semi implemented and features implemented save checkpoint

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Advisory/StellaOps.Scanner.Advisory.md

@@ -0,0 +1,40 @@
+# Audit - StellaOps.Scanner.Advisory
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Advisory/StellaOps.Scanner.Advisory.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 1
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Advisory/AdvisoryClient.cs` (196 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Advisory.Tests/StellaOps.Scanner.Advisory.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/StellaOps.Scanner.AiMlSecurity.md

@@ -0,0 +1,51 @@
+# Audit - StellaOps.Scanner.AiMlSecurity
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/StellaOps.Scanner.AiMlSecurity.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 12
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/AiModelInventoryGenerator.cs` (215 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/ModelProvenanceVerifier.cs` (188 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/AiMlSecurityContext.cs` (176 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/AiMlSecurityAnalyzer.cs` (172 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/TrainingDataProvenanceAnalyzer.cs` (165 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Reporting/AiMlSecurityReportFormatter.cs` (165 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Policy/AiGovernancePolicyLoader.cs` (152 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/ModelCardCompletenessAnalyzer.cs` (145 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Models/AiMlSecurityModels.cs` (137 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/AiSafetyRiskAnalyzer.cs` (136 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/ModelBinaryAnalyzer.cs` (111 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.AiMlSecurity/Analyzers/ModelCardScoring.cs` (110 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.AiMlSecurity.Tests/StellaOps.Scanner.AiMlSecurity.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/StellaOps.Scanner.Analyzers.Lang.Bun.md

@@ -0,0 +1,48 @@
+# Audit - StellaOps.Scanner.Analyzers.Lang.Bun
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/StellaOps.Scanner.Analyzers.Lang.Bun.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 9
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunWorkspaceHelper.cs` (448 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/BunLanguageAnalyzer.cs` (408 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunPackage.cs` (324 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunLockParser.cs` (303 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunInstalledCollector.cs` (298 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunProjectDiscoverer.cs` (242 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunLockScopeClassifier.cs` (203 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunConfigHelper.cs` (166 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunVersionSpec.cs` (144 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/StellaOps.Scanner.Analyzers.Lang.Deno.md

@@ -0,0 +1,53 @@
+# Audit - StellaOps.Scanner.Analyzers.Lang.Deno
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/StellaOps.Scanner.Analyzers.Lang.Deno.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 14
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/DenoNpmCompatibilityAdapter.cs` (749 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/DenoModuleGraphResolver.cs` (716 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/Runtime/DenoRuntimeShim.cs` (486 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/DenoWorkspaceNormalizer.cs` (444 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/DenoVirtualFileSystem.cs` (426 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/DenoConfigDocument.cs` (416 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/Runtime/DenoRuntimeTraceRunner.cs` (241 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/DenoLockFile.cs` (208 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/DenoLanguageAnalyzer.cs` (192 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/Runtime/DenoRuntimeTraceSerializer.cs` (186 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/DenoBundleInspector.cs` (157 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/DenoImportMapDocument.cs` (152 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/Runtime/DenoRuntimeTraceProbe.cs` (130 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/Observations/DenoObservationSerializer.cs` (109 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.md

@@ -0,0 +1,73 @@
+# Audit - StellaOps.Scanner.Analyzers.Lang.DotNet
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 33
+- Service locator usage (BuildServiceProvider/GetService): 1
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/DotNetDependencyCollector.cs` (1393 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Callgraph/DotNetCallgraphBuilder.cs` (949 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Capabilities/DotNetCapabilityScanner.cs` (877 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/DotNetDeclaredDependencyCollector.cs` (725 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/DotNetEntrypointResolver.cs` (706 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Licensing/DotNetLicenseDetector.cs` (652 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/DotNetDepsFile.cs` (518 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Parsing/MsBuildProjectParser.cs` (483 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Callgraph/DotNetReachabilityGraph.cs` (442 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Crypto/DotNetCryptoExtractor.cs` (358 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Config/NuGetConfigParser.cs` (355 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/DotNetFileCaches.cs` (333 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Bundling/DotNetBundlingSignalCollector.cs` (317 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/DotNetLanguageAnalyzer.cs` (303 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/BuildMetadata/DotNetProjectMetadata.cs` (296 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/PropertyResolution/MsBuildPropertyResolver.cs` (295 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Inheritance/EffectiveProjectBuilder.cs` (289 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Inheritance/CentralPackageManagementParser.cs` (280 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Discovery/DotNetBuildFileDiscovery.cs` (272 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/LockFiles/PackagesLockJsonParser.cs` (255 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Bundling/SingleFileAppDetector.cs` (249 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Config/GlobalJsonParser.cs` (246 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Inheritance/DirectoryBuildPropsResolver.cs` (221 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Bundling/ILMergedAssemblyDetector.cs` (220 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Capabilities/DotNetCapabilityScanResult.cs` (215 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Conflicts/DotNetVersionConflictDetector.cs` (214 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/BuildMetadata/DotNetDependencyDeclaration.cs` (212 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/LockFiles/DotNetLockFileCollector.cs` (168 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/DotNetRuntimeConfig.cs` (158 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Capabilities/DotNetCapabilityScanBuilder.cs` (136 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Parsing/PackagesConfigParser.cs` (123 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/DotNetRuntimeEvidenceLoader.cs` (110 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Capabilities/DotNetCapabilityEvidence.cs` (102 lines)
+- Service locator matches:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/DotNetDependencyCollector.cs`:110 if (context.TryGetService<IDotNetAuthenticodeInspector>(out var inspector))
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/StellaOps.Scanner.Analyzers.Lang.Go.md

@@ -0,0 +1,61 @@
+# Audit - StellaOps.Scanner.Analyzers.Lang.Go
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/StellaOps.Scanner.Analyzers.Lang.Go.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 22
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoCapabilityScanner.cs` (838 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/GoLanguageAnalyzer.cs` (830 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoVersionConflictDetector.cs` (438 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoSourceInventory.cs` (427 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoBinaryScanner.cs` (406 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoCgoDetector.cs` (398 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoModParser.cs` (373 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoLicenseDetector.cs` (338 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoBinaryFormatDetector.cs` (301 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/EnhancedGoLicenseDetector.cs` (273 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoDwarfReader.cs` (239 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoWorkParser.cs` (239 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoBuildInfoParser.cs` (234 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoCapabilityScanResult.cs` (227 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoPrivateModuleDetector.cs` (199 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoProjectDiscoverer.cs` (195 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoVendorParser.cs` (178 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoCapabilityScanBuilder.cs` (171 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoBuildInfoDecoder.cs` (159 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoBuildInfoProvider.cs` (148 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoSumParser.cs` (129 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoCapabilityEvidence.cs` (102 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Go.Tests/StellaOps.Scanner.Analyzers.Lang.Go.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/StellaOps.Scanner.Analyzers.Lang.Java.md

@@ -0,0 +1,86 @@
+# Audit - StellaOps.Scanner.Analyzers.Lang.Java
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/StellaOps.Scanner.Analyzers.Lang.Java.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 47
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/JavaLanguageAnalyzer.cs` (1884 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Callgraph/JavaCallgraphBuilder.cs` (952 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Reflection/JavaReflectionAnalyzer.cs` (731 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Jni/JavaJniAnalyzer.cs` (686 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ClassPath/JavaClassPathBuilder.cs` (660 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Resolver/JavaEntrypointResolver.cs` (539 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaLockFileCollector.cs` (509 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Crypto/JavaCryptoExtractor.cs` (488 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Capabilities/JavaCapabilityScanner.cs` (482 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Maven/MavenPomParser.cs` (479 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Gradle/GradleVersionCatalogParser.cs` (397 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Callgraph/JavaReachabilityGraph.cs` (393 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Resolver/JavaEntrypointAocWriter.cs` (388 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Gradle/GradleGroovyParser.cs` (377 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Gradle/GradleKotlinParser.cs` (375 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Osgi/OsgiBundleParser.cs` (369 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ClassPath/JavaModuleInfoParser.cs` (367 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Runtime/JavaRuntimeEdgeResolver.cs` (357 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/License/SpdxLicenseNormalizer.cs` (352 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Resolver/JavaEntrypointResolution.cs` (342 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Discovery/JavaBuildFileDiscovery.cs` (342 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Maven/MavenParentResolver.cs` (334 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Gradle/TomlParser.cs` (318 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/License/JavaLicenseDetector.cs` (316 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Shading/ShadedJarDetector.cs` (316 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Signature/JavaSignatureManifestAnalyzer.cs` (310 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Maven/MavenEffectivePomBuilder.cs` (289 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Runtime/JavaRuntimeEventParser.cs` (286 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Conflicts/VersionConflictDetector.cs` (280 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/PropertyResolution/JavaPropertyResolver.cs` (266 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaArchive.cs` (264 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/BuildMetadata/JavaProjectMetadata.cs` (238 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Runtime/JavaRuntimeIngestor.cs` (234 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Maven/MavenLocalRepository.cs` (228 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Capabilities/JavaCapabilityScanResult.cs` (218 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Maven/MavenBomImporter.cs` (213 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Runtime/JavaRuntimeIngestion.cs` (211 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Gradle/GradlePropertiesParser.cs` (191 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Runtime/JavaRuntimeEvents.cs` (172 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Capabilities/JavaCapabilityScanBuilder.cs` (170 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/BuildMetadata/JavaDependencyDeclaration.cs` (161 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ServiceProviders/JavaServiceProviderScanner.cs` (160 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Signature/JavaSignatureManifestAnalysis.cs` (150 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ServiceProviders/JavaSpiCatalog.cs` (103 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/ClassPath/JavaClassPathAnalysis.cs` (102 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Capabilities/JavaCapabilityEvidence.cs` (102 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaWorkspaceNormalizer.cs` (101 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/StellaOps.Scanner.Analyzers.Lang.Node.md

