partly or unimplemented features - now implemented

docs/features/README.md

@@ -2,102 +2,106 @@
 
 Structured inventory of all Stella Ops features, organized for E2E verification tracking.
 
-Generated: 2026-02-08
+Generated: 2026-02-08 | Updated: 2026-02-09
 
 ## Summary
 
 | Directory | Meaning | Count |
 |-----------|---------|-------|
 | `checked/` | Features verified by E2E tests | 0 |
-| `unchecked/` | Implemented features needing E2E verification | 1,057 |
-| `unimplemented/` | Partially implemented features | 99 |
-| `dropped/` | Features not found in source code | 29 |
-| **Total** | | **1,185** |
+| `unchecked/` | Implemented features needing E2E verification | 1,144 |
+| `unimplemented/` | Partially implemented features | 0 |
+| `dropped/` | Features not found in source code | 22 |
+| **Total** | | **1,166** |
+
+Note: 73 features previously in `unimplemented/` were completed via SPRINT_20260208 sprints (archived in `docs-archived/implplan/`) and moved to `unchecked/` on 2026-02-09.
 
 ## How to Use
 
 - **To verify a feature**: Pick a file from `unchecked/<module>/`, follow the E2E Test Plan, and if it passes, move the file to `checked/<module>/`.
-- **To implement a missing feature**: Read a file from `unimplemented/<module>/`, review the "What's Missing" section, implement, then move to `unchecked/`.
 - **To understand what was dropped**: Read files in `dropped/` for context on features that were planned but not implemented.
 
 ## Modules by Feature Count
 
 ### Large Modules (50+ features)
 
-| Module | Unchecked | Unimplemented | Dropped | Total |
-|--------|-----------|---------------|---------|-------|
-| [Web](unchecked/web/) | 167 | 17 | 4 | 188 |
-| [Attestor](unchecked/attestor/) | 153 | 27 | 2 | 182 |
-| [Scanner](unchecked/scanner/) | 142 | 9 | 0 | 151 |
-| [Cli](unchecked/cli/) | 97 | 7 | 0 | 104 |
-| [Policy](unchecked/policy/) | 76 | 8 | 5 | 89 |
+| Module | Unchecked | Dropped | Total |
+|--------|-----------|---------|-------|
+| [Web](unchecked/web/) | 178 | 0 | 178 |
+| [Attestor](unchecked/attestor/) | 174 | 0 | 174 |
+| [Scanner](unchecked/scanner/) | 147 | 0 | 147 |
+| [Cli](unchecked/cli/) | 104 | 0 | 104 |
+| [Policy](unchecked/policy/) | 88 | 0 | 88 |
 
 ### Medium Modules (10-49 features)
 
-| Module | Unchecked | Unimplemented | Dropped | Total |
-|--------|-----------|---------------|---------|-------|
-| [ReleaseOrchestrator](unchecked/releaseorchestrator/) | 44 | 1 | 0 | 45 |
-| [BinaryIndex](unchecked/binaryindex/) | 41 | 2 | 0 | 43 |
-| [Concelier](unchecked/concelier/) | 34 | 2 | 0 | 36 |
-| [Libraries](unchecked/libraries/) | 24 | 2 | 1 | 27 |
-| [Router](unchecked/router/) | 18 | 0 | 0 | 18 |
-| [Excititor](unchecked/excititor/) | 17 | 0 | 1 | 18 |
-| [Signals](unchecked/signals/) | 13 | 4 | 1 | 18 |
-| [EvidenceLocker](unchecked/evidencelocker/) | 17 | 0 | 0 | 17 |
-| [AdvisoryAI](unchecked/advisoryai/) | 15 | 1 | 1 | 17 |
-| [Orchestrator](unchecked/orchestrator/) | 14 | 1 | 0 | 15 |
-| [Authority](unchecked/authority/) | 12 | 1 | 0 | 13 |
-| [AirGap](unchecked/airgap/) | 9 | 3 | 0 | 12 |
-| [Tests](unchecked/tests/) | 11 | 0 | 2 | 13 |
-| [Integrations](unchecked/integrations/) | 10 | 1 | 0 | 11 |
-| [Zastava](unchecked/zastava/) | 9 | 1 | 0 | 10 |
+| Module | Unchecked | Dropped | Total |
+|--------|-----------|---------|-------|
+| [ReleaseOrchestrator](unchecked/releaseorchestrator/) | 45 | 0 | 45 |
+| [BinaryIndex](unchecked/binaryindex/) | 43 | 0 | 43 |
+| [Concelier](unchecked/concelier/) | 36 | 0 | 36 |
+| [Libraries](unchecked/libraries/) | 26 | 0 | 26 |
+| [Router](unchecked/router/) | 18 | 0 | 18 |
+| [Excititor](unchecked/excititor/) | 18 | 0 | 18 |
+| [EvidenceLocker](unchecked/evidencelocker/) | 17 | 0 | 17 |
+| [AdvisoryAI](unchecked/advisoryai/) | 16 | 0 | 16 |
+| [Orchestrator](unchecked/orchestrator/) | 15 | 0 | 15 |
+| [Signals](unchecked/signals/) | 14 | 0 | 14 |
+| [Authority](unchecked/authority/) | 13 | 0 | 13 |
+| [Tests](unchecked/tests/) | 12 | 0 | 12 |
+| [Integrations](unchecked/integrations/) | 11 | 0 | 11 |
+| [Telemetry](unchecked/telemetry/) | 11 | 0 | 11 |
+| [AirGap](unchecked/airgap/) | 10 | 0 | 10 |
 
