semi-implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions

View File

@@ -0,0 +1,26 @@
# Scheduler Exception Lifecycle Worker
## Module
Scheduler
## Status
IMPLEMENTED
## Description
Background worker that monitors exception expiries and triggers policy re-evaluation when exceptions lapse, enforcing time-bounded risk acceptance.
## Implementation Details
- **Exception Lifecycle Worker**: `src/Scheduler/StellaOps.Scheduler.WebService/ExceptionLifecycle/ExceptionLifecycleWorker.cs` -- background `IHostedService` that periodically scans for expiring or expired policy exceptions and triggers re-evaluation of affected findings.
- **Exception Lifecycle Endpoints**: `src/Scheduler/StellaOps.Scheduler.WebService/ExceptionLifecycle/ExceptionLifecycleEndpointExtensions.cs` -- REST endpoints for querying exception status and managing exception lifecycle.
- **Exception Lifecycle Contracts**: `src/Scheduler/StellaOps.Scheduler.WebService/ExceptionLifecycle/ExceptionLifecycleContracts.cs` -- DTOs for exception status, expiry notifications, and lifecycle transitions.
- **Exception Repository**: `src/Scheduler/StellaOps.Scheduler.WebService/ExceptionLifecycle/IExceptionRepository.cs` -- persistence contract for policy exceptions with expiry tracking.
- **Failure Signature Endpoints**: `src/Scheduler/StellaOps.Scheduler.WebService/FailureSignatures/FailureSignatureEndpoints.cs` -- endpoints for managing failure signatures that may trigger exception expiry.
- **Webhook Endpoints**: `src/Scheduler/StellaOps.Scheduler.WebService/EventWebhooks/EventWebhookEndpointExtensions.cs` -- webhook endpoints for notifying external systems of exception lifecycle events.
- **Tests**: `src/Scheduler/__Tests/StellaOps.Scheduler.WebService.Tests/ExceptionLifecycle/ExceptionLifecycleWorkerTests.cs`, `ExceptionLifecycleEndpointsTests.cs`
## E2E Test Plan
- [ ] Create a policy exception with a 1-minute expiry; after expiry, verify the exception lifecycle worker triggers a re-evaluation event for the affected finding
- [ ] Query the exception lifecycle endpoint and verify active exceptions are listed with their remaining TTL
- [ ] Verify exception renewal: extend an exception's expiry before it lapses and confirm the worker does not trigger re-evaluation
- [ ] Verify webhook notification: configure a webhook endpoint and confirm it receives a notification when an exception expires
- [ ] Create multiple exceptions with staggered expiries and verify the worker processes them in expiry order
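
Review bot: the renewal item in the E2E plan ("extend an exception's expiry before it lapses") and the endpoints entry for `ExceptionLifecycleEndpointExtensions.cs` say nothing about who may extend an exception or whether extension is capped, yet the description's stated purpose is "time-bounded risk acceptance"; an uncapped extend call with no documented authorization makes the bound meaningless. Suggest documenting the scope/role required to renew, a maximum total lifetime (or maximum per extension), and that an already-lapsed exception cannot be renewed in place but needs a new exception with fresh approval, with a test for the lapsed case beside the renewal item. Two smaller points: the worker entry should state the scan interval and how the worker behaves with more than one WebService instance (is the re-evaluation trigger idempotent, or does each replica fire it?), since the 1-minute expiry test depends on both; and the webhook entry should say how outbound expiry notifications are authenticated or signed, so the receiving system can tell a genuine lifecycle event from a forged one.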

View File

@@ -0,0 +1,27 @@
# Scheduler Graph Job DTOs (GraphBuildJob/GraphOverlayJob)
## Module
Scheduler
## Status
IMPLEMENTED
## Description
New graph-specific job contracts (GraphBuildJob, GraphOverlayJob) with state machine enforcement, metadata fields, and event schemas for graph build/overlay operations coordination between Scheduler and Cartographer/Graph services.
## Implementation Details
- **Graph Build Job Request**: `src/Scheduler/StellaOps.Scheduler.WebService/GraphJobs/GraphBuildJobRequest.cs` -- DTO for graph build job requests with source, target, and metadata fields for triggering full graph rebuilds.
- **Graph Overlay Job Request**: `src/Scheduler/StellaOps.Scheduler.WebService/GraphJobs/GraphOverlayJobRequest.cs` -- DTO for incremental graph overlay operations that merge new data into existing graphs.
- **Graph Job Service**: `src/Scheduler/StellaOps.Scheduler.WebService/GraphJobs/GraphJobService.cs` -- orchestrates graph job lifecycle with state machine enforcement (Pending, Running, Completed, Failed).
- **In-Memory Graph Job Store**: `src/Scheduler/StellaOps.Scheduler.WebService/GraphJobs/InMemoryGraphJobStore.cs` -- in-memory persistence for graph job state.
- **Cartographer Webhook Client**: `src/Scheduler/StellaOps.Scheduler.WebService/GraphJobs/CartographerWebhookClient.cs` -- HTTP client for notifying the Cartographer service of graph job state changes.
- **Graph Job Endpoints**: `src/Scheduler/StellaOps.Scheduler.WebService/GraphJobs/GraphJobEndpointExtensions.cs` -- REST endpoints for submitting, querying, and managing graph jobs.
- **Tests**: `src/Scheduler/__Tests/StellaOps.Scheduler.WebService.Tests/GraphJobs/GraphJobServiceTests.cs`, `GraphJobEndpointsTests.cs`, `CartographerWebhookClientTests.cs`
## E2E Test Plan
- [ ] Submit a `GraphBuildJobRequest` via the REST endpoint and verify it is created with "Pending" status and correct metadata fields
- [ ] Advance the job through the state machine (Pending -> Running -> Completed) and verify each transition is enforced (e.g., cannot go from Pending directly to Completed)
- [ ] Submit a `GraphOverlayJobRequest` and verify it references the existing graph to overlay onto
- [ ] Verify webhook notification: start a graph job and confirm the `CartographerWebhookClient` sends a webhook to the Cartographer service with the job details
- [ ] Attempt an invalid state transition (e.g., Completed -> Running) and verify it is rejected with an appropriate error
- [ ] Query graph jobs by status and verify filtering works correctly (e.g., only "Running" jobs are returned)
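
Review bot: the `GraphJobService.cs` entry names the states (Pending, Running, Completed, Failed) but not the allowed transitions, so the E2E items "cannot go from Pending directly to Completed" and "Completed -> Running ... is rejected" are the only specification of the machine; please add the transition table to the doc, in particular whether Failed is terminal or may return to Pending/Running for a retry and whether Completed is terminal, so the tests check a documented contract instead of implying one. Also, Status is IMPLEMENTED while persistence is `InMemoryGraphJobStore.cs`: state plainly that job state does not survive a restart and that jobs in Running at restart are lost, or mark the store as a stand-in. Finally, the `CartographerWebhookClient` item covers only the happy path; the doc should say what happens when the webhook call fails (retry, job marked Failed, or fire-and-forget) and how the Cartographer service authenticates the call, and the plan could include a failing-webhook case.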

View File

@@ -0,0 +1,27 @@
# Scheduler ImpactIndex and Surface.FS Pointers
## Module
Scheduler
## Status
IMPLEMENTED
## Description
ImpactIndex computation for prioritizing scheduled vulnerability evaluations, with Surface.FS pointers linking scheduler jobs to filesystem-level SBOM surface data for efficient incremental rescans.
## Implementation Details
- **Impact Index Service**: `src/Scheduler/StellaOps.Scheduler.WebService/ImpactIndex/ImpactIndexService.cs` -- computes impact index scores for scheduled jobs based on vulnerability severity, component exposure, and deployment topology.
- **Impact Index Endpoints**: `src/Scheduler/StellaOps.Scheduler.WebService/ImpactIndex/ImpactIndexEndpointExtensions.cs` -- REST endpoints for querying and updating impact index scores.
- **Impact Index Contracts**: `src/Scheduler/StellaOps.Scheduler.WebService/ImpactIndex/ImpactIndexContracts.cs` -- DTOs for impact index query/update operations.
- **Surface FS Pointers**: `src/Scheduler/StellaOps.Scheduler.WebService/SurfaceFs/SurfaceFsPointerService.cs` -- manages filesystem-level pointers linking SBOM surface data to scheduler jobs for incremental rescan optimization.
- **Surface FS Endpoints**: `src/Scheduler/StellaOps.Scheduler.WebService/SurfaceFs/SurfaceFsEndpointExtensions.cs` -- REST endpoints for managing Surface.FS pointers.
- **Surface FS Contracts**: `src/Scheduler/StellaOps.Scheduler.WebService/SurfaceFs/SurfaceFsContracts.cs` -- DTOs for Surface.FS pointer operations.
- **Scan Schedule Service**: `src/Scheduler/StellaOps.Scheduler.WebService/Scheduling/ScanScheduleService.cs` -- schedules vulnerability rescans prioritized by impact index.
- **Tests**: `src/Scheduler/__Tests/StellaOps.Scheduler.WebService.Tests/ImpactIndex/ImpactIndexServiceTests.cs`, `ImpactIndexEndpointsTests.cs`; `src/Scheduler/__Tests/StellaOps.Scheduler.WebService.Tests/SurfaceFs/SurfaceFsPointerServiceTests.cs`
## E2E Test Plan
- [ ] Compute an impact index for a component with a critical CVE in a production deployment and verify the score is higher than for the same CVE in a staging deployment
- [ ] Create a Surface.FS pointer linking a scheduler job to an SBOM surface file and verify the pointer is queryable by job ID
- [ ] Verify incremental rescan: update an SBOM surface file, query the Surface.FS pointer, and confirm the scheduler creates a rescan job only for the changed components
- [ ] Verify impact-based prioritization: submit multiple jobs with different impact indices and verify the scheduler processes higher-impact jobs first
- [ ] Query impact index scores via the REST endpoint and verify results are sorted by score descending
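
Review bot: the `ImpactIndexEndpointExtensions.cs` entry says scores can be updated via REST, which sits uneasily with the service entry describing scores as computed from severity, exposure and topology; if manual overrides are intended, document who is authorized to lower a score and whether the override is recorded, because an unaudited downgrade moves a critical-CVE rescan to the back of the queue (the "higher-impact jobs first" test depends on this). Separately, `SurfaceFsPointerService.cs` manages "filesystem-level pointers" to SBOM surface files, but neither the service nor the contracts entry says how a submitted pointer path is validated or confined to the surface root; please document that, and state in the incremental-rescan item what the pointer must carry (a content digest or equivalent) for the scheduler to detect "only the changed components", since `SurfaceFsContracts.cs` is not described as carrying one.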