@@ -0,0 +1,61 @@
+# Audit - StellaOps.Scanner.Analyzers.Lang.Node
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/StellaOps.Scanner.Analyzers.Lang.Node.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 22
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodePackageCollector.cs` (1519 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeLockData.cs` (832 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/Phase22/NodePhase22Analyzer.cs` (679 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/Licensing/NodeLicenseDetector.cs` (586 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/Crypto/NodeCryptoExtractor.cs` (576 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/Capabilities/NodeCapabilityScanner.cs` (538 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeResolver.cs` (532 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodePackage.cs` (498 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeWorkspaceIndex.cs` (452 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/NodeLanguageAnalyzer.cs` (359 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeImportWalker.cs` (351 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/YarnPnpData.cs` (316 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodePnpDataLoader.cs` (307 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeDependencyIndex.cs` (281 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/Capabilities/NodeCapabilityScanBuilder.cs` (271 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/Capabilities/NodeCapabilityScanResult.cs` (218 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/Phase22/NodePhase22Exporter.cs` (175 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/RuntimeEvidenceLoader.cs` (170 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeInputNormalizer.cs` (166 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeVersionDetector.cs` (145 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeEnvironmentScanner.cs` (126 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/Capabilities/NodeCapabilityEvidence.cs` (102 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Node.SmokeTests/StellaOps.Scanner.Analyzers.Lang.Node.SmokeTests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/StellaOps.Scanner.Analyzers.Lang.Php.md

@@ -0,0 +1,72 @@
+# Audit - StellaOps.Scanner.Analyzers.Lang.Php
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/StellaOps.Scanner.Analyzers.Lang.Php.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 31
+- Service locator usage (BuildServiceProvider/GetService): 2
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpFrameworkSurfaceScanner.cs` (888 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpCapabilityScanner.cs` (825 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpFfiDetector.cs` (505 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpPharScanner.cs` (480 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpExtensionScanner.cs` (445 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpFrameworkFingerprinter.cs` (437 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpVersionConflictDetector.cs` (417 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpExtension.cs` (364 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpInstalledJsonReader.cs` (361 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/Runtime/PhpRuntimeShim.cs` (342 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpConfigCollector.cs` (319 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpComposerManifestReader.cs` (306 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/PhpLanguageAnalyzer.cs` (299 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpInputNormalizer.cs` (286 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpConfigCollection.cs` (277 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpAutoloadGraphBuilder.cs` (270 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpIncludeGraphBuilder.cs` (269 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpIncludeScanner.cs` (244 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/Runtime/PhpRuntimeEvidenceCollector.cs` (232 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpPharArchive.cs` (202 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpCapabilityScanResult.cs` (200 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpFrameworkSurface.cs` (190 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpComposerManifest.cs` (189 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/ComposerLockReader.cs` (188 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpVirtualFileSystem.cs` (182 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpFrameworkFingerprint.cs` (171 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpCapabilityEvidence.cs` (158 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/Runtime/PhpRuntimeEvidence.cs` (135 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpProjectInput.cs` (111 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpIncludeEdge.cs` (108 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpPackage.cs` (107 lines)
+- Service locator matches:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpFrameworkSurfaceScanner.cs`:111 // Scan app/Providers/EventServiceProvider.php for event listeners
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Php/Internal/PhpFrameworkSurfaceScanner.cs`:112 var eventProviderFile = fileSystem.GetFilesByPattern("**/EventServiceProvider.php").FirstOrDefault();
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Php.Tests/StellaOps.Scanner.Analyzers.Lang.Php.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.md

@@ -0,0 +1,91 @@
+# Audit - StellaOps.Scanner.Analyzers.Lang.Python
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 52
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/PythonDistributionLoader.cs` (1129 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/VirtualFileSystem/PythonInputNormalizer.cs` (953 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/PythonDistributionVfsLoader.cs` (937 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/PythonLanguageAnalyzer.cs` (880 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/PythonLockFileCollector.cs` (829 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/VirtualFileSystem/PythonVirtualFileSystem.cs` (697 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Entrypoints/PythonEntrypointDiscovery.cs` (668 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Imports/PythonImportGraph.cs` (562 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Capabilities/NativeLibraryAnalyzer.cs` (558 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Resolver/PythonModuleResolver.cs` (546 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/PythonZipappAdapter.cs` (528 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Vendoring/VendoredPackageDetector.cs` (525 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Imports/PythonSourceImportExtractor.cs` (514 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Licensing/SpdxLicenseNormalizer.cs` (447 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/PythonStartupHookDetector.cs` (447 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Packaging/Adapters/ContainerLayerAdapter.cs` (424 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Framework/PythonFrameworkDetector.cs` (423 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Packaging/Adapters/EggInfoAdapter.cs` (417 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Imports/PythonBytecodeImportExtractor.cs` (416 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/RuntimeEvidence/PythonRuntimeEvidenceCollector.cs` (397 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Observations/PythonObservationBuilder.cs` (395 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Conflicts/VersionConflictDetector.cs` (389 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Imports/PythonImportAnalysis.cs` (381 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Capabilities/PythonNativeExtensionScanner.cs` (363 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Packaging/PythonScopeClassifier.cs` (360 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/PythonContainerAdapter.cs` (352 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Dependencies/DependencyGraph.cs` (338 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Capabilities/PythonCapabilityDetector.cs` (335 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Framework/PythonProjectConfigParser.cs` (327 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/PythonEnvironmentDetector.cs` (326 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Packaging/Adapters/DistInfoAdapter.cs` (316 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Packaging/Adapters/PoetryAdapter.cs` (305 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Packaging/PythonPackageDiscovery.cs` (299 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Resolver/PythonModuleResolution.cs` (279 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Packaging/Adapters/PipEditableAdapter.cs` (279 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Packaging/ContainerOverlayHandler.cs` (277 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Licensing/PythonLicenseDetector.cs` (271 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Dependencies/TransitiveDependencyResolver.cs` (254 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Observations/PythonObservationDocument.cs` (231 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Capabilities/PythonCapability.cs` (200 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/RuntimeEvidence/PythonPathHasher.cs` (194 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/RuntimeEvidence/PythonImportHookScript.cs` (194 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Framework/PythonFrameworkKind.cs` (186 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Packaging/PythonPackageInfo.cs` (185 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Entrypoints/PythonEntrypoint.cs` (183 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Packaging/Adapters/CondaAdapter.cs` (182 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Capabilities/PythonNativeExtension.cs` (162 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Framework/PythonFrameworkHint.cs` (151 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Imports/PythonImport.cs` (149 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Entrypoints/PythonEntrypointAnalysis.cs` (138 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/Vendoring/VendoringMetadataBuilder.cs` (124 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/Internal/VirtualFileSystem/PythonProjectAnalysis.cs` (122 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/StellaOps.Scanner.Analyzers.Lang.Ruby.md

@@ -0,0 +1,63 @@
+# Audit - StellaOps.Scanner.Analyzers.Lang.Ruby
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/StellaOps.Scanner.Analyzers.Lang.Ruby.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 22
+- Service locator usage (BuildServiceProvider/GetService): 2
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/RubyContainerScanner.cs` (660 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/Observations/RubyObservationSerializer.cs` (589 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/RubyRuntimeGraphBuilder.cs` (466 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/Runtime/RubyRuntimeEvidenceCollector.cs` (375 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/RubyVendorArtifactCollector.cs` (374 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/RubyLockCollector.cs` (363 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/RubyCapabilityDetector.cs` (319 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/RubyLanguageAnalyzer.cs` (318 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/Runtime/RubyRuntimeShim.cs` (307 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/Observations/RubyObservationBuilder.cs` (307 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/Policy/RubyPolicySignalEmitter.cs` (286 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/Policy/RubyPolicyContextBuilder.cs` (281 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/RubyLockParser.cs` (274 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/Runtime/RubyRuntimeTraceReader.cs` (268 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/RubyManifestParser.cs` (267 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/Runtime/RubyRuntimeEvidenceIntegrator.cs` (256 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/Observations/RubyObservationDocument.cs` (239 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/Runtime/RubyRuntimeEvidence.cs` (196 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/Runtime/RubyRuntimeTraceRunner.cs` (164 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/RubyBundlerConfig.cs` (156 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/RubyPackage.cs` (154 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/Internal/RubyPackageCollector.cs` (141 lines)
+- Service locator matches:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/RubyLanguageAnalyzer.cs`:100 if (!context.TryGetService<ISurfaceValidatorRunner>(out var validatorRunner)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Ruby/RubyLanguageAnalyzer.cs`:101 || !context.TryGetService<ISurfaceEnvironment>(out var environment))
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Ruby.Tests/StellaOps.Scanner.Analyzers.Lang.Ruby.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/StellaOps.Scanner.Analyzers.Lang.Rust.md

@@ -0,0 +1,46 @@
+# Audit - StellaOps.Scanner.Analyzers.Lang.Rust
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/StellaOps.Scanner.Analyzers.Lang.Rust.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 6
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/Internal/RustAnalyzerCollector.cs` (727 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/Internal/RustCargoLockParser.cs` (312 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/Internal/RustLicenseScanner.cs` (298 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/Internal/EnhancedRustLicenseDetector.cs` (265 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/Internal/RustBinaryClassifier.cs` (243 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/Internal/RustFingerprintScanner.cs` (186 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: none
+- Missing layers: Unit, Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/StellaOps.Scanner.Analyzers.Lang.md

