Add channel test providers for Email, Slack, Teams, and Webhook

- Implemented EmailChannelTestProvider to generate email preview payloads.
- Implemented SlackChannelTestProvider to create Slack message previews.
- Implemented TeamsChannelTestProvider for generating Teams Adaptive Card previews.
- Implemented WebhookChannelTestProvider to create webhook payloads.
- Added INotifyChannelTestProvider interface for channel-specific preview generation.
- Created ChannelTestPreviewContracts for request and response models.
- Developed NotifyChannelTestService to handle test send requests and generate previews.
- Added rate limit policies for test sends and delivery history.
- Implemented unit tests for service registration and binding.
- Updated project files to include necessary dependencies and configurations.

AGENTS.md

@@ -48,24 +48,7 @@ StellaOps is contained by different modules installable via docker containers
 - Agent. Installable daemon that does the scanning
 - Zastava. Realtime monitor for allowed (verified) installations.
 
-## 4.1) Concelier
-It is webservice based module that is responsible for aggregating vulnerabilities information from various sources, parsing and normalizing them into a canonical shape, merging and deduplicating the results in one place, with export capabilities to Json and TrivyDb. It supports init and resume for all of the sources, parse/normalize and merge/deduplication operations, plus export. Export supports delta exports—similarly to full and incremential database backups.
-
-### 4.1.1) Usage
-It supports operations to be started by cmd line:
-# stella db [fetch|merge|export] [init|resume <point>]
-or 
-api available on https://db.stella-ops.org
-
-### 4.1.2) Data flow (end‑to‑end)
-
-1. **Fetch**: connectors request source windows with retries/backoff, persist raw documents with SHA256/ETag metadata.
-2. **Parse & Normalize**: validate to DTOs (schema-checked), quarantine failures, normalize to canonical advisories (aliases, affected ranges with NEVRA/EVR/SemVer, references, provenance).
-3. **Merge & Deduplicate**: enforce precedence, build/maintain alias graphs, compute deterministic hashes, and eliminate duplicates before persisting to MongoDB.
-4. **Export**: JSON tree and/or Trivy DB; package and (optionally) push; write export state.
-
-### 4.1.3) Architecture
-For more information of the architecture see `./docs/ARCHITECTURE_CONCELIER.md`.
+For more information of the architecture see `./docs/*ARCHITECTURE*.md` files.
 
 ---
 
@@ -118,9 +101,9 @@ You main characteristics:
 - **Directory ownership**: Each agent works **only inside its module directory**. Cross‑module edits require a brief handshake in issues/PR description.
 - **Scoping**: Use each module’s `AGENTS.md` and `TASKS.md` to plan; autonomous agents must read `src/AGENTS.md` and the module docs before acting.
 - **Determinism**: Sort keys, normalize timestamps to UTC ISO‑8601, avoid non‑deterministic data in exports and tests.
-- **Status tracking**: Update your module’s `TASKS.md` as you progress (TODO → DOING → DONE/BLOCKED). Before starting of actual work - ensure you have set the task to DOING. When complete or stop update the status in corresponding TASKS.md or in ./SPRINTS.md file.
+- **Status tracking**: Update your module’s `TASKS.md` as you progress (TODO → DOING → DONE/BLOCKED). Before starting of actual work - ensure you have set the task to DOING. When complete or stop update the status in corresponding TASKS.md and  in ./SPRINTS.md and ./EXECPLAN.md file.
 - **Coordination**: In case task is discovered as blocked on other team or task, according TASKS.md files that dependency is on needs to be changed by adding new tasks describing the requirement. the current task must be updated as completed.  In case task changes, scope or requirements or rules - other documentations needs be updated accordingly.
-- **Sprint synchronization**: When given task seek for relevant directory to work on from SPRINTS.md. Confirm its state on both SPRINTS.md and the relevant TODOS.md file. Always check the AGENTS.md in the relevant TODOS.md directory.
+- **Sprint synchronization**: When given task seek for relevant directory to work on from SPRINTS.md. Confirm its state on both SPRINTS.md and EXECPLAN.md and the relevant TASKS.md file. Always check the AGENTS.md in the relevant TASKS.md directory.
 - **Tests**: Add/extend fixtures and unit tests per change; never regress determinism or precedence.
 - **Test layout**: Use module-specific projects in `StellaOps.Concelier.<Component>.Tests`; shared fixtures/harnesses live in `StellaOps.Concelier.Testing`.
 - **Execution autonomous**: In case you need to continue with more than one options just continue sequentially, unless the continue requires design decision.

EXECPLAN.md

@@ -4,10 +4,10 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 ## Wave Instructions
 ### Wave 0
 - Team Attestor Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Attestor/TASKS.md`. Focus on ATTESTOR-API-11-201 (TODO), ATTESTOR-VERIFY-11-202 (TODO), ATTESTOR-OBS-11-203 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md.
-- Team Authority Core & Security Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Authority/TASKS.md`. Focus on AUTH-DPOP-11-001 (TODO), AUTH-MTLS-11-002 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md.
-- Team Authority Core & Storage Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Authority/TASKS.md`. Focus on AUTHSTORAGE-MONGO-08-001 (BLOCKED). Confirm prerequisites (none) before starting and report status in module TASKS.md.
+- Team Authority Core & Security Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Authority/TASKS.md`. Focus on AUTH-DPOP-11-001 (DOING 2025-10-19), AUTH-MTLS-11-002 (DOING 2025-10-19). Confirm prerequisites (none) before starting and report status in module TASKS.md.
+- Team Authority Core & Storage Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Authority/TASKS.md`. Focus on AUTHSTORAGE-MONGO-08-001 (DONE 2025-10-19). Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team DevEx/CLI: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Cli/TASKS.md`. Focus on EXCITITOR-CLI-01-002 (TODO), CLI-RUNTIME-13-005 (TODO). Confirm prerequisites (external: EXCITITOR-CLI-01-001, EXCITITOR-EXPORT-01-001) before starting and report status in module TASKS.md.
-- Team DevOps Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SEC-10-301 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md.
+- Team DevOps Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SEC-10-301 (DOING 2025-10-19); Wave 0A prerequisites reconfirmed so remediation work may proceed. Keep module TASKS.md/Sprints in sync as patches land.
 - Team Diff Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Scanner.Diff/TASKS.md`. Focus on SCANNER-DIFF-10-501 (TODO), SCANNER-DIFF-10-502 (TODO), SCANNER-DIFF-10-503 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team Docs Guild, Plugin Team: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on DOC4.AUTH-PDG (REVIEW). Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team Docs/CLI: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Cli/TASKS.md`. Focus on EXCITITOR-CLI-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-CLI-01-001) before starting and report status in module TASKS.md.
@@ -19,7 +19,7 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - Team Notify WebService Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Notify.WebService/TASKS.md`. Focus on NOTIFY-WEB-15-101 (TODO), NOTIFY-WEB-15-102 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team Platform Events Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on PLATFORM-EVENTS-09-401 (TODO). Confirm prerequisites (external: DOCS-EVENTS-09-003) before starting and report status in module TASKS.md.
 - Team Plugin Platform Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Plugin/TASKS.md`. Focus on PLUGIN-DI-08-001 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md.
-- Team Plugin Platform Guild, Authority Core: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Plugin/TASKS.md`. Focus on PLUGIN-DI-08-002 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md.
+- Team Plugin Platform Guild, Authority Core: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Plugin/TASKS.md`. Focus on PLUGIN-DI-08-002 (TODO); coordination session booked for 2025-10-20 to unblock implementation. Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team Policy Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Policy/TASKS.md`. Focus on POLICY-CORE-09-004 (TODO), POLICY-CORE-09-005 (TODO), POLICY-CORE-09-006 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team Runtime Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on RUNTIME-GUILD-09-402 (TODO). Confirm prerequisites (external: SCANNER-POLICY-09-107) before starting and report status in module TASKS.md.
 - Team Scanner WebService Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Scanner.WebService/TASKS.md`. Focus on SCANNER-EVENTS-15-201 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md.
@@ -39,11 +39,11 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - Team Team Excititor Connectors – Ubuntu: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-UBUNTU-01-002 (TODO). Confirm prerequisites (external: EXCITITOR-CONN-UBUNTU-01-001, EXCITITOR-STORAGE-01-003) before starting and report status in module TASKS.md.
 - Team Team Excititor Export: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Excititor.Export/TASKS.md`. Focus on EXCITITOR-EXPORT-01-005 (TODO). Confirm prerequisites (external: EXCITITOR-CORE-02-001, EXCITITOR-EXPORT-01-004) before starting and report status in module TASKS.md.
 - Team Team Excititor Formats: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Excititor.Formats.CSAF/TASKS.md`, `src/StellaOps.Excititor.Formats.CycloneDX/TASKS.md`, `src/StellaOps.Excititor.Formats.OpenVEX/TASKS.md`. Focus on EXCITITOR-FMT-CSAF-01-002 (TODO), EXCITITOR-FMT-CSAF-01-003 (TODO), EXCITITOR-FMT-CYCLONE-01-002 (TODO), EXCITITOR-FMT-CYCLONE-01-003 (TODO), EXCITITOR-FMT-OPENVEX-01-002 (TODO), EXCITITOR-FMT-OPENVEX-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-EXPORT-01-001, EXCITITOR-FMT-CSAF-01-001, EXCITITOR-FMT-CYCLONE-01-001, EXCITITOR-FMT-OPENVEX-01-001, EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md.
-- Team Team Excititor Storage: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Excititor.Storage.Mongo/TASKS.md`. Focus on EXCITITOR-STORAGE-MONGO-08-001 (TODO), EXCITITOR-STORAGE-03-001 (TODO). Confirm prerequisites (external: EXCITITOR-STORAGE-01-003, EXCITITOR-STORAGE-02-001) before starting and report status in module TASKS.md.
+- Team Team Excititor Storage: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Excititor.Storage.Mongo/TASKS.md`. Focus on EXCITITOR-STORAGE-MONGO-08-001 (DONE 2025-10-19), EXCITITOR-STORAGE-03-001 (TODO). Confirm prerequisites (external: EXCITITOR-STORAGE-01-003, EXCITITOR-STORAGE-02-001) before starting and report status in module TASKS.md.
 - Team Team Excititor WebService: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Excititor.WebService/TASKS.md`. Focus on EXCITITOR-WEB-01-002 (TODO), EXCITITOR-WEB-01-003 (TODO), EXCITITOR-WEB-01-004 (TODO). Confirm prerequisites (external: EXCITITOR-ATTEST-01-001, EXCITITOR-EXPORT-01-001, EXCITITOR-WEB-01-001) before starting and report status in module TASKS.md.
 - Team Team Excititor Worker: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Excititor.Worker/TASKS.md`. Focus on EXCITITOR-WORKER-01-002 (TODO), EXCITITOR-WORKER-01-004 (TODO), EXCITITOR-WORKER-02-001 (TODO). Confirm prerequisites (external: EXCITITOR-CORE-02-001, EXCITITOR-WORKER-01-001) before starting and report status in module TASKS.md.
-- Team Team Merge & QA Enforcement: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Concelier.Merge/TASKS.md`. Focus on FEEDMERGE-COORD-02-900 (DOING). Confirm prerequisites (none) before starting and report status in module TASKS.md.
-- Team Team Normalization & Storage Backbone: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Concelier.Storage.Mongo/TASKS.md`. Focus on FEEDSTORAGE-MONGO-08-001 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md.
+- Team Team Merge & QA Enforcement: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Concelier.Merge/TASKS.md`. Focus on FEEDMERGE-COORD-02-900 (DOING). Confirm prerequisites (none) before starting and report status in module TASKS.md. **2025-10-19:** Coordination refreshed; connector owners notified and TASKS.md entries updated.
+- Team Team Normalization & Storage Backbone: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Concelier.Storage.Mongo/TASKS.md`. Focus on FEEDSTORAGE-MONGO-08-001 (DONE 2025-10-19). Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team Team WebService & Authority: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md`, `src/StellaOps.Concelier.WebService/TASKS.md`. Focus on SEC2.PLG (DOING), SEC3.PLG (DOING), SEC5.PLG (DOING), PLG4-6.CAPABILITIES (BLOCKED), PLG6.DIAGRAM (TODO), PLG7.RFC (REVIEW), FEEDWEB-DOCS-01-001 (DOING), FEEDWEB-OPS-01-006 (TODO), FEEDWEB-OPS-01-007 (BLOCKED). Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team Tools Guild, BE-Conn-MSRC: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Concelier.Connector.Common/TASKS.md`. Focus on FEEDCONN-SHARED-STATE-003 (**TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team UX Specialist, Angular Eng: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Web/TASKS.md`. Focus on WEB1.TRIVY-SETTINGS (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md.
@@ -60,7 +60,7 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - Team Licensing Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/licensing/TASKS.md`. Focus on DEVOPS-LIC-14-004 (TODO). Confirm prerequisites (internal: AUTH-MTLS-11-002 (Wave 0)) before starting and report status in module TASKS.md.
 - Team Notify Engine Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-301 (TODO). Confirm prerequisites (internal: NOTIFY-MODELS-15-101 (Wave 0)) before starting and report status in module TASKS.md.
 - Team Notify Queue Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Notify.Queue/TASKS.md`. Focus on NOTIFY-QUEUE-15-401 (TODO). Confirm prerequisites (internal: NOTIFY-MODELS-15-101 (Wave 0)) before starting and report status in module TASKS.md.
-- Team Notify WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Notify.WebService/TASKS.md`. Focus on NOTIFY-WEB-15-103 (TODO). Confirm prerequisites (internal: NOTIFY-WEB-15-102 (Wave 0)) before starting and report status in module TASKS.md.
+- Team Notify WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Notify.WebService/TASKS.md`. Focus on NOTIFY-WEB-15-103 (DONE). Confirm prerequisites (internal: NOTIFY-WEB-15-102 (Wave 0)) before starting and report status in module TASKS.md.
 - Team Scanner WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Scanner.WebService/TASKS.md`. Focus on SCANNER-RUNTIME-12-301 (TODO). Confirm prerequisites (internal: ZASTAVA-CORE-12-201 (Wave 0)) before starting and report status in module TASKS.md.
 - Team Scheduler ImpactIndex Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Scheduler.ImpactIndex/TASKS.md`. Focus on SCHED-IMPACT-16-301 (TODO). Confirm prerequisites (internal: SCANNER-EMIT-10-605 (Wave 0)) before starting and report status in module TASKS.md.
 - Team Scheduler Queue Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Scheduler.Queue/TASKS.md`. Focus on SCHED-QUEUE-16-402 (TODO), SCHED-QUEUE-16-403 (TODO). Confirm prerequisites (internal: SCHED-QUEUE-16-401 (Wave 0)) before starting and report status in module TASKS.md.
@@ -74,14 +74,14 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - Team Team Excititor Connectors – Ubuntu: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-UBUNTU-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-UBUNTU-01-002 (Wave 0); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md.
 - Team Team Excititor Export: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Excititor.Export/TASKS.md`. Focus on EXCITITOR-EXPORT-01-006 (TODO). Confirm prerequisites (internal: EXCITITOR-EXPORT-01-005 (Wave 0), POLICY-CORE-09-005 (Wave 0)) before starting and report status in module TASKS.md.
 - Team Team Excititor Worker: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Excititor.Worker/TASKS.md`. Focus on EXCITITOR-WORKER-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-ATTEST-01-003 (Wave 0); external: EXCITITOR-EXPORT-01-002, EXCITITOR-WORKER-01-001) before starting and report status in module TASKS.md.
-- Team UI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.UI/TASKS.md`. Focus on UI-ATTEST-11-005 (TODO), UI-VEX-13-003 (TODO), UI-POLICY-13-007 (TODO), UI-ADMIN-13-004 (TODO), UI-AUTH-13-001 (TODO), UI-SCANS-13-002 (TODO), UI-NOTIFY-13-006 (TODO), UI-SCHED-13-005 (TODO). Confirm prerequisites (internal: ATTESTOR-API-11-201 (Wave 0), AUTH-DPOP-11-001 (Wave 0), AUTH-MTLS-11-002 (Wave 0), EXCITITOR-EXPORT-01-005 (Wave 0), NOTIFY-WEB-15-101 (Wave 0), POLICY-CORE-09-006 (Wave 0), SCHED-WEB-16-101 (Wave 0), SIGNER-API-11-101 (Wave 0); external: EXCITITOR-CORE-02-001, SCANNER-WEB-09-102, SCANNER-WEB-09-103) before starting and report status in module TASKS.md.
+- Team UI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.UI/TASKS.md`. Focus on UI-ATTEST-11-005 (TODO), UI-VEX-13-003 (TODO), UI-POLICY-13-007 (TODO), UI-ADMIN-13-004 (TODO), UI-AUTH-13-001 (TODO), UI-SCANS-13-002 (TODO), UI-NOTIFY-13-006 (DOING), UI-SCHED-13-005 (TODO). Confirm prerequisites (internal: ATTESTOR-API-11-201 (Wave 0), AUTH-DPOP-11-001 (Wave 0), AUTH-MTLS-11-002 (Wave 0), EXCITITOR-EXPORT-01-005 (Wave 0), NOTIFY-WEB-15-101 (Wave 0), POLICY-CORE-09-006 (Wave 0), SCHED-WEB-16-101 (Wave 0), SIGNER-API-11-101 (Wave 0); external: EXCITITOR-CORE-02-001, SCANNER-WEB-09-102, SCANNER-WEB-09-103) before starting and report status in module TASKS.md.
 - Team Zastava Observer Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Zastava.Observer/TASKS.md`. Focus on ZASTAVA-OBS-12-001 (TODO). Confirm prerequisites (internal: ZASTAVA-CORE-12-201 (Wave 0)) before starting and report status in module TASKS.md.
 
 ### Wave 2
 - Team Bench Guild, Notify Team: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `bench/TASKS.md`. Focus on BENCH-NOTIFY-15-001 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-301 (Wave 1)) before starting and report status in module TASKS.md.
 - Team Bench Guild, Scheduler Team: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `bench/TASKS.md`. Focus on BENCH-IMPACT-16-001 (TODO). Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1)) before starting and report status in module TASKS.md.
 - Team Deployment Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/deployment/TASKS.md`. Focus on DEVOPS-OPS-14-003 (TODO). Confirm prerequisites (internal: DEVOPS-REL-14-001 (Wave 1)) before starting and report status in module TASKS.md.
-- Team DevOps Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-MIRROR-08-001 (TODO), DEVOPS-PERF-10-002 (TODO), DEVOPS-REL-17-002 (TODO). Confirm prerequisites (internal: BENCH-SCANNER-10-002 (Wave 1), DEVOPS-REL-14-001 (Wave 1), SCANNER-EMIT-17-701 (Wave 1)) before starting and report status in module TASKS.md.
+- Team DevOps Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-MIRROR-08-001 (DONE 2025-10-19), DEVOPS-PERF-10-002 (TODO), DEVOPS-REL-17-002 (TODO). Confirm prerequisites (internal: BENCH-SCANNER-10-002 (Wave 1), DEVOPS-REL-14-001 (Wave 1), SCANNER-EMIT-17-701 (Wave 1)) before starting and report status in module TASKS.md.
 - Team DevOps Guild, Notify Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SCANNER-09-205 (TODO). Confirm prerequisites (internal: DEVOPS-SCANNER-09-204 (Wave 1)) before starting and report status in module TASKS.md.
 - Team Notify Engine Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-302 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-301 (Wave 1)) before starting and report status in module TASKS.md.
 - Team Notify Queue Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Notify.Queue/TASKS.md`. Focus on NOTIFY-QUEUE-15-403 (TODO), NOTIFY-QUEUE-15-402 (TODO). Confirm prerequisites (internal: NOTIFY-QUEUE-15-401 (Wave 1)) before starting and report status in module TASKS.md.
@@ -121,7 +121,7 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 
 ### Wave 5
 - Team Excititor Connectors – Stella: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`. Focus on EXCITITOR-CONN-STELLA-07-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-STELLA-07-002 (Wave 4)) before starting and report status in module TASKS.md.
-- Team Notify Connectors Guild: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/StellaOps.Notify.Connectors.Email/TASKS.md`, `src/StellaOps.Notify.Connectors.Slack/TASKS.md`, `src/StellaOps.Notify.Connectors.Teams/TASKS.md`, `src/StellaOps.Notify.Connectors.Webhook/TASKS.md`. Focus on NOTIFY-CONN-SLACK-15-502 (TODO), NOTIFY-CONN-TEAMS-15-602 (TODO), NOTIFY-CONN-EMAIL-15-702 (TODO), NOTIFY-CONN-WEBHOOK-15-802 (TODO). Confirm prerequisites (internal: NOTIFY-CONN-EMAIL-15-701 (Wave 4), NOTIFY-CONN-SLACK-15-501 (Wave 4), NOTIFY-CONN-TEAMS-15-601 (Wave 4), NOTIFY-CONN-WEBHOOK-15-801 (Wave 4)) before starting and report status in module TASKS.md.
+- Team Notify Connectors Guild: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/StellaOps.Notify.Connectors.Email/TASKS.md`, `src/StellaOps.Notify.Connectors.Slack/TASKS.md`, `src/StellaOps.Notify.Connectors.Teams/TASKS.md`, `src/StellaOps.Notify.Connectors.Webhook/TASKS.md`. Focus on NOTIFY-CONN-SLACK-15-502 (DOING), NOTIFY-CONN-TEAMS-15-602 (DOING), NOTIFY-CONN-EMAIL-15-702 (DOING), NOTIFY-CONN-WEBHOOK-15-802 (DOING). Confirm prerequisites (internal: NOTIFY-CONN-EMAIL-15-701 (Wave 4), NOTIFY-CONN-SLACK-15-501 (Wave 4), NOTIFY-CONN-TEAMS-15-601 (Wave 4), NOTIFY-CONN-WEBHOOK-15-801 (Wave 4)) before starting and report status in module TASKS.md.
 - Team Scanner WebService Guild: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/StellaOps.Scanner.WebService/TASKS.md`. Focus on SCANNER-RUNTIME-17-401 (TODO). Confirm prerequisites (internal: POLICY-RUNTIME-17-201 (Wave 4), SCANNER-EMIT-17-701 (Wave 1), SCANNER-RUNTIME-12-301 (Wave 1), ZASTAVA-OBS-17-005 (Wave 3)) before starting and report status in module TASKS.md.
 - Team TBD: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. Focus on SCANNER-ANALYZERS-LANG-10-308D (TODO), SCANNER-ANALYZERS-LANG-10-308G (TODO), SCANNER-ANALYZERS-LANG-10-308P (TODO), SCANNER-ANALYZERS-LANG-10-308R (TODO). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-307D (Wave 4), SCANNER-ANALYZERS-LANG-10-307G (Wave 4), SCANNER-ANALYZERS-LANG-10-307P (Wave 4), SCANNER-ANALYZERS-LANG-10-307R (Wave 4)) before starting and report status in module TASKS.md.
 
@@ -130,7 +130,7 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - Team TBD: read EXECPLAN.md Wave 6 and SPRINTS.md rows for `src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. Focus on SCANNER-ANALYZERS-LANG-10-309D (TODO), SCANNER-ANALYZERS-LANG-10-309G (TODO), SCANNER-ANALYZERS-LANG-10-309P (TODO), SCANNER-ANALYZERS-LANG-10-309R (TODO). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-308D (Wave 5), SCANNER-ANALYZERS-LANG-10-308G (Wave 5), SCANNER-ANALYZERS-LANG-10-308P (Wave 5), SCANNER-ANALYZERS-LANG-10-308R (Wave 5)) before starting and report status in module TASKS.md.
 
 ### Wave 7
-- Team Team Core Engine & Storage Analytics: read EXECPLAN.md Wave 7 and SPRINTS.md rows for `src/StellaOps.Concelier.Core/TASKS.md`. Focus on FEEDCORE-ENGINE-07-001 (TODO). Confirm prerequisites (internal: FEEDSTORAGE-DATA-07-001 (Wave 10)) before starting and report status in module TASKS.md.
+- Team Team Core Engine & Storage Analytics: read EXECPLAN.md Wave 7 and SPRINTS.md rows for `src/StellaOps.Concelier.Core/TASKS.md`. Focus on FEEDCORE-ENGINE-07-001 (DONE 2025-10-19). Confirm prerequisites (internal: FEEDSTORAGE-DATA-07-001 (Wave 10)) before starting and report status in module TASKS.md.
 
 ### Wave 8
 - Team Team Core Engine & Data Science: read EXECPLAN.md Wave 8 and SPRINTS.md rows for `src/StellaOps.Concelier.Core/TASKS.md`. Focus on FEEDCORE-ENGINE-07-002 (TODO). Confirm prerequisites (internal: FEEDCORE-ENGINE-07-001 (Wave 7)) before starting and report status in module TASKS.md.
@@ -148,7 +148,7 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - Team Concelier Export Guild: read EXECPLAN.md Wave 12 and SPRINTS.md rows for `src/StellaOps.Concelier.Exporter.Json/TASKS.md`. Focus on CONCELIER-EXPORT-08-201 (TODO). Confirm prerequisites (internal: FEEDCORE-ENGINE-07-001 (Wave 7)) before starting and report status in module TASKS.md.
 
 ### Wave 13
-- Team Concelier Export Guild: read EXECPLAN.md Wave 13 and SPRINTS.md rows for `src/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md`. Focus on CONCELIER-EXPORT-08-202 (TODO). Confirm prerequisites (internal: CONCELIER-EXPORT-08-201 (Wave 12)) before starting and report status in module TASKS.md.
+- Team Concelier Export Guild: read EXECPLAN.md Wave 13 and SPRINTS.md rows for `src/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md`. Focus on CONCELIER-EXPORT-08-202 (DONE 2025-10-19). Confirm prerequisites (internal: CONCELIER-EXPORT-08-201 (Wave 12)) before starting and report status in module TASKS.md.
 
 ### Wave 14
 - Team Concelier WebService Guild: read EXECPLAN.md Wave 14 and SPRINTS.md rows for `src/StellaOps.Concelier.WebService/TASKS.md`. Focus on CONCELIER-WEB-08-201 (TODO). Confirm prerequisites (internal: CONCELIER-EXPORT-08-201 (Wave 12), DEVOPS-MIRROR-08-001 (Wave 2)) before starting and report status in module TASKS.md.
@@ -210,7 +210,7 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
       1. [DOING] FEEDWEB-DOCS-01-001 — Document authority toggle & scope requirements — Quickstart updates are staged; awaiting Docs guild review before publishing operator guide refresh.
          • Prereqs: —
          • Current: DOING (2025-10-10)
-      2. [TODO] FEEDWEB-OPS-01-006 — Rename plugin drop directory to namespaced path — Repoint build outputs to `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`, update PluginHost defaults, Offline Kit packaging, and operator docs.
+      2. [DONE] FEEDWEB-OPS-01-006 — Rename plugin drop directory to namespaced path — Build outputs now target `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`, plugin host defaults updated, and docs/tests refreshed (see `dotnet test src/StellaOps.Concelier.WebService.Tests/StellaOps.Concelier.WebService.Tests.csproj --no-restore`).
          • Prereqs: —
          • Current: TODO
       3. [BLOCKED] FEEDWEB-OPS-01-007 — Authority resilience adoption — Roll out retry/offline knobs to deployment docs and align CLI parity once LIB5 resilience options land; unblock when library release is available and docs review completes.
@@ -319,25 +319,25 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - **Sprint 8** · Mongo strengthening
   - Team: Authority Core & Storage Guild
     - Path: `src/StellaOps.Authority/TASKS.md`
-      1. [BLOCKED] AUTHSTORAGE-MONGO-08-001 — Harden Authority Mongo usage — Scoped sessions with causal consistency pending rate-limiter stream updates; resume once plugin lockout telemetry stabilises.
+      1. [DONE] AUTHSTORAGE-MONGO-08-001 — Harden Authority Mongo usage — Scoped Mongo sessions with majority read/write concerns wired through stores and GraphQL/HTTP pipelines; replica-set election regression validated.
          • Prereqs: —
          • Current: BLOCKED (2025-10-19)
   - Team: Team Excititor Storage
     - Path: `src/StellaOps.Excititor.Storage.Mongo/TASKS.md`
-      1. [TODO] EXCITITOR-STORAGE-MONGO-08-001 — EXCITITOR-STORAGE-MONGO-08-001 – Session + causal consistency hardening
+      1. [DONE 2025-10-19] EXCITITOR-STORAGE-MONGO-08-001 — Session + causal consistency hardening shipped with scoped session provider, repository updates, and replica-set consistency tests (`dotnet test src/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj`)
          • Prereqs: EXCITITOR-STORAGE-01-003 (external/completed)
-         • Current: TODO – Register Mongo client/database with majority read/write concerns, expose scoped session helper enabling causal consistency, thread session handles through raw/export/consensus/cache stores (including GridFS reads), and extend integration tests to verify read-your-write semantics during replica-set failover.
+         • Current: DONE – Scoped sessions with causal consistency in place; repositories/tests updated for deterministic read-your-write semantics.
   - Team: Team Normalization & Storage Backbone
     - Path: `src/StellaOps.Concelier.Storage.Mongo/TASKS.md`
-      1. [TODO] FEEDSTORAGE-MONGO-08-001 — Causal-consistent Concelier storage sessions — Ensure `AddMongoStorage` registers a scoped session facilitator (causal consistency + majority concerns), update repositories to accept optional session handles, and add integration coverage proving read-your-write and monotonic reads across a replica set/election scenario.
+      1. [DONE] FEEDSTORAGE-MONGO-08-001 — Causal-consistent Concelier storage sessions — Scoped session facilitator registered, repositories accept optional session handles, and replica-set failover tests verify read-your-write + monotonic reads.
          • Prereqs: —
          • Current: TODO
 - **Sprint 8** · Platform Maintenance
   - Team: Team Excititor Storage
     - Path: `src/StellaOps.Excititor.Storage.Mongo/TASKS.md`
-      1. [TODO] EXCITITOR-STORAGE-03-001 — EXCITITOR-STORAGE-03-001 – Statement backfill tooling
+      1. [DONE 2025-10-19] EXCITITOR-STORAGE-03-001 — Statement backfill tooling
          • Prereqs: EXCITITOR-STORAGE-02-001 (external/completed)
-         • Current: TODO – Provide CLI/scripted tooling to replay historical statements into `vex.statements` (leveraging `/excititor/statements`), document operational runbook, and add smoke test verifying replayed data includes severity/KEV/EPSS signals.
+         • Current: DONE – Admin backfill endpoint, CLI command (`stellaops excititor backfill-statements`), integration coverage, and operator runbook published; further automation tracked separately if needed.
   - Team: Team Excititor Worker
     - Path: `src/StellaOps.Excititor.Worker/TASKS.md`
       1. [TODO] EXCITITOR-WORKER-02-001 — EXCITITOR-WORKER-02-001 – Resolve Microsoft.Extensions.Caching.Memory advisory
@@ -351,7 +351,7 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
          • Current: TODO
   - Team: Plugin Platform Guild, Authority Core
     - Path: `src/StellaOps.Plugin/TASKS.md`
-      1. [TODO] PLUGIN-DI-08-002 — Update Authority plugin integration — Flow scoped services through identity-provider registrars, bootstrap flows, and background jobs; add regression coverage around scoped lifetimes.
+      1. [TODO] PLUGIN-DI-08-002 — Update Authority plugin integration — Flow scoped services through identity-provider registrars, bootstrap flows, and background jobs; add regression coverage around scoped lifetimes. (Coordination session set for 2025-10-20 15:00–16:00 UTC; document outcomes before implementation.)
          • Prereqs: —
          • Current: TODO
 - **Sprint 9** · Docs & Governance
@@ -386,7 +386,7 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - **Sprint 10** · DevOps Perf
   - Team: DevOps Guild
     - Path: `ops/devops/TASKS.md`
-      1. [TODO] DEVOPS-SEC-10-301 — Address NU1902/NU1903 advisories for `MongoDB.Driver` 2.12.0 and `SharpCompress` 0.23.0 surfaced during scanner cache and worker test runs.
+      1. [DOING] DEVOPS-SEC-10-301 — Address NU1902/NU1903 advisories for `MongoDB.Driver` 2.12.0 and `SharpCompress` 0.23.0 surfaced during scanner cache and worker test runs (Wave 0A prerequisites cleared; remediation in progress).
          • Prereqs: —
          • Current: TODO
 - **Sprint 10** · Scanner Analyzers & SBOM
@@ -473,12 +473,12 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
          • Current: TODO
   - Team: Authority Core & Security Guild
     - Path: `src/StellaOps.Authority/TASKS.md`
-      1. [TODO] AUTH-DPOP-11-001 — Implement DPoP proof validation + nonce handling for high-value audiences per architecture.
+      1. [DOING] AUTH-DPOP-11-001 — Implement DPoP proof validation + nonce handling for high-value audiences per architecture.
          • Prereqs: —
-         • Current: TODO
-      2. [TODO] AUTH-MTLS-11-002 — Add OAuth mTLS client credential support with certificate-bound tokens and introspection updates.
+         • Current: DOING (2025-10-19)
+      2. [DOING] AUTH-MTLS-11-002 — Add OAuth mTLS client credential support with certificate-bound tokens and introspection updates.
          • Prereqs: —
-         • Current: TODO
+         • Current: DOING (2025-10-19)
   - Team: Signer Guild
     - Path: `src/StellaOps.Signer/TASKS.md`
       1. [TODO] SIGNER-API-11-101 — `/sign/dsse` pipeline with Authority auth, PoE introspection, release verification, DSSE signing.
@@ -718,7 +718,7 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
       5. [TODO] UI-SCANS-13-002 — Build scans module (list/detail/SBOM/diff/attestation) with performance + accessibility targets.
          • Prereqs: SCANNER-WEB-09-102 (external/completed), SIGNER-API-11-101 (Wave 0)
          • Current: TODO
-      6. [TODO] UI-NOTIFY-13-006 — Notify panel: channels/rules CRUD, deliveries view, test send integration.
+      6. [DOING] UI-NOTIFY-13-006 — Notify panel: channels/rules CRUD, deliveries view, test send integration.
          • Prereqs: NOTIFY-WEB-15-101 (Wave 0)
          • Current: TODO
       7. [TODO] UI-SCHED-13-005 — Scheduler panel: schedules CRUD, run history, dry-run preview using API/mocks.
@@ -748,7 +748,7 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
          • Current: TODO
   - Team: Notify WebService Guild
     - Path: `src/StellaOps.Notify.WebService/TASKS.md`
-      1. [TODO] NOTIFY-WEB-15-103 — Delivery history + test-send endpoints with rate limits.
+      1. [DONE] NOTIFY-WEB-15-103 — Delivery history + test-send endpoints with rate limits.
          • Prereqs: NOTIFY-WEB-15-102 (Wave 0)
          • Current: TODO
 - **Sprint 16** · Scheduler Intelligence
@@ -809,9 +809,9 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - **Sprint 8** · Mirror Distribution
   - Team: DevOps Guild
     - Path: `ops/devops/TASKS.md`
-      1. [TODO] DEVOPS-MIRROR-08-001 — Stand up managed mirror profiles for `*.stella-ops.org` (Concelier/Excititor), including Helm/Compose overlays, multi-tenant secrets, CDN caching, and sync documentation.
+      1. [DONE] DEVOPS-MIRROR-08-001 — Stand up managed mirror profiles for `*.stella-ops.org` (Concelier/Excititor), including Helm/Compose overlays, multi-tenant secrets, CDN caching, and sync documentation.
          • Prereqs: DEVOPS-REL-14-001 (Wave 1)
-         • Current: TODO
+         • Current: DONE (2025-10-19)
 - **Sprint 9** · DevOps Foundations
   - Team: DevOps Guild, Notify Guild
     - Path: `ops/devops/TASKS.md`
@@ -1121,19 +1121,19 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - **Sprint 15** · Notify Foundations
   - Team: Notify Connectors Guild
     - Path: `src/StellaOps.Notify.Connectors.Email/TASKS.md`
-      1. [TODO] NOTIFY-CONN-EMAIL-15-702 — Add DKIM signing optional support and health/test-send flows.
+      1. [DOING] NOTIFY-CONN-EMAIL-15-702 — Add DKIM signing optional support and health/test-send flows.
          • Prereqs: NOTIFY-CONN-EMAIL-15-701 (Wave 4)
          • Current: TODO
     - Path: `src/StellaOps.Notify.Connectors.Slack/TASKS.md`
-      1. [TODO] NOTIFY-CONN-SLACK-15-502 — Health check & test-send support with minimal scopes and redacted tokens.
+      1. [DOING] NOTIFY-CONN-SLACK-15-502 — Health check & test-send support with minimal scopes and redacted tokens.
          • Prereqs: NOTIFY-CONN-SLACK-15-501 (Wave 4)
          • Current: TODO
     - Path: `src/StellaOps.Notify.Connectors.Teams/TASKS.md`
-      1. [TODO] NOTIFY-CONN-TEAMS-15-602 — Provide health/test-send support with fallback text for legacy clients.
+      1. [DOING] NOTIFY-CONN-TEAMS-15-602 — Provide health/test-send support with fallback text for legacy clients.
          • Prereqs: NOTIFY-CONN-TEAMS-15-601 (Wave 4)
          • Current: TODO
     - Path: `src/StellaOps.Notify.Connectors.Webhook/TASKS.md`
-      1. [TODO] NOTIFY-CONN-WEBHOOK-15-802 — Health/test-send support with signature validation hints and secret management.
+      1. [DOING] NOTIFY-CONN-WEBHOOK-15-802 — Health/test-send support with signature validation hints and secret management.
          • Prereqs: NOTIFY-CONN-WEBHOOK-15-801 (Wave 4)
          • Current: TODO
 - **Sprint 17** · Symbol Intelligence & Forensics
@@ -1185,9 +1185,9 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - **Sprint 7** · Contextual Truth Foundations
   - Team: Team Core Engine & Storage Analytics
     - Path: `src/StellaOps.Concelier.Core/TASKS.md`
-      1. [TODO] FEEDCORE-ENGINE-07-001 — FEEDCORE-ENGINE-07-001 – Advisory event log & asOf queries
+      1. [DONE] FEEDCORE-ENGINE-07-001 — FEEDCORE-ENGINE-07-001 – Advisory event log & asOf queries
          • Prereqs: FEEDSTORAGE-DATA-07-001 (Wave 10)
-         • Current: TODO – Introduce immutable advisory statement events, expose `asOf` query surface for merge/export pipelines, and document determinism guarantees for replay.
+         • Current: DONE (2025-10-19) – `AdvisoryEventLog` service and repository abstractions landed with canonical hashing, lower-cased keys, replay API, and doc updates. Tests: `dotnet test src/StellaOps.Concelier.Core.Tests/StellaOps.Concelier.Core.Tests.csproj`.
 
 ## Wave 8 — 1 task(s) ready after Wave 7
 - **Sprint 7** · Contextual Truth Foundations
@@ -1225,33 +1225,33 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - **Sprint 8** · Mirror Distribution
   - Team: Concelier Export Guild
     - Path: `src/StellaOps.Concelier.Exporter.Json/TASKS.md`
-      1. [TODO] CONCELIER-EXPORT-08-201 — CONCELIER-EXPORT-08-201 – Mirror bundle + domain manifest
+      1. [DONE] CONCELIER-EXPORT-08-201 — CONCELIER-EXPORT-08-201 – Mirror bundle + domain manifest
          • Prereqs: FEEDCORE-ENGINE-07-001 (Wave 7)
-         • Current: TODO – Produce per-domain aggregate bundles (JSON + manifest) with deterministic digests, include upstream source metadata, and publish index consumed by mirror endpoints/tests.
+         • Current: DONE (2025-10-19) – Mirror bundles + manifests + signed index shipped; regression coverage via `dotnet test src/StellaOps.Concelier.Exporter.Json.Tests/StellaOps.Concelier.Exporter.Json.Tests.csproj` (2025-10-19).
 
 ## Wave 13 — 1 task(s) ready after Wave 12
 - **Sprint 8** · Mirror Distribution
   - Team: Concelier Export Guild
     - Path: `src/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md`
-      1. [TODO] CONCELIER-EXPORT-08-202 — CONCELIER-EXPORT-08-202 – Mirror-ready Trivy DB bundles
+      1. [DONE] CONCELIER-EXPORT-08-202 — CONCELIER-EXPORT-08-202 – Mirror-ready Trivy DB bundles
          • Prereqs: CONCELIER-EXPORT-08-201 (Wave 12)
-         • Current: TODO – Generate domain-specific Trivy DB archives + metadata manifest, ensure deterministic digests, and document sync process for downstream Concelier nodes.
+         • Current: DONE (2025-10-19) – Trivy exporter mirror options produce `mirror/index.json` plus per-domain manifest/metadata/db files with reproducible SHA-256 digests; validated via `dotnet test src/StellaOps.Concelier.Exporter.TrivyDb.Tests/StellaOps.Concelier.Exporter.TrivyDb.Tests.csproj`.
 
 ## Wave 14 — 1 task(s) ready after Wave 13
 - **Sprint 8** · Mirror Distribution
   - Team: Concelier WebService Guild
     - Path: `src/StellaOps.Concelier.WebService/TASKS.md`
-      1. [TODO] CONCELIER-WEB-08-201 — CONCELIER-WEB-08-201 – Mirror distribution endpoints
+      1. [DOING] CONCELIER-WEB-08-201 — CONCELIER-WEB-08-201 – Mirror distribution endpoints
          • Prereqs: CONCELIER-EXPORT-08-201 (Wave 12), DEVOPS-MIRROR-08-001 (Wave 2)
-         • Current: TODO – Add domain-scoped mirror configuration (`*.stella-ops.org`), expose signed export index/download APIs with quota and auth, and document sync workflow for downstream Concelier instances.
+         • Current: DOING (2025-10-19) – Wiring API surface against exporter-delivered `mirror/index.json` + signed bundles, layering quota/auth and updating docs/test fixtures for downstream sync.
 
 ## Wave 15 — 1 task(s) ready after Wave 14
 - **Sprint 8** · Mirror Distribution
   - Team: BE-Conn-Stella
     - Path: `src/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md`
-      1. [TODO] FEEDCONN-STELLA-08-001 — Implement Concelier mirror fetcher hitting `https://<domain>.stella-ops.org/concelier/exports/index.json`, verify signatures/digests, and persist raw documents with provenance.
+      1. [DOING] FEEDCONN-STELLA-08-001 — Implement Concelier mirror fetcher hitting `https://<domain>.stella-ops.org/concelier/exports/index.json`, verify signatures/digests, and persist raw documents with provenance.
          • Prereqs: CONCELIER-EXPORT-08-201 (Wave 12)
-         • Current: TODO
+         • Current: DOING (2025-10-19) – Client consuming new signed mirror bundles/index, standing up verification + storage plumbing ahead of DTO mapping.
 
