save checkpoint: save features

docs/features/checked/advisoryai/ai-action-policy-gate.md

@@ -30,8 +30,8 @@ Connects AI-proposed actions to the Policy Engine's K4 lattice for governance-aw
 - [ ] Submit an action that violates policy and verify `ActionPolicyGate` rejects it with a policy violation reason
 - [ ] Verify `ActionDefinition` metadata (risk level, required approvals, allowed scopes) is enforced during gate evaluation
 ## Verification
-- Verified on 2026-02-11 via `run-001`.
-- Tier 0: `docs/qa/feature-checks/runs/advisoryai/ai-action-policy-gate/run-001/tier0-source-check.json`
-- Tier 1: `docs/qa/feature-checks/runs/advisoryai/ai-action-policy-gate/run-001/tier1-build-check.json`
-- Tier 2: `docs/qa/feature-checks/runs/advisoryai/ai-action-policy-gate/run-001/tier2-integration-check.json`
+- Verified on 2026-02-11 via `run-002`.
+- Tier 0: `docs/qa/feature-checks/runs/advisoryai/ai-action-policy-gate/run-002/tier0-source-check.json`
+- Tier 1: `docs/qa/feature-checks/runs/advisoryai/ai-action-policy-gate/run-002/tier1-build-check.json`
+- Tier 2: `docs/qa/feature-checks/runs/advisoryai/ai-action-policy-gate/run-002/tier2-integration-check.json`
 

docs/features/checked/airgap/air-gap-bundle-system.md

@@ -0,0 +1,38 @@
+# Air-Gap Bundle System (DSSE-Signed Bundle Format with Import/Export)
+
+## Module
+AirGap
+
+## Status
+VERIFIED
+
+## Description
+Comprehensive air-gap bundle system with DSSE signing and verification, bundle format with schemas/validation/trust snapshots, controller for state management, importer with quarantine-on-failure, atomic feed activation with rollback, file-based and router-based delivery transport, and offline kit validation (monotonicity checking, telemetry metrics). Covers offline update kits (OUK), replay packs, and audit pack export/import.
+
+## Implementation Details
+- **Controller**: `src/AirGap/StellaOps.AirGap.Controller/` -- state management (`AirGapState.cs`, `AirGapStateService.cs`), endpoints (`AirGapEndpoints.cs` with seal/verify), startup options, telemetry
+- **Importer**: `src/AirGap/StellaOps.AirGap.Importer/` -- bundle planning (`BundleImportPlanner.cs`), quarantine on failure (`FileSystemQuarantineService.cs`, `IQuarantineService.cs`), evidence reconciliation (`EvidenceReconciler.cs`, `EvidenceGraph.cs`), SBOM/DSSE parsers, version monotonicity, trust root config, replay verification
+- **Bundle library**: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/` -- bundle format, schema validation, trust snapshot management
+- **Sync library**: `src/AirGap/__Libraries/StellaOps.AirGap.Sync/` -- synchronization for bundle delivery
+- **Persistence**: `src/AirGap/__Libraries/StellaOps.AirGap.Persistence/` and `src/AirGap/StellaOps.AirGap.Storage.Postgres/`
+- **Policy**: `src/AirGap/StellaOps.AirGap.Policy/` -- offline verification policy, analyzers
+- **Tests**: Controller, Importer, Persistence, Sync, Time, and Policy tests under `src/AirGap/__Tests/`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Test bundle import with valid DSSE-signed bundle, verify state transition
+- [ ] Test quarantine behavior on invalid bundle signature
+- [ ] Test monotonicity check rejects older bundle version
+- [ ] Test evidence reconciliation correctly parses CycloneDx, DSSE attestations
+- [ ] Test atomic feed activation and rollback on failure
+- [ ] Verify bundle import planning produces correct plan
+
+## Verification
+- Verified on 2026-02-11 with `run-001`.
+- Tier 0 source checks passed for controller state/endpoints, importer planner/quarantine/reconciliation, and bundle library surfaces.
+- Tier 1 build and focused behavior tests passed (`13/13` importer-focused, `12/12` controller endpoint/state, plus full suites for importer/controller/bundle).
+- Tier 2 behavioral verification passed via HTTP endpoint integration tests over `/system/airgap/seal`, `/system/airgap/status`, and `/system/airgap/verify` including positive and negative paths.
+- Evidence:
+  - `docs/qa/feature-checks/runs/airgap/air-gap-bundle-system/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/airgap/air-gap-bundle-system/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/airgap/air-gap-bundle-system/run-001/tier2-integration-check.json`

docs/features/checked/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots.md

@@ -0,0 +1,40 @@
+# Air-Gap Epistemic Mode with Sealed Startup and Feed Snapshots
+
+## Module
+AirGap
+
+## Status
+VERIFIED
+
+## Description
+Full epistemic completeness for air-gapped environments: sealed startup validation, feed snapshot repositories, signed mirror connectors, cryptographic binding of knowledge state to scan results, snapshot management, and sealed install enforcement.
+
+## Implementation Details
+- **Sealed startup**: `src/AirGap/StellaOps.AirGap.Controller/Services/AirGapStartupDiagnosticsHostedService.cs` -- validates sealed state at startup
+- **Startup options**: `src/AirGap/StellaOps.AirGap.Controller/Options/AirGapStartupOptions.cs` -- sealed startup configuration
+- **State management**: `src/AirGap/StellaOps.AirGap.Controller/Domain/AirGapState.cs`, `Services/AirGapStateService.cs`
+- **State stores**: `src/AirGap/StellaOps.AirGap.Controller/Stores/IAirGapStateStore.cs`, `InMemoryAirGapStateStore.cs`
+- **Feed snapshots**: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/` -- snapshot management in bundle library
+- **Offline verification**: `src/AirGap/StellaOps.AirGap.Importer/Policy/OfflineVerificationPolicy.cs`, `OfflineVerificationPolicyLoader.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify sealed startup validation prevents operation with incomplete knowledge state
+- [ ] Test feed snapshot loading and cryptographic binding
+- [ ] Verify state transitions in air-gap controller
+- [ ] Test offline verification policy enforcement
+
+## Verification
+- Verified on 2026-02-11 with `run-001`.
+- Tier 0 source/declaration checks passed for sealed-startup diagnostics, controller state store/service, snapshot bundle writer, and offline verification policy loader surfaces.
+- Tier 1 build/tests passed across controller/importer/bundle projects (`27/27` controller, `154/154` importer with new policy-loader tests, `150/150` bundle).
+- Tier 2 behavioral API checks passed for `/system/airgap/status`, `/system/airgap/seal`, and `/system/airgap/verify` with both positive and negative paths; status confirmed `sealed=true` after successful seal.
+- Additional Tier 2 integration evidence covers offline policy parsing/canonicalization via `OfflineVerificationPolicyLoaderTests`.
+- Revalidated on 2026-02-11 with `run-002` to capture fresh Tier 0/1/2 evidence in this execution lane.
+- Evidence:
+  - `docs/qa/feature-checks/runs/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots/run-001/tier2-api-check.json`
+  - `docs/qa/feature-checks/runs/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots/run-002/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots/run-002/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots/run-002/tier2-integration-check.json`

docs/features/checked/airgap/deterministic-rekor-receipts-with-offline-verification.md

@@ -0,0 +1,35 @@
+# Deterministic Rekor Receipts with Offline Verification
+
+## Module
+AirGap
+
+## Status
+VERIFIED
+
+## Description
+Offline Rekor receipt verifier validates checkpoint signatures (ECDSA/Ed25519), Merkle inclusion proofs per RFC 6962, and root hash consistency without live transparency log access. Includes TileProxy for local tile-based transparency log proxy, and mirror snapshot resolution for air-gapped deployments.
+
+## Implementation Details
+- **Rekor proof builder**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.Build.cs`, `EnhancedRekorProofBuilder.Validate.cs`, `EnhancedRekorProofBuilder.cs`
+- **Rekor inclusion proof**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/RekorInclusionProof.cs`
+- **Rekor verification step**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/RekorInclusionVerificationStep.cs`
+- **Replay verification**: `src/AirGap/StellaOps.AirGap.Controller/Services/ReplayVerificationService.cs`
+- **Importer replay**: `src/AirGap/StellaOps.AirGap.Importer/Contracts/ReplayVerificationRequest.cs`, `ReplayDepth.cs`
+- **Merkle proofs**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Merkle/DeterministicMerkleTreeBuilder.Proof.cs`, `MerkleProof.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify Rekor receipt offline verification validates checkpoint signatures (ECDSA/Ed25519)
+- [ ] Test Merkle inclusion proof verification per RFC 6962
+- [ ] Test root hash consistency verification without live transparency log
+- [ ] Verify replay verification service works in air-gapped mode
+
+## Verification
+- Verified on 2026-02-11 with `run-002`.
+- Tier 0 source/declaration checks passed for Rekor proof builder surfaces, inclusion proof/verification classes, replay verification contracts, and deterministic Merkle proof primitives.
+- Tier 1 build/tests passed across proof-chain, controller, importer, and Attestor/AirGap test suites (`76/76` offline verifier, `80/80` attestor types, `27/27` controller, `154/154` importer).
+- Tier 2 behavioral checks passed for offline receipt verification, offline verifier Rekor-proof path handling, and replay verification behavior in both controller and importer paths.
+- Evidence:
+  - `docs/qa/feature-checks/runs/airgap/deterministic-rekor-receipts-with-offline-verification/run-002/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/airgap/deterministic-rekor-receipts-with-offline-verification/run-002/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/airgap/deterministic-rekor-receipts-with-offline-verification/run-002/tier2-integration-check.json`

docs/features/checked/airgap/deterministic-replay-and-verification-in-air-gap-mode.md

@@ -0,0 +1,36 @@
+# Deterministic Replay and Verification in Air-Gap Mode
+
+## Module
+AirGap
+
+## Status
+VERIFIED
+
+## Description
+Replay manifests capturing input artifacts, verification results, and media types for deterministic reproducibility. Replay verification service for air-gapped environments. Covers offline cryptography plugins and importer validation.
+
+## Implementation Details
+- **Replay verification service**: `src/AirGap/StellaOps.AirGap.Controller/Services/ReplayVerificationService.cs`
+- **Replay contracts**: `src/AirGap/StellaOps.AirGap.Importer/Contracts/ReplayVerificationRequest.cs`, `ReplayDepth.cs`
+- **Attestor replay**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayInputArtifact.cs`, `ReplayResult.cs`, `ReplayStatus.cs`, `ReplayVerificationResult.cs`, `ReplayPromptTemplate.cs`
+- **Offline crypto**: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs` and plugin implementations (GOST, eIDAS, SM, FIPS, HSM)
+- **Evidence reconciliation**: `src/AirGap/StellaOps.AirGap.Importer/Reconciliation/` -- EvidenceReconciler, EvidenceGraph, JSON normalizer, attestation/SBOM parsers
+- **Importer validation**: `src/AirGap/StellaOps.AirGap.Importer/Validation/` -- bundle validation
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify replay manifests capture all input artifacts with media types
+- [ ] Test replay verification produces identical results from same inputs
+- [ ] Test evidence reconciliation correctly builds evidence graph
+- [ ] Verify offline crypto plugin signing/verification works without network
+
+## Verification
+- Verified on 2026-02-11 with `run-001`.
+- Tier 0 source/declaration checks passed for replay service/contracts, proof-chain replay models, offline crypto plugin base/implementations, evidence reconciliation surfaces, and importer validators.
+- Tier 1 build/tests passed across AirGap controller/importer, cryptography plugin/test surfaces, and attestor replay/sign-verify suite (`27/27` controller, `154/154` importer, `108/108` cryptography, `80/80` attestor types).
+- Tier 2 behavioral checks passed with live `/system/airgap/verify` API transactions proving deterministic repeated responses for identical inputs, deterministic policy-freeze replay behavior after seal, and expected negative-path failures for hash drift and stale manifests.
+- Additional Tier 2 integration evidence covers evidence reconciliation and offline crypto plugin behavior without network access.
+- Evidence:
+  - `docs/qa/feature-checks/runs/airgap/deterministic-replay-and-verification-in-air-gap-mode/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/airgap/deterministic-replay-and-verification-in-air-gap-mode/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/airgap/deterministic-replay-and-verification-in-air-gap-mode/run-001/tier2-api-check.json`

docs/features/checked/airgap/deterministic-test-harness.md

@@ -0,0 +1,34 @@
+# Deterministic Test Harness (Frozen Time, Seeded RNG, Network Isolation)
+
+## Module
+AirGap
+
+## Status
+VERIFIED
+
+## Description
+Deterministic testing infrastructure with frozen time providers, deterministic fixtures, and Testcontainers for PostgreSQL isolation across backend and frontend.
+
+## Implementation Details
+- **Test infrastructure**: `src/__Tests/__Libraries/StellaOps.Testing.Chaos/Models.cs` -- chaos/deterministic testing models
+- **AirGap tests**: `src/AirGap/__Tests/` -- Controller, Importer, Persistence, Sync, Time tests
+- **Frozen time**: `src/AirGap/StellaOps.AirGap.Time/` -- time anchor services with frozen time providers, staleness calculation
+- **Time fixtures**: `src/AirGap/StellaOps.AirGap.Time/fixtures/` -- deterministic time test fixtures
+- **Testcontainers**: PostgreSQL isolation via `src/AirGap/StellaOps.AirGap.Storage.Postgres.Tests/`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify frozen time providers produce deterministic timestamps
+- [ ] Test seeded RNG produces reproducible results
+- [ ] Verify Testcontainers PostgreSQL isolation works correctly
+- [ ] Test deterministic fixtures produce identical outputs across runs
+
+## Verification
+- Verified on 2026-02-11 with `run-001`.
+- Tier 0 source/declaration checks passed for deterministic harness surfaces across AirGap time fixtures/services, sync fixed-time utilities, persistence postgres fixture/tests, and testing replay/chaos libraries.
+- Tier 1 build/tests passed across time/sync/persistence plus testing-chaos/testing-replay projects (`48/48` time tests, `40/40` sync tests, `23/23` persistence tests, `51/51` chaos tests, `20/20` replay tests).
+- Tier 2 behavioral checks passed with live `/system/airgap/verify` repeated requests returning byte-identical pass payloads for identical inputs, plus integration evidence for postgres testcontainer isolation and replay harness execution.
+- Evidence:
+  - `docs/qa/feature-checks/runs/airgap/deterministic-test-harness/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/airgap/deterministic-test-harness/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/airgap/deterministic-test-harness/run-001/tier2-api-check.json`

docs/features/checked/airgap/dsse-receipt-schema-for-authority-sbomer-vexer-flows.md

@@ -0,0 +1,32 @@
+# DSSE/Receipt Schema for Authority/Sbomer/Vexer Flows
+
+## Module
+AirGap
+
+## Status
+VERIFIED
+
+## Description
+DSSE envelope signing/verification across multiple modules with schema types, SPDX3 integration, and air-gap bundle signing. The receipt schema supports Authority, Sbomer, and Vexer flows.
+
+## Implementation Details
+- **DSSE signing**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/DsseEnvelope.cs`, `DsseSignature.cs`, `ProofChainSigner.Verification.cs`
+- **DSSE SPDX3**: `src/Attestor/__Libraries/StellaOps.Attestor.Spdx3/DsseSpdx3Envelope.cs`, `DsseSpdx3Signature.cs`, `DsseSpdx3Signer.SignAsync.cs`, `DsseSpdx3Signer.Verify.cs`
+- **DSSE verification**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/DsseSignatureVerificationStep.cs`
+- **Importer DSSE parsing**: `src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/DsseAttestationParser.cs`
+- **Receipt models**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts/VerificationReceipt.cs`, `VerificationResult.cs`, `VerificationCheck.cs`, `VerificationContext.cs`
+- **Signing profiles**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/SigningKeyProfile.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify DSSE envelope creation for Authority/Sbomer/Vexer flows
+- [ ] Test DSSE signature verification with multiple key profiles
+- [ ] Verify receipt schema captures all required verification checks
+- [ ] Test SPDX3 DSSE integration
+
+## Verification
+- Run ID: `run-001`
+- Date (UTC): `2026-02-11`
+- Tier 0: `docs/qa/feature-checks/runs/airgap/dsse-receipt-schema-for-authority-sbomer-vexer-flows/run-001/tier0-source-check.json` (`verdict=pass`)
+- Tier 1: `docs/qa/feature-checks/runs/airgap/dsse-receipt-schema-for-authority-sbomer-vexer-flows/run-001/tier1-build-check.json` (`buildResult=pass`, `testResult=pass`)
+- Tier 2: `docs/qa/feature-checks/runs/airgap/dsse-receipt-schema-for-authority-sbomer-vexer-flows/run-001/tier2-integration-check.json` (`verdict=pass`)

docs/features/checked/airgap/mirror-time-anchor-contract.md

@@ -0,0 +1,34 @@
+# Mirror Time Anchor Contract
+
+## Module
+AirGap
+
+## Status
+VERIFIED
+
+## Description
+Defines canonical time-anchor fields (generatedAt UTC ISO-8601, optional sourceClock hint) and staleness computation (now - generatedAt with +/-5s tolerance) for mirror bundles in air-gapped environments.
+
+## Implementation Details
+- **Time anchor module**: `src/AirGap/StellaOps.AirGap.Time/` -- full module with controllers, services, parsing, models, stores, config, hooks, health checks
+- **Time anchor parsing**: `src/AirGap/StellaOps.AirGap.Time/Parsing/` -- token parsing for time anchor extraction
+- **Staleness calculation**: services compute `now - generatedAt` with tolerance handling
+- **HLC merge services**: `src/AirGap/StellaOps.AirGap.Time/Services/` -- Hybrid Logical Clock for multi-node sync
+- **Deterministic time fixtures**: `src/AirGap/StellaOps.AirGap.Time/fixtures/`
+- **Bundle integration**: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/` -- TimeAnchorContent, SnapshotBundleWriter.Sections.TimeAnchor, SnapshotBundleReader.Verify.TimeAnchor
+- **Attestor timestamping**: `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/TimeCorrelationValidator.Validate.cs`, `TimeCorrelationStatus.cs`
+- **Tests**: `src/AirGap/__Tests/StellaOps.AirGap.Time.Tests/` (TimeAnchorLoaderTests, StalenessCalculatorTests, TimeVerificationServiceTests, TimeTokenParserTests, etc.)
+
+## E2E Test Plan
+- [ ] Verify time anchor is embedded in air-gap bundle with correct ISO-8601 format
+- [ ] Verify staleness calculation correctly computes age with +/-5s tolerance
+- [ ] Verify time anchor verification rejects bundles with tampered timestamps
+- [ ] Verify HLC merge produces consistent ordering across multiple nodes
+
+## Related Documentation
+- Source: SPRINT_0150_0001_0002_mirror_time.md
+
+## Verification
+- Run: `docs/qa/feature-checks/runs/airgap/mirror-time-anchor-contract/run-001/`
+- Date (UTC): 2026-02-11
+

docs/features/checked/airgap/offline-kit-metrics-and-diagnostics.md

@@ -0,0 +1,24 @@
+# Offline Kit Metrics and Diagnostics
+
+## Module
+AirGap
+
+## Status
+IMPLEMENTED
+
+## Description
+Offline kit metrics, telemetry, and startup diagnostics for monitoring air-gap bundle health.
+
+## Implementation Details
+- **Telemetry**: `src/AirGap/StellaOps.AirGap.Controller/Services/AirGapTelemetry.cs` -- air-gap specific telemetry
+- **Telemetry options**: `src/AirGap/StellaOps.AirGap.Controller/Options/AirGapTelemetryOptions.cs` -- telemetry configuration
+- **Startup diagnostics**: `src/AirGap/StellaOps.AirGap.Controller/Services/AirGapStartupDiagnosticsHostedService.cs` -- diagnostics at startup
+- **Importer telemetry**: `src/AirGap/StellaOps.AirGap.Importer/Telemetry/` -- import-specific metrics
+- **Status endpoints**: `src/AirGap/StellaOps.AirGap.Controller/Endpoints/Contracts/AirGapStatusResponse.cs` -- status reporting
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify AirGap status endpoint returns correct metrics
+- [ ] Test startup diagnostics detect and report issues
+- [ ] Verify telemetry captures bundle import/export operations
+- [ ] Test importer telemetry tracks import duration and outcomes

docs/features/checked/airgap/trust-profile-management.md

@@ -0,0 +1,33 @@
+# Trust Profile Management (CLI and Bundle)
+
+## Module
+AirGap
+
+## Status
+VERIFIED
+
+## Description
+Named trust profiles (global, eu-eidas, us-fips, bg-gov) for configuring TSA chains, signing algorithms, and verification policies per deployment context. Includes CLI commands (stella trust-profile list/apply/show) and bundle-level profile loading. Distinct from the known "Trust Anchor Management" and "Regional Crypto Profiles" which are about crypto algorithms, not deployment-context trust configuration profiles.
+
+## Implementation Details
+- **Bundle trust profiles**: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/` -- named trust profile definitions and loading
+- **Trust root config**: `src/AirGap/StellaOps.AirGap.Importer/Contracts/TrustRootConfig.cs` -- trust root configuration for import verification
+- **AirGap policy**: `src/AirGap/StellaOps.AirGap.Policy/` -- policy enforcement for trust profiles, includes analyzers and tests
+- **Offline verification policy**: `src/AirGap/StellaOps.AirGap.Importer/Policy/OfflineVerificationPolicy.cs`, `OfflineVerificationPolicyLoader.cs`
+- **Trust anchor verification**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/TrustAnchorVerificationStep.cs`
+- **Source**: SPRINT_20260120_029_AirGap_offline_bundle_contract.md
+
+## E2E Test Plan
+- [ ] Verify CLI `stella trust-profile list` shows available profiles
+- [ ] Test `stella trust-profile apply` switches active profile
+- [ ] Test `stella trust-profile show` displays profile configuration
+- [ ] Verify trust profiles configure correct TSA chains and signing algorithms
+- [ ] Test bundle-level profile loading from bundle metadata
+
+## Verification
+- Run: `docs/qa/feature-checks/runs/airgap/trust-profile-management/run-002`
+- Date (UTC): `2026-02-11`
+- Tier 0: pass (source references resolved)
+- Tier 1: pass (build/test surfaces for AirGap trust profile and CLI command wiring)
+- Tier 2: pass (CLI list/show/apply + missing-profile negative path + loader behavior suites)
+

docs/features/checked/analyzers/roslyn-analyzer-for-canonicalization-enforcement.md

@@ -0,0 +1,41 @@
+# Roslyn Analyzer for Canonicalization Enforcement (STELLA0100)
+
+## Module
+__Analyzers
+
+## Status
+VERIFIED
+
+## Description
+Custom Roslyn static analyzer (diagnostic STELLA0100) that enforces canonicalization boundaries at compile time. Detects code paths that cross resolver boundaries without proper canonicalization, preventing non-deterministic serialization from leaking into deterministic evaluation pipelines.
+
+## Implementation Details
+- **Canonicalization Boundary Analyzer**: `src/__Analyzers/StellaOps.Determinism.Analyzers/CanonicalizationBoundaryAnalyzer.cs` -- Roslyn `DiagnosticAnalyzer` that reports `STELLA0100` (and companion diagnostics) for boundary serialization violations.
+- **Analyzer Tests**: `src/__Analyzers/StellaOps.Determinism.Analyzers.Tests/CanonicalizationBoundaryAnalyzerTests.cs` -- unit tests for positive and negative analyzer paths.
+
+## E2E Test Plan
+- [x] Verify STELLA0100 is reported when canonicalization boundary rules are violated
+- [x] Verify no diagnostics are emitted for correctly guarded canonical serializer usage
+- [x] Verify analyzer integrates in `dotnet build`/test workflow
+- [x] Verify analyzer avoids false positives in non-boundary scenarios
+
+## Verification
+- **Verified**: 2026-02-11
+- **Method**: Tier 0 source verification + Tier 1 build/test + Tier 2d analyzer behavior replay
+- **Build**: PASS (`src/__Analyzers/StellaOps.Determinism.Analyzers/StellaOps.Determinism.Analyzers.csproj`)
+- **Tests**: PASS (`src/__Analyzers/StellaOps.Determinism.Analyzers.Tests/StellaOps.Determinism.Analyzers.Tests.csproj`: 8/8)
+- **Tier 0 Evidence**: `docs/qa/feature-checks/runs/analyzers/roslyn-analyzer-for-canonicalization-enforcement/run-001/tier0-source-check.json`
+- **Tier 1 Evidence**: `docs/qa/feature-checks/runs/analyzers/roslyn-analyzer-for-canonicalization-enforcement/run-001/tier1-build-check.json`
+- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/analyzers/roslyn-analyzer-for-canonicalization-enforcement/run-001/tier2-integration-check.json`
+
+## Recheck (Run-002)
+- **Rechecked**: 2026-02-11
+- **Method**: Tier 0 source verification + Tier 1 build/test + strict Tier 2 command-line behavior replay
+- **Build**: PASS (`src/__Analyzers/StellaOps.Determinism.Analyzers/StellaOps.Determinism.Analyzers.csproj`)
+- **Tests**: PASS (`src/__Analyzers/StellaOps.Determinism.Analyzers.Tests/StellaOps.Determinism.Analyzers.Tests.csproj`: 8/8)
+- **Tier 2 Behavior**:
+- Positive path: `dotnet build` for a violating sample emits `STELLA0100`.
+- Negative path: `dotnet build` for a compliant sample emits no `STELLA0100`.
+- **Tier 0 Evidence**: `docs/qa/feature-checks/runs/analyzers/roslyn-analyzer-for-canonicalization-enforcement/run-002/tier0-source-check.json`
+- **Tier 1 Evidence**: `docs/qa/feature-checks/runs/analyzers/roslyn-analyzer-for-canonicalization-enforcement/run-002/tier1-build-check.json`
+- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/analyzers/roslyn-analyzer-for-canonicalization-enforcement/run-002/tier2-integration-check.json`

docs/features/checked/aoc/aoc-roslyn-source-analyzer.md

@@ -0,0 +1,45 @@
+# AOC Roslyn Source Analyzer (Compile-Time Contract Enforcement)
+
+## Module
+Aoc
+
+## Status
+VERIFIED
+
+## Description
+Roslyn source analyzer that enforces ingestion contracts at compile time via diagnostics `AOC0001`, `AOC0002`, and `AOC0003`, preventing forbidden and unguarded write patterns in AOC ingestion code.
+
+## Implementation Details
+- **AOC Analyzer**: `src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/AocForbiddenFieldAnalyzer.cs` - Roslyn `DiagnosticAnalyzer` that reports:
+  - `AOC0001` for forbidden field writes (for example `severity`, `cvss`, `risk_score`).
+  - `AOC0002` for derived `effective_*` field writes.
+  - `AOC0003` for unguarded database write operations outside `IAocGuard.Validate(...)` scope.
+- **Analyzer Tests**: `src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/AocForbiddenFieldAnalyzerTests.cs` - analyzer behavior tests covering positive and negative paths (diagnostics emitted and suppressed appropriately).
+
+## E2E Test Plan
+- [x] Verify `AOC0001` is reported for forbidden field writes in ingestion context
+- [x] Verify `AOC0002` is reported for `effective_*` derived field writes
+- [x] Verify `AOC0003` is reported for unguarded database writes
+- [x] Verify diagnostics are not reported for allowed writes and non-ingestion/test assemblies
+- [x] Verify analyzer participates in `dotnet build`/test execution paths used in CI
+
+## Verification
+- **Verified**: 2026-02-11
+- **Method**: Tier 0 source verification + Tier 1 build/test + Tier 2d behavioral analyzer test replay
+- **Build**: PASS (`src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/StellaOps.Aoc.Analyzers.csproj`)
+- **Tests**: PASS (`src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj`: 26/26)
+- **Tier 0 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-001/tier0-source-check.json`
+- **Tier 1 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-001/tier1-build-check.json`
+- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-001/tier2-integration-check.json`
+
+## Recheck (Run-002)
+- **Rechecked**: 2026-02-11
+- **Method**: Tier 0 source verification + Tier 1 build/test + strict Tier 2 command-line behavior replay
+- **Build**: PASS (`src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/StellaOps.Aoc.Analyzers.csproj`)
+- **Tests**: PASS (`src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj`: 26/26)
+- **Tier 2 Behavior**:
+- Positive path: `dotnet build` of a violating ingestion sample reports `AOC0001`, `AOC0002`, and `AOC0003`.
+- Negative path: `dotnet build` of a compliant ingestion sample reports none of `AOC0001`/`AOC0002`/`AOC0003`.
+- **Tier 0 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-002/tier0-source-check.json`
+- **Tier 1 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-002/tier1-build-check.json`
+- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/aoc/aoc-roslyn-source-analyzer/run-002/tier2-integration-check.json`

