semi implemented and features implemented save checkpoint

docs/features/unchecked/sbomservice/sbom-lineage-api-backend.md

@@ -0,0 +1,27 @@
+# SBOM Lineage API Backend
+
+## Module
+SbomService
+
+## Status
+IMPLEMENTED
+
+## Description
+REST API endpoints for lineage graph queries, diff computation, and export. Architecture fully documented but backend implementation pending.
+
+## Implementation Details
+- **Lineage controller**: `src/SbomService/StellaOps.SbomService/Controllers/LineageController.cs` -- REST endpoints for lineage queries
+- **Lineage export models**: `src/SbomService/StellaOps.SbomService/Models/LineageExportModels.cs` -- export format models
+- **Path models**: `src/SbomService/StellaOps.SbomService/Models/SbomPathModels.cs` -- graph path traversal models
+- **Projection models**: `src/SbomService/StellaOps.SbomService/Models/SbomProjectionModels.cs` -- lineage projection data
+- **Lineage library**: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/` -- core lineage logic
+- **VEX delta repository**: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/VexDeltaRepository.cs`
+- **Persistence migrations**: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Persistence/Migrations/00001_InitialSchema.sql`
+- **Observability**: `src/SbomService/StellaOps.SbomService/Observability/SbomMetrics.cs`, `SbomTracing.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify lineage API endpoints return valid graph data
+- [ ] Test diff computation between SBOM versions
+- [ ] Verify export endpoints generate correct lineage exports
+- [ ] Test path traversal queries through lineage graph

docs/features/unchecked/sbomservice/sbom-lineage-edge-persistence.md

@@ -0,0 +1,23 @@
+# SBOM Lineage Edge Persistence (PostgreSQL)
+
+## Module
+SbomService
+
+## Status
+IMPLEMENTED
+
+## Description
+PostgreSQL-backed persistence for SBOM lineage graph edges with ISbomLineageEdgeRepository interface, sbom_lineage_edges table schema, and in-memory test implementation. Stores parent-child relationships between SBOM versions across image rebuilds.
+
+## Implementation Details
+- **Lineage library**: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/` -- core lineage graph logic
+- **Migrations**: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Persistence/Migrations/00001_InitialSchema.sql` -- sbom_lineage_edges table and schema
+- **VEX delta repository**: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/VexDeltaRepository.cs` -- VEX delta tracking per edge
+- **SBOM models**: `src/SbomService/StellaOps.SbomService/Models/SbomLedgerModels.cs`, `SbomVersionEvents.cs`, `SbomAssetEvents.cs`
+- **Source**: SPRINT_20251228_005_BE_sbom_lineage_graph_i.md
+
+## E2E Test Plan
+- [ ] Verify edge persistence stores parent-child relationships correctly
+- [ ] Test edge retrieval for lineage graph traversal
+- [ ] Verify migration creates expected schema
+- [ ] Test in-memory implementation for unit testing

docs/features/unchecked/sbomservice/sbom-lineage-hover-cache-with-valkey.md

@@ -0,0 +1,27 @@
+# SBOM Lineage Hover Cache with Valkey
+
+## Module
+SbomService
+
+## Status
+IMPLEMENTED
+
+## Description
+Valkey-backed (Redis-compatible) caching layer for SBOM lineage graph hover card data. Pre-computes and caches component diff summaries, VEX delta counts, and provenance metadata for instant hover card rendering without round-trips to PostgreSQL.
+
+## Implementation Details
+- **Hover cache interface and implementation**: `src/SbomService/StellaOps.SbomService/Services/LineageHoverCache.cs` -- `ILineageHoverCache` with `GetAsync`, `SetAsync`, `InvalidateAsync` for hover card data; 5-minute TTL targeting <150ms response times
+- **Valkey compare cache**: `src/SbomService/StellaOps.SbomService/Services/ValkeyLineageCompareCache.cs` -- `ILineageCompareCache` implementation using `IDistributedCache` (Valkey/Redis) with 10-minute TTL, cache hit/miss/invalidation counters, and `ActivitySource` tracing
+- **In-memory fallback**: `src/SbomService/StellaOps.SbomService/Services/InMemoryLineageCompareCache.cs` -- in-memory `ILineageCompareCache` for testing and non-Valkey deployments
+- **Cache interface**: `src/SbomService/StellaOps.SbomService/Services/ILineageCompareCache.cs` -- compare cache contract
+- **Hover card model**: `src/SbomService/StellaOps.SbomService/Models/SbomProjectionModels.cs` -- `SbomLineageHoverCard` used as cached entity
+- **Frontend hover card**: `src/Web/StellaOps.Web/src/app/features/lineage/components/lineage-hover-card/lineage-hover-card.component.ts` -- Angular hover card component
+- **DI registration**: `src/SbomService/StellaOps.SbomService/Program.cs` -- Valkey cache services registered in DI
+- **Source**: SPRINT_20251228_005_BE_sbom_lineage_graph_i.md
+
+## E2E Test Plan
+- [ ] Verify hover card data is cached with 5-minute TTL
+- [ ] Test cache invalidation when artifact digest changes
+- [ ] Verify <150ms response time for cached hover card requests
+- [ ] Test Valkey compare cache hit/miss tracking metrics
+- [ ] Verify in-memory fallback works when Valkey is unavailable

