semi implemented and features implemented save checkpoint

2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
--- a/docs/features/unchecked/concelier/4-tier-backport-evidence-resolver.md
+++ b/docs/features/unchecked/concelier/4-tier-backport-evidence-resolver.md
@@ -0,0 +1,27 @@
+# 4-Tier Backport Evidence Resolver
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Multi-tier backport evidence resolution with tier precedence, distro mappings, cross-distro OVAL integration, and deterministic backport verdicts.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Merge/`, `src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/`
+- **Key Classes**:
+  - `BackportEvidenceResolver` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Backport/BackportEvidenceResolver.cs`) - multi-tier evidence resolution with tier precedence logic
+  - `BackportStatusService` (`src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/Services/BackportStatusService.cs`) - backport status lookups with version comparison
+  - `FixIndexService` (`src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/Services/FixIndexService.cs`) - O(1) distro patch lookups via fix index
+  - `ProvenanceScopeService` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Backport/ProvenanceScopeService.cs`) - provenance scope tracking for backport-aware deduplication
+- **Persistence**: `ProvenanceScopeRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/ProvenanceScopeRepository.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Submit a CVE with known backport status across multiple distros and verify the `BackportEvidenceResolver` returns correct tier-based verdict
+- [ ] Verify tier precedence: Tier 1 evidence (direct patch proof) overrides Tier 2/3/4 evidence
+- [ ] Verify cross-distro resolution: same CVE produces correct backport verdicts for Alpine, Debian, and RedHat simultaneously
+- [ ] Verify deterministic verdicts: identical inputs produce identical backport verdicts across repeated runs
+- [ ] Verify `FixIndexService` returns O(1) lookup performance for known distro patch entries
--- a/docs/features/unchecked/concelier/advisory-connector-architecture.md
+++ b/docs/features/unchecked/concelier/advisory-connector-architecture.md
@@ -0,0 +1,32 @@
+# Advisory Connector Architecture (NVD, OSV, GHSA, Vendor Feeds)
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Extensive advisory connector ecosystem with vendor-specific connectors for VMware, Oracle, MSRC, Cisco, Chromium, Apple, plus NVD, OSV, GHSA, RedHat, SUSE, Debian, Alpine, Ubuntu, KEV, EPSS, CERT-FR, CERT-CC, CERT-Bund feeds.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Connector.*`, `src/Concelier/__Connectors/`, `src/Concelier/StellaOps.Concelier.Plugin.Unified/`
+- **Key Classes**:
+  - **Plugin System**: `FeedPluginAdapterFactory`, `FeedPluginAdapter` (`src/Concelier/StellaOps.Concelier.Plugin.Unified/`) - unified plugin adapter for `IConnectorPlugin` implementations
+  - **Orchestration**: `ConnectorRegistrationService` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/ConnectorRegistrationService.cs`) - discovers and registers connector plugins
+  - `ConnectorWorker` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/ConnectorWorker.cs`) - executes connector ingestion cycles
+  - **Vendor Connectors**: `CiscoConnector`, `VmwareConnector`, `OracleConnector`, `MsrcConnector`, `AppleConnector`, `ChromiumConnector`, `AdobeConnector` (each in `src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.*`)
+  - **Feed Connectors**: `NvdConnector`, `OsvConnector`, `GhsaConnector`, `EpssConnector`, `KevConnector`, `CveConnector` (each in `src/Concelier/__Libraries/StellaOps.Concelier.Connector.*`)
+  - **CERT Connectors**: `CertBundConnector`, `CertFrConnector`, `CertCcConnector`, `CertInConnector` (each in `src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cert*`)
+  - **Distro Connectors**: `AlpineConnector`, `DebianConnector`, `RedHatConnector`, `SuseConnector`, `UbuntuConnector` (each in `src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.*`)
+  - **Regional Connectors**: `AcscConnector`, `KisaConnector`, `JvnConnector`, `IcsCisaConnector`, `KasperskyConnector`, `RuBduConnector`, `RuNkckiConnector`, `AstraConnector`, `StellaOpsMirrorConnector`
+- **Interfaces**: `IFeedConnector`, `IConnectorPlugin`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify `ConnectorRegistrationService` discovers all connector plugins via DI
+- [ ] Trigger a connector ingestion cycle via `ConnectorWorker` for NVD and verify advisories are stored
+- [ ] Verify GHSA connector fetches GitHub Security Advisories and maps to canonical format
+- [ ] Verify EPSS connector fetches exploit prediction scores and associates with CVE IDs
+- [ ] Verify at least one vendor connector (e.g., Cisco) fetches vendor-specific advisories
+- [ ] Verify at least one distro connector (e.g., Debian) fetches distro-specific patch data
--- a/docs/features/unchecked/concelier/advisory-federation-with-delta-bundle-export-import.md
+++ b/docs/features/unchecked/concelier/advisory-federation-with-delta-bundle-export-import.md
@@ -0,0 +1,30 @@
+# Advisory Federation with Delta Bundle Export/Import
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Cursor-based federation system for synchronizing canonical advisories across sites (including air-gapped). Exports ZST-compressed NDJSON delta bundles with DSSE signatures, imports with verification (hash, signature, site policy), merge with conflict detection, and sync ledger for cursor tracking. Supports CLI commands (feedser bundle export/import) and REST API endpoints.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Federation/`, `src/Concelier/__Libraries/StellaOps.Concelier.Persistence/`
+- **Key Classes**:
+  - `BundleExportService` (`src/Concelier/__Libraries/StellaOps.Concelier.Federation/Export/BundleExportService.cs`) - exports ZST-compressed NDJSON delta bundles with DSSE signatures
+  - `BundleImportService` (`src/Concelier/__Libraries/StellaOps.Concelier.Federation/Import/BundleImportService.cs`) - imports bundles with verification and conflict detection
+  - `BundleVerifier` (`src/Concelier/__Libraries/StellaOps.Concelier.Federation/Import/BundleVerifier.cs`) - verifies bundle hash and DSSE signatures
+  - `SyncLedgerRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/SyncLedgerRepository.cs`) - cursor-based sync ledger for tracking federation state
+  - `SyncLedgerEntity` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Models/SyncLedgerEntity.cs`) - persistence model for sync ledger entries
+  - `PostgresExportStateStore` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/PostgresExportStateStore.cs`) - export state tracking
+- **Interfaces**: `IBundleExportService`, `IBundleImportService`, `IBundleVerifier`, `ISyncLedgerRepository`
+- **Source**: SPRINT_8200_0014_0001 + 0002 + 0003
+
+## E2E Test Plan
+- [ ] Export a delta bundle via `BundleExportService` and verify the output is ZST-compressed NDJSON with a DSSE signature
+- [ ] Import the exported bundle via `BundleImportService` and verify all advisories are restored
+- [ ] Verify `BundleVerifier` rejects a bundle with a tampered hash or invalid signature
+- [ ] Verify cursor-based sync: export with cursor, add new advisories, export again, verify only delta is included
+- [ ] Verify `SyncLedgerRepository` tracks cursor positions per remote site
+- [ ] Verify deterministic export: same input produces identical bundle content (excluding timestamps)
--- a/docs/features/unchecked/concelier/advisory-ingestion-with-canonical-deduplication.md
+++ b/docs/features/unchecked/concelier/advisory-ingestion-with-canonical-deduplication.md
@@ -0,0 +1,30 @@
+# Advisory Ingestion with Canonical Deduplication
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Advisory ingestion pipeline with canonical deduplication, linkset observation factory, and raw advisory processing.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Core/`, `src/Concelier/__Libraries/StellaOps.Concelier.Merge/`, `src/Concelier/__Libraries/StellaOps.Concelier.Persistence/`
+- **Key Classes**:
+  - `CanonicalAdvisoryService` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Canonical/CanonicalAdvisoryService.cs`) - core canonical advisory management
+  - `CachingCanonicalAdvisoryService` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Canonical/CachingCanonicalAdvisoryService.cs`) - caching decorator for canonical advisory lookups