@@ -0,0 +1,61 @@
+# Audit - StellaOps.Scanner.Analyzers.Lang
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/StellaOps.Scanner.Analyzers.Lang.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 18
+- Service locator usage (BuildServiceProvider/GetService): 4
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageComponentRecord.cs` (477 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/Licensing/LicenseTextExtractor.cs` (389 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/Licensing/CopyrightExtractor.cs` (385 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/Licensing/LicenseCategorizationService.cs` (349 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/Licensing/LicenseDetectionAggregator.cs` (280 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageComponentSemanticExtensions.cs` (261 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/Licensing/LicenseDetectionResult.cs` (260 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/CapabilityScanResult.cs` (233 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageComponentMapper.cs` (223 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/ICapabilityScanner.cs` (164 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Plugin/LanguageAnalyzerPluginCatalog.cs` (147 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerResult.cs` (128 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/Internal/LanguageAnalyzerSurfaceCache.cs` (121 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/CapabilityEvidence.cs` (116 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/Licensing/ILicenseCategorizationService.cs` (114 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/Internal/LanguageWorkspaceFingerprint.cs` (112 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/CapabilityKind.cs` (110 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerContext.cs` (101 lines)
+- Service locator matches:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerContext.cs`:48 public bool TryGetService<T>([NotNullWhen(true)] out T? service) where T : class
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerContext.cs`:56 service = Services.GetService(typeof(T)) as T;
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerContext.cs`:92 var environment = services.GetService(typeof(ISurfaceEnvironment)) as ISurfaceEnvironment;
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerContext.cs`:98 var provider = services.GetService(typeof(ISurfaceSecretProvider)) as ISurfaceSecretProvider;
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests/StellaOps.Scanner.Analyzers.Lang.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Node.SmokeTests/StellaOps.Scanner.Analyzers.Lang.Node.SmokeTests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Go.Tests/StellaOps.Scanner.Analyzers.Lang.Go.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Ruby.Tests/StellaOps.Scanner.Analyzers.Lang.Ruby.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Php.Tests/StellaOps.Scanner.Analyzers.Lang.Php.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.md

@@ -0,0 +1,48 @@
+# Audit - StellaOps.Scanner.Analyzers.Native
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 9
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/Internal/Elf/ElfReader.cs` (516 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/Internal/Callgraph/NativeCallgraphBuilder.cs` (365 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/Internal/Graph/NativeReachabilityGraph.cs` (356 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/Internal/Graph/NativeGraphDsseWriter.cs` (302 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/Internal/Demangle/CompositeDemangler.cs` (281 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/Timeline/TimelineBuilder.cs` (259 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/NativeReachabilityAnalyzer.cs` (256 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/Internal/Elf/ElfTypes.cs` (220 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/Timeline/RuntimeTimeline.cs` (184 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/StellaOps.Scanner.Analyzers.Native.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Library.Tests/StellaOps.Scanner.Analyzers.Native.Library.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Apk/StellaOps.Scanner.Analyzers.OS.Apk.md

@@ -0,0 +1,42 @@
+# Audit - StellaOps.Scanner.Analyzers.OS.Apk
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Apk/StellaOps.Scanner.Analyzers.OS.Apk.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 2
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Apk/ApkDatabaseParser.cs` (203 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Apk/ApkPackageAnalyzer.cs` (110 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: none
+- Missing layers: Unit, Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Dpkg/StellaOps.Scanner.Analyzers.OS.Dpkg.md

@@ -0,0 +1,42 @@
+# Audit - StellaOps.Scanner.Analyzers.OS.Dpkg
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Dpkg/StellaOps.Scanner.Analyzers.OS.Dpkg.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 2
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Dpkg/DpkgPackageAnalyzer.cs` (268 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Dpkg/DpkgStatusParser.cs` (253 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: none
+- Missing layers: Unit, Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Homebrew/StellaOps.Scanner.Analyzers.OS.Homebrew.md

@@ -0,0 +1,41 @@
+# Audit - StellaOps.Scanner.Analyzers.OS.Homebrew
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Homebrew/StellaOps.Scanner.Analyzers.OS.Homebrew.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 2
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Homebrew/HomebrewPackageAnalyzer.cs` (386 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Homebrew/HomebrewReceiptParser.cs` (237 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Homebrew.Tests/StellaOps.Scanner.Analyzers.OS.Homebrew.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/StellaOps.Scanner.Analyzers.OS.MacOsBundle.md

@@ -0,0 +1,42 @@
+# Audit - StellaOps.Scanner.Analyzers.OS.MacOsBundle
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/StellaOps.Scanner.Analyzers.OS.MacOsBundle.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 3
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/MacOsBundleAnalyzer.cs` (439 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/EntitlementsParser.cs` (230 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/InfoPlistParser.cs` (132 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.MacOsBundle.Tests/StellaOps.Scanner.Analyzers.OS.MacOsBundle.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Pkgutil/StellaOps.Scanner.Analyzers.OS.Pkgutil.md

@@ -0,0 +1,42 @@
+# Audit - StellaOps.Scanner.Analyzers.OS.Pkgutil
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Pkgutil/StellaOps.Scanner.Analyzers.OS.Pkgutil.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 3
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Pkgutil/PkgutilPackageAnalyzer.cs` (227 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Pkgutil/BomParser.cs` (198 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Pkgutil/PkgutilReceiptParser.cs` (154 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Pkgutil.Tests/StellaOps.Scanner.Analyzers.OS.Pkgutil.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/StellaOps.Scanner.Analyzers.OS.Rpm.md

@@ -0,0 +1,44 @@
+# Audit - StellaOps.Scanner.Analyzers.OS.Rpm
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/StellaOps.Scanner.Analyzers.OS.Rpm.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 4
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeaderParser.cs` (479 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/RpmDatabaseReader.cs` (416 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/BerkeleyDbReader.cs` (211 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/RpmPackageAnalyzer.cs` (137 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: none
+- Missing layers: Unit, Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey.md

@@ -0,0 +1,41 @@
+# Audit - StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 2
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey/ChocolateyPackageAnalyzer.cs` (294 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey/NuspecParser.cs` (184 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey.Tests/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.Msi/StellaOps.Scanner.Analyzers.OS.Windows.Msi.md

@@ -0,0 +1,40 @@
+# Audit - StellaOps.Scanner.Analyzers.OS.Windows.Msi
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.Msi/StellaOps.Scanner.Analyzers.OS.Windows.Msi.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 1
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.Msi/MsiPackageAnalyzer.cs` (284 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Windows.Msi.Tests/StellaOps.Scanner.Analyzers.OS.Windows.Msi.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS.md

@@ -0,0 +1,41 @@
+# Audit - StellaOps.Scanner.Analyzers.OS.Windows.WinSxS
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 2
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS/WinSxSManifestParser.cs` (240 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS/WinSxSPackageAnalyzer.cs` (236 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS.Tests/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/StellaOps.Scanner.Analyzers.OS.md

@@ -0,0 +1,46 @@
+# Audit - StellaOps.Scanner.Analyzers.OS
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/StellaOps.Scanner.Analyzers.OS.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 7
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/Internal/OsAnalyzerSurfaceCache.cs` (280 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/Helpers/OsFileEvidenceFactory.cs` (229 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/Mapping/OsComponentMapper.cs` (199 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/Helpers/PackageUrlBuilder.cs` (171 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/Internal/OsRootfsFingerprint.cs` (155 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/Plugin/OsAnalyzerPluginCatalog.cs` (147 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/Model/OSPackageRecord.cs` (138 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey.Tests/StellaOps.Scanner.Analyzers.OS.Windows.Chocolatey.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/StellaOps.Scanner.Analyzers.OS.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Pkgutil.Tests/StellaOps.Scanner.Analyzers.OS.Pkgutil.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.MacOsBundle.Tests/StellaOps.Scanner.Analyzers.OS.MacOsBundle.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Homebrew.Tests/StellaOps.Scanner.Analyzers.OS.Homebrew.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS.Tests/StellaOps.Scanner.Analyzers.OS.Windows.WinSxS.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Windows.Msi.Tests/StellaOps.Scanner.Analyzers.OS.Windows.Msi.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/StellaOps.Scanner.Analyzers.Secrets.md

@@ -0,0 +1,60 @@
+# Audit - StellaOps.Scanner.Analyzers.Secrets
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/StellaOps.Scanner.Analyzers.Secrets.csproj`
+- Module: `Scanner`
+- Kind: `Analyzer`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 21
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Bundles/BundleVerifier.cs` (527 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Bundles/BundleSigner.cs` (349 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Bundles/BundleBuilder.cs` (345 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Alerts/SecretAlertEmitter.cs` (313 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzer.cs` (276 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Alerts/NotifySecretAlertPublisher.cs` (256 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Rules/RulesetLoader.cs` (227 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Alerts/SecretFindingAlertEvent.cs` (221 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Alerts/SecretAlertSettings.cs` (209 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Detectors/EntropyDetector.cs` (199 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Rules/SecretRule.cs` (191 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Bundles/RuleValidator.cs` (186 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerHost.cs` (186 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Detectors/EntropyCalculator.cs` (161 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Masking/PayloadMasker.cs` (151 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Bundles/BundleManifest.cs` (151 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Detectors/CompositeSecretDetector.cs` (139 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Detectors/RegexDetector.cs` (137 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Evidence/SecretLeakEvidence.cs` (136 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerOptions.cs` (118 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Rules/SecretRuleset.cs` (115 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/StellaOps.Scanner.Analyzers.Secrets.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Benchmark/StellaOps.Scanner.Benchmark.md

@@ -0,0 +1,48 @@
+# Audit - StellaOps.Scanner.Benchmark
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Benchmark/StellaOps.Scanner.Benchmark.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 8
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Benchmark/Claims/ClaimsIndex.cs` (269 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Benchmark/Metrics/MetricsCalculator.cs` (164 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Benchmark/Metrics/BenchmarkMetrics.cs` (152 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Benchmark/Corpus/CorpusManifest.cs` (129 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Benchmark/Harness/GrypeAdapter.cs` (125 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Benchmark/Corpus/FindingClassification.cs` (125 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Benchmark/Harness/TrivyAdapter.cs` (119 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Benchmark/Harness/SyftAdapter.cs` (111 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: none
+- Missing layers: Unit, Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.md

