semi implemented and features implemented save checkpoint

This commit is contained in: master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions


@@ -0,0 +1,25 @@
# CI/CD Workflow Generator (Multi-Platform Pipeline Templates)
## Module
Tools
## Status
IMPLEMENTED
## Description
Generates CI/CD pipeline templates for GitHub Actions, GitLab CI, and Azure DevOps that integrate StellaOps scanning with automatic SARIF upload to code scanning platforms. Supports configurable triggers, scan options, and upload configurations.
## Implementation Details
- **Workflow Generator Factory**: `src/Tools/StellaOps.Tools.WorkflowGenerator/WorkflowGeneratorFactory.cs` -- factory that selects the appropriate generator implementation based on target CI/CD platform (GitHub Actions, GitLab CI, Azure DevOps).
- **IWorkflowGenerator Interface**: `src/Tools/StellaOps.Tools.WorkflowGenerator/IWorkflowGenerator.cs` -- common interface for all workflow generators defining `Generate(config)` method that produces platform-specific pipeline YAML/JSON.
- **GitHub Actions Generator**: `src/Tools/StellaOps.Tools.WorkflowGenerator/GitHubActionsGenerator.cs` -- generates `.github/workflows/*.yml` files with StellaOps scan steps, SARIF upload to GitHub Code Scanning, and configurable triggers (push, PR, schedule).
- **GitLab CI Generator**: `src/Tools/StellaOps.Tools.WorkflowGenerator/GitLabCiGenerator.cs` -- generates `.gitlab-ci.yml` pipeline definitions with StellaOps scan jobs, artifact reporting, and GitLab SAST integration.
- **Azure DevOps Generator**: `src/Tools/StellaOps.Tools.WorkflowGenerator/AzureDevOpsGenerator.cs` -- generates `azure-pipelines.yml` with StellaOps scan tasks, SARIF publish to Azure DevOps Code Analysis, and configurable pool/agent specifications.
## E2E Test Plan
- [ ] Generate a GitHub Actions workflow using `WorkflowGeneratorFactory`, parse the output YAML, and verify it contains the scan step, SARIF upload step, and correct trigger configuration
- [ ] Generate a GitLab CI pipeline, parse the output YAML, and verify it contains the scan job with correct stage, artifacts, and runner tags
- [ ] Generate an Azure DevOps pipeline, parse the output YAML, and verify it contains the scan task with correct pool specification and SARIF publish step
- [ ] Generate workflows for all three platforms with the same scan configuration and verify scan arguments (image reference, policy file, output format) are consistent across all outputs
- [ ] Generate a workflow with custom triggers (e.g., schedule-only) and verify the output reflects the custom trigger configuration, not the defaults
- [ ] Verify the generated GitHub Actions workflow is valid YAML and passes `actionlint` or equivalent schema validation
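Review bot: the Description says all three generators integrate SARIF upload, but the GitLab CI Generator bullet under Implementation Details lists only artifact reporting and GitLab SAST integration with no SARIF step, and the GitLab item in the E2E Test Plan checks stage, artifacts and runner tags but never a SARIF upload; either state that the GitLab output uses a SAST report artifact instead of SARIF or add the upload to both the bullet and the test item. The GitHub Actions bullet also says nothing about how the generated workflow restricts the workflow token to the permissions the SARIF upload step needs, nor whether the action references it emits are pinned; documenting both there and asserting them in the `actionlint` test item would let a reviewer check the generated pipelines for least privilege rather than only for valid YAML.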


@@ -0,0 +1,22 @@
# Fixture Harvester Tool
## Module
Tools
## Status
IMPLEMENTED
## Description
CLI tool (harvest/validate/regen commands) for deterministic test fixture management. Supports tiered fixtures (Synthetic, Spec Examples, Real Samples, Regression), SHA-256 hash pinning, YAML manifests with schema versioning, and configurable refresh policies.
## Implementation Details
- **Fixture Updater App**: `src/Tools/FixtureUpdater/StellaOps.Tools.FixtureUpdater/FixtureUpdaterApp.cs` -- CLI entry point that parses commands (harvest, validate, regen) and dispatches to the runner; manages fixture tier selection and output directory configuration.
- **Fixture Updater Runner**: `src/Tools/FixtureUpdater/StellaOps.Tools.FixtureUpdater/FixtureUpdaterRunner.cs` -- core execution engine that walks fixture manifests, computes SHA-256 hashes, compares against pinned baselines, and regenerates stale fixtures according to refresh policies.
## E2E Test Plan
- [ ] Run the `harvest` command against a known fixture source directory and verify it produces a YAML manifest with SHA-256 hashes for each harvested artifact
- [ ] Run the `validate` command against an existing manifest and verify it reports all fixtures as valid when hashes match, and flags mismatches when a fixture file is modified
- [ ] Run the `regen` command for a single fixture tier (e.g., Synthetic) and verify only fixtures in that tier are regenerated while other tiers remain untouched
- [ ] Modify a fixture file's content, run `validate`, and verify the tool reports the specific file and expected vs. actual hash
- [ ] Verify the YAML manifest includes schema version metadata and that the tool rejects manifests with an unsupported schema version
- [ ] Run the tool with a configurable refresh policy (e.g., "refresh if older than 7 days") and verify it only regenerates fixtures that exceed the staleness threshold
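Review bot: the time-based refresh policy in the last E2E item ("refresh if older than 7 days") conflicts with the deterministic fixture management the Description promises unless the Fixture Updater Runner takes its clock from an injectable source; the runner bullet should say where the timestamp comes from, and the test should set it explicitly instead of depending on wall-clock time. Separately, the fixtures are pinned by SHA-256 but nothing in the hunk protects the manifest itself: `validate` trusts whatever hashes the YAML manifest holds, so a modified manifest paired with modified fixtures passes. Consider stating how the manifest is pinned (a committed manifest hash, or mandatory review of manifest diffs) and adding an E2E item that covers a tampered manifest, not only a tampered fixture file.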


@@ -0,0 +1,28 @@
# Golden Pairs Mirror and Diff Pipeline
## Module
Tools
## Status
IMPLEMENTED
## Description
Package mirror service to download pre/post-patch binary pairs from distro repos, and a diff pipeline service that runs section-hash diffing to produce golden diff reports for backport detection validation.
## Implementation Details
- **Golden Pairs App**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/GoldenPairsApp.cs` -- CLI entry point for the golden pairs toolchain; orchestrates mirror downloads and diff pipeline execution.
- **Package Mirror Service**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/PackageMirrorService.cs` -- downloads pre-patch and post-patch binary packages from distribution repositories (Debian, RPM, Alpine) for known CVE fixes.
- **Diff Pipeline Service**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/DiffPipelineService.cs` -- runs section-hash diffing between pre/post-patch binaries, producing structured diff reports that serve as ground truth for backport detection validation.
- **Section Hash Provider**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/SectionHashProvider.cs` -- computes per-section hashes (e.g., .text, .rodata) for ELF/PE binaries to enable fine-grained diff comparison.
- **Golden Pair Loader**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/GoldenPairLoader.cs` -- loads golden pair metadata from the local store for comparison against new diff results.
- **Golden Pairs Schema Provider**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Schema/GoldenPairsSchemaProvider.cs` -- provides JSON schema definitions for golden pair metadata and diff report validation.
- **Golden Pairs Models**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Models/` -- data models for golden pair records, diff reports, section hashes, and mirror source definitions.
- **Serialization**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Serialization/` -- JSON serialization for golden pair data with canonical formatting for deterministic output.
## E2E Test Plan
- [ ] Run `PackageMirrorService` to download a known CVE fix pair (e.g., a Debian openssl patch), and verify both pre-patch and post-patch binaries are downloaded and stored with correct metadata
- [ ] Run `DiffPipelineService` on a downloaded pair and verify the diff report identifies the changed sections (e.g., .text section modified, .rodata unchanged)
- [ ] Run `SectionHashProvider` on a known binary and verify section hashes are deterministic across multiple runs
- [ ] Load a golden pair via `GoldenPairLoader`, re-run the diff pipeline, and verify the new diff report matches the stored golden diff
- [ ] Validate a diff report against the JSON schema from `GoldenPairsSchemaProvider` and verify it passes schema validation
- [ ] Mirror a package pair, intentionally corrupt the post-patch binary, run the diff pipeline, and verify the diff report reflects the unexpected changes
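Review bot: the Package Mirror Service bullet lets downloaded pre/post-patch packages become ground truth without any verification step: nothing in the hunk says the mirror checks the distribution repository signatures or the package checksums from the signed repo metadata before storing a pair, so a tampered or truncated download would be baked into a golden diff that later validation treats as correct. Add that check to the bullet and an E2E item asserting that a package whose checksum does not match the repo metadata is rejected and not stored. The last E2E item ("intentionally corrupt the post-patch binary ... verify the diff report reflects the unexpected changes") also needs a concrete assertion, for example that the report differs from the stored golden diff loaded in the `GoldenPairLoader` item, because the pipeline on its own cannot distinguish expected from unexpected changes.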


@@ -0,0 +1,25 @@
# Golden Pairs Validation Infrastructure
## Module
Tools
## Status
IMPLEMENTED
## Description
Data model for golden pair metadata, binary artifacts, and diff reports used to validate binary diff detection against known-good CVE fix pairs.
## Implementation Details
- **Golden Pairs Models**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Models/` -- data models defining golden pair records (CVE ID, package name, distro, pre/post versions), binary artifact metadata (section hashes, file sizes, architectures), and diff report structures (changed sections, confidence scores).
- **Golden Pairs Schema Provider**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Schema/GoldenPairsSchemaProvider.cs` -- provides JSON schema definitions for validating golden pair metadata files, diff reports, and mirror source configurations.
- **Golden Pair Loader**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/GoldenPairLoader.cs` -- loads and validates golden pair records from the local file store, resolving binary artifact paths and associated diff reports.
- **Serialization**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Serialization/` -- canonical JSON serialization for golden pair data ensuring deterministic output for hash comparison and attestation purposes.
- **Section Hash Provider**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/SectionHashProvider.cs` -- computes deterministic per-section hashes for binary artifacts, enabling reproducible diff comparisons across environments.
## E2E Test Plan
- [ ] Load a golden pair record via `GoldenPairLoader` and verify all required fields (CVE ID, package name, pre/post versions, distro) are populated and valid
- [ ] Validate a golden pair metadata file against the schema from `GoldenPairsSchemaProvider` and verify it passes; then corrupt a required field and verify validation fails
- [ ] Serialize a golden pair record via the canonical serializer, deserialize it back, and verify round-trip fidelity (all fields match, no data loss)
- [ ] Compute section hashes for a binary artifact using `SectionHashProvider` on two separate runs and verify the hashes are identical (determinism check)
- [ ] Load a diff report for a known CVE fix pair and verify it correctly identifies which binary sections changed between pre-patch and post-patch versions
- [ ] Verify the schema provider covers all model types: golden pair records, diff reports, and mirror source configurations
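Review bot: the Golden Pairs Models, Schema Provider, Loader, Serialization and Section Hash Provider bullets describe the same five paths already documented in the Golden Pairs Mirror and Diff Pipeline file in this commit, with wording that has already started to differ (the Serialization bullet here adds "attestation purposes", the Loader bullet adds path resolution); keep one description and cross-reference it so the two files do not drift. The Serialization bullet should also name the canonicalization scheme the JSON serializer follows, since the hash comparison and attestation it mentions are reproducible only if every producer agrees on key ordering, number formatting and whitespace; the round-trip E2E item checks field fidelity but not byte-identical re-serialization, which is the property the hashes depend on.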