+  - `MergeHashCalculator` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Identity/MergeHashCalculator.cs`) - deterministic semantic merge hash for deduplication
+  - `ConnectorWorker` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/ConnectorWorker.cs`) - orchestrates advisory ingestion cycles
+  - `AdvisoryRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/AdvisoryRepository.cs`) - raw advisory persistence
+  - `AdvisoryCanonicalRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/AdvisoryCanonicalRepository.cs`) - canonical advisory persistence
+  - `AdvisorySourceEdgeEntity` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Models/AdvisorySourceEdgeEntity.cs`) - source-to-canonical edge tracking
+- **Interfaces**: `ICanonicalAdvisoryService`, `IMergeHashCalculator`, `IAdvisoryRepository`, `IAdvisoryCanonicalRepository`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Ingest the same advisory from two different sources (e.g., NVD and GHSA) and verify they deduplicate to a single canonical advisory
+- [ ] Verify `MergeHashCalculator` produces identical hashes for semantically equivalent advisories from different sources
+- [ ] Verify `AdvisorySourceEdgeEntity` tracks both source edges pointing to the same canonical
+- [ ] Verify `CachingCanonicalAdvisoryService` returns cached results on repeated lookups
+- [ ] Verify new advisories with different CVE IDs produce distinct canonicals
--- a/docs/features/unchecked/concelier/advisory-interest-scoring-service.md
+++ b/docs/features/unchecked/concelier/advisory-interest-scoring-service.md
@@ -0,0 +1,32 @@
+# Advisory Interest Scoring Service
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Learns which advisories matter to an organization by computing interest scores from SBOM intersection, reachability, deployment, VEX status, and age decay signals. Includes background recalculation jobs and stub degradation for low-interest advisories.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Interest/`, `src/Concelier/__Libraries/StellaOps.Concelier.Persistence/`
+- **Key Classes**:
+  - `InterestScoringService` (`src/Concelier/__Libraries/StellaOps.Concelier.Interest/InterestScoringService.cs`) - main service computing interest scores from multiple signals
+  - `InterestScoreCalculator` (`src/Concelier/__Libraries/StellaOps.Concelier.Interest/InterestScoreCalculator.cs`) - calculates weighted interest scores
+  - `InterestScoreRecalculationJob` (`src/Concelier/__Libraries/StellaOps.Concelier.Interest/Jobs/InterestScoreRecalculationJob.cs`) - `BackgroundService` for periodic recalculation
+  - `InterestScoreOptions` (`src/Concelier/__Libraries/StellaOps.Concelier.Interest/InterestScoreOptions.cs`) - configurable weights and thresholds
+  - `InterestScoreWeights` (`src/Concelier/__Libraries/StellaOps.Concelier.Interest/InterestScoreOptions.cs`) - weight configuration for scoring signals
+  - `InterestScoringMetrics` (`src/Concelier/__Libraries/StellaOps.Concelier.Interest/InterestScoringMetrics.cs`) - OpenTelemetry metrics for scoring operations
+  - `InterestScoreRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/InterestScoreRepository.cs`) - PostgreSQL persistence for interest scores
+- **API**: `InterestScoreEndpointExtensions` (`src/Concelier/StellaOps.Concelier.WebService/Extensions/InterestScoreEndpointExtensions.cs`) - REST endpoints for interest score queries
+- **Interfaces**: `IInterestScoringService`, `IInterestScoreRepository`
+- **Source**: SPRINT_8200_0013_0002_CONCEL_interest_scoring.md
+
+## E2E Test Plan
+- [ ] Compute interest score for an advisory that intersects with a deployed SBOM and verify score is high
+- [ ] Compute interest score for an advisory with no SBOM intersection and verify score is low
+- [ ] Verify age decay: recompute score for an older advisory and confirm it decreases over time
+- [ ] Verify `InterestScoreRecalculationJob` runs periodically and updates scores in the repository
+- [ ] Verify configurable weights: adjust `InterestScoreWeights` and confirm scoring output changes accordingly
+- [ ] Verify REST endpoints return interest scores for queried advisories
--- a/docs/features/unchecked/concelier/advisory-mode-formula-for-evidence-weighted-scoring.md
+++ b/docs/features/unchecked/concelier/advisory-mode-formula-for-evidence-weighted-scoring.md
@@ -0,0 +1,26 @@
+# Advisory-Mode Formula for Evidence-Weighted Scoring
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+New FormulaMode enum (Advisory vs Legacy) for the EWS scoring engine that adds CVSS base score, exploit maturity level, and patch proof confidence as first-class scoring dimensions. Includes VEX override logic where authoritative not_affected status forces score to zero. Extends beyond the known "Evidence-Weighted Score (EWS) Model" with new dimensions and formula modes.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Interest/`, `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/`
+- **Key Classes**:
+  - `InterestScoreCalculator` (`src/Concelier/__Libraries/StellaOps.Concelier.Interest/InterestScoreCalculator.cs`) - scoring calculator with formula mode support
+  - `InterestScoreOptions` (`src/Concelier/__Libraries/StellaOps.Concelier.Interest/InterestScoreOptions.cs`) - formula mode configuration and weight tuning
+  - `VendorRiskSignalExtractor` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/VendorRiskSignalExtractor.cs`) - extracts risk signals from vendor advisories
+  - `PolicyStudioSignalPicker` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/PolicyStudio/PolicyStudioSignalPicker.cs`) - picks signals for policy studio integration
+- **Source**: batch_37/file_05.md
+
+## E2E Test Plan
+- [ ] Compute EWS score in Advisory mode with CVSS base, exploit maturity, and patch proof inputs and verify all dimensions contribute
+- [ ] Compute EWS score in Legacy mode and verify it uses the original formula without new dimensions
+- [ ] Verify VEX override: submit an advisory with authoritative `not_affected` VEX status and verify score is forced to zero
+- [ ] Verify exploit maturity signal: advisory with active exploitation scores higher than one without
+- [ ] Verify patch proof confidence: advisory with confirmed patch proof scores lower (less urgent) than one without
--- a/docs/features/unchecked/concelier/backport-aware-advisory-deduplication-with-provenance-scope.md
+++ b/docs/features/unchecked/concelier/backport-aware-advisory-deduplication-with-provenance-scope.md
@@ -0,0 +1,31 @@
+# Backport-Aware Advisory Deduplication with Provenance Scope
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Enhances canonical advisory deduplication to be backport-aware. Same CVE with different backport status produces correctly differentiated canonicals. Includes provenance_scope tracking, configurable vendor vs. distro precedence lattice, and patch lineage normalization for merge_hash computation.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Merge/`, `src/Concelier/__Libraries/StellaOps.Concelier.Persistence/`
+- **Key Classes**:
+  - `MergeHashCalculator` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Identity/MergeHashCalculator.cs`) - merge hash computation with backport-aware normalization
+  - `MergeHashBackfillService` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Services/MergeHashBackfillService.cs`) - backfills merge hashes for existing advisories
+  - `MergeHashBackfillJob` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Jobs/MergeHashBackfillJob.cs`) - scheduled job for merge hash backfill
+  - `MergeHashShadowWriteService` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Identity/MergeHashShadowWriteService.cs`) - shadow writes for merge hash validation
+  - `ProvenanceScopeService` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Backport/ProvenanceScopeService.cs`) - provenance scope tracking and management
+  - `ProvenanceScopeRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/ProvenanceScopeRepository.cs`) - PostgreSQL persistence for provenance scopes
+  - `ProvenanceScopeEntity` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Models/ProvenanceScopeEntity.cs`) - database entity for provenance scope
+  - `PostgresProvenanceScopeStore` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/PostgresProvenanceScopeStore.cs`) - store implementation
+- **Interfaces**: `IMergeHashCalculator`, `IProvenanceScopeService`, `IProvenanceScopeRepository`
