compose and authority fixes. finish sprints.

docs/modules/binary-index/hybrid-diff-stack.md

@@ -1,6 +1,6 @@
 # Hybrid Diff Stack Architecture (Source -> Symbols -> Normalized Bytes)
 
-> Status: Planned (advisory translation, 2026-02-16)
+> Status: Implemented in BinaryIndex DeltaSig (2026-02-16)
 > Module: BinaryIndex with cross-module contracts (Symbols, EvidenceLocker, Policy, Attestor, ReleaseOrchestrator)
 
 ## 1. Objective
@@ -13,23 +13,36 @@ binary truth at the same time:
 - Binary-level patching: normalization-first per-symbol deltas.
 - Release evidence: DSSE-signed contract consumed by policy and replay.
 
-## 2. Current implementation baseline
+## 2. Implementation baseline (2026-02-16)
 
-Implemented today:
+Implemented in `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/`:
 
-- ELF normalization passes and deterministic delta hash generation.
-- DeltaSig predicate contracts (v1 and v2) with CLI author/sign/verify flows.
-- Symbol manifest model with debug id, code id, source paths, and line data.
+- Hybrid artifact contracts: `semantic_edit_script`, `symbol_map`,
+  `symbol_patch_plan`, and `patch_manifest` (`HybridDiffContracts.cs`).
+- Deterministic artifact composer with digest linking and manifest generation
+  (`HybridDiffComposer.cs`).
+- DeltaSig generation now emits function deltas from symbol-map/signature
+  boundaries (address, section, size) instead of placeholder derivations.
+- DeltaSig predicates include optional `hybridDiff` evidence bundle with linked
+  digests (`Attestation/DeltaSigPredicate.cs`, `DeltaSigService.cs`).
+- Verifier fail-closed checks for hybrid artifact digest/linkage mismatches and
+  boundary/hash reconciliation in dry verification (`DeltaSigService.VerifyAsync`).
+- Policy hooks for hybrid evidence requirements, AST anchor requirements,
+  namespace restrictions, and patch-manifest byte budgets
+  (`DeltaSigPolicyOptions`, `DeltaSigService.EvaluatePolicy`).
+- Binary resolution API evidence (VulnResolutionResponse.Evidence) now projects
+  deterministic hybridDiff payloads for both live lookups and cache hits so
+  the Web evidence drawer can render semantic edit counts, symbol patch plans,
+  manifest summaries, and digest chains from a single response.
 
-Gaps for full advisory scope:
+Current constraints:
 
-- No AST semantic edit script artifact pipeline in current release workflow.
-- No canonical builder output for source-range to symbol-address map as a
-  first-class build artifact contract.
-- No end-to-end "source edits -> symbol patch plan -> normalized deltas"
-  bundle schema consumed by release policy.
-- Existing function delta composition still contains placeholder address/size
-  behavior in parts of DeltaSig generation.
+- Source semantic edits are deterministic text/symbol heuristics, not a full
+  language-specific AST adapter.
+- Symbol maps come from provided build manifests/maps when available; otherwise
+  deterministic fallback maps are synthesized from signatures.
+- Delta application dry-run remains boundary/hash level verification; byte-level
+  patch replay engine integration is still a separate Attestor/Doctor concern.
 
 ## 3. Target contracts
 
@@ -161,3 +174,5 @@ Execution is tracked in:
 - `docs/modules/binary-index/deltasig-v2-schema.md`
 - `docs/modules/scanner/binary-diff-attestation.md`
 - `docs/modules/evidence-locker/guides/evidence-pack-schema.md`
+
+

docs/modules/evidence-locker/export-format.md

@@ -288,6 +288,24 @@ Write-Host "=== Verification Complete: PASSED ===" -ForegroundColor Green
 - File extension: `.openvex.json`
 - Location: `vex/statements/`
 
+### Runtime Witness Triplets (MWD-004)
+
+Runtime micro-witnesses are exported under `runtime-witnesses/` as deterministic triplets grouped by `witness_id`:
+
+| Artifact | MIME Type | File Pattern |
+|----------|-----------|--------------|
+| Trace payload | `application/vnd.stellaops.witness.v1+json` | `runtime-witnesses/<witness-id>/trace.json` |
+| DSSE envelope | `application/vnd.dsse.envelope+json` | `runtime-witnesses/<witness-id>/trace.dsse.json` |
+| Sigstore bundle | `application/vnd.dev.sigstore.bundle.v0.3+json` | `runtime-witnesses/<witness-id>/trace.sigstore.json` |
+
+Manifest/index entries for these artifacts carry deterministic replay keys:
+- `build_id`
+- `kernel_release`
+- `probe_id`
+- `policy_run_id`
+
+Offline replay validation is bundle-contained: `trace.json`, `trace.dsse.json`, and `trace.sigstore.json` are validated together without external lookups.
+
 ## Export Options
 