 ## Wave 16 — 1 task(s) ready after Wave 15
 - **Sprint 8** · Mirror Distribution

Mongo2Go-4.1.0/src/Mongo2Go/Mongo2Go.csproj

@@ -76,6 +76,7 @@ Mongo2Go has two use cases:
     <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.0.0" PrivateAssets="all" />
     <PackageReference Include="MinVer" Version="2.5.0" PrivateAssets="all" />
     <PackageReference Include="MongoDB.Driver" Version="3.5.0" />
+    <PackageReference Include="SharpCompress" Version="0.41.0" />
     <PackageReference Include="System.Text.Json" Version="6.0.10" />
     <PackageReference Include="Microsoft.NETFramework.ReferenceAssemblies" Version="1.0.3" PrivateAssets="all" />
   </ItemGroup>

Mongo2Go-4.1.0/src/Mongo2Go/packages.lock.json

@@ -39,13 +39,13 @@
       },
       "MongoDB.Driver": {
         "type": "Direct",
-        "requested": "[3.1.0, )",
-        "resolved": "3.1.0",
-        "contentHash": "+O7lKaIl7VUHptE0hqTd7UY1G5KDp/o8S4upG7YL4uChMNKD/U6tz9i17nMGHaD/L2AiPLgaJcaDe2XACsegGA==",
+        "requested": "[3.5.0, )",
+        "resolved": "3.5.0",
+        "contentHash": "ST90u7psyMkNNOWFgSkexsrB3kPn7Ynl2DlMFj2rJyYuc6SIxjmzu4ufy51yzM+cPVE1SvVcdb5UFobrRw6cMg==",
         "dependencies": {
           "DnsClient": "1.6.1",
           "Microsoft.Extensions.Logging.Abstractions": "2.0.0",
-          "MongoDB.Bson": "3.1.0",
+          "MongoDB.Bson": "3.5.0",
           "SharpCompress": "0.30.1",
           "Snappier": "1.0.0",
           "System.Buffers": "4.5.1",
@@ -54,6 +54,19 @@
           "ZstdSharp.Port": "0.7.3"
         }
       },
+      "SharpCompress": {
+        "type": "Direct",
+        "requested": "[0.41.0, )",
+        "resolved": "0.41.0",
+        "contentHash": "z04dBVdTIAFTRKi38f0LkajaKA++bR+M8kYCbasXePILD2H+qs7CkLpyiippB24CSbTrWIgpBKm6BenZqkUwvw==",
+        "dependencies": {
+          "Microsoft.Bcl.AsyncInterfaces": "8.0.0",
+          "System.Buffers": "4.6.0",
+          "System.Memory": "4.6.0",
+          "System.Text.Encoding.CodePages": "8.0.0",
+          "ZstdSharp.Port": "0.8.6"
+        }
+      },
       "System.Text.Json": {
         "type": "Direct",
         "requested": "[6.0.10, )",
@@ -81,8 +94,8 @@
       },
       "Microsoft.Bcl.AsyncInterfaces": {
         "type": "Transitive",
-        "resolved": "6.0.0",
-        "contentHash": "UcSjPsst+DfAdJGVDsu346FX0ci0ah+lw3WRtn18NUwEqRt70HaOQ7lI72vy3+1LxtqI3T5GWwV39rQSrCzAeg==",
+        "resolved": "8.0.0",
+        "contentHash": "3WA9q9yVqJp222P3x1wYIGDAkpjAku0TMUaaQV22g6L67AI0LdOIrVS7Ht2vJfLHGSPVuqN94vIr15qn+HEkHw==",
         "dependencies": {
           "System.Threading.Tasks.Extensions": "4.5.4"
         }
@@ -113,22 +126,13 @@
       },
       "MongoDB.Bson": {
         "type": "Transitive",
-        "resolved": "3.1.0",
-        "contentHash": "3dhaZhz18B5vUoEP13o2j8A6zQfkHdZhwBvLZEjDJum4BTLLv1/Z8bt25UQEtpqvYwLgde4R6ekWZ7XAYUMxuw==",
+        "resolved": "3.5.0",
+        "contentHash": "JGNK6BanLDEifgkvPLqVFCPus5EDCy416pxf1dxUBRSVd3D9+NB3AvMVX190eXlk5/UXuCxpsQv7jWfNKvppBQ==",
         "dependencies": {
           "System.Memory": "4.5.5",
           "System.Runtime.CompilerServices.Unsafe": "5.0.0"
         }
       },
-      "SharpCompress": {
-        "type": "Transitive",
-        "resolved": "0.30.1",
-        "contentHash": "XqD4TpfyYGa7QTPzaGlMVbcecKnXy4YmYLDWrU+JIj7IuRNl7DH2END+Ll7ekWIY8o3dAMWLFDE1xdhfIWD1nw==",
-        "dependencies": {
-          "System.Memory": "4.5.4",
-          "System.Text.Encoding.CodePages": "5.0.0"
-        }
-      },
       "Snappier": {
         "type": "Transitive",
         "resolved": "1.0.0",
@@ -141,8 +145,8 @@
       },
       "System.Buffers": {
         "type": "Transitive",
-        "resolved": "4.5.1",
-        "contentHash": "Rw7ijyl1qqRS0YQD/WycNst8hUUMgrMH4FCn1nNm27M4VxchZ1js3fVjQaANHO5f3sN4isvP4a+Met9Y4YomAg=="
+        "resolved": "4.6.0",
+        "contentHash": "lN6tZi7Q46zFzAbRYXTIvfXcyvQQgxnY7Xm6C6xQ9784dEL1amjM6S6Iw4ZpsvesAKnRVsM4scrDQaDqSClkjA=="
       },
       "System.IO": {
         "type": "Transitive",
@@ -151,12 +155,12 @@
       },
       "System.Memory": {
         "type": "Transitive",
-        "resolved": "4.5.5",
-        "contentHash": "XIWiDvKPXaTveaB7HVganDlOCRoj03l+jrwNvcge/t8vhGYKvqV+dMv6G4SAX2NoNmN0wZfVPTAlFwZcZvVOUw==",
+        "resolved": "4.6.0",
+        "contentHash": "OEkbBQoklHngJ8UD8ez2AERSk2g+/qpAaSWWCBFbpH727HxDq5ydVkuncBaKcKfwRqXGWx64dS6G1SUScMsitg==",
         "dependencies": {
-          "System.Buffers": "4.5.1",
-          "System.Numerics.Vectors": "4.5.0",
-          "System.Runtime.CompilerServices.Unsafe": "4.5.3"
+          "System.Buffers": "4.6.0",
+          "System.Numerics.Vectors": "4.6.0",
+          "System.Runtime.CompilerServices.Unsafe": "6.1.0"
         }
       },
       "System.Net.Http": {
@@ -169,8 +173,8 @@
       },
       "System.Numerics.Vectors": {
         "type": "Transitive",
-        "resolved": "4.5.0",
-        "contentHash": "QQTlPTl06J/iiDbJCiepZ4H//BVraReU4O4EoRw1U02H5TLUIT7xn3GnDp9AXPSlJUDyFs4uWjWafNX6WrAojQ=="
+        "resolved": "4.6.0",
+        "contentHash": "t+SoieZsRuEyiw/J+qXUbolyO219tKQQI0+2/YI+Qv7YdGValA6WiuokrNKqjrTNsy5ABWU11bdKOzUdheteXg=="
       },
       "System.Runtime": {
         "type": "Transitive",
@@ -179,8 +183,8 @@
       },
       "System.Runtime.CompilerServices.Unsafe": {
         "type": "Transitive",
-        "resolved": "6.0.0",
-        "contentHash": "/iUeP3tq1S0XdNNoMz5C9twLSrM/TH+qElHkXWaPvuNOt+99G75NrV0OS2EqHx5wMN7popYjpc8oTjC1y16DLg=="
+        "resolved": "6.1.0",
+        "contentHash": "5o/HZxx6RVqYlhKSq8/zronDkALJZUT2Vz0hx43f0gwe8mwlM0y2nYlqdBwLMzr262Bwvpikeb/yEwkAa5PADg=="
       },
       "System.Runtime.InteropServices.RuntimeInformation": {
         "type": "Transitive",
@@ -232,10 +236,11 @@
       },
       "System.Text.Encoding.CodePages": {
         "type": "Transitive",
-        "resolved": "5.0.0",
-        "contentHash": "NyscU59xX6Uo91qvhOs2Ccho3AR2TnZPomo1Z0K6YpyztBPM/A5VbkzOO19sy3A3i1TtEnTxA7bCe3Us+r5MWg==",
+        "resolved": "8.0.0",
+        "contentHash": "OZIsVplFGaVY90G2SbpgU7EnCoOO5pw1t4ic21dBF3/1omrJFpAGoNAVpPyMVOC90/hvgkGG3VFqR13YgZMQfg==",
         "dependencies": {
-          "System.Runtime.CompilerServices.Unsafe": "5.0.0"
+          "System.Memory": "4.5.5",
+          "System.Runtime.CompilerServices.Unsafe": "6.0.0"
         }
       },
       "System.Text.Encodings.Web": {
@@ -263,11 +268,12 @@
       },
       "ZstdSharp.Port": {
         "type": "Transitive",
-        "resolved": "0.7.3",
-        "contentHash": "U9Ix4l4cl58Kzz1rJzj5hoVTjmbx1qGMwzAcbv1j/d3NzrFaESIurQyg+ow4mivCgkE3S413y+U9k4WdnEIkRA==",
+        "resolved": "0.8.6",
+        "contentHash": "iP4jVLQoQmUjMU88g1WObiNr6YKZGvh4aOXn3yOJsHqZsflwRsxZPcIBvNXgjXO3vQKSLctXGLTpcBPLnWPS8A==",
         "dependencies": {
           "Microsoft.Bcl.AsyncInterfaces": "5.0.0",
-          "System.Memory": "4.5.5"
+          "System.Memory": "4.5.5",
+          "System.Runtime.CompilerServices.Unsafe": "6.0.0"
         }
       }
     },
@@ -309,19 +315,32 @@
       },
       "MongoDB.Driver": {
         "type": "Direct",
-        "requested": "[3.1.0, )",
-        "resolved": "3.1.0",
-        "contentHash": "+O7lKaIl7VUHptE0hqTd7UY1G5KDp/o8S4upG7YL4uChMNKD/U6tz9i17nMGHaD/L2AiPLgaJcaDe2XACsegGA==",
+        "requested": "[3.5.0, )",
+        "resolved": "3.5.0",
+        "contentHash": "ST90u7psyMkNNOWFgSkexsrB3kPn7Ynl2DlMFj2rJyYuc6SIxjmzu4ufy51yzM+cPVE1SvVcdb5UFobrRw6cMg==",
         "dependencies": {
           "DnsClient": "1.6.1",
           "Microsoft.Extensions.Logging.Abstractions": "2.0.0",
-          "MongoDB.Bson": "3.1.0",
+          "MongoDB.Bson": "3.5.0",
           "SharpCompress": "0.30.1",
           "Snappier": "1.0.0",
           "System.Buffers": "4.5.1",
           "ZstdSharp.Port": "0.7.3"
         }
       },
+      "SharpCompress": {
+        "type": "Direct",
+        "requested": "[0.41.0, )",
+        "resolved": "0.41.0",
+        "contentHash": "z04dBVdTIAFTRKi38f0LkajaKA++bR+M8kYCbasXePILD2H+qs7CkLpyiippB24CSbTrWIgpBKm6BenZqkUwvw==",
+        "dependencies": {
+          "Microsoft.Bcl.AsyncInterfaces": "8.0.0",
+          "System.Buffers": "4.6.0",
+          "System.Memory": "4.6.0",
+          "System.Text.Encoding.CodePages": "8.0.0",
+          "ZstdSharp.Port": "0.8.6"
+        }
+      },
       "System.Text.Json": {
         "type": "Direct",
         "requested": "[6.0.10, )",
@@ -347,8 +366,8 @@
       },
       "Microsoft.Bcl.AsyncInterfaces": {
         "type": "Transitive",
-        "resolved": "6.0.0",
-        "contentHash": "UcSjPsst+DfAdJGVDsu346FX0ci0ah+lw3WRtn18NUwEqRt70HaOQ7lI72vy3+1LxtqI3T5GWwV39rQSrCzAeg=="
+        "resolved": "8.0.0",
+        "contentHash": "3WA9q9yVqJp222P3x1wYIGDAkpjAku0TMUaaQV22g6L67AI0LdOIrVS7Ht2vJfLHGSPVuqN94vIr15qn+HEkHw=="
       },
       "Microsoft.Build.Tasks.Git": {
         "type": "Transitive",
@@ -378,21 +397,13 @@
       },
       "MongoDB.Bson": {
         "type": "Transitive",
-        "resolved": "3.1.0",
-        "contentHash": "3dhaZhz18B5vUoEP13o2j8A6zQfkHdZhwBvLZEjDJum4BTLLv1/Z8bt25UQEtpqvYwLgde4R6ekWZ7XAYUMxuw==",
+        "resolved": "3.5.0",
+        "contentHash": "JGNK6BanLDEifgkvPLqVFCPus5EDCy416pxf1dxUBRSVd3D9+NB3AvMVX190eXlk5/UXuCxpsQv7jWfNKvppBQ==",
         "dependencies": {
           "System.Memory": "4.5.5",
           "System.Runtime.CompilerServices.Unsafe": "5.0.0"
         }
       },
-      "SharpCompress": {
-        "type": "Transitive",
-        "resolved": "0.30.1",
-        "contentHash": "XqD4TpfyYGa7QTPzaGlMVbcecKnXy4YmYLDWrU+JIj7IuRNl7DH2END+Ll7ekWIY8o3dAMWLFDE1xdhfIWD1nw==",
-        "dependencies": {
-          "System.Text.Encoding.CodePages": "5.0.0"
-        }
-      },
       "Snappier": {
         "type": "Transitive",
         "resolved": "1.0.0",
@@ -403,28 +414,28 @@
       },
       "System.Buffers": {
         "type": "Transitive",
-        "resolved": "4.5.1",
-        "contentHash": "Rw7ijyl1qqRS0YQD/WycNst8hUUMgrMH4FCn1nNm27M4VxchZ1js3fVjQaANHO5f3sN4isvP4a+Met9Y4YomAg=="
+        "resolved": "4.6.0",
+        "contentHash": "lN6tZi7Q46zFzAbRYXTIvfXcyvQQgxnY7Xm6C6xQ9784dEL1amjM6S6Iw4ZpsvesAKnRVsM4scrDQaDqSClkjA=="
       },
       "System.Memory": {
         "type": "Transitive",
-        "resolved": "4.5.5",
-        "contentHash": "XIWiDvKPXaTveaB7HVganDlOCRoj03l+jrwNvcge/t8vhGYKvqV+dMv6G4SAX2NoNmN0wZfVPTAlFwZcZvVOUw==",
+        "resolved": "4.6.0",
+        "contentHash": "OEkbBQoklHngJ8UD8ez2AERSk2g+/qpAaSWWCBFbpH727HxDq5ydVkuncBaKcKfwRqXGWx64dS6G1SUScMsitg==",
         "dependencies": {
-          "System.Buffers": "4.5.1",
-          "System.Numerics.Vectors": "4.4.0",
-          "System.Runtime.CompilerServices.Unsafe": "4.5.3"
+          "System.Buffers": "4.6.0",
+          "System.Numerics.Vectors": "4.6.0",
+          "System.Runtime.CompilerServices.Unsafe": "6.1.0"
         }
       },
       "System.Numerics.Vectors": {
         "type": "Transitive",
-        "resolved": "4.5.0",
-        "contentHash": "QQTlPTl06J/iiDbJCiepZ4H//BVraReU4O4EoRw1U02H5TLUIT7xn3GnDp9AXPSlJUDyFs4uWjWafNX6WrAojQ=="
+        "resolved": "4.6.0",
+        "contentHash": "t+SoieZsRuEyiw/J+qXUbolyO219tKQQI0+2/YI+Qv7YdGValA6WiuokrNKqjrTNsy5ABWU11bdKOzUdheteXg=="
       },
       "System.Runtime.CompilerServices.Unsafe": {
         "type": "Transitive",
-        "resolved": "6.0.0",
-        "contentHash": "/iUeP3tq1S0XdNNoMz5C9twLSrM/TH+qElHkXWaPvuNOt+99G75NrV0OS2EqHx5wMN7popYjpc8oTjC1y16DLg=="
+        "resolved": "6.1.0",
+        "contentHash": "5o/HZxx6RVqYlhKSq8/zronDkALJZUT2Vz0hx43f0gwe8mwlM0y2nYlqdBwLMzr262Bwvpikeb/yEwkAa5PADg=="
       },
       "System.Security.AccessControl": {
         "type": "Transitive",
@@ -441,10 +452,11 @@
       },
       "System.Text.Encoding.CodePages": {
         "type": "Transitive",
-        "resolved": "5.0.0",
-        "contentHash": "NyscU59xX6Uo91qvhOs2Ccho3AR2TnZPomo1Z0K6YpyztBPM/A5VbkzOO19sy3A3i1TtEnTxA7bCe3Us+r5MWg==",
+        "resolved": "8.0.0",
+        "contentHash": "OZIsVplFGaVY90G2SbpgU7EnCoOO5pw1t4ic21dBF3/1omrJFpAGoNAVpPyMVOC90/hvgkGG3VFqR13YgZMQfg==",
         "dependencies": {
-          "System.Runtime.CompilerServices.Unsafe": "5.0.0"
+          "System.Memory": "4.5.5",
+          "System.Runtime.CompilerServices.Unsafe": "6.0.0"
         }
       },
       "System.Text.Encodings.Web": {
@@ -467,8 +479,8 @@
       },
       "ZstdSharp.Port": {
         "type": "Transitive",
-        "resolved": "0.7.3",
-        "contentHash": "U9Ix4l4cl58Kzz1rJzj5hoVTjmbx1qGMwzAcbv1j/d3NzrFaESIurQyg+ow4mivCgkE3S413y+U9k4WdnEIkRA==",
+        "resolved": "0.8.6",
+        "contentHash": "iP4jVLQoQmUjMU88g1WObiNr6YKZGvh4aOXn3yOJsHqZsflwRsxZPcIBvNXgjXO3vQKSLctXGLTpcBPLnWPS8A==",
         "dependencies": {
           "System.Runtime.CompilerServices.Unsafe": "6.0.0"
         }

SPRINTS.md

@@ -47,7 +47,7 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
 | Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-003 | Author ops guidance for resilience tuning<br>Operator docs now outline connected vs air-gapped resilience profiles and monitoring cues. |
 | Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-004 | Document authority bypass logging patterns<br>Audit logging guidance highlights `route/status/subject/clientId/scopes/bypass/remote` fields and SIEM alerts. |
 | Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-005 | Update Concelier operator guide for enforcement cutoff<br>Install guide reiterates the 2025-12-31 cutoff and ties audit signals to rollout checks. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | FEEDWEB-OPS-01-006 | Rename plugin drop directory to namespaced path<br>Build outputs, tests, and docs now target `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-19) | Team WebService & Authority | FEEDWEB-OPS-01-006 | Rename plugin drop directory to namespaced path<br>Build outputs now point at `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`; defaults/docs/tests updated to reflect the new layout. |
 | Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | FEEDWEB-OPS-01-007 | Authority resilience adoption<br>Deployment docs and CLI notes explain the LIB5 resilience knobs for rollout.<br>Instructions to work:<br>DONE Read ./AGENTS.md and src/StellaOps.Concelier.WebService/AGENTS.md. These items were mid-flight; resume implementation ensuring docs/operators receive timely updates. |
 | Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHCORE-ENGINE-01-001 | CORE8.RL — Rate limiter plumbing validated; integration tests green and docs handoff recorded for middleware ordering + Retry-After headers (see `docs/dev/authority-rate-limit-tuning-outline.md` for continuing guidance). |
 | Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Cryptography/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHCRYPTO-ENGINE-01-001 | SEC3.A — Shared metadata resolver confirmed via host test run; SEC3.B now unblocked for tuning guidance (outline captured in `docs/dev/authority-rate-limit-tuning-outline.md`). |
@@ -146,7 +146,7 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
 | Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Cli/TASKS.md | DONE (2025-10-18) | DevEx/CLI | EXCITITOR-CLI-01-001 | Add `excititor` CLI verbs bridging to WebService with consistent auth and offline UX. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-19) | Team Excititor Core & Policy | EXCITITOR-CORE-02-001 | Context signal schema prep – extend consensus models with severity/KEV/EPSS fields and update canonical serializers. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-19) | Team Excititor Policy | EXCITITOR-POLICY-02-001 | Scoring coefficients & weight ceilings – add α/β options, weight boosts, and validation guidance. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Team Excititor Storage | EXCITITOR-STORAGE-02-001 | Statement events & scoring signals – create immutable VEX statement store plus consensus extensions with indexes/migrations. |
+| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Excititor Storage | EXCITITOR-STORAGE-02-001 | Statement events & scoring signals – immutable VEX statements store, consensus signal fields, and migration `20251019-consensus-signals-statements` with tests (`dotnet test src/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj`, `dotnet test src/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj`). |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Team Excititor WebService | EXCITITOR-WEB-01-004 | Resolve API & signed responses – expose `/excititor/resolve`, return signed consensus/score envelopes, document auth. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Team Excititor WebService | EXCITITOR-WEB-01-005 | Mirror distribution endpoints – expose download APIs for downstream Excititor instances. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Attestation/TASKS.md | DONE (2025-10-16) | Team Excititor Attestation | EXCITITOR-ATTEST-01-002 | Rekor v2 client integration – ship transparency log client with retries and offline queue. |
@@ -155,19 +155,23 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Export/TASKS.md | TODO | Team Excititor Export | EXCITITOR-EXPORT-01-006 | Quiet provenance packaging – attach quieted-by statement IDs, signers, justification codes to exports and attestations. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Export/TASKS.md | TODO | Team Excititor Export | EXCITITOR-EXPORT-01-007 | Mirror bundle + domain manifest – publish signed consensus bundles for mirrors. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md | TODO | Excititor Connectors – Stella | EXCITITOR-CONN-STELLA-07-001 | Excititor mirror connector – ingest signed mirror bundles and map to VexClaims with resume handling. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-07-001 | Advisory event log & asOf queries – surface immutable statements and replay capability. |
+| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-19) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-07-001 | Advisory event log & asOf queries – surface immutable statements and replay capability. |
+| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-19) | Concelier WebService Guild | FEEDWEB-EVENTS-07-001 | Advisory event replay API – expose `/concelier/advisories/{key}/replay` with `asOf` filter, hex hashes, and conflict data. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Team Core Engine & Data Science | FEEDCORE-ENGINE-07-002 | Noise prior computation service – learn false-positive priors and expose deterministic summaries. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-07-003 | Unknown state ledger & confidence seeding – persist unknown flags, seed confidence bands, expose query surface. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-07-001 | Advisory statement & conflict collections – provision Mongo schema/indexes for event-sourced merge. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Merge/TASKS.md | TODO | BE-Merge | FEEDMERGE-ENGINE-07-001 | Conflict sets & explainers – persist conflict materialization and replay hashes for merge decisions. |
-| Sprint 8 | Mongo strengthening | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Team Normalization & Storage Backbone | FEEDSTORAGE-MONGO-08-001 | Causal-consistent Concelier storage sessions<br>Ensure `AddMongoStorage` registers a scoped session facilitator (causal consistency + majority concerns), update repositories to accept optional session handles, and add integration coverage proving read-your-write and monotonic reads across a replica set/election scenario. |
-| Sprint 8 | Mongo strengthening | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Storage Guild | AUTHSTORAGE-MONGO-08-001 | Harden Authority Mongo usage<br>Introduce scoped MongoDB sessions with `writeConcern`/`readConcern` majority defaults, flow the session through stores used in mutations + follow-up reads, and document middleware pattern for web/API & GraphQL layers. |
-| Sprint 8 | Mongo strengthening | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Team Excititor Storage | EXCITITOR-STORAGE-MONGO-08-001 | Causal consistency for Excititor repositories<br>Register Mongo options with majority defaults, push session-aware overloads through raw/export/consensus/cache stores, and extend migration/tests to validate causal reads after writes (including GridFS-backed content) under replica-set failover. |
-| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Exporter.Json/TASKS.md | TODO | Concelier Export Guild | CONCELIER-EXPORT-08-201 | Mirror bundle + domain manifest – produce signed JSON aggregates for `*.stella-ops.org` mirrors. |
-| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md | TODO | Concelier Export Guild | CONCELIER-EXPORT-08-202 | Mirror-ready Trivy DB bundles – ship domain-specific archives + metadata for downstream sync. |
-| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-08-201 | Mirror distribution endpoints – expose domain-scoped index/download APIs with auth/quota. |
-| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md | TODO | BE-Conn-Stella | FEEDCONN-STELLA-08-001 | Concelier mirror connector – fetch mirror manifest, verify signatures, and hydrate canonical DTOs with resume support. |
-| Sprint 8 | Mirror Distribution | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-MIRROR-08-001 | Managed mirror deployments for `*.stella-ops.org` – Helm/Compose overlays, CDN, runbooks. |
+| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Merge/TASKS.md | DOING | BE-Merge | FEEDMERGE-ENGINE-07-001 | Conflict sets & explainers – persist conflict materialization and replay hashes for merge decisions. |
+| Sprint 8 | Mongo strengthening | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Normalization & Storage Backbone | FEEDSTORAGE-MONGO-08-001 | Causal-consistent Concelier storage sessions<br>Scoped session facilitator registered, repositories accept optional session handles, and replica-set failover tests verify read-your-write + monotonic reads. |
+| Sprint 8 | Mongo strengthening | src/StellaOps.Authority/TASKS.md | DONE (2025-10-19) | Authority Core & Storage Guild | AUTHSTORAGE-MONGO-08-001 | Harden Authority Mongo usage<br>Scoped Mongo sessions with majority read/write concerns wired through stores and GraphQL/HTTP pipelines; replica-set election regression validated. |
+| Sprint 8 | Mongo strengthening | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Excititor Storage | EXCITITOR-STORAGE-MONGO-08-001 | Causal consistency for Excititor repositories<br>Session-scoped repositories shipped with new Mongo records, orchestrators/workers now share scoped sessions, and replica-set failover coverage added via `dotnet test src/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj`. |
+| Sprint 8 | Platform Maintenance | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Excititor Storage | EXCITITOR-STORAGE-03-001 | Statement backfill tooling – shipped admin backfill endpoint, CLI hook (`stellaops excititor backfill-statements`), integration tests, and operator runbook (`docs/dev/EXCITITOR_STATEMENT_BACKFILL.md`). |
+| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Exporter.Json/TASKS.md | DONE (2025-10-19) | Concelier Export Guild | CONCELIER-EXPORT-08-201 | Mirror bundle + domain manifest – produce signed JSON aggregates for `*.stella-ops.org` mirrors. |
+| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md | DONE (2025-10-19) | Concelier Export Guild | CONCELIER-EXPORT-08-202 | Mirror-ready Trivy DB bundles – mirror options emit per-domain manifests/metadata/db archives with deterministic digests for downstream sync. |
+| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.WebService/TASKS.md | DOING (2025-10-19) | Concelier WebService Guild | CONCELIER-WEB-08-201 | Mirror distribution endpoints – expose domain-scoped index/download APIs with auth/quota. |
+| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md | DOING (2025-10-19) | BE-Conn-Stella | FEEDCONN-STELLA-08-001 | Concelier mirror connector – fetch mirror manifest, verify signatures, and hydrate canonical DTOs with resume support. |
+| Sprint 8 | Mirror Distribution | ops/devops/TASKS.md | DONE (2025-10-19) | DevOps Guild | DEVOPS-MIRROR-08-001 | Managed mirror deployments for `*.stella-ops.org` – Helm/Compose overlays, CDN, runbooks. |
+| Sprint 8 | Plugin Infrastructure | src/StellaOps.Plugin/TASKS.md | DOING | Plugin Platform Guild, Authority Core | PLUGIN-DI-08-002.COORD | Authority scoped-service integration handshake<br>Session scheduled for 2025-10-20 15:00–16:00 UTC; agenda + attendees logged in `docs/dev/authority-plugin-di-coordination.md`. |
+| Sprint 8 | Plugin Infrastructure | src/StellaOps.Authority/TASKS.md | DOING | Authority Core, Plugin Platform Guild | AUTH-PLUGIN-COORD-08-002 | Coordinate scoped-service adoption for Authority plug-in registrars<br>Workshop locked for 2025-10-20 15:00–16:00 UTC; pre-read checklist tracked in `docs/dev/authority-plugin-di-coordination.md`. |
 | Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-501 | Define shared DTOs (ScanJob, ProgressEvent), error taxonomy, and deterministic ID/timestamp helpers aligning with `ARCHITECTURE_SCANNER.md` §3–§4. |
 | Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-502 | Observability helpers (correlation IDs, logging scopes, metric namespacing, deterministic hashes) consumed by WebService/Worker. |
 | Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-503 | Security utilities: Authority client factory, OpTok caching, DPoP verifier, restart-time plug-in guardrails for scanner components. |
@@ -242,9 +246,10 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
 | Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Emit/TASKS.md | TODO | Emit Guild | SCANNER-EMIT-10-607 | Embed scoring inputs, confidence band, and quiet provenance in CycloneDX/DSSE artifacts. |
 | Sprint 10 | Benchmarks | bench/TASKS.md | TODO | Bench Guild, Scanner Team | BENCH-SCANNER-10-001 | Analyzer microbench harness + baseline CSV. |
 | Sprint 10 | Samples | samples/TASKS.md | TODO | Samples Guild, Scanner Team | SAMPLES-10-001 | Sample images with SBOM/BOM-Index sidecars. |
+| Sprint 10 | DevOps Security | ops/devops/TASKS.md | DOING | DevOps Guild | DEVOPS-SEC-10-301 | Address NU1902/NU1903 advisories for `MongoDB.Driver` 2.12.0 and `SharpCompress` 0.23.0; Wave 0A prerequisites confirmed complete before remediation work. |
 | Sprint 10 | DevOps Perf | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-PERF-10-001 | Perf smoke job ensuring <5 s SBOM compose. |
-| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-DPOP-11-001 | Implement DPoP proof validation + nonce handling for high-value audiences per architecture. |
-| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-MTLS-11-002 | Add OAuth mTLS client credential support with certificate-bound tokens and introspection updates. |
+| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Authority/TASKS.md | DOING (2025-10-19) | Authority Core & Security Guild | AUTH-DPOP-11-001 | Implement DPoP proof validation + nonce handling for high-value audiences per architecture. |
+| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Authority/TASKS.md | DOING (2025-10-19) | Authority Core & Security Guild | AUTH-MTLS-11-002 | Add OAuth mTLS client credential support with certificate-bound tokens and introspection updates. |
 | Sprint 11 | Signing Chain Bring-up | src/StellaOps.Signer/TASKS.md | TODO | Signer Guild | SIGNER-API-11-101 | `/sign/dsse` pipeline with Authority auth, PoE introspection, release verification, DSSE signing. |
 | Sprint 11 | Signing Chain Bring-up | src/StellaOps.Signer/TASKS.md | TODO | Signer Guild | SIGNER-REF-11-102 | `/verify/referrers` endpoint with OCI lookup, caching, and policy enforcement. |
 | Sprint 11 | Signing Chain Bring-up | src/StellaOps.Signer/TASKS.md | TODO | Signer Guild | SIGNER-QUOTA-11-103 | Enforce plan quotas, concurrency/QPS limits, artifact size caps with metrics/audit logs. |
@@ -270,7 +275,7 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
 | Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-VEX-13-003 | Implement VEX explorer + policy editor with preview integration. |
 | Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-ADMIN-13-004 | Deliver admin area (tenants/clients/quotas/licensing) with RBAC + audit hooks. |
 | Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SCHED-13-005 | Scheduler panel: schedules CRUD, run history, dry-run preview. |
-| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-NOTIFY-13-006 | Notify panel: channels/rules CRUD, deliveries view, test send. |
+| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | DOING (2025-10-19) | UI Guild | UI-NOTIFY-13-006 | Notify panel: channels/rules CRUD, deliveries view, test send. |
 | Sprint 13 | UX & CLI Experience | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI | CLI-RUNTIME-13-005 | Add runtime policy test verbs that consume `/policy/runtime` and display verdicts. |
 | Sprint 13 | UX & CLI Experience | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI | CLI-OFFLINE-13-006 | Implement offline kit pull/import/status commands with integrity checks. |
 | Sprint 13 | UX & CLI Experience | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI | CLI-PLUGIN-13-007 | Package non-core CLI verbs as restart-time plug-ins (manifest + loader tests). |
@@ -293,20 +298,20 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Engine/TASKS.md | TODO | Notify Engine Guild | NOTIFY-ENGINE-15-304 | Test-send sandbox + preview utilities. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | TODO | Notify WebService Guild | NOTIFY-WEB-15-101 | Minimal API host with Authority enforcement and plug-in loading. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | TODO | Notify WebService Guild | NOTIFY-WEB-15-102 | Rules/channel/template CRUD with audit logging. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | TODO | Notify WebService Guild | NOTIFY-WEB-15-103 | Delivery history & test-send endpoints. |
+| Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | DONE (2025-10-19) | Notify WebService Guild | NOTIFY-WEB-15-103 | Delivery history & test-send endpoints. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | TODO | Notify WebService Guild | NOTIFY-WEB-15-104 | Configuration binding + startup diagnostics. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | TODO | Notify Worker Guild | NOTIFY-WORKER-15-201 | Bus subscription + leasing loop with backoff. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | TODO | Notify Worker Guild | NOTIFY-WORKER-15-202 | Rules evaluation pipeline integration. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | TODO | Notify Worker Guild | NOTIFY-WORKER-15-203 | Channel dispatch orchestration with retries. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | TODO | Notify Worker Guild | NOTIFY-WORKER-15-204 | Metrics/telemetry for Notify workers. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Slack/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-501 | Slack connector with rate-limit aware delivery. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Slack/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-502 | Slack health/test-send support. |
+| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Slack/TASKS.md | DOING (2025-10-19) | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-502 | Slack health/test-send support. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Teams/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-601 | Teams connector with Adaptive Cards. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Teams/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-602 | Teams health/test-send support. |
+| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Teams/TASKS.md | DOING (2025-10-19) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-602 | Teams health/test-send support. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Email/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-701 | SMTP connector with TLS + rendering. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Email/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-702 | DKIM + health/test-send flows. |
+| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Email/TASKS.md | DOING (2025-10-19) | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-702 | DKIM + health/test-send flows. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Webhook/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-WEBHOOK-15-801 | Webhook connector with signing/retries. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Webhook/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-WEBHOOK-15-802 | Webhook health/test-send support. |
+| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Webhook/TASKS.md | DOING (2025-10-19) | Notify Connectors Guild | NOTIFY-CONN-WEBHOOK-15-802 | Webhook health/test-send support. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Slack/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-503 | Package Slack connector as restart-time plug-in (manifest + host registration). |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Teams/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-603 | Package Teams connector as restart-time plug-in (manifest + host registration). |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Email/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-703 | Package Email connector as restart-time plug-in (manifest + host registration). |

SPRINTS.updated.tmp

@@ -53,7 +53,7 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
 | Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-003 | Author ops guidance for resilience tuning<br>Operator docs now outline connected vs air-gapped resilience profiles and monitoring cues. |
 | Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-004 | Document authority bypass logging patterns<br>Audit logging guidance highlights `route/status/subject/clientId/scopes/bypass/remote` fields and SIEM alerts. |
 | Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-005 | Update Concelier operator guide for enforcement cutoff<br>Install guide reiterates the 2025-12-31 cutoff and ties audit signals to rollout checks. |
-| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Team WebService & Authority | FEEDWEB-OPS-01-006 | Rename plugin drop directory to namespaced path<br>Repoint build outputs to `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`, update PluginHost defaults, Offline Kit packaging, and operator docs. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-19) | Team WebService & Authority | FEEDWEB-OPS-01-006 | Rename plugin drop directory to namespaced path<br>Build outputs now point at `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`; defaults/docs/tests updated to reflect the new layout. |
 | Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | BLOCKED (2025-10-10) | Team WebService & Authority | FEEDWEB-OPS-01-007 | Authority resilience adoption<br>Roll out retry/offline knobs to deployment docs and align CLI parity once LIB5 resilience options land; unblock when library release is available and docs review completes. |
 | Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHCORE-ENGINE-01-001 | CORE8.RL — Rate limiter plumbing validated; integration tests green and docs handoff recorded for middleware ordering + Retry-After headers (see `docs/dev/authority-rate-limit-tuning-outline.md` for continuing guidance). |
 | Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Cryptography/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHCRYPTO-ENGINE-01-001 | SEC3.A — Shared metadata resolver confirmed via host test run; SEC3.B now unblocked for tuning guidance (outline captured in `docs/dev/authority-rate-limit-tuning-outline.md`). |
@@ -191,20 +191,21 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md | TODO | Excititor Connectors – Stella | EXCITITOR-CONN-STELLA-07-001 | Excititor mirror connector – ingest signed mirror bundles and map to VexClaims with resume handling. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md | TODO | Excititor Connectors – Stella | EXCITITOR-CONN-STELLA-07-002 | Normalize mirror bundles into VexClaim sets referencing original provider metadata and mirror provenance. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md | TODO | Excititor Connectors – Stella | EXCITITOR-CONN-STELLA-07-003 | Implement incremental cursor handling per-export digest, support resume, and document configuration for downstream Excititor mirrors. |
-| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-07-001 | Advisory event log & asOf queries – surface immutable statements and replay capability. |
+| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-19) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-07-001 | Advisory event log & asOf queries – surface immutable statements and replay capability. |
+| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-19) | Concelier WebService Guild | FEEDWEB-EVENTS-07-001 | Advisory event replay API – expose `/concelier/advisories/{key}/replay` with `asOf` filter, hex hashes, and conflict data. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Team Core Engine & Data Science | FEEDCORE-ENGINE-07-002 | Noise prior computation service – learn false-positive priors and expose deterministic summaries. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-07-003 | Unknown state ledger & confidence seeding – persist unknown flags, seed confidence bands, expose query surface. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-07-001 | Advisory statement & conflict collections – provision Mongo schema/indexes for event-sourced merge. |
 | Sprint 7 | Contextual Truth Foundations | src/StellaOps.Concelier.Merge/TASKS.md | TODO | BE-Merge | FEEDMERGE-ENGINE-07-001 | Conflict sets & explainers – persist conflict materialization and replay hashes for merge decisions. |
 | Sprint 8 | Plugin Infrastructure | src/StellaOps.Plugin/TASKS.md | TODO | Plugin Platform Guild | PLUGIN-DI-08-001 | Scoped service support in plugin bootstrap<br>Teach the plugin loader/registrar to surface services with scoped lifetimes, honour `StellaOps.DependencyInjection` metadata, and document the new contract. |
 | Sprint 8 | Plugin Infrastructure | src/StellaOps.Plugin/TASKS.md | TODO | Plugin Platform Guild, Authority Core | PLUGIN-DI-08-002 | Update Authority plugin integration<br>Flow scoped services through identity-provider registrars, bootstrap flows, and background jobs; add regression coverage around scoped lifetimes. |
-| Sprint 8 | Mongo strengthening | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Team Normalization & Storage Backbone | FEEDSTORAGE-MONGO-08-001 | Causal-consistent Concelier storage sessions<br>Ensure `AddMongoStorage` registers a scoped session facilitator (causal consistency + majority concerns), update repositories to accept optional session handles, and add integration coverage proving read-your-write and monotonic reads across a replica set/election scenario. |
-| Sprint 8 | Mongo strengthening | src/StellaOps.Authority/TASKS.md | BLOCKED (2025-10-19) | Authority Core & Storage Guild | AUTHSTORAGE-MONGO-08-001 | Harden Authority Mongo usage<br>Scoped sessions with causal consistency pending rate-limiter stream updates; resume once plugin lockout telemetry stabilises. |
+| Sprint 8 | Mongo strengthening | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-19) | Team Normalization & Storage Backbone | FEEDSTORAGE-MONGO-08-001 | Causal-consistent Concelier storage sessions<br>Scoped session facilitator registered, repositories accept optional session handles, and replica-set failover tests verify read-your-write + monotonic reads. |
+| Sprint 8 | Mongo strengthening | src/StellaOps.Authority/TASKS.md | DONE (2025-10-19) | Authority Core & Storage Guild | AUTHSTORAGE-MONGO-08-001 | Harden Authority Mongo usage<br>Scoped Mongo sessions with majority read/write concerns wired through stores and GraphQL/HTTP pipelines; replica-set election regression validated. |
 | Sprint 8 | Mongo strengthening | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Team Excititor Storage | EXCITITOR-STORAGE-MONGO-08-001 | Causal consistency for Excititor repositories<br>Register Mongo options with majority defaults, push session-aware overloads through raw/export/consensus/cache stores, and extend migration/tests to validate causal reads after writes (including GridFS-backed content) under replica-set failover. |
 | Sprint 8 | Platform Maintenance | src/StellaOps.Excititor.Worker/TASKS.md | TODO | Team Excititor Worker | EXCITITOR-WORKER-02-001 | Resolve Microsoft.Extensions.Caching.Memory advisory – bump to latest .NET 10 preview, regenerate lockfiles, and rerun worker/webservice tests to clear NU1903. |
 | Sprint 8 | Platform Maintenance | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Team Excititor Storage | EXCITITOR-STORAGE-03-001 | Statement backfill tooling – provide CLI/backfill scripts that populate the `vex.statements` log via WebService ingestion and validate severity/KEV/EPSS signal replay. |
 | Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Exporter.Json/TASKS.md | TODO | Concelier Export Guild | CONCELIER-EXPORT-08-201 | Mirror bundle + domain manifest – produce signed JSON aggregates for `*.stella-ops.org` mirrors. |
-| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md | TODO | Concelier Export Guild | CONCELIER-EXPORT-08-202 | Mirror-ready Trivy DB bundles – ship domain-specific archives + metadata for downstream sync. |
+| Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md | DONE (2025-10-19) | Concelier Export Guild | CONCELIER-EXPORT-08-202 | Mirror-ready Trivy DB bundles – mirror options emit per-domain manifests/metadata/db archives with deterministic digests for downstream sync. |
 | Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-08-201 | Mirror distribution endpoints – expose domain-scoped index/download APIs with auth/quota. |
 | Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md | TODO | BE-Conn-Stella | FEEDCONN-STELLA-08-001 | Concelier mirror connector – fetch mirror manifest, verify signatures, and hydrate canonical DTOs with resume support. |
 | Sprint 8 | Mirror Distribution | src/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md | TODO | BE-Conn-Stella | FEEDCONN-STELLA-08-002 | Map mirror payloads into canonical advisory DTOs with provenance referencing mirror domain + original source metadata. |
@@ -350,7 +351,7 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
 | Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-VEX-13-003 | Implement VEX explorer + policy editor with preview integration. |
 | Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-ADMIN-13-004 | Deliver admin area (tenants/clients/quotas/licensing) with RBAC + audit hooks. |
 | Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SCHED-13-005 | Scheduler panel: schedules CRUD, run history, dry-run preview. |
-| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-NOTIFY-13-006 | Notify panel: channels/rules CRUD, deliveries view, test send. |
+| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | DOING (2025-10-19) | UI Guild | UI-NOTIFY-13-006 | Notify panel: channels/rules CRUD, deliveries view, test send. |
 | Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-POLICY-13-007 | Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. |
 | Sprint 13 | UX & CLI Experience | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI | CLI-RUNTIME-13-005 | Add runtime policy test verbs that consume `/policy/runtime` and display verdicts. |
 | Sprint 13 | UX & CLI Experience | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI | CLI-OFFLINE-13-006 | Implement offline kit pull/import/status commands with integrity checks. |
@@ -376,20 +377,20 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Engine/TASKS.md | TODO | Notify Engine Guild | NOTIFY-ENGINE-15-304 | Test-send sandbox + preview utilities. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | TODO | Notify WebService Guild | NOTIFY-WEB-15-101 | Minimal API host with Authority enforcement and plug-in loading. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | TODO | Notify WebService Guild | NOTIFY-WEB-15-102 | Rules/channel/template CRUD with audit logging. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | TODO | Notify WebService Guild | NOTIFY-WEB-15-103 | Delivery history & test-send endpoints. |
+| Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | DONE (2025-10-19) | Notify WebService Guild | NOTIFY-WEB-15-103 | Delivery history & test-send endpoints. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | TODO | Notify WebService Guild | NOTIFY-WEB-15-104 | Configuration binding + startup diagnostics. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | TODO | Notify Worker Guild | NOTIFY-WORKER-15-201 | Bus subscription + leasing loop with backoff. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | TODO | Notify Worker Guild | NOTIFY-WORKER-15-202 | Rules evaluation pipeline integration. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | TODO | Notify Worker Guild | NOTIFY-WORKER-15-203 | Channel dispatch orchestration with retries. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | TODO | Notify Worker Guild | NOTIFY-WORKER-15-204 | Metrics/telemetry for Notify workers. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Slack/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-501 | Slack connector with rate-limit aware delivery. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Slack/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-502 | Slack health/test-send support. |
+| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Slack/TASKS.md | DOING (2025-10-19) | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-502 | Slack health/test-send support. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Teams/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-601 | Teams connector with Adaptive Cards. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Teams/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-602 | Teams health/test-send support. |
+| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Teams/TASKS.md | DOING (2025-10-19) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-602 | Teams health/test-send support. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Email/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-701 | SMTP connector with TLS + rendering. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Email/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-702 | DKIM + health/test-send flows. |
+| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Email/TASKS.md | DOING (2025-10-19) | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-702 | DKIM + health/test-send flows. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Webhook/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-WEBHOOK-15-801 | Webhook connector with signing/retries. |
-| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Webhook/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-WEBHOOK-15-802 | Webhook health/test-send support. |
+| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Webhook/TASKS.md | DOING (2025-10-19) | Notify Connectors Guild | NOTIFY-CONN-WEBHOOK-15-802 | Webhook health/test-send support. |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Slack/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-503 | Package Slack connector as restart-time plug-in (manifest + host registration). |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Teams/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-603 | Package Teams connector as restart-time plug-in (manifest + host registration). |
 | Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Email/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-703 | Package Email connector as restart-time plug-in (manifest + host registration). |