+- **Source**: SPRINT_8200_0015_0001_CONCEL_backport_integration.md
+
+## E2E Test Plan
+- [ ] Ingest same CVE with different backport status (patched vs unpatched) from two distros and verify they produce distinct canonical advisories
+- [ ] Verify `MergeHashCalculator` differentiates merge hashes when backport status differs for the same CVE
+- [ ] Verify `ProvenanceScopeService` correctly tracks which provenance scope each canonical belongs to
+- [ ] Verify vendor vs. distro precedence: when vendor says "not affected" but distro says "patched", verify the precedence lattice resolves correctly
+- [ ] Verify `MergeHashBackfillService` can retroactively update merge hashes for pre-existing advisories
--- a/docs/features/unchecked/concelier/backport-fixindex-service-with-o-distro-patch-lookups.md
+++ b/docs/features/unchecked/concelier/backport-fixindex-service-with-o-distro-patch-lookups.md
@@ -0,0 +1,26 @@
+# Backport FixIndex Service with O(1) Distro Patch Lookups
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Indexed distro patch lookup service providing O(1) performance for determining whether a specific package version contains a backported fix for a given CVE across multiple distributions.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/`
+- **Key Classes**:
+  - `FixIndexService` (`src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/Services/FixIndexService.cs`) - O(1) indexed lookup for distro patch status
+  - `BackportStatusService` (`src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/Services/BackportStatusService.cs`) - backport status resolution with version comparison
+  - `BackportEvidenceResolver` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Backport/BackportEvidenceResolver.cs`) - multi-tier evidence resolution consuming fix index data
+- **Interfaces**: `IFixIndexService`, `IBackportStatusService`
+- **Source**: SPRINT_20251229_004_002_BE_backport_status_service.md
+
+## E2E Test Plan
+- [ ] Query `FixIndexService` for a known CVE+distro+package combination and verify it returns patch status in O(1)
+- [ ] Verify `BackportStatusService` correctly compares package versions to determine if a backport fix is present
+- [ ] Verify cross-distro lookups: query the same CVE for Alpine, Debian, and RedHat and verify correct fix status for each
+- [ ] Verify index population: ingest distro connector data and verify the fix index is populated
+- [ ] Verify negative case: query for a CVE with no known backport fix and verify "unknown" or "not fixed" status
--- a/docs/features/unchecked/concelier/canonical-advisory-source-edge-schema.md
+++ b/docs/features/unchecked/concelier/canonical-advisory-source-edge-schema.md
@@ -0,0 +1,28 @@
+# Canonical Advisory Source Edge Schema (Database Layer)
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Database schema for provenance-scoped canonical advisory deduplication. Stores deduplicated advisories with merge_hash identity and links each to source documents via DSSE-signed source edges. Enables multi-source advisory merge with full provenance tracking.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Persistence/`, `src/Concelier/__Libraries/StellaOps.Concelier.Merge/`
+- **Key Classes**:
+  - `AdvisorySourceEdgeEntity` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Models/AdvisorySourceEdgeEntity.cs`) - database entity linking canonical advisories to source documents
+  - `AdvisoryCanonicalRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/AdvisoryCanonicalRepository.cs`) - canonical advisory CRUD with merge_hash identity
+  - `AdvisoryRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/AdvisoryRepository.cs`) - raw advisory persistence
+  - `MergeHashCalculator` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Identity/MergeHashCalculator.cs`) - deterministic merge hash for deduplication identity
+  - `ConcelierDbContext` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/EfCore/Context/ConcelierDbContext.cs`) - EF Core context with source edge schema
+  - `ConcelierDataSource` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/ConcelierDataSource.cs`) - PostgreSQL data source configuration
+- **Source**: SPRINT_8200_0012_0002_DB_canonical_source_edge_schema.md
+
+## E2E Test Plan
+- [ ] Insert a canonical advisory with merge_hash and verify it persists in PostgreSQL via `AdvisoryCanonicalRepository`
+- [ ] Insert two source edges linking different raw advisories to the same canonical and verify both edges are retrievable
+- [ ] Verify merge_hash uniqueness: attempting to insert a duplicate merge_hash updates the existing canonical rather than creating a new one
+- [ ] Verify source edge provenance: query a canonical and verify all linked source documents are returned with provenance metadata
+- [ ] Verify schema migration applies cleanly on a fresh database
--- a/docs/features/unchecked/concelier/cccs-advisory-connector.md
+++ b/docs/features/unchecked/concelier/cccs-advisory-connector.md
@@ -0,0 +1,25 @@
+# CCCS Advisory Connector
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Canadian Centre for Cyber Security (CCCS) advisory connector with HTML parsing, raw document mapping, and scheduled job ingestion. The known list has "Cross-Distro Advisory Connectors" and "Advisory Connector Architecture (NVD, OSV, GHSA, Vendor Feeds)" but not CCCS specifically.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/`
+- **Key Classes**:
+  - `CccsConnector` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/CccsConnector.cs`) - `IFeedConnector` implementation for CCCS advisory feed ingestion
+  - `CccsConnectorPlugin` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/CccsConnectorPlugin.cs`) - `IConnectorPlugin` registration for DI discovery
+- **Orchestration**: `ConnectorRegistrationService` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/ConnectorRegistrationService.cs`) - discovers and registers the CCCS plugin
+- **Interfaces**: `IFeedConnector`, `IConnectorPlugin`
+- **Source**: Sprint 0117 (batch_14/file_18.md)
+
+## E2E Test Plan
+- [ ] Trigger CCCS connector ingestion and verify advisory documents are fetched and mapped to canonical format
+- [ ] Verify `CccsConnectorPlugin` is discovered by `ConnectorRegistrationService` during startup
+- [ ] Verify HTML parsing: submit a sample CCCS HTML advisory and verify fields are correctly extracted
+- [ ] Verify scheduled ingestion: confirm the connector runs on its configured schedule via `ConnectorWorker`
--- a/docs/features/unchecked/concelier/cisco-vendor-advisory-connector.md
+++ b/docs/features/unchecked/concelier/cisco-vendor-advisory-connector.md
@@ -0,0 +1,25 @@
+# Cisco Vendor Advisory Connector
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Cisco vendor advisory connector for ingesting Cisco security advisories with provenance-tracked mapping. Not individually listed in the known features.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/`
+- **Key Classes**:
+  - `CiscoConnector` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/CiscoConnector.cs`) - `IFeedConnector` implementation for Cisco PSIRT advisory ingestion
+  - `VndrCiscoConnectorPlugin` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/VndrCiscoConnectorPlugin.cs`) - `IConnectorPlugin` registration for DI discovery
+  - `CiscoRawAdvisory` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/Internal/CiscoRawAdvisory.cs`) - raw Cisco advisory model
+- **Interfaces**: `IFeedConnector`, `IConnectorPlugin`
+- **Source**: Sprint 0117 (batch_14/file_18.md)
+
+## E2E Test Plan
+- [ ] Trigger Cisco connector ingestion and verify Cisco PSIRT advisories are fetched and stored
+- [ ] Verify `VndrCiscoConnectorPlugin` is discovered by `ConnectorRegistrationService` during startup
+- [ ] Verify `CiscoRawAdvisory` correctly maps Cisco-specific fields (advisory ID, CVSS, affected products)
+- [ ] Verify provenance tracking: ingested advisories retain Cisco as the provenance source
--- a/docs/features/unchecked/concelier/concelier-advisory-chunks-api.md
+++ b/docs/features/unchecked/concelier/concelier-advisory-chunks-api.md
@@ -0,0 +1,27 @@
+# Concelier Advisory Chunks API (Paragraph-Anchored)
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+REST API endpoint serving paragraph-anchored advisory chunks with tenant enforcement, AdvisoryRead scopes, and filters for sections/formats/limits/minLength. Designed for Advisory AI to pull deterministic paragraph anchors plus source metadata.