docs/features/checked/api/policy-trace-panel.md

@@ -0,0 +1,34 @@
+# Policy trace panel ("why blocked" / "what would make it pass")
+
+## Module
+Api
+
+## Status
+VERIFIED
+
+## Description
+Block explanation API controller, CLI explain commands, and verdict rationale renderer provide policy trace functionality explaining why artifacts are blocked and what would unblock them.
+
+## Implementation Details
+- **Scoring Endpoints**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/ScoringEndpoints.cs` -- exposes REST endpoints for querying scored findings with policy trace context, including why a finding is blocked and which evidence would change the outcome.
+- **Evidence Graph Endpoints**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/EvidenceGraphEndpoints.cs` -- serves evidence graph subgraphs connecting findings to attestations, VEX statements, and policy decisions, showing the trace of what inputs led to the verdict.
+- **Finding Summary Endpoints**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/FindingSummaryEndpoints.cs` -- returns finding summaries with policy evaluation trace context including rule names, evaluation outcomes, and evidence references.
+- **Finding Scoring Service**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingScoringService.cs` -- computes and caches finding scores combining CVSS, EPSS, VEX, and reachability signals; explains score composition.
+- **Evidence Graph Builder**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/EvidenceGraphBuilder.cs` -- constructs evidence subgraphs from ledger events and attestation pointers for trace visualization.
+- **VEX Consensus Service**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/VexConsensusService.cs` -- aggregates VEX decisions across sources to explain the consensus status.
+- **Policy Evaluation Service**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Policy/PolicyEngineEvaluationService.cs` -- evaluates policy rules against findings and returns detailed trace output explaining each rule's contribution.
+- **Inline Policy Evaluation Service**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Policy/InlinePolicyEvaluationService.cs` -- lightweight inline evaluation for single-finding traces without external policy engine calls.
+- **Tests**: `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Integration/ScoringEndpointsIntegrationTests.cs`, `ScoringAuthorizationTests.cs`, `PolicyEngineEvaluationServiceTests.cs`, `InlinePolicyEvaluationServiceTests.cs`, `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Services/EvidenceGraphBuilderTests.cs`, `FindingScoringServiceTests.cs`
+
+## E2E Test Plan
+- [x] Query finding summaries (`GET /api/v1/findings/summaries`) with auth and verify structured summary payload is returned.
+- [x] Query summary with invalid finding ID and verify `400` problem-details response.
+- [x] Query unknown finding summary and verify `404`.
+- [x] Query unknown finding evidence graph and verify `404`.
+- [x] Query summaries without auth and verify `401`.
+
+## Verification
+- Verified on 2026-02-11 via FLOW Tier 0/1/2 replay in `run-001`.
+- Tier 0: `docs/qa/feature-checks/runs/api/policy-trace-panel/run-001/tier0-source-check.json`
+- Tier 1: `docs/qa/feature-checks/runs/api/policy-trace-panel/run-001/tier1-build-check.json`
+- Tier 2: `docs/qa/feature-checks/runs/api/policy-trace-panel/run-001/tier2-api-check.json`

docs/features/checked/api/score-api-endpoints.md

@@ -0,0 +1,35 @@
+# Score API Endpoints (/api/v1/score/evaluate, /score/weights)
+
+## Module
+Api
+
+## Status
+VERIFIED
+
+## Description
+The Findings Ledger exposes scoring endpoints through `/api/v1/scoring/*` and `/api/v1/findings/*/score*` contracts used by the current platform surface. Behavioral verification confirmed policy reads, batch-validation errors, unknown-finding handling, and auth enforcement on these scoring APIs.
+
+## Implementation Details
+- **Scoring Endpoints**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/ScoringEndpoints.cs` -- maps scoring-related routes for policy retrieval, single-finding score retrieval, batch scoring, and score history.
+- **Scored Findings Query Service**: `src/Findings/StellaOps.Findings.Ledger/Services/ScoredFindingsQueryService.cs` (implements `IScoredFindingsQueryService`) -- queries findings with their computed scores, supports filtering by severity, status, and component.
+- **Scored Findings Query Models**: `src/Findings/StellaOps.Findings.Ledger/Services/ScoredFindingsQueryModels.cs` -- query/response models for scored findings queries.
+- **Scored Findings Export Service**: `src/Findings/StellaOps.Findings.Ledger/Services/ScoredFindingsExportService.cs` -- exports scored findings as CSV/JSON for reporting and compliance.
+- **Scoring Metrics Service**: `src/Findings/StellaOps.Findings.Ledger/Services/ScoringMetricsService.cs` -- computes aggregate scoring metrics (mean score, distribution, trend).
+- **Score History Store**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/ScoreHistoryStore.cs` -- persists score snapshots over time for trend analysis.
+- **Scoring Contracts**: `src/Findings/StellaOps.Findings.Ledger.WebService/Contracts/ScoringContracts.cs` -- API DTOs for score requests and responses.
+- **Service Registration Fix**: `src/Findings/StellaOps.Findings.Ledger.WebService/Program.cs` -- registers required scoring and cache dependencies used by `FindingScoringService`.
+- **Tests**: `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/ScoredFindingsQueryServiceTests.cs`, `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Integration/ScoringEndpointsIntegrationTests.cs`, `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Integration/ScoringObservabilityTests.cs`
+
+## E2E Test Plan
+- [x] Query active scoring policy (`GET /api/v1/scoring/policy`) with auth and verify `200` payload.
+- [x] Submit empty batch scoring request (`POST /api/v1/findings/scores`) and verify `400 SCORING_INVALID_REQUEST`.
+- [x] Query unknown finding score (`GET /api/v1/findings/{findingId}/score`) and verify `404`.
+- [x] Query scoring policy without auth and verify `401`.
+
+## Verification
+- Verified on 2026-02-11 via FLOW Tier 0/1/2 replay in `run-002`.
+- Tier 0: `docs/qa/feature-checks/runs/api/score-api-endpoints/run-002/tier0-source-check.json`
+- Tier 1: `docs/qa/feature-checks/runs/api/score-api-endpoints/run-002/tier1-build-check.json`
+- Tier 2: `docs/qa/feature-checks/runs/api/score-api-endpoints/run-002/tier2-api-check.json`
+- Retest: `docs/qa/feature-checks/runs/api/score-api-endpoints/run-002/retest-result.json`
+- Triage/Fix record: `docs/qa/feature-checks/runs/api/score-api-endpoints/run-001/triage.json`, `docs/qa/feature-checks/runs/api/score-api-endpoints/run-001/fix-summary.json`

docs/features/checked/attestor/adaptive-noise-gating-for-vulnerability-graphs.md

@@ -0,0 +1,31 @@
+# Adaptive Noise Gating for Vulnerability Graphs
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+Four-part noise reduction system is implemented: semantic edge deduplication with merged provenance sets, proof-strength hierarchy for confidence scoring, hysteresis damping for small flip-flop deltas, and explicit delta category classification.
+
+## Implementation Details
+- **ProofChain Graph**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/` -- `InMemoryProofGraphService` deduplicates by semantic edge key and merges provenance values deterministically; `ProofGraphEdge` now carries provenance sets.
+- **Proof Strength Hierarchy**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.Confidence.cs` maps evidence into `Authoritative > BinaryProof > StaticAnalysis > Heuristic` strengths and applies bounded corroboration bonuses.
+- **Stability Damping Gate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/ChangeTrace/IChangeTraceAttestationService.cs` + `ChangeTraceAttestationService.Mapping.cs` + `ChangeTraceAttestationService.Helpers.cs` add configurable hysteresis threshold suppression for low-amplitude modified/rebuilt deltas.
+- **Delta Classification**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.Categorization.cs` adds explicit `New/Resolved/ConfidenceUp/ConfidenceDown/PolicyImpact` normalization and inference.
+- **Tests**: `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/Graph/InMemoryProofGraphServiceBehaviorTests.cs`, `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/BackportProofGeneratorTests.cs`, `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/ChangeTrace/ChangeTraceAttestationServiceTests.cs`, `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/Statements/DeltaVerdictPredicateCategorizationTests.cs`.
+
+## E2E Test Plan
+- [x] Create a proof graph with redundant edges (same source/target, different provenance) and verify `InMemoryProofGraphService` deduplicates to one edge with merged provenance.
+- [x] Submit evidence at different proof-strength tiers and verify confidence ordering.
+- [x] Generate consecutive snapshots with minor score fluctuations below hysteresis threshold and verify flip-flop suppression.
+- [x] Generate delta verdict changes and verify category mapping (`New/Resolved/ConfidenceUp/ConfidenceDown/PolicyImpact`).
+- [x] Query a subgraph and verify only reachable nodes from root are included.
+
+## Verification
+- Verified on 2026-02-11 using `run-002`.
+- Evidence:
+  - `docs/qa/feature-checks/runs/attestor/adaptive-noise-gating-for-vulnerability-graphs/run-002/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/attestor/adaptive-noise-gating-for-vulnerability-graphs/run-002/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/attestor/adaptive-noise-gating-for-vulnerability-graphs/run-002/tier2-e2e-check.json`

docs/features/checked/attestor/ai-assisted-explanation-and-classification.md

@@ -0,0 +1,43 @@
+# AI-Assisted Explanation and Classification
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+AI authority classifier with explanation scoring, citation references, explanation types, and model identifiers. AI artifact verification step integrates into the verification pipeline.
+
+## Implementation Details
+- **AIAuthorityClassifier**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs` (with `.Explanation`, `.ExplanationScore`, `.PolicyDraft`, `.PolicyDraftScore`, `.Remediation`, `.RemediationScore`, `.VexDraft`, `.VexDraftScore` partials) -- classifies AI outputs into `Suggestion`, `EvidenceBacked`, or `AuthorityThreshold` based on citation rate, verified rate, and confidence score.
+- **AIAuthorityThresholds**: `AIAuthorityThresholds.cs` -- configurable thresholds: `MinCitationRate` (default 0.8), `MinConfidenceScore` (default 0.7), `MinVerifiedCitationRate` (default 0.9), `AuthorityThresholdScore` (default 0.95).
+- **AIArtifactAuthority enum**: `AIArtifactAuthority.cs` -- three levels: Suggestion (no evidence), EvidenceBacked (citations verified), AuthorityThreshold (meets auto-processing score).
+- **AIExplanationPredicate**: `AIExplanationPredicate.cs` -- record extending `AIArtifactBasePredicate` with `ExplanationType`, `Content`, `Citations`, `ConfidenceScore`, `CitationRate`, `Subject`, `ContextScope`.
+- **AIExplanationCitation**: `AIExplanationCitation.cs` -- links claims to evidence with `ClaimIndex`, `ClaimText`, `EvidenceId` (sha256 format), `EvidenceType`, `Verified` flag.
+- **AIExplanationType enum**: `AIExplanationType.cs` -- Exploitability, CodePath, PolicyDecision, RiskFactors, RemediationOptions, PlainLanguageSummary, EvidenceChain.
+- **AIModelIdentifier**: `AIModelIdentifier.cs` -- tracks provider/model/version with optional `WeightsDigest` for local models.
+- **Verification Step**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/AIArtifactVerificationStep.cs` (with `.Execute`, `.Classify`, `.Helpers`, `.Summary`, `.VerifyParse`, `.VerifyValidation` partials) -- integrates into `VerificationPipeline` to verify AI artifacts in proof bundles.
+- **Tests**: `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/AI/AIExplanationAndVerificationBehaviorTests.cs`
+
+## E2E Test Plan
+- [ ] Create an `AIExplanationPredicate` with citation rate >= 0.8, verified rate >= 0.9, and confidence >= 0.7, classify via `AIAuthorityClassifier`, and verify it returns `EvidenceBacked`
+- [ ] Create an explanation with citation rate < 0.8 and verify classifier returns `Suggestion` with appropriate reason messages
+- [ ] Create an explanation with quality score >= 0.95 and verify classifier returns `AuthorityThreshold`
+- [ ] Submit a proof bundle containing AI artifacts through `AIArtifactVerificationStep.ExecuteAsync` and verify all artifacts are validated (parse, schema, classification)
+- [ ] Submit a proof bundle with invalid AI artifacts (malformed predicate) and verify the verification step returns `Passed = false` with error details
+- [ ] Create an `AIExplanationCitation` with `Verified = false` and verify it lowers the verified rate below the threshold, causing the classifier to return `Suggestion`
+- [ ] Verify `AIModelIdentifier.ToString()` produces the canonical `provider:model:version` format
+
+## Verification
+- Verified on 2026-02-11 with `run-001`.
+- Tier 0 source checks passed for classifier, predicate, model identifier, and verification-step files.
+- Tier 1 build passed and feature-scoped AI behavior tests passed (`7/7`) via xUnit runner class filtering.
+- Tier 2 behavioral checks passed for:
+  - `EvidenceBacked`, `Suggestion`, and `AuthorityThreshold` classifier outcomes
+  - invalid/malformed artifact rejection in `AIArtifactVerificationStep.ExecuteAsync`
+  - canonical `AIModelIdentifier.ToString()` format
+- Evidence:
+  - `docs/qa/feature-checks/runs/attestor/ai-assisted-explanation-and-classification/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/attestor/ai-assisted-explanation-and-classification/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/attestor/ai-assisted-explanation-and-classification/run-001/tier2-integration-check.json`

docs/features/checked/attestor/ai-authority-classification-engine.md

@@ -0,0 +1,42 @@
+# AI Authority Classification Engine
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+Authority classification engine that determines whether AI outputs are evidence-backed (authoritative) or suggestion-only, with configurable thresholds and scoring across multiple artifact types.
+
+## Implementation Details
+- **Core Classifier**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs` -- partial class with `DetermineAuthority()` method that evaluates `citationRate`, `verifiedRate`, `confidenceScore`, and `qualityScore` against configurable thresholds.
+- **Artifact-Specific Scoring**: Partial files implement scoring for each artifact type:
+  - `AIAuthorityClassifier.Explanation.cs` / `AIAuthorityClassifier.ExplanationScore.cs` -- explanation classification and scoring
+  - `AIAuthorityClassifier.PolicyDraft.cs` / `AIAuthorityClassifier.PolicyDraftScore.cs` -- policy draft classification
+  - `AIAuthorityClassifier.Remediation.cs` / `AIAuthorityClassifier.RemediationScore.cs` -- remediation plan classification
+  - `AIAuthorityClassifier.VexDraft.cs` / `AIAuthorityClassifier.VexDraftScore.cs` -- VEX statement draft classification
+- **Authority Levels**: `AIArtifactAuthority.cs` -- `Suggestion` (no evidence backing), `EvidenceBacked` (citations verified, evidence resolvable), `AuthorityThreshold` (auto-processing eligible)
+- **Thresholds Config**: `AIAuthorityThresholds.cs` -- `MinCitationRate` (0.8), `MinConfidenceScore` (0.7), `MinVerifiedCitationRate` (0.9), `AuthorityThresholdScore` (0.95), `RequireResolvableEvidence` (true)
+- **Classification Result**: `AIAuthorityClassificationResult.cs` -- captures authority level, reasons, and individual scores
+- **Evidence Resolution**: Constructor accepts optional `Func<string, bool>` evidence resolver to verify that cited evidence IDs are resolvable
+- **Tests**: `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/AI/AIAuthorityClassifierTests.cs`
+
+## E2E Test Plan
+- [ ] Classify an explanation with all metrics above thresholds and verify `EvidenceBacked` result with three reason entries (citation rate, verified rate, confidence)
+- [ ] Classify a policy draft with `qualityScore >= 0.95` and verify `AuthorityThreshold` result regardless of other metrics
+- [ ] Classify a remediation plan with `citationRate = 0.5` and verify `Suggestion` result with reason mentioning citation rate below threshold
+- [ ] Classify a VEX draft with an evidence resolver that returns `false` for some evidence IDs and verify the verified rate drops below threshold
+- [ ] Override `AIAuthorityThresholds` with stricter values (e.g., `MinCitationRate = 0.95`) and verify classification changes accordingly
+- [ ] Verify all four artifact-type classifiers (Explanation, PolicyDraft, Remediation, VexDraft) produce correct `AIAuthorityClassificationResult` with type-specific scoring
+
+## Verification
+- Verified on 2026-02-11 with `run-002`.
+- Tier 0 source checks passed for classifier core, thresholds, authority enums, scoring partials, and classification-result model.
+- Tier 1 build passed; scoped xUnit class run passed (`11/11`) including policy-threshold and VEX evidence-resolvability downgrade scenarios.
+- Tier 2 behavioral checks passed across Explanation, PolicyDraft, Remediation, and VEX draft classification paths.
+- Full ProofChain suite remains red on unrelated baseline failures (`35 failed / 780 total`); evidence captured for traceability.
+- Evidence:
+  - `docs/qa/feature-checks/runs/attestor/ai-authority-classification-engine/run-002/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/attestor/ai-authority-classification-engine/run-002/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/attestor/ai-authority-classification-engine/run-002/tier2-integration-check.json`

docs/features/checked/attestor/ai-explanation-attestation-types.md

@@ -19,6 +19,9 @@ AI explanation attestation predicates with model identifiers, decoding parameter
 - **Replay Support**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/` -- `AIArtifactReplayManifest.cs`, `IAIArtifactReplayer.cs`, `ReplayInputArtifact.cs`, `ReplayPromptTemplate.cs`, `ReplayResult.cs`, `ReplayVerificationResult.cs` implement deterministic replay of AI artifacts.
 - **Media Types**: `__Libraries/StellaOps.Attestor.ProofChain/MediaTypes/AIArtifactMediaTypes.cs` -- defines content-type constants for AI artifacts.
 - **Statement**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/AI/AIExplanationStatement.cs` -- wraps the predicate as an in-toto statement.
+- **Tests**:
+  - `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/AI/AIExplanationAndVerificationBehaviorTests.cs`
+  - `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/AI/AIExplanationAttestationTypesTests.cs`
 
 ## E2E Test Plan
 - [ ] Create an `AIExplanationPredicate` with all required fields (explanation type, content, citations, confidence, citation rate, subject) and serialize to JSON, verifying all fields are correctly mapped via `JsonPropertyName` attributes
@@ -30,6 +33,16 @@ AI explanation attestation predicates with model identifiers, decoding parameter
 
 ## Verification
 - Verified on 2026-02-11 via `run-001`.
+- Tier 1 and Tier 2 feature-scoped xUnit class-filtered execution passed (`13/13`) across:
+  - `AIExplanationAndVerificationBehaviorTests`
+  - `AIExplanationAttestationTypesTests`
+- Full ProofChain suite remains baseline-red on unrelated failures (`35`) due Microsoft.Testing.Platform filter limitations; feature gate used class-filtered runner evidence.
+- Behavior confirmed:
+  - `AIExplanationPredicate` JSON contract field mapping and round-trip fidelity
+  - replay manifest capture of model identifier and decoding parameters
+  - mixed citation verification accounting and enum serialization across all explanation types
+  - `AIExplanationStatement` in-toto envelope and `predicateType` contract
+  - positive and negative AI artifact verification-step paths
 - Tier 0: `docs/qa/feature-checks/runs/attestor/ai-explanation-attestation-types/run-001/tier0-source-check.json`
 - Tier 1: `docs/qa/feature-checks/runs/attestor/ai-explanation-attestation-types/run-001/tier1-build-check.json`
 - Tier 2: `docs/qa/feature-checks/runs/attestor/ai-explanation-attestation-types/run-001/tier2-integration-check.json`

docs/features/checked/attestor/ai-remediation-plan-attestation.md

@@ -0,0 +1,40 @@
+# AI Remediation Plan Attestation
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+Predicate types for AI-generated remediation plans, including remediation steps, risk assessment, classifier authority decisions, and in-toto statement wrapping as signed attestation artifacts.
+
+## Implementation Details
+- **Remediation Predicate Contract**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIRemediationPlanPredicate.cs` defines remediation-specific fields on top of `AIArtifactBasePredicate`.
+- **Remediation Step Models**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/RemediationStep.cs`, `RemediationActionType.cs`, and `RemediationStepStatus.cs` model step intent and execution lifecycle.
+- **Risk and Verification Models**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/RemediationRiskAssessment.cs` and `RemediationVerificationStatus.cs` capture risk deltas and remediation verification state.
+- **Classifier Integration**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.Remediation.cs` and `AIAuthorityClassifier.RemediationScore.cs` classify remediation plan authority from evidence resolvability, risk delta, automation coverage, and verification status.
+- **Statement Wrapper**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/AI/AIRemediationPlanStatement.cs` wraps remediation predicates in in-toto statement shape (`predicateType: ai-remediation.stella/v1`).
+- **Behavioral Tests**: `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/AI/AIRemediationPlanAttestationBehaviorTests.cs` and `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/AI/AIAuthorityClassifierTests.cs` verify serialization, classifier outcomes, and statement contract behavior.
+
+## E2E Test Plan
+- [x] Create an `AIRemediationPlanPredicate` with multiple `RemediationStep` entries of different `RemediationActionType` values and verify JSON serialization.
+- [x] Create a remediation plan with `RemediationRiskAssessment` and verify risk level fields are preserved.
+- [x] Classify a remediation plan with high resolvable evidence and sufficient confidence threshold inputs and verify `EvidenceBacked` authority.
+- [x] Classify a remediation plan with low evidence backing and verify `Suggestion` authority.
+- [x] Wrap the predicate in `AIRemediationPlanStatement` and verify valid in-toto statement shape and predicate type.
+- [x] Verify `RemediationStepStatus` progression persists through serialization.
+- [x] Verify `RemediationVerificationStatus` persists through serialization.
+
+## Verification
+- Verified on 2026-02-11 with `run-001`.
+- Tier 0 source checks passed for remediation predicate/models, classifier partials, statement wrapper, and targeted test classes.
+- Tier 1 passed after resolving one remediation fixture threshold mismatch (`17/17` scoped class tests pass on retest).
+- Tier 2 behavioral verification passed using class-scoped xUnit execution covering remediation serialization, high/low evidence classification outcomes, statement wrapping, and status persistence.
+- Evidence:
+  - `docs/qa/feature-checks/runs/attestor/ai-remediation-plan-attestation/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/attestor/ai-remediation-plan-attestation/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/attestor/ai-remediation-plan-attestation/run-001/triage.json`
+  - `docs/qa/feature-checks/runs/attestor/ai-remediation-plan-attestation/run-001/fix-summary.json`
+  - `docs/qa/feature-checks/runs/attestor/ai-remediation-plan-attestation/run-001/retest-result.json`
+  - `docs/qa/feature-checks/runs/attestor/ai-remediation-plan-attestation/run-001/tier2-integration-check.json`

docs/features/checked/attestor/attestable-reachability-slices.md

@@ -0,0 +1,46 @@
+# Attestable reachability slices (DSSE/in-toto signed evidence)
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+Reachability witness payloads wrapped in DSSE-signed attestations provide verifiable evidence slices for triage decisions.
+
+## Implementation Details
+- **Reachability Witness Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs` (with `.Path` partial) -- defines the witness payload containing call paths from entry points to vulnerable functions.
+- **Witness Path Nodes**: `WitnessPathNode.cs`, `WitnessCallPathNode.cs` -- model individual nodes in the reachability call path.
+- **Witness Evidence Metadata**: `WitnessEvidenceMetadata.cs` -- metadata about the evidence source (scanner, analysis tool, timestamp).
+- **Witness Gate Info**: `WitnessGateInfo.cs` -- gate information for policy evaluation of witness data.
+- **Reachability Witness Statement**: `ReachabilityWitnessStatement.cs` -- wraps witness payload as an in-toto statement with subject and predicate.
+- **Reachability Subgraph**: `ReachabilitySubgraphStatement.cs` -- subgraph attestation for minimal reachability evidence. `ReachabilitySubgraphPredicate.cs` defines the subgraph predicate.
+- **DSSE Signing**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs` (with `.Verification` partial) signs statements. `DsseEnvelope.cs`, `DsseSignature.cs` model the envelope.
+- **Path Witness Predicate Types**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/PathWitnessPredicateTypes.cs` -- defines predicate type URIs for path witnesses.
+- **Proof Emitter**: `IProofEmitter.cs` -- interface for emitting signed proofs including reachability slices.
+
+## E2E Test Plan
+- [ ] Create a `ReachabilityWitnessPayload` with a call path containing 3+ nodes from entry point to vulnerable function, wrap in `ReachabilityWitnessStatement`, and verify the statement structure
+- [ ] Sign the witness statement via `ProofChainSigner` and verify the DSSE envelope contains valid signature and payload
+- [ ] Verify the signed reachability slice via `ProofChainSigner.Verification` and confirm signature validation passes
+- [ ] Create a `ReachabilitySubgraphPredicate` with a minimal subgraph (entry point -> intermediate -> sink) and verify it serializes with correct predicate type
+- [ ] Modify the signed envelope payload and verify that signature verification fails (tamper detection)
+- [ ] Create witness payloads with `WitnessEvidenceMetadata` from different analysis tools and verify metadata is preserved in the signed attestation
+
+## Verification
+- Verified on 2026-02-11 via `run-001`.
+- Tier 1 and Tier 2 feature-scoped xUnit class-filtered execution passed (`5/5`) in:
+  - `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/Statements/ReachabilityWitnessAttestationBehaviorTests.cs`
+- Full ProofChain suite remains baseline-red on unrelated failures (`35`), but feature-scoped reachability verification passed and includes fresh behavioral evidence.
+- Behavior confirmed:
+  - `ReachabilityWitnessPayload` + `ReachabilityWitnessStatement` structure with 3-node call path and witness metadata
+  - DSSE signing and verification through `ProofChainSigner`
+  - tamper detection on modified DSSE payload
+  - `ReachabilitySubgraphStatement` serialization with predicate type `reachability-subgraph.stella/v1`
+  - witness evidence metadata preservation across signed payload serialization/deserialization
+- Evidence:
+  - `docs/qa/feature-checks/runs/attestor/attestable-reachability-slices/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/attestor/attestable-reachability-slices/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/attestor/attestable-reachability-slices/run-001/tier2-integration-check.json`
+

docs/features/checked/bench/benchmark-harness.md

@@ -0,0 +1,35 @@
+# Benchmark harness (reachability, scanner analyzers, policy engine, determinism)
+
+## Module
+Bench
+
+## Status
+VERIFIED
+
+## Description
+Comprehensive benchmark harness code exists across LinkNotMerge, LinkNotMerge.Vex, Notify, PolicyEngine, and Scanner.Analyzers modules with deterministic benchmark/reporting support.
+
+## Implementation Details
+- **LinkNotMerge Benchmark**: `src/Bench/StellaOps.Bench/LinkNotMerge/StellaOps.Bench.LinkNotMerge/` -- benchmark scenarios for linkset aggregation performance.
+- **LinkNotMerge VEX Benchmark**: `src/Bench/StellaOps.Bench/LinkNotMerge.Vex/StellaOps.Bench.LinkNotMerge.Vex/` -- VEX-specific linkset benchmarks.
+- **Notify Benchmark**: `src/Bench/StellaOps.Bench/Notify/StellaOps.Bench.Notify/` -- notification dispatch benchmarks.
+- **PolicyEngine Benchmark**: `src/Bench/StellaOps.Bench/PolicyEngine/StellaOps.Bench.PolicyEngine/` -- policy evaluation benchmarks.
+- **PolicyEngine Benchmark Policy**: `src/Bench/StellaOps.Bench/PolicyEngine/policies/benchmark-default.yaml` -- benchmark policy fixture compatible with current `StellaOps.Policy` binder schema.
+- **Scanner.Analyzers Benchmark**: `src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/` -- scanner analyzer benchmarks.
+- **Baseline Infrastructure**: benchmark modules include `Baseline/BaselineEntry.cs` and `Baseline/BaselineLoader.cs` for ground-truth comparison.
+- **Reporting Infrastructure**: benchmark modules include JSON and Prometheus writers for machine-consumable artifacts.
+- **Tests**: link-not-merge, vex, notify, and scanner-analyzer benchmark test suites under `src/Bench/StellaOps.Bench/**.Tests/`.
+
+## E2E Test Plan
+- [x] Run LinkNotMerge benchmark harness and verify scenario table output is generated.
+- [x] Verify JSON report output is produced and non-empty.
+- [x] Verify Prometheus metrics output is produced and non-empty.
+- [x] Verify CSV result output is produced and non-empty.
+- [x] Verify negative-path CLI behavior (`--config` missing path) exits non-zero.
+
+## Verification
+- Verified on 2026-02-11 via FLOW Tier 0/1/2 replay in `run-005`.
+- Tier 0: `docs/qa/feature-checks/runs/bench/benchmark-harness/run-005/tier0-source-check.json`
+- Tier 1: `docs/qa/feature-checks/runs/bench/benchmark-harness/run-005/tier1-build-check.json`
+- Tier 2: `docs/qa/feature-checks/runs/bench/benchmark-harness/run-005/tier2-integration-check.json`
+- Tier 2 evidence: `docs/qa/feature-checks/runs/bench/benchmark-harness/run-005/evidence/`

docs/features/checked/bench/reachability-benchmarks-with-ground-truth-datasets.md