docs/features/unchecked/sbomservice/sbom-lineage-ndjson-streaming-export.md

@@ -0,0 +1,27 @@
+# SBOM Lineage NDJSON Streaming Export
+
+## Module
+SbomService
+
+## Status
+IMPLEMENTED
+
+## Description
+NDJSON (newline-delimited JSON) streaming export for SBOM lineage graphs. Enables efficient bulk export of lineage data for offline analysis, air-gap transfer, and integration with external tools that consume streaming JSON formats.
+
+## Implementation Details
+- **Export service interface**: `src/SbomService/StellaOps.SbomService/Services/ILineageExportService.cs` -- export contract
+- **Export service implementation**: `src/SbomService/StellaOps.SbomService/Services/LineageExportService.cs` -- generates signed evidence packs in NDJSON format; 50MB max export size; includes SBOM diff, VEX deltas, reachability diffs, and attestations; optional keyless signing
+- **Export models**: `src/SbomService/StellaOps.SbomService/Models/LineageExportModels.cs` -- `LineageExportRequest`, `LineageExportResponse`, `EvidencePack` (NDJSON structured); configurable includes (SbomDiff, VexDeltas, ReachabilityDiff, Attestations)
+- **NDJSON endpoint**: `src/SbomService/StellaOps.SbomService/Program.cs` -- endpoint returns `application/x-ndjson` content type with deterministic line ordering
+- **Tests**: `src/SbomService/StellaOps.SbomService.Tests/ResolverFeedExportTests.cs` -- `Export_returns_ndjson_in_deterministic_order` test verifying NDJSON output and content type
+- **Frontend export UI**: `src/Web/StellaOps.Web/src/app/features/lineage/components/lineage-export-buttons/lineage-export-buttons.component.ts`, `lineage-export-dialog/lineage-export-dialog.component.ts`, `export-dialog/export-dialog.component.ts`
+- **Frontend export service**: `src/Web/StellaOps.Web/src/app/features/lineage/services/lineage-export.service.ts`
+- **Source**: BATCH_20251229_BE_COMPLETION_SUMMARY.md (SBOM Lineage API sprint section)
+
+## E2E Test Plan
+- [ ] Verify NDJSON export endpoint returns `application/x-ndjson` content type
+- [ ] Test deterministic ordering of export lines
+- [ ] Verify 50MB export size limit is enforced
+- [ ] Test configurable include flags (SbomDiff, VexDeltas, ReachabilityDiff, Attestations)
+- [ ] Verify export works through frontend export dialog UI

docs/features/unchecked/sbomservice/sbom-service-lineage-projection-api.md

@@ -0,0 +1,29 @@
+# SBOM Service Lineage Projection API
+
+## Module
+SbomService
+
+## Status
+IMPLEMENTED
+
+## Description
+REST API for querying SBOM lineage projections including component lookup, version history, and dependency graph traversal with LNM v1 schema support.
+
+## Implementation Details
+- **Projection models**: `src/SbomService/StellaOps.SbomService/Models/SbomProjectionModels.cs` -- `SbomProjectionResult` record with SnapshotId, TenantId, Projection (JsonElement), ProjectionHash, SchemaVersion
+- **Path models**: `src/SbomService/StellaOps.SbomService/Models/SbomPathModels.cs` -- graph path traversal models for lineage queries
+- **Projection repository interface**: `src/SbomService/StellaOps.SbomService/Repositories/IProjectionRepository.cs` -- projection storage contract
+- **File projection repository**: `src/SbomService/StellaOps.SbomService/Repositories/FileProjectionRepository.cs` -- file-backed projection storage
+- **Postgres projection repository**: `src/SbomService/__Libraries/StellaOps.SbomService.Persistence/Postgres/Repositories/PostgresProjectionRepository.cs` -- PostgreSQL-backed projection storage
+- **Query service**: `src/SbomService/StellaOps.SbomService/Services/ISbomQueryService.cs`, `InMemorySbomQueryService.cs` -- SBOM query with projection support
+- **Lineage domain models**: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Domain/LineageModels.cs` -- lineage domain with projection relationships
+- **Observability**: `src/SbomService/StellaOps.SbomService/Observability/SbomMetrics.cs` -- projection query metrics
+- **Tests**: `src/SbomService/StellaOps.SbomService.Tests/ProjectionEndpointTests.cs` -- projection endpoint tests
+- **Source**: SPRINT_0142_0001_0001_sbomservice.md
+
+## E2E Test Plan
+- [ ] Verify projection API returns valid SbomProjectionResult with correct schema version
+- [ ] Test component lookup queries through projection API
+- [ ] Verify version history queries return ordered results
+- [ ] Test dependency graph traversal across lineage projections
+- [ ] Verify projection hash integrity for deterministic outputs

