semi implemented and features implemented save checkpoint

2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/StellaOps.Doctor.Scheduler/StellaOps.Doctor.Scheduler.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/StellaOps.Doctor.Scheduler/StellaOps.Doctor.Scheduler.md
@@ -0,0 +1,47 @@
+# Audit - StellaOps.Doctor.Scheduler
+
+## Project
+- Path: `src/Doctor/StellaOps.Doctor.Scheduler/StellaOps.Doctor.Scheduler.csproj`
+- Module: `Doctor`
+- Kind: `Worker`
+- SDK: `Microsoft.NET.Sdk.Worker`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 5
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/StellaOps.Doctor.Scheduler/Services/ScheduleExecutor.cs` (309 lines)
+  - `src/Doctor/StellaOps.Doctor.Scheduler/Models/DoctorSchedule.cs` (170 lines)
+  - `src/Doctor/StellaOps.Doctor.Scheduler/Program.cs` (169 lines)
+  - `src/Doctor/StellaOps.Doctor.Scheduler/Models/TrendDataPoint.cs` (146 lines)
+  - `src/Doctor/StellaOps.Doctor.Scheduler/DoctorScheduleWorker.cs` (136 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, E2E, Offline
+- Detected test projects: none
+- Missing layers: Unit, Integration, E2E, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add integration tests for cross-component flows.
+- Add E2E coverage for user-visible workflows.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/StellaOps.Doctor.WebService/StellaOps.Doctor.WebService.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/StellaOps.Doctor.WebService/StellaOps.Doctor.WebService.md
@@ -0,0 +1,50 @@
+# Audit - StellaOps.Doctor.WebService
+
+## Project
+- Path: `src/Doctor/StellaOps.Doctor.WebService/StellaOps.Doctor.WebService.csproj`
+- Module: `Doctor`
+- Kind: `WebService`
+- SDK: `Microsoft.NET.Sdk.Web`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 9
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/StellaOps.Doctor.WebService/Contracts/DoctorModels.cs` (493 lines)
+  - `src/Doctor/StellaOps.Doctor.WebService/Services/TimestampingDashboardProvider.cs` (375 lines)
+  - `src/Doctor/StellaOps.Doctor.WebService/Endpoints/TimestampingEndpoints.cs` (359 lines)
+  - `src/Doctor/StellaOps.Doctor.WebService/Services/DoctorRunService.cs` (267 lines)
+  - `src/Doctor/StellaOps.Doctor.WebService/Services/PostgresReportStorageService.cs` (266 lines)
+  - `src/Doctor/StellaOps.Doctor.WebService/Endpoints/DoctorEndpoints.cs` (226 lines)
+  - `src/Doctor/StellaOps.Doctor.WebService/Program.cs` (175 lines)
+  - `src/Doctor/StellaOps.Doctor.WebService/Options/DoctorServiceOptions.cs` (116 lines)
+  - `src/Doctor/StellaOps.Doctor.WebService/Services/InMemoryReportStorageService.cs` (103 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: src/Doctor/__Tests/StellaOps.Doctor.WebService.Tests/StellaOps.Doctor.WebService.Tests.csproj [Unit]
+- Missing layers: Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Agent/StellaOps.Doctor.Plugin.Agent.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Agent/StellaOps.Doctor.Plugin.Agent.md
@@ -0,0 +1,52 @@
+# Audit - StellaOps.Doctor.Plugin.Agent
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Agent/StellaOps.Doctor.Plugin.Agent.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 4
+- Service locator usage (BuildServiceProvider/GetService): 6
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Agent/Checks/AgentCertificateExpiryCheck.cs` (198 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Agent/Checks/AgentHeartbeatFreshnessCheck.cs` (188 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Agent/Checks/StaleAgentCheck.cs` (150 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Agent/Checks/AgentVersionConsistencyCheck.cs` (131 lines)
+- Service locator matches:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Agent/Checks/AgentCertificateValidityCheck.cs`:41 return context.Services.GetService<IAgentStore>() != null;
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Agent/Checks/AgentCapacityCheck.cs`:46 return context.Services.GetService<IAgentStore>() != null;
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Agent/Checks/AgentCertificateExpiryCheck.cs`:46 return context.Services.GetService<IAgentStore>() != null;
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Agent/Checks/AgentHeartbeatFreshnessCheck.cs`:46 return context.Services.GetService<IAgentStore>() != null;
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Agent/Checks/StaleAgentCheck.cs`:47 return context.Services.GetService<IAgentStore>() != null;
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Agent/Checks/AgentVersionConsistencyCheck.cs`:44 return context.Services.GetService<IAgentStore>() != null;
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: none
+- Missing layers: Unit, Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Attestor/StellaOps.Doctor.Plugin.Attestor.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Attestor/StellaOps.Doctor.Plugin.Attestor.md
@@ -0,0 +1,49 @@
+# Audit - StellaOps.Doctor.Plugin.Attestor
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Attestor/StellaOps.Doctor.Plugin.Attestor.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 6
+- Service locator usage (BuildServiceProvider/GetService): 1
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Attestor/Checks/RekorClockSkewCheck.cs` (619 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Attestor/Checks/TransparencyLogConsistencyCheck.cs` (248 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Attestor/Checks/CosignKeyMaterialCheck.cs` (242 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Attestor/Checks/RekorVerificationJobCheck.cs` (231 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Attestor/Checks/SigningKeyExpirationCheck.cs` (226 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Attestor/Checks/RekorConnectivityCheck.cs` (165 lines)