 ### Small Modules (<10 features)
 
-| Module | Unchecked | Unimplemented | Dropped | Total |
-|--------|-----------|---------------|---------|-------|
-| [Telemetry](unchecked/telemetry/) | 9 | 0 | 0 | 9 |
-| [ReachGraph](unchecked/reachgraph/) | 7 | 2 | 0 | 9 |
-| [Doctor](unchecked/doctor/) | 8 | 0 | 0 | 8 |
-| [SbomService](unchecked/sbomservice/) | 7 | 1 | 0 | 8 |
-| [Gateway](unchecked/gateway/) | 6 | 2 | 0 | 8 |
-| [TaskRunner](unchecked/taskrunner/) | 7 | 0 | 0 | 7 |
-| [VexLens](unchecked/vexlens/) | 6 | 0 | 1 | 7 |
-| [Notifier](unchecked/notifier/) | 7 | 0 | 0 | 7 |
-| [Findings](unchecked/findings/) | 7 | 0 | 0 | 7 |
-| [Graph](unchecked/graph/) | 6 | 1 | 0 | 7 |
-| [ExportCenter](unchecked/exportcenter/) | 6 | 1 | 0 | 7 |
-| [Plugin](unchecked/plugin/) | 6 | 0 | 0 | 6 |
-| [Platform](unchecked/platform/) | 6 | 0 | 0 | 6 |
-| [Signer](unchecked/signer/) | 6 | 0 | 0 | 6 |
-| [Cryptography](unchecked/cryptography/) | 5 | 0 | 1 | 6 |
-| [Timeline](unchecked/timeline/) | 5 | 0 | 0 | 5 |
-| [Tools](unchecked/tools/) | 4 | 0 | 0 | 4 |
-| [Bench](unchecked/bench/) | 2 | 1 | 1 | 4 |
-| [Scheduler](unchecked/scheduler/) | 3 | 0 | 0 | 3 |
-| [RiskEngine](unchecked/riskengine/) | 2 | 0 | 1 | 3 |
-| [Unknowns](unchecked/unknowns/) | 2 | 1 | 0 | 3 |
-| [Replay](unchecked/replay/) | 2 | 1 | 0 | 3 |
+| Module | Unchecked | Dropped | Total |
+|--------|-----------|---------|-------|
+| [Zastava](unchecked/zastava/) | 9 | 0 | 9 |
+| [ReachGraph](unchecked/reachgraph/) | 9 | 0 | 9 |
+| [SbomService](unchecked/sbomservice/) | 8 | 0 | 8 |
+| [Gateway](unchecked/gateway/) | 8 | 0 | 8 |
+| [Doctor](unchecked/doctor/) | 8 | 0 | 8 |
+| [VexLens](unchecked/vexlens/) | 7 | 0 | 7 |
+| [TaskRunner](unchecked/taskrunner/) | 7 | 0 | 7 |
+| [Notifier](unchecked/notifier/) | 7 | 0 | 7 |
+| [Graph](unchecked/graph/) | 7 | 0 | 7 |
+| [Findings](unchecked/findings/) | 7 | 0 | 7 |
+| [ExportCenter](unchecked/exportcenter/) | 7 | 0 | 7 |
+| [Signer](unchecked/signer/) | 6 | 0 | 6 |
+| [Plugin](unchecked/plugin/) | 6 | 0 | 6 |
+| [Platform](unchecked/platform/) | 6 | 0 | 6 |
+| [Cryptography](unchecked/cryptography/) | 6 | 0 | 6 |
+| [Timeline](unchecked/timeline/) | 5 | 0 | 5 |
+| [Tools](unchecked/tools/) | 4 | 0 | 4 |
+| [Replay](unchecked/replay/) | 4 | 0 | 4 |
+| [Scheduler](unchecked/scheduler/) | 3 | 0 | 3 |
+| [RiskEngine](unchecked/riskengine/) | 3 | 0 | 3 |
+| [Bench](unchecked/bench/) | 3 | 0 | 3 |
+| [Unknowns](unchecked/unknowns/) | 2 | 0 | 2 |
+| [Docs](unchecked/docs/) | 2 | 0 | 2 |
+| [DevOps](unchecked/devops/) | 2 | 0 | 2 |
+| [Api](unchecked/api/) | 2 | 0 | 2 |
 
