semi implemented and features implemented save checkpoint

docs/features/unchecked/replay/replay-infrastructure.md

@@ -0,0 +1,28 @@
+# Replay Infrastructure (Manifest, Determinism Verifier, Verdict Engine, Drift Detection)
+
+## Module
+Replay
+
+## Status
+IMPLEMENTED
+
+## Description
+Full replay infrastructure: DeterminismVerifier re-hydrates exact inputs from manifest and verifies bit-for-bit verdict reproduction. Run manifest model capturing pipeline state (feeds, rules, versions). DeterministicResolver with feed snapshots, bundle export, and web service. Verdict replay with divergence detection and input drift testing.
+
+## Implementation Details
+- **Determinism Verifier**: `src/Replay/__Libraries/StellaOps.Replay.Core/DeterminismVerifier.cs` -- re-hydrates exact inputs from a run manifest and verifies bit-for-bit verdict reproduction; reports divergences between original and replayed verdicts.
+- **Input Manifest Resolver**: `src/Replay/__Libraries/StellaOps.Replay.Core/InputManifestResolver.cs` -- resolves and snapshots all inputs (feed versions, policy rules, SBOM state) needed to reproduce a verdict, creating a self-contained input manifest.
+- **Replay Executor**: `src/Replay/__Libraries/StellaOps.Replay.Core/ReplayExecutor.cs` -- orchestrates verdict replay by loading the input manifest, executing the policy evaluation pipeline, and comparing outputs against the original verdict.
+- **Replay Job Queue**: `src/Replay/__Libraries/StellaOps.Replay.Core/ReplayJobQueue.cs` -- background job queue for scheduling and processing replay verification requests.
+- **Policy Simulation Input Lock**: `src/Replay/__Libraries/StellaOps.Replay.Core/PolicySimulationInputLock.cs` -- locks input state during replay to prevent concurrent modifications from affecting determinism verification.
+- **Verdict Replay Endpoints**: `src/Replay/StellaOps.Replay.WebService/VerdictReplayEndpoints.cs` -- REST endpoints for submitting replay requests and querying replay results.
+- **Web Service Entry Point**: `src/Replay/StellaOps.Replay.WebService/Program.cs` -- ASP.NET Core web service hosting replay endpoints.
+- **Tests**: `src/Replay/__Tests/StellaOps.Replay.Core.Tests/Unit/DeterminismVerifierTests.cs`, `Unit/InputManifestResolverTests.cs`, `VerdictReplayIntegrationTests.cs`, `VerdictReplayEndpointsTests.cs`, `PolicySimulationInputLockValidatorTests.cs`
+
+## E2E Test Plan
+- [ ] Submit a verdict for replay via the REST endpoint and verify `DeterminismVerifier` produces a bit-for-bit identical verdict when given the same input manifest
+- [ ] Modify a policy rule between the original verdict and the replay and verify the verifier detects the divergence and reports the specific rule that changed
+- [ ] Verify input manifest completeness: resolve a manifest for a verdict, then replay using only the manifest contents (no external lookups) and confirm successful reproduction
+- [ ] Verify input lock: start a replay and concurrently attempt to modify the locked inputs; confirm the modification is blocked until the replay completes
+- [ ] Submit multiple replay requests to the job queue and verify they execute in order with correct results
+- [ ] Verify drift detection: replay a verdict with a different feed snapshot version and confirm the verifier reports input drift

docs/features/unchecked/replay/replay-recording-and-verification-service.md

@@ -0,0 +1,26 @@
+# Replay Recording and Verification Service
+
+## Module
+Replay
+
+## Status
+IMPLEMENTED
+
+## Description
+Dedicated replay service that records verdict inputs/outputs and provides endpoints to replay and verify deterministic verdict execution, ensuring reproducibility of security decisions.
+
+## Implementation Details
+- **Verdict Replay Endpoints**: `src/Replay/StellaOps.Replay.WebService/VerdictReplayEndpoints.cs` -- REST API endpoints for recording verdict executions, submitting replay requests, and querying verification results.
+- **Replay Executor**: `src/Replay/__Libraries/StellaOps.Replay.Core/ReplayExecutor.cs` -- executes recorded verdicts with snapshotted inputs and compares outputs for determinism verification.
+- **Determinism Verifier**: `src/Replay/__Libraries/StellaOps.Replay.Core/DeterminismVerifier.cs` -- compares original and replayed verdict outputs, detecting any divergences in the decision.
+- **Trace Anonymizer**: `src/Replay/__Libraries/StellaOps.Replay.Anonymization/TraceAnonymizer.cs` (implements `ITraceAnonymizer`) -- anonymizes sensitive data in replay traces before storage or export, enabling safe sharing of replay data for debugging.
+- **Anonymization Models**: `src/Replay/__Libraries/StellaOps.Replay.Anonymization/Models.cs` -- data models for anonymized trace records.
+- **Replay Job Queue**: `src/Replay/__Libraries/StellaOps.Replay.Core/ReplayJobQueue.cs` -- queues replay verification jobs for background processing.
+- **Tests**: `src/Replay/__Tests/StellaOps.Replay.Core.Tests/VerdictReplayIntegrationTests.cs`, `VerdictReplayEndpointsTests.cs`; `src/Replay/__Tests/StellaOps.Replay.Anonymization.Tests/TraceAnonymizerTests.cs`
+
+## E2E Test Plan
+- [ ] Record a verdict execution via the REST API and verify the recording captures all inputs (policy rules, feed state, SBOM) and the output verdict
+- [ ] Submit a replay request for the recorded verdict and verify the replayed output matches the original bit-for-bit
+- [ ] Verify trace anonymization: record a verdict with sensitive data (CVE IDs, package names), anonymize the trace via `TraceAnonymizer`, and confirm sensitive fields are replaced while the trace structure is preserved
+- [ ] Verify the replay service returns a clear divergence report when a non-deterministic element is introduced
+- [ ] Verify replay queue ordering: submit 5 replay requests and confirm they are processed sequentially in submission order