+- Service locator matches:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Attestor/Checks/RekorVerificationJobCheck.cs`:54 var statusProvider = context.Services.GetService<IRekorVerificationStatusProvider>();
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: none
+- Missing layers: Unit, Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Auth/StellaOps.Doctor.Plugin.Auth.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Auth/StellaOps.Doctor.Plugin.Auth.md
@@ -0,0 +1,46 @@
+# Audit - StellaOps.Doctor.Plugin.Auth
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Auth/StellaOps.Doctor.Plugin.Auth.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 4
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Auth/Checks/OidcProviderConnectivityCheck.cs` (323 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Auth/Checks/AuthConfigurationCheck.cs` (166 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Auth/Checks/TokenServiceHealthCheck.cs` (161 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Auth/Checks/SigningKeyHealthCheck.cs` (138 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: none
+- Missing layers: Unit, Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.BinaryAnalysis/StellaOps.Doctor.Plugin.BinaryAnalysis.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.BinaryAnalysis/StellaOps.Doctor.Plugin.BinaryAnalysis.md
@@ -0,0 +1,50 @@
+# Audit - StellaOps.Doctor.Plugin.BinaryAnalysis
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.BinaryAnalysis/StellaOps.Doctor.Plugin.BinaryAnalysis.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 6
+- Service locator usage (BuildServiceProvider/GetService): 3
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.BinaryAnalysis/Checks/DdebRepoEnabledCheck.cs` (384 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.BinaryAnalysis/Checks/KpiBaselineExistsCheck.cs` (377 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.BinaryAnalysis/Checks/DebuginfodAvailabilityCheck.cs` (350 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.BinaryAnalysis/Checks/CorpusMirrorFreshnessCheck.cs` (324 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.BinaryAnalysis/Checks/BuildinfoCacheCheck.cs` (321 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.BinaryAnalysis/Checks/SymbolRecoveryFallbackCheck.cs` (192 lines)
+- Service locator matches:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.BinaryAnalysis/Checks/BuildinfoCacheCheck.cs`:63 var httpClientFactory = context.Services.GetService<IHttpClientFactory>();
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.BinaryAnalysis/Checks/DdebRepoEnabledCheck.cs`:79 var httpClientFactory = context.Services.GetService<IHttpClientFactory>();
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.BinaryAnalysis/Checks/DebuginfodAvailabilityCheck.cs`:74 var httpClientFactory = context.Services.GetService<IHttpClientFactory>();
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: src/Doctor/__Tests/StellaOps.Doctor.Plugin.BinaryAnalysis.Tests/StellaOps.Doctor.Plugin.BinaryAnalysis.Tests.csproj [Unit]
+- Missing layers: Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Compliance/StellaOps.Doctor.Plugin.Compliance.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Compliance/StellaOps.Doctor.Plugin.Compliance.md
@@ -0,0 +1,49 @@
+# Audit - StellaOps.Doctor.Plugin.Compliance
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Compliance/StellaOps.Doctor.Plugin.Compliance.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 7
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Compliance/Checks/AttestationSigningHealthCheck.cs` (216 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Compliance/Checks/EvidenceExportReadinessCheck.cs` (198 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Compliance/Checks/AuditReadinessCheck.cs` (196 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Compliance/Checks/ComplianceFrameworkCheck.cs` (191 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Compliance/Checks/EvidenceTamperCheck.cs` (190 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Compliance/Checks/EvidenceGenerationRateCheck.cs` (189 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Compliance/Checks/ProvenanceCompletenessCheck.cs` (185 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: none
+- Missing layers: Unit, Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Environment/StellaOps.Doctor.Plugin.Environment.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Environment/StellaOps.Doctor.Plugin.Environment.md
@@ -0,0 +1,49 @@
+# Audit - StellaOps.Doctor.Plugin.Environment
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Environment/StellaOps.Doctor.Plugin.Environment.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 7
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Environment/Checks/EnvironmentConnectivityCheck.cs` (402 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Environment/Checks/EnvironmentSecretHealthCheck.cs` (335 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Environment/Checks/EnvironmentDeploymentHealthCheck.cs` (335 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Environment/Checks/EnvironmentNetworkPolicyCheck.cs` (328 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Environment/Checks/EnvironmentCapacityCheck.cs` (292 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Environment/Checks/EnvironmentDriftCheck.cs` (277 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Environment/Services/IEnvironmentHealthClient.cs` (110 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: none
+- Missing layers: Unit, Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.EvidenceLocker/StellaOps.Doctor.Plugin.EvidenceLocker.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.EvidenceLocker/StellaOps.Doctor.Plugin.EvidenceLocker.md
@@ -0,0 +1,47 @@
+# Audit - StellaOps.Doctor.Plugin.EvidenceLocker
