+# Natural Language to Policy Rule Compiler (Policy Studio Copilot)
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+AI-powered natural language to lattice rule translation engine including PolicyIntentType parsing, LatticeRuleGenerator, property-based test synthesizer for generated rules, and PolicyBundleCompiler. Transforms plain-English policy descriptions into formal stella-dsl@1 rules with live preview and conflict visualization.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/`
+- **Key Classes**:
+  - `AiPolicyIntentParser` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/AiPolicyIntentParser.cs`) - parses natural language into structured policy intents using LLM
+  - `LatticeRuleGenerator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/LatticeRuleGenerator.cs`) - generates K4 lattice rules from parsed policy intents
+  - `PropertyBasedTestSynthesizer` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/PropertyBasedTestSynthesizer.cs`) - synthesizes property-based test cases for generated rules
+  - `PolicyBundleCompiler` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/PolicyBundleCompiler.cs`) - compiles generated rules into a deployable policy bundle
+  - `PolicyIntent` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/PolicyIntent.cs`) - policy intent model with type, constraints, and conditions
+  - `InMemoryPolicyIntentStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/InMemoryPolicyIntentStore.cs`) - stores policy intents for iterative refinement
+  - `NullPolicyIntentParser` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/NullPolicyIntentParser.cs`) - no-op parser for testing
+- **Interfaces**: `IPolicyIntentParser`, `IPolicyRuleGenerator`, `ITestCaseSynthesizer`
+- **Source**: SPRINT_20251226_017_AI_policy_copilot.md
+
+## E2E Test Plan
+- [ ] Submit a natural language policy description (e.g., "block critical CVEs without a fix") and verify `AiPolicyIntentParser` produces a structured `PolicyIntent`
+- [ ] Verify `LatticeRuleGenerator` translates the intent into valid stella-dsl@1 lattice rules
+- [ ] Verify `PropertyBasedTestSynthesizer` generates test cases that exercise the generated rule's accept/reject boundaries
+- [ ] Verify `PolicyBundleCompiler` compiles rules into a deployable bundle with correct schema version
+- [ ] Verify `InMemoryPolicyIntentStore` supports iterative refinement: modify an intent and regenerate rules
+- [ ] Verify conflict detection: generate two conflicting rules and verify the compiler reports the conflict

docs/features/unchecked/advisoryai/opsmemory-chat-integration.md

@@ -0,0 +1,28 @@
+# OpsMemory-Chat Integration (Decision Memory in AI Conversations)
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+Connects OpsMemory institutional decision memory to AdvisoryAI Chat, enabling the AI to surface relevant past decisions during conversations and automatically record new decisions with outcomes for feedback loop learning.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/`
+- **Key Classes**:
+  - `OpsMemoryIntegration` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/OpsMemoryIntegration.cs`) - integrates OpsMemory decision retrieval into chat pipeline
+  - `OpsMemoryLinkResolver` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/OpsMemoryLinkResolver.cs`) - resolves OpsMemory links referenced in chat context
+  - `OpsMemoryDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/OpsMemoryDataProvider.cs`) - data provider that fetches relevant OpsMemory entries for evidence bundles
+  - `ConversationContextBuilder` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/ConversationContextBuilder.cs`) - includes OpsMemory context in conversation history
+- **Interfaces**: None (uses concrete integration classes)
+- **Source**: SPRINT_20260109_011_002_BE_opsmemory_chat_integration.md
+
+## E2E Test Plan
+- [ ] Ask about a CVE that has a prior decision in OpsMemory and verify `OpsMemoryIntegration` surfaces the past decision in the response
+- [ ] Verify `OpsMemoryDataProvider` includes relevant past decisions in the evidence bundle for chat responses
+- [ ] Verify `OpsMemoryLinkResolver` resolves OpsMemory entry links to their full decision details
+- [ ] Verify `ConversationContextBuilder` enriches prompts with relevant OpsMemory context
+- [ ] Verify new decisions made during chat are recorded back into OpsMemory for future retrieval
+- [ ] Verify OpsMemory integration does not include stale decisions (respects TTL/validity windows)

docs/features/unchecked/advisoryai/sanctioned-tool-registry.md

@@ -0,0 +1,32 @@
+# Sanctioned Tool Registry (Policy-Gated Tool Execution)
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+Tool policy system with sanctioned tool registry controlling which AI tools can be invoked, with read-only defaults and confirmation-gated action tools.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Settings/`, `src/AdvisoryAi/StellaOps.AdvisoryAI/Tools/`
+- **Key Classes**:
+  - `AdvisoryChatToolPolicy` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Settings/AdvisoryChatToolPolicy.cs`) - defines which tools are sanctioned, read-only, or require confirmation
+  - `DeterministicToolset` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Tools/DeterministicToolset.cs`) - deterministic tool implementations (version analysis, dependency analysis)
+  - `AdvisoryChatSettingsService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Settings/AdvisoryChatSettingsService.cs`) - manages chat settings including tool policies
+  - `AdvisoryChatSettingsStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Settings/AdvisoryChatSettingsStore.cs`) - persists chat settings and tool policies
+  - `AdvisoryChatSettingsModels` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Settings/AdvisoryChatSettingsModels.cs`) - settings models for tool access levels
+  - `DependencyAnalysisResult` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Tools/DependencyAnalysisResult.cs`) - result model for dependency analysis tool
+  - `SemanticVersion` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Tools/SemanticVersion.cs`) - semantic version parsing for version analysis tool
+  - `SemanticVersionRange` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Tools/SemanticVersionRange.cs`) - version range matching for dependency tools
+- **Interfaces**: `IDeterministicToolset`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Configure `AdvisoryChatToolPolicy` with sanctioned tools and verify only those tools can be invoked during chat
+- [ ] Attempt to invoke a non-sanctioned tool and verify it is rejected with an access denied response
+- [ ] Verify read-only tools execute without confirmation prompts
+- [ ] Verify action tools (write operations) require user confirmation before execution
+- [ ] Verify `DeterministicToolset` provides consistent results for version analysis and dependency analysis
+- [ ] Verify `AdvisoryChatSettingsService` persists tool policy changes via `AdvisoryChatSettingsStore`

docs/features/unchecked/advisoryai/sovereign-offline-ai-inference-with-signed-model-bundles.md

@@ -0,0 +1,35 @@
+# Sovereign/Offline AI Inference with Signed Model Bundles
+
+## Module
+AdvisoryAI
+
+## Status
+IMPLEMENTED
+
+## Description
+Local LLM inference for air-gapped environments via a pluggable provider architecture supporting llama.cpp server, Ollama, OpenAI, Claude, and Gemini. DSSE-signed model bundle management with regional crypto support (eIDAS/FIPS/GOST/SM), digest verification at load time, deterministic output config (temperature=0, fixed seed), inference caching, benchmarking harness, and offline replay verification.
+
+## Implementation Details
+- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/`
+- **Key Classes**:
+  - `SignedModelBundleManager` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/SignedModelBundleManager.cs`) - manages DSSE-signed model bundles with digest verification at load time
+  - `ModelBundle` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/ModelBundle.cs`) - model bundle metadata including hash, signature, and regional crypto info
+  - `LlamaCppRuntime` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlamaCppRuntime.cs`) - llama.cpp local inference runtime
+  - `OnnxRuntime` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/OnnxRuntime.cs`) - ONNX runtime for local model inference
+  - `AdvisoryInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/AdvisoryInferenceClient.cs`) - main inference client with provider routing
+  - `ProviderBasedAdvisoryInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/ProviderBasedAdvisoryInferenceClient.cs`) - provider-based inference with caching
+  - `LlmBenchmark` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmBenchmark.cs`) - benchmarking harness for inference performance
+  - `LocalInferenceOptions` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LocalInferenceOptions.cs`) - configuration for local inference (temperature, seed, context size)
+  - `LocalLlmConfig` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LocalLlmConfig.cs`) - local LLM configuration (model path, quantization, GPU layers)
+  - `LocalChatInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Services/LocalChatInferenceClient.cs`) - chat-specific local inference client
+- **Interfaces**: `ILocalLlmRuntime`
+- **Source**: SPRINT_20251226_019_AI_offline_inference.md
+
+## E2E Test Plan
+- [ ] Load a signed model bundle via `SignedModelBundleManager` and verify DSSE signature and digest are validated
+- [ ] Verify `SignedModelBundleManager` rejects a model bundle with a tampered digest
+- [ ] Run inference through `LlamaCppRuntime` with temperature=0 and fixed seed and verify deterministic output
+- [ ] Run `LlmBenchmark` and verify it measures tokens/second and latency metrics
+- [ ] Verify `OnnxRuntime` loads and runs inference with an ONNX model
+- [ ] Configure `LocalInferenceOptions` with air-gap settings and verify no external network calls are made
+- [ ] Verify `ProviderBasedAdvisoryInferenceClient` caches deterministic responses and returns cached results on repeat queries

docs/features/unchecked/airgap/air-gap-bundle-system.md

@@ -0,0 +1,28 @@
+# Air-Gap Bundle System (DSSE-Signed Bundle Format with Import/Export)
+
+## Module
+AirGap
+
+## Status
+IMPLEMENTED
+
+## Description
+Comprehensive air-gap bundle system with DSSE signing and verification, bundle format with schemas/validation/trust snapshots, controller for state management, importer with quarantine-on-failure, atomic feed activation with rollback, file-based and router-based delivery transport, and offline kit validation (monotonicity checking, telemetry metrics). Covers offline update kits (OUK), replay packs, and audit pack export/import.
+
+## Implementation Details
+- **Controller**: `src/AirGap/StellaOps.AirGap.Controller/` -- state management (`AirGapState.cs`, `AirGapStateService.cs`), endpoints (`AirGapEndpoints.cs` with seal/verify), startup options, telemetry
+- **Importer**: `src/AirGap/StellaOps.AirGap.Importer/` -- bundle planning (`BundleImportPlanner.cs`), quarantine on failure (`FileSystemQuarantineService.cs`, `IQuarantineService.cs`), evidence reconciliation (`EvidenceReconciler.cs`, `EvidenceGraph.cs`), SBOM/DSSE parsers, version monotonicity, trust root config, replay verification
+- **Bundle library**: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/` -- bundle format, schema validation, trust snapshot management
+- **Sync library**: `src/AirGap/__Libraries/StellaOps.AirGap.Sync/` -- synchronization for bundle delivery
+- **Persistence**: `src/AirGap/__Libraries/StellaOps.AirGap.Persistence/` and `src/AirGap/StellaOps.AirGap.Storage.Postgres/`
+- **Policy**: `src/AirGap/StellaOps.AirGap.Policy/` -- offline verification policy, analyzers
+- **Tests**: Controller, Importer, Persistence, Sync, Time, and Policy tests under `src/AirGap/__Tests/`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Test bundle import with valid DSSE-signed bundle, verify state transition
+- [ ] Test quarantine behavior on invalid bundle signature
+- [ ] Test monotonicity check rejects older bundle version
+- [ ] Test evidence reconciliation correctly parses CycloneDx, DSSE attestations
+- [ ] Test atomic feed activation and rollback on failure
+- [ ] Verify bundle import planning produces correct plan

docs/features/unchecked/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots.md