@@ -0,0 +1,41 @@
+# Audit - StellaOps.Scanner.Benchmarks
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 2
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/ICorpusRunner.cs` (232 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/BenchmarkResultWriter.cs` (222 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Benchmarks.Tests/StellaOps.Scanner.Benchmarks.Tests.csproj [Performance]
+- Missing layers: Unit
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/StellaOps.Scanner.BuildProvenance.md

@@ -0,0 +1,49 @@
+# Audit - StellaOps.Scanner.BuildProvenance
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/StellaOps.Scanner.BuildProvenance.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 10
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Reporting/BuildProvenanceReportFormatter.cs` (231 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildProvenanceAnalyzer.cs` (207 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildConfigVerifier.cs` (200 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/ReproducibilityVerifier.cs` (185 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/SourceVerifier.cs` (172 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Models/BuildProvenanceModels.cs` (151 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildProvenanceChainBuilder.cs` (148 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuilderVerifier.cs` (144 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/SlsaLevelEvaluator.cs` (133 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildInputIntegrityChecker.cs` (110 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.BuildProvenance.Tests/StellaOps.Scanner.BuildProvenance.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Cache/StellaOps.Scanner.Cache.md

@@ -0,0 +1,44 @@
+# Audit - StellaOps.Scanner.Cache
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Cache/StellaOps.Scanner.Cache.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 4
+- Service locator usage (BuildServiceProvider/GetService): 1
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Cache/FileCas/FileContentAddressableStore.cs` (481 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Cache/LayerCache/LayerCacheStore.cs` (480 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Cache/LayerSbomCas/PostgresLayerSbomCas.cs` (292 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Cache/LayerSbomCas/ILayerSbomCas.cs` (173 lines)
+- Service locator matches:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Cache/ScannerCacheServiceCollectionExtensions.cs`:34 var timeProvider = sp.GetService<TimeProvider>() ?? TimeProvider.System;
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Cache.Tests/StellaOps.Scanner.Cache.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.CallGraph/StellaOps.Scanner.CallGraph.md

@@ -0,0 +1,83 @@
+# Audit - StellaOps.Scanner.CallGraph
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/StellaOps.Scanner.CallGraph.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 44
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/BinaryCallGraphExtractor.cs` (1179 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Java/JavaBytecodeAnalyzer.cs` (635 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/DwarfDebugReader.cs` (538 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Node/NodeCallGraphExtractor.cs` (537 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/FunctionBoundaryDetector.cs` (525 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/DotNet/DotNetCallGraphExtractor.cs` (522 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Python/PythonCallGraphExtractor.cs` (479 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/Analysis/BinaryStringLiteralScanner.cs` (464 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Deno/DenoCallGraphExtractor.cs` (441 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Go/GoCallGraphExtractor.cs` (426 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Php/PhpCallGraphExtractor.cs` (424 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/JavaScript/JavaScriptCallGraphExtractor.cs` (411 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Java/JavaModels.cs` (410 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/Disassembly/BinaryTextSectionReader.cs` (396 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Bun/BunCallGraphExtractor.cs` (390 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Java/JavaCallGraphExtractor.cs` (370 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Ruby/RubyCallGraphExtractor.cs` (357 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Java/JavaSymbolIdBuilder.cs` (307 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Node/BabelResultParser.cs` (261 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/GuardDetector.cs` (249 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Caching/ValkeyCallGraphCacheService.cs` (242 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Analysis/ReachabilityAnalyzer.cs` (240 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Go/GoSymbolIdBuilder.cs` (225 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Python/PythonSinkMatcher.cs` (200 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Go/GoSsaResultParser.cs` (192 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/JavaScript/JsSinkMatcher.cs` (185 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Go/GoSinkMatcher.cs` (177 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Java/JavaSinkMatcher.cs` (175 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Php/PhpSinkMatcher.cs` (174 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Go/GoEntrypointClassifier.cs` (161 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Java/JavaEntrypointClassifier.cs` (157 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Ruby/RubySinkMatcher.cs` (154 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/JavaScript/JsEntrypointClassifier.cs` (152 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/BinaryEntrypointClassifier.cs` (152 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/Disassembly/DirectCallExtractor.cs` (146 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Php/PhpEntrypointClassifier.cs` (144 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Python/PythonEntrypointClassifier.cs` (140 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Caching/CircuitBreakerState.cs` (133 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/Analysis/BinaryDynamicLoadDetector.cs` (128 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Deno/DenoEntrypointClassifier.cs` (126 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Ruby/RubyEntrypointClassifier.cs` (112 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Deno/DenoSinkMatcher.cs` (111 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Bun/BunSinkMatcher.cs` (111 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/CallGraphExtractorRegistry.cs` (104 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.CallGraph.Tests/StellaOps.Scanner.CallGraph.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/StellaOps.Scanner.ChangeTrace.md

@@ -0,0 +1,52 @@
+# Audit - StellaOps.Scanner.ChangeTrace
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/StellaOps.Scanner.ChangeTrace.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 13
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/ByteDiff/SectionAnalyzer.cs` (425 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/ByteDiff/ByteLevelDiffer.cs` (381 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/CycloneDx/ChangeTraceEvidenceExtension.cs` (362 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Scoring/TrustDeltaCalculator.cs` (265 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Validation/ChangeTraceValidator.cs` (260 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Models/PackageDelta.cs` (208 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Proofs/LatticeProofGenerator.cs` (196 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Models/ChangeTrace.cs` (178 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Builder/ChangeTraceBuilder.cs` (170 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Serialization/ChangeTraceSerializer.cs` (158 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Integration/IReachGraphClient.cs` (117 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Models/SymbolDelta.cs` (114 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Models/TrustDelta.cs` (111 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.ChangeTrace.Tests/StellaOps.Scanner.ChangeTrace.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Contracts/StellaOps.Scanner.Contracts.md

@@ -0,0 +1,41 @@
+# Audit - StellaOps.Scanner.Contracts
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Contracts/StellaOps.Scanner.Contracts.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 2
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Contracts/CallGraphModels.cs` (485 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Contracts/SinkRegistry.cs` (143 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Contracts.Tests/StellaOps.Scanner.Contracts.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Core/StellaOps.Scanner.Core.md

@@ -0,0 +1,82 @@
+# Audit - StellaOps.Scanner.Core
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Core/StellaOps.Scanner.Core.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 42
+- Service locator usage (BuildServiceProvider/GetService): 1
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Normalization/PackageNameNormalizer.cs` (624 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Models/ZeroDayWindowTracking.cs` (535 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Models/FalsificationConditions.cs` (439 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/EpssChangeEvent.cs` (378 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Models/SbomVersioning.cs` (364 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/ScanManifest.cs` (317 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Models/LayerDependencyGraph.cs` (307 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Contracts/ComponentGraph.cs` (301 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Provenance/IEnrichmentProvenanceCapture.cs` (284 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Contracts/ComponentModels.cs` (283 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretAlertSettings.cs` (265 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/ProofBundleWriter.cs` (258 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/SecretFindingAlertEvent.cs` (226 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/ScanManifestSigner.cs` (226 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretRevelationService.cs` (223 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/SecretAlertEmitter.cs` (222 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/TrustAnchors/TrustAnchorRegistry.cs` (205 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/EpssPriorityBand.cs` (202 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Models/ComponentIdentity.cs` (202 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretExceptionMatcher.cs` (198 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Normalization/IPackageNameNormalizer.cs` (197 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Provenance/EnrichmentProvenanceCapture.cs` (196 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretDetectionSettings.cs` (194 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretExceptionPattern.cs` (189 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Contracts/ScanJob.cs` (173 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/ISecretAlertRouter.cs` (167 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Masking/SecretMasker.cs` (164 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/EpssEvidence.cs` (147 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/ISecretAlertEmitter.cs` (146 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/EpssEnrichmentOptions.cs` (143 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs` (143 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/OfflineKitOptionsValidator.cs` (142 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Utility/ScannerIdentifiers.cs` (136 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Security/AuthorityTokenSource.cs` (128 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Contracts/ScanProgressEvent.cs` (121 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/IEpssProvider.cs` (119 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Observability/ScannerLogExtensions.cs` (115 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretRevelationPolicy.cs` (114 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Contracts/ScannerError.cs` (110 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Entropy/EntropyReportBuilder.cs` (107 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/TrustAnchors/FileSystemPublicKeyLoader.cs` (106 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Replay/RecordModeAssembler.cs` (101 lines)
+- Service locator matches:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Security/ServiceCollectionExtensions.cs`:29 services.TryAddSingleton<IDpopReplayCache>(provider => new InMemoryDpopReplayCache(provider.GetService<TimeProvider>()));
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/StellaOps.Scanner.Core.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/StellaOps.Scanner.CryptoAnalysis.md

@@ -0,0 +1,52 @@
+# Audit - StellaOps.Scanner.CryptoAnalysis
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/StellaOps.Scanner.CryptoAnalysis.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 13
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Reporting/CryptoInventoryExporter.cs` (312 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoAlgorithmCatalog.cs` (261 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Reporting/CryptoAnalysisReportFormatter.cs` (219 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/AlgorithmStrengthAnalyzer.cs` (206 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Models/CryptoAnalysisModels.cs` (176 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/ProtocolAnalyzer.cs` (174 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/CryptoAnalysisAnalyzer.cs` (164 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/FipsComplianceChecker.cs` (146 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/PostQuantumAnalyzer.cs` (144 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Policy/CryptoPolicyLoader.cs` (130 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoInventoryGenerator.cs` (124 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CertificateAnalyzer.cs` (122 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoAnalysisContext.cs` (117 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.CryptoAnalysis.Tests/StellaOps.Scanner.CryptoAnalysis.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Delta/StellaOps.Scanner.Delta.md