@@ -0,0 +1,37 @@
+# Reachability benchmarks with ground-truth datasets
+
+## Module
+Bench
+
+## Status
+VERIFIED
+
+## Description
+Reachability benchmark suite with ground-truth datasets (Java Log4j, C# reachable/dead-code, native ELF), schema validation, and signal-level ground-truth validators.
+
+## Implementation Details
+- **Scanner.Analyzers Benchmark**: `src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/` -- benchmark runner for scanner analyzers against ground-truth datasets. Key files: `ScenarioRunners.cs` (orchestrates benchmark scenarios against corpus data), `NodeBenchMetrics.cs` (captures per-node precision/recall metrics), `BenchmarkConfig.cs` (configures which datasets and analyzers to run).
+- **Baseline Infrastructure**: `src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineEntry.cs` (ground-truth entry model), `BaselineLoader.cs` (loads ground-truth datasets from fixture files).
+- **Reporting**: `src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkJsonWriter.cs` (JSON output), `BenchmarkScenarioReport.cs` (report with precision/recall/F1), `PrometheusWriter.cs` (metric export).
+- **Tests**: `src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BaselineLoaderTests.cs`, `BenchmarkJsonWriterTests.cs`, `BenchmarkScenarioReportTests.cs`, `PrometheusWriterTests.cs`
+
+## E2E Test Plan
+- [ ] Load a Java Log4j ground-truth dataset via `BaselineLoader` and run the scanner analyzer benchmark; verify precision and recall metrics are computed against the ground truth
+- [ ] Load a C# reachable/dead-code ground-truth dataset and verify the benchmark correctly classifies true positives, false positives, and false negatives
+- [ ] Run the benchmark with a native ELF dataset and verify the `NodeBenchMetrics` captures per-node accuracy
+- [ ] Verify JSON report output contains precision, recall, F1 score, and per-scenario timing data
+- [ ] Verify that modifying the ground-truth baseline to include additional entries causes the benchmark to report new false negatives
+- [ ] Verify Prometheus metrics export includes labeled gauges for precision and recall per dataset
+
+## Verification
+- **Verified**: 2026-02-11
+- **Method**: Tier 0 source verification + Tier 1 build/test + Tier 2 behavioral CLI benchmark replay
+- **Build**: PASS (src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj)
+- **Tests**: PASS (src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/StellaOps.Bench.ScannerAnalyzers.Tests.csproj: 15/15)
+- **Tier 0 Evidence**: docs/qa/feature-checks/runs/bench/reachability-benchmarks-with-ground-truth-datasets/run-002/tier0-source-check.json
+- **Tier 1 Evidence**: docs/qa/feature-checks/runs/bench/reachability-benchmarks-with-ground-truth-datasets/run-002/tier1-build-check.json
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/bench/reachability-benchmarks-with-ground-truth-datasets/run-002/tier2-integration-check.json
+
+## Retest Notes
+- **Initial failure (run-001)**: Tier 2 CLI execution failed because analyzer IDs in benchmark config were not instantiable by ScenarioRunnerFactory.
+- **Fix and retest (run-002)**: Added analyzer factory mappings + tests, then reran Tier 0/1/2 with fresh artifacts and passing verdict.

docs/features/checked/bench/vendor-comparison-scanner-parity-tracking.md

@@ -0,0 +1,31 @@
+# Vendor comparison / scanner parity tracking
+
+## Module
+Bench
+
+## Status
+VERIFIED
+
+## Description
+Scanner analyzer benchmark parity tracking capabilities are present through benchmark reports and metric exports. Fresh behavioral verification confirmed parity-report fields are emitted in benchmark JSON output and CLI error semantics are enforced for invalid configuration.
+
+## What's Implemented
+- **Scanner Analyzers Benchmark**: `src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/` -- benchmark harness evaluating analyzer scenarios and recording metrics.
+- **Baseline Loader**: `src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineLoader.cs` -- loads baseline data for benchmark comparisons.
+- **Baseline Entry**: `src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineEntry.cs` -- baseline model.
+- **Benchmark Scenario Report**: `src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkScenarioReport.cs` -- per-scenario report model including regression and parity fields.
+- **Benchmark JSON Writer**: `src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkJsonWriter.cs` -- JSON report writer.
+- **Prometheus Writer**: `src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/PrometheusWriter.cs` -- Prometheus metrics exporter.
+- **Vendor Parity Analyzer**: `src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/VendorParityAnalyzer.cs` -- computes vendor parity projections where vendor fixtures are available.
+
+## E2E Test Plan
+- [x] Run scanner-analyzers benchmark harness and verify JSON/Prometheus/CSV outputs are generated.
+- [x] Validate benchmark JSON output contains `vendorParity` fields in scenario reports.
+- [x] Verify baseline/regression metadata is emitted in benchmark JSON.
+- [x] Verify negative-path behavior with missing config returns non-zero exit code.
+
+## Verification
+- Verified on 2026-02-11 via FLOW Tier 0/1/2 replay in `run-001`.
+- Tier 0: `docs/qa/feature-checks/runs/bench/vendor-comparison-scanner-parity-tracking/run-001/tier0-source-check.json`
+- Tier 1: `docs/qa/feature-checks/runs/bench/vendor-comparison-scanner-parity-tracking/run-001/tier1-build-check.json`
+- Tier 2: `docs/qa/feature-checks/runs/bench/vendor-comparison-scanner-parity-tracking/run-001/tier2-integration-check.json`

docs/features/checked/binaryindex/binary-symbol-table-diff-engine.md

@@ -0,0 +1,35 @@
+# Binary Symbol Table Diff Engine
+
+## Module
+BinaryIndex
+
+## Status
+VERIFIED
+
+## Description
+Symbol table comparison between binary versions tracking exported/imported symbol changes, version map diffs, GOT/PLT table modifications, and ABI compatibility assessment. Produces content-addressed diff IDs for deterministic reporting.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/SymbolDiff/`
+- **Key Classes**:
+  - `SymbolTableDiffAnalyzer` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/SymbolDiff/SymbolTableDiffAnalyzer.cs`) - computes diffs between symbol tables with `ComputeDiffAsync` and `AssessAbiCompatibility`
+  - `SymbolTableDiff` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/SymbolDiff/SymbolTableDiff.cs`) - diff result model with added/removed/changed symbols
+  - `VersionMapDiff` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/SymbolDiff/VersionMapDiff.cs`) - tracks changes in ELF version maps
+  - `AbiCompatibility` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/SymbolDiff/AbiCompatibility.cs`) - ABI compatibility assessment (FullyCompatible, Warnings, Incompatible)
+  - `DynamicLinkingDiff` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/SymbolDiff/DynamicLinkingDiff.cs`) - GOT/PLT table modification tracking
+  - `NameDemangler` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/SymbolDiff/NameDemangler.cs`) - C++ symbol name demangling
+- **Interfaces**: `ISymbolTableDiffAnalyzer` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/SymbolDiff/ISymbolTableDiffAnalyzer.cs`)
+- **Registration**: `SymbolDiffServiceExtensions` for DI setup
+
+## E2E Test Plan
+- [ ] Compute diff between two ELF binaries with known symbol changes and verify added/removed symbols are correctly identified
+- [ ] Verify `AssessAbiCompatibility` returns `FullyCompatible` when only symbols are added
+- [ ] Verify `AssessAbiCompatibility` returns `Incompatible` when exported symbols are removed
+- [ ] Verify version map diff detection for ELF version script changes
+- [ ] Verify C++ symbol demangling produces human-readable names via `NameDemangler`
+- [ ] Verify content-addressed diff IDs are deterministic for identical inputs
+
+## Verification
+- Verified by QA FLOW run `run-001` on 2026-02-11.
+- Evidence: `docs/qa/feature-checks/runs/binaryindex/binary-symbol-table-diff-engine/run-001/` (Tier 0/1/2 artifacts).
+

docs/features/checked/binaryindex/binary-to-vex-claim-auto-generation.md

@@ -0,0 +1,32 @@
+# Binary-to-VEX Claim Auto-Generation (VexBridge Library)
+
+## Module
+BinaryIndex
+
+## Status
+VERIFIED
+
+## Description
+Automated generation of VEX claims from binary fingerprint match results. The VexBridge library translates binary match evidence into DSSE-signed VEX statements with confidence scores, enabling automated VEX claim production from binary analysis without manual triage.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/`
+- **Key Classes**:
+  - `VexEvidenceGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/VexEvidenceGenerator.cs`) - generates VEX observations from `BinaryVulnMatch` results; maps `FixState` to `VexClaimStatus` (Fixed -> NotAffected, Vulnerable -> Affected, Unknown -> UnderInvestigation)
+  - `BinaryMatchEvidenceSchema` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/BinaryMatchEvidenceSchema.cs`) - defines evidence schema with match type constants (BuildId, DeltaSignature, etc.)
+  - `VexBridgeOptions` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/VexBridgeOptions.cs`) - configuration for confidence thresholds
+  - `DeltaSigVexBridge` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/VexIntegration/DeltaSigVexBridge.cs`) - bridges delta-signature analysis results into VEX observations with provenance data
+- **Interfaces**: `IVexEvidenceGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/IVexEvidenceGenerator.cs`), `IDeltaSigVexBridge`
+
+## E2E Test Plan
+- [ ] Generate a VEX claim from a `Fixed` binary match and verify status is `NotAffected` with justification `VulnerableCodeNotPresent`
+- [ ] Generate a VEX claim from a `Vulnerable` match and verify status is `Affected`
+- [ ] Generate a VEX claim from an `Unknown` match and verify status is `UnderInvestigation`
+- [ ] Verify confidence threshold enforcement: low-confidence matches below threshold are rejected
+- [ ] Verify Build-ID references are included in VEX evidence when present
+- [ ] Verify `DeltaSigVexBridge` produces VEX observations with symbol provenance metadata
+- [ ] Verify generated VEX statements include correct DSSE evidence references
+
+## Verification
+- Verified by QA FLOW run `run-001` on 2026-02-11.
+- Evidence: `docs/qa/feature-checks/runs/binaryindex/binary-to-vex-claim-auto-generation/run-001/` (Tier 0/1/2 artifacts).

docs/features/checked/binaryindex/binaryindex-ops-cli-commands.md

@@ -0,0 +1,27 @@
+# BinaryIndex Ops CLI Commands (stella binary ops)
+
+## Module
+BinaryIndex
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for BinaryIndex ops: health, bench, cache, config subcommands with JSON/table output and BinaryIndex base URL configuration. Also adds --semantic flag to deltasig extract/author/match commands.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/StellaOps.BinaryIndex.WebService/Controllers/`, `src/Cli/`
+- **Key Classes**:
+  - `BinaryIndexOpsController` (`src/BinaryIndex/StellaOps.BinaryIndex.WebService/Controllers/BinaryIndexOpsController.cs`) - serves health, bench, cache stats, and config endpoints consumed by CLI
+  - `BinaryIndexOpsHealthResponse` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Configuration/BinaryIndexOpsModels.cs`) - health response model with lifter warmness, component versions
+  - `BinaryIndexOpsOptions` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Configuration/BinaryIndexOpsModels.cs`) - ops configuration with redacted keys and bench rate limits
+  - `B2R2LifterPool` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly.B2R2/B2R2LifterPool.cs`) - lifter pool stats reported via ops health endpoint
+- **Source**: SPRINT_20260112_006_CLI_binaryindex_ops_cli.md
+
+## E2E Test Plan
+- [ ] Run `stella binary ops health` and verify JSON output includes lifter warmness and version info
+- [ ] Run `stella binary ops bench` and verify latency measurement results are returned
+- [ ] Run `stella binary ops cache` and verify Valkey hit/miss statistics are reported
+- [ ] Run `stella binary ops config` and verify effective configuration is returned with secrets redacted
+- [ ] Run `stella deltasig extract --semantic` and verify semantic flag is passed through
+- [ ] Verify table output format renders correctly for all subcommands

docs/features/checked/binaryindex/binaryindex-ops-endpoints.md

@@ -0,0 +1,32 @@
+# BinaryIndex Ops Endpoints (Health, Bench, Cache Stats, Config)
+
+## Module
+BinaryIndex
+
+## Status
+VERIFIED
+
+## Description
+Ops endpoints for BinaryIndex: health (lifter warmness), bench/run (latency measurement), cache stats (Valkey hit/miss), and effective config with deterministic JSON responses.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/StellaOps.BinaryIndex.WebService/`
+- **Key Classes**:
+  - `BinaryIndexOpsController` (`src/BinaryIndex/StellaOps.BinaryIndex.WebService/Controllers/BinaryIndexOpsController.cs`) - exposes `GET /api/v1/ops/binaryindex/health`, bench, cache stats, and config endpoints; integrates with `B2R2LifterPool` and `FunctionIrCacheService`
+  - `B2R2LifterPool` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly.B2R2/B2R2LifterPool.cs`) - provides pool stats (warm ISAs, pool sizes, acquire timeouts)
+  - `FunctionIrCacheService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Cache/FunctionIrCacheService.cs`) - Valkey-based function IR cache with hit/miss reporting
+  - `B2R2LifterPoolOptions` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly.B2R2/B2R2LifterPoolOptions.cs`) - pool configuration (MaxPoolSizePerIsa, EnableWarmPreload, AcquireTimeout)
+  - `BinaryIndexOptions` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Configuration/BinaryIndexOptions.cs`) - top-level options with B2R2Pool, SemanticLifting sections
+  - `InMemoryBinaryVulnerabilityService` (`src/BinaryIndex/StellaOps.BinaryIndex.WebService/Services/InMemoryBinaryVulnerabilityService.cs`) - deterministic fallback DI implementation used to keep ops/resolution startup healthy in local/offline mode
+- **Source**: SPRINT_20260112_004_BINIDX_b2r2_lowuir_perf_cache.md
+
+## E2E Test Plan
+- [x] Call `GET /api/v1/ops/binaryindex/health` and verify response includes lifter pool/cache readiness fields
+- [x] Call `POST /api/v1/ops/binaryindex/bench/run` and verify deterministic latency measurement JSON
+- [x] Call `GET /api/v1/ops/binaryindex/cache` and verify hit/miss counts and cache key metadata
+- [x] Call `GET /api/v1/ops/binaryindex/config` and verify effective configuration is returned with secrets redacted
+- [x] Verify negative path for bench input validation (`iterations=0` returns `400`)
+
+## Verification
+- Verified on 2026-02-11 via `run-002`.
+- Artifacts: `docs/qa/feature-checks/runs/binaryindex/binaryindex-ops-endpoints/run-002/`

docs/features/checked/binaryindex/cross-distro-golden-set-for-backport-validation.md

@@ -0,0 +1,47 @@
+# Cross-Distro Golden Set for Backport Validation
+
+## Module
+BinaryIndex
+
+## Status
+VERIFIED
+
+## Description
+Golden set infrastructure exists in BinaryIndex with analysis pipeline and API. The advisory's detailed curated test cases (OpenSSL Heartbleed, sudo Baron Samedit, etc.) and specific database schema may not be fully populated yet.
+
+## What's Implemented
+- **Golden Set Infrastructure**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/` - full authoring, validation, storage, serialization
+  - `GoldenSetExtractor`, `NvdGoldenSetExtractor` - extraction from NVD data
+  - `GoldenSetEnrichmentService` - enriches golden sets with function hints
+  - `GoldenSetValidator`, `ICveValidator` - validation pipeline
+  - `PostgresGoldenSetStore` - PostgreSQL storage
+  - `GoldenSetYamlSerializer` - YAML serialization
+- **Analysis Pipeline**: `GoldenSetAnalysisPipeline` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/`) - runs analysis against golden set definitions
+- **API Controller**: `GoldenSetController` (`src/BinaryIndex/StellaOps.BinaryIndex.WebService/Controllers/`) - CRUD and listing endpoints
+- **Corpus Connectors**: Alpine (`AlpineCorpusConnector`), Debian (`DebianCorpusConnector`), RPM (`RpmCorpusConnector`) for cross-distro support
+- **Validation Harness**: `ValidationHarness` and `ValidationHarnessService` for running golden set tests
+
+## What's Missing
+- Curated cross-distro test cases for high-impact CVEs (OpenSSL Heartbleed CVE-2014-0160, sudo Baron Samedit CVE-2021-3156, etc.) may not be fully populated in the golden set database
+- Cross-distro coverage matrix (Alpine vs Debian vs RHEL backport variations for same CVE) may need population
+- Automated golden set population pipeline from NVD for new CVEs
+
+## Implementation Plan
+- Populate golden set database with curated cross-distro test cases for high-impact CVEs
+- Validate backport detection accuracy across Alpine, Debian, and RHEL for each curated CVE
+- Build automated pipeline to generate cross-distro golden set entries from NVD advisories
+- Add cross-distro regression test suite using existing `ValidationHarness` infrastructure
+
+## Related Documentation
+- Golden set schema: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/Models/GoldenSetDefinition.cs`
+- Authoring workflow: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/Authoring/`
+
+## Verification
+- Tier 0/1/2 artifacts: `docs/qa/feature-checks/runs/binaryindex/cross-distro-golden-set-for-backport-validation/run-001/`.
+- Result: verified.
+- Tier 1/Tier 2 initially hit a deterministic test compilation issue (`CS0117`) in cross-distro coverage tests; run-001 includes triage, fix, and retest artifacts.
+- Final verification evidence:
+  - `tier1-test-goldenset-retest.log` passed (`261/261`).
+  - `tier2-test-goldenset.log` passed (`261/261`).
+  - `tier2-test-analysis.log` passed (`102/102`).
+

docs/features/checked/binaryindex/delta-signature-predicates.md

@@ -0,0 +1,40 @@
+# Delta-Signature Predicates (Function-Level Binary Diffs)
+
+## Module
+BinaryIndex
+
+## Status
+VERIFIED
+
+## Description
+Function-level delta signature predicates (v1 and v2) with signature generation, matching, and symbol change tracing. V2 adds symbol provenance and IR diffs, which is architecturally superior to the byte-level hunks proposed in the advisory.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/`
+- **Key Classes**:
+  - `DeltaSigPredicate` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/Attestation/DeltaSigPredicate.cs`) - V1 predicate for attestation
+  - `DeltaSigPredicateV2` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/Attestation/DeltaSigPredicateV2.cs`) - V2 predicate with symbol provenance and IR diff support
+  - `DeltaSigPredicateConverter` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/Attestation/DeltaSigPredicateConverter.cs`) - converts between predicate versions
+  - `DeltaSigAttestorIntegration` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/Attestation/DeltaSigAttestorIntegration.cs`) - integrates delta-sig predicates with the Attestor module
+  - `GroundTruthProvenanceResolver` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/Provenance/GroundTruthProvenanceResolver.cs`) - enriches matches with symbol provenance data
+  - `CfgExtractor` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/CfgExtractor.cs`) - extracts control flow graphs for delta-sig generation
+- **Models**: `Models.cs` in DeltaSig namespace - function match records, signature models
+- **VEX Integration**: `DeltaSigVexBridge` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/VexIntegration/`)
+
+## E2E Test Plan
+- [ ] Generate a V1 delta-sig predicate and verify it contains function-level diff data
+- [ ] Generate a V2 delta-sig predicate and verify it includes symbol provenance and IR diff metadata
+- [ ] Convert between V1 and V2 predicates via `DeltaSigPredicateConverter` and verify data fidelity
+- [ ] Verify `DeltaSigAttestorIntegration` produces valid attestation predicates for the Attestor module
+- [ ] Verify `GroundTruthProvenanceResolver` enriches function matches with provenance sources
+- [ ] Verify V2 predicates flow into VEX observations via `DeltaSigVexBridge`
+
+## Verification
+- Tier 0/1/2 artifacts: `docs/qa/feature-checks/runs/binaryindex/delta-signature-predicates/run-001/`.
+- Result: verified.
+- Evidence summary:
+  - `tier1-test-deltasig.log`: Passed 132/132.
+  - `tier1-test-vexbridge.log`: Passed 29/29.
+  - `tier2-test-deltasig.log`: Passed 132/132.
+  - `tier2-test-vexbridge.log`: Passed 29/29.
+- Note: feature dossier key-class naming references `DeltaSigAttestorIntegration`; implementation currently exposes attestation integration behavior through `IDeltaSigAttestorService` and `DeltaSigEnvelopeBuilder` in `DeltaSigAttestorIntegration.cs`.

docs/features/checked/binaryindex/disassembly-and-binary-analysis-pipeline.md

@@ -0,0 +1,49 @@
+# Disassembly and binary analysis pipeline
+
+## Module
+BinaryIndex
+
+## Status
+VERIFIED
+
+## Description
+Pluggable disassembly framework with Ghidra integration (BSim + version tracking) for binary analysis capabilities.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly.Abstractions/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly.B2R2/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly.Iced/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ghidra/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Decompiler/`
+- **Key Classes**:
+  - `DisassemblyService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly/DisassemblyService.cs`) - core disassembly orchestrator
+  - `HybridDisassemblyService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly/HybridDisassemblyService.cs`) - multi-backend hybrid disassembly with quality-based plugin selection
+  - `DisassemblyPluginRegistry` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly/DisassemblyPluginRegistry.cs`) - manages registered disassembly plugins
+  - `BinaryFormatDetector` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly/BinaryFormatDetector.cs`) - detects ELF/PE/Mach-O format from binary headers
+  - `B2R2DisassemblyPlugin` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly.B2R2/B2R2DisassemblyPlugin.cs`) - B2R2 backend with architecture mapping, instruction mapping, operand parsing
+  - `B2R2LowUirLiftingService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly.B2R2/B2R2LowUirLiftingService.cs`) - lifts machine code to LowUIR intermediate representation with SSA transformation
+  - `B2R2LifterPool` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly.B2R2/B2R2LifterPool.cs`) - object pool for B2R2 lifter instances with warm preloading
+  - `IcedDisassemblyPlugin` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly.Iced/IcedDisassemblyPlugin.cs`) - Iced x86/x64 disassembler plugin
+  - `GhidraDisassemblyPlugin` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ghidra/Services/GhidraDisassemblyPlugin.cs`) - Ghidra integration
+  - `GhidraDecompilerAdapter` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Decompiler/GhidraDecompilerAdapter.cs`) - Ghidra decompilation with AST comparison
+- **Abstractions**: `IDisassemblyPlugin`, `IDisassemblyPluginRegistry`, `IDisassemblyService` with models for `BinaryFormat`, `CpuArchitecture`, `DisassembledInstruction`, `InstructionKind`, etc.
+- **Decompiler**: Full AST comparison engine with recursive parser, code normalizer, semantic equivalence checking
+
+## E2E Test Plan
+- [ ] Load an x86-64 ELF binary via `HybridDisassemblyService` and verify disassembly produces valid instructions
+- [ ] Verify `BinaryFormatDetector` correctly identifies ELF, PE, and Mach-O formats
+- [ ] Verify B2R2 plugin handles architecture mapping for x86, x64, ARM, AArch64
+- [ ] Verify B2R2 LowUIR lifting produces valid IR with SSA form
+- [ ] Verify Iced plugin disassembles x86/x64 instructions correctly
+- [ ] Verify `B2R2LifterPool` warm preloading and pool size management
+- [ ] Verify Ghidra decompiler adapter produces comparable ASTs via `AstComparisonEngine`
+- [ ] Verify hybrid disassembly quality scoring selects the best plugin for each binary
+
+## Verification
+- Tier 0/1/2 artifacts: `docs/qa/feature-checks/runs/binaryindex/disassembly-and-binary-analysis-pipeline/run-001/`.
+- Result: verified.
+- Evidence summary:
+  - `tier1-test-disassembly.log`: Passed 45/45.
+  - `tier1-test-ghidra-retest.log`: Passed 122/122.
+  - `tier1-test-decompiler-retest.log`: Passed 35/35.
+  - `tier2-test-disassembly.log`: Passed 45/45.
+  - `tier2-test-ghidra.log`: Passed 122/122.
+  - `tier2-test-decompiler.log`: Passed 35/35.
+- Note: initial Ghidra/Decompiler `--no-build` checks produced `Invalid TargetPath`; reran with build and captured final passing evidence.
+

docs/features/checked/binaryindex/known-build-binary-catalog.md

@@ -0,0 +1,44 @@
+# Known-build binary catalog (Build-ID + hash-based binary identity)
+
+## Module
+BinaryIndex
+
+## Status
+VERIFIED
+
+## Description
+BinaryIdentity model and vulnerability assertion repository implement the binary-key-based catalog using Build-ID and file SHA256 as primary keys.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Cache/`
+- **Key Classes**:
+  - `BinaryIdentity` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Models/BinaryIdentity.cs`) - core identity model with Build-ID and file SHA256 dimensions
+  - `BinaryIdentityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/BinaryIdentityService.cs`) - binary identity extraction/indexing service
+  - `BinaryIdentityRepository` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Repositories/BinaryIdentityRepository.cs`) - repository lookups by Build-ID, binary key, and file SHA256
+  - `BinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Services/BinaryVulnerabilityService.cs`) - assertion-backed vulnerability lookup with method mapping
+  - `CachedBinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Cache/CachedBinaryVulnerabilityService.cs`) - read-through cache for repeat identity lookups
+- **Interfaces**:
+  - `IBinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/IBinaryVulnerabilityService.cs`)
+  - `IBinaryVulnAssertionRepository` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/IBinaryVulnAssertionRepository.cs`)
+  - `IBinaryIdentityRepository` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Repositories/IBinaryIdentityRepository.cs`)
+
+## E2E Test Plan
+- [x] Register a binary identity with known Build-ID and verify it is stored in the catalog
+- [x] Query the catalog by Build-ID and verify the correct binary identity is returned
+- [x] Query by file SHA256 hash and verify the correct binary identity is returned
+- [x] Assert a vulnerability against a binary identity and verify the assertion is persisted
+- [x] Verify `CachedBinaryVulnerabilityService` caches lookups and returns cached results on repeat queries
+- [x] Verify match method mapping: `buildid_catalog` maps to `MatchMethod.BuildIdCatalog`
+
+## Verification
+- Run: `run-002`
+- Date (UTC): 2026-02-12
+- Evidence: `docs/qa/feature-checks/runs/binaryindex/known-build-binary-catalog/run-002/`
+- Tier 1 result: pass (`87/87` tests)
+- Tier 2 result: pass (`10/10` targeted behavioral checks)
+- Verified behaviors:
+  - Build-ID lookup positive and negative paths
+  - File SHA256 lookup, including latest-row precedence behavior
+  - Assertion persistence retrieval path
+  - `buildid_catalog` to `MatchMethod.BuildIdCatalog` mapping
+  - Repeat identity lookup cache-hit behavior

docs/features/checked/binaryindex/local-mirror-layer-for-corpus-sources.md

@@ -0,0 +1,40 @@
+# Local mirror layer for corpus sources
+
+## Module
+BinaryIndex
+
+## Status
+VERIFIED
+
+## Description
+Local mirror package-source layer for corpus ingestion across Debian, Alpine, and RPM ecosystems with offline-friendly cache fallback and deterministic corpus snapshot behavior.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Debian/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Alpine/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Rpm/`
+- **Key Classes**:
+  - `DebianMirrorPackageSource` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Debian/DebianMirrorPackageSource.cs`) - Debian mirror index and package fetch support
+  - `AlpineMirrorPackageSource` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Alpine/AlpineMirrorPackageSource.cs`) - Alpine APK mirror index/package fetch with cached fallback
+  - `RpmMirrorPackageSource` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Rpm/RpmMirrorPackageSource.cs`) - RPM primary metadata/package fetch with cached fallback
+  - `DebianCorpusConnector` / `AlpineCorpusConnector` / `RpmCorpusConnector` - connector layer using package source abstractions and snapshot repository integration
+  - `ICorpusSnapshotRepository` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus/ICorpusSnapshotRepository.cs`) - deterministic snapshot persistence for offline replay
+- **Interfaces**: `IDebianPackageSource`, `IAlpinePackageSource`, `IRpmPackageSource`
+
+## E2E Test Plan
+- [x] Fetch Debian package index and validate deterministic package parsing behavior
+- [x] Fetch Alpine package index and verify offline index cache fallback behavior
+- [x] Fetch RPM package metadata and verify offline index cache fallback behavior
+- [x] Download package payloads and verify cached payload fallback when remote fetch fails
+- [x] Persist and query corpus snapshots deterministically for offline retrieval behavior
+
+## Verification
+- Run: `run-002`
+- Date (UTC): 2026-02-12
+- Evidence: `docs/qa/feature-checks/runs/binaryindex/local-mirror-layer-for-corpus-sources/run-002/`
+- Tier 0 result: pass (`tier0-source-check.json`)
+- Tier 1 result: pass (`34/34` tests)
+- Tier 2 result: pass (`39/39` targeted integration checks)
+- Verified behaviors:
+  - Debian, Alpine, and RPM mirror package-source implementations are present and wired through corpus connectors.
+  - Alpine and RPM mirror sources provide cached index and package payload fallback for offline/remote-failure paths.
+  - Corpus snapshot repository behavior remains deterministic for distro/release/architecture snapshot lookup paths.
+

docs/features/checked/binaryindex/patch-coverage-tracking.md

@@ -0,0 +1,35 @@
+# Patch Coverage Tracking
+
+## Module
+BinaryIndex
+
+## Status
+VERIFIED
+
+## Description
+Dedicated patch coverage API endpoint for tracking which CVE patches are covered in binary analysis.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/StellaOps.BinaryIndex.WebService/Controllers/`
+- **Key Classes**:
+  - `PatchCoverageController` (`src/BinaryIndex/StellaOps.BinaryIndex.WebService/Controllers/PatchCoverageController.cs`) - REST API controller for patch coverage queries using `IDeltaSignatureRepository`
+  - `DeltaSignatureMatcher` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/DeltaSignatureMatcher.cs`) - matches delta signatures to assess patch coverage
+  - `DeltaSigService` / `DeltaSigServiceV2` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/`) - service layer for delta-sig operations
+- **Interfaces**: `IDeltaSignatureRepository` - repository for persisted delta signatures used by patch coverage queries
+
+## E2E Test Plan
+- [x] Query patch coverage API for a known CVE and verify coverage status (covered/not covered)
+- [x] Verify patch coverage percentage calculation: submit binaries with partial patch coverage
+- [x] Verify that delta signatures for the CVE fix are used to determine coverage
+- [x] Verify API returns correct coverage for batch queries across multiple CVEs
+- [x] Verify coverage tracking updates when new delta signatures are added
+
+## Verification
+- Tier 0/1/2 artifacts: `docs/qa/feature-checks/runs/binaryindex/patch-coverage-tracking/run-001/`.
+- Result: verified.
+- Evidence summary:
+  - `tier1-test-webservice-patchcoverage.log`: Passed 7/7.
+  - `tier1-test-deltasig-matcher.log`: Passed 8/8.
+  - `tier2-test-webservice-patchcoverage.log`: Passed 7/7.
+  - `tier2-test-deltasig-matcher.log`: Passed 8/8.
+- Note: webservice and webservice-tests builds were run with scoped output paths in this run to avoid concurrent binary-lock collisions on shared `bin/Release` outputs.