@@ -0,0 +1,25 @@
+# Air-Gap Epistemic Mode with Sealed Startup and Feed Snapshots
+
+## Module
+AirGap
+
+## Status
+IMPLEMENTED
+
+## Description
+Full epistemic completeness for air-gapped environments: sealed startup validation, feed snapshot repositories, signed mirror connectors, cryptographic binding of knowledge state to scan results, snapshot management, and sealed install enforcement.
+
+## Implementation Details
+- **Sealed startup**: `src/AirGap/StellaOps.AirGap.Controller/Services/AirGapStartupDiagnosticsHostedService.cs` -- validates sealed state at startup
+- **Startup options**: `src/AirGap/StellaOps.AirGap.Controller/Options/AirGapStartupOptions.cs` -- sealed startup configuration
+- **State management**: `src/AirGap/StellaOps.AirGap.Controller/Domain/AirGapState.cs`, `Services/AirGapStateService.cs`
+- **State stores**: `src/AirGap/StellaOps.AirGap.Controller/Stores/IAirGapStateStore.cs`, `InMemoryAirGapStateStore.cs`
+- **Feed snapshots**: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/` -- snapshot management in bundle library
+- **Offline verification**: `src/AirGap/StellaOps.AirGap.Importer/Policy/OfflineVerificationPolicy.cs`, `OfflineVerificationPolicyLoader.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify sealed startup validation prevents operation with incomplete knowledge state
+- [ ] Test feed snapshot loading and cryptographic binding
+- [ ] Verify state transitions in air-gap controller
+- [ ] Test offline verification policy enforcement

docs/features/unchecked/airgap/deterministic-rekor-receipts-with-offline-verification.md

@@ -0,0 +1,25 @@
+# Deterministic Rekor Receipts with Offline Verification
+
+## Module
+AirGap
+
+## Status
+IMPLEMENTED
+
+## Description
+Offline Rekor receipt verifier validates checkpoint signatures (ECDSA/Ed25519), Merkle inclusion proofs per RFC 6962, and root hash consistency without live transparency log access. Includes TileProxy for local tile-based transparency log proxy, and mirror snapshot resolution for air-gapped deployments.
+
+## Implementation Details
+- **Rekor proof builder**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.Build.cs`, `EnhancedRekorProofBuilder.Validate.cs`, `EnhancedRekorProofBuilder.cs`
+- **Rekor inclusion proof**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/RekorInclusionProof.cs`
+- **Rekor verification step**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/RekorInclusionVerificationStep.cs`
+- **Replay verification**: `src/AirGap/StellaOps.AirGap.Controller/Services/ReplayVerificationService.cs`
+- **Importer replay**: `src/AirGap/StellaOps.AirGap.Importer/Contracts/ReplayVerificationRequest.cs`, `ReplayDepth.cs`
+- **Merkle proofs**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Merkle/DeterministicMerkleTreeBuilder.Proof.cs`, `MerkleProof.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify Rekor receipt offline verification validates checkpoint signatures (ECDSA/Ed25519)
+- [ ] Test Merkle inclusion proof verification per RFC 6962
+- [ ] Test root hash consistency verification without live transparency log
+- [ ] Verify replay verification service works in air-gapped mode

docs/features/unchecked/airgap/deterministic-replay-and-verification-in-air-gap-mode.md

@@ -0,0 +1,25 @@
+# Deterministic Replay and Verification in Air-Gap Mode
+
+## Module
+AirGap
+
+## Status
+IMPLEMENTED
+
+## Description
+Replay manifests capturing input artifacts, verification results, and media types for deterministic reproducibility. Replay verification service for air-gapped environments. Covers offline cryptography plugins and importer validation.
+
+## Implementation Details
+- **Replay verification service**: `src/AirGap/StellaOps.AirGap.Controller/Services/ReplayVerificationService.cs`
+- **Replay contracts**: `src/AirGap/StellaOps.AirGap.Importer/Contracts/ReplayVerificationRequest.cs`, `ReplayDepth.cs`
+- **Attestor replay**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayInputArtifact.cs`, `ReplayResult.cs`, `ReplayStatus.cs`, `ReplayVerificationResult.cs`, `ReplayPromptTemplate.cs`
+- **Offline crypto**: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs` and plugin implementations (GOST, eIDAS, SM, FIPS, HSM)
+- **Evidence reconciliation**: `src/AirGap/StellaOps.AirGap.Importer/Reconciliation/` -- EvidenceReconciler, EvidenceGraph, JSON normalizer, attestation/SBOM parsers
+- **Importer validation**: `src/AirGap/StellaOps.AirGap.Importer/Validation/` -- bundle validation
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify replay manifests capture all input artifacts with media types
+- [ ] Test replay verification produces identical results from same inputs
+- [ ] Test evidence reconciliation correctly builds evidence graph
+- [ ] Verify offline crypto plugin signing/verification works without network

docs/features/unchecked/airgap/deterministic-test-harness.md

@@ -0,0 +1,24 @@
+# Deterministic Test Harness (Frozen Time, Seeded RNG, Network Isolation)
+
+## Module
+AirGap
+
+## Status
+IMPLEMENTED
+
+## Description
+Deterministic testing infrastructure with frozen time providers, deterministic fixtures, and Testcontainers for PostgreSQL isolation across backend and frontend.
+
+## Implementation Details
+- **Test infrastructure**: `src/__Tests/__Libraries/StellaOps.Testing.Chaos/Models.cs` -- chaos/deterministic testing models
+- **AirGap tests**: `src/AirGap/__Tests/` -- Controller, Importer, Persistence, Sync, Time tests
+- **Frozen time**: `src/AirGap/StellaOps.AirGap.Time/` -- time anchor services with frozen time providers, staleness calculation
+- **Time fixtures**: `src/AirGap/StellaOps.AirGap.Time/fixtures/` -- deterministic time test fixtures
+- **Testcontainers**: PostgreSQL isolation via `src/AirGap/StellaOps.AirGap.Storage.Postgres.Tests/`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify frozen time providers produce deterministic timestamps
+- [ ] Test seeded RNG produces reproducible results
+- [ ] Verify Testcontainers PostgreSQL isolation works correctly
+- [ ] Test deterministic fixtures produce identical outputs across runs

docs/features/unchecked/airgap/dsse-receipt-schema-for-authority-sbomer-vexer-flows.md

@@ -0,0 +1,25 @@
+# DSSE/Receipt Schema for Authority/Sbomer/Vexer Flows
+
+## Module
+AirGap
+
+## Status
+IMPLEMENTED
+
+## Description
+DSSE envelope signing/verification across multiple modules with schema types, SPDX3 integration, and air-gap bundle signing. The receipt schema supports Authority, Sbomer, and Vexer flows.
+
+## Implementation Details
+- **DSSE signing**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/DsseEnvelope.cs`, `DsseSignature.cs`, `ProofChainSigner.Verification.cs`
+- **DSSE SPDX3**: `src/Attestor/__Libraries/StellaOps.Attestor.Spdx3/DsseSpdx3Envelope.cs`, `DsseSpdx3Signature.cs`, `DsseSpdx3Signer.SignAsync.cs`, `DsseSpdx3Signer.Verify.cs`
+- **DSSE verification**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/DsseSignatureVerificationStep.cs`
+- **Importer DSSE parsing**: `src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/DsseAttestationParser.cs`
+- **Receipt models**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts/VerificationReceipt.cs`, `VerificationResult.cs`, `VerificationCheck.cs`, `VerificationContext.cs`
+- **Signing profiles**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/SigningKeyProfile.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify DSSE envelope creation for Authority/Sbomer/Vexer flows
+- [ ] Test DSSE signature verification with multiple key profiles
+- [ ] Verify receipt schema captures all required verification checks
+- [ ] Test SPDX3 DSSE integration

docs/features/unchecked/airgap/mirror-time-anchor-contract.md

@@ -0,0 +1,29 @@
+# Mirror Time Anchor Contract
+
+## Module
+AirGap
+
+## Status
+IMPLEMENTED
+
+## Description
+Defines canonical time-anchor fields (generatedAt UTC ISO-8601, optional sourceClock hint) and staleness computation (now - generatedAt with +/-5s tolerance) for mirror bundles in air-gapped environments.
+
+## Implementation Details
+- **Time anchor module**: `src/AirGap/StellaOps.AirGap.Time/` -- full module with controllers, services, parsing, models, stores, config, hooks, health checks
+- **Time anchor parsing**: `src/AirGap/StellaOps.AirGap.Time/Parsing/` -- token parsing for time anchor extraction
+- **Staleness calculation**: services compute `now - generatedAt` with tolerance handling
+- **HLC merge services**: `src/AirGap/StellaOps.AirGap.Time/Services/` -- Hybrid Logical Clock for multi-node sync
+- **Deterministic time fixtures**: `src/AirGap/StellaOps.AirGap.Time/fixtures/`
+- **Bundle integration**: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/` -- TimeAnchorContent, SnapshotBundleWriter.Sections.TimeAnchor, SnapshotBundleReader.Verify.TimeAnchor
+- **Attestor timestamping**: `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/TimeCorrelationValidator.Validate.cs`, `TimeCorrelationStatus.cs`
+- **Tests**: `src/AirGap/__Tests/StellaOps.AirGap.Time.Tests/` (TimeAnchorLoaderTests, StalenessCalculatorTests, TimeVerificationServiceTests, TimeTokenParserTests, etc.)
+
+## E2E Test Plan
+- [ ] Verify time anchor is embedded in air-gap bundle with correct ISO-8601 format
+- [ ] Verify staleness calculation correctly computes age with +/-5s tolerance
+- [ ] Verify time anchor verification rejects bundles with tampered timestamps
+- [ ] Verify HLC merge produces consistent ordering across multiple nodes
+
+## Related Documentation
+- Source: SPRINT_0150_0001_0002_mirror_time.md

docs/features/unchecked/airgap/offline-kit-metrics-and-diagnostics.md

@@ -0,0 +1,24 @@
+# Offline Kit Metrics and Diagnostics
+
+## Module
+AirGap
+
+## Status
+IMPLEMENTED
+
+## Description
+Offline kit metrics, telemetry, and startup diagnostics for monitoring air-gap bundle health.
+
+## Implementation Details
+- **Telemetry**: `src/AirGap/StellaOps.AirGap.Controller/Services/AirGapTelemetry.cs` -- air-gap specific telemetry
+- **Telemetry options**: `src/AirGap/StellaOps.AirGap.Controller/Options/AirGapTelemetryOptions.cs` -- telemetry configuration
+- **Startup diagnostics**: `src/AirGap/StellaOps.AirGap.Controller/Services/AirGapStartupDiagnosticsHostedService.cs` -- diagnostics at startup
+- **Importer telemetry**: `src/AirGap/StellaOps.AirGap.Importer/Telemetry/` -- import-specific metrics
+- **Status endpoints**: `src/AirGap/StellaOps.AirGap.Controller/Endpoints/Contracts/AirGapStatusResponse.cs` -- status reporting
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify AirGap status endpoint returns correct metrics
+- [ ] Test startup diagnostics detect and report issues
+- [ ] Verify telemetry captures bundle import/export operations
+- [ ] Test importer telemetry tracks import duration and outcomes

