semi implemented and features implemented save checkpoint

docs/features/unchecked/integrations/built-in-container-registry-connectors.md

@@ -0,0 +1,30 @@
+# Built-in Container Registry Connectors (Docker Hub, Harbor, ACR, ECR, GCR, Generic OCI)
+
+## Module
+Integrations
+
+## Status
+IMPLEMENTED
+
+## Description
+Six container registry connectors implemented using raw HTTP clients (no cloud SDKs): Docker Hub with rate limiting, Harbor for self-hosted, ACR with Azure AD token exchange, ECR with AWS SigV4, GCR with JWT/OAuth2, and Generic OCI for any compliant registry. All resolve tags to digests.
+
+## Implementation Details
+- **Plugin interface**: `src/Integrations/__Libraries/StellaOps.Integrations.Contracts/IIntegrationConnectorPlugin.cs` -- connector plugin contract
+- **Harbor connector**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.Harbor/HarborConnectorPlugin.cs` -- Harbor self-hosted registry connector
+- **Integration models**: `src/Integrations/__Libraries/StellaOps.Integrations.Core/IntegrationModels.cs` -- registry connection models
+- **Integration enums**: `src/Integrations/__Libraries/StellaOps.Integrations.Core/IntegrationEnums.cs` -- connector type enums (registry types)
+- **Integration core**: `src/Integrations/__Libraries/StellaOps.Integrations.Core/Integration.cs` -- base integration with Vault-type references
+- **Plugin loader**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationPluginLoader.cs` -- dynamic plugin loading
+- **Integration service**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationService.cs` -- integration lifecycle management
+- **Persistence**: `src/Integrations/__Libraries/StellaOps.Integrations.Persistence/PostgresIntegrationRepository.cs`, `IIntegrationRepository.cs`, `IntegrationDbContext.cs`
+- **In-memory connector**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.InMemory/InMemoryConnectorPlugin.cs` -- test connector
+- **Tests**: `src/Integrations/__Tests/StellaOps.Integrations.Tests/IntegrationServiceTests.cs`, `IntegrationPluginLoaderTests.cs`, `StellaOps.Integrations.Plugin.Tests/InMemoryConnectorPluginTests.cs`
+- **Source**: SPRINT_20260110_102_004_INTHUB_registry_connectors.md
+
+## E2E Test Plan
+- [ ] Verify Harbor connector resolves tags to digests
+- [ ] Test plugin loader discovers and loads registry connector plugins
+- [ ] Verify integration service manages connector lifecycle
+- [ ] Test PostgreSQL persistence stores integration configurations
+- [ ] Verify connector handles authentication for each registry type

docs/features/unchecked/integrations/built-in-vault-connectors.md

@@ -0,0 +1,28 @@
+# Built-in Vault Connectors (HashiCorp Vault, Azure Key Vault, AWS Secrets Manager)
+
+## Module
+Integrations
+
+## Status
+IMPLEMENTED
+
+## Description
+Three vault connectors using raw HTTP clients: HashiCorp Vault (Token, AppRole, Kubernetes auth), Azure Key Vault (Service Principal, Managed Identity), and AWS Secrets Manager (IAM SigV4). Unified secret resolution interface for integration configuration encryption.
+
+## Implementation Details
+- **Integration core**: `src/Integrations/__Libraries/StellaOps.Integrations.Core/Integration.cs` -- base integration with vault-type references for HashiCorp Vault, Azure Key Vault, AWS Secrets Manager
+- **Integration models**: `src/Integrations/__Libraries/StellaOps.Integrations.Core/IntegrationModels.cs` -- vault connection configuration models
+- **Integration enums**: `src/Integrations/__Libraries/StellaOps.Integrations.Core/IntegrationEnums.cs` -- vault type enumerations
+- **Connector plugin contract**: `src/Integrations/__Libraries/StellaOps.Integrations.Contracts/IIntegrationConnectorPlugin.cs` -- unified secret resolution interface
+- **Integration service**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationService.cs` -- manages vault connector instances
+- **Persistence**: `src/Integrations/__Libraries/StellaOps.Integrations.Persistence/PostgresIntegrationRepository.cs` -- vault configuration persistence
+- **Infrastructure**: `src/Integrations/StellaOps.Integrations.WebService/Infrastructure/Abstractions.cs`, `DefaultImplementations.cs` -- vault-agnostic abstractions
+- **Tests**: `src/Integrations/__Tests/StellaOps.Integrations.Tests/IntegrationServiceTests.cs`
+- **Source**: SPRINT_20260110_102_005_INTHUB_vault_connector.md
+
+## E2E Test Plan
+- [ ] Verify HashiCorp Vault connector authenticates via Token, AppRole, and Kubernetes auth
+- [ ] Test Azure Key Vault connector with Service Principal and Managed Identity
+- [ ] Verify AWS Secrets Manager connector uses IAM SigV4 signing
+- [ ] Test unified secret resolution interface across all vault types
+- [ ] Verify vault credential encryption in persistence layer