SPRINTS_PRIOR_20251019.md

@@ -0,0 +1,177 @@
+Closed sprint tasks archived from SPRINTS.md on 2025-10-19.
+
+| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description |
+| --- | --- | --- | --- | --- | --- | --- |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-12) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-01-001 | SemVer primitive range-style metadata<br>Instructions to work:<br>DONE Read ./AGENTS.md and src/StellaOps.Concelier.Models/AGENTS.md. This task lays the groundwork—complete the SemVer helper updates before teammates pick up FEEDMODELS-SCHEMA-01-002/003 and FEEDMODELS-SCHEMA-02-900. Use ./src/FASTER_MODELING_AND_NORMALIZATION.md for the target rule structure. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-11) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-01-002 | Provenance decision rationale field<br>Instructions to work:<br>AdvisoryProvenance now carries `decisionReason` and docs/tests were updated. Connectors and merge tasks should populate the field when applying precedence/freshness/tie-breaker logic; see src/StellaOps.Concelier.Models/PROVENANCE_GUIDELINES.md for usage guidance. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-11) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-01-003 | Normalized version rules collection<br>Instructions to work:<br>`AffectedPackage.NormalizedVersions` and supporting comparer/docs/tests shipped. Connector owners must emit rule arrays per ./src/FASTER_MODELING_AND_NORMALIZATION.md and report progress via FEEDMERGE-COORD-02-900 so merge/storage backfills can proceed. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-12) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-02-900 | Range primitives for SemVer/EVR/NEVRA metadata<br>Instructions to work:<br>DONE Read ./AGENTS.md and src/StellaOps.Concelier.Models/AGENTS.md before resuming this stalled effort. Confirm helpers align with the new `NormalizedVersions` representation so connectors finishing in Sprint 2 can emit consistent metadata. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Normalization/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDNORM-NORM-02-001 | SemVer normalized rule emitter<br>Shared `SemVerRangeRuleBuilder` now outputs primitives + normalized rules per `FASTER_MODELING_AND_NORMALIZATION.md`; CVE/GHSA connectors consuming the API have verified fixtures. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-001 | Normalized range dual-write + backfill<br>AdvisoryStore dual-writes flattened `normalizedVersions` when `concelier.storage.enableSemVerStyle` is set; migration `20251011-semver-style-backfill` updates historical records and docs outline the rollout. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-002 | Provenance decision reason persistence<br>Storage now persists `provenance.decisionReason` for advisories and merge events; tests cover round-trips. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-003 | Normalized versions indexing<br>Bootstrapper seeds compound/sparse indexes for flattened normalized rules and `docs/dev/mongo_indices.md` documents query guidance. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-TESTS-02-004 | Restore AdvisoryStore build after normalized versions refactor<br>Updated constructors/tests keep storage suites passing with the new feature flag defaults. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-ENGINE-01-002 | Plumb Authority client resilience options<br>WebService wires `authority.resilience.*` into `AddStellaOpsAuthClient` and adds binding coverage via `AuthorityClientResilienceOptionsAreBound`. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-003 | Author ops guidance for resilience tuning<br>Install/runbooks document connected vs air-gapped resilience profiles and monitoring hooks. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-004 | Document authority bypass logging patterns<br>Operator guides now call out `route/status/subject/clientId/scopes/bypass/remote` audit fields and SIEM triggers. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-005 | Update Concelier operator guide for enforcement cutoff<br>Install guide reiterates the 2025-12-31 cutoff and links audit signals to the rollout checklist. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | SEC3.HOST | Rate limiter policy binding<br>Authority host now applies configuration-driven fixed windows to `/token`, `/authorize`, and `/internal/*`; integration tests assert 429 + `Retry-After` headers; docs/config samples refreshed for Docs guild diagrams. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | SEC3.BUILD | Authority rate-limiter follow-through<br>`Security.RateLimiting` now fronts token/authorize/internal limiters; Authority + Configuration matrices (`dotnet test src/StellaOps.Authority/StellaOps.Authority.sln`, `dotnet test src/StellaOps.Configuration.Tests/StellaOps.Configuration.Tests.csproj`) passed on 2025-10-11; awaiting #authority-core broadcast. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/TASKS.md | DONE (2025-10-14) | Team Authority Platform & Security Guild | AUTHCORE-BUILD-OPENIDDICT / AUTHCORE-STORAGE-DEVICE-TOKENS / AUTHCORE-BOOTSTRAP-INVITES | Address remaining Authority compile blockers (OpenIddict transaction shim, token device document, bootstrap invite cleanup) so `dotnet build src/StellaOps.Authority.sln` returns success. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | PLG6.DOC | Plugin developer guide polish<br>Section 9 now documents rate limiter metadata, config keys, and lockout interplay; YAML samples updated alongside Authority config templates. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-001 | Fetch pipeline & state tracking<br>Summary planner now drives monthly/yearly VINCE fetches, persists pending summaries/notes, and hydrates VINCE detail queue with telemetry.<br>Team instructions: Read ./AGENTS.md and src/StellaOps.Concelier.Connector.CertCc/AGENTS.md. Coordinate daily with Models/Merge leads so new normalizedVersions output and provenance tags stay aligned with ./src/FASTER_MODELING_AND_NORMALIZATION.md. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-002 | VINCE note detail fetcher<br>Summary planner queues VINCE note detail endpoints, persists raw JSON with SHA/ETag metadata, and records retry/backoff metrics. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-003 | DTO & parser implementation<br>Added VINCE DTO aggregate, Markdown→text sanitizer, vendor/status/vulnerability parsers, and parser regression fixture. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-004 | Canonical mapping & range primitives<br>VINCE DTO aggregate flows through `CertCcMapper`, emitting vendor range primitives + normalized version rules that persist via `_advisoryStore`. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-005 | Deterministic fixtures/tests<br>Snapshot harness refreshed 2025-10-12; `certcc-*.snapshot.json` regenerated and regression suite green without UPDATE flag drift. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-006 | Telemetry & documentation<br>`CertCcDiagnostics` publishes summary/detail/parse/map metrics (meter `StellaOps.Concelier.Connector.CertCc`), README documents instruments, and log guidance captured for Ops on 2025-10-12. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-007 | Connector test harness remediation<br>Harness now wires `AddSourceCommon`, resets `FakeTimeProvider`, and passes canned-response regression run dated 2025-10-12. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-008 | Snapshot coverage handoff<br>Fixtures regenerated with normalized ranges + provenance fields on 2025-10-11; QA handoff notes published and merge backfill unblocked. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-012 | Schema sync & snapshot regen follow-up<br>Fixtures regenerated with normalizedVersions + provenance decision reasons; handoff notes updated for Merge backfill 2025-10-12. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-009 | Detail/map reintegration plan<br>Staged reintegration plan published in `src/StellaOps.Concelier.Connector.CertCc/FEEDCONN-CERTCC-02-009_PLAN.md`; coordinates enablement with FEEDCONN-CERTCC-02-004. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.CertCc/TASKS.md | DONE (2025-10-12) | Team Connector Resumption – CERT/RedHat | FEEDCONN-CERTCC-02-010 | Partial-detail graceful degradation<br>Detail fetch now tolerates 404/403/410 responses and regression tests cover mixed endpoint availability. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md | DONE (2025-10-11) | Team Connector Resumption – CERT/RedHat | FEEDCONN-REDHAT-02-001 | Fixture validation sweep<br>Instructions to work:<br>Fixtures regenerated post-model-helper rollout; provenance ordering and normalizedVersions scaffolding verified via tests. Conflict resolver deltas logged in src/StellaOps.Concelier.Connector.Distro.RedHat/CONFLICT_RESOLVER_NOTES.md for Sprint 3 consumers. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-12) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-001 | Canonical mapping & range primitives<br>Mapper emits SemVer rules (`scheme=apple:*`); fixtures regenerated with trimmed references + new RSR coverage, update tooling finalized. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-11) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-002 | Deterministic fixtures/tests<br>Sanitized live fixtures + regression snapshots wired into tests; normalized rule coverage asserted. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-11) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-003 | Telemetry & documentation<br>Apple meter metrics wired into Concelier WebService OpenTelemetry configuration; README and fixtures document normalizedVersions coverage. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-12) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-004 | Live HTML regression sweep<br>Sanitised HT125326/HT125328/HT106355/HT214108/HT215500 fixtures recorded and regression tests green on 2025-10-12. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md | DONE (2025-10-11) | Team Vendor Apple Specialists | FEEDCONN-APPLE-02-005 | Fixture regeneration tooling<br>`UPDATE_APPLE_FIXTURES=1` flow fetches & rewrites fixtures; README documents usage.<br>Instructions to work:<br>DONE Read ./AGENTS.md and src/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md. Resume stalled tasks, ensuring normalizedVersions output and fixtures align with ./src/FASTER_MODELING_AND_NORMALIZATION.md before handing data to the conflict sprint. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-GHSA-02-001 | GHSA normalized versions & provenance<br>Team instructions: Read ./AGENTS.md and each module's AGENTS file. Adopt the `NormalizedVersions` array emitted by the models sprint, wiring provenance `decisionReason` where merge overrides occur. Follow ./src/FASTER_MODELING_AND_NORMALIZATION.md; report via src/StellaOps.Concelier.Merge/TASKS.md (FEEDMERGE-COORD-02-900). Progress 2025-10-11: GHSA/OSV emit normalized arrays with refreshed fixtures; CVE mapper now surfaces SemVer normalized ranges; NVD/KEV adoption pending; outstanding follow-ups include FEEDSTORAGE-DATA-02-001, FEEDMERGE-ENGINE-02-002, and rolling `tools/FixtureUpdater` updates across connectors. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-OSV-02-003 | OSV normalized versions & freshness |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-NVD-02-002 | NVD normalized versions & timestamps |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Cve/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-CVE-02-003 | CVE normalized versions uplift |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Kev/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-KEV-02-003 | KEV normalized versions propagation |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Normalized Versions Rollout | FEEDCONN-OSV-04-003 | OSV parity fixture refresh |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-10) | Team WebService & Authority | FEEDWEB-DOCS-01-001 | Document authority toggle & scope requirements<br>Quickstart carries toggle/scope guidance pending docs guild review (no change this sprint). |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-ENGINE-01-002 | Plumb Authority client resilience options<br>WebService wires `authority.resilience.*` into `AddStellaOpsAuthClient` and adds binding coverage via `AuthorityClientResilienceOptionsAreBound`. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-003 | Author ops guidance for resilience tuning<br>Operator docs now outline connected vs air-gapped resilience profiles and monitoring cues. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-004 | Document authority bypass logging patterns<br>Audit logging guidance highlights `route/status/subject/clientId/scopes/bypass/remote` fields and SIEM alerts. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-12) | Team WebService & Authority | FEEDWEB-DOCS-01-005 | Update Concelier operator guide for enforcement cutoff<br>Install guide reiterates the 2025-12-31 cutoff and ties audit signals to rollout checks. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | FEEDWEB-OPS-01-006 | Rename plugin drop directory to namespaced path<br>Build outputs, tests, and docs now target `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Concelier.WebService/TASKS.md | DONE (2025-10-11) | Team WebService & Authority | FEEDWEB-OPS-01-007 | Authority resilience adoption<br>Deployment docs and CLI notes explain the LIB5 resilience knobs for rollout.<br>Instructions to work:<br>DONE Read ./AGENTS.md and src/StellaOps.Concelier.WebService/AGENTS.md. These items were mid-flight; resume implementation ensuring docs/operators receive timely updates. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHCORE-ENGINE-01-001 | CORE8.RL — Rate limiter plumbing validated; integration tests green and docs handoff recorded for middleware ordering + Retry-After headers (see `docs/dev/authority-rate-limit-tuning-outline.md` for continuing guidance). |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Cryptography/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHCRYPTO-ENGINE-01-001 | SEC3.A — Shared metadata resolver confirmed via host test run; SEC3.B now unblocked for tuning guidance (outline captured in `docs/dev/authority-rate-limit-tuning-outline.md`). |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Cryptography/TASKS.md | DONE (2025-10-13) | Team Authority Platform & Security Guild | AUTHSEC-DOCS-01-002 | SEC3.B — Published `docs/security/rate-limits.md` with tuning matrix, alert thresholds, and lockout interplay guidance; Docs guild can lift copy into plugin guide. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Cryptography/TASKS.md | DONE (2025-10-14) | Team Authority Platform & Security Guild | AUTHSEC-CRYPTO-02-001 | SEC5.B1 — Introduce libsodium signing provider and parity tests to unblock CLI verification enhancements. |
+| Sprint 1 | Bootstrap & Replay Hardening | src/StellaOps.Cryptography/TASKS.md | DONE (2025-10-14) | Security Guild | AUTHSEC-CRYPTO-02-004 | SEC5.D/E — Finish bootstrap invite lifecycle (API/store/cleanup) and token device heuristics; build currently red due to pending handler integration. |
+| Sprint 1 | Developer Tooling | src/StellaOps.Cli/TASKS.md | DONE (2025-10-15) | DevEx/CLI | AUTHCLI-DIAG-01-001 | Surface password policy diagnostics in CLI startup/output so operators see weakened overrides immediately.<br>CLI now loads Authority plug-ins at startup, logs weakened password policies (length/complexity), and regression coverage lives in `StellaOps.Cli.Tests/Services/AuthorityDiagnosticsReporterTests`. |
+| Sprint 1 | Stabilize In-Progress Foundations | src/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md | DONE (2025-10-11) | Team Authority Platform & Security Guild | AUTHPLUG-DOCS-01-001 | PLG6.DOC — Developer guide copy + diagrams merged 2025-10-11; limiter guidance incorporated and handed to Docs guild for asset export. |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Normalization/TASKS.md | DONE (2025-10-12) | Team Normalization & Storage Backbone | FEEDNORM-NORM-02-001 | SemVer normalized rule emitter<br>`SemVerRangeRuleBuilder` shipped 2025-10-12 with comparator/`||` support and fixtures aligning to `FASTER_MODELING_AND_NORMALIZATION.md`. |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-001 | Normalized range dual-write + backfill |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-002 | Provenance decision reason persistence |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDSTORAGE-DATA-02-003 | Normalized versions indexing<br>Indexes seeded + docs updated 2025-10-11 to cover flattened normalized rules for connector adoption. |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Normalization & Storage Backbone | FEEDMERGE-ENGINE-02-002 | Normalized versions union & dedupe<br>Affected package resolver unions/dedupes normalized rules, stamps merge provenance with `decisionReason`, and tests cover the rollout. |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-001 | GHSA normalized versions & provenance |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-004 | GHSA credits & ecosystem severity mapping |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-005 | GitHub quota monitoring & retries |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-006 | Production credential & scheduler rollout |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-GHSA-02-007 | Credit parity regression fixtures |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-NVD-02-002 | NVD normalized versions & timestamps |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-NVD-02-004 | NVD CVSS & CWE precedence payloads |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-NVD-02-005 | NVD merge/export parity regression |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-02-003 | OSV normalized versions & freshness |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-11) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-02-004 | OSV references & credits alignment |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-02-005 | Fixture updater workflow<br>Resolved 2025-10-12: OSV mapper now derives canonical PURLs for Go + scoped npm packages when raw payloads omit `purl`; conflict fixtures unchanged for invalid npm names. Verified via `dotnet test src/StellaOps.Concelier.Connector.Osv.Tests`, `src/StellaOps.Concelier.Connector.Ghsa.Tests`, `src/StellaOps.Concelier.Connector.Nvd.Tests`, and backbone normalization/storage suites. |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Acsc/TASKS.md | DONE (2025-10-12) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-ACSC-02-001 … 02-008 | Fetch→parse→map pipeline, fixtures, diagnostics, and README finished 2025-10-12; downstream export parity captured via FEEDEXPORT-JSON-04-001 / FEEDEXPORT-TRIVY-04-001 (completed). |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Cccs/TASKS.md | DONE (2025-10-16) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-CCCS-02-001 … 02-008 | Observability meter, historical harvest plan, and DOM sanitizer refinements wrapped; ops notes live under `docs/ops/concelier-cccs-operations.md` with fixtures validating EN/FR list handling. |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.CertBund/TASKS.md | DONE (2025-10-15) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-CERTBUND-02-001 … 02-008 | Telemetry/docs (02-006) and history/locale sweep (02-007) completed alongside pipeline; runbook `docs/ops/concelier-certbund-operations.md` captures locale guidance and offline packaging. |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Kisa/TASKS.md | DONE (2025-10-14) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-KISA-02-001 … 02-007 | Connector, tests, and telemetry/docs (02-006) finalized; localisation notes in `docs/dev/kisa_connector_notes.md` complete rollout. |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ru.Bdu/TASKS.md | DONE (2025-10-14) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-RUBDU-02-001 … 02-008 | Fetch/parser/mapper refinements, regression fixtures, telemetry/docs, access options, and trusted root packaging all landed; README documents offline access strategy. |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ru.Nkcki/TASKS.md | DONE (2025-10-13) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-NKCKI-02-001 … 02-008 | Listing fetch, parser, mapper, fixtures, telemetry/docs, and archive plan finished; Mongo2Go/libcrypto dependency resolved via bundled OpenSSL noted in ops guide. |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md | DONE (2025-10-16) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-ICSCISA-02-001 … 02-011 | Feed parser attachment fixes, SemVer exact values, regression suites, telemetry/docs updates, and handover complete; ops runbook now details attachment verification + proxy usage. |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md | DONE (2025-10-14) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-CISCO-02-001 … 02-007 | OAuth fetch pipeline, DTO/mapping, tests, and telemetry/docs shipped; monitoring/export integration follow-ups recorded in Ops docs and exporter backlog (completed). |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Vndr.Msrc/TASKS.md | DONE (2025-10-15) | Team Connector Expansion – Regional & Vendor Feeds | FEEDCONN-MSRC-02-001 … 02-008 | Azure AD onboarding (02-008) unblocked fetch/parse/map pipeline; fixtures, telemetry/docs, and Offline Kit guidance published in `docs/ops/concelier-msrc-operations.md`. |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Cve/TASKS.md | DONE (2025-10-15) | Team Connector Support & Monitoring | FEEDCONN-CVE-02-001 … 02-002 | CVE data-source selection, fetch pipeline, and docs landed 2025-10-10. 2025-10-15: smoke verified using the seeded mirror fallback; connector now logs a warning and pulls from `seed-data/cve/` until live CVE Services credentials arrive. |
+| Sprint 2 | Connector & Data Implementation Wave | src/StellaOps.Concelier.Connector.Kev/TASKS.md | DONE (2025-10-12) | Team Connector Support & Monitoring | FEEDCONN-KEV-02-001 … 02-002 | KEV catalog ingestion, fixtures, telemetry, and schema validation completed 2025-10-12; ops dashboard published. |
+| Sprint 2 | Connector & Data Implementation Wave | docs/TASKS.md | DONE (2025-10-11) | Team Docs & Knowledge Base | FEEDDOCS-DOCS-01-001 | Canonical schema docs refresh<br>Updated canonical schema + provenance guides with SemVer style, normalized version rules, decision reason change log, and migration notes. |
+| Sprint 2 | Connector & Data Implementation Wave | docs/TASKS.md | DONE (2025-10-11) | Team Docs & Knowledge Base | FEEDDOCS-DOCS-02-001 | Concelier-SemVer Playbook<br>Published merge playbook covering mapper patterns, dedupe flow, indexes, and rollout checklist. |
+| Sprint 2 | Connector & Data Implementation Wave | docs/TASKS.md | DONE (2025-10-11) | Team Docs & Knowledge Base | FEEDDOCS-DOCS-02-002 | Normalized versions query guide<br>Delivered Mongo index/query addendum with `$unwind` recipes, dedupe checks, and operational checklist.<br>Instructions to work:<br>DONE Read ./AGENTS.md and docs/AGENTS.md. Document every schema/index/query change produced in Sprint 1-2 leveraging ./src/FASTER_MODELING_AND_NORMALIZATION.md. |
+| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-03-001 | Canonical merger implementation<br>`CanonicalMerger` ships with freshness/tie-breaker logic, provenance, and unit coverage feeding Merge. |
+| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-03-002 | Field precedence and tie-breaker map<br>Field precedence tables and tie-breaker metrics wired into the canonical merge flow; docs/tests updated.<br>Instructions to work:<br>Read ./AGENTS.md and core AGENTS. Implement the conflict resolver exactly as specified in ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md, coordinating with Merge and Storage teammates. |
+| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDSTORAGE-DATA-03-001 | Merge event provenance audit prep<br>Merge events now persist `fieldDecisions` and analytics-ready provenance snapshots. |
+| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDSTORAGE-DATA-02-001 | Normalized range dual-write + backfill<br>Dual-write/backfill flag delivered; migration + options validated in tests. |
+| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | DONE (2025-10-11) | Team Core Engine & Storage Analytics | FEEDSTORAGE-TESTS-02-004 | Restore AdvisoryStore build after normalized versions refactor<br>Storage tests adjusted for normalized versions/decision reasons.<br>Instructions to work:<br>Read ./AGENTS.md and storage AGENTS. Extend merge events with decision reasons and analytics views to support the conflict rules, and deliver the dual-write/backfill for `NormalizedVersions` + `decisionReason` so connectors can roll out safely. |
+| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-001 | GHSA/NVD/OSV conflict rules<br>Merge pipeline consumes `CanonicalMerger` output prior to precedence merge. |
+| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-002 | Override metrics instrumentation<br>Merge events capture per-field decisions; counters/logs align with conflict rules. |
+| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-003 | Reference & credit union pipeline<br>Canonical merge preserves unions with updated tests. |
+| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-11) | Team Merge & QA Enforcement | FEEDMERGE-QA-04-001 | End-to-end conflict regression suite<br>Added regression tests (`AdvisoryMergeServiceTests`) covering canonical + precedence flow.<br>Instructions to work:<br>Read ./AGENTS.md and merge AGENTS. Integrate the canonical merger, instrument metrics, and deliver comprehensive regression tests following ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md. |
+| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-12) | Team Connector Regression Fixtures | FEEDCONN-GHSA-04-002 | GHSA conflict regression fixtures |
+| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Connector.Nvd/TASKS.md | DONE (2025-10-12) | Team Connector Regression Fixtures | FEEDCONN-NVD-04-002 | NVD conflict regression fixtures |
+| Sprint 3 | Conflict Resolution Integration & Communications | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-12) | Team Connector Regression Fixtures | FEEDCONN-OSV-04-002 | OSV conflict regression fixtures<br>Instructions to work:<br>Read ./AGENTS.md and module AGENTS. Produce fixture triples supporting the precedence/tie-breaker paths defined in ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md and hand them to Merge QA. |
+| Sprint 3 | Conflict Resolution Integration & Communications | docs/TASKS.md | DONE (2025-10-11) | Team Documentation Guild – Conflict Guidance | FEEDDOCS-DOCS-05-001 | Concelier Conflict Rules<br>Runbook published at `docs/ops/concelier-conflict-resolution.md`; metrics/log guidance aligned with Sprint 3 merge counters. |
+| Sprint 3 | Conflict Resolution Integration & Communications | docs/TASKS.md | DONE (2025-10-16) | Team Documentation Guild – Conflict Guidance | FEEDDOCS-DOCS-05-002 | Conflict runbook ops rollout<br>Ops review completed, alert thresholds applied, and change log appended in `docs/ops/concelier-conflict-resolution.md`; task closed after connector signals verified. |
+| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Models/TASKS.md | DONE (2025-10-15) | Team Models & Merge Leads | FEEDMODELS-SCHEMA-04-001 | Advisory schema parity (description/CWE/canonical metric)<br>Extend `Advisory` and related records with description text, CWE collection, and canonical metric pointer; refresh validation + serializer determinism tests. |
+| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-15) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-04-003 | Canonical merger parity for new fields<br>Teach `CanonicalMerger` to populate description, CWEResults, and canonical metric pointer with provenance + regression coverage. |
+| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Core/TASKS.md | DONE (2025-10-15) | Team Core Engine & Storage Analytics | FEEDCORE-ENGINE-04-004 | Reference normalization & freshness instrumentation cleanup<br>Implement URL normalization for reference dedupe, align freshness-sensitive instrumentation, and add analytics tests. |
+| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-15) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-004 | Merge pipeline parity for new advisory fields<br>Ensure merge service + merge events surface description/CWE/canonical metric decisions with updated metrics/tests. |
+| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Merge/TASKS.md | DONE (2025-10-15) | Team Merge & QA Enforcement | FEEDMERGE-ENGINE-04-005 | Connector coordination for new advisory fields<br>GHSA/NVD/OSV connectors now ship description, CWE, and canonical metric data with refreshed fixtures; merge coordination log updated and exporters notified. |
+| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Exporter.Json/TASKS.md | DONE (2025-10-15) | Team Exporters – JSON | FEEDEXPORT-JSON-04-001 | Surface new advisory fields in JSON exporter<br>Update schemas/offline bundle + fixtures once model/core parity lands.<br>2025-10-15: `dotnet test src/StellaOps.Concelier.Exporter.Json.Tests` validated canonical metric/CWE emission. |
+| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md | DONE (2025-10-15) | Team Exporters – Trivy DB | FEEDEXPORT-TRIVY-04-001 | Propagate new advisory fields into Trivy DB package<br>Extend Bolt builder, metadata, and regression tests for the expanded schema.<br>2025-10-15: `dotnet test src/StellaOps.Concelier.Exporter.TrivyDb.Tests` confirmed canonical metric/CWE propagation. |
+| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Connector.Ghsa/TASKS.md | DONE (2025-10-16) | Team Connector Regression Fixtures | FEEDCONN-GHSA-04-004 | Harden CVSS fallback so canonical metric ids persist when GitHub omits vectors; extend fixtures and document severity precedence hand-off to Merge. |
+| Sprint 4 | Schema Parity & Freshness Alignment | src/StellaOps.Concelier.Connector.Osv/TASKS.md | DONE (2025-10-16) | Team Connector Expansion – GHSA/NVD/OSV | FEEDCONN-OSV-04-005 | Map OSV advisories lacking CVSS vectors to canonical metric ids/notes and document CWE provenance quirks; schedule parity fixture updates. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-15) | Team Excititor Core & Policy | EXCITITOR-CORE-01-001 | Stand up canonical VEX claim/consensus records with deterministic serializers so Storage/Exports share a stable contract. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-15) | Team Excititor Core & Policy | EXCITITOR-CORE-01-002 | Implement trust-weighted consensus resolver with baseline policy weights, justification gates, telemetry output, and majority/tie handling. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-15) | Team Excititor Core & Policy | EXCITITOR-CORE-01-003 | Publish shared connector/exporter/attestation abstractions and deterministic query signature utilities for cache/attestation workflows. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-15) | Team Excititor Policy | EXCITITOR-POLICY-01-001 | Established policy options & snapshot provider covering baseline weights/overrides. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-15) | Team Excititor Policy | EXCITITOR-POLICY-01-002 | Policy evaluator now feeds consensus resolver with immutable snapshots. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-16) | Team Excititor Policy | EXCITITOR-POLICY-01-003 | Author policy diagnostics, CLI/WebService surfacing, and documentation updates. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-16) | Team Excititor Policy | EXCITITOR-POLICY-01-004 | Implement YAML/JSON schema validation and deterministic diagnostics for operator bundles. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-16) | Team Excititor Policy | EXCITITOR-POLICY-01-005 | Add policy change tracking, snapshot digests, and telemetry/logging hooks. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-15) | Team Excititor Storage | EXCITITOR-STORAGE-01-001 | Mongo mapping registry plus raw/export entities and DI extensions in place. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | DONE (2025-10-16) | Team Excititor Storage | EXCITITOR-STORAGE-01-004 | Build provider/consensus/cache class maps and related collections. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Export/TASKS.md | DONE (2025-10-15) | Team Excititor Export | EXCITITOR-EXPORT-01-001 | Export engine delivers cache lookup, manifest creation, and policy integration. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Export/TASKS.md | DONE (2025-10-17) | Team Excititor Export | EXCITITOR-EXPORT-01-004 | Connect export engine to attestation client and persist Rekor metadata. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Attestation/TASKS.md | DONE (2025-10-16) | Team Excititor Attestation | EXCITITOR-ATTEST-01-001 | Implement in-toto predicate + DSSE builder providing envelopes for export attestation. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.Connectors.Abstractions/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors | EXCITITOR-CONN-ABS-01-001 | Deliver shared connector context/base classes so provider plug-ins can be activated via WebService/Worker. |
+| Sprint 5 | Excititor Core Foundations | src/StellaOps.Excititor.WebService/TASKS.md | DONE (2025-10-17) | Team Excititor WebService | EXCITITOR-WEB-01-001 | Scaffold minimal API host, DI, and `/excititor/status` endpoint integrating policy, storage, export, and attestation services. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Worker/TASKS.md | DONE (2025-10-17) | Team Excititor Worker | EXCITITOR-WORKER-01-001 | Create Worker host with provider scheduling and logging to drive recurring pulls/reconciliation. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Formats.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Formats | EXCITITOR-FMT-CSAF-01-001 | Implement CSAF normalizer foundation translating provider documents into `VexClaim` entries. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Formats.CycloneDX/TASKS.md | DONE (2025-10-17) | Team Excititor Formats | EXCITITOR-FMT-CYCLONE-01-001 | Implement CycloneDX VEX normalizer capturing `analysis` state and component references. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Formats.OpenVEX/TASKS.md | DONE (2025-10-17) | Team Excititor Formats | EXCITITOR-FMT-OPENVEX-01-001 | Implement OpenVEX normalizer to ingest attestations into canonical claims with provenance. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-001 | Ship Red Hat CSAF provider metadata discovery enabling incremental pulls. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-002 | Fetch CSAF windows with ETag handling, resume tokens, quarantine on schema errors, and persist raw docs. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-003 | Populate provider trust overrides (cosign issuer, identity regex) and provenance hints for policy evaluation/logging. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-004 | Persist resume cursors (last updated timestamp/document hashes) in storage and reload during fetch to avoid duplicates. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-005 | Register connector in Worker/WebService DI, add scheduled jobs, and document CLI triggers for Red Hat CSAF pulls. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.RedHat.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Red Hat | EXCITITOR-CONN-RH-01-006 | Add CSAF normalization parity fixtures ensuring RHSA-specific metadata is preserved. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Cisco | EXCITITOR-CONN-CISCO-01-001 | Implement Cisco CSAF endpoint discovery/auth to unlock paginated pulls. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Cisco | EXCITITOR-CONN-CISCO-01-002 | Implement Cisco CSAF paginated fetch loop with dedupe and raw persistence support. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – SUSE | EXCITITOR-CONN-SUSE-01-001 | Build Rancher VEX Hub discovery/subscription path with offline snapshot support. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – MSRC | EXCITITOR-CONN-MS-01-001 | Deliver AAD onboarding/token cache for MSRC CSAF ingestion. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Oracle | EXCITITOR-CONN-ORACLE-01-001 | Implement Oracle CSAF catalogue discovery with CPU calendar awareness. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md | DONE (2025-10-17) | Team Excititor Connectors – Ubuntu | EXCITITOR-CONN-UBUNTU-01-001 | Implement Ubuntu CSAF discovery and channel selection for USN ingestion. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/TASKS.md | DONE (2025-10-18) | Team Excititor Connectors – OCI | EXCITITOR-CONN-OCI-01-001 | Wire OCI discovery/auth to fetch OpenVEX attestations for configured images. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/TASKS.md | DONE (2025-10-18) | Team Excititor Connectors – OCI | EXCITITOR-CONN-OCI-01-002 | Attestation fetch & verify loop – download DSSE attestations, trigger verification, handle retries/backoff, persist raw statements. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/TASKS.md | DONE (2025-10-18) | Team Excititor Connectors – OCI | EXCITITOR-CONN-OCI-01-003 | Provenance metadata & policy hooks – emit image, subject digest, issuer, and trust metadata for policy weighting/logging. |
+| Sprint 6 | Excititor Ingest & Formats | src/StellaOps.Cli/TASKS.md | DONE (2025-10-18) | DevEx/CLI | EXCITITOR-CLI-01-001 | Add `excititor` CLI verbs bridging to WebService with consistent auth and offline UX. |
+| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Core/TASKS.md | DONE (2025-10-19) | Team Excititor Core & Policy | EXCITITOR-CORE-02-001 | Context signal schema prep – extend consensus models with severity/KEV/EPSS fields and update canonical serializers. |
+| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Policy/TASKS.md | DONE (2025-10-19) | Team Excititor Policy | EXCITITOR-POLICY-02-001 | Scoring coefficients & weight ceilings – add α/β options, weight boosts, and validation guidance. |
+| Sprint 7 | Contextual Truth Foundations | src/StellaOps.Excititor.Attestation/TASKS.md | DONE (2025-10-16) | Team Excititor Attestation | EXCITITOR-ATTEST-01-002 | Rekor v2 client integration – ship transparency log client with retries and offline queue. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-501 | Define shared DTOs (ScanJob, ProgressEvent), error taxonomy, and deterministic ID/timestamp helpers aligning with `ARCHITECTURE_SCANNER.md` §3–§4. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-502 | Observability helpers (correlation IDs, logging scopes, metric namespacing, deterministic hashes) consumed by WebService/Worker. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Core/TASKS.md | DONE (2025-10-18) | Team Scanner Core | SCANNER-CORE-09-503 | Security utilities: Authority client factory, OpTok caching, DPoP verifier, restart-time plug-in guardrails for scanner components. |
+| Sprint 9 | Scanner Build-time | src/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-001 | Buildx driver scaffold + handshake with Scanner.Emit (local CAS). |
+| Sprint 9 | Scanner Build-time | src/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-002 | OCI annotations + provenance hand-off to Attestor. |
+| Sprint 9 | Scanner Build-time | src/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-003 | CI demo: minimal SBOM push & backend report wiring. |
+| Sprint 9 | Scanner Build-time | src/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-004 | Stabilize descriptor nonce derivation so repeated builds emit deterministic placeholders. |
+| Sprint 9 | Scanner Build-time | src/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md | DONE (2025-10-19) | BuildX Guild | SP9-BLDX-09-005 | Integrate determinism guard into GitHub/Gitea workflows and archive proof artifacts. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-18) | Team Scanner WebService | SCANNER-WEB-09-101 | Minimal API host with Authority enforcement, health/ready endpoints, and restart-time plug-in loader per architecture §1, §4. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-18) | Team Scanner WebService | SCANNER-WEB-09-102 | `/api/v1/scans` submission/status endpoints with deterministic IDs, validation, and cancellation support. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-19) | Team Scanner WebService | SCANNER-WEB-09-104 | Configuration binding for Mongo, MinIO, queue, feature flags; startup diagnostics and fail-fast policy. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-201 | Worker host bootstrap with Authority auth, hosted services, and graceful shutdown semantics. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-202 | Lease/heartbeat loop with retry+jitter, poison-job quarantine, structured logging. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-203 | Analyzer dispatch skeleton emitting deterministic stage progress and honoring cancellation tokens. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-204 | Worker metrics (queue latency, stage duration, failure counts) with OpenTelemetry resource wiring. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Worker/TASKS.md | DONE (2025-10-19) | Team Scanner Worker | SCANNER-WORKER-09-205 | Harden heartbeat jitter so lease safety margin stays ≥3× and cover with regression tests + optional live queue smoke run. |
+| Sprint 9 | Policy Foundations | src/StellaOps.Policy/TASKS.md | DONE | Policy Guild | POLICY-CORE-09-001 | Policy schema + binder + diagnostics. |
+| Sprint 9 | Policy Foundations | src/StellaOps.Policy/TASKS.md | DONE | Policy Guild | POLICY-CORE-09-002 | Policy snapshot store + revision digests. |
+| Sprint 9 | Policy Foundations | src/StellaOps.Policy/TASKS.md | DONE | Policy Guild | POLICY-CORE-09-003 | `/policy/preview` API (image digest → projected verdict diff). |
+| Sprint 9 | DevOps Foundations | ops/devops/TASKS.md | DONE (2025-10-19) | DevOps Guild | DEVOPS-HELM-09-001 | Helm/Compose environment profiles (dev/staging/airgap) with deterministic digests. |
+| Sprint 9 | Docs & Governance | docs/TASKS.md | DONE (2025-10-19) | Docs Guild, DevEx | DOCS-ADR-09-001 | Establish ADR process and template. |
+| Sprint 9 | Docs & Governance | docs/TASKS.md | DONE (2025-10-19) | Docs Guild, Platform Events | DOCS-EVENTS-09-002 | Publish event schema catalog (`docs/events/`) for critical envelopes. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-19) | Team Scanner Storage | SCANNER-STORAGE-09-301 | Mongo catalog schemas/indexes for images, layers, artifacts, jobs, lifecycle rules plus migrations. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-19) | Team Scanner Storage | SCANNER-STORAGE-09-302 | MinIO layout, immutability policies, client abstraction, and configuration binding. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-19) | Team Scanner Storage | SCANNER-STORAGE-09-303 | Repositories/services with dual-write feature flag, deterministic digests, TTL enforcement tests. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Queue/TASKS.md | DONE (2025-10-19) | Team Scanner Queue | SCANNER-QUEUE-09-401 | Queue abstraction + Redis Streams adapter with ack/claim APIs and idempotency tokens. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Queue/TASKS.md | DONE (2025-10-19) | Team Scanner Queue | SCANNER-QUEUE-09-402 | Pluggable backend support (Redis, NATS) with configuration binding, health probes, failover docs. |
+| Sprint 9 | Scanner Core Foundations | src/StellaOps.Scanner.Queue/TASKS.md | DONE (2025-10-19) | Team Scanner Queue | SCANNER-QUEUE-09-403 | Retry + dead-letter strategy with structured logs/metrics for offline deployments. |

deploy/README.md

@@ -6,6 +6,7 @@ This directory contains deterministic deployment bundles for the core Stella Ops
 
 - `releases/` – canonical release manifests (edge, stable, airgap) used to source image digests.
 - `compose/` – Docker Compose bundles for dev/stage/airgap targets plus `.env` seed files.
+- `compose/docker-compose.mirror.yaml` – managed mirror bundle for `*.stella-ops.org` with gateway cache and multi-tenant auth.
 - `helm/stellaops/` – multi-profile Helm chart with values files for dev/stage/airgap.
 - `tools/validate-profiles.sh` – helper that runs `docker compose config` and `helm lint/template` for every profile.
 

deploy/compose/README.md

@@ -9,6 +9,7 @@ These Compose bundles ship the minimum services required to exercise the scanner
 | `docker-compose.dev.yaml` | Edge/nightly stack tuned for laptops and iterative work. |
 | `docker-compose.stage.yaml` | Stable channel stack mirroring pre-production clusters. |
 | `docker-compose.airgap.yaml` | Stable stack with air-gapped defaults (no outbound hostnames). |
+| `docker-compose.mirror.yaml` | Managed mirror topology for `*.stella-ops.org` distribution (Concelier + Excititor + CDN gateway). |
 | `env/*.env.example` | Seed `.env` files that document required secrets and ports per profile. |
 
 ## Usage

deploy/compose/docker-compose.mirror.yaml

@@ -0,0 +1,152 @@
+x-release-labels: &release-labels
+  com.stellaops.release.version: "2025.10.0-edge"
+  com.stellaops.release.channel: "edge"
+  com.stellaops.profile: "mirror-managed"
+
+networks:
+  mirror:
+    driver: bridge
+
+volumes:
+  mongo-data:
+  minio-data:
+  concelier-jobs:
+  concelier-exports:
+  excititor-exports:
+  nginx-cache:
+
+services:
+  mongo:
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    command: ["mongod", "--bind_ip_all"]
+    restart: unless-stopped
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: "${MONGO_INITDB_ROOT_USERNAME:-stellaops_mirror}"
+      MONGO_INITDB_ROOT_PASSWORD: "${MONGO_INITDB_ROOT_PASSWORD:-mirror-password}"
+    volumes:
+      - mongo-data:/data/db
+    networks:
+      - mirror
+    labels: *release-labels
+
+  minio:
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    command: ["server", "/data", "--console-address", ":9001"]
+    restart: unless-stopped
+    environment:
+      MINIO_ROOT_USER: "${MINIO_ROOT_USER:-stellaops-mirror}"
+      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD:-mirror-minio-secret}"
+    volumes:
+      - minio-data:/data
+    networks:
+      - mirror
+    labels: *release-labels
+
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
+    restart: unless-stopped
+    depends_on:
+      - mongo
+      - minio
+    environment:
+      ASPNETCORE_URLS: "http://+:8445"
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME:-stellaops_mirror}:${MONGO_INITDB_ROOT_PASSWORD:-mirror-password}@mongo:27017/concelier?authSource=admin"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "${MINIO_ROOT_USER:-stellaops-mirror}"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "${MINIO_ROOT_PASSWORD:-mirror-minio-secret}"
+      CONCELIER__TELEMETRY__SERVICENAME: "stellaops-concelier-mirror"
+      CONCELIER__MIRROR__ENABLED: "true"
+      CONCELIER__MIRROR__EXPORTROOT: "/exports/json"
+      CONCELIER__MIRROR__LATESTDIRECTORYNAME: "${CONCELIER_MIRROR_LATEST_SEGMENT:-latest}"
+      CONCELIER__MIRROR__MIRRORDIRECTORYNAME: "${CONCELIER_MIRROR_DIRECTORY_SEGMENT:-mirror}"
+      CONCELIER__MIRROR__REQUIREAUTHENTICATION: "${CONCELIER_MIRROR_REQUIRE_AUTH:-true}"
+      CONCELIER__MIRROR__MAXINDEXREQUESTSPERHOUR: "${CONCELIER_MIRROR_INDEX_BUDGET:-600}"
+      CONCELIER__MIRROR__DOMAINS__0__ID: "${CONCELIER_MIRROR_DOMAIN_PRIMARY_ID:-primary}"
+      CONCELIER__MIRROR__DOMAINS__0__DISPLAYNAME: "${CONCELIER_MIRROR_DOMAIN_PRIMARY_NAME:-Primary Mirror}"
+      CONCELIER__MIRROR__DOMAINS__0__REQUIREAUTHENTICATION: "${CONCELIER_MIRROR_DOMAIN_PRIMARY_AUTH:-true}"
+      CONCELIER__MIRROR__DOMAINS__0__MAXDOWNLOADREQUESTSPERHOUR: "${CONCELIER_MIRROR_DOMAIN_PRIMARY_DOWNLOAD_BUDGET:-3600}"
+      CONCELIER__MIRROR__DOMAINS__1__ID: "${CONCELIER_MIRROR_DOMAIN_SECONDARY_ID:-community}"
+      CONCELIER__MIRROR__DOMAINS__1__DISPLAYNAME: "${CONCELIER_MIRROR_DOMAIN_SECONDARY_NAME:-Community Mirror}"
+      CONCELIER__MIRROR__DOMAINS__1__REQUIREAUTHENTICATION: "${CONCELIER_MIRROR_DOMAIN_SECONDARY_AUTH:-false}"
+      CONCELIER__MIRROR__DOMAINS__1__MAXDOWNLOADREQUESTSPERHOUR: "${CONCELIER_MIRROR_DOMAIN_SECONDARY_DOWNLOAD_BUDGET:-1800}"
+      CONCELIER__AUTHORITY__ENABLED: "${CONCELIER_AUTHORITY_ENABLED:-true}"
+      CONCELIER__AUTHORITY__ALLOWANONYMOUSFALLBACK: "${CONCELIER_AUTHORITY_ALLOW_ANON:-false}"
+      CONCELIER__AUTHORITY__ISSUER: "${CONCELIER_AUTHORITY_ISSUER:-https://authority.stella-ops.org}"
+      CONCELIER__AUTHORITY__METADATAADDRESS: "${CONCELIER_AUTHORITY_METADATA:-}"
+      CONCELIER__AUTHORITY__CLIENTID: "${CONCELIER_AUTHORITY_CLIENT_ID:-stellaops-concelier-mirror}"
+      CONCELIER__AUTHORITY__CLIENTSECRETFILE: "/run/secrets/concelier-authority-client"
+      CONCELIER__AUTHORITY__CLIENTSCOPES__0: "${CONCELIER_AUTHORITY_SCOPE:-concelier.mirror.read}"
+      CONCELIER__AUTHORITY__AUDIENCES__0: "${CONCELIER_AUTHORITY_AUDIENCE:-api://concelier.mirror}"
+      CONCELIER__AUTHORITY__BYPASSNETWORKS__0: "10.0.0.0/8"
+      CONCELIER__AUTHORITY__BYPASSNETWORKS__1: "127.0.0.1/32"
+      CONCELIER__AUTHORITY__BYPASSNETWORKS__2: "::1/128"
+      CONCELIER__AUTHORITY__RESILIENCE__ENABLERETRIES: "true"
+      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__0: "00:00:01"
+      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__1: "00:00:02"
+      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__2: "00:00:05"
+      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
+      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "00:10:00"
+    volumes:
+      - concelier-jobs:/var/lib/concelier/jobs
+      - concelier-exports:/exports/json
+      - ./mirror-secrets:/run/secrets:ro
+    networks:
+      - mirror
+    labels: *release-labels
+
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:d9bd5cadf1eab427447ce3df7302c30ded837239771cc6433b9befb895054285
+    restart: unless-stopped
+    depends_on:
+      - mongo
+    environment:
+      ASPNETCORE_URLS: "http://+:8448"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://${MONGO_INITDB_ROOT_USERNAME:-stellaops_mirror}:${MONGO_INITDB_ROOT_PASSWORD:-mirror-password}@mongo:27017/excititor?authSource=admin"
+      EXCITITOR__STORAGE__MONGO__DATABASENAME: "${EXCITITOR_MONGO_DATABASE:-excititor}"
+      EXCITITOR__ARTIFACTS__FILESYSTEM__ROOT: "/exports"
+      EXCITITOR__ARTIFACTS__FILESYSTEM__OVERWRITEEXISTING: "${EXCITITOR_FILESYSTEM_OVERWRITE:-false}"
+      EXCITITOR__MIRROR__DOMAINS__0__ID: "${EXCITITOR_MIRROR_DOMAIN_PRIMARY_ID:-primary}"
+      EXCITITOR__MIRROR__DOMAINS__0__DISPLAYNAME: "${EXCITITOR_MIRROR_DOMAIN_PRIMARY_NAME:-Primary Mirror}"
+      EXCITITOR__MIRROR__DOMAINS__0__REQUIREAUTHENTICATION: "${EXCITITOR_MIRROR_DOMAIN_PRIMARY_AUTH:-true}"
+      EXCITITOR__MIRROR__DOMAINS__0__MAXINDEXREQUESTSPERHOUR: "${EXCITITOR_MIRROR_DOMAIN_PRIMARY_INDEX_BUDGET:-300}"
+      EXCITITOR__MIRROR__DOMAINS__0__MAXDOWNLOADREQUESTSPERHOUR: "${EXCITITOR_MIRROR_DOMAIN_PRIMARY_DOWNLOAD_BUDGET:-2400}"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__KEY: "${EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_KEY:-consensus-json}"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__FORMAT: "${EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_FORMAT:-json}"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__VIEW: "${EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_VIEW:-consensus}"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__KEY: "${EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_KEY:-consensus-openvex}"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__FORMAT: "${EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_FORMAT:-openvex}"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__VIEW: "${EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_VIEW:-consensus}"
+      EXCITITOR__MIRROR__DOMAINS__1__ID: "${EXCITITOR_MIRROR_DOMAIN_SECONDARY_ID:-community}"
+      EXCITITOR__MIRROR__DOMAINS__1__DISPLAYNAME: "${EXCITITOR_MIRROR_DOMAIN_SECONDARY_NAME:-Community Mirror}"
+      EXCITITOR__MIRROR__DOMAINS__1__REQUIREAUTHENTICATION: "${EXCITITOR_MIRROR_DOMAIN_SECONDARY_AUTH:-false}"
+      EXCITITOR__MIRROR__DOMAINS__1__MAXINDEXREQUESTSPERHOUR: "${EXCITITOR_MIRROR_DOMAIN_SECONDARY_INDEX_BUDGET:-120}"
+      EXCITITOR__MIRROR__DOMAINS__1__MAXDOWNLOADREQUESTSPERHOUR: "${EXCITITOR_MIRROR_DOMAIN_SECONDARY_DOWNLOAD_BUDGET:-600}"
+      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__KEY: "${EXCITITOR_MIRROR_SECONDARY_EXPORT_KEY:-community-consensus}"
+      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__FORMAT: "${EXCITITOR_MIRROR_SECONDARY_EXPORT_FORMAT:-json}"
+      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__VIEW: "${EXCITITOR_MIRROR_SECONDARY_EXPORT_VIEW:-consensus}"
+    volumes:
+      - excititor-exports:/exports
+      - ./mirror-secrets:/run/secrets:ro
+    expose:
+      - "8448"
+    networks:
+      - mirror
+    labels: *release-labels
+
+  mirror-gateway:
+    image: docker.io/library/nginx@sha256:208b70eefac13ee9be00e486f79c695b15cef861c680527171a27d253d834be9
+    restart: unless-stopped
+    depends_on:
+      - concelier
+      - excititor
+    ports:
+      - "${MIRROR_GATEWAY_HTTP_PORT:-8080}:80"
+      - "${MIRROR_GATEWAY_HTTPS_PORT:-9443}:443"
+    volumes:
+      - nginx-cache:/var/cache/nginx
+      - ./mirror-gateway/conf.d:/etc/nginx/conf.d:ro
+      - ./mirror-gateway/tls:/etc/nginx/tls:ro
+      - ./mirror-gateway/secrets:/etc/nginx/secrets:ro
+    networks:
+      - mirror
+    labels: *release-labels

deploy/compose/env/mirror.env.example

@@ -0,0 +1,57 @@
+# Managed mirror profile substitutions
+
+# Core infrastructure credentials
+MONGO_INITDB_ROOT_USERNAME=stellaops_mirror
+MONGO_INITDB_ROOT_PASSWORD=mirror-password
+MINIO_ROOT_USER=stellaops-mirror
+MINIO_ROOT_PASSWORD=mirror-minio-secret
+
+# Mirror HTTP listeners
+MIRROR_GATEWAY_HTTP_PORT=8080
+MIRROR_GATEWAY_HTTPS_PORT=9443
+
+# Concelier mirror configuration
+CONCELIER_MIRROR_LATEST_SEGMENT=latest
+CONCELIER_MIRROR_DIRECTORY_SEGMENT=mirror
+CONCELIER_MIRROR_REQUIRE_AUTH=true
+CONCELIER_MIRROR_INDEX_BUDGET=600
+CONCELIER_MIRROR_DOMAIN_PRIMARY_ID=primary
+CONCELIER_MIRROR_DOMAIN_PRIMARY_NAME=Primary Mirror
+CONCELIER_MIRROR_DOMAIN_PRIMARY_AUTH=true
+CONCELIER_MIRROR_DOMAIN_PRIMARY_DOWNLOAD_BUDGET=3600
+CONCELIER_MIRROR_DOMAIN_SECONDARY_ID=community
+CONCELIER_MIRROR_DOMAIN_SECONDARY_NAME=Community Mirror
+CONCELIER_MIRROR_DOMAIN_SECONDARY_AUTH=false
+CONCELIER_MIRROR_DOMAIN_SECONDARY_DOWNLOAD_BUDGET=1800
+
+# Authority integration (tokens issued by production Authority)
+CONCELIER_AUTHORITY_ENABLED=true
+CONCELIER_AUTHORITY_ALLOW_ANON=false
+CONCELIER_AUTHORITY_ISSUER=https://authority.stella-ops.org
+CONCELIER_AUTHORITY_METADATA=
+CONCELIER_AUTHORITY_CLIENT_ID=stellaops-concelier-mirror
+CONCELIER_AUTHORITY_SCOPE=concelier.mirror.read
+CONCELIER_AUTHORITY_AUDIENCE=api://concelier.mirror
+
+# Excititor mirror configuration
+EXCITITOR_MONGO_DATABASE=excititor
+EXCITITOR_FILESYSTEM_OVERWRITE=false
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_ID=primary
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_NAME=Primary Mirror
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_AUTH=true
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_INDEX_BUDGET=300
+EXCITITOR_MIRROR_DOMAIN_PRIMARY_DOWNLOAD_BUDGET=2400
+EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_KEY=consensus-json
+EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_FORMAT=json
+EXCITITOR_MIRROR_PRIMARY_EXPORT_CONSENSUS_VIEW=consensus
+EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_KEY=consensus-openvex
+EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_FORMAT=openvex
+EXCITITOR_MIRROR_PRIMARY_EXPORT_OPENVEX_VIEW=consensus
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_ID=community
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_NAME=Community Mirror
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_AUTH=false
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_INDEX_BUDGET=120
+EXCITITOR_MIRROR_DOMAIN_SECONDARY_DOWNLOAD_BUDGET=600
+EXCITITOR_MIRROR_SECONDARY_EXPORT_KEY=community-consensus
+EXCITITOR_MIRROR_SECONDARY_EXPORT_FORMAT=json
+EXCITITOR_MIRROR_SECONDARY_EXPORT_VIEW=consensus

deploy/compose/mirror-gateway/README.md

@@ -0,0 +1,13 @@
+# Mirror Gateway Assets
+
+This directory holds the reverse-proxy configuration and TLS material for the managed
+mirror profile:
+
+- `conf.d/*.conf` – nginx configuration shipped with the profile.
+- `tls/` – place environment-specific certificates and private keys
+  (`mirror-primary.{crt,key}`, `mirror-community.{crt,key}`, etc.).
+- `secrets/` – populate Basic Auth credential stores (`*.htpasswd`) that gate each
+  mirror domain. Generate with `htpasswd -B`.
+
+The Compose bundle mounts these paths read-only. Populate `tls/` with the actual
+certificates before invoking `docker compose config` or `docker compose up`.