docs/features/unchecked/airgap/time-anchoring-for-offline-environments.md

@@ -0,0 +1,32 @@
+# Time Anchoring for Offline Environments
+
+## Module
+AirGap
+
+## Status
+IMPLEMENTED
+
+## Description
+Time anchoring module with anchor loader, token parser, staleness calculator, and sealed startup validation for air-gapped environments. Includes HLC (Hybrid Logical Clock) merge services for multi-node sync.
+
+## Implementation Details
+- **Time module**: `src/AirGap/StellaOps.AirGap.Time/` -- dedicated time anchoring service
+- **Controllers**: `src/AirGap/StellaOps.AirGap.Time/Controllers/` -- time anchor API controllers
+- **Services**: `src/AirGap/StellaOps.AirGap.Time/Services/` -- HLC merge, staleness calculation, anchor loading
+- **Parsing**: `src/AirGap/StellaOps.AirGap.Time/Parsing/` -- time anchor token parsing
+- **Models**: `src/AirGap/StellaOps.AirGap.Time/Models/` -- time anchor data models
+- **Stores**: `src/AirGap/StellaOps.AirGap.Time/Stores/` -- time anchor state stores
+- **Config**: `src/AirGap/StellaOps.AirGap.Time/Config/` -- time anchor configuration
+- **Hooks**: `src/AirGap/StellaOps.AirGap.Time/Hooks/` -- time-related event hooks
+- **Health**: `src/AirGap/StellaOps.AirGap.Time/Health/` -- time health checks
+- **Fixtures**: `src/AirGap/StellaOps.AirGap.Time/fixtures/` -- deterministic time test data
+- **Tests**: `src/AirGap/__Tests/StellaOps.AirGap.Time.Tests/`
+- **Attestor timestamping**: `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/TimeCorrelationValidator.Validate.cs`, `TimeCorrelationStatus.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify time anchor loading from sealed bundles
+- [ ] Test token parsing extracts correct anchor timestamps
+- [ ] Test staleness calculator produces correct durations
+- [ ] Verify HLC merge service handles multi-node sync correctly
+- [ ] Test health checks report time anchor status

docs/features/unchecked/airgap/trust-profile-management.md

@@ -0,0 +1,25 @@
+# Trust Profile Management (CLI and Bundle)
+
+## Module
+AirGap
+
+## Status
+IMPLEMENTED
+
+## Description
+Named trust profiles (global, eu-eidas, us-fips, bg-gov) for configuring TSA chains, signing algorithms, and verification policies per deployment context. Includes CLI commands (stella trust-profile list/apply/show) and bundle-level profile loading. Distinct from the known "Trust Anchor Management" and "Regional Crypto Profiles" which are about crypto algorithms, not deployment-context trust configuration profiles.
+
+## Implementation Details
+- **Bundle trust profiles**: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/` -- named trust profile definitions and loading
+- **Trust root config**: `src/AirGap/StellaOps.AirGap.Importer/Contracts/TrustRootConfig.cs` -- trust root configuration for import verification
+- **AirGap policy**: `src/AirGap/StellaOps.AirGap.Policy/` -- policy enforcement for trust profiles, includes analyzers and tests
+- **Offline verification policy**: `src/AirGap/StellaOps.AirGap.Importer/Policy/OfflineVerificationPolicy.cs`, `OfflineVerificationPolicyLoader.cs`
+- **Trust anchor verification**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/TrustAnchorVerificationStep.cs`
+- **Source**: SPRINT_20260120_029_AirGap_offline_bundle_contract.md
+
+## E2E Test Plan
+- [ ] Verify CLI `stella trust-profile list` shows available profiles
+- [ ] Test `stella trust-profile apply` switches active profile
+- [ ] Test `stella trust-profile show` displays profile configuration
+- [ ] Verify trust profiles configure correct TSA chains and signing algorithms
+- [ ] Test bundle-level profile loading from bundle metadata

docs/features/unchecked/analyzers/roslyn-analyzer-for-canonicalization-enforcement.md

@@ -0,0 +1,21 @@
+# Roslyn Analyzer for Canonicalization Enforcement (STELLA0100)
+
+## Module
+__Analyzers
+
+## Status
+IMPLEMENTED
+
+## Description
+Custom Roslyn static analyzer (diagnostic STELLA0100) that enforces canonicalization boundaries at compile time. Detects code paths that cross resolver boundaries without proper canonicalization, preventing non-deterministic serialization from leaking into deterministic evaluation pipelines. Includes ResolverBoundaryAttribute for marking boundary methods.
+
+## Implementation Details
+- **Canonicalization Boundary Analyzer**: `src/__Analyzers/StellaOps.Determinism.Analyzers/CanonicalizationBoundaryAnalyzer.cs` -- Roslyn `DiagnosticAnalyzer` registered for C# syntax; reports diagnostic `STELLA0100` when code crosses canonicalization boundaries without proper serialization guards. Analyzes method invocations and property accesses to detect non-deterministic serialization patterns at resolver boundaries.
+- **Analyzer Tests**: `src/__Analyzers/StellaOps.Determinism.Analyzers.Tests/CanonicalizationBoundaryAnalyzerTests.cs` -- unit tests verifying the analyzer correctly reports STELLA0100 diagnostics for boundary violations and does not produce false positives for correctly guarded code.
+
+## E2E Test Plan
+- [ ] Add the `StellaOps.Determinism.Analyzers` package to a test project and verify the STELLA0100 diagnostic is reported when a method crosses a canonicalization boundary without a serialization guard
+- [ ] Verify the analyzer produces no diagnostics for code that correctly uses canonical serializers (e.g., `LedgerCanonicalJsonSerializer`, `Rfc8785JsonCanonicalizer`)
+- [ ] Verify the analyzer integrates with `dotnet build` and causes a build warning (or error if configured via `.editorconfig`) for violations
+- [ ] Verify the analyzer does not report false positives on non-serialization code paths or methods not annotated with `ResolverBoundaryAttribute`
+- [ ] Verify the analyzer works with partial classes and cross-file method calls within the same assembly

docs/features/unchecked/aoc/aoc-roslyn-source-analyzer.md

@@ -0,0 +1,21 @@
+# AOC Roslyn Source Analyzer (Compile-Time Contract Enforcement)
+
+## Module
+Aoc
+
+## Status
+IMPLEMENTED
+
+## Description
+Roslyn source analyzer that enforces ingestion contracts at compile time via diagnostic rules (AOC0001, AOC0002, AOC0003), preventing forbidden field access patterns in AOC-related code.
+
+## Implementation Details
+- **Intent Analyzer**: `src/__Analyzers/StellaOps.TestKit.Analyzers/IntentAnalyzer.cs` -- Roslyn `DiagnosticAnalyzer` that enforces test intent declaration contracts. Reports AOC0001 for missing intent attributes on test methods, AOC0002 for inconsistent intent declarations across test classes, and AOC0003 for intent/naming convention mismatches.
+- **Intent Analyzer Tests**: `src/__Analyzers/StellaOps.TestKit.Analyzers.Tests/IntentAnalyzerTests.cs` -- unit tests verifying the analyzer correctly reports AOC diagnostics for missing or mismatched intent declarations and validates that properly annotated tests produce no diagnostics.
+
+## E2E Test Plan
+- [ ] Add the `StellaOps.TestKit.Analyzers` package to a test project and verify AOC0001 is reported for test methods missing intent attributes
+- [ ] Verify AOC0002 is reported when a test class has inconsistent intent declarations across its test methods
+- [ ] Verify AOC0003 is reported for intent/naming convention mismatches (e.g., a test named `*Integration*` with a unit test intent attribute)
+- [ ] Verify no diagnostics are reported for correctly attributed test methods following the naming convention
+- [ ] Verify the analyzer integrates with `dotnet build` and CI pipelines to catch ingestion contract violations before merge

docs/features/unchecked/api/policy-trace-panel.md

@@ -0,0 +1,28 @@
+# Policy trace panel ("why blocked" / "what would make it pass")
+
+## Module
+Api
+
+## Status
+IMPLEMENTED
+
+## Description
+Block explanation API controller, CLI explain commands, and verdict rationale renderer provide policy trace functionality explaining why artifacts are blocked and what would unblock them.
+
+## Implementation Details
+- **Scoring Endpoints**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/ScoringEndpoints.cs` -- exposes REST endpoints for querying scored findings with policy trace context, including why a finding is blocked and which evidence would change the outcome.
+- **Evidence Graph Endpoints**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/EvidenceGraphEndpoints.cs` -- serves evidence graph subgraphs connecting findings to attestations, VEX statements, and policy decisions, showing the trace of what inputs led to the verdict.
+- **Finding Summary Endpoints**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/FindingSummaryEndpoints.cs` -- returns finding summaries with policy evaluation trace context including rule names, evaluation outcomes, and evidence references.
+- **Finding Scoring Service**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingScoringService.cs` -- computes and caches finding scores combining CVSS, EPSS, VEX, and reachability signals; explains score composition.
+- **Evidence Graph Builder**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/EvidenceGraphBuilder.cs` -- constructs evidence subgraphs from ledger events and attestation pointers for trace visualization.
+- **VEX Consensus Service**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/VexConsensusService.cs` -- aggregates VEX decisions across sources to explain the consensus status.
+- **Policy Evaluation Service**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Policy/PolicyEngineEvaluationService.cs` -- evaluates policy rules against findings and returns detailed trace output explaining each rule's contribution.
+- **Inline Policy Evaluation Service**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Policy/InlinePolicyEvaluationService.cs` -- lightweight inline evaluation for single-finding traces without external policy engine calls.
+- **Tests**: `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Integration/ScoringEndpointsIntegrationTests.cs`, `ScoringAuthorizationTests.cs`, `PolicyEngineEvaluationServiceTests.cs`, `InlinePolicyEvaluationServiceTests.cs`, `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Services/EvidenceGraphBuilderTests.cs`, `FindingScoringServiceTests.cs`
+
+## E2E Test Plan
+- [ ] Submit a finding that fails policy evaluation and query the trace endpoint to verify the response explains which rule blocked it and what evidence is required to pass
+- [ ] Query the evidence graph endpoint for a blocked finding and verify the returned subgraph contains nodes for the finding, its attestations, VEX statements, and policy rules with correct edge relationships
+- [ ] Modify a finding's VEX status to "not_affected" and re-query the trace to verify the explanation updates to reflect the new unblocked status
+- [ ] Verify authorization: attempt to query trace endpoints without the required scope and confirm a 403 response
+- [ ] Verify the inline policy evaluation service returns the same trace results as the full policy engine evaluation service for a simple single-rule scenario

docs/features/unchecked/api/score-api-endpoints.md

@@ -0,0 +1,28 @@
+# Score API Endpoints (/api/v1/score/evaluate, /score/weights)
+
+## Module
+Api
+
+## Status
+IMPLEMENTED
+
+## Description
+The advisory proposed dedicated REST endpoints for score evaluation, weight management, and replay. These were marked TODO (TSF-005, TSF-011) and have not been implemented.
+
+## Implementation Details
+- **Scoring Endpoints**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/ScoringEndpoints.cs` -- maps scoring-related routes for querying scored findings, score history, and aggregate metrics.
+- **Scored Findings Query Service**: `src/Findings/StellaOps.Findings.Ledger/Services/ScoredFindingsQueryService.cs` (implements `IScoredFindingsQueryService`) -- queries findings with their computed scores, supports filtering by severity, status, and component.
+- **Scored Findings Query Models**: `src/Findings/StellaOps.Findings.Ledger/Services/ScoredFindingsQueryModels.cs` -- query/response models for scored findings queries.
+- **Scored Findings Export Service**: `src/Findings/StellaOps.Findings.Ledger/Services/ScoredFindingsExportService.cs` -- exports scored findings as CSV/JSON for reporting and compliance.
+- **Scoring Metrics Service**: `src/Findings/StellaOps.Findings.Ledger/Services/ScoringMetricsService.cs` -- computes aggregate scoring metrics (mean score, distribution, trend).
+- **Score History Store**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/ScoreHistoryStore.cs` -- persists score snapshots over time for trend analysis.
+- **Scoring Contracts**: `src/Findings/StellaOps.Findings.Ledger.WebService/Contracts/ScoringContracts.cs` -- API DTOs for score requests and responses.
+- **Tests**: `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/ScoredFindingsQueryServiceTests.cs`, `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Integration/ScoringEndpointsIntegrationTests.cs`, `ScoringObservabilityTests.cs`
+
+## E2E Test Plan
+- [ ] Query the score API with no filters and verify all findings are returned with their computed scores
+- [ ] Apply severity and component filters and verify only matching findings are returned
+- [ ] Export scored findings as CSV and verify the output contains correct headers and data rows matching the query results
+- [ ] Verify scoring metrics endpoint returns aggregate statistics (count, mean score, percentile distribution)
+- [ ] Verify authorization: confirm the scoring API requires the `findings:read` scope
+- [ ] Verify pagination: query with page size and offset parameters and confirm correct paging behavior

docs/features/unchecked/attestor/adaptive-noise-gating-for-vulnerability-graphs.md