+
+## Implementation Details
+- **Modules**: `src/Concelier/StellaOps.Concelier.WebService/`
+- **Key Classes**:
+  - `AdvisoryChunkBuilder` (`src/Concelier/StellaOps.Concelier.WebService/Services/AdvisoryChunkBuilder.cs`) - builds paragraph-anchored chunks from advisory content
+  - `AdvisoryChunkCache` (`src/Concelier/StellaOps.Concelier.WebService/Services/AdvisoryChunkCache.cs`) - in-memory cache for advisory chunks
+  - `MessagingAdvisoryChunkCache` (`src/Concelier/StellaOps.Concelier.WebService/Services/MessagingAdvisoryChunkCache.cs`) - messaging-backed cache implementation
+  - `AdvisoryChunkOptions` (`src/Concelier/StellaOps.Concelier.WebService/Options/ConcelierOptions.cs`) - configuration for chunk sizes, limits, and formats
+- **Interfaces**: `IAdvisoryChunkCache`
+- **Source**: 2025-11-07-concelier-advisory-chunks.md
+
+## E2E Test Plan
+- [ ] Call the advisory chunks endpoint with a valid advisory ID and verify paragraph-anchored chunks are returned
+- [ ] Verify tenant enforcement: request chunks without AdvisoryRead scope and confirm 403 response
+- [ ] Verify section filter: request only specific sections and confirm only matching chunks are returned
+- [ ] Verify minLength filter: set minLength and confirm short paragraphs are excluded
+- [ ] Verify caching: request same advisory chunks twice and confirm second response is served from cache
--- a/docs/features/unchecked/concelier/concelier-deprecation-headers-middleware.md
+++ b/docs/features/unchecked/concelier/concelier-deprecation-headers-middleware.md
@@ -0,0 +1,24 @@
+# Concelier Deprecation Headers Middleware
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+HTTP deprecation headers middleware for Concelier API endpoints, signaling API version lifecycle to consumers. Not in the known list.
+
+## Implementation Details
+- **Modules**: `src/Concelier/StellaOps.Concelier.WebService/Deprecation/`
+- **Key Classes**:
+  - `DeprecationMiddleware` (`src/Concelier/StellaOps.Concelier.WebService/Deprecation/DeprecationMiddleware.cs`) - ASP.NET Core middleware that adds HTTP deprecation headers to responses
+  - `DeprecationMiddlewareExtensions` (`src/Concelier/StellaOps.Concelier.WebService/Deprecation/DeprecationMiddleware.cs`) - extension methods for middleware registration
+  - `DeprecationMiddlewareRegistration` (`src/Concelier/StellaOps.Concelier.WebService/Deprecation/DeprecationMiddleware.cs`) - DI registration helpers
+- **Source**: Sprint 0116 (batch_14/file_17.md)
+
+## E2E Test Plan
+- [ ] Call a deprecated API endpoint and verify the response includes `Deprecation` and `Sunset` HTTP headers
+- [ ] Call a non-deprecated endpoint and verify no deprecation headers are present
+- [ ] Verify the deprecation date format conforms to RFC 7231
+- [ ] Verify middleware registration: confirm `DeprecationMiddleware` is in the ASP.NET Core pipeline
--- a/docs/features/unchecked/concelier/concelier-lnm-linkset-cache-with-telemetry.md
+++ b/docs/features/unchecked/concelier/concelier-lnm-linkset-cache-with-telemetry.md
@@ -0,0 +1,28 @@
+# Concelier LNM Linkset Cache with Telemetry
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+PostgreSQL-backed deterministic cache for Link-Not-Merge advisory linksets with telemetry instrumentation, OpenAPI spec, and deprecation headers. While "Link-Not-Merge Advisory Architecture" is in the known list, this specific linkset caching with persistence and telemetry is a distinct implementation detail.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Core/Linksets/`, `src/Concelier/__Libraries/StellaOps.Concelier.Persistence/`, `src/Concelier/__Libraries/StellaOps.Concelier.Cache.Valkey/`
+- **Key Classes**:
+  - `LinksetCorrelationService` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Linksets/LinksetCorrelationService.cs`) - main service for linkset correlation and caching
+  - `LinksetCorrelationV2` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Linksets/LinksetCorrelationV2.cs`) - V2 algorithm for linkset correlation
+  - `LinksetCorrelation` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Linksets/LinksetCorrelation.cs`) - V1 linkset correlation logic
+  - `ValkeyAdvisoryCacheService` (`src/Concelier/__Libraries/StellaOps.Concelier.Cache.Valkey/ValkeyAdvisoryCacheService.cs`) - Valkey-backed caching layer
+  - `AdvisoryCacheKeys` (`src/Concelier/__Libraries/StellaOps.Concelier.Cache.Valkey/AdvisoryCacheKeys.cs`) - deterministic cache key generation
+- **Interfaces**: `ILinksetCorrelationService`, `IAdvisoryCacheService`
+- **Source**: Sprint 0112 (batch_14/file_13.md)
+
+## E2E Test Plan
+- [ ] Request a linkset for a known CVE and verify the correlation result is returned
+- [ ] Verify caching: request the same linkset twice and confirm the second call is served from cache
+- [ ] Verify telemetry: confirm cache hit/miss metrics are emitted via OpenTelemetry
+- [ ] Verify determinism: identical linkset inputs produce identical cache keys via `AdvisoryCacheKeys`
+- [ ] Verify V2 algorithm: use `LinksetCorrelationV2` and verify improved correlation accuracy over V1
--- a/docs/features/unchecked/concelier/concelier-policy-studio-signal-picker.md
+++ b/docs/features/unchecked/concelier/concelier-policy-studio-signal-picker.md
@@ -0,0 +1,24 @@
+# Concelier Policy Studio Signal Picker
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Policy Studio integration that selects and filters risk signals from advisory data for policy evaluation, including vendor risk signal extraction and fix availability emission. Not in the known list.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/PolicyStudio/`, `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/`
+- **Key Classes**:
+  - `PolicyStudioSignalPicker` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/PolicyStudio/PolicyStudioSignalPicker.cs`) - selects and filters risk signals for policy evaluation
+  - `VendorRiskSignalExtractor` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/VendorRiskSignalExtractor.cs`) - extracts risk signals from vendor advisory data
+- **Interfaces**: `IPolicyStudioSignalPicker`
+- **Source**: Sprint 0114-0115 (batch_14/file_15-16.md)
+
+## E2E Test Plan
+- [ ] Provide an advisory with vendor risk data and verify `PolicyStudioSignalPicker` extracts the correct signals
+- [ ] Verify fix availability signal: advisory with a known fix emits a fix-available signal
+- [ ] Verify `VendorRiskSignalExtractor` correctly maps vendor-specific fields to standardized risk signals
+- [ ] Verify signal filtering: configure the picker to exclude certain signal types and confirm they are omitted
--- a/docs/features/unchecked/concelier/concelier-tenant-scoping.md
+++ b/docs/features/unchecked/concelier/concelier-tenant-scoping.md
@@ -0,0 +1,25 @@
+# Concelier Tenant Scoping
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Tenant-scoped advisory data isolation with scope normalization and capabilities endpoint for multi-tenant Concelier deployments. Not in the known list as a Concelier-specific feature.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Core/Tenancy/`
+- **Key Classes**:
+  - `TenantScopeNormalizer` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Tenancy/TenantScopeNormalizer.cs`) - normalizes tenant scope identifiers for consistent isolation
+  - `LinkNotMergeTenantCapabilitiesProvider` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Tenancy/TenantCapabilitiesEndpoint.cs`) - exposes tenant capabilities including LNM support
+  - `TenantScopeException` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Tenancy/TenantScope.cs`) - exception for tenant scope violations
+- **Interfaces**: `ITenantCapabilitiesProvider`
+- **Source**: Sprint 0115 (batch_14/file_16.md)
+
+## E2E Test Plan
+- [ ] Create advisories under tenant A and verify they are not visible to tenant B
+- [ ] Verify `TenantScopeNormalizer` normalizes different scope formats to a canonical form
+- [ ] Verify capabilities endpoint: query tenant capabilities and confirm LNM feature availability is reported
+- [ ] Verify scope violation: attempt cross-tenant access and confirm `TenantScopeException` is thrown
--- a/docs/features/unchecked/concelier/concelier-vendor-risk-signal-provider.md
+++ b/docs/features/unchecked/concelier/concelier-vendor-risk-signal-provider.md
@@ -0,0 +1,24 @@
+# Concelier Vendor Risk Signal Provider
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Extracts vendor-specific risk signals from advisory data, emits fix availability events, and tracks advisory field changes for risk scoring. Not in the known list.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/`
+- **Key Classes**:
+  - `VendorRiskSignalExtractor` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/VendorRiskSignalExtractor.cs`) - extracts vendor-specific risk signals (CVSS, exploit maturity, fix availability) from advisory data
+  - `PolicyStudioSignalPicker` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/PolicyStudio/PolicyStudioSignalPicker.cs`) - filters and selects signals for policy evaluation
+- **Interfaces**: `IPolicyStudioSignalPicker`
+- **Source**: Sprint 0115 (batch_14/file_16.md)
+
+## E2E Test Plan
+- [ ] Provide a vendor advisory with CVSS and fix availability and verify `VendorRiskSignalExtractor` produces correct risk signals
+- [ ] Verify fix availability emission: advisory with a fix emits a fix-available signal event