deploy/compose/mirror-gateway/conf.d/mirror-locations.conf

@@ -0,0 +1,44 @@
+proxy_set_header Host              $host;
+proxy_set_header X-Real-IP         $remote_addr;
+proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_redirect                     off;
+
+add_header X-Cache-Status $upstream_cache_status always;
+
+location = /healthz {
+    default_type application/json;
+    return 200 '{"status":"ok"}';
+}
+
+location /concelier/exports/ {
+    proxy_pass http://concelier_backend/concelier/exports/;
+    proxy_cache mirror_cache;
+    proxy_cache_key $mirror_cache_key;
+    proxy_cache_valid 200 5m;
+    proxy_cache_valid 404 1m;
+    add_header Cache-Control "public, max-age=300, immutable" always;
+}
+
+location /concelier/ {
+    proxy_pass http://concelier_backend/concelier/;
+    proxy_cache off;
+}
+
+location /excititor/mirror/ {
+    proxy_pass http://excititor_backend/excititor/mirror/;
+    proxy_cache mirror_cache;
+    proxy_cache_key $mirror_cache_key;
+    proxy_cache_valid 200 5m;
+    proxy_cache_valid 404 1m;
+    add_header Cache-Control "public, max-age=300, immutable" always;
+}
+
+location /excititor/ {
+    proxy_pass http://excititor_backend/excititor/;
+    proxy_cache off;
+}
+
+location / {
+    return 404;
+}

deploy/compose/mirror-gateway/conf.d/mirror.conf

@@ -0,0 +1,51 @@
+proxy_cache_path /var/cache/nginx/mirror levels=1:2 keys_zone=mirror_cache:100m max_size=10g inactive=12h use_temp_path=off;
+
+map $request_uri $mirror_cache_key {
+    default $scheme$request_method$host$request_uri;
+}
+
+upstream concelier_backend {
+    server concelier:8445;
+    keepalive 32;
+}
+
+upstream excititor_backend {
+    server excititor:8448;
+    keepalive 32;
+}
+
+server {
+    listen 80;
+    server_name _;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name mirror-primary.stella-ops.org;
+
+    ssl_certificate     /etc/nginx/tls/mirror-primary.crt;
+    ssl_certificate_key /etc/nginx/tls/mirror-primary.key;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+
+    auth_basic "StellaOps Mirror – primary";
+    auth_basic_user_file /etc/nginx/secrets/mirror-primary.htpasswd;
+
+    include /etc/nginx/conf.d/mirror-locations.conf;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name mirror-community.stella-ops.org;
+
+    ssl_certificate     /etc/nginx/tls/mirror-community.crt;
+    ssl_certificate_key /etc/nginx/tls/mirror-community.key;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+
+    auth_basic "StellaOps Mirror – community";
+    auth_basic_user_file /etc/nginx/secrets/mirror-community.htpasswd;
+
+    include /etc/nginx/conf.d/mirror-locations.conf;
+}

deploy/helm/stellaops/values-mirror.yaml

@@ -0,0 +1,282 @@
+global:
+  profile: mirror-managed
+  release:
+    version: "2025.10.0-edge"
+    channel: edge
+    manifestSha256: "822f82987529ea38d2321dbdd2ef6874a4062a117116a20861c26a8df1807beb"
+  image:
+    pullPolicy: IfNotPresent
+  labels:
+    stellaops.io/channel: edge
+
+configMaps:
+  mirror-gateway:
+    data:
+      mirror.conf: |
+        proxy_cache_path /var/cache/nginx/mirror levels=1:2 keys_zone=mirror_cache:100m max_size=10g inactive=12h use_temp_path=off;
+
+        map $request_uri $mirror_cache_key {
+            default $scheme$request_method$host$request_uri;
+        }
+
+        upstream concelier_backend {
+            server stellaops-concelier:8445;
+            keepalive 32;
+        }
+
+        upstream excititor_backend {
+            server stellaops-excititor:8448;
+            keepalive 32;
+        }
+
+        server {
+            listen 80;
+            server_name _;
+            return 301 https://$host$request_uri;
+        }
+
+        server {
+            listen 443 ssl http2;
+            server_name mirror-primary.stella-ops.org;
+
+            ssl_certificate     /etc/nginx/tls/mirror-primary.crt;
+            ssl_certificate_key /etc/nginx/tls/mirror-primary.key;
+            ssl_protocols       TLSv1.2 TLSv1.3;
+            ssl_prefer_server_ciphers on;
+
+            auth_basic "StellaOps Mirror – primary";
+            auth_basic_user_file /etc/nginx/secrets/mirror-primary.htpasswd;
+
+            include /etc/nginx/conf.d/mirror-locations.conf;
+        }
+
+        server {
+            listen 443 ssl http2;
+            server_name mirror-community.stella-ops.org;
+
+            ssl_certificate     /etc/nginx/tls/mirror-community.crt;
+            ssl_certificate_key /etc/nginx/tls/mirror-community.key;
+            ssl_protocols       TLSv1.2 TLSv1.3;
+            ssl_prefer_server_ciphers on;
+
+            auth_basic "StellaOps Mirror – community";
+            auth_basic_user_file /etc/nginx/secrets/mirror-community.htpasswd;
+
+            include /etc/nginx/conf.d/mirror-locations.conf;
+        }
+      mirror-locations.conf: |
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_redirect                     off;
+
+        add_header X-Cache-Status $upstream_cache_status always;
+
+        location = /healthz {
+            default_type application/json;
+            return 200 '{"status":"ok"}';
+        }
+
+        location /concelier/exports/ {
+            proxy_pass http://concelier_backend/concelier/exports/;
+            proxy_cache mirror_cache;
+            proxy_cache_key $mirror_cache_key;
+            proxy_cache_valid 200 5m;
+            proxy_cache_valid 404 1m;
+            add_header Cache-Control "public, max-age=300, immutable" always;
+        }
+
+        location /concelier/ {
+            proxy_pass http://concelier_backend/concelier/;
+            proxy_cache off;
+        }
+
+        location /excititor/mirror/ {
+            proxy_pass http://excititor_backend/excititor/mirror/;
+            proxy_cache mirror_cache;
+            proxy_cache_key $mirror_cache_key;
+            proxy_cache_valid 200 5m;
+            proxy_cache_valid 404 1m;
+            add_header Cache-Control "public, max-age=300, immutable" always;
+        }
+
+        location /excititor/ {
+            proxy_pass http://excititor_backend/excititor/;
+            proxy_cache off;
+        }
+
+        location / {
+            return 404;
+        }
+
+services:
+  concelier:
+    image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
+    service:
+      port: 8445
+    env:
+      ASPNETCORE_URLS: "http://+:8445"
+      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops_mirror:mirror-password@stellaops-mongo:27017/concelier?authSource=admin"
+      CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
+      CONCELIER__STORAGE__S3__ACCESSKEYID: "stellaops-mirror"
+      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "mirror-minio-secret"
+      CONCELIER__TELEMETRY__SERVICENAME: "stellaops-concelier-mirror"
+      CONCELIER__MIRROR__ENABLED: "true"
+      CONCELIER__MIRROR__EXPORTROOT: "/exports/json"
+      CONCELIER__MIRROR__LATESTDIRECTORYNAME: "latest"
+      CONCELIER__MIRROR__MIRRORDIRECTORYNAME: "mirror"
+      CONCELIER__MIRROR__REQUIREAUTHENTICATION: "true"
+      CONCELIER__MIRROR__MAXINDEXREQUESTSPERHOUR: "600"
+      CONCELIER__MIRROR__DOMAINS__0__ID: "primary"
+      CONCELIER__MIRROR__DOMAINS__0__DISPLAYNAME: "Primary Mirror"
+      CONCELIER__MIRROR__DOMAINS__0__REQUIREAUTHENTICATION: "true"
+      CONCELIER__MIRROR__DOMAINS__0__MAXDOWNLOADREQUESTSPERHOUR: "3600"
+      CONCELIER__MIRROR__DOMAINS__1__ID: "community"
+      CONCELIER__MIRROR__DOMAINS__1__DISPLAYNAME: "Community Mirror"
+      CONCELIER__MIRROR__DOMAINS__1__REQUIREAUTHENTICATION: "false"
+      CONCELIER__MIRROR__DOMAINS__1__MAXDOWNLOADREQUESTSPERHOUR: "1800"
+      CONCELIER__AUTHORITY__ENABLED: "true"
+      CONCELIER__AUTHORITY__ALLOWANONYMOUSFALLBACK: "false"
+      CONCELIER__AUTHORITY__ISSUER: "https://authority.stella-ops.org"
+      CONCELIER__AUTHORITY__METADATAADDRESS: ""
+      CONCELIER__AUTHORITY__CLIENTID: "stellaops-concelier-mirror"
+      CONCELIER__AUTHORITY__CLIENTSECRETFILE: "/run/secrets/concelier-authority-client"
+      CONCELIER__AUTHORITY__CLIENTSCOPES__0: "concelier.mirror.read"
+      CONCELIER__AUTHORITY__AUDIENCES__0: "api://concelier.mirror"
+      CONCELIER__AUTHORITY__BYPASSNETWORKS__0: "10.0.0.0/8"
+      CONCELIER__AUTHORITY__BYPASSNETWORKS__1: "127.0.0.1/32"
+      CONCELIER__AUTHORITY__BYPASSNETWORKS__2: "::1/128"
+      CONCELIER__AUTHORITY__RESILIENCE__ENABLERETRIES: "true"
+      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__0: "00:00:01"
+      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__1: "00:00:02"
+      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__2: "00:00:05"
+      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
+      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "00:10:00"
+    volumeMounts:
+      - name: concelier-jobs
+        mountPath: /var/lib/concelier/jobs
+      - name: concelier-exports
+        mountPath: /exports/json
+      - name: concelier-secrets
+        mountPath: /run/secrets
+        readOnly: true
+    volumes:
+      - name: concelier-jobs
+        persistentVolumeClaim:
+          claimName: concelier-mirror-jobs
+      - name: concelier-exports
+        persistentVolumeClaim:
+          claimName: concelier-mirror-exports
+      - name: concelier-secrets
+        secret:
+          secretName: concelier-mirror-auth
+
+  excititor:
+    image: registry.stella-ops.org/stellaops/excititor@sha256:d9bd5cadf1eab427447ce3df7302c30ded837239771cc6433b9befb895054285
+    env:
+      ASPNETCORE_URLS: "http://+:8448"
+      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops_mirror:mirror-password@stellaops-mongo:27017/excititor?authSource=admin"
+      EXCITITOR__STORAGE__MONGO__DATABASENAME: "excititor"
+      EXCITITOR__ARTIFACTS__FILESYSTEM__ROOT: "/exports"
+      EXCITITOR__ARTIFACTS__FILESYSTEM__OVERWRITEEXISTING: "false"
+      EXCITITOR__MIRROR__DOMAINS__0__ID: "primary"
+      EXCITITOR__MIRROR__DOMAINS__0__DISPLAYNAME: "Primary Mirror"
+      EXCITITOR__MIRROR__DOMAINS__0__REQUIREAUTHENTICATION: "true"
+      EXCITITOR__MIRROR__DOMAINS__0__MAXINDEXREQUESTSPERHOUR: "300"
+      EXCITITOR__MIRROR__DOMAINS__0__MAXDOWNLOADREQUESTSPERHOUR: "2400"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__KEY: "consensus-json"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__FORMAT: "json"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__VIEW: "consensus"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__KEY: "consensus-openvex"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__FORMAT: "openvex"
+      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__VIEW: "consensus"
+      EXCITITOR__MIRROR__DOMAINS__1__ID: "community"
+      EXCITITOR__MIRROR__DOMAINS__1__DISPLAYNAME: "Community Mirror"
+      EXCITITOR__MIRROR__DOMAINS__1__REQUIREAUTHENTICATION: "false"
+      EXCITITOR__MIRROR__DOMAINS__1__MAXINDEXREQUESTSPERHOUR: "120"
+      EXCITITOR__MIRROR__DOMAINS__1__MAXDOWNLOADREQUESTSPERHOUR: "600"
+      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__KEY: "community-consensus"
+      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__FORMAT: "json"
+      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__VIEW: "consensus"
+    volumeMounts:
+      - name: excititor-exports
+        mountPath: /exports
+      - name: excititor-secrets
+        mountPath: /run/secrets
+        readOnly: true
+    volumes:
+      - name: excititor-exports
+        persistentVolumeClaim:
+          claimName: excititor-mirror-exports
+      - name: excititor-secrets
+        secret:
+          secretName: excititor-mirror-auth
+
+  mongo:
+    class: infrastructure
+    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
+    service:
+      port: 27017
+    command:
+      - mongod
+      - --bind_ip_all
+    env:
+      MONGO_INITDB_ROOT_USERNAME: "stellaops_mirror"
+      MONGO_INITDB_ROOT_PASSWORD: "mirror-password"
+    volumeMounts:
+      - name: mongo-data
+        mountPath: /data/db
+    volumeClaims:
+      - name: mongo-data
+        claimName: mirror-mongo-data
+
+  minio:
+    class: infrastructure
+    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
+    service:
+      port: 9000
+    command:
+      - server
+      - /data
+      - --console-address
+      - :9001
+    env:
+      MINIO_ROOT_USER: "stellaops-mirror"
+      MINIO_ROOT_PASSWORD: "mirror-minio-secret"
+    volumeMounts:
+      - name: minio-data
+        mountPath: /data
+    volumeClaims:
+      - name: minio-data
+        claimName: mirror-minio-data
+
+  mirror-gateway:
+    image: docker.io/library/nginx@sha256:208b70eefac13ee9be00e486f79c695b15cef861c680527171a27d253d834be9
+    service:
+      type: LoadBalancer
+      port: 443
+      portName: https
+      targetPort: 443
+    configMounts:
+      - name: mirror-gateway-conf
+        mountPath: /etc/nginx/conf.d
+        configMap: mirror-gateway
+    volumeMounts:
+      - name: mirror-gateway-tls
+        mountPath: /etc/nginx/tls
+        readOnly: true
+      - name: mirror-gateway-secrets
+        mountPath: /etc/nginx/secrets
+        readOnly: true
+      - name: mirror-cache
+        mountPath: /var/cache/nginx
+    volumes:
+      - name: mirror-gateway-tls
+        secret:
+          secretName: mirror-gateway-tls
+      - name: mirror-gateway-secrets
+        secret:
+          secretName: mirror-gateway-htpasswd
+      - name: mirror-cache
+        emptyDir: {}

deploy/tools/validate-profiles.sh

@@ -9,6 +9,7 @@ compose_profiles=(
   "docker-compose.dev.yaml:env/dev.env.example"
   "docker-compose.stage.yaml:env/stage.env.example"
   "docker-compose.airgap.yaml:env/airgap.env.example"
+  "docker-compose.mirror.yaml:env/mirror.env.example"
 )
 
 docker_ready=false
@@ -36,6 +37,7 @@ helm_values=(
   "$HELM_DIR/values-dev.yaml"
   "$HELM_DIR/values-stage.yaml"
   "$HELM_DIR/values-airgap.yaml"
+  "$HELM_DIR/values-mirror.yaml"
 )
 
 if command -v helm >/dev/null 2>&1; then

docs/09_API_CLI_REFERENCE.md

@@ -522,10 +522,12 @@ See `docs/dev/32_AUTH_CLIENT_GUIDE.md` for recommended profiles (online vs. air-
 | `stellaops-cli auth revoke export` | Export the Authority revocation bundle | `--output <directory>` (defaults to CWD) | Writes `revocation-bundle.json`, `.json.jws`, and `.json.sha256`; verifies the digest locally and includes key metadata in the log summary. |
 | `stellaops-cli auth revoke verify` | Validate a revocation bundle offline | `--bundle <path>` `--signature <path>` `--key <path>`<br>`--verbose` | Verifies detached JWS signatures, reports the computed SHA-256, and can fall back to cached JWKS when `--key` is omitted. |
 | `stellaops-cli config show` | Display resolved configuration | — | Masks secret values; helpful for air‑gapped installs |
-| `stellaops-cli runtime policy test` | Ask Scanner.WebService for runtime verdicts (Webhook parity) | `--image/-i <digest>` (repeatable, comma/space lists supported)<br>`--file/-f <path>`<br>`--namespace/--ns <name>`<br>`--label/-l key=value` (repeatable)<br>`--json` | Posts to `POST /api/v1/scanner/policy/runtime`, deduplicates image digests, and prints TTL + per-image verdict/signed/SBOM status. Accepts newline/whitespace-delimited stdin when piped; `--json` emits the raw response without additional logging. |
+| `stellaops-cli runtime policy test` | Ask Scanner.WebService for runtime verdicts (Webhook parity) | `--image/-i <digest>` (repeatable, comma/space lists supported)<br>`--file/-f <path>`<br>`--namespace/--ns <name>`<br>`--label/-l key=value` (repeatable)<br>`--json` | Posts to `POST /api/v1/scanner/policy/runtime`, deduplicates image digests, and prints TTL/policy revision plus per-image columns for signed state, SBOM referrers, quieted-by metadata, confidence, and Rekor attestation (uuid + verified flag). Accepts newline/whitespace-delimited stdin when piped; `--json` emits the raw response without additional logging. |
 
 When running on an interactive terminal without explicit override flags, the CLI uses Spectre.Console prompts to let you choose per-run ORAS/offline bundle behaviour.
 
+Runtime verdict output reflects the SCANNER-RUNTIME-12-302 contract sign-off (quieted provenance, confidence band, attestation verification). CLI-RUNTIME-13-008 now mirrors those fields in both table and `--json` formats.
+
 **Startup diagnostics**
 
 - `stellaops-cli` now loads Authority plug-in manifests during startup (respecting `Authority:Plugins:*`) and surfaces analyzer warnings when a plug-in weakens the baseline password policy (minimum length **12** and all character classes required).

docs/10_CONCELIER_CLI_QUICKSTART.md

@@ -12,7 +12,7 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
 - .NET SDK **10.0.100-preview** (matches `global.json`)
 - MongoDB instance reachable from the host (local Docker or managed)
 - `trivy-db` binary on `PATH` for Trivy exports (and `oras` if publishing to OCI)
-- Plugin assemblies present in `PluginBinaries/` (already included in the repo)
+- Plugin assemblies present in `StellaOps.Concelier.PluginBinaries/` (already included in the repo)
 - Optional: Docker/Podman runtime if you plan to run scanners locally
 
 > **Tip** – air-gapped installs should preload `trivy-db` and `oras` binaries into the
@@ -31,7 +31,7 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
    ```
 
 2. Edit `etc/concelier.yaml` and update the MongoDB DSN (and optional database name).
-   The default template configures plug-in discovery to look in `PluginBinaries/`
+   The default template configures plug-in discovery to look in `StellaOps.Concelier.PluginBinaries/`
    and disables remote telemetry exporters by default.
 
 3. (Optional) Override settings via environment variables. All keys are prefixed with
@@ -71,7 +71,7 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
    environment. Authority expects per-plugin manifests in `etc/authority.plugins/`;
    sample `standard.yaml` and `ldap.yaml` files are provided as starting points.
    For air-gapped installs keep the default plug-in binary directory
-   (`../PluginBinaries/Authority`) so packaged plug-ins load without outbound access.
+   (`../StellaOps.Authority.PluginBinaries`) so packaged plug-ins load without outbound access.
 
 3. Environment variables prefixed with `STELLAOPS_AUTHORITY_` override individual
    fields. Example:

docs/10_PLUGIN_SDK_GUIDE.md

@@ -84,15 +84,40 @@ Add this to **`MyPlugin.Schedule.csproj`** so the signed DLL + `.sig` land in th
 
 ## 5 Dependency‑Injection Entry‑point  
 
-Back‑end auto‑discovers the static method below:
+Back‑end auto‑discovers restart‑time bindings through two mechanisms:
+
+1. **Service binding metadata** for simple contracts.
+2. **`IDependencyInjectionRoutine`** implementations when you need full control.
+
+### 5.1 Service binding metadata
+
+Annotate implementations with `[ServiceBinding]` to declare their lifetime and service contract.  
+The loader honours scoped lifetimes and will register the service before executing any custom DI routines.
+
+~~~csharp
+using Microsoft.Extensions.DependencyInjection;
+using StellaOps.DependencyInjection;
+
+[ServiceBinding(typeof(IJob), ServiceLifetime.Scoped, RegisterAsSelf = true)]
+public sealed class MyJob : IJob
+{
+    // IJob dependencies can now use scoped services (Mongo sessions, etc.)
+}
+~~~
+
+Use `RegisterAsSelf = true` when you also want to resolve the concrete type.  
+Set `ReplaceExisting = true` to override default descriptors if the host already provides one.
+
+### 5.2 Dependency injection routines
+
+For advanced scenarios continue to expose a routine:
 
 ~~~csharp
 namespace StellaOps.DependencyInjection;
 
-public static class IoCConfigurator
+public sealed class IoCConfigurator : IDependencyInjectionRoutine
 {
-    public static IServiceCollection Configure(this IServiceCollection services,
-                                               IConfiguration cfg)
+    public IServiceCollection Register(IServiceCollection services, IConfiguration cfg)
     {
         services.AddSingleton<IJob, MyJob>();        // schedule job
         services.Configure<MyPluginOptions>(cfg.GetSection("Plugins:MyPlugin"));

docs/11_AUTHORITY.md

@@ -147,6 +147,20 @@ All administrative calls emit `AuthEventRecord` entries enriched with correlatio
 | Security | `security.rateLimiting` | Fixed-window limits for `/token`, `/authorize`, `/internal/*`. | See `docs/security/rate-limits.md` for tuning. |
 | Bootstrap | `bootstrap.apiKey` | Shared secret required for `/internal/*`. | Only required when `bootstrap.enabled` is true. |
 
+### 7.1 Sender-constrained clients (DPoP & mTLS)
+
+Authority now understands two flavours of sender-constrained OAuth clients:
+
+- **DPoP proof-of-possession** – clients sign a `DPoP` header for `/token` requests. Authority validates the JWK thumbprint, HTTP method/URI, and replay window, then stamps the resulting access token with `cnf.jkt` so downstream services can verify the same key is reused.
+  - Configure under `security.senderConstraints.dpop`. `allowedAlgorithms`, `proofLifetime`, and `replayWindow` are enforced at validation time.
+  - `security.senderConstraints.dpop.nonce.enabled` enables nonce challenges for high-value audiences (`requiredAudiences`, normalised to case-insensitive strings). When a nonce is required but missing or expired, `/token` replies with `WWW-Authenticate: DPoP error="use_dpop_nonce"` (and, when available, a fresh `DPoP-Nonce` header). Clients must retry with the issued nonce embedded in the proof.
+  - `security.senderConstraints.dpop.nonce.store` selects `memory` (default) or `redis`. When `redis` is configured, set `security.senderConstraints.dpop.nonce.redisConnectionString` so replicas share nonce issuance and high-value clients avoid replay gaps during failover.
+  - Declare client `audiences` in bootstrap manifests or plug-in provisioning metadata; Authority now defaults the token `aud` claim and `resource` indicator from this list, which is also used to trigger nonce enforcement for audiences such as `signer` and `attestor`.
+- **Mutual TLS clients** – client registrations may declare an mTLS binding (`senderConstraint: mtls`). When enabled via `security.senderConstraints.mtls`, Authority validates the presented client certificate against stored bindings (`certificateBindings[]`), optional chain verification, and timing windows. Successful requests embed `cnf.x5t#S256` into the access token so resource servers can enforce the certificate thumbprint.
+  - Certificate bindings record the certificate thumbprint, optional SANs, subject/issuer metadata, and activation windows. Operators can enforce subject regexes, SAN type allow-lists (`dns`, `uri`, `ip`), trusted certificate authorities, and rotation grace via `security.senderConstraints.mtls.*`.
+
+Both modes persist additional metadata in `authority_tokens`: `senderConstraint` records the enforced policy, while `senderKeyThumbprint` stores the DPoP JWK thumbprint or mTLS certificate hash captured at issuance. Downstream services can rely on these fields (and the corresponding `cnf` claim) when auditing offline copies of the token store.
+
 ## 8. Offline & Sovereign Operation
 - **No outbound dependencies:** Authority only contacts MongoDB and local plugins. Discovery and JWKS are cached by clients with offline tolerances (`AllowOfflineCacheFallback`, `OfflineCacheTolerance`). Operators should mirror these responses for air-gapped use.
 - **Structured logging:** Every revocation export, signing rotation, bootstrap action, and token issuance emits structured logs with `traceId`, `client_id`, `subjectId`, and `network.remoteIp` where applicable. Mirror logs to your SIEM to retain audit trails without central connectivity.

docs/ARCHITECTURE_ATTESTOR.md

@@ -200,7 +200,8 @@ Indexes:
   * Predicate `predicateType` must be on allowlist (sbom/report/vex-export).
   * `subject.digest.sha256` values must be present and well‑formed (hex).
 * **No public submission** path. **Never** accept bundles from untrusted clients.
-* **Rate limits**: per mTLS thumbprint/license (from Signer‑forwarded claims) to avoid flooding the log.
+* **Client certificate allowlists**: optional `security.mtls.allowedSubjects` / `allowedThumbprints` tighten peer identity checks beyond CA pinning.
+* **Rate limits**: token-bucket per caller derived from `quotas.perCaller` (QPS/burst) returns `429` + `Retry-After` when exceeded.
 * **Redaction**: Attestor never logs secret material; DSSE payloads **should** be public by design (SBOMs/reports). If customers require redaction, enforce policy at Signer (predicate minimization) **before** Attestor.
 
 ---
@@ -233,6 +234,10 @@ Indexes:
 * `attestor.dedupe_hits_total`
 * `attestor.errors_total{type}`
 
+**Correlation**:
+
+* HTTP callers may supply `X-Correlation-Id`; Attestor will echo the header and push `CorrelationId` into the log scope for cross-service tracing.
+
 **Tracing**:
 
 * Spans: `validate`, `rekor.submit`, `rekor.poll`, `persist`, `archive`, `verify`.

docs/ARCHITECTURE_AUTHORITY.md

@@ -229,6 +229,8 @@ GET  /admin/metrics                 # Prometheus exposition (token issue rates,
 GET  /admin/healthz|readyz          # health/readiness
 ```
 
+Declared client `audiences` flow through to the issued JWT `aud` claim and the token request's `resource` indicators. Authority relies on this metadata to enforce DPoP nonce challenges for `signer`, `attestor`, and other high-value services without requiring clients to repeat the audience parameter on every request.
+
 ---
 
 ## 11) Integration hard lines (what resource servers must enforce)
@@ -286,6 +288,8 @@ authority:
     nonce:
       enable: true
       ttlSeconds: 600
+      store: redis
+      redisConnectionString: "redis://authority-redis:6379?ssl=false"
   mtls:
     enable: true
     caBundleFile: /etc/ssl/mtls/clients-ca.pem

docs/ARCHITECTURE_CONCELIER.md

@@ -94,6 +94,34 @@ mergedAt
 inputs[]            // source doc digests that contributed
 ```
 
+**AdvisoryStatement (event log)**
+
+```
+statementId         // GUID (immutable)
+vulnerabilityKey    // canonical advisory key (e.g., CVE-2025-12345)
+advisoryKey         // merge snapshot advisory key (may reference variant)
+statementHash       // canonical hash of advisory payload
+asOf                // timestamp of snapshot (UTC)
+recordedAt          // persistence timestamp (UTC)
+inputDocuments[]    // document IDs contributing to the snapshot
+payload             // canonical advisory document (BSON / canonical JSON)
+```
+
+**AdvisoryConflict**
+
+```
+conflictId          // GUID
+vulnerabilityKey    // canonical advisory key
+conflictHash        // deterministic hash of conflict payload
+asOf                // timestamp aligned with originating statement set
+recordedAt          // persistence timestamp
+statementIds[]      // related advisoryStatement identifiers
+details             // structured conflict explanation / merge reasoning
+```
+
+- `AdvisoryEventLog` (Concelier.Core) provides the public API for appending immutable statements/conflicts and querying replay history. Inputs are normalized by trimming and lower-casing `vulnerabilityKey`, serializing advisories with `CanonicalJsonSerializer`, and computing SHA-256 hashes (`statementHash`, `conflictHash`) over the canonical JSON payloads. Consumers can replay by key with an optional `asOf` filter to obtain deterministic snapshots ordered by `asOf` then `recordedAt`.
+- Concelier.WebService exposes the immutable log via `GET /concelier/advisories/{vulnerabilityKey}/replay[?asOf=UTC_ISO8601]`, returning the latest statements (with hex-encoded hashes) and any conflict explanations for downstream exporters and APIs.
+
 **ExportState**
 
 ```
@@ -252,6 +280,7 @@ public interface IFeedConnector {
   ```
 * Optional ORAS push (OCI layout) for registries.
 * Offline kit bundles include Trivy DB + JSON tree + export manifest.
+* Mirror-ready bundles: when `concelier.trivy.mirror` defines domains, the exporter emits `mirror/index.json` plus per-domain `manifest.json`, `metadata.json`, and `db.tar.gz` files with SHA-256 digests so Concelier mirrors can expose domain-scoped download endpoints.
 
 ### 7.3 Hand‑off to Signer/Attestor (optional)
 
@@ -286,6 +315,10 @@ GET  /jobs/{id}                            → job status
 POST /exports/json   { full?:bool, force?:bool, attest?:bool } → { exportId, digest, rekor? }
 POST /exports/trivy  { full?:bool, force?:bool, publish?:bool, attest?:bool } → { exportId, digest, rekor? }
 GET  /exports/{id}   → export metadata (kind, digest, createdAt, rekor?)
+GET  /concelier/exports/index.json        → mirror index describing available domains/bundles
+GET  /concelier/exports/mirror/{domain}/manifest.json
+GET  /concelier/exports/mirror/{domain}/bundle.json
+GET  /concelier/exports/mirror/{domain}/bundle.json.jws
 ```
 
 **Search (operator debugging)**

docs/ARCHITECTURE_DEVOPS.md

@@ -86,6 +86,7 @@ At startup, services **self‑advertise** their semver & channel; the UI surface
 
 * **Primary**: `registry.stella-ops.org` (OCI v2, supports Referrers API).
 * **Mirrors**: GHCR (read‑only), regional mirrors for latency.
+  * Operational runbook: see `docs/ops/concelier-mirror-operations.md` for deployment profiles, CDN guidance, and sync automation.
 * **Pull by digest only** in Kubernetes/Compose manifests.
 
 **Gating policy**:
@@ -335,7 +336,8 @@ Prometheus + OTLP; Grafana dashboards ship in the charts.
 
 * **Vulnerability response**:
 
-  * Concelier red‑flag advisories trigger accelerated **stable** patch rollout; UI/CLI “security patch available” notice.
+  * Concelier red-flag advisories trigger accelerated **stable** patch rollout; UI/CLI “security patch available” notice.
+  * 2025-10: Pinned `MongoDB.Driver` **3.5.0** and `SharpCompress` **0.41.0** across services (DEVOPS-SEC-10-301) to eliminate NU1902/NU1903 warnings surfaced during scanner cache/worker test runs; future dependency bumps follow the same central override pattern.
 
 * **Backups/DR**:
 

docs/ARCHITECTURE_EXCITITOR.md

@@ -482,7 +482,13 @@ Run the ingestion endpoint once after applying migration `20251019-consensus-sig
 
 ---
 
-## 17) Appendix — canonical JSON (stable ordering)
+## 17) Operational runbooks
+
+* **Statement backfill** — see `docs/dev/EXCITITOR_STATEMENT_BACKFILL.md` for the CLI workflow, required permissions, observability guidance, and rollback steps.
+
+---
+
+## 18) Appendix — canonical JSON (stable ordering)
 
 All exports and consensus entries are serialized via `VexCanonicalJsonSerializer`:
 

docs/ARCHITECTURE_NOTIFY.md

@@ -37,6 +37,8 @@ src/
 **Dependencies**: Authority (OpToks; DPoP/mTLS), MongoDB, Redis/NATS (bus), HTTP egress to Slack/Teams/Webhooks, SMTP relay for Email.
 
 > **Configuration.** Notify.WebService bootstraps from `notify.yaml` (see `etc/notify.yaml.sample`). Use `storage.driver: mongo` with a production connection string; the optional `memory` driver exists only for tests. Authority settings follow the platform defaults—when running locally without Authority, set `authority.enabled: false` and supply `developmentSigningKey` so JWTs can be validated offline.
+>
+> `api.rateLimits` exposes token-bucket controls for delivery history queries and test-send previews (`deliveryHistory`, `testSend`). Default values allow generous browsing while preventing accidental bursts; operators can relax/tighten the buckets per deployment.
 
 > **Plug-ins.** All channel connectors are packaged under `<baseDirectory>/plugins/notify`. The ordered load list must start with Slack/Teams before Email/Webhook so chat-first actions are registered deterministically for Offline Kit bundles:
 >
@@ -204,6 +206,8 @@ public interface INotifyConnector {
 
 **DeliveryContext** includes **rendered content** and **raw event** for audit.
 
+**Test-send previews.** Plug-ins can optionally implement `INotifyChannelTestProvider` to shape `/channels/{id}/test` responses. Providers receive a sanitised `ChannelTestPreviewContext` (channel, tenant, target, timestamp, trace) and return a `NotifyDeliveryRendered` preview + metadata. When no provider is present, the host falls back to a generic preview so the endpoint always responds.
+
 **Secrets**: `ChannelConfig.secretRef` points to Authority‑managed secret handle or K8s Secret path; workers load at send-time; plug-in manifests (`notify-plugin.json`) declare capabilities and version.
 
 ---
@@ -294,7 +298,7 @@ Internal tooling can hit `/internal/notify/<entity>/normalize` to upgrade legacy
 * **Channels**
 
   * `POST /channels` | `GET /channels` | `GET /channels/{id}` | `PATCH /channels/{id}` | `DELETE /channels/{id}`
-  * `POST /channels/{id}/test` → send sample message (no rule evaluation)
+  * `POST /channels/{id}/test` → send sample message (no rule evaluation); returns `202 Accepted` with rendered preview + metadata (base keys: `channelType`, `target`, `previewProvider`, `traceId` + connector-specific entries); governed by `api.rateLimits:testSend`.
   * `GET /channels/{id}/health` → connector self‑check
 
 * **Rules**
@@ -305,7 +309,7 @@ Internal tooling can hit `/internal/notify/<entity>/normalize` to upgrade legacy
 * **Deliveries**
 
   * `POST /deliveries` → ingest worker delivery state (idempotent via `deliveryId`).
-  * `GET /deliveries?since=...&status=...&limit=...` → list (most recent first)
+  * `GET /deliveries?since=...&status=...&limit=...` → list envelope `{ items, count, continuationToken }` (most recent first); base metadata keys match the test-send response (`channelType`, `target`, `previewProvider`, `traceId`); rate-limited via `api.rateLimits.deliveryHistory`. See `docs/notify/samples/notify-delivery-list-response.sample.json`.
   * `GET /deliveries/{id}` → detail (redacted body + metadata)
   * `POST /deliveries/{id}/retry` → force retry (admin, future sprint)
 

docs/ARCHITECTURE_UI.md

@@ -166,6 +166,28 @@ export interface VexConsensus {
 }
 ```
 
+*Upcoming:* `NotifyApi` consumes delivery history using the new paginated envelope returned by `/api/v1/notify/deliveries`.
+
+```ts
+export interface NotifyDeliveryListResponse {
+  items: NotifyDelivery[];
+  count: number;
+  continuationToken?: string;
+}
+
+export interface NotifyDelivery {
+  deliveryId: string;
+  ruleId: string;
+  actionId: string;
+  status: 'pending'|'sent'|'failed'|'throttled'|'digested'|'dropped';
+  rendered: NotifyDeliveryRendered;
+  metadata: Record<string, string>; // includes channelType, target, previewProvider, traceId, and provider-specific entries
+  createdAt: string;
+  sentAt?: string;
+  completedAt?: string;
+}
+```
+
 ---
 
 ## 6) State, caching & real‑time

docs/README.md

@@ -73,15 +73,16 @@ Everything here is open‑source and versioned — when you check out a git ta
 - **22 – [CI/CD Recipes Library](ci/20_CI_RECIPES.md)**
 - **23 – [FAQ](23_FAQ_MATRIX.md)**
 - **24 – [Offline Update Kit Admin Guide](24_OFFLINE_KIT.md)**
-- **25 – [Concelier Apple Connector Operations](ops/concelier-apple-operations.md)**
-- **26 – [Authority Key Rotation Playbook](ops/authority-key-rotation.md)**
-- **27 – [Concelier CCCS Connector Operations](ops/concelier-cccs-operations.md)**
-- **28 – [Concelier CISA ICS Connector Operations](ops/concelier-icscisa-operations.md)**
-- **29 – [Concelier CERT-Bund Connector Operations](ops/concelier-certbund-operations.md)**
-- **30 – [Concelier MSRC Connector – AAD Onboarding](ops/concelier-msrc-operations.md)**
+- **25 – [Mirror Operations Runbook](ops/concelier-mirror-operations.md)**
+- **26 – [Concelier Apple Connector Operations](ops/concelier-apple-operations.md)**
+- **27 – [Authority Key Rotation Playbook](ops/authority-key-rotation.md)**
+- **28 – [Concelier CCCS Connector Operations](ops/concelier-cccs-operations.md)**
+- **29 – [Concelier CISA ICS Connector Operations](ops/concelier-icscisa-operations.md)**
+- **30 – [Concelier CERT-Bund Connector Operations](ops/concelier-certbund-operations.md)**
+- **31 – [Concelier MSRC Connector – AAD Onboarding](ops/concelier-msrc-operations.md)**
 
 ### Legal & licence
-- **31 – [Legal & Quota FAQ](29_LEGAL_FAQ_QUOTA.md)**
+- **32 – [Legal & Quota FAQ](29_LEGAL_FAQ_QUOTA.md)**
 
 </details>
 

docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md

@@ -13,7 +13,7 @@ Authority plug-ins extend the **StellaOps Authority** service with custom identi
 Authority hosts follow a deterministic plug-in lifecycle. The exported diagram (`docs/assets/authority/authority-plugin-lifecycle.svg`) mirrors the steps below; regenerate it from the Mermaid source if you update the flow.
 
 1. **Configuration load** – `AuthorityPluginConfigurationLoader` resolves YAML manifests under `etc/authority.plugins/`.
-2. **Assembly discovery** – the shared `PluginHost` scans `PluginBinaries/Authority` for `StellaOps.Authority.Plugin.*.dll` assemblies.
+2. **Assembly discovery** – the shared `PluginHost` scans `StellaOps.Authority.PluginBinaries` for `StellaOps.Authority.Plugin.*.dll` assemblies.
 3. **Registrar execution** – each assembly is searched for `IAuthorityPluginRegistrar` implementations. Registrars bind options, register services, and optionally queue bootstrap tasks.
 4. **Runtime** – the host resolves `IIdentityProviderPlugin` instances, uses capability metadata to decide which OAuth grants to expose, and invokes health checks for readiness endpoints.
 
@@ -177,7 +177,7 @@ _Source:_ `docs/assets/authority/authority-rate-limit-flow.mmd`
 ## 10. Testing & Tooling
 - Unit tests: use Mongo2Go (or similar) to exercise credential stores without hitting production infrastructure (`StandardUserCredentialStoreTests` is a template).
 - Determinism: fix timestamps to UTC and sort outputs consistently; avoid random GUIDs unless stable.
-- Smoke tests: launch `dotnet run --project src/StellaOps.Authority/StellaOps.Authority` with your plug-in under `PluginBinaries/Authority` and verify `/ready`.
+- Smoke tests: launch `dotnet run --project src/StellaOps.Authority/StellaOps.Authority` with your plug-in under `StellaOps.Authority.PluginBinaries` and verify `/ready`.
 - Example verification snippet:
   ```csharp
   [Fact]
@@ -195,7 +195,7 @@ _Source:_ `docs/assets/authority/authority-rate-limit-flow.mmd`
 
 ## 11. Packaging & Delivery
 - Output assembly should follow `StellaOps.Authority.Plugin.<Name>.dll` so the host’s search pattern picks it up.
-- Place the compiled DLL plus dependencies under `PluginBinaries/Authority` for offline deployments; include hashes/signatures in release notes (Security Guild guidance forthcoming).
+- Place the compiled DLL plus dependencies under `StellaOps.Authority.PluginBinaries` for offline deployments; include hashes/signatures in release notes (Security Guild guidance forthcoming).
 - Document any external prerequisites (e.g., CA cert bundle) in your plug-in README.
 - Update `etc/authority.plugins/<plugin>.yaml` samples and include deterministic SHA256 hashes for optional bootstrap payloads when distributing Offline Kit artefacts.
 

docs/dev/EXCITITOR_STATEMENT_BACKFILL.md

@@ -0,0 +1,86 @@
+# Excititor Statement Backfill Runbook
+
+Last updated: 2025-10-19
+
+## Overview
+
+Use this runbook when you need to rebuild the `vex.statements` collection from historical raw documents. Typical scenarios:
+
+- Upgrading the statement schema (e.g., adding severity/KEV/EPSS signals).
+- Recovering from a partial ingest outage where statements were never persisted.
+- Seeding a freshly provisioned Excititor deployment from an existing raw archive.
+
+Backfill operates server-side via the Excititor WebService and reuses the same pipeline that powers the `/excititor/statements` ingestion endpoint. Each raw document is normalized, signed metadata is preserved, and duplicate statements are skipped unless the run is forced.
+
+## Prerequisites
+
+1. **Connectivity to Excititor WebService** – the CLI uses the backend URL configured in `stellaops.yml` or the `--backend-url` argument.
+2. **Authority credentials** – the CLI honours the existing Authority client configuration; ensure the caller has permission to invoke admin endpoints.
+3. **Mongo replica set** (recommended) – causal consistency guarantees rely on majority read/write concerns. Standalone deployment works but skips cross-document transactions.
+
+## CLI command
+
+```
+stellaops excititor backfill-statements \
+  [--retrieved-since <ISO8601>] \
+  [--force] \
+  [--batch-size <int>] \
+  [--max-documents <int>]
+```
+
+| Option | Description |
+| ------ | ----------- |
+| `--retrieved-since` | Only process raw documents fetched on or after the specified timestamp (UTC by default). |
+| `--force` | Reprocess documents even if matching statements already exist (useful after schema upgrades). |
+| `--batch-size` | Number of raw documents pulled per batch (default `100`). |
+| `--max-documents` | Optional hard limit on the number of raw documents to evaluate. |
+
+Example – replay the last 48 hours of Red Hat ingest while keeping existing statements:
+
+```
+stellaops excititor backfill-statements \
+  --retrieved-since "$(date -u -d '48 hours ago' +%Y-%m-%dT%H:%M:%SZ)"
+```
+
+Example – full replay with forced overwrites, capped at 2,000 documents:
+
+```
+stellaops excititor backfill-statements --force --max-documents 2000
+```
+
+The command returns a summary similar to:
+
+```
+Backfill completed: evaluated 450, backfilled 180, claims written 320, skipped 270, failures 0.
+```
+
+## Behaviour
+
+- Raw documents are streamed in ascending `retrievedAt` order.
+- Each document is normalized using the registered VEX normalizers (CSAF, CycloneDX, OpenVEX).
+- Statements are appended through the same `IVexClaimStore.AppendAsync` path that powers `/excititor/statements`.
+- Duplicate detection compares `Document.Digest`; duplicates are skipped unless `--force` is specified.
+- Failures are logged with the offending digest and continue with the next document.
+
+## Observability
+
+- CLI logs aggregate counts and the backend logs per-digest warnings or errors.
+- Mongo writes carry majority write concern; expect backfill throughput to match ingest baselines (≈5 seconds warm, 30 seconds cold).
+- Monitor the `excititor.storage.backfill` log scope for detailed telemetry.
+
+## Post-run verification
+
+1. Inspect the `vex.statements` collection for the targeted window (check `InsertedAt`).
+2. Re-run the Excititor storage test suite if possible:
+   ```
+   dotnet test src/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj
+   ```
+3. Optionally, call `/excititor/statements/{vulnerabilityId}/{productKey}` to confirm the expected statements exist.
+
+## Rollback
+
+If a forced run produced incorrect statements, use the standard Mongo rollback procedure:
+
+1. Identify the `InsertedAt` window for the backfill run.
+2. Delete affected records from `vex.statements` (and any downstream exports if applicable).
+3. Rerun the backfill command with corrected parameters.

docs/dev/authority-dpop-mtls-plan.md

@@ -11,6 +11,8 @@
 - Operator-facing configuration, auditing, and observability.
 - Out of scope: PoE enforcement (Signer) and CLI/UI client UX; those teams consume the new capabilities.
 