@@ -0,0 +1,25 @@
+# Adaptive Noise Gating for Vulnerability Graphs
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Four-part noise reduction system: (1) Semantic edge deduplication collapsing redundant edges with provenance sets, (2) Proof Strength hierarchy (Authoritative=100 > BinaryProof=80 > StaticAnalysis=60 > Heuristic=40), (3) Stability damping gate preventing flip-flopping verdicts with hysteresis thresholds, (4) Delta sections categorizing changes as New/Resolved/ConfidenceUp/ConfidenceDown/PolicyImpact.
+
+## Implementation Details
+- **ProofChain Graph**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/` -- `InMemoryProofGraphService` (with `.Mutation`, `.Queries`, `.Subgraph` partials) provides the in-memory graph with node/edge deduplication. `ProofGraphEdge` and `ProofGraphEdgeType` define edge semantics including provenance sets. `ProofGraphNode` and `ProofGraphNodeType` classify node types with strength levels.
+- **Delta Verdict System**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.cs` and `DeltaVerdictPredicate.Budget.cs` implement delta categorization (New/Resolved/ConfidenceUp/ConfidenceDown). `DeltaVerdictChange.cs` and `VerdictDeltaSummary.cs` track per-finding changes.
+- **Evidence Confidence**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.Confidence.cs` computes confidence scores using proof-strength hierarchy. `EvidenceSummary.cs` aggregates evidence with strength weighting.
+- **Change Trace**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/ChangeTrace/ChangeTraceAttestationService.cs` (with `.Helpers` and `.Mapping` partials) tracks changes over time for stability damping.
+- **Verdict Delta Predicates**: `VerdictFindingChange.cs`, `VerdictRuleChange.cs` categorize changes by policy impact.
+- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/Statements/DeltaVerdictStatementTests.cs`, `ChangeTrace/ChangeTracePredicateTests.cs`
+
+## E2E Test Plan
+- [ ] Create a proof graph with redundant edges (same source/target, different provenance) and verify that `InMemoryProofGraphService` deduplicates them into a single edge with merged provenance sets
+- [ ] Submit evidence at different proof-strength tiers (Authoritative, BinaryProof, StaticAnalysis, Heuristic) and verify the `BackportProofGenerator.Confidence` produces correct weighted confidence scores
+- [ ] Generate two consecutive verdict snapshots with minor score fluctuations below the hysteresis threshold and verify that `ChangeTraceAttestationService` suppresses the flip-flop delta
+- [ ] Generate a delta verdict where findings are added, resolved, and confidence-changed, then verify `DeltaVerdictPredicate` categorizes each change correctly (New/Resolved/ConfidenceUp/ConfidenceDown/PolicyImpact)
+- [ ] Query a subgraph via `InMemoryProofGraphService.Subgraph` and verify only reachable nodes from the root are included, with correct edge types

docs/features/unchecked/attestor/ai-assisted-explanation-and-classification.md

@@ -0,0 +1,30 @@
+# AI-Assisted Explanation and Classification
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+AI authority classifier with explanation scoring, citation references, explanation types, and model identifiers. AI artifact verification step integrates into the verification pipeline.
+
+## Implementation Details
+- **AIAuthorityClassifier**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs` (with `.Explanation`, `.ExplanationScore`, `.PolicyDraft`, `.PolicyDraftScore`, `.Remediation`, `.RemediationScore`, `.VexDraft`, `.VexDraftScore` partials) -- classifies AI outputs into `Suggestion`, `EvidenceBacked`, or `AuthorityThreshold` based on citation rate, verified rate, and confidence score.
+- **AIAuthorityThresholds**: `AIAuthorityThresholds.cs` -- configurable thresholds: `MinCitationRate` (default 0.8), `MinConfidenceScore` (default 0.7), `MinVerifiedCitationRate` (default 0.9), `AuthorityThresholdScore` (default 0.95).
+- **AIArtifactAuthority enum**: `AIArtifactAuthority.cs` -- three levels: Suggestion (no evidence), EvidenceBacked (citations verified), AuthorityThreshold (meets auto-processing score).
+- **AIExplanationPredicate**: `AIExplanationPredicate.cs` -- record extending `AIArtifactBasePredicate` with `ExplanationType`, `Content`, `Citations`, `ConfidenceScore`, `CitationRate`, `Subject`, `ContextScope`.
+- **AIExplanationCitation**: `AIExplanationCitation.cs` -- links claims to evidence with `ClaimIndex`, `ClaimText`, `EvidenceId` (sha256 format), `EvidenceType`, `Verified` flag.
+- **AIExplanationType enum**: `AIExplanationType.cs` -- Exploitability, CodePath, PolicyDecision, RiskFactors, RemediationOptions, PlainLanguageSummary, EvidenceChain.
+- **AIModelIdentifier**: `AIModelIdentifier.cs` -- tracks provider/model/version with optional `WeightsDigest` for local models.
+- **Verification Step**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/AIArtifactVerificationStep.cs` (with `.Execute`, `.Classify`, `.Helpers`, `.Summary`, `.VerifyParse`, `.VerifyValidation` partials) -- integrates into `VerificationPipeline` to verify AI artifacts in proof bundles.
+- **Tests**: `__Libraries/StellaOps.Attestor.ProofChain.Tests/AI/AIAuthorityClassifierTests.cs`
+
+## E2E Test Plan
+- [ ] Create an `AIExplanationPredicate` with citation rate >= 0.8, verified rate >= 0.9, and confidence >= 0.7, classify via `AIAuthorityClassifier`, and verify it returns `EvidenceBacked`
+- [ ] Create an explanation with citation rate < 0.8 and verify classifier returns `Suggestion` with appropriate reason messages
+- [ ] Create an explanation with quality score >= 0.95 and verify classifier returns `AuthorityThreshold`
+- [ ] Submit a proof bundle containing AI artifacts through `AIArtifactVerificationStep.ExecuteAsync` and verify all artifacts are validated (parse, schema, classification)
+- [ ] Submit a proof bundle with invalid AI artifacts (malformed predicate) and verify the verification step returns `Passed = false` with error details
+- [ ] Create an `AIExplanationCitation` with `Verified = false` and verify it lowers the verified rate below the threshold, causing the classifier to return `Suggestion`
+- [ ] Verify `AIModelIdentifier.ToString()` produces the canonical `provider:model:version` format

docs/features/unchecked/attestor/ai-authority-classification-engine.md

@@ -0,0 +1,31 @@
+# AI Authority Classification Engine
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Authority classification engine that determines whether AI outputs are evidence-backed (authoritative) or suggestion-only, with configurable thresholds and scoring across multiple artifact types.
+
+## Implementation Details
+- **Core Classifier**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs` -- partial class with `DetermineAuthority()` method that evaluates `citationRate`, `verifiedRate`, `confidenceScore`, and `qualityScore` against configurable thresholds.
+- **Artifact-Specific Scoring**: Partial files implement scoring for each artifact type:
+  - `AIAuthorityClassifier.Explanation.cs` / `AIAuthorityClassifier.ExplanationScore.cs` -- explanation classification and scoring
+  - `AIAuthorityClassifier.PolicyDraft.cs` / `AIAuthorityClassifier.PolicyDraftScore.cs` -- policy draft classification
+  - `AIAuthorityClassifier.Remediation.cs` / `AIAuthorityClassifier.RemediationScore.cs` -- remediation plan classification
+  - `AIAuthorityClassifier.VexDraft.cs` / `AIAuthorityClassifier.VexDraftScore.cs` -- VEX statement draft classification
+- **Authority Levels**: `AIArtifactAuthority.cs` -- `Suggestion` (no evidence backing), `EvidenceBacked` (citations verified, evidence resolvable), `AuthorityThreshold` (auto-processing eligible)
+- **Thresholds Config**: `AIAuthorityThresholds.cs` -- `MinCitationRate` (0.8), `MinConfidenceScore` (0.7), `MinVerifiedCitationRate` (0.9), `AuthorityThresholdScore` (0.95), `RequireResolvableEvidence` (true)
+- **Classification Result**: `AIAuthorityClassificationResult.cs` -- captures authority level, reasons, and individual scores
+- **Evidence Resolution**: Constructor accepts optional `Func<string, bool>` evidence resolver to verify that cited evidence IDs are resolvable
+- **Tests**: `__Libraries/StellaOps.Attestor.ProofChain.Tests/AI/AIAuthorityClassifierTests.cs`
+
+## E2E Test Plan
+- [ ] Classify an explanation with all metrics above thresholds and verify `EvidenceBacked` result with three reason entries (citation rate, verified rate, confidence)
+- [ ] Classify a policy draft with `qualityScore >= 0.95` and verify `AuthorityThreshold` result regardless of other metrics
+- [ ] Classify a remediation plan with `citationRate = 0.5` and verify `Suggestion` result with reason mentioning citation rate below threshold
+- [ ] Classify a VEX draft with an evidence resolver that returns `false` for some evidence IDs and verify the verified rate drops below threshold
+- [ ] Override `AIAuthorityThresholds` with stricter values (e.g., `MinCitationRate = 0.95`) and verify classification changes accordingly
+- [ ] Verify all four artifact-type classifiers (Explanation, PolicyDraft, Remediation, VexDraft) produce correct `AIAuthorityClassificationResult` with type-specific scoring

docs/features/unchecked/attestor/ai-explanation-attestation-types.md

@@ -0,0 +1,29 @@
+# AI Explanation Attestation Types (Zastava Companion Predicates)
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+AI explanation attestation predicates with model identifiers, decoding parameters, and citation support for evidence-grounded AI explanations. Supports deterministic replay.
+
+## Implementation Details
+- **AIExplanationPredicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIExplanationPredicate.cs` -- record type extending `AIArtifactBasePredicate` with fields: `ExplanationType`, `Content` (markdown), `Citations` (list of `AIExplanationCitation`), `ConfidenceScore`, `CitationRate`, `Subject`, `ContextScope`.
+- **AIArtifactBasePredicate**: `AIArtifactBasePredicate.cs` -- base record providing common AI artifact fields including `ModelIdentifier`, `DecodingParameters`, `GeneratedAt` timestamp.
+- **AIModelIdentifier**: `AIModelIdentifier.cs` -- `Provider`, `Model`, `Version`, optional `WeightsDigest` (SHA-256 for local models). Canonical format: `provider:model:version`.
+- **AIDecodingParameters**: `AIDecodingParameters.cs` -- captures generation parameters (temperature, top-p, etc.) for deterministic replay.
+- **AIExplanationCitation**: `AIExplanationCitation.cs` -- links claims to evidence: `ClaimIndex`, `ClaimText`, `EvidenceId` (sha256:hex), `EvidenceType` (sbom/vex/reachability/runtime), `Verified` flag.
+- **AIExplanationType enum**: `AIExplanationType.cs` -- Exploitability, CodePath, PolicyDecision, RiskFactors, RemediationOptions, PlainLanguageSummary, EvidenceChain.
+- **Replay Support**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/` -- `AIArtifactReplayManifest.cs`, `IAIArtifactReplayer.cs`, `ReplayInputArtifact.cs`, `ReplayPromptTemplate.cs`, `ReplayResult.cs`, `ReplayVerificationResult.cs` implement deterministic replay of AI artifacts.
+- **Media Types**: `__Libraries/StellaOps.Attestor.ProofChain/MediaTypes/AIArtifactMediaTypes.cs` -- defines content-type constants for AI artifacts.
+- **Statement**: `__Libraries/StellaOps.Attestor.ProofChain/Statements/AIExplanationStatement.cs` -- wraps the predicate as an in-toto statement.
+
+## E2E Test Plan
+- [ ] Create an `AIExplanationPredicate` with all required fields (explanation type, content, citations, confidence, citation rate, subject) and serialize to JSON, verifying all fields are correctly mapped via `JsonPropertyName` attributes
+- [ ] Deserialize a JSON payload back to `AIExplanationPredicate` and verify round-trip fidelity
+- [ ] Create a replay manifest from an `AIExplanationPredicate` containing `AIDecodingParameters` and verify the manifest captures model identifier and decoding params for reproducibility
+- [ ] Verify `AIExplanationCitation` correctly links claims to evidence by creating citations with mixed `Verified` states and computing citation rate
+- [ ] Create explanations of each `AIExplanationType` (Exploitability, CodePath, PolicyDecision, RiskFactors, RemediationOptions, PlainLanguageSummary, EvidenceChain) and verify type serialization
+- [ ] Wrap predicate in `AIExplanationStatement` and verify it produces a valid in-toto statement with correct predicate type