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.EvidenceLocker/StellaOps.Doctor.Plugin.EvidenceLocker.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 4
+- Service locator usage (BuildServiceProvider/GetService): 1
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.EvidenceLocker/Checks/AttestationRetrievalCheck.cs` (283 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.EvidenceLocker/Checks/MerkleAnchorCheck.cs` (268 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.EvidenceLocker/Checks/EvidenceIndexCheck.cs` (220 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.EvidenceLocker/Checks/ProvenanceChainCheck.cs` (212 lines)
+- Service locator matches:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.EvidenceLocker/Checks/AttestationRetrievalCheck.cs`:68 var httpClient = context.Services.GetService<IHttpClientFactory>()?.CreateClient("EvidenceLocker");
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: none
+- Missing layers: Unit, Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/StellaOps.Doctor.Plugin.Notify.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/StellaOps.Doctor.Plugin.Notify.md
@@ -0,0 +1,53 @@
+# Audit - StellaOps.Doctor.Plugin.Notify
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/StellaOps.Doctor.Plugin.Notify.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 9
+- Service locator usage (BuildServiceProvider/GetService): 3
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/NotifyQueueHealthCheck.cs` (232 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/EmailConnectivityCheck.cs` (186 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/TeamsConnectivityCheck.cs` (169 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/WebhookConnectivityCheck.cs` (166 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/EmailConfiguredCheck.cs` (161 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/SlackConnectivityCheck.cs` (153 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/WebhookConfiguredCheck.cs` (128 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/TeamsConfiguredCheck.cs` (125 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/SlackConfiguredCheck.cs` (109 lines)
+- Service locator matches:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/NotifyDoctorPlugin.cs`:35 var providers = services.GetService<IEnumerable<INotifyChannelHealthProvider>>();
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/NotifyQueueHealthCheck.cs`:51 var eventQueueHealthCheck = context.Services.GetService<StellaOps.Notify.Queue.NotifyQueueHealthCheck>();
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/NotifyQueueHealthCheck.cs`:52 var deliveryQueueHealthCheck = context.Services.GetService<StellaOps.Notify.Queue.NotifyDeliveryQueueHealthCheck>();
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: src/Doctor/__Tests/StellaOps.Doctor.Plugin.Notify.Tests/StellaOps.Doctor.Plugin.Notify.Tests.csproj [Unit]
+- Missing layers: Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Observability/StellaOps.Doctor.Plugin.Observability.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Observability/StellaOps.Doctor.Plugin.Observability.md
@@ -0,0 +1,45 @@
+# Audit - StellaOps.Doctor.Plugin.Observability
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Observability/StellaOps.Doctor.Plugin.Observability.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 4
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Observability/Checks/LogRotationCheck.cs` (182 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Observability/Checks/LogDirectoryCheck.cs` (143 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Observability/Checks/PrometheusScrapeCheck.cs` (136 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Observability/Checks/OtlpEndpointCheck.cs` (122 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: src/Doctor/__Tests/StellaOps.Doctor.Plugin.Observability.Tests/StellaOps.Doctor.Plugin.Observability.Tests.csproj [Unit]
+- Missing layers: Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Operations/StellaOps.Doctor.Plugin.Operations.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Operations/StellaOps.Doctor.Plugin.Operations.md
@@ -0,0 +1,45 @@
+# Audit - StellaOps.Doctor.Plugin.Operations
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Operations/StellaOps.Doctor.Plugin.Operations.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 3
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Operations/Checks/JobQueueHealthCheck.cs` (196 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Operations/Checks/DeadLetterQueueCheck.cs` (145 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Operations/Checks/SchedulerHealthCheck.cs` (134 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: none
+- Missing layers: Unit, Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Postgres/StellaOps.Doctor.Plugin.Postgres.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Postgres/StellaOps.Doctor.Plugin.Postgres.md
@@ -0,0 +1,45 @@
+# Audit - StellaOps.Doctor.Plugin.Postgres
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Postgres/StellaOps.Doctor.Plugin.Postgres.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 3
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Postgres/Checks/PostgresConnectionPoolCheck.cs` (241 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Postgres/Checks/PostgresConnectivityCheck.cs` (239 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Postgres/Checks/PostgresMigrationStatusCheck.cs` (217 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: none
+- Missing layers: Unit, Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Release/StellaOps.Doctor.Plugin.Release.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Release/StellaOps.Doctor.Plugin.Release.md
@@ -0,0 +1,49 @@
+# Audit - StellaOps.Doctor.Plugin.Release
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Release/StellaOps.Doctor.Plugin.Release.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 7
