semi implemented and features implemented save checkpoint

2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
--- a/docs/features/unchecked/libraries/canonicalization-version-markers-for-content-addressed-hashing.md
+++ b/docs/features/unchecked/libraries/canonicalization-version-markers-for-content-addressed-hashing.md
@@ -0,0 +1,30 @@
+# Canonicalization Version Markers for Content-Addressed Hashing
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Embeds a `_canonVersion` field (e.g., "stella:canon:v1") in all content-addressed canonical JSON, enabling version-aware hash verification and graceful migration when canonicalization algorithms change. Includes CanonicalizeVersioned<T>, HashVersioned<T> APIs, and backward compatibility with unversioned hashes. Distinct from "Canonical JSON Serialization (RFC 8785)" which is the base serializer; this adds version tracking to it.
+
+## Implementation Details
+- **CanonJson.Versioned**: `src/__Libraries/StellaOps.Canonical.Json/CanonJson.Versioned.cs` -- `CanonicalizeVersioned<T>(obj, version)` embeds `_canonVersion` as the lexicographically first field via underscore prefix; handles non-object roots by wrapping in `{"_canonVersion":"...","_value":...}`; overload with custom `JsonSerializerOptions`; delegates to `WriteElementSorted` for remaining properties sorted by ordinal
+- **CanonVersion**: `src/__Libraries/StellaOps.Canonical.Json/CanonVersion.cs` -- static constants: `V1 = "stella:canon:v1"` (RFC 8785 JCS with ordinal key sorting, no whitespace, UTF-8 without BOM, IEEE 754 numbers, minimal escape sequences); `VersionFieldName = "_canonVersion"`; `Current = V1`; `IsVersioned(ReadOnlySpan<byte>)` checks `VersionedPrefixBytes` prefix (minimum 35 bytes); `ExtractVersion(ReadOnlySpan<byte>)` parses version string from canonical JSON bytes
+- **CanonJson**: `src/__Libraries/StellaOps.Canonical.Json/CanonJson.cs` -- base canonicalization entry point
+- **CanonJson.Hashing**: `src/__Libraries/StellaOps.Canonical.Json/CanonJson.Hashing.cs` -- `HashVersionedPrefixed` for computing content-addressed SHA-256 hashes with version markers
+- **CanonJson.Writer**: `src/__Libraries/StellaOps.Canonical.Json/CanonJson.Writer.cs` -- `WriteElementSorted` for deterministic property ordering
+- **ICanonicalizable**: `src/__Libraries/StellaOps.Canonical.Json/ICanonicalizable.cs` -- interface for types that support canonical serialization
+- **Tests**: `src/__Libraries/StellaOps.Canonical.Json.Tests/`
+- **Source**: SPRINT_8100_0012_0001_canonicalizer_versioning.md
+
+## E2E Test Plan
+- [ ] Verify `CanonicalizeVersioned<T>` produces JSON with `_canonVersion` as the first field
+- [ ] Verify `CanonVersion.IsVersioned` returns true for versioned canonical JSON and false for unversioned
+- [ ] Verify `CanonVersion.ExtractVersion` correctly extracts "stella:canon:v1" from canonical bytes
+- [ ] Test backward compatibility: unversioned hashes are detected via `IsVersioned` returning false
+- [ ] Verify hash stability: same input always produces same versioned canonical JSON bytes
+- [ ] Test non-object root wrapping: primitive values are wrapped in `{"_canonVersion":"...","_value":...}`
+- [ ] Verify custom `JsonSerializerOptions` overload produces consistent results
+- [ ] Test that `_canonVersion` field in input JSON is deduplicated (not written twice)
--- a/docs/features/unchecked/libraries/determinism-gate-testing-infrastructure.md
+++ b/docs/features/unchecked/libraries/determinism-gate-testing-infrastructure.md
@@ -0,0 +1,26 @@
+# Determinism Gate Testing Infrastructure
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Dedicated determinism testing library and TestKit deterministic helpers for CI-gated canonical output verification.
+
+## Implementation Details
+- **TestKit**: `src/__Libraries/StellaOps.TestKit/` -- comprehensive shared test kit with TestCategories, DeterministicRandom, DeterministicTime, CanonicalJsonAssert, SnapshotAssert, BlastRadiusTestRunner/Validator, ConnectorTestBase hierarchy (HttpFixture, LiveSchema, Resilience, Security), FixtureUpdater, EnvironmentProfile, SkewTestRunner, EvidenceChainAssert/Reporter, IntentAttribute/TestIntents, SchemaVersionMatrix, StabilityMetrics/TestRunner, OTelContractAssert, LogContractAssert, MetricsContractAssert, CacheIdempotencyTests, FlakyToDeterministicPattern, QueryDeterminismTests, StorageConcurrencyTests/IdempotencyTests, WebServiceTestBase
+- **Testing.Determinism**: `src/__Libraries/StellaOps.Testing.Determinism/` -- determinism-specific test infrastructure (referenced but directory may be integrated into TestKit)
+- **Determinism.Abstractions**: `src/__Libraries/StellaOps.Determinism.Abstractions/` -- `IGuidProvider` (SystemGuidProvider/SequentialGuidProvider), `ResolverBoundaryAttribute`, `RequiresCanonicalizationAttribute`, `DeterministicOutputAttribute`, `DeterminismServiceCollectionExtensions` (AddSystemTimeProvider, AddSystemGuidProvider, AddDeterminismDefaults)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify `CanonicalJsonAssert` detects non-deterministic JSON serialization (e.g., unordered keys)
+- [ ] Verify `SnapshotAssert` compares golden snapshots and reports diffs
+- [ ] Test `DeterministicRandom` produces repeatable sequences with same seed
+- [ ] Test `DeterministicTime` provides controlled time progression
+- [ ] Verify `SequentialGuidProvider` returns predictable GUID sequence with counter in last 4 bytes
+- [ ] Test `BlastRadiusTestRunner` validates change scope within expected boundaries
+- [ ] Verify `StorageIdempotencyTests` confirm repeated writes produce identical results
+- [ ] Test `FlakyToDeterministicPattern` converts non-deterministic tests to deterministic equivalents
--- a/docs/features/unchecked/libraries/deterministic-replay-contract.md
+++ b/docs/features/unchecked/libraries/deterministic-replay-contract.md
@@ -0,0 +1,34 @@
+# Deterministic Replay Contract (Feed/Tool/Rule Pinning)
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Replay manifests pin feed snapshots, tool versions, rule packs, and scoring inputs with content-addressed hashes. Validation ensures CAS integrity and deterministic sorting.
+
+## Implementation Details
+- **ReplayManifest**: `src/__Libraries/StellaOps.Replay.Core/ReplayManifest.cs` -- core manifest model with versioning
+- **ReplayManifestValidator**: `src/__Libraries/StellaOps.Replay.Core/ReplayManifestValidator.cs` -- multi-partial validation: `.Cas.cs` (CAS reference integrity), `.Graphs.cs` (graph reference validation), `.Sorting.cs` (deterministic sort verification), `.Traces.cs` (trace reference validation), `.Upgrade.cs`/`.Upgrade.Helpers.cs` (manifest version upgrade paths)
+- **ReplayManifestVersions**: `src/__Libraries/StellaOps.Replay.Core/ReplayManifestVersions.cs` -- version constants and migration logic
+- **CasReference/ICasValidator/InMemoryCasValidator**: `src/__Libraries/StellaOps.Replay.Core/CasReference.cs`, `ICasValidator.cs`, `InMemoryCasValidator.cs` -- content-addressed storage validation with CasValidationResult/CasValidationError
+- **PolicySimulationInputLock**: `src/__Libraries/StellaOps.Replay.Core/PolicySimulationInputLock.cs` -- pins policy simulation inputs with content-addressed hashes
+- **PolicySimulationInputLockValidator**: `src/__Libraries/StellaOps.Replay.Core/PolicySimulationInputLockValidator.cs` -- validates pinned input integrity
+- **DeterministicHash**: `src/__Libraries/StellaOps.Replay.Core/DeterministicHash.cs` -- deterministic hash computation for replay verification
+- **DeterminismManifestValidator**: `src/__Libraries/StellaOps.Replay.Core/Validation/DeterminismManifestValidator.cs` -- comprehensive multi-partial validation: `.Core.cs`, `.Inputs.cs`, `.Artifact.cs`, `.CanonicalHash.cs`, `.Toolchain.cs`, `.Verification.cs`, `.Reproducibility.cs`, `.Required.cs`, `.Parse.cs`, `.Regex.cs`
+- **ReplayProof**: `src/__Libraries/StellaOps.Replay.Core/ReplayProof.cs` -- `.Canonical.cs` (canonical serialization), `.Factory.cs` (proof construction), `.Validation.cs` (proof verification)
+- **FeedSnapshotCoordinatorService**: `src/__Libraries/StellaOps.Replay.Core/FeedSnapshotCoordinatorService.cs` -- feed snapshot management: `.Create.cs`, `.Export.cs`, `.Import.cs`, `.Validate.cs`, `.Digest.cs`, `.BundleManifest.cs`, with Zstd compression streams
+- **Tests**: `src/__Libraries/StellaOps.Replay.Core.Tests/`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify replay manifest pins all input hashes (feed, tool, rule, scoring)
+- [ ] Test CAS validation detects tampered or missing content-addressed references
+- [ ] Verify deterministic sorting produces identical manifest ordering across runs
+- [ ] Test manifest version upgrade preserves content integrity
+- [ ] Verify PolicySimulationInputLock captures exact policy evaluation parameters
+- [ ] Test DeterminismManifestValidator catches non-reproducible manifests
+- [ ] Verify ReplayProof canonical serialization produces identical bytes for same inputs
+- [ ] Test FeedSnapshotCoordinator export/import round-trip with Zstd compression
--- a/docs/features/unchecked/libraries/distro-specific-version-comparators.md
+++ b/docs/features/unchecked/libraries/distro-specific-version-comparators.md
@@ -0,0 +1,28 @@
+# Distro-Specific Version Comparators
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+All three major distro version comparators implemented: dpkg EVR (Debian/Ubuntu), RPMVERCMP (RHEL/Fedora/SUSE), and APK version models.