 ### Single-Feature Modules
 
 | Module | Status |
 |--------|--------|
 | [Aoc](unchecked/aoc/) | Unchecked |
-| [Api](unchecked/api/) | Unchecked (2) |
 | [Analyzers](unchecked/analyzers/) | Unchecked |
-| [DevOps](unchecked/devops/) | Unchecked (2) |
 | [DevPortal](unchecked/devportal/) | Unchecked |
-| [Docs](unchecked/docs/) | Unchecked (2) |
 | [Feedser](unchecked/feedser/) | Unchecked |
-| [Mirror](unimplemented/mirror/) | Unimplemented |
+| [Mirror](unchecked/mirror/) | Unchecked |
 | [PacksRegistry](unchecked/packsregistry/) | Unchecked |
-| [Provenance](unimplemented/provenance/) | Unimplemented |
 | [RuntimeInstrumentation](unchecked/runtimeinstrumentation/) | Unchecked |
 | [Sdk](unchecked/sdk/) | Unchecked |
 | [SmRemote](unchecked/smremote/) | Unchecked |
 | [VulnExplorer](unchecked/vulnexplorer/) | Unchecked |
 
+### Dropped Features (22)
+
+All dropped features are in `dropped/` with explanations for why they were not implemented.
+
 ## File Format
 
 Each feature file follows a standard template:
@@ -110,14 +114,6 @@ Each feature file follows a standard template:
 ## E2E Test Plan (setup, action, verification steps)
 ```
 
-### Unimplemented (PARTIALLY_IMPLEMENTED)
-```
-# Feature Name
-## Module / ## Status / ## Description
-## What's Implemented / ## What's Missing
-## Implementation Plan
-```
-
 ### Dropped (NOT_FOUND)
 ```
 # Feature Name
@@ -132,5 +128,5 @@ This catalog was built from:
 - 1,343 sprint archives (Phase 2)
 - CLI + Web source code scan (Phase 3)
 - Two deduplication passes reducing 1,600 entries to 1,185
-
-See `FEATURE_CATALOG.md` in the repo root for the flat consolidated view.
+- 73 SPRINT_20260208 sprints completing all PARTIALLY_IMPLEMENTED features
+- Final state: 1,144 unchecked + 22 dropped = 1,166 total

docs/features/unchecked/attestor/binary-fingerprint-store-and-trust-scoring.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Binary analysis commands exist in the CLI with score gating, confidence calculation is implemented in the Policy engine, and a Doctor plugin for binary analysis health checks exists. A full binary fingerprint database with ELF/PE section hashing, trust scores, and golden set as described is partially implemented through the existing binary analysis infrastructure.

docs/features/unchecked/attestor/cas-for-sbom-vex-attestation-artifacts.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Content-addressed identifiers are implemented for proof chain artifacts. EvidenceLocker provides bundle building. Full OCI/MinIO CAS for SBOM/VEX blobs is not fully visible.

docs/features/unchecked/attestor/crypto-sovereign-design.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 SigningKeyProfile supports crypto-sovereign configurations. SM2 tests exist for Chinese crypto support. The signing key registry supports multiple profiles. Full eIDAS/GOST/PQC implementations appear to be partially supported through the profile system but not all crypto backends are fully implemented.