docs/features/unchecked/integrations/connector-runtime-with-resilience-patterns.md

@@ -0,0 +1,28 @@
+# Connector Runtime with Resilience Patterns (Circuit Breaker, Retry, Rate Limiting, Pooling)
+
+## Module
+Integrations
+
+## Status
+IMPLEMENTED
+
+## Description
+Connector runtime managing connector instantiation, connection pooling, retry with exponential backoff, circuit breaker for fault isolation, and per-integration rate limiting. Handles both built-in and plugin connectors uniformly via ConnectorFactory.
+
+## Implementation Details
+- **Integration service**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationService.cs` -- connector runtime managing instantiation and lifecycle
+- **Plugin loader**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationPluginLoader.cs` -- dynamic loading of built-in and plugin connectors
+- **Infrastructure abstractions**: `src/Integrations/StellaOps.Integrations.WebService/Infrastructure/Abstractions.cs` -- circuit breaker, retry, rate limiting interfaces
+- **Default implementations**: `src/Integrations/StellaOps.Integrations.WebService/Infrastructure/DefaultImplementations.cs` -- resilience pattern implementations
+- **Plugin contract**: `src/Integrations/__Libraries/StellaOps.Integrations.Contracts/IIntegrationConnectorPlugin.cs` -- unified connector interface
+- **Integration DTOs**: `src/Integrations/__Libraries/StellaOps.Integrations.Contracts/IntegrationDtos.cs` -- connector data transfer objects
+- **API endpoints**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationEndpoints.cs` -- connector management API
+- **Tests**: `src/Integrations/__Tests/StellaOps.Integrations.Tests/IntegrationServiceTests.cs`, `IntegrationPluginLoaderTests.cs`
+- **Source**: SPRINT_20260110_102_002_INTHUB_connector_runtime.md
+
+## E2E Test Plan
+- [ ] Verify circuit breaker isolates failed connectors
+- [ ] Test retry with exponential backoff recovers from transient failures
+- [ ] Verify per-integration rate limiting prevents API quota exhaustion
+- [ ] Test connection pooling reuses connections efficiently
+- [ ] Verify ConnectorFactory handles both built-in and plugin connectors