+
+## Implementation Details
+- **IVersionComparator**: `src/__Libraries/StellaOps.VersionComparison/IVersionComparator.cs` -- interface with `ComparatorType` property, `Compare(string?, string?)`, and `CompareWithProof(string?, string?)` returning `VersionComparisonResult` (Comparison int, ImmutableArray<string> ProofLines, ComparatorType); `ComparatorType` enum: RpmEvr, Dpkg, Apk, SemVer; result has `IsLessThan`, `IsEqual`, `IsGreaterThan`, `IsGreaterThanOrEqual` helpers
+- **DebianVersionComparer**: `src/__Libraries/StellaOps.VersionComparison/Comparers/DebianVersionComparer.cs` -- singleton implementing `IVersionComparator`, `IComparer<DebianVersion>`, `IComparer<string>`; handles epoch:upstream_version-debian_revision with tilde pre-release support; `CompareSegment` implements dpkg semantics: skip non-alphanumeric (except tilde), tilde sorts before everything, digits sort after letters, numeric segments compared by length then lexicographic; `CompareWithProof` generates human-readable proof lines for each comparison step (epoch, upstream version, debian revision)
+- **RpmVersionComparer**: `src/__Libraries/StellaOps.VersionComparison/Comparers/RpmVersionComparer.cs` -- singleton implementing `IVersionComparator`, `IComparer<RpmVersion>`, `IComparer<string>`; handles epoch, version, release with tilde support; `CompareSegment` uses rpmvercmp semantics: `SkipToNextSegment` (handle tildes), `CompareNumericSegment` (trim leading zeros, compare by length then lexicographic), `CompareAlphaSegment` (ordinal comparison); `CompareWithProof` with detailed proof lines
+- **StringVersionComparer**: `src/__Libraries/StellaOps.VersionComparison/Comparers/StringVersionComparer.cs` -- fallback string comparison
+- **Models**: `src/__Libraries/StellaOps.VersionComparison/Models/` -- `DebianVersion` (Epoch, Version, Revision with TryParse), `RpmVersion` (Epoch, Version, Release with TryParse), `ApkVersion`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify Debian version comparison handles epoch correctly (2:1.0 > 1:2.0)
+- [ ] Test dpkg tilde pre-release: 1.0~beta < 1.0
+- [ ] Verify RPM EVR comparison follows rpmvercmp semantics (numeric vs alpha segments)
+- [ ] Test RPM tilde support: 1.0~rc1 < 1.0
+- [ ] Verify APK version comparison handles APK-specific version schemes
+- [ ] Test proof line generation provides human-readable comparison steps
+- [ ] Verify all comparators handle null/empty versions gracefully
+- [ ] Test `IsGreaterThanOrEqual` for installed >= fixed version checks
--- a/docs/features/unchecked/libraries/doctor-health-check-plugins.md
+++ b/docs/features/unchecked/libraries/doctor-health-check-plugins.md
@@ -0,0 +1,29 @@
+# Doctor Health Check Plugins (Attestation + Verification + Integration)
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Doctor plugin system with attestation checks, verification checks, integration checks (registry referrers API, push/pull authorization, credentials), service graph plugin, security plugin, observability plugin, and notification plugin. The advisory itself states "IMPLEMENTED on 2026-01-16".
+
+## Implementation Details
+- **AttestationPlugin**: `src/__Libraries/StellaOps.Doctor.Plugins.Attestation/AttestationPlugin.cs` -- registers attestation health checks with `AttestationCheckBase` base class; `AttestationPluginOptions` for configuration; `AttestationPluginExtensions` for DI registration
+- **Attestation Checks**: `src/__Libraries/StellaOps.Doctor.Plugins.Attestation/` -- `ClockSkewCheck.cs` (NTP clock skew validation), `CosignKeyMaterialCheck.cs` (cosign key material availability), `OfflineBundleCheck.cs` (offline trust bundle freshness), `RekorConnectivityCheck.cs` (Rekor transparency log connectivity)
+- **VerificationPlugin**: `src/__Libraries/StellaOps.Doctor.Plugins.Verification/VerificationPlugin.cs` -- registers verification health checks with `VerificationCheckBase` base class; `VerificationPluginOptions`; `VerificationPluginExtensions`
+- **Verification Checks**: `src/__Libraries/StellaOps.Doctor.Plugins.Verification/` -- `PolicyEngineCheck.cs` (policy engine availability), `SbomValidationCheck.cs` (SBOM validation capability), `SignatureVerificationCheck.cs` (signature verification capability), `TestArtifactPullCheck.cs` (test artifact pull from registry), `VexValidationCheck.cs` (VEX document validation)
+- **Additional Plugins**: `src/__Libraries/StellaOps.Doctor.Plugins.*/` -- AI, Authority, Core, Cryptography, Database, Docker, Integration, Notify, Observability, Security, ServiceGraph, Sources
+- **Integration Tests**: `src/__Libraries/__Tests/StellaOps.Doctor.Plugins.Integration.Tests/`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify AttestationPlugin registers and runs all attestation checks (ClockSkew, CosignKey, OfflineBundle, Rekor)
+- [ ] Test ClockSkewCheck detects NTP drift beyond configured threshold
+- [ ] Verify CosignKeyMaterialCheck validates cosign key availability
+- [ ] Test RekorConnectivityCheck reports connectivity status to transparency log
+- [ ] Verify VerificationPlugin runs PolicyEngine, SbomValidation, SignatureVerification, VexValidation checks
+- [ ] Test TestArtifactPullCheck verifies registry pull/push operations
+- [ ] Verify plugin DI registration via extension methods
+- [ ] Test health check aggregation across all Doctor plugins returns combined status
--- a/docs/features/unchecked/libraries/edge-explanation-types-for-reachgraph.md
+++ b/docs/features/unchecked/libraries/edge-explanation-types-for-reachgraph.md
@@ -0,0 +1,29 @@
+# Edge Explanation Types for ReachGraph (EdgeExplanationType Vocabulary)
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Typed edge explanation vocabulary (EdgeExplanationType enum) for ReachGraph edges, enabling structured "why is this edge present" annotations. Includes guard detection, call-site attribution, and deduplication. Enables the "Why Reachable?" UI panel to display human-readable explanations for each hop in a reachability path.
+
+## Implementation Details
+- **EdgeExplanationType**: `src/__Libraries/StellaOps.ReachGraph/Schema/EdgeExplanation.cs` -- enum with JSON string serialization (`JsonStringEnumConverter<EdgeExplanationType>`): `Import` (ES6/Python/using), `DynamicLoad` (require/dlopen/LoadLibrary), `Reflection` (Class.forName/Type.GetType), `Ffi` (JNI/P.Invoke/ctypes), `EnvGuard` (process.env/os.environ), `FeatureFlag` (LaunchDarkly/unleash/custom), `PlatformArch` (process.platform/runtime.GOOS), `TaintGate` (sanitization/validation), `LoaderRule` (PLT/IAT/GOT), `DirectCall` (static/virtual/delegate), `Unknown`
+- **EdgeExplanation**: `src/__Libraries/StellaOps.ReachGraph/Schema/EdgeExplanation.cs` -- record with `Type` (EdgeExplanationType), `Loc` (source location file:line), `Guard` (predicate expression e.g. "FEATURE_X=true"), `Confidence` (double 0.0-1.0), `Metadata` (ImmutableDictionary<string, string> for language-specific data)
+- **ReachGraphEdge**: `src/__Libraries/StellaOps.ReachGraph/Schema/ReachGraphEdge.cs` -- record with `From`, `To`, and `Why` (EdgeExplanation) linking nodes with structured explanations
+- **Edge Deduplication**: `src/__Libraries/StellaOps.ReachGraph/Deduplication/` -- `EdgeDeduplicator.cs`, `DeduplicatedEdge.cs`, `DeduplicatedEdgeBuilder.cs`, `EdgeSemanticKey.cs`/`.Computation.cs`, `IEdgeDeduplicator.cs`, `EdgeDeduplicatorExtensions.cs` for deduplicating edges with same semantic meaning
+- **Canonical Serialization**: `src/__Libraries/StellaOps.ReachGraph/Serialization/CanonicalReachGraphSerializer.cs` -- multi-partial serializer with `.Canonicalize.Core.cs`, `.Canonicalize.Nodes.cs`, `.Dtos.Core.cs`, `.Dtos.Nodes.cs`, `.Dtos.Provenance.cs`, `.FromDto.Core.cs`, `.FromDto.Nodes.cs`, `.Options.cs`
+- **Signing**: `src/__Libraries/StellaOps.ReachGraph/Signing/ReachGraphSignerService.cs` -- `.Sign.cs`, `.Verify.cs`, `.Dsse.cs`, `.Helpers.cs` for DSSE signing of reach graphs
+- **Source**: SPRINT_1227_0012_0001_LB_reachgraph_core.md
+
+## E2E Test Plan
+- [ ] Verify all EdgeExplanationType values serialize to/from JSON strings correctly
+- [ ] Test EdgeExplanation captures source location (Loc), guard predicate, and confidence
+- [ ] Verify edge deduplication merges edges with same semantic key
+- [ ] Test canonical serialization produces deterministic output for same graph
+- [ ] Verify ReachGraphEdge links two nodes with a structured Why explanation
+- [ ] Test DSSE signing and verification of reach graph bundles
+- [ ] Verify confidence scores are within [0.0, 1.0] range
+- [ ] Test metadata dictionary captures language-specific edge attributes
--- a/docs/features/unchecked/libraries/eidas-qualified-timestamp-support.md
+++ b/docs/features/unchecked/libraries/eidas-qualified-timestamp-support.md
@@ -0,0 +1,31 @@
+# eIDAS Qualified Timestamp Support
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Full eIDAS qualified timestamp signing and verification provider with TSP client integration.
+
+## Implementation Details
+- **EidasCryptoProvider**: `src/__Libraries/StellaOps.Cryptography.Plugin.EIDAS/EidasCryptoProvider.cs` -- main eIDAS crypto plugin
+- **EidasSigner**: `src/__Libraries/StellaOps.Cryptography.Plugin.EIDAS/EidasSigner.cs` -- signing implementation with `.Export.cs` for key export
+- **LocalEidasProvider**: `src/__Libraries/StellaOps.Cryptography.Plugin.EIDAS/LocalEidasProvider.cs` -- local eIDAS operations: `.Signing.cs` (local signing), `.Verification.cs` (local verification)
+- **TrustServiceProviderClient**: `src/__Libraries/StellaOps.Cryptography.Plugin.EIDAS/TrustServiceProviderClient.cs` -- TSP client for qualified timestamps: `.Signing.cs` (request timestamp from TSA), `.Verification.cs` (verify qualified timestamps against EU Trust List)
+- **TspResponses**: `src/__Libraries/StellaOps.Cryptography.Plugin.EIDAS/TspResponses.cs` -- TSP response models
+- **Configuration**: `src/__Libraries/StellaOps.Cryptography.Plugin.EIDAS/` -- `EidasOptions.cs`, `EidasKeyConfig.cs`, `LocalSigningOptions.cs`, `TrustedListOptions.cs`, `TspOptions.cs`, `SignatureLevel.cs`
+- **DI Registration**: `src/__Libraries/StellaOps.Cryptography.Plugin.EIDAS/ServiceCollectionExtensions.cs`
+- **Tests**: `src/__Libraries/StellaOps.Cryptography.Plugin.EIDAS.Tests/`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify TSP client can request qualified timestamps from a TSA endpoint
+- [ ] Test timestamp verification against EU Trust List entries
+- [ ] Verify local signing with eIDAS-compliant key material
+- [ ] Test local verification of eIDAS signatures
+- [ ] Verify EidasOptions configures TSA endpoint, key, and signature level correctly
+- [ ] Test TrustServiceProviderClient handles TSP response parsing
+- [ ] Verify qualified timestamp tokens contain correct OIDs
+- [ ] Test DI registration via ServiceCollectionExtensions
--- a/docs/features/unchecked/libraries/evidence-graph-with-validation.md
+++ b/docs/features/unchecked/libraries/evidence-graph-with-validation.md
@@ -0,0 +1,28 @@
+# Evidence Graph with Validation
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Evidence graph model with pre-traversal validation, cycle detection, and policy integration.