@@ -0,0 +1,45 @@
+# Audit - StellaOps.Scanner.Delta
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Delta/StellaOps.Scanner.Delta.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 5
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/DeltaEvidenceComposer.cs` (352 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/DeltaLayerScanner.cs` (343 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/DeltaScanPredicate.cs` (293 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/IDeltaLayerScanner.cs` (270 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Delta/Evidence/IDeltaEvidenceComposer.cs` (137 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: none
+- Missing layers: Unit, Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Diff/StellaOps.Scanner.Diff.md

@@ -0,0 +1,41 @@
+# Audit - StellaOps.Scanner.Diff
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Diff/StellaOps.Scanner.Diff.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 2
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Diff/ComponentDiffer.cs` (398 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Diff/ComponentDiffModels.cs` (109 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Diff.Tests/StellaOps.Scanner.Diff.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Emit/StellaOps.Scanner.Emit.md

@@ -0,0 +1,86 @@
+# Audit - StellaOps.Scanner.Emit
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Emit/StellaOps.Scanner.Emit.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 47
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/CycloneDxComposer.cs` (682 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/SbomValidationPipeline.cs` (604 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/CycloneDxCbomWriter.cs` (508 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Cbom/CryptoProperties.cs` (467 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/SpdxComposer.cs` (445 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/LicenseEvidenceBuilder.cs` (441 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Spdx/Serialization/SpdxJsonLdSerializer.cs` (413 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Spdx/Licensing/SpdxLicenseList.cs` (406 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/SemanticSbomExtensions.cs` (383 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Lineage/SbomDiffEngine.cs` (383 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/FeedserPedigreeDataProvider.cs` (377 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Cbom/CbomSerializer.cs` (373 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Cbom/CbomAggregationService.cs` (367 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/SpdxLayerWriter.cs` (339 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/CompositionRecipeService.cs` (333 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Lineage/SbomDiff.cs` (280 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/IPedigreeDataProvider.cs` (279 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/CycloneDxLayerWriter.cs` (265 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/CallstackEvidenceBuilder.cs` (259 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/CommitInfoBuilder.cs` (255 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/CycloneDxPedigreeMapper.cs` (245 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/PatchInfoBuilder.cs` (244 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Index/BomIndexBuilder.cs` (239 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/VariantComponentBuilder.cs` (237 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/CycloneDxEvidenceMapper.cs` (217 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/CachedPedigreeDataProvider.cs` (215 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Native/NativeComponentMapper.cs` (205 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Spdx/Models/SpdxModels.cs` (204 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/IdentityEvidenceBuilder.cs` (203 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Native/INativeComponentEmitter.cs` (203 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/PedigreeNotesGenerator.cs` (199 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Spdx/Conversion/SpdxCycloneDxConverter.cs` (198 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/LayerSbomComposer.cs` (197 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Cbom/ICryptoAssetExtractor.cs` (196 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/EvidenceConfidenceNormalizer.cs` (175 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Packaging/ScannerArtifactPackageBuilder.cs` (174 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/LegacyEvidencePropertyWriter.cs` (163 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Lineage/RebuildProof.cs` (162 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/SbomCompositionRequest.cs` (156 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Native/NativeComponentEmitter.cs` (155 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/AncestorComponentBuilder.cs` (149 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/OccurrenceEvidenceBuilder.cs` (134 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/LayerSbomRef.cs` (119 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Spdx/Serialization/SpdxTagValueSerializer.cs` (115 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Native/NativePurlBuilder.cs` (115 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/SbomCompositionResult.cs` (108 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Lineage/ISbomStore.cs` (101 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Emit.Tests/StellaOps.Scanner.Emit.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Emit.Lineage.Tests/StellaOps.Scanner.Emit.Lineage.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/StellaOps.Scanner.EntryTrace.md

@@ -0,0 +1,100 @@
+# Audit - StellaOps.Scanner.EntryTrace
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/StellaOps.Scanner.EntryTrace.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 61
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/EntryTraceAnalyzer.cs` (2096 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/FileSystem/LayeredRootFileSystem.cs` (918 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/DockerComposeParser.cs` (790 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/KubernetesManifestParser.cs` (641 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Baseline/BaselineAnalyzer.cs` (637 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/MeshEntrypointAnalyzer.cs` (633 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Baseline/DefaultConfigurations.cs` (630 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/EntryTraceImageContextFactory.cs` (608 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Speculative/ShellSymbolicExecutor.cs` (593 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Baseline/BaselineModels.cs` (540 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/GoSemanticAdapter.cs` (525 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/NodeSemanticAdapter.cs` (520 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Parsing/ShellParser.cs` (485 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Risk/IRiskScorer.cs` (484 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/PythonSemanticAdapter.cs` (473 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/IFingerprintIndex.cs` (473 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/DotNetSemanticAdapter.cs` (469 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Risk/CompositeRiskScorer.cs` (461 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Risk/RiskScore.cs` (453 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/JavaSemanticAdapter.cs` (447 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypointOrchestrator.cs` (434 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Mesh/MeshEntrypointGraph.cs` (433 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/DataBoundaryMapper.cs` (429 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/CapabilityDetector.cs` (428 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/ThreatVectorInferrer.cs` (420 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/BinaryAnalysisResult.cs` (412 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Speculative/ExecutionTree.cs` (393 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/EntryTraceRuntimeReconciler.cs` (381 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/ISymbolRecovery.cs` (379 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/FingerprintCorpusBuilder.cs` (361 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Temporal/InMemoryTemporalEntrypointStore.cs` (342 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Serialization/EntryTraceNdjsonWriter.cs` (334 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Speculative/PathConfidenceScorer.cs` (327 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/FileSystem/DirectoryRootFileSystem.cs` (325 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/IFingerprintGenerator.cs` (312 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Serialization/EntryTraceGraphSerializer.cs` (309 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntryTraceAnalyzer.cs` (308 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Speculative/PathEnumerator.cs` (301 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Speculative/ISymbolicExecutor.cs` (301 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/CodeFingerprint.cs` (299 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Speculative/SymbolicValue.cs` (295 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/SymbolInfo.cs` (276 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/BinaryIntelligenceAnalyzer.cs` (252 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Temporal/TemporalEntrypointGraph.cs` (241 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcFileSystemSnapshot.cs` (230 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/VulnerableFunctionMatcher.cs` (230 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Speculative/SymbolicState.cs` (226 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypoint.cs` (209 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Parsing/ShellTokenizer.cs` (200 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/EntryTraceTypes.cs` (198 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ISemanticEntrypointAnalyzer.cs` (182 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/DataFlowBoundary.cs` (167 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Temporal/EntrypointDrift.cs` (160 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ThreatVector.cs` (143 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticConfidence.cs` (140 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Oci/OciImageConfig.cs` (140 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/CapabilityClass.cs` (137 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/RootFileSystemExtensions.cs` (130 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/ServiceCollectionExtensions.cs` (114 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Baseline/BaselineServiceCollectionExtensions.cs` (112 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Runtime/ProcGraphBuilder.cs` (104 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.EntryTrace.Tests/StellaOps.Scanner.EntryTrace.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Evidence/StellaOps.Scanner.Evidence.md

@@ -0,0 +1,49 @@
+# Audit - StellaOps.Scanner.Evidence
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/StellaOps.Scanner.Evidence.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 10
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/SbomFuncProofLinker.cs` (552 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/FuncProofBuilder.cs` (476 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/FuncProofTransparencyService.cs` (449 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/FuncProof.cs` (367 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/DeltaSignatureEvidence.cs` (303 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/FuncProofDsseService.cs` (297 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/DeltaSigVexEmitter.cs` (277 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/EvidenceBundle.cs` (251 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Privacy/EvidenceRedactionService.cs` (227 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/FuncProofGenerationOptions.cs` (155 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Evidence.Tests/StellaOps.Scanner.Evidence.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Explainability/StellaOps.Scanner.Explainability.md

@@ -0,0 +1,47 @@
+# Audit - StellaOps.Scanner.Explainability
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Explainability/StellaOps.Scanner.Explainability.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 8
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Explainability/RiskReport.cs` (277 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Explainability/Dsse/ExplainabilityPredicateSerializer.cs` (232 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Explainability/Confidence/EvidenceDensityScorer.cs` (226 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Explainability/Falsifiability/FalsifiabilityGenerator.cs` (223 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Explainability/Falsifiability/FalsifiabilityCriteria.cs` (131 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Explainability/Assumptions/IAssumptionCollector.cs` (123 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Explainability/Assumptions/AssumptionSet.cs` (119 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Explainability/Assumptions/Assumption.cs` (108 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Explainability.Tests/StellaOps.Scanner.Explainability.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Gate/StellaOps.Scanner.Gate.md

@@ -0,0 +1,51 @@
+# Audit - StellaOps.Scanner.Gate
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Gate/StellaOps.Scanner.Gate.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 11
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateOptions.cs` (379 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateAuditLogger.cs` (305 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateExcititorAdapter.cs` (263 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateService.cs` (249 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/CachingVexObservationProvider.cs` (226 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGatePolicy.cs` (201 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateServiceCollectionExtensions.cs` (169 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/IVexObservationQuery.cs` (150 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateResult.cs` (144 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGatePolicyEvaluator.cs` (116 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/IVexGateService.cs` (116 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: none
+- Missing layers: Unit, Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Manifest/StellaOps.Scanner.Manifest.md

