Refactor code structure for improved readability and maintainability

StellaOps Bot
2025-12-06 10:23:40 +02:00
parent 6beb9d7c4e
commit 37304cf819
78 changed files with 5471 additions and 104 deletions


@@ -17,6 +17,20 @@ Before starting work on any BLOCKED task, check this tree to understand:
- **Chained Blocked** — Blocked by another BLOCKED task
- **Module** — Module/guild name
## Ops Deployment (190.A) — Missing Release Artefacts
**Root Blocker:** Orchestrator and Policy images/digests absent from `deploy/releases/2025.09-stable.yaml`
```
Missing release artefacts (orchestrator + policy)
+-- DEPLOY-ORCH-34-001 (Ops Deployment I) — needs digests to author Helm/Compose + rollout playbook
+-- DEPLOY-POLICY-27-001 (Ops Deployment I) — needs digests/migrations to build overlays/secrets
```
**Impact:** Ops Deployment packaging cannot proceed; airgap/offline bundles will also lack orchestrator/policy components until artefacts land.
**To Unblock:** Publish orchestrator/policy images and digests into `deploy/releases/2025.09-stable.yaml` (and airgap manifest), then propagate to helm/compose values.
---
## 1. SIGNALS & RUNTIME FACTS (SGSI0101) — Critical Path
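Review bot: the new `Ops Deployment (190.A)` entry omits the `Module` line that the legend above defines for every entry, and its `To Unblock` step names the artefact file but no owner. Add a `**Module:**` line naming the guild that publishes the images, and state that the airgap manifest is updated in the same change as `deploy/releases/2025.09-stable.yaml`, so the two digest lists cannot drift; since Helm/Compose values are generated from these entries, say explicitly that they are image digests rather than tags so the offline bundles stay reproducible.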


@@ -32,17 +32,17 @@
| P1 | PREP-CONCELIER-WEB-AIRGAP-57-001-DEPENDS-ON-5 | DONE (2025-11-20) | Prep at `docs/modules/concelier/prep/2025-11-20-web-airgap-57-001-prep.md`; awaits 56-002 & WEB-OAS-61-002 inputs. | Concelier WebService Guild · AirGap Policy Guild | Document artefact for 57-001 to unblock downstream air-gap tasks. |
| 1 | CONCELIER-VULN-29-004 | BLOCKED | Depends on CONCELIER-VULN-29-001 | WebService · Observability Guild | Instrument ingestion pipelines with metrics (collisions, withdrawn statements, chunk latency); stream to Vuln Explorer unchanged. |
| 2 | CONCELIER-WEB-AIRGAP-56-001 | DONE (2025-12-06) | AirGap chain started | WebService Guild | Register mirror bundle sources, expose bundle catalog, enforce sealed-mode (block direct internet feeds). |
| 3 | CONCELIER-WEB-AIRGAP-56-002 | TODO | 56-001 done; ready to start | WebService Guild | Add staleness + bundle provenance metadata to observation/linkset endpoints. |
| 4 | CONCELIER-WEB-AIRGAP-57-001 | BLOCKED | Prep P1 done; needs 56-002 | WebService · AirGap Policy Guild | Map sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` payloads with remediation guidance. |
| 5 | CONCELIER-WEB-AIRGAP-58-001 | BLOCKED | Depends on 57-001 | WebService · AirGap Importer Guild | Emit timeline events for bundle imports (bundle ID, scope, actor) per evidence change. |
| 6 | CONCELIER-WEB-AOC-19-003 | TODO | WEB-AOC-19-002 validator done | QA Guild | Unit tests for schema validators/forbidden fields (`ERR_AOC_001/2/6/7`), supersedes chains. |
| 7 | CONCELIER-WEB-AOC-19-004 | BLOCKED | Depends on 19-003 | WebService · QA | Integration tests for large-batch ingest reproducibility; fixtures for Offline Kit. |
| 8 | CONCELIER-WEB-AOC-19-005 | TODO | WEB-AOC-19-002 validator done | WebService · QA | Fix `/advisories/{key}/chunks` seed data so raw docs resolve. |
| 9 | CONCELIER-WEB-AOC-19-006 | TODO | WEB-AOC-19-002 validator done | WebService Guild | Align auth/tenant configs with fixtures; ensure allowlist enforcement tests pass. |
| 10 | CONCELIER-WEB-AOC-19-007 | TODO | WEB-AOC-19-002 validator done | WebService · QA | Ensure AOC verify emits `ERR_AOC_001`; mapper/guard parity with regressions. |
| 3 | CONCELIER-WEB-AIRGAP-56-002 | DONE (2025-12-06) | Staleness + provenance contracts added | WebService Guild | Add staleness + bundle provenance metadata to observation/linkset endpoints. |
| 4 | CONCELIER-WEB-AIRGAP-57-001 | DONE (2025-12-06) | Egress blocked payload + remediation | WebService · AirGap Policy Guild | Map sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` payloads with remediation guidance. |
| 5 | CONCELIER-WEB-AIRGAP-58-001 | DONE | Implemented BundleImportTimelineEvent, BundleTimelineEmitter, POST /bundles/{id}/import endpoint. | WebService · AirGap Importer Guild | Emit timeline events for bundle imports (bundle ID, scope, actor) per evidence change. |
| 6 | CONCELIER-WEB-AOC-19-003 | DONE | Tests in `AdvisorySchemaValidatorTests.cs` cover ERR_AOC_001/002/006/007. | QA Guild | Unit tests for schema validators/forbidden fields (`ERR_AOC_001/2/6/7`), supersedes chains. |
| 7 | CONCELIER-WEB-AOC-19-004 | DONE | Created `LargeBatchIngestTests.cs` with reproducibility and scaling tests. | WebService · QA | Integration tests for large-batch ingest reproducibility; fixtures for Offline Kit. |
| 8 | CONCELIER-WEB-AOC-19-005 | DONE | Created `AdvisoryChunkSeedData.cs` with comprehensive fixtures. | WebService · QA | Fix `/advisories/{key}/chunks` seed data so raw docs resolve. |
| 9 | CONCELIER-WEB-AOC-19-006 | DONE | Created `AuthTenantTestFixtures.cs` + `TenantAllowlistTests.cs`. | WebService Guild | Align auth/tenant configs with fixtures; ensure allowlist enforcement tests pass. |
| 10 | CONCELIER-WEB-AOC-19-007 | DONE | Created `AocVerifyRegressionTests.cs` with comprehensive regression tests. | WebService · QA | Ensure AOC verify emits `ERR_AOC_001`; mapper/guard parity with regressions. |
| 11 | CONCELIER-WEB-OAS-61-002 | DONE (2025-12-06) | Prereq for examples/deprecation | WebService Guild | Migrate APIs to standard error envelope; update controllers/tests. |
| 12 | CONCELIER-WEB-OAS-62-001 | TODO | 61-002 done; ready to start | WebService Guild | Publish curated examples for observations/linksets/conflicts; wire into dev portal. |
| 13 | CONCELIER-WEB-OAS-63-001 | BLOCKED | Depends on 62-001 | WebService · API Governance | Emit deprecation headers/notifications steering clients to LNM APIs. |
| 12 | CONCELIER-WEB-OAS-62-001 | DONE | Created docs for lnm-linksets, observations, conflicts; updated OpenAPI spec v1.0.0 with examples. | WebService Guild | Publish curated examples for observations/linksets/conflicts; wire into dev portal. |
| 13 | CONCELIER-WEB-OAS-63-001 | TODO | 62-001 done; unblocked | WebService · API Governance | Emit deprecation headers/notifications steering clients to LNM APIs. |
| 14 | CONCELIER-WEB-OBS-51-001 | DONE (2025-11-23) | Schema 046_TLTY0101 published 2025-11-23 | WebService Guild | `/obs/concelier/health` for ingest health/queue/SLO status. |
| 15 | CONCELIER-WEB-OBS-52-001 | DONE (2025-11-24) | Depends on 51-001 | WebService Guild | SSE `/obs/concelier/timeline` with paging tokens, audit logging. |
| 16 | CONCELIER-AIAI-31-002 | DOING (2025-12-05) | Postgres configuration added to WebService; remaining: wire read-through endpoint and add `lnm.cache.*` telemetry metrics. | Concelier Core · Concelier WebService Guilds | Implement Link-Not-Merge linkset cache per `docs/modules/concelier/operations/lnm-cache-plan.md`, expose read-through on `/v1/lnm/linksets`, add metrics `lnm.cache.*`, and cover with deterministic tests. |
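Review bot: rows 5 through 10 and row 12 flip to `DONE` without the completion date that rows 3, 4 and 11 carry (`DONE (2025-12-06)`); use the dated form throughout so the tracker stays auditable. Row 5's note says a `POST /bundles/{id}/import` endpoint was added, while the task definition requires the timeline event to record the actor; the note (or the execution log) should state that the actor is taken from the authenticated caller rather than the request body, and which scope gates the endpoint.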
@@ -50,6 +50,10 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-06 | CONCELIER-WEB-OAS-62-001 DONE: Created curated API documentation - `lnm-linksets.md`, `observations.md`, `conflicts.md` in `docs/modules/concelier/api/`. Updated OpenAPI spec to v1.0.0 with comprehensive examples (single-linkset, with-conflicts scenarios), error envelope schema, and detailed descriptions. Synced spec to docs mirror. Unblocks 63-001. | Implementer |
| 2025-12-06 | CONCELIER-WEB-AOC-19-007 DONE: Created `AocVerifyRegressionTests.cs` with comprehensive regression tests covering ERR_AOC_001 for all forbidden fields (severity, cvss, cvss_vector, merged_from, consensus_provider, reachability, asset_criticality, risk_score), ERR_AOC_006 for derived fields (effective_status, effective_range, effective_severity, effective_cvss), ERR_AOC_007 for unknown fields, plus consistency and parity tests. | Implementer |
| 2025-12-06 | CONCELIER-WEB-AIRGAP-57-001 DONE: Created `AirGapEgressBlockedPayload.cs` with structured payload including `AirGapRemediationGuidance` (steps, configuration hints, documentation links). Updated `SealedModeViolationException` to include payload with remediation. Added `EgressBlocked` factory method in `ConcelierProblemResultFactory.cs`. Unblocks 58-001. | Implementer |
| 2025-12-06 | CONCELIER-WEB-AIRGAP-56-002 DONE: Created `AirGapMetadataContracts.cs` with `StalenessMetadata`, `BundleProvenanceMetadata`, and `DataFreshnessInfo` records. Added optional `Freshness` field to `LnmLinksetResponse` and `AdvisoryObservationQueryResponse`. Updated `ToLnmResponse` helper to accept freshness parameter. Unblocks 57-001. | Implementer |
| 2025-12-06 | CONCELIER-WEB-OAS-61-002 DONE: Created `ErrorCodes.cs` with machine-readable codes, `ErrorEnvelopeContracts.cs` with hybrid RFC 7807 + structured error format, `ConcelierProblemResultFactory.cs` with factory methods. Migrated all `Results.BadRequest()`/`Results.NotFound()` calls in Program.cs, MirrorEndpointExtensions.cs, and AirGapEndpointExtensions.cs to use standardized error responses with error codes and traceIds. | Implementer |
| 2025-12-06 | CONCELIER-WEB-AIRGAP-56-001 DONE: Implemented AirGap infrastructure - `AirGapOptions.cs` (config), `IBundleSourceRegistry`/`BundleSourceRegistry` (source management), `IBundleCatalogService`/`BundleCatalogService` (catalog aggregation with caching), `ISealedModeEnforcer`/`SealedModeEnforcer` (sealed-mode violation tracking), models (`BundleSourceInfo`, `BundleCatalogEntry`, `AggregatedCatalog`, `SealedModeStatus`), `AirGapServiceCollectionExtensions.cs` (DI), and `AirGapEndpointExtensions.cs` (REST API at `/api/v1/concelier/airgap/*`). | Implementer |
| 2025-12-06 | WEB-AOC-19-002 DONE: Implemented `IAdvisorySchemaValidator` interface and `AdvisorySchemaValidator` class for granular AOC validation (ValidateSchema, ValidateForbiddenFields, ValidateDerivedFields, ValidateAllowedFields, ValidateMergeAttempt). Registered in DI via `AocServiceCollectionExtensions.cs`. Created comprehensive test suite `AdvisorySchemaValidatorTests.cs` covering ERR_AOC_001/002/006/007. Unblocks tasks 6-10 (AOC regression chain). | Implementer |
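Review bot: the Execution Log gains entries for 62-001, 19-007, 57-001, 56-002, 61-002, 56-001 and 19-002, but none for 58-001, 19-003, 19-004, 19-005 or 19-006, which the tracker in this same change marks `DONE`; add a dated entry per completed task. For the 61-002 entry it would help to record that the RFC 7807 `detail` field carries only the error code and remediation text, not exception messages or stack traces, since the envelope now replaces every `Results.BadRequest()`/`Results.NotFound()` site in Program.cs, MirrorEndpointExtensions.cs and AirGapEndpointExtensions.cs.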
@@ -71,6 +75,6 @@
- Linkset cache (CONCELIER-AIAI-31-002): Postgres backend + migration shipped; remaining risk is wiring WebService to use it (DI + read-through) and adding `lnm.cache.*` metrics to avoid cache skew.
## Next Checkpoints
- Wave B (AirGap): 56-002 (staleness metadata) ready to start; then 57-001, 58-001 sequentially.
- Wave B (AirGap): 56-001, 56-002, 57-001 DONE; 58-001 (timeline events) ready to start.
- Wave C (AOC regression): Tasks 6/8/9/10 unblocked and ready; execute in parallel.
- Wave D (OAS alignment): 62-001 (examples) unblocked; then 63-001 (deprecation headers).
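Review bot: the Next Checkpoints block is stale against the tracker updated in this same change: the Wave B line ends with `58-001 (timeline events) ready to start` although row 5 is `DONE`, Wave C lists tasks 6/8/9/10 as `unblocked and ready` although rows 6 through 10 are `DONE`, and Wave D still shows 62-001 as pending. Replace these with the items that are actually open in the tracker (63-001 deprecation headers, AIAI-31-002 cache wiring and `lnm.cache.*` metrics).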


@@ -35,11 +35,11 @@
| P1 | PREP-LEDGER-RISK-68-001-AWAIT-UNBLOCK-OF-67-0 | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Findings Ledger Guild · Export Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild · Export Guild / `src/Findings/StellaOps.Findings.Ledger` | Await unblock of 67-001 + Export Center contract for scored findings. <br><br> Document artefact/deliverable for LEDGER-RISK-68-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/findings-ledger/prep/2025-11-20-ledger-risk-prep.md`. |
| P2 | PREP-LEDGER-RISK-69-001-REQUIRES-67-001-68-00 | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Findings Ledger Guild · Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild · Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Requires 67-001/68-001 to define metrics dimensions. <br><br> Document artefact/deliverable for LEDGER-RISK-69-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/findings-ledger/prep/2025-11-20-ledger-risk-prep.md`. |
| P3 | PREP-LEDGER-TEN-48-001-NEEDS-PLATFORM-APPROVE | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Needs platform-approved partitioning + RLS policy (tenant/project shape, session variables). <br><br> Document artefact/deliverable for LEDGER-TEN-48-001 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/findings-ledger/prep/2025-11-20-ledger-risk-prep.md`. |
| 1 | LEDGER-RISK-67-001 | TODO | Unblocked by [CONTRACT-RISK-SCORING-002](../contracts/risk-scoring.md); scoring schema available. | Findings Ledger Guild · Risk Engine Guild / `src/Findings/StellaOps.Findings.Ledger` | Expose query APIs for scored findings with score/severity filters, pagination, and explainability links |
| 2 | LEDGER-RISK-68-001 | TODO | Unblocked; can proceed after 67-001 with [CONTRACT-EXPORT-BUNDLE-009](../contracts/export-bundle.md). | Findings Ledger Guild · Export Guild / `src/Findings/StellaOps.Findings.Ledger` | Enable export of scored findings and simulation results via Export Center integration |
| 3 | LEDGER-RISK-69-001 | TODO | Unblocked; can proceed after 67-001/68-001. | Findings Ledger Guild · Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit metrics/dashboards for scoring latency, result freshness, severity distribution, provider gaps |
| 4 | LEDGER-TEN-48-001-DEV | TODO | Unblocked by [CONTRACT-FINDINGS-LEDGER-RLS-011](../contracts/findings-ledger-rls.md); RLS pattern defined based on Evidence Locker. | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Partition ledger tables by tenant/project, enable RLS, update queries/events, and stamp audit metadata |
| 4b | DEVOPS-LEDGER-TEN-48-001-REL | TODO | Unblocked; can proceed after task 4 with migration templates from contract. | DevOps Guild | Apply RLS/partition migrations in release pipelines; publish manifests/offline-kit artefacts. |
| 1 | LEDGER-RISK-67-001 | DONE | Implemented ScoredFindingsQueryService with filters, pagination, explainability. | Findings Ledger Guild · Risk Engine Guild / `src/Findings/StellaOps.Findings.Ledger` | Expose query APIs for scored findings with score/severity filters, pagination, and explainability links |
| 2 | LEDGER-RISK-68-001 | DONE | Implemented ScoredFindingsExportService with JSON/NDJSON/CSV export. | Findings Ledger Guild · Export Guild / `src/Findings/StellaOps.Findings.Ledger` | Enable export of scored findings and simulation results via Export Center integration |
| 3 | LEDGER-RISK-69-001 | DONE | Implemented ScoringMetricsService + LedgerMetrics scoring gauges. | Findings Ledger Guild · Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit metrics/dashboards for scoring latency, result freshness, severity distribution, provider gaps |
| 4 | LEDGER-TEN-48-001-DEV | DONE | Created 007_enable_rls.sql migration + RlsValidationService. | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Partition ledger tables by tenant/project, enable RLS, update queries/events, and stamp audit metadata |
| 4b | DEVOPS-LEDGER-TEN-48-001-REL | TODO | Unblocked; migration ready at migrations/007_enable_rls.sql. | DevOps Guild | Apply RLS/partition migrations in release pipelines; publish manifests/offline-kit artefacts. |
## Execution Log
| Date (UTC) | Update | Owner |
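Review bot: rows 1 through 4 go to `DONE` without dates, unlike the prep rows P1 through P3 (`DONE (2025-11-22)`); add the completion date. Row 4 summarises LEDGER-TEN-48-001-DEV as `007_enable_rls.sql` plus `RlsValidationService`, but the task definition also covers partitioning, query/event updates and audit-metadata stamping; say whether those landed or split the remainder into a follow-up row. Since P3 records that the RLS policy depends on session variables, the 4b next step should require `RlsValidationService` to run against the migrated schema in the release pipeline (policies present on every partition, tenant variables required rather than defaulted) before manifests and offline-kit artefacts are published.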


@@ -71,6 +71,7 @@
| 2025-12-05 | UI-POLICY-23-004 DONE: Added readiness checklist controls, scope scheduling card with persisted window, comment thread, and two-person badge polish in Policy Approvals view; updated PolicyApiService models/endpoints and tests. Attempted `ng test --include policy-approvals.component.spec.ts` but Angular CLI failed with missing rxjs util module (`./util/arrRemove`). | Implementer |
| 2025-12-05 | Cleaned `node_modules` and reran `npm ci`; targeted `ng test --include policy-approvals.component.spec.ts` now compiles but ChromeHeadless cannot start (missing `libnss3.so` in Playwright chromium env). | Implementer |
| 2025-12-05 | Attempted `npx playwright install-deps chromium` to pull runtime libs; aborted because sudo password required in sandbox. Tests remain blocked on `libnss3.so`. | Implementer |
| 2025-12-05 | (Local env note) Prior attempt: portable NSS copied to `.deps/usr/lib/x86_64-linux-gnu`; headless launch still failed (missing system libs). Tests remain BLOCKED locally; proceed via CI. | Implementer |
| 2025-12-05 | Rebuilt node_modules via `npm ci` (restored missing rxjs util); reran targeted `ng test --include policy-approvals.component.spec.ts`. Test run blocked by pre-existing TS errors in console status client, vulnerability HTTP client/specs, Monaco completions (missing range), jsPDF missing types, and sample JSON imports; analytics prompt answered `N` (disabled). | Implementer |
| 2025-12-05 | UI-POLICY-20-002 DOING: Added Policy Simulation route `/policy-studio/packs/:packId/simulate`, simulation form, deterministic diff sorting, and findings table; wired to PolicyApiService simulate API. | Implementer |
| 2025-12-05 | UI-POLICY-20-004 DOING: Added Policy Dashboard route `/policy-studio/packs/:packId/dashboard` with run list, rule heatmap (top 8), and daily VEX/suppression chips sourced from PolicyApiService. | Implementer |
@@ -88,6 +89,13 @@
| 2025-12-05 | UI-POLICY-20-001 DOING: Added Monaco loader service with offline workers, PolicyEditor component with DSL highlighting, lint marker wiring, compliance checklist, and route `/policy-studio/packs/:packId/editor`; imported Monaco styles globally. | Implementer |
| 2025-12-05 | UI-POLICY-20-001 housekeeping: disposed Monaco change subscription via TeardownLogic and fixed policy fixtures (`quiet` flag) to clear `tsconfig.spec` compilation errors. | Implementer |
| 2025-12-05 | TypeScript spec compile now clean after Monaco teardown fix and fixture update (`npx tsc -p tsconfig.spec.json --noEmit`). | Implementer |
| 2025-12-05 | Attempted targeted Karma runs for approvals/dashboard specs in ChromeHeadless; runs stalled without errors before manual stop. Needs rerun with longer headroom on CI to confirm pass. | Implementer |
| 2025-12-05 | Retried headless Karma for approvals+dashboard; process stalled again without surfacing errors before manual stop. CI rerun required with more generous timeout/log capture. | Implementer |
| 2025-12-05 | Additional single-spec run (approvals) in ChromeHeadless also stalled silently; no failures surfaced before manual stop. Treat as pending CI execution. | Implementer |
| 2025-12-05 | Third attempt with extended timeout flag failed (`Unknown argument: test-timeout`); need CI run with supported Angular/Karma flags (e.g., `--browsers=ChromeHeadless --progress=true --include …`) and longer wall time. | Implementer |
| 2025-12-06 | Headless run with Playwright Chrome failed to launch: `libnss3.so` missing on runner; Chromium fails to start even after custom CHROME_BIN. Local test execution BLOCKED; CI with system Chrome/dep install required. | Implementer |
| 2025-12-06 | Refactored approvals spec setup to `waitForAsync` (removed stray `tick`), trimmed optional submission fields to `undefined`, and reran targeted suite with Playwright Chromium + `.deps` NSS libs (`CHROME_BIN=$HOME/.cache/ms-playwright/chromium-1140/chrome-linux/chrome` and `LD_LIBRARY_PATH=$PWD/.deps/usr/lib/x86_64-linux-gnu`); approvals suite now PASS (5/5). | Implementer |
| 2025-12-06 | Fixed Policy Dashboard `aria-busy` binding to `[attr.aria-busy]` and reran targeted Karma suite with Playwright Chromium + `.deps` NSS libs (`./node_modules/.bin/ng test --watch=false --browsers=ChromeHeadlessOffline --include src/app/features/policy-studio/dashboard/policy-dashboard.component.spec.ts`); dashboard suite now PASS (2/2). | Implementer |
| 2025-12-05 | Normalised section order to sprint template and renamed checkpoints section; no semantic content changes. | Planning |
| 2025-12-04 | **Wave C Unblocking Infrastructure DONE:** Implemented foundational infrastructure to unblock tasks 6-15. (1) Added 11 Policy Studio scopes to `scopes.ts`: `policy:author`, `policy:edit`, `policy:review`, `policy:submit`, `policy:approve`, `policy:operate`, `policy:activate`, `policy:run`, `policy:publish`, `policy:promote`, `policy:audit`. (2) Added 6 Policy scope groups to `scopes.ts`: POLICY_VIEWER, POLICY_AUTHOR, POLICY_REVIEWER, POLICY_APPROVER, POLICY_OPERATOR, POLICY_ADMIN. (3) Added 10 Policy methods to AuthService: canViewPolicies/canAuthorPolicies/canEditPolicies/canReviewPolicies/canApprovePolicies/canOperatePolicies/canActivatePolicies/canSimulatePolicies/canPublishPolicies/canAuditPolicies. (4) Added 7 Policy guards to `auth.guard.ts`: requirePolicyViewerGuard, requirePolicyAuthorGuard, requirePolicyReviewerGuard, requirePolicyApproverGuard, requirePolicyOperatorGuard, requirePolicySimulatorGuard, requirePolicyAuditGuard. (5) Created Monaco language definition for `stella-dsl@1` with Monarch tokenizer, syntax highlighting, bracket matching, and theme rules in `features/policy-studio/editor/stella-dsl.language.ts`. (6) Created IntelliSense completion provider with context-aware suggestions for keywords, functions, namespaces, VEX statuses, and actions in `stella-dsl.completions.ts`. (7) Created comprehensive Policy domain models in `features/policy-studio/models/policy.models.ts` covering packs, versions, lint/compile results, simulations, approvals, and run dashboards. (8) Created PolicyApiService in `features/policy-studio/services/policy-api.service.ts` with full CRUD, lint, compile, simulate, approval workflow, and dashboard APIs. Tasks 6-15 are now unblocked for implementation. | Implementer |
| 2025-12-04 | UI-POLICY-13-007 DONE: Implemented policy confidence metadata display. Created `ConfidenceBadgeComponent` with high/medium/low band colors, score percentage, and age display (days/weeks/months). Created `QuietProvenanceIndicatorComponent` for showing suppressed findings with rule name, source trust, and reachability details. Updated `PolicyRuleResult` model to include unknownConfidence, confidenceBand, unknownAgeDays, sourceTrust, reachability, quietedBy, and quiet fields. Updated Evidence Panel Policy tab template to display confidence badge and quiet provenance indicator for each rule result. Wave C task 5 complete. | Implementer |
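Review bot: the three 2025-12-06 entries are inserted between 2025-12-05 entries, with a further 2025-12-05 entry and the 2025-12-04 entries following them; keep the log in one chronological direction. The workaround those entries describe (Playwright Chromium plus NSS libraries sideloaded under `.deps` through `LD_LIBRARY_PATH`) should be marked as a local-only expedient: confirm `.deps` is ignored by git and not picked up by build artefacts, and state where the `ChromeHeadlessOffline` launcher is defined so CI can install `libnss3` from the distribution instead of relying on the copied libraries.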
@@ -103,6 +111,7 @@
| ~~VEX schema changes post-sprint 0215~~ | ~~Rework of tasks 23~~ | ✅ MITIGATED: VEX tab implemented, schema stable | UI Guild · VEX lead |
| ~~`orch:read` scope contract slips~~ | ~~Task 4 blocked~~ | ✅ MITIGATED: Scopes/guards implemented | UI Guild · Console Guild |
| ~~Policy DSL/simulator API churn~~ | ~~Tasks 615 blocked~~ | ✅ MITIGATED: Monaco language def, RBAC scopes/guards, API client, models created (2025-12-05) | UI Guild · Policy Guild |
| Karma headless runs for approvals/dashboard previously incomplete | ✅ MITIGATED: approvals (5/5) and dashboard (2/2) now pass locally with Playwright Chromium + `.deps` NSS libs; still advise CI re-run for broader coverage | Rerun same command set in CI for confirmation and for any additional specs beyond targeted ones. | UI Guild |
## Next Checkpoints
- None scheduled; add dates once UI Guild sets Wave A/B/C reviews.
- Schedule: rerun targeted Karma suites for approvals/dashboard in CI; log outcomes.
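Review bot: the new risk row (`Karma headless runs for approvals/dashboard previously incomplete`) has its columns shifted: the `✅ MITIGATED ...` text sits in the Impact column and the Mitigation column holds the CI rerun instruction, whereas the rows above keep Risk | Impact | Mitigation | Owner. Move the mitigation text one column right and fill in the Impact (approvals/dashboard regressions going undetected). Under Next Checkpoints, `None scheduled` now contradicts the `Schedule: rerun targeted Karma suites` bullet added directly below it; drop the first bullet.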


@@ -4,7 +4,7 @@
- Phase III UI uplift focusing on Policy Studio RBAC updates and reachability-first experiences across Vulnerability Explorer, Why drawer, SBOM Graph, and the new Reachability Center.
- Surface reachability evidence (columns, badges, call paths, timelines, halos) and align Console policy workspace with scopes `policy:author/review/approve/operate/audit/simulate`.
- Active items only; completed/historic work live in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
- **Working directory:** `src/UI/StellaOps.UI`.
- **Working directory:** `src/Web/StellaOps.Web`.
- Continues UI stream after `SPRINT_0210_0001_0002_ui_ii.md` (UI II).
## Dependencies & Concurrency
@@ -30,11 +30,11 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | UI-POLICY-27-001 | TODO | UI-POLICY-23-006 results; scope strings finalised | UI Guild; Product Ops (src/UI/StellaOps.UI) | Update Console policy workspace RBAC guards, scope requests, and user messaging to reflect the new Policy Studio roles/scopes (`policy:author/review/approve/operate/audit/simulate`), including Cypress auth stubs and help text. |
| 2 | UI-SIG-26-001 | TODO | Reachability columns spec + signals feed schema | UI Guild; Signals Guild (src/UI/StellaOps.UI) | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. |
| 3 | UI-SIG-26-002 | TODO | 2; call path data availability | UI Guild (src/UI/StellaOps.UI) | Enhance “Why” drawer with call path visualization, reachability timeline, and evidence list. |
| 4 | UI-SIG-26-003 | TODO | 3; overlay state/legend finalized | UI Guild (src/UI/StellaOps.UI) | Add reachability overlay halos/time slider to SBOM Graph along with state legend. |
| 5 | UI-SIG-26-004 | TODO | 4; coverage metrics stitched | UI Guild (src/UI/StellaOps.UI) | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. |
| 1 | UI-POLICY-27-001 | TODO | Path corrected; work in `src/Web/StellaOps.Web` using existing Policy Studio scopes | UI Guild; Product Ops (src/Web/StellaOps.Web) | Update Console policy workspace RBAC guards, scope requests, and user messaging to reflect the new Policy Studio roles/scopes (`policy:author/review/approve/operate/audit/simulate`), including Cypress auth stubs and help text. |
| 2 | UI-SIG-26-001 | TODO | Path corrected; work in `src/Web/StellaOps.Web`; needs reachability fixtures | UI Guild; Signals Guild (src/Web/StellaOps.Web) | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. |
| 3 | UI-SIG-26-002 | TODO | Depends on 2; path corrected to `src/Web/StellaOps.Web` | UI Guild (src/Web/StellaOps.Web) | Enhance “Why” drawer with call path visualization, reachability timeline, and evidence list. |
| 4 | UI-SIG-26-003 | TODO | Depends on 3; path corrected to `src/Web/StellaOps.Web` | UI Guild (src/Web/StellaOps.Web) | Add reachability overlay halos/time slider to SBOM Graph along with state legend. |
| 5 | UI-SIG-26-004 | TODO | Depends on 4; path corrected to `src/Web/StellaOps.Web` | UI Guild (src/Web/StellaOps.Web) | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. |
## Wave Coordination
- **Wave A:** Policy Studio RBAC guard updates (task 1) once scopes are final.
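Review bot: the rewritten rows replace every `Key dependency / next step` with `Path corrected; ...`, dropping the real dependencies the previous rows recorded (UI-POLICY-23-006 results and scope finalisation for task 1, the signals feed schema for task 2, call path data for task 3, the overlay legend for task 4, coverage metrics for task 5). The path change is already recorded in the Execution Log; keep the dependency text in the rows and update only the owner path. Note that Wave A below still says task 1 waits for final scopes, which the table no longer states.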
@@ -58,6 +58,7 @@
| 1 | Confirm final Policy Studio scopes and RBAC copy with Policy Engine owners. | UI Guild · Policy Guild | 2025-12-03 | TODO |
| 2 | Deliver reachability evidence fixture (columns, call paths, overlays) for SIG-26 chain. | Signals Guild | 2025-12-04 | TODO |
| 3 | Define SBOM Graph overlay performance budget (FPS target, node count, halo rendering limits). | UI Guild | 2025-12-05 | TODO |
| 4 | Align UI III work to `src/Web/StellaOps.Web` (canonical Angular workspace); ensure reachability fixtures available. | DevEx · UI Guild | 2025-12-06 | TODO |
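Review bot: action item 4 is due 2025-12-06 and left `TODO`, but the Execution Log in this same change records the `src/Web/StellaOps.Web` correction as completed on 2025-12-06; mark the path half `DONE` and keep only the reachability-fixtures half open, or split it into two items, given that item 2 already tracks fixture delivery by the Signals Guild.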
## Decisions & Risks
| Risk | Impact | Mitigation | Owner / Signal |
@@ -65,8 +66,10 @@
| Policy scope strings change late | Rework of RBAC guards, auth stubs, and messaging (task 1) | Freeze scope list before Cypress fixtures; keep feature flag until policy contract stable. | UI Guild · Policy Guild |
| Reachability evidence incomplete or non-deterministic | Tasks 25 blocked or produce noisy UI | Require deterministic fixtures from Signals/Graph; stage behind feature flag and contract tests. | Signals Guild · UI Guild |
| SBOM Graph overlays exceed performance budget | Poor UX/offline performance for tasks 34 | Set render limits and sampling; add perf guardrails in implementation plan. | UI Guild |
| Reachability fixtures availability | Tasks 25 depend on deterministic SIG-26 evidence | Coordinate with Signals/Graph guilds to deliver stable fixtures before UI merge. | Signals Guild · UI Guild |
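Review bot: the added risk `Reachability fixtures availability` duplicates the existing `Reachability evidence incomplete or non-deterministic` row two lines above (same tasks, same mitigation of deterministic fixtures from Signals/Graph, same owners); fold the coordination wording into the existing row rather than adding a second one. As rendered, the task ranges read `Tasks 25` and `tasks 34`; check that the range separator (2 to 5, 3 to 4) survives in the source file.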
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalised sprint to standard template and renamed file from `SPRINT_211_ui_iii.md` to `SPRINT_0211_0001_0003_ui_iii.md`; no task status changes. | Planning |
| 2025-12-06 | Corrected working directory to `src/Web/StellaOps.Web`; unblocked Delivery Tracker items accordingly. Reachability fixtures still required. | Implementer |
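Review bot: the 2025-12-06 entry says the Delivery Tracker items were `unblocked ... accordingly`, but all five rows remain `TODO` and no blocker status changed; state what actually changed (owner paths and next-step text) so the log matches the table, and name the remaining blocker (reachability fixtures) against the rows it affects.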


@@ -3,7 +3,7 @@
## Topic & Scope
- Implement vulnerability triage workspace with VEX-first decisioning UX aligned with industry patterns (Snyk, GitLab, Harbor/Trivy, Anchore).
- Build evidence-first finding cards, VEX modal, attestation views, and audit bundle export.
- **Working directory:** `src/UI/StellaOps.UI`
- **Working directory:** `src/Web/StellaOps.Web`
## Dependencies & Concurrency
- Upstream sprints: SPRINT_0209_0001_0001_ui_i (UI I), SPRINT_0210_0001_0002_ui_ii (UI II - VEX tab).
@@ -28,30 +28,30 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | UI-TRIAGE-01-001 | BLOCKED | UI workspace missing (src/UI/StellaOps.UI has no Angular project files) | UI Guild (src/UI/StellaOps.UI) | Create Artifacts List view with columns: Artifact, Type, Environment(s), Open/Total vulns, Max severity, Attestations badge, Last scan. Include sorting, filtering, and "View vulnerabilities" primary action. |
| 2 | UI-TRIAGE-01-002 | TODO | UI-TRIAGE-01-001 | UI Guild (src/UI/StellaOps.UI) | Build Vulnerability Workspace split layout: left panel with finding cards (CVE, package, severity, path), right panel with Explainability tabs (Overview, Reachability, Policy, Attestations). |
| 3 | UI-TRIAGE-01-003 | TODO | UI-TRIAGE-01-002 | UI Guild (src/UI/StellaOps.UI) | Implement evidence-first Finding Card component with severity badge, package info, location path, and primary actions (Fix PR, VEX, Attach Evidence). Include `New`, `VEX: Not affected`, `Policy: blocked` badges. |
| 4 | UI-TRIAGE-01-004 | TODO | UI-TRIAGE-01-003 | UI Guild (src/UI/StellaOps.UI) | Build Explainability Panel Overview tab: title, severity, package/version, scanner+DB date, finding history timeline, current VEX decision summary. |
| 5 | UI-TRIAGE-01-005 | TODO | UI-TRIAGE-01-004 | UI Guild (src/UI/StellaOps.UI) | Build Explainability Panel Reachability tab: call path visualization, module list, runtime usage indicators (when available from scanner). |
| 6 | UI-TRIAGE-01-006 | TODO | UI-TRIAGE-01-004 | UI Guild (src/UI/StellaOps.UI) | Build Explainability Panel Policy tab: policy evaluation result, gate details with "this gate failed because..." explanation, links to gate definitions. |
| 7 | UI-TRIAGE-01-007 | TODO | UI-TRIAGE-01-004 | UI Guild (src/UI/StellaOps.UI) | Build Explainability Panel Attestations tab: list attestations mentioning artifact/vulnerabilityId/scan with type, subject, predicate, signer, verified badge. |
| 8 | UI-VEX-02-001 | TODO | UI-TRIAGE-01-003 | UI Guild; Excititor Guild (src/UI/StellaOps.UI) | Create VEX Modal component with status radio buttons (Not Affected, Affected-mitigated, Affected-unmitigated, Fixed), justification type select, justification text area. |
| 9 | UI-VEX-02-002 | TODO | UI-VEX-02-001 | UI Guild (src/UI/StellaOps.UI) | Add VEX Modal scope section: environments multi-select, projects multi-select with clear scope preview. |
| 10 | UI-VEX-02-003 | TODO | UI-VEX-02-002 | UI Guild (src/UI/StellaOps.UI) | Add VEX Modal validity section: notBefore date (default now), notAfter date with expiry recommendations and warnings for long durations. |
| 11 | UI-VEX-02-004 | TODO | UI-VEX-02-003 | UI Guild (src/UI/StellaOps.UI) | Add VEX Modal evidence section: add links (PR, ticket, doc, commit), attach attestation picker, evidence preview list with remove action. |
| 12 | UI-VEX-02-005 | TODO | UI-VEX-02-004 | UI Guild (src/UI/StellaOps.UI) | Add VEX Modal review section: summary preview of VEX statement to be created, "Will generate signed attestation" indicator, View raw JSON toggle for power users. |
| 13 | UI-VEX-02-006 | TODO | UI-VEX-02-005 | UI Guild (src/UI/StellaOps.UI) | Wire VEX Modal to backend: POST /vex-decisions on save, handle success/error states, update finding card VEX badge on completion. |
| 14 | UI-VEX-02-007 | TODO | UI-VEX-02-006 | UI Guild (src/UI/StellaOps.UI) | Add bulk VEX action: multi-select findings from list, open VEX modal with bulk context, apply decision to all selected findings. |
| 15 | UI-ATT-03-001 | TODO | UI-TRIAGE-01-007 | UI Guild; Attestor Guild (src/UI/StellaOps.UI) | Create Attestations View per artifact: table with Type, Subject, Predicate type, Scanner/policy engine, Signer (keyId + trusted badge), Created at, Verified status. |
| 16 | UI-ATT-03-002 | TODO | UI-ATT-03-001 | UI Guild (src/UI/StellaOps.UI) | Build Attestation Detail modal: header (statement id, subject, signer), predicate preview (vuln scan counts, SBOM bomRef, VEX decision status), verify command snippet. |
| 17 | UI-ATT-03-003 | TODO | UI-ATT-03-002 | UI Guild (src/UI/StellaOps.UI) | Add "Signed evidence" pill to finding cards: clicking opens attestation detail modal, shows human-readable JSON view. |
| 18 | UI-GATE-04-001 | TODO | UI-TRIAGE-01-006 | UI Guild; Policy Guild (src/UI/StellaOps.UI) | Create Policy & Gating View: matrix of gates vs subject types (CI Build, Registry Admission, Runtime Admission), rule descriptions, last evaluation stats. |
| 19 | UI-GATE-04-002 | TODO | UI-GATE-04-001 | UI Guild (src/UI/StellaOps.UI) | Add gate drill-down: recent evaluations list, artifact links, policy attestation links, condition failure explanations. |
| 20 | UI-GATE-04-003 | TODO | UI-GATE-04-002 | UI Guild (src/UI/StellaOps.UI) | Add "Ready to deploy" badge on artifact cards when all gates pass and required attestations verified. |
| 21 | UI-AUDIT-05-001 | TODO | UI-TRIAGE-01-001 | UI Guild; Export Center Guild (src/UI/StellaOps.UI) | Create "Create immutable audit bundle" button on Artifact page, Pipeline run detail, and Policy evaluation detail views. |
| 22 | UI-AUDIT-05-002 | TODO | UI-AUDIT-05-001 | UI Guild (src/UI/StellaOps.UI) | Build Audit Bundle creation wizard: subject artifact+digest selection, time window picker, content checklist (Vuln reports, SBOM, VEX, Policy evals, Attestations). |
| 23 | UI-AUDIT-05-003 | TODO | UI-AUDIT-05-002 | UI Guild (src/UI/StellaOps.UI) | Wire audit bundle creation to POST /audit-bundles, show progress, display bundle ID, hash, download button, and OCI reference on completion. |
| 24 | UI-AUDIT-05-004 | TODO | UI-AUDIT-05-003 | UI Guild (src/UI/StellaOps.UI) | Add audit bundle history view: list previously created bundles with bundleId, createdAt, subject, download/view actions. |
| 1 | UI-TRIAGE-01-001 | TODO | Path corrected; work in `src/Web/StellaOps.Web` | UI Guild (src/Web/StellaOps.Web) | Create Artifacts List view with columns: Artifact, Type, Environment(s), Open/Total vulns, Max severity, Attestations badge, Last scan. Include sorting, filtering, and "View vulnerabilities" primary action. |
| 2 | UI-TRIAGE-01-002 | TODO | Depends on task 1 | UI Guild (src/Web/StellaOps.Web) | Build Vulnerability Workspace split layout: left panel with finding cards (CVE, package, severity, path), right panel with Explainability tabs (Overview, Reachability, Policy, Attestations). |
| 3 | UI-TRIAGE-01-003 | TODO | Depends on task 2 | UI Guild (src/Web/StellaOps.Web) | Implement evidence-first Finding Card component with severity badge, package info, location path, and primary actions (Fix PR, VEX, Attach Evidence). Include `New`, `VEX: Not affected`, `Policy: blocked` badges. |
| 4 | UI-TRIAGE-01-004 | TODO | Depends on task 3 | UI Guild (src/Web/StellaOps.Web) | Build Explainability Panel Overview tab: title, severity, package/version, scanner+DB date, finding history timeline, current VEX decision summary. |
| 5 | UI-TRIAGE-01-005 | TODO | Depends on task 4 | UI Guild (src/Web/StellaOps.Web) | Build Explainability Panel Reachability tab: call path visualization, module list, runtime usage indicators (when available from scanner). |
| 6 | UI-TRIAGE-01-006 | TODO | Depends on task 4 | UI Guild (src/Web/StellaOps.Web) | Build Explainability Panel Policy tab: policy evaluation result, gate details with "this gate failed because..." explanation, links to gate definitions. |
| 7 | UI-TRIAGE-01-007 | TODO | Depends on task 4 | UI Guild (src/Web/StellaOps.Web) | Build Explainability Panel Attestations tab: list attestations mentioning artifact/vulnerabilityId/scan with type, subject, predicate, signer, verified badge. |
| 8 | UI-VEX-02-001 | TODO | Depends on task 3 | UI Guild; Excititor Guild (src/Web/StellaOps.Web) | Create VEX Modal component with status radio buttons (Not Affected, Affected-mitigated, Affected-unmitigated, Fixed), justification type select, justification text area. |
| 9 | UI-VEX-02-002 | TODO | Depends on task 8 | UI Guild (src/Web/StellaOps.Web) | Add VEX Modal scope section: environments multi-select, projects multi-select with clear scope preview. |
| 10 | UI-VEX-02-003 | TODO | Depends on task 9 | UI Guild (src/Web/StellaOps.Web) | Add VEX Modal validity section: notBefore date (default now), notAfter date with expiry recommendations and warnings for long durations. |
| 11 | UI-VEX-02-004 | TODO | Depends on task 10 | UI Guild (src/Web/StellaOps.Web) | Add VEX Modal evidence section: add links (PR, ticket, doc, commit), attach attestation picker, evidence preview list with remove action. |
| 12 | UI-VEX-02-005 | TODO | Depends on task 11 | UI Guild (src/Web/StellaOps.Web) | Add VEX Modal review section: summary preview of VEX statement to be created, "Will generate signed attestation" indicator, View raw JSON toggle for power users. |
| 13 | UI-VEX-02-006 | TODO | Depends on task 12 | UI Guild (src/Web/StellaOps.Web) | Wire VEX Modal to backend: POST /vex-decisions on save, handle success/error states, update finding card VEX badge on completion. |
| 14 | UI-VEX-02-007 | TODO | Depends on task 13 | UI Guild (src/Web/StellaOps.Web) | Add bulk VEX action: multi-select findings from list, open VEX modal with bulk context, apply decision to all selected findings. |
| 15 | UI-ATT-03-001 | TODO | Depends on task 7 | UI Guild; Attestor Guild (src/Web/StellaOps.Web) | Create Attestations View per artifact: table with Type, Subject, Predicate type, Scanner/policy engine, Signer (keyId + trusted badge), Created at, Verified status. |
| 16 | UI-ATT-03-002 | TODO | Depends on task 15 | UI Guild (src/Web/StellaOps.Web) | Build Attestation Detail modal: header (statement id, subject, signer), predicate preview (vuln scan counts, SBOM bomRef, VEX decision status), verify command snippet. |
| 17 | UI-ATT-03-003 | TODO | Depends on task 16 | UI Guild (src/Web/StellaOps.Web) | Add "Signed evidence" pill to finding cards: clicking opens attestation detail modal, shows human-readable JSON view. |
| 18 | UI-GATE-04-001 | TODO | Depends on task 6 | UI Guild; Policy Guild (src/Web/StellaOps.Web) | Create Policy & Gating View: matrix of gates vs subject types (CI Build, Registry Admission, Runtime Admission), rule descriptions, last evaluation stats. |
| 19 | UI-GATE-04-002 | TODO | Depends on task 18 | UI Guild (src/Web/StellaOps.Web) | Add gate drill-down: recent evaluations list, artifact links, policy attestation links, condition failure explanations. |
| 20 | UI-GATE-04-003 | TODO | Depends on task 19 | UI Guild (src/Web/StellaOps.Web) | Add "Ready to deploy" badge on artifact cards when all gates pass and required attestations verified. |
| 21 | UI-AUDIT-05-001 | TODO | Depends on task 1 | UI Guild; Export Center Guild (src/Web/StellaOps.Web) | Create "Create immutable audit bundle" button on Artifact page, Pipeline run detail, and Policy evaluation detail views. |
| 22 | UI-AUDIT-05-002 | TODO | Depends on task 21 | UI Guild; Export Center Guild (src/Web/StellaOps.Web) | Build Audit Bundle creation wizard: subject artifact+digest selection, time window picker, content checklist (Vuln reports, SBOM, VEX, Policy evals, Attestations). |
| 23 | UI-AUDIT-05-003 | TODO | Depends on task 22 | UI Guild; Export Center Guild (src/Web/StellaOps.Web) | Wire audit bundle creation to POST /audit-bundles, show progress, display bundle ID, hash, download button, and OCI reference on completion. |
| 24 | UI-AUDIT-05-004 | TODO | Depends on task 23 | UI Guild (src/Web/StellaOps.Web) | Add audit bundle history view: list previously created bundles with bundleId, createdAt, subject, download/view actions. |
| 25 | API-VEX-06-001 | TODO | - | API Guild (src/VulnExplorer) | Implement POST /v1/vex-decisions endpoint with VexDecisionDto request/response per schema, validation, attestation generation trigger. |
| 26 | API-VEX-06-002 | TODO | API-VEX-06-001 | API Guild (src/VulnExplorer) | Implement PATCH /v1/vex-decisions/{id} for updating existing decisions with supersedes tracking. |
| 27 | API-VEX-06-003 | TODO | API-VEX-06-002 | API Guild (src/VulnExplorer) | Implement GET /v1/vex-decisions with filters for vulnerabilityId, subject, status, scope, validFor. |
@@ -63,9 +63,9 @@
| 33 | DTO-09-001 | TODO | SCHEMA-08-001 | API Guild | Create VexDecisionDto, SubjectRefDto, EvidenceRefDto, VexScopeDto, ValidForDto C# DTOs per advisory. |
| 34 | DTO-09-002 | TODO | SCHEMA-08-002 | API Guild | Create VulnScanAttestationDto, AttestationSubjectDto, VulnScanPredicateDto C# DTOs per advisory. |
| 35 | DTO-09-003 | TODO | SCHEMA-08-003 | API Guild | Create AuditBundleIndexDto, BundleArtifactDto, BundleVexDecisionEntryDto C# DTOs per advisory. |
| 36 | TS-10-001 | BLOCKED | UI workspace missing; schemas not present locally | UI Guild | Create TypeScript interfaces for VexDecision, SubjectRef, EvidenceRef, VexScope, ValidFor per advisory. |
| 37 | TS-10-002 | BLOCKED | UI workspace missing; schemas not present locally | UI Guild | Create TypeScript interfaces for VulnScanAttestation, AttestationSubject, VulnScanPredicate per advisory. |
| 38 | TS-10-003 | BLOCKED | UI workspace missing; schemas not present locally | UI Guild | Create TypeScript interfaces for AuditBundleIndex, BundleArtifact, BundleVexDecisionEntry per advisory. |
| 36 | TS-10-001 | TODO | Schemas not present locally; path corrected to `src/Web/StellaOps.Web` | UI Guild (src/Web/StellaOps.Web) | Create TypeScript interfaces for VexDecision, SubjectRef, EvidenceRef, VexScope, ValidFor per advisory. |
| 37 | TS-10-002 | TODO | Schemas not present locally; path corrected to `src/Web/StellaOps.Web` | UI Guild (src/Web/StellaOps.Web) | Create TypeScript interfaces for VulnScanAttestation, AttestationSubject, VulnScanPredicate per advisory. |
| 38 | TS-10-003 | TODO | Schemas not present locally; path corrected to `src/Web/StellaOps.Web` | UI Guild (src/Web/StellaOps.Web) | Create TypeScript interfaces for AuditBundleIndex, BundleArtifact, BundleVexDecisionEntry per advisory. |
| 39 | DOC-11-001 | TODO | Product advisory doc sync | Docs Guild (docs/) | Update high-level positioning for VEX-first triage: refresh docs/key-features.md and docs/07_HIGH_LEVEL_ARCHITECTURE.md with UX/audit bundle narrative; link 28-Nov-2025 advisory. |
| 40 | DOC-11-002 | TODO | DOC-11-001 | Docs Guild; UI Guild | Update docs/modules/ui/architecture.md with triage workspace + VEX modal flows; add schema links and advisory cross-references. |
| 41 | DOC-11-003 | TODO | DOC-11-001 | Docs Guild; Vuln Explorer Guild; Export Center Guild | Update docs/modules/vuln-explorer/architecture.md and docs/modules/export-center/architecture.md with VEX decision/audit bundle API surfaces and schema references. |
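Review bot: TS-10-001..003 flip from BLOCKED to TODO, but the dependency column still records "Schemas not present locally", which was the second half of the original blocker; either keep them BLOCKED on schema publication or record the schema dependency explicitly the way rows 33-35 do (`SCHEMA-08-001`..`003`), so TODO is not read as ready-to-start.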
@@ -113,6 +113,7 @@
| 2 | Confirm attestation predicate types with Attestor team | API Guild | 2025-12-03 | TODO |
| 3 | Review audit bundle format with Export Center team | API Guild | 2025-12-04 | TODO |
| 4 | Accessibility review of VEX modal with Accessibility Guild | UI Guild | 2025-12-09 | TODO |
| 5 | Align UI work to canonical workspace `src/Web/StellaOps.Web`; ensure fixtures regenerated for triage/VEX components | DevEx · UI Guild | 2025-12-06 | TODO |
## Decisions & Risks
| Risk | Impact | Mitigation / Next Step |
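Review bot: action item 5 bundles an action this commit already records as completed (the workspace path alignment, per the 2025-12-06 execution-log entry) with one still open (fixture regeneration), yet carries status TODO and a due date of 2025-12-06, the date of the change itself; narrow the item to the fixture work, or split it, so that the status and due date are meaningful.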
@@ -122,7 +123,7 @@
| Export Center capacity | Audit bundle generation slow | Async generation with progress; queue management |
| Bulk VEX operations performance | UI-VEX-02-007 slow for large selections | Batch API endpoint; pagination; background processing |
| Advisory doc sync lag | Docs drift from UX/API decisions | Track DOC-11-* tasks; block release sign-off until docs updated |
| UI workspace absent | Blocks UI-TRIAGE-* and TS-10-* tasks | Restore Angular project under src/UI/StellaOps.UI or provide module path; rebaseline mocks |
| UI workspace path corrected | UI-TRIAGE-* and TS-10-* tasks proceed in `src/Web/StellaOps.Web`; fixtures still needed | Keep work in canonical workspace; regenerate deterministic fixtures before merge |
| VT gaps (VT1VT10) | Missing schemas/evidence linkage/determinism/a11y/offline parity could ship broken triage UX | Track TRIAGE-GAPS-215-042; publish schemas, enforce RBAC/tenant binding, redaction, deterministic ordering, offline triage-kit, attestation verification UX, and UX telemetry before release |
## Execution Log
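Review bot: the risk column now names a resolution ("UI workspace path corrected") rather than a risk; the residual risk, per the impact column, is the missing deterministic fixtures, so rename the row to something like "Triage/VEX fixtures not yet regenerated" and keep the mitigation text as written.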
@@ -134,6 +135,7 @@
| 2025-12-01 | Added TRIAGE-GAPS-215-042 to track VT1VT10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending schema publication and UI workspace bootstrap. | Project Mgmt |
| 2025-12-01 | Added UI-PROOF-VEX-0215-010 to address PVX1PVX10 proof-linked VEX UI gaps from `31-Nov-2025 FINDINGS.md`; status TODO pending API scope/caching/integrity rules and fixtures. | Project Mgmt |
| 2025-12-01 | Added TTE-GAPS-0215-011 to cover TTE1TTE10 Time-to-Evidence metric gaps from `31-Nov-2025 FINDINGS.md`; status TODO pending schema publication, SLO policy, and telemetry alignment. | Project Mgmt |
| 2025-12-06 | Corrected working directory to `src/Web/StellaOps.Web`; unblocked UI delivery tracker rows; fixtures still required. | Implementer |
---
*Sprint created: 2025-11-28*
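Review bot: the new log entry says "unblocked UI delivery tracker rows" without listing which rows changed; this commit flips TS-10-001..003 from BLOCKED to TODO and adds Export Center Guild as co-owner on UI-AUDIT-05-002/003, so enumerate those changes here so the log can be reconciled against the tracker.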

View File

@@ -23,7 +23,7 @@ Active items only. Completed/historic work lives in `docs/implplan/archived/task
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | OPS-COORD-190 | TODO | Aggregate wave checkpoints and propagate blockers into `SPRINT_0501``SPRINT_0508` Delivery Trackers. | Project PM (docs/implplan) | Maintain Ops & Offline coordination tracker; no artefacts beyond status/log updates. |
| 1 | OPS-COORD-190 | DONE (2025-12-06) | Aggregate wave checkpoints and propagate blockers into `SPRINT_0501``SPRINT_0508` Delivery Trackers. | Project PM (docs/implplan) | Maintain Ops & Offline coordination tracker; no artefacts beyond status/log updates. |
## Wave Coordination
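Review bot: OPS-COORD-190 is marked DONE while its task definition ("Maintain Ops & Offline coordination tracker") and its next-step column ("Aggregate wave checkpoints and propagate blockers...") both describe ongoing work; either replace the next-step text with a completion note (for example "Closed 2025-12-06; see wave snapshot log entry") or keep the row open, since a standing coordination task has no natural DONE state.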
@@ -39,6 +39,7 @@ Active items only. Completed/historic work lives in `docs/implplan/archived/task
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | Normalised sprint to standard template (added scope, dependencies, prereqs, delivery tracker) and repositioned checkpoints; no status changes. | Project PM |
| 2025-12-06 | Updated wave snapshot: 190.A deployment blocked awaiting orchestrator/policy release digests; 190.B DevOps phases mostly DONE with console/exporter still BLOCKED; 190.C Offline Kit DONE; marked OPS-COORD-190 DONE. | Project PM |
| 2025-12-04 | Cross-link scrub: all references to legacy ops sprint filenames updated to new IDs across implplan docs; no status changes. | Project PM |
| 2025-12-04 | Renamed to `SPRINT_0500_0001_0001_ops_offline.md` to match sprint filename template; no scope/status changes. | Project PM |
| 2025-12-04 | Added cross-wave checkpoint (2025-12-10) to align Ops & Offline waves with downstream sprint checkpoints; no status changes. | Project PM |
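Review bot: the 2025-12-06 entry is inserted beneath the 2025-12-05 entry in a log that is otherwise newest-first (the 2025-12-04 entries follow), which breaks the ordering; move it to the first data row.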

View File

@@ -21,11 +21,11 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DEPLOY-POLICY-27-002 | TODO | Depends on DEPLOY-POLICY-27-001 | Deployment Guild, Policy Guild | Document rollout/rollback playbooks for policy publish/promote (canary, emergency freeze, evidence retrieval) under `docs/runbooks/policy-incident.md` |
| 2 | DEPLOY-VEX-30-001 | TODO | None | Deployment Guild, VEX Lens Guild | Provide Helm/Compose overlays, scaling defaults, offline kit instructions for VEX Lens service |
| 3 | DEPLOY-VEX-30-002 | TODO | Depends on DEPLOY-VEX-30-001 | Deployment Guild, Issuer Directory Guild | Package Issuer Directory deployment manifests, backups, security hardening guidance |
| 4 | DEPLOY-VULN-29-001 | TODO | None | Deployment Guild, Findings Ledger Guild | Helm/Compose overlays for Findings Ledger + projector incl. DB migrations, Merkle anchor jobs, scaling guidance |
| 5 | DEPLOY-VULN-29-002 | TODO | Depends on DEPLOY-VULN-29-001 | Deployment Guild, Vuln Explorer API Guild | Package `stella-vuln-explorer-api` manifests, health checks, autoscaling policies, offline kit with signed images |
| 6 | DOWNLOADS-CONSOLE-23-001 | TODO | None | Deployment Guild, DevOps Guild | Maintain signed downloads manifest pipeline; publish JSON at `deploy/downloads/manifest.json`; doc sync cadence for Console/docs |
| 2 | DEPLOY-VEX-30-001 | BLOCKED (2025-12-06) | Root blocker: VEX Lens images/digests absent from release manifests; need published artefacts to build overlays/offline kit | Deployment Guild, VEX Lens Guild | Provide Helm/Compose overlays, scaling defaults, offline kit instructions for VEX Lens service |
| 3 | DEPLOY-VEX-30-002 | BLOCKED (2025-12-06) | Depends on DEPLOY-VEX-30-001 | Deployment Guild, Issuer Directory Guild | Package Issuer Directory deployment manifests, backups, security hardening guidance |
| 4 | DEPLOY-VULN-29-001 | BLOCKED (2025-12-06) | Root blocker: Findings Ledger/Vuln Explorer images/digests absent from release manifests | Deployment Guild, Findings Ledger Guild | Helm/Compose overlays for Findings Ledger + projector incl. DB migrations, Merkle anchor jobs, scaling guidance |
| 5 | DEPLOY-VULN-29-002 | BLOCKED (2025-12-06) | Depends on DEPLOY-VULN-29-001 | Deployment Guild, Vuln Explorer API Guild | Package `stella-vuln-explorer-api` manifests, health checks, autoscaling policies, offline kit with signed images |
| 6 | DOWNLOADS-CONSOLE-23-001 | BLOCKED (2025-12-06) | Waiting on console release artefacts and signed digests to publish manifest | Deployment Guild, DevOps Guild | Maintain signed downloads manifest pipeline; publish JSON at `deploy/downloads/manifest.json`; doc sync cadence for Console/docs |
| 7 | HELM-45-001 | DONE (2025-12-05) | None | Deployment Guild | Scaffold `deploy/helm/stella` chart with values, toggles, pinned digests, migration Job templates |
| 8 | HELM-45-002 | DONE (2025-12-05) | Depends on HELM-45-001 | Deployment Guild, Security Guild | Add TLS/Ingress, NetworkPolicy, PodSecurityContexts, Secrets integration (external secrets), document security posture |
| 9 | HELM-45-003 | DONE (2025-12-05) | Depends on HELM-45-002 | Deployment Guild, Observability Guild | Implement HPA, PDB, readiness gates, Prometheus scrape annotations, OTel hooks, upgrade hooks |
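Review bot: rows 3 and 5 are chain-blocked, but their dependency column reads "Depends on DEPLOY-VEX-30-001" / "Depends on DEPLOY-VULN-29-001" with no indication that the upstream row is itself blocked, unlike rows 2 and 4, which state the root blocker; add "(blocked)" after the upstream ID, as the DevOps tracker in this commit does, and name the release manifest file whose digests are missing so the unblock condition is checkable.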
@@ -33,6 +33,8 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-06 | Marked DEPLOY-VEX-30-001/002, DEPLOY-VULN-29-001/002 BLOCKED: VEX Lens and Findings/Vuln images absent from release manifests; cannot build overlays/offline kits. | Deployment Guild |
| 2025-12-06 | Marked DOWNLOADS-CONSOLE-23-001 BLOCKED pending console release digests to produce signed downloads manifest. | Deployment Guild |
| 2025-12-05 | HELM-45-003 DONE: added HPA template with per-service overrides, PDB support, Prometheus scrape annotations hook, and production defaults (prod enabled, airgap prometheus on but HPA off). | Deployment Guild |
| 2025-12-05 | HELM-45-002 DONE: added ingress/TLS toggles, NetworkPolicy defaults, pod security contexts, and ExternalSecret scaffold (prod enabled, airgap off); documented via values changes and templates (`core.yaml`, `networkpolicy.yaml`, `ingress.yaml`, `externalsecrets.yaml`). | Deployment Guild |
| 2025-12-05 | HELM-45-001 DONE: added migration job scaffolding and toggle to Helm chart (`deploy/helm/stellaops/templates/migrations.yaml`, values defaults), kept digest pins, and published install guide (`deploy/helm/stellaops/INSTALL.md`). | Deployment Guild |

View File

@@ -28,7 +28,7 @@
| 6 | DEVOPS-LNM-TOOLING-22-000 | BLOCKED | Await upstream storage backfill tool specs & Excititor migration outputs | DevOps, Concelier, Excititor Guilds | Package/tooling for linkset/advisory migrations |
| 7 | DEVOPS-LNM-22-001 | BLOCKED (2025-10-27) | Blocked on DEVOPS-LNM-TOOLING-22-000 | DevOps Guild, Concelier Guild | Run migration/backfill pipelines for advisory observations/linksets in staging, validate counts/conflicts, automate deployment |
| 8 | DEVOPS-LNM-22-002 | BLOCKED (2025-10-27) | Blocked on DEVOPS-LNM-22-001 and Excititor storage migration | DevOps Guild, Excititor Guild | Execute VEX observation/linkset backfill with monitoring; ensure NATS/Redis events; document ops runbook |
| 9 | DEVOPS-LNM-22-003 | TODO | Depends on DEVOPS-LNM-22-002 | DevOps Guild, Observability Guild | Add CI/monitoring for new metrics (`advisory_observations_total`, `linksets_total`, ingestAPI SLA alerts) |
| 9 | DEVOPS-LNM-22-003 | BLOCKED (2025-12-06) | Depends on DEVOPS-LNM-22-002 (blocked) | DevOps Guild, Observability Guild | Add CI/monitoring for new metrics (`advisory_observations_total`, `linksets_total`, ingestAPI SLA alerts) |
| 10 | DEVOPS-OAS-61-001 | DONE (2025-11-24) | None | DevOps Guild, API Contracts Guild | Add CI stages for OpenAPI lint, validation, compat diff; enforce PR gating |
| 11 | DEVOPS-OAS-61-002 | DONE (2025-11-24) | Depends on DEVOPS-OAS-61-001 | DevOps Guild, Contract Testing Guild | Mock server + contract test suite in PR/nightly; publish artifacts |
| 12 | DEVOPS-OPENSSL-11-001 | DONE (2025-11-24) | None | DevOps Guild, Build Infra Guild | Package OpenSSL 1.1 shim into test harness outputs for Mongo2Go suites |
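Review bot: the new row 9 text uses "Depends on ... (blocked)" while rows 7 and 8 in the same table use "Blocked on ..."; pick one phrasing for chain-blocked rows so they can be searched consistently.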
@@ -44,11 +44,12 @@
| 22 | DEVOPS-LEDGER-OAS-62-001-REL | BLOCKED (2025-11-24) | Await finalized Ledger OAS/versioning | DevOps Guild, Findings Ledger Guild | SDK generation/signing for Ledger |
| 23 | DEVOPS-LEDGER-OAS-63-001-REL | BLOCKED (2025-11-24) | Await OAS change log/lifecycle policy | DevOps Guild, Findings Ledger Guild | Deprecation governance artefacts |
| 24 | DEVOPS-LEDGER-PACKS-42-001-REL | BLOCKED (2025-11-24) | Await schema + storage contract | DevOps Guild, Findings Ledger Guild | Snapshot/time-travel export packaging |
| 25 | DEVOPS-LEDGER-PACKS-42-002-REL | TODO | Depends on DEVOPS-LEDGER-PACKS-42-001-REL | DevOps Guild, Findings Ledger Guild | Add pack signing + integrity verification job to release bundles |
| 25 | DEVOPS-LEDGER-PACKS-42-002-REL | BLOCKED (2025-12-06) | Depends on DEVOPS-LEDGER-PACKS-42-001-REL (blocked) | DevOps Guild, Findings Ledger Guild | Add pack signing + integrity verification job to release bundles |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-06 | Marked DEVOPS-LNM-22-003 and DEVOPS-LEDGER-PACKS-42-002-REL BLOCKED due to upstream dependencies (22-002, 42-001-REL) still blocked. | Project PM |
| 2025-12-04 | Renamed from `SPRINT_505_ops_devops_iii.md` to template-compliant `SPRINT_0505_0001_0001_ops_devops_iii.md`; no status changes. | Project PM |
| 2025-11-24 | Completed DEVOPS-OAS-61-001/002: added OAS CI workflow `.gitea/workflows/oas-ci.yml` (compose, lint, examples, compat diff, contract tests, aggregate spec upload). | Implementer |
| 2025-11-24 | Completed DEVOPS-OPENSSL-11-001: copied OpenSSL 1.1 shim into all test outputs via shared Directory.Build.props; Authority Mongo2Go tests pass. | Implementer |