+
+## Implementation Details
+- **EvidenceGraph**: `src/__Libraries/StellaOps.Resolver/EvidenceGraph.cs` -- immutable record with `ImmutableArray<Node> Nodes` and `ImmutableArray<Edge> Edges` (both sorted by ID for determinism); content-addressed `GraphDigest` computed via `CanonicalJsonSerializer.SerializeWithDigest`; factory method `Create(nodes, edges)` sorts collections; `AddNode`/`AddEdge` return new immutable instances; `GetInboundEdges`/`GetOutboundEdges` for graph traversal; `NodeIds`/`EdgeIds` lazy computed sorted arrays
+- **GraphValidation**: `src/__Libraries/StellaOps.Resolver/GraphValidation.cs` -- `DefaultGraphValidator` combining cycle detection and implicit data detection; `TarjanCycleDetector` (Tarjan's SCC algorithm, excludes `IsCycleCut` edges from adjacency); `DefaultImplicitDataDetector` catches dangling edge sources/destinations, duplicate NodeIds, duplicate EdgeIds; `GraphValidationResult` record with `IsValid`, `Cycles`, `Errors`, `Warnings`, `ImplicitDataViolations`; `CycleInfo` record with CycleNodes and optional CutEdge; `ImplicitDataViolation` record; `InvalidGraphException` for validation failures
+- **DeterministicResolver**: `src/__Libraries/StellaOps.Resolver/DeterministicResolver.cs` -- 4-phase resolution: (1) Validate graph via `IGraphValidator`, (2) Compute traversal order via `IGraphOrderer`, (3) Evaluate each node with `ITrustLatticeEvaluator` using predecessor verdicts, (4) Compute final digest via `IFinalDigestComputer`; `ResolutionResult` with TraversalSequence, Verdicts, GraphDigest, PolicyDigest, FinalDigest, ResolvedAt, ResolverVersion
+- **TopologicalGraphOrderer**: `src/__Libraries/StellaOps.Resolver/TopologicalGraphOrderer.cs` -- deterministic topological sort for traversal ordering
+- **ResolutionVerifier**: `src/__Libraries/StellaOps.Resolver/ResolutionVerifier.cs` -- verifies resolution results for integrity
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify EvidenceGraph.Create sorts nodes and edges deterministically
+- [ ] Test GraphDigest is content-addressed and changes when nodes/edges change
+- [ ] Verify TarjanCycleDetector finds cycles and identifies IsCycleCut edges
+- [ ] Test DefaultImplicitDataDetector catches dangling edges and duplicate IDs
+- [ ] Verify DeterministicResolver produces identical ResolutionResult for same inputs
+- [ ] Test 4-phase resolution: validate, order, evaluate, digest
+- [ ] Verify immutability: AddNode/AddEdge return new graph instances without mutating original
+- [ ] Test InvalidGraphException contains validation error details
--- a/docs/features/unchecked/libraries/evidence-size-budgets-with-retention-tiers.md
+++ b/docs/features/unchecked/libraries/evidence-size-budgets-with-retention-tiers.md
@@ -0,0 +1,36 @@
+# Evidence Size Budgets with Retention Tiers
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Implements evidence storage budgets with tiered retention (Hot/Warm/Cold/Archive), auto-pruning policies, and usage tracking. Distinct from "Evidence TTL and staleness policy" (expiration) and "DSSE Envelope Size Management" (single envelope sizing). This is a full lifecycle budget management system with compression tiers.
+
+## Implementation Details
+- **EvidenceBudgetService**: `src/__Libraries/StellaOps.Evidence/EvidenceBudgetService.cs` -- multi-partial implementation: `.Usage.cs` (track per-tenant/per-type usage against budgets), `.Status.cs` (budget status reporting), `.Prune.cs` (auto-pruning based on retention policies)
+- **IEvidenceBudgetService**: `src/__Libraries/StellaOps.Evidence/IEvidenceBudgetService.cs` -- interface for budget management
+- **EvidenceBudget**: `src/__Libraries/StellaOps.Evidence/EvidenceBudget.cs` -- budget configuration model
+- **BudgetCheckResult/BudgetStatus**: `src/__Libraries/StellaOps.Evidence/BudgetCheckResult.cs`, `BudgetStatus.cs` -- budget check outcomes
+- **RetentionPolicy**: `src/__Libraries/StellaOps.Evidence/RetentionPolicy.cs` -- per-tier retention configuration
+- **RetentionTier**: `src/__Libraries/StellaOps.Evidence/RetentionTier.cs` -- tier enum (Hot/Warm/Cold/Archive)
+- **RetentionTierManager**: `src/__Libraries/StellaOps.Evidence/RetentionTierManager.cs` -- multi-partial: `.CurrentTier.cs` (determine current tier), `.Migrate.cs` (migrate between tiers), `.Compress.cs` (tier-specific compression), `.Audit.cs` (audit trail for migrations)
+- **IRetentionTierManager/IArchiveStorage**: `src/__Libraries/StellaOps.Evidence/IRetentionTierManager.cs`, `IArchiveStorage.cs` -- interfaces
+- **TierMigrationResult/MigratedItem**: `src/__Libraries/StellaOps.Evidence/TierMigrationResult.cs`, `MigratedItem.cs` -- migration tracking
+- **UsageStats/PruneResult**: `src/__Libraries/StellaOps.Evidence/UsageStats.cs`, `PruneResult.cs` -- reporting models
+- **EvidenceItem/EvidenceType**: `src/__Libraries/StellaOps.Evidence/EvidenceItem.cs`, `EvidenceType.cs` -- evidence models
+- **CompressionLevel/BudgetExceededAction**: `src/__Libraries/StellaOps.Evidence/CompressionLevel.cs`, `BudgetExceededAction.cs` -- configuration enums
+- **Validation**: `src/__Libraries/StellaOps.Evidence/` -- `EvidenceIndexValidator.cs`, `IEvidenceIndexValidator.cs`, `SchemaLoader.cs`, `ValidationError.cs`, `ValidationResult.cs`
+- **Source**: SPRINT_7000_0004_0002_evidence_size_budgets.md
+
+## E2E Test Plan
+- [ ] Verify budget tracking reports accurate usage per tenant and evidence type
+- [ ] Test budget exceeded action triggers auto-pruning of oldest items
+- [ ] Verify retention tier migration (Hot -> Warm -> Cold -> Archive) with compression
+- [ ] Test RetentionTierManager applies tier-specific compression ratios
+- [ ] Verify PruneResult reports number of items pruned and space reclaimed
+- [ ] Test budget status API returns current usage vs. configured limits
+- [ ] Verify tier migration audit trail records all migrations
+- [ ] Test evidence index validation catches schema violations
--- a/docs/features/unchecked/libraries/iguidprovider-determinism-abstraction-library.md
+++ b/docs/features/unchecked/libraries/iguidprovider-determinism-abstraction-library.md
@@ -0,0 +1,28 @@
+# IGuidProvider Determinism Abstraction Library
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+New `StellaOps.Determinism.Abstractions` library providing `IGuidProvider` and `SystemGuidProvider`/`SequentialGuidProvider` for deterministic GUID generation. Includes DI extensions and `ResolverBoundaryAttribute`. Sprint completed systematic refactoring across 21 tasks injecting `TimeProvider` and `IGuidProvider` into all modules (~1526+ instances replaced).
+
+## Implementation Details
+- **IGuidProvider**: `src/__Libraries/StellaOps.Determinism.Abstractions/IGuidProvider.cs` -- interface with single `Guid NewGuid()` method; `SystemGuidProvider` (sealed, singleton `Instance`, delegates to `Guid.NewGuid()`); `SequentialGuidProvider` (sealed, thread-safe via `Interlocked.Increment`, embeds counter in last 4 bytes of base GUID, `Reset()` method for test reuse)
+- **DeterminismServiceCollectionExtensions**: `src/__Libraries/StellaOps.Determinism.Abstractions/DeterminismServiceCollectionExtensions.cs` -- `AddSystemTimeProvider()` registers `TimeProvider.System` singleton; `AddSystemGuidProvider()` registers `SystemGuidProvider` as `IGuidProvider` singleton; `AddDeterminismDefaults()` registers both (recommended for production)
+- **ResolverBoundaryAttribute**: `src/__Libraries/StellaOps.Determinism.Abstractions/ResolverBoundaryAttribute.cs` -- `[ResolverBoundary]` marks methods/classes as resolver boundaries requiring canonicalization; properties: `RequireNfc` (NFC normalization), `RequireOrdering` (collection ordering, default true), `Description`; STELLA0100 analyzer enforces RFC 8785 JCS within marked scopes
+- **RequiresCanonicalizationAttribute**: same file -- alias attribute with `Scheme` property (default "RFC8785")
+- **DeterministicOutputAttribute**: same file -- marks methods producing deterministic output; properties: `HashAlgorithm` (default "SHA256"), `IsSigned`
+- **Source**: batch_51/file_13.md
+
+## E2E Test Plan
+- [ ] Verify `SystemGuidProvider.NewGuid()` returns unique GUIDs (non-deterministic, for production)
+- [ ] Verify `SequentialGuidProvider` returns predictable sequence with counter in last 4 bytes
+- [ ] Test `SequentialGuidProvider.Reset()` restarts counter from zero
+- [ ] Verify `AddDeterminismDefaults()` registers both TimeProvider and IGuidProvider in DI container
+- [ ] Test `ResolverBoundaryAttribute` can be applied to methods and classes
+- [ ] Verify `SequentialGuidProvider` is thread-safe (concurrent calls produce unique GUIDs)
+- [ ] Test that `TryAddSingleton` prevents double registration when called multiple times
+- [ ] Verify `DeterministicOutputAttribute` captures hash algorithm and signing flag
--- a/docs/features/unchecked/libraries/ocsp-crl-certificate-status-provider.md
+++ b/docs/features/unchecked/libraries/ocsp-crl-certificate-status-provider.md
@@ -0,0 +1,28 @@
+# OCSP/CRL Certificate Status Provider
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Full OCSP client and CRL fetcher for certificate revocation checking, as specified in the advisory.