docs/features/checked/binaryindex/patchdiffengine.md

@@ -0,0 +1,31 @@
+# PatchDiffEngine (Binary Pre/Post Patch Comparison for Fix Verification)
+
+## Module
+BinaryIndex
+
+## Status
+IMPLEMENTED
+
+## Description
+Compares pre-patch and post-patch binaries at multiple levels (BasicBlock, CFG, StringRefs, Semantic/KSG fingerprints) to determine if a vulnerability has been remediated. Produces structured verification results with confidence scores based on match depth. Core verification logic for the Golden Set Diff Layer.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Diff/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/`
+- **Key Classes**:
+  - `PatchDiffEngine` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Diff/PatchDiffEngine.cs`) - core engine comparing pre/post binaries using `ISignatureMatcher`, `IFunctionFingerprintExtractor`, and `IFunctionDiffer`; produces `PatchDiffResult` with confidence scores
+  - `PatchDiffEngine` (builders) (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/PatchDiffEngine.cs`) - builder-level diff engine
+  - `FunctionDiffer` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Diff/FunctionDiffer.cs`) - function-level comparison with semantic analysis, call-graph edge diffing, and string reference comparison
+  - `FunctionRenameDetector` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Diff/FunctionRenameDetector.cs`) - detects renamed functions between versions
+  - `VerdictCalculator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Diff/VerdictCalculator.cs`) - computes fix verification verdict from diff results
+- **Models**: `PatchDiffResult`, `PatchDiffModels`, `DiffEvidenceModels`, `DiffOptions` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Diff/Models/`)
+- **Storage**: `IDiffResultStore`, `InMemoryDiffResultStore` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Diff/Storage/`)
+- **Source**: SPRINT_20260110_012_004_BINDEX_golden_set_diff_verify.md
+
+## E2E Test Plan
+- [ ] Submit pre-patch and post-patch binaries for a known CVE fix and verify the diff result shows patch applied
+- [ ] Verify multi-level comparison: BasicBlock, CFG, StringRefs, and semantic fingerprints all contribute to confidence
+- [ ] Verify `FunctionDiffer` with `IncludeSemanticAnalysis=true` computes semantic similarity
+- [ ] Verify `FunctionRenameDetector` handles renamed functions between versions
+- [ ] Verify `VerdictCalculator` produces correct verdict (Fixed, Vulnerable, Unknown) based on diff evidence
+- [ ] Verify `NoPatchDetected` result is returned when binaries are identical
+- [ ] Verify diff results are persistable via `IDiffResultStore` with content-addressed IDs

docs/features/checked/binaryindex/reproducible-distro-build-pipeline.md

@@ -0,0 +1,38 @@
+# Reproducible Distro Build Pipeline (Container-Based Builders)
+
+## Module
+BinaryIndex
+
+## Status
+VERIFIED
+
+## Description
+Container-based reproducible build pipeline for Alpine, Debian, and RHEL packages. Rebuilds upstream source packages in isolated containers to produce reference binaries for function-level fingerprint comparison, enabling backport detection by comparing distro-patched binaries against unpatched originals.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/`, `src/BinaryIndex/StellaOps.BinaryIndex.Worker/`
+- **Key Classes**:
+  - `ReproducibleBuildJob` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/ReproducibleBuildJobTypes.cs`) - orchestrates distro-specific builds and fingerprint/patch-diff attribution
+  - `ReproducibleBuildJob` compatibility implementation (`src/BinaryIndex/StellaOps.BinaryIndex.Worker/Jobs/ReproducibleBuildJob.cs`)
+  - `ReproducibleBuildOptions` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/ReproducibleBuildJobTypes.cs`) - build configuration (timeouts, architecture, concurrency)
+  - `IReproducibleBuilder` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/IReproducibleBuilder.cs`) - abstraction for container-based builds
+  - `BuilderServiceOptions` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/BuilderOptions.cs`) - builder infrastructure configuration
+  - `GuidProvider` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/GuidProvider.cs`) - deterministic GUID generation for reproducibility
+- **Integration**: Uses `IFingerprintClaimRepository` to store build verification claims; integrates with `IPatchDiffEngine` for post-build binary comparison
+- **Source**: SPRINT_1227_0002_0001_LB_reproducible_builders.md
+
+## E2E Test Plan
+- [ ] Trigger a reproducible build for a Debian package and verify reference binaries are produced
+- [ ] Compare distro-patched binary against unpatched original and verify fingerprint differences
+- [ ] Verify container isolation: build runs in isolated container with controlled environment
+- [ ] Verify `FingerprintClaim` records are generated with build provenance evidence
+- [ ] Verify `GuidProvider` produces deterministic GUIDs for identical build inputs
+- [ ] Verify backport detection: distro-patched binary with backported fix is correctly identified
+
+## Verification
+- Run ID: `run-001`
+- Verified at: `2026-02-12T06:09:39.1151882Z`
+- Evidence:
+  - `docs/qa/feature-checks/runs/binaryindex/reproducible-distro-build-pipeline/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/binaryindex/reproducible-distro-build-pipeline/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/binaryindex/reproducible-distro-build-pipeline/run-001/tier2-e2e-check.json`

docs/features/checked/binaryindex/semantic-analysis-library.md

@@ -0,0 +1,31 @@
+# Semantic Analysis Library (IR Lifting and Function Fingerprinting)
+
+## Module
+BinaryIndex
+
+## Status
+IMPLEMENTED
+
+## Description
+Semantic binary analysis with IR lifting, function fingerprint generation, semantic matching, graph extraction, and call n-gram generation for function-level binary comparison.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/`
+- **Key Classes**:
+  - `IrLiftingService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/IrLiftingService.cs`) - lifts disassembled instructions to deterministic IR/SSA models (with B2R2-specific lifting types available under `Lifting/`)
+  - `SemanticFingerprintGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/SemanticFingerprintGenerator.cs`) - generates `SemanticFingerprint` using Weisfeiler-Lehman graph hashing (KsgWeisfeilerLehmanV1 algorithm)
+  - `SemanticGraphExtractor` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/SemanticGraphExtractor.cs`) - extracts key-semantics graphs (KSG) from lifted IR
+  - `SemanticMatcher` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/SemanticMatcher.cs`) - matches semantic fingerprints for similarity scoring
+  - `CallNgramGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/CallNgramGenerator.cs`) - call-sequence n-gram fingerprinting
+  - `WeisfeilerLehmanHasher` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/Internal/WeisfeilerLehmanHasher.cs`) - WL graph hash implementation
+  - `GraphCanonicalizer` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/Internal/GraphCanonicalizer.cs`) - graph canonicalization for deterministic hashing
+- **Models**: `FingerprintModels` (SemanticFingerprint, SemanticFingerprintOptions, SemanticFingerprintAlgorithm), `GraphModels` (KeySemanticsGraph), `IrModels` (LiftedFunction, IrStatement)
+- **Interfaces**: `IIrLiftingService`, `ISemanticFingerprintGenerator`, `ISemanticGraphExtractor`, `ISemanticMatcher`
+
+## E2E Test Plan
+- [ ] Lift a binary function to IR via `IrLiftingService` and verify IR structure contains valid statements
+- [ ] Generate a semantic fingerprint via `SemanticFingerprintGenerator` and verify hash is deterministic
+- [ ] Extract a key-semantics graph via `SemanticGraphExtractor` and verify node/edge structure
+- [ ] Match two fingerprints of the same function (different compilers) via `SemanticMatcher` and verify high similarity
+- [ ] Verify Weisfeiler-Lehman graph hash produces different hashes for structurally different functions
+- [ ] Verify `GraphCanonicalizer` produces consistent canonical forms for isomorphic graphs

docs/features/checked/binaryindex/vulnerable-binaries-database.md

@@ -0,0 +1,36 @@
+# Vulnerable Binaries Database (BinaryIndex Module)
+
+## Module
+BinaryIndex
+
+## Status
+VERIFIED
+## Description
+Dedicated BinaryIndex module with web service, worker, and library structure for binary vulnerability detection independent of package metadata.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/StellaOps.BinaryIndex.WebService/`, `src/BinaryIndex/StellaOps.BinaryIndex.Worker/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/`
+- **Key Classes**:
+  - **Web Service**: `ResolutionController` (`Controllers/ResolutionController.cs`) - vulnerability resolution API; `GoldenSetController` - golden set management API; `PatchCoverageController` - patch coverage API; `BinaryIndexOpsController` - ops health/bench/cache endpoints
+  - **Worker**: `ReproducibleBuildJob` (`Jobs/ReproducibleBuildJob.cs`) - background worker for build verification
+  - **Persistence**: `BinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Services/BinaryVulnerabilityService.cs`) - vulnerability detection service with match method mapping and corpus query integration
+  - **Cache**: `CachedBinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Cache/CachedBinaryVulnerabilityService.cs`) - Valkey-backed caching layer
+  - **Analysis**: `SignatureMatcher`, `TaintGateExtractor`, `ReachGraphBinaryReachabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/`)
+  - **Ensemble**: `EnsembleDecisionEngine` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/`) - multi-tier vulnerability classification
+- **Program Entry**: `Program.cs` (`src/BinaryIndex/StellaOps.BinaryIndex.WebService/Program.cs`) - configures services, resolution caching, rate limiting
+
+## E2E Test Plan
+- [x] Query the database for a known vulnerable binary (by Build-ID) and verify vulnerability is detected
+- [x] Submit a binary for analysis and verify detection works independent of package metadata
+- [x] Verify web service endpoints are accessible: resolution, golden set, patch coverage, ops
+- [x] Verify worker job processes reproducible build verification in the background
+- [x] Verify cached lookups improve performance on repeated queries
+- [x] Verify ensemble decision engine combines all matching signals for final vulnerability classification
+
+## Verification
+- Run: `docs/qa/feature-checks/runs/binaryindex/vulnerable-binaries-database/run-002/`
+- Date (UTC): 2026-02-12
+- Tier 0: Source and symbol checks passed, including Worker project buildability and WebService fallback wiring.
+- Tier 1: Build and test gates passed for Analysis, Builders, Cache, Ensemble, Persistence, WebService, Worker, and related test projects.
+- Tier 2: API checks passed for ops/config, golden set listing, patch coverage, invalid payload handling (`400`), single and batch resolution, and repeated cache-backed resolution replay (`fromCache=true`).
+

docs/features/checked/cryptography/additional-crypto-profiles.md

@@ -126,3 +126,17 @@ Verdict: PASS
 - **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-012/tier2-integration-check.json
 - **Outcome**: Checked cryptography behavior remains healthy in continued replay.
+
+## Recheck (Run-013)
+- **Verified**: 2026-02-10
+- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
+- **Tests**: PASS (101/101; Cryptography suite 101/101.)
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-013/tier2-integration-check.json
+- **Outcome**: Checked cryptography behavior remains healthy in continued replay; PQC caveat remains unchanged.
+
+## Recheck (Run-016)
+- **Verified**: 2026-02-11
+- **Method**: Strict Tier 2 command-line behavioral replay via cryptography harness + Tier 1 suite replay.
+- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests: 108/108).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/additional-crypto-profiles/run-016/tier2-integration-check.json
+- **Outcome**: Fresh harness transaction validated FIPS/GOST/SM positive signing paths and negative guard behavior (tampered verification + CanHandle ownership check).

docs/features/checked/cryptography/crypto-provider-plugin-architecture.md

@@ -120,3 +120,17 @@ Verdict: PASS
 - **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/crypto-provider-plugin-architecture/run-012/tier2-integration-check.json
 - **Outcome**: Checked cryptography behavior remains healthy in continued replay.
+
+## Recheck (Run-013)
+- **Verified**: 2026-02-10
+- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
+- **Tests**: PASS (101/101; Cryptography suite 101/101.)
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/crypto-provider-plugin-architecture/run-013/tier2-integration-check.json
+- **Outcome**: Checked cryptography behavior remains healthy in continued replay.
+
+## Recheck (Run-016)
+- **Verified**: 2026-02-11
+- **Method**: Strict Tier 2 command-line behavioral replay via cryptography harness + Tier 1 suite replay.
+- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests: 108/108).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/crypto-provider-plugin-architecture/run-016/tier2-integration-check.json
+- **Outcome**: Fresh harness transaction validated MultiProfileSigner deterministic timestamping and failure propagation semantics.

docs/features/checked/cryptography/eidas-qualified-timestamping.md

@@ -121,3 +121,17 @@ Verdict: PASS
 - **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-012/tier2-integration-check.json
 - **Outcome**: Checked cryptography behavior remains healthy in continued replay.
+
+## Recheck (Run-013)
+- **Verified**: 2026-02-10
+- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
+- **Tests**: PASS (101/101; Cryptography suite 101/101.)
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-013/tier2-integration-check.json
+- **Outcome**: Checked cryptography behavior remains healthy in continued replay.
+
+## Recheck (Run-016)
+- **Verified**: 2026-02-11
+- **Method**: Strict Tier 2 command-line behavioral replay via cryptography harness + Tier 1 suite replay.
+- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests: 108/108).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-016/tier2-integration-check.json
+- **Outcome**: Fresh harness transaction validated eIDAS CAdES routing and fail-closed signing behavior without certificate material.

docs/features/checked/cryptography/hardware-backed-org-key-kms-signing.md

@@ -116,3 +116,17 @@ Verdict: PASS
 - **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-012/tier2-integration-check.json
 - **Outcome**: Checked cryptography behavior remains healthy in continued replay.
+
+## Recheck (Run-013)
+- **Verified**: 2026-02-10
+- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
+- **Tests**: PASS (101/101; Cryptography suite 101/101.)
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-013/tier2-integration-check.json
+- **Outcome**: Checked cryptography behavior remains healthy in continued replay.
+
+## Recheck (Run-016)
+- **Verified**: 2026-02-11
+- **Method**: Strict Tier 2 command-line behavioral replay via cryptography harness + Tier 1 suite replay.
+- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests: 108/108).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/hardware-backed-org-key-kms-signing/run-016/tier2-integration-check.json
+- **Outcome**: Fresh harness transaction validated HSM simulation-mode sign/verify and AES-GCM encrypt/decrypt flows.

docs/features/checked/cryptography/hsm-integration.md

@@ -117,3 +117,17 @@ Verdict: PASS
 - **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-012/tier2-integration-check.json
 - **Outcome**: Checked cryptography behavior remains healthy in continued replay.
+
+## Recheck (Run-013)
+- **Verified**: 2026-02-10
+- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
+- **Tests**: PASS (101/101; Cryptography suite 101/101.)
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-013/tier2-integration-check.json
+- **Outcome**: Checked cryptography behavior remains healthy in continued replay.
+
+## Recheck (Run-016)
+- **Verified**: 2026-02-11
+- **Method**: Strict Tier 2 command-line behavioral replay via cryptography harness + Tier 1 suite replay.
+- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests: 108/108).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/hsm-integration/run-016/tier2-integration-check.json
+- **Outcome**: Fresh harness transaction validated HSM health probe and unsupported-mechanism negative semantics.

docs/features/checked/cryptography/regional-crypto-profiles.md

@@ -121,3 +121,17 @@ Verdict: PASS
 - **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-012/tier2-integration-check.json
 - **Outcome**: Checked cryptography behavior remains healthy in continued replay.
+
+## Recheck (Run-013)
+- **Verified**: 2026-02-10
+- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
+- **Tests**: PASS (101/101; Cryptography suite 101/101.)
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-013/tier2-integration-check.json
+- **Outcome**: Checked cryptography behavior remains healthy in continued replay.
+
+## Recheck (Run-016)
+- **Verified**: 2026-02-11
+- **Method**: Strict Tier 2 command-line behavioral replay via cryptography harness + Tier 1 suite replay.
+- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests: 108/108).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-016/tier2-integration-check.json
+- **Outcome**: Fresh harness transaction validated GOST+SM regional profile signing plus FIPS hash interoperability path.

docs/features/checked/devops/postgresql-backend-for-rekor-metadata.md

@@ -0,0 +1,36 @@
+# PostgreSQL Backend for Rekor Metadata
+
+## Module
+devops
+
+## Status
+VERIFIED
+
+## Description
+PostgreSQL-based Rekor backend with checkpoint storage, submission queue tables, and VEX-Rekor linkage migration.
+
+## Implementation Details
+- **Rekor Inclusion Proof Models**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/RekorInclusionProof.cs` -- model for Rekor inclusion proof data including log index, root hash, tree size, and inclusion hashes.
+- **Enhanced Rekor Proof Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.cs` (with partials `.Build.cs`, `.Validate.cs`) -- builds and validates Rekor inclusion proofs, storing metadata for PostgreSQL persistence.
+- **Pipeline Rekor Entry**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Pipeline/RekorEntry.cs` -- pipeline model for Rekor transparency log entries.
+- **Rekor Inclusion Verification**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/RekorInclusionVerificationStep.cs` -- verification step that validates Rekor inclusion proofs against stored checkpoints.
+- **Database Cluster Config**: `devops/database/postgres/cluster-production.yaml`, `cluster-staging.yaml` -- PostgreSQL cluster definitions for CloudNativePG with Rekor metadata tables.
+- **Database Pooler Config**: `devops/database/postgres/pooler-production.yaml`, `pooler-staging.yaml` -- PgBouncer pooler configurations for Rekor query workloads.
+- **Compose Configuration**: `devops/compose/docker-compose.stella-ops.yml` -- includes PostgreSQL service configuration for the Rekor backend.
+
+## E2E Test Plan
+- [ ] Submit a DSSE attestation through the proof chain pipeline and verify the Rekor entry metadata (log index, root hash, tree size) is persisted to PostgreSQL
+- [ ] Query the stored Rekor checkpoint and verify it matches the transparency log state at submission time
+- [ ] Verify Rekor inclusion proof validation: retrieve a stored proof from PostgreSQL and run `RekorInclusionVerificationStep` to confirm it validates correctly
+- [ ] Verify the submission queue processes entries in order and marks them as submitted after successful Rekor log inclusion
+- [ ] Deploy the PostgreSQL cluster configuration and verify the database schema includes the required Rekor metadata tables
+
+## Verification
+- Verified on 2026-02-11 with `run-001`.
+- Tier 0 source checks passed for Rekor proof models/builders, verification step, and DevOps PostgreSQL assets.
+- Tier 1 build and focused behavioral test gates passed (`57/57`) across Rekor inclusion proof, receipt generation/verification, and verification-job integration suites.
+- Tier 2 behavioral checks passed by applying the initial PostgreSQL schema in Docker and validating required tables/indexes for `proofchain.rekor_entries` and `attestor.rekor_submission_queue`.
+- Evidence:
+  - `docs/qa/feature-checks/runs/devops/postgresql-backend-for-rekor-metadata/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/devops/postgresql-backend-for-rekor-metadata/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/devops/postgresql-backend-for-rekor-metadata/run-001/tier2-integration-check.json`

docs/features/checked/devops/vex-rekor-linkage.md

@@ -0,0 +1,39 @@
+# VEX-Rekor Linkage
+
+## Module
+devops
+
+## Status
+VERIFIED
+
+## Description
+Database migration and persistence behavior for linking VEX observations to Rekor entries, enabling transparent VEX decision traceability.
+
+## Implementation Details
+- **VEX Proof Integrator Metadata**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.Helpers.cs` and `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.Metadata.cs` implement deterministic VEX verdict status/justification mapping and proof metadata payload generation.
+- **VEX Verdict Proof Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/VexVerdictProofPayload.cs` defines the serialized proof-carrying payload contract for VEX verdicts.
+- **VEX Verdict ID**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/VexVerdictId.cs` provides content-addressed VEX verdict identifiers.
+- **VEX Delta and Merge Models**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexDeltaChange.cs`, `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexDeltaStatement.cs`, `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexDeltaSummary.cs`, and `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexMergeTrace.cs` model delta/merge evidence for VEX decision evolution.
+- **Rekor Linkage Migration**: `devops/database/migrations/V20260117__vex_rekor_linkage.sql` adds Rekor linkage columns and indexes for Excititor and VexHub tables and attestor verification metadata columns.
+- **Compose Configuration**: `devops/compose/docker-compose.stella-ops.yml` provides PostgreSQL infrastructure used for linkage verification workflows.
+- **Excititor Postgres Store**: `src/Excititor/__Libraries/StellaOps.Excititor.Persistence/Postgres/Repositories/PostgresVexObservationStore.cs` now consistently persists and queries Rekor linkage fields on `vex.observations` with ensured Rekor columns/indexes.
+- **Behavioral Coverage**: `src/Excititor/__Tests/StellaOps.Excititor.Persistence.Tests/PostgresVexObservationStoreTests.cs` includes linkage round-trip, pending-queue, and missing-observation negative-path tests.
+
+## E2E Test Plan
+- [x] Create VEX observations and validate Rekor linkage fields can be persisted and queried.
+- [x] Query pending observations and verify unlinked records are returned in deterministic created-at order.
+- [x] Validate migration adds required Rekor columns and indexes across Excititor and VexHub tables.
+- [x] Reapply migration and verify existing Rekor linkage data is preserved.
+
+## Verification
+- Verified on 2026-02-11 with `run-001`.
+- Tier 0 source checks passed for Attestor VEX/Rekor models, DevOps migration assets, and Excititor persistence/test paths.
+- Tier 1 passed after resolving a schema mismatch defect in `PostgresVexObservationStore` (`71/71` tests across persistence and attestation suites).
+- Tier 2 passed with fresh Dockerized PostgreSQL interactions validating migration columns/indexes, linked and pending query paths, and idempotent reapply behavior.
+- Evidence:
+  - `docs/qa/feature-checks/runs/devops/vex-rekor-linkage/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/devops/vex-rekor-linkage/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/devops/vex-rekor-linkage/run-001/triage.json`
+  - `docs/qa/feature-checks/runs/devops/vex-rekor-linkage/run-001/fix-summary.json`
+  - `docs/qa/feature-checks/runs/devops/vex-rekor-linkage/run-001/retest-result.json`
+  - `docs/qa/feature-checks/runs/devops/vex-rekor-linkage/run-001/tier2-integration-check.json`

docs/features/checked/devportal/developer-portal.md

@@ -0,0 +1,61 @@
+# Developer Portal (Astro/Starlight)
+
+## Module
+DevPortal
+
+## Status
+VERIFIED
+
+## Description
+Static developer portal built with Astro/Starlight, including API reference pages, try-it console assets, docs guides, and offline bundle packaging suitable for offline/air-gapped delivery.
+
+## Implementation Details
+- **Astro/Starlight Site**: `src/DevPortal/StellaOps.DevPortal.Site/`
+- **Content Configuration**: `src/DevPortal/StellaOps.DevPortal.Site/src/content/config.ts`
+- **API Reference Page**: `src/DevPortal/StellaOps.DevPortal.Site/src/content/docs/api-reference.mdx`
+- **Getting Started Guide**: `src/DevPortal/StellaOps.DevPortal.Site/src/content/docs/guides/getting-started.mdx`
+- **Navigation Search Guide**: `src/DevPortal/StellaOps.DevPortal.Site/src/content/docs/guides/navigation-search.mdx`
+- **OpenAPI Spec**: `src/DevPortal/StellaOps.DevPortal.Site/public/api/stella.yaml`
+- **Try-It Console Assets**:
+  - `src/DevPortal/StellaOps.DevPortal.Site/public/js/try-it-console.js`
+  - `src/DevPortal/StellaOps.DevPortal.Site/public/js/rapidoc-loader.js`
+  - `src/DevPortal/StellaOps.DevPortal.Site/public/js/api-reference.js`
+- **Build/Validation Scripts**:
+  - `src/DevPortal/StellaOps.DevPortal.Site/scripts/build-offline.mjs`
+  - `src/DevPortal/StellaOps.DevPortal.Site/scripts/check-links.mjs`
+  - `src/DevPortal/StellaOps.DevPortal.Site/scripts/check-perf.mjs`
+  - `src/DevPortal/StellaOps.DevPortal.Site/scripts/run-a11y.mjs`
+  - `src/DevPortal/StellaOps.DevPortal.Site/scripts/sync-spec.mjs`
+- **Integrity Check**: `src/DevPortal/StellaOps.DevPortal.Site/SHA256SUMS.devportal-stubs`
+
+## E2E Test Plan
+- [x] Build site and verify static output generation
+- [x] Build offline bundle and verify archive output generation
+- [x] Run link checker and verify no broken links
+- [x] Run accessibility script (with deterministic skip behavior on unsupported host deps)
+- [x] Run distribution budget check
+- [x] Verify SHA256SUMS entry matches referenced artifact
+
+## Verification
+- **Verified**: 2026-02-11
+- **Method**: Tier 0 source verification + Tier 1 build + Tier 2 integration/CLI script replay
+- **Tier 0 Evidence**: `docs/qa/feature-checks/runs/devportal/developer-portal/run-001/tier0-source-check.json`
+- **Tier 1 Evidence**: `docs/qa/feature-checks/runs/devportal/developer-portal/run-001/tier1-build-check.json`
+- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/devportal/developer-portal/run-001/tier2-integration-check.json`
+- **Tests/Checks**:
+  - `npm install`
+  - `npm run sync:spec`
+  - `npm run build`
+  - `npm run build:offline`
+  - `npm run lint:links`
+  - `npm run test:a11y`
+  - `npm run budget:dist`
+  - SHA256 verification against `SHA256SUMS.devportal-stubs`
+
+## Notes
+- DevPortal scripts were patched for cross-platform reliability:
+  - Windows-safe npm invocation in build/preview scripts.
+  - Safe process cleanup when `pkill` is unavailable.
+  - Correct ESM path resolution in perf checks.
+  - Link checker fallback for hosts serving directory pages via `/index.html`.
+  - Offline tar packaging fallback when host tar lacks GNU deterministic flags.