 ### CLI Command

docs/modules/evidence-locker/guides/evidence-pack-schema.md

@@ -536,3 +536,15 @@ stella pack replay evidence-pack.tar.gz --verbose --diff
 - [Verdict Attestations](../policy/verdict-attestations.md)
 - [Evidence Locker Architecture](../modules/evidence-locker/architecture.md)
 - [SPRINT_3000_0100_0002](../implplan/SPRINT_3000_0100_0002_evidence_packs.md)
+
+## Hybrid Diff Artifacts
+
+When a verdict payload contains a DeltaSig predicate with `hybridDiff`, include the
+following deterministic artifacts in the evidence pack (for example under
+`binary-diff/`) and keep each artifact digest linked to the attested predicate:
+
+- `semantic_edit_script.json`
+- `symbol_map_before.json`
+- `symbol_map_after.json`
+- `symbol_patch_plan.json`
+- `patch_manifest.json`

docs/modules/orchestrator/architecture.md

@@ -119,6 +119,12 @@ The `CircuitBreakerService` implements the circuit breaker pattern for downstrea
 - Event envelope draft (`docs/modules/orchestrator/event-envelope.md`) defines notifier/webhook/SSE payloads with idempotency keys, provenance, and task runner metadata for job/pack-run events.
 - OpenAPI discovery: `/.well-known/openapi` exposes `/openapi/orchestrator.json` (OAS 3.1) with pagination/idempotency/error-envelope examples; legacy job detail/summary endpoints now ship `Deprecation` + `Link` headers that point to their replacements.
 
+### 4.5) Release control plane dashboard endpoints
+- `GET /api/v1/release-orchestrator/dashboard` — control-plane dashboard payload (pipeline, pending approvals, active deployments, recent releases).
+- `POST /api/v1/release-orchestrator/promotions/{id}/approve` — approve a pending promotion from dashboard context.
+- `POST /api/v1/release-orchestrator/promotions/{id}/reject` — reject a pending promotion from dashboard context.
+- Compatibility aliases are exposed for legacy clients under `/api/release-orchestrator/*`.
+
 All responses include deterministic timestamps, job digests, and DSSE signature fields for offline reconciliation.
 
 ## 5) Observability

docs/modules/signals/contracts/ebpf-micro-witness-determinism-profile.md

@@ -1,10 +1,10 @@
 # eBPF Micro-Witness Determinism Profile v1.0.0
 
-**Status:** PLANNED  
+**Status:** IMPLEMENTED  
 **Version:** 1.0.0  
 **Effective:** 2026-02-16  
 **Owner:** Signals Guild + Scanner Guild + Attestor Guild + Evidence Locker Guild  
-**Sprint:** `docs/implplan/SPRINT_20260216_001_Signals_ebpf_micro_witness_determinism_profile.md`
+**Sprint:** `docs-archived/implplan/SPRINT_20260216_001_Signals_ebpf_micro_witness_determinism_profile.md`
 
 ---
 
@@ -110,15 +110,24 @@ These keys are required for deterministic replay lookup and audit search.
 
 ## 8. Confirmed Gaps (2026-02-16 Baseline)
 
-- Hard BTF dependency with no split-BTF fallback metadata contract in collector:
+- Resolved in `MWD-001` (2026-02-16): deterministic BTF selection order and metadata emission are now implemented in runtime collector:
   - `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeSignalCollector.cs`
+  - `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeBtfSourceSelector.cs`
 - Probe load path is simulated and does not record selected BTF source:
   - `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/CoreProbeLoader.cs`
-- Runtime witness payload lacks required symbolization tuple fields:
+- Resolved in `MWD-002` (2026-02-16): runtime witness payload and validation now enforce deterministic symbolization tuple fields.
   - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs`
-  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeObservation.cs`
-- Runtime witness generator implementation is missing:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IRuntimeWitnessGenerator.cs`
-- Sigstore bundle (`trace.sigstore.json`) is not yet standardized in witness storage/export:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/013_witness_storage.sql`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeWitnessRequest.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessDsseSigner.cs`
+- Resolved in `MWD-003` (2026-02-17): runtime witness generation is implemented with deterministic observation canonicalization, DSSE signing, storage hook, and collector wiring.
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeWitnessGenerator.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IRuntimeWitnessStorage.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IRuntimeWitnessSigningKeyProvider.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Runtime/EbpfRuntimeReachabilityCollector.cs`
+- Resolved in `MWD-004` (2026-02-17): Evidence Locker manifest/export now supports runtime witness triplets and witness-index linkage keys for deterministic replay lookup, with offline bundle-contained verification checks.
   - `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/Models/BundleManifest.cs`
+  - `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/TarGzBundleExporter.cs`
+  - `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/RuntimeWitnessOfflineVerifier.cs`
+- Resolved in `MWD-005` (2026-02-17): cross-distro deterministic replay matrix coverage now runs in targeted tests (3 kernel releases, `glibc` + `musl`) and asserts byte-identical replay-frame bytes for fixed witness artifacts with recorded artifact hashes/logs.
+  - `src/EvidenceLocker/__Tests/StellaOps.EvidenceLocker.Export.Tests/RuntimeWitnessOfflineVerifierTests.cs`
+  - `docs/qa/feature-checks/runs/signals/ebpf-micro-witness-determinism/run-001/tier2-replay-matrix-summary.json`

docs/modules/ui/guides/setup-guide.md

@@ -160,6 +160,7 @@ The **Sources** step supports multiple feed types:
 - Self-hosted advisory mirrors for air-gapped environments
 - Supports Basic Auth, Bearer Token, or mTLS authentication
 - Configurable sync intervals
+- Local/default wizard behavior starts in **Custom Feed Sources** mode and leaves mirror URL empty until explicitly configured.
 
 ## Environment Patterns