+
+## Implementation Details
+- **OcspClient**: `src/__Libraries/StellaOps.Cryptography.CertificateStatus/OcspClient.cs` -- RFC 6960 OCSP client: `CheckStatusAsync(certificate, issuer, options)` extracts OCSP responder URL from AIA extension (OID 1.3.6.1.5.5.7.1.1), generates ASN.1 DER OCSP request with CertID (SHA-256 issuer name hash + issuer key hash + serial number), supports optional nonce (OID 1.3.6.1.5.5.7.48.1.2), uses GET for requests <= 255 bytes / POST for larger; parses `BasicOCSPResponse` with tbsResponseData (producedAt, certStatus: good[0]/revoked[1]/unknown[2], thisUpdate, nextUpdate); caches good responses per thumbprint; `ParseStapledResponse` for pre-fetched OCSP responses
+- **CrlFetcher**: `src/__Libraries/StellaOps.Cryptography.CertificateStatus/CrlFetcher.cs` -- CRL distribution point fetching and revocation checking
+- **CertificateStatusProvider**: `src/__Libraries/StellaOps.Cryptography.CertificateStatus/CertificateStatusProvider.cs` -- unified provider combining OCSP and CRL status checks
+- **CertificateStatusServiceCollectionExtensions**: `src/__Libraries/StellaOps.Cryptography.CertificateStatus/CertificateStatusServiceCollectionExtensions.cs` -- DI registration
+- **Abstractions**: `src/__Libraries/StellaOps.Cryptography.CertificateStatus.Abstractions/` -- `CertificateStatusResult` (Status, Source, ProducedAt, ThisUpdate, NextUpdate, ResponderUrl, RawOcspResponse, revocation details), `RevocationStatus` enum (Good, Revoked, Unknown), `RevocationSource` enum (Ocsp, Crl), `RevocationReason` enum, `CertificateStatusOptions` (EnableCaching, IncludeOcspNonce, RequestTimeout, MaxOcspAge)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify OCSP client generates valid ASN.1 DER request with correct CertID
+- [ ] Test OCSP nonce inclusion when IncludeOcspNonce is enabled
+- [ ] Verify GET method is used for small requests (<= 255 bytes) and POST for larger
+- [ ] Test OCSP response parsing detects good, revoked, and unknown certificate status
+- [ ] Verify revoked status includes revocation time and reason
+- [ ] Test response caching for good certificates with nextUpdate expiry
+- [ ] Verify CRL fetcher retrieves and parses CRL distribution point data
+- [ ] Test unified CertificateStatusProvider combines OCSP and CRL results
--- a/docs/features/unchecked/libraries/policy-lock-generator.md
+++ b/docs/features/unchecked/libraries/policy-lock-generator.md
@@ -0,0 +1,29 @@
+# Policy Lock Generator (Verdict Reproducibility)
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Generates deterministic policy lock files that pin the exact policy rules, versions, and evaluation parameters used to produce a verdict. Ensures verdicts can be reproduced identically by capturing the full policy context alongside the CGS hash.
+
+## Implementation Details
+- **PolicyLockGenerator**: `src/__Libraries/StellaOps.Verdict/PolicyLockGenerator.cs` -- implements `IPolicyLockGenerator`; `GenerateAsync(policyId)` creates `PolicyLock` with SchemaVersion "1.0", auto-generated PolicyVersion from ID + timestamp, rule hashes dict, EngineVersion "1.0.0"; `GenerateForVersionAsync(policyId, version)` pins specific version; `ValidateAsync(policyLock)` checks SchemaVersion, PolicyVersion, EngineVersion, non-empty RuleHashes, future timestamp detection (5min tolerance), hash format validation ("sha256:" + 64 hex chars); `ComputeRuleHash` uses SHA256 of canonical JSON `{definition, version}` with prefix "sha256:"; uses injected `TimeProvider` for deterministic timestamps
+- **IPolicyLockGenerator**: `src/__Libraries/StellaOps.Verdict/IPolicyLockGenerator.cs` -- interface: GenerateAsync, GenerateForVersionAsync, ValidateAsync
+- **PolicyLock**: record with SchemaVersion, PolicyVersion, RuleHashes (IReadOnlyDictionary<string, string>), EngineVersion, GeneratedAt
+- **PolicyLockValidation**: record with IsValid, ErrorMessage, MismatchedRules
+- **VerdictBuilderService**: `src/__Libraries/StellaOps.Verdict/VerdictBuilderService.cs` -- integrates with PolicyLockGenerator
+- **VerdictServiceCollectionExtensions**: `src/__Libraries/StellaOps.Verdict/VerdictServiceCollectionExtensions.cs` -- DI registration
+- **Source**: SPRINT_20251229_001_001_BE_cgs_infrastructure.md
+
+## E2E Test Plan
+- [ ] Verify GenerateAsync creates PolicyLock with non-empty RuleHashes dictionary
+- [ ] Test ComputeRuleHash produces deterministic SHA-256 hash in "sha256:{hex}" format
+- [ ] Verify ValidateAsync detects missing required fields (SchemaVersion, PolicyVersion, EngineVersion)
+- [ ] Test future timestamp detection (GeneratedAt > now + 5 minutes fails validation)
+- [ ] Verify ValidateAsync catches invalid hash format (non-hex, wrong length)
+- [ ] Test GenerateForVersionAsync pins exact version string in PolicyLock
+- [ ] Verify same policy input produces identical PolicyLock (deterministic)
+- [ ] Test TimeProvider injection enables deterministic timestamp generation in tests
--- a/docs/features/unchecked/libraries/provenance-cache-with-verikey-composite-hash.md
+++ b/docs/features/unchecked/libraries/provenance-cache-with-verikey-composite-hash.md
@@ -0,0 +1,31 @@
+# Provenance Cache (Provcache) with VeriKey Composite Hash
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Provenance Cache (Provcache) backend with VeriKey composite hash (source + SBOM + VEX + policy + signer + time window), DecisionDigest canonicalized evaluation output, Valkey read-through with Postgres write-behind, and Policy Engine integration for cache-accelerated decisions.
+
+## Implementation Details
+- **VeriKeyBuilder**: `src/__Libraries/StellaOps.Provcache/VeriKeyBuilder.cs` -- fluent builder for composite provenance identity key: `VeriKey = SHA256(source_hash || sbom_hash || vex_hash_set_hash || merge_policy_hash || signer_set_hash || time_window)`; multi-partial: `.Source.cs`, `.Sbom.cs`, `.Vex.cs`, `.Policy.cs`, `.Signer.cs`, `.TimeWindow.cs`, `.Hashing.cs`, `.Build.cs`; each component ensures cache invalidation when relevant inputs change
+- **DecisionDigestBuilder**: `src/__Libraries/StellaOps.Provcache/DecisionDigestBuilder.cs` -- builder for canonicalized evaluation output digest; multi-partial: `.VeriKey.cs`, `.Verdict.cs`, `.Proof.cs`, `.ReplaySeed.cs`, `.Timestamps.cs`, `.TrustScore.cs`, `.Hashing.cs`, `.Build.cs`; uses `ProvcacheOptions` and `TimeProvider` for deterministic computation
+- **ProvcacheService**: `src/__Libraries/StellaOps.Provcache/ProvcacheService.cs` -- multi-partial service: `.Get.cs` (lookup by VeriKey), `.GetOrCompute.cs` (read-through pattern), `.Set.cs` (store with TTL), `.Invalidate.cs`/`.InvalidateBy.cs` (targeted invalidation), `.Prune.cs` (expired entry cleanup), `.Metrics.cs` (telemetry), `.Tracking.cs` (usage tracking)
+- **WriteBehindQueue**: `src/__Libraries/StellaOps.Provcache/WriteBehindQueue.cs` -- multi-partial: `.Enqueue.cs`, `.Drain.cs`, `.Batch.cs`, `.Run.cs`, `.Metrics.cs`; `WriteBehindQueueHostedService` for background processing
+- **ValkeyProvcacheStore**: `src/__Libraries/StellaOps.Provcache.Valkey/ValkeyProvcacheStore.cs` -- Valkey-backed cache: `.Get.cs`, `.GetMany.cs`, `.GetOrSet.cs`, `.Set.cs`, `.SetMany.cs`, `.Invalidate.cs`, `.InvalidateByPattern.cs`
+- **PostgresProvcacheRepository**: `src/__Libraries/StellaOps.Provcache.Postgres/PostgresProvcacheRepository.cs` -- write-behind persistence: `.Read.cs`, `.Upsert.cs`, `.Delete.cs`, `.DeleteFeedExpired.cs`, `.DeletePolicySigner.cs`, `.Revocations.cs`, `.Metrics.cs`, `.Mapping.cs`
+- **ProvcacheOptions**: `src/__Libraries/StellaOps.Provcache/ProvcacheOptions.cs` -- multi-partial: `.Cache.cs`, `.Chunking.cs`, `.TimeWindow.cs`, `.Ttl.cs`, `.WriteBehind.cs`
+- **ProvcacheTelemetry**: `src/__Libraries/StellaOps.Provcache/ProvcacheTelemetry.cs` -- OpenTelemetry metrics: `.Counters.cs`, `.Gauges.cs`, `.Histograms.cs`, `.Metrics.Hits.cs`, `.Metrics.Invalidation.cs`, `.Metrics.Latency.cs`
+- **Source**: SPRINT_8200_0001_0001_provcache_core_backend.md
+
+## E2E Test Plan
+- [ ] Verify VeriKey computation is deterministic for same inputs (source, SBOM, VEX, policy, signer, time window)
+- [ ] Test VeriKey changes when any component hash changes (cache invalidation)
+- [ ] Verify DecisionDigest captures canonicalized evaluation output
+- [ ] Test read-through pattern: cache miss triggers computation and stores result
+- [ ] Verify Valkey store handles get/set/invalidate operations correctly
+- [ ] Test write-behind queue batches writes to Postgres
+- [ ] Verify time window bucketing enables controlled cache expiry
+- [ ] Test ProvcacheService.Prune removes expired entries
--- a/docs/features/unchecked/libraries/replay-manifest.md
+++ b/docs/features/unchecked/libraries/replay-manifest.md
@@ -0,0 +1,33 @@
+# Replay Manifest (Deterministic Replay)
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Complete replay manifest system with versioning, export, validation, CAS (content-addressed storage) integration, and reachability-specific replay writers. Enables deterministic re-computation of verdicts.