+- [ ] Verify field change tracking: update an advisory field and verify the risk signal reflects the change
+- [ ] Verify signal extraction handles missing fields gracefully (no CVSS, no fix info)
--- a/docs/features/unchecked/concelier/deterministic-semantic-merge-hash-for-advisory-deduplication.md
+++ b/docs/features/unchecked/concelier/deterministic-semantic-merge-hash-for-advisory-deduplication.md
@@ -0,0 +1,29 @@
+# Deterministic Semantic Merge Hash for Advisory Deduplication
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Computes identity-based semantic hash from (CVE + PURL/CPE + version-range + CWE + patch_lineage) for cross-distro advisory deduplication. Includes normalizers (PURL, CPE, version range, CWE, patch lineage), golden corpus validation (Debian/RHEL/SUSE/Alpine), fuzzing tests (1000 random inputs), shadow-write migration mode, and backfill service. Distinct from "Advisory Ingestion with Canonical Deduplication" which is the overall dedup concept; this is the specific merge_hash identity algorithm.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Merge/Identity/`, `src/Concelier/__Libraries/StellaOps.Concelier.Merge/Services/`, `src/Concelier/__Libraries/StellaOps.Concelier.Merge/Jobs/`
+- **Key Classes**:
+  - `MergeHashCalculator` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Identity/MergeHashCalculator.cs`) - computes deterministic semantic hash from (CVE + PURL/CPE + version-range + CWE + patch_lineage) with input normalizers
+  - `MergeHashShadowWriteService` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Identity/MergeHashShadowWriteService.cs`) - shadow-write mode for migration validation
+  - `MergeHashBackfillService` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Services/MergeHashBackfillService.cs`) - retroactive backfill of merge hashes for existing advisories
+  - `MergeHashBackfillJob` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Jobs/MergeHashBackfillJob.cs`) - scheduled `IJob` for backfill execution
+- **Interfaces**: `IMergeHashCalculator`
+- **Source**: SPRINT_8200_0012_0001_CONCEL_merge_hash_library.md
+
+## E2E Test Plan
+- [ ] Compute merge hash for two semantically identical advisories from different sources (e.g., Debian and RHEL for same CVE) and verify identical hash output
+- [ ] Verify PURL normalization: different PURL formats for the same package produce the same merge hash
+- [ ] Verify CPE normalization: equivalent CPE strings produce identical hashes
+- [ ] Verify determinism: same input produces the same hash across 1000 repeated computations
+- [ ] Verify golden corpus: validate merge hash against the golden corpus of known Debian/RHEL/SUSE/Alpine advisories
+- [ ] Verify shadow-write mode: enable shadow writes and confirm both old and new hashes are persisted for comparison
+- [ ] Verify backfill: run `MergeHashBackfillJob` and confirm pre-existing advisories receive computed merge hashes
--- a/docs/features/unchecked/concelier/distro-connectors.md
+++ b/docs/features/unchecked/concelier/distro-connectors.md
@@ -0,0 +1,30 @@
+# Distro Connectors (Alpine, Debian, RedHat, SUSE, Ubuntu)
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+All major distro connectors for vulnerability feed ingestion (Alpine secdb, Debian security tracker, RHEL errata, SUSE advisories, Ubuntu USN).
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.*/`
+- **Key Classes**:
+  - `AlpineConnector` + `AlpineConnectorPlugin` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Alpine/`) - Alpine secdb feed ingestion
+  - `DebianConnector` + `DebianConnectorPlugin` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Debian/`) - Debian security tracker ingestion
+  - `RedHatConnector` + `RedHatConnectorPlugin` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/`) - RHEL errata and OVAL ingestion
+  - `SuseConnector` + `SuseConnectorPlugin` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Suse/`) - SUSE advisory ingestion
+  - `UbuntuConnector` + `UbuntuConnectorPlugin` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Ubuntu/`) - Ubuntu USN ingestion
+- **Interfaces**: `IFeedConnector`, `IConnectorPlugin`
+- **Orchestration**: `ConnectorRegistrationService` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/ConnectorRegistrationService.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Trigger Alpine connector ingestion and verify Alpine secdb advisories are fetched and stored
+- [ ] Trigger Debian connector ingestion and verify Debian security tracker entries are parsed
+- [ ] Trigger RedHat connector ingestion and verify RHEL errata are mapped to canonical format
+- [ ] Trigger SUSE connector ingestion and verify SUSE advisories are stored
+- [ ] Trigger Ubuntu connector ingestion and verify USN entries are parsed and stored
+- [ ] Verify all 5 distro connectors are discovered by `ConnectorRegistrationService` at startup
--- a/docs/features/unchecked/concelier/distro-fix-database-with-multi-provider-ingestion.md
+++ b/docs/features/unchecked/concelier/distro-fix-database-with-multi-provider-ingestion.md
@@ -0,0 +1,27 @@
+# Distro Fix Database with Multi-Provider Ingestion
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Comprehensive vulnerability feed ingestion from distro (Alpine, Debian, RHEL, SUSE, Ubuntu) and vendor sources with normalization and merge.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/`, `src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.*/`, `src/Concelier/__Libraries/StellaOps.Concelier.Persistence/`
+- **Key Classes**:
+  - `FixIndexService` (`src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/Services/FixIndexService.cs`) - indexed fix status database populated by distro connectors
+  - `BackportStatusService` (`src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/Services/BackportStatusService.cs`) - multi-distro backport status resolution
+  - `PostgresAdvisoryStore` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Advisories/PostgresAdvisoryStore.cs`) - advisory persistence with multi-provider merge
+  - `PostgresSourceStateAdapter` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/SourceStateAdapter.cs`) - tracks ingestion state per source provider
+  - **Distro Connectors**: `AlpineConnector`, `DebianConnector`, `RedHatConnector`, `SuseConnector`, `UbuntuConnector` (in `src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.*/`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Ingest the same CVE from multiple distro providers and verify the fix database contains entries from all providers
+- [ ] Verify normalization: different distro-specific advisory formats are normalized to a common schema
+- [ ] Verify merge: advisories from different providers for the same CVE are linked to the same canonical
+- [ ] Verify `PostgresSourceStateAdapter` tracks per-provider ingestion cursors for incremental sync
+- [ ] Verify `FixIndexService` is populated with fix entries after distro ingestion completes
--- a/docs/features/unchecked/concelier/epss-feed-connector.md
+++ b/docs/features/unchecked/concelier/epss-feed-connector.md
@@ -0,0 +1,25 @@
+# EPSS Feed Connector (Concelier Three-Stage Pattern)
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Concelier connector for EPSS (Exploit Prediction Scoring System) feed ingestion following three-stage Fetch/Parse/Map pattern. Reuses Scanner's EpssCsvStreamParser for CSV parsing, supports ETag conditional requests, air-gap bundle fallback, priority band classification (Critical/High/Medium/Low at 0.70/0.40/0.10 thresholds), and daily scheduled ingestion (10:00 UTC).
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Connector.Epss/`
+- **Key Classes**:
+  - `EpssConnector` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Epss/Internal/EpssConnector.cs`) - `IFeedConnector` implementation with three-stage Fetch/Parse/Map pattern
+  - `EpssConnectorPlugin` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Epss/EpssConnectorPlugin.cs`) - `IConnectorPlugin` registration for DI discovery
+- **Interfaces**: `IFeedConnector`, `IConnectorPlugin`
+- **Source**: SPRINT_4000_0002_0001_epss_feed_connector.md
+
+## E2E Test Plan
+- [ ] Trigger EPSS connector ingestion and verify EPSS scores are fetched and stored for CVE IDs
+- [ ] Verify priority band classification: CVEs with EPSS > 0.70 are classified as Critical, 0.40-0.70 as High, 0.10-0.40 as Medium, < 0.10 as Low
+- [ ] Verify ETag conditional requests: second ingestion with unchanged data returns 304 and skips re-parsing
+- [ ] Verify air-gap bundle fallback: configure offline mode and verify ingestion falls back to local bundle
+- [ ] Verify daily scheduled ingestion runs at the configured time
--- a/docs/features/unchecked/concelier/full-sbom-extraction-with-enriched-parsedsbom-model.md
+++ b/docs/features/unchecked/concelier/full-sbom-extraction-with-enriched-parsedsbom-model.md
@@ -0,0 +1,25 @@
+# Full SBOM Extraction with Enriched ParsedSbom Model
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Upgraded SBOM parser that extracts ALL fields from CycloneDX 1.7 and SPDX 3.0.1 (not just PURL/CPE). The enriched ParsedSbom model carries full SBOM data including services, crypto properties, ML model metadata, build/formulation info, compositions, vulnerabilities, and dependencies for downstream consumers (Scanner, Policy, etc.).