docs/features/unchecked/attestor/dsse-envelope-size-management-and-gateway-traversal.md

@@ -4,7 +4,7 @@
 Attestor (with CLI and Scanner integration)
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 DSSE envelope construction and Rekor submission exist, but no explicit size guardrails (70-100KB heuristic), automatic payload splitting/chunking, or gateway-aware sizing logic is implemented. The architecture stores full attestations internally and uses Rekor for hash-based inclusion proofs. Envelope size awareness exists in EPSS fetcher and delta-sig CLI commands, and bundling/queue options have configurable size limits.

docs/features/unchecked/attestor/dsse-signed-exception-objects-with-recheck-policy.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Policy exceptions framework with models, repositories, and services exists. DSSE signing infrastructure is available. Full UI exception modal with recheck policy enforcement is partially complete.

docs/features/unchecked/attestor/dsse-wrapped-reach-maps.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Rich graphs and suppression witnesses exist with signing infrastructure available, but a specific "signed reach-map artifact" as a standalone DSSE-wrapped output is not distinctly implemented as described.

docs/features/unchecked/attestor/evidence-coverage-score-for-ai-gating.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 The concept of gating AI output behind evidence quality exists via the AIAuthorityClassifier which scores explanation, remediation, VEX draft, and policy draft quality. The specific UX badge component and coverage scoring service described in the advisory are not implemented as standalone features.

docs/features/unchecked/attestor/evidence-subgraph-ui-visualization.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Backend proof graph model is implemented (nodes, edges, subgraphs, paths). Evidence panel e2e tests exist. Full frontend visualization component status unclear from source search alone.

docs/features/unchecked/attestor/field-level-ownership-map-for-receipts-and-bundles.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Rekor entry and receipt models exist with structured fields, but a formal field-level ownership map document (checklist page) linking fields to specific module responsibilities was not found as a standalone artifact.

docs/features/unchecked/attestor/idempotent-sbom-attestation-apis.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Content-addressed identification for artifacts is implemented. Full idempotent REST API endpoints (POST /sbom/ingest, POST /attest/verify) are not clearly visible as standalone web service endpoints.

docs/features/unchecked/attestor/immutable-evidence-storage-and-regulatory-alignment.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 The underlying evidence storage and proof chain infrastructure exists. Specific regulatory compliance mapping (NIS2, DORA, ISO-27001 report templates) not found as distinct modules.

docs/features/unchecked/attestor/in-toto-link-attestation-capture.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 The attestation pipeline supports DSSE-wrapped statements and proof chains, which follow in-toto patterns. However, the specific per-step in-toto link capture with `in-toto-run` wrappers as described is not directly implemented.

docs/features/unchecked/attestor/monthly-bundle-rotation-and-re-signing.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 The attestation and signing infrastructure exists but the specific monthly bundle re-signing workflow is a planned sprint task.

docs/features/unchecked/attestor/noise-ledger.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Suppression witnesses and audit hash logging exist in the backend. CLI audit commands exist. A dedicated "Noise Ledger" UX component is not present, though the underlying audit/suppression infrastructure is in place.

docs/features/unchecked/attestor/postgresql-persistence-layer.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 PostgreSQL persistence is implemented for Attestor, Scanner, Policy, and TrustVerdict modules with Npgsql, migrations, and repository patterns. Full blueprint (RLS scaffolds, temporal tables for Unknowns, materialized views for triage) is partially realized; not all modules have dedicated schemas.

docs/features/unchecked/attestor/score-replay-and-verification.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Replay subsystem exists with a dedicated module, ProofChain replay models, and CLI commands. However, the specific `/score/{id}/replay` REST endpoint and DSSE-signed replay attestation with payload type `application/vnd.stella.score+json` are not yet wired up (sprint tasks TSF-011, TSF-007).

docs/features/unchecked/attestor/snapshot-export-import-for-air-gap.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Offline verification and evidence pack serialization exists. Full standalone snapshot export/import bundle format (Level B/C portable snapshots) may still be evolving based on evidence pack infrastructure.

docs/features/unchecked/attestor/unknowns-five-dimensional-triage-scoring.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Unknowns aggregation with item model and aggregator service exist. The full five-dimensional weighted scoring formula (P/E/U/C/S) with Hot/Warm/Cold banding and Scheduler-driven triage automation is partially implemented.