docs/features/unchecked/integrations/github-app-connector.md

@@ -0,0 +1,29 @@
+# GitHub App Connector
+
+## Module
+Integrations
+
+## Status
+IMPLEMENTED
+
+## Description
+GitHub App connector with authentication, health checks, annotation support, and Code Scanning extensions is fully implemented.
+
+## Implementation Details
+- **Connector plugin**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/GitHubAppConnectorPlugin.cs` -- GitHub App connector with authentication and health checks
+- **Annotation client**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/GitHubAppAnnotationClient.cs` -- PR annotations via GitHub App
+- **Code scanning client**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/GitHubCodeScanningClient.cs`, `IGitHubCodeScanningClient.cs` -- GitHub Code Scanning API
+- **Code scanning extensions**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/GitHubCodeScanningExtensions.cs` -- DI registration
+- **Alert filter**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/AlertFilter.cs` -- code scanning alert filtering
+- **SARIF upload**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/SarifUploadRequest.cs`, `SarifUploadResult.cs`, `SarifUploadStatus.cs` -- SARIF upload models
+- **Processing status**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/ProcessingStatus.cs`
+- **Code scanning alert model**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/CodeScanningAlert.cs`
+- **Tests**: `src/Integrations/__Tests/StellaOps.Integrations.Tests/CodeScanning/GitHubCodeScanningClientTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify GitHub App authenticates using app installation tokens
+- [ ] Test PR annotation creates check runs with finding summaries
+- [ ] Verify Code Scanning API uploads SARIF results
+- [ ] Test alert filtering by severity and rule
+- [ ] Verify health check validates GitHub App connectivity

docs/features/unchecked/integrations/github-code-scanning-upload-client.md

@@ -0,0 +1,29 @@
+# GitHub Code Scanning Upload Client
+
+## Module
+Integrations
+
+## Status
+IMPLEMENTED
+
+## Description
+GitHub Code Scanning REST API client is implemented with SARIF upload, processing status polling, alert filtering, and integration with the GitHubApp connector plugin.
+
+## Implementation Details
+- **Code scanning client**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/GitHubCodeScanningClient.cs`, `IGitHubCodeScanningClient.cs` -- SARIF upload and alert retrieval
+- **SARIF upload request**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/SarifUploadRequest.cs` -- upload payload model
+- **SARIF upload result**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/SarifUploadResult.cs` -- upload response model
+- **Upload status**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/SarifUploadStatus.cs` -- upload status tracking
+- **Processing status**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/ProcessingStatus.cs` -- processing state enum
+- **Alert filter**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/AlertFilter.cs` -- alert filtering logic
+- **Alert model**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/CodeScanningAlert.cs` -- alert data model
+- **DI extensions**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/CodeScanning/GitHubCodeScanningExtensions.cs`
+- **Tests**: `src/Integrations/__Tests/StellaOps.Integrations.Tests/CodeScanning/GitHubCodeScanningClientTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify SARIF upload to GitHub Code Scanning API
+- [ ] Test processing status polling until upload is complete
+- [ ] Verify alert filtering returns relevant alerts
+- [ ] Test upload handles large SARIF files (gzip compression)
+- [ ] Verify integration with GitHubApp connector plugin authentication

docs/features/unchecked/integrations/integration-concierge.md

@@ -0,0 +1,26 @@
+# Integration Concierge (Setup Wizard + Health)
+
+## Module
+Integrations
+
+## Status
+IMPLEMENTED
+
+## Description
+Integration wizard UI, integration hub with detail views, and service-layer models for integration management are implemented in the Angular frontend.
+
+## Implementation Details
+- **Backend API**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationEndpoints.cs` -- REST endpoints for integration management
+- **Integration service**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationService.cs` -- integration lifecycle and configuration
+- **Integration DTOs**: `src/Integrations/__Libraries/StellaOps.Integrations.Contracts/IntegrationDtos.cs` -- data transfer objects for API
+- **Integration models**: `src/Integrations/__Libraries/StellaOps.Integrations.Core/IntegrationModels.cs` -- configuration and health models
+- **Persistence**: `src/Integrations/__Libraries/StellaOps.Integrations.Persistence/PostgresIntegrationRepository.cs` -- integration config persistence
+- **Frontend**: Angular integration hub with wizard UI, detail views, and service-layer models (in `src/Web/StellaOps.Web/src/app/features/integrations/`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify integration wizard guides through connector setup
+- [ ] Test integration hub lists all configured integrations with health status
+- [ ] Verify detail views show connector configuration and diagnostics
+- [ ] Test integration CRUD operations through API
+- [ ] Verify health check results display in UI