docs/features/checked/docs/developer-onboarding-quick-start-documentation.md

@@ -0,0 +1,33 @@
+# Developer Onboarding / Quick Start Documentation
+
+## Module
+docs
+
+## Status
+VERIFIED
+
+## Description
+Quick start guide and development documentation exist covering setup, testing, architecture orientation, and local workflow entry points.
+
+## Implementation Details
+- **Repo Documentation Index**: `docs/README.md` -- top-level entry point linking to setup, architecture, and standards docs.
+- **System Architecture**: `docs/07_HIGH_LEVEL_ARCHITECTURE.md` -- canonical high-level architecture overview.
+- **Platform Overview**: `docs/modules/platform/architecture-overview.md` -- platform architecture overview.
+- **Code of Conduct**: `docs/code-of-conduct/CODE_OF_CONDUCT.md` -- binding coding standards.
+- **Testing Practices**: `docs/code-of-conduct/TESTING_PRACTICES.md` -- testing standards and required layers.
+- **Module Dossiers**: `docs/modules/<module>/architecture*.md` -- module architecture references.
+- **DevPortal Site**: `src/DevPortal/StellaOps.DevPortal.Site/src/content/docs/guides/getting-started.mdx` -- onboarding quickstart guide.
+
+## E2E Test Plan
+- [x] Verify `docs/README.md` references onboarding architecture and standards entry points.
+- [x] Verify local path references listed in `docs/README.md` resolve to existing targets.
+- [x] Verify DevPortal getting-started guide exists with actionable install/build-run guidance.
+- [x] Verify negative-path behavior for missing docs target detection returns non-zero status.
+
+## Verification
+- Verified on 2026-02-11 via FLOW Tier 0/1/2 replay in `run-006`.
+- Tier 0: `docs/qa/feature-checks/runs/docs/developer-onboarding-quick-start-documentation/run-006/tier0-source-check.json`
+- Tier 1: `docs/qa/feature-checks/runs/docs/developer-onboarding-quick-start-documentation/run-006/tier1-build-check.json`
+- Tier 2: `docs/qa/feature-checks/runs/docs/developer-onboarding-quick-start-documentation/run-006/tier2-integration-check.json`
+- Triage/Fix: `docs/qa/feature-checks/runs/docs/developer-onboarding-quick-start-documentation/run-001/triage.json`, `docs/qa/feature-checks/runs/docs/developer-onboarding-quick-start-documentation/run-001/fix-summary.json`
+- Retest: `docs/qa/feature-checks/runs/docs/developer-onboarding-quick-start-documentation/run-006/retest-result.json`

docs/features/checked/docs/implementor-guidelines-document.md

@@ -0,0 +1,31 @@
+# Implementor Guidelines Document
+
+## Module
+docs
+
+## Status
+VERIFIED
+
+## Description
+The implementor guidelines document exists at the declared path covering operational checklists for code and doc changes.
+
+## Implementation Details
+- **Code of Conduct**: `docs/code-of-conduct/CODE_OF_CONDUCT.md` -- binding coding standards for all implementers covering naming conventions, error handling patterns, commit discipline, and code review expectations.
+- **Testing Practices**: `docs/code-of-conduct/TESTING_PRACTICES.md` -- testing standards defining required test layers (unit, integration, E2E, performance, security), determinism requirements, and flakiness policies.
+- **Repo-Wide Agent Contract**: `CLAUDE.md` -- defines sprint file discipline, directory ownership, git safety rules, documentation sync requirements, dependency license gates, and role-based behavior contracts.
+- **Module-Local AGENTS.md**: Various `src/<module>/AGENTS.md` files -- per-module implementation guidelines that add module-specific rules without relaxing repo-wide standards.
+- **Sprint Template**: Defined in `CLAUDE.md` section 6 -- mandatory sprint file structure (Topic & Scope, Dependencies, Delivery Tracker, Execution Log, Decisions & Risks).
+
+## E2E Test Plan
+- [x] Verify the `CODE_OF_CONDUCT.md` file exists and covers all sections referenced by the repo-wide agent contract (naming, error handling, commit discipline)
+- [x] Verify the `TESTING_PRACTICES.md` file exists and defines all required test layers (unit, integration, E2E, performance, security)
+- [x] Verify that at least 5 module directories under `src/` contain a module-local `AGENTS.md` file
+- [x] Verify the sprint template in `CLAUDE.md` section 6 is complete and includes all required sections
+- [x] Verify a new contributor can locate the implementor guidelines from the `docs/README.md` entry point within 2 navigation steps
+
+## Verification
+- Verified on 2026-02-11 via FLOW Tier 0/1/2 replay in `run-002`.
+- Tier 0: `docs/qa/feature-checks/runs/docs/implementor-guidelines-document/run-002/tier0-source-check.json`
+- Tier 1: `docs/qa/feature-checks/runs/docs/implementor-guidelines-document/run-002/tier1-build-check.json`
+- Tier 2: `docs/qa/feature-checks/runs/docs/implementor-guidelines-document/run-002/tier2-integration-check.json`
+- Failure loop artifacts: `docs/qa/feature-checks/runs/docs/implementor-guidelines-document/run-001/triage.json`, `docs/qa/feature-checks/runs/docs/implementor-guidelines-document/run-001/confirmation.json`, `docs/qa/feature-checks/runs/docs/implementor-guidelines-document/run-001/fix-summary.json`, `docs/qa/feature-checks/runs/docs/implementor-guidelines-document/run-001/retest-result.json`

docs/features/checked/doctor/doctor-advisoryai-integration.md

@@ -0,0 +1,35 @@
+# Doctor AdvisoryAI Integration
+
+## Module
+Doctor
+
+## Status
+VERIFIED
+
+## Description
+Integration between Doctor diagnostics and AdvisoryAI system to provide deterministic AI-powered diagnosis explanations, with schema-aware context adaptation and a published diagnosis API endpoint.
+
+## Implementation Details
+- **AI diagnosis service**: `src/__Libraries/StellaOps.Doctor/AdvisoryAI/IDoctorAIDiagnosisService.cs` and `src/__Libraries/StellaOps.Doctor/AdvisoryAI/DeterministicDoctorAIDiagnosisService.cs`
+- **Context adapter**: `src/__Libraries/StellaOps.Doctor/AdvisoryAI/DoctorContextAdapter.cs`, `src/__Libraries/StellaOps.Doctor/AdvisoryAI/IDoctorContextAdapter.cs`
+- **Evidence schema registry**: `src/__Libraries/StellaOps.Doctor/AdvisoryAI/IEvidenceSchemaRegistry.cs`
+- **AI context models**: `src/__Libraries/StellaOps.Doctor/AdvisoryAI/Models/DoctorAIContext.cs`
+- **Doctor diagnosis API surface**: `src/Doctor/StellaOps.Doctor.WebService/Endpoints/DoctorEndpoints.cs`, `src/Doctor/StellaOps.Doctor.WebService/Services/DoctorDiagnosisService.cs`, `src/Doctor/StellaOps.Doctor.WebService/Contracts/DoctorModels.cs`, `src/Doctor/StellaOps.Doctor.WebService/Program.cs`
+- **Verification tests**: `src/Doctor/__Tests/StellaOps.Doctor.WebService.Tests/Services/DoctorDiagnosisServiceTests.cs`, `src/__Libraries/__Tests/StellaOps.Doctor.Tests/AdvisoryAI/DoctorContextAdapterTests.cs`
+
+## E2E Test Plan
+- [x] Verify AI diagnosis endpoint accepts doctor health check results.
+- [x] Test context adapter converts health results to proper AI context.
+- [x] Verify evidence schema registry returns valid schemas.
+- [x] Test Doctor diagnosis workflow produces deterministic assessment and remediation output.
+
+## Verification
+- Run: `run-003` (2026-02-11).
+- Tier 0 source verification passed for advisory-ai contracts, diagnosis service wiring, and diagnosis route publication.
+- Tier 1 build/tests passed for Doctor library and Doctor WebService diagnosis paths.
+- Tier 2 API verification passed with fresh user-surface evidence:
+  - `GET /healthz` -> `200`
+  - `GET /openapi/v1.json` -> `200` and published `/api/v1/doctor/diagnosis`
+  - `POST /api/v1/doctor/diagnosis` invalid payload -> `400` (`ProblemDetails`)
+  - `POST /api/v1/doctor/diagnosis` valid inline report -> `200` (`DoctorDiagnosisResponse`)
+- Terminal outcome: `done`.

docs/features/checked/doctor/doctor-runbook-url-integration.md

@@ -0,0 +1,27 @@
+# Doctor Runbook URL Integration
+
+## Module
+Doctor
+
+## Status
+VERIFIED
+
+## Description
+Extended Doctor diagnostic framework to support runbook URL links in remediation output, making operational runbooks discoverable directly from `stella doctor` CLI and UI results.
+
+## Implementation Details
+- **Remediation models**: `src/__Libraries/StellaOps.Doctor/Models/RemediationStep.cs` -- includes runbook URL field
+- **Doctor models**: `src/Doctor/StellaOps.Doctor.WebService/Contracts/DoctorModels.cs` -- API models with runbook references
+- **Auto-remediation**: `src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Timestamping/AutoRemediation.cs` -- remediation with linked runbooks
+- **Source**: SPRINT_20260117_029_DOCS
+
+## E2E Test Plan
+- [x] Verify doctor check results include runbook URLs where applicable
+- [x] Test CLI `stella doctor` output displays remediation payloads and remains contract-compatible after runbook URL projection changes
+- [x] Verify Doctor API remediation DTOs include runbook URL when present
+
+## Verification
+Run: run-002 (2026-02-11)
+- Tier 1 tests passed for Doctor output formatters and Doctor WebService mapping with runbook URL fixtures.
+- Tier 2 verification captured fresh CLI interactions and parity evidence confirming runbook URL projection in formatter/API surfaces when the field is provided by checks.
+- Terminal outcome for this dossier: `done`.

docs/features/checked/doctor/doctor-scheduled-runs-with-alerting-and-trend-analysis.md

@@ -0,0 +1,37 @@
+# Doctor Scheduled Runs with Alerting and Trend Analysis
+
+## Module
+Doctor
+
+## Status
+VERIFIED
+
+## Description
+Cron-based scheduled execution of Doctor health checks with configurable schedules, trend data storage for historical analysis, anomaly detection for health metric degradation, and alerting service integration for notifications on health regressions.
+
+## Implementation Details
+- **Schedule worker**: `src/Doctor/StellaOps.Doctor.Scheduler/DoctorScheduleWorker.cs` -- background worker for cron-based execution
+- **Schedule executor**: `src/Doctor/StellaOps.Doctor.Scheduler/Services/ScheduleExecutor.cs` -- executes scheduled doctor runs
+- **Schedule models**: `src/Doctor/StellaOps.Doctor.Scheduler/Models/DoctorSchedule.cs` -- schedule configuration
+- **Execution tracking**: `src/Doctor/StellaOps.Doctor.Scheduler/Models/ScheduleExecution.cs` -- execution records
+- **Trend data**: `src/Doctor/StellaOps.Doctor.Scheduler/Models/TrendDataPoint.cs` -- trend analysis data model
+- **Alert service**: `src/Doctor/StellaOps.Doctor.Scheduler/Services/IAlertService.cs` -- alerting interface for health regressions
+- **Schedule repository**: `src/Doctor/StellaOps.Doctor.Scheduler/Services/IScheduleRepository.cs`
+- **Trend repository**: `src/Doctor/StellaOps.Doctor.Scheduler/Services/ITrendRepository.cs` -- trend data persistence
+- **Scheduler API endpoints**: `src/Doctor/StellaOps.Doctor.Scheduler/Endpoints/SchedulerEndpoints.cs` -- schedule/trend HTTP surface under `/api/v1/doctor/scheduler/*`
+- **In-memory scheduler stores**: `src/Doctor/StellaOps.Doctor.Scheduler/Services/InMemoryScheduleRepository.cs`, `src/Doctor/StellaOps.Doctor.Scheduler/Services/InMemoryTrendRepository.cs`
+- **Options**: `src/Doctor/StellaOps.Doctor.Scheduler/Options/DoctorSchedulerOptions.cs` -- scheduler configuration
+- **Source**: SPRINT_20260118_020_Doctor_scheduled_runs_trending.md
+
+## E2E Test Plan
+- [x] Verify scheduled doctor runs execute at configured intervals
+- [x] Test trend data accumulation over multiple runs
+- [x] Verify alert service triggers on health degradation (error-path alerting observed on downstream API unavailability)
+- [x] Test schedule CRUD operations via repository and runtime API endpoints
+
+## Verification
+Run: run-002 (2026-02-11)
+- Tier 1 build/test passed for `StellaOps.Doctor.Scheduler` and new repository unit coverage (`4/4`).
+- Tier 2 API probes passed for scheduler CRUD, manual execute, and trend endpoints (`14` successful HTTP transactions; no failed probes).
+- Terminal outcome for this dossier: `done`.
+

docs/features/checked/doctor/doctor-yaml-pack-loader-and-first-party-packs.md

@@ -0,0 +1,30 @@
+# Doctor YAML Pack Loader and First-Party Packs
+
+## Module
+Doctor
+
+## Status
+VERIFIED
+
+## Description
+YAML-based diagnostic pack loader allowing first-party and user-defined diagnostic packs, with a self-service Doctor UI page for running health checks interactively.
+
+## Implementation Details
+- **Plugin core**: `src/Doctor/__Plugins/StellaOps.Doctor.Plugins.Core/IDoctorPlugin.cs` -- plugin interface for pack loading
+- **First-party packs**: 14+ doctor plugins under `src/Doctor/__Plugins/` covering Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment, EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release, Scanner, Storage, Timestamping, Vex
+- **WebService**: `src/Doctor/StellaOps.Doctor.WebService/` -- web service for Doctor UI and API
+- **Doctor endpoints**: `src/Doctor/StellaOps.Doctor.WebService/Endpoints/DoctorEndpoints.cs` -- API for loading and running packs
+- **Doctor service options**: `src/Doctor/StellaOps.Doctor.WebService/Options/DoctorServiceOptions.cs` -- configuration including pack paths
+- **Web UI**: `src/Web/StellaOps.Web/src/app/features/doctor/` -- self-service Doctor UI page
+- **Source**: SPRINT_20260113_005_DOCTOR
+
+## E2E Test Plan
+- [ ] Verify YAML pack loading discovers and registers all first-party packs
+- [ ] Test custom/user-defined pack loading from configured paths
+- [ ] Verify Doctor UI page allows interactive check execution
+- [ ] Test pack results display correctly in UI
+
+## Verification
+- Run: docs/qa/feature-checks/runs/doctor/doctor-yaml-pack-loader-and-first-party-packs/run-001/
+- Date (UTC): 2026-02-11
+

docs/features/checked/feedser/epss-signal-ready-layer.md

@@ -0,0 +1,58 @@
+# EPSS Signal-Ready Layer (Tenant-Scoped Actionable Events)
+
+## Module
+Feedser
+
+## Status
+VERIFIED
+
+## Description
+EPSS signal emission pipeline with change detection, signal flow integration, and signal attaching to risk evaluations. EPSS evidence feeds into the policy determinization scoring system.
+
+## Implementation Details
+- **EPSS Signal Attacher**: `src/Feedser/StellaOps.Feedser.Core/Signals/EpssSignalAttacher.cs` (implements `ISignalAttacher`) -- attaches EPSS probability scores to findings as risk signals, enabling downstream policy evaluation and scoring.
+- **KEV Signal Attacher**: `src/Feedser/StellaOps.Feedser.Core/Signals/KevSignalAttacher.cs` (implements `ISignalAttacher`) -- attaches CISA Known Exploited Vulnerabilities (KEV) status signals to findings.
+- **Signal Attacher Interface**: `src/Feedser/StellaOps.Feedser.Core/Signals/ISignalAttacher.cs` -- contract for signal attachment implementations.
+- **Signal DI Extensions**: `src/Feedser/StellaOps.Feedser.Core/Signals/SignalAttacherServiceExtensions.cs` -- registers `EpssSignalAttacher` and `KevSignalAttacher` in the DI container.
+- **Function Signature Extractor**: `src/Feedser/StellaOps.Feedser.Core/FunctionSignatureExtractor.cs` -- extracts function signatures from patch data for vulnerability correlation.
+- **Hunk Signature Extractor**: `src/Feedser/StellaOps.Feedser.Core/HunkSigExtractor.cs` -- extracts patch hunk signatures for binary-level vulnerability matching.
+- **Patch Signature Model**: `src/Feedser/StellaOps.Feedser.Core/Models/PatchSignature.cs` -- model for extracted patch signatures.
+- **Binary Fingerprinting**: `src/Feedser/StellaOps.Feedser.BinaryAnalysis/BinaryFingerprintFactory.cs` -- factory for creating binary fingerprints using multiple strategies.
+- **Fingerprinters**: `src/Feedser/StellaOps.Feedser.BinaryAnalysis/Fingerprinters/InstructionHashFingerprinter.cs` (instruction-level hashing), `SimplifiedTlshFingerprinter.cs` (TLSH fuzzy hashing).
+- **Binary Fingerprint Model**: `src/Feedser/StellaOps.Feedser.BinaryAnalysis/Models/BinaryFingerprint.cs` -- model for binary fingerprint data.
+- **Tests**: `src/Feedser/__Tests/StellaOps.Feedser.Core.Tests/Signals/EpssSignalAttacherTests.cs`, `src/Feedser/__Tests/StellaOps.Feedser.Core.Tests/FunctionSignatureExtractorTests.cs`, `HunkSigExtractorTests.cs`; `src/Feedser/__Tests/StellaOps.Feedser.BinaryAnalysis.Tests/BinaryFingerprintTests.cs`
+
+## E2E Test Plan
+- [x] Attach an EPSS signal to a finding via `EpssSignalAttacher` and verify the EPSS probability score is available in the finding's signal set
+- [x] Attach a KEV signal and verify the finding is marked as a known exploited vulnerability
+- [x] Verify signal change detection: attach an EPSS signal, update the EPSS score, and confirm only the changed signal triggers a re-evaluation event
+- [x] Extract function signatures from a patch file and verify they match expected signatures for the patched functions
+- [x] Generate a binary fingerprint using `InstructionHashFingerprinter` and verify it produces a deterministic hash for the same binary input
+- [x] Generate a TLSH fingerprint via `SimplifiedTlshFingerprinter` and verify it produces a similarity-preserving hash that detects near-duplicate binaries
+
+## Verification
+- **Verified**: 2026-02-11
+- **Method**: Tier 0 source verification + Tier 1 build/test + Tier 2d integration replay
+- **Build/Test**: PASS
+  - `dotnet test src/Feedser/__Tests/StellaOps.Feedser.Core.Tests/StellaOps.Feedser.Core.Tests.csproj -c Release --nologo`
+  - `dotnet test src/Feedser/__Tests/StellaOps.Feedser.BinaryAnalysis.Tests/StellaOps.Feedser.BinaryAnalysis.Tests.csproj -c Release --nologo`
+- **Tests**: 102/102 passing
+- **Tier 0 Evidence**: `docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-001/tier0-source-check.json`
+- **Tier 1 Evidence**: `docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-001/tier1-build-check.json`
+- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-001/tier2-integration-check.json`
+
+## Recheck (Run-002)
+- **Rechecked**: 2026-02-11
+- **Method**: Tier 0 source verification + Tier 1 build/test + strict Tier 2 command-line harness replay
+- **Build/Test**: PASS
+- `dotnet build src/Feedser/StellaOps.Feedser.Core/StellaOps.Feedser.Core.csproj -c Release --nologo`
+- `dotnet test src/Feedser/__Tests/StellaOps.Feedser.Core.Tests/StellaOps.Feedser.Core.Tests.csproj -c Release --nologo`
+- `dotnet test src/Feedser/__Tests/StellaOps.Feedser.BinaryAnalysis.Tests/StellaOps.Feedser.BinaryAnalysis.Tests.csproj -c Release --nologo`
+- **Tests**: 107/107 passing (includes new `KevSignalAttacher` coverage)
+- **Tier 2 Behavior**:
+- Positive path: EPSS/KEV lookups return available signals for known CVEs.
+- Negative path: EPSS returns `NotFound` and KEV returns `IsInKev=false` for unknown CVEs.
+- Determinism path: repeated hunk/fingerprint extraction yields identical hashes and fingerprint values.
+- **Tier 0 Evidence**: `docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-002/tier0-source-check.json`
+- **Tier 1 Evidence**: `docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-002/tier1-build-check.json`
+- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/feedser/epss-signal-ready-layer/run-002/tier2-integration-check.json`

docs/features/checked/findings/findings-ledger-with-append-only-events.md

@@ -0,0 +1,33 @@
+# Findings Ledger with Append-Only Events
+
+## Module
+Findings
+
+## Status
+IMPLEMENTED
+
+## Description
+Findings Ledger with event write service, event constants, integration tests, and contract tests for append-only event persistence.
+
+## Implementation Details
+- **Ledger Event Write Service**: `src/Findings/StellaOps.Findings.Ledger/Services/LedgerEventWriteService.cs` -- core service that appends immutable events to the findings ledger; each event has a unique chain ID, timestamp, event type, actor, and JSON payload.
+- **Ledger Event Models**: `src/Findings/StellaOps.Findings.Ledger/Domain/LedgerEventModels.cs` -- domain models for ledger events including event type, payload, and metadata.
+- **Ledger Event Constants**: `src/Findings/StellaOps.Findings.Ledger/Domain/LedgerEventConstants.cs` -- event type constants (e.g., FindingCreated, VexStatusChanged, PolicyEvaluated, DecisionRecorded).
+- **Ledger Chain ID Generator**: `src/Findings/StellaOps.Findings.Ledger/Domain/LedgerChainIdGenerator.cs` -- generates content-addressed chain IDs linking events to their predecessors for tamper detection.
+- **Evidence Reference**: `src/Findings/StellaOps.Findings.Ledger/Domain/EvidenceReference.cs` -- references to evidence artifacts attached to ledger events.
+- **Ledger Event Repository Interface**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/ILedgerEventRepository.cs` -- persistence contract for ledger events.
+- **Ledger Event Stream Interface**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/ILedgerEventStream.cs` -- streaming interface for replaying event sequences.
+- **Postgres Ledger Event Repository**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Postgres/PostgresLedgerEventRepository.cs` -- PostgreSQL implementation of the event repository with append-only guarantees.
+- **Postgres Ledger Event Stream**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Postgres/PostgresLedgerEventStream.cs` -- PostgreSQL event stream for replay and projection.
+- **In-Memory Ledger Event Repository**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/InMemory/InMemoryLedgerEventRepository.cs` -- in-memory implementation for testing.
+- **Ledger Event Request/Response**: `src/Findings/StellaOps.Findings.Ledger.WebService/Contracts/LedgerEventRequest.cs`, `LedgerEventResponse.cs` -- API DTOs for event submission and retrieval.
+- **Ledger Event Mapping**: `src/Findings/StellaOps.Findings.Ledger.WebService/Mappings/LedgerEventMapping.cs` -- maps between domain events and API DTOs.
+- **Tests**: `src/Findings/StellaOps.Findings.Ledger.Tests/FindingsLedgerIntegrationTests.cs`, `FindingsLedgerWebServiceContractTests.cs`, `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/LedgerEventWriteServiceTests.cs`, `src/Findings/StellaOps.Findings.Ledger.Tests/Infrastructure/InMemoryLedgerEventRepositoryTests.cs`
+
+## E2E Test Plan
+- [ ] Submit a finding event via the REST API and verify it is persisted in the ledger with a valid chain ID linking to the previous event
+- [ ] Verify append-only guarantee: attempt to modify or delete an existing ledger event and confirm the operation is rejected
+- [ ] Submit multiple events in sequence and verify the chain IDs form a valid hash chain (each event's chain ID includes the previous event's hash)
+- [ ] Replay the event stream and verify all events are returned in chronological order with correct payloads
+- [ ] Verify contract tests: submit events with all defined event types from `LedgerEventConstants` and verify each produces a valid response
+- [ ] Verify the in-memory repository passes the same test suite as the PostgreSQL repository

docs/features/checked/findings/ledger-replay-determinism.md

@@ -0,0 +1,36 @@
+# Ledger Replay Determinism
+
+## Module
+Findings
+
+## Status
+VERIFIED
+
+## Description
+Replay determinism verification with dedicated tests and a replay harness tool for offline validation.
+
+## Implementation Details
+- **Ledger Replay Harness**: `src/Findings/StellaOps.Findings.Ledger/tools/LedgerReplayHarness/` -- offline tool for replaying ledger event sequences and verifying determinism. Key files: `Program.cs` (CLI entry point), `HarnessFixtureReader.cs` (loads event fixtures from files), `HarnessDraftParser.cs` (parses draft event formats), `HarnessMath.cs` (statistical verification of replay results), `HarnessFixtureException.cs` (fixture parsing errors).
+- **Standalone Replay Harness**: `src/Findings/tools/LedgerReplayHarness/` -- standalone version with additional infrastructure. Key files: `HarnessRunner.cs` (orchestrates replay execution), `HarnessFixtureEntry.cs` (fixture entry model), `HarnessFixtureReader.cs`, `HarnessStats.cs` (statistics), `MerkleCalculator.cs` (verifies Merkle hashes during replay), `TaskThrottler.cs` (controls concurrency), `ILedgerClient.cs` and `InMemoryLedgerClient.cs` (ledger client abstraction for replay).
+- **Ledger Hashing**: `src/Findings/StellaOps.Findings.Ledger/Hashing/LedgerHashing.cs` -- computes deterministic hashes of ledger events for replay verification.
+- **Ledger Canonical JSON Serializer**: `src/Findings/StellaOps.Findings.Ledger/Hashing/LedgerCanonicalJsonSerializer.cs` -- canonical JSON serialization ensuring identical byte output regardless of property ordering.
+- **Hash Utilities**: `src/Findings/StellaOps.Findings.Ledger/Hashing/HashUtilities.cs` -- SHA-256 hashing utilities for deterministic event hashing.
+- **Projection Hashing**: `src/Findings/StellaOps.Findings.Ledger/Hashing/ProjectionHashing.cs` -- verifies projection state determinism after replay.
+- **Tests**: `src/Findings/StellaOps.Findings.Ledger.Tests/LedgerReplayDeterminismTests.cs`, `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/HarnessRunnerTests.cs`, `src/Findings/__Tests/StellaOps.Findings.Ledger.ReplayHarness.Tests/HarnessFixtureReaderTests.cs`, `HarnessMathTests.cs`, `src/Findings/__Tests/StellaOps.Findings.Tools.LedgerReplayHarness.Tests/HarnessFixtureReaderTests.cs`, `HarnessRunnerTests.cs`
+
+## E2E Test Plan
+- [x] Run the ledger replay harness against a fixture file and verify the replay produces identical ledger hashes to the original execution
+- [x] Replay the same event sequence 10 times and verify all runs produce identical projection hashes (statistical determinism)
+- [x] Modify a single event payload in a fixture and verify the replay harness detects the hash mismatch and reports it as a determinism violation
+- [x] Verify Merkle hash consistency: replay events and confirm `MerkleCalculator` produces the same Merkle root as the original anchoring
+- [x] Verify canonical JSON serialization: serialize the same event with different property orderings and confirm `LedgerCanonicalJsonSerializer` produces identical byte output
+- [x] Verify the `HarnessFixtureReader` correctly loads fixtures from both draft and final formats
+
+## Verification
+Run: run-002 (2026-02-11)
+- Tier 0 source verification passed for replay-harness, hashing, and determinism test assets.
+- Tier 1 build/tests passed across Findings ledger + replay harness projects and focused determinism suites.
+- Tier 2 behavioral verification passed using both integration tests and direct CLI harness execution:
+  - positive fixture replay returned exit 0 with report status=pass
+  - hash-mismatch fixture replay returned exit 1 with report status=fail
+- Terminal outcome: done.

