up

docs/modules/policy/architecture.md

@@ -21,7 +21,7 @@ The service operates strictly downstream of the **Aggregation-Only Contract (AOC
 - Emit CVSS v4.0 receipts with canonical hashing and policy replay/backfill rules; store tenant-scoped receipts with RBAC; export receipts deterministically (UTC/fonts/order) and flag v3.1→v4.0 conversions (see Sprint 0190 CVSS-GAPS-190-014 / `docs/modules/policy/cvss-v4.md`).
 - Emit per-finding OpenVEX decisions anchored to reachability evidence, forward them to Signer/Attestor for DSSE/Rekor, and publish the resulting artifacts for bench/verification consumers.
 - Consume reachability lattice decisions (`ReachDecision`, `docs/reachability/lattice.md`) to drive confidence-based VEX gates (not_affected / under_investigation / affected) and record the policy hash used for each decision.
-- Honor **hybrid reachability attestations**: graph-level DSSE is required input; when edge-bundle DSSEs exist, prefer their per-edge provenance for quarantine, dispute, and high-risk decisions. Quarantined edges (revoked in bundles or listed in Unknowns registry) must be excluded before VEX emission.
+- Honor **hybrid reachability attestations**: graph-level DSSE is required input; when edge-bundle DSSEs exist, prefer their per-edge provenance for quarantine, dispute, and high-risk decisions. Quarantined edges (revoked in bundles or listed in Unknowns registry) must be excluded before VEX emission. See [`docs/reachability/hybrid-attestation.md`](../../reachability/hybrid-attestation.md) for verification runbooks and offline replay steps.
 - Enforce **shadow + coverage gates** for new/changed policies: shadow runs record findings without enforcement; promotion blocked until shadow and coverage fixtures pass (see lifecycle/runtime docs). CLI/Console enforce attachment of lint/simulate/coverage evidence.
 - Operate incrementally: react to change streams (advisory/vex/SBOM deltas) with ≤ 5 min SLA.
 - Provide simulations with diff summaries for UI/CLI workflows without modifying state.

docs/modules/scanner/architecture.md

@@ -339,6 +339,7 @@ The emitted `buildId` metadata is preserved in component hashes, diff payloads,
 * WebService constructs **predicate** with `image_digest`, `stellaops_version`, `license_id`, `policy_digest?` (when emitting **final reports**), timestamps.
 * Calls **Signer** (requires **OpTok + PoE**); Signer verifies **entitlement + scanner image integrity** and returns **DSSE bundle**.
 * **Attestor** logs to **Rekor v2**; returns `{uuid,index,proof}` → stored in `artifacts.rekor`.
+* **Hybrid reachability attestations**: graph-level DSSE (mandatory) plus optional edge-bundle DSSEs for runtime/init/contested edges. See [`docs/reachability/hybrid-attestation.md`](../../reachability/hybrid-attestation.md) for verification runbooks and Rekor guidance.
 * Operator enablement runbooks (toggles, env-var map, rollout guidance) live in [`operations/dsse-rekor-operator-guide.md`](operations/dsse-rekor-operator-guide.md) per SCANNER-ENG-0015.
 
 ---

docs/modules/ui/README.md

@@ -2,18 +2,18 @@
 
 The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows.
 
-## Latest updates (2025-11-30)
-- Docs refreshed per `docs/implplan/SPRINT_0331_0001_0001_docs_modules_ui.md`; added observability runbook stub and TASKS mirror.
-- Access-control guidance from 2025-11-03 remains valid; ensure Authority scopes are verified before enabling uploads.
-
-## Responsibilities
+## Latest updates (2025-11-30)
+- Docs refreshed per `docs/implplan/SPRINT_0331_0001_0001_docs_modules_ui.md`; added observability runbook stub and TASKS mirror.
+- Access-control guidance from 2025-11-03 remains valid; ensure Authority scopes are verified before enabling uploads.
+
+## Responsibilities
 - Render real-time status for ingestion, scanning, policy, and exports via SSE.
 - Provide policy editor, SBOM explorer, and advisory views with accessibility compliance.
 - Integrate with Authority for fresh-auth and scope enforcement.
 - Support offline bundles with deterministic build outputs.
 
 ## Key components
-- Angular 17 workspace under `src/UI/StellaOps.UI`.
+- Angular 17 workspace under `src/Web/StellaOps.Web`.
 - Signals-based state management with `@ngrx/signals` store.
 - API client generator (`core/api`).
 
@@ -22,16 +22,16 @@ The Console presents operator dashboards for scans, policies, VEX evidence, runt
 - Authority for DPoP-protected calls.
 - Telemetry streams for observability dashboards.
 
-## Operational notes
-- Auth smoke tests in `operations/auth-smoke.md`.
-- Observability runbook + dashboard stub in `operations/observability.md` and `operations/dashboards/console-ui-observability.json` (offline import).
-- Console architecture doc for layout and SSE fan-out.
-- Accessibility and security guides in ../../ui/ & ../../security/.
+## Operational notes
+- Auth smoke tests in `operations/auth-smoke.md`.
+- Observability runbook + dashboard stub in `operations/observability.md` and `operations/dashboards/console-ui-observability.json` (offline import).
+- Console architecture doc for layout and SSE fan-out.
+- Accessibility and security guides in ../../ui/ & ../../security/.
 
-## Related resources
-- ./operations/auth-smoke.md
-- ./operations/observability.md
-- ./console-architecture.md
+## Related resources
+- ./operations/auth-smoke.md
+- ./operations/observability.md
+- ./console-architecture.md
 
 ## Backlog references
 - DOCS-CONSOLE-23-001 … DOCS-CONSOLE-23-003 baseline (done).