stop syncing with TASKS.md

StellaOps Bot
2025-12-26 11:44:40 +02:00
parent ebce1c80b1
commit 22390057fc
77 changed files with 24 additions and 1018 deletions

@@ -1,8 +0,0 @@
# Advisory AI · Tasks
| Task ID | Description | Owner(s) | Sprint | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| ADVISORY-AI-DOCS-0001 | Align module docs with `AGENTS.md` guardrails and required reading. | Docs Guild | SPRINT_0312_0001_0001_docs_modules_advisory_ai | DONE (2025-11-24) | AGENTS/README now call out offline/determinism guardrails and required docs. |
| ADVISORY-AI-ENG-0001 | Sync module doc pointers into parent docs tree. | Module Team | SPRINT_0312_0001_0001_docs_modules_advisory_ai | DONE (2025-11-24) | Root docs/README now links to Advisory AI dossier. |
| ADVISORY-AI-OPS-0001 | Document Advisory AI outputs/artefacts in module README. | Ops Guild | SPRINT_0312_0001_0001_docs_modules_advisory_ai | DONE (2025-11-24) | README section expanded with concrete outputs/endpoints/bundles/events. |

@@ -1,9 +0,0 @@
# Attestor · TASKS (status mirror)
| Task ID | Status | Owner(s) | Notes / Evidence |
| --- | --- | --- | --- |
| ATTESTOR-DOCS-0001 | DONE (2025-11-05) | Docs Guild | README aligned with latest release notes and attestation samples. |
| ATTESTOR-OPS-0001 | BLOCKED (2025-11-30) | Ops Guild | Await next demo outputs; observability runbook stub added. |
| ATTESTOR-ENG-0001 | DONE (2025-11-27) | Module Team | Implementation plan readiness tracker added. |
> Keep this table in lockstep with `docs/implplan/SPRINT_0313_0001_0001_docs_modules_attestor.md` (TODO/DOING/DONE/BLOCKED updates go to both files).
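
Review bot: ATTESTOR-OPS-0001 is still BLOCKED (2025-11-30) in the deleted table, and the removed footer is the only line in this file naming `docs/implplan/SPRINT_0313_0001_0001_docs_modules_attestor.md` as the second copy. Please confirm that sprint file carries the BLOCKED status and its "Await next demo outputs" reason before this mirror goes away, or say so in the commit message.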

@@ -1,15 +0,0 @@
# Authority · TASKS (status mirror)
| Task ID | Status | Owner(s) | Notes / Evidence |
| --- | --- | --- | --- |
| AUTHORITY-DOCS-0001 | DONE (2025-11-30) | Docs Guild | README/architecture refreshed; sprint + monitoring links added. |
| AUTHORITY-ENG-0001 | DONE (2025-11-27) | Module Team | Readiness tracker in implementation_plan mapped to epics/sprints. |
| AUTHORITY-OPS-0001 | DONE (2025-11-30) | Ops Guild | TASKS board created; monitoring/grafana references aligned; offline-friendly. |
| AUTH-GAPS-314-004 | DONE (2025-12-04) | Product Mgmt · Authority Guild | Gap remediation doc `gaps/2025-12-04-auth-gaps-au1-au10.md` + evidence map/paths; awaiting artefact signing. |
| REKOR-RECEIPT-GAPS-314-005 | DONE (2025-12-04) | Authority Guild · Attestor Guild · Sbomer Guild | Gap remediation doc `gaps/2025-12-04-rekor-receipt-gaps-rr1-rr10.md`; policy/schema/bundle layout fixed; artefacts drafted and hashed, signing pending. |
| AUTH-GAPS-ARTEFACTS | DOING (2025-12-04) | Docs Guild | Drafted AU1AU10 artefacts + hashes in `gaps/artifacts/` and `gaps/SHA256SUMS`; awaiting signing. |
| REKOR-RECEIPT-ARTEFACTS | DOING (2025-12-04) | Docs Guild | Drafted RR1RR10 artefacts + hashes in `gaps/artifacts/` and `gaps/SHA256SUMS`; awaiting signing. |
| AUTH-GAPS-SIGNING-SCRIPT | DONE (2025-12-05) | Docs Guild | Added `tools/cosign/sign-authority-gaps.sh` to sign AU/RR artefacts; defaults to `docs/modules/authority/gaps/dsse/2025-12-04`, supports dev key only with `COSIGN_ALLOW_DEV_KEY=1`. |
| AUTH-GAPS-SMOKE-SIGNED | DONE (2025-12-05) | Docs Guild | Dev-key smoke DSSE bundles generated at `docs/modules/authority/gaps/dev-smoke/2025-12-05/`; production signing still pending real Authority key. |
> Keep this table in lockstep with `docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md` (TODO/DOING/DONE/BLOCKED updates go to both files).
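
Review bot: the two DOING rows (AUTH-GAPS-ARTEFACTS, REKOR-RECEIPT-ARTEFACTS) and the AUTH-GAPS-SMOKE-SIGNED row record that the AU/RR artefacts are hashed but only dev-key signed, with production signing pending the real Authority key. Check that `docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md` states this, including the `COSIGN_ALLOW_DEV_KEY=1` restriction on the signing script, before dropping the table, so the unsigned state of `gaps/SHA256SUMS` and the DSSE bundles stays documented.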

@@ -1,14 +0,0 @@
# CI Recipes task board
Keep this table in sync with `docs/implplan/SPRINT_0315_0001_0001_docs_modules_ci.md`. Use TODO → DOING → DONE/BLOCKED.
| Task ID | Status | Owner(s) | Notes |
| --- | --- | --- | --- |
| CI RECIPES-DOCS-0001 | DONE | Docs Guild | Module charter docs (AGENTS/README/architecture/implementation_plan) refreshed with determinism + offline posture. |
| CI RECIPES-ENG-0001 | DONE | Module Team | TASKS board established; status mirroring rules documented. |
| CI RECIPES-OPS-0001 | DONE | Ops Guild | Sprint normalized/renamed; legacy stub retained; statuses mirrored. |
## Status rules
- Update both this file and the relevant sprint entry whenever task status changes.
- Keep timestamps in UTC ISO-8601; sort new rows deterministically by Task ID.
- Document any contract/runbook changes in the module docs under this directory and link them from the sprint Decisions & Risks section.
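
Review bot: the "Status rules" section deleted at the end of this hunk holds more than the mirroring rule. The UTC ISO-8601 timestamp and deterministic Task ID ordering rule, and the requirement to link contract/runbook changes from the sprint "Decisions & Risks" section, still apply once only the sprint file is updated. Suggest moving those two bullets into the module docs or the sprint file rather than deleting them with the board.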

@@ -1,12 +0,0 @@
# Excititor · TASKS (status mirror)
| Task ID | Status | Owner(s) | Notes / Evidence |
| --- | --- | --- | --- |
| EXCITOR-DOCS-0001 | DONE (2025-11-07) | Docs Guild | README aligned to consensus beta release notes. |
| EXCITOR-OPS-0001 | DONE (2025-11-07) | Ops Guild | Runbooks/observability checklist added (`mirrors.md`). |
| EXCITOR-ENG-0001 | DONE (2025-11-07) | Module Team | Implementation plan alignment with SPRINT_200 updates. |
| EXCITITOR-DOCS-0001 | BLOCKED (2025-11-19) | Docs Guild | Await chunk API CI validation + pinned OpenAPI + deterministic samples before finalizing docs. |
| EXCITITOR-ENG-0001 | BLOCKED (2025-12-03) | Module Team | Blocked by EXCITITOR-DOCS-0001 (chunk API CI/OpenAPI freeze). |
| EXCITITOR-OPS-0001 | BLOCKED (2025-12-03) | Ops Guild | Blocked by EXCITITOR-DOCS-0001; update runbooks once OpenAPI freezes. |
> Keep this table in lockstep with `docs/implplan/SPRINT_0333_0001_0001_docs_modules_excititor.md` (TODO/DOING/DONE/BLOCKED updates go to both files).
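
Review bot: three rows here are BLOCKED, with EXCITITOR-ENG-0001 and EXCITITOR-OPS-0001 both blocked on EXCITITOR-DOCS-0001, and the table mixes `EXCITOR-` and `EXCITITOR-` prefixes for DOCS/OPS/ENG tasks with the same suffixes. Before removing the mirror, verify that `docs/implplan/SPRINT_0333_0001_0001_docs_modules_excititor.md` has the blocked chain and settle on one prefix there, otherwise the dependency is hard to find by ID.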

@@ -1,9 +0,0 @@
# Export Center · TASKS (status mirror)
| Task ID | Status | Owner(s) | Notes / Evidence |
| --- | --- | --- | --- |
| EXPORT CENTER-DOCS-0001 | DONE (2025-11-30) | Docs Guild | README/architecture/implementation_plan refreshed; bundle/profiles/offline guidance linked; sprint references added. |
| EXPORT CENTER-ENG-0001 | DONE (2025-11-30) | Module Team | TASKS board created; statuses mirrored with `docs/implplan/SPRINT_0320_0001_0001_docs_modules_export_center.md`. |
| EXPORT CENTER-OPS-0001 | DONE (2025-11-30) | Ops Guild | Observability runbook stub + Grafana placeholder added; devportal/offline manifest links verified. |
> Keep this table in lockstep with the sprint Delivery Tracker (TODO/DOING/DONE/BLOCKED updates go to both files).

@@ -1,10 +0,0 @@
# Notify · TASKS (status mirror)
| Task ID | Status | Owner(s) | Notes / Evidence |
| --- | --- | --- | --- |
| NOTIFY-DOCS-0001 | DONE (2025-11-05) | Docs Guild | README refreshed for Notifications Studio pivot + release notes. |
| NOTIFY-OPS-0001 | BLOCKED (2025-11-30) | Ops Guild | Await next demo outputs; observability runbook stub added. |
| NOTIFY-ENG-0001 | DONE (2025-11-27) | Module Team | Implementation plan readiness tracker aligned with SPRINT_171..173. |
| NOTIFY-DOCS-0002 | BLOCKED (2025-11-30) | Docs Guild | Pending NOTIFY-SVC-39-001..004 correlation/digests/simulation/quiet hours evidence. |
> Keep this table in lockstep with `docs/implplan/SPRINT_322_docs_modules_notify.md` (TODO/DOING/DONE/BLOCKED updates go to both files).
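
Review bot: the footer points at `docs/implplan/SPRINT_322_docs_modules_notify.md`, which does not follow the `SPRINT_0NNN_0001_0001_...` naming used by the sprint files referenced in the other deleted boards. With two BLOCKED rows (NOTIFY-OPS-0001, NOTIFY-DOCS-0002) in this table, please check that the path resolves and that the sprint file holds both blockers, since it becomes the only record.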

@@ -1,12 +0,0 @@
# Orchestrator docs task board
| Task ID | Status | Owner(s) | Notes |
| --- | --- | --- | --- |
| ORCH-DOCS-0001 | DONE | Docs Guild | README updated with leasing / task runner bridge notes and interim envelope guidance. |
| ORCH-ENG-0001 | DONE | Module Team | Sprint references normalized; notes synced to doc sprint. |
| ORCH-OPS-0001 | DONE | Ops Guild | Runbook impacts captured in README; follow-up to update ops docs. |
| ORCH-OAS-61-001 | DONE | Orchestrator Service Guild | OpenAPI spec drafted for orchestrator endpoints with pagination/idempotency/error envelopes (2025-11-30). |
| ORCH-OAS-61-002 | DONE | Orchestrator Service Guild | `/.well-known/openapi` discovery endpoint aligned to runtime build metadata (2025-11-30). |
| ORCH-OAS-63-001 | DONE | Orchestrator Service Guild | Legacy job endpoints emit `Deprecation` + `Link` headers; doc metadata updated (2025-11-30). |
Status rules: mirror changes in `docs/implplan/SPRINT_0323_0001_0001_docs_modules_orchestrator.md`; use TODO → DOING → DONE/BLOCKED; add brief note if pausing.

@@ -1,9 +0,0 @@
# Platform · TASKS (status mirror)
| Task ID | Status | Owner(s) | Notes / Evidence |
| --- | --- | --- | --- |
| PLATFORM-DOCS-0001 | DONE (2025-11-30) | Docs Guild | README/architecture/implementation_plan refreshed; AOC/offline guardrails linked. |
| PLATFORM-ENG-0001 | DONE (2025-11-30) | Module Team | TASKS board created; statuses mirrored with `docs/implplan/SPRINT_0324_0001_0001_docs_modules_platform.md`. |
| PLATFORM-OPS-0001 | DONE (2025-11-30) | Ops Guild | Cross-links to architecture-overview and 07_HLA verified; offline guidance highlighted. |
> Keep this table in lockstep with the sprint Delivery Tracker (TODO/DOING/DONE/BLOCKED updates go to both files).

@@ -1,10 +0,0 @@
# Policy Engine Guild — Active Tasks
| Task ID | State | Notes |
| --- | --- | --- |
| `POLICY-ENGINE-29-002-CONTRACT` | DONE (2025-11-23) | Streaming simulation contract published at `docs/modules/policy/contracts/29-002-streaming-simulation.md`; unblocks 29-003..40-002 chain. |
| `PREP-EXPORT-CONSOLE-23-001` | DOING (2025-11-20) | Drafted export bundle + scheduler job contract (see `docs/modules/policy/design/export-console-bundle-contract.md`); waiting on DSSE/storage decisions from Console/Scheduler/Authority. |
| `PREP-POLICY-AIRGAP-56-001` | DOING (2025-11-20) | Drafted mirror bundle schema for air-gap/ sealed mode (see `docs/modules/policy/design/policy-mirror-bundle-schema.md`); waiting on trust-root and retention policy decisions. |
| `PREP-POLICY-ENGINE-30-001` | DOING (2025-11-20) | Drafted overlay projection contract (see `docs/modules/policy/design/policy-overlay-projection.md`); waiting on 29-004 metrics/log schema from Platform/Observability. |
| `SCANNER-POLICY-0001` | DONE (2025-11-10) | Ruby component predicates implemented in engine/tests, DSL docs updated, offline kit verifies `seed-data/analyzers/ruby/git-sources`. |
| `DOCS-AIAI-31-006` | DONE (2025-11-13) | Published `docs/policy/assistant-parameters.md` capturing Advisory AI configuration knobs (inference/guardrails/cache/queue) and linked it from the module architecture dossier. |
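
Review bot: this board has three DOING rows (`PREP-EXPORT-CONSOLE-23-001`, `PREP-POLICY-AIRGAP-56-001`, `PREP-POLICY-ENGINE-30-001`) and, unlike the other deleted boards, names no sprint file as its counterpart. The notes record open decisions (DSSE/storage, trust-root and retention policy, metrics/log schema); please state in the commit message which sprint tracker now owns these rows, or migrate them in the same change.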

@@ -1,14 +0,0 @@
# Scheduler module task board
Keep this table in sync with sprint Delivery Trackers for the Scheduler docs/process stream.
| Task ID | Status | Owner(s) | Notes |
| --- | --- | --- | --- |
| SCHEDULER-DOCS-0001 | DONE | Docs Guild | AGENTS charter refreshed with roles/prereqs/determinism and cross-links. |
| SCHEDULER-ENG-0001 | DONE | Module Team | TASKS.md created; status mirror rules documented. |
| SCHEDULER-OPS-0001 | DONE | Ops Guild | Outcomes synced to sprint file and tasks-all tracker. |
## Status rules
- Update both this file and the relevant `docs/implplan/SPRINT_*.md` entry whenever you change a task state.
- Use TODO → DOING → DONE/BLOCKED. If you pause work, revert to TODO and leave a short note.
- Document contract or runbook changes in the appropriate module docs under this directory.

@@ -1,9 +0,0 @@
# Telemetry · TASKS (status mirror)
| Task ID | Status | Owner(s) | Notes / Evidence |
| --- | --- | --- | --- |
| TELEMETRY-DOCS-0001 | DONE (2025-11-30) | Docs Guild | README/architecture refreshed for storage/isolation posture; sprint links added. |
| TELEMETRY-OPS-0001 | DONE (2025-11-30) | Ops Guild | Observability runbook stub + Grafana placeholder added under `operations/`. |
| TELEMETRY-ENG-0001 | DONE (2025-11-30) | Module Team | TASKS board created; statuses mirrored with `docs/implplan/SPRINT_0330_0001_0001_docs_modules_telemetry.md`. |
> Keep this table in lockstep with the sprint Delivery Tracker (TODO/DOING/DONE/BLOCKED updates go to both files).

@@ -1,9 +0,0 @@
# Console UI · TASKS (status mirror)
| Task ID | Status | Owner(s) | Notes / Evidence |
| --- | --- | --- | --- |
| CONSOLE UI-DOCS-0001 | DONE (2025-11-30) | Docs Guild | README/architecture updated; sprint links and observability references added. |
| CONSOLE UI-ENG-0001 | DONE (2025-11-30) | Module Team | TASKS board created; statuses mirrored with `docs/implplan/SPRINT_0331_0001_0001_docs_modules_ui.md`. |
| CONSOLE UI-OPS-0001 | DONE (2025-11-30) | Ops Guild | Observability runbook stub + Grafana JSON placeholder added under `operations/`. |
> Keep this table in lockstep with the sprint Delivery Tracker (TODO/DOING/DONE/BLOCKED updates go to both places).

@@ -1,9 +0,0 @@
# VEX Lens · TASKS (status mirror)
| Task ID | Status | Owner(s) | Notes / Evidence |
| --- | --- | --- | --- |
| VEX-CONSENSUS-LENS-DOCS-0001 | DONE (2025-11-30) | Docs Guild | README/architecture refresh with consensus workflow and release links; sprint references added. |
| VEX-LENS-OPS-0001 | DONE (2025-11-30) | Ops Guild | Observability runbook stub + Grafana JSON placeholder added under `runbooks/`. |
| VEX-LENS-ENG-0001 | DONE (2025-11-30) | Module Team | TASKS board created; statuses mirrored with `docs/implplan/SPRINT_0332_0001_0001_docs_modules_vex_lens.md`. |
> Keep this table in lockstep with the sprint Delivery Tracker (TODO/DOING/DONE/BLOCKED updates go to both places).

@@ -1,9 +0,0 @@
# Vuln Explorer · TASKS (status mirror)
| Task ID | Status | Owner(s) | Notes / Evidence |
| --- | --- | --- | --- |
| VULNERABILITY-EXPLORER-DOCS-0001 | DONE (2025-11-30) | Docs Guild | README/architecture updated; OpenAPI/schema/sprint links added; runbook evidence captured. |
| VULNERABILITY-EXPLORER-OPS-0001 | DONE (2025-11-30) | Ops Guild | Observability runbook + dashboard stub added; health/alert guidance documented. |
| VULNERABILITY-EXPLORER-ENG-0001 | DONE (2025-11-30) | Module Team | Sprint alignment notes added to implementation_plan; task mirror created. |
> Status must mirror `/docs/implplan/SPRINT_0334_0001_0001_docs_modules_vuln_explorer.md` (DOING/DONE/BLOCKED updates go to both files).

@@ -1,13 +0,0 @@
# Zastava · TASKS (status mirror)
| Task ID | Status | Owner(s) | Notes / Evidence |
| --- | --- | --- | --- |
| ZASTAVA-DOCS-0001 | DONE (2025-11-30) | Docs Guild | README/architecture refreshed; Surface Env/Secrets and sprint links added. |
| ZASTAVA-ENG-0001 | DONE (2025-11-30) | Module Team | TASKS board created; statuses mirrored with `docs/implplan/SPRINT_0335_0001_0001_docs_modules_zastava.md`. |
| ZASTAVA-OPS-0001 | DONE (2025-11-30) | Ops Guild | Observability runbook stub + Grafana JSON placeholder added under `operations/`. |
| ZASTAVA-SCHEMAS-0001 | DONE (2025-12-02) | Zastava Guild | Signed observer/admission schemas + test vectors under `docs/modules/zastava/schemas/`; DSSE + SHA256 published. |
| ZASTAVA-KIT-0001 | DONE (2025-12-02) | Zastava Guild | Built signed `zastava-kit` bundle with thresholds, schemas, exports, SHA256SUMS, verify.sh; offline parity verified. |
| ZASTAVA-THRESHOLDS-0001 | DONE (2025-12-02) | Zastava Guild | DSSE-signed `thresholds.yaml`, recorded Evidence Locker targets, and aligned with kit packaging. |
| ZASTAVA-GAPS-144-007 | DONE (2025-12-02) | Zastava Guild | Remediation plan for ZR1ZR10 published at `docs/modules/zastava/gaps/2025-12-02-zr-gaps.md`; follow-on schemas/kit/thresholds to be produced and signed. |
> Keep this table in lockstep with the sprint Delivery Tracker (TODO/DOING/DONE/BLOCKED updates go to both places).

@@ -1,8 +0,0 @@
# Completed Tasks
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SAMPLES-10-001 | DONE | Samples Guild, Scanner Team | SCANNER-EMIT-10-605 | Curate sample images (nginx, alpine+busybox, distroless+go, .NET AOT, python venv, npm monorepo) with expected SBOM/BOM-Index sidecars. | Samples committed under `samples/`; golden SBOM/BOM-Index files present; documented usage. |
| SAMPLES-13-004 | DONE (2025-10-23) | Samples Guild, Policy Guild | POLICY-CORE-09-006, UI-POLICY-13-007 | Add policy preview/report fixtures showing confidence bands and unknown-age tags. | Confidence sample (`samples/policy/policy-preview-unknown.json`) reviewed, documented usage in UI dev guide, ajv validation hook updated. |
| SAMPLES-POLICY-20-001 | DONE (2025-10-26) | Samples Guild, Policy Guild | POLICY-ENGINE-20-002, DOCS-POLICY-20-011 | Create sample policies (`baseline.pol`, `serverless.pol`, `internal-only.pol`) with annotated SBOM/advisory fixtures. | Samples stored under `samples/policy/`; README documents usage; tests validate deterministic outputs. |
| SAMPLES-POLICY-20-002 | DONE (2025-10-26) | Samples Guild, UI Guild | UI-POLICY-20-002 | Produce simulation diff fixtures (before/after JSON) for UI/CLI tests. | Fixtures committed with schema validation; referenced by UI+CLI tests; docs cross-link. |

@@ -1,10 +0,0 @@
# Samples Guild Tasks (coordination mirror)
| Task ID | Status | Sprint | Owners | Key dependency / next step | Notes |
| --- | --- | --- | --- | --- | --- |
| SAMPLES-GRAPH-24-003 | DONE (2025-12-02) | SPRINT_0509_0001_0001_samples | Samples Guild · SBOM Service Guild | Delivered `samples/graph/graph-40k` fixture with overlay and manifest; see README + hashes. | Large-scale SBOM graph fixture (~40k nodes) + policy overlay snapshot for perf/regression suites. |
| SAMPLES-GRAPH-24-004 | DONE (2025-12-02) | SPRINT_0509_0001_0001_samples | Samples Guild · UI Guild | Built from graph-40k overlays; artefacts in `samples/graph/graph-40k/explorer`. | Vulnerability explorer JSON/CSV fixtures with conflicting evidence/policy outputs for UI/CLI tests. |
| SAMPLES-LNM-22-001 | DONE (2025-11-24) | SPRINT_0509_0001_0001_samples | Samples Guild · Concelier Guild | Fixtures published under `samples/linkset/lnm-22-001/`. | Advisory observation/linkset fixtures (NVD, GHSA, OSV disagreements). |
| SAMPLES-LNM-22-002 | DONE (2025-11-24) | SPRINT_0509_0001_0001_samples | Samples Guild · Excititor Guild | Fixtures published under `samples/linkset/lnm-22-002/`. | VEX observation/linkset fixtures with status conflicts/path relevance; include raw blobs. |
Status updates must stay in sync with the corresponding sprint tracker.

@@ -1,23 +0,0 @@
# AirGap Module Tasks (prep sync)
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| PREP-AIRGAP-IMP-56-001-IMPORTER-PROJECT-SCAFF | DONE | Scaffolded importer project/tests; doc at `docs/airgap/importer-scaffold.md`. | 2025-11-20 |
| PREP-AIRGAP-IMP-56-002-BLOCKED-ON-56-001 | DONE | Unblocked by importer scaffold/trust-root contract. | 2025-11-20 |
| PREP-AIRGAP-IMP-58-002-BLOCKED-ON-58-001 | DONE | Shares importer scaffold + validation envelopes. | 2025-11-20 |
| PREP-AIRGAP-TIME-57-001-TIME-COMPONENT-SCAFFO | DONE | Time anchor parser scaffold; doc at `docs/airgap/time-anchor-scaffold.md`. | 2025-11-20 |
| PREP-AIRGAP-CTL-56-001-CONTROLLER-PROJECT-SCA | DONE | Controller scaffold drafted; controller project created with seal/unseal/state endpoints per doc. | 2025-11-26 |
| PREP-AIRGAP-CTL-56-002-BLOCKED-ON-56-001-SCAF | DONE | Scaffold applied to status/seal endpoints; deployment skeleton present. | 2025-11-26 |
| PREP-AIRGAP-CTL-57-001-BLOCKED-ON-56-002 | DONE | Diagnostics doc at `docs/airgap/sealed-startup-diagnostics.md`. | 2025-11-20 |
| PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | DONE | Telemetry/timeline hooks defined in `docs/airgap/sealed-startup-diagnostics.md`. | 2025-11-20 |
| PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | DONE | Staleness/time-anchor fields wired in controller response; pending Time Guild token refinements. | 2025-11-26 |
| AIRGAP-IMP-56-001 | DONE | DSSE verifier, TUF validator, Merkle root calculator + import coordinator; tests passing. | 2025-11-20 |
| AIRGAP-IMP-56-002 | DONE | Root rotation policy (dual approval) + trust store; integrated into import validator; tests passing. | 2025-11-20 |
| AIRGAP-IMP-57-001 | DONE | In-memory RLS bundle catalog/items repos + schema doc; deterministic ordering and tests passing. | 2025-11-20 |
| AIRGAP-TIME-57-001 | DONE | Staleness calc, loader/fixtures, TimeStatusService/store, sealed validator, Ed25519 Roughtime + RFC3161 SignedCms verification, APIs + config sample delivered; awaiting final trust roots. | 2025-11-20 |
| MR-T10.6.1 | DONE | Removed Mongo-backed air-gap state store; controller now uses in-memory store only. | 2025-12-11 |
| MR-T10.6.2 | DONE | DI simplified to register in-memory air-gap state store (no Mongo options or client). | 2025-12-11 |
| MR-T10.6.3 | DONE | Converted controller tests to in-memory store; dropped Mongo2Go dependency. | 2025-12-11 |
| AIRGAP-IMP-0338 | DONE | Implemented monotonicity enforcement + quarantine service (version primitives/checker, Postgres version store, importer validator integration, unit/integration tests). | 2025-12-15 |
| AIRGAP-OBS-0341-001 | DONE | Sprint 0341: OfflineKit metrics + structured logging fields/scopes in Importer; DSSE/quarantine logs aligned; metrics tests passing. | 2025-12-15 |
| AIRGAP-IMP-0342 | DONE | Sprint 0342: deterministic evidence reconciliation implemented per advisory §5 (ArtifactIndex/normalization, lattice merge, evidence graph emission + DSSE signing); tests passing. | 2025-12-20 |
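
Review bot: several DONE rows carry open caveats, for example AIRGAP-TIME-57-001 "awaiting final trust roots" and PREP-AIRGAP-CTL-58-001 "pending Time Guild token refinements", and this file names no sprint tracker as its mirror. Capture those follow-ups in a sprint file before deleting the board, so the note that the Roughtime/RFC3161 verification is still waiting on trust roots is not lost with it.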

@@ -1,59 +0,0 @@
# Attestor · Sprint 3000-0001-0001 (Rekor Merkle Proof Verification)
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| SPRINT_3000_0001_0001-T1 | DONE | `IRekorClient.VerifyInclusionAsync` contract present. | 2025-12-18 |
| SPRINT_3000_0001_0001-T2 | DONE | `MerkleProofVerifier` implemented. | 2025-12-18 |
| SPRINT_3000_0001_0001-T3 | DONE | `CheckpointSignatureVerifier` implemented + used by offline receipt verifier. | 2025-12-18 |
| SPRINT_3000_0001_0001-T4 | DONE | `RekorVerificationOptions` drafted under Core/Configuration. | 2025-12-18 |
| SPRINT_3000_0001_0001-T5 | DONE | `HttpRekorClient.VerifyInclusionAsync` implemented (Merkle root verification). | 2025-12-18 |
| SPRINT_3000_0001_0001-T6 | DONE | `StubRekorClient.VerifyInclusionAsync` implemented. | 2025-12-18 |
| SPRINT_3000_0001_0001-T6a | DONE | Offline checkpoint/receipt contract + schema: `docs/modules/attestor/transparency.md`, `docs/schemas/rekor-receipt.schema.json`. | 2025-12-18 |
| SPRINT_3000_0001_0001-T6b | DONE | Offline fixtures + harness: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core.Tests/Fixtures/Rekor/RekorOfflineReceiptFixtures.cs`, `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core.Tests/RekorOfflineReceiptVerifierTests.cs`. | 2025-12-18 |
| SPRINT_3000_0001_0001-T7 | DONE | Verification pipeline evaluates inclusion proof + witness status. | 2025-12-18 |
| SPRINT_3000_0001_0001-T8 | DONE | Offline mode supported (no external log refresh when `Offline=true`). | 2025-12-18 |
| SPRINT_3000_0001_0001-T9 | DONE | Unit coverage present (Merkle + checkpoint) via `dotnet test src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core.Tests/StellaOps.Attestor.Core.Tests.csproj -c Release`. | 2025-12-18 |
| SPRINT_3000_0001_0001-T10 | DONE | Integration coverage present (`RekorInclusionVerificationIntegrationTests`). | 2025-12-18 |
| SPRINT_3000_0001_0001-T11 | DONE | Rekor verification metrics exposed. | 2025-12-18 |
| SPRINT_3000_0001_0001-T12 | DONE | Docs synced (module architecture + transparency contract). | 2025-12-18 |
# Attestor · Sprint 3000-0001-0002 (Rekor Durable Retry Queue & Metrics)
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| SPRINT_3000_0001_0002-T1 | DONE | Queue schema designed. | 2025-12-20 |
| SPRINT_3000_0001_0002-T2 | DONE | `IRekorSubmissionQueue` interface created. | 2025-12-20 |
| SPRINT_3000_0001_0002-T3 | DONE | `PostgresRekorSubmissionQueue` implemented. | 2025-12-20 |
| SPRINT_3000_0001_0002-T4 | DONE | `RekorSubmissionStatus` enum added. | 2025-12-20 |
| SPRINT_3000_0001_0002-T5 | DONE | `RekorRetryWorker` background service implemented. | 2025-12-20 |
| SPRINT_3000_0001_0002-T6 | DONE | `RekorQueueOptions` configuration added. | 2025-12-20 |
| SPRINT_3000_0001_0002-T7 | DONE | Queue integrated with worker processing. | 2025-12-20 |
| SPRINT_3000_0001_0002-T8 | DONE | Dead-letter handling added to queue. | 2025-12-20 |
| SPRINT_3000_0001_0002-T9 | DONE | `rekor_queue_depth` gauge metric added. | 2025-12-20 |
| SPRINT_3000_0001_0002-T10 | DONE | `rekor_retry_attempts_total` counter added. | 2025-12-20 |
| SPRINT_3000_0001_0002-T11 | DONE | `rekor_submission_status_total` counter added. | 2025-12-20 |
| SPRINT_3000_0001_0002-T12 | DONE | PostgreSQL indexes created. | 2025-12-20 |
| SPRINT_3000_0001_0002-T13 | DONE | Unit tests added for queue and worker. | 2025-12-20 |
| SPRINT_3000_0001_0002-T14 | DONE | PostgreSQL integration tests added. | 2025-12-20 |
| SPRINT_3000_0001_0002-T15 | DONE | Module documentation updated. | 2025-12-20 |
# Attestor · Sprint 3000-0001-0003 (Rekor Integrated Time Skew Validation)
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| SPRINT_3000_0001_0003-T1 | DONE | `IntegratedTime` added to `RekorSubmissionResponse`. | 2025-12-20 |
| SPRINT_3000_0001_0003-T2 | DONE | `IntegratedTime` added to `LogDescriptor`. | 2025-12-20 |
| SPRINT_3000_0001_0003-T3 | DONE | `TimeSkewValidator` service created. | 2025-12-20 |
| SPRINT_3000_0001_0003-T4 | DONE | Time skew configuration added to `AttestorOptions`. | 2025-12-20 |
| SPRINT_3000_0001_0003-T5 | DONE | Validation integrated in `AttestorSubmissionService`. | 2025-12-20 |
| SPRINT_3000_0001_0003-T6 | DONE | Validation integrated in `AttestorVerificationService`. | 2025-12-20 |
| SPRINT_3000_0001_0003-T7 | DONE | `attestor.time_skew_detected` counter metric added. | 2025-12-20 |
| SPRINT_3000_0001_0003-T8 | DONE | Structured logging for anomalies added. | 2025-12-20 |
| SPRINT_3000_0001_0003-T9 | DONE | Unit tests added. | 2025-12-20 |
| SPRINT_3000_0001_0003-T10 | DONE | Integration tests added. | 2025-12-20 |
| SPRINT_3000_0001_0003-T11 | DONE | Documentation updated. | 2025-12-20 |
Status changes must be mirrored in:
- `docs/implplan/SPRINT_3000_0001_0001_rekor_merkle_proof_verification.md`
- `docs/implplan/SPRINT_3000_0001_0002_rekor_retry_queue_metrics.md`
- `docs/implplan/SPRINT_3000_0001_0003_rekor_time_skew_validation.md`
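
Review bot: rows T6a, T6b and T9 of the first table are the evidence index for the Rekor offline verification work (schema path, fixture and test file paths, the `dotnet test` command). The three sprint files listed at the end of the hunk should contain the same pointers before this table is removed; all rows are DONE, so nothing else in the hunk blocks the deletion.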

@@ -1,13 +0,0 @@
# Tasks (Benchmarks Guild)
| ID | Status | Sprint | Notes | Evidence |
| --- | --- | --- | --- | --- |
| BENCH-DETERMINISM-401-057 | DONE (2025-11-26) | SPRINT_0512_0001_0001_bench | Determinism harness and mock scanner added under `src/Bench/StellaOps.Bench/Determinism`; manifests + sample inputs included. | `src/Bench/StellaOps.Bench/Determinism/results` (generated) |
| BENCH-GRAPH-21-001 | DONE (2025-12-02) | SPRINT_0512_0001_0001_bench | Graph viewport/path harness with overlay support using canonical `samples/graph/graph-40k` fixture; results captured under `Graph/results`. | `src/Bench/StellaOps.Bench/Graph` |
| BENCH-GRAPH-21-002 | DONE (2025-12-02) | SPRINT_0512_0001_0001_bench | Graph UI Playwright bench driver emitting trace/viewport metadata; linked to 40k fixture. | `src/Bench/StellaOps.Bench/Graph` |
| BENCH-IMPACT-16-001 | DONE (2025-12-11) | SPRINT_0512_0001_0001_bench | ImpactIndex throughput bench with 10k productKey dataset + NDJSON outputs and unit tests. | `src/Bench/StellaOps.Bench/ImpactIndex` |
| BENCH-POLICY-20-002 | DONE (2025-12-11) | SPRINT_0512_0001_0001_bench | Policy delta benchmark (full vs delta) using baseline/delta NDJSON fixtures; outputs hashed. | `src/Bench/StellaOps.Bench/PolicyDelta` |
| BENCH-SIG-26-001 | DONE (2025-12-11) | SPRINT_0512_0001_0001_bench | Reachability scoring harness with schema hash, 10k/50k fixtures, cache outputs for downstream benches. | `src/Bench/StellaOps.Bench/Signals` |
| BENCH-SIG-26-002 | DONE (2025-12-11) | SPRINT_0512_0001_0001_bench | Policy evaluation cache bench (cold/warm/mixed) consuming reachability caches; outputs hashed. | `src/Bench/StellaOps.Bench/PolicyCache` |
| BENCH-SCANNER-ANALYZERS-405-008 | DONE (2025-12-13) | SPRINT_0405_0001_0001_scanner_python_detection_gaps.md | Extend Scanner analyzer microbench coverage for the Python analyzer (fixtures + thresholds + docs alignment). | `src/Bench/StellaOps.Bench/Scanner.Analyzers` |
| BENCH-SCANNER-ANALYZERS-407-009 | DONE (2025-12-13) | SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md | Add Bun analyzer scenario to microbench harness (config + baseline + wiring). | `src/Bench/StellaOps.Bench/Scanner.Analyzers` |

@@ -1,13 +0,0 @@
# CLI Guild — Active Tasks
| Task ID | State | Notes |
| --- | --- | --- |
| `SCANNER-CLI-0001` | DONE (2025-11-12) | Ruby verbs now consume the persisted `RubyPackageInventory`, warn when inventories are missing, and docs/tests were refreshed per Sprint 138. |
| `CLI-AIAI-31-001` | DONE (2025-11-24) | `stella advise summarize` command implemented; CLI analyzer build & tests now pass locally. |
| `CLI-AIAI-31-002` | DONE (2025-11-24) | `stella advise explain` (conflict narrative) command implemented and tested. |
| `CLI-AIAI-31-003` | DONE (2025-11-24) | `stella advise remediate` command implemented and tested. |
| `CLI-AIAI-31-004` | DONE (2025-11-24) | `stella advise batch` supports multi-key runs, per-key outputs, summary table, and tests (`HandleAdviseBatchAsync_RunsAllAdvisories`). |
| `CLI-AIRGAP-339-001` | DONE (2025-12-18) | Implemented `stella offline import/status` (DSSE + Rekor verification, monotonicity + quarantine hooks, state storage) and `stella verify offline` (YAML/JSON policy loader, deterministic evidence reconciliation); tests passing. |
| `CLI-AIRGAP-341-001` | DONE (2025-12-15) | Sprint 0341: Offline Kit reason/error codes and ProblemDetails integration shipped; tests passing. |
| `CLI-4300-VERIFY-IMAGE` | DONE (2025-12-22) | Implemented `stella verify image` command, trust policy loader, OCI referrer verification, and tests (`VerifyImageHandlerTests`, `TrustPolicyLoaderTests`, `ImageAttestationVerifierTests`). |
| `CLI-4600-BYOS-UPLOAD` | DONE (2025-12-22) | Added `stella sbom upload` command with BYOS payload, CLI models, and tests. |

@@ -1,13 +0,0 @@
# Concelier Alpine Connector Tasks
Local status mirror for `docs/implplan/SPRINT_2000_0003_0001_alpine_connector.md`.
| Task ID | Status | Notes |
| --- | --- | --- |
| T1 | DONE | APK version comparer + tests. |
| T2 | DONE | SecDB parser. |
| T3 | DOING | Alpine connector fetch/parse/map. |
| T4 | TODO | DI + config + health check wiring. |
| T5 | TODO | Tests, fixtures, and snapshots. |
Last synced: 2025-12-22 (UTC).
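
Review bot: T3 is DOING and T4/T5 are TODO, and the table was last synced 2025-12-22, four days before this commit. Confirm that `docs/implplan/SPRINT_2000_0003_0001_alpine_connector.md` is at least as current for T3 to T5, because the bare T1..T5 IDs are only meaningful next to that sprint file once this one is gone.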

@@ -1,13 +0,0 @@
# Concelier Merge Comparator Test Tasks
Local status mirror for `docs/implplan/SPRINT_2000_0003_0002_distro_version_tests.md`.
| Task ID | Status | Notes |
| --- | --- | --- |
| T1 | DONE | NEVRA comparison corpus expanded. |
| T2 | DONE | Debian EVR comparison corpus expanded. |
| T3 | DOING | Golden NDJSON fixtures + regression runner. |
| T4 | TODO | Testcontainers real-image cross-checks. |
| T5 | TODO | Test corpus README. |
Last synced: 2025-12-22 (UTC).
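
Review bot: T3 (golden NDJSON fixtures + regression runner) is DOING and T4/T5 are TODO in the deleted table. Check that `docs/implplan/SPRINT_2000_0003_0002_distro_version_tests.md` reflects that in-flight state before the mirror is removed.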

@@ -19,7 +19,7 @@ Deliver the StellaOps developer portal with interactive API reference, SDK docum
- `docs/modules/platform/architecture-overview.md` - `docs/modules/platform/architecture-overview.md`
## Working Agreement ## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
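
Review bot: in Working Agreement item 1 the new wording still reads "in both correspoding sprint file" although only one location is left after `TASKS.md` is dropped. Suggest "Update task status to `DOING`/`DONE` in the corresponding sprint file `/docs/implplan/SPRINT_*.md` when you start or finish work", which also fixes the "correspoding" typo carried over from the old line. Worth checking the other files edited in this commit for the same leftover "both".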

View File

@@ -1,14 +0,0 @@
# DevPortal Tasks · Sprint 0206.0001.0001
Keep this file in sync with `docs/implplan/SPRINT_0206_0001_0001_devportal.md`.
| Task ID | Status | Notes | Last Updated (UTC) |
| --- | --- | --- | --- |
| DEVPORT-62-001 | DONE | Astro/Starlight scaffold + aggregate spec + nav/search. | 2025-11-22 |
| DEVPORT-62-002 | DONE | Schema viewer, examples, copy-curl, version selector. | 2025-11-22 |
| DEVPORT-63-001 | DONE | Try-It console against sandbox; token onboarding UX. | 2025-11-22 |
| DEVPORT-63-002 | DONE | Embed SDK snippets/quick starts from tested examples. | 2025-11-22 |
| DEVPORT-64-001 | DONE | Offline bundle target with specs + SDK archives; zero external assets. | 2025-11-22 |
| DEVPORT-64-002 | DONE | Accessibility tests, link checker, performance budgets. | 2025-11-22 |
| DEVPORT-ACT-64-003 | DONE | Re-ran build:offline; link check now passing; a11y still blocked pending Playwright browsers install. | 2025-11-25 |
| DEVPORT-ACT-64-004 | DONE | A11y task marked skipped-but-pass: host missing `libnss3/libnspr4/libasound2`; script now skips cleanly and exits 0 after cleaning preview. | 2025-11-26 |
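
Review bot: The DEVPORT-ACT-64-004 row records that the a11y task is "skipped-but-pass" because the host is missing `libnss3/libnspr4/libasound2` and the script exits 0. Before deleting it, make sure `docs/implplan/SPRINT_0206_0001_0001_devportal.md` carries the same caveat; otherwise the DONE status reads as if the accessibility tests actually ran.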

View File

@@ -1,5 +0,0 @@
# Excititor CycloneDX Format Tasks
| Task ID | Sprint | Status | Notes |
| --- | --- | --- | --- |
| `SPRINT-3600-0002-CDX` | `docs/implplan/SPRINT_3600_0002_0001_cyclonedx_1_7_upgrade.md` | DOING | Update CycloneDX VEX export defaults and media types for 1.7. |

View File

@@ -1,7 +0,0 @@
# Export Center · Local Tasks
This file mirrors sprint work for the Export Center module.
| Task ID | Sprint | Status | Notes |
| --- | --- | --- | --- |
| `TRI-MASTER-0005` | `docs/implplan/SPRINT_3600_0001_0001_triage_unknowns_master.md` | DONE (2025-12-17) | Sync ExportCenter AGENTS with offline triage bundle (`.stella.bundle.tgz`) + local evidence cache contracts. |

View File

@@ -1,31 +0,0 @@
# Findings Ledger · Sprint 0120-0000-0001
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| LEDGER-29-008 | DONE | Determinism harness, metrics, replay tests | 2025-11-22 |
| LEDGER-34-101 | DONE | Orchestrator export linkage | 2025-11-22 |
| LEDGER-AIRGAP-56-001 | DONE | Mirror bundle provenance recording | 2025-11-22 |
Status changes must be mirrored in `docs/implplan/SPRINT_0120_0001_0001_policy_reasoning.md`.
# Findings Ledger · Sprint 0121-0001-0001
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| LEDGER-OBS-54-001 | DONE | Implemented `/v1/ledger/attestations` with deterministic paging, filter hash guard, and schema/OpenAPI updates. | 2025-11-22 |
| LEDGER-GAPS-121-009 | DONE | FL1–FL10 remediation: schema catalog + export canonicals, Merkle/external anchor policy, tenant isolation/redaction manifest, offline verifier + checksum guard, golden fixtures, backpressure metrics. | 2025-12-02 |
# Findings Ledger Aú Sprint 0121-0001-0002
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| LEDGER-ATTEST-73-002 | DONE | Verification-result and attestation-status filters wired into findings projection queries and exports; tests added. | 2025-12-08 |
| LEDGER-OAS-61-002 | DONE | `/.well-known/openapi` serves spec with version/build headers, ETag, cache hints. | 2025-12-08 |
| LEDGER-OAS-62-001 | DONE | SDK-facing OpenAPI assertions for pagination, evidence links, provenance added. | 2025-12-08 |
| LEDGER-OAS-63-001 | DONE | Deprecation headers and notifications applied to legacy findings export endpoint. | 2025-12-08 |
| LEDGER-OBS-55-001 | DONE | Incident-mode diagnostics (lag/conflict/replay traces), retention extension for snapshots, timeline/notifier hooks. | 2025-12-08 |
# Findings Ledger · Sprint 3600-0001-0001 (Triage & Unknowns)
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| TRI-MASTER-0004 | DONE | Sync Findings AGENTS with Alerts/Decisions API contract references (SPRINT_3602). | 2025-12-17 |

View File

@@ -1,11 +0,0 @@
# Mirror Creator · Task Tracker
| Task ID | Status | Notes |
| --- | --- | --- |
| OFFKIT-GAPS-125-011 | DONE | Offline kit gap remediation (OK1OK10) via bundle meta + policy layers. |
| REKOR-GAPS-125-012 | DONE | Rekor policy (RK1RK10) captured in bundle + verification. |
| MIRROR-GAPS-125-013 | DONE | Mirror strategy gaps (MS1MS10) encoded in mirror-policy and bundle meta. |
| MIRROR-CRT-57-002 | DONE | Time-anchor DSSE emitted when SIGN_KEY is set; bundle meta + verifier check anchor integrity. |
| MIRROR-CRT-58-001 | DONE | CLI wrappers (`mirror-create.sh`, `mirror-verify.sh`) for deterministic build/verify flows; uses existing assembler + verifier. |
| MIRROR-CRT-58-002 | DOING (dev) | Export Center scheduling helper (`src/Mirror/StellaOps.Mirror.Creator/schedule-export-center-run.sh`) added; production signing still pending MIRROR-CRT-56-002 key. |
| EXPORT-OBS-51-001 / 54-001 | DONE | Export Center handoff scripted via `export-center-wire.sh`, scheduler payload now carries bundle metadata, and mirror-sign CI uploads handoff outputs. |
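
Review bot: This tracker names no sprint file, and the MIRROR-CRT-58-002 row is still `DOING (dev)` with production signing pending the MIRROR-CRT-56-002 key. Please say where that open signing dependency is tracked once this file is gone, or record it in the relevant sprint file as part of this commit.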

View File

@@ -1,46 +0,0 @@
# Sprint 171 · Notifier.I
| ID | Status | Owner(s) | Notes |
| --- | --- | --- | --- |
| NOTIFY-ATTEST-74-001 | DONE (2025-11-16) | Notifications Service Guild | Attestation template suite complete; Slack expiry template added; coverage tests guard required channels. |
| NOTIFY-ATTEST-74-002 | DONE (2025-11-24) | Notifications Service Guild · KMS Guild | Attestation event ingestion endpoint + seed routing/templates for key rotation, revocation, and transparency witness failures. |
| NOTIFY-OAS-61-001 | DONE (2025-11-17) | Notifications Service Guild · API Contracts Guild | OAS updated with rules/templates/incidents/quiet hours and standard error envelope. |
| NOTIFY-OAS-61-002 | DONE (2025-11-17) | Notifications Service Guild | `.well-known/openapi` discovery endpoint with scope metadata implemented. |
| NOTIFY-OAS-62-001 | DONE (2025-11-17) | Notifications Service Guild · SDK Generator Guild | SDK usage examples + smoke tests (depends on 61-002). |
| NOTIFY-OAS-63-001 | DONE (2025-11-17) | Notifications Service Guild · API Governance Guild | Deprecation headers + template notices for retiring APIs (depends on 62-001). |
| NOTIFY-OBS-51-001 | DONE (2025-11-22) | Notifications Service Guild · Observability Guild | SLO webhook sink validated (`HttpEgressSloSinkTests`, `EventProcessorTests`); TRX: `StellaOps.Notifier.Tests/TestResults/notifier-slo-tests.trx`. |
| NOTIFY-OBS-55-001 | DONE (2025-11-22) | Notifications Service Guild · Ops Guild | Incident mode start/stop notifications; templates + importable rules with quiet-hour overrides and legal logging metadata. |
| NOTIFY-RISK-66-001 | DONE (2025-11-24) | Notifications Service Guild · Risk Engine Guild | Added risk-events endpoint + templates/rules for severity change notifications. |
| NOTIFY-RISK-67-001 | DONE (2025-11-24) | Notifications Service Guild · Policy Guild | Added routing/templates for risk profile publish/deprecate/threshold change. |
| NOTIFY-RISK-68-001 | DONE (2025-11-24) | Notifications Service Guild | Default routing seeds with throttles/locales for risk alerts. |
| NOTIFY-GAPS-171-014 | DONE (2025-12-10) | Notifications Service Guild | All NR1NR10 artifacts complete; DSSE signed with dev key. Production HSM re-signing is deployment concern. |
| NC-T11.1.1 | DONE (2025-12-10) | Notifier Guild | Create Digest/DigestTypes.cs with DigestType enum (Daily, Weekly, Monthly) |
| NC-T11.1.2 | DONE (2025-12-10) | Notifier Guild | Add DigestFormat enum (Html, PlainText, Markdown, Json, Slack, Teams) |
| NC-T11.1.3 | DONE (2025-12-10) | Notifier Guild | Add EscalationProcessResult record to Escalation/IEscalationEngine.cs |
| NC-T11.1.4 | DONE (2025-12-10) | Notifier Guild | Add NotifyInboxMessage class to Notify.Storage.Mongo/Documents |
| NC-T11.1.5 | DONE (2025-12-10) | Notifier Guild | Add NotifyAuditEntryDocument class to Notify.Storage.Mongo/Documents |
| NC-T11.2.1 | DONE (2025-12-10) | Notifier Guild | Removed duplicate Escalations/IntegrationAdapters.cs in favor of canonical Escalation namespace |
| NC-T11.2.2 | DONE (2025-12-10) | Notifier Guild | Removed duplicate Escalations/InboxChannel.cs in favor of canonical Escalation namespace |
| NC-T11.2.3 | DONE (2025-12-10) | Notifier Guild | Removed duplicate Escalations/IEscalationPolicy.cs in favor of canonical Escalation namespace |
| NC-T11.2.4 | DONE (2025-12-10) | Notifier Guild | Removed duplicate Escalations/IOnCallSchedule.cs |
| NC-T11.2.5 | DONE (2025-12-10) | Notifier Guild | Removed duplicate Escalations/EscalationServiceExtensions.cs |
| NC-T11.2.6 | DONE (2025-12-10) | Notifier Guild | Deleted empty Escalations folder |
| NC-T11.5.1 | DONE (2025-12-10) | Notifier Guild | Removed stale DefaultCorrelationEngine; canonical CorrelationEngine remains the registered implementation |
| NC-T11.5.2 | DONE (2025-12-10) | Notifier Guild | Removed stale DefaultEscalationEngine; canonical EscalationEngine remains the registered implementation |
| NC-T11.5.3 | DONE (2025-12-10) | Notifier Guild | Removed unused LockBasedThrottler to avoid interface drift; InMemoryNotifyThrottler stays default |
| NC-T11.5.4 | DONE (2025-12-10) | Notifier Guild | Removed unused DefaultDigestGenerator; DigestGenerator remains canonical implementation |
| NC-T11.5.5 | DONE (2025-12-10) | Notifier Guild | Removed DefaultStormBreaker and rely on InMemoryStormBreaker via service extensions |
| NC-T11.3.1 | DONE (2025-12-10) | Notifier Guild | Merged TenantContext definitions into ITenantContext.cs |
| NC-T11.3.2 | DONE (2025-12-10) | Notifier Guild | Deleted duplicate Tenancy/TenantContext.cs |
| NC-T11.3.3 | DONE (2025-12-10) | Notifier Guild | Canonical tenant context now uses AsyncLocal accessor only |
| NC-T11.4.1 | DONE (2025-12-10) | Notifier Guild | Kept async Dispatch/INotifyTemplateRenderer as the sole renderer contract |
| NC-T11.4.2 | DONE (2025-12-10) | Notifier Guild | Updated NotifierDispatchWorker to RenderAsync with NotifyEvent payloads |
| NC-T11.4.3 | DONE (2025-12-10) | Notifier Guild | Removed Processing/INotifyTemplateRenderer.cs duplicate |
| NC-T11.4.4 | DONE (2025-12-10) | Notifier Guild | Removed Processing/SimpleTemplateRenderer.cs duplicate |
| NC-T11.6.1 | DONE (2025-12-10) | Notifier Guild | ChaosFaultType unified; duplicate enum removed from IChaosTestRunner |
| NC-T11.6.2 | DONE (2025-12-10) | Notifier Guild | Removed unused Digest/DigestDistributor.cs to eliminate duplicate IDigestDistributor |
| NC-T11.6.3 | DONE (2025-12-10) | Notifier Guild | TenantIsolationOptions consolidated into single canonical definition |
| NC-T11.6.4 | DONE (2025-12-10) | Notifier Guild | WebhookSecurityOptions consolidated into single canonical definition |
| NC-T11.7.1 | DONE (2025-12-10) | Notifier Guild | Added Microsoft.AspNetCore.Http.Abstractions reference to Notifier.Worker |
| NC-T11.7.2 | DONE (2025-12-10) | Notifier Guild | EscalationServiceExtensions now only canonical Escalation namespace registrations |
| NC-T11.7.3 | DONE (2025-12-10) | Notifier Guild | DI paths validated after renderer/option consolidation |
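
Review bot: The NOTIFY-GAPS-171-014 row states that the artifacts were DSSE signed with a dev key and that production HSM re-signing is left to deployment, and nothing in this hunk cites a sprint file for Sprint 171. Confirm that note exists in the canonical sprint doc before deleting it here, since a bare DONE status hides that the signatures are not production ones.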

View File

@@ -1,9 +0,0 @@
# Worker SDK (Go) — Task Tracker
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| WORKER-GO-32-001 | DONE | Initial Go SDK scaffold with config binding, auth headers, claim/ack client, smoke sample, and unit tests. | 2025-11-17 |
| WORKER-GO-32-002 | DONE | Heartbeat/progress helpers, logging hooks, metrics, and jittered retries. | 2025-11-17 |
| WORKER-GO-33-001 | DONE | Artifact publish helpers, checksum hashing, metadata payload, idempotency guard. | 2025-11-17 |
| WORKER-GO-33-002 | DONE | Error classification/backoff helpers and structured failure reporting. | 2025-11-17 |
| WORKER-GO-34-001 | DONE | Backfill range execution helpers, watermark handshake, artifact dedupe verification. | 2025-11-17 |

View File

@@ -1,9 +0,0 @@
# Worker SDK (Python) — Task Tracker
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| WORKER-PY-32-001 | DONE | Async Python SDK scaffold with config/auth headers, claim/ack client, sample worker script, and unit tests using stub transport. | 2025-11-17 |
| WORKER-PY-32-002 | DONE | Heartbeat/progress helpers with logging/metrics and cancellation-safe retries. | 2025-11-17 |
| WORKER-PY-33-001 | DONE | Artifact publish/idempotency helpers with checksum hashing and storage adapters. | 2025-11-17 |
| WORKER-PY-33-002 | DONE | Error classification/backoff helper aligned to orchestrator codes and structured failure reports. | 2025-11-17 |
| WORKER-PY-34-001 | DONE | Backfill iteration, watermark handshake, and artifact dedupe verification utilities. | 2025-11-17 |

View File

@@ -1,43 +0,0 @@
# StellaOps Orchestrator · Sprint 0152-0001-0002 Mirror
Status mirror for `docs/implplan/SPRINT_0152_0001_0002_orchestrator_ii.md`. Update alongside the sprint file to avoid drift.
| # | Task ID | Status | Notes |
| --- | --- | --- | --- |
| 1 | ORCH-SVC-32-002 | DONE | DAG planner + job state machine implemented. |
| 2 | ORCH-SVC-32-003 | DONE | Read-only REST APIs with pagination/idempotency. |
| 3 | ORCH-SVC-32-004 | DONE | SSE streams, metrics, health probes delivered. |
| 4 | ORCH-SVC-32-005 | DONE | Worker claim/heartbeat/progress/complete endpoints live. |
| 5 | ORCH-SVC-33-001 | DONE | Sources control-plane validation + Postgres repos. |
| 6 | ORCH-SVC-33-002 | DONE | Adaptive rate limiting (token bucket + concurrency + backpressure). |
| 7 | ORCH-SVC-33-003 | DONE | Watermark/backfill manager with duplicate suppression. |
| 8 | ORCH-SVC-33-004 | DONE | Dead-letter store, replay, notifications. |
| 9 | ORCH-SVC-34-001 | DONE | Quotas + SLO burn-rate computation and alerts. |
| 10 | ORCH-SVC-34-002 | DONE | Audit log + run ledger export with signed manifest. |
| 11 | ORCH-SVC-34-003 | DONE | Perf/scale validation + autoscale/load-shed hooks. |
| 12 | ORCH-SVC-34-004 | DONE | GA packaging (Docker/Helm/air-gap bundle/provenance checklist). |
| 13 | ORCH-SVC-35-101 | DONE | Export job class registration + quotas and telemetry. |
| 14 | ORCH-SVC-36-101 | DONE | Export distribution + retention lifecycle metadata. |
| 15 | ORCH-SVC-37-101 | DONE | Scheduled exports, pruning, failure alerting. |
Last synced: 2025-11-30 (UTC).
## SPRINT_0339_0001_0001 First Signal API
Status mirror for `docs/implplan/SPRINT_0339_0001_0001_first_signal_api.md`. Update alongside the sprint file to avoid drift.
| # | Task ID | Status | Notes |
| --- | --- | --- | --- |
| 1 | ORCH-TTFS-0339-001 | DONE | First signal API delivered (service/repo/cache/endpoint/ETag/SSE/tests/docs). |
Last synced: 2025-12-15 (UTC).
## SPRINT_0341_0001_0001 TTFS Enhancements
Status mirror for `docs/implplan/SPRINT_0341_0001_0001_ttfs_enhancements.md`. Update alongside the sprint file to avoid drift.
| # | Task ID | Status | Notes |
| --- | --- | --- | --- |
| 1 | TTFS-T4 | DONE | Enrich FirstSignal with best-effort failure signature lookup via Scheduler WebService; surfaces `lastKnownOutcome` in API response. |
Last synced: 2025-12-18 (UTC).

View File

@@ -1,27 +0,0 @@
# Orchestrator · Sprint Mirrors (0151 / 0152)
Local status mirror for orchestration sprints to keep doc and code views aligned. Update this alongside the canonical sprint files:
- `docs/implplan/SPRINT_0151_0001_0001_orchestrator_i.md`
- `docs/implplan/SPRINT_0152_0001_0002_orchestrator_ii.md`
| Sprint | Task ID | Status | Notes |
| --- | --- | --- | --- |
| 0151 | ORCH-OAS-61-001 | DONE | Per-service OpenAPI doc with pagination/idempotency/error envelopes. |
| 0151 | ORCH-OAS-61-002 | DONE | `/.well-known/openapi` discovery and version metadata. |
| 0151 | ORCH-OAS-62-001 | DONE | OpenAPI + SDK smoke tests for pagination and pack-run schedule/retry endpoints. |
| 0151 | ORCH-OAS-63-001 | DONE | Deprecation headers/metadata for legacy job endpoints. |
| 0151 | ORCH-OBS-50-001 | BLOCKED | Waiting on Telemetry Core (Sprint 0174). |
| 0151 | ORCH-OBS-51-001 | BLOCKED | Depends on 50-001 and telemetry schema. |
| 0151 | ORCH-OBS-52-001 | BLOCKED | Needs event schema from Sprint 0150.A. |
| 0151 | ORCH-OBS-53-001 | BLOCKED | Evidence Locker capsule inputs not frozen. |
| 0151 | ORCH-OBS-54-001 | BLOCKED | Provenance attestations depend on 53-001. |
| 0151 | ORCH-OBS-55-001 | BLOCKED | Incident-mode hooks depend on 54-001. |
| 0151 | ORCH-AIRGAP-56-001 | BLOCKED | Await AirGap staleness contracts (Sprint 0120.A). |
| 0151 | ORCH-AIRGAP-56-002 | BLOCKED | Await upstream 56-001. |
| 0151 | ORCH-AIRGAP-57-001 | BLOCKED | Await upstream 56-002. |
| 0151 | ORCH-AIRGAP-58-001 | BLOCKED | Await upstream 57-001. |
| 0151 | ORCH-SVC-32-001 | DONE | Service bootstrap + initial schema/migrations. |
| 0151 | ORCH-GAPS-151-016 | DONE | OR1OR10 gaps: canonical hashes, replay inputs.lock, heartbeat ordering, log/artifact integrity. |
| 0152 | ORCH-SVC-32-002…37-101 | DONE | See `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` for per-task detail. |
Last synced: 2025-12-03 (UTC).
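
Review bot: Ten of the 0151 rows are BLOCKED, each with its upstream dependency given in the Notes column, and the 0152 row defers to `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` for per-task detail. Check that `docs/implplan/SPRINT_0151_0001_0001_orchestrator_i.md` records every blocker and its dependency, and that nothing else still links to that `TASKS.md` path once syncing stops.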

View File

@@ -1,12 +0,0 @@
# Policy Engine · Local Tasks
This file mirrors sprint work for the Policy Engine module.
| Task ID | Sprint | Status | Notes |
| --- | --- | --- | --- |
| `POLICY-GATE-401-033` | `docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md` | DONE (2025-12-13) | Implemented PolicyGateEvaluator (lattice/uncertainty/evidence completeness) and aligned tests/docs; see `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs` and `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Gates/PolicyGateEvaluatorTests.cs`. |
| `DET-3401-011` | `docs/implplan/SPRINT_3401_0001_0001_determinism_scoring_foundations.md` | DONE (2025-12-14) | Added `Explain` to `RiskScoringResult` and covered JSON serialization + null-coercion in `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Scoring/RiskScoringResultTests.cs`. |
| `PDA-3801-0001` | `docs/implplan/SPRINT_3801_0001_0001_policy_decision_attestation.md` | DONE (2025-12-19) | Implemented `PolicyDecisionAttestationService` + predicate model + DI wiring; covered signer/Rekor flows in `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Attestation/PolicyDecisionAttestationServiceTests.cs`. |
| `EXC-3900-0003-0002-T6` | `docs/implplan/SPRINT_3900_0003_0002_recheck_policy_evidence_hooks.md` | DONE (2025-12-22) | Added ExceptionRecheckGate and DI registration for build gate integration. |
| `UNK-4100-0001-T6` | `docs/implplan/SPRINT_4100_0001_0001_reason_coded_unknowns.md` | DONE (2025-12-22) | Extended unknowns API DTOs with reason codes, remediation hints, and evidence refs. |
| `UNK-4100-0001-0002` | `docs/implplan/SPRINT_4100_0001_0002_unknown_budgets.md` | DONE (2025-12-22) | Added unknown budget enforcement in policy evaluation, options binding, and budget service tests. |

View File

@@ -1,23 +0,0 @@
# Policy Library Local Tasks
This file mirrors sprint work for the `StellaOps.Policy` library.
| Task ID | Sprint | Status | Notes |
| --- | --- | --- | --- |
| `DET-3401-001` | `docs/implplan/SPRINT_3401_0001_0001_determinism_scoring_foundations.md` | DONE (2025-12-14) | Added `FreshnessBucket` + `FreshnessMultiplierConfig` in `src/Policy/__Libraries/StellaOps.Policy/Scoring/FreshnessModels.cs` and covered bucket boundaries in `src/Policy/__Tests/StellaOps.Policy.Tests/Scoring/EvidenceFreshnessCalculatorTests.cs`. |
| `DET-3401-002` | `docs/implplan/SPRINT_3401_0001_0001_determinism_scoring_foundations.md` | DONE (2025-12-14) | Implemented `EvidenceFreshnessCalculator` in `src/Policy/__Libraries/StellaOps.Policy/Scoring/EvidenceFreshnessCalculator.cs`. |
| `DET-3401-009` | `docs/implplan/SPRINT_3401_0001_0001_determinism_scoring_foundations.md` | DONE (2025-12-14) | Added `ScoreExplanation` + `ScoreExplainBuilder` in `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoreExplanation.cs` and tests in `src/Policy/__Tests/StellaOps.Policy.Tests/Scoring/ScoreExplainBuilderTests.cs`. |
| `EXC-3900-0003-0002-T1` | `docs/implplan/SPRINT_3900_0003_0002_recheck_policy_evidence_hooks.md` | DONE (2025-12-22) | Defined RecheckPolicy model in `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/RecheckPolicy.cs`. |
| `EXC-3900-0003-0002-T2` | `docs/implplan/SPRINT_3900_0003_0002_recheck_policy_evidence_hooks.md` | DONE (2025-12-22) | Extended ExceptionObject, repository mapping, and migration for recheck policy tracking. |
| `EXC-3900-0003-0002-T3` | `docs/implplan/SPRINT_3900_0003_0002_recheck_policy_evidence_hooks.md` | DONE (2025-12-22) | Added evidence hook and requirements models in `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/EvidenceHook.cs`. |
| `EXC-3900-0003-0002-T4` | `docs/implplan/SPRINT_3900_0003_0002_recheck_policy_evidence_hooks.md` | DONE (2025-12-22) | Added RecheckEvaluationService and context model. |
| `EXC-3900-0003-0002-T5` | `docs/implplan/SPRINT_3900_0003_0002_recheck_policy_evidence_hooks.md` | DONE (2025-12-22) | Added EvidenceRequirementValidator and support interfaces. |
| `EXC-3900-0003-0002-T8` | `docs/implplan/SPRINT_3900_0003_0002_recheck_policy_evidence_hooks.md` | DONE (2025-12-22) | Aligned recheck/evidence migration and added Postgres tests for recheck fields. |
| `SPRINT-7000-0002-0001-T1` | `docs/implplan/SPRINT_7000_0002_0001_unified_confidence_model.md` | DONE (2025-12-22) | Added unified confidence score models in `src/Policy/__Libraries/StellaOps.Policy/Confidence/Models/ConfidenceScore.cs`. |
| `SPRINT-7000-0002-0001-T2` | `docs/implplan/SPRINT_7000_0002_0001_unified_confidence_model.md` | DONE (2025-12-22) | Added configurable weights in `src/Policy/__Libraries/StellaOps.Policy/Confidence/Configuration/ConfidenceWeightOptions.cs`. |
| `SPRINT-7000-0002-0001-T3` | `docs/implplan/SPRINT_7000_0002_0001_unified_confidence_model.md` | DONE (2025-12-22) | Implemented calculator and inputs in `src/Policy/__Libraries/StellaOps.Policy/Confidence/Services/ConfidenceCalculator.cs`. |
| `SPRINT-7000-0002-0001-T4` | `docs/implplan/SPRINT_7000_0002_0001_unified_confidence_model.md` | DONE (2025-12-22) | Added confidence evidence models in `src/Policy/__Libraries/StellaOps.Policy/Confidence/Models/ConfidenceEvidence.cs`. |
| `SPRINT-7000-0002-0001-T5` | `docs/implplan/SPRINT_7000_0002_0001_unified_confidence_model.md` | DONE (2025-12-22) | Integrated confidence scoring into policy evaluation and runtime responses. |
| `SPRINT-7000-0002-0001-T6` | `docs/implplan/SPRINT_7000_0002_0001_unified_confidence_model.md` | DONE (2025-12-22) | Added confidence calculator tests in `src/Policy/__Tests/StellaOps.Policy.Tests/Confidence/ConfidenceCalculatorTests.cs` and runtime eval assertion. |
| `SPRINT-7100-0002-0001` | `docs/implplan/SPRINT_7100_0002_0001_policy_gates_merge.md` | DOING | Implementing ClaimScore merge + policy gates for trust lattice decisioning. |
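
Review bot: The last row, `SPRINT-7100-0002-0001`, is DOING (ClaimScore merge and policy gates for trust lattice decisioning) while every other row is DONE. Verify that `docs/implplan/SPRINT_7100_0002_0001_policy_gates_merge.md` reflects the in-progress state, since this deletion removes the only status shown for it in this hunk.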

View File

@@ -1,10 +0,0 @@
# Risk Engine Tasks (Sprint 0129-0001-0001)
| Task ID | Status | Notes |
| --- | --- | --- |
| RISK-ENGINE-66-001 | DONE (2025-11-25) | Scoring queue + worker + provider registry scaffolded; deterministic tests added. |
| RISK-ENGINE-66-002 | DONE (2025-11-25) | Default transforms provider added; queue/worker tests updated. |
| RISK-ENGINE-67-001 | DONE (2025-11-25) | CVSS+KEV provider implemented with tests; clamped scoring formula shipped. |
| RISK-ENGINE-67-002 | DONE (2025-11-25) | VEX gate provider added; short-circuits on denial flag. |
| RISK-ENGINE-67-003 | DONE (2025-11-25) | Fix availability / criticality / exposure provider added with weighted scoring + missing-signal defaults tested. |
| RISK-ENGINE-68-001 | DONE (2025-11-25) | Worker now persists results via result-store abstraction; in-memory store added with FIFO snapshot + failure capture. |

View File

@@ -1,16 +0,0 @@
# SbomService Tasks (prep sync)
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| PREP-SBOM-CONSOLE-23-001-BUILD-TEST-FAILING-D | DONE | Offline feed cache + script added; see `docs/modules/sbomservice/offline-feed-plan.md`. | 2025-11-20 |
| SBOM-SERVICE-21-002 | DONE | `sbom.version.created` events emitted via in-memory publisher; `/internal/sbom/events` + backfill wired; component lookup pagination cursor fixed; tests pass. | 2025-11-23 |
| SBOM-SERVICE-21-003 | DONE | Entrypoint/service node API (`GET/POST /entrypoints`) with tenant guard, deterministic ordering, seeded data; tests added. | 2025-11-23 |
| SBOM-SERVICE-23-001 | DONE | LNM v1 projection now returns asset metadata (criticality, owner, environment, exposure flags, tags); fixture + docs updated; projection test covers criticality. | 2025-11-23 |
| SBOM-SERVICE-23-002 | DONE | `sbom.asset.updated` events emitted idempotently (snapshot+tenant+hash) when projections served; `/internal/sbom/asset-events` endpoint added; tests validate idempotency. | 2025-11-23 |
| SBOM-ORCH-32-001 | DONE | In-memory orchestrator source registry (`/internal/orchestrator/sources`) with deterministic seed + idempotent registration. | 2025-11-23 |
| SBOM-ORCH-33-001 | DONE | Orchestrator control signals (pause/throttle/backpressure) exposed via `/internal/orchestrator/control`; metrics emitted. | 2025-11-23 |
| SBOM-ORCH-34-001 | DONE | Watermark tracking endpoints (`/internal/orchestrator/watermarks`) implemented for backfill reconciliation. | 2025-11-23 |
| SBOM-VULN-29-001 | DONE | Inventory evidence emitted (scope/runtime_flag/paths/nearest_safe_version) with `/internal/sbom/inventory` diagnostics + backfill endpoint. | 2025-11-23 |
| SBOM-VULN-29-002 | DONE | Resolver feed candidates emitted with NDJSON export/backfill endpoints; idempotent keys across tenant/artifact/purl/version/scope/runtime_flag. | 2025-11-24 |
| SPRINT-4600-LEDGER | DONE | Implement SBOM lineage ledger (LEDGER-001..020) including version chain, diff, lineage, and retention. | 2025-12-22 |
| SPRINT-4600-BYOS | DONE | BYOS upload validation/normalization, quality scoring, analysis trigger stub, docs/tests. | 2025-12-22 |

View File

@@ -1,12 +0,0 @@
# Deno Analyzer Tasks (Sprint 130)
| Order | Task ID | State | Summary |
| --- | --- | --- | --- |
| 1 | `SCANNER-ANALYZERS-DENO-26-001` | DONE | Deterministic input normalizer + VFS merger for `deno.json(c)`, import maps, lockfiles, vendor trees, `$DENO_DIR`, and OCI layers. |
| 2 | `SCANNER-ANALYZERS-DENO-26-002` | DONE | Module graph resolver covering static/dynamic imports, npm bridge, cache lookups, built-ins, WASM/JSON assertions with provenance. |
| 3 | `SCANNER-ANALYZERS-DENO-26-003` | DONE | npm/node compatibility adapter for `npm:` specifiers, `exports` evaluation, and builtin usage logging. |
| 4 | `SCANNER-ANALYZERS-DENO-26-004` | DONE | Permission/capability analyzer for FS/net/env/process/crypto/FFI/workers plus dynamic import heuristics with reason codes. |
| 5 | `SCANNER-ANALYZERS-DENO-26-005` | DONE | Bundle/binary inspectors for eszip and `deno compile` executables to recover graphs/config/resources/snapshots. |
| 6 | `SCANNER-ANALYZERS-DENO-26-006` | DONE | OCI/container adapter that stitches per-layer Deno caches, vendor trees, and compiled binaries into provenance-aware inputs. |
| 7 | `SCANNER-ANALYZERS-DENO-26-007` | DONE | AOC-compliant observation writers (entrypoints, modules, capability edges, workers, warnings, binaries) with deterministic reason codes. |
| 8 | `SCANNER-ANALYZERS-DENO-26-008` | DONE | Fixture and benchmark suite for vendor/npm/FFI/worker/dynamic import/bundle/cache/container cases. |

View File

@@ -1,7 +0,0 @@
# Scanner Native Analyzer Tasks
| Task ID | Sprint | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- | --- |
| BID-3500-0011 | `docs/implplan/SPRINT_3500_0011_0001_buildid_mapping_index.md` | DONE | Offline Build-ID→PURL index (NDJSON) with DSSE verification + SHA-256 binding; test evidence under `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/Index/`. | 2025-12-19 |
| PE-3500-0010-0001 | `docs/implplan/SPRINT_3500_0010_0001_pe_full_parser.md` | DONE | Completed golden fixtures (MSVC/MinGW/Clang) via `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/Fixtures/PeBuilder.cs` and added positive parsing tests in `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/PeReaderTests.cs`. | 2025-12-19 |
| MACH-3500-0010-0002 | `docs/implplan/SPRINT_3500_0010_0002_macho_full_parser.md` | DONE | Implemented export trie parsing (LC_DYLD_INFO(_ONLY)/LC_DYLD_EXPORTS_TRIE) + added signed/unsigned fixtures and tests in `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/MachOReaderTests.cs`. | 2025-12-19 |

View File

@@ -1,12 +0,0 @@
# Scanner WebService Local Tasks
| Task ID | Sprint | Status | Notes |
| --- | --- | --- | --- |
| `SCAN-API-3101-001` | `docs/implplan/archived/SPRINT_3101_0001_0001_scanner_api_standardization.md` | DONE | Scanner OpenAPI spec aligned with current endpoints including ProofSpine routes; composed into `src/Api/StellaOps.Api.OpenApi/stella.yaml`. |
| `PROOFSPINE-3100-API` | `docs/implplan/archived/SPRINT_3100_0001_0001_proof_spine_system.md` | DONE | Implemented and tested `/api/v1/spines/*` endpoints with verification output (CBOR accept tracked in SPRINT_3105). |
| `PROOF-CBOR-3105-001` | `docs/implplan/SPRINT_3105_0001_0001_proofspine_cbor_accept.md` | DONE | Added `Accept: application/cbor` support for ProofSpine endpoints + tests (`dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj -c Release`). |
| `SCAN-AIRGAP-0340-001` | `docs/implplan/SPRINT_0340_0001_0001_scanner_offline_config.md` | DONE | Offline kit import + DSSE/offline Rekor verification wired; integration tests cover success/failure/audit. |
| `DRIFT-3600-API` | `docs/implplan/SPRINT_3600_0003_0001_drift_detection_engine.md` | DONE | Add reachability drift endpoints (`/api/v1/scans/{id}/drift`, `/api/v1/drift/{id}/sinks`) + integration tests. |
| `SCAN-API-3103-001` | `docs/implplan/SPRINT_3103_0001_0001_scanner_api_ingestion_completion.md` | DONE | Implement missing ingestion services + DI for callgraph/SBOM endpoints and add deterministic integration tests. |
| `EPSS-SCAN-011` | `docs/implplan/SPRINT_3410_0002_0001_epss_scanner_integration.md` | DONE | Wired `/api/v1/epss/*` endpoints and added `EpssEndpointsTests` integration coverage. |
| `SLICE-3820-API` | `docs/implplan/SPRINT_3820_0001_0001_slice_query_replay_apis.md` | DOING | Implement slice query/replay endpoints, caching, and OpenAPI updates. |
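
Review bot: `SLICE-3820-API` is still DOING in the final row, and two earlier rows point at sprint files under `docs/implplan/archived/`. Confirm that `docs/implplan/SPRINT_3820_0001_0001_slice_query_replay_apis.md` carries the open slice query/replay work, and that the archived sprint files remain the record for the two completed items.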

View File

@@ -1,8 +0,0 @@
# Scanner Worker Tasks (Sprint 0409.0001.0001)
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| SCAN-NL-0409-002 | DONE | OS analyzer surface-cache wiring + hit/miss metrics + worker tests updated to current APIs. | 2025-12-12 |
| SCAN-NATIVE-3500-0014 | DONE | Native analyzer stage integrated into dispatcher (discovery → emit → layer fragments) + unit tests for native stage execution. | 2025-12-19 |
| NAI-003 | DONE | Native analyzer stage wired into `CompositeScanAnalyzerDispatcher` (and Worker project references canonical `StellaOps.Scanner.Analyzers.Native` so `*.Index` types resolve). | 2025-12-19 |
| NAI-005 | DONE | Integration tests for native analyzer stage + fragment append behavior (`StellaOps.Scanner.Worker.Tests`). | 2025-12-19 |

View File

@@ -1,13 +0,0 @@
# Bun Analyzer Tasks (Sprint 0407)
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| SCAN-BUN-407-001 | DONE | Container-layer aware project discovery (`layers/`, `.layers/`, `layer*`), bounded + deterministic. | 2025-12-13 |
| SCAN-BUN-407-002 | DONE | Declared-only fallback from `package.json` with safe identities (no range-as-version PURLs). | 2025-12-13 |
| SCAN-BUN-407-003 | DONE | bun.lock v1 graph enrichment (dependency specifiers + deterministic dev/optional/peer classification). | 2025-12-13 |
| SCAN-BUN-407-004 | DONE | Make `includeDev` meaningful for lockfile-only and installed scans; use `scopeUnknown` when unsure. | 2025-12-13 |
| SCAN-BUN-407-005 | DONE | Version-specific patch mapping + relative patch paths (no absolute path leakage). | 2025-12-13 |
| SCAN-BUN-407-006 | DONE | Evidence strengthening + locator precision (bun.lock locators, bounded sha256). | 2025-12-13 |
| SCAN-BUN-407-007 | DONE | Identity safety for non-npm sources (git/file/link/workspace/tarball/custom registry). | 2025-12-13 |
| SCAN-BUN-407-008 | DONE | Document analyzer contract under `docs/modules/scanner/` and link sprint. | 2025-12-13 |
| SCAN-BUN-407-009 | DONE | Optional: deterministic benchmark if perf risk materializes. | 2025-12-13 |

View File

@@ -1,32 +0,0 @@
# Node Analyzer Tasks (Sprint 132)
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| SCANNER-ANALYZERS-NODE-22-001 | DONE | VFS/input normalizer covers dirs/tgz/container layers/pnpm/Yarn PnP; Node version detection wired. | 2025-12-01 |
| SCANNER-ANALYZERS-NODE-22-002 | DONE | Entrypoint discovery extended (exports/imports/workers/electron/shebang) with normalized condition sets. | 2025-12-01 |
| SCANNER-ANALYZERS-NODE-22-003 | DONE | Import walker flags dynamic patterns with confidence and de-bundles source maps. | 2025-12-01 |
| SCANNER-ANALYZERS-NODE-22-004 | DONE | Resolver engine added (core modules, exports/imports maps, extension priority, self references). | 2025-12-01 |
| SCANNER-ANALYZERS-NODE-22-005 | DONE | Yarn PnP and pnpm virtual store adapters supported via VFS; tests updated. | 2025-12-01 |
| SCANNER-ANALYZERS-NODE-22-006 | DONE | Bundle/source-map correlation emits component/entrypoint records with resolver traces. | 2025-12-01 |
| SCANNER-ANALYZERS-NODE-22-007 | DONE | Native addon/WASM/capability edges produced with normalized targets. | 2025-12-01 |
| SCANNER-ANALYZERS-NODE-22-008 | DONE | Phase22 observation export (entrypoints/components/edges) added to analyzer output. | 2025-12-01 |
| SCANNER-ANALYZERS-NODE-22-009 | DONE | Fixture suite refreshed (npm/pnpm/PnP/bundle/electron/worker) with golden outputs. | 2025-12-01 |
| SCANNER-ANALYZERS-NODE-22-010 | DONE | Runtime evidence hooks (ESM loader/CJS require) with path scrubbing and hashed loader IDs; ingestion to runtime-* records. | 2025-12-01 |
| SCANNER-ANALYZERS-NODE-22-011 | DONE | Packaged plug-in manifest (0.1.0) with runtime hooks; CLI/offline docs refreshed. | 2025-12-01 |
| SCANNER-ANALYZERS-NODE-22-012 | DONE | Container filesystem adapter (layer roots) + NODE_OPTIONS/env warnings emitted. | 2025-12-01 |
## Node Detection Gaps (Sprint 0406)
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| SCAN-NODE-406-001 | DONE | Emit declared-only components (explicit-key via LanguageExplicitKey; no range-as-version PURLs; sourceType metadata). | 2025-12-13 |
| SCAN-NODE-406-002 | DONE | Multi-version lock correctness + `(name,version)` matching. | 2025-12-13 |
| SCAN-NODE-406-003 | DONE | Yarn Berry (v2/v3) lock parsing. | 2025-12-13 |
| SCAN-NODE-406-004 | DONE | Harden pnpm lock parsing (integrity-missing, snapshots). | 2025-12-13 |
| SCAN-NODE-406-005 | DONE | Fix package-lock nested node_modules naming. | 2025-12-13 |
| SCAN-NODE-406-006 | DONE | Workspace glob expansion (`*`/`**`) + bounds. | 2025-12-13 |
| SCAN-NODE-406-007 | DONE | Workspace-aware dependency scopes. | 2025-12-13 |
| SCAN-NODE-406-008 | DONE | Import scanning correctness + bounds. | 2025-12-13 |
| SCAN-NODE-406-009 | DONE | Deterministic package.json hashing for on-disk packages + fixtures. | 2025-12-13 |
| SCAN-NODE-406-010 | DONE | Fixtures + goldens: lock-only package-lock/yarn-berry/pnpm, workspace glob (`*`/`**`), container app-root discovery. | 2025-12-13 |
| SCAN-NODE-406-011 | DONE | Docs + offline benchmark (Node contract doc + new bench scenario + import-scan metrics). | 2025-12-13 |

View File

@@ -1,22 +0,0 @@
# Python Analyzer Tasks
## Python Detection Gaps (Sprint 0405)
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| SCAN-PY-405-001 | DONE | Wire layout-aware VFS/discovery into `PythonLanguageAnalyzer`. | 2025-12-13 |
| SCAN-PY-405-002 | DONE | Preserve dist-info/egg-info evidence; emit explicit-key components for editable lock entries. Added Scope/SourceType metadata per Action 1. | 2025-12-13 |
| SCAN-PY-405-003 | DONE | Lock precedence (poetry.lock > Pipfile.lock > pdm.lock > uv.lock > requirements.txt), `-r` includes with cycle detection, PEP 508 parsing, `name @ url` direct references, Pipenv `develop` section. | 2025-12-13 |
| SCAN-PY-405-004 | DONE | Container overlay contract implemented: OCI whiteout semantics (`.wh.*`, `.wh..wh..opq`), deterministic layer ordering, `container.overlayIncomplete` metadata marker. | 2025-12-13 |
| SCAN-PY-405-005 | DONE | Vendoring integration: `VendoringMetadataBuilder` for parent metadata + embedded components with High confidence. | 2025-12-13 |
| SCAN-PY-405-006 | DONE | Scope classification added (prod/dev/docs/build) from lock sections and file names per Interlock 4. Usage signals remain default. | 2025-12-13 |
| SCAN-PY-405-007 | DONE | Added deterministic fixtures + goldens: conda-meta env, requirements includes+editable, Pipfile.lock default+develop, wheel workspace, zipapp embedded requirements, container whiteouts, and vendored directories. | 2025-12-21 |
| SCAN-PY-405-008 | DONE | Docs + deterministic offline bench for Python analyzer contract. | 2025-12-13 |
## Completed Contracts (Action Decisions 2025-12-13)
1. **Action 1 - Explicit-Key Identity**: Uses `LanguageExplicitKey.Create("python", "pypi", name, spec, originLocator)` for non-versioned components.
2. **Action 2 - Lock Precedence**: Deterministic order with first-wins dedupe; full PEP 508 support.
3. **Action 3 - Container Overlay**: OCI whiteout semantics honored; incomplete overlay marked.
4. **Action 4 - Vendored Deps**: Parent metadata by default; separate components only with High confidence + known version.
5. **Interlock 4 - Usage/Scope**: Scope classification added (from lock sections); runtime/import analysis opt-in.
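
Review bot: the "Completed Contracts (Action Decisions 2025-12-13)" list at the end of this removed file is a design record, not task status. It fixes the explicit-key call shape `LanguageExplicitKey.Create("python", "pypi", name, spec, originLocator)`, the first-wins lock precedence, and the rule that vendored dependencies become separate components only with High confidence plus a known version. Please confirm all five decisions are stated in the Python analyzer contract doc delivered under SCAN-PY-405-008 or in the sprint's decisions section, or move them there in this commit.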

View File

@@ -1,21 +0,0 @@
# Ruby Analyzer Guild — Active Tasks
| Task ID | State | Notes |
| --- | --- | --- |
| `SCANNER-ENG-0009` | DONE (2025-11-13) | Ruby analyzer parity landed end-to-end: Mongo-backed `ruby.packages` inventories, WebService `/api/scans/{scanId}/ruby-packages`, CLI `ruby resolve` + observations, plugin manifest packaging, and targeted tests (`StellaOps.Scanner.Analyzers.Lang.Ruby.Tests`, `StellaOps.Scanner.Worker.Tests`, `StellaOps.Scanner.WebService.Tests --filter FullyQualifiedName~RubyPackages`). |
| `SCANNER-ENG-0016` | DONE (2025-11-10) | RubyLockCollector merged with vendor cache ingestion; workspace overrides, bundler groups, git/path fixture, and offline-kit mirror updated. |
| `SCANNER-ENG-0017` | DONE (2025-11-09) | Build runtime require/autoload graph builder with tree-sitter Ruby per design §4.4, feed EntryTrace hints. |
| `SCANNER-ENG-0018` | DONE (2025-11-09) | Emit Ruby capability + framework surface signals, align with design §4.5 / Sprint 138. |
| `SCANNER-ANALYZERS-RUBY-28-001` | DONE (2025-11-27) | Added OCI container layer support (layers/, .layers/, layer/) to RubyLockCollector and RubyVendorArtifactCollector for VFS/container workspace discovery. Existing implementation already covered Gemfile/lock, vendor/bundle, .gem archives, .bundle/config, Rack configs, and framework fingerprints. |
| `SCANNER-ANALYZERS-RUBY-28-002` | DONE (2025-11-27) | Enhanced RubyLockParser to capture gem dependency edges with version constraints from Gemfile.lock; added RubyDependencyEdge type; updated RubyLockEntry, RubyObservationDocument, observation builder and serializer to produce dependencyEdges with from/to/constraint fields. PURLs and resolver traces now included. |
| `SCANNER-ANALYZERS-RUBY-28-003` | DONE (2025-11-27) | AOC-compliant observations integration: added schema field, RubyObservationEntrypoint and RubyObservationEnvironment types; builder generates entrypoints (path/type/requiredGems) and environment profiles (bundlePaths/gemfiles/lockfiles/frameworks); RubyRuntimeGraph provides GetEntrypointFiles/GetRequiredGems; bundlerConfig wired through analyzer for complete observation coverage. |
| `SCANNER-ANALYZERS-RUBY-28-004` | DONE (2025-11-27) | Fixtures/benchmarks for Ruby analyzer: created cli-app fixture with Thor/TTY-Prompt CLI gems, updated expected.json golden files for simple-app and complex-app with dependency edges format, added CliWorkspaceProducesDeterministicOutputAsync test; all 4 determinism tests pass. |
| `SCANNER-ANALYZERS-RUBY-28-005` | DONE (2025-11-27) | Runtime capture (tracepoint) hooks: created Internal/Runtime/ with RubyRuntimeShim.cs (trace-shim.rb using TracePoint for require/load events, capability detection, sensitive data redaction), RubyRuntimeTraceRunner.cs (opt-in harness via STELLA_RUBY_ENTRYPOINT env var, sandbox guidance), and RubyRuntimeTraceReader.cs (NDJSON parser for trace events). |
| `SCANNER-ANALYZERS-RUBY-28-006` | DONE (2025-11-27) | Package Ruby analyzer plug-in: created manifest.json with schema version, entrypoint, and capabilities (ruby/rubygems/bundler/runtime-capture:optional). Updated docs/24_OFFLINE_KIT.md to include Ruby analyzer in language analyzers section, manifest examples, tar verification commands, and release guardrail smoke test references. |
| `SCANNER-ANALYZERS-RUBY-28-007` | DONE (2025-11-27) | Container/runtime scanner: created RubyContainerScanner.cs with OCI layer scanning for Ruby version detection (.ruby-version, .tool-versions, Gemfile ruby directive, binary paths), installed gems in system/vendor paths, native extension detection (.so/.bundle/.dll), and web server config parsing (Puma, Unicorn, Passenger). Updated RubyObservationDocument with RubyVersionSources, WebServers, NativeExtensions. Integrated into RubyLanguageAnalyzer and observation builder/serializer. |
| `SCANNER-ANALYZERS-RUBY-28-008` | DONE (2025-11-27) | AOC-compliant observations: added RubyObservationModule, RubyObservationRoute, RubyObservationJob, RubyObservationTask, RubyObservationConfig, RubyObservationWarning types to observation document. Updated builder to produce jobs from detected schedulers and configs from web server settings. Enhanced serializer with WriteModules, WriteRoutes, WriteJobs, WriteTasks, WriteConfigs, WriteWarnings. Document schema now includes modules, routes, jobs, tasks, configs, warnings arrays. |
| `SCANNER-ANALYZERS-RUBY-28-009` | DONE (2025-11-27) | Fixture suite + performance benchmarks: created rails-app (Rails 7.1 with actioncable/pg/puma/redis), sinatra-app (Sinatra 3.1 with rack routes), container-app (OCI layers with .ruby-version, .tool-versions, Puma config, native extensions stubs), legacy-app (Rakefile without bundler) fixtures with golden expected.json files. Added RubyBenchmarks.cs with warmup/iteration tests for all fixture types (<100ms target), determinism verification test. Updated existing simple-app/complex-app/cli-app golden files for ruby_version metadata. All 7 determinism tests pass. |
| `SCANNER-ANALYZERS-RUBY-28-010` | DONE (2025-11-27) | Optional runtime evidence integration with path hashing: created Internal/Runtime/ types (RubyRuntimeEvidence.cs, RubyRuntimeEvidenceCollector.cs, RubyRuntimePathHasher.cs, RubyRuntimeEvidenceIntegrator.cs). Added RubyObservationRuntimeEvidence and RubyObservationRuntimeError to observation document. Collector reads ruby-runtime.ndjson from multiple paths, parses require/load/method.call/error events, builds path hash map (SHA-256) for secure correlation. Integrator correlates package evidence, enhances runtime edges with "runtime-verified" flag, adds supplementary "runtime-only" edges without altering static precedence. Updated builder/serializer to include optional runtimeEvidence section. All 8 determinism tests pass. |
| `SCANNER-ANALYZERS-RUBY-28-011` | DONE (2025-11-27) | Package analyzer plug-in, CLI, and Offline Kit docs: verified existing manifest.json (schemaVersion 1.0, capabilities: language-analyzer/ruby/rubygems/bundler, runtime-capture:optional), verified RubyAnalyzerPlugin.cs entrypoint. CLI `stella ruby inspect` and `stella ruby resolve` commands already implemented in CommandFactory.cs/CommandHandlers.cs. Updated docs/24_OFFLINE_KIT.md with comprehensive Ruby analyzer feature list covering OCI container layers, dependency edges, Ruby version detection, native extensions, web server configs, AOC-compliant observations, runtime evidence with path hashing, and CLI usage. |
| `SCANNER-ANALYZERS-RUBY-28-012` | DONE (2025-11-27) | Policy signal emitter: created RubyPolicySignalEmitter.cs with signal emission for rubygems drift (declared-only, vendored, git-sourced, path-sourced counts, version mismatches), native extension flags (.so/.bundle/.dll counts, gem list), dangerous construct counts (exec/eval/serialization with risk tier), TLS posture (verify disabled, SSL context overrides, insecure HTTP), and dynamic code warnings (require/load/const_get/method_missing). Created RubyPolicyContextBuilder.cs with regex-based source scanning for dangerous patterns. Integrated into RubyLanguageAnalyzer via EmitPolicySignals. Added ScanAnalysisKeys.RubyPolicySignals key. Updated benchmark targets to 1000ms to accommodate policy scanning overhead. All 8 determinism tests pass. |
| `SCANNER-ANALYZERS-RUBY-28-013` | DOING (2025-12-13) | Fix Ruby determinism regressions (capability exec via `Open3.capture3`, container native extensions, no host paths in observation environment) and refresh golden fixtures to keep `StellaOps.Scanner.sln` green. |
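
Review bot: `SCANNER-ANALYZERS-RUBY-28-013` is still DOING (2025-12-13) in the last row, and this table has no Sprint column, so nothing in the removed file says which sprint document carries that status from now on. Before deleting, confirm the row exists in a sprint file with the same scope (the `Open3.capture3` capability regression, container native extensions, no host paths in the observation environment), and name that file in the commit message or the Ruby analyzer charter.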

View File

@@ -1,10 +0,0 @@
# OS Analyzer Tasks (Sprint 0409.0001.0001)
| Task ID | Status | Notes | Updated (UTC) |
| --- | --- | --- | --- |
| SCAN-NL-0409-001 | DONE | Added deterministic rootfs fingerprint + surface-cache adapter for OS analyzer results. | 2025-12-12 |
| SCAN-NL-0409-003 | DONE | Structured warnings: dedupe/sort/cap and analyzer updates. | 2025-12-12 |
| SCAN-NL-0409-004 | DONE | Evidence-path semantics: rootfs-relative normalization + layer attribution helper. | 2025-12-12 |
| SCAN-NL-0409-005 | DONE | Digest strategy: bounded hashing + primary digest selection. | 2025-12-12 |
| SCAN-NL-0409-006 | DONE | rpmdb.sqlite query shape optimized; schema-aware blob selection. | 2025-12-12 |

View File

@@ -1,6 +0,0 @@
# Scanner Emit Local Tasks
| Task ID | Sprint | Status | Notes |
| --- | --- | --- | --- |
| `BSE-009` | `docs/implplan/SPRINT_3500_0012_0001_binary_sbom_emission.md` | DONE | Added end-to-end integration test coverage for native binary SBOM emission (emit → fragments → CycloneDX). |
| `SPRINT-3600-0002-T1` | `docs/implplan/SPRINT_3600_0002_0001_cyclonedx_1_7_upgrade.md` | DOING | Update CycloneDX packages and defaults to 1.7. |

View File

@@ -1,8 +0,0 @@
# EntryTrace Tasks
| Task ID | Status | Date | Summary |
| --- | --- | --- | --- |
| SCANNER-ENG-0008 | DONE | 2025-11-16 | Documented quarterly EntryTrace heuristic cadence and workflow; attached to Sprint 0138 Execution Log. |
| SCANNER-ENTRYTRACE-18-504 | DONE | 2025-12-01 | EntryTrace NDJSON emission and streaming (entry/node/edge/target/warning/capability) wired via Worker → WebService/CLI. |
| SCANNER-ENTRYTRACE-18-505 | DONE | 2025-12-01 | Runtime ProcGraph reconciliation adjusts plan/terminal confidence and diagnostics for matches/mismatches. |
| SCANNER-ENTRYTRACE-18-506 | DONE | 2025-12-01 | EntryTrace graph/NDJSON exposed via WebService `/scans/{id}/entrytrace` and CLI rendering. |

View File

@@ -1,25 +0,0 @@
# Scanner Storage Local Tasks
| Task ID | Sprint | Status | Notes |
| --- | --- | --- | --- |
| `PROOFSPINE-3100-DB` | `docs/implplan/archived/SPRINT_3100_0001_0001_proof_spine_system.md` | DONE | Postgres migrations and repository for ProofSpine implemented (`proof_spines`, `proof_segments`, `proof_spine_history`). |
| `SCAN-API-3103-004` | `docs/implplan/SPRINT_3103_0001_0001_scanner_api_ingestion_completion.md` | DONE | Fix scanner storage connection/schema issues surfaced by Scanner WebService ingestion tests. |
| `DRIFT-3600-DB` | `docs/implplan/SPRINT_3600_0003_0001_drift_detection_engine.md` | DONE | Add drift tables migration + code change/drift result repositories + DI wiring. |
| `EPSS-3410-001` | `docs/implplan/archived/SPRINT_3410_0001_0001_epss_ingestion_storage.md` | DONE | Added EPSS schema migration `Postgres/Migrations/008_epss_integration.sql` and wired via `MigrationIds.cs`. |
| `EPSS-3410-002` | `docs/implplan/archived/SPRINT_3410_0001_0001_epss_ingestion_storage.md` | DONE | `EpssScoreRow` + ingestion models implemented. |
| `EPSS-3410-003` | `docs/implplan/archived/SPRINT_3410_0001_0001_epss_ingestion_storage.md` | DONE | `IEpssSource` interface implemented (online vs bundle). |
| `EPSS-3410-004` | `docs/implplan/archived/SPRINT_3410_0001_0001_epss_ingestion_storage.md` | DONE | `EpssOnlineSource` implemented (download to temp; hash provenance). |
| `EPSS-3410-005` | `docs/implplan/archived/SPRINT_3410_0001_0001_epss_ingestion_storage.md` | DONE | `EpssBundleSource` implemented (air-gap file input). |
| `EPSS-3410-006` | `docs/implplan/archived/SPRINT_3410_0001_0001_epss_ingestion_storage.md` | DONE | Streaming `EpssCsvStreamParser` implemented (validation + header comment extraction). |
| `EPSS-3410-007` | `docs/implplan/archived/SPRINT_3410_0001_0001_epss_ingestion_storage.md` | DONE | Postgres `IEpssRepository` implemented (runs + scores/current/changes). |
| `EPSS-3410-008` | `docs/implplan/archived/SPRINT_3410_0001_0001_epss_ingestion_storage.md` | DONE | Change detection + flags implemented (`EpssChangeDetector` + delta join). |
| BIN-EVID-4500-T1 | DONE | SPRINT_4500_0001_0003_binary_evidence_db | - | Migration: binary_identity table. |
| BIN-EVID-4500-T2 | DONE | SPRINT_4500_0001_0003_binary_evidence_db | BIN-EVID-4500-T1 | Migration: binary_package_map table. |
| BIN-EVID-4500-T3 | DONE | SPRINT_4500_0001_0003_binary_evidence_db | BIN-EVID-4500-T1 | Migration: binary_vuln_assertion table. |
| BIN-EVID-4500-T4 | DONE | SPRINT_4500_0001_0003_binary_evidence_db | BIN-EVID-4500-T1..T3 | Repository + entities. |
| BIN-EVID-4500-T5 | DONE | SPRINT_4500_0001_0003_binary_evidence_db | BIN-EVID-4500-T4 | BinaryEvidenceService. |
| BIN-EVID-4500-T6 | BLOCKED | SPRINT_4500_0001_0003_binary_evidence_db | BIN-EVID-4500-T5 | Scanner integration. |
| BIN-EVID-4500-T7 | BLOCKED | SPRINT_4500_0001_0003_binary_evidence_db | BIN-EVID-4500-T5 | API endpoints. |
| BIN-EVID-4500-T8 | DONE | SPRINT_4500_0001_0003_binary_evidence_db | BIN-EVID-4500-T1..T7 | Tests. |
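
Review bot: the eight `BIN-EVID-4500-*` rows carry five cells under a four-column header (Task ID | Sprint | Status | Notes) with Status and Sprint swapped, and T8 "Tests" is DONE although it lists T1..T7 as its dependency while T6 and T7 are BLOCKED. That suggests this mirror was already out of step, so please check that `SPRINT_4500_0001_0003_binary_evidence_db` records T6 and T7 as BLOCKED and states what T8 actually covered, rather than assuming the sprint file matches what is deleted here.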

View File

@@ -1,6 +0,0 @@
# Active Tasks
| ID | Status | Owner(s) | Depends on | Description | Notes |
|----|--------|----------|------------|-------------|-------|
| SCHED-WS-TTFS-0341-T4 | DONE (2025-12-18) | Agent | `docs/implplan/SPRINT_0341_0001_0001_ttfs_enhancements.md` | Add failure signature best-match endpoint to support TTFS FirstSignal enrichment. | `GET /api/v1/scheduler/failure-signatures/best-match` + deterministic endpoint tests. |

View File

@@ -1,9 +0,0 @@
# Active Tasks
| ID | Status | Owner(s) | Depends on | Description | Notes |
|----|--------|----------|------------|-------------|-------|
| SCHED-WORKER-23-101 | BLOCKED (2025-11-17) | Scheduler Worker Guild | SCHED-WORKER-21-203 | Implement policy re-evaluation worker that shards assets, honours rate limits, and updates progress for Console after policy activation events. | Waiting on Policy guild contract for activation event shape and throttle source. |
| SCHED-WORKER-15-401 | DONE (2025-11-17) | Scheduler Worker Guild | — | Investigate and stabilize PlannerBackgroundService fairness tests (tenant fairness cap; manual/event trigger priority). | Increased monotonic wait tolerance; tests now stable. |
| SCHED-WORKER-99-901 | DONE (2025-11-17) | Scheduler Worker Guild | — | Harden PolicyRunTargetingService coverage for incremental delta rules (MaxSboms, selector replay). | Added focused unit tests + deterministic stubs. |
| SCHED-SURFACE-01 | BLOCKED (2025-11-17) | Scheduler Worker Guild | — | Evaluate Surface.FS pointers when planning delta scans to avoid redundant work and prioritise drift-triggered assets. | Blocked: Surface.FS pointer schema/data source not documented; need contract from Surface/Policy guild. |
| SCHED-WORKER-99-902 | DONE (2025-11-17) | Scheduler Worker Guild | — | Housekeeping: add guard test to PolicyRunDispatchBackgroundService to ensure disabled policy mode performs no leases. | Added stub repository & clients; verified no lease attempts when disabled. |

View File

@@ -1,10 +0,0 @@
# SDK Generator Tasks
| Task ID | State | Notes |
| --- | --- | --- |
| SDKGEN-62-001 | DONE (2025-11-24) | Toolchain pinned: OpenAPI Generator CLI 7.4.0 + JDK 21, determinism rules in TOOLCHAIN.md/toolchain.lock.yaml. |
| SDKGEN-62-002 | DONE (2025-11-24) | Shared post-process now copies auth/retry/pagination/telemetry helpers for TS/Python/Go/Java, wires TS/Python exports, and adds smoke tests. |
| SDKGEN-63-001 | BLOCKED (2025-11-26) | Waiting on frozen aggregate OAS digest to generate TS alpha; scaffold + smoke + hash guard ready. |
| SDKGEN-63-002 | BLOCKED (2025-11-26) | Waiting on frozen aggregate OAS digest to generate Python alpha; scaffold + smoke + hash guard ready. |
| SDKGEN-63-003 | BLOCKED (2025-11-26) | Go generator scaffold ready; blocked on frozen aggregate OAS digest to emit alpha. |
| SDKGEN-63-004 | BLOCKED (2025-11-26) | Java generator scaffold ready; blocked on frozen aggregate OAS digest to emit alpha. |

View File

@@ -1,6 +0,0 @@
# Signals Storage Postgres Local Tasks
| Task ID | Sprint | Status | Notes |
| --- | --- | --- | --- |
| `SIG-PG-3102-001` | `docs/implplan/archived/SPRINT_3102_0001_0001_postgres_callgraph_tables.md` | DONE | Added relational callgraph tables + query repository; deferred projection work picked up in `docs/implplan/SPRINT_3104_0001_0001_signals_callgraph_projection_completion.md`. |
| `SIG-CG-3104-001` | `docs/implplan/SPRINT_3104_0001_0001_signals_callgraph_projection_completion.md` | DONE | Resume deferred sync/projection so `signals.*` relational callgraph tables become populated and queryable. |

View File

@@ -1,19 +0,0 @@
# Signals · Local Tasks
This file mirrors sprint work for the Signals module.
| Task ID | Sprint | Status | Notes |
| --- | --- | --- | --- |
| `SIG-STORE-401-016` | `docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md` | DONE (2025-12-13) | Added reachability store repository APIs and models; callgraph ingestion now populates the store; Mongo index script at `ops/mongo/indices/reachability_store_indices.js`. |
| `UNCERTAINTY-SCHEMA-401-024` | `docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md` | DONE (2025-12-13) | Implemented uncertainty tiers and scoring integration; see `src/Signals/StellaOps.Signals/Lattice/UncertaintyTier.cs` and `src/Signals/StellaOps.Signals/Lattice/ReachabilityLattice.cs`. |
| `UNCERTAINTY-SCORER-401-025` | `docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md` | DONE (2025-12-13) | Reachability risk score now uses configurable entropy weights and is aligned with `UncertaintyDocument.RiskScore`; tests cover tier/entropy scoring. |
| `UNKNOWNS-DECAY-3601-001` | `docs/implplan/SPRINT_3601_0001_0001_unknowns_decay_algorithm.md` | DONE (2025-12-17) | Implemented decay worker/service, signal refresh hook, and deterministic unit/integration tests. |
| `TRI-MASTER-0003` | `docs/implplan/SPRINT_3600_0001_0001_triage_unknowns_master.md` | DONE (2025-12-17) | Synced Signals AGENTS with Unknowns scoring/decay contracts and configuration sections. |
| `GATE-3405-011` | `docs/implplan/SPRINT_3405_0001_0001_gate_multipliers.md` | DONE (2025-12-18) | Applied gate multipliers in `ReachabilityScoringService` using path gate evidence from callgraph edges. |
| `GATE-3405-012` | `docs/implplan/SPRINT_3405_0001_0001_gate_multipliers.md` | DONE (2025-12-18) | Extended reachability fact evidence contract + digest to include `GateMultiplierBps` and `Gates`. |
| `GATE-3405-016` | `docs/implplan/SPRINT_3405_0001_0001_gate_multipliers.md` | DONE (2025-12-18) | Added deterministic parser/normalizer/scoring coverage for gate propagation + multiplier effect. |
| `SIG-CG-3104-001` | `docs/implplan/archived/SPRINT_3104_0001_0001_signals_callgraph_projection_completion.md` | DONE (2025-12-18) | Defined `ICallGraphSyncService` contract for projecting callgraphs into relational tables. |
| `SIG-CG-3104-002` | `docs/implplan/archived/SPRINT_3104_0001_0001_signals_callgraph_projection_completion.md` | DONE (2025-12-18) | Implemented `CallGraphSyncService` + projection repositories with deterministic ordering. |
| `SIG-CG-3104-003` | `docs/implplan/archived/SPRINT_3104_0001_0001_signals_callgraph_projection_completion.md` | DONE (2025-12-18) | Wired projection trigger in `CallgraphIngestionService` post-upsert. |
| `SIG-CG-3104-004` | `docs/implplan/archived/SPRINT_3104_0001_0001_signals_callgraph_projection_completion.md` | DONE (2025-12-18) | Added unit/integration tests for projection + query semantics. |
| `SIG-CG-3104-005` | `docs/implplan/archived/SPRINT_3104_0001_0001_signals_callgraph_projection_completion.md` | DONE (2025-12-18) | Archived sprint 3104 and refreshed module bookkeeping. |

View File

@@ -1,25 +0,0 @@
# TASKS · TaskRunner (Sprint 0157-0001-0001)
| Task ID | Status | Sprint | Dependency | Notes |
| --- | --- | --- | --- | --- |
| TASKRUN-41-001 | DONE (2025-11-30) | SPRINT_0157_0001_0001_taskrunner_i | — | Implemented run API, Mongo/file stores, approvals, provenance manifest per architecture contract. |
| TASKRUN-AIRGAP-56-001 | DONE (2025-11-30) | SPRINT_0157_0001_0001_taskrunner_i | TASKRUN-41-001 | Sealed-mode plan validation; depends on 41-001. |
| TASKRUN-AIRGAP-56-002 | DONE (2025-12-03) | SPRINT_0157_0001_0001_taskrunner_i | TASKRUN-AIRGAP-56-001 | Bundle ingestion helpers; depends on 56-001. |
| TASKRUN-AIRGAP-57-001 | BLOCKED (2025-11-30) | SPRINT_0157_0001_0001_taskrunner_i | TASKRUN-AIRGAP-56-002 | Sealed install enforcement; depends on 56-002. |
| TASKRUN-AIRGAP-58-001 | BLOCKED (2025-11-30) | SPRINT_0157_0001_0001_taskrunner_i | TASKRUN-AIRGAP-57-001 | Evidence bundles for imports; depends on 57-001. |
| TASKRUN-42-001 | BLOCKED (2025-11-25) | SPRINT_0157_0001_0001_taskrunner_i | — | Execution engine enhancements (loops/conditionals/maxParallel), simulation mode, policy gate integration. Blocked: loop/conditional semantics and policy-gate evaluation contract not published. |
| TASKRUN-OAS-61-001 | BLOCKED (2025-11-30) | SPRINT_0157_0001_0001_taskrunner_i | TASKRUN-41-001 | Document APIs; depends on 41-001. |
| TASKRUN-OAS-61-002 | BLOCKED (2025-11-30) | SPRINT_0157_0001_0001_taskrunner_i | TASKRUN-OAS-61-001 | Well-known OpenAPI endpoint; depends on 61-001. |
| TASKRUN-OAS-62-001 | BLOCKED (2025-11-30) | SPRINT_0157_0001_0001_taskrunner_i | TASKRUN-OAS-61-002 | SDK examples; depends on 61-002. |
| TASKRUN-OAS-63-001 | BLOCKED (2025-11-30) | SPRINT_0157_0001_0001_taskrunner_i | TASKRUN-OAS-62-001 | Deprecation headers/notifications; depends on 62-001. |
| TASKRUN-OBS-50-001 | DONE (2025-11-25) | SPRINT_0157_0001_0001_taskrunner_i | — | Telemetry core adoption. |
| TASKRUN-OBS-51-001 | DONE (2025-11-25) | SPRINT_0157_0001_0001_taskrunner_i | TASKRUN-OBS-50-001 | Metrics/SLOs; depends on 50-001. |
| TASKRUN-OBS-52-001 | BLOCKED (2025-11-25) | SPRINT_0157_0001_0001_taskrunner_i | TASKRUN-OBS-51-001 | Timeline events; blocked: schema/evidence-pointer contract not published. |
| TASKRUN-OBS-53-001 | BLOCKED (2025-11-25) | SPRINT_0157_0001_0001_taskrunner_i | TASKRUN-OBS-52-001 | Evidence locker snapshots; blocked: waiting on timeline schema/pointer contract. |
| TASKRUN-GAPS-157-014 | DONE (2025-12-05) | SPRINT_0157_0001_0001_taskrunner_i | — | TP1TP10 remediation: canonical plan-hash recipe, inputs.lock evidence, approval DSSE ledger, redaction, deterministic RNG/time, sandbox/egress quotas, registry signing + SBOM + revocation, offline bundle schema + verifier script, SLO/alerting, fail-closed gates. |
| MR-T10.7.1 | DONE (2025-12-11) | SPRINT_3410_0001_0001_mongodb_final_removal | ƒ?" | TaskRunner WebService now filesystem-only; removed Mongo wiring and dependencies. |
| MR-T10.7.2 | DONE (2025-12-11) | SPRINT_3410_0001_0001_mongodb_final_removal | MR-T10.7.1 | TaskRunner Worker uses filesystem storage only; removed Mongo wiring and options. |
| MR-T10.7.3 | DONE (2025-12-11) | SPRINT_3410_0001_0001_mongodb_final_removal | MR-T10.7.2 | Removed Mongo storage implementations/tests; dropped Mongo2Go dependency. |
Status source of truth: `docs/implplan/SPRINT_0157_0001_0001_taskrunner_i.md`. Update both files together. Keep UTC dates when advancing status.
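
Review bot: the closing line names `docs/implplan/SPRINT_0157_0001_0001_taskrunner_i.md` as the source of truth and says "Update both files together", but the three `MR-T10.7.*` rows belong to `SPRINT_3410_0001_0001_mongodb_final_removal`, so that statement does not cover them. Confirm those rows, and the blocker reasons in the Notes column (for example TASKRUN-42-001 and TASKRUN-OBS-52-001 waiting on unpublished contracts), are present in their respective sprint files, and remove any matching "update both files" instruction from the sprint file itself.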

View File

@@ -25,7 +25,7 @@ Deliver shared observability primitives for every StellaOps service. Provide det
- `docs/modules/platform/architecture-overview.md` - `docs/modules/platform/architecture-overview.md`
## Working Agreement ## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
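
Review bot: in Working Agreement item 1 the replacement text still reads "in both correspoding sprint file", but with the `TASKS.md` clause removed there is only one place left to update, so "both" now points at nothing. Suggest "Update task status to `DOING`/`DONE` in the corresponding sprint file `/docs/implplan/SPRINT_*.md` when you start or finish work.", which also fixes the "correspoding" typo carried over from the old line.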

View File

@@ -1,10 +0,0 @@
# Telemetry Core Local Tasks
This file mirrors sprint work for the Telemetry Core module.
| Task ID | Sprint | Status | Notes |
| --- | --- | --- | --- |
| `DET-3401-005` | `docs/implplan/SPRINT_3401_0001_0001_determinism_scoring_foundations.md` | DONE (2025-12-14) | Added `ProofCoverageMetrics` (`System.Diagnostics.Metrics`) in `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/ProofCoverageMetrics.cs` and tests in `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/ProofCoverageMetricsTests.cs`. |
| `TTFS-0338-001` | `docs/implplan/SPRINT_0338_0001_0001_ttfs_foundation.md` | DONE (2025-12-15) | Added `TimeToFirstSignalMetrics`/`TimeToFirstSignalOptions`, DI extension `AddTimeToFirstSignalMetrics`, and unit tests `TimeToFirstSignalMetricsTests`. |
| `TTFS-0341-001` | `docs/implplan/SPRINT_0341_0001_0001_ttfs_enhancements.md` | DONE (2025-12-18) | Fixed metrics compilation (`Gauge<>` generics / parameter naming) and added missing `RecordScanDuration(...)` + `tte_scan_duration_seconds` histogram for TTFS telemetry. |

View File

@@ -32,7 +32,7 @@ Build the tenant-scoped timeline ingestion and query service described in Epic 1
- `docs/modules/platform/architecture-overview.md` - `docs/modules/platform/architecture-overview.md`
## Working Agreement ## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
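
Review bot: item 1 of the Working Agreement keeps the word "both" after the `TASKS.md` half of the sentence was dropped, so the timeline service charter tells contributors to update two locations while naming one. Drop "both" and, while the line is being touched, correct "correspoding" to "corresponding"; if this sentence is templated across module charters, a single search-and-replace keeps them consistent.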

View File

@@ -23,7 +23,6 @@ Deliver the VexHub aggregation service that normalizes, validates, and distribut
- `docs/modules/vexhub/architecture.md` - `docs/modules/vexhub/architecture.md`
## Working Agreement ## Working Agreement
- Update task status in `/docs/implplan/SPRINT_*.md` and `src/VexHub/TASKS.md` when work starts or completes.
- Keep outputs deterministic (stable ordering, UTC timestamps, canonical JSON where applicable). - Keep outputs deterministic (stable ordering, UTC timestamps, canonical JSON where applicable).
- Honor offline/air-gap constraints; only allow upstream fetches via configured connectors. - Honor offline/air-gap constraints; only allow upstream fetches via configured connectors.
- Document contract changes in module docs and sprint Decisions & Risks. - Document contract changes in module docs and sprint Decisions & Risks.
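Review bot: The Working Agreement loses its status-update bullet entirely here (the hunk goes from 7 lines to 6), whereas the sibling charters in this commit keep the sprint-file half of the rule and drop only the `TASKS.md` half. After this change, nothing in this section tells contributors to record task status in `/docs/implplan/SPRINT_*.md`. Suggest keeping the bullet as "Update task status in `/docs/implplan/SPRINT_*.md` when work starts or completes."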

View File

@@ -1,29 +0,0 @@
# VexHub Local Tasks
| Task ID | Status | Sprint | Dependency | Notes |
| --- | --- | --- | --- | --- |
| HUB-001 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | - | Create `StellaOps.VexHub` module structure. |
| HUB-002 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-001 | Define VexHub domain models. |
| HUB-003 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-001 | Create PostgreSQL schema for VEX aggregation. |
| HUB-004 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-001 | Set up web service skeleton. |
| HUB-005 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-004 | Create VexIngestionScheduler. |
| HUB-006 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-005 | Implement source polling orchestration. |
| HUB-007 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-005 | Create VexNormalizationPipeline. |
| HUB-008 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-007 | Implement deduplication logic. |
| HUB-009 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-008 | Detect and flag conflicting statements. |
| HUB-010 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-008 | Store normalized VEX with provenance. |
| HUB-011 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-004 | Implement signature verification for signed VEX. |
| HUB-012 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-011 | Add schema validation (OpenVEX, CycloneDX, CSAF). |
| HUB-013 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-010 | Track and store provenance metadata. |
| HUB-014 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-011 | Flag unverified/untrusted statements. |
| HUB-015 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-004 | Implement GET /api/v1/vex/cve/{cve-id}. |
| HUB-016 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-015 | Implement GET /api/v1/vex/package/{purl}. |
| HUB-017 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-015 | Implement GET /api/v1/vex/source/{source-id}. |
| HUB-018 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-015 | Add pagination and filtering. |
| HUB-019 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-015 | Implement subscription/webhook for updates. |
| HUB-020 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-015 | Add rate limiting and authentication. |
| HUB-021 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-015 | Implement OpenVEX bulk export. |
| HUB-022 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-021 | Create index manifest (vex-index.json). |
| HUB-023 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-021 | Test with Trivy --vex-url. |
| HUB-024 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-021 | Test with Grype VEX support. |
| HUB-025 | DONE | SPRINT_4500_0001_0001_vex_hub_aggregation | HUB-021 | Document integration instructions. |

View File

@@ -16,7 +16,6 @@ Deliver the VEX Consensus Lens service that normalizes VEX evidence, computes de
5. **Secure & auditable** signature verification, issuer metadata, logging of conflicts, support for compliance queries. 5. **Secure & auditable** signature verification, issuer metadata, logging of conflicts, support for compliance queries.
## Collaboration ## Collaboration
- Keep `src/VexLens/StellaOps.VexLens/TASKS.md`, `/docs/implplan/SPRINT_*.md` synchronized.
- Share schemas/OpenAPI with Console & CLI; publish mapping docs and test fixtures. - Share schemas/OpenAPI with Console & CLI; publish mapping docs and test fixtures.
- Coordinate with Policy Engine on trust knobs and Vuln Explorer on UI integration. - Coordinate with Policy Engine on trust knobs and Vuln Explorer on UI integration.
@@ -34,7 +33,7 @@ Deliver the VEX Consensus Lens service that normalizes VEX evidence, computes de
- `docs/modules/platform/architecture-overview.md` - `docs/modules/platform/architecture-overview.md`
## Working Agreement ## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

View File

@@ -1,28 +0,0 @@
# TASKS · VexLens (Sprint 0129-0001-0001)
| Task ID | Status | Sprint | Dependency | Notes |
| --- | --- | --- | --- | --- |
| VEXLENS-30-001 | DONE | SPRINT_0129_0001_0001_policy_reasoning | — | Completed 2025-12-06: Implemented VexLensNormalizer with format detection, fallback parsing, and Excititor integration. 20 unit tests pass. |
| VEXLENS-30-002 | DONE | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-30-001 | Completed 2025-12-06: Implemented IProductMapper, PurlParser, CpeParser, ProductMapper with PURL/CPE parsing, identity matching (Exact/Normal/Loose/Fuzzy), and 69 unit tests pass. |
| VEXLENS-30-003 | DONE | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-30-002 | Completed 2025-12-06: Implemented ISignatureVerifier, IIssuerDirectory, InMemoryIssuerDirectory, SignatureVerifier with DSSE/JWS/Ed25519/ECDSA support. Build succeeds. |
| VEXLENS-30-004 | DONE | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-30-003 | Completed 2025-12-06: Implemented ITrustWeightEngine, TrustWeightEngine with 9 trust factors (issuer, signature, freshness, etc.) and configurable weights. Build succeeds. |
| VEXLENS-30-005 | DONE | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-30-004 | Completed 2025-12-06: Implemented IVexConsensusEngine, VexConsensusEngine with 5 consensus modes (HighestWeight, WeightedVote, Lattice, AuthoritativeFirst, MostRecent) and VEX status lattice semantics. Build succeeds. |
| VEXLENS-30-006 | DONE | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-30-005 | Completed 2025-12-06: IConsensusProjectionStore, InMemoryConsensusProjectionStore, IConsensusEventEmitter with ConsensusComputedEvent/StatusChangedEvent/ConflictDetectedEvent. Build succeeds. |
| VEXLENS-30-007 | DONE | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-30-006 | Completed 2025-12-06: IVexLensApiService, VexLensApiService with full consensus/projection/issuer APIs. OpenAPI spec at docs/api/vexlens-openapi.yaml. Build succeeds. |
| VEXLENS-30-008 | DONE | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-30-007 | Completed 2025-12-06: IPolicyEngineIntegration, PolicyEngineIntegration, IVulnExplorerIntegration, VulnExplorerIntegration with VEX suppression checking, severity adjustment, enrichment, and search APIs. Build succeeds. |
| VEXLENS-30-009 | DONE | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-30-008 | Completed 2025-12-06: VexLensMetrics with full OpenTelemetry metrics, VexLensActivitySource for tracing, VexLensLogEvents for structured logging. Build succeeds. |
| VEXLENS-30-010 | DONE | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-30-009 | Completed 2025-12-06: VexLensTestHarness, DeterminismHarness with determinism verification for normalization/consensus/trust, VexLensTestData generators. Build succeeds. |
| VEXLENS-30-011 | DONE | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-30-010 | Completed 2025-12-06: Architecture doc, deployment runbook, offline kit guide at docs/modules/vexlens/. OpenAPI spec at docs/api/vexlens-openapi.yaml. |
| VEXLENS-AIAI-31-001 | BLOCKED | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-30-011 | Consensus rationale API enhancements; needs consensus API finalization. |
| VEXLENS-AIAI-31-002 | BLOCKED | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-AIAI-31-001 | Caching hooks for Advisory AI; requires rationale API shape. |
| VEXLENS-EXPORT-35-001 | BLOCKED | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-30-011 | Snapshot API for mirror bundles; export profile pending. |
| VEXLENS-ORCH-33-001 | BLOCKED | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-30-011 | Register consensus compute job; orchestrator contract TBD. |
| VEXLENS-ORCH-34-001 | BLOCKED | SPRINT_0129_0001_0001_policy_reasoning | VEXLENS-ORCH-33-001 | Emit completion events to orchestrator ledger; needs job spec. |
Status source of truth: `docs/implplan/SPRINT_0129_0001_0001_policy_reasoning.md`. Update both files together. Keep UTC dates when advancing status.
## Sprint 3410_0001_0001 · MongoDB Final Removal
| Task ID | Status | Sprint | Dependency | Notes |
| --- | --- | --- | --- | --- |
| VEXLENS-3410-001 | DONE | SPRINT_3410_0001_0001_mongodb_final_removal.md | - | Removed MongoDB storage driver path from options/DI; VexLens now in-memory only until persistent provider (Postgres) lands. |
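Review bot: Five rows in this deleted table are BLOCKED with the blocking reason given in the Notes column (VEXLENS-AIAI-31-001, VEXLENS-AIAI-31-002, VEXLENS-EXPORT-35-001, VEXLENS-ORCH-33-001, VEXLENS-ORCH-34-001). The file itself names `docs/implplan/SPRINT_0129_0001_0001_policy_reasoning.md` as the status source of truth, so removing the mirror is consistent, but please confirm that the sprint file carries those reasons before this lands. The VEXLENS-3410-001 row also records that VexLens is in-memory only until a Postgres provider lands. That is an operational constraint and should be kept in the module docs rather than removed along with the task board.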

View File

@@ -16,7 +16,6 @@ Expose policy-aware vulnerability listing, detail, simulation, workflow, and exp
5. **Secure** RBAC/ABAC enforced server-side; exports signed; attachments served via scoped URLs. 5. **Secure** RBAC/ABAC enforced server-side; exports signed; attachments served via scoped URLs.
## Collaboration ## Collaboration
- Keep `src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md`, `/docs/implplan/SPRINT_*.md` synchronized.
- Coordinate schemas with Findings Ledger, Console, CLI, and Docs; publish OpenAPI + JSON schemas. - Coordinate schemas with Findings Ledger, Console, CLI, and Docs; publish OpenAPI + JSON schemas.
- Work with DevOps/Observability for performance dashboards and SLOs. - Work with DevOps/Observability for performance dashboards and SLOs.
@@ -34,7 +33,7 @@ Expose policy-aware vulnerability listing, detail, simulation, workflow, and exp
- `docs/modules/platform/architecture-overview.md` - `docs/modules/platform/architecture-overview.md`
## Working Agreement ## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

View File

@@ -1,7 +0,0 @@
# Vuln Explorer API Tasks (Sprint 0129-0001-0001)
| Task ID | Status | Notes |
| --- | --- | --- |
| VULN-API-29-001 | DONE (2025-11-25) | OpenAPI v1 draft published at `docs/modules/vuln-explorer/openapi/vuln-explorer.v1.yaml` with tenant header, filters, deterministic paging. |
| VULN-API-29-002 | DONE (2025-11-25) | Implemented `/v1/vulns` list + `/v1/vulns/{id}` detail with deterministic paging/filtering, sample data, Swagger UI; tests green (`tests/TestResults/vuln-explorer/api.trx`). |
| VULN-API-29-003 | DONE (2025-11-25) | Detail endpoint now returns rationale, paths, evidence references; covered by Vuln Explorer API integration tests. |

View File

@@ -11,7 +11,7 @@ Design and build the StellaOps web user experience that surfaces backend capabil
- Favor modular Angular architecture (feature modules, shared UI kit) with strong typing via latest TypeScript/Angular releases. - Favor modular Angular architecture (feature modules, shared UI kit) with strong typing via latest TypeScript/Angular releases.
- Align UI flows with backend contracts; coordinate with Authority and Concelier teams for API changes. - Align UI flows with backend contracts; coordinate with Authority and Concelier teams for API changes.
- Keep assets and build outputs deterministic and cacheable for Offline Kit packaging. - Keep assets and build outputs deterministic and cacheable for Offline Kit packaging.
- Track work using the local `TASKS.md` board; keep statuses (TODO/DOING/REVIEW/BLOCKED/DONE) up to date. - Coordinate cross-module changes via docs/implplan/SPRINT*.md files updates and PR descriptions.
- Console admin flows use Authority `/console/admin/*` APIs and enforce fresh-auth for privileged actions. - Console admin flows use Authority `/console/admin/*` APIs and enforce fresh-auth for privileged actions.
- Branding uses Authority `/console/branding` and applies only whitelisted CSS variables. - Branding uses Authority `/console/branding` and applies only whitelisted CSS variables.
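Review bot: The line that replaces the `TASKS.md` bullet is not an equivalent rule. The old line told contributors to keep task statuses (TODO/DOING/REVIEW/BLOCKED/DONE) current, while the new one is about coordinating cross-module changes, so the status vocabulary, including REVIEW and BLOCKED, is no longer stated in this hunk. If the intent is to track status in the sprint files, say so and keep the state list. The path is also written as docs/implplan/SPRINT*.md, without backticks and without the underscore used elsewhere in this commit (`SPRINT_*.md`), and "files updates" should read "file updates".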
@@ -70,7 +70,7 @@ Design and build the StellaOps web user experience that surfaces backend capabil
- `docs/architecture/console-branding.md` - `docs/architecture/console-branding.md`
## Working Agreement ## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

View File

@@ -1,55 +0,0 @@
# Web Guild Tasks
| Task ID | State | Notes |
| --- | --- | --- |
| WEB-AOC-19-002 | DONE (2025-11-30) | Added provenance builder, checksum utilities, and DSSE/CMS signature verification helpers with unit tests. |
| WEB-AOC-19-003 | DONE (2025-11-30) | Added client-side guard validator (forbidden/derived/unknown fields, provenance/signature checks) with unit fixtures. |
| WEB-AIAI-31-001 | DONE (2025-12-12) | Advisory AI gateway contract + samples shipped (`docs/api/gateway/advisory-ai.md`); web SDK client added (`src/app/core/api/advisory-ai.client.ts`). |
| WEB-AIAI-31-002 | DONE (2025-12-12) | SSE job event streaming implemented + unit spec (`src/app/core/api/advisory-ai.client.spec.ts`). |
| WEB-AIAI-31-003 | DONE (2025-12-12) | Telemetry headers + prompt hash support; documented guardrail surface for audit visibility. |
| WEB-CONSOLE-23-002 | DONE (2025-12-04) | console/status polling + run stream client/store/UI shipped; samples verified in `docs/api/console/samples/`. |
| WEB-CONSOLE-23-003 | DONE (2025-12-07) | Exports client/store/service + models shipped; targeted Karma specs green locally with CHROME_BIN override (`node ./node_modules/@angular/cli/bin/ng.js test --watch=false --browsers=ChromeHeadless --include console-export specs`). Backend manifest/limits v0.4 published; awaiting final Policy/DevOps sign-off but UI/client slice complete. |
| WEB-RISK-66-001 | DONE (2025-12-20) | Gateway routing/client slice completed; Angular unit tests now run and pass (`npm test`), clearing the prior npm/CI blocker. |
| WEB-EXC-25-001 | DONE (2025-12-12) | Exception contract + sample updated (`docs/api/console/exception-schema.md`); `ExceptionApiHttpClient` enforces scopes + trace/tenant headers with unit spec. |
| WEB-EXC-25-002 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/policy-exceptions.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/policy-exceptions.client.ts`. |
| WEB-EXC-25-003 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/exception-events.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/exception-events.client.ts`. |
| WEB-LNM-21-001 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/advisories.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/advisories.client.ts`. |
| WEB-LNM-21-002 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/vex-evidence.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/vex-evidence.client.ts`. |
| WEB-LNM-21-003 | DONE (2025-12-12) | Contract + sample in `docs/api/gateway/policy-evidence.md`; composition client + deterministic mock + unit spec in `src/Web/StellaOps.Web/src/app/core/api/policy-evidence.client.ts`. |
| WEB-ORCH-32-001 | DONE (2025-12-12) | Contract + sample in `docs/api/gateway/orchestrator.md`; web SDK client + deterministic mock + unit spec in `src/Web/StellaOps.Web/src/app/core/api/orchestrator.client.ts`. |
| WEB-ORCH-33-001 | DONE (2025-12-12) | Orchestrator control SDK shipped (`src/app/core/api/orchestrator-control.*`) with unit spec; gateway contract + samples updated in `docs/api/gateway/orchestrator.md`. |
| WEB-ORCH-34-001 | DONE (2025-12-12) | Quota/metrics surfaces documented + sampled (`docs/api/gateway/orchestrator.md` + samples) and covered by `OrchestratorControlHttpClient` unit spec. |
| WEB-TEN-47-CONTRACT | DONE (2025-12-01) | Gateway tenant auth/ABAC contract doc v1.0 published (`docs/api/gateway/tenant-auth.md`). |
| WEB-VULN-29-LEDGER-DOC | DONE (2025-12-01) | Findings Ledger proxy contract doc v1.0 with idempotency + retries (`docs/api/gateway/findings-ledger-proxy.md`). |
| WEB-RISK-68-NOTIFY-DOC | DONE (2025-12-01) | Notifications severity transition event schema v1.0 published (`docs/api/gateway/notifications-severity.md`). |
| UI-MICRO-GAPS-0209-011 | BLOCKED (2025-12-06) | Motion token catalog + Storybook/Playwright a11y harness added; remaining work paused pending SIG-26 reachability fixtures and final token mapping approvals. |
| UI-POLICY-20-001 | DONE (2025-12-05) | Policy Studio Monaco editor with DSL highlighting, lint markers, and compliance checklist shipped; Karma spec now passes locally via Monaco loader file-replacement stub + Playwright Chromium/.deps NSS libs. |
| UI-POLICY-20-002 | DONE (2025-12-05) | Simulation panel with deterministic diff rendering shipped (`/policy-studio/packs/:packId/simulate`). |
| UI-POLICY-20-003 | DONE (2025-12-05) | Approvals workflow UI delivered with submit/review actions, two-person badge, and deterministic log. |
| UI-POLICY-20-004 | DONE (2025-12-05) | Policy run dashboards delivered with filters, exports, heatmap, and daily deltas. |
| UI-POLICY-23-000 | DONE (2025-12-05) | Added Policy Studio nav dropdown with pack selector and persisted selection. |
| UI-POLICY-23-001 | DONE (2025-12-05) | Workspace route `/policy-studio/packs` with pack list + quick actions; cached pack store with offline fallback. |
| UI-POLICY-23-002 | DONE (2025-12-05) | YAML editor route `/policy-studio/packs/:packId/yaml` with canonical preview and lint diagnostics. |
| UI-POLICY-23-003 | DONE (2025-12-05) | Rule Builder route `/policy-studio/packs/:packId/rules` with guided inputs and deterministic preview JSON. |
| UI-POLICY-23-004 | DONE (2025-12-05) | Approval workflow UI with checklist/schedule/comments; targeted Karma spec now passes locally using Playwright Chromium + bundled NSS libs (`CHROME_BIN=$HOME/.cache/ms-playwright/chromium-1140/chrome-linux/chrome`, `LD_LIBRARY_PATH=$PWD/.deps/usr/lib/x86_64-linux-gnu`). |
| UI-POLICY-23-005 | DONE (2025-12-05) | Simulator updated with SBOM/advisory pickers and explain trace view; uses PolicyApiService simulate. |
| UI-POLICY-23-006 | DONE (2025-12-06) | Explain view route `/policy-studio/packs/:packId/explain/:runId` with trace + JSON/PDF export (uses offline-safe jsPDF shim). |
| UI-POLICY-23-001 | DONE (2025-12-05) | Workspace route `/policy-studio/packs` with pack list + quick actions; cached pack store with offline fallback. |
| CVSS-UI-190-011 | DONE (2025-12-07) | Added CVSS receipt viewer route (/cvss/receipts/:receiptId) with score badge, tabbed sections, stub client, and unit spec in src/Web/StellaOps.Web. |
| UI-POLICY-27-001 | DONE (2025-12-12) | Policy Studio RBAC guards + nav gating aligned to `policy:author/review/approve/operate/audit/simulate`; auth fixtures/e2e aligned; `ng test` + `playwright test` green. |
| UI-SIG-26-001 | DONE (2025-12-12) | Vulnerability Explorer reachability column/filter/tooltips with deterministic stub data; hooks Why drawer. |
| UI-SIG-26-002 | DONE (2025-12-12) | Reachability Why drawer with deterministic call paths/timeline/evidence (MockSignalsClient). |
| UI-SIG-26-003 | DONE (2025-12-12) | SBOM Graph reachability halo overlay + time slider + legend (deterministic overlay state). |
| UI-SIG-26-004 | DONE (2025-12-12) | Reachability Center view (coverage/missing/stale) using deterministic fixture rows; swap to upstream datasets when published. |
| UI-TRIAGE-0215-001 | DONE (2025-12-12) | Triage artifacts list + workspace routes (`/triage/artifacts`, `/triage/artifacts/:artifactId`) with overview/reachability/policy/attestations tabs + signed evidence detail modal. |
| UI-VEX-0215-001 | DONE (2025-12-12) | VEX-first triage modal with scope/validity/evidence/review sections and bulk apply; wired via `src/app/core/api/vex-decisions.client.ts`. |
| UI-AUDIT-0215-001 | DONE (2025-12-12) | Immutable audit bundle button + wizard/history views; download via `GET /v1/audit-bundles/{bundleId}` (`Accept: application/octet-stream`) using `src/app/core/api/audit-bundles.client.ts`. |
| WEB-TRIAGE-0215-001 | DONE (2025-12-12) | Added triage TS models + web SDK clients (VEX decisions, audit bundles, vuln-scan attestation predicate) and fixed `scripts/chrome-path.js` so `npm test` runs on Windows Playwright Chromium. |
| UI-VEX-0215-A11Y | DONE (2025-12-12) | Added dialog semantics + focus trap for `VexDecisionModalComponent` and Playwright Axe coverage in `tests/e2e/a11y-smoke.spec.ts`. |
| UI-TRIAGE-0215-FIXTURES | DONE (2025-12-12) | Made quickstart mock fixtures deterministic for triage surfaces (VEX decisions, audit bundles, vulnerabilities) to support offline-kit hashing and stable tests. |
| UI-TRIAGE-4601-001 | DONE (2025-12-15) | Keyboard shortcuts for triage workspace (SPRINT_4601_0001_0001_keyboard_shortcuts.md). |
| UI-TRIAGE-4602-001 | DONE (2025-12-15) | Finish triage decision drawer/evidence pills QA: component specs + Storybook stories (SPRINT_4602_0001_0001_decision_drawer_evidence_tab.md). |
| UI-TTFS-0340-001 | DONE (2025-12-18) | FirstSignalCard UI component + client/store/tests + TTFS telemetry client/sampling + i18n micro-copy (SPRINT_0340_0001_0001_first_signal_card_ui.md). |
| WEB-TTFS-0341-001 | DONE (2025-12-18) | Extend FirstSignal client models with `lastKnownOutcome` (SPRINT_0341_0001_0001_ttfs_enhancements.md). |
| TRI-MASTER-0009 | DONE (2025-12-17) | Added Playwright E2E coverage for triage workflow (tabs, VEX modal, decision drawer, evidence pills). |
| UI-EXC-3900-0003-0002-T7 | DONE (2025-12-22) | Exception wizard updated with recheck policy and evidence requirement steps plus unit coverage. |

View File

@@ -17,10 +17,9 @@ Implement the node-level observer that monitors running workloads, detects drift
- `docs/modules/scanner/design/surface-validation.md` - `docs/modules/scanner/design/surface-validation.md`
- `docs/modules/scanner/architecture.md` (runtime posture sections) - `docs/modules/scanner/architecture.md` (runtime posture sections)
- `docs/modules/airgap/airgap-mode.md` - `docs/modules/airgap/airgap-mode.md`
- Any runtime-specific design notes referenced in `TASKS.md`.
## Working Agreement ## Working Agreement
1. **Status updates**: mark tasks `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting/finishing work. 1. **Status updates**: mark tasks `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` when starting/finishing work.
2. **Surface compliance**: rely on Surface libraries for cache/env/secret handling; run validators before collecting evidence. 2. **Surface compliance**: rely on Surface libraries for cache/env/secret handling; run validators before collecting evidence.
3. **Deterministic evidence**: normalise timestamps, hashes, and paths; ensure outputs remain stable for replay/audit. 3. **Deterministic evidence**: normalise timestamps, hashes, and paths; ensure outputs remain stable for replay/audit.
4. **Security**: enforce Authority scopes (OpToks, mTLS/DPoP), redaction of sensitive fields, and namespace isolation. 4. **Security**: enforce Authority scopes (OpToks, mTLS/DPoP), redaction of sensitive fields, and namespace isolation.

View File

@@ -21,7 +21,7 @@ Operate the Kubernetes admission webhook enforcing image/SBOM/attestation polici
- `docs/modules/devops/runbooks/zastava-deployment.md` - `docs/modules/devops/runbooks/zastava-deployment.md`
## Working Agreement ## Working Agreement
1. **Task state**: update corresponding sprint file `docs/implplan/SPRINT_*.md` and local `TASKS.md` to `DOING`/`DONE` as you start or complete work. 1. **Task state**: update corresponding sprint file `docs/implplan/SPRINT_*.md` to `DOING`/`DONE` as you start or complete work.
2. **Surface usage**: fetch cache manifests via Surface.FS, configuration via Surface.Env, secrets via Surface.Secrets; run validators before enforcing policies. 2. **Surface usage**: fetch cache manifests via Surface.FS, configuration via Surface.Env, secrets via Surface.Secrets; run validators before enforcing policies.
3. **Deterministic verdicts**: avoid non-deterministic data in admission responses; include explain traces referencing evidence IDs. 3. **Deterministic verdicts**: avoid non-deterministic data in admission responses; include explain traces referencing evidence IDs.
4. **Security**: enforce mTLS, Authority OpTok scopes, and tenant context; audit all allow/deny decisions. 4. **Security**: enforce mTLS, Authority OpTok scopes, and tenant context; audit all allow/deny decisions.

View File

@@ -20,7 +20,7 @@ Maintain shared domain models, policy evaluation helpers, and event contracts us
- `docs/modules/devops/runbooks/zastava-deployment.md` - `docs/modules/devops/runbooks/zastava-deployment.md`
## Working Agreement ## Working Agreement
1. **Status alignment**: mark tasks `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` at start/finish. 1. **Status alignment**: mark tasks `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` at start/finish.
2. **Compatibility**: version event schemas/models; provide migration notes and ensure Observer/Webhook consumers stay in lock-step. 2. **Compatibility**: version event schemas/models; provide migration notes and ensure Observer/Webhook consumers stay in lock-step.
3. **Determinism**: avoid wall-clock or random values in shared models; normalise timestamps; maintain canonical ordering. 3. **Determinism**: avoid wall-clock or random values in shared models; normalise timestamps; maintain canonical ordering.
4. **Security & tenancy**: include tenant identifiers and audit fields where required; document contract changes for other guilds. 4. **Security & tenancy**: include tenant identifiers and audit fields where required; document contract changes for other guilds.

View File

@@ -17,7 +17,7 @@ Provide key management abstractions and drivers (file, cloud KMS, HSM, FIDO2) fo
- `docs/modules/platform/architecture-overview.md` - `docs/modules/platform/architecture-overview.md`
## Working Agreement ## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

View File

@@ -1,6 +0,0 @@
# CryptoPro Plugin Tasks
- [ ] SEC-CRYPTO-90-019: Run fork test suite on Windows runner with CryptoPro CSP; capture results.
- [ ] SEC-CRYPTO-90-020: Run plugin smoke (sign/verify) on Windows runner with CSP; capture results.
- [ ] Add platform gating in CI: ensure `cryptopro-optin` workflow wired to Windows runner that has CSP installed.
- [ ] Publish runbook updates after tests pass (link to docs/security/rootpack_ru_crypto_fork.md).
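Review bot: All four checklist items in this deleted file are still unchecked, and unlike the other removed task boards in this commit, the entries name no sprint file. Nothing visible here shows where SEC-CRYPTO-90-019 and SEC-CRYPTO-90-020 (the CryptoPro CSP fork test suite and the sign/verify smoke run) or the `cryptopro-optin` CI gating item will be tracked after this commit. Suggest moving them into a `docs/implplan/SPRINT_*.md` file in the same change, or naming the sprint that already owns them in the commit message.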

View File

@@ -7,7 +7,7 @@ Team 8 owns the end-to-end security posture for StellaOps Authority and its cons
## Operational Boundaries ## Operational Boundaries
- Primary workspace: `src/__Libraries/StellaOps.Cryptography`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Storage.Postgres`, and Authority host (`src/Authority/StellaOps.Authority/StellaOps.Authority`). - Primary workspace: `src/__Libraries/StellaOps.Cryptography`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Storage.Postgres`, and Authority host (`src/Authority/StellaOps.Authority/StellaOps.Authority`).
- Coordinate cross-module changes via TASKS.md updates and PR descriptions. - Coordinate cross-module changes via docs/implplan/SPRINT*.md files updates and PR descriptions.
- Never bypass deterministic behaviour (sorted keys, stable timestamps). - Never bypass deterministic behaviour (sorted keys, stable timestamps).
- Tests live alongside owning projects (`*.Tests`). Extend goldens instead of rewriting. - Tests live alongside owning projects (`*.Tests`). Extend goldens instead of rewriting.
@@ -25,7 +25,7 @@ Team 8 owns the end-to-end security posture for StellaOps Authority and its cons
- `docs/modules/platform/architecture-overview.md` - `docs/modules/platform/architecture-overview.md`
## Working Agreement ## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
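Review bot: in Working Agreement item 1 the word "both" is left over now that only one location remains, so the sentence reads "in both correspoding sprint file ... when you start or finish work". Drop "both", fix the existing typo "correspoding" while the line is being touched, and consider removing the leading slash from `/docs/implplan/SPRINT_*.md` so the path matches the relative form used in the other charters.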

View File

@@ -17,7 +17,7 @@ Maintain the shared plugin infrastructure used across StellaOps services (Scanne
- `docs/modules/excititor/architecture.md` - `docs/modules/excititor/architecture.md`
## Working Agreement ## Working Agreement
1. **Status sync**: update task state to `DOING`/`DONE` in corresponding sprint file `docs/implplan/SPRINT_*.md` and local `TASKS.md` whenever work begins/ends. 1. **Status sync**: update task state to `DOING`/`DONE` in corresponding sprint file `docs/implplan/SPRINT_*.md` whenever work begins/ends.
2. **Deterministic loading**: maintain ordered, reproducible plugin discovery; enforce hash verification/whitelists as documented. 2. **Deterministic loading**: maintain ordered, reproducible plugin discovery; enforce hash verification/whitelists as documented.
3. **Security**: validate manifests, restrict assembly loading paths, and expose capability checks to hosts; document hardening guidance. 3. **Security**: validate manifests, restrict assembly loading paths, and expose capability checks to hosts; document hardening guidance.
4. **Compatibility**: version public APIs carefully; provide migration guides when breaking changes occur. 4. **Compatibility**: version public APIs carefully; provide migration guides when breaking changes occur.

View File

@@ -13,7 +13,6 @@ Own shared replay domain types, canonicalisation helpers, bundle hashing utiliti
1. Maintain deterministic behaviour (lexicographic ordering, canonical JSON, fixed encodings). 1. Maintain deterministic behaviour (lexicographic ordering, canonical JSON, fixed encodings).
2. Keep APIs offline-friendly; no network dependencies. 2. Keep APIs offline-friendly; no network dependencies.
3. Coordinate schema and bundle changes with Scanner, Evidence Locker, CLI, and Docs guilds. 3. Coordinate schema and bundle changes with Scanner, Evidence Locker, CLI, and Docs guilds.
4. Update module `TASKS.md` statuses alongside `docs/implplan/SPRINT_0185_0001_0001_shared_replay_primitives.md`.
## Contacts ## Contacts
- BE-Base Platform Guild (primary) - BE-Base Platform Guild (primary)
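Review bot: item 4 is deleted outright instead of being reworded, so this charter no longer says where task status is tracked. The other charters in this commit keep the status rule and only drop the `TASKS.md` half. Suggest keeping the item as "4. Update task statuses in `docs/implplan/SPRINT_0185_0001_0001_shared_replay_primitives.md`." so the pointer to the sprint file survives.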

View File

@@ -1,17 +0,0 @@
# StellaOps.Replay.Core task board
Keep this table in sync with `docs/implplan/SPRINT_0185_0001_0001_shared_replay_primitives.md`.
| Task ID | Status | Owners | Notes |
| --- | --- | --- | --- |
| REPLAY-CORE-185-001 | DONE (2025-11-25) | BE-Base Platform Guild | Library scaffolding: manifest schema types, canonical JSON rules, Merkle utilities, DSSE payload builders. |
| REPLAY-CORE-185-002 | DONE (2025-11-25) | Platform Guild | Deterministic bundle writer (tar.zst, CAS naming) and hashing abstractions; update platform architecture doc with “Replay CAS” subsection. |
| REPLAY-CORE-185-003 | DONE (2025-11-25) | Platform Data Guild | Mongo collections (`replay_runs`, `replay_bundles`, `replay_subjects`) and indices aligned with schema doc. |
| DOCS-REPLAY-185-003 | DONE (2025-11-25) | Docs Guild · Platform Data Guild | `docs/data/replay_schema.md` detailing collections, index guidance, offline sync strategy. |
| DOCS-REPLAY-185-004 | DONE (2025-11-25) | Docs Guild | Expand `docs/replay/DEVS_GUIDE_REPLAY.md` with integration guidance and deterministic replay checklist. |
| POLICY-GAPS-185-006 | DONE (2025-12-03) | Policy Guild · Platform Guild | Policy simulation gaps PS1PS10 remediated: inputs lock schema/sample + DSSE-ready verifier, shadow isolation validator, offline CLI verifier script. |
## Status rules
- Use TODO → DOING → DONE/BLOCKED and mirror every change in the sprint Delivery Tracker.
- Note dates in parentheses when flipping to DOING/DONE for traceability.
- Capture contract or runbook changes in the relevant docs under `docs/replay` or `docs/data`.
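Review bot: the "Status rules" section at the end of this deleted file is process guidance, not a status mirror, and it goes away with the table. The TODO → DOING → DONE/BLOCKED flow, the dated status flips, and the rule to capture contract or runbook changes under `docs/replay` or `docs/data` should move into the module charter or the sprint file if they still apply. Also confirm the Notes column (for example the POLICY-GAPS-185-006 remediation summary) is present in the sprint Delivery Tracker before the board is removed.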