docs/features/unchecked/attestor/vex-findings-api-with-proof-artifacts.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 VEX verdict models, VEX delta predicates, and a VexProofSpineService exist in the backend, but the full API contract (GET /vex/findings/:id with proof artifacts) is not visible as a standalone endpoint.

docs/features/unchecked/attestor/vex-receipt-sidebar.md

@@ -4,7 +4,7 @@
 Attestor
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Backend VEX receipt model and verdict receipt statement exist. VEX hub feature exists in frontend but a dedicated "sidebar" UX for individual VEX receipts is not a standalone component.

docs/features/unchecked/authority/rfc-3161-tsa-client-for-ci-cd-timestamping.md

@@ -4,7 +4,7 @@
 Authority
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 RFC 3161 TSA client infrastructure for CI/CD timestamping. A comprehensive TSA client library exists in the Authority module with ASN.1 encoding/decoding, multi-provider failover, response caching, and certificate chain verification. The eIDAS plugin adds additional compliance support. Some CI/CD-specific integration features are still missing.

docs/features/unchecked/bench/vendor-comparison-scanner-parity-tracking.md

@@ -4,7 +4,7 @@
 Bench
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Scanner analyzer benchmarks and golden-set diff comparisons exist, but a dedicated vendor-comparison dashboard or automated parity scoring system as described in the advisory is not visible.

docs/features/unchecked/binaryindex/cross-distro-golden-set-for-backport-validation.md

@@ -4,7 +4,7 @@
 BinaryIndex
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Golden set infrastructure exists in BinaryIndex with analysis pipeline and API. The advisory's detailed curated test cases (OpenSSL Heartbleed, sudo Baron Samedit, etc.) and specific database schema may not be fully populated yet.

docs/features/unchecked/binaryindex/elf-normalization-and-delta-hashing.md

@@ -4,7 +4,7 @@
 BinaryIndex
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Low-entropy delta signatures over ELF segments with normalization (relocation zeroing, NOP canonicalization, jump table rewriting). Not yet implemented.

docs/features/unchecked/cli/baseline-selection-logic.md

@@ -4,7 +4,7 @@
 Cli
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Compare feature infrastructure exists with services and CLI builder. The specific baseline selection logic (last green verdict, previous release tag) and its visibility to users may be partially implemented.

docs/features/unchecked/cli/cli-parity.md

@@ -4,7 +4,7 @@
 Cli
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 The CLI infrastructure is extensive but a dedicated `stella advise` command with `--evidence --no-action` flags as described is not explicitly found. However, the `stella advise ask` command does exist with these flags.

docs/features/unchecked/cli/determinism-hash-signature-verification-in-ui.md

@@ -4,7 +4,7 @@
 Cli
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Proofs and proof-studio UI features exist for browsing proof artifacts. Bundle verification exists in CLI. Full inline determinism hash and signature verification status display in the compare view may be partially wired up.

docs/features/unchecked/cli/oci-referrers-for-evidence-storage.md

@@ -4,7 +4,7 @@
 Cli
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Bundle export, verification, and CLI commands exist. The pattern for storing evidence as OCI referrers is partially implemented through the bundle system and verifier module.

docs/features/unchecked/cli/unknowns-export-artifacts.md

@@ -4,7 +4,7 @@
 Cli
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Backend unknowns ranking and proof emission services exist along with CLI command group. However, explicit export schema artifacts for reproducible offline export of unknowns data were not located as standalone schema documents.

docs/features/unchecked/concelier/astra-linux-oval-feed-connector.md

@@ -4,7 +4,7 @@
 Concelier
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Advisory feed connector for Astra Linux (Russian certified distro) implementing IFeedConnector interface. Includes OVAL XML feed research, plugin scaffold, AstraOptions configuration, and trust defaults. Reuses DebianVersionComparer for version comparison. OVAL XML parser is partially implemented.

docs/features/unchecked/concelier/feed-snapshot-coordinator.md

@@ -4,7 +4,7 @@
 Concelier
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Feed snapshot persistence and retrieval exists (repository, entity model). However, the advisory notes this as TODO (Feed Snapshot Coordinator for cross-platform pinning/coordination is still in progress).

docs/features/unchecked/exportcenter/cli-ui-surfacing-of-hidden-backend-capabilities.md

@@ -4,7 +4,7 @@
 ExportCenter
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 The advisory itself identifies this as a gap - backend capabilities are rich but CLI/UI coverage needs surfacing work. This is a meta-advisory about exposing existing features.