docs/features/unchecked/attestor/ai-remediation-plan-attestation.md

@@ -0,0 +1,30 @@
+# AI Remediation Plan Attestation
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Predicate types for AI-generated remediation plans including steps, risk assessments, and action types as signed attestation artifacts.
+
+## Implementation Details
+- **AIRemediationPlanPredicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIRemediationPlanPredicate.cs` -- extends `AIArtifactBasePredicate` with remediation-specific fields.
+- **RemediationStep**: `RemediationStep.cs` -- describes a single remediation action with status tracking.
+- **RemediationActionType enum**: `RemediationActionType.cs` -- types of remediation actions (e.g., upgrade, patch, configuration change).
+- **RemediationStepStatus enum**: `RemediationStepStatus.cs` -- tracks step execution status.
+- **RemediationRiskAssessment**: `RemediationRiskAssessment.cs` -- assesses risk impact of applying the remediation.
+- **RemediationVerificationStatus enum**: `RemediationVerificationStatus.cs` -- verification state after remediation application.
+- **Classifier Integration**: `AIAuthorityClassifier.Remediation.cs` classifies remediation plans; `AIAuthorityClassifier.RemediationScore.cs` computes quality scores for evidence-backing determination.
+- **Statement**: `__Libraries/StellaOps.Attestor.ProofChain/Statements/AIRemediationPlanStatement.cs` -- wraps predicate as in-toto statement.
+- **Base Class**: `AIArtifactBasePredicate.cs` provides `ModelIdentifier` (`AIModelIdentifier`), `DecodingParameters` (`AIDecodingParameters`), and timestamp fields inherited by the remediation predicate.
+
+## E2E Test Plan
+- [ ] Create an `AIRemediationPlanPredicate` with multiple `RemediationStep` entries of different `RemediationActionType` values and verify JSON serialization
+- [ ] Create a remediation plan with a `RemediationRiskAssessment` and verify the risk level is correctly captured in the predicate
+- [ ] Classify a remediation plan via `AIAuthorityClassifier.Remediation` with high citation/evidence scores and verify `EvidenceBacked` authority
+- [ ] Classify a remediation plan with low evidence backing and verify `Suggestion` authority
+- [ ] Wrap the predicate in `AIRemediationPlanStatement` and verify it produces a valid in-toto statement
+- [ ] Verify `RemediationStepStatus` progression (e.g., Pending -> InProgress -> Completed) is correctly serialized
+- [ ] Create a remediation plan with `RemediationVerificationStatus` set and verify the verification state persists through serialization

docs/features/unchecked/attestor/asn-1-native-rfc-3161-timestamp-token-parsing.md

@@ -0,0 +1,31 @@
+# ASN.1-Native RFC 3161 Timestamp Token Parsing
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Native ASN.1 parsing of RFC 3161 timestamp tokens using System.Formats.Asn1 (no BouncyCastle dependency). Includes request encoding, response decoding, TstInfo extraction, certificate chain parsing, and signature verification. This is the low-level implementation detail behind the known "RFC-3161 TSA Client" entry.
+
+## Implementation Details
+- **Timestamp Service**: `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/AttestationTimestampService.cs` (with `.Helpers`, `.Timestamp`, `.Verify` partials) -- core service handling RFC 3161 timestamp request/response lifecycle.
+- **IAttestationTimestampService**: `IAttestationTimestampService.cs` -- interface for timestamp operations.
+- **Timestamp Policy**: `TimestampPolicy.cs`, `TimestampPolicyEvaluator.cs`, `TimestampPolicyResult.cs` -- policy evaluation for timestamp requirements.
+- **TSA Certificate Validation**: `TsaCertificateStatus.cs` -- certificate chain status. `TstVerificationStatus.cs` -- TstInfo verification result.
+- **Time Correlation**: `TimeCorrelationValidator.cs` (with `.Async`, `.GapChecks`, `.Validate` partials) -- validates timestamp consistency across multiple TSA sources. `TimeCorrelationPolicy.cs`, `TimeCorrelationResult.cs`, `TimeCorrelationStatus.cs` define correlation rules.
+- **Time Consistency**: `TimeConsistencyResult.cs` -- result of cross-TSA time consistency checks.
+- **Multi-Provider Fallback**: `src/Attestor/__Libraries/StellaOps.Attestor.Infrastructure/Timestamping/TsaMultiProvider.cs` -- fallback chain across multiple TSA providers.
+- **Configuration**: `AttestationTimestampOptions.cs`, `AttestationTimestampServiceOptions.cs`, `AttestationTimestampVerificationOptions.cs`, `AttestationTimestampPolicyContext.cs`.
+- **Timestamped Attestation**: `TimestampedAttestation.cs` -- wraps an attestation with its timestamp token.
+- **Tests**: `StellaOps.Attestor/StellaOps.Attestor.Tests/Timestamping/AttestationTimestampServiceTests.cs`, `AttestationTimestampPolicyTests.cs`, `TimeCorrelationValidatorTests.cs`
+
+## E2E Test Plan
+- [ ] Create a timestamp request for a SHA-256 hash via `AttestationTimestampService`, send to a TSA endpoint, and verify the response contains a valid TstInfo with matching hash
+- [ ] Parse an RFC 3161 timestamp token response and verify certificate chain extraction produces valid `TsaCertificateStatus`
+- [ ] Verify a timestamp token signature against the TSA certificate and confirm `TstVerificationStatus` indicates success
+- [ ] Configure `TimeCorrelationValidator` with two TSA sources and verify `TimeConsistencyResult` passes when timestamps are within configured gap tolerance
+- [ ] Configure `TimeCorrelationValidator` with a strict gap threshold and submit timestamps with drift exceeding the threshold, verifying `TimeCorrelationStatus` indicates failure
+- [ ] Test `TsaMultiProvider` fallback by configuring a primary TSA that fails and a secondary that succeeds, verifying the timestamp is obtained from the fallback provider
+- [ ] Create a `TimestampedAttestation` wrapping a DSSE envelope and verify the timestamp token is correctly associated

docs/features/unchecked/attestor/attestable-exception-objects-with-expiries-and-audit-trails.md

@@ -0,0 +1,29 @@
+# Attestable Exception Objects with Expiries and Audit Trails
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Exceptions are modeled as auditable objects with IDs, owners, expiry dates, and audit trails. The exception ledger UI shows active/pending/expiring counts. Signed override badges indicate cryptographic attestation of exceptions.
+
+## Implementation Details
+- **Exception Reference**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services/ExceptionRef.cs` -- models exception objects with ID, owner, and expiry metadata.
+- **Budget Exception Entry**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs` -- exception entry within the uncertainty budget system, tracking exception scope and validity period.
+- **Budget System Integration**: `BudgetDefinition.cs`, `BudgetObservation.cs`, `BudgetViolationEntry.cs` -- exceptions integrate with the uncertainty budget to allow controlled risk acceptance.
+- **VEX Override System**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicate.cs` -- signed VEX overrides serve as attestable exceptions. `VexOverridePredicateBuilder.cs` (with `.Build`, `.Serialize`, `.WithMethods` partials) constructs override predicates. `VexOverrideDecision.cs` captures the decision rationale.
+- **Evidence Reference**: `VexOverride/EvidenceReference.cs` -- links exception decisions to supporting evidence.
+- **Audit Trail**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs` (with `.Validation` partial) logs hash-based audit records. `HashAuditRecord.cs` captures individual audit entries. `AuditArtifactTypes.cs` defines auditable artifact types.
+- **Persistence**: `src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Entities/AuditLogEntity.cs` -- database entity for audit log persistence.
+- **DSSE Signing**: Exceptions are signed via `ProofChainSigner` to produce cryptographic attestation (signed override badges).
+
+## E2E Test Plan
+- [ ] Create an exception via `BudgetExceptionEntry` with owner, expiry date, and justification, then verify all fields serialize correctly
+- [ ] Build a `VexOverridePredicate` with `VexOverridePredicateBuilder`, sign it via DSSE, and verify the signed envelope contains the override decision
+- [ ] Create an exception with an expiry date in the past and verify budget evaluation treats it as expired (no longer valid)
+- [ ] Create an exception with a future expiry and verify it is counted as active in the budget check
+- [ ] Log exception creation via `AuditHashLogger` and verify `HashAuditRecord` captures the artifact type, timestamp, and hash
+- [ ] Query audit trail for a specific exception ID and verify the complete history of changes is returned
+- [ ] Verify that `ExceptionRef` correctly links to `EvidenceReference` for evidence-backed exception justification

docs/features/unchecked/attestor/attestable-reachability-slices.md

@@ -0,0 +1,29 @@
+# Attestable reachability slices (DSSE/in-toto signed evidence)
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Reachability witness payloads wrapped in DSSE-signed attestations provide verifiable evidence slices for triage decisions.
+
+## Implementation Details
+- **Reachability Witness Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs` (with `.Path` partial) -- defines the witness payload containing call paths from entry points to vulnerable functions.
+- **Witness Path Nodes**: `WitnessPathNode.cs`, `WitnessCallPathNode.cs` -- model individual nodes in the reachability call path.
+- **Witness Evidence Metadata**: `WitnessEvidenceMetadata.cs` -- metadata about the evidence source (scanner, analysis tool, timestamp).
+- **Witness Gate Info**: `WitnessGateInfo.cs` -- gate information for policy evaluation of witness data.
+- **Reachability Witness Statement**: `ReachabilityWitnessStatement.cs` -- wraps witness payload as an in-toto statement with subject and predicate.
+- **Reachability Subgraph**: `ReachabilitySubgraphStatement.cs` -- subgraph attestation for minimal reachability evidence. `ReachabilitySubgraphPredicate.cs` defines the subgraph predicate.
+- **DSSE Signing**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs` (with `.Verification` partial) signs statements. `DsseEnvelope.cs`, `DsseSignature.cs` model the envelope.
+- **Path Witness Predicate Types**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/PathWitnessPredicateTypes.cs` -- defines predicate type URIs for path witnesses.
+- **Proof Emitter**: `IProofEmitter.cs` -- interface for emitting signed proofs including reachability slices.
+
+## E2E Test Plan
+- [ ] Create a `ReachabilityWitnessPayload` with a call path containing 3+ nodes from entry point to vulnerable function, wrap in `ReachabilityWitnessStatement`, and verify the statement structure
+- [ ] Sign the witness statement via `ProofChainSigner` and verify the DSSE envelope contains valid signature and payload
+- [ ] Verify the signed reachability slice via `ProofChainSigner.Verification` and confirm signature validation passes
+- [ ] Create a `ReachabilitySubgraphPredicate` with a minimal subgraph (entry point -> intermediate -> sink) and verify it serializes with correct predicate type
+- [ ] Modify the signed envelope payload and verify that signature verification fails (tamper detection)
+- [ ] Create witness payloads with `WitnessEvidenceMetadata` from different analysis tools and verify metadata is preserved in the signed attestation