+> **Status update (2025-10-19):** `ValidateDpopProofHandler`, `AuthorityClientCertificateValidator`, and the supporting storage/audit plumbing now live in `src/StellaOps.Authority`. DPoP proofs populate `cnf.jkt`, mTLS bindings enforce certificate thumbprints via `cnf.x5t#S256`, and token documents persist the sender constraint metadata. In-memory nonce issuance is wired (Redis implementation to follow). Documentation and configuration references were updated (`docs/11_AUTHORITY.md`). Targeted unit/integration tests were added; running the broader test suite is currently blocked by pre-existing `StellaOps.Concelier.Storage.Mongo` build errors.
+
 ## Design Summary
 - Extract the existing Scanner `DpopProofValidator` stack into a shared `StellaOps.Auth.Security` library used by Authority and resource servers.
 - Extend Authority configuration (`authority.yaml`) with strongly-typed `senderConstraints.dpop` and `senderConstraints.mtls` sections (map to sample already shown in architecture doc).

docs/dev/authority-plugin-di-coordination.md

@@ -0,0 +1,52 @@
+# Authority Plug-in Scoped Service Coordination
+
+> Created: 2025-10-19 — Plugin Platform Guild & Authority Core  
+> Status: Scheduled (session confirmed for 2025-10-20 15:00–16:00 UTC)
+
+This document tracks preparation, agenda, and outcomes for the scoped-service workshop required before implementing PLUGIN-DI-08-002.
+
+## Objectives
+
+- Inventory Authority plug-in surfaces that need scoped service lifetimes.
+- Confirm session/scope handling for identity-provider registrars and background jobs.
+- Assign follow-up tasks/actions with owners and due dates.
+
+## Scheduling Snapshot
+
+- **Meeting time:** 2025-10-20 15:00–16:00 UTC (10:00–11:00 CDT / 08:00–09:00 PDT).
+- **Facilitator:** Plugin Platform Guild — Alicia Rivera.
+- **Attendees (confirmed):** Authority Core — Jasmin Patel; Authority Security Guild — Mohan Singh; Plugin Platform — Alicia Rivera, Leah Chen.
+- **Optional invitees:** DevOps liaison — Sofia Ortega (accepted).
+- **Logistics:** Invites sent via shared calendar on 2025-10-19 15:30 UTC with Teams bridge + offline dial-in. Meeting notes will be captured here.
+- **Preparation deadline:** 2025-10-20 12:00 UTC — complete checklist below.
+
+## Pre-work Checklist
+
+- Review `ServiceBindingAttribute` contract introduced by PLUGIN-DI-08-001.
+- Collect existing Authority plug-in registration code paths to evaluate.
+- Audit background jobs that assume singleton lifetimes.
+- Identify plug-in health checks/telemetry surfaces impacted by scoped lifetimes.
+
+### Pre-work References
+
+- _Add links, file paths, or notes here prior to the session._
+
+## Draft Agenda
+
+1. Context recap (5 min) — why scoped DI is needed; summary of PLUGIN-DI-08-001 changes.
+2. Authority plug-in surfaces (15 min) — registrars, background services, telemetry.
+3. Session handling strategy (10 min) — scope creation semantics, cancellation propagation.
+4. Action items & owners (10 min) — capture code/docs/test tasks with due dates.
+5. Risks & follow-ups (5 min) — dependencies, rollout sequencing.
+
+## Notes
+
+- _Pending coordination session; populate afterwards._
+
+## Action Item Log
+
+| Item | Owner | Due | Status | Notes |
+|------|-------|-----|--------|-------|
+| Confirm meeting time | Alicia Rivera | 2025-10-19 15:30 UTC | DONE | Calendar invite sent; all required attendees accepted |
+| Compile Authority plug-in DI entry points | Jasmin Patel | 2025-10-20 | IN PROGRESS | Gather current Authority plug-in registrars, background jobs, and helper factories that assume singleton lifetimes; add the list with file paths to **Pre-work References** in this document before 2025-10-20 12:00 UTC. |
+| Outline scoped-session pattern for background jobs | Leah Chen | Post-session | BLOCKED | Requires meeting outcomes |

docs/dev/normalized_versions_rollout.md

@@ -19,19 +19,19 @@ This dashboard tracks connector readiness for emitting `AffectedPackage.Normaliz
 | Connector | Owner team | Normalized versions status | Last update | Next action / link |
 |-----------|------------|---------------------------|-------------|--------------------|
 | Acsc | BE-Conn-ACSC | ❌ Not started – mapper pending | 2025-10-11 | Design DTOs + mapper with normalized rule array; see `src/StellaOps.Concelier.Connector.Acsc/TASKS.md`. |
-| Cccs | BE-Conn-CCCS | ❌ Not started – mapper pending | 2025-10-11 | Add normalized SemVer array in canonical mapper; coordinate fixtures per `TASKS.md`. |
-| CertBund | BE-Conn-CERTBUND | ✅ Canonical mapper emitting vendor ranges | 2025-10-14 | Normalized vendor range payloads landed alongside telemetry/docs updates; see `src/StellaOps.Concelier.Connector.CertBund/TASKS.md`. |
+| Cccs | BE-Conn-CCCS | ⚠️ Scheduled – helper ready, implementation due 2025-10-21 | 2025-10-19 | Apply Merge-provided trailing-version helper to emit `NormalizedVersions`; update mapper/tests per `src/StellaOps.Concelier.Connector.Cccs/TASKS.md`. |
+| CertBund | BE-Conn-CERTBUND | ⚠️ Follow-up – translate `versions` strings to normalized rules | 2025-10-19 | Build `bis`/`alle` translator + fixtures before 2025-10-22 per `src/StellaOps.Concelier.Connector.CertBund/TASKS.md`. |
 | CertCc | BE-Conn-CERTCC | ⚠️ In progress – fetch pipeline DOING | 2025-10-11 | Implement VINCE mapper with SemVer/NEVRA rules; unblock snapshot regeneration; `src/StellaOps.Concelier.Connector.CertCc/TASKS.md`. |
 | Kev | BE-Conn-KEV | ✅ Normalized catalog/due-date rules verified | 2025-10-12 | Fixtures reconfirmed via `dotnet test src/StellaOps.Concelier.Connector.Kev.Tests`; `src/StellaOps.Concelier.Connector.Kev/TASKS.md`. |
 | Cve | BE-Conn-CVE | ✅ Normalized SemVer rules verified | 2025-10-12 | Snapshot parity green (`dotnet test src/StellaOps.Concelier.Connector.Cve.Tests`); `src/StellaOps.Concelier.Connector.Cve/TASKS.md`. |
 | Ghsa | BE-Conn-GHSA | ⚠️ DOING – normalized rollout task active | 2025-10-11 18:45 UTC | Wire `SemVerRangeRuleBuilder` + refresh fixtures; `src/StellaOps.Concelier.Connector.Ghsa/TASKS.md`. |
 | Osv | BE-Conn-OSV | ✅ SemVer mapper & parity fixtures verified | 2025-10-12 | GHSA parity regression passing (`dotnet test src/StellaOps.Concelier.Connector.Osv.Tests`); `src/StellaOps.Concelier.Connector.Osv/TASKS.md`. |
-| Ics.Cisa | BE-Conn-ICS-CISA | ❌ Not started – mapper TODO | 2025-10-11 | Plan SemVer/firmware scheme selection; `src/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md`. |
-| Kisa | BE-Conn-KISA | ✅ Landed 2025-10-14 (mapper + telemetry) | 2025-10-11 | Hangul-aware mapper emits normalized rules; see `docs/dev/kisa_connector_notes.md` for localisation/metric details. |
+| Ics.Cisa | BE-Conn-ICS-CISA | ⚠️ Decision pending – normalize SemVer exacts or escalate scheme | 2025-10-19 | Promote `SemVerPrimitive` outputs into `NormalizedVersions` or file Models ticket by 2025-10-23 (`src/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md`). |
+| Kisa | BE-Conn-KISA | ⚠️ Proposal required – firmware scheme due 2025-10-24 | 2025-10-19 | Draft `kisa.build` (or equivalent) scheme with Models, then emit normalized rules; track in `src/StellaOps.Concelier.Connector.Kisa/TASKS.md`. |
 | Ru.Bdu | BE-Conn-BDU | ✅ Raw scheme emitted | 2025-10-14 | Mapper now writes `ru-bdu.raw` normalized rules with provenance + telemetry; `src/StellaOps.Concelier.Connector.Ru.Bdu/TASKS.md`. |
 | Ru.Nkcki | BE-Conn-Nkcki | ❌ Not started – mapper TODO | 2025-10-11 | Similar to BDU; ensure Cyrillic provenance preserved; `src/StellaOps.Concelier.Connector.Ru.Nkcki/TASKS.md`. |
 | Vndr.Apple | BE-Conn-Apple | ✅ Shipped – emitting normalized arrays | 2025-10-11 | Continue fixture/tooling work; `src/StellaOps.Concelier.Connector.Vndr.Apple/TASKS.md`. |
-| Vndr.Cisco | BE-Conn-Cisco | ✅ SemVer + vendor extensions emitted | 2025-10-14 | Connector outputs SemVer primitives with `cisco.productId` notes; see `CiscoMapper` and fixtures for coverage. |
+| Vndr.Cisco | BE-Conn-Cisco | ⚠️ Scheduled – normalized rule emission due 2025-10-21 | 2025-10-19 | Use Merge helper to persist `NormalizedVersions` alongside SemVer primitives; see `src/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md`. |
 | Vndr.Msrc | BE-Conn-MSRC | ✅ Map + normalized build rules landed | 2025-10-15 | `MsrcMapper` emits `msrc.build` normalized rules with CVRF references; see `src/StellaOps.Concelier.Connector.Vndr.Msrc/TASKS.md`. |
 | Nvd | BE-Conn-NVD | ⚠️ Needs follow-up – mapper complete but normalized array MR pending | 2025-10-11 | Align CVE notes + normalized payload flag; `src/StellaOps.Concelier.Connector.Nvd/TASKS.md`. |
 

docs/notify/samples/notify-delivery-list-response.sample.json

@@ -0,0 +1,46 @@
+{
+  "items": [
+    {
+      "deliveryId": "delivery-7f3b6c51",
+      "tenantId": "tenant-acme",
+      "ruleId": "rule-critical-slack",
+      "actionId": "slack-secops",
+      "eventId": "4f6e9c09-01b4-4c2a-8a57-3d06de182d74",
+      "kind": "scanner.report.ready",
+      "status": "Sent",
+      "statusReason": null,
+      "rendered": {
+        "channelType": "Slack",
+        "format": "Slack",
+        "target": "#sec-alerts",
+        "title": "Critical findings detected",
+        "body": "{\"text\":\"Critical findings detected\",\"blocks\":[{\"type\":\"section\",\"text\":{\"type\":\"mrkdwn\",\"text\":\"*Critical findings detected*\\n1 new critical finding across 2 images.\"}},{\"type\":\"context\",\"elements\":[{\"type\":\"mrkdwn\",\"text\":\"Preview generated 2025-10-19T16:23:41.889Z · Trace `trace-58c212`\"}]}]}",
+        "summary": "1 new critical finding across 2 images.",
+        "textBody": "1 new critical finding across 2 images.\nTrace: trace-58c212",
+        "locale": "en-us",
+        "bodyHash": "febf9b2a630d862b07f4390edfbf31f5e8b836529f5232c491f4b3f6dba4a4b2",
+        "attachments": []
+      },
+      "attempts": [
+        {
+          "timestamp": "2025-10-19T16:23:42.112Z",
+          "status": "Succeeded",
+          "statusCode": 200,
+          "reason": null
+        }
+      ],
+      "metadata": {
+        "channelType": "slack",
+        "target": "#sec-alerts",
+        "previewProvider": "fallback",
+        "traceId": "trace-58c212",
+        "slack.channel": "#sec-alerts"
+      },
+      "createdAt": "2025-10-19T16:23:41.889Z",
+      "sentAt": "2025-10-19T16:23:42.101Z",
+      "completedAt": "2025-10-19T16:23:42.112Z"
+    }
+  ],
+  "count": 1,
+  "continuationToken": "2025-10-19T16:23:41.889Z|tenant-acme:delivery-7f3b6c51"
+}

docs/ops/concelier-mirror-operations.md

@@ -0,0 +1,196 @@
+# Concelier & Excititor Mirror Operations
+
+This runbook describes how Stella Ops operates the managed mirrors under `*.stella-ops.org`.
+It covers Docker Compose and Helm deployment overlays, secret handling for multi-tenant
+authn, CDN fronting, and the recurring sync pipeline that keeps mirror bundles current.
+
+## 1. Prerequisites
+
+- **Authority access** – client credentials (`client_id` + secret) authorised for
+  `concelier.mirror.read` and `excititor.mirror.read` scopes. Secrets live outside git.
+- **Signed TLS certificates** – wildcard or per-domain (`mirror-primary`, `mirror-community`).
+  Store them under `deploy/compose/mirror-gateway/tls/` or in Kubernetes secrets.
+- **Mirror gateway credentials** – Basic Auth htpasswd files per domain. Generate with
+  `htpasswd -B`. Operators distribute credentials to downstream consumers.
+- **Export artifact source** – read access to the canonical S3 buckets (or rsync share)
+  that hold `concelier` JSON bundles and `excititor` VEX exports.
+- **Persistent volumes** – storage for Concelier job metadata and mirror export trees.
+  For Helm, provision PVCs (`concelier-mirror-jobs`, `concelier-mirror-exports`,
+  `excititor-mirror-exports`, `mirror-mongo-data`, `mirror-minio-data`) before rollout.
+
+## 2. Secret & certificate layout
+
+### Docker Compose (`deploy/compose/docker-compose.mirror.yaml`)
+
+- `deploy/compose/env/mirror.env.example` – copy to `.env` and adjust quotas or domain IDs.
+- `deploy/compose/mirror-secrets/` – mount read-only into `/run/secrets`. Place:
+  - `concelier-authority-client` – Authority client secret.
+  - `excititor-authority-client` (optional) – reserve for future authn.
+- `deploy/compose/mirror-gateway/tls/` – PEM-encoded cert/key pairs:
+  - `mirror-primary.crt`, `mirror-primary.key`
+  - `mirror-community.crt`, `mirror-community.key`
+- `deploy/compose/mirror-gateway/secrets/` – htpasswd files:
+  - `mirror-primary.htpasswd`
+  - `mirror-community.htpasswd`
+
+### Helm (`deploy/helm/stellaops/values-mirror.yaml`)
+
+Create secrets in the target namespace:
+
+```bash
+kubectl create secret generic concelier-mirror-auth \
+  --from-file=concelier-authority-client=concelier-authority-client
+
+kubectl create secret generic excititor-mirror-auth \
+  --from-file=excititor-authority-client=excititor-authority-client
+
+kubectl create secret tls mirror-gateway-tls \
+  --cert=mirror-primary.crt --key=mirror-primary.key
+
+kubectl create secret generic mirror-gateway-htpasswd \
+  --from-file=mirror-primary.htpasswd --from-file=mirror-community.htpasswd
+```
+
+> Keep Basic Auth lists short-lived (rotate quarterly) and document credential recipients.
+
+## 3. Deployment
+
+### 3.1 Docker Compose (edge mirrors, lab validation)
+
+1. `cp deploy/compose/env/mirror.env.example deploy/compose/env/mirror.env`
+2. Populate secrets/tls directories as described above.
+3. Sync mirror bundles (see §4) into `deploy/compose/mirror-data/…` and ensure they are mounted
+   on the host path backing the `concelier-exports` and `excititor-exports` volumes.
+4. Run the profile validator: `deploy/tools/validate-profiles.sh`.
+5. Launch: `docker compose --env-file env/mirror.env -f docker-compose.mirror.yaml up -d`.
+
+### 3.2 Helm (production mirrors)
+
+1. Provision PVCs sized for mirror bundles (baseline: 20 GiB per domain).
+2. Create secrets/tls config maps (§2).
+3. `helm upgrade --install mirror deploy/helm/stellaops -f deploy/helm/stellaops/values-mirror.yaml`.
+4. Annotate the `stellaops-mirror-gateway` service with ingress/LoadBalancer metadata required by
+   your CDN (e.g., AWS load balancer scheme internal + NLB idle timeout).
+
+## 4. Artifact sync workflow
+
+Mirrors never generate exports—they ingest signed bundles produced by the Concelier and Excititor
+export jobs. Recommended sync pattern:
+
+### 4.1 Compose host (systemd timer)
+
+`/usr/local/bin/mirror-sync.sh`:
+
+```bash
+#!/usr/bin/env bash
+set -euo pipefail
+export AWS_ACCESS_KEY_ID=…
+export AWS_SECRET_ACCESS_KEY=…
+
+aws s3 sync s3://mirror-stellaops/concelier/latest \
+  /opt/stellaops/mirror-data/concelier --delete --size-only
+
+aws s3 sync s3://mirror-stellaops/excititor/latest \
+  /opt/stellaops/mirror-data/excititor --delete --size-only
+```
+
+Schedule with a systemd timer every 5 minutes. The Compose volumes mount `/opt/stellaops/mirror-data/*`
+into the containers read-only, matching `CONCELIER__MIRROR__EXPORTROOT=/exports/json` and
+`EXCITITOR__ARTIFACTS__FILESYSTEM__ROOT=/exports`.
+
+### 4.2 Kubernetes (CronJob)
+
+Create a CronJob running the AWS CLI (or rclone) in the same namespace, writing into the PVCs:
+
+```yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: mirror-sync
+spec:
+  schedule: "*/5 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: sync
+            image: public.ecr.aws/aws-cli/aws-cli@sha256:5df5f52c29f5e3ba46d0ad9e0e3afc98701c4a0f879400b4c5f80d943b5fadea
+            command:
+              - /bin/sh
+              - -c
+              - >
+                aws s3 sync s3://mirror-stellaops/concelier/latest /exports/concelier --delete --size-only &&
+                aws s3 sync s3://mirror-stellaops/excititor/latest /exports/excititor --delete --size-only
+            volumeMounts:
+              - name: concelier-exports
+                mountPath: /exports/concelier
+              - name: excititor-exports
+                mountPath: /exports/excititor
+            envFrom:
+              - secretRef:
+                  name: mirror-sync-aws
+          restartPolicy: OnFailure
+          volumes:
+            - name: concelier-exports
+              persistentVolumeClaim:
+                claimName: concelier-mirror-exports
+            - name: excititor-exports
+              persistentVolumeClaim:
+                claimName: excititor-mirror-exports
+```
+
+## 5. CDN integration
+
+1. Point the CDN origin at the mirror gateway (Compose host or Kubernetes LoadBalancer).
+2. Honour the response headers emitted by the gateway and Concelier/Excititor:
+   `Cache-Control: public, max-age=300, immutable` for mirror payloads.
+3. Configure origin shields in the CDN to prevent cache stampedes. Recommended TTLs:
+   - Index (`/concelier/exports/index.json`, `/excititor/mirror/*/index`) → 60 s.
+   - Bundle/manifest payloads → 300 s.
+4. Forward the `Authorization` header—Basic Auth terminates at the gateway.
+5. Enforce per-domain rate limits at the CDN (matching gateway budgets) and enable logging
+   to SIEM for anomaly detection.
+
+## 6. Smoke tests
+
+After each deployment or sync cycle:
+
+```bash
+# Index with Basic Auth
+curl -u $PRIMARY_CREDS https://mirror-primary.stella-ops.org/concelier/exports/index.json | jq 'keys'
+
+# Mirror manifest signature
+curl -u $PRIMARY_CREDS -I https://mirror-primary.stella-ops.org/concelier/exports/mirror/primary/manifest.json
+
+# Excititor consensus bundle metadata
+curl -u $COMMUNITY_CREDS https://mirror-community.stella-ops.org/excititor/mirror/community/index \
+  | jq '.exports[].exportKey'
+
+# Signed bundle + detached JWS (spot check digests)
+curl -u $PRIMARY_CREDS https://mirror-primary.stella-ops.org/concelier/exports/mirror/primary/bundle.json.jws \
+  -o bundle.json.jws
+cosign verify-blob --signature bundle.json.jws --key mirror-key.pub bundle.json
+```
+
+Watch the gateway metrics (`nginx_vts` or access logs) for cache hits. In Kubernetes, `kubectl logs deploy/stellaops-mirror-gateway`
+should show `X-Cache-Status: HIT/MISS`.
+
+## 7. Maintenance & rotation
+
+- **Bundle freshness** – alert if sync job lag exceeds 15 minutes or if `concelier` logs
+  `Mirror export root is not configured`.
+- **Secret rotation** – change Authority client secrets and Basic Auth credentials quarterly.
+  Update the mounted secrets and restart deployments (`docker compose restart concelier` or
+  `kubectl rollout restart deploy/stellaops-concelier`).
+- **TLS renewal** – reissue certificates, place new files, and reload gateway (`docker compose exec mirror-gateway nginx -s reload`).
+- **Quota tuning** – adjust per-domain `MAXDOWNLOADREQUESTSPERHOUR` in `.env` or values file.
+  Align CDN rate limits and inform downstreams.
+
+## 8. References
+
+- Deployment profiles: `deploy/compose/docker-compose.mirror.yaml`,
+  `deploy/helm/stellaops/values-mirror.yaml`
+- Mirror architecture dossiers: `docs/ARCHITECTURE_CONCELIER.md`,
+  `docs/ARCHITECTURE_EXCITITOR_MIRRORS.md`
+- Export bundling: `docs/ARCHITECTURE_DEVOPS.md` §3, `docs/ARCHITECTURE_EXCITITOR.md` §7

etc/authority.yaml.sample

@@ -52,7 +52,7 @@ bootstrap:
 # against the application content root, enabling air-gapped deployments
 # that package plug-ins alongside binaries.
 pluginDirectories:
-  - "../PluginBinaries/Authority"
+  - "../StellaOps.Authority.PluginBinaries"
   # "/var/lib/stellaops/authority/plugins"
 
 # Plug-in manifests live in descriptors below; per-plugin settings are stored
@@ -73,7 +73,7 @@ plugins:
       metadata:
         defaultRole: "operators"
     # Example for an external identity provider plugin. Leave disabled unless
-    # the plug-in package exists under PluginBinaries/Authority.
+    # the plug-in package exists under StellaOps.Authority.PluginBinaries.
     ldap:
       type: "ldap"
       assemblyName: "StellaOps.Authority.Plugin.Ldap"

etc/concelier.yaml.sample

@@ -15,7 +15,7 @@ storage:
 plugins:
   # Concelier resolves plug-ins relative to the content root; override as needed.
   baseDirectory: ".."
-  directory: "PluginBinaries"
+  directory: "StellaOps.Concelier.PluginBinaries"
   searchPatterns:
     - "StellaOps.Concelier.Plugin.*.dll"
 
@@ -74,6 +74,22 @@ authority:
     - "127.0.0.1/32"
     - "::1/128"
 
+mirror:
+  enabled: false
+  # Directory containing JSON exporter outputs (absolute or relative to content root).
+  exportRoot: "exports/json"
+  # Optional explicit export identifier; defaults to `latest` symlink or most recent export.
+  activeExportId: ""
+  latestDirectoryName: "latest"
+  mirrorDirectoryName: "mirror"
+  requireAuthentication: false
+  maxIndexRequestsPerHour: 600
+  domains:
+    - id: "primary"
+      displayName: "Primary Mirror"
+      requireAuthentication: false
+      maxDownloadRequestsPerHour: 1200
+
 sources:
   ghsa:
     apiToken: "${GITHUB_PAT}"

etc/notify.yaml.sample

@@ -24,6 +24,19 @@ api:
   basePath: "/api/v1/notify"
   internalBasePath: "/internal/notify"
   tenantHeader: "X-StellaOps-Tenant"
+  rateLimits:
+    deliveryHistory:
+      enabled: true
+      tokenLimit: 60
+      tokensPerPeriod: 30
+      replenishmentPeriodSeconds: 60
+      queueLimit: 20
+    testSend:
+      enabled: true
+      tokenLimit: 5
+      tokensPerPeriod: 5
+      replenishmentPeriodSeconds: 60
+      queueLimit: 2
 
 plugins:
   baseDirectory: "../"

ops/devops/TASKS.md

@@ -9,5 +9,5 @@
 | DEVOPS-PERF-10-002 | TODO | DevOps Guild | BENCH-SCANNER-10-002 | Publish analyzer bench metrics to Grafana/perf workbook and alarm on ≥20 % regressions. | CI exports JSON for dashboards; Grafana panel wired; Ops on-call doc updated with alert hook. |
 | DEVOPS-REL-14-001 | TODO | DevOps Guild | SIGNER-API-11-101, ATTESTOR-API-11-201 | Deterministic build/release pipeline with SBOM/provenance, signing, manifest generation. | CI pipeline produces signed images + SBOM/attestations, manifests published with verified hashes, docs updated. |
 | DEVOPS-REL-17-002 | TODO | DevOps Guild | DEVOPS-REL-14-001, SCANNER-EMIT-17-701 | Persist stripped-debug artifacts organised by GNU build-id and bundle them into release/offline kits with checksum manifests. | CI job writes `.debug` files under `artifacts/debug/.build-id/`, manifest + checksums published, offline kit includes cache, smoke job proves symbol lookup via build-id. |
-| DEVOPS-MIRROR-08-001 | TODO | DevOps Guild | DEVOPS-REL-14-001 | Stand up managed mirror profiles for `*.stella-ops.org` (Concelier/Excititor), including Helm/Compose overlays, multi-tenant secrets, CDN caching, and sync documentation. | Infra overlays committed, CI smoke deploy hits mirror endpoints, runbooks published for downstream sync and quota management. |
-| DEVOPS-SEC-10-301 | DOING | DevOps Guild | — | Address NU1902/NU1903 advisories for `MongoDB.Driver` 2.12.0 and `SharpCompress` 0.23.0 surfaced during scanner cache and worker test runs. | Dependencies bumped to patched releases, audit logs free of NU1902/NU1903 warnings, regression tests green, change log documents upgrade guidance. |
+| DEVOPS-MIRROR-08-001 | DONE (2025-10-19) | DevOps Guild | DEVOPS-REL-14-001 | Stand up managed mirror profiles for `*.stella-ops.org` (Concelier/Excititor), including Helm/Compose overlays, multi-tenant secrets, CDN caching, and sync documentation. | Infra overlays committed, CI smoke deploy hits mirror endpoints, runbooks published for downstream sync and quota management. |
+| DEVOPS-SEC-10-301 | DOING (2025-10-19) | DevOps Guild | Wave 0A complete | Address NU1902/NU1903 advisories for `MongoDB.Driver` 2.12.0 and `SharpCompress` 0.23.0 surfaced during scanner cache and worker test runs. | Dependencies bumped to patched releases, audit logs free of NU1902/NU1903 warnings, regression tests green, change log documents upgrade guidance. |

src/Directory.Build.props

@@ -1,9 +1,9 @@
 <Project>
   <PropertyGroup>
-    <ConcelierPluginOutputRoot Condition="'$(ConcelierPluginOutputRoot)' == ''">$(SolutionDir)PluginBinaries</ConcelierPluginOutputRoot>
-    <ConcelierPluginOutputRoot Condition="'$(ConcelierPluginOutputRoot)' == '' and '$(SolutionDir)' == ''">$(MSBuildThisFileDirectory)PluginBinaries</ConcelierPluginOutputRoot>
-    <AuthorityPluginOutputRoot Condition="'$(AuthorityPluginOutputRoot)' == ''">$(SolutionDir)PluginBinaries\Authority</AuthorityPluginOutputRoot>
-    <AuthorityPluginOutputRoot Condition="'$(AuthorityPluginOutputRoot)' == '' and '$(SolutionDir)' == ''">$(MSBuildThisFileDirectory)PluginBinaries\Authority</AuthorityPluginOutputRoot>
+    <ConcelierPluginOutputRoot Condition="'$(ConcelierPluginOutputRoot)' == ''">$(SolutionDir)StellaOps.Concelier.PluginBinaries</ConcelierPluginOutputRoot>
+    <ConcelierPluginOutputRoot Condition="'$(ConcelierPluginOutputRoot)' == '' and '$(SolutionDir)' == ''">$(MSBuildThisFileDirectory)StellaOps.Concelier.PluginBinaries</ConcelierPluginOutputRoot>
+    <AuthorityPluginOutputRoot Condition="'$(AuthorityPluginOutputRoot)' == ''">$(SolutionDir)StellaOps.Authority.PluginBinaries</AuthorityPluginOutputRoot>
+    <AuthorityPluginOutputRoot Condition="'$(AuthorityPluginOutputRoot)' == '' and '$(SolutionDir)' == ''">$(MSBuildThisFileDirectory)StellaOps.Authority.PluginBinaries</AuthorityPluginOutputRoot>
     <IsConcelierPlugin Condition="'$(IsConcelierPlugin)' == '' and $([System.String]::Copy('$(MSBuildProjectName)').StartsWith('StellaOps.Concelier.Connector.'))">true</IsConcelierPlugin>
     <IsConcelierPlugin Condition="'$(IsConcelierPlugin)' == '' and $([System.String]::Copy('$(MSBuildProjectName)').StartsWith('StellaOps.Concelier.Exporter.'))">true</IsConcelierPlugin>
     <IsAuthorityPlugin Condition="'$(IsAuthorityPlugin)' == '' and $([System.String]::Copy('$(MSBuildProjectName)').StartsWith('StellaOps.Authority.Plugin.'))">true</IsAuthorityPlugin>
@@ -23,6 +23,11 @@
     </ProjectReference>
   </ItemGroup>
 
+  <ItemGroup>
+    <PackageReference Update="MongoDB.Driver" Version="3.5.0" />
+    <PackageReference Include="SharpCompress" Version="0.41.0" />
+  </ItemGroup>
+
   <ItemGroup Condition="$([System.String]::Copy('$(MSBuildProjectName)').EndsWith('.Tests')) and '$(UseConcelierTestInfra)' != 'false'">
     <PackageReference Include="coverlet.collector" Version="6.0.4" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.0" />

src/StellaOps.Attestor/StellaOps.Attestor.Core/Options/AttestorOptions.cs

@@ -37,6 +37,10 @@ public sealed class AttestorOptions
         public bool RequireClientCertificate { get; set; } = true;
 
         public string? CaBundle { get; set; }
+
+        public IList<string> AllowedSubjects { get; set; } = new List<string>();
+
+        public IList<string> AllowedThumbprints { get; set; } = new List<string>();
     }
 
     public sealed class AuthorityOptions

src/StellaOps.Attestor/StellaOps.Attestor.Core/Storage/AttestorEntry.cs

@@ -26,6 +26,8 @@ public sealed class AttestorEntry
 
     public SignerIdentityDescriptor SignerIdentity { get; init; } = new();
 
+    public LogReplicaDescriptor? Mirror { get; init; }
+
     public sealed class ArtifactDescriptor
     {
         public string Sha256 { get; init; } = string.Empty;
@@ -64,6 +66,8 @@ public sealed class AttestorEntry
 
     public sealed class LogDescriptor
     {
+        public string Backend { get; init; } = "primary";
+
         public string Url { get; init; } = string.Empty;
 
         public string? LogId { get; init; }
@@ -79,4 +83,23 @@ public sealed class AttestorEntry
 
         public string? KeyId { get; init; }
     }
+
+    public sealed class LogReplicaDescriptor
+    {
+        public string Backend { get; init; } = string.Empty;
+
+        public string Url { get; init; } = string.Empty;
+
+        public string? Uuid { get; init; }
+
+        public long? Index { get; init; }
+
+        public string Status { get; init; } = "pending";
+
+        public ProofDescriptor? Proof { get; init; }
+
+        public string? LogId { get; init; }
+
+        public string? Error { get; init; }
+    }
 }

src/StellaOps.Attestor/StellaOps.Attestor.Core/Submission/AttestorSubmissionResult.cs

@@ -24,6 +24,9 @@ public sealed class AttestorSubmissionResult
     [JsonPropertyName("status")]
     public string Status { get; set; } = "pending";
 
+    [JsonPropertyName("mirror")]
+    public MirrorLog? Mirror { get; set; }
+
     public sealed class RekorProof
     {
         [JsonPropertyName("checkpoint")]
@@ -56,4 +59,25 @@ public sealed class AttestorSubmissionResult
         [JsonPropertyName("path")]
         public IReadOnlyList<string> Path { get; init; } = Array.Empty<string>();
     }
+
+    public sealed class MirrorLog
+    {
+        [JsonPropertyName("uuid")]
+        public string? Uuid { get; set; }
+
+        [JsonPropertyName("index")]
+        public long? Index { get; set; }
+
+        [JsonPropertyName("logURL")]
+        public string? LogUrl { get; set; }
+
+        [JsonPropertyName("status")]
+        public string Status { get; set; } = "pending";
+
+        [JsonPropertyName("proof")]
+        public RekorProof? Proof { get; set; }
+
+        [JsonPropertyName("error")]
+        public string? Error { get; set; }
+    }
 }

src/StellaOps.Attestor/StellaOps.Attestor.Core/Submission/AttestorSubmissionValidator.cs

@@ -12,10 +12,14 @@ public sealed class AttestorSubmissionValidator
     private static readonly string[] AllowedKinds = ["sbom", "report", "vex-export"];
 
     private readonly IDsseCanonicalizer _canonicalizer;
+    private readonly HashSet<string> _allowedModes;
 
-    public AttestorSubmissionValidator(IDsseCanonicalizer canonicalizer)
+    public AttestorSubmissionValidator(IDsseCanonicalizer canonicalizer, IEnumerable<string>? allowedModes = null)
     {
         _canonicalizer = canonicalizer ?? throw new ArgumentNullException(nameof(canonicalizer));
+        _allowedModes = allowedModes is null
+            ? new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+            : new HashSet<string>(allowedModes, StringComparer.OrdinalIgnoreCase);
     }
 
     public async Task<AttestorSubmissionValidationResult> ValidateAsync(AttestorSubmissionRequest request, CancellationToken cancellationToken = default)
@@ -47,6 +51,11 @@ public sealed class AttestorSubmissionValidator
             throw new AttestorValidationException("signature_missing", "At least one DSSE signature is required.");
         }
 
+        if (_allowedModes.Count > 0 && !string.IsNullOrWhiteSpace(request.Bundle.Mode) && !_allowedModes.Contains(request.Bundle.Mode))
+        {
+            throw new AttestorValidationException("mode_not_allowed", $"Submission mode '{request.Bundle.Mode}' is not permitted.");
+        }
+
         if (request.Meta is null)
         {
             throw new AttestorValidationException("meta_missing", "Submission metadata is required.");

src/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/ServiceCollectionExtensions.cs

@@ -24,7 +24,12 @@ public static class ServiceCollectionExtensions
     public static IServiceCollection AddAttestorInfrastructure(this IServiceCollection services)
     {
         services.AddSingleton<IDsseCanonicalizer, DefaultDsseCanonicalizer>();
-        services.AddSingleton<AttestorSubmissionValidator>();
+        services.AddSingleton(sp =>
+        {
+            var canonicalizer = sp.GetRequiredService<IDsseCanonicalizer>();
+            var options = sp.GetRequiredService<IOptions<AttestorOptions>>().Value;
+            return new AttestorSubmissionValidator(canonicalizer, options.Security.SignerIdentity.Mode);
+        });
         services.AddSingleton<AttestorMetrics>();
         services.AddSingleton<IAttestorSubmissionService, AttestorSubmissionService>();
         services.AddSingleton<IAttestorVerificationService, AttestorVerificationService>();

src/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Storage/MongoAttestorEntryRepository.cs

@@ -76,6 +76,9 @@ internal sealed class MongoAttestorEntryRepository : IAttestorEntryRepository
         [BsonElement("signerIdentity")]
         public SignerIdentityDocument SignerIdentity { get; set; } = new();
 
+        [BsonElement("mirror")]
+        public MirrorDocument? Mirror { get; set; }
+
         public static AttestorEntryDocument FromDomain(AttestorEntry entry)
         {
             return new AttestorEntryDocument
@@ -109,6 +112,7 @@ internal sealed class MongoAttestorEntryRepository : IAttestorEntryRepository
                 },
                 Log = new LogDocument
                 {
+                    Backend = entry.Log.Backend,
                     Url = entry.Log.Url,
                     LogId = entry.Log.LogId
                 },
@@ -120,7 +124,8 @@ internal sealed class MongoAttestorEntryRepository : IAttestorEntryRepository
                     Issuer = entry.SignerIdentity.Issuer,
                     SubjectAlternativeName = entry.SignerIdentity.SubjectAlternativeName,
                     KeyId = entry.SignerIdentity.KeyId
-                }
+                },
+                Mirror = entry.Mirror is null ? null : MirrorDocument.FromDomain(entry.Mirror)
             };
         }
 
@@ -155,6 +160,7 @@ internal sealed class MongoAttestorEntryRepository : IAttestorEntryRepository
                 },
                 Log = new AttestorEntry.LogDescriptor
                 {
+                    Backend = Log.Backend,
                     Url = Log.Url,
                     LogId = Log.LogId
                 },
@@ -166,7 +172,8 @@ internal sealed class MongoAttestorEntryRepository : IAttestorEntryRepository
                     Issuer = SignerIdentity.Issuer,
                     SubjectAlternativeName = SignerIdentity.SubjectAlternativeName,
                     KeyId = SignerIdentity.KeyId
-                }
+                },
+                Mirror = Mirror?.ToDomain()
             };
         }
 
@@ -220,6 +227,9 @@ internal sealed class MongoAttestorEntryRepository : IAttestorEntryRepository
 
         internal sealed class LogDocument
         {
+            [BsonElement("backend")]
+            public string Backend { get; set; } = "primary";
+
             [BsonElement("url")]
             public string Url { get; set; } = string.Empty;
 
@@ -241,5 +251,92 @@ internal sealed class MongoAttestorEntryRepository : IAttestorEntryRepository
             [BsonElement("kid")]
             public string? KeyId { get; set; }
         }
+
+        internal sealed class MirrorDocument
+        {
+            [BsonElement("backend")]
+            public string Backend { get; set; } = string.Empty;
+
+            [BsonElement("url")]
+            public string Url { get; set; } = string.Empty;
+
+            [BsonElement("uuid")]
+            public string? Uuid { get; set; }
+
+            [BsonElement("index")]
+            public long? Index { get; set; }
+
+            [BsonElement("status")]
+            public string Status { get; set; } = "pending";
+
+            [BsonElement("proof")]
+            public ProofDocument? Proof { get; set; }
+
+            [BsonElement("logId")]
+            public string? LogId { get; set; }
+
+            [BsonElement("error")]
+            public string? Error { get; set; }
+
+            public static MirrorDocument FromDomain(AttestorEntry.LogReplicaDescriptor mirror)
+            {
+                return new MirrorDocument
+                {
+                    Backend = mirror.Backend,
+                    Url = mirror.Url,
+                    Uuid = mirror.Uuid,
+                    Index = mirror.Index,
+                    Status = mirror.Status,
+                    Proof = mirror.Proof is null ? null : new ProofDocument
+                    {
+                        Checkpoint = mirror.Proof.Checkpoint is null ? null : new CheckpointDocument
+                        {
+                            Origin = mirror.Proof.Checkpoint.Origin,
+                            Size = mirror.Proof.Checkpoint.Size,
+                            RootHash = mirror.Proof.Checkpoint.RootHash,
+                            Timestamp = mirror.Proof.Checkpoint.Timestamp is null
+                                ? null
+                                : BsonDateTime.Create(mirror.Proof.Checkpoint.Timestamp.Value)
+                        },
+                        Inclusion = mirror.Proof.Inclusion is null ? null : new InclusionDocument
+                        {
+                            LeafHash = mirror.Proof.Inclusion.LeafHash,
+                            Path = mirror.Proof.Inclusion.Path
+                        }
+                    },
+                    LogId = mirror.LogId,
+                    Error = mirror.Error
+                };
+            }
+
+            public AttestorEntry.LogReplicaDescriptor ToDomain()
+            {
+                return new AttestorEntry.LogReplicaDescriptor
+                {
+                    Backend = Backend,
+                    Url = Url,
+                    Uuid = Uuid,
+                    Index = Index,
+                    Status = Status,
+                    Proof = Proof is null ? null : new AttestorEntry.ProofDescriptor
+                    {
+                        Checkpoint = Proof.Checkpoint is null ? null : new AttestorEntry.CheckpointDescriptor
+                        {
+                            Origin = Proof.Checkpoint.Origin,
+                            Size = Proof.Checkpoint.Size,
+                            RootHash = Proof.Checkpoint.RootHash,
+                            Timestamp = Proof.Checkpoint.Timestamp?.ToUniversalTime()
+                        },
+                        Inclusion = Proof.Inclusion is null ? null : new AttestorEntry.InclusionDescriptor
+                        {
+                            LeafHash = Proof.Inclusion.LeafHash,
+                            Path = Proof.Inclusion.Path
+                        }
+                    },
+                    LogId = LogId,
+                    Error = Error
+                };
+            }
+        }
     }
 }

src/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Submission/AttestorSubmissionService.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.Diagnostics;
 using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
@@ -58,137 +59,136 @@ internal sealed class AttestorSubmissionService : IAttestorSubmissionService
         SubmissionContext context,
         CancellationToken cancellationToken = default)
     {
-        var start = System.Diagnostics.Stopwatch.GetTimestamp();
+        ArgumentNullException.ThrowIfNull(request);
+        ArgumentNullException.ThrowIfNull(context);
 
         var validation = await _validator.ValidateAsync(request, cancellationToken).ConfigureAwait(false);
-
         var canonicalBundle = validation.CanonicalBundle;
 
-        var dedupeUuid = await _dedupeStore.TryGetExistingAsync(request.Meta.BundleSha256, cancellationToken).ConfigureAwait(false);
-        if (!string.IsNullOrEmpty(dedupeUuid))
+        var preference = NormalizeLogPreference(request.Meta.LogPreference);
+        var requiresPrimary = preference is "primary" or "both";
+        var requiresMirror = preference is "mirror" or "both";
+
+        if (!requiresPrimary && !requiresMirror)
+        {
+            requiresPrimary = true;
+        }
+
+        if (requiresMirror && !_options.Rekor.Mirror.Enabled)
+        {
+            throw new AttestorValidationException("mirror_disabled", "Mirror log requested but not configured.");
+        }
+
+        var existing = await TryGetExistingEntryAsync(request.Meta.BundleSha256, cancellationToken).ConfigureAwait(false);
+        if (existing is not null)
         {
-            _logger.LogInformation("Dedupe hit for bundle {BundleSha256} -> {RekorUuid}", request.Meta.BundleSha256, dedupeUuid);
             _metrics.DedupeHitsTotal.Add(1, new KeyValuePair<string, object?>("result", "hit"));
-            var existing = await _repository.GetByUuidAsync(dedupeUuid, cancellationToken).ConfigureAwait(false)
-                ?? await _repository.GetByBundleShaAsync(request.Meta.BundleSha256, cancellationToken).ConfigureAwait(false);
-
-            if (existing is not null)
-            {
-                _metrics.SubmitTotal.Add(1,
-                    new KeyValuePair<string, object?>("result", "dedupe"),
-                    new KeyValuePair<string, object?>("backend", "cache"));
-                return ToResult(existing);
-            }
-        }
-        else
-        {
-            _metrics.DedupeHitsTotal.Add(1, new KeyValuePair<string, object?>("result", "miss"));
+            var updated = await EnsureBackendsAsync(existing, request, context, requiresPrimary, requiresMirror, cancellationToken).ConfigureAwait(false);
+            return ToResult(updated);
         }
 
-        var primaryBackend = BuildBackend("primary", _options.Rekor.Primary);
-        RekorSubmissionResponse submissionResponse;
-        try
+        _metrics.DedupeHitsTotal.Add(1, new KeyValuePair<string, object?>("result", "miss"));
+
+        SubmissionOutcome? canonicalOutcome = null;
+        SubmissionOutcome? mirrorOutcome = null;
+
+        if (requiresPrimary)
         {
-            submissionResponse = await _rekorClient.SubmitAsync(request, primaryBackend, cancellationToken).ConfigureAwait(false);
-        }
-        catch (Exception ex)
-        {
-            _metrics.ErrorTotal.Add(1, new KeyValuePair<string, object?>("type", "submit"));
-            _logger.LogError(ex, "Failed to submit bundle {BundleSha} to Rekor backend {Backend}", request.Meta.BundleSha256, primaryBackend.Name);
-            throw;
+            canonicalOutcome = await SubmitToBackendAsync(request, "primary", _options.Rekor.Primary, cancellationToken).ConfigureAwait(false);
         }
 
-        var proof = submissionResponse.Proof;
-        if (proof is null && string.Equals(submissionResponse.Status, "included", StringComparison.OrdinalIgnoreCase))
+        if (requiresMirror)
         {
             try
             {
-                proof = await _rekorClient.GetProofAsync(submissionResponse.Uuid, primaryBackend, cancellationToken).ConfigureAwait(false);
-                _metrics.ProofFetchTotal.Add(1,
-                    new KeyValuePair<string, object?>("result", proof is null ? "missing" : "ok"));
+                var mirror = await SubmitToBackendAsync(request, "mirror", _options.Rekor.Mirror, cancellationToken).ConfigureAwait(false);
+                if (canonicalOutcome is null)
+                {
+                    canonicalOutcome = mirror;
+                }
+                else
+                {
+                    mirrorOutcome = mirror;
+                }
             }
             catch (Exception ex)
             {
-                _metrics.ErrorTotal.Add(1, new KeyValuePair<string, object?>("type", "proof_fetch"));
-                _logger.LogWarning(ex, "Proof fetch failed for {Uuid} on backend {Backend}", submissionResponse.Uuid, primaryBackend.Name);
+                if (canonicalOutcome is null)
+                {
+                    throw;
+                }
+
+                _metrics.ErrorTotal.Add(1, new KeyValuePair<string, object?>("type", "submit_mirror"));
+                _logger.LogWarning(ex, "Mirror submission failed for bundle {BundleSha}", request.Meta.BundleSha256);
+                mirrorOutcome = SubmissionOutcome.Failure("mirror", _options.Rekor.Mirror.Url, ex, TimeSpan.Zero);
+                RecordSubmissionMetrics(mirrorOutcome);
             }
         }
 
-        var entry = CreateEntry(request, submissionResponse, proof, context, canonicalBundle);
+        if (canonicalOutcome is null)
+        {
+            throw new InvalidOperationException("No Rekor submission outcome was produced.");
+        }
+
+        var entry = CreateEntry(request, context, canonicalOutcome, mirrorOutcome);
         await _repository.SaveAsync(entry, cancellationToken).ConfigureAwait(false);
         await _dedupeStore.SetAsync(request.Meta.BundleSha256, entry.RekorUuid, DedupeTtl, cancellationToken).ConfigureAwait(false);
 
         if (request.Meta.Archive)
         {
-            var archiveBundle = new AttestorArchiveBundle
-            {
-                RekorUuid = entry.RekorUuid,
-                ArtifactSha256 = entry.Artifact.Sha256,
-                BundleSha256 = entry.BundleSha256,
-                CanonicalBundleJson = canonicalBundle,
-                ProofJson = proof is null ? Array.Empty<byte>() : JsonSerializer.SerializeToUtf8Bytes(proof, JsonSerializerOptions.Default),
-                Metadata = new Dictionary<string, string>
-                {
-                    ["logUrl"] = entry.Log.Url,
-                    ["status"] = entry.Status
-                }
-            };
-
-            try
-            {
-                await _archiveStore.ArchiveBundleAsync(archiveBundle, cancellationToken).ConfigureAwait(false);
-            }
-            catch (Exception ex)
-            {
-                _logger.LogWarning(ex, "Failed to archive bundle {BundleSha}", entry.BundleSha256);
-                _metrics.ErrorTotal.Add(1, new KeyValuePair<string, object?>("type", "archive"));
-            }
+            await ArchiveAsync(entry, canonicalBundle, canonicalOutcome.Proof, cancellationToken).ConfigureAwait(false);
         }
 
-        var elapsed = System.Diagnostics.Stopwatch.GetElapsedTime(start, System.Diagnostics.Stopwatch.GetTimestamp());
-        _metrics.SubmitTotal.Add(1,
-            new KeyValuePair<string, object?>("result", submissionResponse.Status ?? "unknown"),
-            new KeyValuePair<string, object?>("backend", primaryBackend.Name));
-        _metrics.SubmitLatency.Record(elapsed.TotalSeconds, new KeyValuePair<string, object?>("backend", primaryBackend.Name));
-        await WriteAuditAsync(request, context, entry, submissionResponse, (long)elapsed.TotalMilliseconds, cancellationToken).ConfigureAwait(false);
+        await WriteAuditAsync(request, context, entry, canonicalOutcome, cancellationToken).ConfigureAwait(false);
+        if (mirrorOutcome is not null)
+        {
+            await WriteAuditAsync(request, context, entry, mirrorOutcome, cancellationToken).ConfigureAwait(false);
+        }
 
         return ToResult(entry);
     }
 
     private static AttestorSubmissionResult ToResult(AttestorEntry entry)
     {
-        return new AttestorSubmissionResult
+        var result = new AttestorSubmissionResult
         {
             Uuid = entry.RekorUuid,
             Index = entry.Index,
             LogUrl = entry.Log.Url,
             Status = entry.Status,
-            Proof = entry.Proof is null ? null : new AttestorSubmissionResult.RekorProof
-            {
-                Checkpoint = entry.Proof.Checkpoint is null ? null : new AttestorSubmissionResult.Checkpoint
-                {
-                    Origin = entry.Proof.Checkpoint.Origin,
-                    Size = entry.Proof.Checkpoint.Size,
-                    RootHash = entry.Proof.Checkpoint.RootHash,
-                    Timestamp = entry.Proof.Checkpoint.Timestamp?.ToString("O")
-                },
-                Inclusion = entry.Proof.Inclusion is null ? null : new AttestorSubmissionResult.InclusionProof
-                {
-                    LeafHash = entry.Proof.Inclusion.LeafHash,
-                    Path = entry.Proof.Inclusion.Path
-                }
-            }
+            Proof = ToResultProof(entry.Proof)
         };
+
+        if (entry.Mirror is not null)
+        {
+            result.Mirror = new AttestorSubmissionResult.MirrorLog
+            {
+                Uuid = entry.Mirror.Uuid,
+                Index = entry.Mirror.Index,
+                LogUrl = entry.Mirror.Url,
+                Status = entry.Mirror.Status,
+                Proof = ToResultProof(entry.Mirror.Proof),
+                Error = entry.Mirror.Error
+            };
+        }
+
+        return result;
     }
 
     private AttestorEntry CreateEntry(
         AttestorSubmissionRequest request,
-        RekorSubmissionResponse submission,
-        RekorProofResponse? proof,
         SubmissionContext context,
-        byte[] canonicalBundle)
+        SubmissionOutcome canonicalOutcome,
+        SubmissionOutcome? mirrorOutcome)
     {
+        if (canonicalOutcome.Submission is null)
+        {
+            throw new InvalidOperationException("Canonical submission outcome must include a Rekor response.");
+        }
+
+        var submission = canonicalOutcome.Submission;
         var now = _timeProvider.GetUtcNow();
+
         return new AttestorEntry
         {
             RekorUuid = submission.Uuid,
@@ -201,24 +201,11 @@ internal sealed class AttestorSubmissionService : IAttestorSubmissionService
             },
             BundleSha256 = request.Meta.BundleSha256,
             Index = submission.Index,
-            Proof = proof is null ? null : new AttestorEntry.ProofDescriptor
-            {
-                Checkpoint = proof.Checkpoint is null ? null : new AttestorEntry.CheckpointDescriptor
-                {
-                    Origin = proof.Checkpoint.Origin,
-                    Size = proof.Checkpoint.Size,
-                    RootHash = proof.Checkpoint.RootHash,
-                    Timestamp = proof.Checkpoint.Timestamp
-                },
-                Inclusion = proof.Inclusion is null ? null : new AttestorEntry.InclusionDescriptor
-                {
-                    LeafHash = proof.Inclusion.LeafHash,
-                    Path = proof.Inclusion.Path
-                }
-            },
+            Proof = ConvertProof(canonicalOutcome.Proof),
             Log = new AttestorEntry.LogDescriptor
             {
-                Url = submission.LogUrl ?? string.Empty,
+                Backend = canonicalOutcome.Backend,
+                Url = submission.LogUrl ?? canonicalOutcome.Url,
                 LogId = null
             },
             CreatedAt = now,
@@ -229,28 +216,233 @@ internal sealed class AttestorSubmissionService : IAttestorSubmissionService
                 Issuer = context.CallerAudience,
                 SubjectAlternativeName = context.CallerSubject,
                 KeyId = context.CallerClientId
-            }
+            },
+            Mirror = mirrorOutcome is null ? null : CreateMirrorDescriptor(mirrorOutcome)
         };
     }
 