docs/features/unchecked/integrations/integration-doctor-checks.md

@@ -0,0 +1,27 @@
+# Integration Doctor Checks (Connectivity, Credentials, Permissions, Rate Limits)
+
+## Module
+Integrations
+
+## Status
+IMPLEMENTED
+
+## Description
+Doctor diagnostic checks for integration health: connectivity verification, credential validation, permission checks, and rate limit status monitoring. Generates aggregated health reports across all integrations.
+
+## Implementation Details
+- **Integration service**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationService.cs` -- health check orchestration across all integrations
+- **Infrastructure abstractions**: `src/Integrations/StellaOps.Integrations.WebService/Infrastructure/Abstractions.cs` -- connectivity, credential, permission check interfaces
+- **Integration models**: `src/Integrations/__Libraries/StellaOps.Integrations.Core/IntegrationModels.cs` -- health report models
+- **Plugin contract**: `src/Integrations/__Libraries/StellaOps.Integrations.Contracts/IIntegrationConnectorPlugin.cs` -- plugins implement health check methods
+- **API endpoints**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationEndpoints.cs` -- health check API
+- **Doctor plugin integration**: Cross-module with `src/Doctor/` -- Doctor integration checks reference integration health
+- **Tests**: `src/Integrations/__Tests/StellaOps.Integrations.Tests/IntegrationServiceTests.cs`
+- **Source**: SPRINT_20260110_102_006_INTHUB_doctor_checks.md
+
+## E2E Test Plan
+- [ ] Verify connectivity checks detect unreachable integrations
+- [ ] Test credential validation catches expired or invalid credentials
+- [ ] Verify permission checks identify missing API scopes
+- [ ] Test rate limit monitoring reports quota usage
+- [ ] Verify aggregated health report covers all configured integrations

docs/features/unchecked/integrations/registry-webhook-handlers.md

@@ -0,0 +1,26 @@
+# Registry Webhook Handlers (Docker/Harbor)
+
+## Module
+Integrations
+
+## Status
+IMPLEMENTED
+
+## Description
+Webhook handlers for Docker Registry v2 and Harbor image-push events that trigger async gate evaluation. Accepts webhook payloads at `/api/v1/webhooks/registry/*` and queues gate evaluation jobs via an in-memory Channel-based queue with a background worker.
+
+## Implementation Details
+- **API endpoints**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationEndpoints.cs` -- webhook receiver at `/api/v1/webhooks/registry/*`
+- **Integration service**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationService.cs` -- processes webhook payloads and queues gate evaluation
+- **Harbor plugin**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.Harbor/HarborConnectorPlugin.cs` -- Harbor-specific webhook handling
+- **GitHub App plugin**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/GitHubAppConnectorPlugin.cs` -- GitHub webhook processing
+- **Integration DTOs**: `src/Integrations/__Libraries/StellaOps.Integrations.Contracts/IntegrationDtos.cs` -- webhook payload models
+- **WebService program**: `src/Integrations/StellaOps.Integrations.WebService/Program.cs` -- webhook endpoint registration
+- **Source**: SPRINT_20251226_001_BE_cicd_gate_integration.md
+
+## E2E Test Plan
+- [ ] Verify Docker Registry v2 webhook payloads are accepted
+- [ ] Test Harbor image-push webhook triggers gate evaluation
+- [ ] Verify Channel-based queue processes jobs asynchronously
+- [ ] Test webhook authentication validates payload signatures
+- [ ] Verify gate evaluation job queuing under load