+
+## Implementation Details
+- **ReplayManifest**: `src/__Libraries/StellaOps.Replay.Core/ReplayManifest.cs` -- core manifest model with versioned schema
+- **ReplayManifestVersions**: `src/__Libraries/StellaOps.Replay.Core/ReplayManifestVersions.cs` -- version tracking and migration
+- **ReplayManifestExtensions**: `src/__Libraries/StellaOps.Replay.Core/ReplayManifestExtensions.cs` -- helper extensions
+- **ReplayManifestExporter**: `src/__Libraries/StellaOps.Replay.Core/ReplayManifestExporter.cs` -- multi-partial export pipeline: `.Export.cs` (main export flow), `.BuildInputs.cs` (input artifact refs), `.BuildOutputs.cs` (output artifact refs), `.BuildToolchain.cs` (tool version pinning), `.BuildVerification.cs` (verification metadata), `.Hashing.cs` (content-addressed hashing), `.Metadata.cs` (export metadata), `.Verify.cs` (post-export verification), `.Convert.cs` (format conversion)
+- **ReplayManifestWriter**: `src/__Libraries/StellaOps.Replay.Core/ReplayManifestWriter.cs` -- `.Manifest.cs` (manifest file writing)
+- **ReachabilityReplayWriter**: `src/__Libraries/StellaOps.Replay.Core/ReachabilityReplayWriter.cs` -- reachability-specific: `.Graphs.cs` (graph serialization), `.Hashing.cs` (graph digest), `.Traces.cs` (trace recording)
+- **StellaReplayBundleWriter**: `src/__Libraries/StellaOps.Replay.Core/StellaReplayBundleWriter.cs` -- multi-partial: `.Entries.cs`, `.Sections.Config.cs`, `.Sections.Content.cs`, `.Sections.Outputs.cs`, `.Sign.cs` (DSSE signing), `.Write.cs` (bundle writing)
+- **Export Models**: `src/__Libraries/StellaOps.Replay.Core/` -- ExportArtifactRef, ExportCiEnvironment, ExportFeedSnapshot, ExportFindingsSummary, ExportInputArtifacts, ExportOutputArtifacts, ExportPolicyBundle, ExportReachabilityInput, ExportSbomInput, ExportToolchainInfo, ExportVerificationInfo, ExportVexInput, ExportSnapshotInfo, ExportMetadataInfo
+- **Pinning Models**: `src/__Libraries/StellaOps.Replay.Core/` -- FeedVersion, KnowledgeSnapshot, LatticeConfig, PolicyBundleRef, RandomSeed, ReachSubgraphRef, SbomRef, TrustConfig, VexDocRef
+- **Tests**: `src/__Libraries/StellaOps.Replay.Core.Tests/`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify replay manifest captures all input hashes (feed, SBOM, VEX, policy, tool versions)
+- [ ] Test manifest export produces complete bundle with inputs, outputs, toolchain, verification sections
+- [ ] Verify ReachabilityReplayWriter serializes graphs with deterministic hashing
+- [ ] Test StellaReplayBundleWriter produces DSSE-signed bundles
+- [ ] Verify manifest versioning enables backward-compatible upgrades
+- [ ] Test export verification detects tampered bundles
+- [ ] Verify CAS references maintain content integrity across export/import
+- [ ] Test manifest round-trip: export -> import produces identical manifest
--- a/docs/features/unchecked/libraries/replayable-evidence-packs.md
+++ b/docs/features/unchecked/libraries/replayable-evidence-packs.md
@@ -0,0 +1,32 @@
+# Replayable evidence packs (time-stamped queryable bundles for audits)
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Replay executor with drift tracking, verdict attestation, and E2E tests implement time-travel replay of evidence bundles for audit use cases.
+
+## Implementation Details
+- **AuditPackBuilder**: `src/__Libraries/StellaOps.AuditPack/AuditPackBuilder.cs` -- multi-partial: `.Build.cs` (assemble audit pack), `.Collectors.cs` (evidence collectors), `.Digests.cs` (input digest computation), `.Export.cs` (export to archive), `.Files.cs` (file entry management)
+- **AuditBundleWriter**: `src/__Libraries/StellaOps.AuditPack/AuditBundleWriter.cs` -- multi-partial: `.Write.cs`, `.Entries.cs`, `.EntryHelpers.cs`, `.Manifest.cs`, `.Merkle.cs` (Merkle tree for bundle integrity), `.Digests.cs`, `.Signing.cs` (DSSE signing), `.Models.cs`
+- **AuditBundleReader**: `src/__Libraries/StellaOps.AuditPack/AuditBundleReader.cs` -- multi-partial: `.Read.cs`, `.Extract.cs`, `.ExtractionHandling.cs`, `.Hashing.cs`, `.InputDigests.cs`, `.Manifest.cs`, `.Merkle.cs`, `.Models.cs`, `.Paths.cs`, `.ReplayInputs.cs`, `.Signature.cs`, `.Verification.cs`
+- **ReplayExecutor**: `src/__Libraries/StellaOps.AuditPack/ReplayExecutor.cs` -- multi-partial: `.Execute.cs`, `.ExecuteInternal.cs`, `.Drift.cs`, `.DriftTracking.cs`, `.Hashing.cs`, `.JsonDiff.cs`/`.JsonDiff.Helpers.cs`, `.Policy.cs`; tracks drift between original and replayed evidence
+- **ReplayAttestationService**: `src/__Libraries/StellaOps.AuditPack/ReplayAttestationService.cs` -- multi-partial: `.Generate.cs`, `.Batch.cs`, `.DsseEnvelope.cs`, `.Hashing.cs`, `.Statement.cs` (in-toto statement), `.Verify.cs`
+- **IsolatedReplayContext**: `src/__Libraries/StellaOps.AuditPack/IsolatedReplayContext.cs` -- multi-partial: `.Initialize.cs`, `.ExtractInputs.cs`, `.Digests.cs`, `.Dispose.cs`, `.Paths.cs`; provides isolated environment for deterministic replay
+- **VerdictReplayPredicate**: `src/__Libraries/StellaOps.AuditPack/VerdictReplayPredicate.cs` -- multi-partial: `.Eligibility.cs`, `.Predict.cs`, `.Divergence.cs`, `.DivergenceHelpers.cs`
+- **AuditPackExportService**: `src/__Libraries/StellaOps.AuditPack/AuditPackExportService.cs` -- multi-partial: `.Json.cs`, `.Zip.cs`, `.ZipHelpers.cs`, `.Dsse.cs`, `.Repository.cs`
+- **Telemetry**: `src/__Libraries/StellaOps.AuditPack/ReplayTelemetry.cs` -- multi-partial: `.Activity.cs`, `.Attestation.cs`, `.Counters.cs`, `.Eligibility.cs`, `.Execution.cs`, `.Gauges.cs`, `.Histograms.cs`, `.Meter.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify AuditPackBuilder assembles complete evidence pack with all collectors
+- [ ] Test AuditBundleWriter produces signed bundle with Merkle tree integrity
+- [ ] Verify AuditBundleReader can extract and verify bundle contents
+- [ ] Test ReplayExecutor performs time-travel replay and tracks drift
+- [ ] Verify ReplayAttestationService generates DSSE-signed in-toto attestations
+- [ ] Test IsolatedReplayContext provides deterministic isolated replay environment
+- [ ] Verify VerdictReplayPredicate correctly predicts replay eligibility and divergence
+- [ ] Test AuditPackExportService exports to JSON and ZIP formats with DSSE signing
--- a/docs/features/unchecked/libraries/risk-scoring-rubric-with-gate-verdicts.md
+++ b/docs/features/unchecked/libraries/risk-scoring-rubric-with-gate-verdicts.md
@@ -0,0 +1,32 @@
+# Risk Scoring Rubric with Gate Verdicts (Routine/Review/Block)
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Complete gate evaluator with configurable rules, scoring rubric, EPSS/exploit maturity integration, VEX-aware scoring, and gate decisions (allow/warn/block). Gate configuration supports per-environment thresholds.
+
+## Implementation Details
+- **GateEvaluator**: `src/__Libraries/StellaOps.DeltaVerdict/GateEvaluator.cs` -- multi-partial implementation: `.Evaluate.cs` (main evaluation entry point), `.Rules.cs` (rule processing), `.ScoreRules.cs` (score-based rules), `.Epss.cs` (EPSS probability integration), `.EpssRules.cs` (EPSS-specific rule evaluation), `.ExploitRules.cs` (exploit maturity rules), `.Vex.cs` (VEX-aware scoring adjustments), `.Decisions.cs` (gate decision computation), `.Decisions.Block.cs` (block decision logic), `.Decisions.Warn.cs` (warn decision logic), `.Decisions.CustomRules.cs` (custom rule evaluation), `.Helpers.cs` (shared helpers), `.Batch.cs` (batch evaluation)
+- **IGateEvaluator**: `src/__Libraries/StellaOps.DeltaVerdict/IGateEvaluator.cs` -- interface for gate evaluation
+- **GateConfiguration**: `src/__Libraries/StellaOps.DeltaVerdict/GateConfiguration.cs` -- per-environment threshold configuration
+- **GateRule**: `src/__Libraries/StellaOps.DeltaVerdict/GateRule.cs` -- configurable rule model
+- **GateAction**: `src/__Libraries/StellaOps.DeltaVerdict/GateAction.cs` -- action enum (allow/warn/block)
+- **GateDecision**: `src/__Libraries/StellaOps.DeltaVerdict/GateDecision.cs` -- decision model with action, reason, matched rules
+- **Scoring Inputs**: `src/__Libraries/StellaOps.DeltaVerdict/` -- `CvssInput.cs`, `EpssInput.cs`, `ExploitMaturityInput.cs`, `PatchProofInput.cs`, `ReachabilityInputRecord.cs`, `VexInput.cs`
+- **Normalization**: `src/__Libraries/StellaOps.DeltaVerdict/DimensionNormalization.cs`, `NormalizationTrace.cs` -- scoring dimension normalization
+- **Adversarial Validation**: `src/__Libraries/StellaOps.DeltaVerdict/Validation/AdversarialInputValidator.cs` -- multi-partial: `.Validation.cs`, `.Reachability.cs`, `.Status.cs`, `.Vex.cs`, `.VexStatements.cs`, `.Helpers.cs` with `AdversarialValidationPolicy` for input validation
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify GateEvaluator produces correct gate decisions (allow/warn/block) based on CVSS scores
+- [ ] Test EPSS probability integration adjusts gate decisions for high-exploitation-probability CVEs
+- [ ] Verify exploit maturity rules escalate findings with known exploits
+- [ ] Test VEX-aware scoring: not_affected VEX downgrades severity
+- [ ] Verify per-environment gate configuration applies different thresholds
+- [ ] Test batch evaluation processes multiple findings consistently
+- [ ] Verify adversarial input validation detects manipulated scoring inputs
+- [ ] Test custom rule evaluation with user-defined gate rules
--- a/docs/features/unchecked/libraries/rpm-evr-version-comparison.md
+++ b/docs/features/unchecked/libraries/rpm-evr-version-comparison.md
@@ -0,0 +1,27 @@
+# RPM EVR Version Comparison
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+RPM Epoch:Version-Release parsing and rpmvercmp-equivalent comparison for RHEL/Fedora/SUSE packages. Implements `IVersionComparator` with `ComparatorType.RpmEvr`, including segment-based comparison with numeric-first ordering, alpha segment comparison, tilde pre-release semantics, and `CompareWithProof` generating human-readable proof lines.