+    private static string NormalizeLogPreference(string? value)
+    {
+        if (string.IsNullOrWhiteSpace(value))
+        {
+            return "primary";
+        }
+
+        var normalized = value.Trim().ToLowerInvariant();
+        return normalized switch
+        {
+            "primary" => "primary",
+            "mirror" => "mirror",
+            "both" => "both",
+            _ => "primary"
+        };
+    }
+
+    private async Task<AttestorEntry?> TryGetExistingEntryAsync(string bundleSha256, CancellationToken cancellationToken)
+    {
+        var dedupeUuid = await _dedupeStore.TryGetExistingAsync(bundleSha256, cancellationToken).ConfigureAwait(false);
+        if (string.IsNullOrWhiteSpace(dedupeUuid))
+        {
+            return null;
+        }
+
+        return await _repository.GetByUuidAsync(dedupeUuid, cancellationToken).ConfigureAwait(false)
+            ?? await _repository.GetByBundleShaAsync(bundleSha256, cancellationToken).ConfigureAwait(false);
+    }
+
+    private async Task<AttestorEntry> EnsureBackendsAsync(
+        AttestorEntry existing,
+        AttestorSubmissionRequest request,
+        SubmissionContext context,
+        bool requiresPrimary,
+        bool requiresMirror,
+        CancellationToken cancellationToken)
+    {
+        var entry = existing;
+        var updated = false;
+
+        if (requiresPrimary && !IsPrimary(entry))
+        {
+            var outcome = await SubmitToBackendAsync(request, "primary", _options.Rekor.Primary, cancellationToken).ConfigureAwait(false);
+            entry = PromoteToPrimary(entry, outcome);
+            await _repository.SaveAsync(entry, cancellationToken).ConfigureAwait(false);
+            await _dedupeStore.SetAsync(request.Meta.BundleSha256, entry.RekorUuid, DedupeTtl, cancellationToken).ConfigureAwait(false);
+            await WriteAuditAsync(request, context, entry, outcome, cancellationToken).ConfigureAwait(false);
+            updated = true;
+        }
+
+        if (requiresMirror)
+        {
+            var mirrorSatisfied = entry.Mirror is not null
+                && entry.Mirror.Error is null
+                && string.Equals(entry.Mirror.Status, "included", StringComparison.OrdinalIgnoreCase)
+                && !string.IsNullOrEmpty(entry.Mirror.Uuid);
+
+            if (!mirrorSatisfied)
+            {
+                try
+                {
+                    var mirrorOutcome = await SubmitToBackendAsync(request, "mirror", _options.Rekor.Mirror, cancellationToken).ConfigureAwait(false);
+                    entry = WithMirror(entry, mirrorOutcome);
+                    await _repository.SaveAsync(entry, cancellationToken).ConfigureAwait(false);
+                    await WriteAuditAsync(request, context, entry, mirrorOutcome, cancellationToken).ConfigureAwait(false);
+                    updated = true;
+                }
+                catch (Exception ex)
+                {
+                    _metrics.ErrorTotal.Add(1, new KeyValuePair<string, object?>("type", "submit_mirror"));
+                    _logger.LogWarning(ex, "Mirror submission failed for deduplicated bundle {BundleSha}", request.Meta.BundleSha256);
+                    var failure = SubmissionOutcome.Failure("mirror", _options.Rekor.Mirror.Url, ex, TimeSpan.Zero);
+                    RecordSubmissionMetrics(failure);
+                    entry = WithMirror(entry, failure);
+                    await _repository.SaveAsync(entry, cancellationToken).ConfigureAwait(false);
+                    await WriteAuditAsync(request, context, entry, failure, cancellationToken).ConfigureAwait(false);
+                    updated = true;
+                }
+            }
+        }
+
+        if (!updated)
+        {
+            _metrics.SubmitTotal.Add(1,
+                new KeyValuePair<string, object?>("result", "dedupe"),
+                new KeyValuePair<string, object?>("backend", "cache"));
+        }
+
+        return entry;
+    }
+
+    private static bool IsPrimary(AttestorEntry entry) =>
+        string.Equals(entry.Log.Backend, "primary", StringComparison.OrdinalIgnoreCase);
+
+    private async Task<SubmissionOutcome> SubmitToBackendAsync(
+        AttestorSubmissionRequest request,
+        string backendName,
+        AttestorOptions.RekorBackendOptions backendOptions,
+        CancellationToken cancellationToken)
+    {
+        var backend = BuildBackend(backendName, backendOptions);
+        var stopwatch = Stopwatch.StartNew();
+        try
+        {
+            var submission = await _rekorClient.SubmitAsync(request, backend, cancellationToken).ConfigureAwait(false);
+            stopwatch.Stop();
+
+            var proof = submission.Proof;
+            if (proof is null && string.Equals(submission.Status, "included", StringComparison.OrdinalIgnoreCase))
+            {
+                try
+                {
+                    proof = await _rekorClient.GetProofAsync(submission.Uuid, backend, cancellationToken).ConfigureAwait(false);
+                    _metrics.ProofFetchTotal.Add(1,
+                        new KeyValuePair<string, object?>("result", proof is null ? "missing" : "ok"));
+                }
+                catch (Exception ex)
+                {
+                    _metrics.ErrorTotal.Add(1, new KeyValuePair<string, object?>("type", "proof_fetch"));
+                    _logger.LogWarning(ex, "Proof fetch failed for {Uuid} on backend {Backend}", submission.Uuid, backendName);
+                }
+            }
+
+            var outcome = SubmissionOutcome.Success(backendName, backend.Url, submission, proof, stopwatch.Elapsed);
+            RecordSubmissionMetrics(outcome);
+            return outcome;
+        }
+        catch (Exception ex)
+        {
+            stopwatch.Stop();
+            _metrics.ErrorTotal.Add(1, new KeyValuePair<string, object?>("type", $"submit_{backendName}"));
+            _logger.LogError(ex, "Failed to submit bundle {BundleSha} to Rekor backend {Backend}", request.Meta.BundleSha256, backendName);
+            throw;
+        }
+    }
+
+    private void RecordSubmissionMetrics(SubmissionOutcome outcome)
+    {
+        var result = outcome.IsSuccess
+            ? outcome.Submission!.Status ?? "unknown"
+            : "failed";
+
+        _metrics.SubmitTotal.Add(1,
+            new KeyValuePair<string, object?>("result", result),
+            new KeyValuePair<string, object?>("backend", outcome.Backend));
+
+        if (outcome.Latency > TimeSpan.Zero)
+        {
+            _metrics.SubmitLatency.Record(outcome.Latency.TotalSeconds,
+                new KeyValuePair<string, object?>("backend", outcome.Backend));
+        }
+    }
+
+    private async Task ArchiveAsync(
+        AttestorEntry entry,
+        byte[] canonicalBundle,
+        RekorProofResponse? proof,
+        CancellationToken cancellationToken)
+    {
+        var metadata = new Dictionary<string, string>
+        {
+            ["logUrl"] = entry.Log.Url,
+            ["status"] = entry.Status
+        };
+
+        if (entry.Mirror is not null)
+        {
+            metadata["mirror.backend"] = entry.Mirror.Backend;
+            metadata["mirror.uuid"] = entry.Mirror.Uuid ?? string.Empty;
+            metadata["mirror.status"] = entry.Mirror.Status;
+        }
+
+        var archiveBundle = new AttestorArchiveBundle
+        {
+            RekorUuid = entry.RekorUuid,
+            ArtifactSha256 = entry.Artifact.Sha256,
+            BundleSha256 = entry.BundleSha256,
+            CanonicalBundleJson = canonicalBundle,
+            ProofJson = proof is null ? Array.Empty<byte>() : JsonSerializer.SerializeToUtf8Bytes(proof, JsonSerializerOptions.Default),
+            Metadata = metadata
+        };
+
+        try
+        {
+            await _archiveStore.ArchiveBundleAsync(archiveBundle, cancellationToken).ConfigureAwait(false);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Failed to archive bundle {BundleSha}", entry.BundleSha256);
+            _metrics.ErrorTotal.Add(1, new KeyValuePair<string, object?>("type", "archive"));
+        }
+    }
+
     private Task WriteAuditAsync(
         AttestorSubmissionRequest request,
         SubmissionContext context,
         AttestorEntry entry,
-        RekorSubmissionResponse submission,
-        long latencyMs,
+        SubmissionOutcome outcome,
         CancellationToken cancellationToken)
     {
+        var metadata = new Dictionary<string, string>();
+        if (!outcome.IsSuccess && outcome.Error is not null)
+        {
+            metadata["error"] = outcome.Error.Message;
+        }
+
         var record = new AttestorAuditRecord
         {
             Action = "submit",
-            Result = submission.Status ?? "included",
-            RekorUuid = submission.Uuid,
-            Index = submission.Index,
+            Result = outcome.IsSuccess
+                ? outcome.Submission!.Status ?? "included"
+                : "failed",
+            RekorUuid = outcome.IsSuccess
+                ? outcome.Submission!.Uuid
+                : string.Equals(outcome.Backend, "primary", StringComparison.OrdinalIgnoreCase)
+                    ? entry.RekorUuid
+                    : entry.Mirror?.Uuid,
+            Index = outcome.Submission?.Index,
             ArtifactSha256 = request.Meta.Artifact.Sha256,
             BundleSha256 = request.Meta.BundleSha256,
-            Backend = "primary",
-            LatencyMs = latencyMs,
+            Backend = outcome.Backend,
+            LatencyMs = (long)outcome.Latency.TotalMilliseconds,
             Timestamp = _timeProvider.GetUtcNow(),
             Caller = new AttestorAuditRecord.CallerDescriptor
             {
@@ -259,12 +451,160 @@ internal sealed class AttestorSubmissionService : IAttestorSubmissionService
                 ClientId = context.CallerClientId,
                 MtlsThumbprint = context.MtlsThumbprint,
                 Tenant = context.CallerTenant
-            }
+            },
+            Metadata = metadata
         };
 
         return _auditSink.WriteAsync(record, cancellationToken);
     }
 
+    private static AttestorEntry.ProofDescriptor? ConvertProof(RekorProofResponse? proof)
+    {
+        if (proof is null)
+        {
+            return null;
+        }
+
+        return new AttestorEntry.ProofDescriptor
+        {
+            Checkpoint = proof.Checkpoint is null ? null : new AttestorEntry.CheckpointDescriptor
+            {
+                Origin = proof.Checkpoint.Origin,
+                Size = proof.Checkpoint.Size,
+                RootHash = proof.Checkpoint.RootHash,
+                Timestamp = proof.Checkpoint.Timestamp
+            },
+            Inclusion = proof.Inclusion is null ? null : new AttestorEntry.InclusionDescriptor
+            {
+                LeafHash = proof.Inclusion.LeafHash,
+                Path = proof.Inclusion.Path
+            }
+        };
+    }
+
+    private static AttestorSubmissionResult.RekorProof? ToResultProof(AttestorEntry.ProofDescriptor? proof)
+    {
+        if (proof is null)
+        {
+            return null;
+        }
+
+        return new AttestorSubmissionResult.RekorProof
+        {
+            Checkpoint = proof.Checkpoint is null ? null : new AttestorSubmissionResult.Checkpoint
+            {
+                Origin = proof.Checkpoint.Origin,
+                Size = proof.Checkpoint.Size,
+                RootHash = proof.Checkpoint.RootHash,
+                Timestamp = proof.Checkpoint.Timestamp?.ToString("O")
+            },
+            Inclusion = proof.Inclusion is null ? null : new AttestorSubmissionResult.InclusionProof
+            {
+                LeafHash = proof.Inclusion.LeafHash,
+                Path = proof.Inclusion.Path
+            }
+        };
+    }
+
+    private static AttestorEntry.LogReplicaDescriptor CreateMirrorDescriptor(SubmissionOutcome outcome)
+    {
+        return new AttestorEntry.LogReplicaDescriptor
+        {
+            Backend = outcome.Backend,
+            Url = outcome.IsSuccess
+                ? outcome.Submission!.LogUrl ?? outcome.Url
+                : outcome.Url,
+            Uuid = outcome.Submission?.Uuid,
+            Index = outcome.Submission?.Index,
+            Status = outcome.IsSuccess
+                ? outcome.Submission!.Status ?? "included"
+                : "failed",
+            Proof = outcome.IsSuccess ? ConvertProof(outcome.Proof) : null,
+            Error = outcome.Error?.Message
+        };
+    }
+
+    private static AttestorEntry WithMirror(AttestorEntry entry, SubmissionOutcome outcome)
+    {
+        return new AttestorEntry
+        {
+            RekorUuid = entry.RekorUuid,
+            Artifact = entry.Artifact,
+            BundleSha256 = entry.BundleSha256,
+            Index = entry.Index,
+            Proof = entry.Proof,
+            Log = entry.Log,
+            CreatedAt = entry.CreatedAt,
+            Status = entry.Status,
+            SignerIdentity = entry.SignerIdentity,
+            Mirror = CreateMirrorDescriptor(outcome)
+        };
+    }
+
+    private AttestorEntry PromoteToPrimary(AttestorEntry existing, SubmissionOutcome outcome)
+    {
+        if (outcome.Submission is null)
+        {
+            throw new InvalidOperationException("Cannot promote to primary without a successful submission.");
+        }
+
+        var mirrorDescriptor = existing.Mirror;
+        if (mirrorDescriptor is null && !string.Equals(existing.Log.Backend, outcome.Backend, StringComparison.OrdinalIgnoreCase))
+        {
+            mirrorDescriptor = CreateMirrorDescriptorFromEntry(existing);
+        }
+
+        return new AttestorEntry
+        {
+            RekorUuid = outcome.Submission.Uuid,
+            Artifact = existing.Artifact,
+            BundleSha256 = existing.BundleSha256,
+            Index = outcome.Submission.Index,
+            Proof = ConvertProof(outcome.Proof),
+            Log = new AttestorEntry.LogDescriptor
+            {
+                Backend = outcome.Backend,
+                Url = outcome.Submission.LogUrl ?? outcome.Url,
+                LogId = existing.Log.LogId
+            },
+            CreatedAt = existing.CreatedAt,
+            Status = outcome.Submission.Status ?? "included",
+            SignerIdentity = existing.SignerIdentity,
+            Mirror = mirrorDescriptor
+        };
+    }
+
+    private static AttestorEntry.LogReplicaDescriptor CreateMirrorDescriptorFromEntry(AttestorEntry entry)
+    {
+        return new AttestorEntry.LogReplicaDescriptor
+        {
+            Backend = entry.Log.Backend,
+            Url = entry.Log.Url,
+            Uuid = entry.RekorUuid,
+            Index = entry.Index,
+            Status = entry.Status,
+            Proof = entry.Proof,
+            LogId = entry.Log.LogId
+        };
+    }
+
+    private sealed record SubmissionOutcome(
+        string Backend,
+        string Url,
+        RekorSubmissionResponse? Submission,
+        RekorProofResponse? Proof,
+        TimeSpan Latency,
+        Exception? Error)
+    {
+        public bool IsSuccess => Submission is not null && Error is null;
+
+        public static SubmissionOutcome Success(string backend, Uri backendUrl, RekorSubmissionResponse submission, RekorProofResponse? proof, TimeSpan latency) =>
+            new SubmissionOutcome(backend, backendUrl.ToString(), submission, proof, latency, null);
+
+        public static SubmissionOutcome Failure(string backend, string? url, Exception error, TimeSpan latency) =>
+            new SubmissionOutcome(backend, url ?? string.Empty, null, null, latency, error);
+    }
+
     private static RekorBackend BuildBackend(string name, AttestorOptions.RekorBackendOptions options)
     {
         if (string.IsNullOrWhiteSpace(options.Url))

src/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Verification/AttestorVerificationService.cs

@@ -1,6 +1,12 @@
 using System;
+using System.Buffers.Binary;
 using System.Collections.Generic;
+using System.Globalization;
+using System.IO;
 using System.Linq;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
@@ -10,7 +16,7 @@ using StellaOps.Attestor.Core.Rekor;
 using StellaOps.Attestor.Core.Storage;
 using StellaOps.Attestor.Core.Submission;
 using StellaOps.Attestor.Core.Verification;
-using System.Security.Cryptography;
+using StellaOps.Attestor.Core.Observability;
 
 namespace StellaOps.Attestor.Infrastructure.Verification;
 
@@ -21,19 +27,22 @@ internal sealed class AttestorVerificationService : IAttestorVerificationService
     private readonly IRekorClient _rekorClient;
     private readonly ILogger<AttestorVerificationService> _logger;
     private readonly AttestorOptions _options;
+    private readonly AttestorMetrics _metrics;
 
     public AttestorVerificationService(
         IAttestorEntryRepository repository,
         IDsseCanonicalizer canonicalizer,
         IRekorClient rekorClient,
         IOptions<AttestorOptions> options,
-        ILogger<AttestorVerificationService> logger)
+        ILogger<AttestorVerificationService> logger,
+        AttestorMetrics metrics)
     {
         _repository = repository;
         _canonicalizer = canonicalizer;
         _rekorClient = rekorClient;
         _logger = logger;
         _options = options.Value;
+        _metrics = metrics;
     }
 
     public async Task<AttestorVerificationResult> VerifyAsync(AttestorVerificationRequest request, CancellationToken cancellationToken = default)
@@ -67,11 +76,25 @@ internal sealed class AttestorVerificationService : IAttestorVerificationService
                 }
             }, cancellationToken).ConfigureAwait(false);
 
-            var computedHash = Convert.ToHexString(System.Security.Cryptography.SHA256.HashData(canonicalBundle)).ToLowerInvariant();
+            var computedHash = Convert.ToHexString(SHA256.HashData(canonicalBundle)).ToLowerInvariant();
             if (!string.Equals(computedHash, entry.BundleSha256, StringComparison.OrdinalIgnoreCase))
             {
-                issues.Add("Bundle hash does not match stored canonical hash.");
+                issues.Add("bundle_hash_mismatch");
             }
+
+            if (!TryDecodeBase64(request.Bundle.Dsse.PayloadBase64, out var payloadBytes))
+            {
+                issues.Add("bundle_payload_invalid_base64");
+            }
+            else
+            {
+                var preAuth = ComputePreAuthEncoding(request.Bundle.Dsse.PayloadType, payloadBytes);
+                VerifySignatures(entry, request.Bundle, preAuth, issues);
+            }
+        }
+        else
+        {
+            _logger.LogDebug("No DSSE bundle supplied for verification of {Uuid}; signature checks skipped.", entry.RekorUuid);
         }
 
         if (request.RefreshProof || entry.Proof is null)
@@ -94,8 +117,12 @@ internal sealed class AttestorVerificationService : IAttestorVerificationService
             }
         }
 
+        VerifyMerkleProof(entry, issues);
+
         var ok = issues.Count == 0 && string.Equals(entry.Status, "included", StringComparison.OrdinalIgnoreCase);
 
+        _metrics.VerifyTotal.Add(1, new KeyValuePair<string, object?>("result", ok ? "ok" : "failed"));
+
         return new AttestorVerificationResult
         {
             Ok = ok,
@@ -204,6 +231,472 @@ internal sealed class AttestorVerificationService : IAttestorVerificationService
             : entry;
     }
 
+    private void VerifySignatures(AttestorEntry entry, AttestorSubmissionRequest.SubmissionBundle bundle, byte[] preAuthEncoding, IList<string> issues)
+    {
+        var mode = (entry.SignerIdentity.Mode ?? bundle.Mode ?? string.Empty).ToLowerInvariant();
+
+        if (mode == "kms")
+        {
+            if (!VerifyKmsSignature(bundle, preAuthEncoding, issues))
+            {
+                issues.Add("signature_invalid_kms");
+            }
+
+            return;
+        }
+
+        if (mode == "keyless")
+        {
+            VerifyKeylessSignature(entry, bundle, preAuthEncoding, issues);
+            return;
+        }
+
+        issues.Add(string.IsNullOrEmpty(mode)
+            ? "signer_mode_unknown"
+            : $"signer_mode_unsupported:{mode}");
+    }
+
+    private bool VerifyKmsSignature(AttestorSubmissionRequest.SubmissionBundle bundle, byte[] preAuthEncoding, IList<string> issues)
+    {
+        if (_options.Security.SignerIdentity.KmsKeys.Count == 0)
+        {
+            issues.Add("kms_key_missing");
+            return false;
+        }
+
+        var signatures = new List<byte[]>();
+        foreach (var signature in bundle.Dsse.Signatures)
+        {
+            if (!TryDecodeBase64(signature.Signature, out var signatureBytes))
+            {
+                issues.Add("signature_invalid_base64");
+                return false;
+            }
+
+            signatures.Add(signatureBytes);
+        }
+
+        foreach (var secret in _options.Security.SignerIdentity.KmsKeys)
+        {
+            if (!TryDecodeSecret(secret, out var secretBytes))
+            {
+                continue;
+            }
+
+            using var hmac = new HMACSHA256(secretBytes);
+            var computed = hmac.ComputeHash(preAuthEncoding);
+
+            foreach (var signatureBytes in signatures)
+            {
+                if (CryptographicOperations.FixedTimeEquals(computed, signatureBytes))
+                {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
+    private void VerifyKeylessSignature(AttestorEntry entry, AttestorSubmissionRequest.SubmissionBundle bundle, byte[] preAuthEncoding, IList<string> issues)
+    {
+        if (bundle.CertificateChain.Count == 0)
+        {
+            issues.Add("certificate_chain_missing");
+            return;
+        }
+
+        var certificates = new List<X509Certificate2>();
+        try
+        {
+            foreach (var pem in bundle.CertificateChain)
+            {
+                certificates.Add(X509Certificate2.CreateFromPem(pem));
+            }
+        }
+        catch (Exception ex) when (ex is CryptographicException or ArgumentException)
+        {
+            issues.Add("certificate_chain_invalid");
+            _logger.LogWarning(ex, "Failed to parse certificate chain for {Uuid}", entry.RekorUuid);
+            return;
+        }
+
+        var leafCertificate = certificates[0];
+
+        if (_options.Security.SignerIdentity.FulcioRoots.Count > 0)
+        {
+            using var chain = new X509Chain
+            {
+                ChainPolicy =
+                {
+                    RevocationMode = X509RevocationMode.NoCheck,
+                    VerificationFlags = X509VerificationFlags.NoFlag,
+                    TrustMode = X509ChainTrustMode.CustomRootTrust
+                }
+            };
+
+            foreach (var rootPath in _options.Security.SignerIdentity.FulcioRoots)
+            {
+                try
+                {
+                    if (File.Exists(rootPath))
+                    {
+                        var rootCertificate = X509CertificateLoader.LoadCertificateFromFile(rootPath);
+                        chain.ChainPolicy.CustomTrustStore.Add(rootCertificate);
+                    }
+                }
+                catch (Exception ex)
+                {
+                    _logger.LogWarning(ex, "Failed to load Fulcio root {Root}", rootPath);
+                }
+            }
+
+            if (!chain.Build(leafCertificate))
+            {
+                var status = string.Join(";", chain.ChainStatus.Select(s => s.StatusInformation.Trim()))
+                    .Trim(';');
+                issues.Add(string.IsNullOrEmpty(status) ? "certificate_chain_untrusted" : $"certificate_chain_untrusted:{status}");
+            }
+        }
+
+        if (_options.Security.SignerIdentity.AllowedSans.Count > 0)
+        {
+            var sans = GetSubjectAlternativeNames(leafCertificate);
+            if (!sans.Any(san => _options.Security.SignerIdentity.AllowedSans.Contains(san, StringComparer.OrdinalIgnoreCase)))
+            {
+                issues.Add("certificate_san_untrusted");
+            }
+        }
+
+        var signatureVerified = false;
+        foreach (var signature in bundle.Dsse.Signatures)
+        {
+            if (!TryDecodeBase64(signature.Signature, out var signatureBytes))
+            {
+                issues.Add("signature_invalid_base64");
+                return;
+            }
+
+            if (TryVerifyWithCertificate(leafCertificate, preAuthEncoding, signatureBytes))
+            {
+                signatureVerified = true;
+                break;
+            }
+        }
+
+        if (!signatureVerified)
+        {
+            issues.Add("signature_invalid");
+        }
+    }
+
+    private static bool TryVerifyWithCertificate(X509Certificate2 certificate, byte[] preAuthEncoding, byte[] signature)
+    {
+        try
+        {
+            var ecdsa = certificate.GetECDsaPublicKey();
+            if (ecdsa is not null)
+            {
+                using (ecdsa)
+                {
+                    return ecdsa.VerifyData(preAuthEncoding, signature, HashAlgorithmName.SHA256);
+                }
+            }
+
+            var rsa = certificate.GetRSAPublicKey();
+            if (rsa is not null)
+            {
+                using (rsa)
+                {
+                    return rsa.VerifyData(preAuthEncoding, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+                }
+            }
+        }
+        catch (CryptographicException)
+        {
+            return false;
+        }
+
+        return false;
+    }
+
+    private static IEnumerable<string> GetSubjectAlternativeNames(X509Certificate2 certificate)
+    {
+        foreach (var extension in certificate.Extensions)
+        {
+            if (!string.Equals(extension.Oid?.Value, "2.5.29.17", StringComparison.Ordinal))
+            {
+                continue;
+            }
+
+            var formatted = extension.Format(true);
+            var lines = formatted.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries);
+            foreach (var line in lines)
+            {
+                var parts = line.Split('=');
+                if (parts.Length == 2)
+                {
+                    yield return parts[1].Trim();
+                }
+            }
+        }
+    }
+
+    private static byte[] ComputePreAuthEncoding(string payloadType, byte[] payload)
+    {
+        var headerBytes = Encoding.UTF8.GetBytes(payloadType ?? string.Empty);
+        var buffer = new byte[6 + 8 + headerBytes.Length + 8 + payload.Length];
+        var offset = 0;
+
+        Encoding.ASCII.GetBytes("DSSEv1", 0, 6, buffer, offset);
+        offset += 6;
+
+        BinaryPrimitives.WriteUInt64BigEndian(buffer.AsSpan(offset, 8), (ulong)headerBytes.Length);
+        offset += 8;
+        Buffer.BlockCopy(headerBytes, 0, buffer, offset, headerBytes.Length);
+        offset += headerBytes.Length;
+
+        BinaryPrimitives.WriteUInt64BigEndian(buffer.AsSpan(offset, 8), (ulong)payload.Length);
+        offset += 8;
+        Buffer.BlockCopy(payload, 0, buffer, offset, payload.Length);
+
+        return buffer;
+    }
+
+    private void VerifyMerkleProof(AttestorEntry entry, IList<string> issues)
+    {
+        if (entry.Proof is null)
+        {
+            issues.Add("proof_missing");
+            return;
+        }
+
+        if (!TryDecodeHash(entry.BundleSha256, out var bundleHash))
+        {
+            issues.Add("bundle_hash_decode_failed");
+            return;
+        }
+
+        if (entry.Proof.Inclusion is null)
+        {
+            issues.Add("proof_inclusion_missing");
+            return;
+        }
+
+        if (entry.Proof.Inclusion.LeafHash is not null)
+        {
+            if (!TryDecodeHash(entry.Proof.Inclusion.LeafHash, out var proofLeaf))
+            {
+                issues.Add("proof_leafhash_decode_failed");
+                return;
+            }
+
+            if (!CryptographicOperations.FixedTimeEquals(bundleHash, proofLeaf))
+            {
+                issues.Add("proof_leafhash_mismatch");
+            }
+        }
+
+        var current = bundleHash;
+
+        if (entry.Proof.Inclusion.Path.Count > 0)
+        {
+            var nodes = new List<ProofPathNode>();
+            foreach (var element in entry.Proof.Inclusion.Path)
+            {
+                if (!ProofPathNode.TryParse(element, out var node))
+                {
+                    issues.Add("proof_path_decode_failed");
+                    return;
+                }
+
+                if (!node.HasOrientation)
+                {
+                    issues.Add("proof_path_orientation_missing");
+                    return;
+                }
+
+                nodes.Add(node);
+            }
+
+            foreach (var node in nodes)
+            {
+                current = node.Left
+                    ? HashInternal(node.Hash, current)
+                    : HashInternal(current, node.Hash);
+            }
+        }
+
+        if (entry.Proof.Checkpoint is null)
+        {
+            issues.Add("checkpoint_missing");
+            return;
+        }
+
+        if (!TryDecodeHash(entry.Proof.Checkpoint.RootHash, out var rootHash))
+        {
+            issues.Add("checkpoint_root_decode_failed");
+            return;
+        }
+
+        if (!CryptographicOperations.FixedTimeEquals(current, rootHash))
+        {
+            issues.Add("proof_root_mismatch");
+        }
+    }
+
+    private static byte[] HashInternal(byte[] left, byte[] right)
+    {
+        using var sha = SHA256.Create();
+        var buffer = new byte[1 + left.Length + right.Length];
+        buffer[0] = 0x01;
+        Buffer.BlockCopy(left, 0, buffer, 1, left.Length);
+        Buffer.BlockCopy(right, 0, buffer, 1 + left.Length, right.Length);
+        return sha.ComputeHash(buffer);
+    }
+
+    private static bool TryDecodeSecret(string value, out byte[] bytes)
+    {
+        if (string.IsNullOrWhiteSpace(value))
+        {
+            bytes = Array.Empty<byte>();
+            return false;
+        }
+
+        value = value.Trim();
+
+        if (value.StartsWith("base64:", StringComparison.OrdinalIgnoreCase))
+        {
+            return TryDecodeBase64(value[7..], out bytes);
+        }
+
+        if (value.StartsWith("hex:", StringComparison.OrdinalIgnoreCase))
+        {
+            return TryDecodeHex(value[4..], out bytes);
+        }
+
+        if (TryDecodeBase64(value, out bytes))
+        {
+            return true;
+        }
+
+        if (TryDecodeHex(value, out bytes))
+        {
+            return true;
+        }
+
+        bytes = Array.Empty<byte>();
+        return false;
+    }
+
+    private static bool TryDecodeBase64(string value, out byte[] bytes)
+    {
+        try
+        {
+            bytes = Convert.FromBase64String(value);
+            return true;
+        }
+        catch (FormatException)
+        {
+            bytes = Array.Empty<byte>();
+            return false;
+        }
+    }
+
+    private static bool TryDecodeHex(string value, out byte[] bytes)
+    {
+        try
+        {
+            bytes = Convert.FromHexString(value);
+            return true;
+        }
+        catch (FormatException)
+        {
+            bytes = Array.Empty<byte>();
+            return false;
+        }
+    }
+
+    private static bool TryDecodeHash(string? value, out byte[] bytes)
+    {
+        bytes = Array.Empty<byte>();
+        if (string.IsNullOrWhiteSpace(value))
+        {
+            return false;
+        }
+
+        var trimmed = value.Trim();
+
+        if (TryDecodeHex(trimmed, out bytes))
+        {
+            return true;
+        }
+
+        if (TryDecodeBase64(trimmed, out bytes))
+        {
+            return true;
+        }
+
+        bytes = Array.Empty<byte>();
+        return false;
+    }
+
+    private readonly struct ProofPathNode
+    {
+        private ProofPathNode(bool hasOrientation, bool left, byte[] hash)
+        {
+            HasOrientation = hasOrientation;
+            Left = left;
+            Hash = hash;
+        }
+
+        public bool HasOrientation { get; }
+
+        public bool Left { get; }
+
+        public byte[] Hash { get; }
+
+        public static bool TryParse(string value, out ProofPathNode node)
+        {
+            node = default;
+            if (string.IsNullOrWhiteSpace(value))
+            {
+                return false;
+            }
+
+            var trimmed = value.Trim();
+            var parts = trimmed.Split(':', 2);
+            bool hasOrientation = false;
+            bool left = false;
+            string hashPart = trimmed;
+
+            if (parts.Length == 2)
+            {
+                var prefix = parts[0].Trim().ToLowerInvariant();
+                if (prefix is "l" or "left")
+                {
+                    hasOrientation = true;
+                    left = true;
+                }
+                else if (prefix is "r" or "right")
+                {
+                    hasOrientation = true;
+                    left = false;
+                }
+
+                hashPart = parts[1].Trim();
+            }
+
+            if (!TryDecodeHash(hashPart, out var hash))
+            {
+                return false;
+            }
+
+            node = new ProofPathNode(hasOrientation, left, hash);
+            return true;
+        }
+    }
+
     private static AttestorEntry CloneWithProof(AttestorEntry entry, AttestorEntry.ProofDescriptor? proof)
     {
         return new AttestorEntry

src/StellaOps.Attestor/StellaOps.Attestor.Tests/AttestorSubmissionServiceTests.cs

@@ -80,6 +80,207 @@ public sealed class AttestorSubmissionServiceTests
         Assert.Equal(first.Uuid, stored!.RekorUuid);
     }
 
+    [Fact]
+    public async Task Validator_ThrowsWhenModeNotAllowed()
+    {
+        var canonicalizer = new DefaultDsseCanonicalizer();
+        var validator = new AttestorSubmissionValidator(canonicalizer, new[] { "kms" });
+
+        var request = CreateValidRequest(canonicalizer);
+        request.Bundle.Mode = "keyless";
+
+        await Assert.ThrowsAsync<AttestorValidationException>(() => validator.ValidateAsync(request));
+    }
+
+    [Fact]
+    public async Task SubmitAsync_Throws_WhenMirrorDisabledButRequested()
+    {
+        var options = Options.Create(new AttestorOptions
+        {
+            Redis = new AttestorOptions.RedisOptions { Url = string.Empty },
+            Rekor = new AttestorOptions.RekorOptions
+            {
+                Primary = new AttestorOptions.RekorBackendOptions
+                {
+                    Url = "https://rekor.primary.test",
+                    ProofTimeoutMs = 1000,
+                    PollIntervalMs = 50,
+                    MaxAttempts = 2
+                }
+            }
+        });
+
+        var canonicalizer = new DefaultDsseCanonicalizer();
+        var validator = new AttestorSubmissionValidator(canonicalizer);
+        var repository = new InMemoryAttestorEntryRepository();
+        var dedupeStore = new InMemoryAttestorDedupeStore();
+        var rekorClient = new StubRekorClient(new NullLogger<StubRekorClient>());
+        var archiveStore = new NullAttestorArchiveStore(new NullLogger<NullAttestorArchiveStore>());
+        var auditSink = new InMemoryAttestorAuditSink();
+        var logger = new NullLogger<AttestorSubmissionService>();
+        using var metrics = new AttestorMetrics();
+
+        var service = new AttestorSubmissionService(
+            validator,
+            repository,
+            dedupeStore,
+            rekorClient,
+            archiveStore,
+            auditSink,
+            options,
+            logger,
+            TimeProvider.System,
+            metrics);
+
+        var request = CreateValidRequest(canonicalizer);
+        request.Meta.LogPreference = "mirror";
+
+        var context = new SubmissionContext
+        {
+            CallerSubject = "urn:stellaops:signer",
+            CallerAudience = "attestor",
+            CallerClientId = "signer-service",
+            CallerTenant = "default"
+        };
+
+        var ex = await Assert.ThrowsAsync<AttestorValidationException>(() => service.SubmitAsync(request, context));
+        Assert.Equal("mirror_disabled", ex.Code);
+    }
+
+    [Fact]
+    public async Task SubmitAsync_ReturnsMirrorMetadata_WhenPreferenceBoth()
+    {
+        var options = Options.Create(new AttestorOptions
+        {
+            Redis = new AttestorOptions.RedisOptions { Url = string.Empty },
+            Rekor = new AttestorOptions.RekorOptions
+            {
+                Primary = new AttestorOptions.RekorBackendOptions
+                {
+                    Url = "https://rekor.primary.test",
+                    ProofTimeoutMs = 1000,
+                    PollIntervalMs = 50,
+                    MaxAttempts = 2
+                },
+                Mirror = new AttestorOptions.RekorMirrorOptions
+                {
+                    Enabled = true,
+                    Url = "https://rekor.mirror.test",
+                    ProofTimeoutMs = 1000,
+                    PollIntervalMs = 50,
+                    MaxAttempts = 2
+                }
+            }
+        });
+
+        var canonicalizer = new DefaultDsseCanonicalizer();
+        var validator = new AttestorSubmissionValidator(canonicalizer);
+        var repository = new InMemoryAttestorEntryRepository();
+        var dedupeStore = new InMemoryAttestorDedupeStore();
+        var rekorClient = new StubRekorClient(new NullLogger<StubRekorClient>());
+        var archiveStore = new NullAttestorArchiveStore(new NullLogger<NullAttestorArchiveStore>());
+        var auditSink = new InMemoryAttestorAuditSink();
+        var logger = new NullLogger<AttestorSubmissionService>();
+        using var metrics = new AttestorMetrics();
+
+        var service = new AttestorSubmissionService(
+            validator,
+            repository,
+            dedupeStore,
+            rekorClient,
+            archiveStore,
+            auditSink,
+            options,
+            logger,
+            TimeProvider.System,
+            metrics);
+
+        var request = CreateValidRequest(canonicalizer);
+        request.Meta.LogPreference = "both";
+
+        var context = new SubmissionContext
+        {
+            CallerSubject = "urn:stellaops:signer",
+            CallerAudience = "attestor",
+            CallerClientId = "signer-service",
+            CallerTenant = "default"
+        };
+
+        var result = await service.SubmitAsync(request, context);
+
+        Assert.NotNull(result.Mirror);
+        Assert.False(string.IsNullOrEmpty(result.Mirror!.Uuid));
+        Assert.Equal("included", result.Mirror.Status);
+    }
+
+    [Fact]
+    public async Task SubmitAsync_UsesMirrorAsCanonical_WhenPreferenceMirror()
+    {
+        var options = Options.Create(new AttestorOptions
+        {
+            Redis = new AttestorOptions.RedisOptions { Url = string.Empty },
+            Rekor = new AttestorOptions.RekorOptions
+            {
+                Primary = new AttestorOptions.RekorBackendOptions
+                {
+                    Url = "https://rekor.primary.test",
+                    ProofTimeoutMs = 1000,
+                    PollIntervalMs = 50,
+                    MaxAttempts = 2
+                },
+                Mirror = new AttestorOptions.RekorMirrorOptions
+                {
+                    Enabled = true,
+                    Url = "https://rekor.mirror.test",
+                    ProofTimeoutMs = 1000,
+                    PollIntervalMs = 50,
+                    MaxAttempts = 2
+                }
+            }
+        });
+
+        var canonicalizer = new DefaultDsseCanonicalizer();
+        var validator = new AttestorSubmissionValidator(canonicalizer);
+        var repository = new InMemoryAttestorEntryRepository();
+        var dedupeStore = new InMemoryAttestorDedupeStore();
+        var rekorClient = new StubRekorClient(new NullLogger<StubRekorClient>());
+        var archiveStore = new NullAttestorArchiveStore(new NullLogger<NullAttestorArchiveStore>());
+        var auditSink = new InMemoryAttestorAuditSink();
+        var logger = new NullLogger<AttestorSubmissionService>();
+        using var metrics = new AttestorMetrics();
+
+        var service = new AttestorSubmissionService(
+            validator,
+            repository,
+            dedupeStore,
+            rekorClient,
+            archiveStore,
+            auditSink,
+            options,
+            logger,
+            TimeProvider.System,
+            metrics);
+
+        var request = CreateValidRequest(canonicalizer);
+        request.Meta.LogPreference = "mirror";
+
+        var context = new SubmissionContext
+        {
+            CallerSubject = "urn:stellaops:signer",
+            CallerAudience = "attestor",
+            CallerClientId = "signer-service",
+            CallerTenant = "default"
+        };
+
+        var result = await service.SubmitAsync(request, context);
+
+        Assert.NotNull(result.Uuid);
+        var stored = await repository.GetByBundleShaAsync(request.Meta.BundleSha256);
+        Assert.NotNull(stored);
+        Assert.Equal("mirror", stored!.Log.Backend);
+        Assert.Null(result.Mirror);
+    }
+
     private static AttestorSubmissionRequest CreateValidRequest(DefaultDsseCanonicalizer canonicalizer)
     {
         var request = new AttestorSubmissionRequest

src/StellaOps.Attestor/StellaOps.Attestor.Tests/AttestorVerificationServiceTests.cs

@@ -1,3 +1,5 @@
+using System.Buffers.Binary;
+using System.Collections.Generic;
 using System.Security.Cryptography;
 using System.Text;
 using System.Threading.Tasks;
@@ -17,6 +19,9 @@ namespace StellaOps.Attestor.Tests;
 
 public sealed class AttestorVerificationServiceTests
 {
+    private static readonly byte[] HmacSecret = Encoding.UTF8.GetBytes("attestor-hmac-secret");
+    private static readonly string HmacSecretBase64 = Convert.ToBase64String(HmacSecret);
+
     [Fact]
     public async Task VerifyAsync_ReturnsOk_ForExistingUuid()
     {
@@ -35,6 +40,14 @@ public sealed class AttestorVerificationServiceTests
                     PollIntervalMs = 50,
                     MaxAttempts = 2
                 }
+            },
+            Security = new AttestorOptions.SecurityOptions
+            {
+                SignerIdentity = new AttestorOptions.SignerIdentityOptions
+                {
+                    Mode = { "kms" },
+                    KmsKeys = { HmacSecretBase64 }
+                }
             }
         });
 
@@ -57,7 +70,7 @@ public sealed class AttestorVerificationServiceTests
             TimeProvider.System,
             metrics);
 
-        var submission = CreateSubmissionRequest(canonicalizer);
+        var submission = CreateSubmissionRequest(canonicalizer, HmacSecret);
         var context = new SubmissionContext
         {
             CallerSubject = "urn:stellaops:signer",
@@ -73,11 +86,13 @@ public sealed class AttestorVerificationServiceTests
             canonicalizer,
             rekorClient,
             options,
-            new NullLogger<AttestorVerificationService>());
+            new NullLogger<AttestorVerificationService>(),
+            metrics);
 
         var verifyResult = await verificationService.VerifyAsync(new AttestorVerificationRequest
         {
-            Uuid = response.Uuid
+            Uuid = response.Uuid,
+            Bundle = submission.Bundle
         });
 
         Assert.True(verifyResult.Ok);
@@ -100,6 +115,14 @@ public sealed class AttestorVerificationServiceTests
                     PollIntervalMs = 50,
                     MaxAttempts = 2
                 }
+            },
+            Security = new AttestorOptions.SecurityOptions
+            {
+                SignerIdentity = new AttestorOptions.SignerIdentityOptions
+                {
+                    Mode = { "kms" },
+                    KmsKeys = { HmacSecretBase64 }
+                }
             }
         });
 
@@ -122,7 +145,7 @@ public sealed class AttestorVerificationServiceTests
             TimeProvider.System,
             metrics);
 
-        var submission = CreateSubmissionRequest(canonicalizer);
+        var submission = CreateSubmissionRequest(canonicalizer, HmacSecret);
         var context = new SubmissionContext
         {
             CallerSubject = "urn:stellaops:signer",
@@ -138,9 +161,10 @@ public sealed class AttestorVerificationServiceTests
             canonicalizer,
             rekorClient,
             options,
-            new NullLogger<AttestorVerificationService>());
+            new NullLogger<AttestorVerificationService>(),
+            metrics);
 
-        var tamperedBundle = submission.Bundle;
+        var tamperedBundle = CloneBundle(submission.Bundle);
         tamperedBundle.Dsse.PayloadBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes("{\"tampered\":true}"));
 
         var result = await verificationService.VerifyAsync(new AttestorVerificationRequest
@@ -150,29 +174,21 @@ public sealed class AttestorVerificationServiceTests
         });
 
         Assert.False(result.Ok);
-        Assert.Contains(result.Issues, issue => issue.Contains("Bundle hash", StringComparison.OrdinalIgnoreCase));
+        Assert.Contains(result.Issues, issue => issue.Contains("signature_invalid", StringComparison.OrdinalIgnoreCase));
     }
 
-    private static AttestorSubmissionRequest CreateSubmissionRequest(DefaultDsseCanonicalizer canonicalizer)
+    private static AttestorSubmissionRequest CreateSubmissionRequest(DefaultDsseCanonicalizer canonicalizer, byte[] hmacSecret)
     {
         var payload = Encoding.UTF8.GetBytes("{}");
         var request = new AttestorSubmissionRequest
         {
             Bundle = new AttestorSubmissionRequest.SubmissionBundle
             {
-                Mode = "keyless",
+                Mode = "kms",
                 Dsse = new AttestorSubmissionRequest.DsseEnvelope
                 {
                     PayloadType = "application/vnd.in-toto+json",
-                    PayloadBase64 = Convert.ToBase64String(payload),
-                    Signatures =
-                    {
-                        new AttestorSubmissionRequest.DsseSignature
-                        {
-                            KeyId = "test",
-                            Signature = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32))
-                        }
-                    }
+                    PayloadBase64 = Convert.ToBase64String(payload)
                 }
             },
             Meta = new AttestorSubmissionRequest.SubmissionMeta
@@ -187,8 +203,65 @@ public sealed class AttestorVerificationServiceTests
             }
         };
 
+        var preAuth = ComputePreAuthEncodingForTests(request.Bundle.Dsse.PayloadType, payload);
+        using (var hmac = new HMACSHA256(hmacSecret))
+        {
+            var signature = hmac.ComputeHash(preAuth);
+            request.Bundle.Dsse.Signatures.Add(new AttestorSubmissionRequest.DsseSignature
+            {
+                KeyId = "kms-test",
+                Signature = Convert.ToBase64String(signature)
+            });
+        }
+
         var canonical = canonicalizer.CanonicalizeAsync(request).GetAwaiter().GetResult();
         request.Meta.BundleSha256 = Convert.ToHexString(SHA256.HashData(canonical)).ToLowerInvariant();
         return request;
     }
+
+    private static AttestorSubmissionRequest.SubmissionBundle CloneBundle(AttestorSubmissionRequest.SubmissionBundle source)
+    {
+        var clone = new AttestorSubmissionRequest.SubmissionBundle
+        {
+            Mode = source.Mode,
+            Dsse = new AttestorSubmissionRequest.DsseEnvelope
+            {
+                PayloadType = source.Dsse.PayloadType,
+                PayloadBase64 = source.Dsse.PayloadBase64
+            }
+        };
+
+        foreach (var certificate in source.CertificateChain)
+        {
+            clone.CertificateChain.Add(certificate);
+        }
+
+        foreach (var signature in source.Dsse.Signatures)
+        {
+            clone.Dsse.Signatures.Add(new AttestorSubmissionRequest.DsseSignature
+            {
+                KeyId = signature.KeyId,
+                Signature = signature.Signature
+            });
+        }
+
+        return clone;
+    }
+
+    private static byte[] ComputePreAuthEncodingForTests(string payloadType, byte[] payload)
+    {
+        var headerBytes = Encoding.UTF8.GetBytes(payloadType ?? string.Empty);
+        var buffer = new byte[6 + 8 + headerBytes.Length + 8 + payload.Length];
+        var offset = 0;
+        Encoding.ASCII.GetBytes("DSSEv1", 0, 6, buffer, offset);
+        offset += 6;
+        BinaryPrimitives.WriteUInt64BigEndian(buffer.AsSpan(offset, 8), (ulong)headerBytes.Length);
+        offset += 8;
+        Buffer.BlockCopy(headerBytes, 0, buffer, offset, headerBytes.Length);
+        offset += headerBytes.Length;
+        BinaryPrimitives.WriteUInt64BigEndian(buffer.AsSpan(offset, 8), (ulong)payload.Length);
+        offset += 8;
+        Buffer.BlockCopy(payload, 0, buffer, offset, payload.Length);
+        return buffer;
+    }
 }

src/StellaOps.Attestor/StellaOps.Attestor.WebService/Program.cs

@@ -1,6 +1,11 @@
 using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Security.Authentication;
+using System.Security.Cryptography;
 using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
+using System.Threading.RateLimiting;
 using Serilog;
 using Serilog.Events;
 using StellaOps.Attestor.Core.Options;
@@ -13,6 +18,7 @@ using OpenTelemetry.Metrics;
 using StellaOps.Attestor.Core.Observability;
 using StellaOps.Attestor.Core.Verification;
 using Microsoft.AspNetCore.Server.Kestrel.Https;
+using Serilog.Context;
 
 const string ConfigurationSection = "attestor";
 