docs/features/unchecked/attestor/attestation-bundle-verification.md

@@ -0,0 +1,32 @@
+# Attestation Bundle Verification
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Sigstore bundle verification with dedicated verifier and bundler services for validating attestation integrity.
+
+## Implementation Details
+- **Sigstore Bundle Verifier**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Verification/SigstoreBundleVerifier.cs` -- verifies Sigstore bundles including signature validation and transparency log verification.
+- **Bundle Verification Result**: `BundleVerificationResult.cs` -- result model with pass/fail status and detailed error messages.
+- **Sigstore Bundle Model**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Models/SigstoreBundle.cs` -- represents a Sigstore bundle with `VerificationMaterial`, `TransparencyLogEntry`, and `InclusionProof`.
+- **Bundle Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Builder/SigstoreBundleBuilder.cs` -- constructs Sigstore bundles from attestation components.
+- **Bundle Serializer**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Serialization/SigstoreBundleSerializer.cs` -- JSON serialization/deserialization of Sigstore bundles.
+- **Attestation Bundler**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Services/AttestationBundler.cs` -- high-level bundling service implementing `IAttestationBundler`. Aggregates multiple attestations into bundles.
+- **Bundle Aggregator**: `IBundleAggregator.cs` -- interface for aggregating attestations.
+- **Bundle Store**: `IBundleStore.cs` -- persistence interface for bundles.
+- **Org Key Signing**: `Signing/KmsOrgKeySigner.cs` -- signs bundles with organization-level KMS keys.
+- **Verification Engine**: `src/Attestor/StellaOps.Attestor.Verify/AttestorVerificationEngine.cs` -- top-level verification engine that orchestrates bundle and attestation verification.
+- **Tests**: `__Tests/StellaOps.Attestor.Bundle.Tests/SigstoreBundleVerifierTests.cs`, `SigstoreBundleBuilderTests.cs`, `SigstoreBundleSerializerTests.cs`, `__Tests/StellaOps.Attestor.Bundling.Tests/AttestationBundlerTests.cs`
+
+## E2E Test Plan
+- [ ] Build a Sigstore bundle via `SigstoreBundleBuilder` with a signed attestation, inclusion proof, and verification material, then verify it via `SigstoreBundleVerifier`
+- [ ] Serialize a `SigstoreBundle` to JSON via `SigstoreBundleSerializer`, deserialize it back, and verify round-trip fidelity
+- [ ] Tamper with the inclusion proof in a bundle and verify `SigstoreBundleVerifier` returns a failed `BundleVerificationResult` with error details
+- [ ] Use `AttestationBundler` to aggregate 3+ attestations into a single bundle and verify the bundle contains all attestation entries
+- [ ] Sign a bundle with `KmsOrgKeySigner` and verify the org-level signature is present in the output
+- [ ] Run `AttestorVerificationEngine` against a valid bundle and verify all verification checks pass
+- [ ] Run `AttestorVerificationEngine` against a bundle with an invalid signature and verify it reports the specific check that failed

docs/features/unchecked/attestor/attestation-determinism-testing.md

@@ -0,0 +1,30 @@
+# Attestation Determinism Testing
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Golden test vectors and determinism verification tests ensuring byte-for-byte reproducibility of attestations, DSSE envelopes, and policy engine evaluations.
+
+## Implementation Details
+- **Golden Samples Tests**: `src/Attestor/__Tests/StellaOps.Attestor.Types.Tests/AttestationGoldenSamplesTests.cs` -- verifies attestations match golden test vectors byte-for-byte.
+- **Attestation Determinism Tests**: `__Tests/StellaOps.Attestor.Types.Tests/Determinism/AttestationDeterminismTests.cs` -- ensures repeated attestation generation produces identical output.
+- **DSSE Envelope Determinism**: `__Tests/StellaOps.Attestor.ProofChain.Tests/Envelope/DsseEnvelopeDeterminismTests.cs` -- verifies DSSE envelope serialization is deterministic.
+- **In-Toto Statement Snapshots**: `__Tests/StellaOps.Attestor.ProofChain.Tests/Statements/InTotoStatementSnapshotTests.cs` -- snapshot tests for in-toto statement serialization stability.
+- **Canonical JSON**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs` (with `.DecimalPoint`, `.NumberSerialization`, `.StringNormalization`, `.WriteMethods` partials) -- RFC 8785 canonical JSON serialization ensuring deterministic output.
+- **CycloneDX Determinism**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/CycloneDxDeterminismTests.cs` -- verifies CycloneDX SBOM output is deterministic.
+- **SPDX Determinism**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/SpdxDeterminismTests.cs` -- verifies SPDX SBOM output is deterministic.
+- **Canonical JSON Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/JsonCanonicalizerTests.cs`, `__Tests/StellaOps.Attestor.StandardPredicates.Tests/JsonCanonicalizerTests.cs`
+- **Conformance Tests**: `__Tests/StellaOps.Attestor.Conformance.Tests/` -- `VerificationParityTests.cs`, `InclusionProofParityTests.cs`, `CheckpointParityTests.cs` verify cross-implementation consistency.
+
+## E2E Test Plan
+- [ ] Generate an attestation from identical inputs twice and compare SHA-256 hashes of the serialized output to verify byte-for-byte equality
+- [ ] Serialize a DSSE envelope, deserialize it, re-serialize, and verify the output bytes are identical (idempotent serialization)
+- [ ] Run the RFC 8785 canonicalizer on JSON with out-of-order keys, varied whitespace, and Unicode escapes, then verify the output matches the canonical form
+- [ ] Generate CycloneDX SBOM output from identical inputs on two separate runs and verify SHA-256 hash match
+- [ ] Generate SPDX SBOM output from identical inputs on two separate runs and verify SHA-256 hash match
+- [ ] Verify golden sample test vectors by comparing generated attestation against known-good fixtures stored in the test project
+- [ ] Run conformance parity tests to verify Attestor output matches reference implementations for checkpoint parsing, inclusion proofs, and verification

docs/features/unchecked/attestor/attestation-timestamp-pipeline-with-time-correlation-validation.md

@@ -0,0 +1,30 @@
+# Attestation Timestamp Pipeline with Time Correlation Validation
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Integration of RFC 3161 timestamps into the attestation pipeline with TST-Rekor time correlation validation that detects anti-backdating attempts by cross-referencing TST genTime against Rekor integratedTime. Includes CycloneDx/SPDX timestamp extensions and policy-gated timestamping. No direct match in known features list.
+
+## Implementation Details
+- **Timestamp Service**: `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/AttestationTimestampService.cs` (with `.Helpers`, `.Timestamp`, `.Verify` partials) -- core RFC 3161 timestamp request/response pipeline.
+- **Time Correlation Validator**: `TimeCorrelationValidator.cs` (with `.Async`, `.GapChecks`, `.Validate` partials) -- cross-references TST genTime against Rekor integratedTime to detect anti-backdating. `TimeCorrelationPolicy.cs` defines acceptable drift windows. `TimeCorrelationResult.cs` and `TimeCorrelationStatus.cs` capture validation outcomes. `TimeConsistencyResult.cs` aggregates cross-source consistency.
+- **Timestamp Policy**: `TimestampPolicy.cs`, `TimestampPolicyEvaluator.cs`, `TimestampPolicyResult.cs` -- policy-gated timestamping determining when timestamps are required.
+- **CycloneDX Timestamp Extension**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxTimestampExtension.cs` (with `.Extract` partial) -- embeds timestamp tokens into CycloneDX output.
+- **SPDX Timestamp Extension**: `SpdxTimestampExtension.cs` (with `.Extract` partial) -- embeds timestamp tokens into SPDX output.
+- **Rekor Receipt**: `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/RekorReceipt.cs` -- Rekor receipt model with `integratedTime` for cross-reference.
+- **TSA Multi-Provider**: `src/Attestor/__Libraries/StellaOps.Attestor.Infrastructure/Timestamping/TsaMultiProvider.cs` -- fallback chain across TSA providers.
+- **Configuration**: `AttestationTimestampOptions.cs`, `AttestationTimestampServiceOptions.cs`, `AttestationTimestampVerificationOptions.cs`, `AttestationTimestampPolicyContext.cs`.
+- **Tests**: `StellaOps.Attestor.Tests/Timestamping/AttestationTimestampServiceTests.cs`, `AttestationTimestampPolicyTests.cs`, `TimeCorrelationValidatorTests.cs`, `__Tests/StellaOps.Attestor.StandardPredicates.Tests/TimestampExtensionTests.cs`
+
+## E2E Test Plan
+- [ ] Timestamp an attestation via `AttestationTimestampService`, retrieve the Rekor receipt, and verify `TimeCorrelationValidator` passes when TST genTime and Rekor integratedTime are within the configured drift window
+- [ ] Set a strict `TimeCorrelationPolicy` (e.g., max 5-second drift) and submit a timestamp where genTime differs from integratedTime by 10 seconds, verifying the validator returns a failure `TimeCorrelationStatus`
+- [ ] Evaluate `TimestampPolicyEvaluator` with a policy requiring timestamps for production artifacts and verify it gates appropriately
+- [ ] Generate a CycloneDX SBOM with `CycloneDxTimestampExtension` and verify the timestamp token is embedded in the output
+- [ ] Generate an SPDX SBOM with `SpdxTimestampExtension` and verify the timestamp token is embedded in the output
+- [ ] Extract timestamps from a CycloneDX document and verify the extracted `genTime` matches the original
+- [ ] Test `TsaMultiProvider` fallback by simulating primary TSA timeout and verifying secondary provider is used