docs/features/checked/findings/merkle-anchoring-for-audit-integrity.md

@@ -0,0 +1,33 @@
+# Merkle Anchoring for Audit Integrity
+
+## Module
+Findings
+
+## Status
+VERIFIED
+
+## Description
+Dedicated Merkle anchor worker that periodically anchors ledger events to Merkle trees for tamper-evident audit integrity.
+
+## Implementation Details
+- **Merkle Anchor Worker**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Merkle/LedgerMerkleAnchorWorker.cs` -- background worker that periodically collects unanchored ledger events, builds a Merkle tree, and stores the anchor (root hash, tree size, event range).
+- **Merkle Tree Builder**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Merkle/MerkleTreeBuilder.cs` -- builds Merkle trees from ledger event hashes for tamper-evident anchoring.
+- **Ledger Anchor Queue**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Merkle/LedgerAnchorQueue.cs` -- queues events for periodic Merkle anchoring.
+- **Merkle Anchor Repository Interface**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Merkle/IMerkleAnchorRepository.cs` -- persistence contract for Merkle anchor records.
+- **Postgres Merkle Anchor Repository**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Postgres/PostgresMerkleAnchorRepository.cs` -- PostgreSQL persistence for Merkle anchor data.
+- **Merkle Anchor Scheduler Interface**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/IMerkleAnchorScheduler.cs` -- scheduling contract for anchor operations.
+- **Postgres Merkle Anchor Scheduler**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Merkle/PostgresMerkleAnchorScheduler.cs` -- PostgreSQL-backed anchor scheduling.
+- **Null Merkle Anchor Scheduler**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Merkle/NullMerkleAnchorScheduler.cs` -- no-op scheduler for environments where Merkle anchoring is disabled.
+- **Ledger Hashing**: `src/Findings/StellaOps.Findings.Ledger/Hashing/LedgerHashing.cs` -- computes deterministic hashes of ledger events that become Merkle tree leaves.
+
+## E2E Test Plan
+- [ ] Submit a batch of ledger events, trigger the Merkle anchor worker, and verify a Merkle anchor record is created with the correct root hash and event range
+- [ ] Verify tamper detection: retrieve an anchored event, modify its payload, recompute the Merkle proof, and confirm the proof fails validation against the stored root hash
+- [ ] Verify the Merkle tree builder produces the same root hash when given the same event hashes in the same order
+- [ ] Verify anchor scheduling: configure a 10-second anchor interval and submit events over 30 seconds; confirm at least 3 anchor records are created
+- [ ] Verify the null scheduler correctly disables anchoring without errors when configured
+- [ ] Verify anchor persistence: create anchors, restart the service, and confirm previously stored anchors are retrievable from PostgreSQL
+
+## Verification
+- Verified by QA FLOW run `run-001` on 2026-02-11.
+- Evidence: `docs/qa/feature-checks/runs/findings/merkle-anchoring-for-audit-integrity/run-001/` (Tier 0/1/2 artifacts).

docs/features/checked/gateway/gateway-connection-lifecycle-management.md

@@ -95,3 +95,20 @@ HELLO frame processing for microservice registration, connection lifecycle manag
 - **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/gateway-connection-lifecycle-management/run-012/tier2-integration-check.json
 - **Outcome**: Checked gateway behavior remains healthy in continued replay.
+
+
+## Recheck (Run-013 Module Sweep)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTP replay with fresh request/response evidence + Tier 1 Gateway/Router suite replay.
+- **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/gateway-connection-lifecycle-management/run-013/tier2-api-check.json.
+- **Outcome**: Checked gateway behavior remains stable with fresh end-user API transactions in this module-wide sweep.
+
+## Recheck (Run-014)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTP replay on dedicated local port with fresh evidence capture.
+- **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/gateway-connection-lifecycle-management/run-014/tier2-api-check.json.
+- **Captured Requests**: `/health`, `/metrics`, negative path `/__qa_missing_route__` (404), and correlation-id echo probe.
+- **Outcome**: Connection lifecycle checked behavior remains stable with explicit positive and negative API-path verification.
+

docs/features/checked/gateway/gateway-http-middleware-pipeline.md

@@ -111,3 +111,12 @@ Full HTTP middleware pipeline for the Gateway WebService including endpoint reso
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/gateway-http-middleware-pipeline/run-013/tier2-api-check.json
 - **Captured Requests**: `/health`, `/openapi/v1.json` (404), `/openapi.json`, `/openapi.yaml`, `/.well-known/openapi`, `/metrics`, `/__qa_missing_route__` (404), correlation-id echo on `/health`.
 - **Outcome**: Middleware pipeline behavior revalidated from live user-surface HTTP transactions.
+
+
+## Recheck (Run-013 Module Sweep)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTP replay with fresh request/response evidence + Tier 1 Gateway/Router suite replay.
+- **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/gateway-http-middleware-pipeline/run-013/tier2-api-check.json.
+- **Outcome**: Checked gateway behavior remains stable with fresh end-user API transactions in this module-wide sweep.
+

docs/features/checked/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware.md

@@ -96,3 +96,12 @@ Security middleware that enforces identity header integrity at the Gateway/Route
 - **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware/run-012/tier2-integration-check.json
 - **Outcome**: Checked gateway behavior remains healthy in continued replay.
+
+
+## Recheck (Run-013 Module Sweep)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTP replay with fresh request/response evidence + Tier 1 Gateway/Router suite replay.
+- **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware/run-013/tier2-api-check.json.
+- **Outcome**: Checked gateway behavior remains stable with fresh end-user API transactions in this module-wide sweep.
+

docs/features/checked/gateway/router-authority-claims-integration.md

@@ -95,3 +95,12 @@ VERIFIED
 - **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/router-authority-claims-integration/run-012/tier2-integration-check.json
 - **Outcome**: Checked gateway behavior remains healthy in continued replay.
+
+
+## Recheck (Run-013 Module Sweep)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTP replay with fresh request/response evidence + Tier 1 Gateway/Router suite replay.
+- **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/router-authority-claims-integration/run-013/tier2-api-check.json.
+- **Outcome**: Checked gateway behavior remains stable with fresh end-user API transactions in this module-wide sweep.
+

docs/features/checked/gateway/router-back-pressure-middleware.md

@@ -111,3 +111,12 @@ Rate limiting is present in the Gateway and Graph API services. The advisory's h
 - **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/router-back-pressure-middleware/run-012/tier2-integration-check.json
 - **Outcome**: Checked gateway behavior remains healthy in continued replay.
+
+
+## Recheck (Run-013 Module Sweep)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTP replay with fresh request/response evidence + Tier 1 Gateway/Router suite replay.
+- **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/router-back-pressure-middleware/run-013/tier2-api-check.json.
+- **Outcome**: Checked gateway behavior remains stable with fresh end-user API transactions in this module-wide sweep.
+

docs/features/checked/gateway/router-heartbeat-and-health-monitoring.md

@@ -100,3 +100,20 @@ Heartbeat protocol with configurable intervals, `HealthMonitorService` for stale
 - **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/router-heartbeat-and-health-monitoring/run-012/tier2-integration-check.json
 - **Outcome**: Checked gateway behavior remains healthy in continued replay.
+
+
+## Recheck (Run-013 Module Sweep)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTP replay with fresh request/response evidence + Tier 1 Gateway/Router suite replay.
+- **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/router-heartbeat-and-health-monitoring/run-013/tier2-api-check.json.
+- **Outcome**: Checked gateway behavior remains stable with fresh end-user API transactions in this module-wide sweep.
+
+## Recheck (Run-014)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTP replay on dedicated local port with fresh evidence capture.
+- **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/router-heartbeat-and-health-monitoring/run-014/tier2-api-check.json.
+- **Captured Requests**: `/health`, `/metrics`, negative path `/__qa_missing_route__` (404), and correlation-id echo probe.
+- **Outcome**: Heartbeat/health surfaces remain stable with explicit positive and negative API-path verification.
+

docs/features/checked/gateway/router-payload-size-enforcement.md

@@ -99,3 +99,12 @@ PayloadLimitsMiddleware with per-request, per-connection, and aggregate byte lim
 - **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/router-payload-size-enforcement/run-012/tier2-integration-check.json
 - **Outcome**: Checked gateway behavior remains healthy in continued replay.
+
+
+## Recheck (Run-013 Module Sweep)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTP replay with fresh request/response evidence + Tier 1 Gateway/Router suite replay.
+- **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/router-payload-size-enforcement/run-013/tier2-api-check.json.
+- **Outcome**: Checked gateway behavior remains stable with fresh end-user API transactions in this module-wide sweep.
+

docs/features/checked/gateway/stellarouter-performance-testing-pipeline.md

@@ -99,3 +99,20 @@ Performance testing pipeline with k6 load test scenarios (A-G), correlation ID i
 - **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/stellarouter-performance-testing-pipeline/run-012/tier2-integration-check.json
 - **Outcome**: Checked gateway behavior remains healthy in continued replay.
+
+
+## Recheck (Run-013 Module Sweep)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTP replay with fresh request/response evidence + Tier 1 Gateway/Router suite replay.
+- **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/stellarouter-performance-testing-pipeline/run-013/tier2-api-check.json.
+- **Outcome**: Checked gateway behavior remains stable with fresh end-user API transactions in this module-wide sweep.
+
+## Recheck (Run-014)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTP replay on dedicated local port with fresh evidence capture.
+- **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/stellarouter-performance-testing-pipeline/run-014/tier2-api-check.json.
+- **Captured Requests**: `/health`, `/metrics`, negative path `/__qa_missing_route__` (404), and correlation-id echo probe.
+- **Outcome**: Performance/metrics surfaces remain stable with explicit positive and negative API-path verification.
+

docs/features/checked/graph/graph-analytics-engine.md

@@ -107,3 +107,18 @@ Graph analytics with engine, pipeline, DI extensions, and Postgres persistence f
 - **Tests**: PASS (Graph.Api 66/66, Graph.Indexer 37/37, Graph.Indexer.Persistence 17/17; total 120/120).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-analytics-engine/run-012/tier2-integration-check.json
 - **Outcome**: Checked graph behavior remains healthy in continued replay.
+
+## Recheck (Run-013)
+- **Verified**: 2026-02-10
+- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
+- **Tests**: PASS (Graph matrix 120/120: Api 66, Indexer 37, Indexer.Persistence 17.)
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-analytics-engine/run-013/tier2-integration-check.json
+- **Outcome**: Checked Graph behavior remains healthy in continued replay.
+
+## Recheck (Run-016)
+- **Verified**: 2026-02-11
+- **Method**: Strict Tier 2 API replay (query/lineage/diff + tenant guard checks) with deterministic Graph suite replay.
+- **Tests**: PASS (`src/Graph/StellaOps.Graph.sln`: 120/120).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-analytics-engine/run-016/tier2-api-check.json
+- **Outcome**: Fresh user-surface replay confirms graph analytics outputs remain queryable through query/lineage/diff endpoints with expected validation semantics.
+

docs/features/checked/graph/graph-edge-metadata-with-reason-evidence-provenance.md

@@ -108,3 +108,18 @@ EdgeReason and CallgraphEdge models exist in Signals with persistence projection
 - **Tests**: PASS (Graph.Api 66/66, Graph.Indexer 37/37, Graph.Indexer.Persistence 17/17; total 120/120).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-edge-metadata-with-reason-evidence-provenance/run-012/tier2-api-check.json
 - **Outcome**: Checked graph behavior remains healthy in continued replay.
+
+## Recheck (Run-013)
+- **Verified**: 2026-02-10
+- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
+- **Tests**: PASS (Graph matrix 120/120: Api 66, Indexer 37, Indexer.Persistence 17.)
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-edge-metadata-with-reason-evidence-provenance/run-013/tier2-integration-check.json
+- **Outcome**: Checked Graph behavior remains healthy in continued replay.
+
+## Recheck (Run-016)
+- **Verified**: 2026-02-11
+- **Method**: Strict Tier 2 API replay for edge metadata routes (known edge, unknown edge, by-reason, auth/scope guards).
+- **Tests**: PASS (`src/Graph/StellaOps.Graph.sln`: 120/120).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-edge-metadata-with-reason-evidence-provenance/run-016/tier2-api-check.json
+- **Outcome**: Fresh live evidence confirms explanation payloads plus 404/401/403 guard behavior at the API boundary.
+

docs/features/checked/graph/graph-explorer-api-with-streaming-tiles.md

@@ -102,3 +102,18 @@ Graph query and visualization API providing streaming tile-based graph rendering
 - **Tests**: PASS (Graph.Api 66/66, Graph.Indexer 37/37, Graph.Indexer.Persistence 17/17; total 120/120).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-explorer-api-with-streaming-tiles/run-012/tier2-api-check.json
 - **Outcome**: Checked graph behavior remains healthy in continued replay.
+
+## Recheck (Run-013)
+- **Verified**: 2026-02-10
+- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
+- **Tests**: PASS (Graph matrix 120/120: Api 66, Indexer 37, Indexer.Persistence 17.)
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-explorer-api-with-streaming-tiles/run-013/tier2-integration-check.json
+- **Outcome**: Checked Graph behavior remains healthy in continued replay.
+
+## Recheck (Run-016)
+- **Verified**: 2026-02-11
+- **Method**: Strict Tier 2 API replay for search/query/export/download explorer flows with tenant-isolation negatives.
+- **Tests**: PASS (`src/Graph/StellaOps.Graph.sln`: 120/120).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-explorer-api-with-streaming-tiles/run-016/tier2-api-check.json
+- **Outcome**: Fresh live transactions verify streaming tile responses and export artifact retrieval while preserving tenant guards.
+

docs/features/checked/graph/graph-indexer-clustering-and-centrality-background-jobs.md

@@ -96,3 +96,18 @@ Background hosted service that runs graph analytics (Louvain community detection
 - **Tests**: PASS (Graph.Api 66/66, Graph.Indexer 37/37, Graph.Indexer.Persistence 17/17; total 120/120).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-indexer-clustering-and-centrality-background-jobs/run-012/tier2-integration-check.json
 - **Outcome**: Checked graph behavior remains healthy in continued replay.
+
+## Recheck (Run-013)
+- **Verified**: 2026-02-10
+- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
+- **Tests**: PASS (Graph matrix 120/120: Api 66, Indexer 37, Indexer.Persistence 17.)
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-indexer-clustering-and-centrality-background-jobs/run-013/tier2-integration-check.json
+- **Outcome**: Checked Graph behavior remains healthy in continued replay.
+
+## Recheck (Run-016)
+- **Verified**: 2026-02-11
+- **Method**: Strict Tier 2 API replay validating clustered graph traversal/query/diff surfaces and scope enforcement.
+- **Tests**: PASS (`src/Graph/StellaOps.Graph.sln`: 120/120).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-indexer-clustering-and-centrality-background-jobs/run-016/tier2-api-check.json
+- **Outcome**: Fresh user-surface evidence shows clustering/centrality outputs remain operationally consumable via graph APIs.
+

docs/features/checked/graph/graph-indexer-incremental-update-pipeline.md

@@ -105,3 +105,18 @@ Change-stream processor for incremental graph updates, consuming SBOM/scan event
 - **Tests**: PASS (Graph.Api 66/66, Graph.Indexer 37/37, Graph.Indexer.Persistence 17/17; total 120/120).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-indexer-incremental-update-pipeline/run-012/tier2-integration-check.json
 - **Outcome**: Checked graph behavior remains healthy in continued replay.
+
+## Recheck (Run-013)
+- **Verified**: 2026-02-10
+- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
+- **Tests**: PASS (Graph matrix 120/120: Api 66, Indexer 37, Indexer.Persistence 17.)
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-indexer-incremental-update-pipeline/run-013/tier2-integration-check.json
+- **Outcome**: Checked Graph behavior remains healthy in continued replay.
+
+## Recheck (Run-016)
+- **Verified**: 2026-02-11
+- **Method**: Strict Tier 2 API replay for incremental-update surfaces (diff, lineage, path, export) with validation negatives.
+- **Tests**: PASS (`src/Graph/StellaOps.Graph.sln`: 120/120).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-indexer-incremental-update-pipeline/run-016/tier2-api-check.json
+- **Outcome**: Fresh end-user replay verifies incremental graph updates remain externally observable through diff/lineage/export APIs.
+

docs/features/checked/graph/graph-overlay-system.md

@@ -99,3 +99,18 @@ Overlay system with exporter, in-memory overlay service, and tests for layering
 - **Tests**: PASS (Graph.Api 66/66, Graph.Indexer 37/37, Graph.Indexer.Persistence 17/17; total 120/120).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-overlay-system/run-012/tier2-api-check.json
 - **Outcome**: Checked graph behavior remains healthy in continued replay.
+
+## Recheck (Run-013)
+- **Verified**: 2026-02-10
+- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
+- **Tests**: PASS (Graph matrix 120/120: Api 66, Indexer 37, Indexer.Persistence 17.)
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-overlay-system/run-013/tier2-integration-check.json
+- **Outcome**: Checked Graph behavior remains healthy in continued replay.
+
+## Recheck (Run-016)
+- **Verified**: 2026-02-11
+- **Method**: Strict Tier 2 API replay with overlay-enabled query stream plus search/path and tenant-guard validation.
+- **Tests**: PASS (`src/Graph/StellaOps.Graph.sln`: 120/120).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-overlay-system/run-016/tier2-api-check.json
+- **Outcome**: Fresh user-surface evidence confirms overlay payloads remain present on query tiles and service contracts hold under negative paths.
+

docs/features/checked/graph/graph-query-and-search-api.md

@@ -103,3 +103,17 @@ Graph API with query, search, and path services for traversing and querying depe
 - **Tests**: PASS (Graph.Api 66/66, Graph.Indexer 37/37, Graph.Indexer.Persistence 17/17; total 120/120).
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-query-and-search-api/run-012/tier2-api-check.json
 - **Outcome**: Checked graph behavior remains healthy in continued replay.
+
+## Recheck (Run-013)
+- **Verified**: 2026-02-10
+- **Method**: Tier 2d deterministic integration replay with fresh command-output evidence.
+- **Tests**: PASS (Graph matrix 120/120: Api 66, Indexer 37, Indexer.Persistence 17.)
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/graph/graph-query-and-search-api/run-013/tier2-integration-check.json
+- **Outcome**: Checked Graph behavior remains healthy in continued replay.
+
+## Recheck (Run-016)
+- **Verified**: 2026-02-11
+- **Method**: Strict Tier 2 API replay against live Graph API (`https://127.0.0.1:10200`) with fresh request/response captures.
+- **Tests**: PASS (Graph solution replay 120/120: Api 66, Indexer 37, Indexer.Persistence 17).
+- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/graph/graph-query-and-search-api/run-016/tier2-api-check.json`
+- **Outcome**: Query/search positive paths returned non-empty NDJSON data (search 3 rows, query 4 rows), and negative guards remained correct for missing auth/scope/tenant (401/403/400).

docs/features/checked/mirror/mirror-creator.md

@@ -0,0 +1,33 @@
+# Mirror Creator
+
+## Module
+Mirror
+
+## Status
+VERIFIED
+
+## Description
+Mirror Creator provides deterministic mirror planning primitives in `src/Mirror/`, including source registration, stable plan generation, and incremental cursor progression. The module currently exposes a core library/test surface rather than a full networked mirror runtime.
+
+## What's Implemented
+- **Core service contract**: `src/Mirror/StellaOps.Mirror.Creator/IMirrorCreatorService.cs` defines source upsert/listing, deterministic plan creation, and sync-result recording operations.
+- **Deterministic planning service**: `src/Mirror/StellaOps.Mirror.Creator/InMemoryMirrorCreatorService.cs` implements normalized IDs, sorted source ordering, stable plan hashing, deterministic output path formatting, and incremental cursor state transitions.
+- **Models and options**: `src/Mirror/StellaOps.Mirror.Creator/MirrorModels.cs` and `src/Mirror/StellaOps.Mirror.Creator/MirrorCreatorOptions.cs` define content kinds, sync modes, plan/result records, and formatting helpers.
+- **DI registration**: `src/Mirror/StellaOps.Mirror.Creator/MirrorServiceCollectionExtensions.cs` wires service registration for consumers.
+- **Behavioral tests**: `src/Mirror/__Tests/StellaOps.Mirror.Creator.Core.Tests/MirrorCreatorServiceTests.cs` verifies deterministic plan IDs/order, incremental mode transition, DI registration, and unknown-plan rejection semantics.
+
+## What's Missing
+- **Standalone Mirror API/runtime**: No dedicated HTTP service endpoints for mirror source management or plan execution in `src/Mirror/`.
+- **Execution telemetry and progress tracking**: No persisted job/status tracking for active mirror operations beyond in-memory cursor recording.
+- **Attestation/export orchestration**: No mirror-specific attestation emission pipeline in this module; broader offline/export capabilities remain primarily under `src/AirGap/`.
+
+## Related Documentation
+- AirGap module (broader offline mirroring scope): `src/AirGap/`
+- Golden Pairs mirror pattern reference: `src/Tools/GoldenPairs/Services/PackageMirrorService.cs`
+
+## Verification
+- Verified on 2026-02-11 via FLOW Tier 0/1/2 loop.
+- Tier 0 source check: `docs/qa/feature-checks/runs/mirror/mirror-creator/run-002/tier0-source-check.json` (`partial` due stale legacy path in feature text; core Mirror paths verified).
+- Tier 1 build + tests: `docs/qa/feature-checks/runs/mirror/mirror-creator/run-002/tier1-build-check.json` (build pass, tests 4/4).
+- Tier 2 behavioral integration: `docs/qa/feature-checks/runs/mirror/mirror-creator/run-002/tier2-integration-check.json` (tests 4/4, including positive and negative semantics).
+- Failure loop closure: initial run-001 failed due command-capture environment handling and was triaged/confirmed before retest pass (`run-001/triage.json`, `run-001/confirmation.json`, `run-002/retest-result.json`).

docs/features/checked/notifier/ack-tokens-for-approval-workflows.md

@@ -0,0 +1,41 @@
+# Ack Tokens for Approval Workflows
+
+## Module
+Notifier
+
+## Status
+VERIFIED
+
+## Description
+HMAC-based ack token service with bridge integration for acknowledgement workflows. Note: uses HMAC rather than DSSE-signed tokens as described in the advisory.
+
+## Implementation Details
+- **IAckTokenService interface**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Security/IAckTokenService.cs` -- `CreateToken`, `VerifyToken`, `CreateAckUrl` for signed acknowledgement tokens with configurable expiration and metadata
+- **HmacAckTokenService**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Security/HmacAckTokenService.cs` -- HMAC-SHA256 implementation with HKDF key derivation, `soa1` token prefix, versioned token format, configurable signing key
+- **IAckBridge interface**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Escalation/IAckBridge.cs` -- bridge between ack tokens and escalation engine
+- **AckBridge**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Escalation/AckBridge.cs` -- processes ack requests, maps external IDs to internal incident IDs, integrates with `IEscalationEngine` and `IIncidentManager`, supports audit logging
+- **SecurityContracts**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Contracts/SecurityContracts.cs` -- ack token request/response DTOs
+- **PackApprovalAckRequest**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Contracts/PackApprovalAckRequest.cs` -- pack approval ack request model
+- **EscalationEndpoints**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Endpoints/EscalationEndpoints.cs` -- REST endpoints for ack token processing
+- **SecurityEndpoints**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Endpoints/SecurityEndpoints.cs` -- security-related endpoints
+- **Tests**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService.Tests/Escalation/AckBridgeTests.cs`
+- **OpenAPI**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/openapi/pack-approvals.yaml`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify HMAC ack token creation with configurable expiration (default 7 days)
+- [ ] Test token verification rejects expired, tampered, or malformed tokens
+- [ ] Verify AckBridge routes ack actions (ack, resolve, escalate) to escalation engine
+- [ ] Test ack URL generation and round-trip verification
+- [ ] Verify pack approval ack workflow through EscalationEndpoints
+- [ ] Test audit logging of ack processing events
+
+## Verification
+- Verified on 2026-02-11 with `run-001`.
+- Tier 0 source checks passed for ack token service, ack bridge, security/escalation endpoints, request contracts, and OpenAPI surface.
+- Tier 1 build and focused behavior tests passed (`10/10` class-scoped, `505/505` full suite).
+- Tier 2 API behavior checks passed using Notifier test-host routes for pack approval ack flows (positive + negative) and token verification behavior evidence.
+- Evidence:
+  - `docs/qa/feature-checks/runs/notifier/ack-tokens-for-approval-workflows/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/notifier/ack-tokens-for-approval-workflows/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/notifier/ack-tokens-for-approval-workflows/run-001/tier2-api-check.json`

docs/features/checked/notifier/digest-windows-and-throttling.md

@@ -0,0 +1,44 @@
+# Digest Windows and Throttling
+
+## Module
+Notifier
+
+## Status
+VERIFIED
+
+## Description
+Digest generation for coalescing notifications within configurable time windows.
+
+## Implementation Details
+- **INotifyThrottler interface**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/NotifyThrottler.cs` -- `RecordEventAsync`, `CheckAsync` (with configurable window/maxEvents), `ClearAsync` for per-key throttle management
+- **InMemoryNotifyThrottler**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/NotifyThrottler.cs` -- in-memory sliding window throttler with `ConcurrentDictionary<string, ThrottleState>`, `ThrottlerOptions` for default window/max
+- **IThrottleConfigService**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/IThrottleConfigService.cs` -- per-tenant throttle configuration
+- **ThrottleConfigService**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/ThrottleConfigService.cs` -- resolves throttle windows per event kind
+- **ThrottleConfigurationService**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/ThrottleConfigurationService.cs` -- advanced throttle configuration management
+- **QuietHoursServiceExtensions**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/QuietHoursServiceExtensions.cs` -- quiet hours integration with throttling
+- **ThrottleEndpoints**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Endpoints/ThrottleEndpoints.cs` -- REST API for throttle configuration
+- **QuietHoursContracts**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Contracts/QuietHoursContracts.cs` -- quiet hours request/response models
+- **IOperatorOverrideService**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/IOperatorOverrideService.cs` -- operator override for throttle bypass
+- **OperatorOverrideService**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/OperatorOverrideService.cs` -- operator override implementation
+- **OperatorOverrideEndpoints**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Endpoints/OperatorOverrideEndpoints.cs` -- REST API for operator overrides
+- **Tests**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/Correlation/NotifyThrottlerTests.cs`, `ThrottleConfigServiceTests.cs`, `ThrottleConfigurationServiceTests.cs`, `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/Endpoints/SuppressionEndpointsTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [x] Verify sliding window throttling suppresses notifications exceeding maxEvents within window
+- [x] Test per-tenant throttle configuration via ThrottleEndpoints API
+- [x] Verify quiet hours suppress notifications during configured periods
+- [x] Test operator override allows bypassing throttle for specific keys
+- [x] Verify throttle state clears after incident resolution
+- [ ] Test throttle configuration persists across service restarts
+
+## Verification
+- Verified on 2026-02-11 with `run-002`.
+- Tier 0 source checks passed for throttler, throttle configuration, quiet-hours, and operator override services/endpoints.
+- Tier 1 passed after fixing missing DI registrations that made `/api/v2/throttles`, `/api/v2/quiet-hours`, and `/api/v2/overrides` unusable at runtime; focused suppression suite passed (`53/53`) and full Notifier suite passed (`513/513`).
+- Tier 2 API behavior checks passed for positive and negative user flows across throttle config round-trip, delete fallback, quiet-hours evaluation, override bypass checks, and throttle clear lifecycle behavior.
+- Note: throttle/quiet-hours configuration is currently in-memory and not guaranteed to persist across process restarts.
+- Evidence:
+  - `docs/qa/feature-checks/runs/notifier/digest-windows-and-throttling/run-002/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/notifier/digest-windows-and-throttling/run-002/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/notifier/digest-windows-and-throttling/run-002/tier2-api-check.json`