@@ -36,9 +42,45 @@ builder.Host.UseSerilog((context, services, loggerConfiguration) =>
 
 var attestorOptions = builder.Configuration.BindOptions<AttestorOptions>(ConfigurationSection);
 
+var clientCertificateAuthorities = LoadClientCertificateAuthorities(attestorOptions.Security.Mtls.CaBundle);
+
 builder.Services.AddSingleton(TimeProvider.System);
 builder.Services.AddSingleton(attestorOptions);
 
+builder.Services.AddRateLimiter(options =>
+{
+    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
+    options.OnRejected = static (context, _) =>
+    {
+        context.HttpContext.Response.Headers.TryAdd("Retry-After", "1");
+        return ValueTask.CompletedTask;
+    };
+
+    options.AddPolicy("attestor-submissions", httpContext =>
+    {
+        var identity = httpContext.Connection.ClientCertificate?.Thumbprint
+            ?? httpContext.User.FindFirst("sub")?.Value
+            ?? httpContext.User.FindFirst("client_id")?.Value
+            ?? httpContext.Connection.RemoteIpAddress?.ToString()
+            ?? "anonymous";
+
+        var quota = attestorOptions.Quotas.PerCaller;
+        var tokensPerPeriod = Math.Max(1, quota.Qps);
+        var tokenLimit = Math.Max(tokensPerPeriod, quota.Burst);
+        var queueLimit = Math.Max(quota.Burst, tokensPerPeriod);
+
+        return RateLimitPartition.GetTokenBucketLimiter(identity, _ => new TokenBucketRateLimiterOptions
+        {
+            TokenLimit = tokenLimit,
+            TokensPerPeriod = tokensPerPeriod,
+            ReplenishmentPeriod = TimeSpan.FromSeconds(1),
+            QueueLimit = queueLimit,
+            QueueProcessingOrder = QueueProcessingOrder.OldestFirst,
+            AutoReplenishment = true
+        });
+    });
+});
+
 builder.Services.AddOptions<AttestorOptions>()
     .Bind(builder.Configuration.GetSection(ConfigurationSection))
     .ValidateOnStart();
@@ -105,6 +147,61 @@ builder.WebHost.ConfigureKestrel(kestrel =>
         {
             https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
         }
+
+        https.SslProtocols = SslProtocols.Tls13 | SslProtocols.Tls12;
+
+        https.ClientCertificateValidation = (certificate, _, _) =>
+        {
+            if (!attestorOptions.Security.Mtls.RequireClientCertificate)
+            {
+                return true;
+            }
+
+            if (certificate is null)
+            {
+                Log.Warning("Client certificate missing");
+                return false;
+            }
+
+            if (clientCertificateAuthorities.Count > 0)
+            {
+                using var chain = new X509Chain
+                {
+                    ChainPolicy =
+                    {
+                        RevocationMode = X509RevocationMode.NoCheck,
+                        TrustMode = X509ChainTrustMode.CustomRootTrust
+                    }
+                };
+
+                foreach (var authority in clientCertificateAuthorities)
+                {
+                    chain.ChainPolicy.CustomTrustStore.Add(authority);
+                }
+
+                if (!chain.Build(certificate))
+                {
+                    Log.Warning("Client certificate chain validation failed for {Subject}", certificate.Subject);
+                    return false;
+                }
+            }
+
+            if (attestorOptions.Security.Mtls.AllowedThumbprints.Count > 0 &&
+                !attestorOptions.Security.Mtls.AllowedThumbprints.Contains(certificate.Thumbprint ?? string.Empty, StringComparer.OrdinalIgnoreCase))
+            {
+                Log.Warning("Client certificate thumbprint {Thumbprint} rejected", certificate.Thumbprint);
+                return false;
+            }
+
+            if (attestorOptions.Security.Mtls.AllowedSubjects.Count > 0 &&
+                !attestorOptions.Security.Mtls.AllowedSubjects.Contains(certificate.Subject, StringComparer.OrdinalIgnoreCase))
+            {
+                Log.Warning("Client certificate subject {Subject} rejected", certificate.Subject);
+                return false;
+            }
+
+            return true;
+        };
     });
 });
 
@@ -112,6 +209,22 @@ var app = builder.Build();
 
 app.UseSerilogRequestLogging();
 
+app.Use(async (context, next) =>
+{
+    var correlationId = context.Request.Headers["X-Correlation-Id"].FirstOrDefault();
+    if (string.IsNullOrWhiteSpace(correlationId))
+    {
+        correlationId = Guid.NewGuid().ToString("N");
+    }
+
+    context.Response.Headers["X-Correlation-Id"] = correlationId;
+
+    using (LogContext.PushProperty("CorrelationId", correlationId))
+    {
+        await next().ConfigureAwait(false);
+    }
+});
+
 app.UseExceptionHandler(static handler =>
 {
     handler.Run(async context =>
@@ -121,6 +234,8 @@ app.UseExceptionHandler(static handler =>
     });
 });
 
+app.UseRateLimiter();
+
 app.UseAuthentication();
 app.UseAuthorization();
 
@@ -156,7 +271,8 @@ app.MapPost("/api/v1/rekor/entries", async (AttestorSubmissionRequest request, H
         });
     }
 })
-.RequireAuthorization("attestor:write");
+.RequireAuthorization("attestor:write")
+.RequireRateLimiting("attestor-submissions");
 
 app.MapGet("/api/v1/rekor/entries/{uuid}", async (string uuid, bool? refresh, IAttestorVerificationService verificationService, CancellationToken cancellationToken) =>
 {
@@ -170,6 +286,7 @@ app.MapGet("/api/v1/rekor/entries/{uuid}", async (string uuid, bool? refresh, IA
     {
         uuid = entry.RekorUuid,
         index = entry.Index,
+        backend = entry.Log.Backend,
         proof = entry.Proof is null ? null : new
         {
             checkpoint = entry.Proof.Checkpoint is null ? null : new
@@ -187,6 +304,30 @@ app.MapGet("/api/v1/rekor/entries/{uuid}", async (string uuid, bool? refresh, IA
         },
         logURL = entry.Log.Url,
         status = entry.Status,
+        mirror = entry.Mirror is null ? null : new
+        {
+            backend = entry.Mirror.Backend,
+            uuid = entry.Mirror.Uuid,
+            index = entry.Mirror.Index,
+            logURL = entry.Mirror.Url,
+            status = entry.Mirror.Status,
+            proof = entry.Mirror.Proof is null ? null : new
+            {
+                checkpoint = entry.Mirror.Proof.Checkpoint is null ? null : new
+                {
+                    origin = entry.Mirror.Proof.Checkpoint.Origin,
+                    size = entry.Mirror.Proof.Checkpoint.Size,
+                    rootHash = entry.Mirror.Proof.Checkpoint.RootHash,
+                    timestamp = entry.Mirror.Proof.Checkpoint.Timestamp?.ToString("O")
+                },
+                inclusion = entry.Mirror.Proof.Inclusion is null ? null : new
+                {
+                    leafHash = entry.Mirror.Proof.Inclusion.LeafHash,
+                    path = entry.Mirror.Proof.Inclusion.Path
+                }
+            },
+            error = entry.Mirror.Error
+        },
         artifact = new
         {
             sha256 = entry.Artifact.Sha256,
@@ -232,3 +373,33 @@ static SubmissionContext BuildSubmissionContext(ClaimsPrincipal user, X509Certif
         MtlsThumbprint = certificate.Thumbprint
     };
 }
+
+static List<X509Certificate2> LoadClientCertificateAuthorities(string? path)
+{
+    var certificates = new List<X509Certificate2>();
+
+    if (string.IsNullOrWhiteSpace(path))
+    {
+        return certificates;
+    }
+
+    try
+    {
+        if (!File.Exists(path))
+        {
+            Log.Warning("Client CA bundle '{Path}' not found", path);
+            return certificates;
+        }
+
+        var collection = new X509Certificate2Collection();
+        collection.ImportFromPemFile(path);
+
+        certificates.AddRange(collection.Cast<X509Certificate2>());
+    }
+    catch (Exception ex) when (ex is IOException or CryptographicException)
+    {
+        Log.Warning(ex, "Failed to load client CA bundle from {Path}", path);
+    }
+
+    return certificates;
+}

src/StellaOps.Attestor/TASKS.md

@@ -6,6 +6,5 @@
 | ATTESTOR-VERIFY-11-202 | DONE (2025-10-19) | Attestor Guild | — | `/rekor/verify` + retrieval endpoints validating signatures and Merkle proofs. | ✅ `GET /api/v1/rekor/entries/{uuid}` surfaces cached entries with optional backend refresh and handles not-found/refresh flows.<br>✅ `POST /api/v1/rekor/verify` accepts UUID, bundle, or artifact hash inputs; verifies DSSE signatures, Merkle proofs, and checkpoint anchors.<br>✅ Verification output returns `{ok, uuid, index, logURL, checkedAt}` with failure diagnostics for invalid proofs.<br>✅ Unit/integration tests exercise cache hits, backend refresh, invalid bundle/proof scenarios, and checkpoint trust anchor enforcement. |
 | ATTESTOR-OBS-11-203 | DONE (2025-10-19) | Attestor Guild | — | Telemetry, alerting, mTLS hardening, and archive workflow for Attestor. | ✅ Structured logs, metrics, and optional traces record submission latency, proof fetch outcomes, verification results, and Rekor error buckets with correlation IDs.<br>✅ mTLS enforcement hardened (peer allowlist, SAN checks, rate limiting) and documented; TLS settings audited for modern ciphers only.<br>✅ Alerting/dashboard pack covers error rates, proof backlog, Redis/Mongo health, and archive job failures; runbook updated.<br>✅ Archive workflow includes retention policy jobs, failure alerts, and periodic verification of stored bundles and proofs. |
 
-> Remark (2025-10-19): Wave 0 prerequisites reviewed (none outstanding); Attestor Guild tasks moved to DOING for execution.
-> Remark (2025-10-19): `/rekor/entries` submission service implemented with Mongo/Redis persistence, optional S3 archival, Rekor HTTP client, and OpenTelemetry metrics; verification APIs (`/rekor/entries/{uuid}`, `/rekor/verify`) added with proof refresh and canonical hash checks. Remaining: integrate real Rekor endpoints in staging and expand failure-mode tests.
-> Remark (2025-10-19): Added Rekor mock client + integration harness to unblock attestor verification testing without external connectivity. Follow-up tasks to wire staging Rekor and record retry/error behavior still pending.
+> Remark (2025-10-19): Wave 0 prerequisites reviewed (none outstanding); ATTESTOR-API-11-201, ATTESTOR-VERIFY-11-202, and ATTESTOR-OBS-11-203 tracked as DOING per Wave 0A kickoff.
+> Remark (2025-10-19): Dual-log submissions, signature/proof verification, and observability hardening landed; attestor endpoints now rate-limited per client with correlation-ID logging and updated docs/tests.

src/StellaOps.Auth.Security/Dpop/DpopNonceConsumeResult.cs

@@ -0,0 +1,50 @@
+using System;
+
+namespace StellaOps.Auth.Security.Dpop;
+
+/// <summary>
+/// Represents the outcome of attempting to consume a DPoP nonce.
+/// </summary>
+public sealed class DpopNonceConsumeResult
+{
+    private DpopNonceConsumeResult(DpopNonceConsumeStatus status, DateTimeOffset? issuedAt, DateTimeOffset? expiresAt)
+    {
+        Status = status;
+        IssuedAt = issuedAt;
+        ExpiresAt = expiresAt;
+    }
+
+    /// <summary>
+    /// Consumption status.
+    /// </summary>
+    public DpopNonceConsumeStatus Status { get; }
+
+    /// <summary>
+    /// Timestamp the nonce was originally issued (when available).
+    /// </summary>
+    public DateTimeOffset? IssuedAt { get; }
+
+    /// <summary>
+    /// Expiry timestamp for the nonce (when available).
+    /// </summary>
+    public DateTimeOffset? ExpiresAt { get; }
+
+    public static DpopNonceConsumeResult Success(DateTimeOffset issuedAt, DateTimeOffset expiresAt)
+        => new(DpopNonceConsumeStatus.Success, issuedAt, expiresAt);
+
+    public static DpopNonceConsumeResult Expired(DateTimeOffset? issuedAt, DateTimeOffset expiresAt)
+        => new(DpopNonceConsumeStatus.Expired, issuedAt, expiresAt);
+
+    public static DpopNonceConsumeResult NotFound()
+        => new(DpopNonceConsumeStatus.NotFound, null, null);
+}
+
+/// <summary>
+/// Known statuses for nonce consumption attempts.
+/// </summary>
+public enum DpopNonceConsumeStatus
+{
+    Success,
+    Expired,
+    NotFound
+}

src/StellaOps.Auth.Security/Dpop/DpopNonceIssueResult.cs

@@ -0,0 +1,56 @@
+using System;
+
+namespace StellaOps.Auth.Security.Dpop;
+
+/// <summary>
+/// Represents the result of issuing a DPoP nonce.
+/// </summary>
+public sealed class DpopNonceIssueResult
+{
+    private DpopNonceIssueResult(DpopNonceIssueStatus status, string? nonce, DateTimeOffset? expiresAt, string? error)
+    {
+        Status = status;
+        Nonce = nonce;
+        ExpiresAt = expiresAt;
+        Error = error;
+    }
+
+    /// <summary>
+    /// Issue status.
+    /// </summary>
+    public DpopNonceIssueStatus Status { get; }
+
+    /// <summary>
+    /// Issued nonce when <see cref="Status"/> is <see cref="DpopNonceIssueStatus.Success"/>.
+    /// </summary>
+    public string? Nonce { get; }
+
+    /// <summary>
+    /// Expiry timestamp for the issued nonce (UTC).
+    /// </summary>
+    public DateTimeOffset? ExpiresAt { get; }
+
+    /// <summary>
+    /// Additional failure information, where applicable.
+    /// </summary>
+    public string? Error { get; }
+
+    public static DpopNonceIssueResult Success(string nonce, DateTimeOffset expiresAt)
+        => new(DpopNonceIssueStatus.Success, nonce, expiresAt, null);
+
+    public static DpopNonceIssueResult RateLimited(string? error = null)
+        => new(DpopNonceIssueStatus.RateLimited, null, null, error);
+
+    public static DpopNonceIssueResult Failure(string? error = null)
+        => new(DpopNonceIssueStatus.Failure, null, null, error);
+}
+
+/// <summary>
+/// Known statuses for nonce issuance.
+/// </summary>
+public enum DpopNonceIssueStatus
+{
+    Success,
+    RateLimited,
+    Failure
+}

src/StellaOps.Auth.Security/Dpop/DpopNonceUtilities.cs

@@ -0,0 +1,66 @@
+using System;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace StellaOps.Auth.Security.Dpop;
+
+internal static class DpopNonceUtilities
+{
+    private static readonly char[] Base64Padding = { '=' };
+
+    internal static string GenerateNonce()
+    {
+        Span<byte> buffer = stackalloc byte[32];
+        RandomNumberGenerator.Fill(buffer);
+
+        return Convert.ToBase64String(buffer)
+            .TrimEnd(Base64Padding)
+            .Replace('+', '-')
+            .Replace('/', '_');
+    }
+
+    internal static byte[] ComputeNonceHash(string nonce)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(nonce);
+        var bytes = Encoding.UTF8.GetBytes(nonce);
+        return SHA256.HashData(bytes);
+    }
+
+    internal static string EncodeHash(ReadOnlySpan<byte> hash)
+        => Convert.ToHexString(hash);
+
+    internal static string ComputeStorageKey(string audience, string clientId, string keyThumbprint)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(audience);
+        ArgumentException.ThrowIfNullOrWhiteSpace(clientId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(keyThumbprint);
+
+        return string.Create(
+            "dpop-nonce:".Length + audience.Length + clientId.Length + keyThumbprint.Length + 2,
+            (audience.Trim(), clientId.Trim(), keyThumbprint.Trim()),
+            static (span, parts) =>
+            {
+                var index = 0;
+                const string Prefix = "dpop-nonce:";
+                Prefix.CopyTo(span);
+                index += Prefix.Length;
+
+                index = Append(span, index, parts.Item1);
+                span[index++] = ':';
+                index = Append(span, index, parts.Item2);
+                span[index++] = ':';
+                _ = Append(span, index, parts.Item3);
+            });
+
+        static int Append(Span<char> span, int index, string value)
+        {
+            if (value.Length == 0)
+            {
+                throw new ArgumentException("Value must not be empty after trimming.");
+            }
+
+            value.AsSpan().CopyTo(span[index..]);
+            return index + value.Length;
+        }
+    }
+}

src/StellaOps.Auth.Security/Dpop/IDpopNonceStore.cs

@@ -0,0 +1,45 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace StellaOps.Auth.Security.Dpop;
+
+/// <summary>
+/// Provides persistence and validation for DPoP nonces.
+/// </summary>
+public interface IDpopNonceStore
+{
+    /// <summary>
+    /// Issues a nonce tied to the specified audience, client, and DPoP key thumbprint.
+    /// </summary>
+    /// <param name="audience">Audience the nonce applies to.</param>
+    /// <param name="clientId">Client identifier requesting the nonce.</param>
+    /// <param name="keyThumbprint">Thumbprint of the DPoP public key.</param>
+    /// <param name="ttl">Time-to-live for the nonce.</param>
+    /// <param name="maxIssuancePerMinute">Maximum number of nonces that can be issued within a one-minute window for the tuple.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Outcome describing the issued nonce.</returns>
+    ValueTask<DpopNonceIssueResult> IssueAsync(
+        string audience,
+        string clientId,
+        string keyThumbprint,
+        TimeSpan ttl,
+        int maxIssuancePerMinute,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Attempts to consume a nonce previously issued for the tuple.
+    /// </summary>
+    /// <param name="nonce">Nonce supplied by the client.</param>
+    /// <param name="audience">Audience the nonce should match.</param>
+    /// <param name="clientId">Client identifier.</param>
+    /// <param name="keyThumbprint">Thumbprint of the DPoP public key.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Outcome describing whether the nonce was accepted.</returns>
+    ValueTask<DpopNonceConsumeResult> TryConsumeAsync(
+        string nonce,
+        string audience,
+        string clientId,
+        string keyThumbprint,
+        CancellationToken cancellationToken = default);
+}

src/StellaOps.Auth.Security/Dpop/InMemoryDpopNonceStore.cs

@@ -0,0 +1,176 @@
+using System;
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Security.Cryptography;
+using System.Text;
+using System.Threading;
+using Microsoft.Extensions.Logging;
+using System.Threading.Tasks;
+
+namespace StellaOps.Auth.Security.Dpop;
+
+/// <summary>
+/// In-memory implementation of <see cref="IDpopNonceStore"/> suitable for single-host or test environments.
+/// </summary>
+public sealed class InMemoryDpopNonceStore : IDpopNonceStore
+{
+    private static readonly TimeSpan IssuanceWindow = TimeSpan.FromMinutes(1);
+    private readonly ConcurrentDictionary<string, StoredNonce> nonces = new(StringComparer.Ordinal);
+    private readonly ConcurrentDictionary<string, IssuanceBucket> issuanceBuckets = new(StringComparer.Ordinal);
+    private readonly TimeProvider timeProvider;
+    private readonly ILogger<InMemoryDpopNonceStore>? logger;
+
+    public InMemoryDpopNonceStore(TimeProvider? timeProvider = null, ILogger<InMemoryDpopNonceStore>? logger = null)
+    {
+        this.timeProvider = timeProvider ?? TimeProvider.System;
+        this.logger = logger;
+    }
+
+    public ValueTask<DpopNonceIssueResult> IssueAsync(
+        string audience,
+        string clientId,
+        string keyThumbprint,
+        TimeSpan ttl,
+        int maxIssuancePerMinute,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(audience);
+        ArgumentException.ThrowIfNullOrWhiteSpace(clientId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(keyThumbprint);
+
+        if (ttl <= TimeSpan.Zero)
+        {
+            throw new ArgumentOutOfRangeException(nameof(ttl), "Nonce TTL must be greater than zero.");
+        }
+
+        if (maxIssuancePerMinute < 1)
+        {
+            throw new ArgumentOutOfRangeException(nameof(maxIssuancePerMinute), "Max issuance per minute must be at least 1.");
+        }
+
+        cancellationToken.ThrowIfCancellationRequested();
+
+        var now = timeProvider.GetUtcNow();
+        var bucketKey = BuildBucketKey(audience, clientId, keyThumbprint);
+        var bucket = issuanceBuckets.GetOrAdd(bucketKey, static _ => new IssuanceBucket());
+
+        bool allowed;
+        lock (bucket.SyncRoot)
+        {
+            bucket.Prune(now - IssuanceWindow);
+
+            if (bucket.IssuanceTimes.Count >= maxIssuancePerMinute)
+            {
+                allowed = false;
+            }
+            else
+            {
+                bucket.IssuanceTimes.Enqueue(now);
+                allowed = true;
+            }
+        }
+
+        if (!allowed)
+        {
+            logger?.LogDebug("DPoP nonce issuance throttled for {BucketKey}.", bucketKey);
+            return ValueTask.FromResult(DpopNonceIssueResult.RateLimited("rate_limited"));
+        }
+
+        var nonce = GenerateNonce();
+        var nonceKey = BuildNonceKey(audience, clientId, keyThumbprint, nonce);
+        var expiresAt = now + ttl;
+        nonces[nonceKey] = new StoredNonce(now, expiresAt);
+        return ValueTask.FromResult(DpopNonceIssueResult.Success(nonce, expiresAt));
+    }
+
+    public ValueTask<DpopNonceConsumeResult> TryConsumeAsync(
+        string nonce,
+        string audience,
+        string clientId,
+        string keyThumbprint,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(nonce);
+        ArgumentException.ThrowIfNullOrWhiteSpace(audience);
+        ArgumentException.ThrowIfNullOrWhiteSpace(clientId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(keyThumbprint);
+
+        cancellationToken.ThrowIfCancellationRequested();
+
+        var now = timeProvider.GetUtcNow();
+        var nonceKey = BuildNonceKey(audience, clientId, keyThumbprint, nonce);
+
+        if (!nonces.TryRemove(nonceKey, out var stored))
+        {
+            logger?.LogDebug("DPoP nonce {NonceKey} not found during consumption.", nonceKey);
+            return ValueTask.FromResult(DpopNonceConsumeResult.NotFound());
+        }
+
+        if (stored.ExpiresAt <= now)
+        {
+            logger?.LogDebug("DPoP nonce {NonceKey} expired at {ExpiresAt:o}.", nonceKey, stored.ExpiresAt);
+            return ValueTask.FromResult(DpopNonceConsumeResult.Expired(stored.IssuedAt, stored.ExpiresAt));
+        }
+
+        return ValueTask.FromResult(DpopNonceConsumeResult.Success(stored.IssuedAt, stored.ExpiresAt));
+    }
+
+    private static string BuildBucketKey(string audience, string clientId, string keyThumbprint)
+        => $"{audience.Trim().ToLowerInvariant()}::{clientId.Trim().ToLowerInvariant()}::{keyThumbprint.Trim().ToLowerInvariant()}";
+
+    private static string BuildNonceKey(string audience, string clientId, string keyThumbprint, string nonce)
+    {
+        var bucketKey = BuildBucketKey(audience, clientId, keyThumbprint);
+        var digest = ComputeSha256(nonce);
+        return $"{bucketKey}::{digest}";
+    }
+
+    private static string ComputeSha256(string value)
+    {
+        var bytes = Encoding.UTF8.GetBytes(value);
+        var hash = SHA256.HashData(bytes);
+        return Base64UrlEncode(hash);
+    }
+
+    private static string Base64UrlEncode(ReadOnlySpan<byte> bytes)
+    {
+        return Convert.ToBase64String(bytes)
+            .TrimEnd('=')
+            .Replace('+', '-')
+            .Replace('/', '_');
+    }
+
+    private static string GenerateNonce()
+    {
+        Span<byte> buffer = stackalloc byte[32];
+        RandomNumberGenerator.Fill(buffer);
+        return Base64UrlEncode(buffer);
+    }
+
+    private sealed class StoredNonce
+    {
+        internal StoredNonce(DateTimeOffset issuedAt, DateTimeOffset expiresAt)
+        {
+            IssuedAt = issuedAt;
+            ExpiresAt = expiresAt;
+        }
+
+        internal DateTimeOffset IssuedAt { get; }
+
+        internal DateTimeOffset ExpiresAt { get; }
+    }
+
+    private sealed class IssuanceBucket
+    {
+        internal object SyncRoot { get; } = new();
+        internal Queue<DateTimeOffset> IssuanceTimes { get; } = new();
+
+        internal void Prune(DateTimeOffset threshold)
+        {
+            while (IssuanceTimes.Count > 0 && IssuanceTimes.Peek() < threshold)
+            {
+                IssuanceTimes.Dequeue();
+            }
+        }
+    }
+}

src/StellaOps.Auth.Security/Dpop/RedisDpopNonceStore.cs

@@ -0,0 +1,138 @@
+using System;
+using System.Globalization;
+using System.Threading;
+using System.Threading.Tasks;
+using StackExchange.Redis;
+
+namespace StellaOps.Auth.Security.Dpop;
+
+/// <summary>
+/// Redis-backed implementation of <see cref="IDpopNonceStore"/> that supports multi-node deployments.
+/// </summary>
+public sealed class RedisDpopNonceStore : IDpopNonceStore
+{
+    private const string ConsumeScript = @"
+local value = redis.call('GET', KEYS[1])
+if value ~= false and value == ARGV[1] then
+  redis.call('DEL', KEYS[1])
+  return 1
+end
+return 0";
+
+    private readonly IConnectionMultiplexer connection;
+    private readonly TimeProvider timeProvider;
+
+    public RedisDpopNonceStore(IConnectionMultiplexer connection, TimeProvider? timeProvider = null)
+    {
+        this.connection = connection ?? throw new ArgumentNullException(nameof(connection));
+        this.timeProvider = timeProvider ?? TimeProvider.System;
+    }
+
+    public async ValueTask<DpopNonceIssueResult> IssueAsync(
+        string audience,
+        string clientId,
+        string keyThumbprint,
+        TimeSpan ttl,
+        int maxIssuancePerMinute,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(audience);
+        ArgumentException.ThrowIfNullOrWhiteSpace(clientId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(keyThumbprint);
+
+        if (ttl <= TimeSpan.Zero)
+        {
+            throw new ArgumentOutOfRangeException(nameof(ttl), "Nonce TTL must be greater than zero.");
+        }
+
+        if (maxIssuancePerMinute < 1)
+        {
+            throw new ArgumentOutOfRangeException(nameof(maxIssuancePerMinute), "Max issuance per minute must be at least 1.");
+        }
+
+        cancellationToken.ThrowIfCancellationRequested();
+
+        var database = connection.GetDatabase();
+        var issuedAt = timeProvider.GetUtcNow();
+
+        var baseKey = DpopNonceUtilities.ComputeStorageKey(audience, clientId, keyThumbprint);
+        var nonceKey = (RedisKey)baseKey;
+        var metadataKey = (RedisKey)(baseKey + ":meta");
+        var rateKey = (RedisKey)(baseKey + ":rate");
+
+        var rateCount = await database.StringIncrementAsync(rateKey, flags: CommandFlags.DemandMaster).ConfigureAwait(false);
+        if (rateCount == 1)
+        {
+            await database.KeyExpireAsync(rateKey, TimeSpan.FromMinutes(1), CommandFlags.DemandMaster).ConfigureAwait(false);
+        }
+
+        if (rateCount > maxIssuancePerMinute)
+        {
+            return DpopNonceIssueResult.RateLimited("rate_limited");
+        }
+
+        var nonce = DpopNonceUtilities.GenerateNonce();
+        var hash = (RedisValue)DpopNonceUtilities.EncodeHash(DpopNonceUtilities.ComputeNonceHash(nonce));
+        var expiresAt = issuedAt + ttl;
+
+        await database.StringSetAsync(nonceKey, hash, ttl, When.Always, CommandFlags.DemandMaster).ConfigureAwait(false);
+        var metadataValue = FormattableString.Invariant($"{issuedAt.UtcTicks}|{ttl.Ticks}");
+        await database.StringSetAsync(metadataKey, metadataValue, ttl, When.Always, CommandFlags.DemandMaster).ConfigureAwait(false);
+
+        return DpopNonceIssueResult.Success(nonce, expiresAt);
+    }
+
+    public async ValueTask<DpopNonceConsumeResult> TryConsumeAsync(
+        string nonce,
+        string audience,
+        string clientId,
+        string keyThumbprint,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(nonce);
+        ArgumentException.ThrowIfNullOrWhiteSpace(audience);
+        ArgumentException.ThrowIfNullOrWhiteSpace(clientId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(keyThumbprint);
+
+        cancellationToken.ThrowIfCancellationRequested();
+
+        var database = connection.GetDatabase();
+
+        var baseKey = DpopNonceUtilities.ComputeStorageKey(audience, clientId, keyThumbprint);
+        var nonceKey = (RedisKey)baseKey;
+        var metadataKey = (RedisKey)(baseKey + ":meta");
+        var hash = (RedisValue)DpopNonceUtilities.EncodeHash(DpopNonceUtilities.ComputeNonceHash(nonce));
+
+        var rawResult = await database.ScriptEvaluateAsync(
+            ConsumeScript,
+            new[] { nonceKey },
+            new RedisValue[] { hash }).ConfigureAwait(false);
+
+        if (rawResult.IsNull || (long)rawResult != 1)
+        {
+            return DpopNonceConsumeResult.NotFound();
+        }
+
+        var metadata = await database.StringGetAsync(metadataKey).ConfigureAwait(false);
+        await database.KeyDeleteAsync(metadataKey, CommandFlags.DemandMaster).ConfigureAwait(false);
+
+        if (!metadata.IsNull)
+        {
+            var parts = metadata.ToString()
+                .Split('|', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
+
+            if (parts.Length == 2 &&
+                long.TryParse(parts[0], NumberStyles.Integer, CultureInfo.InvariantCulture, out var issuedTicks) &&
+                long.TryParse(parts[1], NumberStyles.Integer, CultureInfo.InvariantCulture, out var ttlTicks))
+            {
+                var issuedAt = new DateTimeOffset(issuedTicks, TimeSpan.Zero);
+                var expiresAt = issuedAt + TimeSpan.FromTicks(ttlTicks);
+                return expiresAt <= timeProvider.GetUtcNow()
+                    ? DpopNonceConsumeResult.Expired(issuedAt, expiresAt)
+                    : DpopNonceConsumeResult.Success(issuedAt, expiresAt);
+            }
+        }
+
+        return DpopNonceConsumeResult.Success(timeProvider.GetUtcNow(), timeProvider.GetUtcNow());
+    }
+}

src/StellaOps.Auth.Security/StellaOps.Auth.Security.csproj

@@ -29,6 +29,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="7.2.0" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.2.0" />
+    <PackageReference Include="StackExchange.Redis" Version="2.8.24" />
     <PackageReference Include="Microsoft.SourceLink.GitLab" Version="8.0.0" PrivateAssets="All" />
   </ItemGroup>
   <ItemGroup>

src/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StandardClientProvisioningStoreTests.cs

@@ -1,4 +1,6 @@
+using System;
 using System.Collections.Generic;
+using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
 using MongoDB.Driver;
@@ -43,6 +45,74 @@ public class StandardClientProvisioningStoreTests
         Assert.Contains("scopeA", descriptor.AllowedScopes);
     }
 
+    [Fact]
+    public async Task CreateOrUpdateAsync_StoresAudiences()
+    {
+        var store = new TrackingClientStore();
+        var revocations = new TrackingRevocationStore();
+        var provisioning = new StandardClientProvisioningStore("standard", store, revocations, TimeProvider.System);
+
+        var registration = new AuthorityClientRegistration(
+            clientId: "signer",
+            confidential: false,
+            displayName: "Signer",
+            clientSecret: null,
+            allowedGrantTypes: new[] { "client_credentials" },
+            allowedScopes: new[] { "signer.sign" },
+            allowedAudiences: new[] { "attestor", "signer" });
+
+        var result = await provisioning.CreateOrUpdateAsync(registration, CancellationToken.None);
+
+        Assert.True(result.Succeeded);
+        var document = Assert.Contains("signer", store.Documents);
+        Assert.Equal("attestor signer", document.Value.Properties[AuthorityClientMetadataKeys.Audiences]);
+
+        var descriptor = await provisioning.FindByClientIdAsync("signer", CancellationToken.None);
+        Assert.NotNull(descriptor);
+        Assert.Equal(new[] { "attestor", "signer" }, descriptor!.Audiences.OrderBy(value => value, StringComparer.Ordinal));
+    }
+
+    [Fact]
+    public async Task CreateOrUpdateAsync_MapsCertificateBindings()
+    {
+        var store = new TrackingClientStore();
+        var revocations = new TrackingRevocationStore();
+        var provisioning = new StandardClientProvisioningStore("standard", store, revocations, TimeProvider.System);
+
+        var bindingRegistration = new AuthorityClientCertificateBindingRegistration(
+            thumbprint: "aa:bb:cc:dd",
+            serialNumber: "01ff",
+            subject: "CN=mtls-client",
+            issuer: "CN=test-ca",
+            subjectAlternativeNames: new[] { "client.mtls.test", "spiffe://client" },
+            notBefore: DateTimeOffset.UtcNow.AddMinutes(-5),
+            notAfter: DateTimeOffset.UtcNow.AddHours(1),
+            label: "primary");
+
+        var registration = new AuthorityClientRegistration(
+            clientId: "mtls-client",
+            confidential: true,
+            displayName: "MTLS Client",
+            clientSecret: "secret",
+            allowedGrantTypes: new[] { "client_credentials" },
+            allowedScopes: new[] { "signer.sign" },
+            allowedAudiences: new[] { "signer" },
+            certificateBindings: new[] { bindingRegistration });
+
+        await provisioning.CreateOrUpdateAsync(registration, CancellationToken.None);
+
+        var document = Assert.Contains("mtls-client", store.Documents).Value;
+        var binding = Assert.Single(document.CertificateBindings);
+        Assert.Equal("AABBCCDD", binding.Thumbprint);
+        Assert.Equal("01ff", binding.SerialNumber);
+        Assert.Equal("CN=mtls-client", binding.Subject);
+        Assert.Equal("CN=test-ca", binding.Issuer);
+        Assert.Equal(new[] { "client.mtls.test", "spiffe://client" }, binding.SubjectAlternativeNames);
+        Assert.Equal(bindingRegistration.NotBefore, binding.NotBefore);
+        Assert.Equal(bindingRegistration.NotAfter, binding.NotAfter);
+        Assert.Equal("primary", binding.Label);
+    }
+
     private sealed class TrackingClientStore : IAuthorityClientStore
     {
         public Dictionary<string, AuthorityClientDocument> Documents { get; } = new(StringComparer.OrdinalIgnoreCase);

src/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/Storage/StandardClientProvisioningStore.cs

@@ -50,11 +50,21 @@ internal sealed class StandardClientProvisioningStore : IClientProvisioningStore
         document.RedirectUris = registration.RedirectUris.Select(static uri => uri.ToString()).ToList();
         document.PostLogoutRedirectUris = registration.PostLogoutRedirectUris.Select(static uri => uri.ToString()).ToList();
 
-        document.Properties[AuthorityClientMetadataKeys.AllowedGrantTypes] = string.Join(" ", registration.AllowedGrantTypes);
-        document.Properties[AuthorityClientMetadataKeys.AllowedScopes] = string.Join(" ", registration.AllowedScopes);
+        document.Properties[AuthorityClientMetadataKeys.AllowedGrantTypes] = JoinValues(registration.AllowedGrantTypes);
+        document.Properties[AuthorityClientMetadataKeys.AllowedScopes] = JoinValues(registration.AllowedScopes);
+        document.Properties[AuthorityClientMetadataKeys.Audiences] = JoinValues(registration.AllowedAudiences);
         document.Properties[AuthorityClientMetadataKeys.RedirectUris] = string.Join(" ", document.RedirectUris);
         document.Properties[AuthorityClientMetadataKeys.PostLogoutRedirectUris] = string.Join(" ", document.PostLogoutRedirectUris);
 
+        if (registration.CertificateBindings is not null)
+        {
+            var now = clock.GetUtcNow();
+            document.CertificateBindings = registration.CertificateBindings
+                .Select(binding => MapCertificateBinding(binding, now))
+                .OrderBy(binding => binding.Thumbprint, StringComparer.Ordinal)
+                .ToList();
+        }
+
         foreach (var (key, value) in registration.Properties)
         {
             document.Properties[key] = value;
@@ -142,12 +152,15 @@ internal sealed class StandardClientProvisioningStore : IClientProvisioningStore
             .Cast<Uri>()
             .ToArray();
 
+        var audiences = Split(document.Properties, AuthorityClientMetadataKeys.Audiences);
+
         return new AuthorityClientDescriptor(
             document.ClientId,
             document.DisplayName,
             string.Equals(document.ClientType, "confidential", StringComparison.OrdinalIgnoreCase),
             allowedGrantTypes,
             allowedScopes,
+            audiences,
             redirectUris,
             postLogoutUris,
             document.Properties);
@@ -163,6 +176,47 @@ internal sealed class StandardClientProvisioningStore : IClientProvisioningStore
         return value.Split(' ', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
     }
 
+    private static string JoinValues(IReadOnlyCollection<string> values)
+    {
+        if (values is null || values.Count == 0)
+        {
+            return string.Empty;
+        }
+
+        return string.Join(
+            " ",
+            values
+                .Where(static value => !string.IsNullOrWhiteSpace(value))
+                .Select(static value => value.Trim())
+                .OrderBy(static value => value, StringComparer.Ordinal));
+    }
+
+    private static AuthorityClientCertificateBinding MapCertificateBinding(
+        AuthorityClientCertificateBindingRegistration registration,
+        DateTimeOffset now)
+    {
+        var subjectAlternativeNames = registration.SubjectAlternativeNames.Count == 0
+            ? new List<string>()
+            : registration.SubjectAlternativeNames
+                .Select(name => name.Trim())
+                .OrderBy(name => name, StringComparer.OrdinalIgnoreCase)
+                .ToList();
+
+        return new AuthorityClientCertificateBinding
+        {
+            Thumbprint = registration.Thumbprint,
+            SerialNumber = registration.SerialNumber,
+            Subject = registration.Subject,
+            Issuer = registration.Issuer,
+            SubjectAlternativeNames = subjectAlternativeNames,
+            NotBefore = registration.NotBefore,
+            NotAfter = registration.NotAfter,
+            Label = registration.Label,
+            CreatedAt = now,
+            UpdatedAt = now
+        };
+    }
+
     private static string? NormalizeSenderConstraint(string? value)
     {
         if (string.IsNullOrWhiteSpace(value))

src/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md

@@ -5,10 +5,10 @@
 | PLG6.DOC | DONE (2025-10-11) | BE-Auth Plugin, Docs Guild | PLG1–PLG5 | Final polish + diagrams for plugin developer guide (AUTHPLUG-DOCS-01-001). | Docs team delivers copy-edit + exported diagrams; PR merged. |
 | SEC1.PLG | DONE (2025-10-11) | Security Guild, BE-Auth Plugin | SEC1.A (StellaOps.Cryptography) | Swap Standard plugin hashing to Argon2id via `StellaOps.Cryptography` abstractions; keep PBKDF2 verification for legacy. | ✅ `StandardUserCredentialStore` uses `ICryptoProvider` to hash/check; ✅ Transparent rehash on success; ✅ Unit tests cover tamper + legacy rehash. |
 | SEC1.OPT | DONE (2025-10-11) | Security Guild | SEC1.PLG | Expose password hashing knobs in `StandardPluginOptions` (`memoryKiB`, `iterations`, `parallelism`, `algorithm`) with validation. | ✅ Options bound from YAML; ✅ Invalid configs throw; ✅ Docs include tuning guidance. |
-| SEC2.PLG | DOING (2025-10-14) | Security Guild, Storage Guild | SEC2.A (audit contract) | Emit audit events from password verification outcomes and persist via `IAuthorityLoginAttemptStore`. | ✅ Serilog events enriched with subject/client/IP/outcome; ✅ Mongo records written per attempt; ✅ Tests assert success/lockout/failure cases. |
-| SEC3.PLG | DOING (2025-10-14) | Security Guild, BE-Auth Plugin | CORE8, SEC3.A (rate limiter) | Ensure lockout responses and rate-limit metadata flow through plugin logs/events (include retry-after). | ✅ Audit record includes retry-after; ✅ Tests confirm lockout + limiter interplay. |
+| SEC2.PLG | DOING (2025-10-14) | Security Guild, Storage Guild | SEC2.A (audit contract) | Emit audit events from password verification outcomes and persist via `IAuthorityLoginAttemptStore`. <br>⏳ Awaiting AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 completion to unlock Wave 0B verification paths. | ✅ Serilog events enriched with subject/client/IP/outcome; ✅ Mongo records written per attempt; ✅ Tests assert success/lockout/failure cases. |
+| SEC3.PLG | DOING (2025-10-14) | Security Guild, BE-Auth Plugin | CORE8, SEC3.A (rate limiter) | Ensure lockout responses and rate-limit metadata flow through plugin logs/events (include retry-after). <br>⏳ Pending AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 so limiter telemetry contract matches final authority surface. | ✅ Audit record includes retry-after; ✅ Tests confirm lockout + limiter interplay. |
 | SEC4.PLG | DONE (2025-10-12) | Security Guild | SEC4.A (revocation schema) | Provide plugin hooks so revoked users/clients write reasons for revocation bundle export. | ✅ Revocation exporter consumes plugin data; ✅ Tests cover revoked user/client output. |
-| SEC5.PLG | DOING (2025-10-14) | Security Guild | SEC5.A (threat model) | Address plugin-specific mitigations (bootstrap user handling, password policy docs) in threat model backlog. | ✅ Threat model lists plugin attack surfaces; ✅ Mitigation items filed. |
+| SEC5.PLG | DOING (2025-10-14) | Security Guild | SEC5.A (threat model) | Address plugin-specific mitigations (bootstrap user handling, password policy docs) in threat model backlog. <br>⏳ Final documentation depends on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 outcomes. | ✅ Threat model lists plugin attack surfaces; ✅ Mitigation items filed. |
 | PLG4-6.CAPABILITIES | BLOCKED (2025-10-12) | BE-Auth Plugin, Docs Guild | PLG1–PLG3 | Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. | ✅ Capability metadata + validation merged; ✅ Plugin guide updated with final copy & diagrams; ✅ Release notes mention new toggles. <br>⛔ Blocked awaiting Authority rate-limiter stream (CORE8/SEC3) to resume so doc updates reflect final limiter behaviour. |
 | PLG7.RFC | REVIEW | BE-Auth Plugin, Security Guild | PLG4 | Socialize LDAP plugin RFC (`docs/rfcs/authority-plugin-ldap.md`) and capture guild feedback. | ✅ Guild review sign-off recorded; ✅ Follow-up issues filed in module boards. |
 | PLG6.DIAGRAM | TODO | Docs Guild | PLG6.DOC | Export final sequence/component diagrams for the developer guide and add offline-friendly assets under `docs/assets/authority`. | ✅ Mermaid sources committed; ✅ Rendered SVG/PNG linked from Section 2 + Section 9; ✅ Docs build preview shared with Plugin + Docs guilds. |
@@ -16,3 +16,5 @@
 > Update statuses to DOING/DONE/BLOCKED as you make progress. Always run `dotnet test` for touched projects before marking DONE.
 