docs/features/unchecked/attestor/attestor-conformance-test-suite.md

@@ -0,0 +1,30 @@
+# Attestor Conformance Test Suite
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Conformance test suite verifying Sigstore/Rekor verification parity against reference implementations. Tests inclusion proof verification, checkpoint parsing, and signature validation against known-good test vectors.
+
+## Implementation Details
+- **Conformance Tests**: `src/Attestor/__Tests/StellaOps.Attestor.Conformance.Tests/` -- dedicated conformance test project:
+  - `VerificationParityTests.cs` -- verifies attestation verification produces identical results to reference implementations
+  - `InclusionProofParityTests.cs` -- verifies Merkle inclusion proof verification matches reference
+  - `CheckpointParityTests.cs` -- verifies checkpoint parsing and validation matches reference
+  - `ConformanceTestFixture.cs` -- shared fixture with known-good test vectors
+- **Checkpoint Verification**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/CheckpointSignatureVerifier.cs` -- checkpoint signature verification against reference. Tests: `StellaOps.Attestor.Core.Tests/Verification/CheckpointSignatureVerifierTests.cs`
+- **Merkle Proof Verifier**: `StellaOps.Attestor.Core/Verification/MerkleProofVerifier.cs` -- verifies Merkle inclusion proofs. Tests: `StellaOps.Attestor.Tests/MerkleProofVerifierTests.cs`
+- **Rekor Receipt Verification**: `StellaOps.Attestor.Core/Rekor/RekorReceipt.cs` -- receipt model. `StellaOps.Attestor.Core/Verification/RekorOfflineReceiptVerifier.cs` -- offline receipt verification. Tests: `StellaOps.Attestor.Core.Tests/RekorOfflineReceiptVerifierTests.cs`, `StellaOps.Attestor.Core.Tests/Rekor/RekorReceiptTests.cs`
+- **Checkpoint Divergence**: `StellaOps.Attestor.Core/Rekor/CheckpointDivergenceDetector.cs` -- detects split-world attacks. Tests: `StellaOps.Attestor.Core.Tests/Rekor/CheckpointDivergenceDetectorTests.cs`, `CheckpointDivergenceByzantineTests.cs`
+
+## E2E Test Plan
+- [ ] Run `VerificationParityTests` against known-good Sigstore verification test vectors and verify all pass
+- [ ] Run `InclusionProofParityTests` with reference Merkle proofs and verify computed roots match expected values
+- [ ] Run `CheckpointParityTests` with reference checkpoint data and verify signature validation matches expected outcomes
+- [ ] Verify `CheckpointSignatureVerifier` validates a signed checkpoint against a known public key and returns success
+- [ ] Verify `MerkleProofVerifier` validates an inclusion proof with correct sibling hashes and returns the correct root
+- [ ] Verify `RekorOfflineReceiptVerifier` validates a receipt without network access using embedded inclusion proof
+- [ ] Run `CheckpointDivergenceDetector` with two checkpoints from different Rekor instances showing divergent trees and verify detection

docs/features/unchecked/attestor/auditor-evidence-extraction.md

@@ -0,0 +1,30 @@
+# Auditor Evidence Extraction (Audit Pack / Evidence Pack)
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Exportable evidence packs (audit bundles) containing RVA attestation, policy bundle, knowledge snapshot manifest, referenced evidence artifacts, and verification replay logs for auditor consumption.
+
+## Implementation Details
+- **Evidence Pack Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs` -- constructs complete evidence packs containing all artifacts needed for audit verification.
+- **Evidence Pack Serializer**: `ReleaseEvidencePackSerializer.cs` -- serializes evidence packs to portable format.
+- **Evidence Pack Manifest**: `Models/ReleaseEvidencePackManifest.cs` -- manifest listing all artifacts in the pack with digests.
+- **Verification Replay Log**: `Models/VerificationReplayLog.cs` -- captures the sequence of verification steps for deterministic replay.
+- **Replay Log Builder**: `Services/VerificationReplayLogBuilder.cs` -- builds replay logs during verification. `ReplayLogSerializerContext.cs` -- serialization context.
+- **Archive Store**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Storage/IAttestorArchiveStore.cs`, `AttestorArchiveBundle.cs` -- interface and model for archive storage. `Infrastructure/Storage/S3AttestorArchiveStore.cs`, `NullAttestorArchiveStore.cs` -- S3 and null implementations.
+- **Audit Records**: `StellaOps.Attestor.Core/Audit/AttestorAuditRecord.cs` -- audit record model. `StellaOps.Attestor.Core/Storage/IAttestorAuditSink.cs` -- sink interface.
+- **Tests**: `__Tests/StellaOps.Attestor.EvidencePack.Tests/ReleaseEvidencePackBuilderTests.cs`, `ReleaseEvidencePackManifestTests.cs`, `VerificationReplayLogBuilderTests.cs`
+- **Integration Tests**: `__Tests/StellaOps.Attestor.EvidencePack.IntegrationTests/` -- `EvidencePackGenerationTests.cs`, `OfflineVerificationTests.cs`, `ReproducibilityTests.cs`, `TamperDetectionTests.cs`, `SlsaStrictValidationTests.cs`
+
+## E2E Test Plan
+- [ ] Build a `ReleaseEvidencePackManifest` via `ReleaseEvidencePackBuilder` with SBOM, VEX, attestation, and provenance artifacts, then verify manifest contains entries for each artifact with correct SHA-256 digests
+- [ ] Serialize the evidence pack via `ReleaseEvidencePackSerializer` and verify the output can be deserialized back with all artifacts intact
+- [ ] Build a `VerificationReplayLog` capturing 5+ verification steps and verify the log contains each step in order with timestamps and results
+- [ ] Export the evidence pack, then replay verification using the replay log and verify identical outcomes (reproducibility)
+- [ ] Tamper with an artifact in the exported pack and verify that digest verification detects the modification
+- [ ] Archive an evidence pack to S3 via `S3AttestorArchiveStore` and retrieve it, verifying content integrity
+- [ ] Verify the evidence pack includes all required audit artifacts (attestation chain, policy bundle, knowledge snapshot)

docs/features/unchecked/attestor/auditor-ready-evidence-export-packs.md

@@ -0,0 +1,31 @@
+# Auditor-Ready Evidence Export Packs (SBOM + VEX + Attestation + Provenance)
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Full audit pack export system with verdict replay attestation, evidence bundling, and export center with timeline integration and scheduling.
+
+## Implementation Details
+- **Evidence Pack Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs` -- constructs export-ready evidence packs containing SBOM, VEX, attestation, and provenance artifacts.
+- **Evidence Pack Manifest**: `Models/ReleaseEvidencePackManifest.cs` -- manifest with digest-verified artifact listings.
+- **Evidence Pack Serializer**: `ReleaseEvidencePackSerializer.cs` -- portable serialization format.
+- **Verification Replay Log**: `Models/VerificationReplayLog.cs` -- captures verification steps for replay. `Services/VerificationReplayLogBuilder.cs` -- builds replay logs.
+- **Offline Kit Bundle**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Services/OfflineKitBundleProvider.cs` -- provides offline-ready bundles for air-gap scenarios.
+- **Attestation Bundler**: `AttestationBundler.cs` -- aggregates attestations. `IBundleStore.cs` -- persistence. `BundlingOptions.cs` -- configuration.
+- **Retention Policy**: `RetentionPolicyEnforcer.cs` -- enforces retention policies on exported packs.
+- **Archive Storage**: `StellaOps.Attestor.Core/Storage/IAttestorArchiveStore.cs` -- archive interface. `S3AttestorArchiveStore.cs` -- S3 implementation.
+- **Offline Bundle**: `StellaOps.Attestor.Core/Offline/AttestorOfflineBundle.cs`, `IAttestorBundleService.cs` -- offline bundle support.
+- **Integration Tests**: `__Tests/StellaOps.Attestor.EvidencePack.IntegrationTests/` -- `EvidencePackGenerationTests.cs`, `OfflineVerificationTests.cs`, `ReproducibilityTests.cs`, `TamperDetectionTests.cs`
+
+## E2E Test Plan
+- [ ] Build a complete evidence export pack containing SBOM (CycloneDX), VEX document, DSSE-signed attestation, and SLSA provenance via `ReleaseEvidencePackBuilder`
+- [ ] Serialize the pack and verify the manifest lists all four artifact types with correct SHA-256 digests
+- [ ] Export an offline kit via `OfflineKitBundleProvider` and verify all required artifacts are included for air-gap verification
+- [ ] Verify the replay log captures the full verification sequence and can be replayed to produce identical results
+- [ ] Test retention policy enforcement by creating a pack older than the retention window and verifying `RetentionPolicyEnforcer` marks it for cleanup
+- [ ] Archive a pack to S3 and retrieve it, verifying all artifacts are intact and digests match the manifest
+- [ ] Tamper with a single artifact in the pack and verify integrity validation detects the modification

docs/features/unchecked/attestor/auto-vex-drafting-attestation.md

@@ -0,0 +1,28 @@
+# Auto-VEX Drafting Attestation
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+VEX draft generation attestation types for AI-generated VEX statements with justifications, enabling lattice-aware merge preview.
+
+## Implementation Details
+- **AIVexDraftPredicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIVexDraftPredicate.cs` -- extends `AIArtifactBasePredicate` with VEX-specific draft fields.
+- **AIVexStatementDraft**: `AIVexStatementDraft.cs` -- individual VEX statement draft with status, justification, and product/vulnerability references.
+- **AIVexJustification**: `AIVexJustification.cs` -- AI-generated justification for VEX status decisions.
+- **Classifier Integration**: `AIAuthorityClassifier.VexDraft.cs` and `AIAuthorityClassifier.VexDraftScore.cs` -- classifies VEX drafts into Suggestion/EvidenceBacked/AuthorityThreshold.
+- **Statement**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/AIVexDraftStatement.cs` -- wraps VEX draft as in-toto statement.
+- **VEX Predicate**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexPredicate.cs` -- base VEX predicate. `VexAttestationPredicate.cs` -- VEX attestation predicate.
+- **VEX Override System**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/` -- `VexOverridePredicateBuilder.cs` (with `.Build`, `.Serialize`, `.WithMethods`), `VexOverridePredicateParser.cs` (with multiple partials) for building and parsing VEX overrides.
+- **VEX Proof Integration**: `__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) and `VexVerdictProofPayload.cs` -- integrates VEX drafts into the proof chain.
+
+## E2E Test Plan
+- [ ] Create an `AIVexDraftPredicate` with multiple `AIVexStatementDraft` entries (not_affected, affected, under_investigation) and verify JSON serialization preserves all fields
+- [ ] Create a VEX draft with `AIVexJustification` containing evidence citations and classify via `AIAuthorityClassifier.VexDraft`, verifying EvidenceBacked authority when citations are sufficient
+- [ ] Wrap the VEX draft in `AIVexDraftStatement` and verify it produces a valid in-toto statement with correct predicate type
+- [ ] Build a `VexOverridePredicate` from an AI-generated draft via `VexOverridePredicateBuilder` and verify the override captures the draft's justification
+- [ ] Parse a serialized VEX override via `VexOverridePredicateParser` and verify all fields round-trip correctly
+- [ ] Integrate a VEX draft into the proof chain via `VexProofIntegrator` and verify the proof payload contains the draft evidence

docs/features/unchecked/attestor/backport-proof-service.md

@@ -0,0 +1,34 @@
+# Backport Proof Service
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+BackportProof library in Concelier and multi-tier BackportProofGenerator in Attestor with confidence scoring, evidence combining, and tier-based proof generation (Tier 1 through 4 plus signature variants).
+
+## Implementation Details
+- **BackportProofGenerator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.cs` -- orchestrates multi-tier backport proof generation. Partials:
+  - `BackportProofGenerator.Tier1.cs` -- Tier 1: exact version match proofs
+  - `BackportProofGenerator.Tier2.cs` -- Tier 2: advisory-level evidence
+  - `BackportProofGenerator.Tier3.cs` -- Tier 3: heuristic/pattern matching
+  - `BackportProofGenerator.Tier3Signature.cs` -- Tier 3 signature variant with binary signature comparison
+  - `BackportProofGenerator.Tier4.cs` -- Tier 4: lowest confidence, inference-based
+  - `BackportProofGenerator.Confidence.cs` -- confidence scoring across tiers using proof-strength hierarchy
+  - `BackportProofGenerator.CombineEvidence.cs` -- evidence aggregation from multiple tiers
+  - `BackportProofGenerator.Status.cs` -- status tracking for proof generation progress
+  - `BackportProofGenerator.VulnerableUnknown.cs` -- handling of unknown vulnerability status
+- **Evidence Summary**: `EvidenceSummary.cs` -- aggregated evidence output from proof generation.
+- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BackportProofGeneratorTests.cs`
+
+## E2E Test Plan
+- [ ] Generate a Tier 1 proof for a package with exact version match in advisory data and verify high confidence score (>= 0.9)
+- [ ] Generate a Tier 2 proof using advisory-level evidence (CVE matches package family) and verify moderate confidence score
+- [ ] Generate a Tier 3 proof using binary signature comparison and verify it includes signature match details
+- [ ] Generate a Tier 4 inference-based proof and verify it has the lowest confidence score among all tiers
+- [ ] Combine evidence from Tier 1 and Tier 2 via `CombineEvidence` and verify the combined confidence is higher than either individual tier
+- [ ] Generate a proof for a package with `VulnerableUnknown` status and verify the generator handles it with appropriate uncertainty indicators
+- [ ] Verify `EvidenceSummary` output contains entries from all applicable tiers with per-tier confidence scores
+- [ ] Generate proofs for the same package twice and verify deterministic output (same confidence scores and evidence)

docs/features/unchecked/attestor/binary-diff-predicate-dsse-attestation-for-patch-detection.md