docs/features/checked/notifier/multi-channel-delivery.md

@@ -0,0 +1,45 @@
+# Multi-Channel Delivery (Slack, Teams, Email, Webhooks)
+
+## Module
+Notifier
+
+## Status
+VERIFIED
+
+## Description
+Multi-channel notification delivery with Slack, Webhook connectors (and PagerDuty in Notifier), with snapshot testing and error handling.
+
+## Implementation Details
+- **IChannelAdapter interface**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Channels/IChannelAdapter.cs` -- `DispatchAsync` and `CheckHealthAsync` typed by `NotifyChannelType`.
+- **ChannelAdapterFactory**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Channels/ChannelAdapterFactory.cs` -- resolves channel adapters by type.
+- **Slack/Webhook/ChatWebhook adapters**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Channels/SlackChannelAdapter.cs`, `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Channels/WebhookChannelAdapter.cs`, `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Channels/ChatWebhookChannelAdapter.cs`.
+- **PagerDuty/OpsGenie/Email/InApp adapters**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Channels/PagerDutyChannelAdapter.cs`, `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Channels/OpsGenieChannelAdapter.cs`, `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Channels/EmailChannelAdapter.cs`, `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Channels/InAppChannelAdapter.cs`.
+- **WebhookChannelDispatcher**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Dispatch/WebhookChannelDispatcher.cs`.
+- **IWebhookSecurityService**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Security/IWebhookSecurityService.cs`.
+- **IFallbackHandler**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Fallback/IFallbackHandler.cs`.
+- **HttpEgressSloSink**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Processing/HttpEgressSloSink.cs`.
+- **Templates**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/offline/notifier/templates/`.
+- **Tests**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/Channels/WebhookChannelAdapterTests.cs`, `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/Dispatch/WebhookChannelDispatcherTests.cs`, `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/Dispatch/SimpleTemplateRendererTests.cs`, `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/Security/WebhookSecurityServiceTests.cs`, `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/Fallback/FallbackHandlerTests.cs`, `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/HttpEgressSloSinkTests.cs`.
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify Slack channel adapter delivers notifications with Block Kit formatting.
+- [ ] Test webhook channel adapter posts to configured URLs with HMAC signature.
+- [ ] Verify PagerDuty adapter creates incidents with correct severity mapping.
+- [ ] Test OpsGenie adapter creates alerts with priority.
+- [ ] Verify email adapter sends with subject and rendered body.
+- [ ] Test in-app notification adapter records notifications for UI retrieval.
+- [ ] Verify channel health checks detect unreachable endpoints.
+- [ ] Test fallback handler routes to secondary channel on primary failure.
+- [ ] Verify egress SLO tracking records delivery latency.
+
+## Verification
+- Verified on 2026-02-11 with `run-003`.
+- Tier 0 source checks passed for adapter surfaces, dispatcher/security/fallback interfaces, template assets, and test coverage points.
+- Tier 1 build + tests passed (builds green; full Notifier suite `520/520`).
+- Tier 2 behavioral checks passed (`48/48`) across webhook adapter behavior, dispatcher flows, fallback routing, egress SLO publication, and identity alert multi-channel rendering.
+- Evidence:
+  - `docs/qa/feature-checks/runs/notifier/multi-channel-delivery/run-003/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/notifier/multi-channel-delivery/run-003/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/notifier/multi-channel-delivery/run-003/tier2-integration-check.json`
+  - `docs/qa/feature-checks/runs/notifier/multi-channel-delivery/run-003/retest-result.json`

docs/features/checked/notifier/notification-correlation-engine.md

@@ -0,0 +1,43 @@
+# Notification Correlation Engine
+
+## Module
+Notifier
+
+## Status
+VERIFIED
+
+## Description
+Correlates related notification events across time windows to reduce noise and group related alerts, preventing notification storms during large-scale vulnerability disclosures or policy changes.
+
+## Implementation Details
+- **ICorrelationEngine interface**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/ICorrelationEngine.cs` -- `CorrelateAsync` for event correlation.
+- **CorrelationEngine**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/CorrelationEngine.cs` -- orchestrates correlation key building, incident management, throttling, and quiet hours evaluation.
+- **ICorrelationKeyBuilder**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/ICorrelationKeyBuilder.cs` -- builds correlation keys from events.
+- **ICorrelationKeyEvaluator**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/ICorrelationKeyEvaluator.cs` -- evaluates correlation key expressions.
+- **DefaultCorrelationKeyEvaluator**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/DefaultCorrelationKeyEvaluator.cs` -- default key evaluator implementation.
+- **IncidentManager**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/IncidentManager.cs` -- creates and manages incidents from correlated events.
+- **NotifyIncident**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/NotifyIncident.cs` -- incident model.
+- **CorrelationServiceExtensions**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Correlation/CorrelationServiceExtensions.cs` -- DI registration for correlation services.
+- **NotifierEventProcessor**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Processing/NotifierEventProcessor.cs` -- integrates correlation engine into event processing pipeline.
+- **Tests**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/Correlation/CorrelationEngineTests.cs`, `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/Correlation/IncidentManagerTests.cs`.
+- **Source**: SPRINT_0172_0001_0002_notifier_ii.md
+
+## E2E Test Plan
+- [ ] Verify events with same correlation key are grouped into a single incident.
+- [ ] Test time-window-based correlation correctly groups events within window.
+- [ ] Verify throttling suppresses repeat notifications for same incident.
+- [ ] Test quiet hours evaluation defers notifications during configured periods.
+- [ ] Verify new incidents are created when correlation window expires.
+- [ ] Test correlation key building for different event kinds (CVE, policy, attestation).
+
+## Verification
+- Re-verified on 2026-02-11 with fresh `run-002`.
+- Tier 0 source checks passed for correlation interfaces/services, incident model, processor integration, and test surfaces.
+- Tier 1 build + tests passed (`521/521`) with code-review parity confirming correlation pipeline stages and service wiring.
+- Tier 2 behavioral checks passed (`86/86`) across correlation engine decisions, incident lifecycle behavior, throttling windows, quiet-hours suppression, correlation key composition, and incident API interactions.
+- Runtime gap fixed during verification: Notifier WebService startup DI was missing `IIncidentManager` and `ICryptoHmac` registrations; `Program.cs` now registers correlation services and HMAC crypto, and `StartupDependencyWiringTests` guards the wiring path.
+- Evidence:
+  - `docs/qa/feature-checks/runs/notifier/notification-correlation-engine/run-002/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/notifier/notification-correlation-engine/run-002/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/notifier/notification-correlation-engine/run-002/tier2-integration-check.json`
+  - `docs/qa/feature-checks/runs/notifier/notification-correlation-engine/run-002/tier2-api-check.json`

docs/features/checked/notifier/notification-digest-generator.md

@@ -0,0 +1,27 @@
+# Notification Digest Generator
+
+## Module
+Notifier
+
+## Status
+IMPLEMENTED
+
+## Description
+Configurable digest aggregation that batches notifications into scheduled summary digests (hourly/daily/weekly) with customizable grouping and priority thresholds.
+
+## Implementation Details
+- **IDigestGenerator interface**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Digest/IDigestGenerator.cs` -- `GenerateAsync` and `PreviewAsync` for producing digest reports
+- **DigestGenerator**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Digest/DigestGenerator.cs` -- default implementation; queries IncidentManager for events in time range, produces `DigestResult` with `DigestId`, `TotalIncidentCount`, and `Summary.TotalEvents`; supports preview mode
+- **DigestScheduleRunner**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Digest/DigestScheduleRunner.cs` -- `BackgroundService` that runs digest generation on configured schedules; uses `IDigestDistributor` to deliver digests, `IDigestTenantProvider` for multi-tenant support; configurable via `DigestScheduleOptions.Enabled` and `Schedules`
+- **DigestTypes**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Digest/DigestTypes.cs` -- digest models (`DigestResult`, `DigestQuery`, `DigestSummary`)
+- **DigestServiceExtensions**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Digest/DigestServiceExtensions.cs` -- DI registration for digest services
+- **Tests**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/Digest/DigestGeneratorTests.cs`
+- **Source**: SPRINT_0172_0001_0002_notifier_ii.md
+
+## E2E Test Plan
+- [ ] Verify scheduled digest generation runs at configured intervals (hourly/daily/weekly)
+- [ ] Test digest aggregates incidents within the configured time window
+- [ ] Verify preview mode returns digest without side effects
+- [ ] Test multi-tenant digest generation processes each tenant independently
+- [ ] Verify digest distribution delivers summary to configured channels
+- [ ] Test DigestScheduleRunner respects Enabled=false configuration

docs/features/checked/notifier/notification-rules-engine.md

@@ -0,0 +1,33 @@
+# Notification Rules Engine
+
+## Module
+Notifier
+
+## Status
+IMPLEMENTED
+
+## Description
+Rules engine with NotifyRule model, rule evaluator interface, evaluation outcomes, and schema migration support.
+
+## Implementation Details
+- **DefaultNotifyRuleEvaluator**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Processing/DefaultNotifyRuleEvaluator.cs` -- evaluates `NotifyRule` against `NotifyEvent`; matches on event kind, namespace, repository, digest, severity (ranked none=0 through blocker=6); returns `NotifyRuleEvaluationOutcome` with match/not-matched reason
+- **NotifierEventProcessor**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Processing/NotifierEventProcessor.cs` -- integrates rule evaluation into the event processing pipeline
+- **SimulationEngine**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Simulation/SimulationEngine.cs` -- dry-run simulation of rule evaluation
+- **DefaultNotifySimulationEngine**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Simulation/DefaultNotifySimulationEngine.cs` -- default simulation engine implementation
+- **ISimulationEngine**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Simulation/ISimulationEngine.cs` -- simulation interface
+- **RuleEndpoints**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Endpoints/RuleEndpoints.cs` -- REST API for rule CRUD and testing
+- **SimulationEndpoints**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Endpoints/SimulationEndpoints.cs` -- REST API for rule simulation
+- **RiskTemplateSeeder**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Setup/RiskTemplateSeeder.cs` -- seeds default risk notification rules
+- **AttestationTemplateSeeder**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Setup/AttestationTemplateSeeder.cs` -- seeds attestation notification rules
+- **InMemoryNotifyRepositories**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Storage/InMemoryNotifyRepositories.cs` -- in-memory rule storage
+- **Sample rules**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.docs/risk-rules.sample.json`
+- **Tests**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/RuleEvaluatorTests.cs`, `Simulation/SimulationEngineTests.cs`, `EventProcessorTests.cs`, `Endpoints/NotifyApiEndpointsTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify rule evaluator matches events by kind, namespace, repository, and severity
+- [ ] Test disabled rules are skipped with "rule_disabled" reason
+- [ ] Verify severity-based filtering (e.g., minimum severity threshold)
+- [ ] Test rule CRUD through RuleEndpoints API
+- [ ] Verify simulation endpoints allow dry-run rule testing without side effects
+- [ ] Test seeded default rules for risk and attestation scenarios

docs/features/checked/notifier/notification-storm-breaker.md

@@ -0,0 +1,31 @@
+# Notification Storm Breaker
+
+## Module
+Notifier
+
+## Status
+VERIFIED
+
+## Description
+Circuit breaker mechanism that detects notification storms and applies adaptive throttling to prevent overwhelming downstream channels during mass event cascades.
+
+## Implementation Details
+- **IStormBreaker interface**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/StormBreaker/IStormBreaker.cs` -- `EvaluateAsync` (records event and checks storm condition), `GetStateAsync` (gets current storm state for a key), `GetActiveStormsAsync` (lists all active storms for a tenant)
+- **StormBreakerServiceExtensions**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/StormBreaker/StormBreakerServiceExtensions.cs` -- DI registration for storm breaker services
+- **ChannelAdapterOptions**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Channels/ChannelAdapterOptions.cs` -- circuit breaker configuration for channel adapters
+- **StormBreakerEndpoints**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Endpoints/StormBreakerEndpoints.cs` -- REST API for viewing and managing active storms
+- **INotifierMetrics**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Observability/INotifierMetrics.cs` -- metrics counters for storm detection events
+- **Tests**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/StormBreaker/StormBreakerTests.cs`
+- **Source**: SPRINT_0172_0001_0002_notifier_ii.md
+
+## E2E Test Plan
+- [ ] Verify storm detection triggers when event rate exceeds configured threshold
+- [ ] Test storm consolidation batches events into summary notifications
+- [ ] Verify active storm state is queryable via StormBreakerEndpoints API
+- [ ] Test storm resolution when event rate drops below threshold
+- [ ] Verify per-tenant storm isolation (storms in one tenant do not affect others)
+- [ ] Test metrics emission for storm detection and resolution events
+
+## Verification
+- Run: `docs/qa/feature-checks/runs/notifier/notification-storm-breaker/run-001/`
+- Date (UTC): 2026-02-11

docs/features/checked/packsregistry/packs-registry-service-with-mirroring-and-compliance-dashboards.md

@@ -0,0 +1,49 @@
+# Packs Registry Service with Mirroring and Compliance Dashboards
+
+## Module
+PacksRegistry
+
+## Status
+VERIFIED
+
+## Description
+Registry service for managing pack lifecycle (publish, version, deprecate) with mirroring support for air-gapped environments, attestation integration, and compliance dashboard APIs.
+
+## Implementation Details
+- **Pack Service**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Services/PackService.cs` -- core pack lifecycle operations: publish, query, version, and deprecate packs.
+- **Mirror Service**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Services/MirrorService.cs` -- manages mirror sources for air-gapped pack distribution.
+- **Attestation Service**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Services/AttestationService.cs` -- manages attestation records for packs, verifying pack provenance and signatures.
+- **Compliance Service**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Services/ComplianceService.cs` -- computes compliance summaries for pack registries (attestation coverage, signature verification status).
+- **Lifecycle Service**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Services/LifecycleService.cs` -- manages pack lifecycle transitions (active, deprecated, archived).
+- **Parity Service**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Services/ParityService.cs` -- tracks parity between primary and mirror registries.
+- **Export Service**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Services/ExportService.cs` -- exports pack data for offline/air-gap seeding.
+- **Core Contracts**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Contracts/` -- interfaces: `IPackRepository.cs`, `IMirrorRepository.cs`, `IAttestationRepository.cs`, `IAuditRepository.cs`, `ILifecycleRepository.cs`, `IParityRepository.cs`, `IPackSignatureVerifier.cs`.
+- **Core Models**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Models/` -- `PackRecord.cs`, `MirrorSourceRecord.cs`, `AttestationRecord.cs`, `AuditRecord.cs`, `LifecycleRecord.cs`, `ParityRecord.cs`, `PackPolicyOptions.cs`.
+- **Web API Contracts**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/Contracts/` -- DTOs: `PackUploadRequest.cs`, `PackResponse.cs`, `PackManifestResponse.cs`, `MirrorRequest.cs`, `MirrorResponse.cs`, `MirrorSyncRequest.cs`, `AttestationUploadRequest.cs`, `AttestationResponse.cs`, `ComplianceSummaryResponse.cs`, `LifecycleRequest.cs`, `LifecycleResponse.cs`, `ParityRequest.cs`, `ParityResponse.cs`, `OfflineSeedRequest.cs`, `RotateSignatureRequest.cs`.
+- **Infrastructure (File System)**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/FileSystem/` -- file-based repository implementations: `FilePackRepository.cs`, `FileMirrorRepository.cs`, `FileAttestationRepository.cs`, `FileAuditRepository.cs`, `FileLifecycleRepository.cs`, `FileParityRepository.cs`.
+- **Infrastructure (InMemory)**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/InMemory/` -- in-memory repository implementations for testing.
+- **Signature Verification**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/Verification/RsaSignatureVerifier.cs`, `SimpleSignatureVerifier.cs` -- RSA and simple signature verification for pack integrity.
+- **Postgres Persistence**: `src/PacksRegistry/__Libraries/StellaOps.PacksRegistry.Persistence/Postgres/Repositories/` -- `PostgresPackRepository.cs`, `PostgresMirrorRepository.cs`, `PostgresAttestationRepository.cs`, `PostgresAuditRepository.cs`, `PostgresLifecycleRepository.cs`, `PostgresParityRepository.cs`.
+- **EF Core Context**: `src/PacksRegistry/__Libraries/StellaOps.PacksRegistry.Persistence/EfCore/Context/PacksRegistryDbContext.cs` -- Entity Framework Core context.
+- **Worker**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Worker.cs` -- background worker for mirror sync and parity checks.
+- **Tests**: `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/PackServiceTests.cs`, `PacksApiTests.cs`, `FilePackRepositoryTests.cs`, `ExportServiceTests.cs`, `RsaSignatureVerifierTests.cs`; `src/PacksRegistry/__Tests/StellaOps.PacksRegistry.Persistence.Tests/PostgresPackRepositoryTests.cs`
+
+## E2E Test Plan
+- [x] Publish a pack via the REST API and verify it is stored in the registry with correct metadata (name, version, digest)
+- [x] Configure a mirror source and trigger a sync; verify the pack is replicated to the mirror with matching digest
+- [x] Upload an attestation for a published pack and verify the compliance dashboard endpoint reports the pack as attested
+- [x] Deprecate a pack via lifecycle API and verify it is no longer returned in active pack queries but remains queryable with a deprecated filter
+- [x] Verify parity check: publish a pack, sync to mirror, then update parity state and confirm the mirror is reported as out-of-sync
+- [x] Export packs for offline seeding and verify the exported bundle contains all pack data and attestations needed for air-gap import
+- [x] Verify RSA signature verification logic via `RsaSignatureVerifierTests` in Tier 1.
+
+## Verification
+- Verified on 2026-02-11 via FLOW Tier 0/1/2 loop.
+- Initial behavioral replay (`run-001`) failed on three contract gaps (attestation coverage metric, deprecated-list filtering, attestation export artifacts):
+  - `docs/qa/feature-checks/runs/packsregistry/packs-registry-service-with-mirroring-and-compliance-dashboards/run-001/tier2-api-check.json`
+  - `docs/qa/feature-checks/runs/packsregistry/packs-registry-service-with-mirroring-and-compliance-dashboards/run-001/triage.json`
+- Gaps were fixed in-module and retested with full pass (`run-002`):
+  - Tier 0 source check: `docs/qa/feature-checks/runs/packsregistry/packs-registry-service-with-mirroring-and-compliance-dashboards/run-002/tier0-source-check.json`
+  - Tier 1 build/tests: `docs/qa/feature-checks/runs/packsregistry/packs-registry-service-with-mirroring-and-compliance-dashboards/run-002/tier1-build-check.json`
+  - Tier 2 API replay: `docs/qa/feature-checks/runs/packsregistry/packs-registry-service-with-mirroring-and-compliance-dashboards/run-002/tier2-api-check.json`
+  - Retest closure: `docs/qa/feature-checks/runs/packsregistry/packs-registry-service-with-mirroring-and-compliance-dashboards/run-002/retest-result.json`

docs/features/checked/platform/materialized-views-for-analytics.md

@@ -0,0 +1,39 @@
+# Materialized Views for Analytics
+
+## Module
+Platform
+
+## Status
+VERIFIED
+
+## Description
+Materialized views with indexes, VEX validity filters, and deterministic arrays are used for analytics with a dedicated maintenance service for refresh.
+
+## Implementation Details
+- **PlatformAnalyticsMaintenanceService**: `src/Platform/StellaOps.Platform.WebService/Services/PlatformAnalyticsMaintenanceService.cs` -- BackgroundService that periodically refreshes 4 materialized views (`mv_supplier_concentration`, `mv_license_distribution`, `mv_vuln_exposure`, `mv_attestation_coverage`) using `REFRESH MATERIALIZED VIEW CONCURRENTLY`; supports daily rollup backfill, configurable interval, and run-on-startup mode via `PlatformAnalyticsMaintenanceOptions`
+- **PlatformAnalyticsQueryExecutor**: `src/Platform/StellaOps.Platform.WebService/Services/PlatformAnalyticsQueryExecutor.cs` -- executes analytical queries against materialized views
+- **PlatformAnalyticsService**: `src/Platform/StellaOps.Platform.WebService/Services/PlatformAnalyticsService.cs` -- service layer for analytics queries (suppliers, licenses, vulnerabilities, backlog, attestation coverage, vulnerability/component trends)
+- **AnalyticsEndpoints**: `src/Platform/StellaOps.Platform.WebService/Endpoints/AnalyticsEndpoints.cs` -- REST API at `/api/analytics` with 7 endpoints: suppliers, licenses, vulnerabilities, backlog, attestation-coverage, trends/vulnerabilities, trends/components; all require `AnalyticsRead` authorization
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify materialized views refresh concurrently without blocking reads
+- [ ] Test daily rollup backfill covers configured BackfillDays range
+- [ ] Verify analytics endpoints return correct data from materialized views
+- [ ] Test analytics service returns 503 when analytics storage is not configured
+- [ ] Verify trend endpoints return daily data points for specified time windows
+
+## Verification
+- Verified on 2026-02-11 via `run-001`.
+- Tier 0 source checks passed for maintenance, query executor, analytics service, and analytics endpoints.
+- Tier 1 build + targeted test gates passed across webservice and analytics projects.
+- Tier 2 behavioral checks passed with fresh user-surface/API and integration evidence:
+  - backfill + `REFRESH MATERIALIZED VIEW CONCURRENTLY` maintenance path (`PlatformAnalyticsMaintenanceServiceTests`)
+  - unconfigured endpoint path returns `503` (`AnalyticsEndpointsTests`, 7 routes)
+  - configured endpoint success payloads and trend points (`AnalyticsEndpointsSuccessTests`)
+  - analytics service cache/normalization behavior for suppliers, vulnerabilities, backlog, attestation coverage, and trend windows (`PlatformAnalyticsServiceTests`)
+  - materialized-view + stored-procedure integration behavior in Docker PostgreSQL (`AnalyticsSchemaIntegrationTests`, 22 tests)
+- Evidence:
+  - `docs/qa/feature-checks/runs/platform/materialized-views-for-analytics/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/platform/materialized-views-for-analytics/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/platform/materialized-views-for-analytics/run-001/tier2-integration-check.json`

docs/features/checked/platform/platform-service-aggregation-layer.md

@@ -0,0 +1,38 @@
+# Platform Service Aggregation Layer
+
+## Module
+Platform
+
+## Status
+VERIFIED
+
+## Description
+Backend Platform Service acting as aggregation layer for health status, quotas, onboarding progress, user preferences, and global search across all modules.
+
+## Implementation Details
+- **PlatformEndpoints**: `src/Platform/StellaOps.Platform.WebService/Endpoints/PlatformEndpoints.cs` -- REST API at `/api/v1/platform` with 6 endpoint groups: health (summary/dependencies/incidents/metrics), quotas (summary/tenants/alerts), onboarding (status/complete/skip), preferences (dashboard/profiles), search, metadata; all with tenant-scoped authorization policies
+- **PlatformHealthService**: `src/Platform/StellaOps.Platform.WebService/Services/PlatformHealthService.cs` -- aggregates health status from all platform services
+- **PlatformQuotaService**: service for quota tracking with alert management (create alert thresholds per tenant)
+- **PlatformOnboardingService**: `src/Platform/StellaOps.Platform.WebService/Services/PlatformOnboardingService.cs` -- tracks onboarding progress with step completion and skip support
+- **PlatformPreferencesService**: `src/Platform/StellaOps.Platform.WebService/Services/PlatformPreferencesService.cs` -- user dashboard preferences with profile management (CRUD)
+- **PlatformSearchService**: global search across all modules with source filtering, pagination
+- **PlatformMetadataService**: `src/Platform/StellaOps.Platform.WebService/Services/PlatformMetadataService.cs` -- platform metadata retrieval
+- **PlatformCache**: `src/Platform/StellaOps.Platform.WebService/Services/PlatformCache.cs` -- caching layer with TTL and data-as-of timestamps
+- **Source**: SPRINT_20251229_043_PLATFORM_platform_service_foundation
+
+## E2E Test Plan
+- [ ] Verify health summary endpoint aggregates all service statuses
+- [ ] Test quota alerts are created and returned with proper authorization
+- [ ] Verify onboarding step completion transitions correctly
+- [ ] Test global search returns results from multiple sources with pagination
+- [ ] Verify dashboard preferences persist and load per tenant/user
+
+## Verification
+- Verified on 2026-02-11 with `run-001`.
+- Tier 0 source checks confirmed aggregation endpoint + service/cache implementation parity.
+- Tier 1 build and endpoint test suite passed (98/98) after adding quota alert and search pagination/filter coverage.
+- Tier 2 API behavior checks passed for health, quota (positive + negative), onboarding, preferences, and search routes using live HTTP request/response transactions against `http://127.0.0.1:10011`.
+- Evidence:
+  - `docs/qa/feature-checks/runs/platform/platform-service-aggregation-layer/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/platform/platform-service-aggregation-layer/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/platform/platform-service-aggregation-layer/run-001/tier2-api-check.json`

docs/features/checked/platform/platform-setup-wizard-backend-api.md

@@ -0,0 +1,36 @@
+# Platform Setup Wizard Backend API
+
+## Module
+Platform
+
+## Status
+VERIFIED
+
+## Description
+Real /api/v1/setup/* endpoints replacing UI mocks with deterministic session state (create, resume, execute, skip, finalize), tenant scoping, and offline-first "data as of" metadata.
+
+## Implementation Details
+- **SetupEndpoints**: `src/Platform/StellaOps.Platform.WebService/Endpoints/SetupEndpoints.cs` -- REST API at `/api/v1/setup` with 3 endpoint groups: sessions (GET current, POST create, POST resume, POST finalize), steps (POST execute, POST skip), definitions (GET step definitions); AllowAnonymous during initial setup, requires auth after completion
+- **SetupStateDetector**: detects setup completion state from storage/DB settings; routes between bootstrap context and authenticated context
+- **PlatformSetupService**: service layer for setup wizard operations (CreateSessionAsync, ResumeOrCreateSessionAsync, ExecuteStepAsync, SkipStepAsync, FinalizeSessionAsync, GetStepDefinitionsAsync)
+- **SetupWizardModels**: `src/Platform/StellaOps.Platform.WebService/Contracts/SetupWizardModels.cs` -- request/response models (CreateSetupSessionRequest, SetupSessionResponse, ExecuteSetupStepRequest, SkipSetupStepRequest, FinalizeSetupSessionRequest, FinalizeSetupSessionResponse, SetupStepDefinitionsResponse)
+- **Problem+JSON errors**: all endpoints return RFC 7807 ProblemDetails on errors
+- **Source**: SPRINT_20260112_004_PLATFORM_setup_wizard_backend.md
+
+## E2E Test Plan
+- [ ] Verify setup session creates with bootstrap context when auth is unavailable
+- [ ] Test session resume returns existing session or creates new one
+- [ ] Verify step execution updates session state correctly
+- [ ] Test step skip marks step as skipped and advances session
+- [ ] Verify finalize completes setup and subsequent requests require authentication
+- [ ] Test step definitions endpoint returns all available setup steps
+
+## Verification
+- Verified on 2026-02-11 with run-001 Tier 0/1/2 evidence.
+- Tier 1 build/test pass: platform webservice + platform webservice tests (100/100).
+- Tier 2 setup API behavior checks pass (7/7 setup-focused class tests) covering create/resume/execute/skip/finalize/definitions and required-step skip negative path.
+- Evidence:
+  - `docs/qa/feature-checks/runs/platform/platform-setup-wizard-backend-api/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/platform/platform-setup-wizard-backend-api/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/platform/platform-setup-wizard-backend-api/run-001/tier2-api-check.json`
+

docs/features/checked/platform/sbom-analytics-lake.md

@@ -0,0 +1,38 @@
+# SBOM Analytics Lake (Star-Schema PostgreSQL)
+
+## Module
+Platform
+
+## Status
+VERIFIED
+
+## Description
+Star-schema PostgreSQL analytics layer for SBOM data with component registry, vulnerability correlation tables, attestation tracking, materialized views for trend analysis, and stored procedures for analytics queries. While "Materialized Views for Analytics" is in the known list, this is a much broader star-schema analytics subsystem with dedicated migration, ingestion services, and multi-table analytics design.
+
+## Implementation Details
+- **AnalyticsIngestionService**: `src/Platform/StellaOps.Platform.Analytics/Services/AnalyticsIngestionService.cs` -- BackgroundService subscribing to orchestrator scanner-report-ready events (`OrchestratorEventKinds.ScannerReportReady` / `scanner.event.report.ready`) via `IEventStream`; parses SBOM (CycloneDX/SPDX), resolves artifact digests, upserts into star-schema tables (`analytics.artifacts`, `analytics.raw_sboms`, `analytics.components`, `analytics.artifact_components`), and builds dependency paths via BFS from root component.
+- **VulnerabilityCorrelationService**: `src/Platform/StellaOps.Platform.Analytics/Services/VulnerabilityCorrelationService.cs` -- correlates PURL-based components with known vulnerabilities; updates artifact vulnerability counts
+- **AttestationIngestionService**: `src/Platform/StellaOps.Platform.Analytics/Services/AttestationIngestionService.cs` -- ingests attestation events into analytics
+- **Utilities**: PurlParser (PURL normalization), LicenseExpressionRenderer (license aggregation), Sha256Hasher (digest computation), TenantNormalizer (tenant filtering), VersionRuleEvaluator, VulnerabilityCorrelationRules
+- **AnalyticsIngestionOptions**: `src/Platform/StellaOps.Platform.Analytics/Options/AnalyticsIngestionOptions.cs` -- configurable stream names, tenant allowlists, ingest/schema versions
+- **Tests**: `src/Platform/__Tests/StellaOps.Platform.Analytics.Tests/`
+- **Source**: SPRINT_20260120_030_Platform_sbom_analytics_lake.md
+
+## E2E Test Plan
+- [ ] Verify SBOM ingestion from scanner scanner-report-ready events (`scanner.event.report.ready`) populates all star-schema tables
+- [ ] Test component deduplication via (purl, hash_sha256) conflict resolution
+- [ ] Verify dependency path BFS builds correct depth and introduced_via values
+- [ ] Test vulnerability correlation updates component and artifact vulnerability counts
+- [ ] Verify daily rollup stored procedure computes correct aggregates
+- [ ] Test tenant filtering respects AllowedTenants configuration
+
+## Verification
+- Verified on 2026-02-11 with `run-001`.
+- Tier 0 source checks confirmed ingestion services/options/test surfaces and dependency-path builders are present.
+- Tier 1 build + focused analytics class checks passed (`64/64`).
+- Tier 2 integration behavior checks passed (`171/171`) across schema integration, ingestion helpers, vulnerability-correlation rules, and tenant normalization behavior.
+- Tier 0 reported `partial` only because utility source paths in this dossier still used `Services/` names while active implementations are under `src/Platform/StellaOps.Platform.Analytics/Utilities/`.
+- Evidence:
+  - `docs/qa/feature-checks/runs/platform/sbom-analytics-lake/run-001/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/platform/sbom-analytics-lake/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/platform/sbom-analytics-lake/run-001/tier2-integration-check.json`