+
+## Implementation Details
+- **RpmVersionComparer**: `src/__Libraries/StellaOps.VersionComparison/Comparers/RpmVersionComparer.cs` -- singleton (`Instance`); implements `IVersionComparator` with `ComparatorType.RpmEvr`; `Compare(left, right)` returns `VersionComparisonResult` with `ProofLines`; `CompareWithProof(left, right)` generates readable proof; internal methods: `ParseEvr(version)` parses `epoch:version-release` format, `CompareRpmVersion(a, b)` applies rpmvercmp algorithm, `SkipToNextSegment(s, ref pos)` advances past separators, `CompareNumericSegment(a, b, ref posA, ref posB)` compares digit runs (longer numeric wins, then lexicographic), `CompareAlphaSegment(a, b, ref posA, ref posB)` compares alpha character runs
+- **IVersionComparator**: `src/__Libraries/StellaOps.VersionComparison/IVersionComparator.cs` -- interface defining `ComparatorType` property, `Compare(left, right)` returning `VersionComparisonResult`, `CompareWithProof(left, right)` returning proof lines
+- **ComparatorType**: `src/__Libraries/StellaOps.VersionComparison/IVersionComparator.cs` -- enum: `RpmEvr`, `Dpkg`, `Apk`, `SemVer`
+- **VersionComparisonResult**: `src/__Libraries/StellaOps.VersionComparison/IVersionComparator.cs` -- record with `Comparison` (int), `ProofLines` (IReadOnlyList<string>), `Comparator` (ComparatorType)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify RpmVersionComparer correctly parses epoch:version-release format
+- [ ] Test rpmvercmp numeric segment comparison (longer digit run wins)
+- [ ] Verify alpha segment comparison follows RPM ordering rules
+- [ ] Test tilde pre-release semantics (tilde sorts before everything including empty)
+- [ ] Verify epoch comparison takes priority over version and release
+- [ ] Test CompareWithProof generates human-readable proof lines for each comparison step
+- [ ] Verify singleton pattern (RpmVersionComparer.Instance returns same reference)
+- [ ] Test edge cases: missing epoch (defaults to 0), missing release, empty segments
--- a/docs/features/unchecked/libraries/runtime-purity-enforcement.md
+++ b/docs/features/unchecked/libraries/runtime-purity-enforcement.md
@@ -0,0 +1,31 @@
+# Runtime Purity Enforcement
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Runtime purity enforcement beyond static analysis, ensuring deterministic evaluation by blocking ambient state access (system clock, network, filesystem, environment variables) during pure computation phases. Provides `PureEvaluationContext` with prohibited accessors that throw `AmbientAccessViolationException`, and injected replacements for deterministic test and evaluation scenarios.
+
+## Implementation Details
+- **PureEvaluationContext**: `src/__Libraries/StellaOps.Resolver/Purity/RuntimePurity.cs` -- `CreateStrict()` returns context with all prohibited accessors (no time, no network, no filesystem, no environment); `Create(injectedNow, envVars)` returns context with injected deterministic providers for time and environment; holds `TimeProvider`, `INetworkAccessor`, `IFileSystemAccessor`, `IEnvironmentAccessor` properties
+- **AmbientAccessViolationException**: `src/__Libraries/StellaOps.Resolver/Purity/RuntimePurity.cs` -- thrown by prohibited accessors when ambient state access is attempted during pure evaluation; carries `AccessType` string describing which ambient access was blocked
+- **ProhibitedTimeProvider**: `src/__Libraries/StellaOps.Resolver/Purity/RuntimePurity.cs` -- `TimeProvider` subclass; `GetUtcNow()` and `GetLocalNow()` throw `AmbientAccessViolationException("TimeProvider")`
+- **ProhibitedNetworkAccessor**: `src/__Libraries/StellaOps.Resolver/Purity/RuntimePurity.cs` -- `INetworkAccessor` implementation; all methods throw `AmbientAccessViolationException("NetworkAccessor")`
+- **ProhibitedFileSystemAccessor**: `src/__Libraries/StellaOps.Resolver/Purity/RuntimePurity.cs` -- `IFileSystemAccessor` implementation; all methods throw `AmbientAccessViolationException("FileSystemAccessor")`
+- **ProhibitedEnvironmentAccessor**: `src/__Libraries/StellaOps.Resolver/Purity/RuntimePurity.cs` -- `IEnvironmentAccessor` implementation; `GetEnvironmentVariable(name)` throws `AmbientAccessViolationException("EnvironmentAccessor")`
+- **InjectedTimeProvider**: `src/__Libraries/StellaOps.Resolver/Purity/RuntimePurity.cs` -- `TimeProvider` subclass; `GetUtcNow()` returns fixed `DateTimeOffset` set at construction; deterministic time for evaluation
+- **InjectedEnvironmentAccessor**: `src/__Libraries/StellaOps.Resolver/Purity/RuntimePurity.cs` -- `IEnvironmentAccessor` implementation; returns values from injected `IReadOnlyDictionary<string, string>` instead of real environment
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify PureEvaluationContext.CreateStrict() blocks time access with AmbientAccessViolationException
+- [ ] Test ProhibitedNetworkAccessor throws on any network access during pure evaluation
+- [ ] Verify ProhibitedFileSystemAccessor throws on file read/write during pure evaluation
+- [ ] Test ProhibitedEnvironmentAccessor throws on environment variable access
+- [ ] Verify PureEvaluationContext.Create(injectedNow, envVars) allows deterministic time access
+- [ ] Test InjectedTimeProvider returns fixed time value consistently
+- [ ] Verify InjectedEnvironmentAccessor returns injected values, not real environment
+- [ ] Test DeterministicResolver uses PureEvaluationContext for its EvaluatePure phase
--- a/docs/features/unchecked/libraries/shared-testkit-library-with-deterministic-infrastructure.md
+++ b/docs/features/unchecked/libraries/shared-testkit-library-with-deterministic-infrastructure.md
@@ -0,0 +1,37 @@
+# Shared TestKit Library with Deterministic Infrastructure
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Comprehensive shared test kit with standardized test categories (Unit, Integration, Property, Snapshot, Contract, Security, Performance, Live, Architecture, Golden, Benchmark, AirGap, Chaos, Determinism, Resilience, Observability), blast-radius annotations for operational surfaces, deterministic helpers (DeterministicTime, DeterministicRandom), fixture support (PostgresFixture, ValkeyFixture, HttpFixtureServer, WebServiceFixture), assertion utilities (CanonicalJsonAssert, SnapshotAssert, EvidenceChainAssert, LogContractAssert, MetricsContractAssert, OTelContractAssert), and stability/incident testing infrastructure.
+
+## Implementation Details
+- **TestCategories**: `src/__Libraries/StellaOps.TestKit/TestCategories.cs` -- static class with 20+ category constants: `Unit`, `Property`, `Snapshot`, `Integration`, `Contract`, `Security`, `Performance`, `Live`, `Architecture`, `Golden`, `Benchmark`, `AirGap`, `Chaos`, `Determinism`, `Resilience`, `Observability`, `StorageConcurrency`, `StorageIdempotency`, `QueryDeterminism`, `StorageMigration`, `SchemaEvolution`, `ConfigDiff`, `HLC`, `Federation`, `Latency`, `Immutability`, `Parity`, `PostIncident`, `EvidenceChain`, `Longevity`, `Interop`, `EnvironmentSkew`; nested `BlastRadius` class with `Auth`, `Scanning`, `Evidence`, `Compliance`, `Advisories`, `RiskPolicy`, `Crypto`, `Integrations`, `Persistence`, `Api`
+- **DeterministicTime**: `src/__Libraries/StellaOps.TestKit/Deterministic/DeterministicTime.cs` -- sealed class implementing `IDisposable`; constructor takes UTC `DateTime`; `UtcNow` property returns fixed time (thread-safe with lock); `Advance(TimeSpan)` moves time forward/backward; `SetTo(DateTime)` sets to specific time; `Reset(DateTime)` resets to new start
+- **DeterministicRandom**: `src/__Libraries/StellaOps.TestKit/Deterministic/DeterministicRandom.cs` -- deterministic random number generator for reproducible test scenarios
+- **Assertions**: `src/__Libraries/StellaOps.TestKit/CanonicalJsonAssert.cs` (canonical JSON equality), `SnapshotAssert.cs` (golden snapshot comparison), `EvidenceChainAssert.cs` (evidence chain verification), `LogContractAssert.cs` (structured log contract assertions), `MetricsContractAssert.cs` (metrics contract verification), `OTelContractAssert.cs` (OpenTelemetry contract assertions)
+- **Fixtures**: `src/__Libraries/StellaOps.TestKit/PostgresFixture.cs` (Testcontainers PostgreSQL), `ValkeyFixture.cs` (Testcontainers Valkey/Redis), `HttpFixtureServer.cs` (HTTP test server), `WebServiceFixture.cs` (web service test fixture), `ConnectorHttpFixture.cs` (connector HTTP fixture)
+- **Stability**: `src/__Libraries/StellaOps.TestKit/StabilityMetrics.cs` and `StabilityTestRunner.cs` -- stability measurement and runner
+- **Blast Radius**: `src/__Libraries/StellaOps.TestKit/BlastRadiusTestRunner.cs` and `BlastRadiusValidator.cs` -- targeted blast-radius test execution
+- **Incident Testing**: `src/__Libraries/StellaOps.TestKit/IncidentMetadata.cs` and `IncidentTestGenerator.cs` -- post-incident regression test generation
+- **Schema/Version Compatibility**: `src/__Libraries/StellaOps.TestKit/SchemaVersionMatrix.cs` and `VersionCompatibilityFixture.cs` -- multi-version schema testing
+- **Storage Testing**: `src/__Libraries/StellaOps.TestKit/CacheIdempotencyTests.cs`, `QueryDeterminismTests.cs`, `StorageConcurrencyTests.cs`, `StorageIdempotencyTests.cs` -- reusable storage test bases
+- **Connector Testing**: `src/__Libraries/StellaOps.TestKit/ConnectorTestBase.cs`, `ConnectorLiveSchemaTestBase.cs`, `ConnectorResilienceTestBase.cs`, `ConnectorSecurityTestBase.cs` -- connector integration test bases
+- **Observability**: `src/__Libraries/StellaOps.TestKit/OtelCapture.cs` -- OpenTelemetry capture for test assertions
+- **Skew Testing**: `src/__Libraries/StellaOps.TestKit/SkewTestRunner.cs`, `EnvironmentProfile.cs` -- environment skew simulation
+- **Intent Tracking**: `src/__Libraries/StellaOps.TestKit/IntentAttribute.cs`, `TestIntents.cs`, `IntentCoverageReport.cs`, `RequirementAttribute.cs` -- requirement-to-test traceability
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify TestCategories constants enable filtering via `dotnet test --filter "Category=Unit"`
+- [ ] Test DeterministicTime provides fixed UTC time and supports Advance/SetTo/Reset
+- [ ] Verify DeterministicRandom produces reproducible sequences from same seed
+- [ ] Test PostgresFixture creates and manages Testcontainers PostgreSQL instances
+- [ ] Verify ValkeyFixture creates and manages Testcontainers Valkey instances
+- [ ] Test CanonicalJsonAssert correctly compares JSON with key-order independence
+- [ ] Verify SnapshotAssert detects golden snapshot deviations
+- [ ] Test BlastRadiusTestRunner filters and runs tests by blast-radius annotation
--- a/docs/features/unchecked/libraries/stellaverdict-unified-artifact-with-json-ld-context.md
+++ b/docs/features/unchecked/libraries/stellaverdict-unified-artifact-with-json-ld-context.md
@@ -0,0 +1,27 @@
+# StellaVerdict Unified Artifact with JSON-LD Context
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Consolidates multiple verdict-related artifacts (score, evidence, attestation, policy trace) into a single unified StellaVerdict schema with JSON-LD context. Includes VerdictAssemblyService for composing verdicts from PolicyVerdict + ProofBundle + KnowledgeInputs, content-addressable verdictId (`urn:stella:verdict:sha256:...`), and comprehensive sub-models for subjects, claims, inputs, evidence graphs, policy paths, results, provenance, and signatures.