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/`
+- **Key Classes**:
+  - `ParsedSbomParser` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs`) - full SBOM extraction from CycloneDX 1.7 and SPDX 3.0.1 with enriched model
+  - `SbomAdvisoryMatcher` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Matching/SbomAdvisoryMatcher.cs`) - matches SBOM components against advisories
+- **Interfaces**: `IParsedSbomParser`, `ISbomAdvisoryMatcher`
+- **Source**: SPRINT_20260119_015_Concelier_sbom_full_extraction.md
+
+## E2E Test Plan
+- [ ] Parse a CycloneDX 1.7 SBOM and verify all fields are extracted (components, services, compositions, vulnerabilities, dependencies)
+- [ ] Parse an SPDX 3.0.1 SBOM and verify enriched model includes packages, relationships, and annotations
+- [ ] Verify crypto properties extraction: SBOM with crypto components has crypto metadata in the ParsedSbom model
+- [ ] Verify ML model metadata: SBOM with ML model components has model metadata extracted
+- [ ] Verify downstream consumption: pass ParsedSbom to `SbomAdvisoryMatcher` and verify advisory matching works with enriched fields
--- a/docs/features/unchecked/concelier/ingestion-telemetry-and-orchestration.md
+++ b/docs/features/unchecked/concelier/ingestion-telemetry-and-orchestration.md
@@ -0,0 +1,29 @@
+# Ingestion Telemetry and Orchestration
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Telemetry instrumentation for ingestion pipeline with OpenTelemetry metrics and orchestration registry for connector management.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/`, `src/Concelier/StellaOps.Concelier.WebService/Diagnostics/`
+- **Key Classes**:
+  - `ConnectorWorker` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/ConnectorWorker.cs`) - orchestrates connector ingestion cycles with telemetry hooks
+  - `ConnectorWorkerFactory` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/ConnectorWorker.cs`) - factory for creating connector worker instances
+  - `ConnectorRegistrationService` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/ConnectorRegistrationService.cs`) - connector discovery and registration
+  - `ConnectorMetadata` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/ConnectorMetadata.cs`) - metadata model for registered connectors
+  - `IngestionMetrics` (`src/Concelier/StellaOps.Concelier.WebService/Diagnostics/IngestionMetrics.cs`) - OpenTelemetry metrics for ingestion operations
+- **Interfaces**: `IConnectorWorker`, `IConnectorWorkerFactory`, `IConnectorRegistrationService`
+- **Registration**: `OrchestrationServiceCollectionExtensions` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/OrchestrationServiceCollectionExtensions.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Start the Concelier web service and verify all registered connectors appear in `ConnectorRegistrationService`
+- [ ] Trigger a connector ingestion cycle and verify `IngestionMetrics` emits advisory count, duration, and error metrics
+- [ ] Verify `ConnectorWorkerFactory` creates workers with correct connector metadata
+- [ ] Verify orchestration: trigger multiple connectors and verify they execute according to their configured schedules
+- [ ] Verify OpenTelemetry export: confirm ingestion metrics are visible in the configured OTel collector
--- a/docs/features/unchecked/concelier/link-not-merge-advisory-architecture.md
+++ b/docs/features/unchecked/concelier/link-not-merge-advisory-architecture.md
@@ -0,0 +1,29 @@
+# Link-Not-Merge Advisory Architecture
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Advisory confirmed that existing Link-Not-Merge model is architecturally superior to proposed Unified Advisory Schema (UAS). Preserves conflict evidence and 3-component trust vector.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Core/Linksets/`, `src/Concelier/__Libraries/StellaOps.Concelier.Core/Tenancy/`, `src/Concelier/__Libraries/StellaOps.Concelier.Merge/`
+- **Key Classes**:
+  - `LinksetCorrelationService` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Linksets/LinksetCorrelationService.cs`) - correlates advisory linksets preserving source identity
+  - `LinksetCorrelationV2` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Linksets/LinksetCorrelationV2.cs`) - V2 correlation algorithm with improved accuracy
+  - `LinksetCorrelation` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Linksets/LinksetCorrelation.cs`) - V1 correlation logic
+  - `LinkNotMergeTenantCapabilitiesProvider` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Tenancy/TenantCapabilitiesEndpoint.cs`) - tenant capabilities for LNM feature
+  - `MergeHashCalculator` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Identity/MergeHashCalculator.cs`) - merge hash for linking semantically equivalent advisories
+  - `CanonicalAdvisoryService` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Canonical/CanonicalAdvisoryService.cs`) - canonical advisory with linked source edges
+- **Interfaces**: `ILinksetCorrelationService`, `ITenantCapabilitiesProvider`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Ingest two advisories from different sources for the same CVE and verify they are linked (not merged) with separate source identities preserved
+- [ ] Verify conflict evidence: ingest conflicting advisories (different CVSS scores for same CVE) and confirm both values are preserved in the linkset
+- [ ] Verify 3-component trust vector: query a linked advisory and confirm trust scores from each source are available
+- [ ] Verify `LinksetCorrelationService` returns all linked sources for a given canonical advisory
+- [ ] Verify tenant capabilities: confirm LNM feature is reported as available via the capabilities endpoint
--- a/docs/features/unchecked/concelier/linkset-correlation-v2-algorithm.md
+++ b/docs/features/unchecked/concelier/linkset-correlation-v2-algorithm.md
@@ -0,0 +1,25 @@
+# Linkset Correlation V2 Algorithm
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+V2 linkset correlation algorithm with graph connectivity scoring, pairwise PURL coverage scoring, typed conflict severities, and reference conflict logic fixes. Has dedicated tests.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Core/Linksets/`
+- **Key Classes**:
+  - `LinksetCorrelationV2` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Linksets/LinksetCorrelationV2.cs`) - V2 algorithm with graph connectivity scoring and pairwise PURL coverage
+  - `LinksetCorrelation` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Linksets/LinksetCorrelation.cs`) - V1 correlation for comparison
+  - `LinksetCorrelationService` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Linksets/LinksetCorrelationService.cs`) - service layer selecting V1 or V2 algorithm
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Correlate a linkset with multiple overlapping advisories and verify the V2 algorithm produces correct graph connectivity scores
+- [ ] Verify pairwise PURL coverage: two advisories covering the same PURLs score higher than non-overlapping ones
+- [ ] Verify typed conflict severities: conflicting CVSS scores produce appropriately typed severity levels
+- [ ] Verify reference conflict logic: conflicting reference URLs are handled without errors
+- [ ] Compare V1 vs V2 results: run both algorithms on the same input and verify V2 produces improved correlation accuracy
--- a/docs/features/unchecked/concelier/plugin-system-with-di-signing-and-version-attributes.md
+++ b/docs/features/unchecked/concelier/plugin-system-with-di-signing-and-version-attributes.md
@@ -0,0 +1,27 @@
+# Plugin System with DI, Signing, and Version Attributes
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Plugin architecture using IDependencyInjectionRoutine and ServiceBinding attributes for dependency injection, with isolated AssemblyLoadContext loading. Cosign signature verification and StellaPluginVersion attributes are defined.