docs/features/unchecked/sbomservice/sbom-service-registry-source-integration.md

@@ -0,0 +1,30 @@
+# SBOM Service Registry Source Integration
+
+## Module
+SbomService
+
+## Status
+IMPLEMENTED
+
+## Description
+Registry webhook and source management endpoints allowing container registries to push SBOM metadata events and manage trusted source configurations.
+
+## Implementation Details
+- **Registry source controller**: `src/SbomService/StellaOps.SbomService/Controllers/RegistrySourceController.cs` -- REST endpoints for managing trusted registry source configurations
+- **Registry webhook controller**: `src/SbomService/StellaOps.SbomService/Controllers/RegistryWebhookController.cs` -- endpoints for receiving container registry push/tag events
+- **Registry source service**: `src/SbomService/StellaOps.SbomService/Services/RegistrySourceService.cs` -- source configuration management logic
+- **Registry webhook service**: `src/SbomService/StellaOps.SbomService/Services/RegistryWebhookService.cs` -- webhook event processing
+- **Registry discovery service**: `src/SbomService/StellaOps.SbomService/Services/RegistryDiscoveryService.cs` -- auto-discovery of registry sources
+- **Scan job emitter**: `src/SbomService/StellaOps.SbomService/Services/ScanJobEmitterService.cs` -- emits scan jobs when webhook events arrive
+- **Query options**: `src/SbomService/StellaOps.SbomService/Services/RegistrySourceQueryOptions.cs` -- query filtering for registry sources
+- **Models**: `src/SbomService/StellaOps.SbomService/Models/RegistrySourceModels.cs` -- registry source configuration models
+- **Repository**: `src/SbomService/StellaOps.SbomService/Repositories/IRegistrySourceRepository.cs`, `RegistrySourceRepositories.cs` -- registry source persistence
+- **Tests**: `src/SbomService/StellaOps.SbomService.Tests/RegistrySourceServiceTests.cs`, `RegistryDiscoveryServiceTests.cs`, `RegistryWebhookServiceTests.cs`, `ScanJobEmitterServiceTests.cs`
+- **Source**: SPRINT_0142_0001_0001_sbomservice.md
+
+## E2E Test Plan
+- [ ] Verify registry source CRUD operations through REST API
+- [ ] Test webhook event processing for container registry push events
+- [ ] Verify scan job emission when new images are pushed
+- [ ] Test registry auto-discovery service
+- [ ] Verify tenant isolation in registry source configurations

docs/features/unchecked/sbomservice/sbom-verdict-linking-table.md

@@ -0,0 +1,28 @@
+# SBOM-Verdict Linking Table
+
+## Module
+SbomService
+
+## Status
+IMPLEMENTED
+
+## Description
+Join table linking SBOM versions to VEX consensus verdicts per CVE. Fully implemented with PostgreSQL persistence, in-memory test implementation, and lineage integration.
+
+## Implementation Details
+- **Persistence interface (Persistence layer)**: `src/SbomService/__Libraries/StellaOps.SbomService.Persistence/Repositories/ISbomVerdictLinkRepository.cs` -- `LinkAsync`, `LinkBatchAsync`, `GetVerdictsBySbomAsync`, `GetSbomsByCveAsync`, `GetSbomsByStatusAsync`
+- **Postgres implementation**: `src/SbomService/__Libraries/StellaOps.SbomService.Persistence/Postgres/Repositories/PostgresSbomVerdictLinkRepository.cs` -- PostgreSQL verdict link storage with upsert on conflict
+- **Lineage interface**: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/ISbomVerdictLinkRepository.cs` -- lineage-layer verdict link contract
+- **Lineage Postgres implementation**: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/SbomVerdictLinkRepository.cs` -- `sbom.sbom_verdict_links` table with columns: sbom_version_id, cve, consensus_projection_id, verdict_status, confidence_score, tenant_id; upsert on `(sbom_version_id, cve, tenant_id)` conflict
+- **Schema migration**: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Persistence/Migrations/00001_InitialSchema.sql` -- creates `sbom_verdict_links` table
+- **DI registration**: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/DependencyInjection/ServiceCollectionExtensions.cs` -- registers verdict link repository
+- **Lineage domain**: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Domain/LineageModels.cs` -- `SbomVerdictLink` model
+- **Tests**: `src/SbomService/__Tests/StellaOps.SbomService.Lineage.Tests/Domain/LineageModelsTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify SBOM-to-verdict linking creates records in `sbom_verdict_links` table
+- [ ] Test batch linking of multiple verdicts per SBOM version
+- [ ] Verify query by CVE returns all linked SBOM versions
+- [ ] Test query by verdict status with limit parameter
+- [ ] Verify upsert behavior on `(sbom_version_id, cve, tenant_id)` conflict