@@ -0,0 +1,31 @@
+# Binary Diff Predicate / DSSE Attestation for Patch Detection
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Complete BinaryDiff predicate implementation with DSSE signing/verification, schema validation, normalization, and serialization for patch detection attestations.
+
+## Implementation Details
+- **BinaryDiff Predicate Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs` (with `.Build` partial) -- implements `IBinaryDiffPredicateBuilder` to construct binary diff predicates from diff findings.
+- **BinaryDiff Predicate Serializer**: `BinaryDiffPredicateSerializer.cs` (with `.Normalize` partial) -- implements `IBinaryDiffPredicateSerializer` for deterministic serialization with normalization.
+- **DSSE Signing**: `BinaryDiffDsseSigner.cs` -- signs binary diff predicates as DSSE envelopes.
+- **DSSE Verification**: `BinaryDiffDsseVerifier.cs` (with `.Helpers` partial) -- implements `IBinaryDiffDsseVerifier` for verifying signed binary diff attestations.
+- **Schema Validation**: `BinaryDiffSchema.cs` (with `.SchemaJson` partial) -- JSON schema for binary diff predicates. `BinaryDiffSchemaValidationResult.cs` -- validation result model.
+- **Models**: `BinaryDiffModels.cs` -- core diff models. `BinaryDiffSectionModels.cs` -- section-level diff models (ELF/PE sections). `BinaryDiffFinding.cs` -- individual diff finding. `BinaryDiffOptions.cs` -- configuration.
+- **Metadata**: `BinaryDiffMetadataBuilder.cs` -- builds metadata for diff predicates.
+- **DI Registration**: `ServiceCollectionExtensions.cs` -- registers all BinaryDiff services.
+- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiff/` -- `BinaryDiffPredicateBuilderTests.cs`, `BinaryDiffPredicateSerializerTests.cs`, `BinaryDiffDsseSignerTests.cs`, `BinaryDiffSchemaValidationTests.cs`
+
+## E2E Test Plan
+- [ ] Build a binary diff predicate from a set of `BinaryDiffFinding` entries via `BinaryDiffPredicateBuilder` and verify the predicate contains all findings
+- [ ] Serialize the predicate via `BinaryDiffPredicateSerializer` and verify normalization produces deterministic output (serialize twice, compare bytes)
+- [ ] Sign the serialized predicate via `BinaryDiffDsseSigner` and verify the DSSE envelope is well-formed
+- [ ] Verify the signed envelope via `BinaryDiffDsseVerifier` and confirm verification passes
+- [ ] Tamper with the signed envelope payload and verify `BinaryDiffDsseVerifier` returns failure
+- [ ] Validate a predicate against the JSON schema via `BinaryDiffSchema` and verify it passes
+- [ ] Create a predicate with section-level diffs (`BinaryDiffSectionModels`) for ELF `.text` and `.rodata` sections and verify section details are preserved
+- [ ] Create a predicate missing required fields and verify schema validation catches the error

docs/features/unchecked/attestor/binary-diff-with-deterministic-signatures.md

@@ -0,0 +1,32 @@
+# Binary Diff with Deterministic Signatures
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Binary diff analysis with DSSE-signed evidence output is implemented. The system compares binaries, produces deterministic diff signatures, serializes predicates, and integrates with VEX evidence linking. While the advisory specifically mentions B2R2 IR lifting, the implemented approach uses binary section-level diffing with DSSE attestation.
+
+## Implementation Details
+- **BinaryDiff Predicate System**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/` -- full predicate lifecycle:
+  - `BinaryDiffPredicateBuilder.cs` (with `.Build`) -- constructs predicates from diff findings
+  - `BinaryDiffPredicateSerializer.cs` (with `.Normalize`) -- deterministic serialization via normalization
+  - `BinaryDiffDsseSigner.cs` -- DSSE envelope signing for deterministic signatures
+  - `BinaryDiffDsseVerifier.cs` (with `.Helpers`) -- signature verification
+  - `BinaryDiffSectionModels.cs` -- section-level diff models for ELF/PE binaries
+- **Evidence Integration**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers` partial) -- generates fingerprint evidence from binary analysis.
+- **Binary Identity**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryIdentityInfo.cs` -- binary identity model. `BinaryVulnMatchInfo.cs` -- vulnerability match details.
+- **Binary Fingerprint Predicate**: `BinaryFingerprintEvidencePredicate.cs` -- predicate for fingerprint evidence.
+- **VEX Integration**: `VexProofIntegrator.cs` links binary diff evidence to VEX decisions.
+- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiff/` -- builder, serializer, signer, schema validation tests
+
+## E2E Test Plan
+- [ ] Perform a binary diff between two versions of a binary and produce a `BinaryDiffPredicateBuilder` output with section-level changes
+- [ ] Serialize the diff predicate via `BinaryDiffPredicateSerializer.Normalize` and verify byte-for-byte determinism across two invocations
+- [ ] Sign the normalized predicate via `BinaryDiffDsseSigner` and verify the DSSE envelope signature is valid
+- [ ] Verify the signed diff evidence via `BinaryDiffDsseVerifier` and confirm integrity
+- [ ] Generate binary fingerprint evidence via `BinaryFingerprintEvidenceGenerator` from a binary with known vulnerability matches and verify `BinaryVulnMatchInfo` is populated
+- [ ] Link binary diff evidence to a VEX decision via `VexProofIntegrator` and verify the proof chain includes the diff artifact
+- [ ] Create diff findings for both ELF and PE section types and verify `BinaryDiffSectionModels` handles both formats

docs/features/unchecked/attestor/binary-fingerprint-evidence-for-reachability-proofs.md

@@ -0,0 +1,29 @@
+# Binary Fingerprint Evidence for Reachability Proofs
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Binary fingerprint evidence generation with identity info, vulnerability match info, and micro-witness binary references provides cryptographic evidence for binary reachability claims.
+
+## Implementation Details
+- **BinaryFingerprintEvidenceGenerator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers` partial) -- generates attestable fingerprint evidence segments from binary vulnerability findings.
+- **BinaryFingerprintEvidencePredicate**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryFingerprintEvidencePredicate.cs` -- predicate type for binary fingerprint evidence in proof bundles.
+- **BinaryIdentityInfo**: `Predicates/BinaryIdentityInfo.cs` -- captures binary identity (path, hash, format, architecture).
+- **BinaryVulnMatchInfo**: `Predicates/BinaryVulnMatchInfo.cs` -- vulnerability match details linking binary to CVE.
+- **Micro-Witness Models**: `MicroWitnessBinaryRef.cs` -- binary reference within micro-witness. `MicroWitnessCveRef.cs` -- CVE reference. `MicroWitnessFunctionEvidence.cs` -- function-level evidence. `MicroWitnessSbomRef.cs` -- SBOM cross-reference. `MicroWitnessTooling.cs` -- analysis tool info. `MicroWitnessVerdicts.cs` -- micro-witness verdicts.
+- **Binary Micro-Witness Predicate**: `BinaryMicroWitnessPredicate.cs` -- complete micro-witness predicate combining binary evidence with reachability data.
+- **Statement**: `__Libraries/StellaOps.Attestor.ProofChain/Statements/BinaryMicroWitnessStatement.cs` -- in-toto statement wrapper.
+- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BinaryMicroWitnessPredicateTests.cs`
+
+## E2E Test Plan
+- [ ] Generate binary fingerprint evidence via `BinaryFingerprintEvidenceGenerator` for a binary with known vulnerabilities and verify the output contains `BinaryIdentityInfo` with correct hash and format
+- [ ] Verify `BinaryVulnMatchInfo` correctly links a binary identity to a specific CVE with match confidence
+- [ ] Create a `BinaryMicroWitnessPredicate` with `MicroWitnessBinaryRef`, `MicroWitnessCveRef`, and `MicroWitnessFunctionEvidence` and verify all cross-references are populated
+- [ ] Verify `MicroWitnessSbomRef` correctly links the binary evidence to an SBOM component entry
+- [ ] Wrap the micro-witness predicate in `BinaryMicroWitnessStatement` and verify it produces a valid in-toto statement
+- [ ] Generate evidence for a binary with no vulnerability matches and verify the generator produces an empty/clean evidence set
+- [ ] Verify `MicroWitnessTooling` captures the analysis tool name and version used to generate the evidence

docs/features/unchecked/attestor/binary-fingerprint-evidence-generation.md

@@ -0,0 +1,28 @@
+# Binary Fingerprint Evidence Generation
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Extensive binary fingerprinting with disassembly, delta signatures, fingerprint indexing, and attestable proof generation covering ELF/PE analysis.
+
+## Implementation Details
+- **Evidence Generator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers` partial) -- generates attestable proof segments from binary fingerprint analysis. Produces `BinaryFingerprintEvidencePredicate` payloads.
+- **Binary Identity**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryIdentityInfo.cs` -- binary identity (path, hash, format: ELF/PE/Mach-O, architecture).
+- **Vulnerability Matching**: `BinaryVulnMatchInfo.cs` -- links binary identity to CVE matches with confidence.
+- **Micro-Witness Evidence**: `MicroWitnessBinaryRef.cs`, `MicroWitnessFunctionEvidence.cs` -- function-level evidence linking fingerprints to reachability. `MicroWitnessTooling.cs` -- tool metadata.
+- **Binary Diff Integration**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/` -- `BinaryDiffPredicateBuilder.cs`, `BinaryDiffSectionModels.cs` handle section-level diffing for delta signature computation.
+- **Content-Addressed Storage**: fingerprint evidence is content-addressed via `ContentAddressedIdGenerator` from `__Libraries/StellaOps.Attestor.ProofChain/Identifiers/`.
+- **Note**: Actual binary disassembly and fingerprint indexing lives in `src/BinaryIndex/` module; Attestor provides the attestation layer wrapping those results.
+
+## E2E Test Plan
+- [ ] Generate fingerprint evidence from a binary analysis result containing ELF section hashes and verify `BinaryFingerprintEvidencePredicate` captures all section fingerprints
+- [ ] Generate fingerprint evidence from PE binary analysis and verify format-specific sections (.text, .rdata, .rsrc) are represented
+- [ ] Verify the evidence generator produces content-addressed IDs for each fingerprint evidence artifact
+- [ ] Create delta signatures by running the generator on two binary versions and verify the diff captures added/removed/changed sections
+- [ ] Verify `MicroWitnessFunctionEvidence` links specific functions to their fingerprint evidence
+- [ ] Run the generator twice on identical inputs and verify deterministic output (same evidence IDs)
+- [ ] Verify the generated evidence can be embedded in a DSSE-signed attestation via the proof chain signing infrastructure