docs/features/unchecked/gateway/router-back-pressure-middleware.md

@@ -4,7 +4,7 @@
 Gateway
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Rate limiting is present in the Gateway and Graph API services. The advisory's highly detailed dual-window rate limiter with Redis/Valkey-backed environment limiter, ring counter, and custom circuit breaker pattern is not implemented as described. Standard ASP.NET rate limiting is used instead.

docs/features/unchecked/gateway/stellarouter-performance-testing-pipeline.md

@@ -4,7 +4,7 @@
 Gateway
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 The StellaRouter gateway service exists but the advisory's proposed k6 performance testing scenarios (A-G), correlation ID instrumentation, and Prometheus metric dashboards for performance curve modeling are not present as source code artifacts. These may exist as devops artifacts outside src/.

docs/features/unchecked/graph/graph-edge-metadata-with-reason-evidence-provenance.md

@@ -4,7 +4,7 @@
 Graph
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 EdgeReason and CallgraphEdge models exist in Signals with persistence projection, and EdgeBundle exists in Scanner reachability. However, the Graph module itself (src/Graph) does not contain EdgeReason/EdgeVia/ExplanationPayload types -- the human-readable explanation layer described in the advisory is not present in the Graph API.

docs/features/unchecked/integrations/ai-code-guard.md

@@ -4,7 +4,7 @@
 Integrations
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 AI Code Guard has policy signal binding and annotation services. Evidence provider interfaces and annotation contracts exist. The advisory's proposed `stella guard run` CLI and full YAML-driven pipeline checks are partially represented through policy signal binding rather than a standalone CLI tool.

docs/features/unchecked/libraries/provcache-signer-aware-invalidation-and-evidence-chunk-paging-with-air-gap-expor.md

@@ -4,7 +4,7 @@
 __Libraries (Provcache)
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Large multi-wave feature: evidence chunk storage (with SHA-256 per-chunk verification and ChunkManifest for lazy fetching), paged evidence API (GetChunkRangeAsync), minimal proof bundle export (lite/standard/strict density), signer-aware cache invalidation (InvalidationType.SignerSetHash), feed epoch invalidation (InvalidationType.FeedEpochOlderThan), lazy evidence fetch (HTTP + sneakernet), revocation ledger with replay service, and CLI commands (stella prov export/import). Most waves DONE, but messaging bus subscription tasks and CLI e2e tests are BLOCKED pending service integration.

docs/features/unchecked/mirror/mirror-creator.md

@@ -4,7 +4,7 @@
 Mirror
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Mirror creator module exists as a separate directory but appears to have limited implementation compared to the comprehensive AirGap module.

docs/features/unchecked/orchestrator/quota-governance-and-circuit-breakers.md

@@ -4,7 +4,7 @@
 Orchestrator
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Job scheduling exists but dedicated quota governance services and circuit breaker automation were not found as separate implementations. May be embedded in scheduler logic.

docs/features/unchecked/policy/deterministic-trust-score-algebra.md

@@ -4,7 +4,7 @@
 Policy (with Attestor TrustVerdict integration)
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Comprehensive scoring infrastructure exists across Policy and Attestor modules: EWS engine, Determinization system with 6-dimension normalizers (RCH/RTS/BKP/XPL/SRC/MIT), K4Lattice trust algebra (Belnap four-valued logic), TrustScoreAggregator with uncertainty penalty, DecayedConfidenceCalculator, ClaimScoreMerger with conflict penalization, ScorePolicy model with basis-point weights, TrustVerdictService with composite scoring, and BackportProofGenerator confidence calculations. The unified facade API composing all scoring subsystems and the Score.v1 predicate format are not yet built.

docs/features/unchecked/policy/evidence-weighted-score-model.md

@@ -4,7 +4,7 @@
 Policy
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Scoring infrastructure with policy-driven weights, profiles, and explanations exists. The advisory proposed a new unified 6-dimension model (RCH/RTS/BKP/XPL/SRC/MIT) to replace 4 independent scoring systems. Core normalizers and guardrails engine appear partially built; full unification is in progress.