@@ -0,0 +1,52 @@
+# Audit - StellaOps.Scanner.Manifest
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/StellaOps.Scanner.Manifest.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 12
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/LayerDigestResolver.cs` (425 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Reuse/LayerReuseDetector.cs` (324 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/OciManifestSnapshotService.cs` (315 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/BaseImageDetector.cs` (257 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Persistence/ManifestSnapshotRepository.cs` (250 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Reuse/ILayerReuseDetector.cs` (245 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/DiffIdCache.cs` (182 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/LayerProvenance.cs` (144 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/IOciManifestSnapshotService.cs` (133 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Models/ManifestComparisonResult.cs` (123 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Models/OciManifestSnapshot.cs` (122 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/ILayerDigestResolver.cs` (109 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: none
+- Missing layers: Unit, Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/StellaOps.Scanner.MaterialChanges.md

@@ -0,0 +1,42 @@
+# Audit - StellaOps.Scanner.MaterialChanges
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/StellaOps.Scanner.MaterialChanges.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 3
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/CardGenerators.cs` (630 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/MaterialChangesReport.cs` (306 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/MaterialChangesOrchestrator.cs` (263 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.MaterialChanges.Tests/StellaOps.Scanner.MaterialChanges.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Orchestration/StellaOps.Scanner.Orchestration.md

@@ -0,0 +1,42 @@
+# Audit - StellaOps.Scanner.Orchestration
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Orchestration/StellaOps.Scanner.Orchestration.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 2
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Orchestration/Fidelity/FidelityAwareAnalyzer.cs` (433 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Orchestration/Fidelity/FidelityLevel.cs` (112 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: none
+- Missing layers: Unit, Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/StellaOps.Scanner.PatchVerification.md

@@ -0,0 +1,44 @@
+# Audit - StellaOps.Scanner.PatchVerification
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/StellaOps.Scanner.PatchVerification.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 5
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/PatchVerificationOrchestrator.cs` (441 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationEvidence.cs` (148 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Services/IPatchSignatureStore.cs` (122 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Services/InMemoryPatchSignatureStore.cs` (119 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationResult.cs` (110 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.PatchVerification.Tests/StellaOps.Scanner.PatchVerification.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.ProofIntegration/StellaOps.Scanner.ProofIntegration.md

@@ -0,0 +1,40 @@
+# Audit - StellaOps.Scanner.ProofIntegration
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.ProofIntegration/StellaOps.Scanner.ProofIntegration.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 1
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ProofIntegration/ProofAwareVexGenerator.cs` (173 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.ProofIntegration.Tests/StellaOps.Scanner.ProofIntegration.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.ProofSpine/StellaOps.Scanner.ProofSpine.md

@@ -0,0 +1,43 @@
+# Audit - StellaOps.Scanner.ProofSpine
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.ProofSpine/StellaOps.Scanner.ProofSpine.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 4
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ProofSpine/ProofSpineBuilder.cs` (442 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ProofSpine/ProofSpineVerifier.cs` (188 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ProofSpine/ProofSpineBuilderExtensions.cs` (148 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ProofSpine/HmacDsseSigningService.cs` (143 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.ProofSpine.Tests/StellaOps.Scanner.ProofSpine.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Queue/StellaOps.Scanner.Queue.md

@@ -0,0 +1,43 @@
+# Audit - StellaOps.Scanner.Queue
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Queue/StellaOps.Scanner.Queue.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 3
+- Service locator usage (BuildServiceProvider/GetService): 1
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Queue/Redis/RedisScanQueue.cs` (766 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Queue/Nats/NatsScanQueue.cs` (654 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Queue/ScanQueueContracts.cs` (115 lines)
+- Service locator matches:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Queue/ScannerQueueServiceCollectionExtensions.cs`:31 var timeProvider = sp.GetService<TimeProvider>() ?? TimeProvider.System;
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Queue.Tests/StellaOps.Scanner.Queue.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Reachability/StellaOps.Scanner.Reachability.md

@@ -0,0 +1,165 @@
+# Audit - StellaOps.Scanner.Reachability
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/StellaOps.Scanner.Reachability.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 117
+- Service locator usage (BuildServiceProvider/GetService): 9
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Lifters/BinaryReachabilityLifter.cs` (901 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/IacBoundaryExtractor.cs` (838 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/GatewayBoundaryExtractor.cs` (769 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitnessBuilder.cs` (599 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceExtractor.cs` (568 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/SubgraphExtractor.cs` (549 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/ReachabilityUnionWriter.cs` (517 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Binary/BinaryPatchVerifier.cs` (510 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/FunctionMap/ObservationStore/PostgresRuntimeObservationStore.cs` (499 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Runtime/EbpfSignalMerger.cs` (492 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/FunctionMap/FunctionMapGenerator.cs` (490 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/PrReachabilityGate.cs` (480 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Jobs/ReachabilityEvidenceJobExecutor.cs` (478 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Lifters/DotNetReachabilityLifter.cs` (473 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Surfaces/SurfaceAwareReachabilityAnalyzer.cs` (473 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/IncrementalReachabilityService.cs` (470 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/K8sBoundaryExtractor.cs` (462 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Lifters/NodeReachabilityLifter.cs` (441 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Explanation/PathExplanationService.cs` (432 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/ReachabilityGraphBuilder.cs` (427 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/EdgeBundle.cs` (418 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraphSemanticExtensions.cs` (417 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Ordering/DeterministicGraphOrderer.cs` (414 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/FunctionMap/Verification/ClaimVerifier.cs` (410 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Subgraph/ReachabilitySubgraphExtractor.cs` (401 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitness.cs` (400 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ConditionalReachabilityAnalyzer.cs` (395 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/PostgresReachabilityCache.cs` (394 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Stack/ReachabilityStack.cs` (392 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceModels.cs` (392 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachGraphReachabilityCombiner.cs` (390 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/FunctionMap/Verification/IClaimVerifier.cs` (385 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/RichGraphBoundaryExtractor.cs` (384 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/VulnerabilityReachabilityFilter.cs` (360 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/RichGraphGateAnnotator.cs` (357 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReporter.cs` (348 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ISuppressionWitnessBuilder.cs` (342 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs` (339 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Runtime/RuntimeStaticMerger.cs` (332 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Explanation/PathExplanationModels.cs` (326 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraphReader.cs` (311 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Runtime/EbpfRuntimeReachabilityCollector.cs` (302 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityWitnessPublisher.cs` (296 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/SymbolId.cs` (286 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Explanation/PathRenderer.cs` (286 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitnessBuilder.cs` (285 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/StateFlipDetector.cs` (284 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IWitnessVerifier.cs` (280 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Subgraph/ReachabilitySubgraphModels.cs` (280 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IPathWitnessBuilder.cs` (278 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraph.cs` (277 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Services/PostgresCveSymbolMappingRepository.cs` (277 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Surfaces/SurfaceQueryService.cs` (275 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraphWriter.cs` (258 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/IReachabilityCache.cs` (251 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/MiniMap/MiniMapExtractor.cs` (250 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Binary/IBinaryPatchVerifier.cs` (248 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Vex/VexStatusDeterminer.cs` (246 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Stack/ReachabilityResultFactory.cs` (245 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Surfaces/ISurfaceQueryService.cs` (238 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/EdgeBundlePublisher.cs` (236 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Jobs/ReachabilityEvidenceJob.cs` (231 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/InMemorySliceCache.cs` (229 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Stack/ReachabilityStackEvaluator.cs` (227 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/ObservedPathSliceGenerator.cs` (223 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/FunctionMap/FunctionMapPredicate.cs` (221 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilitySubgraphPublisher.cs` (217 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/GatePatterns.cs` (217 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Services/ICveSymbolMappingService.cs` (215 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/StaticReachabilityAnalyzer.cs` (213 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/SymbolIdBuilder.cs` (209 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Layer3/ILayer3Analyzer.cs` (205 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/MiniMap/ReachabilityMiniMap.cs` (203 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/ImpactSetCalculator.cs` (201 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessMatcher.cs` (199 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityWitnessDsseBuilder.cs` (199 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Runtime/IRuntimeReachabilityCollector.cs` (195 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Layer2/ILayer2Analyzer.cs` (193 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/GraphRootIntegration.cs` (192 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/IReachabilityResolver.cs` (192 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceCache.cs` (183 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SignedWitnessGenerator.cs` (179 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/FunctionMap/ObservationStore/IRuntimeObservationStore.cs` (179 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceDiffComputer.cs` (178 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/PolicyBinding.cs` (173 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionDsseSigner.cs` (168 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessDsseSigner.cs` (168 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/CompositeGateDetector.cs` (165 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/ReachabilityReplayWriter.cs` (159 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IRuntimeWitnessGenerator.cs` (158 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/ReachabilityRichGraphPublisher.cs` (153 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/GraphDeltaComputer.cs` (150 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/NonDefaultConfigDetector.cs` (149 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ClaimIdGenerator.cs` (147 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Vex/IVexStatusDeterminer.cs` (147 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/AttestingRichGraphWriter.cs` (146 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/ServiceCollectionExtensions.cs` (142 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Layer1/ILayer1Analyzer.cs` (137 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/AdminOnlyDetector.cs` (136 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/IGraphDeltaComputer.cs` (136 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeWitnessRequest.cs` (135 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Lifters/ReachabilityLifterRegistry.cs` (135 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/CodeIdBuilder.cs` (131 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/FunctionMap/IFunctionMapGenerator.cs` (130 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyGraphBuilder.cs` (121 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/FeatureFlagDetector.cs` (121 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/CompositeBoundaryExtractor.cs` (119 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/CodeId.cs` (118 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/GateMultiplierCalculator.cs` (118 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/GateModels.cs` (116 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityPolicyLoader.cs` (115 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/Replay/SliceDiffComputer.cs` (113 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/VerdictComputer.cs` (109 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/AuthGateDetector.cs` (109 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryExtractionContext.cs` (108 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyReachabilityModels.cs` (106 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Surfaces/ISurfaceRepository.cs` (104 lines)
+- Service locator matches:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityAttestationServiceCollectionExtensions.cs`:39 timeProvider: sp.GetService<TimeProvider>(),
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityAttestationServiceCollectionExtensions.cs`:40 cas: sp.GetService<IFileContentAddressableStore>(),
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityAttestationServiceCollectionExtensions.cs`:41 dsseSigningService: sp.GetService<IDsseSigningService>(),
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityAttestationServiceCollectionExtensions.cs`:42 cryptoProfile: sp.GetService<ICryptoProfile>(),
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityAttestationServiceCollectionExtensions.cs`:43 rekorClient: sp.GetService<IRekorClient>()));
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityAttestationServiceCollectionExtensions.cs`:58 timeProvider: sp.GetService<TimeProvider>(),
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityAttestationServiceCollectionExtensions.cs`:59 cas: sp.GetService<IFileContentAddressableStore>(),
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityAttestationServiceCollectionExtensions.cs`:60 dsseSigningService: sp.GetService<IDsseSigningService>(),
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityAttestationServiceCollectionExtensions.cs`:61 cryptoProfile: sp.GetService<ICryptoProfile>()));
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/StellaOps.Scanner.Reachability.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Reachability.Stack.Tests/StellaOps.Scanner.Reachability.Stack.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/StellaOps.Scanner.ReachabilityDrift.md