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Release/Checks/PromotionGateHealthCheck.cs` (447 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Release/Checks/ActiveReleaseHealthCheck.cs` (377 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Release/Checks/EnvironmentReadinessCheck.cs` (360 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Release/Checks/ReleaseConfigurationCheck.cs` (359 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Release/Checks/RollbackReadinessCheck.cs` (331 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Release/Checks/ReleaseScheduleHealthCheck.cs` (287 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Release/Services/IReleaseHealthClient.cs` (145 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: none
+- Missing layers: Unit, Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Scanner/StellaOps.Doctor.Plugin.Scanner.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Scanner/StellaOps.Doctor.Plugin.Scanner.md
@@ -0,0 +1,49 @@
+# Audit - StellaOps.Doctor.Plugin.Scanner
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Scanner/StellaOps.Doctor.Plugin.Scanner.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 7
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Scanner/Checks/SliceCacheHealthCheck.cs` (234 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Scanner/Checks/ReachabilityComputationHealthCheck.cs` (234 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Scanner/Checks/ScannerQueueHealthCheck.cs` (232 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Scanner/Checks/ScannerResourceUtilizationCheck.cs` (224 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Scanner/Checks/VulnerabilityScanHealthCheck.cs` (218 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Scanner/Checks/WitnessGraphHealthCheck.cs` (215 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Scanner/Checks/SbomGenerationHealthCheck.cs` (202 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: none
+- Missing layers: Unit, Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Storage/StellaOps.Doctor.Plugin.Storage.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Storage/StellaOps.Doctor.Plugin.Storage.md
@@ -0,0 +1,44 @@
+# Audit - StellaOps.Doctor.Plugin.Storage
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Storage/StellaOps.Doctor.Plugin.Storage.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 3
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Storage/Checks/EvidenceLockerWriteCheck.cs` (254 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Storage/Checks/DiskSpaceCheck.cs` (240 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Storage/Checks/BackupDirectoryCheck.cs` (218 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: tests/Doctor/StellaOps.Doctor.Plugin.Storage.Tests/StellaOps.Doctor.Plugin.Storage.Tests.csproj [Unit]
+- Missing layers: Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/StellaOps.Doctor.Plugin.Timestamping.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/StellaOps.Doctor.Plugin.Timestamping.md
@@ -0,0 +1,54 @@
+# Audit - StellaOps.Doctor.Plugin.Timestamping
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/StellaOps.Doctor.Plugin.Timestamping.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: inherited true
+- Deterministic: inherited true
+- 100-line rule violations: 13
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/EvidenceStalenessCheck.cs` (708 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/TsaHealthChecks.cs` (449 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/TimeSkewChecks.cs` (420 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/TsaCertificateExpiryCheck.cs` (419 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/AutoRemediation.cs` (310 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/EuTrustListChecks.cs` (308 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/TsaAvailabilityCheck.cs` (225 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/IDoctorCheck.cs` (200 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/TimestampingHealthCheckPlugin.cs` (190 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/RevocationCacheFreshCheck.cs` (172 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/CrlDistributionCheck.cs` (160 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/OcspResponderCheck.cs` (152 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/OcspStaplingEnabledCheck.cs` (123 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: src/Doctor/__Tests/StellaOps.Doctor.Plugin.Timestamping.Tests/StellaOps.Doctor.Plugin.Timestamping.Tests.csproj [Unit]
+- Missing layers: Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.
--- a/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Vex/StellaOps.Doctor.Plugin.Vex.md
+++ b/docs/implplan-blocked/audits/csproj-standards/Doctor/__Plugins/StellaOps.Doctor.Plugin.Vex/StellaOps.Doctor.Plugin.Vex.md
@@ -0,0 +1,45 @@
+# Audit - StellaOps.Doctor.Plugin.Vex
+
+## Project
+- Path: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Vex/StellaOps.Doctor.Plugin.Vex.csproj`
+- Module: `Doctor`
+- Kind: `Plugin`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 3
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Vex/Checks/VexDocumentValidationCheck.cs` (192 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Vex/Checks/VexIssuerTrustCheck.cs` (128 lines)
+  - `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Vex/Checks/VexSchemaComplianceCheck.cs` (119 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Integration, Security, Offline
+- Detected test projects: none
+- Missing layers: Unit, Integration, Security, Offline
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add integration tests for cross-component flows.
+- Add security tests for authn/authz or input validation.
+- Add offline/airgap coverage with fixtures only.