new advisories

docs/04_FEATURE_MATRIX.md

@@ -25,9 +25,12 @@
 |                        | High‑availability split services      | —                             | —                 | ✅ (Add‑On)          | HA Redis & Mongo                           |
 | **Extensibility**      | .NET hot‑load plug‑ins                | ✅                             | N/A               | —                   | AGPL reference SDK                         |
 |                        | Community plug‑in marketplace         | —                             | ⏳ (β Q2‑2026)     | —                   | Moderated listings                         |
-| **Telemetry**          | Opt‑in anonymous metrics              | ✅                             | —                 | —                   | Required for quota satisfaction KPI        |
-| **Quota & Tokens** | **Client‑JWT issuance** | ✅ (online 12 h token) | — | — | `/connect/token` |
-| | **Offline Client‑JWT (30 d)** | ✅ via OUK | — | — | Refreshed monthly in OUK |
+| **Telemetry**          | Opt‑in anonymous metrics              | ✅                             | —                 | —                   | Required for quota satisfaction KPI        |
+| **Quota & Tokens** | **Client‑JWT issuance** | ✅ (online 12 h token) | — | — | `/connect/token` |
+| | **Offline Client‑JWT (30 d)** | ✅ via OUK | — | — | Refreshed monthly in OUK |
+| **Reachability & Evidence** | Graph-level reachability DSSE | ⏳ (Q1‑2026) | — | — | Mandatory attestation per graph; CAS+Rekor; see `docs/reachability/hybrid-attestation.md`. |
+| | Edge-bundle DSSE (selective) | ⏳ (Q2‑2026) | — | — | Optional bundles for runtime/init/contested edges; Rekor publish capped. |
+| | Cross-scanner determinism bench | ⏳ (Q1‑2026) | — | — | CI bench from 23-Nov advisory; determinism rate + CVSS σ. |
 
 > **Legend:** ✅ = Included ⏳ = Planned — = Not applicable  
 > Rows marked “Commercial Add‑On” are optional paid components shipping outside the AGPL‑core; everything else is FOSS.