+
+## Implementation Details
+- **StellaVerdict**: `src/__Libraries/StellaOps.Verdict/Schema/StellaVerdict.cs` -- sealed record with JSON-LD `@context` ("https://stella-ops.org/schema/verdict/v1") and `@type` ("StellaVerdict"); `VerdictId` (`urn:stella:verdict:sha256:...`), `SchemaVersion` ("1.0"), `VerdictVersion` (int); nested records: `VerdictSubject` (NodeId, Purl, ImageRef, Digest, Environment), `VerdictClaim` (VerdictStatus enum: Pass/Fail/Warn/Error/Unknown, Confidence 0-1, Summary, Details), `VerdictInputs` (Advisories, VexStatements, CvssScores, EpssScores, KevEntries, ReachabilityResults, PolicyRules, SbomComponents), `VerdictEvidenceGraph` (RootId, Nodes list, Edges list), `VerdictPolicyStep` (RuleId, RuleName, Input, Output, Decision enum: Allow/Block/Warn/Skip), `VerdictResult` (Verdict, PolicyPath list, Timestamp, Expiry, Deterministic bool), `VerdictProvenance` (GeneratorId, GeneratorVersion, BuildId, SourceCommit, Environment, GeneratedAt), `VerdictSignature` (Algorithm, KeyId, Value, Certificate, Timestamp)
+- **VerdictAssemblyService**: `src/__Libraries/StellaOps.Verdict/Services/VerdictAssemblyService.cs` -- implements `IVerdictAssemblyService`; `AssembleVerdict(context)` orchestrates composition via: `BuildSubject(context)`, `BuildClaim(context)`, `BuildInputs(context)`, `BuildEvidenceGraph(context)`, `BuildPolicyPath(context)`, `BuildResult(context)`, `BuildProvenance(context)`; takes `VerdictAssemblyContext` with `PolicyVerdict`, `ProofBundle`, `KnowledgeInputs` (`VerdictKnowledgeInputs` record with advisory/VEX/CVSS/EPSS/KEV/reachability/policy/SBOM data); generates content-addressed `VerdictId` via SHA-256 of canonical JSON
+- **IVerdictAssemblyService**: `src/__Libraries/StellaOps.Verdict/Services/VerdictAssemblyService.cs` -- interface: `AssembleVerdict(VerdictAssemblyContext)` returns `StellaVerdict`
+- **VerdictAssemblyContext**: `src/__Libraries/StellaOps.Verdict/Services/VerdictAssemblyService.cs` -- record with `PolicyVerdict`, `ProofBundle`, `KnowledgeInputs` (`VerdictKnowledgeInputs`)
+- **Source**: SPRINT_1227_0014_0001_BE_stellaverdict_consolidation.md
+
+## E2E Test Plan
+- [ ] Verify StellaVerdict includes JSON-LD @context and @type fields
+- [ ] Test VerdictId is content-addressed (same inputs produce same urn:stella:verdict:sha256:...)
+- [ ] Verify VerdictAssemblyService composes verdict from PolicyVerdict + ProofBundle + KnowledgeInputs
+- [ ] Test VerdictClaim.VerdictStatus enum covers Pass/Fail/Warn/Error/Unknown
+- [ ] Verify VerdictInputs captures all knowledge sources (advisories, VEX, CVSS, EPSS, KEV, reachability)
+- [ ] Test VerdictEvidenceGraph contains linked nodes and edges
+- [ ] Verify VerdictPolicyStep records policy evaluation path with decisions
+- [ ] Test VerdictProvenance captures generator, build, and source commit information
--- a/docs/features/unchecked/libraries/triage-quality-kpi-collector-infrastructure.md
+++ b/docs/features/unchecked/libraries/triage-quality-kpi-collector-infrastructure.md
@@ -0,0 +1,29 @@
+# Triage Quality KPI Collector Infrastructure
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+KpiCollector service for collecting triage quality metrics (false-positive rate, reachability coverage, explainability score, etc.) with multi-domain KPI collection. Measures quality outcomes across reachability, runtime, explainability, replay, unknown budgets, and operational dimensions. Distinct from existing TTE/TTFS metrics which measure timing; this measures triage quality outcomes.
+
+## Implementation Details
+- **KpiCollector**: `src/__Libraries/StellaOps.Metrics/Kpi/KpiCollector.cs` -- implements `IKpiCollector`; `CollectAsync()` orchestrates collection across all KPI domains: reachability KPIs (coverage %, false-positive rate, graph completeness), runtime KPIs (observation count, runtime coverage, staleness), explainability KPIs (score distribution, citation coverage, explanation completeness), replay KPIs (eligibility rate, success rate, determinism score), unknown budget KPIs (budget utilization, exception count, drift rate), operational KPIs (scan latency, throughput, error rate)
+- **IKpiCollector**: `src/__Libraries/StellaOps.Metrics/Kpi/KpiCollector.cs` -- interface: `CollectAsync()`, `RecordReachabilityResultAsync(result)`, `RecordRuntimeObservationAsync(observation)`, `RecordVerdictAsync(verdict)`, `RecordReplayAttemptAsync(attempt)`
+- **RecordReachabilityResultAsync**: records reachability analysis outcomes for coverage tracking
+- **RecordRuntimeObservationAsync**: records runtime observation data for runtime KPI computation
+- **RecordVerdictAsync**: records verdict outcomes for quality KPI computation
+- **RecordReplayAttemptAsync**: records replay attempt results for replay success/eligibility metrics
+- **Source**: SPRINT_7000_0005_0001_quality_kpis_tracking.md
+
+## E2E Test Plan
+- [ ] Verify KpiCollector.CollectAsync aggregates KPIs across all domains
+- [ ] Test reachability KPIs: coverage percentage, false-positive rate, graph completeness
+- [ ] Verify runtime KPIs: observation count, runtime coverage, staleness detection
+- [ ] Test explainability KPIs: score distribution, citation coverage, explanation completeness
+- [ ] Verify replay KPIs: eligibility rate, success rate, determinism score
+- [ ] Test unknown budget KPIs: budget utilization, exception count, drift rate
+- [ ] Verify RecordReachabilityResultAsync/RecordVerdictAsync accumulate data for collection
+- [ ] Test operational KPIs: scan latency, throughput, error rate
--- a/docs/features/unchecked/libraries/unified-deterministic-resolver.md
+++ b/docs/features/unchecked/libraries/unified-deterministic-resolver.md
@@ -0,0 +1,27 @@
+# Unified Deterministic Resolver (DeterministicResolver)
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Full deterministic resolver with 4-phase resolution (validate, order, evaluate, digest), immutable evidence graph with content-addressed GraphDigest, Tarjan's SCC cycle detection, implicit data detection, and integration with trust lattice engine. Guarantees pure evaluation with no IO in the compute phase.
+
+## Implementation Details
+- **DeterministicResolver**: `src/__Libraries/StellaOps.Resolver/DeterministicResolver.cs` -- `ResolveAsync(graph, evaluator, context)` orchestrates 4-phase resolution: Phase 1 `Validate(graph)` runs cycle detection and implicit data detection; Phase 2 `OrderNodes(graph)` produces deterministic topological ordering; Phase 3 `EvaluatePure(orderedNodes, evaluator, context)` evaluates each node with predecessor verdicts (no IO); Phase 4 computes final resolution digest from all node verdicts; uses `PureEvaluationContext` to enforce runtime purity
+- **EvidenceGraph**: `src/__Libraries/StellaOps.Resolver/EvidenceGraph.cs` -- immutable record with sorted `Nodes` (IReadOnlyList<EvidenceNode>) and `Edges` (IReadOnlyList<EvidenceEdge>); `GraphDigest` (content-addressed via `CanonicalJsonSerializer.SerializeWithDigest`); `AddNode(node)` and `AddEdge(edge)` return new immutable instances; nodes and edges sorted for deterministic digest
+- **GraphValidation**: `src/__Libraries/StellaOps.Resolver/GraphValidation.cs` -- `DefaultGraphValidator` combining `TarjanCycleDetector` (Tarjan's SCC algorithm with `IsCycleCut` edge exclusion) and `DefaultImplicitDataDetector` (detects dangling edges, duplicate IDs); `TarjanCycleDetector` uses index/lowlink tracking, stack-based DFS, reports strongly connected components with >1 node as cycles
+- **RuntimePurity**: `src/__Libraries/StellaOps.Resolver/Purity/RuntimePurity.cs` -- `PureEvaluationContext` with `CreateStrict()` (all prohibited accessors) and `Create(injectedNow, envVars)` (deterministic providers); `ProhibitedTimeProvider`, `ProhibitedNetworkAccessor`, `ProhibitedFileSystemAccessor`, `ProhibitedEnvironmentAccessor` all throw `AmbientAccessViolationException`; `InjectedTimeProvider` and `InjectedEnvironmentAccessor` for deterministic evaluation
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify DeterministicResolver.ResolveAsync produces deterministic results for same graph
+- [ ] Test Phase 1: Validate detects cycles via Tarjan's SCC and reports them
+- [ ] Verify Phase 2: OrderNodes produces stable topological ordering
+- [ ] Test Phase 3: EvaluatePure runs without IO access (PureEvaluationContext enforced)
+- [ ] Verify Phase 4: final resolution digest is content-addressed and deterministic
+- [ ] Test EvidenceGraph is immutable (AddNode/AddEdge return new instances)
+- [ ] Verify GraphDigest changes when any node or edge changes
+- [ ] Test DefaultImplicitDataDetector catches dangling edges and duplicate node IDs
--- a/docs/features/unchecked/libraries/unified-ievidence-interface-with-cross-module-adapters.md
+++ b/docs/features/unchecked/libraries/unified-ievidence-interface-with-cross-module-adapters.md
@@ -0,0 +1,37 @@
+# Unified IEvidence Interface with Cross-Module Adapters
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+Defines a unified IEvidence interface (SubjectNodeId, EvidenceType, EvidenceId, Payload, Signatures, Provenance) with EvidenceRecord implementation (content-addressed ID via SHA-256 of canonical JSON) and cross-module adapters (EvidenceBundleAdapter, EvidenceStatementAdapter, ProofSegmentAdapter, ExceptionApplicationAdapter). Enables "get evidence for node X" queries across all modules through IEvidenceStore.