+
+## Implementation Details
+- **Modules**: `src/Concelier/StellaOps.Concelier.Plugin.Unified/`, `src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/`
+- **Key Classes**:
+  - `FeedPluginAdapterFactory` (`src/Concelier/StellaOps.Concelier.Plugin.Unified/FeedPluginAdapterFactory.cs`) - factory creating plugin adapters from `IConnectorPlugin` implementations
+  - `FeedPluginAdapter` (`src/Concelier/StellaOps.Concelier.Plugin.Unified/FeedPluginAdapter.cs`) - unified adapter wrapping plugin connectors
+  - `ConnectorRegistrationService` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/ConnectorRegistrationService.cs`) - DI-based plugin discovery and registration
+  - Each connector has an `IConnectorPlugin` implementation (e.g., `NvdConnectorPlugin`, `GhsaConnectorPlugin`, `VmwareConnectorPlugin`, etc.)
+- **Interfaces**: `IConnectorPlugin`, `IFeedConnector`, `IConnectorRegistrationService`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify plugin discovery: all `IConnectorPlugin` implementations are found via DI at startup
+- [ ] Verify `FeedPluginAdapterFactory` creates adapters for each discovered plugin
+- [ ] Verify isolated loading: plugin assemblies load in isolated `AssemblyLoadContext` without leaking into the host
+- [ ] Verify version attributes: query a loaded plugin and confirm `StellaPluginVersion` metadata is accessible
+- [ ] Verify registration service: `ConnectorRegistrationService` exposes metadata for all registered plugins
--- a/docs/features/unchecked/concelier/postgresql-as-system-of-record.md
+++ b/docs/features/unchecked/concelier/postgresql-as-system-of-record.md
@@ -0,0 +1,28 @@
+# PostgreSQL as System of Record (with JSONB)
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+PostgreSQL is universally adopted as the system of record across all persistence-bearing modules via Npgsql/NpgsqlDataSource.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Persistence/`
+- **Key Classes**:
+  - `ConcelierDataSource` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/ConcelierDataSource.cs`) - NpgsqlDataSource wrapper for Concelier
+  - `ConcelierDbContext` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/EfCore/Context/ConcelierDbContext.cs`) - EF Core context for Concelier tables
+  - `PostgresDocumentStore` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/DocumentStore.cs`) - JSONB document store for advisory data
+  - `PostgresAdvisoryStore` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Advisories/PostgresAdvisoryStore.cs`) - advisory persistence via Npgsql
+  - `PostgresSourceStateAdapter` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/SourceStateAdapter.cs`) - source state tracking via Npgsql
+- **Interfaces**: `IDocumentStore`, `IAdvisoryStore`, `ISourceStateStore`, `IStorageDocumentStore`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify Concelier connects to PostgreSQL via `ConcelierDataSource` and can read/write advisories
+- [ ] Verify JSONB storage: store a canonical advisory with nested JSON and retrieve it with full fidelity
+- [ ] Verify `PostgresDocumentStore` supports document-level operations (get, put, delete)
+- [ ] Verify EF Core context: `ConcelierDbContext` migrations apply cleanly on a fresh PostgreSQL instance
+- [ ] Verify connection pooling: multiple concurrent requests share NpgsqlDataSource connections efficiently
--- a/docs/features/unchecked/concelier/postgresql-storage-layer.md
+++ b/docs/features/unchecked/concelier/postgresql-storage-layer.md
@@ -0,0 +1,32 @@
+# PostgreSQL Storage Layer (Proof Evidence Repositories)
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Three PostgreSQL repository implementations backed by Dapper/Npgsql. Database schema defines 6 tables across 3 schemas (vuln: distro_advisories, changelog_evidence, patch_evidence, patch_signatures; feedser: binary_fingerprints; attestor: proof_blobs) with 18 indices including GIN indices for CVE array queries and composite indices for CVE+package lookups.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/`
+- **Key Classes**:
+  - `AdvisoryRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/AdvisoryRepository.cs`) - raw advisory CRUD with GIN index support
+  - `AdvisoryCanonicalRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/AdvisoryCanonicalRepository.cs`) - canonical advisory persistence
+  - `PostgresDtoStore` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/PostgresDtoStore.cs`) - DTO storage layer
+  - `PostgresChangeHistoryStore` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/PostgresChangeHistoryStore.cs`) - advisory change history tracking
+  - `PostgresPsirtFlagStore` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/PostgresPsirtFlagStore.cs`) - PSIRT flag persistence
+  - `PostgresJpFlagStore` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/PostgresJpFlagStore.cs`) - JP flag persistence
+  - `InterestScoreRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/InterestScoreRepository.cs`) - interest score persistence
+  - `FeedSnapshotRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/FeedSnapshotRepository.cs`) - feed snapshot persistence
+  - `SyncLedgerRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/SyncLedgerRepository.cs`) - federation sync ledger
+- **Interfaces**: `IAdvisoryRepository`, `IAdvisoryCanonicalRepository`, `IDtoStore`, `IChangeHistoryStore`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify CVE array query: insert advisories with multiple CVE IDs and query using GIN index-backed CVE array search
+- [ ] Verify composite index: query by CVE+package combination and confirm efficient lookup
+- [ ] Verify change history: update an advisory and confirm `PostgresChangeHistoryStore` records the change
+- [ ] Verify all 6 tables are created during schema migration across the 3 schemas (vuln, feedser, attestor)
+- [ ] Verify `SyncLedgerRepository` persists and retrieves federation sync cursors
--- a/docs/features/unchecked/concelier/sbom-advisory-intersection-matching-and-learning.md
+++ b/docs/features/unchecked/concelier/sbom-advisory-intersection-matching-and-learning.md
@@ -0,0 +1,27 @@
+# SBOM-Advisory Intersection Matching and Learning
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+SBOM registration and learning system that finds which canonical advisories affect an organization's components. Matches by PURL and CPE, triggers interest score updates, and supports incremental delta SBOM matching. Provides POST /api/v1/learn/sbom endpoint and auto-learning from scan events.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/`, `src/Concelier/__Libraries/StellaOps.Concelier.Interest/`
+- **Key Classes**:
+  - `SbomAdvisoryMatcher` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Matching/SbomAdvisoryMatcher.cs`) - matches SBOM components against canonical advisories by PURL and CPE
+  - `ParsedSbomParser` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs`) - parses SBOMs for component extraction
+  - `InterestScoringService` (`src/Concelier/__Libraries/StellaOps.Concelier.Interest/InterestScoringService.cs`) - triggered to update interest scores after SBOM matching
+  - `InterestScoreCalculator` (`src/Concelier/__Libraries/StellaOps.Concelier.Interest/InterestScoreCalculator.cs`) - recalculates interest based on SBOM intersection
+- **Interfaces**: `ISbomAdvisoryMatcher`, `IParsedSbomParser`, `IInterestScoringService`
+- **Source**: SPRINT_8200_0013_0003_SCAN_sbom_intersection_scoring.md
+
+## E2E Test Plan
+- [ ] Submit an SBOM via the learn endpoint and verify advisories affecting its components are identified
+- [ ] Verify PURL matching: SBOM with a component matching an advisory PURL produces a match
+- [ ] Verify CPE matching: SBOM with a component matching an advisory CPE produces a match
+- [ ] Verify interest score update: after SBOM learning, affected advisories have their interest scores recalculated
+- [ ] Verify incremental delta: submit an updated SBOM with new components and verify only the delta is processed
--- a/docs/features/unchecked/concelier/source-intelligence-parsing.md
+++ b/docs/features/unchecked/concelier/source-intelligence-parsing.md
@@ -0,0 +1,26 @@
+# Source Intelligence Parsing (Changelog + Patch Header)
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Source intelligence parsing for Tier 2 and Tier 3 evidence collection. Includes changelog parsing (debian/changelog, RPM changelog), patch header parsing, and integration with upstream advisory sources (Debian Security Tracker, Red Hat Errata).