docs/features/checked/platform/scanner-platform-events.md

@@ -0,0 +1,36 @@
+# Scanner Platform Events (Redis Streams)
+
+## Module
+Platform
+
+## Status
+VERIFIED
+
+## Description
+Scanner WebService events are ingested by Platform Analytics from the configured stream. The ingestion path now supports `scanner.event.report.ready` and `scanner.scan.completed`, handles scanner DSSE payload decoding for report-ready content, and resumes from persisted stream checkpoints after restart.
+
+## Implementation Details
+- **AnalyticsIngestionService**: `src/Platform/StellaOps.Platform.Analytics/Services/AnalyticsIngestionService.cs` -- subscribes to scanner stream; supports both `OrchestratorEventKinds.ScannerReportReady` and `OrchestratorEventKinds.ScannerScanCompleted`; resolves report payloads from direct JSON, wrapped `reportReady`, and DSSE envelopes; persists and restores scanner stream checkpoints.
+- **ScannerOrchestratorEvents**: `src/Platform/StellaOps.Platform.Analytics/Models/ScannerOrchestratorEvents.cs` -- scanner event models, including `ScanCompletedEventPayload` and scanner event-kind constants.
+- **AnalyticsIngestionOptions**: `src/Platform/StellaOps.Platform.Analytics/Options/AnalyticsIngestionOptions.cs` -- stream settings include `ResumeFromCheckpoint` and optional `ScannerCheckpointFilePath`.
+- **IEventStream/IEventStreamFactory**: `src/Router/__Libraries/StellaOps.Messaging/Abstractions/IEventStream.cs` -- stream subscription with `StreamPosition.After(entryId)` checkpoint resume support.
+- **Tests**: `src/Platform/__Tests/StellaOps.Platform.Analytics.Tests/ScannerPlatformEventsBehaviorTests.cs`.
+- **Source**: 2025-10-19-scanner-policy.md
+
+## E2E Test Plan
+- [ ] Verify scanner report-ready events (`scanner.event.report.ready`) are consumed and processed by analytics ingestion.
+- [ ] Verify scanner scan-completed events (`scanner.scan.completed`) are accepted and mapped into report-ready ingestion payloads.
+- [ ] Verify DSSE envelope payloads are decoded and parsed into report-ready scanner payloads.
+- [ ] Verify scanner stream checkpoint normalization and subscription position resolution for restart resume.
+- [ ] Verify tenant filtering skips events from non-allowed tenants.
+
+## Verification
+- Verified on 2026-02-11 with `run-003`.
+- Tier 0 source checks passed with scanner event-kind, DSSE parser, and checkpoint resume declarations present.
+- Tier 1 build + tests passed (`185/185`) with code-review parity confirming previously missing scanner-event claims are implemented.
+- Tier 2 behavioral/e2e checks passed (`38/38`) across scanner event behavior tests, Docker-backed analytics schema integration, and tenant normalization checks.
+- Evidence:
+  - `docs/qa/feature-checks/runs/platform/scanner-platform-events/run-003/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/platform/scanner-platform-events/run-003/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/platform/scanner-platform-events/run-003/tier2-integration-check.json`
+  - `docs/qa/feature-checks/runs/platform/scanner-platform-events/run-003/retest-result.json`

docs/features/checked/plugin/plugin-configuration-and-context.md

@@ -130,3 +130,12 @@ Plugin configuration loading and context injection for runtime plugin behavior c
 - **Tests**: PASS (105/105; Plugin matrix 314/314: Abstractions 79, Host 105, Registry 65, Sandbox 47, SDK 7, HelloWorld sample 11.)
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/plugin/plugin-configuration-and-context/run-013/tier2-integration-check.json
 - **Outcome**: Checked Plugin behavior remains healthy in continued replay.
+
+
+## Recheck (Run-014)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2d deterministic integration replay with fresh per-feature command evidence + full suite replay.
+- **Tests**: PASS (105/105; module suite 314/314).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/plugin/plugin-configuration-and-context/run-014/tier2-integration-check.json
+- **Outcome**: Plugin configuration/context checked behavior remains stable with fresh host replay evidence.
+

docs/features/checked/plugin/plugin-dependency-resolution.md

@@ -126,3 +126,12 @@ Plugin dependency resolution with resolver service, interface, and comprehensive
 - **Tests**: PASS (105/105; Plugin matrix 314/314: Abstractions 79, Host 105, Registry 65, Sandbox 47, SDK 7, HelloWorld sample 11.)
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/plugin/plugin-dependency-resolution/run-013/tier2-integration-check.json
 - **Outcome**: Checked Plugin behavior remains healthy in continued replay.
+
+
+## Recheck (Run-014)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2d deterministic integration replay with fresh per-feature command evidence + full suite replay.
+- **Tests**: PASS (105/105; module suite 314/314).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/plugin/plugin-dependency-resolution/run-014/tier2-integration-check.json
+- **Outcome**: Dependency resolution checked behavior remains stable with fresh host replay evidence.
+

docs/features/checked/plugin/plugin-discovery.md

@@ -129,3 +129,12 @@ Multi-strategy plugin discovery with filesystem scanning, embedded plugins, and
 - **Tests**: PASS (11/11; Plugin matrix 314/314: Abstractions 79, Host 105, Registry 65, Sandbox 47, SDK 7, HelloWorld sample 11.)
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/plugin/plugin-discovery/run-013/tier2-integration-check.json
 - **Outcome**: Checked Plugin behavior remains healthy in continued replay.
+
+
+## Recheck (Run-014)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2d deterministic integration replay with fresh per-feature command evidence + full suite replay.
+- **Tests**: PASS (11/11; module suite 314/314).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/plugin/plugin-discovery/run-014/tier2-integration-check.json
+- **Outcome**: Discovery checked behavior remains stable with fresh sample replay evidence.
+

docs/features/checked/plugin/plugin-host-with-assembly-isolation.md

@@ -130,3 +130,12 @@ Plugin host with assembly-based loading, isolated AssemblyLoadContext, and confi
 - **Tests**: PASS (105/105; Plugin matrix 314/314: Abstractions 79, Host 105, Registry 65, Sandbox 47, SDK 7, HelloWorld sample 11.)
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/plugin/plugin-host-with-assembly-isolation/run-013/tier2-integration-check.json
 - **Outcome**: Checked Plugin behavior remains healthy in continued replay.
+
+
+## Recheck (Run-014)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2d deterministic integration replay with fresh per-feature command evidence + full suite replay.
+- **Tests**: PASS (105/105; module suite 314/314).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/plugin/plugin-host-with-assembly-isolation/run-014/tier2-integration-check.json
+- **Outcome**: Host lifecycle and assembly-isolation checked behavior remains stable with fresh replay evidence.
+

docs/features/checked/plugin/plugin-sandbox.md

@@ -131,3 +131,12 @@ Process-level plugin sandboxing with gRPC communication bridge for secure out-of
 - **Tests**: PASS (47/47; Plugin matrix 314/314: Abstractions 79, Host 105, Registry 65, Sandbox 47, SDK 7, HelloWorld sample 11.)
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/plugin/plugin-sandbox/run-013/tier2-integration-check.json
 - **Outcome**: Checked Plugin behavior remains healthy in continued replay.
+
+
+## Recheck (Run-014)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2d deterministic integration replay with fresh per-feature command evidence + full suite replay.
+- **Tests**: PASS (47/47; module suite 314/314).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/plugin/plugin-sandbox/run-014/tier2-integration-check.json
+- **Outcome**: Sandbox checked behavior remains stable with fresh policy/restriction replay evidence.
+

docs/features/checked/plugin/unified-plugin-architecture-with-trust-based-execution-model.md

@@ -139,3 +139,12 @@ Complete unified plugin system reworking seven disparate plugin patterns (Crypto
 - **Tests**: PASS (79/79; Plugin matrix 314/314: Abstractions 79, Host 105, Registry 65, Sandbox 47, SDK 7, HelloWorld sample 11.)
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/plugin/unified-plugin-architecture-with-trust-based-execution-model/run-013/tier2-integration-check.json
 - **Outcome**: Checked Plugin behavior remains healthy in continued replay.
+
+
+## Recheck (Run-014)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2d deterministic integration replay with fresh per-feature command evidence + full suite replay.
+- **Tests**: PASS (79/79; module suite 314/314).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/plugin/unified-plugin-architecture-with-trust-based-execution-model/run-014/tier2-integration-check.json
+- **Outcome**: Unified plugin lifecycle/trust-model checked behavior remains stable with fresh abstractions replay evidence.
+

docs/features/checked/replay/immutable-advisory-feed-snapshots.md

@@ -0,0 +1,29 @@
+# Immutable Advisory Feed Snapshots
+
+## Module
+Replay
+
+## Status
+VERIFIED
+
+## Description
+Replay provides immutable, content-addressed advisory feed snapshots that can be queried by provider and time anchor for deterministic replay workflows.
+
+## What's Implemented
+- **Feed Snapshot Capture and Storage**: `src/Replay/__Libraries/StellaOps.Replay.Core/FeedSnapshots/FeedSnapshotService.cs` captures per-provider snapshots as immutable blobs and stores them by digest.
+- **Content Addressing and Integrity Checks**: `src/Replay/__Libraries/StellaOps.Replay.Core/FeedSnapshots/FeedSnapshotService.cs` computes SHA-256 digests and supports integrity verification against stored content.
+- **Snapshot Indexing by Time**: `src/Replay/__Libraries/StellaOps.Replay.Core/FeedSnapshots/FeedSnapshotService.cs` and `IFeedSnapshotIndexStore` support provider/time lookups and listing for point-in-time resolution.
+- **Point-in-Time Advisory Resolution Core**: `src/Replay/__Libraries/StellaOps.Replay.Core/FeedSnapshots/PointInTimeAdvisoryResolver.cs` resolves advisory state from snapshots at or before a requested timestamp.
+- **Snapshot API Contract Surface**: `src/Replay/StellaOps.Replay.WebService/PointInTimeQueryEndpoints.cs` defines snapshot capture/get/verify/bundle and advisory query endpoint handlers.
+- **Behavioral Coverage**:
+  - `src/Replay/__Tests/StellaOps.Replay.Core.Tests/FeedSnapshots/FeedSnapshotServiceTests.cs`
+  - `src/Replay/__Tests/StellaOps.Replay.Core.Tests/FeedSnapshots/PointInTimeAdvisoryResolverTests.cs`
+  - `src/Replay/__Tests/StellaOps.Replay.Core.Tests/FeedSnapshots/PointInTimeQueryEndpointsTests.cs`
+
+## Verification
+- Run ID: `run-003`
+- Date (UTC): `2026-02-11`
+- Tier 0: `pass` (`docs/qa/feature-checks/runs/replay/immutable-advisory-feed-snapshots/run-003/tier0-source-check.json`)
+- Tier 1: `pass` (`docs/qa/feature-checks/runs/replay/immutable-advisory-feed-snapshots/run-003/tier1-build-check.json`)
+- Tier 2: `pass` (`94/94`) (`docs/qa/feature-checks/runs/replay/immutable-advisory-feed-snapshots/run-003/tier2-integration-check.json`)
+- Evidence directory: `docs/qa/feature-checks/runs/replay/immutable-advisory-feed-snapshots/run-003/evidence/`

docs/features/checked/replay/point-in-time-vulnerability-query.md

@@ -0,0 +1,29 @@
+# Point-in-Time Vulnerability Query (As-Of Date)
+
+## Module
+Replay
+
+## Status
+VERIFIED
+
+## Description
+Replay exposes point-in-time advisory query APIs that resolve vulnerability state by provider and timestamp, including diff and cross-provider behaviors.
+
+## What's Implemented
+- **Point-in-Time API Endpoints**: `src/Replay/StellaOps.Replay.WebService/PointInTimeQueryEndpoints.cs` maps advisory query, timeline, diff, and snapshot endpoints under `/v1/pit/*`.
+- **WebService Registration**: `src/Replay/StellaOps.Replay.WebService/Program.cs` wires `MapPointInTimeQueryEndpoints()` and required replay snapshot/query dependencies into DI.
+- **Snapshot Storage and Time Indexing**: `src/Replay/__Libraries/StellaOps.Replay.Core/FeedSnapshots/FeedSnapshotService.cs` and `IFeedSnapshotIndexStore` implement immutable snapshot capture and temporal lookup.
+- **Advisory Resolution Engine**: `src/Replay/__Libraries/StellaOps.Replay.Core/FeedSnapshots/PointInTimeAdvisoryResolver.cs` resolves advisory state, cross-provider consensus, timeline, and field-level diffs.
+- **Replay WebService In-Memory Feed Support**: `src/Replay/StellaOps.Replay.WebService/FeedSnapshotSupport.cs` provides in-memory blob/index stores and JSON advisory extraction used by API flows.
+- **Behavioral Coverage**:
+  - `src/Replay/__Tests/StellaOps.Replay.Core.Tests/FeedSnapshots/PointInTimeAdvisoryResolverTests.cs`
+  - `src/Replay/__Tests/StellaOps.Replay.Core.Tests/FeedSnapshots/PointInTimeQueryEndpointsTests.cs`
+  - `src/Replay/__Tests/StellaOps.Replay.Core.Tests/FeedSnapshots/PointInTimeQueryApiIntegrationTests.cs`
+
+## Verification
+- Run ID: `run-003`
+- Date (UTC): `2026-02-11`
+- Tier 0: `pass` (`docs/qa/feature-checks/runs/replay/point-in-time-vulnerability-query/run-003/tier0-source-check.json`)
+- Tier 1: `pass` (`docs/qa/feature-checks/runs/replay/point-in-time-vulnerability-query/run-003/tier1-build-check.json`)
+- Tier 2: `pass` (`docs/qa/feature-checks/runs/replay/point-in-time-vulnerability-query/run-003/tier2-api-check.json`)
+- Evidence directory: `docs/qa/feature-checks/runs/replay/point-in-time-vulnerability-query/run-003/evidence/`

docs/features/checked/replay/replay-infrastructure.md

@@ -0,0 +1,37 @@
+# Replay Infrastructure (Manifest, Determinism Verifier, Verdict Engine, Drift Detection)
+
+## Module
+Replay
+
+## Status
+VERIFIED
+
+## Description
+Full replay infrastructure: DeterminismVerifier re-hydrates exact inputs from manifest and verifies bit-for-bit verdict reproduction. Run manifest model capturing pipeline state (feeds, rules, versions). DeterministicResolver with feed snapshots, bundle export, and web service. Verdict replay with divergence detection and input drift testing.
+
+## Implementation Details
+- **Determinism Verifier**: `src/Replay/__Libraries/StellaOps.Replay.Core/DeterminismVerifier.cs` -- re-hydrates exact inputs from a run manifest and verifies bit-for-bit verdict reproduction; reports divergences between original and replayed verdicts.
+- **Input Manifest Resolver**: `src/Replay/__Libraries/StellaOps.Replay.Core/InputManifestResolver.cs` -- resolves and snapshots all inputs (feed versions, policy rules, SBOM state) needed to reproduce a verdict, creating a self-contained input manifest.
+- **Replay Executor**: `src/Replay/__Libraries/StellaOps.Replay.Core/ReplayExecutor.cs` -- orchestrates verdict replay by loading the input manifest, executing the policy evaluation pipeline, and comparing outputs against the original verdict.
+- **Replay Job Queue**: `src/Replay/__Libraries/StellaOps.Replay.Core/ReplayJobQueue.cs` -- background job queue for scheduling and processing replay verification requests.
+- **Policy Simulation Input Lock**: `src/Replay/__Libraries/StellaOps.Replay.Core/PolicySimulationInputLock.cs` -- locks input state during replay to prevent concurrent modifications from affecting determinism verification.
+- **Verdict Replay Endpoints**: `src/Replay/StellaOps.Replay.WebService/VerdictReplayEndpoints.cs` -- REST endpoints for submitting replay requests and querying replay results.
+- **Web Service Entry Point**: `src/Replay/StellaOps.Replay.WebService/Program.cs` -- ASP.NET Core web service hosting replay endpoints.
+- **Tests**: `src/Replay/__Tests/StellaOps.Replay.Core.Tests/Unit/DeterminismVerifierTests.cs`, `Unit/InputManifestResolverTests.cs`, `VerdictReplayIntegrationTests.cs`, `VerdictReplayEndpointsTests.cs`, `PolicySimulationInputLockValidatorTests.cs`
+
+## E2E Test Plan
+- [x] Submit a verdict for replay via the REST endpoint and verify `DeterminismVerifier` produces a bit-for-bit identical verdict when given the same input manifest.
+- [x] Modify a policy rule between the original verdict and the replay and verify divergence is detected and reported.
+- [x] Verify input manifest completeness by replaying using manifest contents only.
+- [x] Verify input lock behavior protects replay consistency during concurrent mutation attempts.
+- [x] Submit multiple replay requests and verify queue processing order and result handling.
+- [x] Verify drift detection when replay uses a different feed snapshot/input state.
+
+## Verification
+- Run ID: `run-001`
+- Date (UTC): `2026-02-11`
+- Tier 0: `pass` (`docs/qa/feature-checks/runs/replay/replay-infrastructure/run-001/tier0-source-check.json`)
+- Tier 1: `pass` (`docs/qa/feature-checks/runs/replay/replay-infrastructure/run-001/tier1-build-check.json`)
+- Tier 2: `pass` (`docs/qa/feature-checks/runs/replay/replay-infrastructure/run-001/tier2-integration-check.json`)
+- Evidence directory: `docs/qa/feature-checks/runs/replay/replay-infrastructure/run-001/evidence/`
+

docs/features/checked/replay/replay-recording-and-verification-service.md

@@ -0,0 +1,34 @@
+# Replay Recording and Verification Service
+
+## Module
+Replay
+
+## Status
+VERIFIED
+
+## Description
+Dedicated replay service that records verdict inputs/outputs and provides endpoints to replay and verify deterministic verdict execution, ensuring reproducibility of security decisions.
+
+## Implementation Details
+- **Verdict Replay Endpoints**: `src/Replay/StellaOps.Replay.WebService/VerdictReplayEndpoints.cs` -- REST API endpoints for recording verdict executions, submitting replay requests, and querying verification results.
+- **Replay Executor**: `src/Replay/__Libraries/StellaOps.Replay.Core/ReplayExecutor.cs` -- executes recorded verdicts with snapshotted inputs and compares outputs for determinism verification.
+- **Determinism Verifier**: `src/Replay/__Libraries/StellaOps.Replay.Core/DeterminismVerifier.cs` -- compares original and replayed verdict outputs, detecting any divergences in the decision.
+- **Trace Anonymizer**: `src/Replay/__Libraries/StellaOps.Replay.Anonymization/TraceAnonymizer.cs` (implements `ITraceAnonymizer`) -- anonymizes sensitive data in replay traces before storage or export, enabling safe sharing of replay data for debugging.
+- **Anonymization Models**: `src/Replay/__Libraries/StellaOps.Replay.Anonymization/Models.cs` -- data models for anonymized trace records.
+- **Replay Job Queue**: `src/Replay/__Libraries/StellaOps.Replay.Core/ReplayJobQueue.cs` -- queues replay verification jobs for background processing.
+- **Tests**: `src/Replay/__Tests/StellaOps.Replay.Core.Tests/VerdictReplayIntegrationTests.cs`, `src/Replay/__Tests/StellaOps.Replay.Core.Tests/VerdictReplayEndpointsTests.cs`, and `src/Replay/__Tests/StellaOps.Replay.Anonymization.Tests/TraceAnonymizerTests.cs`.
+
+## E2E Test Plan
+- [x] Record/submit replay verification requests through replay service endpoints and validate returned contracts.
+- [x] Replay recorded verdict logic and verify deterministic output comparison behavior.
+- [x] Verify divergence signaling behavior when replay output differs from original verdict.
+- [x] Verify trace anonymization preserves structure while redacting sensitive fields.
+- [x] Verify replay queue processing behavior through replay core behavioral suite.
+
+## Verification
+- Run ID: `run-002`
+- Date (UTC): `2026-02-11`
+- Tier 0: `pass` (`docs/qa/feature-checks/runs/replay/replay-recording-and-verification-service/run-002/tier0-source-check.json`)
+- Tier 1: `pass` (`docs/qa/feature-checks/runs/replay/replay-recording-and-verification-service/run-002/tier1-build-check.json`)
+- Tier 2: `pass` (`docs/qa/feature-checks/runs/replay/replay-recording-and-verification-service/run-002/tier2-integration-check.json`)
+- Evidence directory: `docs/qa/feature-checks/runs/replay/replay-recording-and-verification-service/run-002/evidence/`

docs/features/checked/riskengine/cvss-kev-risk-signal-combination.md

@@ -114,3 +114,11 @@ Risk engine combining CVSS scores with KEV (Known Exploited Vulnerabilities) dat
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-013/tier2-api-check.json
 - **Captured Requests**: `/risk-scores/providers`; `/risk-scores/simulations` for KEV bonus (0.95), no-KEV baseline (0.75), and unknown provider error semantics.
 - **Outcome**: CVSS+KEV checked behavior revalidated from live API transactions.
+
+## Recheck (Run-014)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTPS API verification with fresh request/response capture.
+- **Tests**: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/cvss-kev-risk-signal-combination/run-014/tier2-api-check.json
+- **Captured Requests**: `/risk-scores/providers`; `/risk-scores/simulations` for KEV bonus (0.95), no-KEV baseline (0.75), and unknown provider error semantics.
+- **Outcome**: CVSS+KEV checked behavior remains stable with fresh live API replay.

docs/features/checked/riskengine/epss-risk-band-mapping.md

@@ -111,3 +111,11 @@ EPSS provider with bundle loading, fetching, and risk band mapping. Contains two
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/epss-risk-band-mapping/run-013/tier2-api-check.json
 - **Captured Requests**: `/risk-scores/simulations` for EPSS direct score (0.77), CVSS+KEV+EPSS percentile bonus (0.55), and missing-signal fallback (0).
 - **Outcome**: EPSS mapping behavior revalidated from live API transactions.
+
+## Recheck (Run-014)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTPS API verification with fresh request/response capture.
+- **Tests**: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/epss-risk-band-mapping/run-014/tier2-api-check.json
+- **Captured Requests**: `/risk-scores/simulations` for EPSS direct score (0.77), CVSS+KEV+EPSS percentile bonus (0.55), and missing-signal fallback (0).
+- **Outcome**: EPSS mapping checked behavior remains stable with fresh live API replay.

docs/features/checked/riskengine/exploit-maturity-mapping.md

@@ -110,3 +110,11 @@ Dedicated exploit maturity mapping service consolidating EPSS, KEV, and in-the-w
 - **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/exploit-maturity-mapping/run-013/tier2-api-check.json
 - **Captured Requests**: `/exploit-maturity/{cveId}`, `/exploit-maturity/{cveId}/level`, `/exploit-maturity/{cveId}/history`, `/exploit-maturity/batch` (success) and `/exploit-maturity/batch` with empty list (400).
 - **Outcome**: Exploit maturity API contracts revalidated from live API transactions.
+
+## Recheck (Run-014)
+- **Verified**: 2026-02-11
+- **Method**: Tier 2a live HTTPS API verification with fresh request/response capture.
+- **Tests**: PASS (src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests: 94/94).
+- **Tier 2 Evidence**: docs/qa/feature-checks/runs/riskengine/exploit-maturity-mapping/run-014/tier2-api-check.json
+- **Captured Requests**: `/exploit-maturity/{cveId}`, `/exploit-maturity/{cveId}/level`, `/exploit-maturity/{cveId}/history`, `/exploit-maturity/batch` (success) and `/exploit-maturity/batch` with empty list (400).
+- **Outcome**: Exploit maturity checked API contracts remain stable with fresh live replay.

docs/features/checked/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge.md

@@ -0,0 +1,41 @@
+# Tetragon/eBPF Runtime Instrumentation Bridge (Runtime Witnesses, Build Correlation)
+
+## Module
+RuntimeInstrumentation
+
+## Status
+VERIFIED
+
+## Description
+Runtime trace ingestion and query bridge for Tetragon/eBPF evidence with privacy canonicalization, hot-symbol aggregation, runtime timeline correlation to build artifacts, and disabled-mode null-service fallback.
+
+## Implementation Details
+- **Runtime Traces API (ingest + query + score)**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/RuntimeTracesEndpoints.cs` -- `POST /api/v1/findings/{findingId}/runtime/traces` for ingestion and `GET` runtime traces/score retrieval.
+- **Runtime Timeline API**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/RuntimeTimelineEndpoints.cs` -- timeline query endpoint with time-window and bucket options.
+- **Runtime Contracts**: `src/Findings/StellaOps.Findings.Ledger.WebService/Contracts/RuntimeTracesContracts.cs` -- ingest request/response and runtime traces DTOs.
+- **Runtime In-Memory Services**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/InMemoryRuntimeInstrumentationServices.cs` -- deterministic observation store, address canonicalization, hot-symbol hit aggregation, and timeline construction.
+- **Runtime Null Service (disabled mode)**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/NullRuntimeTracesService.cs` -- accepts ingest requests and returns non-materialized query behavior when runtime instrumentation is disabled.
+- **Runtime Wiring Toggle**: `src/Findings/StellaOps.Findings.Ledger.WebService/Program.cs` -- switches between in-memory runtime services and null runtime services via `findings:ledger:runtime:enabled`.
+- **Runtime Signal Ingester**: `src/Unknowns/__Libraries/StellaOps.Unknowns.Core/Services/RuntimeSignalIngester.cs` -- containment/blast-radius signal ingestion path used by unknowns analysis.
+- **Signal Snapshot Builder**: `src/Findings/StellaOps.Findings.Ledger/Observations/SignalSnapshotBuilder.cs` -- signal snapshot composition for replay/audit workflows.
+
+## E2E Test Plan
+- [x] Submit a runtime trace event via the runtime traces endpoint and verify it is persisted and queryable.
+- [x] Correlate runtime trace data to build artifact metadata and verify timeline details include component/artifact linkage.
+- [x] Verify privacy filtering canonicalizes raw user-space memory addresses in returned symbol/file fields.
+- [x] Verify hot-symbol tracking aggregates repeated symbol observations with higher hit counts.
+- [x] Verify null runtime traces service handles requests without server errors when runtime instrumentation is disabled.
+- [x] Query runtime timeline over a time range and verify chronological ordering and correlation metadata.
+
+## Verification
+- `run-001` (2026-02-11): failed behavioral verification, triaged/confirmed missing ingest and runtime service wiring.
+  - `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-001/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-001/tier2-api-check.json`
+  - `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-001/triage.json`
+  - `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-001/confirmation.json`
+- `run-002` (2026-02-11): passed after fixes.
+  - `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-002/tier0-source-check.json`
+  - `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-002/tier1-build-check.json`
+  - `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-002/tier2-api-check.json`
+  - `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-002/fix-summary.json`
+  - `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-002/retest-result.json`