+
+## Implementation Details
+- **IEvidence**: `src/__Libraries/StellaOps.Evidence.Core/IEvidence.cs` -- interface: `SubjectNodeId` (string, content-addressed subject identifier), `EvidenceType` (EvidenceType enum), `EvidenceId` (string, content-addressed sha256:...), `Payload` (ReadOnlyMemory<byte>), `Signatures` (IReadOnlyList<EvidenceSignature>), `Provenance` (EvidenceProvenance), `ExternalPayloadCid` (optional CID for external storage), `PayloadSchemaVersion` (string)
+- **EvidenceRecord**: `src/__Libraries/StellaOps.Evidence.Core/EvidenceRecord.cs` -- sealed record implementing `IEvidence`; `Create(subjectNodeId, type, payload, generatorId, generatorVersion, generatedAt)` factory method; `ComputeEvidenceId()` computes SHA-256 of canonical JSON `{SubjectNodeId, EvidenceType, PayloadBase64, GeneratorId, GeneratorVersion, GeneratedAt}` -> `sha256:...` format; `VerifyIntegrity()` recomputes and compares ID
+- **EvidenceType**: `src/__Libraries/StellaOps.Evidence.Core/EvidenceType.cs` -- enum of evidence types
+- **EvidenceSignature**: `src/__Libraries/StellaOps.Evidence.Core/EvidenceSignature.cs` -- signature model with `SignerType`
+- **EvidenceProvenance**: `src/__Libraries/StellaOps.Evidence.Core/EvidenceProvenance.cs` -- provenance model (generator, version, timestamp)
+- **IEvidenceStore**: `src/__Libraries/StellaOps.Evidence.Core/IEvidenceStore.cs` -- storage interface: `StoreAsync(evidence)`, `StoreBatchAsync(records)`, `GetByIdAsync(evidenceId)`, `GetBySubjectAsync(subjectNodeId, typeFilter?)`, `GetByTypeAsync(evidenceType, limit)`, `ExistsAsync(subjectNodeId, type)`, `DeleteAsync(evidenceId)`, `CountBySubjectAsync(subjectNodeId)`; idempotent storage (duplicate IDs are no-ops)
+- **InMemoryEvidenceStore**: `src/__Libraries/StellaOps.Evidence.Core/InMemoryEvidenceStore.cs` -- multi-partial: `.Store.cs`, `.Lookup.cs`, `.Delete.cs`, `.Subject.cs`; in-memory implementation for testing
+- **Cross-Module Adapters** (`src/__Libraries/StellaOps.Evidence.Core/Adapters/`):
+  - **EvidenceBundleAdapter**: `.cs`, `.BinaryDiff.cs`, `.CallStack.cs`, `.Diff.cs`, `.GraphRevision.cs`, `.Provenance.cs`, `.Reachability.cs`, `.VexStatus.cs` -- adapts evidence bundles to IEvidence
+  - **EvidenceStatementAdapter**: `.cs`, `.Payload.cs` -- adapts in-toto statements to IEvidence; `EvidenceStatementInput` for input binding
+  - **ProofSegmentAdapter**: `.cs`, `.Payload.cs` -- adapts proof chain segments to IEvidence; `ProofSegmentInput` for input binding
+  - **ExceptionApplicationAdapter**: `.cs` -- adapts exception/override decisions to IEvidence
+  - **IEvidenceAdapter**: `.cs` -- adapter interface contract
+  - **EvidenceAdapterBase**: `.cs` -- base class for all adapters
+- **Source**: SPRINT_8100_0012_0002_unified_evidence_model.md
+
+## E2E Test Plan
+- [ ] Verify EvidenceRecord.Create produces content-addressed EvidenceId (sha256:...)
+- [ ] Test EvidenceRecord.VerifyIntegrity detects tampered records
+- [ ] Verify IEvidenceStore.GetBySubjectAsync returns all evidence for a given subject node
+- [ ] Test IEvidenceStore.StoreAsync is idempotent (duplicate EvidenceIds are no-ops)
+- [ ] Verify EvidenceBundleAdapter correctly adapts bundle types (BinaryDiff, Reachability, VexStatus, etc.)
+- [ ] Test EvidenceStatementAdapter converts in-toto statements to IEvidence format
+- [ ] Verify ProofSegmentAdapter converts proof chain segments to IEvidence format
+- [ ] Test cross-module query: evidence from different adapters can be queried uniformly via GetBySubjectAsync
--- a/docs/features/unchecked/libraries/verdict-bundle-builder.md
+++ b/docs/features/unchecked/libraries/verdict-bundle-builder.md
@@ -0,0 +1,31 @@
+# Verdict Bundle Builder (Scoring + Signing + Rekor Anchoring)
+
+## Module
+__Libraries
+
+## Status
+IMPLEMENTED
+
+## Description
+End-to-end verdict bundle pipeline: scoring from EWS (Evidence-Weighted Score) results, input extraction, normalization tracing, gate evaluation, content-addressed bundle digest, DSSE signing, and Rekor transparency log anchoring with inclusion proof verification. Integrates scoring manifest versioning, VEX-aware overrides, and per-environment gate configuration.
+
+## Implementation Details
+- **VerdictBundleBuilder**: `src/__Libraries/StellaOps.DeltaVerdict/Bundles/VerdictBundleBuilder.cs` -- implements `IVerdictBundleBuilder`; constructor takes `IGateEvaluator`, `TimeProvider`, `IScoringManifestProvider`; `Build(ewsResult, input, policy, gateConfig)` orchestrates: `ExtractInputs` (from EWS input), `CreateNormalizationTrace` (from EWS result), `GetManifestRef` (scoring manifest reference), `CalculateRawScore`, `GetVerdictOverride` (VEX overrides), gate evaluation via `IGateEvaluator.Evaluate`, `ComputeBundleDigest` (SHA-256 of canonical JSON); multi-partial: `.Score.cs` (score calculation), `.Normalization.cs` (normalization trace), `.Digest.cs` (content-addressed digest), `.Extract.cs` (input extraction), `.Manifest.cs` (manifest binding), `.Override.cs` (VEX override), `.Projections.cs`/`.Projections.Details.cs` (result projections)
+- **IVerdictBundleBuilder**: `src/__Libraries/StellaOps.DeltaVerdict/Bundles/IVerdictBundleBuilder.cs` -- interface: `Build(ewsResult, input, policy, gateConfig)` and `Build(ewsResult, input, policy)` (default gate config)
+- **VerdictBundle**: `src/__Libraries/StellaOps.DeltaVerdict/Bundles/VerdictBundle.cs` -- sealed partial record: `BundleId` (content-addressed sha256:...), `SchemaVersion`, `FindingId` (CVE@PURL), `ManifestRef` (ScoringManifestRef), `Inputs` (VerdictInputs), `Normalization` (NormalizationTrace), `RawScore` (double), `FinalScore` (double, clamped 0-1), `Override` (VerdictOverride?), `Gate` (GateDecision), `ComputedAt` (DateTimeOffset), `BundleDigest` (SHA-256), `DsseSignature` (DSSE envelope); multi-partial: `.Rekor.cs` (Rekor anchoring fields)
+- **VerdictSigningService**: `src/__Libraries/StellaOps.DeltaVerdict/Bundles/VerdictSigningService.cs` -- multi-partial: `.Sign.cs` (DSSE signing), `.Verify.cs` (signature verification), `.Canonical.cs` (canonical JSON for signing), `.Envelope.cs` (DSSE envelope construction), `.Projections.cs`/`.Projections.Extensions.cs` (projection helpers)
+- **VerdictRekorAnchorService**: `src/__Libraries/StellaOps.DeltaVerdict/Bundles/VerdictRekorAnchorService.cs` -- multi-partial: `.Anchor.cs` (submit to Rekor), `.Verify.cs` (verify anchoring), `.InclusionProof.cs` (Merkle inclusion proof verification), `.Helpers.cs`; `VerdictAnchorResult`, `VerdictAnchorVerificationResult`
+- **Scoring Manifest**: `src/__Libraries/StellaOps.DeltaVerdict/Manifest/ScoringManifest.cs` -- manifest model with `ScoringWeights`, `ScoringNormalizers`; `ScoringManifestVersioner` multi-partial: `.Bump.cs`, `.Compare.cs`/`.Compare.Helpers.cs`, `.Versioning.cs` for semantic versioning of manifest changes
+- **Delta Computation**: `src/__Libraries/StellaOps.DeltaVerdict/Engine/DeltaComputationEngine.cs` -- multi-partial: `.Components.cs`, `.ChangedComponents.cs`, `.Vulnerabilities.cs`, `.Risk.cs`; `IDeltaComputationEngine` interface
+- **Signing Infrastructure**: `src/__Libraries/StellaOps.DeltaVerdict/Signing/` -- `DeltaSigningService`, `ScoringManifestSigningService`, `ScoringManifestRekorAnchorService` with full DSSE envelope, Rekor submission, and verification
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify VerdictBundleBuilder.Build produces content-addressed BundleId (sha256:...)
+- [ ] Test BundleDigest is deterministic for same EWS result and policy inputs
+- [ ] Verify gate evaluation integrates with GateEvaluator for allow/warn/block decisions
+- [ ] Test VerdictSigningService produces valid DSSE signatures on verdict bundles
+- [ ] Verify VerdictRekorAnchorService submits to Rekor and retrieves inclusion proof
+- [ ] Test Rekor inclusion proof verification detects tampered entries
+- [ ] Verify ScoringManifestVersioner bumps versions correctly for manifest changes
+- [ ] Test VEX override correctly modifies final score when not_affected VEX status applies