@@ -0,0 +1,47 @@
+# Audit - StellaOps.Scanner.ReachabilityDrift
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/StellaOps.Scanner.ReachabilityDrift.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 7
+- Service locator usage (BuildServiceProvider/GetService): 1
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Attestation/DriftAttestationService.cs` (360 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Services/CodeChangeFactExtractor.cs` (342 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Models/DriftModels.cs` (293 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Services/DriftCauseExplainer.cs` (254 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Services/ReachabilityDriftDetector.cs` (177 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Services/PathCompressor.cs` (147 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Attestation/IDriftAttestationService.cs` (140 lines)
+- Service locator matches:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/DependencyInjection/ServiceCollectionExtensions.cs`:21 var timeProvider = sp.GetService<TimeProvider>();
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.ReachabilityDrift.Tests/StellaOps.Scanner.ReachabilityDrift.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Registry/StellaOps.Scanner.Registry.md

@@ -0,0 +1,42 @@
+# Audit - StellaOps.Scanner.Registry
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Registry/StellaOps.Scanner.Registry.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 2
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Registry/RegistryClient.cs` (427 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Registry/IRegistryClient.cs` (121 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: none
+- Missing layers: Unit, Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add a unit test project named `<Project>.Tests` (or document exception).
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Sarif/StellaOps.Scanner.Sarif.md

@@ -0,0 +1,45 @@
+# Audit - StellaOps.Scanner.Sarif
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Sarif/StellaOps.Scanner.Sarif.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 6
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sarif/SarifExportService.cs` (447 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sarif/Rules/SarifRuleRegistry.cs` (417 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sarif/FindingInput.cs` (244 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sarif/Models/SarifModels.cs` (232 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sarif/SarifExportOptions.cs` (144 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sarif/Fingerprints/FingerprintGenerator.cs` (139 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Libraries/StellaOps.Scanner.Sarif.Tests/StellaOps.Scanner.Sarif.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/StellaOps.Scanner.ServiceSecurity.md

@@ -0,0 +1,48 @@
+# Audit - StellaOps.Scanner.ServiceSecurity
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/StellaOps.Scanner.ServiceSecurity.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 9
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Analyzers/NestedServiceAnalyzer.cs` (223 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Analyzers/DataFlowAnalyzer.cs` (159 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Analyzers/ServiceSecurityContext.cs` (124 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Models/ServiceSecurityModels.cs` (124 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Analyzers/TrustBoundaryAnalyzer.cs` (121 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Analyzers/RateLimitingAnalyzer.cs` (121 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Reporting/ServiceSecurityReportFormatter.cs` (118 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Policy/ServiceSecurityPolicyLoader.cs` (114 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/Analyzers/ServiceSecurityHelpers.cs` (104 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.ServiceSecurity.Tests/StellaOps.Scanner.ServiceSecurity.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/StellaOps.Scanner.SmartDiff.md

@@ -0,0 +1,53 @@
+# Audit - StellaOps.Scanner.SmartDiff
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/StellaOps.Scanner.SmartDiff.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 14
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Output/SarifOutputGenerator.cs` (483 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/MaterialRiskChangeDetector.cs` (369 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/SmartDiffScoringConfig.cs` (352 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/Repositories.cs` (239 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/BoundaryProof.cs` (216 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexCandidateEmitter.cs` (199 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexEvidence.cs` (187 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexCandidateModels.cs` (180 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/SmartDiffPredicate.cs` (176 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Output/SarifModels.cs` (169 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/ReachabilityGateBridge.cs` (167 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Attestation/DeltaVerdictBuilder.cs` (164 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/MaterialRiskChangeResult.cs` (156 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/RiskStateSnapshot.cs` (107 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/StellaOps.Scanner.SmartDiff.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Sources/StellaOps.Scanner.Sources.md

@@ -0,0 +1,67 @@
+# Audit - StellaOps.Scanner.Sources
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Sources/StellaOps.Scanner.Sources.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 28
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Configuration/SourceConfigValidator.cs` (836 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Handlers/Git/GitSourceHandler.cs` (514 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Persistence/SbomSourceRepository.cs` (474 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Handlers/Zastava/ZastavaSourceHandler.cs` (459 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Services/SbomSourceService.cs` (434 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Domain/SbomSource.cs` (411 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/ConnectionTesters/GitConnectionTester.cs` (392 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Handlers/Cli/CliSourceHandler.cs` (361 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Handlers/Docker/DockerSourceHandler.cs` (347 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Contracts/SourceContracts.cs` (340 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Triggers/SourceTriggerDispatcher.cs` (331 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Persistence/SbomSourceRunRepository.cs` (308 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/ConnectionTesters/DockerConnectionTester.cs` (306 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/ConnectionTesters/ZastavaConnectionTester.cs` (234 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Handlers/Docker/ImageDiscovery.cs` (207 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Configuration/GitSourceConfig.cs` (183 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Domain/SbomSourceRun.cs` (182 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Configuration/ZastavaSourceConfig.cs` (178 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Handlers/Git/IGitClient.cs` (172 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Triggers/TriggerContext.cs` (153 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Persistence/ISbomSourceRepository.cs` (129 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Handlers/Zastava/IRegistryClient.cs` (128 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/DependencyInjection/ServiceCollectionExtensions.cs` (126 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Services/ISbomSourceService.cs` (124 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Configuration/CliSourceConfig.cs` (124 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/ConnectionTesters/CliConnectionTester.cs` (122 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Scheduling/SourceSchedulerHostedService.cs` (115 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Sources/Handlers/ISourceTypeHandler.cs` (113 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Sources.Tests/StellaOps.Scanner.Sources.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/StellaOps.Scanner.Storage.Oci.md

@@ -0,0 +1,51 @@
+# Audit - StellaOps.Scanner.Storage.Oci
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/StellaOps.Scanner.Storage.Oci.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 12
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/OciImageInspector.cs` (882 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/Offline/OfflineBundleService.cs` (605 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/SlicePullService.cs` (485 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/FuncProofOciPublisher.cs` (339 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/OciAncestryExtractor.cs` (297 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/OciArtifactPusher.cs` (292 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/VerdictOciPublisher.cs` (288 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/Diagnostics/VerdictPushDiagnostics.cs` (202 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/IOciAncestryExtractor.cs` (148 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/SliceOciManifestBuilder.cs` (130 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/OciImageReference.cs` (121 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/OciModels.cs` (103 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Storage.Oci.Tests/StellaOps.Scanner.Storage.Oci.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Storage/StellaOps.Scanner.Storage.md

