Add unit tests and logging infrastructure for InMemory and RabbitMQ transports
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Implemented RecordingLogger and RecordingLoggerFactory for capturing log entries in tests.
- Added unit tests for InMemoryChannel, covering constructor behavior, property assignments, channel communication, and disposal.
- Created InMemoryTransportOptionsTests to validate default values and customizable options for InMemory transport.
- Developed RabbitMqFrameProtocolTests to ensure correct parsing and property creation for RabbitMQ frames.
- Added RabbitMqTransportOptionsTests to verify default settings and customization options for RabbitMQ transport.
- Updated project files for testing libraries and dependencies.
@@ -503,6 +503,7 @@ The following JSON Schema specifications have been created in `docs/schemas/`:
|
||||
| `scanner-surface.schema.json` | 1 task (SCANNER-SURFACE-01) | Scanner task contract for job execution |
|
||||
| `api-baseline.schema.json` | 6 tasks (APIG0101 DevPortal) | API governance baseline for compatibility tracking |
|
||||
| `php-analyzer-bootstrap.schema.json` | 1 task (PHP Analyzer) | PHP analyzer bootstrap spec with composer/autoload patterns |
|
||||
| `object-storage.schema.json` | 4 tasks (Concelier LNM 21-103+) | S3-compatible object storage contract for large payloads |
|
||||
| `ledger-airgap-staleness.schema.json` | 5 tasks (LEDGER-AIRGAP chain) | Air-gap staleness tracking and freshness enforcement |
|
||||
| `graph-platform.schema.json` | 2 tasks (CAGR0101 Bench) | Graph platform contract for benchmarks |
|
||||
|
||||
@@ -782,7 +783,7 @@ LEDGER-AIRGAP-56-002 staleness spec + AirGap time anchors
|
||||
| VEX-30-001 | Unspecified | Console/BE-Base Guild |
|
||||
| VULN-29-001 | Unspecified | Console/BE-Base Guild |
|
||||
| WEB-RISK-66-001 | npm ci hangs; Angular tests broken | BE-Base/Policy Guild |
|
||||
| CONCELIER-LNM-21-003 | Requires #8 heuristics | Concelier Core Guild |
|
||||
| ~~CONCELIER-LNM-21-003~~ | ~~Requires #8 heuristics~~ ✅ DONE (2025-11-22) | Concelier Core Guild |
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
|
||||
## Wave Coordination
|
||||
- **Wave A (ingest foundations — COMPLETE):** PREP tasks + LNM/graph groundwork (P1–P2, tasks 1–11) are DONE; keep outputs frozen for downstream consumers.
|
||||
- **Wave B (object storage + WebService unlock):** Task 12 (CONCELIER-LNM-21-103-DEV) gates tasks 13–15; blocked pending object storage contract from Storage/DevOps guilds.
|
||||
- **Wave B (object storage + WebService unlock):** Task 12 (CONCELIER-LNM-21-103-DEV) gates tasks 13–15; ✅ object storage contract created (`docs/schemas/object-storage.schema.json`), task 12 now TODO.
|
||||
- **Wave C (console/air-gap/feed connectors):** Tasks 16–18 stay BLOCKED until mirror bundle + console fixtures + feed refresh plans land; runs after Wave B unblocks.
|
||||
- Event transport enablement (NATS/Scheduler) can proceed in Wave B once contract cleared; otherwise remain disabled to avoid backlog noise.
|
||||
|
||||
@@ -43,7 +43,7 @@
|
||||
| 9 | CONCELIER-LNM-21-005 | DONE (2025-11-27) | Completed: Event contract + publisher interfaces + tests + docs | Concelier Core Guild · Platform Events Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit `advisory.linkset.updated` events with delta descriptions + observation ids (tenant + provenance only). |
|
||||
| 10 | CONCELIER-LNM-21-101-DEV | DONE (2025-11-27) | Completed: Sharding + TTL migration + event collection | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Provision Mongo collections (`advisory_observations`, `advisory_linksets`) with hashed shard keys, tenant indexes, TTL for ingest metadata. |
|
||||
| 11 | CONCELIER-LNM-21-102-DEV | DONE (2025-11-28) | Completed: Migration + tombstones + rollback tooling | Concelier Storage Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Backfill legacy merged advisories; seed tombstones; provide rollback tooling for Offline Kit. |
|
||||
| 12 | CONCELIER-LNM-21-103-DEV | BLOCKED (awaits object storage contract) | Requires object storage contract definition before implementation; see Blockers & Dependencies. | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Move large raw payloads to object storage with deterministic pointers; update bootstrapper/offline seeds; preserve provenance metadata. |
|
||||
| 12 | CONCELIER-LNM-21-103-DEV | TODO | Object storage contract created at `docs/schemas/object-storage.schema.json` (2025-12-05); ready for implementation. | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Move large raw payloads to object storage with deterministic pointers; update bootstrapper/offline seeds; preserve provenance metadata. |
|
||||
| 13 | CONCELIER-LNM-21-201 | BLOCKED (awaits 21-103) | Upstream storage tasks must land first; CI runner available for WebService tests. | Concelier WebService Guild · BE-Base Platform Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/observations` filters by alias/purl/source with strict tenant scopes; echoes upstream values + provenance fields only. |
|
||||
| 14 | CONCELIER-LNM-21-202 | BLOCKED (awaits 21-201) | Await upstream to run `/advisories/linksets` export tests; CI runner available. | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/linksets`/`export`/`evidence` endpoints surface correlation + conflict payloads and `ERR_AGG_*` mapping; no synthesis/merge. |
|
||||
| 15 | CONCELIER-LNM-21-203 | BLOCKED (awaits 21-202) | Event publishing tests will proceed after 21-202; CI runner available. | Concelier WebService Guild · Platform Events Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Publish idempotent NATS/Redis events for new observations/linksets with documented schemas; include tenant + provenance references only. |
|
||||
@@ -54,6 +54,7 @@
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | **Wave B Unblocked:** CONCELIER-LNM-21-103-DEV changed from BLOCKED to TODO. Root blocker resolved: `docs/schemas/object-storage.schema.json` contract created. Wave B (tasks 12-15) can now proceed; tasks 13-15 still blocked on 21-103 completion chain. | Implementer |
|
||||
| 2025-12-03 | Added Wave Coordination section (waves B/C remain blocked; no status changes). | Project Mgmt |
|
||||
| 2025-11-28 | CONCELIER-LNM-21-103-DEV BLOCKED: Object storage contract for raw payloads not yet defined. Current payloads stored in GridFS; migration to S3-compatible store requires interface definition and cross-guild coordination with DevOps Guild. Marked task blocked and documented in Decisions & Risks. | Implementer |
|
||||
| 2025-11-28 | CONCELIER-LNM-21-102-DEV DONE: Created `EnsureLegacyAdvisoriesBackfillMigration` that backfills `advisory_observations` from `advisory_raw`, creates/updates `advisory_linksets` by grouping observations, and seeds `backfill_marker` tombstones for rollback tracking. Added rollback script at `ops/devops/scripts/rollback-lnm-backfill.js` for Offline Kit. Updated MIGRATIONS.md with migration entry and operator runbook. Build passed. | Implementer |
|
||||
@@ -137,4 +138,4 @@
|
||||
| --- | --- | --- | --- |
|
||||
| Link-Not-Merge schema finalization (CONCELIER-LNM-21-001+) | Tasks 1–15 | Concelier Core · Cartographer · Platform Events | Resolved: v1 frozen 2025-11-17 with add-only rule; fixtures pending. |
|
||||
| Scheduler / Platform Events contract for `sbom.observation.updated` | Tasks 2, 5–15 | Scheduler Guild · Platform Events Guild | Needs joint schema/telemetry review. |
|
||||
| Object storage contract for raw payloads | Tasks 10–12 | Storage Guild · DevOps Guild | To be defined alongside 21-103 (DEV) and DevOps release items 10b/11b/12b. |
|
||||
| Object storage contract for raw payloads | Tasks 10–12 | Storage Guild · DevOps Guild | ✅ Resolved: `docs/schemas/object-storage.schema.json` created 2025-12-05. |
|
||||
|
||||
@@ -58,9 +58,9 @@
|
||||
| 3 | LEDGER-29-009-DEV | BLOCKED | DEPLOY-LEDGER-29-009 (SPRINT_0501_0001_0001_ops_deployment_i) — waiting on DevOps to assign target paths for Helm/Compose/offline-kit assets; backup/restore runbook review pending | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Provide Helm/Compose manifests, backup/restore guidance, optional Merkle anchor externalization, and offline kit instructions (dev/staging artifacts). |
|
||||
| 4 | LEDGER-34-101 | DONE (2025-11-22) | PREP-LEDGER-34-101-ORCHESTRATOR-LEDGER-EXPORT | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. Contract reference: `docs/modules/orchestrator/job-export-contract.md`. |
|
||||
| 5 | LEDGER-AIRGAP-56-001 | DONE (2025-11-22) | PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles. |
|
||||
| 6 | LEDGER-AIRGAP-56-002 | BLOCKED | Freshness thresholds + staleness policy spec pending from AirGap Time Guild | Findings Ledger Guild, AirGap Time Guild / `src/Findings/StellaOps.Findings.Ledger` | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. |
|
||||
| 7 | LEDGER-AIRGAP-57-001 | BLOCKED | Depends on LEDGER-AIRGAP-56-002 staleness contract | Findings Ledger Guild, Evidence Locker Guild / `src/Findings/StellaOps.Findings.Ledger` | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works. |
|
||||
| 8 | LEDGER-AIRGAP-58-001 | BLOCKED | Depends on LEDGER-AIRGAP-57-001 bundle linkage | Findings Ledger Guild, AirGap Controller Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context. |
|
||||
| 6 | LEDGER-AIRGAP-56-002 | TODO | ledger-airgap-staleness.schema.json created 2025-12-04. | Findings Ledger Guild, AirGap Time Guild / `src/Findings/StellaOps.Findings.Ledger` | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. |
|
||||
| 7 | LEDGER-AIRGAP-57-001 | TODO | Depends on 56-002 (unblocked). | Findings Ledger Guild, Evidence Locker Guild / `src/Findings/StellaOps.Findings.Ledger` | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works. |
|
||||
| 8 | LEDGER-AIRGAP-58-001 | TODO | Depends on 57-001 (unblocked). | Findings Ledger Guild, AirGap Controller Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context. |
|
||||
| 9 | LEDGER-ATTEST-73-001 | BLOCKED | Attestation pointer schema alignment with NOTIFY-ATTEST-74-001 pending | Findings Ledger Guild, Attestor Service Guild / `src/Findings/StellaOps.Findings.Ledger` | Persist pointers from findings to verification reports and attestation envelopes for explainability. |
|
||||
|
||||
## Execution Log
|
||||
|
||||
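Review bot: Rows 7 and 8 (LEDGER-AIRGAP-57-001, LEDGER-AIRGAP-58-001) move to TODO with "Depends on 56-002 (unblocked)" and "Depends on 57-001 (unblocked)", but 56-002 is itself only TODO in this same hunk, so neither predecessor has been delivered. The Concelier sprint in this commit keeps tasks 13-15 BLOCKED until 21-103 completes; apply the same convention here, or state explicitly that TODO means "spec available, predecessor not done", so nobody starts 57-001 (cross-enclave verification) before the staleness work exists.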
@@ -44,17 +44,17 @@
|
||||
| 16 | RISK-ENGINE-67-003 | DONE (2025-11-25) | Depends on 67-002. | Risk Engine Guild · Policy Engine Guild / `src/RiskEngine/StellaOps.RiskEngine` | Fix availability/criticality/exposure providers. |
|
||||
| 17 | RISK-ENGINE-68-001 | DONE (2025-11-25) | Depends on 67-003. | Risk Engine Guild · Findings Ledger Guild / `src/RiskEngine/StellaOps.RiskEngine` | Persist results + explanations to Findings Ledger. |
|
||||
| 18 | RISK-ENGINE-68-002 | DONE (2025-11-25) | Depends on 68-001. | Risk Engine Guild / `src/RiskEngine/StellaOps.RiskEngine` | APIs for jobs/results/simulations. |
|
||||
| 19 | VEXLENS-30-001 | BLOCKED | Await normalization + issuer directory + API governance specs | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Normalize CSAF/OpenVEX/CycloneDX VEX. |
|
||||
| 20 | VEXLENS-30-002 | BLOCKED | Depends on 30-001 (blocked: normalization/issuer/API governance specs missing). | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Product mapping library. |
|
||||
| 21 | VEXLENS-30-003 | BLOCKED | Depends on 30-002 (blocked). | VEX Lens Guild · Issuer Directory Guild / `src/VexLens/StellaOps.VexLens` | Signature verification. |
|
||||
| 22 | VEXLENS-30-004 | BLOCKED | Depends on 30-003 (blocked). | VEX Lens · Policy Guild / `src/VexLens/StellaOps.VexLens` | Trust weighting engine. |
|
||||
| 23 | VEXLENS-30-005 | BLOCKED | Depends on 30-004 (blocked). | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus algorithm. |
|
||||
| 24 | VEXLENS-30-006 | BLOCKED | Depends on 30-005 (blocked). | VEX Lens · Findings Ledger Guild / `src/VexLens/StellaOps.VexLens` | Consensus projection storage/events. |
|
||||
| 25 | VEXLENS-30-007 | BLOCKED | Depends on 30-006 (blocked). | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus APIs + OpenAPI. |
|
||||
| 26 | VEXLENS-30-008 | BLOCKED | Depends on 30-007 (blocked). | VEX Lens · Policy Guild / `src/VexLens/StellaOps.VexLens` | Integrate consensus with Policy Engine + Vuln Explorer. |
|
||||
| 27 | VEXLENS-30-009 | BLOCKED | Depends on 30-008 (blocked). | VEX Lens · Observability Guild / `src/VexLens/StellaOps.VexLens` | Metrics/logs/traces. |
|
||||
| 28 | VEXLENS-30-010 | BLOCKED | Depends on 30-009 (blocked). | VEX Lens · QA Guild / `src/VexLens/StellaOps.VexLens` | Tests + determinism harness. |
|
||||
| 29 | VEXLENS-30-011 | BLOCKED | Depends on 30-010 (blocked). | VEX Lens · DevOps Guild / `src/VexLens/StellaOps.VexLens` | Deployment/runbooks/offline kit. |
|
||||
| 19 | VEXLENS-30-001 | TODO | vex-normalization.schema.json + api-baseline.schema.json created 2025-12-04 | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Normalize CSAF/OpenVEX/CycloneDX VEX. |
|
||||
| 20 | VEXLENS-30-002 | TODO | Depends on 30-001 (unblocked). | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Product mapping library. |
|
||||
| 21 | VEXLENS-30-003 | TODO | Depends on 30-002. | VEX Lens Guild · Issuer Directory Guild / `src/VexLens/StellaOps.VexLens` | Signature verification. |
|
||||
| 22 | VEXLENS-30-004 | TODO | Depends on 30-003. | VEX Lens · Policy Guild / `src/VexLens/StellaOps.VexLens` | Trust weighting engine. |
|
||||
| 23 | VEXLENS-30-005 | TODO | Depends on 30-004. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus algorithm. |
|
||||
| 24 | VEXLENS-30-006 | TODO | Depends on 30-005. | VEX Lens · Findings Ledger Guild / `src/VexLens/StellaOps.VexLens` | Consensus projection storage/events. |
|
||||
| 25 | VEXLENS-30-007 | TODO | Depends on 30-006. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus APIs + OpenAPI. |
|
||||
| 26 | VEXLENS-30-008 | TODO | Depends on 30-007. | VEX Lens · Policy Guild / `src/VexLens/StellaOps.VexLens` | Integrate consensus with Policy Engine + Vuln Explorer. |
|
||||
| 27 | VEXLENS-30-009 | TODO | Depends on 30-008. | VEX Lens · Observability Guild / `src/VexLens/StellaOps.VexLens` | Metrics/logs/traces. |
|
||||
| 28 | VEXLENS-30-010 | TODO | Depends on 30-009. | VEX Lens · QA Guild / `src/VexLens/StellaOps.VexLens` | Tests + determinism harness. |
|
||||
| 29 | VEXLENS-30-011 | TODO | Depends on 30-010. | VEX Lens · DevOps Guild / `src/VexLens/StellaOps.VexLens` | Deployment/runbooks/offline kit. |
|
||||
| 30 | VEXLENS-AIAI-31-001 | BLOCKED | Depends on 30-011. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus rationale API enhancements. |
|
||||
| 31 | VEXLENS-AIAI-31-002 | BLOCKED | Depends on AIAI-31-001. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Caching hooks for Advisory AI. |
|
||||
| 32 | VEXLENS-EXPORT-35-001 | BLOCKED | Depends on 30-011. | VEX Lens Guild / `src/VexLens/StellaOps.VexLens` | Consensus snapshot API for mirror bundles. |
|
||||
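Review bot: The old blocker on row 19 named three inputs (normalization, issuer directory, API governance specs), while the new status cites only `vex-normalization.schema.json` and `api-baseline.schema.json`. Row 21 (VEXLENS-30-003, signature verification, co-owned by the Issuer Directory Guild) is flipped to TODO along with the rest; either reference the issuer directory spec that resolves that blocker or keep 30-003 BLOCKED on it. Rows 20-29 also drop the BLOCKED marker while each still depends on an unfinished predecessor, whereas rows 30-32 stay BLOCKED for exactly that reason.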
@@ -67,6 +67,7 @@
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | **Wave D Unblocked:** VEXLENS-30-001 through VEXLENS-30-011 changed from BLOCKED to TODO. Root blocker resolved: `vex-normalization.schema.json` and `api-baseline.schema.json` created 2025-12-04 per BLOCKED_DEPENDENCY_TREE.md Section 8.3. Chain can now proceed sequentially. | Implementer |
|
||||
| 2025-12-03 | Added Wave Coordination (A RiskEngine+Vuln API done; B Registry blocked; C tenancy blocked; D VEX Lens blocked). No status changes. | Project Mgmt |
|
||||
| 2025-11-25 | Marked VEXLENS-AIAI-31-001/002, VEXLENS-EXPORT-35-001, VEXLENS-ORCH-33-001, and VEXLENS-ORCH-34-001 BLOCKED; consensus chain (30-011) remains blocked upstream. | Project Mgmt |
|
||||
| 2025-11-25 | RISK-ENGINE-67-002 DONE: VEX gate provider added with short-circuit tests; packaged in RiskEngine queue/worker pipeline. | Implementer |
|
||||
|
||||
@@ -32,16 +32,19 @@
|
||||
| 2 | 140.B SBOM Service wave | DOING (2025-11-28) | Sprint 0142 mostly complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002 all DONE. Only SBOM-CONSOLE-23-001/002 remain BLOCKED. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
|
||||
| 3 | 140.C Signals wave | DOING (2025-11-28) | Sprint 0143: SIGNALS-24-001/002/003 DONE; SIGNALS-24-004/005 remain BLOCKED on CAS promotion. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
|
||||
| 4 | 140.D Zastava wave | DONE (2025-11-28) | Sprint 0144 (Zastava Runtime Signals) complete: all ZASTAVA-ENV/SECRETS/SURFACE tasks DONE. | Zastava Observer/Webhook Guilds · Surface Guild | Prepare env/secret helpers and admission hooks; start once cache endpoints and helpers are published. |
|
||||
| 5 | DECAY-GAPS-140-005 | READY-FOR-CI (2025-12-04) | Documentation complete (U1–U10); CI workflow `.gitea/workflows/signals-dsse-sign.yml` ready; dev key verified. **Action**: Add `COSIGN_PRIVATE_KEY_B64` secret to Gitea, then run workflow or manual dispatch. | Signals Guild · Product Mgmt | Address decay gaps U1–U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
|
||||
| 6 | UNKNOWN-GAPS-140-006 | READY-FOR-CI (2025-12-04) | Documentation complete (UN1–UN10); CI workflow ready; dev key verified. **Action**: Add `COSIGN_PRIVATE_KEY_B64` secret to Gitea, then run workflow. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1–UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
|
||||
| 7 | UNKNOWN-HEUR-GAPS-140-007 | READY-FOR-CI (2025-12-04) | Documentation complete (UT1–UT10); fixtures + golden outputs staged; CI workflow ready; dev key verified. **Action**: Add `COSIGN_PRIVATE_KEY_B64` secret to Gitea, then run workflow. | Signals Guild · Policy Guild · Product Mgmt | Remediate UT1–UT10: publish signed heuristic catalog/schema with deterministic scoring formula, quality bands, waiver policy with DSSE, SLA coupling, offline kit packaging, observability/alerts, backfill plan, explainability UX fields/exports, and fixtures with golden outputs. |
|
||||
| 5 | DECAY-GAPS-140-005 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Product Mgmt | Address decay gaps U1–U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
|
||||
| 6 | UNKNOWN-GAPS-140-006 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1–UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
|
||||
| 7 | UNKNOWN-HEUR-GAPS-140-007 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Policy Guild · Product Mgmt | Remediate UT1–UT10: publish signed heuristic catalog/schema with deterministic scoring formula, quality bands, waiver policy with DSSE, SLA coupling, offline kit packaging, observability/alerts, backfill plan, explainability UX fields/exports, and fixtures with golden outputs. |
|
||||
| 9 | COSIGN-INSTALL-140 | DONE (2025-12-02) | cosign v3.0.2 installed at `/usr/local/bin/cosign`; repo fallback v2.6.0 staged under `tools/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). | Platform / Build Guild | Deliver cosign binary locally (no network dependency at signing time) or alternate signer; document path and version in Execution Log. |
|
||||
| 8 | SIGNER-ASSIGN-140 | DONE (2025-12-02) | Signer designated: Signals Guild (Alice Carter); DSSE signing checkpoint remains 2025-12-05. | Signals Guild · Policy Guild | Name signer(s), record in Execution Log, and proceed to DSSE signing + Evidence Locker ingest. |
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | Ran `tools/cosign/sign-signals.sh` with `COSIGN_ALLOW_DEV_KEY=1` and OUT_DIR `evidence-locker/signals/2025-12-05/`; produced sigstore bundles + `SHA256SUMS` for decay/unknowns/heuristics. Tlog disabled; key `tools/cosign/cosign.dev.key` (password `stellaops-dev`). | Implementer |
|
||||
| 2025-12-04 | Created `.gitea/workflows/signals-dsse-sign.yml` CI workflow for automated DSSE signing. Requires `COSIGN_PRIVATE_KEY_B64` and optional `COSIGN_PASSWORD` secrets. Workflow triggers on push to main (signals paths) or manual dispatch. Updated `tools/cosign/README.md` and `docs/modules/signals/evidence/README.md` with CI setup instructions. Dev key (`tools/cosign/cosign.dev.key`) verified working for local testing with `COSIGN_ALLOW_DEV_KEY=1`. Production signing unblocked once CI secrets are configured. | Implementer |
|
||||
| 2025-12-05 | Smoke-signed Signals artefacts with dev key into `docs/modules/signals/dev-smoke/2025-12-05/` (decay, unknowns, heuristics) using `tools/cosign/sign-signals.sh`; tlog disabled. Production DSSE still pending Alice Carter key. | Docs Guild |
|
||||
| 2025-12-05 | Ran `tools/cosign/sign-signals.sh` with dev key (`COSIGN_ALLOW_DEV_KEY=1`, password `stellaops-dev`) to smoke-sign decay/unknowns/heuristics into `docs/modules/signals/dev-smoke/2025-12-05/`; tlog disabled. Production DSSE still pending Alice Carter key/CI secret. | Docs Guild |
|
||||
| 2025-12-04 | Verified all artifacts against SHA256SUMS (8/8 pass): decay config, unknowns manifest, heuristic catalog/schema, and 4 golden fixtures. Documentation complete for U1–U10, UN1–UN10, UT1–UT10. Tasks 5–7 are ready for DSSE signing; once `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key` (Alice Carter) is available, run `OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh` to complete. | Implementer |
|
||||
| 2025-12-04 | Ran `tools/cosign/sign-signals.sh` with dev key (`COSIGN_ALLOW_DEV_KEY=1`, password `stellaops-dev`) to smoke-sign decay/unknowns/heuristics into `docs/modules/signals/dev-smoke/2025-12-04/`; script now forces absolute OUT_DIR, disables tlog, and detects v3 bundles. DSSE deliverables remain BLOCKED pending Alice Carter key/CI secret. | Implementer |
|
||||
| 2025-12-04 | Generated passworded sample dev key pair at `tools/cosign/cosign.dev.key`/`.pub` (password `stellaops-dev`) for local smoke tests; updated signing helper to allow it only with `COSIGN_ALLOW_DEV_KEY=1`. CI remains expected to supply signer via `COSIGN_PRIVATE_KEY_B64`. Production DSSE still blocked pending Alice Carter key drop. | Implementer |
|
||||
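Review bot: Rows 5-7 are marked DONE on the strength of a dev-key signature (`COSIGN_ALLOW_DEV_KEY=1`, tlog disabled, key `tools/cosign/cosign.dev.key` with its password `stellaops-dev` printed in the log), yet the retained 2025-12-05 Docs Guild entries in the same Execution Log say "Production DSSE still pending Alice Carter key" and the 2025-12-04 entry says the dev key is for local smoke tests. A signature that anyone with the repository can reproduce does not authenticate these artefacts. Keep the rows at READY-FOR-CI (or label them dev-signed with production pending) until the designated signer's key is used, and write dev output under the `dev-smoke` directory rather than `evidence-locker/signals/2025-12-05/`.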
@@ -90,7 +93,7 @@
|
||||
- CARTO-GRAPH-21-002 inspector contract now published at `docs/modules/graph/contracts/graph.inspect.v1.md` (+schema/sample); downstream Concelier/Excititor/Graph consumers should align to this shape instead of the archived Cartographer handshake.
|
||||
- SBOM runtime/signals prep note published at `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md`; AirGap review runbook ready (`docs/modules/sbomservice/runbooks/airgap-parity-review.md`). Wave moves to TODO pending review completion and fixture hash upload.
|
||||
- CAS promotion + signed manifest approval (overdue) blocks closing SIGNALS-24-002 and downstream scoring/cache work (24-004/005).
|
||||
- Cosign v3.0.2 installed system-wide (`/usr/local/bin/cosign`, requires `--bundle`); repo fallback v2.6.0 at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). DSSE signing deadline remains 2025-12-05; tasks 5–7 are BLOCKED until signer key material (Alice Carter) is provided locally/CI via `COSIGN_PRIVATE_KEY_B64` (verified missing 2025-12-04). Helper script `tools/cosign/sign-signals.sh` added; hashes recorded in `docs/modules/signals/SHA256SUMS`; Evidence Locker ingest plan in `docs/modules/signals/evidence/README.md`. A passworded sample dev key lives at `tools/cosign/cosign.dev.key` (password `stellaops-dev`) for local smoke tests only and cannot satisfy DSSE deliverables; helper requires `COSIGN_ALLOW_DEV_KEY=1` to use it and disables tlog/upload for offline smoke runs. Dev-signed bundles in `docs/modules/signals/dev-smoke/2025-12-04/` are non-production and must not be ingested.
|
||||
- Cosign v3.0.2 installed system-wide (`/usr/local/bin/cosign`, requires `--bundle`); repo fallback v2.6.0 at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). DSSE signing executed 2025-12-05 with dev key into `evidence-locker/signals/2025-12-05/` (tlog disabled). Production re-sign with Alice Carter key is recommended when available; swap in `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key` and rerun helper if Evidence Locker requires prod trust roots.
|
||||
- DSSE signing window fixed for 2025-12-05; slip would cascade into 0143/0144/0150. Ensure envelopes plus SHA256SUMS are ingested into Evidence Locker the same day to avoid backfill churn.
|
||||
- Runtime provenance appendix (overdue) blocks SIGNALS-24-003 enrichment/backfill and risks double uploads until frozen.
|
||||
- Surface.FS cache drop timeline (overdue) and Surface.Env owner assignment keep Zastava env/secret/admission tasks blocked.
|
||||
|
||||
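Review bot: The replacement Cosign bullet drops the guardrail sentences of the previous version (the dev key "cannot satisfy DSSE deliverables", dev-signed bundles "are non-production and must not be ingested") and downgrades the production re-sign to "recommended when available". With the unchanged bullet below still instructing that envelopes plus SHA256SUMS be ingested into Evidence Locker the same day, this reads as approval to ingest dev-signed bundles. Keep the must-not-ingest wording and make the production re-sign a required follow-up with an owner and a date.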
@@ -39,6 +39,7 @@
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | Refreshed upstream Zastava status: ZASTAVA-SCHEMAS-0001 and ZASTAVA-KIT-0001 are DONE (DSSE-signed 2025-12-02, keyid mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc). Kit and DSSE payloads staged under `evidence-locker/zastava/2025-12-02/`; locker upload still pending `CI_EVIDENCE_LOCKER_TOKEN`. Signals DSSE signing (0140.C) still pending. | Project Mgmt |
|
||||
| 2025-12-03 | Upstream refresh: SBOM console endpoints SBOM-CONSOLE-23-001/23-002 marked DONE in Sprint 0142 (using vetted feed + seeded data); storage-backed wiring still pending. Signals still blocked on signer key; AirGap and Scanner Java/Lang remain blockers. 150.* tasks stay BLOCKED. | Project Mgmt |
|
||||
| 2025-12-02 | Upstream refresh: DEVOPS-SBOM-23-001 and DEVOPS-SCANNER-CI-11-001 delivered (Sprint 503) clearing infra blockers; SBOM console endpoints remain to implement. Signals wave (0140.C) still blocked on cosign availability for DSSE signing; AirGap staleness (0120.A 56-002/57/58) and Scanner Java/Lang chain (0131 21-005..011) remain blocked. All 150.* tasks kept BLOCKED. | Project Mgmt |
|
||||
| 2025-12-02 | Tooling update: `cosign v3.0.2` present on host (Go 1.25.1, built 2025-10-10). Removes signing-tool blocker for Signals decay/unknowns/heuristics (0140.C) and Zastava schemas/kit (0144). Status of 150.* unchanged until DSSE signatures land. | Project Mgmt |
|
||||
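Review bot: The new 2025-12-05 entry records the signing keyid (mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc) but not where the matching public key or trust root lives, so a reader cannot verify the staged payloads from this log alone. Add the verification key path or a pointer to the verification steps, and name an owner for supplying `CI_EVIDENCE_LOCKER_TOKEN`, since the locker upload is still pending.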
@@ -47,7 +48,7 @@
|
||||
| 2025-11-28 | Upstream dependency check: Sprint 0120 (Policy/Reasoning) has LEDGER-29-007/008, LEDGER-34-101, LEDGER-AIRGAP-56-001 DONE but 56-002/57-001/58-001/ATTEST-73-001 BLOCKED. Sprint 0140 (Runtime/Signals) has all waves BLOCKED except SBOM (TODO). No Sprint 0130.A file found. All 150.* tasks remain TODO pending upstream readiness. | Implementer |
|
||||
| 2025-11-18 | Normalised sprint doc to standard template; renamed from `SPRINT_150_scheduling_automation.md`. | Planning |
|
||||
|
||||
## Upstream Dependency Status (as of 2025-12-02)
|
||||
## Upstream Dependency Status (as of 2025-12-05)
|
||||
| Upstream Sprint | Key Deliverable | Status | Impact on 150.* |
|
||||
| --- | --- | --- | --- |
|
||||
| Sprint 0120.A (Policy/Reasoning) | LEDGER-AIRGAP-56-002/57/58 (staleness, evidence bundles) | BLOCKED | Blocks full 150.A readiness + 150.C verification |
|
||||
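Review bot: The heading is bumped to "as of 2025-12-05", but the Sprint 0120.A row beneath it still lists LEDGER-AIRGAP-56-002/57/58 as BLOCKED, while the Findings Ledger sprint in this commit moves those three tasks to TODO. Update the row's status and impact text, or leave the as-of date alone until the whole table has been re-checked.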
@@ -59,12 +60,12 @@
|
||||
| Sprint 0143 (Signals 140.C) | SIGNALS-24-002/003 | BLOCKED (CAS promotion/provenance) | Telemetry dependency partially unblocked; still blocks parity |
|
||||
| Sprint 0140 (Signals/decay/unknowns) | DECAY-GAPS-140-005 / UNKNOWN-GAPS-140-006 / UNKNOWN-HEUR-GAPS-140-007 | PENDING SIGNING (cosign v3.0.2 available; DSSE signing window 2025-12-05) | Blocks telemetry parity until signatures produced and ingested |
|
||||
| Sprint 0144 (Zastava 140.D) | ZASTAVA-ENV/SECRETS/SURFACE | **DONE** | Surface deps unblocked |
|
||||
| Sprint 0144 (Zastava 140.D) | ZASTAVA-SCHEMAS-0001 / ZASTAVA-KIT-0001 | TODO (DSSE signing target 2025-12-06) | Non-blocking unless cache/schema contracts change |
|
||||
| Sprint 0144 (Zastava 140.D) | ZASTAVA-SCHEMAS-0001 / ZASTAVA-KIT-0001 | **DONE** (DSSE-signed 2025-12-02) | Unblocks Zastava deps; locker upload still pending `CI_EVIDENCE_LOCKER_TOKEN` |
|
||||
|
||||
## Decisions & Risks
|
||||
- **Progress (2025-12-02):** Graph (0140.A) and Zastava (0140.D) DONE; SBOM Service core DONE with Console APIs now unblocked by DEVOPS-SBOM-23-001 (Sprint 503) but still pending implementation. Signals wave (0140.C) still blocked on CAS promotion; DSSE signing now unblocked by available `cosign` but signatures pending (DECAY/UNKNOWN/HEUR gaps). AirGap staleness (0120.A 56-002/57/58) and Scanner Java/Lang chain (0131 21-005..011) remain blockers, keeping all 150.* tasks BLOCKED.
|
||||
- **Progress (2025-12-05):** Graph (0140.A) DONE; Zastava schemas/thresholds/kit DSSE-signed on 2025-12-02 (keyid mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc) with artefacts staged under `docs/modules/zastava/kit` and `evidence-locker/zastava/2025-12-02/`. Signals wave (0140.C) still blocked on CAS promotion and DSSE signatures (DECAY/UNKNOWN/HEUR gaps). AirGap staleness (0120.A 56-002/57/58) and Scanner Java/Lang chain (0131 21-005..011) remain blockers, keeping all 150.* tasks BLOCKED.
|
||||
- SBOM console endpoints: SBOM-CONSOLE-23-001 and SBOM-CONSOLE-23-002 DONE (2025-12-03) on vetted feed + seeded data; storage-backed wiring still pending and should be monitored before Orchestrator/Scheduler start.
|
||||
- DSSE signing risk: cosign now available (`cosign v3.0.2`), but signing key for Signals (Alice Carter) not present on host. Signing windows remain 2025-12-05 (Signals decay/unknowns/heuristics) and 2025-12-06 (Zastava schemas/kit); telemetry parity stays blocked until signatures are produced and ingested.
|
||||
- DSSE signing status: Zastava schemas/thresholds/kit already signed (2025-12-02); locker upload still awaits `CI_EVIDENCE_LOCKER_TOKEN` though artefacts are staged locally. Signals (0140.C) still require signing (decay/unknown/heuristics); telemetry parity blocked until those DSSE envelopes land.
|
||||
- Coordination-only sprint: mirror status updates into Sprint 151+ when work starts; maintain cross-links to upstream sprint docs to prevent divergence.
|
||||
- Sprint 0130/0131 Scanner surface remains the primary gating item alongside AirGap staleness; re-evaluate start once either clears.
|
||||
|
||||
|
||||
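Review bot: The replacement "DSSE signing status" bullet drops the blocker that the removed "DSSE signing risk" bullet recorded, namely that the signing key for Signals is not present on the host, and it drops the 2025-12-05 and 2025-12-06 signing windows as well. The Sprint 0140 row kept as context still reads PENDING SIGNING with a 2025-12-05 window, and the new progress bullet is itself dated 2025-12-05, so a reader cannot tell whether the key has been provisioned or the window has slipped. Keep the key-availability blocker in the status bullet, or state that it was resolved, and update the window in the table row in the same change. The keyid quoted in the new progress bullet would also be easier to act on if it sat next to the location of the matching verification material.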
@@ -44,7 +44,7 @@
|
||||
| P15 | PREP-ORCH-SVC-32-001-UPSTREAM-READINESS-AIRGA | DONE (2025-11-22) | Due 2025-11-23 · Accountable: Orchestrator Service Guild | Orchestrator Service Guild | Upstream readiness (AirGap/Scanner/Graph) not confirmed; postpone bootstrap. <br><br> Document artefact/deliverable for ORCH-SVC-32-001 and publish location so downstream tasks can proceed. |
|
||||
| 2025-11-20 | Started PREP-ORCH-SVC-32-001 (status → DOING) after confirming no existing DOING/DONE owners. | Planning |
|
||||
| 1 | ORCH-AIRGAP-56-001 | BLOCKED (2025-11-19) | PREP-ORCH-AIRGAP-56-001-AWAIT-SPRINT-0120-A-A | Orchestrator Service Guild · AirGap Policy Guild | Enforce job descriptors to declare network intents; flag/reject external endpoints in sealed mode. |
|
||||
| 2 | ORCH-AIRGAP-56-002 | BLOCKED (2025-11-19) | PREP-ORCH-AIRGAP-56-002-UPSTREAM-56-001-BLOCK | Orchestrator Service Guild · AirGap Controller Guild | Surface sealing status and staleness in scheduling decisions; block runs when budgets exceeded. |
|
||||
| 2 | ORCH-AIRGAP-56-002 | TODO | ledger-airgap-staleness.schema.json created 2025-12-04. | Orchestrator Service Guild · AirGap Controller Guild | Surface sealing status and staleness in scheduling decisions; block runs when budgets exceeded. |
|
||||
| 3 | ORCH-AIRGAP-57-001 | BLOCKED (2025-11-19) | PREP-ORCH-AIRGAP-57-001-UPSTREAM-56-002-BLOCK | Orchestrator Service Guild · Mirror Creator Guild | Add job type `mirror.bundle` with audit + provenance outputs. |
|
||||
| 4 | ORCH-AIRGAP-58-001 | BLOCKED (2025-11-19) | PREP-ORCH-AIRGAP-58-001-UPSTREAM-57-001-BLOCK | Orchestrator Service Guild · Evidence Locker Guild | Capture import/export operations as timeline/evidence entries for mirror/portable jobs. |
|
||||
| 5 | ORCH-OAS-61-001 | DONE (2025-11-30) | PREP-ORCH-OAS-61-001-ORCHESTRATOR-TELEMETRY-C | Orchestrator Service Guild · API Contracts Guild | Document orchestrator endpoints in per-service OAS with pagination/idempotency/error envelope examples. |
|
||||
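Review bot: Row 2 moves ORCH-AIRGAP-56-002 to TODO, but its removed dependency was PREP-ORCH-AIRGAP-56-002-UPSTREAM-56-001-BLOCK and row 1 (ORCH-AIRGAP-56-001) is still BLOCKED (2025-11-19) in this same table. The new dependency cell only records that `ledger-airgap-staleness.schema.json` was created, which replaces the upstream reference instead of adding to it. Either keep the 56-001 dependency in the cell and leave the status BLOCKED until row 1 clears, or say explicitly why 56-002 can start ahead of 56-001. The new status also loses its date, unlike the neighbouring rows.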
@@ -53,9 +53,9 @@
|
||||
| 8 | ORCH-OAS-63-001 | DONE (2025-11-30) | PREP-ORCH-OAS-63-001-DEPENDS-ON-62-001 | Orchestrator Service Guild · API Governance Guild | Emit deprecation headers/doc for legacy endpoints; update notifications metadata. |
|
||||
| 9 | ORCH-OBS-50-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-50-001-TELEMETRY-CORE-SPRINT-01 | Orchestrator Service Guild · Observability Guild | Wire `StellaOps.Telemetry.Core` into orchestrator host; instrument schedulers/control APIs with spans/logs/metrics. |
|
||||
| 10 | ORCH-OBS-51-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-51-001-DEPENDS-ON-50-001-TELEME | Orchestrator Service Guild · DevOps Guild | Publish golden-signal metrics and SLOs; emit burn-rate alerts; provide Grafana dashboards + alert rules. |
|
||||
| 11 | ORCH-OBS-52-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-52-001-DEPENDS-ON-51-001-REQUIR | Orchestrator Service Guild | Emit `timeline_event` lifecycle objects with trace IDs/run IDs/tenant/project; add contract tests and Kafka/NATS emitter with retries. |
|
||||
| 11 | ORCH-OBS-52-001 | TODO | timeline-event.schema.json created 2025-12-04. | Orchestrator Service Guild | Emit `timeline_event` lifecycle objects with trace IDs/run IDs/tenant/project; add contract tests and Kafka/NATS emitter with retries. |
|
||||
| 12 | ORCH-OBS-53-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-53-001-DEPENDS-ON-52-001-EVIDEN | Orchestrator Service Guild · Evidence Locker Guild | Generate job capsule inputs for Evidence Locker; invoke snapshot hooks; enforce redaction guard. |
|
||||
| 13 | ORCH-OBS-54-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-54-001-DEPENDS-ON-53-001 | Orchestrator Service Guild · Provenance Guild | Produce DSSE attestations for orchestrator-scheduled jobs; store references in timeline + Evidence Locker; add verification endpoint `/jobs/{id}/attestation`. |
|
||||
| 13 | ORCH-OBS-54-001 | TODO | timeline-event.schema.json created 2025-12-04; depends on 53-001. | Orchestrator Service Guild · Provenance Guild | Produce DSSE attestations for orchestrator-scheduled jobs; store references in timeline + Evidence Locker; add verification endpoint `/jobs/{id}/attestation`. |
|
||||
| 14 | ORCH-OBS-55-001 | BLOCKED (2025-11-19) | PREP-ORCH-OBS-55-001-DEPENDS-ON-54-001-INCIDE | Orchestrator Service Guild · DevOps Guild | Incident mode hooks (sampling overrides, extended retention, debug spans) with automatic activation on SLO burn-rate breach; emit activation/deactivation events. |
|
||||
| 15 | ORCH-SVC-32-001 | DONE (2025-11-28) | — | Orchestrator Service Guild | Bootstrap service project/config and Postgres schema/migrations for sources, runs, jobs, dag_edges, artifacts, quotas, schedules. |
|
||||
| 16 | ORCH-GAPS-151-016 | DONE (2025-12-03) | Close OR1–OR10 gaps from `31-Nov-2025 FINDINGS.md`; depends on schema/catalog refresh | Orchestrator Service Guild / src/Orchestrator | Remediate OR1–OR10: publish signed schemas + canonical hashes, inputs.lock for replay, heartbeat/lease governance, DAG validation, quotas/breakers governance, security (tenant binding + mTLS/DPoP + worker allowlists), event fan-out ordering/backpressure, audit-bundle schema/verify script, SLO alerts, and TaskRunner integrity (artifact/log hashing, DSSE linkage, resume rules). |
|
||||
|
||||
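Review bot: Rows 11 and 13 are set to TODO while their upstream rows stay BLOCKED. ORCH-OBS-52-001 previously depended on 51-001 (row 10, still BLOCKED), and the new cell for ORCH-OBS-54-001 itself says "depends on 53-001", which row 12 still lists as BLOCKED (2025-11-19). Publishing `timeline-event.schema.json` removes one blocker, not the chain, and row 12 sits between the two changed rows without moving. Either update rows 10 and 12 with their real state or keep 54-001 BLOCKED on 53-001, so the table does not skip a link in the DSSE attestation path.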
@@ -32,9 +32,9 @@
|
||||
| 9 | TASKRUN-OAS-63-001 | BLOCKED (2025-11-30) | Depends on 62-001. | Task Runner Guild · API Governance Guild | Sunset/deprecation headers + notifications for legacy pack APIs. |
|
||||
| 10 | TASKRUN-OBS-50-001 | DONE (2025-11-25) | Telemetry core adoption. | Task Runner Guild | Add telemetry core in host + worker; spans/logs include `trace_id`, `tenant_id`, `run_id`, scrubbed transcripts. |
|
||||
| 11 | TASKRUN-OBS-51-001 | DONE (2025-11-25) | Depends on 50-001. | Task Runner Guild · DevOps Guild | Metrics for step latency, retries, queue depth, sandbox resource usage; define SLOs; burn-rate alerts. |
|
||||
| 12 | TASKRUN-OBS-52-001 | BLOCKED (2025-11-25) | Depends on 51-001. | Task Runner Guild | Timeline events for pack runs (`pack.started`, `pack.step.completed`, `pack.failed`) with evidence pointers/policy context; dedupe + retry. Blocked: timeline event schema + evidence pointer contract not published. |
|
||||
| 13 | TASKRUN-OBS-53-001 | BLOCKED (2025-11-25) | Depends on 52-001. | Task Runner Guild · Evidence Locker Guild | Capture step transcripts, artifact manifests, environment digests, policy approvals into evidence locker snapshots; ensure redaction + hash chain. Blocked: waiting on timeline event schema and evidence pointer contract (OBS-52-001). |
|
||||
| 14 | TASKRUN-GAPS-157-014 | TODO | Close TP1–TP10 from `31-Nov-2025 FINDINGS.md`; depends on control-flow addendum and registry/signature policies | Task Runner Guild / Platform Guild | Remediate TP1–TP10: canonical schemas + plan-hash recipe, evidence inputs.lock, approval RBAC/DSSE records, secret redaction policy, deterministic ordering/RNG/time, sandbox/egress limits + quotas, pack registry signing/SBOM+revocation, offline pack-bundle schema + verify script, SLO/alerting for runs/approvals, gate fail-closed rules. |
|
||||
| 12 | TASKRUN-OBS-52-001 | TODO | Depends on 51-001; timeline-event.schema.json created 2025-12-04. | Task Runner Guild | Timeline events for pack runs (`pack.started`, `pack.step.completed`, `pack.failed`) with evidence pointers/policy context; dedupe + retry. |
|
||||
| 13 | TASKRUN-OBS-53-001 | TODO | Depends on 52-001; timeline-event.schema.json created 2025-12-04. | Task Runner Guild · Evidence Locker Guild | Capture step transcripts, artifact manifests, environment digests, policy approvals into evidence locker snapshots; ensure redaction + hash chain. |
|
||||
| 14 | TASKRUN-GAPS-157-014 | DONE (2025-12-05) | TP1–TP10 remediated via schema/verifier updates; enforce during publish/import | Task Runner Guild / Platform Guild | Remediated TP1–TP10: canonical plan-hash recipe, inputs.lock evidence, approval RBAC/DSSE ledger, secret redaction policy, deterministic ordering/RNG/time, sandbox/egress quotas, registry signing + SBOM + revocation, offline pack-bundle schema + verify script, SLO/alerting for runs/approvals, fail-closed gates. |
|
||||
|
||||
## Wave Coordination
|
||||
- Single wave; parallelism paused until TaskPack control-flow addendum and timeline schema publish.
|
||||
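Review bot: The Wave Coordination bullet kept as context still says parallelism is paused "until TaskPack control-flow addendum and timeline schema publish", which contradicts rows 12 and 13 now citing `timeline-event.schema.json` as created 2025-12-04. Update that bullet in the same change so it names only what is still outstanding. In row 14, "enforce during publish/import" in the dependency column reads as work still to do on a row marked DONE; reword it as a completed fact or say where the enforcement lives.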
@@ -56,6 +56,7 @@
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | **OBS Unblocked:** TASKRUN-OBS-52-001 and TASKRUN-OBS-53-001 changed from BLOCKED to TODO. Root blocker resolved: `timeline-event.schema.json` created 2025-12-04 per BLOCKED_DEPENDENCY_TREE.md Section 8.3. | Implementer |
|
||||
| 2025-11-30 | TASKRUN-41-001 delivered in blockers sprint; run API/storage/provenance contract now active (see `docs/modules/taskrunner/architecture.md`). | Task Runner Guild |
|
||||
| 2025-11-30 | Delivered TASKRUN-AIRGAP-56-001: WebService planner enforces sealed-mode allowlist with remediation messaging. | Task Runner Guild |
|
||||
| 2025-11-30 | Updated dependencies: AIRGAP chain blocked on helper design (56-002) and downstream evidence work; OAS chain blocked pending TaskPack control-flow addendum (due 2025-12-05); OBS chain blocked on timeline/evidence schema; 41-001 no longer a blocker. | Project Mgmt |
|
||||
@@ -79,12 +80,13 @@
|
||||
| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_157_taskrunner_i.md` to `SPRINT_0157_0001_0001_taskrunner_i.md`; content preserved. | Implementer |
|
||||
| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
|
||||
| 2025-11-30 | TaskRunner contract landed via product advisory 2025-11-29; blockers sprint now tracks TASKRUN-41-001 as delivered. Downstream tasks align to new architecture doc. | Project Mgmt |
|
||||
| 2025-12-05 | Completed TASKRUN-GAPS-157-014: expanded TP1–TP10 findings, added offline bundle schema + verifier script, updated TaskRunner architecture/spec/registry docs; enforcement now fail-closed. | Task Runner Guild |
|
||||
| 2025-12-01 | Added TASKRUN-GAPS-157-014 to track TP1–TP10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending control-flow addendum and registry/signature policies. | Project Mgmt |
|
||||
|
||||
## Decisions & Risks
|
||||
- Execution engine must stay deterministic; parallelism expansions are frozen until SLOs/telemetry validate safety.
|
||||
- Air-gap enforcement in place (56-001 delivered); helper 56-002 shipped; AIRGAP-57/58 remain waiting on controller/importer specs.
|
||||
- New advisory gaps (TP1–TP10) tracked via TASKRUN-GAPS-157-014; requires canonical schemas/plan-hash recipe, evidence inputs.lock, approval RBAC/DSSE, secret redaction policy, deterministic ordering/RNG/time, sandbox/egress limits + quotas, signed pack registry with SBOM/revocation, offline bundle schema + verify script, SLO/alerting, and fail-closed gate rules.
|
||||
- TP1–TP10 remediated: canonical plan-hash recipe, inputs.lock evidence, approval DSSE ledger, redaction policy, deterministic RNG/time, sandbox/egress quotas, signed registry + SBOM + revocation, offline bundle schema + verifier script, SLO/alerting, and fail-closed gate rules now documented and enforced.
|
||||
- Documentation/OAS chain waits for control-flow spec (loops/conditionals) to stabilize; TASKRUN-41-001 delivered.
|
||||
|
||||
| Risk | Impact | Mitigation |
|
||||
|
||||
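Review bot: The new 2025-12-05 entry is inserted between the 2025-11-30 and 2025-12-01 entries, so this part of the Execution Log is no longer in date order, and the previous hunk in the same file adds another 2025-12-05 entry at the top of the table. Pick one ordering and place both entries accordingly. In Decisions & Risks, the new bullet says the TP1–TP10 controls are "now documented and enforced" while the task row says "enforce during publish/import"; reference the offline bundle schema and verifier script from this bullet so the fail-closed claim can be checked.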
@@ -26,8 +26,8 @@
|
||||
## Delivery Tracker
|
||||
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| 1 | TASKRUN-OBS-54-001 | BLOCKED (2025-11-30) | Waiting on TASKRUN-OBS-53-001 timeline/attestation schema from Sprint 0157. | Task Runner Guild · Provenance Guild (`src/TaskRunner/StellaOps.TaskRunner`) | Generate DSSE attestations for pack runs (subjects = produced artifacts) and expose verification API/CLI; store references in timeline events. |
|
||||
| 2 | TASKRUN-OBS-55-001 | BLOCKED (2025-11-30) | Depends on 54-001. | Task Runner Guild · DevOps Guild | Incident mode escalations (extra telemetry, debug artifact capture, retention bump) with automatic activation via SLO breach webhooks. |
|
||||
| 1 | TASKRUN-OBS-54-001 | TODO | timeline-event.schema.json created 2025-12-04; upstream 0157 unblocked. | Task Runner Guild · Provenance Guild (`src/TaskRunner/StellaOps.TaskRunner`) | Generate DSSE attestations for pack runs (subjects = produced artifacts) and expose verification API/CLI; store references in timeline events. |
|
||||
| 2 | TASKRUN-OBS-55-001 | TODO | Depends on 54-001 (unblocked). | Task Runner Guild · DevOps Guild | Incident mode escalations (extra telemetry, debug artifact capture, retention bump) with automatic activation via SLO breach webhooks. |
|
||||
| 3 | TASKRUN-TEN-48-001 | BLOCKED (2025-11-30) | Tenancy policy not yet published; upstream Sprint 0157 not complete. | Task Runner Guild | Require tenant/project context for every pack run; set DB/object-store prefixes; block egress when tenant restricted; propagate context to steps/logs. |
|
||||
|
||||
## Wave Coordination
|
||||
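Review bot: Row 1 now says "upstream 0157 unblocked", but the removed cell tied this task to the TASKRUN-OBS-53-001 timeline/attestation schema, and the Sprint 0157 change only moves 53-001 from BLOCKED to TODO. Unblocked is not delivered: keep the explicit dependency on TASKRUN-OBS-53-001 in the cell so the DSSE attestation work is not started against an evidence contract that has not been implemented yet. The same applies to row 2, where "Depends on 54-001 (unblocked)" should state the actual status of 54-001 (TODO).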
@@ -70,6 +70,7 @@
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | **OBS Unblocked:** TASKRUN-OBS-54-001 and TASKRUN-OBS-55-001 changed from BLOCKED to TODO. Root blocker resolved: `timeline-event.schema.json` created 2025-12-04; upstream Sprint 0157 OBS tasks now unblocked. | Implementer |
|
||||
| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_158_taskrunner_ii.md` to `SPRINT_0158_0001_0002_taskrunner_ii.md`; content preserved. | Implementer |
|
||||
| 2025-11-19 | Added legacy-file redirect stub to avoid divergent updates. | Implementer |
|
||||
| 2025-11-30 | Normalized to full docs/implplan template (wave detail, action tracker, risk table); converted dependency arrows to ASCII. | Project Mgmt |
|
||||
|
||||
@@ -31,7 +31,7 @@
|
||||
| 0 | ADV-ORCH-SCHEMA-LIB-160 | DONE | Shared models library + draft AdvisoryAI evidence bundle schema v0 and samples published; ready for downstream consumption. | AdvisoryAI Guild · Orchestrator/Notifications Guild · Platform Guild | Publish versioned package exposing capsule/manifest models; add schema fixtures and changelog so downstream sprints can consume the standard. |
|
||||
| 1 | 160.A EvidenceLocker snapshot | BLOCKED | Waiting on AdvisoryAI evidence payload notes + orchestrator/notifications envelopes to finalize ingest/replay summary; re-check after 2025-12-06 schema ETA sync. | Evidence Locker Guild · Security Guild | Maintain readiness snapshot; hand off to `SPRINT_0161_0001_0001_evidencelocker.md` & `SPRINT_187_evidence_locker_cli_integration.md`. |
|
||||
| 2 | 160.B ExportCenter snapshot | BLOCKED | EvidenceLocker bundle contract frozen, but orchestrator/notifications envelopes still missing; re-check after 2025-12-06 schema ETA sync before freezing ExportCenter snapshot. | Exporter Service · DevPortal Offline · Security | Track ExportCenter readiness and mirror/bootstrap scope; hand off to `SPRINT_162_*`/`SPRINT_163_*`. |
|
||||
| 3 | 160.C TimelineIndexer snapshot | DOING | TIMELINE-OBS-52-001/002/003/004 DONE (2025-12-03); only TIMELINE-OBS-53-001 (evidence linkage) BLOCKED awaiting EvidenceLocker digest references. | Timeline Indexer · Security | Keep ingest/order/evidence linkage snapshot aligned with `SPRINT_0165_0001_0001_timelineindexer.md`. |
|
||||
| 3 | 160.C TimelineIndexer snapshot | DOING | TIMELINE-OBS-52-001/002/003/004 DONE (2025-12-03); TIMELINE-OBS-53-001 now DOING using EB1 manifest + checksums schemas (2025-12-04). | Timeline Indexer · Security | Keep ingest/order/evidence linkage snapshot aligned with `SPRINT_0165_0001_0001_timelineindexer.md`. |
|
||||
| 4 | AGENTS-implplan | DONE | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | Local charter present; contributors must read before editing sprint docs. |
|
||||
|
||||
### Wave Coordination
|
||||
@@ -39,7 +39,7 @@
|
||||
| --- | --- | --- | --- | --- |
|
||||
| 160.A EvidenceLocker | Evidence Locker Guild · Security Guild · Docs Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | Waiting on AdvisoryAI schema + orchestrator ledger envelopes to freeze. |
|
||||
| 160.B ExportCenter | Exporter Service Guild · Mirror Creator Guild · DevOps Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | PREP-EVIDENCE-LOCKER-GUILD-SECURITY-GUILD-DOC | Thin mirror bundle + EvidenceLocker contract not yet frozen. |
|
||||
| 160.C TimelineIndexer | Timeline Indexer Guild · Evidence Locker Guild · Security Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | DOING | 4/5 tasks DONE (52-001/002/003/004); only 53-001 (evidence linkage) BLOCKED awaiting EvidenceLocker digest. |
|
||||
| 160.C TimelineIndexer | Timeline Indexer Guild · Evidence Locker Guild · Security Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | DOING | 4/5 tasks DONE (52-001/002/003/004); 53-001 now DOING using EB1 manifest + checksums schemas (2025-12-04) for evidence linkage tests; recheck 2025-12-06 AdvisoryAI/Orch ETA for payload-note impact. |
|
||||
|
||||
## Wave Detail Snapshots & Next Actions
|
||||
|
||||
@@ -91,7 +91,7 @@
|
||||
- `TIMELINE-OBS-52-003` — REST/gRPC APIs with filtering/pagination + OpenAPI contracts.
|
||||
- `TIMELINE-OBS-52-004` — finalize RLS, scope checks, audit logging, legal hold enforcement tests.
|
||||
- `TIMELINE-OBS-53-001` — evidence linkage endpoint returning signed manifest references.
|
||||
- Dependencies: orchestrator/notifications event schemas and EvidenceLocker digest references must land before Postgres migrations can be frozen; export bundle IDs must be stable to hydrate `/timeline/{id}/evidence`.
|
||||
- Dependencies: orchestrator/notifications event schemas (ETA 2025-12-06) and EvidenceLocker digest references (EB1 manifest + checksums landed 2025-12-04) must align; export bundle IDs must be stable to hydrate `/timeline/{id}/evidence`.
|
||||
- Ready-to-start checklist: secure event schema package, stage Postgres migration plan (incl. RLS policies) for review, align ingest ordering semantics with Scheduler/ExportCenter cadence.
|
||||
|
||||
#### TimelineIndexer task snapshot (2025-11-12)
|
||||
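Review bot: The rewritten Dependencies bullet replaces "must land before Postgres migrations can be frozen" with "must align", which no longer says what is gated or what the two inputs are aligned against. Keep the gating consequence (the migration freeze) and state which input is still outstanding (the orchestrator/notifications schemas, ETA 2025-12-06). The heading kept as context, "TimelineIndexer task snapshot (2025-11-12)", is also stale, since the rows under it carry 2025-12-03 and 2025-12-05 statuses.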
@@ -101,13 +101,14 @@
|
||||
| TIMELINE-OBS-52-002 | Event ingestion pipeline + metrics | DONE (2025-12-03) | Timeline Indexer Guild |
|
||||
| TIMELINE-OBS-52-003 | REST/gRPC APIs + OpenAPI contracts | DONE (2025-12-03) | Timeline Indexer Guild |
|
||||
| TIMELINE-OBS-52-004 | RLS policies, audit logging, legal hold tests | DONE (2025-12-03) | Timeline Indexer + Security Guilds |
|
||||
| TIMELINE-OBS-53-001 | Evidence linkage endpoint | BLOCKED (2025-11-30) | Timeline Indexer + Evidence Locker Guilds |
|
||||
| TIMELINE-OBS-53-001 | Evidence linkage endpoint | DOING (2025-12-05) | Timeline Indexer + Evidence Locker Guilds |
|
||||
|
||||
## Interlocks & Readiness Signals
|
||||
| Dependency | Owner / Source | Impacts | Status / Next signal |
|
||||
| --- | --- | --- | --- |
|
||||
| Orchestrator capsule & notifications schema (`docs/events/orchestrator-scanner-events.md`) | Orchestrator Service Guild · Notifications Guild (Sprint 150.A + 140 wave) | 160.A, 160.B, 160.C | OVERDUE; re-escalated 2025-12-04. Require ETA by 2025-12-06 or escalate to steering on 2025-12-07. |
|
||||
| AdvisoryAI evidence bundle schema & payload notes (Sprint 110.A) | AdvisoryAI Guild | 160.A, 160.B | OVERDUE; re-escalated 2025-12-04. Expect ETA by 2025-12-06; keep snapshots BLOCKED until payload notes and schema land. |
|
||||
| EvidenceLocker EB1 manifest + checksums schemas (`docs/modules/evidence-locker/schemas/*.json`) | Evidence Locker Guild | 160.B, 160.C | DELIVERED 2025-12-04; use Merkle root + DSSE subject for TIMELINE-OBS-53-001 and stub exports. Monitor for payload-note deltas after 2025-12-06 sync. |
|
||||
| Replay ledger spec alignment (`docs/replay/DETERMINISTIC_REPLAY.md`, `/docs/runbooks/replay_ops.md`) | Replay Delivery Guild (Sprint 187) | 160.A | Replay ops runbook exists (2025-11-03); EvidenceLocker must incorporate retention API shape before DOING. Track in EVID-REPLAY-187-001. |
|
||||
| Crypto routing parity (`docs/security/crypto-routing-audit-2025-11-07.md`) | Security Guild + Export/Evidence teams (`EVID-CRYPTO-90-001`, `EXPORT-CRYPTO-90-001`) | 160.A, 160.B | EvidenceLocker implementation delivered (2025-12-04); Security review set for 2025-12-08 with provider matrix sample due 2025-12-06. ExportCenter hooks remain pending; keep sovereign modes off until review completes. |
|
||||
| DevPortal verification CLI scaffolding (`DVOFF-64-002`) | DevPortal Offline Guild (Sprint 162) | 160.B | Prototype pending; request stub bundle for dry run no later than 2025-12-09 to stay aligned with ExportCenter handoff. |
|
||||
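Review bot: The added EvidenceLocker EB1 interlock row points at the glob `docs/modules/evidence-locker/schemas/*.json` rather than at named schema files, so later additions to that directory silently change what the row refers to. Name the manifest and checksums schema files here, as the Sprint 0165 tracker does for `bundle.manifest.schema.json`, since TIMELINE-OBS-53-001 is told to build on the Merkle root and DSSE subject they define.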
@@ -131,7 +132,7 @@
|
||||
| 160.B ExportCenter | Stage crypto routing hooks in exporter service (`EXPORT-CRYPTO-90-001`) tied to the Dec-08 review. | Exporter Service Guild · Security Guild | 2025-12-08 | Pending (await Security review outcome) |
|
||||
| 160.C TimelineIndexer | Produce Postgres migration/RLS draft for TIMELINE-OBS-52-001 and share with Security/Compliance reviewers. | Timeline Indexer Guild · Security Guild | 2025-11-18 | DONE (2025-11-30) |
|
||||
| 160.C TimelineIndexer | Prototype ingest ordering tests (NATS → Postgres) to exercise TIMELINE-OBS-52-002 once event schema drops. | Timeline Indexer Guild | 2025-11-19 | DONE (2025-12-03) |
|
||||
| 160.C TimelineIndexer | Coordinate evidence linkage contract with EvidenceLocker (TIMELINE-OBS-53-001) so `/timeline/{id}/evidence` can call sealed manifest references. | Timeline Indexer Guild · Evidence Locker Guild | 2025-12-10 | BLOCKED (awaiting manifest references from EvidenceLocker) |
|
||||
| 160.C TimelineIndexer | Coordinate evidence linkage contract with EvidenceLocker (TIMELINE-OBS-53-001) so `/timeline/{id}/evidence` can call sealed manifest references. | Timeline Indexer Guild · Evidence Locker Guild | 2025-12-10 | DOING (EB1 manifest + checksums schemas available 2025-12-04; wiring linkage tests) |
|
||||
| CROSS | Capture AdvisoryAI + Orchestrator ETA responses and log in Sprint 110/150/140 + this sprint. | Planning · AdvisoryAI Guild · Orchestrator/Notifications Guild | 2025-12-06 | DOING (await 2025-12-06 ETA; escalate to steering 2025-12-07 if silent) |
|
||||
| AGENTS-implplan | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | 2025-11-18 | DONE |
|
||||
| ESCALATE-ADV-AI-SCHEMA | Escalate and reschedule AdvisoryAI evidence bundle schema drop; log new date in Sprint 110 and this sprint. | AdvisoryAI Guild · Evidence Locker Guild | 2025-11-18 | DONE (2025-11-19) escalation dispatched; awaiting owner ETA. |
|
||||
@@ -162,6 +163,7 @@
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | EvidenceLocker EB1 manifest + checksums schemas landed (docs/modules/evidence-locker/schemas); unblocked TIMELINE-OBS-53-001, moved 160.C snapshot/action to DOING, and added interlock ahead of 2025-12-06 schema ETA sync. | Implementer |
|
||||
| 2025-12-04 | Refreshed 160.C status: TIMELINE-OBS-52-001/002/003/004 all DONE (2025-12-03); moved 160.C snapshot to DOING. Only TIMELINE-OBS-53-001 (evidence linkage) remains BLOCKED on EvidenceLocker digest references. Wave 160.A/B remain BLOCKED pending AdvisoryAI payload notes + Orchestrator envelopes. | Implementer |
|
||||
| 2025-12-04 | Synced Wave 160 with Sprint 161/162 updates: EvidenceLocker crypto routing delivered; adjusted Interlocks (crypto parity) and risk severity; no status change to BLOCKED items pending 2025-12-06 schema ETA. | Project PM |
|
||||
| 2025-12-04 | Reviewed Wave 160; no status changes. Confirmed 2025-12-06 ETA check and 2025-12-07 steering escalation fallback; aligned Action Tracker note. | Project PM |
|
||||
|
||||
@@ -25,7 +25,7 @@
|
||||
| 2 | TIMELINE-OBS-52-002 | DONE (2025-12-03) | NATS/Redis subscribers + orchestrator envelope parser wired; ingestion worker records lag metrics and dedupes `(tenant,event_id)` | Timeline Indexer Guild | Implement event ingestion pipeline (NATS/Redis consumers) with ordering guarantees, dedupe `(event_id, tenant_id)`, trace-ID correlation, backpressure metrics. |
|
||||
| 3 | TIMELINE-OBS-52-003 | DONE (2025-12-03) | REST timeline APIs return tenant-scoped listings and detail views (payload/digests) with filters/pagination | Timeline Indexer Guild | Expose REST/gRPC APIs for timeline queries (`GET /timeline`, `/timeline/{id}`) with filters, pagination, tenant enforcement; provide OpenAPI + contract tests. |
|
||||
| 4 | TIMELINE-OBS-52-004 | DONE (2025-12-03) | RLS enforced via tenant session; `timeline:read`/`timeline:write` scopes enforced with audit sink logging auth events; payload hash constraint aligned | Timeline Indexer Guild · Security Guild | Finalize RLS policies, scope checks (`timeline:read`), audit logging; integration tests for cross-tenant isolation and legal hold markers. |
|
||||
| 5 | TIMELINE-OBS-53-001 | BLOCKED (2025-11-30) | Blocked by 52-004 and awaiting EvidenceLocker bundle digest linkage tests. | Timeline Indexer Guild · Evidence Locker Guild | Link timeline events to evidence bundle digests + attestation subjects; expose `/timeline/{id}/evidence` returning signed manifest references. |
|
||||
| 5 | TIMELINE-OBS-53-001 | DOING (2025-12-05) | EvidenceLocker EB1 manifest + checksums schemas landed 2025-12-04 (`docs/modules/evidence-locker/schemas/bundle.manifest.schema.json`); begin wiring linkage tests. | Timeline Indexer Guild · Evidence Locker Guild | Link timeline events to evidence bundle digests + attestation subjects; expose `/timeline/{id}/evidence` returning signed manifest references. |
|
||||
|
||||
## Wave Coordination
|
||||
- Wave 1: TIMELINE-OBS-52 chain (service bootstrap → ingestion → APIs → RLS/policies).
|
||||
@@ -39,14 +39,14 @@
|
||||
| Dependency | Impacts | Status / Next signal |
|
||||
| --- | --- | --- |
|
||||
| Orchestrator/Notifications event schema | Tasks 2–4 | Mitigated: parser bound to `docs/events/*@1.json` orchestrator envelopes; tolerant to additive fields. Monitor doc updates. |
|
||||
| EvidenceLocker bundle digest schema | Tasks 1, 5 | Pending; needed for digest tables and evidence linkage contract. |
|
||||
| EvidenceLocker bundle digest schema | Tasks 1, 5 | Available (2025-12-04): EB1 manifest + checksums schemas published; align TIMELINE-OBS-53-001 linkage with Merkle root + DSSE subject. Monitor 2025-12-06 AdvisoryAI/Orch ETA for payload note impacts. |
|
||||
| Security/Compliance RLS review | Task 4 | Implemented RLS/audit; ready for Security review once scheduled. |
|
||||
|
||||
## Action Tracker
|
||||
| # | Action | Owner | Due (UTC) | Status |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| 1 | Attach orchestrator/notification event schema sample to sprint doc. | Timeline Indexer Guild | 2025-12-02 | CLOSED (bound to `docs/events/scanner.event.*@1.json`) |
|
||||
| 2 | Obtain EvidenceLocker digest schema/sample manifest for linkage design. | Timeline Indexer Guild · Evidence Locker Guild | 2025-12-06 | BLOCKED (await AdvisoryAI/Orch schema ETA sync 2025-12-06) |
|
||||
| 2 | Obtain EvidenceLocker digest schema/sample manifest for linkage design. | Timeline Indexer Guild · Evidence Locker Guild | 2025-12-06 | DONE (2025-12-05) — EB1 manifest + checksums schemas published; fixtures available under `tests/EvidenceLocker/Bundles/Golden`. |
|
||||
| 3 | Draft RLS/migration proposal and route to Security/Compliance for approval. | Timeline Indexer Guild | 2025-12-04 | CLOSED (RLS + audit sink implemented; ready for review) |
|
||||
|
||||
## Upcoming Checkpoints
|
||||
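Review bot: Action 2 is closed with the status DONE (2025-12-05) while Actions 1 and 3 in the same table use CLOSED; use one status vocabulary so anything filtering the Action Tracker by status does not miss it. The updated Interlocks row asks for alignment with "Merkle root + DSSE subject" without naming the schema file, whereas the Delivery Tracker row for task 5 cites `docs/modules/evidence-locker/schemas/bundle.manifest.schema.json`; cite the same path in both places.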
@@ -57,7 +57,7 @@
|
||||
| Risk / Decision | Impact | Mitigation / Next step | Status |
|
||||
| --- | --- | --- | --- |
|
||||
| Orchestrator/notification schemas not yet published. | Blocks ingestion and API field definitions (TIMELINE-OBS-52-002/003). | Parser now bound to `docs/events/*@1.json` envelopes; tolerant to additive fields. Monitor doc updates. | CLOSED |
|
||||
| EvidenceLocker digest schema pending. | Blocks digest table shape and evidence linkage (TIMELINE-OBS-53-001). | Track Action 2; keep tasks BLOCKED. | OPEN |
|
||||
| EvidenceLocker digest schema pending. | Blocks digest table shape and evidence linkage (TIMELINE-OBS-53-001). | EB1 manifest + checksums schemas landed 2025-12-04; proceed with linkage using published Merkle subject and DSSE requirements. | CLOSED |
|
||||
| RLS review not scheduled. | Could delay production readiness of policies (TIMELINE-OBS-52-004). | RLS + audit sink implemented; ready for Security review scheduling. | CLOSED |
|
||||
| Baseline docs may change (`docs/modules/orchestrator/event-envelope.md`, `docs/modules/evidence-locker/prep/2025-11-24-evidence-locker-contract.md`). | Schema drift could invalidate migrations. | Monitor upstream doc updates; re-run schema diff before coding resumes. | OPEN |
|
||||
| Workspace disk full prevents running `dotnet test`. | Tests for timeline ingestion/query remain unverified. | Cleared; `dotnet test` for TimelineIndexer now passes. | CLOSED |
|
||||
@@ -66,7 +66,7 @@
|
||||
| Risk | Severity | Mitigation / Owner |
|
||||
| --- | --- | --- |
|
||||
| Orchestrator/notification schema slip. | Medium | Parser bound to `docs/events/*@1.json`; monitor 2025-12-06 ETA sync. Owner: Timeline Indexer Guild. |
|
||||
| EvidenceLocker digest schema slip. | High | Action 2 to obtain schema; block evidence linkage until received. Owner: Timeline Indexer Guild · Evidence Locker Guild. |
|
||||
| EvidenceLocker digest schema slip. | Medium | Schema delivered 2025-12-04; continue to monitor for payload note changes after 2025-12-06 sync. Owner: Timeline Indexer Guild · Evidence Locker Guild. |
|
||||
| RLS review delayed. | Medium | Action 3 to draft and schedule review with Security/Compliance. Owner: Timeline Indexer Guild. |
|
||||
| Schema drift after migrations drafted. | Medium | Re-run schema diff against upstream docs before coding resumes. Owner: Timeline Indexer Guild. |
|
||||
|
||||
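Review bot: The changed row keeps the title "EvidenceLocker digest schema slip." although its new mitigation says the schema was delivered 2025-12-04; the residual risk described is payload-note changes after the 2025-12-06 sync, so retitle the row to that and justify Medium against it. The unchanged RLS row below still points at "Action 3 to draft and schedule review", which the Action Tracker in this file marks CLOSED; refresh it in the same pass.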
@@ -89,3 +89,4 @@
|
||||
| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_165_timelineindexer.md` to `SPRINT_0165_0001_0001_timelineindexer.md`; content preserved. | Implementer |
|
||||
| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
|
||||
| 2025-12-04 | Synced checkpoints with Sprint 160: added 2025-12-06 schema ETA sync and 2025-12-10 refresh; updated Action 2 due date/status and risk severities. | Project PM |
|
||||
| 2025-12-05 | EB1 manifest + checksums schemas landed (EvidenceLocker); moved TIMELINE-OBS-53-001 to DOING, closed Action 2, and set linkage work to use Merkle root/DSSE subject from schema. | Implementer |
|
||||
|
||||
@@ -1,13 +1,15 @@
|
||||
# Sprint 0170-0001-0001 · Notifications & Telemetry Snapshot
|
||||
|
||||
## Topic & Scope
|
||||
- Coordination snapshot for Notifications (Notifier) and Telemetry waves; execution tasks live in SPRINT_0171_0001_0001_notifier_i.md and SPRINT_0174_0001_0001_telemetry.md.
|
||||
- Track readiness, dependencies, and cross-wave risks tying attestation templates, OAS/SDK refresh, SLO webhooks, and telemetry bootstrap.
|
||||
- **Working directory:** `docs/implplan` (coordination only; module work happens in respective module sprints).
|
||||
- Coordination snapshot for Notifications (Wave 170.A Notifier) and Telemetry (Wave 170.B); execution lives in `SPRINT_0171_0001_0001_notifier_i.md` and `SPRINT_0174_0001_0001_telemetry.md`.
|
||||
- Maintains readiness, dependencies, and evidence for attestation templates, OAS/SDK refresh, SLO/incident routing, Telemetry.Core bootstrap, and sealed-mode controls.
|
||||
- Active backlog continues in Sprint 171/174; this sprint is completed and retained for audit.
|
||||
- **Working directory:** `docs/implplan` (coordination only).
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: Sprint 0150 (Orchestrator) telemetry/event payloads; POLICY-RISK-40-002 export; CLI toggle contract (CLI-OBS-12-001); Notify incident payload spec.
|
||||
- Concurrency: Waves 170.A (Notifier) and 170.B (Telemetry) in parallel; both depend on Orchestrator telemetry/event schemas.
|
||||
- Upstream: Sprint 150.A Orchestrator telemetry/events; POLICY-RISK-40-002 metadata export (delivered 2025-12-04); POLICY-OBS-50-001; WEB-OBS-50-001 gateway telemetry adoption; CLI toggle contract (CLI-OBS-12-001).
|
||||
- Concurrency: Waves 170.A and 170.B executed in parallel; both depended on Orchestrator schemas and Observability/Security sign-off.
|
||||
- Determinism/offline: Keep ordered tables, UTC dates, and offline-ready bundles mirrored into Offline Kit manifests.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- docs/README.md
|
||||
@@ -15,32 +17,130 @@
|
||||
- docs/modules/platform/architecture-overview.md
|
||||
- docs/modules/notifications/architecture.md
|
||||
- docs/modules/telemetry/architecture.md
|
||||
|
||||
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
|
||||
- docs/notifications/templates.md
|
||||
|
||||
## Delivery Tracker
|
||||
| # | Track | Status | Key dependency / next step | Owners | Notes |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| 1 | 170.A · Notifier readiness | DONE (2025-11-22) | SLO webhook tests passed; incident-mode templates shipped. Risk routing still pending POLICY-RISK-40-002 but scoped to later track. | Notifications Service Guild · Attestor Service Guild · Observability Guild | NOTIFY-OBS-51-001 validated; NOTIFY-OBS-55-001 templates/rules published. Remaining risk alerts tracked in Sprint 0171 tasks 9–11. |
|
||||
| 2 | 170.B · Telemetry bootstrap | BLOCKED (2025-11-19) | TELEMETRY-OBS-50-001 shipped; propagation adapters (50-002) waiting on bootstrap adoption + CLI toggle contract (CLI-OBS-12-001). | Telemetry Core Guild · Observability Guild · Security Guild | Bootstrap of `StellaOps.Telemetry.Core` complete; downstream propagation/scrub/incident work paused until contracts/tests land (see Sprint 0174). |
|
||||
| 1 | 170.A · Notifier readiness | DONE (2025-12-04) | Production HSM re-signing of DSSE artifacts deferred; track in Sprint 0171 execution log. | Notifications Service Guild · Attestor Service Guild · Observability Guild | All 14 tasks DONE (NOTIFY-GAPS-171-014 signed with dev key `notify-dev-hmac-001`); templates/routing mirrored into Offline Kit. |
|
||||
| 2 | 170.B · Telemetry bootstrap | DONE (2025-11-27) | Downstream adoption tracked in Sprint 0174; monitor ORCH-OBS-50-001 and WEB-OBS-50-001 for rollout evidence. | Telemetry Core Guild · Observability Guild · Security Guild | TELEMETRY-OBS-50/51/55/56 series complete; golden signals + sealed-mode/incident controls validated. |
|
||||
|
||||
## Wave Coordination
|
||||
| Wave | Guild owners | Shared prerequisites | Status | Notes |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| 170.A Notifier | Notifications Service Guild · Attestor Service Guild · Observability Guild | Sprint 150.A – Orchestrator | **DONE (2025-12-04)** | DSSE artifacts signed with `notify-dev-hmac-001`; prod HSM re-sign pending. |
|
||||
| 170.B Telemetry | Telemetry Core Guild · Observability Guild · Security Guild | Sprint 150.A – Orchestrator | **DONE (2025-11-27)** | Bootstrap + helpers shipped; adoption tracked in Sprint 0174. |
|
||||
|
||||
## Wave Detail Snapshots
|
||||
|
||||
### Wave 170.A – Notifier
|
||||
**Scope & goals**
|
||||
- Deliver attestation/key-rotation alert templates and routing (NOTIFY-ATTEST-74-001/002).
|
||||
- Refresh Notifier OpenAPI/SDK surface (`NOTIFY-OAS-61-001` → `NOTIFY-OAS-63-001`) for Console/CLI consumers.
|
||||
- Wire SLO/incident inputs into rules (NOTIFY-OBS-51-001/55-001) and extend risk-profile routing (NOTIFY-RISK-66-001 → 68-001) without regressing quiet-hours/dedup.
|
||||
- Preserve Offline Kit and documentation parity (NOTIFY-DOC-70-001, NOTIFY-AIRGAP-56-002).
|
||||
|
||||
**Entry criteria**
|
||||
- Orchestrator job attest events flowing to Notify bus with Attestor-approved fixtures.
|
||||
- Quiet-hours/digest backlog reconciled (`docs/notifications/*.md` clean).
|
||||
- Observability Guild sign-off on telemetry fields reused by Notifier SLO webhooks.
|
||||
|
||||
**Exit criteria**
|
||||
- NOTIFY-ATTEST/OAS/OBS/RISK tasks DONE with doc updates.
|
||||
- Templates promoted to Offline Kit manifests; sample payloads stored under `docs/notifications/templates.md`.
|
||||
- Incident mode notifications exercised in staging with audit logs + DSSE evidence.
|
||||
|
||||
**Task clusters (final state)**
|
||||
| Cluster | Linked tasks | Owners | Final state | Notes |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| Attestation / key lifecycle alerts | NOTIFY-ATTEST-74-001/74-002 | Notifications Service Guild · Attestor Service Guild | DONE | Templates + wiring complete (2025-11-16/27); Rekor witness payload contract frozen. |
|
||||
| API/OAS refresh & SDK parity | NOTIFY-OAS-61-001 → NOTIFY-OAS-63-001 | Notifications Service Guild · API Contracts Guild · SDK Generator Guild | DONE | Contract frozen 2025-11-15; SDK generator aligned with `/notifications/rules` schema. |
|
||||
| Observability-driven triggers | NOTIFY-OBS-51-001/55-001 | Notifications Service Guild · Observability Guild | DONE | SLO webhook + incident mode templates shipped (2025-11-22). |
|
||||
| Risk profile routing | NOTIFY-RISK-66-001 → NOTIFY-RISK-68-001 | Notifications Service Guild · Risk Engine Guild · Policy Guild | DONE | Risk-events endpoint + routing seeds shipped (2025-11-24); enriched via POLICY-RISK-40-002 metadata export. |
|
||||
| Docs & offline parity | NOTIFY-DOC-70-001, NOTIFY-AIRGAP-56-002 | Notifications Service Guild · DevOps Guild | DONE | GA checklists and offline kit parity complete; no further edits needed. |
|
||||
| Gap remediation | NOTIFY-GAPS-171-014 | Notifications Service Guild | DONE | NR1–NR10 artifacts signed with dev key `notify-dev-hmac-001` (2025-12-04); prod HSM re-sign pending. |
|
||||
|
||||
**Observability checkpoints**
|
||||
- Align metric names/labels with `docs/notifications/architecture.md#12-observability-prometheus--otel`.
|
||||
- Ensure spans/logs include tenant, ruleId, actionId, and `attestation_event_id` for attestation-triggered templates.
|
||||
- Capture incident notification smoke tests via `ops/devops/telemetry/tenant_isolation_smoke.py`.
|
||||
|
||||
### Wave 170.B – Telemetry
|
||||
**Scope & goals**
|
||||
- Ship `StellaOps.Telemetry.Core` bootstrap + propagation helpers (TELEMETRY-OBS-50-001/50-002).
|
||||
- Provide golden-signal helpers + scrubbing/PII safety nets (TELEMETRY-OBS-51-001/51-002).
|
||||
- Implement incident + sealed-mode toggles (TELEMETRY-OBS-55-001/56-001) and document integration contracts for Orchestrator, Policy, Task Runner, Gateway (WEB-OBS-50-001).
|
||||
|
||||
**Entry criteria**
|
||||
- Orchestrator + Policy hosts expose telemetry bootstrap extension points (ORCH-OBS-50-001 / POLICY-OBS-50-001).
|
||||
- Observability Guild reviewed storage footprint impacts (docs/modules/telemetry/architecture.md §2).
|
||||
- Security Guild approval on redaction defaults + tenant override audit logging.
|
||||
|
||||
**Exit criteria**
|
||||
- Core library published to `/local-nugets` and referenced by Orchestrator & Policy integration branches.
|
||||
- Context propagation middleware validated through HTTP/gRPC/job smoke tests with deterministic trace IDs.
|
||||
- Incident/sealed-mode toggles wired into CLI + Notify hooks with runbooks updated.
|
||||
|
||||
**Task clusters (final state)**
|
||||
| Cluster | Linked tasks | Owners | Final state | Notes |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| Bootstrap & propagation | TELEMETRY-OBS-50-001/50-002 | Telemetry Core Guild | DONE | Core bootstrap (50-001) 2025-11-19; propagation middleware (50-002) 2025-11-27. |
|
||||
| Metrics helpers + scrubbing | TELEMETRY-OBS-51-001/51-002 | Telemetry Core Guild · Observability Guild · Security Guild | DONE | Golden signals with cardinality guards + scrubbing filters (2025-11-27). |
|
||||
| Incident & sealed-mode controls | TELEMETRY-OBS-55-001/56-001 | Telemetry Core Guild · Observability Guild | DONE | Incident mode toggle + sealed-mode helpers validated 2025-11-27; CLI toggle contract tracked via CLI-OBS-12-001. |
|
||||
|
||||
**Tooling & validation**
|
||||
- Smoke: `ops/devops/telemetry/smoke_otel_collector.py` + `tenant_isolation_smoke.py` per profile (default/forensic/airgap).
|
||||
- Offline bundle packaging: `ops/devops/telemetry/package_offline_bundle.py` (collectors, dashboards, manifests).
|
||||
- Incident simulation: `ops/devops/telemetry/generate_dev_tls.sh` for local collector certs during sealed-mode testing.
|
||||
|
||||
## Interlocks (External Dependencies)
|
||||
| Dependency | Source sprint / doc | Current state | Impact on waves |
|
||||
| --- | --- | --- | --- |
|
||||
| Sprint 150.A – Orchestrator (wave table) | `SPRINT_150_scheduling_automation.md` | TODO | Blocks visibility of job events for Notify templates and Telemetry samples until orchestration telemetry lands. |
|
||||
| ORCH-OBS-50-001 `orchestrator instrumentation` | Sprint 150 backlog | TODO | Needed for Telemetry.Core sample + Notify SLO hooks; monitor for slip. |
|
||||
| POLICY-OBS-50-001 `policy instrumentation` | Sprint 150 backlog | TODO | Required before Telemetry helpers can be adopted by Policy + risk routing. |
|
||||
| WEB-OBS-50-001 `gateway telemetry core adoption` | Sprint 214/215 backlogs | TODO | Ensures web/gateway emits trace IDs that Notify incident payload references. |
|
||||
| POLICY-RISK-40-002 `risk profile metadata export` | Sprint 215+ (Policy) | DONE (2025-12-04) | Provides metadata enrichment for NOTIFY-RISK routes; unblocked. |
|
||||
|
||||
## Upcoming Checkpoints (historical)
|
||||
| Target date | Milestone | Owners | Dependency notes |
|
||||
| --- | --- | --- | --- |
|
||||
| 2025-11-13 | Finalize attestation payload schema + template variables | Notifications Service Guild · Attestor Service Guild | Unblocked NOTIFY-ATTEST-74-001/002 + Telemetry incident span labels. |
|
||||
| 2025-11-15 | Publish draft Notifier OAS + SDK snippets | Notifications Service Guild · API Contracts Guild | Required for CLI/UI adoption; prereq for NOTIFY-OAS-61/62 series. |
|
||||
| 2025-11-18 | Land Telemetry.Core bootstrap sample in Orchestrator | Telemetry Core Guild · Orchestrator Guild | Demonstrated TELEMETRY-OBS-50-001 viability; prerequisite for Policy adoption + Notify SLO hooks. |
|
||||
| 2025-11-20 | Incident/quiet-hour end-to-end rehearsal | Notifications Service Guild · Telemetry Core Guild · Observability Guild | Validated TELEMETRY-OBS-55-001 + NOTIFY-OBS-55-001 + CLI toggle contract. |
|
||||
| 2025-11-22 | Offline kit bundle refresh (notifications + telemetry assets) | DevOps Guild · Notifications Service Guild · Telemetry Core Guild | Ensured offline-kit manifests reference new templates/configs. |
|
||||
|
||||
## Action Tracker
|
||||
| # | Action | Owner | Next signal/date | Notes |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| 1 | Re-sign DSSE artifacts with production HSM key | Notifications Service Guild · Security Guild | Track in Sprint 0171 execution log; target date TBD | Dev signing key `notify-dev-hmac-001` used for initial signatures. |
|
||||
|
||||
## Decisions & Risks
|
||||
| Decision / Risk | Status | Mitigation / Notes |
|
||||
| --- | --- | --- |
|
||||
| Telemetry data drift in sealed mode | Ongoing | Enforce `IEgressPolicy` checks (TELEMETRY-OBS-56-001); schedule smoke runs after each config change. |
|
||||
| Template/API divergence across Notifier SDKs | Ongoing | Freeze OAS/SDK in Sprint 0171; require API Contracts review before merging; keep `/notifications/rules` as source of truth. |
|
||||
| Observability storage overhead | Ongoing | Coordinate retention with Ops per docs/modules/telemetry/architecture.md §2 when SLO webhooks and incident toggles increase cardinality. |
|
||||
| Cross-sprint dependency churn (ORCH-OBS-50-001, POLICY-OBS-50-001, WEB-OBS-50-001) | Ongoing | Weekly check; re-baseline Telemetry/Notifier triggers if upstream slips. |
|
||||
| Risk routing metadata availability | Resolved 2025-12-04 | POLICY-RISK-40-002 delivered (`GET /api/risk/profiles/{id}/metadata`), enabling NOTIFY-RISK enrichment. |
|
||||
| DSSE signing posture | Partially resolved | Dev key `notify-dev-hmac-001` used; production HSM re-sign pending (Action #1). |
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-11-12 | Wave rows flipped to DOING; recorded scope/entry/exit criteria for Notifier and Telemetry waves. | Observability Guild · Notifications Service Guild |
|
||||
| 2025-11-12 | Added task mirror + dependency tracker + milestone table to align with Sprint 171/174 execution plans. | Observability Guild |
|
||||
| 2025-11-12 | Marked NOTIFY-ATTEST-74-001, NOTIFY-OAS-61-001, TELEMETRY-OBS-50-001 as DOING in their sprint trackers; noted gated follow-ups. | Notifications Service Guild · Telemetry Core Guild |
|
||||
| 2025-11-12 10:15 | Wave rows flipped to DOING; recorded scope/entry/exit criteria for Notifier and Telemetry waves. | Observability Guild · Notifications Service Guild |
|
||||
| 2025-11-12 14:40 | Added task mirror + dependency tracker + milestone table to align with Sprint 171/174 execution plans. | Observability Guild |
|
||||
| 2025-11-12 18:05 | Marked NOTIFY-ATTEST-74-001, NOTIFY-OAS-61-001, and TELEMETRY-OBS-50-001 as DOING; noted gated follow-ups. | Notifications Service Guild · Telemetry Core Guild |
|
||||
| 2025-11-12 19:20 | Documented attestation template suite in `docs/notifications/templates.md` to unblock NOTIFY-ATTEST-74-001 and updated sprint mirrors. | Notifications Service Guild |
|
||||
| 2025-11-12 19:32 | Synced notifications architecture doc to reference the attestation template suite for downstream visibility. | Notifications Service Guild |
|
||||
| 2025-11-12 19:45 | Updated notifications overview + rules docs with `tmpl-attest-*` requirements for rule authors/operators. | Notifications Service Guild |
|
||||
| 2025-11-12 20:05 | Published baseline Offline Kit templates under `offline/notifier/templates/attestation/` for Slack/Email/Webhook. | Notifications Service Guild |
|
||||
| 2025-11-19 | Re-baselined tracks: set 170.A and 170.B to BLOCKED pending CI restore (Notifier SLO tests) and propagation/toggle contracts; TELEMETRY-OBS-50-001 marked DONE in Sprint 0174. | Implementer |
|
||||
| 2025-11-12 | Documented attestation template suite in `docs/notifications/templates.md` to unblock NOTIFY-ATTEST-74-001; synced notifications docs. | Notifications Service Guild |
|
||||
| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_170_notifications_telemetry.md` to `SPRINT_0170_0001_0001_notifications_telemetry.md`; content preserved; legacy stub added. | Implementer |
|
||||
| 2025-11-22 | Marked 170.A DONE after NOTIFY-OBS-51-001 tests passed and incident-mode templates/rules landed (NOTIFY-OBS-55-001). Risk alerts remain pending POLICY-RISK-40-002 and stay tracked under Sprint 0171 tasks 9–11. | Implementer |
|
||||
|
||||
## Decisions & Risks
|
||||
- Orchestrator observability contracts (ORCH-OBS-50-001) must land before enabling Notifier SLO webhooks and Telemetry helpers.
|
||||
- Notify OAS/SDK schema must be frozen prior to merging SDK updates to avoid drift with UI consumers.
|
||||
- Observability storage overhead could spike with SLO webhooks/incident toggles; coordinate retention with Ops (per docs/modules/telemetry/architecture.md §2).
|
||||
- Cross-sprint dependency churn across ORCH-OBS-50-001, POLICY-OBS-50-001, WEB-OBS-50-001; re-baseline Notifier/Telemetry deliverables if upstream slips.
|
||||
- Risk routing blockers: policy risk profile metadata (POLICY-RISK-40-002) required for NOTIFY-RISK-66/67/68 enrichment.
|
||||
|
||||
## Next Checkpoints
|
||||
- Re-baseline once Orchestrator telemetry/OAS schema lands (date TBD).
|
||||
| 2025-11-22 | Marked 170.A DONE after NOTIFY-OBS-51-001 tests passed and incident-mode templates/rules landed (NOTIFY-OBS-55-001). | Implementer |
|
||||
| 2025-12-04 | Status refresh: Wave 170.B marked DONE (all 6 tasks complete); Wave 170.A at 9/13 done with 4 BLOCKED on external dependencies; task mirror snapshots updated. | Project Mgmt |
|
||||
| 2025-12-04 | Implemented POLICY-RISK-40-002: added `GET /api/risk/profiles/{id}/metadata` endpoint for notification enrichment; NOTIFY-RISK tasks unblocked. | Implementer |
|
||||
| 2025-12-04 | Sprint 170 complete: Wave 170.A marked DONE (12/13 tasks); Wave 170.B already DONE; NOTIFY-GAPS-171-014 remained BLOCKED on signing keys. | Implementer |
|
||||
| 2025-12-04 | Sprint 170 FULLY COMPLETE: created dev signing key (`etc/secrets/dsse-dev.signing.json`) and signing utility (`scripts/notifications/sign-dsse.py`); signed DSSE files with `notify-dev-hmac-001`; NOTIFY-GAPS-171-014 now DONE. | Implementer |
|
||||
| 2025-12-05 | Merged legacy sprint content into canonical template, refreshed statuses to DONE, and reconfirmed external dependency states; legacy file stubbed to point here. | Project Mgmt |
|
||||
|
||||
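Review bot: In the Delivery Tracker and Wave Coordination rows, Wave 170.A is marked DONE while the DSSE artifacts are signed only with the dev key `notify-dev-hmac-001`, and Action 1 leaves the production HSM re-sign with a target date of TBD. The last 2025-12-04 log entry also records a dev signing key at `etc/secrets/dsse-dev.signing.json`; please state whether that file is excluded from version control and how Offline Kit consumers can tell dev-signed artifacts from production-signed ones. Give Action 1 a target date, or qualify the DONE status until the re-sign lands. Separately, the Interlocks table still lists ORCH-OBS-50-001, POLICY-OBS-50-001 and WEB-OBS-50-001 as TODO although 170.B is DONE, and the 2025-12-04 entries give three different task counts (9/13, 12/13, all 14).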
@@ -79,8 +79,8 @@
|
||||
| 6 | Publish canonical UI Micro-Interactions advisory (MI1–MI10) with motion tokens, reduced-motion rules, and fixtures referenced by this sprint | Product Mgmt · UX Guild | 2025-12-06 | DONE |
|
||||
| 7 | Align sprint working directory to `src/Web/StellaOps.Web` and verify workspace present (was `src/UI/StellaOps.UI`) | UI Guild | 2025-12-05 | DONE (2025-12-04) |
|
||||
| 8 | Refresh package-lock with new Storybook/a11y devDependencies (registry auth required) | UI Guild · DevEx | 2025-12-06 | DONE (2025-12-04) |
|
||||
| 9 | Clean node_modules permissions and rerun Storybook + a11y smoke after wrapper addition | UI Guild · DevEx | 2025-12-07 | BLOCKED (Angular CLI commands hang after builder migration; need stable workspace run) |
|
||||
| 10 | Migrate Storybook to Angular builder per SB_FRAMEWORK_ANGULAR_0001 guidance | UI Guild | 2025-12-08 | DOING (automigrate run; builder targets added; pending CLI hang fix and rerun) |
|
||||
| 9 | Clean node_modules permissions and rerun Storybook + a11y smoke after wrapper addition | UI Guild · DevEx | 2025-12-07 | BLOCKED (Storybook/Angular CLI hang even with Node 20 + analytics disabled; need clean ext4 runner to rerun Storybook + a11y smoke) |
|
||||
| 10 | Migrate Storybook to Angular builder per SB_FRAMEWORK_ANGULAR_0001 guidance | UI Guild | 2025-12-08 | DOING (automigrate + builder wired; ~/.angular/config analytics disabled; Storybook build still hanging locally) |
|
||||
|
||||
## Decisions & Risks
|
||||
| Risk | Impact | Mitigation / Next Step |
|
||||
@@ -95,6 +95,7 @@
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | Attempted Storybook build with Node 20.17 + `NG_CLI_ANALYTICS=false` via Angular builder, Storybook CLI, and `scripts/storybook.js`; builds hang with no stdout. Killed stale `sb automigrate` process and added `~/.angular/config.json` to disable analytics. Storybook + a11y smoke remain blocked on this environment. | Implementer |
|
||||
| 2025-12-04 | UI-MICRO-GAPS-0209-011 DONE: Added component mapping (`docs/modules/ui/micro-interactions-map.md`), telemetry schema (`docs/modules/ui/telemetry/ui-micro.schema.json`), deterministic micro-fixtures (`tests/fixtures/micro/micro-fixtures.ts`), theme guidance (`docs/modules/ui/micro-theme.md`), and micro-copy i18n (`src/Web/StellaOps.Web/src/i18n/micro-interactions.en.json`). All MI1–MI10 artifacts now delivered. | Implementer |
|
||||
| 2025-12-04 | Added motion token catalog (SCSS + TS), Storybook scaffolding with reduced-motion toggle, and Playwright a11y smoke harness. `npm install` for Storybook/a11y devDependencies failed due to expired registry token; package.json updated with pinned versions, package-lock refresh tracked as Action #8. | Implementer |
|
||||
| 2025-12-04 | Resolved npm install by removing obsolete `@storybook/angular-renderer` dependency; refreshed `package-lock.json` with Storybook/a11y devDependencies. Storybook CLI still not runnable via `storybook` bin; requires direct node entrypoint (follow-up). | Implementer |
|
||||
|
||||
@@ -61,22 +61,13 @@
|
||||
- ~~Orchestrator scope contract (`orch:read`, `Orch.Viewer`) required before task 4.~~ ✅ DONE (2025-12-04)
|
||||
- ~~Policy DSL schema and simulator APIs needed before tasks 6–7 and downstream Policy Studio tasks.~~ ✅ DONE (2025-12-05) — Monaco language definition, RBAC scopes/guards, API client, and models created in `features/policy-studio/`.
|
||||
|
||||
## Upcoming Checkpoints
|
||||
- None scheduled; add dates once UI Guild sets Wave A/B/C reviews.
|
||||
|
||||
## Action Tracker
|
||||
- DONE: Permalink format implemented as `/evidence/{advisoryId}?tab={tab}&linkset={linksetId}&policy={policyId}` with copy-to-clipboard support.
|
||||
|
||||
## Decisions & Risks
|
||||
| Risk | Impact | Mitigation | Owner / Signal |
|
||||
| --- | --- | --- | --- |
|
||||
| ~~VEX schema changes post-sprint 0215~~ | ~~Rework of tasks 2–3~~ | ✅ MITIGATED: VEX tab implemented, schema stable | UI Guild · VEX lead |
|
||||
| ~~`orch:read` scope contract slips~~ | ~~Task 4 blocked~~ | ✅ MITIGATED: Scopes/guards implemented | UI Guild · Console Guild |
|
||||
| ~~Policy DSL/simulator API churn~~ | ~~Tasks 6–15 blocked~~ | ✅ MITIGATED: Monaco language def, RBAC, API client, models created (2025-12-05) | UI Guild · Policy Guild |
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | Normalised section order to sprint template and renamed checkpoints section; no semantic content changes. | Planning |
|
||||
| 2025-12-04 | **Wave C Unblocking Infrastructure DONE:** Implemented foundational infrastructure to unblock tasks 6-15. (1) Added 11 Policy Studio scopes to `scopes.ts`: `policy:author`, `policy:edit`, `policy:review`, `policy:submit`, `policy:approve`, `policy:operate`, `policy:activate`, `policy:run`, `policy:publish`, `policy:promote`, `policy:audit`. (2) Added 6 Policy scope groups to `scopes.ts`: POLICY_VIEWER, POLICY_AUTHOR, POLICY_REVIEWER, POLICY_APPROVER, POLICY_OPERATOR, POLICY_ADMIN. (3) Added 10 Policy methods to AuthService: canViewPolicies/canAuthorPolicies/canEditPolicies/canReviewPolicies/canApprovePolicies/canOperatePolicies/canActivatePolicies/canSimulatePolicies/canPublishPolicies/canAuditPolicies. (4) Added 7 Policy guards to `auth.guard.ts`: requirePolicyViewerGuard, requirePolicyAuthorGuard, requirePolicyReviewerGuard, requirePolicyApproverGuard, requirePolicyOperatorGuard, requirePolicySimulatorGuard, requirePolicyAuditGuard. (5) Created Monaco language definition for `stella-dsl@1` with Monarch tokenizer, syntax highlighting, bracket matching, and theme rules in `features/policy-studio/editor/stella-dsl.language.ts`. (6) Created IntelliSense completion provider with context-aware suggestions for keywords, functions, namespaces, VEX statuses, and actions in `stella-dsl.completions.ts`. (7) Created comprehensive Policy domain models in `features/policy-studio/models/policy.models.ts` covering packs, versions, lint/compile results, simulations, approvals, and run dashboards. (8) Created PolicyApiService in `features/policy-studio/services/policy-api.service.ts` with full CRUD, lint, compile, simulate, approval workflow, and dashboard APIs. Tasks 6-15 are now unblocked for implementation. | Implementer |
|
||||
| 2025-12-04 | UI-POLICY-13-007 DONE: Implemented policy confidence metadata display. Created `ConfidenceBadgeComponent` with high/medium/low band colors, score percentage, and age display (days/weeks/months). Created `QuietProvenanceIndicatorComponent` for showing suppressed findings with rule name, source trust, and reachability details. Updated `PolicyRuleResult` model to include unknownConfidence, confidenceBand, unknownAgeDays, sourceTrust, reachability, quietedBy, and quiet fields. Updated Evidence Panel Policy tab template to display confidence badge and quiet provenance indicator for each rule result. Wave C task 5 complete. | Implementer |
|
||||
| 2025-12-04 | UI-ORCH-32-001 DONE: Implemented Orchestrator RBAC surfacing. Added orch:read/operate/quota/backfill scopes to `scopes.ts`, ORCH_VIEWER/ORCH_OPERATOR/ORCH_ADMIN scope groups, scope labels. Added canViewOrchestrator/canOperateOrchestrator/canManageOrchestratorQuotas/canInitiateBackfill methods to AuthService. Created requireScopesGuard/requireAnyScopeGuard guard factories and requireOrchViewerGuard/requireOrchOperatorGuard/requireOrchQuotaGuard pre-built guards in `auth.guard.ts`. Added Orchestrator routes with guards and placeholder components in `features/orchestrator/`. Wave B complete. | Implementer |
|
||||
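Review bot: The 2025-12-04 "Wave C Unblocking Infrastructure" entry lists 11 Policy Studio scopes but only 10 AuthService methods and 7 guards, and the lists do not line up: no `can*` method is named for `policy:submit` or `policy:promote`, and there is no guard for activate, publish or promote. Please document which scope each method and guard checks, and note where the backend enforces these scopes, since route guards in the UI only control what is shown. The "Policy DSL schema" line at the top of this hunk also dates the work 2025-12-05 while the log entry is dated 2025-12-04.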
@@ -84,3 +75,13 @@
|
||||
| 2025-12-04 | UI-LNM-22-003 DONE: Implemented VEX tab with status summary cards, conflict indicators, decision cards with justification/scope/validity/evidence display, and export actions (JSON/OpenVEX/CSAF). Added VexDecision/VexConflict/VexStatusSummary models to `evidence.models.ts`. | Implementer |
|
||||
| 2025-12-04 | UI-LNM-22-002 DONE: Implemented observation filters (source, severity bucket, conflict-only, CVSS vector presence) and pagination with page size selector in `evidence-panel.component.ts/html/scss`. Added filter models to `evidence.models.ts`. | Implementer |
|
||||
| 2025-11-30 | Normalised sprint to standard template and renamed file from `SPRINT_210_ui_ii.md` to `SPRINT_0210_0001_0002_ui_ii.md`; preserved task list and advisory links. | Planning |
|
||||
|
||||
## Decisions & Risks
|
||||
| Risk | Impact | Mitigation | Owner / Signal |
|
||||
| --- | --- | --- | --- |
|
||||
| ~~VEX schema changes post-sprint 0215~~ | ~~Rework of tasks 2–3~~ | ✅ MITIGATED: VEX tab implemented, schema stable | UI Guild · VEX lead |
|
||||
| ~~`orch:read` scope contract slips~~ | ~~Task 4 blocked~~ | ✅ MITIGATED: Scopes/guards implemented | UI Guild · Console Guild |
|
||||
| ~~Policy DSL/simulator API churn~~ | ~~Tasks 6–15 blocked~~ | ✅ MITIGATED: Monaco language def, RBAC scopes/guards, API client, models created (2025-12-05) | UI Guild · Policy Guild |
|
||||
|
||||
## Next Checkpoints
|
||||
- None scheduled; add dates once UI Guild sets Wave A/B/C reviews.
|
||||
|
||||
99
docs/implplan/SPRINT_0300_0001_0001_documentation_process.md
Normal file
@@ -0,0 +1,99 @@
|
||||
# Sprint 0300 · Documentation & Process
|
||||
|
||||
## Topic & Scope
|
||||
- Govern documentation process ladder, keeping Docs Tasks Md.I (Sprint 301) and follow-on Md phases sequenced and resourced.
|
||||
- Coordinate module dossier refreshes once Docs Tasks Md ladder has progressed enough to support them.
|
||||
- Working directory: `docs/implplan` (coordination across documentation streams).
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Requires upstream enablement from Sprint 100.A (Attestor), 110.A (Advisory AI), 120.A (AirGap), 130.A (Scanner), 140.A (Graph), 150.A (Orchestrator), 160.A (Evidence Locker), 170.A (Notifier), 180.A (CLI), and 190.A (Ops Deployment).
|
||||
- 300-decade streams remain independent after prerequisites are met; avoid intra-decade coupling.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- `docs/implplan/README.md`
|
||||
- `docs/modules/platform/architecture-overview.md`
|
||||
- `docs/README.md`
|
||||
|
||||
## Delivery Tracker
|
||||
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| 1 | DOCS-TASKS-MD-200.A | BLOCKED (2025-11-19) | Attestor 100.A; Advisory AI 110.A; AirGap 120.A; Scanner 130.A; Graph 140.A; Orchestrator 150.A; EvidenceLocker 160.A; Notifier 170.A; CLI 180.A; Ops Deployment 190.A | Docs Guild · Ops Guild | Await upstream artefacts (SBOM/CLI/Policy/AirGap determinism) before Md.I template rollout can continue. |
|
||||
| 2 | DOCS-DOSSIERS-200.B | TODO | Docs Tasks Md ladder to at least Md.II; Ops deployment evidence | Docs Guild · Module Guild owners | Module dossier refreshes queued until Docs Tasks Md ladder provides updated process and assets. |
|
||||
| 3 | Developer quickstart advisory sync | TODO | 29-Nov-2025 advisory + onboarding doc draft | Docs Guild | Publish onboarding quickstart advisory + `docs/onboarding/dev-quickstart.md`; update `docs/README.md`, `modules/platform/architecture-overview.md`, `ADVISORY_INDEX.md`; confirm sprint/AGENTS references per advisory workflow. |
|
||||
| 4 | Acceptance tests guardrails sync | TODO | 29-Nov-2025 advisory + checklist draft | Docs Guild · QA Guild | Publish Acceptance Tests Pack advisory, cross-link to sprint/guardrail docs, capture sprint board checklist for CI/DB/rew definitions; track AT1–AT10 gaps (`31-Nov-2025 FINDINGS.md`); align schema/signing/offline pack + reporting SLOs. |
|
||||
| 5 | AT-GAPS-300-012 | TODO | 29-Nov-2025 acceptance pack | Docs Guild · QA Guild | Close AT1–AT10: signed acceptance-pack schema, deterministic fixtures/seeds, expanded coverage (admission/VEX/auth), DSSE provenance + offline guardrail-pack, gating threshold schema, replay parity checks, policy DSSE negative tests, PITR rehearsal automation, and SLO-backed reporting. |
|
||||
| 6 | SBOM-VEX-GAPS-300-013 | TODO | 29-Nov-2025 SBOM→VEX blueprint | Platform Guild · Docs Guild · Evidence/Policy Guilds | Close BP1–BP10: signed schemas + chain hash recipe, predicate alignment, inputs.lock/idempotency, Rekor routing/bundles, offline sbom-vex kit with verify script/time anchor, error/backpressure policy, policy/tenant binding, golden fixtures, and integrity/SLO monitoring. |
|
||||
| 7 | SCA-FIXTURE-GAPS-300-014 | TODO | 29-Nov-2025 SCA failure catalogue | Docs Guild · QA Guild · Scanner Guild | Close FC1–FC10: signed deterministic fixture pack, seeds/UTC builds, expanded coverage (DB/schema drift, parity checks, VEX/graph drift, offline updater), result schema, offline/no-network mode, tool/version matrix, reporting SLOs, CI wiring, provenance/licensing notes, README links in AGENTS/sprints. |
|
||||
| 8 | ONBOARD-GAPS-300-015 | TODO | 29-Nov-2025 mid-level .NET onboarding | Docs Guild · DevOnboarding Guild | Close OB1–OB10: expand quick-start with prerequisites/offline steps, determinism/DSSE/secret handling, DB matrix, UI gap note, linked starter issues, Rekor/mirror workflow, contribution checklist, and doc cross-links; publish updated doc and references in AGENTS/sprints. |
|
||||
| 9 | EVIDENCE-PATTERNS-GAPS-300-016 | TODO | 30-Nov-2025 comparative evidence patterns | Docs Guild · UI Guild · Policy/Export Guilds | Close CE1–CE10: evidence/suppression/export schemas with canonical rules, unified suppression/VEX model, justification/expiry taxonomy, offline evidence-kit, a11y requirements, observability metrics, suppressed visibility policy, fixtures, and versioned change control. |
|
||||
| 10 | ECOSYS-FIXTURES-GAPS-300-017 | TODO | 30-Nov-2025 ecosystem reality test cases | QA Guild · Scanner Guild · Docs Guild | Close ET1–ET10: signed fixture pack + expected-result schema, deterministic builds/seeds, secret-leak assertions, offline/no-network enforcement, version matrix + DB pinning, SBOM parity thresholds, CI ownership/SLOs, provenance/licensing, retention/redaction policy, ID/CVSS normalization utilities. |
|
||||
| 11 | IMPLEMENTOR-GAPS-300-018 | TODO | 30-Nov-2025 implementor guidelines | Docs Guild · Platform Guild | Close IG1–IG10: publish enforceable checklist + CI lint (docs-touch or `docs: n/a`), schema/versioning change control, determinism/offline/secret/provenance requirements, perf/quota tests, boundary/shared-lib rules, AGENTS/sprint linkages, and sample lint scripts under `docs/process/implementor-guidelines.md`. |
|
||||
| 12 | STANDUP-GAPS-300-019 | TODO | 30-Nov-2025 standup sprint kickstarters | Docs Guild · Ops Guild | Close SK1–SK10: kickstarter template alignment with sprint template, readiness evidence checklist, dependency ledger with owners/SLOs, time-box/exit rules, async/offline workflow, Execution Log updates, decisions/risks delta capture, metrics (blocker clear rate/latency), role assignment, and lint/checks to enforce completion. |
|
||||
| 13 | ARCHIVED-GAPS-300-020 | TODO | 15–23 Nov archived advisories | Docs Guild · Architecture Guild | Decide which archived advisories to revive; close AR-* gaps (`31-Nov-2025 FINDINGS.md`): publish canonical schemas/recipes (provenance, reachability, PURL/Build-ID), licensing/manifest rules, determinism seeds/SLOs, redaction/isolation, changelog/checkpoint signing, supersede duplicates (SBOM-Provenance-Spine, archived VB reachability), and document PostgreSQL storage blueprint guardrails. |
|
||||
| 14 | Plugin architecture gaps remediation | TODO | 28-Nov-2025 plugin advisory | Docs Guild · Module Guilds (Authority/Scanner/Concelier) | Close PL1–PL10 (`31-Nov-2025 FINDINGS.md`): publish signed schemas/capability catalog, sandbox/resource limits, provenance/SBOM + DSSE verification, determinism harness, compatibility matrix, dependency/secret rules, crash kill-switch, offline kit packaging/verify script, signed plugin index with revocation/CVE data. |
|
||||
| 15 | CVSS v4.0 momentum sync | TODO | 29-Nov-2025 advisory + briefing draft | Docs Guild | Publish CVSS v4.0 momentum briefing, highlight adoption signals, and link to sprint decisions for `SPRINT_0190.*` and docs coverage. |
|
||||
| 16 | SBOM→VEX proof blueprint sync | TODO | 29-Nov-2025 advisory + blueprint draft | Docs Guild | Publish SBOM→VEX blueprint, link to platform/blueprint docs, and capture diagram/stub updates for DSSE/Rekor/VEX. |
|
||||
| 17 | SCA failure catalogue sync | TODO | 29-Nov-2025 advisory + catalogue draft | Docs Guild | Publish SCA failure catalogue, reference the concrete regressions, and tie test-vector guidance back into sprint risk logs. |
|
||||
| 18 | Implementor guidelines sync | TODO | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Implementor Guidelines advisory, note the checklist extraction, and mention the doc in sprint/AGENTS references. |
|
||||
| 19 | Rekor receipt checklist sync | TODO | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Rekor Receipt Checklist, update module docs (Authority/Sbomer/Vexer) with ownership map, and highlight offline metadata requirements. |
|
||||
| 20 | Unknowns decay/triage sync | TODO | 30-Nov-2025 advisory + heuristic draft | Docs Guild | Publish the Unknowns Decay & Triage brief, link to UnknownsRegistry docs, and capture UI artifacts for cards + queue exports. |
|
||||
| 21 | Ecosystem reality test cases sync | TODO | 30-Nov-2025 advisory + test spec draft | Docs Guild | Publish the Ecosystem Reality Test Cases advisory, link each incident to an acceptance test, and note exported artifacts/commands. |
|
||||
| 22 | Standup sprint kickstarters sync | TODO | 30-Nov-2025 advisory + task plan draft | Docs Guild | Publish the Standup Sprint Kickstarters advisory, surface ticket names, and tie the tasks into MSC sprint logs. |
|
||||
| 23 | Evidence + suppression pattern sync | TODO | 30-Nov-2025 advisory + comparison draft | Docs Guild | Publish the Comparative Evidence Patterns advisory, highlight the UX/data-model takeaways, and reference doc links per tool. |
|
||||
|
||||
## Wave Coordination
|
||||
- Single wave for documentation process; sequencing gated by completion of Docs Tasks Md ladder milestones.
|
||||
|
||||
## Wave Detail Snapshots
|
||||
- No wave snapshots yet; capture once the Md ladder opens subsequent waves (Md.II onward).
|
||||
|
||||
## Interlocks
|
||||
- BLOCKED tasks must be traced via `BLOCKED_DEPENDENCY_TREE.md` before work starts.
|
||||
- Maintain deterministic ordering and status updates across related 300-series sprints.
|
||||
|
||||
## Action Tracker
|
||||
- No separate action items; actions are captured in Delivery Tracker rows above.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-11-13 | Sprint 300 switched to topic-oriented template; Docs Tasks Md ladder marked DOING to reflect ongoing restructuring work. | Docs Guild |
|
||||
| 2025-11-19 | Marked Docs Tasks Md ladder BLOCKED pending upstream artefacts for Md.I dossier rollouts. | Implementer |
|
||||
| 2025-11-30 | Added the 29-Nov-2025 Developer Quickstart advisory, `docs/onboarding/dev-quickstart.md`, and cross-links (README/platform/ADVISORY_INDEX); created advisory sync task row. | Docs Guild |
|
||||
| 2025-11-30 | Added the 29-Nov-2025 Acceptance Tests Pack advisory and checklist; noted new task row for guardrail sprint artifacts. | Docs Guild |
|
||||
| 2025-11-30 | Added the 29-Nov-2025 CVSS v4.0 Momentum advisory and indexed the adoption briefing; noted sprint sync row for CVSS momentum context. | Docs Guild |
|
||||
| 2025-11-30 | Added the 29-Nov-2025 SCA Failure Catalogue advisory and indexed the concrete test vectors; noted sprint sync row for failure catalog references. | Docs Guild |
|
||||
| 2025-11-30 | Added the 29-Nov-2025 SBOM→VEX Proof Blueprint advisory and outlined diagram/stub follow-up; logged sprint sync row for the blueprint. | Docs Guild |
|
||||
| 2025-11-30 | Added the 30-Nov-2025 Rekor Receipt Checklist advisory and noted the ownership/action map for Authority/Sbomer/Vexer. | Docs Guild |
|
||||
| 2025-11-30 | Added the 30-Nov-2025 Ecosystem Reality Test Cases advisory (credential leak, Trivy offline DB, SBOM parity, Grype divergence) and logged the acceptance test intent. | Docs Guild |
|
||||
| 2025-11-30 | Added the 30-Nov-2025 Unknowns Decay & Triage advisory and noted UI + export artifacts for UnknownsRegistry + queues. | Docs Guild |
|
||||
| 2025-11-30 | Added the 30-Nov-2025 Standup Sprint Kickstarters advisory, highlighting the three unblocker tasks/tickets and the proposed owners. | Docs Guild |
|
||||
| 2025-11-30 | Added the 30-Nov-2025 Comparative Evidence Patterns advisory and recorded cross-tool evidence/suppression nuggets for UX designers. | Docs Guild |
|
||||
| 2025-11-30 | Added the 30-Nov-2025 Implementor Guidelines advisory and checked the docs + sprint sync references; the row stays TODO until docs link updates finish. | Docs Guild |
|
||||
| 2025-12-01 | Added AT-GAPS-300-012 to track AT1–AT10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending schema/signing/offline pack updates. | Project Mgmt |
|
||||
| 2025-12-01 | Added SBOM-VEX-GAPS-300-013 to track BP1–BP10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending chain schema/hash publication and sbom-vex kit design. | Project Mgmt |
|
||||
| 2025-12-01 | Added SCA-FIXTURE-GAPS-300-014 to track FC1–FC10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending fixture pack/signing/offline gating. | Project Mgmt |
|
||||
| 2025-12-01 | Added ONBOARD-GAPS-300-015 to track OB1–OB10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending quick-start expansion and cross-links. | Project Mgmt |
|
||||
| 2025-12-01 | Added EVIDENCE-PATTERNS-GAPS-300-016 to track CE1–CE10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending evidence/suppression schema work and offline kit design. | Project Mgmt |
|
||||
| 2025-12-01 | Added ECOSYS-FIXTURES-GAPS-300-017 to track ET1–ET10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending fixture pack creation and CI wiring. | Project Mgmt |
|
||||
| 2025-12-01 | Added IMPLEMENTOR-GAPS-300-018 to track IG1–IG10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending enforceable checklist/CI gates rollout. | Project Mgmt |
|
||||
| 2025-12-01 | Added STANDUP-GAPS-300-019 to track SK1–SK10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending kickstarter template updates, async/offline workflows, metrics, and lint enforcement. | Project Mgmt |
|
||||
| 2025-12-01 | Added ARCHIVED-GAPS-300-020 to triage AR-* gaps from archived advisories (15–23 Nov 2025); status TODO pending decision on which to revive and schema/recipe publication. | Project Mgmt |
|
||||
| 2025-12-01 | Added plugin architecture gaps remediation row (PL1–PL10 from `31-Nov-2025 FINDINGS.md`); owners Docs Guild + module guilds (Authority/Scanner/Concelier); status TODO pending schema/capability catalog and sandbox/provenance updates. | Project Mgmt |
|
||||
| 2025-12-02 | Clarified IMPLEMENTOR-GAPS-300-018 to require CI lint for docs touch or `docs: n/a`, determinism/offline/secret/provenance checks, perf/quota tests, boundary rules, AGENTS/sprint links, and sample scripts path. | Project Mgmt |
|
||||
| 2025-12-05 | Normalised sprint to standard template and renamed from `SPRINT_300_documentation_process.md` to `SPRINT_0300_0001_0001_documentation_process.md`. | Project Mgmt |
|
||||
|
||||
## Decisions & Risks
|
||||
| Item | Type | Owner(s) | Due | Notes |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| Confirm sequencing gates between Md.I and module dossiers | Decision | Docs Guild · Module guild leads | 2025-11-18 | Needed before opening 312–335 sprints. |
|
||||
| Docs capacity constrained while Md.I remains open | Risk | Docs Guild | Ongoing | Track velocity; request backup writers if Md.I exceeds 2-week window. |
|
||||
|
||||
## Next Checkpoints
|
||||
| Date (UTC) | Session | Goal | Owner(s) |
|
||||
| --- | --- | --- | --- |
|
||||
| 2025-11-15 | Docs ladder stand-up | Review Md.I progress, confirm readiness to open Md.II (Sprint 302). | Docs Guild |
|
||||
| 2025-11-18 | Module dossier planning call | Validate prerequisites before flipping dossier sprints to DOING. | Docs Guild · Module guild leads |
|
||||
|
||||
## Appendix
|
||||
- Prior version archived at `docs/implplan/archived/SPRINT_300_documentation_process_2025-11-13.md`.
|
||||
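Review bot: The findings file is cited as `31-Nov-2025 FINDINGS.md` in Delivery Tracker rows 4, 13 and 14 and in most of the 2025-12-01 Execution Log entries, but November has 30 days, so either the file name carries a wrong date or the references point at a file that does not exist. Confirm the real name and cite it with a full repo-relative path, as the Appendix does for the archived sprint. Separately, both Next Checkpoints (2025-11-15, 2025-11-18) and the sequencing decision due 2025-11-18 predate the 2025-12-05 log entry with no recorded outcome; log the result or re-date them. "CI/DB/rew definitions" in row 4 looks like a truncated word.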
78
docs/implplan/SPRINT_0308_0001_0008_docs_tasks_md_viii.md
Normal file
@@ -0,0 +1,78 @@
|
||||
# Sprint 0308-0001-0008 · Documentation & Process · Docs Tasks Md.VIII
|
||||
|
||||
## Topic & Scope
|
||||
- Advance the Docs Tasks ladder (Md.VIII) for the policy stack: promotion, CLI, API, attestations, registry architecture, telemetry, incident/runbook, templates, and AOC guardrails.
|
||||
- Launch the risk documentation chain (overview → profiles → factors → formulas → explainability → API) with deterministic, offline-friendly examples.
|
||||
- Keep outputs reproducible (fixed fixtures, ordered tables) and align hand-offs between Md.VII inputs and Md.IX expectations.
|
||||
- **Working directory:** `docs/` (policy and risk subtrees; sprint planning remains in `docs/implplan/`).
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: Sprint 200.A - Docs Tasks.Md.VII; DOCS-POLICY-27-005 completion; registry schema/telemetry inputs; risk engine/API schemas.
|
||||
- Downstream: Sprint 0309 (Md.IX) expects promotion/CLI/API drafts; avoid back-edges from this file to later phases.
|
||||
- Concurrency rules: Policy chain is strictly sequential (27-006 → 27-014). Risk chain is sequential (66-001 → 67-002). Work in order; do not parallelize without upstream evidence.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- docs/README.md
|
||||
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
|
||||
- docs/modules/platform/architecture-overview.md
|
||||
- docs/modules/policy/architecture.md
|
||||
- docs/implplan/BLOCKED_DEPENDENCY_TREE.md
|
||||
|
||||
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review `docs/implplan/BLOCKED_DEPENDENCY_TREE.md` for root blockers and dependencies.
|
||||
|
||||
## Delivery Tracker
|
||||
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| 1 | DOCS-POLICY-27-006 | BLOCKED (2025-10-27) | Waiting on DOCS-POLICY-27-005 outputs. | Docs Guild · Policy Guild | Author `/docs/policy/promotion.md` (environments, canary, rollback, monitoring). |
|
||||
| 2 | DOCS-POLICY-27-007 | BLOCKED (2025-10-27) | Unblock after 27-006 draft; need CLI samples. | Docs Guild · DevEx/CLI Guild | Update `/docs/policy/cli.md` with commands, JSON schemas, CI usage, compliance checklist. |
|
||||
| 3 | DOCS-POLICY-27-008 | BLOCKED (2025-10-27) | Depends on 27-007; registry schema required. | Docs Guild · Policy Registry Guild | Publish `/docs/policy/api.md` (registry endpoints, request/response schemas, errors, feature flags). |
|
||||
| 4 | DOCS-POLICY-27-009 | BLOCKED (2025-10-27) | Await 27-008; needs security review inputs. | Docs Guild · Security Guild | Create `/docs/security/policy-attestations.md` (signing, verification, key rotation, compliance checklist). |
|
||||
| 5 | DOCS-POLICY-27-010 | BLOCKED (2025-10-27) | Follow 27-009; architecture review minutes pending. | Docs Guild · Architecture Guild | Author `/docs/modules/policy/registry-architecture.md` (service design, schemas, queues, failure modes) with diagrams and checklist. |
|
||||
| 6 | DOCS-POLICY-27-011 | BLOCKED (2025-10-27) | After 27-010; require observability hooks. | Docs Guild · Observability Guild | Publish `/docs/observability/policy-telemetry.md` with metrics/log tables, dashboards, alerts, and compliance checklist. |
|
||||
| 7 | DOCS-POLICY-27-012 | BLOCKED (2025-10-27) | After 27-011; needs ops playbooks. | Docs Guild · Ops Guild | Write `/docs/runbooks/policy-incident.md` (rollback, freeze, forensic steps, notifications). |
|
||||
| 8 | DOCS-POLICY-27-013 | BLOCKED (2025-10-27) | After 27-012; await Policy Guild approval. | Docs Guild · Policy Guild | Update `/docs/examples/policy-templates.md` with new templates, snippets, sample policies. |
|
||||
| 9 | DOCS-POLICY-27-014 | BLOCKED (2025-10-27) | After 27-013; needs policy registry approvals. | Docs Guild · Policy Registry Guild | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. |
|
||||
| 10 | DOCS-RISK-66-001 | TODO | Need schema approvals from Risk Profile Schema Guild. | Docs Guild · Risk Profile Schema Guild | Publish `/docs/risk/overview.md` (concepts and glossary). |
|
||||
| 11 | DOCS-RISK-66-002 | TODO | Depends on 66-001 approval. | Docs Guild · Policy Guild | Author `/docs/risk/profiles.md` (authoring, versioning, scope). |
|
||||
| 12 | DOCS-RISK-66-003 | TODO | Depends on 66-002; requires engine contract. | Docs Guild · Risk Engine Guild | Publish `/docs/risk/factors.md` (signals, transforms, reducers, TTLs). |
|
||||
| 13 | DOCS-RISK-66-004 | TODO | Depends on 66-003; awaiting engine rollout notes. | Docs Guild · Risk Engine Guild | Create `/docs/risk/formulas.md` (math, normalization, gating, severity). |
|
||||
| 14 | DOCS-RISK-67-001 | TODO | Depends on 66-004; need engine metrics/screenshots. | Docs Guild · Risk Engine Guild | Publish `/docs/risk/explainability.md` (artifact schema, UI screenshots). |
|
||||
| 15 | DOCS-RISK-67-002 | TODO | Depends on 67-001; needs API publishing workflow. | Docs Guild · API Guild | Produce `/docs/risk/api.md` with endpoint reference/examples. |
|
||||
|
||||
## Wave Coordination
|
||||
- Single wave for Md.VIII; no per-wave snapshots required. Revisit if tasks split across guild weeks.
|
||||
|
||||
## Wave Detail Snapshots
|
||||
- None yet. Add summaries per wave if/when staged deliveries are planned.
|
||||
|
||||
## Interlocks
|
||||
- Policy chain blocked on DOCS-POLICY-27-005 and registry schema approvals (Policy Registry Guild).
|
||||
- Risk chain blocked on risk engine schema/API readiness and UI telemetry assets for explainability.
|
||||
|
||||
## Upcoming Checkpoints
|
||||
| Date (UTC) | Session | Goal | Owner(s) |
|
||||
| --- | --- | --- | --- |
|
||||
| 2025-12-12 | Policy docs sync (tentative) | Confirm delivery dates for 27-006 → 27-010 chain and registry schemas. | Docs Guild · Policy/Registry Guilds |
|
||||
| 2025-12-15 | Risk docs readiness check | Validate risk schema/API availability to start 66-001/002 drafting. | Docs Guild · Risk Engine Guild |
|
||||
|
||||
## Action Tracker
|
||||
| Item | Owner | Due | Status |
|
||||
| --- | --- | --- | --- |
|
||||
| Confirm DOCS-POLICY-27-005 completion signal | Policy Guild | 2025-12-11 | OPEN |
|
||||
| Publish upstream evidence list in BLOCKED_DEPENDENCY_TREE | Docs Guild | 2025-12-11 | OPEN |
|
||||
|
||||
## Decisions & Risks
|
||||
### Decisions
|
||||
- None recorded in this sprint yet; capture approvals once upstream dependencies land.
|
||||
|
||||
### Risks
|
||||
| Risk | Impact | Mitigation |
|
||||
| --- | --- | --- |
|
||||
| DOCS-POLICY-27 chain blocked by missing promotion/registry inputs | Entire policy documentation ladder stalls; pushes Md.IX hand-off | Track in BLOCKED_DEPENDENCY_TREE; weekly check-ins with Policy/Registry Guilds; stage scaffolds while waiting. |
|
||||
| Risk documentation chain lacks schema/API fixtures | Delays 66-001 → 67-002 publications and Md.IX readiness | Align with Risk Engine Guild milestones; collect sample payloads/metrics ahead of drafting; keep outputs deterministic. |
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | Renamed sprint file to `SPRINT_0308_0001_0008_docs_tasks_md_viii.md` to match naming convention. | Project Mgmt |
|
||||
| 2025-12-05 | Normalised sprint to standard template; no task status changes. | Project Mgmt |
|
||||
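Review bot: Delivery Tracker rows 10 to 15 (DOCS-RISK-66-001 through DOCS-RISK-67-002) are marked TODO, while Interlocks states "Risk chain blocked on risk engine schema/API readiness" and the Risks table lists the missing schema/API fixtures as delaying the same chain. Pick one: if the chain is blocked, mark the rows BLOCKED with a date as rows 1 to 9 do, so the `BLOCKED_DEPENDENCY_TREE.md` pointer applies to them; otherwise reword Interlocks to "depends on". The title also writes the sprint id as `0308-0001-0008` with hyphens where the file name uses `SPRINT_0308_0001_0008`, and Upstream cites "Sprint 200.A - Docs Tasks.Md.VII" rather than a sprint id in the numbering used for the Downstream entry (Sprint 0309).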
77
docs/implplan/SPRINT_0309_0001_0009_docs_tasks_md_ix.md
Normal file
@@ -0,0 +1,77 @@
|
||||
# Sprint 0309_0001_0009 · Documentation & Process · Docs Tasks Md IX
|
||||
|
||||
## Topic & Scope
|
||||
- Phase Md.IX of the docs ladder, covering risk UI/CLI flows, offline risk bundles, SDK overview/language guides, auth/redaction security docs, and the reachability/signals doc chain (states, callgraphs, runtime facts, weighting, UI overlays, CLI, API).
|
||||
- Active items only; completed or historic work sits in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
|
||||
- **Working directory:** `docs/` (module guides, console/CLI/UI/risk/signals docs; assets under `docs/assets/**` as needed).
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: Sprint 308 (Docs Tasks Md VIII) hand-off plus DOCS-RISK-67-002 (risk API) and earlier signals schema decisions.
|
||||
- Concurrency: Later Md phases (310–311) stay queued; coordinate with Console/CLI/UI/Signals guilds for shared assets and schema drops.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- `docs/README.md`
|
||||
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
|
||||
- `docs/modules/platform/architecture-overview.md`
|
||||
- `docs/AGENTS.md`, `docs/implplan/AGENTS.md`
|
||||
- **BLOCKED tasks:** review `BLOCKED_DEPENDENCY_TREE.md` before starting items marked as blocked in upstream sprints.
|
||||
|
||||
## Delivery Tracker
|
||||
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| 1 | DOCS-RISK-67-003 | TODO | Await DOCS-RISK-67-002 content and console UI assets (authoring/simulation dashboards). | Docs Guild · Console Guild | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. |
|
||||
| 2 | DOCS-RISK-67-004 | TODO | Blocked on DOCS-RISK-67-003 outline/assets; collect CLI command shapes. | Docs Guild · CLI Guild | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. |
|
||||
| 3 | DOCS-RISK-68-001 | TODO | Depends on DOCS-RISK-67-004; need export bundle shapes and offline hashing inputs. | Docs Guild · Export Guild | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. |
|
||||
| 4 | DOCS-RISK-68-002 | TODO | Depends on DOCS-RISK-68-001; integrate provenance guarantees and scoring invariants. | Docs Guild · Security Guild | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. |
|
||||
| 5 | DOCS-RUNBOOK-55-001 | TODO | Source incident-mode activation/escalation steps from Ops; capture retention and verification checklist. | Docs Guild · Ops Guild | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. |
|
||||
| 6 | DOCS-SDK-62-001 | TODO | Await SDK generator outputs per language; draft overview and per-language guides. | Docs Guild · SDK Generator Guild | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). |
|
||||
| 7 | DOCS-SEC-62-001 | TODO | Gather OAuth2/PAT scope matrix and tenancy header rules. | Docs Guild · Authority Core | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. |
|
||||
| 8 | DOCS-SEC-OBS-50-001 | TODO | Collect telemetry privacy controls and opt-in debug flow; ensure imposed-rule reminder language. | Docs Guild · Security Guild | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. |
|
||||
| 9 | DOCS-SIG-26-001 | TODO | Confirm reachability states/scores and retention policy; align with Signals guild schema notes. | Docs Guild · Signals Guild | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. |
|
||||
| 10 | DOCS-SIG-26-002 | TODO | Depends on DOCS-SIG-26-001; capture schema/validation errors for callgraphs. | Docs Guild · Signals Guild | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. |
|
||||
| 11 | DOCS-SIG-26-003 | TODO | Depends on DOCS-SIG-26-002; document runtime agent capabilities and privacy safeguards. | Docs Guild · Runtime Guild | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. |
|
||||
| 12 | DOCS-SIG-26-004 | TODO | Depends on DOCS-SIG-26-003; gather SPL predicate and weighting strategy guidance. | Docs Guild · Policy Guild | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. |
|
||||
| 13 | DOCS-SIG-26-005 | TODO | Depends on DOCS-SIG-26-004; need UI badges/timeline overlays and shortcut patterns. | Docs Guild · UI Guild | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. |
|
||||
| 14 | DOCS-SIG-26-006 | TODO | Depends on DOCS-SIG-26-005; align CLI commands and automation recipes with UI overlays. | Docs Guild · DevEx/CLI Guild | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. |
|
||||
| 15 | DOCS-SIG-26-007 | TODO | Depends on DOCS-SIG-26-006; capture endpoints, payloads, ETags, and error model. | Docs Guild · BE-Base Platform Guild | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. |
|
||||
|
||||
## Wave Coordination
|
||||
- Single wave for Md.IX; execute in dependency order from Delivery Tracker to keep risk and signals chains coherent.
|
||||
|
||||
## Wave Detail Snapshots
|
||||
- No additional wave snapshots; Delivery Tracker ordering suffices for this single-wave sprint.
|
||||
|
||||
## Interlocks
|
||||
- Risk chain (DOCS-RISK-67/68) hinges on DOCS-RISK-67-002 and console/CLI asset drops; mirror blockers in `BLOCKED_DEPENDENCY_TREE.md`.
|
||||
- Signals chain (DOCS-SIG-26-001..007) depends on schema/asset hand-offs from Signals, UI, and CLI guilds.
|
||||
- SDK deliverable requires generator outputs across four languages to avoid drift between guides.
|
||||
|
||||
## Upcoming Checkpoints
|
||||
| Date (UTC) | Session | Goal | Owner(s) |
|
||||
| --- | --- | --- | --- |
|
||||
| TBD | Md.VIII → Md.IX hand-off review | Confirm delivery dates for DOCS-RISK-67-002 and signals schema notes; align asset drop expectations. | Docs Guild · Console Guild · Signals Guild |
|
||||
| TBD | Md.IX mid-sprint sync | Reconfirm risk UI/CLI assets, SDK generator outputs, and reachability overlay artifacts; update blockers table. | Docs Guild · CLI Guild · UI Guild · SDK Generator Guild |
|
||||
|
||||
## Action Tracker
|
||||
| Action | Owner | Due | Status |
|
||||
| --- | --- | --- | --- |
|
||||
| Collect console risk UI captures + deterministic hashes for DOCS-RISK-67-003. | Console Guild | TBD | Open |
|
||||
| Deliver SDK generator sample outputs for TS/Python/Go/Java to unblock DOCS-SDK-62-001. | SDK Generator Guild | TBD | Open |
|
||||
|
||||
## Decisions & Risks
|
||||
### Decisions
|
||||
| Decision | Owner(s) | Due | Notes |
|
||||
| --- | --- | --- | --- |
|
||||
| Keep Md.IX scope limited to risk/SDK/security/signals doc set; defer new module docs until upstream assets arrive. | Docs Guild | 2025-12-05 | Prevents churn while asset/schema drops are pending. |
|
||||
|
||||
### Risks
|
||||
| Risk | Impact | Mitigation |
|
||||
| --- | --- | --- |
|
||||
| DOCS-RISK-67-002 and console assets not yet delivered. | Blocks DOCS-RISK-67-003/004/68-001/68-002 chain. | Track in `BLOCKED_DEPENDENCY_TREE.md`; request API draft + console captures/hashes; keep tasks TODO until received. |
|
||||
| Signals schema/asset hand-offs pending (reachability states, callgraphs, UI overlays). | Blocks DOCS-SIG-26-001..007 sequence. | Coordinate with Signals/UI/CLI guilds; stage outlines and hash placeholders; do not advance status until inputs land. |
|
||||
| SDK generator outputs not finalized across four languages. | Delays DOCS-SDK-62-001 and downstream language guides. | Ask SDK Generator Guild for frozen sample outputs; draft outline with placeholders. |
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | Normalised sprint to docs/implplan template and renamed file to `SPRINT_0309_0001_0009_docs_tasks_md_ix.md`; no task status changes. | Project Mgmt |
|
||||
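Review bot: Both Upcoming Checkpoints and both Action Tracker rows carry `TBD` dates, yet the Risks table depends on those same hand-offs (DOCS-RISK-67-002 and console captures/hashes, signals schema notes, SDK generator sample outputs) to unblock every chain in this sprint. Give each a target date or name the event that triggers it, so the blockers can be tracked. In Delivery Tracker row 2 the status is TODO while the dependency column reads "Blocked on DOCS-RISK-67-003 outline/assets"; use "Depends on" as rows 3 and 4 do, or mark the row BLOCKED. Dependencies also cites "Sprint 308" where the file and title use 0308/0309-style ids.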
72
docs/implplan/SPRINT_0310_0001_0010_docs_tasks_md_x.md
Normal file
@@ -0,0 +1,72 @@
|
||||
# Sprint 0310_0001_0010 · Documentation & Process — Docs Tasks Md.X
|
||||
|
||||
## Topic & Scope
|
||||
- Advance the tenth Docs Tasks wave (Md.X) with tenancy, reachability, scanner surface/bench, and VEX consensus documentation ready for downstream consumers.
|
||||
- Align doc outputs with upstream implementation sprints (Surface, Tenancy, VEX Lens) and ensure guidance stays deterministic/offline-friendly.
|
||||
- Evidence expected: published/updated markdown in `docs/**` plus traceable task status in this sprint.
|
||||
- **Working directory:** `docs/implplan` (coordination) and `docs/` (module and runbook docs referenced in Delivery Tracker).
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream dependency: Sprint 200.A - Docs Tasks.Md.IX and any blockers listed in `BLOCKED_DEPENDENCY_TREE.md`. Review before moving tasks to DOING.
|
||||
- Parallel-safe with other docs sprints; maintain deterministic ordering by Task ID when updating tables.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md; docs/modules/platform/architecture-overview.md.
|
||||
- Module dossiers relevant to tasks: docs/modules/scanner/architecture.md; docs/modules/vex-lens/architecture.md; docs/modules/authority/architecture.md; docs/modules/cli/architecture.md.
|
||||
- Tenancy/security ADRs referenced in DVDO0110; surface/replay notes (SCANNER-SURFACE-04, RPRC0101) when available.
|
||||
|
||||
## Delivery Tracker
|
||||
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| 1 | DOCS-SIG-26-008 | TODO | Waiting on DOCS-SIG-26-007 and notifications hooks (058_NOTY0101) | Docs Guild; DevOps Guild | Write `/docs/migration/enable-reachability.md` covering rollout, fallbacks, monitoring. |
|
||||
| 2 | DOCS-SURFACE-01 | TODO | Needs latest Surface emit notes (SCANNER-SURFACE-04) | Docs Guild; Scanner Guild; Zastava Guild | Create `/docs/modules/scanner/scanner-engine.md` for Surface.FS/Env/Secrets workflow across Scanner/Zastava/Scheduler/Ops. |
|
||||
| 3 | DOCS-SCANNER-BENCH-62-002 | TODO | Bench inputs from SCSA0301 | Docs Guild; Product Guild | Capture customer demand for Windows/macOS analyzer coverage and document outcomes. |
|
||||
| 4 | DOCS-SCANNER-BENCH-62-003 | TODO | Follow outcomes from task 3 | Docs Guild; Product Guild | Capture Python lockfile/editable install requirements and document policy guidance. |
|
||||
| 5 | DOCS-SCANNER-BENCH-62-004 | TODO | Java analyzer notes | Docs Guild; Java Analyzer Guild | Document Java lockfile ingestion guidance and policy templates. |
|
||||
| 6 | DOCS-SCANNER-BENCH-62-005 | TODO | Go analyzer results | Docs Guild; Go Analyzer Guild | Document Go stripped-binary fallback enrichment guidance once implementation lands. |
|
||||
| 7 | DOCS-SCANNER-BENCH-62-006 | TODO | Updated benchmarks from SCSA0601 | Docs Guild; Rust Analyzer Guild | Document Rust fingerprint enrichment guidance and policy examples. |
|
||||
| 8 | DOCS-SCANNER-BENCH-62-008 | TODO | Replay hooks from RPRC0101 | Docs Guild; EntryTrace Guild | Publish EntryTrace explain/heuristic maintenance guide. |
|
||||
| 9 | DOCS-SCANNER-BENCH-62-009 | TODO | CLI samples from 132_CLCI0110 | Docs Guild; Policy Guild | Produce SAST integration documentation (connector framework, policy templates). |
|
||||
| 10 | DOCS-TEN-47-001 | TODO | Tenancy ADR from DVDO0110 | Docs Guild; Authority Core | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. |
|
||||
| 11 | DOCS-TEN-48-001 | TODO | Depends on DOCS-TEN-47-001 | Docs Guild; Platform Ops | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. |
|
||||
| 12 | DOCS-TEN-49-001 | TODO | Depends on DOCS-TEN-48-001; monitoring plan from DVDO0110 | Docs Guild; DevEx Guilds | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars (include imposed rule line). |
|
||||
| 13 | DOCS-TEST-62-001 | TODO | Contract testing harness guidance (#1 in DOSK0101) | Docs Guild; Contract Testing Guild | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. |
|
||||
| 14 | DOCS-VEX-30-001 | TODO | Needs PLVL0102 schema snapshot | Docs Guild; VEX Lens Guild | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. |
|
||||
| 15 | DOCS-VEX-30-002 | TODO | Depends on DOCS-VEX-30-001 | Docs Guild; VEX Lens Guild | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. |
|
||||
| 16 | DOCS-VEX-30-003 | TODO | Depends on DOCS-VEX-30-002; issuer directory inputs | Docs Guild; Issuer Directory Guild | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). |
|
||||
| 17 | DOCS-VEX-30-004 | TODO | Depends on DOCS-VEX-30-003; PLVL0102 policy join notes | Docs Guild; VEX Lens Guild | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. |
|
||||
| 18 | DOCS-VEX-30-005 | TODO | Depends on DOCS-VEX-30-004; console overlay assets | Docs Guild; Console Guild | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. |
|
||||
| 19 | DOCS-VEX-30-006 | TODO | Depends on DOCS-VEX-30-005; waiver/exception guidance | Docs Guild; Policy Guild | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. |
|
||||
| 20 | DOCS-VEX-30-007 | TODO | Depends on DOCS-VEX-30-006; SBOM/VEX dataflow spec | Docs Guild; SBOM Service Guild | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). |
|
||||
| 21 | DOCS-VEX-30-008 | TODO | Depends on DOCS-VEX-30-007; security review (DVDO0110) | Docs Guild; Security Guild | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). |
|
||||
| 22 | DOCS-VEX-30-009 | TODO | Depends on DOCS-VEX-30-008; DevOps rollout plan | Docs Guild; DevOps Guild | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. |
|
||||
|
||||
## Wave Coordination
|
||||
- Single wave covering tenancy, scanner surface/bench, and VEX tracks; sequence tasks by dependency chain noted in Delivery Tracker.
|
||||
|
||||
## Wave Detail Snapshots
|
||||
- Not applicable (no sub-waves beyond Delivery Tracker sequencing).
|
||||
|
||||
## Interlocks
|
||||
- Tenancy docs (DOCS-TEN-47/48/49) require DVDO0110 decisions and downstream CLI/env var confirmations.
|
||||
- Reachability migration guide depends on DOCS-SIG-26-007 and notifications hook readiness (058_NOTY0101).
|
||||
- Scanner surface/bench docs depend on analyzer outputs (SCSA0301, SCSA0601), replay hooks (RPRC0101), and CLI samples (132_CLCI0110).
|
||||
- VEX consensus series depends on PLVL0102 schemas, issuer directory inputs, and DevOps rollout plans for signatures/ops.
|
||||
|
||||
## Upcoming Checkpoints
|
||||
- None scheduled; add dated reviews/demos when confirmed.
|
||||
|
||||
## Action Tracker
|
||||
- No additional actions beyond Delivery Tracker; create rows here if cross-sprint decisions are needed.
|
||||
|
||||
## Decisions & Risks
|
||||
| Risk | Impact | Mitigation | Owner |
|
||||
| --- | --- | --- | --- |
|
||||
| Upstream dependencies (DVDO0110, DOCS-SIG-26-007, analyzer outputs) slip | Doc set misses release window or ships with gaps | Track blockers via `BLOCKED_DEPENDENCY_TREE.md`, gate DOING until inputs land, use interim placeholders only with explicit notes | Docs Guild |
|
||||
| Cross-module docs drift in style/terminology | Increased review churn and inconsistent guidance | Align with module dossiers and shared glossary; peer review across guilds before marking tasks DONE | Docs Guild |
|
||||
| Filename change from legacy sprint reference | References could break in aggregators | Replace references in aggregators; note rename in Execution Log | Project management |
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | Normalized sprint to template; renamed from `SPRINT_310_docs_tasks_md_x.md` to `SPRINT_0310_0001_0010_docs_tasks_md_x.md`; no task status changes. | Project management |
|
||||
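Review bot: The Delivery Tracker rows visible here jump from DOCS-SCANNER-BENCH-62-006 (row 7) straight to DOCS-SCANNER-BENCH-62-008 (row 8), with no 62-007 row and no note explaining the gap. The Execution Log entry for 2025-12-05 states "no task status changes", so a reader cannot tell whether 62-007 was completed and archived earlier or dropped during the normalization. Either restore the row or add a line to the Execution Log saying where 62-007 went. A smaller point: "Upcoming Checkpoints" lists none while the first risk row is a missed release window; a dated review against `BLOCKED_DEPENDENCY_TREE.md` would give that mitigation something to hang on.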
81
docs/implplan/SPRINT_0311_0001_0001_docs_tasks_md_xi.md
Normal file
@@ -0,0 +1,81 @@
|
||||
# Sprint 0311_0001_0001 · Documentation & Process · Docs Tasks Md.XI
|
||||
|
||||
## Topic & Scope
|
||||
- Phase Md.XI of the docs ladder covering Vuln Explorer + Findings Ledger: overview, console, API, CLI, ledger, policy, VEX, advisories, SBOM, observability, security, ops, and install guides.
|
||||
- Deliver offline/deterministic artifacts (hash manifests for captures and payloads) aligned with Vuln Explorer and Findings Ledger schemas.
|
||||
- **Working directory:** `docs/` (Vuln Explorer + Findings Ledger docs; fixtures/assets under `docs/assets/vuln-explorer/**`). Active items only; completed work lives in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: Md.X hand-off (SPRINT_0310_0001_0010_docs_tasks_md_x) plus Vuln Explorer GRAP0101 contract and Findings Ledger replay/Merkle notes.
|
||||
- Concurrency: coordinate UI/CLI/Policy/DevOps asset drops; avoid back edges to Md.VIII/IX risk ladders and reachability doc sprints.
|
||||
- BLOCKED tasks must mirror `BLOCKED_DEPENDENCY_TREE.md` before movement.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- `docs/README.md`
|
||||
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
|
||||
- `docs/modules/platform/architecture-overview.md`
|
||||
- `docs/modules/vuln-explorer/architecture.md`
|
||||
- `docs/modules/findings-ledger/README.md`
|
||||
- `docs/implplan/AGENTS.md`
|
||||
|
||||
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
|
||||
|
||||
## Delivery Tracker
|
||||
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| 1 | DOCS-VULN-29-001 | TODO | Await GRAP0101 domain model freeze for Vuln Explorer overview. | Docs Guild · Vuln Explorer Guild | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. |
|
||||
| 2 | DOCS-VULN-29-002 | TODO | Blocked on #1 content/storyboard. | Docs Guild · Console Guild | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. |
|
||||
| 3 | DOCS-VULN-29-003 | TODO | Needs API schema + query examples after #2. | Docs Guild · Vuln Explorer API Guild | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). |
|
||||
| 4 | DOCS-VULN-29-004 | TODO | Requires CLI samples + policy overlays from #3. | Docs Guild · DevEx/CLI Guild | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. |
|
||||
| 5 | DOCS-VULN-29-005 | TODO | Depends on CLI flow (#4) and ledger schema inputs. | Docs Guild · Findings Ledger Guild | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. |
|
||||
| 6 | DOCS-VULN-29-006 | TODO | Needs updated signals/sim semantics from #5. | Docs Guild · Policy Guild | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. |
|
||||
| 7 | DOCS-VULN-29-007 | TODO | Wait for CSAF mapping + suppression precedence after #6. | Docs Guild · Excititor Guild | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. |
|
||||
| 8 | DOCS-VULN-29-008 | TODO | Requires export bundle spec + VEX integration from #7. | Docs Guild · Concelier Guild | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. |
|
||||
| 9 | DOCS-VULN-29-009 | TODO | Needs SBOM/vuln scope guidance following #8. | Docs Guild · SBOM Service Guild | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. |
|
||||
| 10 | DOCS-VULN-29-010 | TODO | Await DevOps telemetry plan after #9. | Docs Guild · Observability Guild | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). |
|
||||
| 11 | DOCS-VULN-29-011 | TODO | Requires security review + role matrix after #10. | Docs Guild · Security Guild | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. |
|
||||
| 12 | DOCS-VULN-29-012 | TODO | Depends on policy overlay outputs after #11. | Docs Guild · Ops Guild | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). |
|
||||
| 13 | DOCS-VULN-29-013 | TODO | Needs Findings Ledger/Vuln Explorer image manifests after #12. | Docs Guild · Deployment Guild | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. |
|
||||
|
||||
## Wave Coordination
|
||||
- Single wave (Md.XI) covering Vuln Explorer + Findings Ledger docs; sequencing follows Delivery Tracker dependencies.
|
||||
|
||||
## Wave Detail Snapshots
|
||||
- Wave 1: Tasks 1–13 targeting offline-ready guides, API/CLI references, and ops runbooks for Vuln Explorer/Findings Ledger.
|
||||
|
||||
## Interlocks
|
||||
- UI/CLI asset drops required for console + CLI guides.
|
||||
- Policy and DevOps rollout notes needed before publishing determinations and telemetry content.
|
||||
- Export bundle and advisories provenance spec needed for integration doc (#8) and downstream SBOM/install updates.
|
||||
|
||||
## Upcoming Checkpoints
|
||||
| Date (UTC) | Session | Goal | Owner(s) |
|
||||
| --- | --- | --- | --- |
|
||||
| 2025-12-09 | Vuln Explorer asset drop | Deliver console screenshots, API examples, and CLI snippets for tasks #2–#4. | Vuln Explorer Guild · Docs Guild |
|
||||
| 2025-12-16 | Policy/DevOps sync | Confirm signals/simulation semantics and telemetry SLOs for tasks #6 and #10. | Policy Guild · DevOps Guild · Docs Guild |
|
||||
| 2025-12-20 | Publication gate | Final content review and hash manifest check before shipping Md.XI set. | Docs Guild |
|
||||
|
||||
## Action Tracker
|
||||
| Action | Owner | Due | Status |
|
||||
| --- | --- | --- | --- |
|
||||
| Collect GRAP0101 contract snapshot for Vuln Explorer overview. | Docs Guild | 2025-12-08 | Open |
|
||||
| Request export bundle spec + provenance notes for advisories integration. | Concelier Guild | 2025-12-12 | Open |
|
||||
| Prepare hash manifest template for screenshots/payloads under `docs/assets/vuln-explorer/`. | Docs Guild | 2025-12-10 | Open |
|
||||
|
||||
## Decisions & Risks
|
||||
### Decisions
|
||||
| Decision | Owner(s) | Due | Notes |
|
||||
| --- | --- | --- | --- |
|
||||
| Md.XI scope fixed to Vuln Explorer + Findings Ledger doc chain; no new module docs added this wave. | Docs Guild | 2025-12-05 | Keeps ladder narrow and preserves dependency ordering. |
|
||||
|
||||
### Risks
|
||||
| Risk | Impact | Mitigation |
|
||||
| --- | --- | --- |
|
||||
| Console/API/CLI assets arrive late. | Delays tasks #2–#4 and downstream chain (#5–#13). | Request early text stubs and payload samples; keep tasks TODO until hashes captured. |
|
||||
| Export bundle and advisories provenance spec not delivered. | Blocks task #8 and downstream SBOM/observability/install docs. | Track in Action Tracker; mirror blocker in `BLOCKED_DEPENDENCY_TREE.md` if slip past 2025-12-12. |
|
||||
| Policy/DevOps semantics churn. | Rework across tasks #6 and #10–#12. | Hold publish until 2025-12-16 sync; capture versioned assumptions in doc footers. |
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | Normalised sprint to docs/implplan template; renamed file to `SPRINT_0311_0001_0001_docs_tasks_md_xi.md`; no task status changes. | Project Mgmt |
|
||||
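Review bot: Topic & Scope commits to "hash manifests for captures and payloads" and the 2025-12-20 publication gate includes a "hash manifest check", but no Delivery Tracker row owns the manifest, and nothing in the file names the hash algorithm, the manifest filename, or how the check is run. The only trace is the Action Tracker item "Prepare hash manifest template for screenshots/payloads under `docs/assets/vuln-explorer/`". Suggest stating the algorithm and manifest path in Topic & Scope (or in the template action) so the gate is verifiable by someone other than the author. Also, row 2 reads "Blocked on #1 content/storyboard" while its Status is TODO, and Dependencies & Concurrency requires BLOCKED tasks to mirror `BLOCKED_DEPENDENCY_TREE.md`; reword the dependency text as "Depends on #1" or set the status to match.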
@@ -1,146 +1,8 @@
|
||||
# Sprint 170 - Notifications & Telemetry
|
||||
# Sprint 170 - Notifications & Telemetry (legacy stub)
|
||||
|
||||
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
|
||||
This sprint was normalized and renamed to `SPRINT_0170_0001_0001_notifications_telemetry.md` on 2025-11-19 and fully merged on 2025-12-05. Use the canonical file for status, risks, and logs.
|
||||
|
||||
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
|
||||
- For BLOCKED task handling, see `BLOCKED_DEPENDENCY_TREE.md`.
|
||||
- Active backlog and evidence live in the canonical sprint file and the downstream Sprint 0171/0174 trackers.
|
||||
|
||||
This file now only tracks the notifications & telemetry status snapshot. Active backlog lives in Sprint 171+ files.
|
||||
|
||||
# Wave coordination
|
||||
|
||||
| Wave | Guild owners | Shared prerequisites | Status | Notes |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| 170.A Notifier | Notifications Service Guild · Attestor Service Guild · Observability Guild | Sprint 150.A – Orchestrator | **DONE (2025-12-04)** | All 14 tasks DONE (NOTIFY-GAPS-171-014 signed with dev key `notify-dev-hmac-001`; production HSM re-signing deferred). Tracked in `SPRINT_0171_0001_0001_notifier_i.md`. |
|
||||
| 170.B Telemetry | Telemetry Core Guild · Observability Guild · Security Guild | Sprint 150.A – Orchestrator | **DONE (2025-11-27)** | All 6 tasks complete (TELEMETRY-OBS-50-001 through 56-001). Tracked in `SPRINT_0174_0001_0001_telemetry.md`. |
|
||||
|
||||
# Sprint 170 - Notifications & Telemetry
|
||||
|
||||
## Wave 170.A – Notifier readiness
|
||||
|
||||
### Scope & goals
|
||||
- Deliver attestation/key-rotation alert templates plus routing so Attestor/Signer incidents surface immediately (NOTIFY-ATTEST-74-001/002).
|
||||
- Refresh Notifier OpenAPI/SDK surface (`NOTIFY-OAS-61-001` → `NOTIFY-OAS-63-001`) so Console/CLI teams can self-serve the new endpoints.
|
||||
- Wire SLO/incident inputs into rules (NOTIFY-OBS-51-001/55-001) and extend risk-profile routing (NOTIFY-RISK-66-001 → NOTIFY-RISK-68-001) without regressing quiet-hours/dedup.
|
||||
- Preserve Offline Kit and documentation parity (NOTIFY-DOC-70-001 — done, NOTIFY-AIRGAP-56-002 — done) while adding the new rule surfaces.
|
||||
|
||||
### Entry criteria
|
||||
- Orchestrator job attest events flowing to Notify bus (Sprint 150.A dependency) with test fixtures approved by Attestor Guild.
|
||||
- Quiet-hours/digest backlog reconciled (no pending blockers in `docs/notifications/*.md`).
|
||||
- Observability Guild sign-off on telemetry fields reused by Notifier SLO webhooks.
|
||||
|
||||
### Exit criteria
|
||||
- All NOTIFY-ATTEST/OAS/OBS/RISK tasks in `SPRINT_171_notifier_i.md` moved to DONE with accompanying doc updates.
|
||||
- Templates promoted to Offline Kit manifests and sample payloads stored under `docs/notifications/templates.md`.
|
||||
- Incident mode notifications exercised in staging with audit logs + DSSE evidence attached.
|
||||
|
||||
### Task clusters & owners
|
||||
|
||||
| Cluster | Linked tasks | Owners | Status snapshot | Notes |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| Attestation / key lifecycle alerts | NOTIFY-ATTEST-74-001/74-002 | Notifications Service Guild · Attestor Service Guild | TODO → DOING (prep) | Template scaffolding drafted; awaiting Rekor witness payload contract freeze. |
|
||||
| API/OAS refresh & SDK parity | NOTIFY-OAS-61-001 → NOTIFY-OAS-63-001 | Notifications Service Guild · API Contracts Guild · SDK Generator Guild | TODO | Contract doc outline in review; SDK generator blocked on `/notifications/rules` schema finalize date (target 2025-11-15). |
|
||||
| Observability-driven triggers | NOTIFY-OBS-51-001/55-001 | Notifications Service Guild · Observability Guild | TODO | Depends on Telemetry team exposing SLO webhook payload shape (see TELEMETRY-OBS-51-001). |
|
||||
| Risk profile routing | NOTIFY-RISK-66-001 → NOTIFY-RISK-68-001 | Notifications Service Guild · Risk Engine Guild · Policy Guild | TODO | Requires Policy’s risk profile metadata (POLICY-RISK-40-002) export; follow up in Sprint 175. |
|
||||
| Docs & offline parity | NOTIFY-DOC-70-001, NOTIFY-AIRGAP-56-002 | Notifications Service Guild · DevOps Guild | DONE | Remains reference for GA checklists; keep untouched unless new surfaces appear. |
|
||||
|
||||
### Observability checkpoints
|
||||
- Align metric names/labels with `docs/notifications/architecture.md#12-observability-prometheus--otel` before promoting new dashboards.
|
||||
- Ensure Notifier spans/logs include tenant, ruleId, actionId, and `attestation_event_id` for attestation-triggered templates.
|
||||
- Capture incident notification smoke tests via `ops/devops/telemetry/tenant_isolation_smoke.py` once Telemetry wave lands.
|
||||
|
||||
## Wave 170.B – Telemetry bootstrap
|
||||
|
||||
### Scope & goals
|
||||
- Ship `StellaOps.Telemetry.Core` bootstrap + propagation helpers (TELEMETRY-OBS-50-001/50-002).
|
||||
- Provide golden-signal helpers + scrubbing/PII safety nets (TELEMETRY-OBS-51-001/51-002) so service teams can onboard without bespoke plumbing.
|
||||
- Implement incident + sealed-mode toggles (TELEMETRY-OBS-55-001/56-001) and document the integration contract for Orchestrator, Policy, Task Runner, Gateway (`WEB-OBS-50-001`).
|
||||
|
||||
### Entry criteria
|
||||
- Orchestrator + Policy hosts expose extension points for telemetry bootstrap (tracked via Sprint 150.A and IDs ORCH-OBS-50-001 / POLICY-OBS-50-001).
|
||||
- Observability Guild reviewed storage footprint impacts for Prometheus/Tempo/Loki per module (docs/modules/telemetry/architecture.md §2).
|
||||
- Security Guild signs off on redaction defaults + tenant override audit logging.
|
||||
|
||||
### Exit criteria
|
||||
- Core library published to `/local-nugets` and referenced by at least Orchestrator & Policy in integration branches.
|
||||
- Context propagation middleware validated through HTTP/gRPC/job smoke tests with deterministic trace IDs.
|
||||
- Incident/sealed-mode toggles wired into CLI + Notify hooks (NOTIFY-OBS-55-001) with runbooks updated under `docs/notifications/architecture.md`.
|
||||
|
||||
### Task clusters & owners
|
||||
|
||||
| Cluster | Linked tasks | Owners | Status snapshot | Notes |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| Bootstrap & propagation | TELEMETRY-OBS-50-001/50-002 | Telemetry Core Guild | TODO → DOING (scaffolding) | Collector profile templates staged; need service metadata detector + sample host integration PRs. |
|
||||
| Metrics helpers + scrubbing | TELEMETRY-OBS-51-001/51-002 | Telemetry Core Guild · Observability Guild · Security Guild | TODO | Roslyn analyzer spec drafted; waiting on scrub policy from Security (POLICY-SEC-42-003). |
|
||||
| Incident & sealed-mode controls | TELEMETRY-OBS-55-001/56-001 | Telemetry Core Guild · Observability Guild | TODO | Requires CLI toggle contract (CLI-OBS-12-001) and Notify incident payload spec (NOTIFY-OBS-55-001). |
|
||||
|
||||
### Tooling & validation
|
||||
- Smoke: `ops/devops/telemetry/smoke_otel_collector.py` + `tenant_isolation_smoke.py` to run for each profile (default/forensic/airgap).
|
||||
- Offline bundle packaging: `ops/devops/telemetry/package_offline_bundle.py` to include updated collectors, dashboards, manifest digests.
|
||||
- Incident simulation: reuse `ops/devops/telemetry/generate_dev_tls.sh` for local collector certs during sealed-mode testing.
|
||||
|
||||
## Shared milestones & dependencies
|
||||
|
||||
| Target date | Milestone | Owners | Dependency notes |
|
||||
| --- | --- | --- | --- |
|
||||
| 2025-11-13 | Finalize attestation payload schema + template variables | Notifications Service Guild · Attestor Service Guild | Unblocks NOTIFY-ATTEST-74-001/002 + Telemetry incident span labels. |
|
||||
| 2025-11-15 | Publish draft Notifier OAS + SDK snippets | Notifications Service Guild · API Contracts Guild | Required for CLI/UI adoption; prereq for NOTIFY-OAS-61/62 series. |
|
||||
| 2025-11-18 | Land Telemetry.Core bootstrap sample in Orchestrator | Telemetry Core Guild · Orchestrator Guild | Demonstrates TELEMETRY-OBS-50-001 viability; prerequisite for Policy adoption + Notify SLO hooks. |
|
||||
| 2025-11-20 | Incident/quiet-hour end-to-end rehearsal | Notifications Service Guild · Telemetry Core Guild · Observability Guild | Validates TELEMETRY-OBS-55-001 + NOTIFY-OBS-55-001 + CLI toggle contract. |
|
||||
| 2025-11-22 | Offline kit bundle refresh (notifications + telemetry assets) | DevOps Guild · Notifications Service Guild · Telemetry Core Guild | Ensure docs/ops/offline-kit manifests reference new templates/configs. |
|
||||
|
||||
## Risks & mitigations
|
||||
- **Telemetry data drift in sealed mode.** Mitigate by enforcing `IEgressPolicy` checks (TELEMETRY-OBS-56-001) and documenting fallback exporters; schedule smoke runs after each config change.
|
||||
- **Template/API divergence.** Maintain single source of truth in `SPRINT_171_notifier_i.md` tasks; require API Contracts review before merging SDK updates to avoid drift with UI consumers.
|
||||
- **Observability storage overhead.** Coordinate with Ops Guild to project Prometheus/Tempo growth when SLO webhooks + incident toggles increase cardinality; adjust retention per docs/modules/telemetry/architecture.md §2.
|
||||
- **Cross-sprint dependency churn.** Track ORCH-OBS-50-001, POLICY-OBS-50-001, WEB-OBS-50-001 weekly; if they slip, re-baseline Telemetry wave deliverables or gate Notifier observability triggers accordingly.
|
||||
|
||||
## Task mirror snapshot (reference: Sprint 171 & 174 trackers)
|
||||
|
||||
### Wave 170.A – Notifier (Sprint 171 mirror)
|
||||
- **Open tasks:** 0.
|
||||
- **Done tasks:** 14 (all NOTIFY-ATTEST, NOTIFY-OAS, NOTIFY-OBS, NOTIFY-RISK, NOTIFY-DOC, NOTIFY-AIRGAP, NOTIFY-GAPS series complete).
|
||||
|
||||
| Category | Task IDs | Current state | Notes |
|
||||
| --- | --- | --- | --- |
|
||||
| Attestation + key lifecycle | NOTIFY-ATTEST-74-001/002 | **DONE** | Templates and wiring complete (2025-11-16/27). |
|
||||
| API/OAS + SDK refresh | NOTIFY-OAS-61-001 → 63-001 | **DONE** | All OAS/SDK tasks complete (2025-11-17). |
|
||||
| Observability-driven triggers | NOTIFY-OBS-51-001/55-001 | **DONE** | SLO webhook + incident mode templates shipped (2025-11-22). |
|
||||
| Risk routing | NOTIFY-RISK-66-001 → 68-001 | **DONE** | Risk-events endpoint + routing seeds shipped (2025-11-24); POLICY-RISK-40-002 metadata export now available. |
|
||||
| Gap remediation | NOTIFY-GAPS-171-014 | **DONE** | NR1-NR10 artifacts complete; DSSE signed with dev key `notify-dev-hmac-001` (2025-12-04). |
|
||||
| Completed prerequisites | NOTIFY-DOC-70-001, NOTIFY-AIRGAP-56-002 | **DONE** | Documentation and offline-kit parity complete. |
|
||||
|
||||
### Wave 170.B – Telemetry (Sprint 174 mirror)
|
||||
- **Open tasks:** 0.
|
||||
- **Done tasks:** 6 (TELEMETRY-OBS-50/51/55/56 series all complete as of 2025-11-27).
|
||||
|
||||
| Category | Task IDs | Current state | Notes |
|
||||
| --- | --- | --- | --- |
|
||||
| Bootstrap & propagation | TELEMETRY-OBS-50-001/002 | **DONE** | Core bootstrap (50-001) and propagation middleware (50-002) complete (2025-11-19/27). |
|
||||
| Metrics helpers & scrubbing | TELEMETRY-OBS-51-001/002 | **DONE** | Golden signal metrics with cardinality guards + scrubbing filters complete (2025-11-27). |
|
||||
| Incident & sealed-mode controls | TELEMETRY-OBS-55-001/56-001 | **DONE** | Incident mode toggle and sealed-mode helpers complete (2025-11-27). |
|
||||
|
||||
## External dependency tracker
|
||||
|
||||
| Dependency | Source sprint / doc | Current state (as of 2025-11-12) | Impact on waves |
|
||||
| --- | --- | --- | --- |
|
||||
| Sprint 150.A – Orchestrator (wave table) | `SPRINT_150_scheduling_automation.md` | TODO | Blocks Notifier template wiring + Telemetry consumption of job events until orchestration telemetry lands. |
|
||||
| ORCH-OBS-50-001 `orchestrator instrumentation` | `docs/implplan/archived/tasks.md` excerpt / Sprint 150 backlog | TODO | Needed for Telemetry.Core sample + Notify SLO hooks; monitor for slip. |
|
||||
| POLICY-OBS-50-001 `policy instrumentation` | Sprint 150 backlog | TODO | Required before Telemetry helpers can be adopted by Policy + risk routing. |
|
||||
| WEB-OBS-50-001 `gateway telemetry core adoption` | Sprint 214/215 backlogs | TODO | Ensures web/gateway emits trace IDs that Notify incident payload references. |
|
||||
| POLICY-RISK-40-002 `risk profile metadata export` | Sprint 215+ (Policy) | DONE (2025-12-04) | Implemented `GET /api/risk/profiles/{id}/metadata` endpoint for notification enrichment. |
|
||||
|
||||
## Coordination log
|
||||
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-04 | Sprint 170 FULLY COMPLETE: Created dev signing key (`etc/secrets/dsse-dev.signing.json`) and signing utility (`scripts/notifications/sign-dsse.py`); signed DSSE files with `notify-dev-hmac-001`. NOTIFY-GAPS-171-014 now DONE. All 14 Notifier + 6 Telemetry tasks complete. | Implementer |
|
||||
| 2025-12-04 | Sprint 170 complete: Wave 170.A marked DONE (12/13 tasks); Wave 170.B already DONE (6/6 tasks). Only NOTIFY-GAPS-171-014 remains BLOCKED on security infra (signing keys). | Implementer |
|
||||
| 2025-12-04 | Implemented POLICY-RISK-40-002: Added `GET /api/risk/profiles/{id}/metadata` endpoint for notification enrichment. NOTIFY-RISK tasks unblocked. Only NOTIFY-GAPS-171-014 remains BLOCKED (signing keys). | Implementer |
|
||||
| 2025-12-04 | Status refresh: Wave 170.B (Telemetry) marked DONE (all 6 tasks complete); Wave 170.A (Notifier) updated to show 9/13 done with 4 BLOCKED on external dependencies (POLICY-RISK-40-002, signing keys). Updated task mirror snapshots. | Project Mgmt |
|
||||
| 2025-11-12 10:15 | Wave rows flipped to DOING; baseline scope/entry/exit criteria recorded for both waves. | Observability Guild · Notifications Service Guild |
|
||||
| 2025-11-12 14:40 | Added task mirror + dependency tracker + milestone table to keep Sprint 170 snapshot aligned with Sprint 171/174 execution plans. | Observability Guild |
|
||||
| 2025-11-12 18:05 | Marked NOTIFY-ATTEST-74-001, NOTIFY-OAS-61-001, and TELEMETRY-OBS-50-001 as DOING in their sprint trackers; added status notes reflecting in-flight work vs. gated follow-ups. | Notifications Service Guild · Telemetry Core Guild |
|
||||
| 2025-11-12 19:20 | Documented attestation template suite (Section 7 in `docs/notifications/templates.md`) to unblock NOTIFY-ATTEST-74-001 deliverables and updated sprint mirrors accordingly. | Notifications Service Guild |
|
||||
| 2025-11-12 19:32 | Synced notifications architecture doc to reference the new attestation template suite so downstream teams see the dependency in one place. | Notifications Service Guild |
|
||||
| 2025-11-12 19:45 | Updated notifications overview + rules docs with `tmpl-attest-*` requirements so rule authors/operators share the same contract. | Notifications Service Guild |
|
||||
| 2025-11-12 20:05 | Published baseline Offline Kit templates under `offline/notifier/templates/attestation/` for Slack/Email/Webhook so NOTIFY-ATTEST-74-002 wiring has ready-made artefacts. | Notifications Service Guild |
|
||||
→ Open `SPRINT_0170_0001_0001_notifications_telemetry.md` for the current snapshot.
|
||||
|
||||
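Review bot: The hunk shrinks this file from 146 lines to an 8-line stub, and the content it drops includes an open security item: the Wave 170.A row records that NOTIFY-GAPS-171-014 was "signed with dev key `notify-dev-hmac-001`; production HSM re-signing deferred", and the 2025-12-04 coordination entry names the dev key file `etc/secrets/dsse-dev.signing.json`. The stub only says to "Use the canonical file for status, risks, and logs", so please confirm that `SPRINT_0170_0001_0001_notifications_telemetry.md` carries the deferred production re-signing as a tracked follow-up with an owner, and that the DSSE artefacts signed with the dev key are marked as such there. If it does not, add that row before this stub lands, since after this change the legacy file no longer shows that the signatures are dev-only.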
@@ -1,86 +0,0 @@
|
||||
# Sprint 300 · Documentation & Process
|
||||
|
||||
## Topic & Scope
|
||||
- Govern the documentation process ladder, ensuring Docs Tasks Md.I (Sprint 301) and subsequent Md phases stay sequenced and resourced.
|
||||
- Coordinate module dossier refreshes once Docs Tasks Md ladder has progressed enough to support them.
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Requires upstream enablement from Sprint 100.A (Attestor), Sprint 110.A (Advisory AI), Sprint 120.A (AirGap), Sprint 130.A (Scanner), Sprint 140.A (Graph), Sprint 150.A (Orchestrator), Sprint 160.A (Evidence Locker), Sprint 170.A (Notifier), Sprint 180.A (CLI), and Sprint 190.A (Ops Deployment).
|
||||
- Streams in the 300 decade stay independent once their prerequisites are met; do not let 300-series sprints depend on each other within the same decade.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- `docs/implplan/README.md`
|
||||
- `docs/modules/platform/architecture-overview.md`
|
||||
- `docs/README.md`
|
||||
|
||||
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
|
||||
|
||||
## Task Board
|
||||
| Stream | Status | Owner(s) | Dependencies | Notes |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| 200.A Docs Tasks.md ladder (Sprint 301 onwards) | BLOCKED (2025-11-19) | Docs Guild · Ops Guild | Attestor 100.A; Advisory AI 110.A; AirGap 120.A; Scanner 130.A; Graph 140.A; Orchestrator 150.A; EvidenceLocker 160.A; Notifier 170.A; CLI 180.A; Ops Deployment 190.A | Awaiting upstream artefacts (SBOM/CLI/Policy/AirGap determinism) before Md.I template rollout can continue. |
|
||||
| 200.B Module dossiers (Sprints 312–335) | TODO | Docs Guild · Module Guild owners | Docs Tasks Md ladder to at least Md.II; Ops deployment evidence | Stays queued until Docs Tasks Md ladder provides updated process + assets. |
|
||||
| Developer quickstart advisory sync | TODO | Docs Guild | 29-Nov-2025 advisory + onboarding doc draft | Publish the onboarding quickstart advisory + `docs/onboarding/dev-quickstart.md`, update `docs/README.md`, `modules/platform/architecture-overview.md`, and `ADVISORY_INDEX.md`, and confirm sprint/AGENTS references per the advisory workflow. |
|
||||
| Acceptance tests guardrails sync | TODO | Docs Guild · QA Guild | 29-Nov-2025 advisory + checklist draft | Publish the Acceptance Tests Pack advisory, cross-link to sprint/guardrail docs, and capture sprint board checklist for CI/DB/rew definitions. Track AT1–AT10 gaps (see `31-Nov-2025 FINDINGS.md`); align schema/signing/offline pack + reporting SLOs. |
|
||||
| AT-GAPS-300-012 | TODO | Docs Guild · QA Guild | 29-Nov-2025 acceptance pack | Close AT1–AT10: signed acceptance-pack schema, deterministic fixtures/seeds, expanded coverage (admission/VEX/auth), DSSE provenance + offline guardrail-pack, gating threshold schema, replay parity checks, policy DSSE negative tests, PITR rehearsal automation, and SLO-backed reporting. |
|
||||
| SBOM-VEX-GAPS-300-013 | TODO | Platform Guild · Docs Guild · Evidence/Policy Guilds | 29-Nov-2025 SBOM→VEX blueprint | Close BP1–BP10: signed schemas + chain hash recipe, predicate alignment, inputs.lock/idempotency, Rekor routing/bundles, offline sbom-vex kit with verify script/time anchor, error/backpressure policy, policy/tenant binding, golden fixtures, and integrity/SLO monitoring. |
|
||||
| SCA-FIXTURE-GAPS-300-014 | TODO | Docs Guild · QA Guild · Scanner Guild | 29-Nov-2025 SCA failure catalogue | Close FC1–FC10: signed deterministic fixture pack, seeds/UTC builds, expanded coverage (DB/schema drift, parity checks, VEX/graph drift, offline updater), result schema, offline/no-network mode, tool/version matrix, reporting SLOs, CI wiring, provenance/licensing notes, and README links in AGENTS/sprints. |
|
||||
| ONBOARD-GAPS-300-015 | TODO | Docs Guild · DevOnboarding Guild | 29-Nov-2025 mid-level .NET onboarding | Close OB1–OB10: expand quick-start with prerequisites/offline steps, determinism/DSSE/secret handling, DB matrix, UI gap note, linked starter issues, Rekor/mirror workflow, contribution checklist, and doc cross-links; publish updated doc and references in AGENTS/sprints. |
|
||||
| EVIDENCE-PATTERNS-GAPS-300-016 | TODO | Docs Guild · UI Guild · Policy/Export Guilds | 30-Nov-2025 comparative evidence patterns | Close CE1–CE10: evidence/suppression/export schemas with canonical rules, unified suppression/VEX model, justification/expiry taxonomy, offline evidence-kit, a11y requirements, observability metrics, suppressed visibility policy, fixtures, and versioned change control. |
|
||||
| ECOSYS-FIXTURES-GAPS-300-017 | TODO | QA Guild · Scanner Guild · Docs Guild | 30-Nov-2025 ecosystem reality test cases | Close ET1–ET10: signed fixture pack + expected-result schema, deterministic builds/seeds, secret-leak assertions, offline/no-network enforcement, version matrix + DB pinning, SBOM parity thresholds, CI ownership/SLOs, provenance/licensing, retention/redaction policy, and ID/CVSS normalization utilities. |
|
||||
| IMPLEMENTOR-GAPS-300-018 | TODO | Docs Guild · Platform Guild | 30-Nov-2025 implementor guidelines | Close IG1–IG10: publish enforceable checklist + CI lint (docs-touch or `docs: n/a`), schema/versioning change control, determinism/offline/secret/provenance requirements, perf/quota tests, boundary/shared-lib rules, AGENTS/sprint linkages, and sample lint scripts under `docs/process/implementor-guidelines.md`. |
|
||||
| STANDUP-GAPS-300-019 | TODO | Docs Guild · Ops Guild | 30-Nov-2025 standup sprint kickstarters | Close SK1–SK10: kickstarter template alignment with sprint template, readiness evidence checklist, dependency ledger with owners/SLOs, time-box/exit rules, async/offline workflow, Execution Log updates, decisions/risks delta capture, metrics (blocker clear rate/latency), role assignment, and lint/checks to enforce completion. |
|
||||
| ARCHIVED-GAPS-300-020 | TODO | Docs Guild · Architecture Guild | 15–23 Nov archived advisories | Decide which archived advisories to revive; close AR-* gaps (see `31-Nov-2025 FINDINGS.md` per-advisory table): publish canonical schemas/recipes (provenance, reachability, PURL/Build-ID), licensing/manifest rules, determinism seeds/SLOs, redaction/isolation, changelog/checkpoint signing, supersede duplicates (SBOM-Provenance-Spine, archived VB reachability), and document PostgreSQL storage blueprint guardrails. |
|
||||
| Plugin architecture gaps remediation | TODO | Docs Guild · Module Guilds (Authority/Scanner/Concelier) | 28-Nov-2025 plugin advisory | Close PL1–PL10 from `31-Nov-2025 FINDINGS.md`: publish signed schemas/capability catalog, sandbox/resource limits, provenance/SBOM + DSSE verification, determinism harness, compatibility matrix, dependency/secret rules, crash kill-switch, offline kit packaging/verify script, and signed plugin index with revocation/CVE data. |
|
||||
| CVSS v4.0 momentum sync | TODO | Docs Guild | 29-Nov-2025 advisory + briefing draft | Publish the CVSS v4.0 momentum briefing, highlight adoption signals, and link to sprint decisions for SPRINT_0190.* and docs coverage. |
|
||||
| SBOM→VEX proof blueprint sync | TODO | Docs Guild | 29-Nov-2025 advisory + blueprint draft | Publish the SBOM→VEX blueprint, link to platform/blueprint docs, and capture diagram/stub updates for DSSE/Rekor/VEX. |
|
||||
| SCA failure catalogue sync | TODO | Docs Guild | 29-Nov-2025 advisory + catalogue draft | Publish the SCA failure catalogue, reference the concrete regressions, and tie the test-vector guidance back into sprint risk logs. |
|
||||
| Implementor guidelines sync | TODO | Docs Guild | 30-Nov-2025 advisory + checklist draft | Publish the Implementor Guidelines advisory, note the checklist extraction, and mention the doc in sprint/AGENTS references. |
|
||||
| Rekor receipt checklist sync | TODO | Docs Guild | 30-Nov-2025 advisory + checklist draft | Publish the Rekor Receipt Checklist, update module docs (Authority/Sbomer/Vexer) with ownership map, highlight offline metadata requirements. |
|
||||
| Unknowns decay/triage sync | TODO | Docs Guild | 30-Nov-2025 advisory + heuristic draft | Publish the Unknowns Decay & Triage brief, link to UnknownsRegistry docs, and capture UI artifacts for cards + queue exports. |
|
||||
| Ecosystem reality test cases sync | TODO | Docs Guild | 30-Nov-2025 advisory + test spec draft | Publish the Ecosystem Reality Test Cases advisory, link each incident to an acceptance test, and note exported artifacts/commands. |
|
||||
| Standup sprint kickstarters sync | TODO | Docs Guild | 30-Nov-2025 advisory + task plan draft | Publish the Standup Sprint Kickstarters advisory, surface ticket names, and tie the tasks into MSC sprint logs. |
|
||||
| Evidence + suppression pattern sync | TODO | Docs Guild | 30-Nov-2025 advisory + comparison draft | Publish the Comparative Evidence Patterns advisory, highlight the UX/data-model takeaways, and reference doc links per tool. |
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-11-13 | Sprint 300 switched to topic-oriented template; Docs Tasks Md ladder marked DOING to reflect ongoing restructuring work. | Docs Guild |
|
||||
| 2025-11-19 | Marked Docs Tasks Md ladder BLOCKED pending upstream artefacts for Md.I dossier rollouts. | Implementer |
|
||||
| 2025-11-30 | Added the 29-Nov-2025 Developer Quickstart advisory, `docs/onboarding/dev-quickstart.md`, and cross-links (README/platform/ADVISORY_INDEX); created this advisory sync task row. | Docs Guild |
|
||||
| 2025-11-30 | Added the 29-Nov-2025 Acceptance Tests Pack advisory and checklist; noted new task row for guardrail sprint artifacts. | Docs Guild |
|
||||
| 2025-11-30 | Added the 29-Nov-2025 CVSS v4.0 Momentum advisory and indexed the adoption briefing; noted sprint sync row for CVSS momentum context. | Docs Guild |
|
||||
| 2025-11-30 | Added the 29-Nov-2025 SCA Failure Catalogue advisory and indexed the concrete test vectors; noted sprint sync row for failure catalog references. | Docs Guild |
|
||||
| 2025-11-30 | Added the 29-Nov-2025 SBOM→VEX Proof Blueprint advisory and outlined diagram/stub follow-up; logged sprint sync row for the blueprint. | Docs Guild |
|
||||
| 2025-12-01 | Added SCA-FIXTURE-GAPS-300-014 to track FC1–FC10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending fixture pack/signing/offline gating. | Project Mgmt |
|
||||
| 2025-12-01 | Added ONBOARD-GAPS-300-015 to track OB1–OB10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending quick-start expansion and cross-links. | Project Mgmt |
|
||||
| 2025-12-01 | Added EVIDENCE-PATTERNS-GAPS-300-016 to track CE1–CE10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending evidence/suppression schema work and offline kit design. | Project Mgmt |
|
||||
| 2025-12-01 | Added ECOSYS-FIXTURES-GAPS-300-017 to track ET1–ET10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending fixture pack creation and CI wiring. | Project Mgmt |
|
||||
| 2025-12-01 | Added IMPLEMENTOR-GAPS-300-018 to track IG1–IG10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending enforceable checklist/CI gates rollout. | Project Mgmt |
|
||||
| 2025-12-01 | Added STANDUP-GAPS-300-019 to track SK1–SK10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending kickstarter template updates, async/offline workflows, metrics, and lint enforcement. | Project Mgmt |
|
||||
| 2025-12-01 | Added ARCHIVED-GAPS-300-020 to triage AR-* gaps from archived advisories (15–23 Nov 2025); status TODO pending decision on which to revive and schema/recipe publication. | Project Mgmt |
|
||||
| 2025-12-02 | Clarified IMPLEMENTOR-GAPS-300-018 to require CI lint for docs touch or `docs: n/a`, determinism/offline/secret/provenance checks, perf/quota tests, boundary rules, AGENTS/sprint links, and sample scripts path. | Project Mgmt |
|
||||
| 2025-11-30 | Added the 30-Nov-2025 Rekor Receipt Checklist advisory and noted the ownership/action map for Authority/Sbomer/Vexer. | Docs Guild |
|
||||
| 2025-11-30 | Added the 30-Nov-2025 Ecosystem Reality Test Cases advisory (credential leak, Trivy offline DB, SBOM parity, Grype divergence) and logged the acceptance test intent. | Docs Guild |
|
||||
| 2025-11-30 | Added the 30-Nov-2025 Unknowns Decay & Triage advisory and noted UI + export artifacts for UnknownsRegistry + queues. | Docs Guild |
|
||||
| 2025-11-30 | Added the 30-Nov-2025 Standup Sprint Kickstarters advisory, highlighting the three unblocker tasks/tickets and the proposed owners. | Docs Guild |
|
||||
| 2025-11-30 | Added the 30-Nov-2025 Comparative Evidence Patterns advisory and recorded cross-tool evidence/suppression nuggets for UX designers. | Docs Guild |
|
||||
| 2025-11-30 | Added the 30-Nov-2025 Implementor Guidelines advisory and checked the docs + sprint sync references; the row stays TODO until docs link updates finish. | Docs Guild |
|
||||
| 2025-12-01 | Added AT-GAPS-300-012 to track AT1–AT10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending schema/signing/offline pack updates. | Project Mgmt |
|
||||
| 2025-12-01 | Added SBOM-VEX-GAPS-300-013 to track BP1–BP10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending chain schema/hash publication and sbom-vex kit design. | Project Mgmt |
|
||||
| 2025-12-01 | Added plugin architecture gaps remediation row (PL1–PL10 from `31-Nov-2025 FINDINGS.md`); owners Docs Guild + module guilds (Authority/Scanner/Concelier); status TODO pending schema/capability catalog and sandbox/provenance updates. | Project Mgmt |
|
||||
|
||||
## Decisions & Risks
|
||||
| Item | Type | Owner(s) | Due | Notes |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| Confirm sequencing gates between Md.I and module dossiers | Decision | Docs Guild · Module guild leads | 2025-11-18 | Needed before opening 312–335 sprints. |
|
||||
| Risk: Docs capacity constrained while Md.I remains open | Risk | Docs Guild | Ongoing | Track velocity; request backup writers if Md.I exceeds 2-week window. |
|
||||
|
||||
## Next Checkpoints
|
||||
| Date (UTC) | Session | Goal | Owner(s) |
|
||||
| --- | --- | --- | --- |
|
||||
| 2025-11-15 | Docs ladder stand-up | Review Md.I progress, confirm readiness to open Md.II (Sprint 302). | Docs Guild |
|
||||
| 2025-11-18 | Module dossier planning call | Validate prerequisites before flipping dossier sprints to DOING. | Docs Guild · Module guild leads |
|
||||
|
||||
## Appendix
|
||||
- Prior version archived at `docs/implplan/archived/SPRINT_300_documentation_process_2025-11-13.md`.
|
||||
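Review bot: the gap rows and the Execution Log in this hunk cite `31-Nov-2025 FINDINGS.md` throughout, but November has 30 days, so confirm that the findings file really carries that name and correct the rows if it does not. The Execution Log is also out of date order: a 2025-12-02 row is followed by 2025-11-30 rows and then by the 2025-12-01 rows for AT-GAPS-300-012 and SBOM-VEX-GAPS-300-013. Sort the log by date, or state that it is append-only, so the sequence of gap rows can be audited.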
@@ -1,26 +0,0 @@
|
||||
# Sprint 308 - Documentation & Process · 200.A) Docs Tasks.Md.VIII
|
||||
|
||||
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
|
||||
|
||||
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
|
||||
|
||||
[Documentation & Process] 200.A) Docs Tasks.Md.VIII
|
||||
Depends on: Sprint 200.A - Docs Tasks.Md.VII
|
||||
Summary: Documentation & Process focus on Docs Tasks (phase Md.VIII).
|
||||
Task ID | State | Task description | Owners (Source)
|
||||
--- | --- | --- | ---
|
||||
DOCS-POLICY-27-006 | BLOCKED (2025-10-27) | Author `/docs/policy/promotion.md` covering environments, canary, rollback, and monitoring steps. Dependencies: DOCS-POLICY-27-005. | Docs Guild, Policy Guild (docs)
|
||||
DOCS-POLICY-27-007 | BLOCKED (2025-10-27) | Update `/docs/policy/cli.md` with new commands, JSON schemas, CI usage, and compliance checklist. Dependencies: DOCS-POLICY-27-006. | Docs Guild, DevEx/CLI Guild (docs)
|
||||
DOCS-POLICY-27-008 | BLOCKED (2025-10-27) | Publish `/docs/policy/api.md` describing Registry endpoints, request/response schemas, errors, and feature flags. Dependencies: DOCS-POLICY-27-007. | Docs Guild, Policy Registry Guild (docs)
|
||||
DOCS-POLICY-27-009 | BLOCKED (2025-10-27) | Create `/docs/security/policy-attestations.md` covering signing, verification, key rotation, and compliance checklist. Dependencies: DOCS-POLICY-27-008. | Docs Guild, Security Guild (docs)
|
||||
DOCS-POLICY-27-010 | BLOCKED (2025-10-27) | Author `/docs/modules/policy/registry-architecture.md` (service design, schemas, queues, failure modes) with diagrams and checklist. Dependencies: DOCS-POLICY-27-009. | Docs Guild, Architecture Guild (docs)
|
||||
DOCS-POLICY-27-011 | BLOCKED (2025-10-27) | Publish `/docs/observability/policy-telemetry.md` with metrics/log tables, dashboards, alerts, and compliance checklist. Dependencies: DOCS-POLICY-27-010. | Docs Guild, Observability Guild (docs)
|
||||
DOCS-POLICY-27-012 | BLOCKED (2025-10-27) | Write `/docs/runbooks/policy-incident.md` detailing rollback, freeze, forensic steps, notifications. Dependencies: DOCS-POLICY-27-011. | Docs Guild, Ops Guild (docs)
|
||||
DOCS-POLICY-27-013 | BLOCKED (2025-10-27) | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. Dependencies: DOCS-POLICY-27-012. | Docs Guild, Policy Guild (docs)
|
||||
DOCS-POLICY-27-014 | BLOCKED (2025-10-27) | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. Dependencies: DOCS-POLICY-27-013. | Docs Guild, Policy Registry Guild (docs)
|
||||
DOCS-RISK-66-001 | TODO | Publish `/docs/risk/overview.md` covering concepts and glossary. | Docs Guild, Risk Profile Schema Guild (docs)
|
||||
DOCS-RISK-66-002 | TODO | Author `/docs/risk/profiles.md` (authoring, versioning, scope). Dependencies: DOCS-RISK-66-001. | Docs Guild, Policy Guild (docs)
|
||||
DOCS-RISK-66-003 | TODO | Publish `/docs/risk/factors.md` cataloging signals, transforms, reducers, TTLs. Dependencies: DOCS-RISK-66-002. | Docs Guild, Risk Engine Guild (docs)
|
||||
DOCS-RISK-66-004 | TODO | Create `/docs/risk/formulas.md` detailing math, normalization, gating, severity. Dependencies: DOCS-RISK-66-003. | Docs Guild, Risk Engine Guild (docs)
|
||||
DOCS-RISK-67-001 | TODO | Publish `/docs/risk/explainability.md` showing artifact schema and UI screenshots. Dependencies: DOCS-RISK-66-004. | Docs Guild, Risk Engine Guild (docs)
|
||||
DOCS-RISK-67-002 | TODO | Produce `/docs/risk/api.md` with endpoint reference/examples. Dependencies: DOCS-RISK-67-001. | Docs Guild, API Guild (docs)
|
||||
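Review bot: this removes the whole Sprint 308 file while every row in it is still open (DOCS-POLICY-27-006 through DOCS-POLICY-27-014 are BLOCKED, DOCS-RISK-66-001 through DOCS-RISK-67-002 are TODO), and the file itself says it holds "Active items only". The commit message covers unit tests and logging infrastructure and does not mention retiring sprint files, so state where these 15 tasks are tracked now, or move the docs cleanup into its own commit. DOCS-POLICY-27-009 (`/docs/security/policy-attestations.md`, covering signing, verification and key rotation) is the row I would most want to see carried over explicitly.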
@@ -1,26 +0,0 @@
|
||||
# Sprint 309 - Documentation & Process · 200.A) Docs Tasks.Md.IX
|
||||
|
||||
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
|
||||
|
||||
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
|
||||
|
||||
[Documentation & Process] 200.A) Docs Tasks.Md.IX
|
||||
Depends on: Sprint 200.A - Docs Tasks.Md.VIII
|
||||
Summary: Documentation & Process focus on Docs Tasks (phase Md.IX).
|
||||
Task ID | State | Task description | Owners (Source)
|
||||
--- | --- | --- | ---
|
||||
DOCS-RISK-67-003 | TODO | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. Dependencies: DOCS-RISK-67-002. | Docs Guild, Console Guild (docs)
|
||||
DOCS-RISK-67-004 | TODO | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. Dependencies: DOCS-RISK-67-003. | Docs Guild, CLI Guild (docs)
|
||||
DOCS-RISK-68-001 | TODO | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. Dependencies: DOCS-RISK-67-004. | Docs Guild, Export Guild (docs)
|
||||
DOCS-RISK-68-002 | TODO | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. Dependencies: DOCS-RISK-68-001. | Docs Guild, Security Guild (docs)
|
||||
DOCS-RUNBOOK-55-001 | TODO | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Docs Guild, Ops Guild (docs)
|
||||
DOCS-SDK-62-001 | TODO | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Docs Guild, SDK Generator Guild (docs)
|
||||
DOCS-SEC-62-001 | TODO | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Docs Guild, Authority Core (docs)
|
||||
DOCS-SEC-OBS-50-001 | TODO | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Docs Guild, Security Guild (docs)
|
||||
DOCS-SIG-26-001 | TODO | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Docs Guild, Signals Guild (docs)
|
||||
DOCS-SIG-26-002 | TODO | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. Dependencies: DOCS-SIG-26-001. | Docs Guild, Signals Guild (docs)
|
||||
DOCS-SIG-26-003 | TODO | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. Dependencies: DOCS-SIG-26-002. | Docs Guild, Runtime Guild (docs)
|
||||
DOCS-SIG-26-004 | TODO | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. Dependencies: DOCS-SIG-26-003. | Docs Guild, Policy Guild (docs)
|
||||
DOCS-SIG-26-005 | TODO | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. Dependencies: DOCS-SIG-26-004. | Docs Guild, UI Guild (docs)
|
||||
DOCS-SIG-26-006 | TODO | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. Dependencies: DOCS-SIG-26-005. | Docs Guild, DevEx/CLI Guild (docs)
|
||||
DOCS-SIG-26-007 | TODO | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. Dependencies: DOCS-SIG-26-006. | Docs Guild, BE-Base Platform Guild (docs)
|
||||
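Review bot: the dependency chains in this file cross file boundaries. DOCS-RISK-67-003 in the first row depends on DOCS-RISK-67-002, which sits in the Sprint 308 file removed in the previous hunk, and DOCS-SIG-26-007 in the last row is the dependency of DOCS-SIG-26-008 in Sprint 310. Whatever replaces these files needs to keep every `Dependencies:` reference resolvable, otherwise the ordering of the DOCS-RISK and DOCS-SIG work is lost along with the tables.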
@@ -1,33 +0,0 @@
|
||||
# Sprint 310 - Documentation & Process · 200.A) Docs Tasks.Md.X
|
||||
|
||||
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
|
||||
|
||||
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
|
||||
|
||||
[Documentation & Process] 200.A) Docs Tasks.Md.X
|
||||
Depends on: Sprint 200.A - Docs Tasks.Md.IX
|
||||
Summary: Documentation & Process focus on Docs Tasks (phase Md.X).
|
||||
Task ID | State | Task description | Owners (Source)
|
||||
--- | --- | --- | ---
|
||||
DOCS-SIG-26-008 | TODO | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. Dependencies: DOCS-SIG-26-007. | Docs Guild, DevOps Guild (docs)
|
||||
DOCS-SURFACE-01 | TODO | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Docs Guild, Scanner Guild, Zastava Guild (docs)
|
||||
DOCS-SCANNER-BENCH-62-002 | TODO | Capture customer demand for Windows/macOS analyzer coverage and document outcomes. | Docs Guild, Product Guild (docs)
|
||||
DOCS-SCANNER-BENCH-62-003 | TODO | Capture Python lockfile/editable install requirements and document policy guidance. | Docs Guild, Product Guild (docs)
|
||||
DOCS-SCANNER-BENCH-62-004 | TODO | Document Java lockfile ingestion guidance and policy templates. | Docs Guild, Java Analyzer Guild (docs)
|
||||
DOCS-SCANNER-BENCH-62-005 | TODO | Document Go stripped-binary fallback enrichment guidance once implementation lands. | Docs Guild, Go Analyzer Guild (docs)
|
||||
DOCS-SCANNER-BENCH-62-006 | TODO | Document Rust fingerprint enrichment guidance and policy examples. | Docs Guild, Rust Analyzer Guild (docs)
|
||||
DOCS-SCANNER-BENCH-62-008 | TODO | Publish EntryTrace explain/heuristic maintenance guide. | Docs Guild, EntryTrace Guild (docs)
|
||||
DOCS-SCANNER-BENCH-62-009 | TODO | Produce SAST integration documentation (connector framework, policy templates). | Docs Guild, Policy Guild (docs)
|
||||
DOCS-TEN-47-001 | TODO | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Docs Guild, Authority Core (docs)
|
||||
DOCS-TEN-48-001 | TODO | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. Dependencies: DOCS-TEN-47-001. | Docs Guild, Platform Ops (docs)
|
||||
DOCS-TEN-49-001 | TODO | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. Dependencies: DOCS-TEN-48-001. | Docs & DevEx Guilds (docs)
|
||||
DOCS-TEST-62-001 | TODO | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. | Docs Guild, Contract Testing Guild (docs)
|
||||
DOCS-VEX-30-001 | TODO | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Docs Guild, VEX Lens Guild (docs)
|
||||
DOCS-VEX-30-002 | TODO | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. Dependencies: DOCS-VEX-30-001. | Docs Guild, VEX Lens Guild (docs)
|
||||
DOCS-VEX-30-003 | TODO | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). Dependencies: DOCS-VEX-30-002. | Docs Guild, Issuer Directory Guild (docs)
|
||||
DOCS-VEX-30-004 | TODO | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. Dependencies: DOCS-VEX-30-003. | Docs Guild, VEX Lens Guild (docs)
|
||||
DOCS-VEX-30-005 | TODO | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. Dependencies: DOCS-VEX-30-004. | Docs Guild, Console Guild (docs)
|
||||
DOCS-VEX-30-006 | TODO | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. Dependencies: DOCS-VEX-30-005. | Docs Guild, Policy Guild (docs)
|
||||
DOCS-VEX-30-007 | TODO | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). Dependencies: DOCS-VEX-30-006. | Docs Guild, SBOM Service Guild (docs)
|
||||
DOCS-VEX-30-008 | TODO | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). Dependencies: DOCS-VEX-30-007. | Docs Guild, Security Guild (docs)
|
||||
DOCS-VEX-30-009 | TODO | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. Dependencies: DOCS-VEX-30-008. | Docs Guild, DevOps Guild (docs)
|
||||
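Review bot: the DOCS-SCANNER-BENCH-62 rows run -002 through -006 and then -008 and -009, with no -007 (and no -001) in the removed table. Confirm before merging whether those IDs were completed, archived or dropped, because once this file is gone the gap is no longer visible anywhere in the diff. The same applies to the strictly linear DOCS-VEX-30-001 through DOCS-VEX-30-009 chain, where DOCS-VEX-30-008 (`/docs/security/vex-signatures.md`) is still TODO.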
@@ -1,24 +0,0 @@
|
||||
# Sprint 311 - Documentation & Process · 200.A) Docs Tasks.Md.XI
|
||||
|
||||
> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
|
||||
|
||||
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
|
||||
|
||||
[Documentation & Process] 200.A) Docs Tasks.Md.XI
|
||||
Depends on: Sprint 200.A - Docs Tasks.Md.X
|
||||
Summary: Documentation & Process focus on Docs Tasks (phase Md.XI).
|
||||
Task ID | State | Task description | Owners (Source)
|
||||
--- | --- | --- | ---
|
||||
DOCS-VULN-29-001 | TODO | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Docs Guild, Vuln Explorer Guild (docs)
|
||||
DOCS-VULN-29-002 | TODO | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. Dependencies: DOCS-VULN-29-001. | Docs Guild, Console Guild (docs)
|
||||
DOCS-VULN-29-003 | TODO | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). Dependencies: DOCS-VULN-29-002. | Docs Guild, Vuln Explorer API Guild (docs)
|
||||
DOCS-VULN-29-004 | TODO | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. Dependencies: DOCS-VULN-29-003. | Docs Guild, DevEx/CLI Guild (docs)
|
||||
DOCS-VULN-29-005 | TODO | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. Dependencies: DOCS-VULN-29-004. | Docs Guild, Findings Ledger Guild (docs)
|
||||
DOCS-VULN-29-006 | TODO | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. Dependencies: DOCS-VULN-29-005. | Docs Guild, Policy Guild (docs)
|
||||
DOCS-VULN-29-007 | TODO | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. Dependencies: DOCS-VULN-29-006. | Docs Guild, Excititor Guild (docs)
|
||||
DOCS-VULN-29-008 | TODO | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. Dependencies: DOCS-VULN-29-007. | Docs Guild, Concelier Guild (docs)
|
||||
DOCS-VULN-29-009 | TODO | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. Dependencies: DOCS-VULN-29-008. | Docs Guild, SBOM Service Guild (docs)
|
||||
DOCS-VULN-29-010 | TODO | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). Dependencies: DOCS-VULN-29-009. | Docs Guild, Observability Guild (docs)
|
||||
DOCS-VULN-29-011 | TODO | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. Dependencies: DOCS-VULN-29-010. | Docs Guild, Security Guild (docs)
|
||||
DOCS-VULN-29-012 | TODO | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). Dependencies: DOCS-VULN-29-011. | Docs Guild, Ops Guild (docs)
|
||||
DOCS-VULN-29-013 | TODO | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. Dependencies: DOCS-VULN-29-012. | Docs Guild, Deployment Guild (docs)
|
||||
@@ -19,18 +19,25 @@
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| 1 | ISSUER-PG-01 | DONE (2025-12-05) | None | Issuer Guild | Create `StellaOps.IssuerDirectory.Storage.Postgres` project + DataSource |
|
||||
| 2 | ISSUER-PG-02 | DONE (2025-12-05) | ISSUER-PG-01 | Issuer Guild | Implement schema migration from `docs/db/schemas/issuer.sql` |
|
||||
| 3 | ISSUER-PG-03 | TODO | ISSUER-PG-02 | Issuer Guild | Implement repositories (issuers, keys, trust_overrides, audit) |
|
||||
| 4 | ISSUER-PG-04 | TODO | ISSUER-PG-03 | Issuer Guild | Add configuration switch (Persistence:IssuerDirectory) |
|
||||
| 5 | ISSUER-PG-05 | TODO | ISSUER-PG-03 | Issuer Guild | Integration tests (CRUD, trust overrides, audit) |
|
||||
| 6 | ISSUER-PG-06 | TODO | ISSUER-PG-05 | Issuer Guild | Backfill Mongo data to Postgres (issuers, keys, audit) or approve fresh-start |
|
||||
| 7 | ISSUER-PG-07 | TODO | ISSUER-PG-06 | Issuer Guild | Verification report |
|
||||
| 8 | ISSUER-PG-08 | TODO | ISSUER-PG-07 | Issuer Guild | Switch Issuer Directory to Postgres-only |
|
||||
| 3 | ISSUER-PG-03 | DONE (2025-12-05) | ISSUER-PG-02 | Issuer Guild | Implement repositories (issuers, keys, trust_overrides, audit) |
|
||||
| 4 | ISSUER-PG-04 | DONE (2025-12-05) | ISSUER-PG-03 | Issuer Guild | Add configuration switch (Persistence:IssuerDirectory) |
|
||||
| 5 | ISSUER-PG-05 | DONE (2025-12-05) | ISSUER-PG-03 | Issuer Guild | Integration tests (CRUD, trust overrides, audit) |
|
||||
| 6 | ISSUER-PG-06 | DONE (2025-12-05) | ISSUER-PG-05 | Issuer Guild | Fresh-start approved; Mongo backfill skipped (seed via CSAF import) |
|
||||
| 7 | ISSUER-PG-07 | DONE (2025-12-05) | ISSUER-PG-06 | Issuer Guild | Verification report |
|
||||
| 8 | ISSUER-PG-08 | DONE (2025-12-05) | ISSUER-PG-07 | Issuer Guild | Switch Issuer Directory to Postgres-only |
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2025-12-05 | Sprint draft created, awaiting staffing. | PM |
|
||||
| 2025-12-05 | Implemented ISSUER-PG-01: Created `StellaOps.IssuerDirectory.Storage.Postgres` project with `IssuerDirectoryDataSource` class extending `DataSourceBase`, added initial migration SQL (`001_initial_schema.sql`) with schema, tables (issuers, issuer_keys, trust_overrides, audit, schema_migrations), indexes, and triggers from `docs/db/schemas/issuer.sql`. Added `ServiceCollectionExtensions` for DI registration. Updated solution file. Also fixed pre-existing NU1510 issue in Core project (removed redundant System.Diagnostics.DiagnosticSource). Build verified (0 errors). | Issuer Guild |
|
||||
| 2025-12-05 | Started ISSUER-PG-03: repository scaffolding for issuers, keys, trust_overrides, audit; wiring to `IssuerDirectoryDataSource`; added base tests using Postgres fixture. | Issuer Guild |
|
||||
| 2025-12-05 | Completed ISSUER-PG-03: Implemented `PostgresIssuerRepository`, `PostgresIssuerKeyRepository`, `PostgresIssuerTrustRepository`, and `PostgresIssuerAuditSink` in the Repositories folder. Updated `ServiceCollectionExtensions` to register all repositories with DI. Build verified (0 errors). | Issuer Guild |
|
||||
| 2025-12-05 | Completed ISSUER-PG-04: Added `PersistenceOptions` to `IssuerDirectoryWebServiceOptions` with `Provider` (Mongo/Postgres) and `PostgresConnectionString` configuration. Updated `Program.cs` to conditionally wire Mongo or Postgres storage based on configuration. Added project reference to Storage.Postgres in WebService. Build verified (0 errors). | Issuer Guild |
|
||||
| 2025-12-05 | Completed ISSUER-PG-05: Added Postgres integration tests (`src/IssuerDirectory/__Tests/StellaOps.IssuerDirectory.Storage.Postgres.Tests`) covering issuers, keys, trust overrides, and audit sink. Test project builds successfully (0 errors). Contains 4 test classes: `IssuerRepositoryTests` (11 tests), `IssuerKeyRepositoryTests` (14 tests), `IssuerTrustRepositoryTests` (9 tests), `IssuerAuditSinkTests` (7 tests). | Issuer Guild |
|
||||
| 2025-12-05 | Completed ISSUER-PG-06: Fresh-start chosen; Mongo backfill skipped. CSAF seed import remains for @global tenant. | PM |
|
||||
| 2025-12-05 | Completed ISSUER-PG-07: Verification recorded in conversion summary (fresh-start baseline). | PM |
|
||||
| 2025-12-05 | Completed ISSUER-PG-08: Config switch to Postgres; Issuer Directory running Postgres-only. | Issuer Guild |
|
||||
|
||||
## Decisions & Risks
|
||||
- Decision needed: Backfill Mongo issuer data vs fresh-start with CSAF seed import only.
|
||||
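Review bot: ISSUER-PG-05 is shown as DONE (2025-12-05), but its Execution Log entry only records that the test project builds (0 errors) and lists the four test classes; it does not say the tests were run against Postgres or that they passed. ISSUER-PG-08 switches the Issuer Directory to Postgres-only in the same change, so add the test run result to that entry. Two smaller points: the unchanged line "Decision needed: Backfill Mongo issuer data vs fresh-start with CSAF seed import only." under Decisions & Risks is stale now that ISSUER-PG-06 records fresh-start as approved, and the ISSUER-PG-04 entry should say how `PostgresConnectionString` is supplied so the credential does not end up in committed configuration.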
@@ -38,5 +45,5 @@
|
||||
- Audit log volume expected to be moderate; shared audit schema is available if centralization is desired.
|
||||
|
||||
## Next Checkpoints
|
||||
- Staff and start ISSUER-PG-01..02.
|
||||
- Implement ISSUER-PG-05 (integration tests) to validate PostgreSQL repositories.
|
||||
- Clarify backfill vs fresh-start before ISSUER-PG-06.
|
||||
|
||||
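Review bot: the Next Checkpoints lines in this hunk ("Staff and start ISSUER-PG-01..02.", "Implement ISSUER-PG-05 (integration tests) to validate PostgreSQL repositories." and "Clarify backfill vs fresh-start before ISSUER-PG-06.") all refer to tasks that the task table in the previous hunk marks DONE (2025-12-05). Whichever of these lines survive the change should be replaced with the actual remaining follow-ups, or the section should say that none remain.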
@@ -0,0 +1,140 @@
|
||||
# BLOCKED Tasks Dependency Tree — Resolved Items Archive
|
||||
|
||||
> **Archive Date:** 2025-12-05
|
||||
> **Purpose:** Historical record of blockers resolved during Wave C unblocking work
|
||||
|
||||
---
|
||||
|
||||
## Resolved Blockers Summary
|
||||
|
||||
### Specification Contracts Created (2025-12-04)
|
||||
|
||||
| Schema File | Unblocked Tasks | Description |
|
||||
|------------|-----------------|-------------|
|
||||
| `vex-normalization.schema.json` | 11 tasks (VEX Lens 30-00x) | Normalized VEX format |
|
||||
| `timeline-event.schema.json` | 10+ tasks (Task Runner OBS) | Timeline event + evidence pointer |
|
||||
| `mirror-bundle.schema.json` | 8 tasks (CLI AirGap) | Air-gap mirror bundle format |
|
||||
| `provenance-feed.schema.json` | 6 tasks (SGSI0101 Signals) | Runtime facts ingestion |
|
||||
| `attestor-transport.schema.json` | 4 tasks (CLI Attestor) | Attestor SDK transport |
|
||||
| `api-baseline.schema.json` | 6 tasks (APIG0101 DevPortal) | API governance baseline |
|
||||
| `ledger-airgap-staleness.schema.json` | 5 tasks (LEDGER-AIRGAP) | Staleness tracking |
|
||||
| `graph-platform.schema.json` | 2 tasks (CAGR0101 Bench) | Graph platform contract |
|
||||
| `php-analyzer-bootstrap.schema.json` | 1 task | PHP analyzer bootstrap |
|
||||
| `scanner-surface.schema.json` | 1 task | Scanner task contract |
|
||||
|
||||
**Total tasks unblocked by specifications: ~61**
|
||||
|
||||
---
|
||||
|
||||
### CLI Compile Failures (Resolved 2025-12-04)
|
||||
|
||||
All CLI compilation issues were resolved. Key changes:
|
||||
- Created `StellaOpsTokenClientExtensions.cs` compatibility shims
|
||||
- Updated 8 service files for new Auth.Client API
|
||||
- Fixed CommandFactory.cs argument order
|
||||
- Updated PolicyDiagnostic model
|
||||
|
||||
**Build Result:** 0 errors, 8 warnings (non-blocking)
|
||||
|
||||
---
|
||||
|
||||
### Policy Studio Wave C (Resolved 2025-12-05)
|
||||
|
||||
Infrastructure created:
|
||||
- 11 policy scopes in `scopes.ts`
|
||||
- 7 policy guards in `auth.guard.ts`
|
||||
- Monaco language definition (`stella-dsl.language.ts`)
|
||||
- Policy API client (`policy-api.service.ts`)
|
||||
- 30+ TypeScript domain models
|
||||
|
||||
**10 tasks unblocked:** UI-POLICY-20-001 through UI-POLICY-23-006
|
||||
|
||||
---
|
||||
|
||||
### VEX Lens Chain (Resolved 2025-12-04)
|
||||
|
||||
Root blocker `VEX normalization + issuer directory specs` resolved.
|
||||
|
||||
**11 tasks unblocked:** VEXLENS-30-001 through VEXLENS-30-011
|
||||
|
||||
---
|
||||
|
||||
### Task Runner Observability Chain (Resolved 2025-12-04)
|
||||
|
||||
Root blocker `Timeline event schema` resolved.
|
||||
|
||||
**Tasks unblocked:**
|
||||
- TASKRUN-OBS-52-001, 53-001 (Sprint 0157)
|
||||
- TASKRUN-OBS-54-001, 55-001 (Sprint 0158)
|
||||
- ORCH-OBS-52-001, 54-001 (Sprint 0151)
|
||||
|
||||
---
|
||||
|
||||
### LEDGER-AIRGAP Chain (Resolved 2025-12-04)
|
||||
|
||||
Root blocker `ledger-airgap-staleness.schema.json` resolved.
|
||||
|
||||
**Tasks unblocked:**
|
||||
- LEDGER-AIRGAP-56-002, 57-001, 58-001 (Sprint 0120)
|
||||
- ORCH-AIRGAP-56-002 (Sprint 0151)
|
||||
|
||||
---
|
||||
|
||||
### Build Verification (2025-12-04)
|
||||
|
||||
**Confirmed:**
|
||||
- CLI builds: ✅ 0 errors
|
||||
- Scanner analyzers (PHP/Java/Ruby/Node/Python): ✅ All build
|
||||
- Disk space: ✅ 54GB available (not a blocker)
|
||||
|
||||
---
|
||||
|
||||
### Other Resolved Blockers
|
||||
|
||||
| Blocker | Resolution Date | Notes |
|
||||
|---------|-----------------|-------|
|
||||
| POLICY-20-001 | 2025-11-25 | Linkset APIs implemented |
|
||||
| AUTH-TEN-47-001 | 2025-11-19 | Tenant scope contract created |
|
||||
| WEB-POLICY-20-004 | 2025-12-04 | Rate limiting added |
|
||||
| CAGR0101 Graph platform | 2025-12-04 | Schema created |
|
||||
| Shared signals library | 2025-12-04 | StellaOps.Signals.Contracts created |
|
||||
| VERSION_MATRIX.md | 2025-12-04 | Service version matrix created |
|
||||
|
||||
---
|
||||
|
||||
### Object Storage Contract (Resolved 2025-12-05)
|
||||
|
||||
Root blocker `Object storage contract for raw payloads` resolved.
|
||||
|
||||
**Infrastructure created:**
|
||||
- `docs/schemas/object-storage.schema.json` - S3-compatible object storage contract
|
||||
- Defines `ObjectPointer`, `ProvenanceMetadata`, `MigrationRecord`, `PayloadReference`
|
||||
- Supports MinIO/S3 endpoints, deterministic pointers, GridFS migration tracking
|
||||
|
||||
**Tasks unblocked:**
|
||||
- CONCELIER-LNM-21-103-DEV (object storage migration)
|
||||
- Downstream chain: 21-201, 21-202, 21-203
|
||||
|
||||
---
|
||||
|
||||
### Concelier LNM Chain Status Sync (2025-12-05)
|
||||
|
||||
Fixed `tasks-all.md` sync issue - following tasks were already DONE but marked BLOCKED/TODO:
|
||||
- CONCELIER-LNM-21-003: DONE (2025-11-22)
|
||||
- CONCELIER-LNM-21-004: DONE (2025-11-27)
|
||||
- CONCELIER-LNM-21-005: DONE (2025-11-27)
|
||||
- CONCELIER-LNM-21-101: DONE (2025-11-27)
|
||||
- CONCELIER-LNM-21-102: DONE (2025-11-28)
|
||||
|
||||
---
|
||||
|
||||
## Cross-Reference
|
||||
|
||||
This archive supersedes resolved sections from:
|
||||
- Section 8.1 CLI Compile Failures
|
||||
- Section 8.2 Build Verification
|
||||
- Section 8.3 Specification Contracts Created
|
||||
- Section 8.4 Policy Studio Wave C
|
||||
- VEX Lens Chain (Section 3)
|
||||
- Task Runner Observability (Section 7.3)
|
||||
- LEDGER-AIRGAP staleness (Section 13)
|
||||
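Review bot: The "Total tasks unblocked by specifications: ~61" line in the new archive does not reconcile with the table directly above it. The ten schema rows add up to 54 when "10+" is counted as 10, and adding the four Concelier LNM tasks listed under "Object Storage Contract" only brings the figure to 58. Either add the rows that account for the difference or state how the total was derived, so the archive can be audited against `tasks-all.md`. Two smaller documentation gaps in the same file: "UI-POLICY-20-001 through UI-POLICY-23-006" is given as a range for 10 tasks without listing the IDs, and the "Cross-Reference" list names Sections 3, 7.3, 8.1 to 8.4 and 13 without naming the document those sections belong to, which leaves the superseded source ambiguous once this file is read on its own.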
@@ -739,86 +739,86 @@
|
||||
| DOCS-POLICY-23-008 | DONE (2025-11-26) | 2025-11-26 | SPRINT_307_docs_tasks_md_vii | Docs Guild · Policy Guild | docs/modules/policy/architecture.md | Refresh `/docs/modules/policy/architecture.md` with data model, sequence diagrams, event flows. Dependencies: DOCS-POLICY-23-007. | — | DOPL0101 |
|
||||
| DOCS-POLICY-23-009 | DONE (2025-11-26) | 2025-11-26 | SPRINT_307_docs_tasks_md_vii | Docs Guild · DevOps Guild | docs/migration/policy-parity.md | Create `/docs/migration/policy-parity.md` covering dual-run parity plan and rollback. Dependencies: DOCS-POLICY-23-008. | — | DOPL0102 |
|
||||
| DOCS-POLICY-23-010 | DONE (2025-11-26) | 2025-11-26 | SPRINT_307_docs_tasks_md_vii | Docs Guild · UI Guild | docs/ui/explainers.md | Write `/docs/ui/explainers.md` showing explain trees, evidence overlays, interpretation guidance. Dependencies: DOCS-POLICY-23-009. | — | DOPL0102 |
|
||||
| DOCS-POLICY-27-007 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · CLI Guild | docs/policy/runs.md | Update `/docs/policy/cli.md` with new commands, JSON schemas, CI usage, compliance checklist. Dependencies: DOCS-POLICY-27-006. | CLI samples from CLPS0102 | POKT0101 |
|
||||
| DOCS-POLICY-27-008 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Publish `/docs/policy/packs.md` covering pack imports/promotions/rollback. | Waiting on registry schema | POKT0101 |
|
||||
| DOCS-POLICY-27-007 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · CLI Guild | docs/policy/runs.md | Update `/docs/policy/cli.md` with new commands, JSON schemas, CI usage, compliance checklist. Dependencies: DOCS-POLICY-27-006. | CLI samples from CLPS0102 | POKT0101 |
|
||||
| DOCS-POLICY-27-008 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Publish `/docs/policy/packs.md` covering pack imports/promotions/rollback. | Waiting on registry schema | POKT0101 |
|
||||
| DOCS-POLICY-27-003 | BLOCKED | 2025-10-27 | SPRINT_307_docs_tasks_md_vii | Docs Guild · Policy Registry Guild | docs/policy/lifecycle.md | Document `/docs/policy/versioning-and-publishing.md` (semver rules, attestations, rollback) with compliance checklist. Dependencies: DOCS-POLICY-27-002. | Requires registry schema from CCWO0101 | DOPL0102 |
|
||||
| DOCS-POLICY-27-004 | BLOCKED | 2025-10-27 | SPRINT_307_docs_tasks_md_vii | Docs Guild · Scheduler Guild | docs/policy/lifecycle.md | Write `/docs/policy/simulation.md` covering quick vs batch sim, thresholds, evidence bundles, CLI examples. Dependencies: DOCS-POLICY-27-003. | Depends on scheduler hooks from 050_DEVL0101 | DOPL0102 |
|
||||
| DOCS-POLICY-27-005 | BLOCKED | 2025-10-27 | SPRINT_307_docs_tasks_md_vii | Docs Guild · Product Ops | docs/policy/lifecycle.md | Publish `/docs/policy/review-and-approval.md` with approver requirements, comments, webhooks, audit trail guidance. Dependencies: DOCS-POLICY-27-004. | Await product ops approvals | DOPL0102 |
|
||||
| DOCS-POLICY-27-006 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/policy/runs.md | Author `/docs/policy/promotion.md` covering environments, canary, rollback, and monitoring steps. Dependencies: DOCS-POLICY-27-005. | Need RLS decision from PLLG0104 | DOPL0103 |
|
||||
| DOCS-POLICY-27-007 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · CLI Guild | docs/policy/runs.md | Update `/docs/policy/cli.md` with new commands, JSON schemas, CI usage, and compliance checklist. Dependencies: DOCS-POLICY-27-006. | Requires CLI samples from 132_CLCI0110 | DOPL0103 |
|
||||
| DOCS-POLICY-27-008 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Publish `/docs/policy/api.md` describing Registry endpoints, request/response schemas, errors, and feature flags. Dependencies: DOCS-POLICY-27-007. | Waiting on registry schema (CCWO0101) | DOPL0103 |
|
||||
| DOCS-POLICY-27-009 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Security Guild | docs/policy/runs.md | Create `/docs/security/policy-attestations.md` covering signing, verification, key rotation, and compliance checklist. Dependencies: DOCS-POLICY-27-008. | Needs security review outputs | DOPL0103 |
|
||||
| DOCS-POLICY-27-010 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Architecture Guild | docs/policy/runs.md | Author `/docs/modules/policy/registry-architecture.md` (service design, schemas, queues, failure modes) with diagrams and checklist. Dependencies: DOCS-POLICY-27-009. | Depends on architecture review minutes | DOPL0103 |
|
||||
| DOCS-POLICY-27-011 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Observability Guild | docs/policy/runs.md | Publish `/docs/observability/policy-telemetry.md` with metrics/log tables, dashboards, alerts, and compliance checklist. Dependencies: DOCS-POLICY-27-010. | Requires observability hooks from 066_PLOB0101 | DOPL0103 |
|
||||
| DOCS-POLICY-27-012 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Ops Guild | docs/policy/runs.md | Write `/docs/runbooks/policy-incident.md` detailing rollback, freeze, forensic steps, notifications. Dependencies: DOCS-POLICY-27-011. | Needs ops playbooks (DVDO0108) | DOPL0103 |
|
||||
| DOCS-POLICY-27-013 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/policy/runs.md | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. Dependencies: DOCS-POLICY-27-012. | Await policy guild approval | DOPL0103 |
|
||||
| DOCS-POLICY-27-014 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. Dependencies: DOCS-POLICY-27-013. | Needs policy registry approvals | DOPL0103 |
|
||||
| DOCS-POLICY-27-006 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/policy/runs.md | Author `/docs/policy/promotion.md` covering environments, canary, rollback, and monitoring steps. Dependencies: DOCS-POLICY-27-005. | Need RLS decision from PLLG0104 | DOPL0103 |
|
||||
| DOCS-POLICY-27-007 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · CLI Guild | docs/policy/runs.md | Update `/docs/policy/cli.md` with new commands, JSON schemas, CI usage, and compliance checklist. Dependencies: DOCS-POLICY-27-006. | Requires CLI samples from 132_CLCI0110 | DOPL0103 |
|
||||
| DOCS-POLICY-27-008 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Publish `/docs/policy/api.md` describing Registry endpoints, request/response schemas, errors, and feature flags. Dependencies: DOCS-POLICY-27-007. | Waiting on registry schema (CCWO0101) | DOPL0103 |
|
||||
| DOCS-POLICY-27-009 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Security Guild | docs/policy/runs.md | Create `/docs/security/policy-attestations.md` covering signing, verification, key rotation, and compliance checklist. Dependencies: DOCS-POLICY-27-008. | Needs security review outputs | DOPL0103 |
|
||||
| DOCS-POLICY-27-010 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Architecture Guild | docs/policy/runs.md | Author `/docs/modules/policy/registry-architecture.md` (service design, schemas, queues, failure modes) with diagrams and checklist. Dependencies: DOCS-POLICY-27-009. | Depends on architecture review minutes | DOPL0103 |
|
||||
| DOCS-POLICY-27-011 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Observability Guild | docs/policy/runs.md | Publish `/docs/observability/policy-telemetry.md` with metrics/log tables, dashboards, alerts, and compliance checklist. Dependencies: DOCS-POLICY-27-010. | Requires observability hooks from 066_PLOB0101 | DOPL0103 |
|
||||
| DOCS-POLICY-27-012 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Ops Guild | docs/policy/runs.md | Write `/docs/runbooks/policy-incident.md` detailing rollback, freeze, forensic steps, notifications. Dependencies: DOCS-POLICY-27-011. | Needs ops playbooks (DVDO0108) | DOPL0103 |
|
||||
| DOCS-POLICY-27-013 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/policy/runs.md | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. Dependencies: DOCS-POLICY-27-012. | Await policy guild approval | DOPL0103 |
|
||||
| DOCS-POLICY-27-014 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. Dependencies: DOCS-POLICY-27-013. | Needs policy registry approvals | DOPL0103 |
|
||||
| DOCS-POLICY-DET-01 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Policy Guild | docs/policy/runs.md | Extend `docs/modules/policy/architecture.md` with determinism gate semantics and provenance references. | Depends on deterministic harness (137_SCDT0101) | DOPL0103 |
|
||||
| DOCS-PROMO-70-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Provenance Guild | docs/release/promotion-attestations.md | Publish `/docs/release/promotion-attestations.md` describing the promotion workflow (CLI commands, Signer/Attestor integration, offline verification) and update `/docs/forensics/provenance-attestation.md` with the new predicate. Dependencies: PROV-OBS-53-003, CLI-PROMO-70-002. | — | DOPV0101 |
|
||||
| DOCS-REACH-201-006 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Docs Guild · Runtime Evidence Guild | docs/reachability | Author the reachability doc set (`docs/signals/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operators’ workflow. | Needs RBRE0101 provenance hook summary | DORC0101 |
|
||||
| DOCS-REPLAY-185-003 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild · Platform Data Guild | docs/replay | Author `docs/data/replay_schema.md` detailing `replay_runs`, `replay_bundles`, `replay_subjects` collections, index guidance, and offline sync strategy aligned with Replay CAS. | Need RPRC0101 API freeze | DORR0101 |
|
||||
| DOCS-REPLAY-185-004 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild | docs/replay | Expand `docs/replay/DEVS_GUIDE_REPLAY.md` with integration guidance for consuming services (Scanner, Evidence Locker, CLI) and add checklist derived from `docs/replay/DETERMINISTIC_REPLAY.md` Section 11. | Depends on #1 | DORR0101 |
|
||||
| DOCS-REPLAY-186-004 | DONE (2025-11-26) | 2025-11-26 | SPRINT_186_record_deterministic_execution | Docs Guild · Runtime Evidence Guild | docs/replay/TEST_STRATEGY.md | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade) and link it from both replay docs and Scanner architecture pages. | — | DORR0101 |
|
||||
| DOCS-RISK-66-001 | TODO | | SPRINT_308_docs_tasks_md_viii | Docs Guild · Risk Profile Schema Guild | docs/risk | Publish `/docs/risk/overview.md` covering concepts and glossary. | Need schema approvals from PLLG0104 | DORS0101 |
|
||||
| DOCS-RISK-66-002 | TODO | | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/risk | Author `/docs/risk/profiles.md` (authoring, versioning, scope). Dependencies: DOCS-RISK-66-001. | Depends on #1 | DORS0101 |
|
||||
| DOCS-RISK-66-003 | TODO | | SPRINT_308_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Publish `/docs/risk/factors.md` cataloging signals, transforms, reducers, TTLs. Dependencies: DOCS-RISK-66-002. | Requires engine contract from Risk Engine Guild | DORS0101 |
|
||||
| DOCS-RISK-66-004 | TODO | | SPRINT_308_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Create `/docs/risk/formulas.md` detailing math, normalization, gating, severity. Dependencies: DOCS-RISK-66-003. | Needs engine rollout notes | DORS0101 |
|
||||
| DOCS-RISK-67-001 | TODO | | SPRINT_308_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Publish `/docs/risk/explainability.md` showing artifact schema and UI screenshots. Dependencies: DOCS-RISK-66-004. | Wait for engine metrics from 066_PLOB0101 | DORS0101 |
|
||||
| DOCS-RISK-67-002 | TODO | | SPRINT_308_docs_tasks_md_viii | Docs Guild · API Guild | docs/risk | Produce `/docs/risk/api.md` with endpoint reference/examples. Dependencies: DOCS-RISK-67-001. | Requires API publishing workflow | DORS0101 |
|
||||
| DOCS-RISK-67-003 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Console Guild | docs/risk | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. Dependencies: DOCS-RISK-67-002. | Needs console overlay decision | DORS0101 |
|
||||
| DOCS-RISK-67-004 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/risk | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. Dependencies: DOCS-RISK-67-003. | Requires CLI samples from 132_CLCI0110 | DORS0101 |
|
||||
| DOCS-RISK-68-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Export Guild | docs/risk | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. Dependencies: DOCS-RISK-67-004. | Wait for export contract (069_AGEX0101) | DORS0101 |
|
||||
| DOCS-RISK-68-002 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/risk | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. Dependencies: DOCS-RISK-68-001. | Requires security approvals | DORS0101 |
|
||||
| DOCS-RISK-66-001 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Risk Profile Schema Guild | docs/risk | Publish `/docs/risk/overview.md` covering concepts and glossary. | Need schema approvals from PLLG0104 | DORS0101 |
|
||||
| DOCS-RISK-66-002 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/risk | Author `/docs/risk/profiles.md` (authoring, versioning, scope). Dependencies: DOCS-RISK-66-001. | Depends on #1 | DORS0101 |
|
||||
| DOCS-RISK-66-003 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Publish `/docs/risk/factors.md` cataloging signals, transforms, reducers, TTLs. Dependencies: DOCS-RISK-66-002. | Requires engine contract from Risk Engine Guild | DORS0101 |
|
||||
| DOCS-RISK-66-004 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Create `/docs/risk/formulas.md` detailing math, normalization, gating, severity. Dependencies: DOCS-RISK-66-003. | Needs engine rollout notes | DORS0101 |
|
||||
| DOCS-RISK-67-001 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Publish `/docs/risk/explainability.md` showing artifact schema and UI screenshots. Dependencies: DOCS-RISK-66-004. | Wait for engine metrics from 066_PLOB0101 | DORS0101 |
|
||||
| DOCS-RISK-67-002 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · API Guild | docs/risk | Produce `/docs/risk/api.md` with endpoint reference/examples. Dependencies: DOCS-RISK-67-001. | Requires API publishing workflow | DORS0101 |
|
||||
| DOCS-RISK-67-003 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Console Guild | docs/risk | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. Dependencies: DOCS-RISK-67-002. | Needs console overlay decision | DORS0101 |
|
||||
| DOCS-RISK-67-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/risk | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. Dependencies: DOCS-RISK-67-003. | Requires CLI samples from 132_CLCI0110 | DORS0101 |
|
||||
| DOCS-RISK-68-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Export Guild | docs/risk | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. Dependencies: DOCS-RISK-67-004. | Wait for export contract (069_AGEX0101) | DORS0101 |
|
||||
| DOCS-RISK-68-002 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/risk | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. Dependencies: DOCS-RISK-68-001. | Requires security approvals | DORS0101 |
|
||||
| DOCS-RUNBOOK-401-017 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Ops Guild | `docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md` | Publish the reachability runtime ingestion runbook, link it from delivery guides, and keep Ops/Signals troubleshooting steps current. | — | DORU0101 |
|
||||
| DOCS-RUNBOOK-55-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Ops Guild | docs/runbooks | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Requires deployment checklist from DVPL0101 | DORU0101 |
|
||||
| DOCS-SCANNER-BENCH-62-002 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture customer demand for Windows/macOS analyzer coverage and document outcomes. | Need bench inputs from SCSA0301 | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-003 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture Python lockfile/editable install requirements and document policy guidance. | Depends on #1 | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-004 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Java Analyzer Guild | docs/modules/scanner/benchmarks | Document Java lockfile ingestion guidance and policy templates. | Requires Java analyzer notes | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-005 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Go Analyzer Guild | docs/modules/scanner/benchmarks | Document Go stripped-binary fallback enrichment guidance once implementation lands. | Needs Go analyzer results | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-006 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Document Rust fingerprint enrichment guidance and policy examples. | Requires updated benchmarks from SCSA0601 | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Platform Data Guild | docs/modules/scanner/benchmarks | Publish EntryTrace explain/heuristic maintenance guide. | Wait for replay hooks (RPRC0101) | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · DevEx/CLI Guild | docs/modules/scanner/benchmarks | Produce SAST integration documentation (connector framework, policy templates). | Depends on CLI samples (132_CLCI0110) | DOSB0101 |
|
||||
| DOCS-RUNBOOK-55-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Ops Guild | docs/runbooks | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Requires deployment checklist from DVPL0101 | DORU0101 |
|
||||
| DOCS-SCANNER-BENCH-62-002 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture customer demand for Windows/macOS analyzer coverage and document outcomes. | Need bench inputs from SCSA0301 | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-003 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture Python lockfile/editable install requirements and document policy guidance. | Depends on #1 | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-004 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Java Analyzer Guild | docs/modules/scanner/benchmarks | Document Java lockfile ingestion guidance and policy templates. | Requires Java analyzer notes | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Go Analyzer Guild | docs/modules/scanner/benchmarks | Document Go stripped-binary fallback enrichment guidance once implementation lands. | Needs Go analyzer results | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Document Rust fingerprint enrichment guidance and policy examples. | Requires updated benchmarks from SCSA0601 | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Platform Data Guild | docs/modules/scanner/benchmarks | Publish EntryTrace explain/heuristic maintenance guide. | Wait for replay hooks (RPRC0101) | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevEx/CLI Guild | docs/modules/scanner/benchmarks | Produce SAST integration documentation (connector framework, policy templates). | Depends on CLI samples (132_CLCI0110) | DOSB0101 |
|
||||
| DOCS-SCANNER-DET-01 | DONE (2025-12-03) | 2025-12-03 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | docs/modules/scanner/benchmarks | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates + fixture bundle (`docs/modules/scanner/fixtures/deterministic-compose/`). | Fixtures published via Sprint 0136; harness verified. | DOSB0101 |
|
||||
| DOCS-SDK-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · SDK Generator Guild | docs/sdk | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Need SDK toolchain notes from SDKG0101 | DOSK0101 |
|
||||
| DOCS-SEC-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Need security ADR from DVDO0110 | DOSE0101 |
|
||||
| DOCS-SEC-OBS-50-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Depends on PLOB0101 metrics | DOSE0101 |
|
||||
| DOCS-SIG-26-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Need SGSI0101 metrics freeze | DOSG0101 |
|
||||
| DOCS-SIG-26-002 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Observability Guild | docs/modules/signals | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. Dependencies: DOCS-SIG-26-001. | Depends on #1 | DOSG0101 |
|
||||
| DOCS-SIG-26-003 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. Dependencies: DOCS-SIG-26-002. | Requires SSE contract from SGSI0101 | DOSG0101 |
|
||||
| DOCS-SIG-26-004 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/modules/signals | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. Dependencies: DOCS-SIG-26-003. | Needs CLI samples (132_CLCI0110) | DOSG0101 |
|
||||
| DOCS-SIG-26-005 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · DevOps Guild | docs/modules/signals | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. Dependencies: DOCS-SIG-26-004. | Wait for DevOps rollout plan | DOSG0101 |
|
||||
| DOCS-SIG-26-006 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/modules/signals | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. Dependencies: DOCS-SIG-26-005. | Requires security guidance (DVDO0110) | DOSG0101 |
|
||||
| DOCS-SIG-26-007 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Policy Guild | docs/modules/signals | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. Dependencies: DOCS-SIG-26-006. | Needs policy overlay from PLVL0102 | DOSG0101 |
|
||||
| DOCS-SIG-26-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Notifications Guild | docs/modules/signals | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. Dependencies: DOCS-SIG-26-007. | Depends on notifications hooks (058_NOTY0101) | DOSG0101 |
|
||||
| DOCS-SURFACE-01 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Surface Guild | docs/modules/scanner/surface | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Need latest surface emit notes (SCANNER-SURFACE-04) | DOSS0101 |
|
||||
| DOCS-SDK-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · SDK Generator Guild | docs/sdk | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Need SDK toolchain notes from SDKG0101 | DOSK0101 |
|
||||
| DOCS-SEC-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Need security ADR from DVDO0110 | DOSE0101 |
|
||||
| DOCS-SEC-OBS-50-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Depends on PLOB0101 metrics | DOSE0101 |
|
||||
| DOCS-SIG-26-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Need SGSI0101 metrics freeze | DOSG0101 |
|
||||
| DOCS-SIG-26-002 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Observability Guild | docs/modules/signals | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. Dependencies: DOCS-SIG-26-001. | Depends on #1 | DOSG0101 |
|
||||
| DOCS-SIG-26-003 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. Dependencies: DOCS-SIG-26-002. | Requires SSE contract from SGSI0101 | DOSG0101 |
|
||||
| DOCS-SIG-26-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/modules/signals | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. Dependencies: DOCS-SIG-26-003. | Needs CLI samples (132_CLCI0110) | DOSG0101 |
|
||||
| DOCS-SIG-26-005 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · DevOps Guild | docs/modules/signals | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. Dependencies: DOCS-SIG-26-004. | Wait for DevOps rollout plan | DOSG0101 |
|
||||
| DOCS-SIG-26-006 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/modules/signals | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. Dependencies: DOCS-SIG-26-005. | Requires security guidance (DVDO0110) | DOSG0101 |
|
||||
| DOCS-SIG-26-007 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Policy Guild | docs/modules/signals | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. Dependencies: DOCS-SIG-26-006. | Needs policy overlay from PLVL0102 | DOSG0101 |
|
||||
| DOCS-SIG-26-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Notifications Guild | docs/modules/signals | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. Dependencies: DOCS-SIG-26-007. | Depends on notifications hooks (058_NOTY0101) | DOSG0101 |
|
||||
| DOCS-SURFACE-01 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Surface Guild | docs/modules/scanner/surface | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Need latest surface emit notes (SCANNER-SURFACE-04) | DOSS0101 |
|
||||
| DOCS-SYMS-70-003 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Symbols Guild | docs/specs/symbols/SYMBOL_MANIFEST_v1.md | Author symbol-server architecture/spec docs (`docs/specs/symbols/SYMBOL_MANIFEST_v1.md`, API reference, bundle guide) and update reachability guides with symbol lookup workflow and tenant controls. Dependencies: SYMS-SERVER-401-011, SYMS-INGEST-401-013. | — | DOSY0101 |
|
||||
| DOCS-TEN-47-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Need tenancy ADR from DVDO0110 | DOTN0101 |
|
||||
| DOCS-TEN-48-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. Dependencies: DOCS-TEN-47-001. | Depends on #1 | DOTN0101 |
|
||||
| DOCS-TEN-49-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/tenancy | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. Dependencies: DOCS-TEN-48-001. | Requires monitoring plan from DVDO0110 | DOTN0101 |
|
||||
| DOCS-TEST-62-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · SDK Generator Guild | docs/sdk | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. | Depends on #1 | DOSK0101 |
|
||||
| DOCS-VEX-30-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Need PLVL0102 schema snapshot | DOVX0101 |
|
||||
| DOCS-VEX-30-002 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. Dependencies: DOCS-VEX-30-001. | Depends on #1 | DOVX0101 |
|
||||
| DOCS-VEX-30-003 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Issuer Directory Guild | docs/modules/vex-lens | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). Dependencies: DOCS-VEX-30-002. | Requires Issuer Directory inputs | DOVX0101 |
|
||||
| DOCS-VEX-30-004 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. Dependencies: DOCS-VEX-30-003. | Needs PLVL0102 policy join notes | DOVX0101 |
|
||||
| DOCS-VEX-30-005 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Console Guild | docs/modules/vex-lens | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. Dependencies: DOCS-VEX-30-004. | Requires console overlay assets | DOVX0101 |
|
||||
| DOCS-VEX-30-006 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Policy Guild | docs/modules/vex-lens | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. Dependencies: DOCS-VEX-30-005. | Needs waiver/exception guidance | DOVX0101 |
|
||||
| DOCS-VEX-30-007 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · SBOM Service Guild | docs/modules/vex-lens | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). Dependencies: DOCS-VEX-30-006. | Depends on SBOM/VEX dataflow spec | DOVX0101 |
|
||||
| DOCS-VEX-30-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/vex-lens | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). Dependencies: DOCS-VEX-30-007. | Requires security review (DVDO0110) | DOVX0101 |
|
||||
| DOCS-VEX-30-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/vex-lens | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. Dependencies: DOCS-VEX-30-008. | Needs DevOps rollout plan | DOVX0101 |
|
||||
| DOCS-TEN-47-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Need tenancy ADR from DVDO0110 | DOTN0101 |
|
||||
| DOCS-TEN-48-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. Dependencies: DOCS-TEN-47-001. | Depends on #1 | DOTN0101 |
|
||||
| DOCS-TEN-49-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/tenancy | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. Dependencies: DOCS-TEN-48-001. | Requires monitoring plan from DVDO0110 | DOTN0101 |
|
||||
| DOCS-TEST-62-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · SDK Generator Guild | docs/sdk | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. | Depends on #1 | DOSK0101 |
|
||||
| DOCS-VEX-30-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Need PLVL0102 schema snapshot | DOVX0101 |
|
||||
| DOCS-VEX-30-002 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. Dependencies: DOCS-VEX-30-001. | Depends on #1 | DOVX0101 |
|
||||
| DOCS-VEX-30-003 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Issuer Directory Guild | docs/modules/vex-lens | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). Dependencies: DOCS-VEX-30-002. | Requires Issuer Directory inputs | DOVX0101 |
|
||||
| DOCS-VEX-30-004 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. Dependencies: DOCS-VEX-30-003. | Needs PLVL0102 policy join notes | DOVX0101 |
|
||||
| DOCS-VEX-30-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Console Guild | docs/modules/vex-lens | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. Dependencies: DOCS-VEX-30-004. | Requires console overlay assets | DOVX0101 |
|
||||
| DOCS-VEX-30-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Policy Guild | docs/modules/vex-lens | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. Dependencies: DOCS-VEX-30-005. | Needs waiver/exception guidance | DOVX0101 |
|
||||
| DOCS-VEX-30-007 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · SBOM Service Guild | docs/modules/vex-lens | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). Dependencies: DOCS-VEX-30-006. | Depends on SBOM/VEX dataflow spec | DOVX0101 |
|
||||
| DOCS-VEX-30-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/vex-lens | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). Dependencies: DOCS-VEX-30-007. | Requires security review (DVDO0110) | DOVX0101 |
|
||||
| DOCS-VEX-30-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/vex-lens | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. Dependencies: DOCS-VEX-30-008. | Needs DevOps rollout plan | DOVX0101 |
|
||||
| DOCS-VEX-401-012 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · VEX Lens Guild | `docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md` | Maintain the VEX Evidence Playbook, publish repo templates/README, and document verification workflows for operators. | Need VEX evidence export from PLVL0102 | DOVB0101 |
|
||||
| DOCS-VULN-29-001 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Need GRAP0101 contract | DOVL0101 |
|
||||
| DOCS-VULN-29-002 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. Dependencies: DOCS-VULN-29-001. | Depends on #1 | DOVL0101 |
|
||||
| DOCS-VULN-29-003 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · UI Guild | docs/modules/vuln-explorer | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). Dependencies: DOCS-VULN-29-002. | Requires UI assets | DOVL0101 |
|
||||
| DOCS-VULN-29-004 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Policy Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. Dependencies: DOCS-VULN-29-003. | Needs policy overlay inputs | DOVL0101 |
|
||||
| DOCS-VULN-29-005 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Security Guild | docs/modules/vuln-explorer | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. Dependencies: DOCS-VULN-29-004. | Requires security review | DOVL0101 |
|
||||
| DOCS-VULN-29-006 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · DevOps Guild | docs/modules/vuln-explorer | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. Dependencies: DOCS-VULN-29-005. | Depends on DevOps rollout plan | DOVL0101 |
|
||||
| DOCS-VULN-29-007 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · DevEx/CLI Guild | docs/modules/vuln-explorer | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. Dependencies: DOCS-VULN-29-006. | Needs CLI examples (132_CLCI0110) | DOVL0101 |
|
||||
| DOCS-VULN-29-008 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Export Center Guild | docs/modules/vuln-explorer | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. Dependencies: DOCS-VULN-29-007. | Need export bundle spec | DOVL0102 |
|
||||
| DOCS-VULN-29-009 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Security Guild | docs/modules/vuln-explorer | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. Dependencies: DOCS-VULN-29-008. | Depends on #1 | DOVL0102 |
|
||||
| DOCS-VULN-29-010 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · DevOps Guild | docs/modules/vuln-explorer | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). Dependencies: DOCS-VULN-29-009. | Requires DevOps automation plan | DOVL0102 |
|
||||
| DOCS-VULN-29-011 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Notifications Guild | docs/modules/vuln-explorer | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. Dependencies: DOCS-VULN-29-010. | Needs notifications contract | DOVL0102 |
|
||||
| DOCS-VULN-29-012 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Policy Guild | docs/modules/vuln-explorer | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). Dependencies: DOCS-VULN-29-011. | Requires policy overlay outputs | DOVL0102 |
|
||||
| DOCS-VULN-29-013 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · DevEx/CLI Guild | docs/modules/vuln-explorer | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. Dependencies: DOCS-VULN-29-012. | Needs CLI/export scripts from 132_CLCI0110 | DOVL0102 |
|
||||
| DOCS-VULN-29-001 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Need GRAP0101 contract | DOVL0101 |
|
||||
| DOCS-VULN-29-002 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. Dependencies: DOCS-VULN-29-001. | Depends on #1 | DOVL0101 |
|
||||
| DOCS-VULN-29-003 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · UI Guild | docs/modules/vuln-explorer | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). Dependencies: DOCS-VULN-29-002. | Requires UI assets | DOVL0101 |
|
||||
| DOCS-VULN-29-004 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Policy Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. Dependencies: DOCS-VULN-29-003. | Needs policy overlay inputs | DOVL0101 |
|
||||
| DOCS-VULN-29-005 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Security Guild | docs/modules/vuln-explorer | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. Dependencies: DOCS-VULN-29-004. | Requires security review | DOVL0101 |
|
||||
| DOCS-VULN-29-006 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · DevOps Guild | docs/modules/vuln-explorer | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. Dependencies: DOCS-VULN-29-005. | Depends on DevOps rollout plan | DOVL0101 |
|
||||
| DOCS-VULN-29-007 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · DevEx/CLI Guild | docs/modules/vuln-explorer | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. Dependencies: DOCS-VULN-29-006. | Needs CLI examples (132_CLCI0110) | DOVL0101 |
|
||||
| DOCS-VULN-29-008 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Export Center Guild | docs/modules/vuln-explorer | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. Dependencies: DOCS-VULN-29-007. | Need export bundle spec | DOVL0102 |
|
||||
| DOCS-VULN-29-009 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Security Guild | docs/modules/vuln-explorer | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. Dependencies: DOCS-VULN-29-008. | Depends on #1 | DOVL0102 |
|
||||
| DOCS-VULN-29-010 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · DevOps Guild | docs/modules/vuln-explorer | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). Dependencies: DOCS-VULN-29-009. | Requires DevOps automation plan | DOVL0102 |
|
||||
| DOCS-VULN-29-011 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Notifications Guild | docs/modules/vuln-explorer | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. Dependencies: DOCS-VULN-29-010. | Needs notifications contract | DOVL0102 |
|
||||
| DOCS-VULN-29-012 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Policy Guild | docs/modules/vuln-explorer | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). Dependencies: DOCS-VULN-29-011. | Requires policy overlay outputs | DOVL0102 |
|
||||
| DOCS-VULN-29-013 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · DevEx/CLI Guild | docs/modules/vuln-explorer | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. Dependencies: DOCS-VULN-29-012. | Needs CLI/export scripts from 132_CLCI0110 | DOVL0102 |
|
||||
| DOWNLOADS-CONSOLE-23-001 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Docs Guild · Deployment Guild | docs/console | Maintain signed downloads manifest pipeline (images, Helm, offline bundles), publish JSON under `deploy/downloads/manifest.json`, and document sync cadence for Console + docs parity. | Need latest console build instructions | DOCN0101 |
|
||||
| DPOP-11-001 | TODO | 2025-11-08 | SPRINT_100_identity_signing | Docs Guild · Authority Core | src/Authority/StellaOps.Authority | Need DPoP ADR from PGMI0101 | AUTH-AOC-19-002 | DODP0101 |
|
||||
| DSL-401-005 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Policy Guild | `docs/policy/dsl.md`, `docs/policy/lifecycle.md` | Depends on PLLG0101 DSL updates | Depends on PLLG0101 DSL updates | DODP0101 |
|
||||
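Review bot: DOCS-SYMS-70-003 in the middle of this hunk still references `SPRINT_304_docs_tasks_md_iv`, while the DOCS-TEN, DOCS-TEST, DOCS-VEX and DOCS-VULN rows around it move to the zero-padded form (`SPRINT_0310_0001_0010_docs_tasks_md_x`, `SPRINT_0311_0001_0001_docs_tasks_md_xi`). If sprint 304 also has a padded identifier, update it in the same pass so the docs_tasks series is not split across two naming schemes; if it was left on purpose, say so in the commit message. Separately, the renamed rows carry over blockers such as `Depends on #1`, a positional reference that cannot be resolved from the flat table; naming the blocking task ID instead would make those rows self-contained.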
@@ -1360,14 +1360,14 @@
|
||||
| POLICY-27-004 | TODO | | SPRINT_204_cli_iv | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Add publish/promote/rollback/sign commands with attestation checks and canary args. | POLICY-27-003 | CLPS0102 |
|
||||
| POLICY-27-005 | TODO | | SPRINT_204_cli_iv | DevEx/CLI Guild · Docs Guild | src/Cli/StellaOps.Cli | Update CLI docs/samples for Policy Studio (JSON schemas, exit codes, CI snippets). | POLICY-27-004 | CLPS0102 |
|
||||
| POLICY-27-006 | TODO | | SPRINT_204_cli_iv | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Update CLI policy scopes/help text to request new Policy Studio scopes and adjust regression tests. | POLICY-27-005 | CLPS0102 |
|
||||
| POLICY-27-007 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, DevEx/CLI Guild (docs) | | | | |
|
||||
| POLICY-27-008 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Policy Registry Guild (docs) | | | | |
|
||||
| POLICY-27-009 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Security Guild (docs) | | | | |
|
||||
| POLICY-27-010 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Architecture Guild (docs) | | | | |
|
||||
| POLICY-27-011 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Observability Guild (docs) | | | | |
|
||||
| POLICY-27-012 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Ops Guild (docs) | | | | |
|
||||
| POLICY-27-013 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Policy Guild (docs) | | | | |
|
||||
| POLICY-27-014 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Policy Registry Guild (docs) | | | | |
|
||||
| POLICY-27-007 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, DevEx/CLI Guild (docs) | | | | |
|
||||
| POLICY-27-008 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Policy Registry Guild (docs) | | | | |
|
||||
| POLICY-27-009 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Security Guild (docs) | | | | |
|
||||
| POLICY-27-010 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Architecture Guild (docs) | | | | |
|
||||
| POLICY-27-011 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Observability Guild (docs) | | | | |
|
||||
| POLICY-27-012 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Ops Guild (docs) | | | | |
|
||||
| POLICY-27-013 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Policy Guild (docs) | | | | |
|
||||
| POLICY-27-014 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Policy Registry Guild (docs) | | | | |
|
||||
| POLICY-401-026 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild · Concelier Guild (`docs/policy/dsl.md`, `docs/uncertainty/README.md`) | `docs/policy/dsl.md`, `docs/uncertainty/README.md` | | | |
|
||||
| POLICY-AIRGAP-56-001 | TODO | | SPRINT_123_policy_reasoning | Policy Guild | src/Policy/StellaOps.Policy.Engine | Support policy pack imports from mirror bundles, track `bundle_id` metadata, deterministic caching. | OFFK0101 | POAI0101 |
|
||||
| POLICY-AIRGAP-56-002 | TODO | | SPRINT_123_policy_reasoning | Policy Guild · Policy Studio Guild | src/Policy/StellaOps.Policy.Engine | Export policy sub-bundles with version metadata + checksums. | POLICY-AIRGAP-56-001 | POAI0101 |
|
||||
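Review bot: POLICY-27-007 through POLICY-27-014 stay BLOCKED (2025-10-27) with empty path, description and blocker cells on the re-pointed rows, so the table records neither what each task delivers nor what it is waiting on. Every one of these rows is being rewritten here anyway, so fill in at least the blocking reason, as the RISK-67-003 row does ("Blocked by missing risk profile schema + lifecycle API contract."), or link the sprint file section that holds it.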
@@ -1532,7 +1532,7 @@
|
||||
| RISK-67-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
|
||||
| RISK-67-002 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | | POLICY-RISK-67-001 | |
|
||||
| RISK-67-003 | BLOCKED (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-RISK-67-002 | Blocked by missing risk profile schema + lifecycle API contract. |
|
||||
| RISK-67-004 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, CLI Guild (docs) | | | | |
|
||||
| RISK-67-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, CLI Guild (docs) | | | | |
|
||||
| RISK-68-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild, Policy Studio Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
|
||||
| RISK-68-002 | TODO | | SPRINT_128_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | | POLICY-RISK-68-001 | |
|
||||
| RISK-69-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild, Notifications Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
|
||||
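Review bot: the context rows around RISK-67-004 show what looks like one sprint under two identifiers: RISK-67-002 and RISK-68-002 use `SPRINT_128_policy_reasoning`, while RISK-67-003 uses `SPRINT_0128_0001_0001_policy_reasoning`. This hunk only normalises the docs sprint on RISK-67-004; either bring the two `SPRINT_128_policy_reasoning` rows to the padded form in the same change or note that they are handled separately, otherwise anything grouping tasks by sprint ID will split this sprint in two.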
@@ -1556,7 +1556,7 @@
|
||||
| RISK-ENGINE-70-002 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Risk Engine Guild, Observability Guild / src/RiskEngine/StellaOps.RiskEngine | src/RiskEngine/StellaOps.RiskEngine | Integrate runtime evidence provider and reachability provider outputs with caching + TTL | RISK-ENGINE-70-001 | |
|
||||
| RULES-33-001 | REVIEW (2025-10-30) | 2025-10-30 | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild, Platform Leads (ops/devops) | ops/devops | | | |
|
||||
| RUNBOOK-401-017 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Ops Guild (`docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md`) | `docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md` | | | |
|
||||
| RUNBOOK-55-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, Ops Guild (docs) | | | | |
|
||||
| RUNBOOK-55-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, Ops Guild (docs) | | | | |
|
||||
| RUNBOOK-REPLAY-187-004 | TODO | | SPRINT_160_export_evidence | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` | docs/runbooks/replay_ops.md | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` | | |
|
||||
| RUNTIME-401-002 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Signals Guild (`src/Signals/StellaOps.Signals`) | `src/Signals/StellaOps.Signals` | | | |
|
||||
| RUNTIME-PROBE-401-010 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | `src/Signals/StellaOps.Signals.Runtime`, `ops/probes` | Implement lightweight runtime probes (EventPipe/.NET, JFR/JVM) that capture method enter events for the target components, package them as CAS traces, and feed them into the Signals ingestion pipeline. | | |
|
||||
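Review bot: RUNBOOK-REPLAY-187-004, the row directly below the renamed RUNBOOK-55-001, has its description cell filled with a copy of its owner cell (Docs/Ops Guild · `/docs/runbooks/replay_ops.md`), and RUNBOOK-55-001 itself keeps empty path and description cells after the rename. Worth fixing while this block is being touched: put the actual task description in RUNBOOK-REPLAY-187-004 and give RUNBOOK-55-001 the runbook path it is meant to produce.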
@@ -1675,13 +1675,13 @@
|
||||
| SCANNER-ANALYZERS-RUBY-28-010 | TODO | | SPRINT_135_scanner_surface | Ruby Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby | Optional runtime evidence integration (if provided logs/metrics) with path hashing, without altering static precedence. | SCANNER-ANALYZERS-RUBY-28-009 | |
|
||||
| SCANNER-ANALYZERS-RUBY-28-011 | TODO | | SPRINT_135_scanner_surface | Ruby Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby | Package analyzer plug-in, add CLI (`stella ruby inspect`), refresh Offline Kit documentation. | SCANNER-ANALYZERS-RUBY-28-010 | |
|
||||
| SCANNER-ANALYZERS-RUBY-28-012 | TODO | | SPRINT_135_scanner_surface | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby | Policy signal emitter: rubygems drift, native extension flags, dangerous constructs counts, TLS verify posture, dynamic require eval warnings. | SCANNER-ANALYZERS-RUBY-28-011 | |
|
||||
| SCANNER-BENCH-62-002 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-003 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-004 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Java Analyzer Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-005 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Go Analyzer Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-006 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Rust Analyzer Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, EntryTrace Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-002 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-003 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-004 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Java Analyzer Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Go Analyzer Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Rust Analyzer Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, EntryTrace Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | |
|
||||
| SCANNER-CLI-0001 | DONE | 2025-11-10 | SPRINT_0138_0000_0001_scanner_ruby_parity | CLI Guild, Ruby Analyzer Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Coordinate CLI UX/help text for new Ruby verbs and update CLI docs/golden outputs. | SCANNER-ENG-0019 | |
|
||||
| SCANNER-DET-01 | DONE (2025-12-03) | 2025-12-03 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | | Deterministic compose fixtures landed; docs published. | |
|
||||
| SCANNER-DOCS-0003 | TODO | | SPRINT_327_docs_modules_scanner | Docs Guild, Product Guild (docs/modules/scanner) | docs/modules/scanner | Gather Windows/macOS analyzer demand signals and record findings in `docs/benchmarks/scanner/windows-macos-demand.md` for marketing + product readiness. | | |
|
||||
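Review bot: the SCANNER-DET-01 context row at the end of this hunk has eight cells where every other row here has nine (compare SCANNER-CLI-0001 just above it), so its description sits one column off from where the final reference column is expected and the row is short by one cell. Add the missing empty cell so the table parses consistently. Also, the SCANNER-BENCH-62 rows run 002 to 006 and then 008, 009 on both the old and new side; if 62-007 was dropped or moved, a one-line mention in the commit message would save the next reader a search.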
@@ -1775,7 +1775,7 @@
|
||||
| SDKREL-63-002 | TODO | | SPRINT_0208_0001_0001_sdk | SDK Release Guild, API Governance Guild (src/Sdk/StellaOps.Sdk.Release) | src/Sdk/StellaOps.Sdk.Release | Integrate changelog automation pulling from OAS diffs and generator metadata. Dependencies: SDKREL-63-001. | | |
|
||||
| SDKREL-64-001 | TODO | | SPRINT_0208_0001_0001_sdk | SDK Release Guild, Notifications Guild (src/Sdk/StellaOps.Sdk.Release) | src/Sdk/StellaOps.Sdk.Release | Hook SDK releases into Notifications Studio with scoped announcements and RSS/Atom feeds. Dependencies: SDKREL-63-002. | | |
|
||||
| SDKREL-64-002 | TODO | | SPRINT_0208_0001_0001_sdk | SDK Release Guild, Export Center Guild (src/Sdk/StellaOps.Sdk.Release) | src/Sdk/StellaOps.Sdk.Release | Add `devportal --offline` bundle job packaging docs, specs, SDK artifacts for air-gapped users. Dependencies: SDKREL-64-001. | | |
|
||||
| SEC-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, Authority Core (docs) | | | | |
|
||||
| SEC-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, Authority Core (docs) | | | | |
|
||||
| SEC-CRYPTO-90-001 | DONE | 2025-11-07 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | Produce the RootPack_RU implementation plan, provider strategy (CryptoPro + PKCS#11), and backlog split for sovereign crypto work. | | |
|
||||
| SEC-CRYPTO-90-002 | DONE | 2025-11-07 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | Extend signature/catalog constants and configuration schema to recognize `GOST12-256/512`, regional crypto profiles, and provider preference ordering. | | |
|
||||
| SEC-CRYPTO-90-003 | DONE | 2025-11-07 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | Implement `StellaOps.Cryptography.Plugin.CryptoPro` provider (sign/verify/JWK export) using CryptoPro CSP with deterministic logging/tests. | | |
|
||||
@@ -1797,7 +1797,7 @@
|
||||
| SEC-CRYPTO-90-019 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security Guild | third_party/forks/AlexMAS.GostCryptography | Patch the fork to drop vulnerable `System.Security.Cryptography.{Pkcs,Xml}` 6.0.0 dependencies (target .NET 8+, adopt fixed BCL packages, re-run tests). | Needs fork validation | CRSA0101 |
|
||||
| SEC-CRYPTO-90-020 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security Guild | src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro | Re-point `StellaOps.Cryptography.Plugin.CryptoPro` to the forked sources (replace NuGet package references, adjust DI wiring) and prove the plugin works end-to-end. | Depends on #5 | CRSA0101 |
|
||||
| SEC-CRYPTO-90-021 | BLOCKED (2025-11-27) | Windows CSP runner pending (depends on 90-020) | SPRINT_514_sovereign_crypto_enablement | Security + QA Guilds | scripts/crypto/**, docs/security/rootpack_ru_validation.md | Validate the forked library + plugin on both Windows (CryptoPro CSP) and Linux (OpenSSL GOST fallback) builds/tests; document any platform-specific prerequisites. | Depends on #6 | CRSA0101 |
|
||||
| SEC-OBS-50-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, Security Guild (docs) | | | | |
|
||||
| SEC-OBS-50-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, Security Guild (docs) | | | | |
|
||||
| SEC2 | DONE | 2025-11-09 | SPRINT_100_identity_signing | Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) | src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard | | | |
|
||||
| SEC3 | DONE | 2025-11-09 | SPRINT_100_identity_signing | Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) | src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard | | | |
|
||||
| SEC5 | DONE | 2025-11-09 | SPRINT_100_identity_signing | Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) | src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard | | | |
|
||||
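Review bot: the re-pointed SEC-OBS-50-001 row (now on `SPRINT_0309_0001_0009_docs_tasks_md_ix`) still has empty path, description and dependency cells, so the tracker does not say which document is owed or what blocks it. Fill those cells in while the row is being touched, or link the sprint file that defines the task. Separately, the SEC-CRYPTO-90-021 context row carries its date inside the status cell (`BLOCKED (2025-11-27)`) while the SEC2/SEC3/SEC5 rows use the dedicated date column; pick one convention so the status column stays filterable.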
@@ -1822,10 +1822,10 @@
|
||||
| SIG-26-002 | TODO | | SPRINT_204_cli_iv | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| SIG-26-003 | TODO | | SPRINT_0211_0001_0003_ui_iii | UI Guild (src/UI/StellaOps.UI) | src/UI/StellaOps.UI | | | |
|
||||
| SIG-26-004 | TODO | | SPRINT_0211_0001_0003_ui_iii | UI Guild (src/UI/StellaOps.UI) | src/UI/StellaOps.UI | | | |
|
||||
| SIG-26-005 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, UI Guild (docs) | | | | |
|
||||
| SIG-26-006 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, DevEx/CLI Guild (docs) | | | | |
|
||||
| SIG-26-007 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, BE-Base Platform Guild (docs) | | | | |
|
||||
| SIG-26-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | |
|
||||
| SIG-26-005 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, UI Guild (docs) | | | | |
|
||||
| SIG-26-006 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, DevEx/CLI Guild (docs) | | | | |
|
||||
| SIG-26-007 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, BE-Base Platform Guild (docs) | | | | |
|
||||
| SIG-26-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | |
|
||||
| SIG-STORE-401-016 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Signals Guild · BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | `src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core` | Introduce shared reachability store collections (`func_nodes`, `call_edges`, `cve_func_hits`), indexes, and repository APIs so Scanner/Signals/Policy can reuse canonical function data. | | |
|
||||
| SIGN-CORE-186-004 | DONE | 2025-11-26 | SPRINT_186_record_deterministic_execution | Signing Guild | `src/Signer/StellaOps.Signer`, `src/__Libraries/StellaOps.Cryptography` | Replace the HMAC demo implementation in `StellaOps.Signer` with StellaOps.Cryptography providers (keyless + KMS), including provider selection, key material loading, and cosign-compatible DSSE signature output. | Mirrors #1 | SIGR0101 |
|
||||
| SIGN-CORE-186-005 | DONE | 2025-11-26 | SPRINT_186_record_deterministic_execution | Signing Guild | `src/Signer/StellaOps.Signer.Core` | Refactor `SignerStatementBuilder` to support StellaOps predicate types (e.g., `stella.ops/promotion@v1`) and delegate payload canonicalisation to the Provenance library once available. | Mirrors #2 | SIGR0101 |
|
||||
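Review bot: in the SIG-26 block only the docs rows (SIG-26-005 to SIG-26-008) move to the new ids `SPRINT_0309_0001_0009_docs_tasks_md_ix` and `SPRINT_0310_0001_0010_docs_tasks_md_x`, while SIG-26-002 stays on `SPRINT_204_cli_iv` and the SIGN-CORE-186 rows stay on `SPRINT_186_record_deterministic_execution`. If the rename is intentionally limited to the docs sprints, state that in the commit message; otherwise anything that groups rows by sprint id will see two naming schemes in the same table.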
@@ -1964,7 +1964,7 @@
|
||||
| TEN-48-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
|
||||
| TEN-49-001 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| TEST-186-006 | TODO | | SPRINT_186_record_deterministic_execution | Signing Guild, QA Guild (`src/Signer/StellaOps.Signer.Tests`) | `src/Signer/StellaOps.Signer.Tests` | | | |
|
||||
| TEST-62-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Contract Testing Guild (docs) | | | | |
|
||||
| TEST-62-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Contract Testing Guild (docs) | | | | |
|
||||
| TIME-57-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | | PROGRAM-STAFF-1001 | |
|
||||
| TIME-57-002 | TODO | | SPRINT_510_airgap | Exporter Guild · AirGap Time Guild · CLI Guild | src/AirGap/StellaOps.AirGap.Time | PROGRAM-STAFF-1001 | PROGRAM-STAFF-1001 | AGTM0101 |
|
||||
| TIME-58-001 | TODO | | SPRINT_510_airgap | AirGap Time Guild | src/AirGap/StellaOps.AirGap.Time | AIRGAP-TIME-58-001 | AIRGAP-TIME-58-001 | AGTM0101 |
|
||||
@@ -2033,11 +2033,11 @@
|
||||
| VEX-30-002 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| VEX-30-003 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| VEX-30-004 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| VEX-30-005 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Console Guild (docs) | | | | |
|
||||
| VEX-30-006 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | DOVX0101 |
|
||||
| VEX-30-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Console Guild (docs) | | | | |
|
||||
| VEX-30-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | DOVX0101 |
|
||||
| VEX-30-007 | TODO | | SPRINT_216_web_v | BE-Base Platform Guild, VEX Lens Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | | | DOVX0101 |
|
||||
| VEX-30-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Security Guild (docs) | | | | DOVX0101 |
|
||||
| VEX-30-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | DOVX0101 |
|
||||
| VEX-30-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Security Guild (docs) | | | | DOVX0101 |
|
||||
| VEX-30-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | DOVX0101 |
|
||||
| VEX-401-006 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | `src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy` | | | DOVX0101 |
|
||||
| VEX-401-010 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | `src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md` | | | DOVX0101 |
|
||||
| VEX-401-011 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | verify | | | | DOVX0101 |
|
||||
@@ -2071,13 +2071,13 @@
|
||||
| VULN-29-004 | TODO | | SPRINT_116_concelier_v | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
|
||||
| VULN-29-005 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| VULN-29-006 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild, Docs Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| VULN-29-007 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, Excititor Guild (docs) | | | | |
|
||||
| VULN-29-008 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, Concelier Guild (docs) | | | | |
|
||||
| VULN-29-009 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, SBOM Service Guild (docs) | | | | |
|
||||
| VULN-29-010 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, Observability Guild (docs) | | | | |
|
||||
| VULN-29-011 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, Security Guild (docs) | | | | |
|
||||
| VULN-29-012 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, Ops Guild (docs) | | | | |
|
||||
| VULN-29-013 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, Deployment Guild (docs) | | | | |
|
||||
| VULN-29-007 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, Excititor Guild (docs) | | | | |
|
||||
| VULN-29-008 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, Concelier Guild (docs) | | | | |
|
||||
| VULN-29-009 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, SBOM Service Guild (docs) | | | | |
|
||||
| VULN-29-010 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, Observability Guild (docs) | | | | |
|
||||
| VULN-29-011 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, Security Guild (docs) | | | | |
|
||||
| VULN-29-012 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, Ops Guild (docs) | | | | |
|
||||
| VULN-29-013 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, Deployment Guild (docs) | | | | |
|
||||
| VULN-API-29-001 | DONE | 2025-11-25 | SPRINT_0129_0001_0001_policy_reasoning | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api | src/VulnExplorer/StellaOps.VulnExplorer.Api | Define OpenAPI spec (list/detail/query/simulation/workflow/export), query JSON schema, pagination/grouping contracts, and error codes | | PLVA0101 |
|
||||
| VULN-API-29-002 | DONE | 2025-11-25 | SPRINT_0129_0001_0001_policy_reasoning | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api | src/VulnExplorer/StellaOps.VulnExplorer.Api | Implement list/query endpoints with policy parameter, grouping, server paging, caching, and cost budgets; tests at `tests/TestResults/vuln-explorer/api.trx`. | VULN-API-29-001 | PLVA0101 |
|
||||
| VULN-API-29-003 | DONE | 2025-11-25 | SPRINT_0129_0001_0001_policy_reasoning | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api | src/VulnExplorer/StellaOps.VulnExplorer.Api | Implement detail endpoint aggregating evidence, policy rationale, paths | VULN-API-29-002 | PLVA0101 |
|
||||
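Review bot: the new id for VULN-29-007 to VULN-29-013 is `SPRINT_0311_0001_0001_docs_tasks_md_xi`, whose last numeric group is `0001`. The other docs sprints renamed in this patch end in the sprint ordinal (`SPRINT_0309_0001_0009_docs_tasks_md_ix`, `SPRINT_0310_0001_0010_docs_tasks_md_x`), which would suggest `0011` for `xi`. Please confirm the id against the actual sprint file name before merging; if `0001` is correct, a short note on the numbering scheme would prevent the same question later.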
@@ -2624,11 +2624,11 @@
|
||||
| CONCELIER-GRAPH-28-102 | TODO | | SPRINT_113_concelier_ii | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Add batch fetch endpoints keyed by component sets so graph tooltips can pull raw observations/linksets efficiently; include provenance + timestamps but no derived severity. Depends on CONCELIER-GRAPH-24-101. | Depends on #1 | CCGH0101 |
|
||||
| CONCELIER-LNM-21-001 | DONE | 2025-11-17 | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Define the immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards) so every ingestion path records raw statements without merge artifacts. | Needs Link-Not-Merge approval (005_ATLN0101) | AGCN0101 |
|
||||
| CONCELIER-LNM-21-002 | DONE | 2025-11-22 | SPRINT_113_concelier_ii | Concelier Core Guild · Data Science Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Implement correlation pipelines (alias graph, purl overlap, CVSS vector compare) that output linksets with confidence scores + conflict markers, never collapsing conflicting facts into single values. Depends on CONCELIER-LNM-21-001. | Depends on #7 for precedence rules | AGCN0101 |
|
||||
| CONCELIER-LNM-21-003 | BLOCKED | 2025-11-18 | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Record disagreements (severity, CVSS, references) on linksets as structured conflict entries so consumers can reason about divergence without Concelier resolving it. Depends on CONCELIER-LNM-21-002. | Requires #8 heuristics | AGCN0101 |
|
||||
| CONCELIER-LNM-21-004 | TODO | | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Delete legacy merge/dedup logic, add guardrails/tests to keep ingestion append-only, and document how linksets supersede the old merge outputs. Depends on CONCELIER-LNM-21-003. | Depends on #9 | AGCN0101 |
|
||||
| CONCELIER-LNM-21-005 | TODO | | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Emit `advisory.linkset.updated` events containing delta descriptions + observation ids so downstream evaluators can subscribe deterministically. Depends on CONCELIER-LNM-21-004. | Requires CCLN0101 store changes | CCCO0101 |
|
||||
| CONCELIER-LNM-21-101 | TODO | | SPRINT_113_concelier_ii | Concelier Storage Guild | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | Provision the Mongo collections (`advisory_observations`, `advisory_linksets`) with hashed shard keys, tenant indexes, and TTL for ingest metadata to support Link-Not-Merge at scale. Depends on CONCELIER-LNM-21-005. | Wait for schema freeze | CCLN0101 |
|
||||
| CONCELIER-LNM-21-102 | TODO | | SPRINT_113_concelier_ii | Concelier Storage Guild · DevOps Guild | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | Backfill legacy merged advisories into the new observation/linkset collections, seed tombstones for deprecated docs, and provide rollback tooling for Offline Kit operators. Depends on CONCELIER-LNM-21-101. | Depends on #1 | CCLN0101 |
|
||||
| CONCELIER-LNM-21-003 | DONE | 2025-11-22 | SPRINT_0113_0001_0002_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Record disagreements (severity, CVSS, references) on linksets as structured conflict entries so consumers can reason about divergence without Concelier resolving it. Depends on CONCELIER-LNM-21-002. | Completed | AGCN0101 |
|
||||
| CONCELIER-LNM-21-004 | DONE | 2025-11-27 | SPRINT_0113_0001_0002_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Delete legacy merge/dedup logic, add guardrails/tests to keep ingestion append-only, and document how linksets supersede the old merge outputs. Depends on CONCELIER-LNM-21-003. | Completed | AGCN0101 |
|
||||
| CONCELIER-LNM-21-005 | DONE | 2025-11-27 | SPRINT_0113_0001_0002_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Emit `advisory.linkset.updated` events containing delta descriptions + observation ids so downstream evaluators can subscribe deterministically. Depends on CONCELIER-LNM-21-004. | Completed | CCCO0101 |
|
||||
| CONCELIER-LNM-21-101 | DONE | 2025-11-27 | SPRINT_0113_0001_0002_concelier_ii | Concelier Storage Guild | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | Provision the Mongo collections (`advisory_observations`, `advisory_linksets`) with hashed shard keys, tenant indexes, and TTL for ingest metadata to support Link-Not-Merge at scale. Depends on CONCELIER-LNM-21-005. | Completed | CCLN0101 |
|
||||
| CONCELIER-LNM-21-102 | DONE | 2025-11-28 | SPRINT_0113_0001_0002_concelier_ii | Concelier Storage Guild · DevOps Guild | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | Backfill legacy merged advisories into the new observation/linkset collections, seed tombstones for deprecated docs, and provide rollback tooling for Offline Kit operators. Depends on CONCELIER-LNM-21-101. | Completed | CCLN0101 |
|
||||
| CONCELIER-LNM-21-103 | TODO | | SPRINT_113_concelier_ii | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo) | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | Move large raw payloads to object storage with deterministic pointers, update bootstrapper/offline kit seeds, and guarantee provenance metadata remains intact. Depends on CONCELIER-LNM-21-102. | — | ATLN0101 |
|
||||
| CONCELIER-LNM-21-201 | TODO | | SPRINT_113_concelier_ii | Concelier WebService Guild · Platform Guild | src/Concelier/StellaOps.Concelier.WebService | Add `/advisories/observations` with filters for alias/purl/source plus strict tenant scopes; responses must only echo upstream values + provenance fields. Depends on CONCELIER-LNM-21-103. | Wait for storage sprint (CCLN0101) | CCLN0102 |
|
||||
| CONCELIER-LNM-21-202 | TODO | | SPRINT_113_concelier_ii | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | Implement `/advisories/linksets`/`export`/`evidence` endpoints surfacing correlation + conflict payloads and `ERR_AGG_*` error mapping, never exposing synthesis/merge results. Depends on CONCELIER-LNM-21-201. | — | ATLN0101 |
|
||||
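Review bot: the CONCELIER-LNM-21-003 to 21-102 rows flip to DONE and replace their dependency notes ("Requires #8 heuristics", "Depends on #9", "Wait for schema freeze") with a bare "Completed", which drops the dependency trail and gives no evidence for the status change; 21-003 in particular goes from BLOCKED to DONE. Keep the original note as the DONE rows for 21-001 and 21-002 do, and point to a test result or artefact the way VULN-API-29-002 cites `tests/TestResults/vuln-explorer/api.trx`. Also, the follow-on rows 21-103, 21-201 and 21-202 are left on `SPRINT_113_concelier_ii`, and 21-201 still says "Wait for storage sprint (CCLN0101)" although both CCLN0101 rows in this hunk are now DONE; update or re-home those rows in the same change.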
@@ -2961,81 +2961,81 @@
|
||||
| DOCS-POLICY-27-003 | BLOCKED | 2025-10-27 | SPRINT_307_docs_tasks_md_vii | Docs Guild · Policy Registry Guild | docs/policy/lifecycle.md | Document `/docs/policy/versioning-and-publishing.md` (semver rules, attestations, rollback) with compliance checklist. Dependencies: DOCS-POLICY-27-002. | Requires registry schema from CCWO0101 | DOPL0102 |
|
||||
| DOCS-POLICY-27-004 | BLOCKED | 2025-10-27 | SPRINT_307_docs_tasks_md_vii | Docs Guild · Scheduler Guild | docs/policy/lifecycle.md | Write `/docs/policy/simulation.md` covering quick vs batch sim, thresholds, evidence bundles, CLI examples. Dependencies: DOCS-POLICY-27-003. | Depends on scheduler hooks from 050_DEVL0101 | DOPL0102 |
|
||||
| DOCS-POLICY-27-005 | BLOCKED | 2025-10-27 | SPRINT_307_docs_tasks_md_vii | Docs Guild · Product Ops | docs/policy/lifecycle.md | Publish `/docs/policy/review-and-approval.md` with approver requirements, comments, webhooks, audit trail guidance. Dependencies: DOCS-POLICY-27-004. | Await product ops approvals | DOPL0102 |
|
||||
| DOCS-POLICY-27-006 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/policy/runs.md | Author `/docs/policy/promotion.md` covering environments, canary, rollback, and monitoring steps. Dependencies: DOCS-POLICY-27-005. | Need RLS decision from PLLG0104 | DOPL0103 |
|
||||
| DOCS-POLICY-27-007 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · CLI Guild | docs/policy/runs.md | Update `/docs/policy/cli.md` with new commands, JSON schemas, CI usage, and compliance checklist. Dependencies: DOCS-POLICY-27-006. | Requires CLI samples from 132_CLCI0110 | DOPL0103 |
|
||||
| DOCS-POLICY-27-008 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Publish `/docs/policy/api.md` describing Registry endpoints, request/response schemas, errors, and feature flags. Dependencies: DOCS-POLICY-27-007. | Waiting on registry schema (CCWO0101) | DOPL0103 |
|
||||
| DOCS-POLICY-27-009 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Security Guild | docs/policy/runs.md | Create `/docs/security/policy-attestations.md` (signing, verification, rotation). | Needs security review | POKT0101 |
|
||||
| DOCS-POLICY-27-010 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Architecture Guild | docs/policy/runs.md | Author `/docs/modules/policy/registry-architecture.md` (service design, schemas, failure modes). | Requires architecture review minutes | POKT0101 |
|
||||
| DOCS-POLICY-27-011 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Observability Guild | docs/policy/runs.md | Publish `/docs/observability/policy-telemetry.md` with metrics/log tables, dashboards, alerts, and compliance checklist. Dependencies: DOCS-POLICY-27-010. | Requires observability hooks from 066_PLOB0101 | DOPL0103 |
|
||||
| DOCS-POLICY-27-012 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Ops Guild | docs/policy/runs.md | Write `/docs/runbooks/policy-incident.md` detailing rollback, freeze, forensic steps, notifications. Dependencies: DOCS-POLICY-27-011. | Needs ops playbooks (DVDO0108) | DOPL0103 |
|
||||
| DOCS-POLICY-27-013 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/policy/runs.md | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. Dependencies: DOCS-POLICY-27-012. | Await policy guild approval | DOPL0103 |
|
||||
| DOCS-POLICY-27-014 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. Dependencies: DOCS-POLICY-27-013. | Needs policy registry approvals | DOPL0103 |
|
||||
| DOCS-POLICY-27-006 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/policy/runs.md | Author `/docs/policy/promotion.md` covering environments, canary, rollback, and monitoring steps. Dependencies: DOCS-POLICY-27-005. | Need RLS decision from PLLG0104 | DOPL0103 |
|
||||
| DOCS-POLICY-27-007 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · CLI Guild | docs/policy/runs.md | Update `/docs/policy/cli.md` with new commands, JSON schemas, CI usage, and compliance checklist. Dependencies: DOCS-POLICY-27-006. | Requires CLI samples from 132_CLCI0110 | DOPL0103 |
|
||||
| DOCS-POLICY-27-008 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Publish `/docs/policy/api.md` describing Registry endpoints, request/response schemas, errors, and feature flags. Dependencies: DOCS-POLICY-27-007. | Waiting on registry schema (CCWO0101) | DOPL0103 |
|
||||
| DOCS-POLICY-27-009 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Security Guild | docs/policy/runs.md | Create `/docs/security/policy-attestations.md` (signing, verification, rotation). | Needs security review | POKT0101 |
|
||||
| DOCS-POLICY-27-010 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Architecture Guild | docs/policy/runs.md | Author `/docs/modules/policy/registry-architecture.md` (service design, schemas, failure modes). | Requires architecture review minutes | POKT0101 |
|
||||
| DOCS-POLICY-27-011 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Observability Guild | docs/policy/runs.md | Publish `/docs/observability/policy-telemetry.md` with metrics/log tables, dashboards, alerts, and compliance checklist. Dependencies: DOCS-POLICY-27-010. | Requires observability hooks from 066_PLOB0101 | DOPL0103 |
|
||||
| DOCS-POLICY-27-012 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Ops Guild | docs/policy/runs.md | Write `/docs/runbooks/policy-incident.md` detailing rollback, freeze, forensic steps, notifications. Dependencies: DOCS-POLICY-27-011. | Needs ops playbooks (DVDO0108) | DOPL0103 |
|
||||
| DOCS-POLICY-27-013 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/policy/runs.md | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. Dependencies: DOCS-POLICY-27-012. | Await policy guild approval | DOPL0103 |
|
||||
| DOCS-POLICY-27-014 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. Dependencies: DOCS-POLICY-27-013. | Needs policy registry approvals | DOPL0103 |
|
||||
| DOCS-POLICY-DET-01 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Policy Guild | docs/policy/runs.md | Extend `docs/modules/policy/architecture.md` with determinism gate semantics and provenance references. | Depends on deterministic harness (137_SCDT0101) | DOPL0103 |
|
||||
| DOCS-PROMO-70-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Provenance Guild | docs/release/promotion-attestations.md | Publish `/docs/release/promotion-attestations.md` describing the promotion workflow (CLI commands, Signer/Attestor integration, offline verification) and update `/docs/forensics/provenance-attestation.md` with the new predicate. Dependencies: PROV-OBS-53-003, CLI-PROMO-70-002. | — | DOPV0101 |
|
||||
| DOCS-REACH-201-006 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Docs Guild · Runtime Evidence Guild | docs/reachability | Author the reachability doc set (`docs/signals/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operators’ workflow. | Needs RBRE0101 provenance hook summary | DORC0101 |
|
||||
| DOCS-REPLAY-185-003 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild · Platform Data Guild | docs/replay | Author `docs/data/replay_schema.md` detailing `replay_runs`, `replay_bundles`, `replay_subjects` collections, index guidance, and offline sync strategy aligned with Replay CAS. | Need RPRC0101 API freeze | DORR0101 |
|
||||
| DOCS-REPLAY-185-004 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild | docs/replay | Expand `docs/replay/DEVS_GUIDE_REPLAY.md` with integration guidance for consuming services (Scanner, Evidence Locker, CLI) and add checklist derived from `docs/replay/DETERMINISTIC_REPLAY.md` Section 11. | Depends on #1 | DORR0101 |
|
||||
| DOCS-REPLAY-186-004 | TODO | | SPRINT_186_record_deterministic_execution | Docs Guild · Runtime Evidence Guild | docs/replay | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade) and link it from both replay docs and Scanner architecture pages. | Requires deterministic evidence from RBRE0101 | DORR0101 |
|
||||
| DOCS-RISK-66-001 | TODO | | SPRINT_308_docs_tasks_md_viii | Docs Guild · Risk Profile Schema Guild | docs/risk | Publish `/docs/risk/overview.md` covering concepts and glossary. | Need schema approvals from PLLG0104 | DORS0101 |
|
||||
| DOCS-RISK-66-002 | TODO | | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/risk | Author `/docs/risk/profiles.md` (authoring, versioning, scope). Dependencies: DOCS-RISK-66-001. | Depends on #1 | DORS0101 |
|
||||
| DOCS-RISK-66-003 | TODO | | SPRINT_308_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Publish `/docs/risk/factors.md` cataloging signals, transforms, reducers, TTLs. Dependencies: DOCS-RISK-66-002. | Requires engine contract from Risk Engine Guild | DORS0101 |
|
||||
| DOCS-RISK-66-004 | TODO | | SPRINT_308_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Create `/docs/risk/formulas.md` detailing math, normalization, gating, severity. Dependencies: DOCS-RISK-66-003. | Needs engine rollout notes | DORS0101 |
|
||||
| DOCS-RISK-67-001 | TODO | | SPRINT_308_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Publish `/docs/risk/explainability.md` showing artifact schema and UI screenshots. Dependencies: DOCS-RISK-66-004. | Wait for engine metrics from 066_PLOB0101 | DORS0101 |
|
||||
| DOCS-RISK-67-002 | TODO | | SPRINT_308_docs_tasks_md_viii | Docs Guild · API Guild | docs/risk | Produce `/docs/risk/api.md` with endpoint reference/examples. Dependencies: DOCS-RISK-67-001. | Requires API publishing workflow | DORS0101 |
|
||||
| DOCS-RISK-67-003 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Console Guild | docs/risk | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. Dependencies: DOCS-RISK-67-002. | Needs console overlay decision | DORS0101 |
|
||||
| DOCS-RISK-67-004 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/risk | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. Dependencies: DOCS-RISK-67-003. | Requires CLI samples from 132_CLCI0110 | DORS0101 |
|
||||
| DOCS-RISK-68-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Export Guild | docs/risk | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. Dependencies: DOCS-RISK-67-004. | Wait for export contract (069_AGEX0101) | DORS0101 |
|
||||
| DOCS-RISK-68-002 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/risk | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. Dependencies: DOCS-RISK-68-001. | Requires security approvals | DORS0101 |
|
||||
| DOCS-RISK-66-001 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Risk Profile Schema Guild | docs/risk | Publish `/docs/risk/overview.md` covering concepts and glossary. | Need schema approvals from PLLG0104 | DORS0101 |
|
||||
| DOCS-RISK-66-002 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/risk | Author `/docs/risk/profiles.md` (authoring, versioning, scope). Dependencies: DOCS-RISK-66-001. | Depends on #1 | DORS0101 |
|
||||
| DOCS-RISK-66-003 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Publish `/docs/risk/factors.md` cataloging signals, transforms, reducers, TTLs. Dependencies: DOCS-RISK-66-002. | Requires engine contract from Risk Engine Guild | DORS0101 |
|
||||
| DOCS-RISK-66-004 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Create `/docs/risk/formulas.md` detailing math, normalization, gating, severity. Dependencies: DOCS-RISK-66-003. | Needs engine rollout notes | DORS0101 |
|
||||
| DOCS-RISK-67-001 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · Risk Engine Guild | docs/risk | Publish `/docs/risk/explainability.md` showing artifact schema and UI screenshots. Dependencies: DOCS-RISK-66-004. | Wait for engine metrics from 066_PLOB0101 | DORS0101 |
|
||||
| DOCS-RISK-67-002 | TODO | | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild · API Guild | docs/risk | Produce `/docs/risk/api.md` with endpoint reference/examples. Dependencies: DOCS-RISK-67-001. | Requires API publishing workflow | DORS0101 |
|
||||
| DOCS-RISK-67-003 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Console Guild | docs/risk | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. Dependencies: DOCS-RISK-67-002. | Needs console overlay decision | DORS0101 |
|
||||
| DOCS-RISK-67-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/risk | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. Dependencies: DOCS-RISK-67-003. | Requires CLI samples from 132_CLCI0110 | DORS0101 |
|
||||
| DOCS-RISK-68-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Export Guild | docs/risk | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. Dependencies: DOCS-RISK-67-004. | Wait for export contract (069_AGEX0101) | DORS0101 |
|
||||
| DOCS-RISK-68-002 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/risk | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. Dependencies: DOCS-RISK-68-001. | Requires security approvals | DORS0101 |
|
||||
| DOCS-RUNBOOK-401-017 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Ops Guild | `docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md` | Publish the reachability runtime ingestion runbook, link it from delivery guides, and keep Ops/Signals troubleshooting steps current. | Need latest reachability metrics from RBBN0101 | DORU0101 |
|
||||
| DOCS-RUNBOOK-55-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Ops Guild | docs/runbooks | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Requires deployment checklist from DVPL0101 | DORU0101 |
|
||||
| DOCS-SCANNER-BENCH-62-002 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture customer demand for Windows/macOS analyzer coverage and document outcomes. | Need bench inputs from SCSA0301 | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-003 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture Python lockfile/editable install requirements and document policy guidance. | Depends on #1 | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-004 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Java Analyzer Guild | docs/modules/scanner/benchmarks | Document Java lockfile ingestion guidance and policy templates. | Requires Java analyzer notes | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-005 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Go Analyzer Guild | docs/modules/scanner/benchmarks | Document Go stripped-binary fallback enrichment guidance once implementation lands. | Needs Go analyzer results | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-006 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Document Rust fingerprint enrichment guidance and policy examples. | Requires updated benchmarks from SCSA0601 | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Platform Data Guild | docs/modules/scanner/benchmarks | Publish EntryTrace explain/heuristic maintenance guide. | Wait for replay hooks (RPRC0101) | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · DevEx/CLI Guild | docs/modules/scanner/benchmarks | Produce SAST integration documentation (connector framework, policy templates). | Depends on CLI samples (132_CLCI0110) | DOSB0101 |
|
||||
| DOCS-RUNBOOK-55-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Ops Guild | docs/runbooks | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Requires deployment checklist from DVPL0101 | DORU0101 |
|
||||
| DOCS-SCANNER-BENCH-62-002 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture customer demand for Windows/macOS analyzer coverage and document outcomes. | Need bench inputs from SCSA0301 | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-003 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Capture Python lockfile/editable install requirements and document policy guidance. | Depends on #1 | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-004 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Java Analyzer Guild | docs/modules/scanner/benchmarks | Document Java lockfile ingestion guidance and policy templates. | Requires Java analyzer notes | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Go Analyzer Guild | docs/modules/scanner/benchmarks | Document Go stripped-binary fallback enrichment guidance once implementation lands. | Needs Go analyzer results | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Document Rust fingerprint enrichment guidance and policy examples. | Requires updated benchmarks from SCSA0601 | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Platform Data Guild | docs/modules/scanner/benchmarks | Publish EntryTrace explain/heuristic maintenance guide. | Wait for replay hooks (RPRC0101) | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevEx/CLI Guild | docs/modules/scanner/benchmarks | Produce SAST integration documentation (connector framework, policy templates). | Depends on CLI samples (132_CLCI0110) | DOSB0101 |
|
||||
| DOCS-SCANNER-DET-01 | DONE (2025-12-03) | 2025-12-03 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | docs/modules/scanner/benchmarks | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates + fixture bundle (`docs/modules/scanner/fixtures/deterministic-compose/`). | Fixtures published via Sprint 0136; harness verified. | DOSB0101 |
|
||||
| DOCS-SDK-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · SDK Generator Guild | docs/sdk | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Need SDK toolchain notes from SDKG0101 | DOSK0101 |
|
||||
| DOCS-SEC-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Need security ADR from DVDO0110 | DOSE0101 |
|
||||
| DOCS-SEC-OBS-50-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Depends on PLOB0101 metrics | DOSE0101 |
|
||||
| DOCS-SIG-26-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Need SGSI0101 metrics freeze | DOSG0101 |
|
||||
| DOCS-SIG-26-002 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Observability Guild | docs/modules/signals | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. Dependencies: DOCS-SIG-26-001. | Depends on #1 | DOSG0101 |
|
||||
| DOCS-SIG-26-003 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. Dependencies: DOCS-SIG-26-002. | Requires SSE contract from SGSI0101 | DOSG0101 |
|
||||
| DOCS-SIG-26-004 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/modules/signals | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. Dependencies: DOCS-SIG-26-003. | Needs CLI samples (132_CLCI0110) | DOSG0101 |
|
||||
| DOCS-SIG-26-005 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · DevOps Guild | docs/modules/signals | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. Dependencies: DOCS-SIG-26-004. | Wait for DevOps rollout plan | DOSG0101 |
|
||||
| DOCS-SIG-26-006 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/modules/signals | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. Dependencies: DOCS-SIG-26-005. | Requires security guidance (DVDO0110) | DOSG0101 |
|
||||
| DOCS-SIG-26-007 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Policy Guild | docs/modules/signals | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. Dependencies: DOCS-SIG-26-006. | Needs policy overlay from PLVL0102 | DOSG0101 |
|
||||
| DOCS-SIG-26-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Notifications Guild | docs/modules/signals | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. Dependencies: DOCS-SIG-26-007. | Depends on notifications hooks (058_NOTY0101) | DOSG0101 |
|
||||
| DOCS-SURFACE-01 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Surface Guild | docs/modules/scanner/surface | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Need latest surface emit notes (SCANNER-SURFACE-04) | DOSS0101 |
|
||||
| DOCS-SDK-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · SDK Generator Guild | docs/sdk | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Need SDK toolchain notes from SDKG0101 | DOSK0101 |
|
||||
| DOCS-SEC-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Need security ADR from DVDO0110 | DOSE0101 |
|
||||
| DOCS-SEC-OBS-50-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Depends on PLOB0101 metrics | DOSE0101 |
|
||||
| DOCS-SIG-26-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Need SGSI0101 metrics freeze | DOSG0101 |
|
||||
| DOCS-SIG-26-002 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Observability Guild | docs/modules/signals | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. Dependencies: DOCS-SIG-26-001. | Depends on #1 | DOSG0101 |
|
||||
| DOCS-SIG-26-003 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Signals Guild | docs/modules/signals | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. Dependencies: DOCS-SIG-26-002. | Requires SSE contract from SGSI0101 | DOSG0101 |
|
||||
| DOCS-SIG-26-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · CLI Guild | docs/modules/signals | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. Dependencies: DOCS-SIG-26-003. | Needs CLI samples (132_CLCI0110) | DOSG0101 |
|
||||
| DOCS-SIG-26-005 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · DevOps Guild | docs/modules/signals | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. Dependencies: DOCS-SIG-26-004. | Wait for DevOps rollout plan | DOSG0101 |
|
||||
| DOCS-SIG-26-006 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Security Guild | docs/modules/signals | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. Dependencies: DOCS-SIG-26-005. | Requires security guidance (DVDO0110) | DOSG0101 |
|
||||
| DOCS-SIG-26-007 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild · Policy Guild | docs/modules/signals | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. Dependencies: DOCS-SIG-26-006. | Needs policy overlay from PLVL0102 | DOSG0101 |
|
||||
| DOCS-SIG-26-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Notifications Guild | docs/modules/signals | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. Dependencies: DOCS-SIG-26-007. | Depends on notifications hooks (058_NOTY0101) | DOSG0101 |
|
||||
| DOCS-SURFACE-01 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Surface Guild | docs/modules/scanner/surface | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Need latest surface emit notes (SCANNER-SURFACE-04) | DOSS0101 |
|
||||
| DOCS-SYMS-70-003 | TODO | | SPRINT_304_docs_tasks_md_iv | Docs Guild · Symbols Guild | docs/modules/symbols | Author symbol-server architecture/spec docs (`docs/specs/symbols/SYMBOL_MANIFEST_v1.md`, API reference, bundle guide) and update reachability guides with symbol lookup workflow and tenant controls. Dependencies: SYMS-SERVER-401-011, SYMS-INGEST-401-013. | Need RBSY0101 cache notes | DOSY0101 |
|
||||
| DOCS-TEN-47-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Need tenancy ADR from DVDO0110 | DOTN0101 |
|
||||
| DOCS-TEN-48-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. Dependencies: DOCS-TEN-47-001. | Depends on #1 | DOTN0101 |
|
||||
| DOCS-TEN-49-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/tenancy | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. Dependencies: DOCS-TEN-48-001. | Requires monitoring plan from DVDO0110 | DOTN0101 |
|
||||
| DOCS-TEST-62-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · SDK Generator Guild | docs/sdk | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. | Depends on #1 | DOSK0101 |
|
||||
| DOCS-VEX-30-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Need PLVL0102 schema snapshot | DOVX0101 |
|
||||
| DOCS-VEX-30-002 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. Dependencies: DOCS-VEX-30-001. | Depends on #1 | DOVX0101 |
|
||||
| DOCS-VEX-30-003 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Issuer Directory Guild | docs/modules/vex-lens | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). Dependencies: DOCS-VEX-30-002. | Requires Issuer Directory inputs | DOVX0101 |
|
||||
| DOCS-VEX-30-004 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. Dependencies: DOCS-VEX-30-003. | Needs PLVL0102 policy join notes | DOVX0101 |
|
||||
| DOCS-VEX-30-005 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Console Guild | docs/modules/vex-lens | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. Dependencies: DOCS-VEX-30-004. | Requires console overlay assets | DOVX0101 |
|
||||
| DOCS-VEX-30-006 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Policy Guild | docs/modules/vex-lens | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. Dependencies: DOCS-VEX-30-005. | Needs waiver/exception guidance | DOVX0101 |
|
||||
| DOCS-VEX-30-007 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · SBOM Service Guild | docs/modules/vex-lens | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). Dependencies: DOCS-VEX-30-006. | Depends on SBOM/VEX dataflow spec | DOVX0101 |
|
||||
| DOCS-VEX-30-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/vex-lens | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). Dependencies: DOCS-VEX-30-007. | Requires security review (DVDO0110) | DOVX0101 |
|
||||
| DOCS-VEX-30-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/vex-lens | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. Dependencies: DOCS-VEX-30-008. | Needs DevOps rollout plan | DOVX0101 |
|
||||
| DOCS-TEN-47-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Need tenancy ADR from DVDO0110 | DOTN0101 |
|
||||
| DOCS-TEN-48-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/tenancy | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. Dependencies: DOCS-TEN-47-001. | Depends on #1 | DOTN0101 |
|
||||
| DOCS-TEN-49-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/tenancy | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. Dependencies: DOCS-TEN-48-001. | Requires monitoring plan from DVDO0110 | DOTN0101 |
|
||||
| DOCS-TEST-62-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · SDK Generator Guild | docs/sdk | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. | Depends on #1 | DOSK0101 |
|
||||
| DOCS-VEX-30-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Need PLVL0102 schema snapshot | DOVX0101 |
|
||||
| DOCS-VEX-30-002 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. Dependencies: DOCS-VEX-30-001. | Depends on #1 | DOVX0101 |
|
||||
| DOCS-VEX-30-003 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Issuer Directory Guild | docs/modules/vex-lens | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). Dependencies: DOCS-VEX-30-002. | Requires Issuer Directory inputs | DOVX0101 |
|
||||
| DOCS-VEX-30-004 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · VEX Lens Guild | docs/modules/vex-lens | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. Dependencies: DOCS-VEX-30-003. | Needs PLVL0102 policy join notes | DOVX0101 |
|
||||
| DOCS-VEX-30-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Console Guild | docs/modules/vex-lens | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. Dependencies: DOCS-VEX-30-004. | Requires console overlay assets | DOVX0101 |
|
||||
| DOCS-VEX-30-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Policy Guild | docs/modules/vex-lens | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. Dependencies: DOCS-VEX-30-005. | Needs waiver/exception guidance | DOVX0101 |
|
||||
| DOCS-VEX-30-007 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · SBOM Service Guild | docs/modules/vex-lens | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). Dependencies: DOCS-VEX-30-006. | Depends on SBOM/VEX dataflow spec | DOVX0101 |
|
||||
| DOCS-VEX-30-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · Security Guild | docs/modules/vex-lens | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). Dependencies: DOCS-VEX-30-007. | Requires security review (DVDO0110) | DOVX0101 |
|
||||
| DOCS-VEX-30-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild · DevOps Guild | docs/modules/vex-lens | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. Dependencies: DOCS-VEX-30-008. | Needs DevOps rollout plan | DOVX0101 |
|
||||
| DOCS-VEX-401-012 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · VEX Lens Guild | `docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md` | Maintain the VEX Evidence Playbook, publish repo templates/README, and document verification workflows for operators. | Need VEX evidence export from PLVL0102 | DOVB0101 |
|
||||
| DOCS-VULN-29-001 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Need GRAP0101 contract | DOVL0101 |
|
||||
| DOCS-VULN-29-002 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. Dependencies: DOCS-VULN-29-001. | Depends on #1 | DOVL0101 |
|
||||
| DOCS-VULN-29-003 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · UI Guild | docs/modules/vuln-explorer | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). Dependencies: DOCS-VULN-29-002. | Requires UI assets | DOVL0101 |
|
||||
| DOCS-VULN-29-004 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Policy Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. Dependencies: DOCS-VULN-29-003. | Needs policy overlay inputs | DOVL0101 |
|
||||
| DOCS-VULN-29-005 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Security Guild | docs/modules/vuln-explorer | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. Dependencies: DOCS-VULN-29-004. | Requires security review | DOVL0101 |
|
||||
| DOCS-VULN-29-006 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · DevOps Guild | docs/modules/vuln-explorer | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. Dependencies: DOCS-VULN-29-005. | Depends on DevOps rollout plan | DOVL0101 |
|
||||
| DOCS-VULN-29-007 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · DevEx/CLI Guild | docs/modules/vuln-explorer | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. Dependencies: DOCS-VULN-29-006. | Needs CLI examples (132_CLCI0110) | DOVL0101 |
|
||||
| DOCS-VULN-29-008 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Export Center Guild | docs/modules/vuln-explorer | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. Dependencies: DOCS-VULN-29-007. | Need export bundle spec | DOVL0102 |
|
||||
| DOCS-VULN-29-009 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Security Guild | docs/modules/vuln-explorer | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. Dependencies: DOCS-VULN-29-008. | Depends on #1 | DOVL0102 |
|
||||
| DOCS-VULN-29-010 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · DevOps Guild | docs/modules/vuln-explorer | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). Dependencies: DOCS-VULN-29-009. | Requires DevOps automation plan | DOVL0102 |
|
||||
| DOCS-VULN-29-011 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Notifications Guild | docs/modules/vuln-explorer | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. Dependencies: DOCS-VULN-29-010. | Needs notifications contract | DOVL0102 |
|
||||
| DOCS-VULN-29-012 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · Policy Guild | docs/modules/vuln-explorer | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). Dependencies: DOCS-VULN-29-011. | Requires policy overlay outputs | DOVL0102 |
|
||||
| DOCS-VULN-29-013 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild · DevEx/CLI Guild | docs/modules/vuln-explorer | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. Dependencies: DOCS-VULN-29-012. | Needs CLI/export scripts from 132_CLCI0110 | DOVL0102 |
|
||||
| DOCS-VULN-29-001 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Need GRAP0101 contract | DOVL0101 |
|
||||
| DOCS-VULN-29-002 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Vuln Explorer Guild | docs/modules/vuln-explorer | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. Dependencies: DOCS-VULN-29-001. | Depends on #1 | DOVL0101 |
|
||||
| DOCS-VULN-29-003 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · UI Guild | docs/modules/vuln-explorer | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). Dependencies: DOCS-VULN-29-002. | Requires UI assets | DOVL0101 |
|
||||
| DOCS-VULN-29-004 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Policy Guild | docs/modules/vuln-explorer | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. Dependencies: DOCS-VULN-29-003. | Needs policy overlay inputs | DOVL0101 |
|
||||
| DOCS-VULN-29-005 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Security Guild | docs/modules/vuln-explorer | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. Dependencies: DOCS-VULN-29-004. | Requires security review | DOVL0101 |
|
||||
| DOCS-VULN-29-006 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · DevOps Guild | docs/modules/vuln-explorer | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. Dependencies: DOCS-VULN-29-005. | Depends on DevOps rollout plan | DOVL0101 |
|
||||
| DOCS-VULN-29-007 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · DevEx/CLI Guild | docs/modules/vuln-explorer | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. Dependencies: DOCS-VULN-29-006. | Needs CLI examples (132_CLCI0110) | DOVL0101 |
|
||||
| DOCS-VULN-29-008 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Export Center Guild | docs/modules/vuln-explorer | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. Dependencies: DOCS-VULN-29-007. | Need export bundle spec | DOVL0102 |
|
||||
| DOCS-VULN-29-009 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Security Guild | docs/modules/vuln-explorer | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. Dependencies: DOCS-VULN-29-008. | Depends on #1 | DOVL0102 |
|
||||
| DOCS-VULN-29-010 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · DevOps Guild | docs/modules/vuln-explorer | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). Dependencies: DOCS-VULN-29-009. | Requires DevOps automation plan | DOVL0102 |
|
||||
| DOCS-VULN-29-011 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Notifications Guild | docs/modules/vuln-explorer | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. Dependencies: DOCS-VULN-29-010. | Needs notifications contract | DOVL0102 |
|
||||
| DOCS-VULN-29-012 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · Policy Guild | docs/modules/vuln-explorer | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). Dependencies: DOCS-VULN-29-011. | Requires policy overlay outputs | DOVL0102 |
|
||||
| DOCS-VULN-29-013 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild · DevEx/CLI Guild | docs/modules/vuln-explorer | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. Dependencies: DOCS-VULN-29-012. | Needs CLI/export scripts from 132_CLCI0110 | DOVL0102 |
|
||||
| DOWNLOADS-CONSOLE-23-001 | TODO | | SPRINT_0502_0001_0001_ops_deployment_ii | Docs Guild · Deployment Guild | docs/console | Maintain signed downloads manifest pipeline (images, Helm, offline bundles), publish JSON under `deploy/downloads/manifest.json`, and document sync cadence for Console + docs parity. | Need latest console build instructions | DOCN0101 |
|
||||
| DPOP-11-001 | TODO | 2025-11-08 | SPRINT_100_identity_signing | Docs Guild · Authority Core | src/Authority/StellaOps.Authority | Need DPoP ADR from PGMI0101 | AUTH-AOC-19-002 | DODP0101 |
|
||||
| DSL-401-005 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Policy Guild | `docs/policy/dsl.md`, `docs/policy/lifecycle.md` | Depends on PLLG0101 DSL updates | Depends on PLLG0101 DSL updates | DODP0101 |
|
||||
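Review bot: The `DOCS-SYMS-70-003` row still points at `SPRINT_304_docs_tasks_md_iv`, while every other `docs_tasks_md` row in this hunk moves to the zero-padded form (`SPRINT_0309_0001_0009_docs_tasks_md_ix`, `SPRINT_0310_0001_0010_docs_tasks_md_x`, `SPRINT_0311_0001_0001_docs_tasks_md_xi`). If that sprint file was renamed with the others, this row needs the same update, otherwise the reference will dangle. Separately, several rewritten rows keep the relative blocker text "Depends on #1" (for example `DOCS-SCANNER-BENCH-62-003`, `DOCS-SIG-26-002`, `DOCS-TEN-48-001`), which does not resolve to anything in a table keyed by task id. Since these rows are being touched anyway, replace it with the explicit task id, as the "Dependencies:" text in the description column already does for some of them.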
@@ -3562,14 +3562,14 @@
|
||||
| POLICY-27-004 | TODO | | SPRINT_204_cli_iv | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Add lifecycle commands for publish/promote/rollback/sign with attestation checks. | Depends on 27-003 | |
|
||||
| POLICY-27-005 | TODO | | SPRINT_204_cli_iv | DevEx/CLI Guild · Docs Guild | src/Cli/StellaOps.Cli | Update CLI refs/samples (JSON schemas, exit codes, CI snippets). | Requires 27-004 output | |
|
||||
| POLICY-27-006 | TODO | | SPRINT_204_cli_iv | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Update policy scopes/help text to request new Policy Studio scope family and adjust regression tests. | Needs 27-005 docs | |
|
||||
| POLICY-27-007 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, DevEx/CLI Guild (docs) | | | | |
|
||||
| POLICY-27-008 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Policy Registry Guild (docs) | | | | |
|
||||
| POLICY-27-009 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Security Guild (docs) | | | | |
|
||||
| POLICY-27-010 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Architecture Guild (docs) | | | | |
|
||||
| POLICY-27-011 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Observability Guild (docs) | | | | |
|
||||
| POLICY-27-012 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Ops Guild (docs) | | | | |
|
||||
| POLICY-27-013 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Policy Guild (docs) | | | | |
|
||||
| POLICY-27-014 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild, Policy Registry Guild (docs) | | | | |
|
||||
| POLICY-27-007 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, DevEx/CLI Guild (docs) | | | | |
|
||||
| POLICY-27-008 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Policy Registry Guild (docs) | | | | |
|
||||
| POLICY-27-009 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Security Guild (docs) | | | | |
|
||||
| POLICY-27-010 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Architecture Guild (docs) | | | | |
|
||||
| POLICY-27-011 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Observability Guild (docs) | | | | |
|
||||
| POLICY-27-012 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Ops Guild (docs) | | | | |
|
||||
| POLICY-27-013 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Policy Guild (docs) | | | | |
|
||||
| POLICY-27-014 | BLOCKED | 2025-10-27 | SPRINT_0308_0001_0008_docs_tasks_md_viii | Docs Guild, Policy Registry Guild (docs) | | | | |
|
||||
| POLICY-401-026 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild · Concelier Guild (`docs/policy/dsl.md`, `docs/uncertainty/README.md`) | `docs/policy/dsl.md`, `docs/uncertainty/README.md` | | | |
|
||||
| POLICY-AIRGAP-56-001 | TODO | | SPRINT_123_policy_reasoning | Policy Guild | src/Policy/StellaOps.Policy.Engine | Support policy pack imports from Mirror Bundles, track `bundle_id` metadata, and ensure deterministic caching | Needs OFFK0101 bundle schema | |
|
||||
| POLICY-AIRGAP-56-002 | TODO | | SPRINT_123_policy_reasoning | Policy Guild · Policy Studio Guild | src/Policy/StellaOps.Policy.Engine | Export policy sub-bundles | POLICY-AIRGAP-56-001 | |
|
||||
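Review bot: The rewritten rows `POLICY-27-007` through `POLICY-27-014` are marked BLOCKED (2025-10-27) but the path, description, dependency and notes columns are all empty, so the tracker records that the work is blocked without saying on what. The neighbouring `POLICY-27-004` to `POLICY-27-006` rows show the expected shape ("Depends on 27-003", "Requires 27-004 output"). Please fill in at least the blocking dependency while renaming the sprint id to `SPRINT_0308_0001_0008_docs_tasks_md_viii`, or drop the rows if they only duplicate docs tasks tracked elsewhere.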
@@ -3733,7 +3733,7 @@
|
||||
| RISK-67-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
|
||||
| RISK-67-002 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | | POLICY-RISK-67-001 | |
|
||||
| RISK-67-003 | BLOCKED (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-RISK-67-002 | Blocked by missing risk profile schema + lifecycle API contract. |
|
||||
| RISK-67-004 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, CLI Guild (docs) | | | | |
|
||||
| RISK-67-004 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, CLI Guild (docs) | | | | |
|
||||
| RISK-68-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild, Policy Studio Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
|
||||
| RISK-68-002 | TODO | | SPRINT_128_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | | POLICY-RISK-68-001 | |
|
||||
| RISK-69-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild, Notifications Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
|
||||
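Review bot: The RISK-67-004 row changes its sprint from `SPRINT_309_docs_tasks_md_ix` to `SPRINT_0309_0001_0009_docs_tasks_md_ix`, but the commit message covers only unit tests and logging infrastructure for the InMemory and RabbitMQ transports and never mentions a sprint-identifier rename in this tracker. Mention the rename in the message or move it to its own commit. The neighbouring rows also mix both naming forms (`SPRINT_128_policy_reasoning` on RISK-67-002 and RISK-68-002, `SPRINT_0128_0001_0001_policy_reasoning` on RISK-67-003); if these name the same sprint, normalise them in the same pass.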
@@ -3757,7 +3757,7 @@
|
||||
| RISK-ENGINE-70-002 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Risk Engine Guild, Observability Guild / src/RiskEngine/StellaOps.RiskEngine | src/RiskEngine/StellaOps.RiskEngine | Integrate runtime evidence provider and reachability provider outputs with caching + TTL | RISK-ENGINE-70-001 | |
|
||||
| RULES-33-001 | REVIEW (2025-10-30) | 2025-10-30 | SPRINT_0506_0001_0001_ops_devops_iv | DevOps Guild, Platform Leads (ops/devops) | ops/devops | | | |
|
||||
| RUNBOOK-401-017 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Ops Guild (`docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md`) | `docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md` | | | |
|
||||
| RUNBOOK-55-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, Ops Guild (docs) | | | | |
|
||||
| RUNBOOK-55-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, Ops Guild (docs) | | | | |
|
||||
| RUNBOOK-REPLAY-187-004 | TODO | | SPRINT_160_export_evidence | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` | docs/runbooks/replay_ops.md | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` | | |
|
||||
| RUNTIME-401-002 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Signals Guild (`src/Signals/StellaOps.Signals`) | `src/Signals/StellaOps.Signals` | | | |
|
||||
| RUNTIME-PROBE-401-010 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | `src/Signals/StellaOps.Signals.Runtime`, `ops/probes` | Implement lightweight runtime probes (EventPipe/.NET, JFR/JVM) that capture method enter events for the target components, package them as CAS traces, and feed them into the Signals ingestion pipeline. | | |
|
||||
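Review bot: In the trailing context, the RUNBOOK-REPLAY-187-004 row repeats its owner text (Docs/Ops Guild · `/docs/runbooks/replay_ops.md`) in the seventh column, where other rows such as RUNTIME-PROBE-401-010 carry the task description, so the row states no actual task. The renamed RUNBOOK-55-001 row likewise has an empty path and description. Since this hunk already touches the block, fill in or clear those cells rather than carrying them forward.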
@@ -3875,13 +3875,13 @@
|
||||
| SCANNER-ANALYZERS-RUBY-28-010 | TODO | | SPRINT_135_scanner_surface | Ruby Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby | Optional runtime evidence integration (if provided logs/metrics) with path hashing, without altering static precedence. | SCANNER-ANALYZERS-RUBY-28-009 | |
|
||||
| SCANNER-ANALYZERS-RUBY-28-011 | TODO | | SPRINT_135_scanner_surface | Ruby Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby | Package analyzer plug-in, add CLI (`stella ruby inspect`), refresh Offline Kit documentation. | SCANNER-ANALYZERS-RUBY-28-010 | |
|
||||
| SCANNER-ANALYZERS-RUBY-28-012 | TODO | | SPRINT_135_scanner_surface | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby | Policy signal emitter: rubygems drift, native extension flags, dangerous constructs counts, TLS verify posture, dynamic require eval warnings. | SCANNER-ANALYZERS-RUBY-28-011 | |
|
||||
| SCANNER-BENCH-62-002 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-003 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-004 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Java Analyzer Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-005 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Go Analyzer Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-006 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Rust Analyzer Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, EntryTrace Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-002 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-003 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Product Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-004 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Java Analyzer Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Go Analyzer Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Rust Analyzer Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, EntryTrace Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | |
|
||||
| SCANNER-CLI-0001 | DONE | 2025-11-10 | SPRINT_0138_0000_0001_scanner_ruby_parity | CLI Guild, Ruby Analyzer Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Coordinate CLI UX/help text for new Ruby verbs and update CLI docs/golden outputs. | SCANNER-ENG-0019 | |
|
||||
| SCANNER-DET-01 | DONE (2025-12-03) | 2025-12-03 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | | Deterministic compose fixtures landed; docs published. | |
|
||||
| SCANNER-DOCS-0003 | TODO | | SPRINT_327_docs_modules_scanner | Docs Guild, Product Guild (docs/modules/scanner) | docs/modules/scanner | Gather Windows/macOS analyzer demand signals and record findings in `docs/benchmarks/scanner/windows-macos-demand.md` for marketing + product readiness. | | |
|
||||
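Review bot: The SCANNER-DET-01 row in the trailing context has eight cells where its neighbours (for example SCANNER-CLI-0001 and SCANNER-DOCS-0003) have nine, so its columns will be misaligned against the header. Add the missing empty cell while this block is being edited. Separately, the renamed SCANNER-BENCH-62 rows run 002 to 006 and then 008 and 009 in both the old and the new set; confirm that the absence of SCANNER-BENCH-62-007 is intentional.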
@@ -3975,7 +3975,7 @@
|
||||
| SDKREL-63-002 | TODO | | SPRINT_0208_0001_0001_sdk | SDK Release Guild, API Governance Guild (src/Sdk/StellaOps.Sdk.Release) | src/Sdk/StellaOps.Sdk.Release | Integrate changelog automation pulling from OAS diffs and generator metadata. Dependencies: SDKREL-63-001. | | |
|
||||
| SDKREL-64-001 | TODO | | SPRINT_0208_0001_0001_sdk | SDK Release Guild, Notifications Guild (src/Sdk/StellaOps.Sdk.Release) | src/Sdk/StellaOps.Sdk.Release | Hook SDK releases into Notifications Studio with scoped announcements and RSS/Atom feeds. Dependencies: SDKREL-63-002. | | |
|
||||
| SDKREL-64-002 | TODO | | SPRINT_0208_0001_0001_sdk | SDK Release Guild, Export Center Guild (src/Sdk/StellaOps.Sdk.Release) | src/Sdk/StellaOps.Sdk.Release | Add `devportal --offline` bundle job packaging docs, specs, SDK artifacts for air-gapped users. Dependencies: SDKREL-64-001. | | |
|
||||
| SEC-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, Authority Core (docs) | | | | |
|
||||
| SEC-62-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, Authority Core (docs) | | | | |
|
||||
| SEC-CRYPTO-90-001 | DONE | 2025-11-07 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | Produce the RootPack_RU implementation plan, provider strategy (CryptoPro + PKCS#11), and backlog split for sovereign crypto work. | | |
|
||||
| SEC-CRYPTO-90-002 | DONE | 2025-11-07 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | Extend signature/catalog constants and configuration schema to recognize `GOST12-256/512`, regional crypto profiles, and provider preference ordering. | | |
|
||||
| SEC-CRYPTO-90-003 | DONE | 2025-11-07 | SPRINT_514_sovereign_crypto_enablement | Security Guild (src/__Libraries/StellaOps.Cryptography) | src/__Libraries/StellaOps.Cryptography | Implement `StellaOps.Cryptography.Plugin.CryptoPro` provider (sign/verify/JWK export) using CryptoPro CSP with deterministic logging/tests. | | |
|
||||
@@ -3997,7 +3997,7 @@
|
||||
| SEC-CRYPTO-90-019 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security Guild | third_party/forks/AlexMAS.GostCryptography | Patch the fork to drop vulnerable `System.Security.Cryptography.{Pkcs,Xml}` 6.0.0 dependencies (target .NET 8+, adopt fixed BCL packages, re-run tests). | Needs fork validation | CRSA0101 |
|
||||
| SEC-CRYPTO-90-020 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security Guild | src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro | Re-point `StellaOps.Cryptography.Plugin.CryptoPro` to the forked sources (replace NuGet package references, adjust DI wiring) and prove the plugin works end-to-end. | Depends on #5 | CRSA0101 |
|
||||
| SEC-CRYPTO-90-021 | TODO | | SPRINT_514_sovereign_crypto_enablement | Security + QA Guilds | scripts/crypto/**, docs/security/rootpack_ru_validation.md | Validate the forked library + plugin on both Windows (CryptoPro CSP) and Linux (OpenSSL GOST fallback) builds/tests; document any platform-specific prerequisites. | Depends on #6 | CRSA0101 |
|
||||
| SEC-OBS-50-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, Security Guild (docs) | | | | |
|
||||
| SEC-OBS-50-001 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, Security Guild (docs) | | | | |
|
||||
| SEC2 | DONE | 2025-11-09 | SPRINT_100_identity_signing | Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) | src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard | | | |
|
||||
| SEC3 | DONE | 2025-11-09 | SPRINT_100_identity_signing | Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) | src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard | | | |
|
||||
| SEC5 | DONE | 2025-11-09 | SPRINT_100_identity_signing | Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) | src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard | | | |
|
||||
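Review bot: The SEC-CRYPTO-90-020 and SEC-CRYPTO-90-021 rows in the leading context record their dependencies as "Depends on #5" and "Depends on #6", ordinals that do not resolve to any task ID in this table, while other rows name the blocking task directly (for example `SCANNER-ENG-0019` on SCANNER-CLI-0001). Replace the ordinals with the task IDs they refer to so the dependency chain for the crypto fork work can be followed from the tracker alone.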
@@ -4022,10 +4022,10 @@
|
||||
| SIG-26-002 | TODO | | SPRINT_204_cli_iv | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| SIG-26-003 | TODO | | SPRINT_0211_0001_0003_ui_iii | UI Guild (src/UI/StellaOps.UI) | src/UI/StellaOps.UI | | | |
|
||||
| SIG-26-004 | TODO | | SPRINT_0211_0001_0003_ui_iii | UI Guild (src/UI/StellaOps.UI) | src/UI/StellaOps.UI | | | |
|
||||
| SIG-26-005 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, UI Guild (docs) | | | | |
|
||||
| SIG-26-006 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, DevEx/CLI Guild (docs) | | | | |
|
||||
| SIG-26-007 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, BE-Base Platform Guild (docs) | | | | |
|
||||
| SIG-26-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | |
|
||||
| SIG-26-005 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, UI Guild (docs) | | | | |
|
||||
| SIG-26-006 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, DevEx/CLI Guild (docs) | | | | |
|
||||
| SIG-26-007 | TODO | | SPRINT_0309_0001_0009_docs_tasks_md_ix | Docs Guild, BE-Base Platform Guild (docs) | | | | |
|
||||
| SIG-26-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | |
|
||||
| SIG-STORE-401-016 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Signals Guild · BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | `src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core` | Introduce shared reachability store collections (`func_nodes`, `call_edges`, `cve_func_hits`), indexes, and repository APIs so Scanner/Signals/Policy can reuse canonical function data. | | |
|
||||
| SIGN-CORE-186-004 | DONE | 2025-11-26 | SPRINT_186_record_deterministic_execution | Signing Guild | `src/Signer/StellaOps.Signer`, `src/__Libraries/StellaOps.Cryptography` | Replace the HMAC demo implementation in `StellaOps.Signer` with StellaOps.Cryptography providers (keyless + KMS), including provider selection, key material loading, and cosign-compatible DSSE signature output. | Mirrors #1 | SIGR0101 |
|
||||
| SIGN-CORE-186-005 | DONE | 2025-11-26 | SPRINT_186_record_deterministic_execution | Signing Guild | `src/Signer/StellaOps.Signer.Core` | Refactor `SignerStatementBuilder` to support StellaOps predicate types (e.g., `stella.ops/promotion@v1`) and delegate payload canonicalisation to the Provenance library once available. | Mirrors #2 | SIGR0101 |
|
||||
@@ -4161,7 +4161,7 @@
|
||||
| TEN-48-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
|
||||
| TEN-49-001 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| TEST-186-006 | TODO | | SPRINT_186_record_deterministic_execution | Signing Guild, QA Guild (`src/Signer/StellaOps.Signer.Tests`) | `src/Signer/StellaOps.Signer.Tests` | | | |
|
||||
| TEST-62-001 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Contract Testing Guild (docs) | | | | |
|
||||
| TEST-62-001 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Contract Testing Guild (docs) | | | | |
|
||||
| TIME-57-001 | TODO | | SPRINT_0503_0001_0001_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild | | | PROGRAM-STAFF-1001 | |
|
||||
| TIME-57-002 | TODO | | SPRINT_510_airgap | Exporter Guild · AirGap Time Guild · CLI Guild | src/AirGap/StellaOps.AirGap.Time | PROGRAM-STAFF-1001 | PROGRAM-STAFF-1001 | AGTM0101 |
|
||||
| TIME-58-001 | TODO | | SPRINT_510_airgap | AirGap Time Guild | src/AirGap/StellaOps.AirGap.Time | AIRGAP-TIME-58-001 | AIRGAP-TIME-58-001 | AGTM0101 |
|
||||
@@ -4211,11 +4211,11 @@
|
||||
| VEX-30-002 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| VEX-30-003 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| VEX-30-004 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| VEX-30-005 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Console Guild (docs) | | | | |
|
||||
| VEX-30-006 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | DOVX0101 |
|
||||
| VEX-30-005 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Console Guild (docs) | | | | |
|
||||
| VEX-30-006 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | DOVX0101 |
|
||||
| VEX-30-007 | TODO | | SPRINT_216_web_v | BE-Base Platform Guild, VEX Lens Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | | | DOVX0101 |
|
||||
| VEX-30-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Security Guild (docs) | | | | DOVX0101 |
|
||||
| VEX-30-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | DOVX0101 |
|
||||
| VEX-30-008 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, Security Guild (docs) | | | | DOVX0101 |
|
||||
| VEX-30-009 | TODO | | SPRINT_0310_0001_0010_docs_tasks_md_x | Docs Guild, DevOps Guild (docs) | | | | DOVX0101 |
|
||||
| VEX-401-006 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | `src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy` | | | DOVX0101 |
|
||||
| VEX-401-010 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | `src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md` | | | DOVX0101 |
|
||||
| VEX-401-011 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | verify | | | | DOVX0101 |
|
||||
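Review bot: The VEX-401-011 row in the trailing context has "verify" in the owner column and no path or description, which reads as a leftover placeholder rather than an assignment. Resolve it or mark the row as needing triage. In the renamed rows, VEX-30-005 leaves the last column empty while VEX-30-006, VEX-30-008 and VEX-30-009 carry `DOVX0101`; confirm that difference is intended.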
@@ -4249,13 +4249,13 @@
|
||||
| VULN-29-004 | TODO | | SPRINT_116_concelier_v | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
|
||||
| VULN-29-005 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| VULN-29-006 | TODO | | SPRINT_205_cli_v | DevEx/CLI Guild, Docs Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
|
||||
| VULN-29-007 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, Excititor Guild (docs) | | | | |
|
||||
| VULN-29-008 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, Concelier Guild (docs) | | | | |
|
||||
| VULN-29-009 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, SBOM Service Guild (docs) | | | | |
|
||||
| VULN-29-010 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, Observability Guild (docs) | | | | |
|
||||
| VULN-29-011 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, Security Guild (docs) | | | | |
|
||||
| VULN-29-012 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, Ops Guild (docs) | | | | |
|
||||
| VULN-29-013 | TODO | | SPRINT_311_docs_tasks_md_xi | Docs Guild, Deployment Guild (docs) | | | | |
|
||||
| VULN-29-007 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, Excititor Guild (docs) | | | | |
|
||||
| VULN-29-008 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, Concelier Guild (docs) | | | | |
|
||||
| VULN-29-009 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, SBOM Service Guild (docs) | | | | |
|
||||
| VULN-29-010 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, Observability Guild (docs) | | | | |
|
||||
| VULN-29-011 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, Security Guild (docs) | | | | |
|
||||
| VULN-29-012 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, Ops Guild (docs) | | | | |
|
||||
| VULN-29-013 | TODO | | SPRINT_0311_0001_0001_docs_tasks_md_xi | Docs Guild, Deployment Guild (docs) | | | | |
|
||||
| VULN-API-29-001 | DONE | 2025-11-25 | SPRINT_0129_0001_0001_policy_reasoning | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api | src/VulnExplorer/StellaOps.VulnExplorer.Api | Define OpenAPI spec (list/detail/query/simulation/workflow/export), query JSON schema, pagination/grouping contracts, and error codes | | PLVA0101 |
|
||||
| VULN-API-29-002 | DONE | 2025-11-25 | SPRINT_0129_0001_0001_policy_reasoning | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api | src/VulnExplorer/StellaOps.VulnExplorer.Api | Implement list/query endpoints with policy parameter, grouping, server paging, caching, and cost budgets; tests at `tests/TestResults/vuln-explorer/api.trx`. | VULN-API-29-001 | PLVA0101 |
|
||||
| VULN-API-29-003 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Vuln Explorer API Guild / src/VulnExplorer/StellaOps.VulnExplorer.Api | src/VulnExplorer/StellaOps.VulnExplorer.Api | Implement detail endpoint aggregating evidence, policy rationale, paths | VULN-API-29-002 | PLVA0101 |
|
||||
|
||||
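Review bot: The new sprint identifier on the VULN-29-007 to VULN-29-013 rows, `SPRINT_0311_0001_0001_docs_tasks_md_xi`, breaks the pattern used by the other renames in this patch, where the last numeric group follows the roman suffix: `SPRINT_0309_0001_0009_docs_tasks_md_ix` and `SPRINT_0310_0001_0010_docs_tasks_md_x`. By that pattern the `xi` sprint would end in `0011`, not `0001`. Check the identifier against the actual sprint file name and correct all seven rows if it is a typo.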