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/`, `src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.*/`
+- **Key Classes**:
+  - `BackportEvidenceResolver` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Backport/BackportEvidenceResolver.cs`) - resolves backport evidence from changelog and patch header sources
+  - `BackportStatusService` (`src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/Services/BackportStatusService.cs`) - backport status determination from parsed source intelligence
+  - `DebianConnector` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Debian/DebianConnector.cs`) - ingests Debian Security Tracker data
+  - `RedHatConnector` (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/RedHatConnector.cs`) - ingests Red Hat Errata data
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Parse a debian/changelog file and verify CVE fix entries are correctly extracted as Tier 2 evidence
+- [ ] Parse an RPM changelog and verify patch entries are extracted
+- [ ] Parse patch headers and verify commit references and CVE links are extracted as Tier 3 evidence
+- [ ] Verify integration: Debian Security Tracker data feeds into `BackportEvidenceResolver` for backport verdict
+- [ ] Verify Red Hat Errata integration: errata data provides evidence for backport status determination
--- a/docs/features/unchecked/concelier/valkey-advisory-cache-service.md
+++ b/docs/features/unchecked/concelier/valkey-advisory-cache-service.md
@@ -0,0 +1,27 @@
+# Valkey Advisory Cache Service
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Valkey (Redis-compatible) caching layer for canonical advisories with TTL policies based on interest score, PURL index lookups, hot set ranking, and p99 < 20ms read target. Includes cache warmup, metrics, and fallback mode.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Cache.Valkey/`
+- **Key Classes**:
+  - `ValkeyAdvisoryCacheService` (`src/Concelier/__Libraries/StellaOps.Concelier.Cache.Valkey/ValkeyAdvisoryCacheService.cs`) - Valkey-backed cache with TTL policies, PURL index, and hot set ranking
+  - `AdvisoryCacheKeys` (`src/Concelier/__Libraries/StellaOps.Concelier.Cache.Valkey/AdvisoryCacheKeys.cs`) - deterministic cache key generation for advisory lookups
+  - `CachingCanonicalAdvisoryService` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Canonical/CachingCanonicalAdvisoryService.cs`) - caching decorator wrapping the canonical advisory service
+- **Interfaces**: `IAdvisoryCacheService`
+- **Source**: SPRINT_8200_0013_0001_GW_valkey_advisory_cache.md
+
+## E2E Test Plan
+- [ ] Store a canonical advisory in Valkey and retrieve it, verifying p99 read latency is < 20ms
+- [ ] Verify TTL policy: high-interest advisories have longer TTLs than low-interest ones
+- [ ] Verify PURL index lookup: query by PURL and verify matching advisories are returned from cache
+- [ ] Verify hot set ranking: frequently accessed advisories are promoted in the hot set
+- [ ] Verify cache warmup: on startup, verify high-interest advisories are pre-loaded into cache
+- [ ] Verify fallback mode: disable Valkey and confirm the service falls back to direct PostgreSQL queries
--- a/docs/features/unchecked/concelier/vex-conflict-resolution.md
+++ b/docs/features/unchecked/concelier/vex-conflict-resolution.md
@@ -0,0 +1,28 @@
+# VEX conflict resolution (side-by-side merge with provenance)
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+VEX conflict resolver and consensus engine merge statements from multiple sources with rationale models explaining merge outcomes.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/`
+- **Key Classes**:
+  - `VexConflictResolver` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs`) - resolves conflicts between VEX statements from multiple sources with provenance-based precedence
+  - `VexConsumptionReporter` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs`) - reports VEX consumption outcomes and merge rationale
+  - `VexConsumptionPolicyLoader` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs`) - loads VEX consumption policies defining merge rules
+  - `VexConsumptionPolicyDefaults` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicy.cs`) - default merge policy configuration
+  - `VexConsumptionOptions` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs`) - options for VEX consumption behavior
+- **Interfaces**: `IVexConflictResolver`, `IVexConsumptionReporter`, `IVexConsumptionPolicyLoader`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Submit two conflicting VEX statements (affected vs not_affected) for the same CVE+product and verify the resolver produces a merged outcome with rationale
+- [ ] Verify provenance-based precedence: vendor VEX statement takes precedence over community source
+- [ ] Verify `VexConsumptionReporter` emits a report explaining why one statement won over another
+- [ ] Verify policy-based resolution: load a custom merge policy and confirm it changes the resolution outcome
+- [ ] Verify side-by-side preservation: both original statements remain accessible after merge
--- a/docs/features/unchecked/concelier/vex-consumption-from-sbom-documents.md
+++ b/docs/features/unchecked/concelier/vex-consumption-from-sbom-documents.md
@@ -0,0 +1,28 @@
+# VEX Consumption from SBOM Documents (Embedded VEX Extraction)
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+Extracts embedded VEX statements from CycloneDX and SPDX SBOMs, evaluates per-statement trust based on source provenance and evidence quality, resolves conflicts when multiple VEX sources disagree, and generates consumption reports. This is distinct from the known "VEX Multi-Source Consensus Engine" which merges standalone VEX documents; this feature specifically processes VEX embedded within SBOM documents.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/`, `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/`
+- **Key Classes**:
+  - `VexConsumptionReporter` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs`) - generates consumption reports from extracted VEX statements
+  - `VexConsumptionPolicyLoader` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs`) - loads trust and precedence policies for VEX evaluation
+  - `VexConflictResolver` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs`) - resolves conflicts between embedded VEX statements
+  - `VexConsumptionOptions` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs`) - configuration for VEX consumption behavior
+  - `ParsedSbomParser` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs`) - extracts embedded VEX from CycloneDX and SPDX SBOMs
+- **Interfaces**: `IVexConsumptionReporter`, `IVexConsumptionPolicyLoader`, `IVexConflictResolver`
+- **Source**: SPRINT_20260119_020_Concelier_vex_consumption.md
+
+## E2E Test Plan
+- [ ] Parse a CycloneDX SBOM with embedded VEX statements and verify all VEX entries are extracted
+- [ ] Parse an SPDX SBOM with embedded VEX and verify extraction works across formats
+- [ ] Verify per-statement trust evaluation: VEX from a vendor SBOM receives higher trust than from a third-party
+- [ ] Verify conflict resolution: two embedded VEX statements with conflicting status for the same CVE are resolved with rationale
+- [ ] Verify consumption report: `VexConsumptionReporter` generates a report listing all consumed VEX statements with trust scores
--- a/docs/features/unchecked/concelier/vex-distribution-network.md
+++ b/docs/features/unchecked/concelier/vex-distribution-network.md
@@ -0,0 +1,29 @@
+# VEX Distribution Network (Moat Score 3-4)
+
+## Module
+Concelier
+
+## Status
+IMPLEMENTED
+
+## Description
+32 advisory connectors covering national CERTs, distro security trackers, vendor advisories, ICS sources, and general vulnerability databases.
+
+## Implementation Details
+- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.Connector.*/`, `src/Concelier/__Connectors/`
+- **Key Connectors** (32 total, each implementing `IFeedConnector` + `IConnectorPlugin`):
+  - **National CERTs**: `CertBundConnector` (Germany), `CertFrConnector` (France), `CertCcConnector` (US), `CertInConnector` (India), `CccsConnector` (Canada), `AcscConnector` (Australia), `KisaConnector` (Korea), `JvnConnector` (Japan), `RuBduConnector` (Russia BDU), `RuNkckiConnector` (Russia NKCKI)
+  - **General Vulnerability DBs**: `NvdConnector`, `OsvConnector`, `GhsaConnector`, `CveConnector`, `KevConnector`, `EpssConnector`
+  - **Distro Security Trackers**: `AlpineConnector`, `DebianConnector`, `RedHatConnector`, `SuseConnector`, `UbuntuConnector`
+  - **Vendor Advisories**: `CiscoConnector`, `VmwareConnector`, `OracleConnector`, `MsrcConnector`, `AppleConnector`, `ChromiumConnector`, `AdobeConnector`
+  - **ICS Sources**: `IcsCisaConnector`, `KasperskyConnector`
+  - **Regional/Special**: `AstraConnector`, `StellaOpsMirrorConnector`
+- **Orchestration**: `ConnectorRegistrationService`, `ConnectorWorker` (`src/Concelier/__Libraries/StellaOps.Concelier.Core/Orchestration/`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify all 32 connectors are discovered and registered by `ConnectorRegistrationService` at startup
+- [ ] Trigger ingestion for at least one connector from each category (national CERT, general DB, distro, vendor, ICS) and verify advisories are stored
+- [ ] Verify connector count: query the registration service and confirm 32 connectors are registered
+- [ ] Verify scheduled ingestion: confirm connectors run on their configured schedules without manual intervention
+- [ ] Verify air-gap support: configure a connector in offline mode and verify it falls back to local bundle