docs/features/unchecked/policy/impact-scoring-for-unknowns.md

@@ -4,7 +4,7 @@
 Policy
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 The advisory proposed weighted impact scoring with factors like environment exposure, data sensitivity, fleet prevalence, SLA tier, and CVSS severity. UncertaintyScoreCalculator and TrustScoreAggregator with configurable SignalWeights exist in the Determinization library, and ReachabilityScoringService exists in Signals. The exact multi-factor impact formula (w_env * EnvExposure + w_data * DataSensitivity + ...) is partially reflected through the existing signal weights system, though the specific per-factor normalization described in the advisory is not confirmed.

docs/features/unchecked/policy/policy-dsl.md

@@ -4,7 +4,7 @@
 Policy
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Policy loading and evaluation exist but the full `.stella` file DSL format with dedicated parser/compiler/simulator (stella policy lint/compile/simulate) was not found as a standalone tool. Policy evaluation is implemented through structured configuration. However, a full DSL parser/compiler exists in the `StellaOps.PolicyDsl` library.

docs/features/unchecked/policy/policy-interop-framework.md

@@ -4,7 +4,7 @@
 Policy
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Policy interoperability framework enabling bidirectional JSON export/import of policy rules. OPA/Rego export was planned but only JSON export confirmed in source. Includes PolicyPack document format for portable policy bundles. Full interop library exists with JSON import/export, Rego code generation, and schema validation.

docs/features/unchecked/policy/proof-studio-ux.md

@@ -4,7 +4,7 @@
 Policy
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Backend confidence calculation, verdict rationale rendering, and counterfactual engine exist. The advisory identified frontend proof studio UI as a remaining gap.

docs/features/unchecked/policy/unknowns-decay-and-triage-queue.md

@@ -4,7 +4,7 @@
 Policy
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Unknowns ranking and API endpoints exist. BlastRadius model present with database migration. The full time-based decay algorithm and containment signals ranking were identified as gaps in the archive manifest.

docs/features/unchecked/policy/versioned-weight-manifests.md

@@ -4,7 +4,7 @@
 Policy
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Initial weight manifest file exists, but the weight manifest infrastructure (loading, versioning, hashing, CLI management) is marked TODO in the sprint (TSF-001).

docs/features/unchecked/reachgraph/8-state-reachability-lattice.md

@@ -4,7 +4,7 @@
 ReachGraph
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Reachability infrastructure exists with triage integration, but the full 8-state lattice model (U/SR/SU/RO/RU/CR/CU/X) with mathematical state transitions as described is not fully implemented as a distinct subsystem.

docs/features/unchecked/reachgraph/reachability-core-library-with-unified-query-interface.md

@@ -4,7 +4,7 @@
 ReachGraph
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 ReachGraph has a web service with store and slice services, but the unified `IReachabilityIndex` facade combining static + runtime evidence is not present as a distinct library.

docs/features/unchecked/releaseorchestrator/release-orchestrator-performance-optimizations.md

@@ -4,7 +4,7 @@
 ReleaseOrchestrator
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Performance optimization suite: batched OCI digest resolution, concurrent gate evaluation with configurable concurrency limits, predictive data prefetching for gate inputs/scan results/attestation data, connection pool management with idle timeouts, and performance baseline tracking with regression detection. Bulk digest resolver is partially implemented.

docs/features/unchecked/replay/immutable-advisory-feed-snapshots.md

@@ -4,7 +4,7 @@
 Replay
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 The replay infrastructure supports input manifests and determinism tracking which conceptually align with point-in-time query capability, but a dedicated feed snapshotting system with per-provider immutable blobs and point-in-time advisory resolution is not directly implemented as described.

docs/features/unchecked/riskengine/exploit-maturity-mapping.md

@@ -1,7 +1,7 @@
 # Exploit Maturity Mapping
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 No dedicated exploit maturity mapping service found. The EPSS provider in RiskEngine may partially cover this.

docs/features/unchecked/sbomservice/sbom-lineage-graph-visualization.md

@@ -4,7 +4,7 @@
 SbomService
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 SBOM lineage graph with Git-like visualization. Architecture fully documented, UI components mostly built, but API endpoints not implemented and services use stubs.

docs/features/unchecked/scanner/ground-truth-corpus-with-reachability-tiers.md

@@ -4,7 +4,7 @@
 Scanner
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 A curated corpus of small service applications ("toys") with manually-labeled reachability tiers (R0-R4) for every known vulnerability, enabling precision/recall measurement of the scanner's reachability analysis engine. Each toy service contains a known vulnerability at a specific reachability tier, with a labels.yaml defining the ground truth.