docs/features/unchecked/integrations/scm-annotation-client-contracts.md

@@ -0,0 +1,24 @@
+# SCM Annotation Client Contracts (PR/MR Comments + Status Checks)
+
+## Module
+Integrations
+
+## Status
+IMPLEMENTED
+
+## Description
+Unified SCM annotation contracts for PR/MR comments, status checks, and check runs with evidence link fields, plus GitHub App and GitLab implementations.
+
+## Implementation Details
+- **SCM annotation contracts**: `src/Integrations/__Libraries/StellaOps.Integrations.Contracts/ScmAnnotationContracts.cs` -- unified interface for PR/MR comments, status checks, and check runs with evidence link fields
+- **GitHub App annotation client**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitHubApp/GitHubAppAnnotationClient.cs` -- GitHub implementation of SCM annotations
+- **GitLab annotation client**: `src/Integrations/__Plugins/StellaOps.Integrations.Plugin.GitLab/GitLabAnnotationClient.cs` -- GitLab implementation of SCM annotations
+- **Integration DTOs**: `src/Integrations/__Libraries/StellaOps.Integrations.Contracts/IntegrationDtos.cs` -- annotation payload models
+- **Source**: SPRINT_20260112_006_INTEGRATIONS_scm_annotations.md
+
+## E2E Test Plan
+- [ ] Verify GitHub App creates PR check runs with finding summaries
+- [ ] Test GitLab annotation posts MR comments with evidence links
+- [ ] Verify status check updates reflect policy evaluation results
+- [ ] Test evidence link fields contain valid URLs to evidence artifacts
+- [ ] Verify annotation contracts handle both pass/fail outcomes

docs/features/unchecked/integrations/toolchain-agnostic-integrations.md

@@ -0,0 +1,30 @@
+# Toolchain-Agnostic Integrations (SCM/CI/Registry)
+
+## Module
+Integrations
+
+## Status
+IMPLEMENTED
+
+## Description
+Plugin-based integration architecture with connector plugins, integration hub UI, and setup wizard is implemented.
+
+## Implementation Details
+- **Plugin contract**: `src/Integrations/__Libraries/StellaOps.Integrations.Contracts/IIntegrationConnectorPlugin.cs` -- toolchain-agnostic connector interface
+- **Plugin loader**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationPluginLoader.cs` -- dynamic plugin loading for SCM/CI/Registry connectors
+- **Built-in plugins**: GitHub App (`StellaOps.Integrations.Plugin.GitHubApp/`), GitLab (`StellaOps.Integrations.Plugin.GitLab/`), Harbor (`StellaOps.Integrations.Plugin.Harbor/`), InMemory (`StellaOps.Integrations.Plugin.InMemory/`)
+- **Integration service**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationService.cs` -- manages plugin lifecycle
+- **Integration endpoints**: `src/Integrations/StellaOps.Integrations.WebService/IntegrationEndpoints.cs` -- REST API for managing integrations
+- **SCM annotations**: `src/Integrations/__Libraries/StellaOps.Integrations.Contracts/ScmAnnotationContracts.cs` -- SCM-agnostic annotation interface
+- **Integration core**: `src/Integrations/__Libraries/StellaOps.Integrations.Core/` -- `Integration.cs`, `IntegrationModels.cs`, `IntegrationEnums.cs`
+- **Persistence**: `src/Integrations/__Libraries/StellaOps.Integrations.Persistence/PostgresIntegrationRepository.cs`
+- **Frontend**: Integration hub wizard UI and detail views in `src/Web/`
+- **Tests**: `src/Integrations/__Tests/StellaOps.Integrations.Tests/IntegrationServiceTests.cs`, `IntegrationPluginLoaderTests.cs`, `StellaOps.Integrations.Plugin.Tests/InMemoryConnectorPluginTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify plugin loader discovers connectors for SCM, CI, and Registry types
+- [ ] Test GitHub App and GitLab connectors through unified interface
+- [ ] Verify Harbor and InMemory registry connectors work interchangeably
+- [ ] Test integration management API handles all connector types
+- [ ] Verify toolchain-agnostic contract allows adding new connector plugins