@@ -0,0 +1,94 @@
+# Audit - StellaOps.Scanner.Storage
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Storage/StellaOps.Scanner.Storage.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 51
+- Service locator usage (BuildServiceProvider/GetService): 4
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresEpssRepository.cs` (688 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresReachabilityDriftResultRepository.cs` (527 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresSecretDetectionSettingsRepository.cs` (451 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/PostgresScanMetricsRepository.cs` (449 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/PostgresProofSpineRepository.cs` (401 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresEpssSignalRepository.cs` (399 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/ClassificationHistoryRepository.cs` (361 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/CachingEpssProvider.cs` (339 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresBinaryEvidenceRepository.cs` (330 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/RuntimeEventRepository.cs` (306 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssCsvStreamParser.cs` (297 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Services/BinaryEvidenceService.cs` (295 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresFuncProofRepository.cs` (294 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresRiskStateRepository.cs` (286 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresVexCandidateStore.cs` (285 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssReplayService.cs` (285 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/PostgresWitnessRepository.cs` (282 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresFacetSealStore.cs` (275 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresMaterialRiskChangeRepository.cs` (269 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/IEpssSignalRepository.cs` (242 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Services/ClassificationChangeTracker.cs` (238 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/ObjectStore/RustFsArtifactObjectStore.cs` (237 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssProvider.cs` (229 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresEpssRawRepository.cs` (228 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Extensions/ServiceCollectionExtensions.cs` (220 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/LayerRepository.cs` (212 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Services/FnDriftMetricsExporter.cs` (201 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/Events/EpssUpdatedEvent.cs` (195 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Services/FnDriftCalculator.cs` (177 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/ArtifactRepository.cs` (176 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/ScannerStorageOptions.cs` (176 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Models/ScanMetricsModels.cs` (173 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Extensions/EpssServiceCollectionExtensions.cs` (166 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/IEpssRawRepository.cs` (152 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresObservedCveRepository.cs` (152 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/JobRepository.cs` (151 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Entities/SecretDetectionSettingsRow.cs` (146 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Services/ArtifactStorageService.cs` (144 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresProofBundleRepository.cs` (142 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresIdempotencyKeyRepository.cs` (138 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresScanManifestRepository.cs` (131 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresCallGraphSnapshotRepository.cs` (125 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Models/ClassificationChangeModels.cs` (122 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresReachabilityResultRepository.cs` (119 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Entities/FuncProofDocumentRow.cs` (116 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresCodeChangeRepository.cs` (114 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/ISecretDetectionSettingsRepository.cs` (111 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssExplainHashCalculator.cs` (110 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/IEpssRepository.cs` (105 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/IEpssSignalPublisher.cs` (104 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/IObservedCveRepository.cs` (101 lines)
+- Service locator matches:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Extensions/EpssServiceCollectionExtensions.cs`:53 var timeProvider = sp.GetService<TimeProvider>() ?? TimeProvider.System;
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Extensions/EpssServiceCollectionExtensions.cs`:62 var cacheFactory = sp.GetService<IDistributedCacheFactory>();
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Extensions/EpssServiceCollectionExtensions.cs`:127 var timeProvider = sp.GetService<TimeProvider>() ?? TimeProvider.System;
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Extensions/EpssServiceCollectionExtensions.cs`:136 var cacheFactory = sp.GetService<IDistributedCacheFactory>();
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Storage.Tests/StellaOps.Scanner.Storage.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Storage.Oci.Tests/StellaOps.Scanner.Storage.Oci.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/StellaOps.Scanner.Surface.Env.md

@@ -0,0 +1,40 @@
+# Audit - StellaOps.Scanner.Surface.Env
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/StellaOps.Scanner.Surface.Env.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 1
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/SurfaceEnvironmentBuilder.cs` (301 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Surface.Env.Tests/StellaOps.Scanner.Surface.Env.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/StellaOps.Scanner.Surface.FS.md

@@ -0,0 +1,45 @@
+# Audit - StellaOps.Scanner.Surface.FS
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/StellaOps.Scanner.Surface.FS.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 6
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/SurfaceManifestModels.cs` (350 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/FacetSealExtractor.cs` (311 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/FileSurfaceManifestStore.cs` (267 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/SurfaceManifestDeterminismVerifier.cs` (262 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/ServiceCollectionExtensions.cs` (155 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/FileSurfaceCache.cs` (151 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Surface.FS.Tests/StellaOps.Scanner.Surface.FS.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/StellaOps.Scanner.Surface.Secrets.md

@@ -0,0 +1,45 @@
+# Audit - StellaOps.Scanner.Surface.Secrets
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/StellaOps.Scanner.Surface.Secrets.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 5
+- Service locator usage (BuildServiceProvider/GetService): 1
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/RegistryAccessSecret.cs` (347 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/OfflineSurfaceSecretProvider.cs` (258 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/CasAccessSecret.cs` (207 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/AuditingSurfaceSecretProvider.cs` (152 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/CachingSurfaceSecretProvider.cs` (114 lines)
+- Service locator matches:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/ServiceCollectionExtensions.cs`:33 var timeProvider = sp.GetService<TimeProvider>() ?? TimeProvider.System;
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+- Replace service locator usage with constructor injection.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Surface.Secrets.Tests/StellaOps.Scanner.Surface.Secrets.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/StellaOps.Scanner.Surface.Validation.md

@@ -0,0 +1,40 @@
+# Audit - StellaOps.Scanner.Surface.Validation
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/StellaOps.Scanner.Surface.Validation.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: PASS
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 0
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - none
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- None.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Surface.Validation.Tests/StellaOps.Scanner.Surface.Validation.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Surface/StellaOps.Scanner.Surface.md

@@ -0,0 +1,50 @@
+# Audit - StellaOps.Scanner.Surface
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Surface/StellaOps.Scanner.Surface.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 11
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface/Collectors/PatternBasedSurfaceCollector.cs` (279 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface/Collectors/NodeJsEntryPointCollector.cs` (278 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface/SurfaceAnalyzer.cs` (217 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface/Collectors/ExternalCallCollector.cs` (212 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface/Collectors/ProcessExecutionCollector.cs` (177 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface/Collectors/SecretAccessCollector.cs` (173 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface/Collectors/NetworkEndpointCollector.cs` (170 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface/Output/SurfaceAnalysisWriter.cs` (117 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface/SurfaceServiceCollectionExtensions.cs` (107 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface/Signals/SurfaceSignalEmitter.cs` (102 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface/Discovery/SurfaceEntryRegistry.cs` (102 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Surface.Validation.Tests/StellaOps.Scanner.Surface.Validation.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Surface.Tests/StellaOps.Scanner.Surface.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Surface.Secrets.Tests/StellaOps.Scanner.Surface.Secrets.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Surface.FS.Tests/StellaOps.Scanner.Surface.FS.Tests.csproj [Unit], src/Scanner/__Tests/StellaOps.Scanner.Surface.Env.Tests/StellaOps.Scanner.Surface.Env.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Triage/StellaOps.Scanner.Triage.md

@@ -0,0 +1,47 @@
+# Audit - StellaOps.Scanner.Triage
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Triage/StellaOps.Scanner.Triage.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 8
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/TriageDbContext.cs` (243 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageEnums.cs` (189 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageCaseCurrent.cs` (162 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageFinding.cs` (160 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Models/ExploitPath.cs` (144 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageScan.cs` (121 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageDecision.cs` (120 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageEvidenceArtifact.cs` (103 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Triage.Tests/StellaOps.Scanner.Triage.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.Validation/StellaOps.Scanner.Validation.md

@@ -0,0 +1,45 @@
+# Audit - StellaOps.Scanner.Validation
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.Validation/StellaOps.Scanner.Validation.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 6
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Validation/ValidatorBinaryManager.cs` (483 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Validation/CycloneDxValidator.cs` (433 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Validation/SpdxValidator.cs` (402 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Validation/ISbomValidator.cs` (352 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Validation/CompositeValidator.cs` (183 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Validation/ValidationGateOptions.cs` (147 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Tests/StellaOps.Scanner.Validation.Tests/StellaOps.Scanner.Validation.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.

docs/implplan-blocked/audits/csproj-standards/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/StellaOps.Scanner.VulnSurfaces.md

@@ -0,0 +1,69 @@
+# Audit - StellaOps.Scanner.VulnSurfaces
+
+## Project
+- Path: `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/StellaOps.Scanner.VulnSurfaces.csproj`
+- Module: `Scanner`
+- Kind: `Library`
+- SDK: `Microsoft.NET.Sdk`
+- TargetFramework: `net10.0`
+- Audit date (UTC): 2026-01-30
+
+## Coding Standards Findings
+- Status: FAIL
+- Nullable: enable
+- TreatWarningsAsErrors: explicit true
+- Deterministic: inherited true
+- 100-line rule violations: 30
+- Service locator usage (BuildServiceProvider/GetService): 0
+- Analyzer enforcement: missing repo-wide (see summary).
+
+### Details
+- 100-line files:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/CallGraph/JavaInternalGraphBuilder.cs` (531 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Fingerprint/JavaBytecodeFingerprinter.cs` (508 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Fingerprint/JavaScriptMethodFingerprinter.cs` (492 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/CallGraph/PythonInternalGraphBuilder.cs` (449 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Fingerprint/PythonAstFingerprinter.cs` (433 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/CallGraph/JavaScriptInternalGraphBuilder.cs` (420 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Storage/PostgresVulnSurfaceRepository.cs` (407 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Builder/VulnSurfaceBuilder.cs` (324 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Download/PyPIPackageDownloader.cs` (295 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Triggers/TriggerMethodExtractor.cs` (270 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Models/VulnSurface.cs` (268 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Fingerprint/CecilMethodFingerprinter.cs` (242 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Download/NpmPackageDownloader.cs` (238 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Diagnostics/VulnSurfaceMetrics.cs` (233 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Fingerprint/MethodDiffEngine.cs` (225 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/CallGraph/CecilInternalGraphBuilder.cs` (216 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/MethodKeys/JavaMethodKeyBuilder.cs` (212 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Download/MavenPackageDownloader.cs` (198 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Fingerprint/IMethodFingerprinter.cs` (179 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Models/VulnSurfaceTrigger.cs` (168 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/MethodKeys/PythonMethodKeyBuilder.cs` (165 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/MethodKeys/DotNetMethodKeyBuilder.cs` (161 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/MethodKeys/NodeMethodKeyBuilder.cs` (149 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/CallGraph/InternalCallGraph.cs` (137 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Download/NuGetPackageDownloader.cs` (136 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Services/VulnSurfaceService.cs` (134 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Builder/IVulnSurfaceBuilder.cs` (125 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/CallGraph/IInternalCallGraphBuilder.cs` (124 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Download/IPackageDownloader.cs` (123 lines)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/MethodKeys/IMethodKeyBuilder.cs` (111 lines)
+- Service locator matches:
+  - none
+
+### Fix Guidance
+- Split files over 100 lines into smaller types or partials.
+
+## Testing Fullness Findings
+- Status: FAIL
+- Expected layers: Unit, Performance
+- Detected test projects: src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces.Tests/StellaOps.Scanner.VulnSurfaces.Tests.csproj [Unit]
+- Missing layers: Performance
+
+### Manual checks required
+- Observability contract tests for WebService/Worker.
+- Offline execution (tests must run without network access).
+
+### Fix Guidance
+- Add performance regression coverage for scanner/export/release paths.