docs/features/unchecked/scanner/idempotent-attestation-submission.md

@@ -4,7 +4,7 @@
 Scanner
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Ensures that attestation submissions (verdict push to OCI registry, Rekor transparency log entries) are idempotent: resubmitting the same attestation produces no duplicate entries and returns the existing entry reference. Handles transient failures with retry logic that avoids creating duplicate transparency log entries.

docs/features/unchecked/scanner/stack-trace-exploit-path-view.md

@@ -4,7 +4,7 @@
 Scanner
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 A dedicated "Stack-Trace Lens" UX component that renders exploit paths as interactive stack-trace visualizations, allowing security engineers to trace the call chain from entrypoint to vulnerable function. Combines backend exploit path grouping with a frontend visualization component.

docs/features/unchecked/scanner/vex-decision-filter-with-reachability.md

@@ -4,7 +4,7 @@
 Scanner
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 A dedicated reachability-aware VEX decision filter that combines VEX consensus data (from VexLens) with reachability classification to produce filtered vulnerability lists. Findings with "not_affected" VEX status and "unreachable" reachability classification are automatically suppressed, while findings with "exploitable" VEX status and "confirmed reachable" classification are elevated.

docs/features/unchecked/scanner/vulnerability-first-triage-ux-with-exploit-path-grouping.md

@@ -4,7 +4,7 @@
 Scanner (with Attestor proof bundle integration)
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 A vulnerability-first triage inbox where findings are grouped by exploit path similarity rather than by CVE or component. Security engineers see clusters of findings that share the same attack vector (entrypoint -> call chain -> sink), enabling batch triage. Backend triage service with DB context, reachability subgraph extraction, exploit path grouping, and proof generation exist. UI triage inbox and queue components are partially complete.

docs/features/unchecked/web/audit-trail-why-am-i-seeing-this.md

@@ -4,7 +4,7 @@
 Web
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 The advisory proposed a ReasonCapsuleComponent with per-row expandable explanations showing policy name, rule ID, graph revision ID, and inputs digest. Instead, verdict explanation is implemented via VerdictWhySummaryComponent (3-5 bullet driver explanations with evidence drill-down links) and WhySafePanels in the lineage feature. The exact ReasonCapsuleComponent name and API contract (/api/audit/reasons/:verdictId) were not found, but the concept is substantially realized under different component names.

docs/features/unchecked/web/pack-registry-browser.md

@@ -4,7 +4,7 @@
 Web
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 TaskRunner pack discovery and management with install/upgrade flows, compatibility checking, version history with changelogs, signature verification, and dependency graph. API client and models exist but dedicated feature module not found.

docs/features/unchecked/web/pipeline-run-centric-view.md

@@ -4,7 +4,7 @@
 Web
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Runs feature exists in the frontend with first-signal card components and prefetch services, but a full pipeline-centric view as described in the advisory is only partially present.

docs/features/unchecked/web/reachability-center-ui-view.md

@@ -4,7 +4,7 @@
 Web
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Reachability Center view showing asset coverage, missing sensors, and stale reachability facts. Implemented with deterministic fixture data; pending official fixture bundle swap from Signals guild.

docs/features/unchecked/web/sbom-graph-reachability-overlay-with-time-slider.md

@@ -4,7 +4,7 @@
 Web
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 Reachability halo overlay on SBOM graph visualization with time slider for temporal reachability exploration and state legend. Uses deterministic stub data pending fixture bundle.

docs/features/unchecked/web/signals-runtime-dashboard.md

@@ -4,7 +4,7 @@
 Web
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 eBPF/ETW/dyld probe status monitoring, signal collection metrics, anomaly alerts, host coverage map, and real-time event stream. API client and models exist but dedicated feature UI module not found as standalone directory.

docs/features/unchecked/web/vex-gate.md

@@ -4,7 +4,7 @@
 Web
 
 ## Status
-PARTIALLY_IMPLEMENTED
+IMPLEMENTED
 
 ## Description
 The advisory proposed a VexGateButtonDirective that morphs primary action buttons into Green/Amber/Red gated actions with evidence sheets. VEX evidence and decision infrastructure exists (vex-evidence client, vex-decision-modal, evidence-ribbon). However, the specific VexGateButtonDirective and VexEvidenceSheetComponent with inline button morphing and tier-based gating were not found. The pattern is partially realized through separate VEX decision modals and evidence display components.