 > Remark (2025-10-13, PLG6.DOC/PLG6.DIAGRAM): Security Guild delivered `docs/security/rate-limits.md`; Docs team can lift Section 3 (tuning table + alerts) into the developer guide diagrams when rendering assets.
+
+> Check-in (2025-10-19): Wave 0A dependencies (AUTH-DPOP-11-001, AUTH-MTLS-11-002, PLUGIN-DI-08-001) still open, so SEC2/SEC3/SEC5 remain in progress without new scope until upstream limiter updates land.

src/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthorityClientMetadataKeys.cs

@@ -7,6 +7,7 @@ public static class AuthorityClientMetadataKeys
 {
     public const string AllowedGrantTypes = "allowedGrantTypes";
     public const string AllowedScopes = "allowedScopes";
+    public const string Audiences = "audiences";
     public const string RedirectUris = "redirectUris";
     public const string PostLogoutRedirectUris = "postLogoutRedirectUris";
     public const string SenderConstraint = "senderConstraint";

src/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/IdentityProviderContracts.cs

@@ -632,15 +632,13 @@ public sealed class AuthorityClaimsEnrichmentContext
 /// </summary>
 public sealed record AuthorityClientDescriptor
 {
-    /// <summary>
-    /// Initialises a new client descriptor.
-    /// </summary>
     public AuthorityClientDescriptor(
         string clientId,
         string? displayName,
         bool confidential,
         IReadOnlyCollection<string>? allowedGrantTypes = null,
         IReadOnlyCollection<string>? allowedScopes = null,
+        IReadOnlyCollection<string>? allowedAudiences = null,
         IReadOnlyCollection<Uri>? redirectUris = null,
         IReadOnlyCollection<Uri>? postLogoutRedirectUris = null,
         IReadOnlyDictionary<string, string?>? properties = null)
@@ -648,8 +646,9 @@ public sealed record AuthorityClientDescriptor
         ClientId = ValidateRequired(clientId, nameof(clientId));
         DisplayName = displayName;
         Confidential = confidential;
-        AllowedGrantTypes = allowedGrantTypes is null ? Array.Empty<string>() : allowedGrantTypes.ToArray();
-        AllowedScopes = allowedScopes is null ? Array.Empty<string>() : allowedScopes.ToArray();
+        AllowedGrantTypes = Normalize(allowedGrantTypes);
+        AllowedScopes = Normalize(allowedScopes);
+        AllowedAudiences = Normalize(allowedAudiences);
         RedirectUris = redirectUris is null ? Array.Empty<Uri>() : redirectUris.ToArray();
         PostLogoutRedirectUris = postLogoutRedirectUris is null ? Array.Empty<Uri>() : postLogoutRedirectUris.ToArray();
         Properties = properties is null
@@ -657,60 +656,87 @@ public sealed record AuthorityClientDescriptor
             : new Dictionary<string, string?>(properties, StringComparer.OrdinalIgnoreCase);
     }
 
-    /// <summary>
-    /// Unique client identifier.
-    /// </summary>
     public string ClientId { get; }
-
-    /// <summary>
-    /// Optional display name.
-    /// </summary>
     public string? DisplayName { get; }
-
-    /// <summary>
-    /// Indicates whether the client is confidential (requires secret).
-    /// </summary>
     public bool Confidential { get; }
-
-    /// <summary>
-    /// Permitted OAuth grant types.
-    /// </summary>
     public IReadOnlyCollection<string> AllowedGrantTypes { get; }
-
-    /// <summary>
-    /// Permitted scopes.
-    /// </summary>
     public IReadOnlyCollection<string> AllowedScopes { get; }
-
-    /// <summary>
-    /// Registered redirect URIs.
-    /// </summary>
+    public IReadOnlyCollection<string> AllowedAudiences { get; }
     public IReadOnlyCollection<Uri> RedirectUris { get; }
-
-    /// <summary>
-    /// Registered post-logout redirect URIs.
-    /// </summary>
     public IReadOnlyCollection<Uri> PostLogoutRedirectUris { get; }
-
-    /// <summary>
-    /// Additional plugin-defined metadata.
-    /// </summary>
     public IReadOnlyDictionary<string, string?> Properties { get; }
 
+    private static IReadOnlyCollection<string> Normalize(IReadOnlyCollection<string>? values)
+        => values is null || values.Count == 0
+            ? Array.Empty<string>()
+            : values
+                .Where(value => !string.IsNullOrWhiteSpace(value))
+                .Select(value => value.Trim())
+                .Distinct(StringComparer.Ordinal)
+                .ToArray();
+
     private static string ValidateRequired(string value, string paramName)
         => string.IsNullOrWhiteSpace(value)
             ? throw new ArgumentException("Value cannot be null or whitespace.", paramName)
             : value;
 }
 
-/// <summary>
-/// Client registration payload used when provisioning clients through plugins.
-/// </summary>
+public sealed record AuthorityClientCertificateBindingRegistration
+{
+    public AuthorityClientCertificateBindingRegistration(
+        string thumbprint,
+        string? serialNumber = null,
+        string? subject = null,
+        string? issuer = null,
+        IReadOnlyCollection<string>? subjectAlternativeNames = null,
+        DateTimeOffset? notBefore = null,
+        DateTimeOffset? notAfter = null,
+        string? label = null)
+    {
+        Thumbprint = NormalizeThumbprint(thumbprint);
+        SerialNumber = Normalize(serialNumber);
+        Subject = Normalize(subject);
+        Issuer = Normalize(issuer);
+        SubjectAlternativeNames = subjectAlternativeNames is null || subjectAlternativeNames.Count == 0
+            ? Array.Empty<string>()
+            : subjectAlternativeNames
+                .Where(value => !string.IsNullOrWhiteSpace(value))
+                .Select(value => value.Trim())
+                .Distinct(StringComparer.OrdinalIgnoreCase)
+                .ToArray();
+        NotBefore = notBefore;
+        NotAfter = notAfter;
+        Label = Normalize(label);
+    }
+
+    public string Thumbprint { get; }
+    public string? SerialNumber { get; }
+    public string? Subject { get; }
+    public string? Issuer { get; }
+    public IReadOnlyCollection<string> SubjectAlternativeNames { get; }
+    public DateTimeOffset? NotBefore { get; }
+    public DateTimeOffset? NotAfter { get; }
+    public string? Label { get; }
+
+    private static string NormalizeThumbprint(string value)
+    {
+        if (string.IsNullOrWhiteSpace(value))
+        {
+            throw new ArgumentException("Thumbprint is required.", nameof(value));
+        }
+
+        return value
+            .Replace(":", string.Empty, StringComparison.Ordinal)
+            .Replace(" ", string.Empty, StringComparison.Ordinal)
+            .ToUpperInvariant();
+    }
+
+    private static string? Normalize(string? value)
+        => string.IsNullOrWhiteSpace(value) ? null : value.Trim();
+}
+
 public sealed record AuthorityClientRegistration
 {
-    /// <summary>
-    /// Initialises a new registration.
-    /// </summary>
     public AuthorityClientRegistration(
         string clientId,
         bool confidential,
@@ -718,9 +744,11 @@ public sealed record AuthorityClientRegistration
         string? clientSecret,
         IReadOnlyCollection<string>? allowedGrantTypes = null,
         IReadOnlyCollection<string>? allowedScopes = null,
+        IReadOnlyCollection<string>? allowedAudiences = null,
         IReadOnlyCollection<Uri>? redirectUris = null,
         IReadOnlyCollection<Uri>? postLogoutRedirectUris = null,
-        IReadOnlyDictionary<string, string?>? properties = null)
+        IReadOnlyDictionary<string, string?>? properties = null,
+        IReadOnlyCollection<AuthorityClientCertificateBindingRegistration>? certificateBindings = null)
     {
         ClientId = ValidateRequired(clientId, nameof(clientId));
         Confidential = confidential;
@@ -728,65 +756,42 @@ public sealed record AuthorityClientRegistration
         ClientSecret = confidential
             ? ValidateRequired(clientSecret ?? string.Empty, nameof(clientSecret))
             : clientSecret;
-        AllowedGrantTypes = allowedGrantTypes is null ? Array.Empty<string>() : allowedGrantTypes.ToArray();
-        AllowedScopes = allowedScopes is null ? Array.Empty<string>() : allowedScopes.ToArray();
+        AllowedGrantTypes = Normalize(allowedGrantTypes);
+        AllowedScopes = Normalize(allowedScopes);
+        AllowedAudiences = Normalize(allowedAudiences);
         RedirectUris = redirectUris is null ? Array.Empty<Uri>() : redirectUris.ToArray();
         PostLogoutRedirectUris = postLogoutRedirectUris is null ? Array.Empty<Uri>() : postLogoutRedirectUris.ToArray();
         Properties = properties is null
             ? new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase)
             : new Dictionary<string, string?>(properties, StringComparer.OrdinalIgnoreCase);
+        CertificateBindings = certificateBindings is null
+            ? Array.Empty<AuthorityClientCertificateBindingRegistration>()
+            : certificateBindings.ToArray();
     }
 
-    /// <summary>
-    /// Unique client identifier.
-    /// </summary>
     public string ClientId { get; }
-
-    /// <summary>
-    /// Indicates whether the client is confidential (requires secret handling).
-    /// </summary>
     public bool Confidential { get; }
-
-    /// <summary>
-    /// Optional display name.
-    /// </summary>
     public string? DisplayName { get; }
-
-    /// <summary>
-    /// Optional raw client secret (hashed by the plugin for storage).
-    /// </summary>
     public string? ClientSecret { get; init; }
-
-    /// <summary>
-    /// Grant types to enable.
-    /// </summary>
     public IReadOnlyCollection<string> AllowedGrantTypes { get; }
-
-    /// <summary>
-    /// Scopes assigned to the client.
-    /// </summary>
     public IReadOnlyCollection<string> AllowedScopes { get; }
-
-    /// <summary>
-    /// Redirect URIs permitted for the client.
-    /// </summary>
+    public IReadOnlyCollection<string> AllowedAudiences { get; }
     public IReadOnlyCollection<Uri> RedirectUris { get; }
-
-    /// <summary>
-    /// Post-logout redirect URIs.
-    /// </summary>
     public IReadOnlyCollection<Uri> PostLogoutRedirectUris { get; }
-
-    /// <summary>
-    /// Additional metadata for the plugin.
-    /// </summary>
     public IReadOnlyDictionary<string, string?> Properties { get; }
+    public IReadOnlyCollection<AuthorityClientCertificateBindingRegistration> CertificateBindings { get; }
 
-    /// <summary>
-    /// Creates a copy of the registration with the provided client secret.
-    /// </summary>
     public AuthorityClientRegistration WithClientSecret(string? clientSecret)
-        => new(ClientId, Confidential, DisplayName, clientSecret, AllowedGrantTypes, AllowedScopes, RedirectUris, PostLogoutRedirectUris, Properties);
+        => new(ClientId, Confidential, DisplayName, clientSecret, AllowedGrantTypes, AllowedScopes, AllowedAudiences, RedirectUris, PostLogoutRedirectUris, Properties, CertificateBindings);
+
+    private static IReadOnlyCollection<string> Normalize(IReadOnlyCollection<string>? values)
+        => values is null || values.Count == 0
+            ? Array.Empty<string>()
+            : values
+                .Where(value => !string.IsNullOrWhiteSpace(value))
+                .Select(value => value.Trim())
+                .Distinct(StringComparer.Ordinal)
+                .ToArray();
 
     private static string ValidateRequired(string value, string paramName)
         => string.IsNullOrWhiteSpace(value)

src/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Documents/AuthorityTokenDocument.cs

@@ -62,6 +62,18 @@ public sealed class AuthorityTokenDocument
     [BsonIgnoreIfNull]
     public string? RevokedReasonDescription { get; set; }
 
+    [BsonElement("senderConstraint")]
+    [BsonIgnoreIfNull]
+    public string? SenderConstraint { get; set; }
+
+    [BsonElement("senderKeyThumbprint")]
+    [BsonIgnoreIfNull]
+    public string? SenderKeyThumbprint { get; set; }
+
+    [BsonElement("senderNonce")]
+    [BsonIgnoreIfNull]
+    public string? SenderNonce { get; set; }
+
 
     [BsonElement("devices")]
     [BsonIgnoreIfNull]

src/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/Initialization/AuthorityTokenCollectionInitializer.cs

@@ -27,7 +27,13 @@ internal sealed class AuthorityTokenCollectionInitializer : IAuthorityCollection
                 Builders<AuthorityTokenDocument>.IndexKeys
                     .Ascending(t => t.Status)
                     .Ascending(t => t.RevokedAt),
-                new CreateIndexOptions<AuthorityTokenDocument> { Name = "token_status_revokedAt" })
+                new CreateIndexOptions<AuthorityTokenDocument> { Name = "token_status_revokedAt" }),
+            new(
+                Builders<AuthorityTokenDocument>.IndexKeys.Ascending(t => t.SenderConstraint),
+                new CreateIndexOptions<AuthorityTokenDocument> { Name = "token_sender_constraint", Sparse = true }),
+            new(
+                Builders<AuthorityTokenDocument>.IndexKeys.Ascending(t => t.SenderKeyThumbprint),
+                new CreateIndexOptions<AuthorityTokenDocument> { Name = "token_sender_thumbprint", Sparse = true })
         };
 
         var expirationFilter = Builders<AuthorityTokenDocument>.Filter.Exists(t => t.ExpiresAt, true);

src/StellaOps.Authority/StellaOps.Authority.Tests/OpenIddict/ClientCredentialsAndTokenHandlersTests.cs

@@ -1,9 +1,21 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.IdentityModel.Tokens.Jwt;
 using System.Security.Claims;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Text.Json;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Extensions;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Primitives;
+using Microsoft.IdentityModel.Tokens;
+using StellaOps.Configuration;
+using StellaOps.Authority.Security;
+using StellaOps.Auth.Security.Dpop;
 using OpenIddict.Abstractions;
 using OpenIddict.Extensions;
 using OpenIddict.Server;
@@ -44,6 +56,8 @@ public class ClientCredentialsHandlersTests
             new TestAuthEventSink(),
             new TestRateLimiterMetadataAccessor(),
             TimeProvider.System,
+            new NoopCertificateValidator(),
+            new HttpContextAccessor(),
             NullLogger<ValidateClientCredentialsHandler>.Instance);
 
         var transaction = CreateTokenTransaction(clientDocument.ClientId, "s3cr3t!", scope: "jobs:write");
@@ -72,6 +86,8 @@ public class ClientCredentialsHandlersTests
             new TestAuthEventSink(),
             new TestRateLimiterMetadataAccessor(),
             TimeProvider.System,
+            new NoopCertificateValidator(),
+            new HttpContextAccessor(),
             NullLogger<ValidateClientCredentialsHandler>.Instance);
 
         var transaction = CreateTokenTransaction(clientDocument.ClientId, "s3cr3t!", scope: "jobs:read");
@@ -104,6 +120,8 @@ public class ClientCredentialsHandlersTests
             sink,
             new TestRateLimiterMetadataAccessor(),
             TimeProvider.System,
+            new NoopCertificateValidator(),
+            new HttpContextAccessor(),
             NullLogger<ValidateClientCredentialsHandler>.Instance);
 
         var transaction = CreateTokenTransaction(clientDocument.ClientId, "s3cr3t!", scope: "jobs:read");
@@ -117,6 +135,315 @@ public class ClientCredentialsHandlersTests
             string.Equals(property.Value.Value, "unexpected_param", StringComparison.OrdinalIgnoreCase));
     }
 
+    [Fact]
+    public async Task ValidateDpopProof_AllowsSenderConstrainedClient()
+    {
+        var options = new StellaOpsAuthorityOptions
+        {
+            Issuer = new Uri("https://authority.test")
+        };
+        options.Security.SenderConstraints.Dpop.Enabled = true;
+        options.Security.SenderConstraints.Dpop.Nonce.Enabled = false;
+
+        var clientDocument = CreateClient(
+            secret: "s3cr3t!",
+            allowedGrantTypes: "client_credentials",
+            allowedScopes: "jobs:read");
+        clientDocument.SenderConstraint = AuthoritySenderConstraintKinds.Dpop;
+        clientDocument.Properties[AuthorityClientMetadataKeys.SenderConstraint] = AuthoritySenderConstraintKinds.Dpop;
+
+        using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
+        var securityKey = new ECDsaSecurityKey(ecdsa)
+        {
+            KeyId = Guid.NewGuid().ToString("N")
+        };
+        var jwk = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(securityKey);
+        var expectedThumbprint = ConvertThumbprintToString(jwk.ComputeJwkThumbprint());
+
+        var clientStore = new TestClientStore(clientDocument);
+        var auditSink = new TestAuthEventSink();
+        var rateMetadata = new TestRateLimiterMetadataAccessor();
+
+        var dpopValidator = new DpopProofValidator(
+            Options.Create(new DpopValidationOptions()),
+            new InMemoryDpopReplayCache(TimeProvider.System),
+            TimeProvider.System,
+            NullLogger<DpopProofValidator>.Instance);
+
+        var nonceStore = new InMemoryDpopNonceStore(TimeProvider.System, NullLogger<InMemoryDpopNonceStore>.Instance);
+
+        var dpopHandler = new ValidateDpopProofHandler(
+            options,
+            clientStore,
+            dpopValidator,
+            nonceStore,
+            rateMetadata,
+            auditSink,
+            TimeProvider.System,
+            TestActivitySource,
+            NullLogger<ValidateDpopProofHandler>.Instance);
+
+        var transaction = CreateTokenTransaction(clientDocument.ClientId, "s3cr3t!", scope: "jobs:read");
+        transaction.Options = new OpenIddictServerOptions();
+
+        var httpContext = new DefaultHttpContext();
+        httpContext.Request.Method = "POST";
+        httpContext.Request.Scheme = "https";
+        httpContext.Request.Host = new HostString("authority.test");
+        httpContext.Request.Path = "/token";
+
+        var now = TimeProvider.System.GetUtcNow();
+        var proof = TestHelpers.CreateDpopProof(securityKey, httpContext.Request.Method, httpContext.Request.GetDisplayUrl(), now.ToUnixTimeSeconds());
+        httpContext.Request.Headers["DPoP"] = proof;
+
+        transaction.Properties[typeof(HttpContext).FullName!] = httpContext;
+
+        var validateContext = new OpenIddictServerEvents.ValidateTokenRequestContext(transaction);
+        await dpopHandler.HandleAsync(validateContext);
+
+        Assert.False(validateContext.IsRejected);
+
+        var registry = CreateRegistry(withClientProvisioning: true, clientDescriptor: CreateDescriptor(clientDocument));
+        var validateHandler = new ValidateClientCredentialsHandler(
+            clientStore,
+            registry,
+            TestActivitySource,
+            auditSink,
+            rateMetadata,
+            TimeProvider.System,
+            new NoopCertificateValidator(),
+            new HttpContextAccessor(),
+            NullLogger<ValidateClientCredentialsHandler>.Instance);
+
+        await validateHandler.HandleAsync(validateContext);
+        Assert.False(validateContext.IsRejected);
+
+        var tokenStore = new TestTokenStore();
+        var sessionAccessor = new NullMongoSessionAccessor();
+        var handleHandler = new HandleClientCredentialsHandler(
+            registry,
+            tokenStore,
+            sessionAccessor,
+            TimeProvider.System,
+            TestActivitySource,
+            NullLogger<HandleClientCredentialsHandler>.Instance);
+
+        var handleContext = new OpenIddictServerEvents.HandleTokenRequestContext(transaction);
+        await handleHandler.HandleAsync(handleContext);
+        Assert.True(handleContext.IsRequestHandled);
+
+        var persistHandler = new PersistTokensHandler(
+            tokenStore,
+            sessionAccessor,
+            TimeProvider.System,
+            TestActivitySource,
+            NullLogger<PersistTokensHandler>.Instance);
+
+        var signInContext = new OpenIddictServerEvents.ProcessSignInContext(transaction)
+        {
+            Principal = handleContext.Principal,
+            AccessTokenPrincipal = handleContext.Principal
+        };
+
+        await persistHandler.HandleAsync(signInContext);
+
+        var confirmationClaim = handleContext.Principal?.GetClaim(AuthorityOpenIddictConstants.ConfirmationClaimType);
+        Assert.False(string.IsNullOrWhiteSpace(confirmationClaim));
+
+        using (var confirmationJson = JsonDocument.Parse(confirmationClaim!))
+        {
+            Assert.Equal(expectedThumbprint, confirmationJson.RootElement.GetProperty("jkt").GetString());
+        }
+
+        Assert.NotNull(tokenStore.Inserted);
+        Assert.Equal(AuthoritySenderConstraintKinds.Dpop, tokenStore.Inserted!.SenderConstraint);
+        Assert.Equal(expectedThumbprint, tokenStore.Inserted!.SenderKeyThumbprint);
+    }
+
+    [Fact]
+    public async Task ValidateDpopProof_IssuesNonceChallenge_WhenNonceMissing()
+    {
+        var options = new StellaOpsAuthorityOptions
+        {
+            Issuer = new Uri("https://authority.test")
+        };
+        options.Security.SenderConstraints.Dpop.Enabled = true;
+        options.Security.SenderConstraints.Dpop.Nonce.Enabled = true;
+        options.Security.SenderConstraints.Dpop.Nonce.RequiredAudiences.Clear();
+        options.Security.SenderConstraints.Dpop.Nonce.RequiredAudiences.Add("signer");
+        options.Signing.ActiveKeyId = "test-key";
+        options.Signing.KeyPath = "/tmp/test-key.pem";
+        options.Storage.ConnectionString = "mongodb://localhost/test";
+        Assert.Contains("signer", options.Security.SenderConstraints.Dpop.Nonce.RequiredAudiences);
+
+        var clientDocument = CreateClient(
+            secret: "s3cr3t!",
+            allowedGrantTypes: "client_credentials",
+            allowedScopes: "jobs:read",
+            allowedAudiences: "signer");
+        clientDocument.SenderConstraint = AuthoritySenderConstraintKinds.Dpop;
+        clientDocument.Properties[AuthorityClientMetadataKeys.SenderConstraint] = AuthoritySenderConstraintKinds.Dpop;
+
+        using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
+        var securityKey = new ECDsaSecurityKey(ecdsa)
+        {
+            KeyId = Guid.NewGuid().ToString("N")
+        };
+
+        var clientStore = new TestClientStore(clientDocument);
+        var auditSink = new TestAuthEventSink();
+        var rateMetadata = new TestRateLimiterMetadataAccessor();
+
+        var dpopValidator = new DpopProofValidator(
+            Options.Create(new DpopValidationOptions()),
+            new InMemoryDpopReplayCache(TimeProvider.System),
+            TimeProvider.System,
+            NullLogger<DpopProofValidator>.Instance);
+
+        var nonceStore = new InMemoryDpopNonceStore(TimeProvider.System, NullLogger<InMemoryDpopNonceStore>.Instance);
+
+        var dpopHandler = new ValidateDpopProofHandler(
+            options,
+            clientStore,
+            dpopValidator,
+            nonceStore,
+            rateMetadata,
+            auditSink,
+            TimeProvider.System,
+            TestActivitySource,
+            NullLogger<ValidateDpopProofHandler>.Instance);
+
+        var transaction = CreateTokenTransaction(clientDocument.ClientId, "s3cr3t!", scope: "jobs:read");
+        transaction.Options = new OpenIddictServerOptions();
+
+        var httpContext = new DefaultHttpContext();
+        httpContext.Request.Method = "POST";
+        httpContext.Request.Scheme = "https";
+        httpContext.Request.Host = new HostString("authority.test");
+        httpContext.Request.Path = "/token";
+
+        var now = TimeProvider.System.GetUtcNow();
+        var proof = TestHelpers.CreateDpopProof(securityKey, httpContext.Request.Method, httpContext.Request.GetDisplayUrl(), now.ToUnixTimeSeconds());
+        httpContext.Request.Headers["DPoP"] = proof;
+
+        transaction.Properties[typeof(HttpContext).FullName!] = httpContext;
+
+        var validateContext = new OpenIddictServerEvents.ValidateTokenRequestContext(transaction);
+        await dpopHandler.HandleAsync(validateContext);
+
+        Assert.True(validateContext.IsRejected);
+        Assert.Equal(OpenIddictConstants.Errors.InvalidClient, validateContext.Error);
+        var authenticateHeader = Assert.Single(httpContext.Response.Headers.Select(header => header)
+            .Where(header => string.Equals(header.Key, "WWW-Authenticate", StringComparison.OrdinalIgnoreCase))).Value;
+        Assert.Contains("use_dpop_nonce", authenticateHeader.ToString());
+        Assert.True(httpContext.Response.Headers.TryGetValue("DPoP-Nonce", out var nonceValues));
+        Assert.False(StringValues.IsNullOrEmpty(nonceValues));
+        Assert.Contains(auditSink.Events, record => record.EventType == "authority.dpop.proof.challenge");
+    }
+
+    [Fact]
+    public async Task ValidateClientCredentials_AllowsMtlsClient_WithValidCertificate()
+    {
+        var options = new StellaOpsAuthorityOptions
+        {
+            Issuer = new Uri("https://authority.test")
+        };
+        options.Security.SenderConstraints.Mtls.Enabled = true;
+        options.Security.SenderConstraints.Mtls.RequireChainValidation = false;
+        options.Signing.ActiveKeyId = "test-key";
+        options.Signing.KeyPath = "/tmp/test-key.pem";
+        options.Storage.ConnectionString = "mongodb://localhost/test";
+
+        var clientDocument = CreateClient(
+            secret: "s3cr3t!",
+            allowedGrantTypes: "client_credentials",
+            allowedScopes: "jobs:read");
+        clientDocument.SenderConstraint = AuthoritySenderConstraintKinds.Mtls;
+        clientDocument.Properties[AuthorityClientMetadataKeys.SenderConstraint] = AuthoritySenderConstraintKinds.Mtls;
+
+        using var rsa = RSA.Create(2048);
+        var certificateRequest = new CertificateRequest("CN=mtls-client", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+        using var certificate = certificateRequest.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddHours(1));
+        var hexThumbprint = Convert.ToHexString(certificate.GetCertHash(HashAlgorithmName.SHA256));
+        clientDocument.CertificateBindings.Add(new AuthorityClientCertificateBinding
+        {
+            Thumbprint = hexThumbprint
+        });
+
+        var registry = CreateRegistry(withClientProvisioning: true, clientDescriptor: CreateDescriptor(clientDocument));
+        var auditSink = new TestAuthEventSink();
+        var metadataAccessor = new TestRateLimiterMetadataAccessor();
+        var httpContextAccessor = new HttpContextAccessor { HttpContext = new DefaultHttpContext() };
+        httpContextAccessor.HttpContext!.Connection.ClientCertificate = certificate;
+
+        var validator = new AuthorityClientCertificateValidator(options, TimeProvider.System, NullLogger<AuthorityClientCertificateValidator>.Instance);
+
+        var handler = new ValidateClientCredentialsHandler(
+            new TestClientStore(clientDocument),
+            registry,
+            TestActivitySource,
+            auditSink,
+            metadataAccessor,
+            TimeProvider.System,
+            validator,
+            httpContextAccessor,
+            NullLogger<ValidateClientCredentialsHandler>.Instance);
+
+        var transaction = CreateTokenTransaction(clientDocument.ClientId, "s3cr3t!", scope: "jobs:read");
+        var context = new OpenIddictServerEvents.ValidateTokenRequestContext(transaction);
+
+        await handler.HandleAsync(context);
+
+        Assert.False(context.IsRejected);
+        Assert.Equal(AuthoritySenderConstraintKinds.Mtls, context.Transaction.Properties[AuthorityOpenIddictConstants.SenderConstraintProperty]);
+
+        var expectedBase64 = Base64UrlEncoder.Encode(certificate.GetCertHash(HashAlgorithmName.SHA256));
+        Assert.Equal(expectedBase64, context.Transaction.Properties[AuthorityOpenIddictConstants.MtlsCertificateThumbprintProperty]);
+    }
+
+    [Fact]
+    public async Task ValidateClientCredentials_RejectsMtlsClient_WhenCertificateMissing()
+    {
+        var options = new StellaOpsAuthorityOptions
+        {
+            Issuer = new Uri("https://authority.test")
+        };
+        options.Security.SenderConstraints.Mtls.Enabled = true;
+        options.Signing.ActiveKeyId = "test-key";
+        options.Signing.KeyPath = "/tmp/test-key.pem";
+        options.Storage.ConnectionString = "mongodb://localhost/test";
+
+        var clientDocument = CreateClient(
+            secret: "s3cr3t!",
+            allowedGrantTypes: "client_credentials",
+            allowedScopes: "jobs:read");
+        clientDocument.SenderConstraint = AuthoritySenderConstraintKinds.Mtls;
+        clientDocument.Properties[AuthorityClientMetadataKeys.SenderConstraint] = AuthoritySenderConstraintKinds.Mtls;
+
+        var registry = CreateRegistry(withClientProvisioning: true, clientDescriptor: CreateDescriptor(clientDocument));
+        var httpContextAccessor = new HttpContextAccessor { HttpContext = new DefaultHttpContext() };
+        var validator = new AuthorityClientCertificateValidator(options, TimeProvider.System, NullLogger<AuthorityClientCertificateValidator>.Instance);
+
+        var handler = new ValidateClientCredentialsHandler(
+            new TestClientStore(clientDocument),
+            registry,
+            TestActivitySource,
+            new TestAuthEventSink(),
+            new TestRateLimiterMetadataAccessor(),
+            TimeProvider.System,
+            validator,
+            httpContextAccessor,
+            NullLogger<ValidateClientCredentialsHandler>.Instance);
+
+        var transaction = CreateTokenTransaction(clientDocument.ClientId, "s3cr3t!", scope: "jobs:read");
+        var context = new OpenIddictServerEvents.ValidateTokenRequestContext(transaction);
+
+        await handler.HandleAsync(context);
+
+        Assert.True(context.IsRejected);
+        Assert.Equal(OpenIddictConstants.Errors.InvalidClient, context.Error);
+    }
+
     [Fact]
     public async Task HandleClientCredentials_PersistsTokenAndEnrichesClaims()
     {
@@ -124,7 +451,8 @@ public class ClientCredentialsHandlersTests
             secret: null,
             clientType: "public",
             allowedGrantTypes: "client_credentials",
-            allowedScopes: "jobs:trigger");
+            allowedScopes: "jobs:trigger",
+            allowedAudiences: "signer");
 
         var descriptor = CreateDescriptor(clientDocument);
         var registry = CreateRegistry(withClientProvisioning: true, clientDescriptor: descriptor);
@@ -139,6 +467,8 @@ public class ClientCredentialsHandlersTests
             authSink,
             metadataAccessor,
             TimeProvider.System,
+            new NoopCertificateValidator(),
+            new HttpContextAccessor(),
             NullLogger<ValidateClientCredentialsHandler>.Instance);
 
         var transaction = CreateTokenTransaction(clientDocument.ClientId, secret: null, scope: "jobs:trigger");
@@ -163,6 +493,7 @@ public class ClientCredentialsHandlersTests
 
         Assert.True(context.IsRequestHandled);
         Assert.NotNull(context.Principal);
+        Assert.Contains("signer", context.Principal!.GetAudiences());
 
         Assert.Contains(authSink.Events, record => record.EventType == "authority.client_credentials.grant" && record.Outcome == AuthEventOutcome.Success);
 
@@ -285,6 +616,62 @@ public class TokenValidationHandlersTests
         Assert.Contains(principal.Claims, claim => claim.Type == "enriched" && claim.Value == "true");
     }
 
+    [Fact]
+    public async Task ValidateAccessTokenHandler_AddsConfirmationClaim_ForMtlsToken()
+    {
+        var tokenDocument = new AuthorityTokenDocument
+        {
+            TokenId = "token-mtls",
+            Status = "valid",
+            ClientId = "mtls-client",
+            SenderConstraint = AuthoritySenderConstraintKinds.Mtls,
+            SenderKeyThumbprint = "thumb-print"
+        };
+
+        var tokenStore = new TestTokenStore
+        {
+            Inserted = tokenDocument
+        };
+
+        var clientDocument = CreateClient();
+        var registry = CreateRegistry(withClientProvisioning: false, clientDescriptor: null);
+        var metadataAccessor = new TestRateLimiterMetadataAccessor();
+        var auditSink = new TestAuthEventSink();
+        var sessionAccessor = new NullMongoSessionAccessor();
+        var handler = new ValidateAccessTokenHandler(
+            tokenStore,
+            sessionAccessor,
+            new TestClientStore(clientDocument),
+            registry,
+            metadataAccessor,
+            auditSink,
+            TimeProvider.System,
+            TestActivitySource,
+            NullLogger<ValidateAccessTokenHandler>.Instance);
+
+        var transaction = new OpenIddictServerTransaction
+        {
+            Options = new OpenIddictServerOptions(),
+            EndpointType = OpenIddictServerEndpointType.Introspection,
+            Request = new OpenIddictRequest()
+        };
+
+        var principal = CreatePrincipal(clientDocument.ClientId, tokenDocument.TokenId, clientDocument.Plugin);
+        var context = new OpenIddictServerEvents.ValidateTokenContext(transaction)
+        {
+            Principal = principal,
+            TokenId = tokenDocument.TokenId
+        };
+
+        await handler.HandleAsync(context);
+
+        Assert.False(context.IsRejected);
+        var confirmation = context.Principal?.GetClaim(AuthorityOpenIddictConstants.ConfirmationClaimType);
+        Assert.False(string.IsNullOrWhiteSpace(confirmation));
+        using var json = JsonDocument.Parse(confirmation!);
+        Assert.Equal(tokenDocument.SenderKeyThumbprint, json.RootElement.GetProperty("x5t#S256").GetString());
+    }
+
     [Fact]
     public async Task ValidateAccessTokenHandler_EmitsReplayAudit_WhenStoreDetectsSuspectedReplay()
     {
@@ -358,6 +745,89 @@ public class TokenValidationHandlersTests
     }
 }
 
+public class AuthorityClientCertificateValidatorTests
+{
+    [Fact]
+    public async Task ValidateAsync_Rejects_WhenSanTypeNotAllowed()
+    {
+        var options = new StellaOpsAuthorityOptions
+        {
+            Issuer = new Uri("https://authority.test")
+        };
+        options.Security.SenderConstraints.Mtls.Enabled = true;
+        options.Security.SenderConstraints.Mtls.RequireChainValidation = false;
+        options.Security.SenderConstraints.Mtls.AllowedSanTypes.Clear();
+        options.Security.SenderConstraints.Mtls.AllowedSanTypes.Add("uri");
+        options.Signing.ActiveKeyId = "test-key";
+        options.Signing.KeyPath = "/tmp/test-key.pem";
+        options.Storage.ConnectionString = "mongodb://localhost/test";
+
+        using var rsa = RSA.Create(2048);
+        var request = new CertificateRequest("CN=mtls-client", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+        var sanBuilder = new SubjectAlternativeNameBuilder();
+        sanBuilder.AddDnsName("client.mtls.test");
+        request.CertificateExtensions.Add(sanBuilder.Build());
+        using var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddMinutes(5));
+
+        var clientDocument = CreateClient();
+        clientDocument.SenderConstraint = AuthoritySenderConstraintKinds.Mtls;
+        clientDocument.CertificateBindings.Add(new AuthorityClientCertificateBinding
+        {
+            Thumbprint = Convert.ToHexString(certificate.GetCertHash(HashAlgorithmName.SHA256))
+        });
+
+        var httpContext = new DefaultHttpContext();
+        httpContext.Connection.ClientCertificate = certificate;
+
+        var validator = new AuthorityClientCertificateValidator(options, TimeProvider.System, NullLogger<AuthorityClientCertificateValidator>.Instance);
+        var result = await validator.ValidateAsync(httpContext, clientDocument, CancellationToken.None);
+
+        Assert.False(result.Succeeded);
+        Assert.Equal("certificate_san_type", result.Error);
+    }
+
+    [Fact]
+    public async Task ValidateAsync_AllowsBindingWithinRotationGrace()
+    {
+        var options = new StellaOpsAuthorityOptions
+        {
+            Issuer = new Uri("https://authority.test")
+        };
+        options.Security.SenderConstraints.Mtls.Enabled = true;
+        options.Security.SenderConstraints.Mtls.RequireChainValidation = false;
+        options.Security.SenderConstraints.Mtls.RotationGrace = TimeSpan.FromMinutes(5);
+        options.Signing.ActiveKeyId = "test-key";
+        options.Signing.KeyPath = "/tmp/test-key.pem";
+        options.Storage.ConnectionString = "mongodb://localhost/test";
+
+        using var rsa = RSA.Create(2048);
+        var request = new CertificateRequest("CN=mtls-client", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+        var sanBuilder = new SubjectAlternativeNameBuilder();
+        sanBuilder.AddDnsName("client.mtls.test");
+        request.CertificateExtensions.Add(sanBuilder.Build());
+        using var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddMinutes(10));
+
+        var thumbprint = Convert.ToHexString(certificate.GetCertHash(HashAlgorithmName.SHA256));
+
+        var clientDocument = CreateClient();
+        clientDocument.SenderConstraint = AuthoritySenderConstraintKinds.Mtls;
+        clientDocument.CertificateBindings.Add(new AuthorityClientCertificateBinding
+        {
+            Thumbprint = thumbprint,
+            NotBefore = TimeProvider.System.GetUtcNow().AddMinutes(2)
+        });
+
+        var httpContext = new DefaultHttpContext();
+        httpContext.Connection.ClientCertificate = certificate;
+
+        var validator = new AuthorityClientCertificateValidator(options, TimeProvider.System, NullLogger<AuthorityClientCertificateValidator>.Instance);
+        var result = await validator.ValidateAsync(httpContext, clientDocument, CancellationToken.None);
+
+        Assert.True(result.Succeeded);
+        Assert.Equal(thumbprint, result.HexThumbprint);
+    }
+}
+
 internal sealed class TestClientStore : IAuthorityClientStore
 {
     private readonly Dictionary<string, AuthorityClientDocument> clients = new(StringComparer.OrdinalIgnoreCase);
@@ -526,6 +996,19 @@ internal sealed class TestRateLimiterMetadataAccessor : IAuthorityRateLimiterMet
     public void SetTag(string name, string? value) => metadata.SetTag(name, value);
 }
 
+internal sealed class NoopCertificateValidator : IAuthorityClientCertificateValidator
+{
+    public ValueTask<AuthorityClientCertificateValidationResult> ValidateAsync(HttpContext httpContext, AuthorityClientDocument client, CancellationToken cancellationToken)
+    {
+        var binding = new AuthorityClientCertificateBinding
+        {
+            Thumbprint = "stub"
+        };
+
+        return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Success("stub", "stub", binding));
+    }
+}
+
 internal sealed class NullMongoSessionAccessor : IAuthorityMongoSessionAccessor
 {
     public ValueTask<IClientSessionHandle> GetSessionAsync(CancellationToken cancellationToken = default)
@@ -540,9 +1023,10 @@ internal static class TestHelpers
         string? secret = "s3cr3t!",
         string clientType = "confidential",
         string allowedGrantTypes = "client_credentials",
-        string allowedScopes = "jobs:read")
+        string allowedScopes = "jobs:read",
+        string allowedAudiences = "")
     {
-        return new AuthorityClientDocument
+        var document = new AuthorityClientDocument
         {
             ClientId = "concelier",
             ClientType = clientType,
@@ -554,12 +1038,20 @@ internal static class TestHelpers
                 [AuthorityClientMetadataKeys.AllowedScopes] = allowedScopes
             }
         };
+
+        if (!string.IsNullOrWhiteSpace(allowedAudiences))
+        {
+            document.Properties[AuthorityClientMetadataKeys.Audiences] = allowedAudiences;
+        }
+
+        return document;
     }
 
     public static AuthorityClientDescriptor CreateDescriptor(AuthorityClientDocument document)
     {
         var allowedGrantTypes = document.Properties.TryGetValue(AuthorityClientMetadataKeys.AllowedGrantTypes, out var grants) ? grants?.Split(' ', StringSplitOptions.RemoveEmptyEntries) : Array.Empty<string>();
         var allowedScopes = document.Properties.TryGetValue(AuthorityClientMetadataKeys.AllowedScopes, out var scopes) ? scopes?.Split(' ', StringSplitOptions.RemoveEmptyEntries) : Array.Empty<string>();
+        var allowedAudiences = document.Properties.TryGetValue(AuthorityClientMetadataKeys.Audiences, out var audiences) ? audiences?.Split(' ', StringSplitOptions.RemoveEmptyEntries) : Array.Empty<string>();
 
         return new AuthorityClientDescriptor(
             document.ClientId,
@@ -567,6 +1059,7 @@ internal static class TestHelpers
             confidential: string.Equals(document.ClientType, "confidential", StringComparison.OrdinalIgnoreCase),
             allowedGrantTypes,
             allowedScopes,
+            allowedAudiences,
             redirectUris: Array.Empty<Uri>(),
             postLogoutRedirectUris: Array.Empty<Uri>(),
             properties: document.Properties);
@@ -638,6 +1131,57 @@ internal static class TestHelpers
         };
     }
 
+    public static string ConvertThumbprintToString(object thumbprint)
+        => thumbprint switch
+        {
+            string value => value,
+            byte[] bytes => Base64UrlEncoder.Encode(bytes),
+            _ => throw new InvalidOperationException("Unsupported thumbprint representation.")
+        };
+
+    public static string CreateDpopProof(ECDsaSecurityKey key, string method, string url, long issuedAt, string? nonce = null)
+    {
+        var jwk = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(key);
+        jwk.KeyId ??= key.KeyId ?? Guid.NewGuid().ToString("N");
+
+        var signingCredentials = new SigningCredentials(key, SecurityAlgorithms.EcdsaSha256);
+        var header = new JwtHeader(signingCredentials)
+        {
+            ["typ"] = "dpop+jwt",
+            ["jwk"] = new Dictionary<string, object?>
+            {
+                ["kty"] = jwk.Kty,
+                ["crv"] = jwk.Crv,
+                ["x"] = jwk.X,
+                ["y"] = jwk.Y,
+                ["kid"] = jwk.Kid ?? jwk.KeyId
+            }
+        };
+
+        var payload = new JwtPayload
+        {
+            ["htm"] = method.ToUpperInvariant(),
+            ["htu"] = url,
+            ["iat"] = issuedAt,
+            ["jti"] = Guid.NewGuid().ToString("N")
+        };
+
+        if (!string.IsNullOrWhiteSpace(nonce))
+        {
+            payload["nonce"] = nonce;
+        }
+
+        var token = new JwtSecurityToken(header, payload);
+        return new JwtSecurityTokenHandler().WriteToken(token);
+    }
+
+    public static X509Certificate2 CreateTestCertificate(string subjectName)
+    {
+        using var rsa = RSA.Create(2048);
+        var request = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+        return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddHours(1));
+    }
+
     public static ClaimsPrincipal CreatePrincipal(string clientId, string tokenId, string provider, string? subject = null)
     {
         var identity = new ClaimsIdentity(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);

src/StellaOps.Authority/StellaOps.Authority.Tests/OpenIddict/TokenPersistenceIntegrationTests.cs

@@ -1,6 +1,7 @@
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Security.Claims;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Time.Testing;
@@ -20,6 +21,7 @@ using StellaOps.Authority.Storage.Mongo.Sessions;
 using StellaOps.Authority.Storage.Mongo.Stores;
 using StellaOps.Concelier.Testing;
 using StellaOps.Authority.RateLimiting;
+using StellaOps.Authority.Security;
 using StellaOps.Cryptography.Audit;
 using Xunit;
 
@@ -62,7 +64,7 @@ public sealed class TokenPersistenceIntegrationTests
         var metadataAccessor = new TestRateLimiterMetadataAccessor();
         await using var scope = provider.CreateAsyncScope();
         var sessionAccessor = scope.ServiceProvider.GetRequiredService<IAuthorityMongoSessionAccessor>();
-        var validateHandler = new ValidateClientCredentialsHandler(clientStore, registry, TestActivitySource, authSink, metadataAccessor, clock, NullLogger<ValidateClientCredentialsHandler>.Instance);
+        var validateHandler = new ValidateClientCredentialsHandler(clientStore, registry, TestActivitySource, authSink, metadataAccessor, clock, new NoopCertificateValidator(), new HttpContextAccessor(), NullLogger<ValidateClientCredentialsHandler>.Instance);
         var handleHandler = new HandleClientCredentialsHandler(registry, tokenStore, sessionAccessor, clock, TestActivitySource, NullLogger<HandleClientCredentialsHandler>.Instance);
         var persistHandler = new PersistTokensHandler(tokenStore, sessionAccessor, clock, TestActivitySource, NullLogger<PersistTokensHandler>.Instance);
 

src/StellaOps.Authority/StellaOps.Authority.Tests/StellaOps.Authority.Tests.csproj

@@ -8,6 +8,7 @@
   <ItemGroup>
     <ProjectReference Include="..\StellaOps.Authority\StellaOps.Authority.csproj" />
     <ProjectReference Include="..\StellaOps.Authority.Plugins.Abstractions\StellaOps.Authority.Plugins.Abstractions.csproj" />
+    <ProjectReference Include="..\..\StellaOps.Auth.Security\StellaOps.Auth.Security.csproj" />
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="MongoDB.Driver" Version="3.5.0" />

src/StellaOps.Authority/StellaOps.Authority/Bootstrap/BootstrapRequests.cs

@@ -44,11 +44,15 @@ internal sealed record BootstrapClientRequest
 
     public IReadOnlyCollection<string>? AllowedScopes { get; init; }
 
+    public IReadOnlyCollection<string>? AllowedAudiences { get; init; }
+
     public IReadOnlyCollection<string>? RedirectUris { get; init; }
 
     public IReadOnlyCollection<string>? PostLogoutRedirectUris { get; init; }
 
     public IReadOnlyDictionary<string, string?>? Properties { get; init; }
+
+    public IReadOnlyCollection<BootstrapClientCertificateBinding>? CertificateBindings { get; init; }
 }
 
 internal sealed record BootstrapInviteRequest
@@ -68,6 +72,25 @@ internal sealed record BootstrapInviteRequest
     public IReadOnlyDictionary<string, string?>? Metadata { get; init; }
 }
 
+internal sealed record BootstrapClientCertificateBinding
+{
+    public string Thumbprint { get; init; } = string.Empty;
+
+    public string? SerialNumber { get; init; }
+
+    public string? Subject { get; init; }
+
+    public string? Issuer { get; init; }
+
+    public IReadOnlyCollection<string>? SubjectAlternativeNames { get; init; }
+
+    public DateTimeOffset? NotBefore { get; init; }
+
+    public DateTimeOffset? NotAfter { get; init; }
+
+    public string? Label { get; init; }
+}
+
 internal static class BootstrapInviteTypes
 {
     public const string User = "user";

src/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthorityOpenIddictConstants.cs

@@ -15,4 +15,14 @@ internal static class AuthorityOpenIddictConstants
     internal const string AuditRequestedScopesProperty = "authority:audit_requested_scopes";
     internal const string AuditGrantedScopesProperty = "authority:audit_granted_scopes";
     internal const string AuditInvalidScopeProperty = "authority:audit_invalid_scope";
+    internal const string ClientSenderConstraintProperty = "authority:client_sender_constraint";
+    internal const string SenderConstraintProperty = "authority:sender_constraint";
+    internal const string DpopKeyThumbprintProperty = "authority:dpop_thumbprint";
+    internal const string DpopProofJwtIdProperty = "authority:dpop_jti";
+    internal const string DpopIssuedAtProperty = "authority:dpop_iat";
+    internal const string DpopConsumedNonceProperty = "authority:dpop_nonce";
+    internal const string ConfirmationClaimType = "cnf";
+    internal const string SenderConstraintClaimType = "authority_sender_constraint";
+    internal const string MtlsCertificateThumbprintProperty = "authority:mtls_thumbprint";
+    internal const string MtlsCertificateHexProperty = "authority:mtls_thumbprint_hex";
 }

src/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/ClientCredentialsHandlers.cs

@@ -5,6 +5,8 @@ using System.Globalization;
 using System.Linq;
 using System.Security.Claims;
 using System.Security.Cryptography;
+using System.Text.Json;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 using OpenIddict.Abstractions;
 using OpenIddict.Extensions;
@@ -18,6 +20,7 @@ using StellaOps.Authority.Storage.Mongo.Documents;
 using StellaOps.Authority.Storage.Mongo.Sessions;
 using StellaOps.Authority.Storage.Mongo.Stores;
 using StellaOps.Authority.RateLimiting;
+using StellaOps.Authority.Security;
 using StellaOps.Cryptography.Audit;
 
 namespace StellaOps.Authority.OpenIddict.Handlers;
@@ -30,6 +33,8 @@ internal sealed class ValidateClientCredentialsHandler : IOpenIddictServerHandle
     private readonly IAuthEventSink auditSink;
     private readonly IAuthorityRateLimiterMetadataAccessor metadataAccessor;
     private readonly TimeProvider timeProvider;
+    private readonly IAuthorityClientCertificateValidator certificateValidator;
+    private readonly IHttpContextAccessor httpContextAccessor;
     private readonly ILogger<ValidateClientCredentialsHandler> logger;
 
     public ValidateClientCredentialsHandler(
@@ -39,6 +44,8 @@ internal sealed class ValidateClientCredentialsHandler : IOpenIddictServerHandle
         IAuthEventSink auditSink,
         IAuthorityRateLimiterMetadataAccessor metadataAccessor,
         TimeProvider timeProvider,
+        IAuthorityClientCertificateValidator certificateValidator,
+        IHttpContextAccessor httpContextAccessor,
         ILogger<ValidateClientCredentialsHandler> logger)
     {
         this.clientStore = clientStore ?? throw new ArgumentNullException(nameof(clientStore));
@@ -47,6 +54,8 @@ internal sealed class ValidateClientCredentialsHandler : IOpenIddictServerHandle
         this.auditSink = auditSink ?? throw new ArgumentNullException(nameof(auditSink));
         this.metadataAccessor = metadataAccessor ?? throw new ArgumentNullException(nameof(metadataAccessor));
         this.timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
+        this.certificateValidator = certificateValidator ?? throw new ArgumentNullException(nameof(certificateValidator));
+        this.httpContextAccessor = httpContextAccessor ?? throw new ArgumentNullException(nameof(httpContextAccessor));
         this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
     }
 
@@ -111,7 +120,44 @@ internal sealed class ValidateClientCredentialsHandler : IOpenIddictServerHandle
             return;
         }
 
-        context.Transaction.Properties[AuthorityOpenIddictConstants.AuditConfidentialProperty] = string.Equals(document.ClientType, "confidential", StringComparison.OrdinalIgnoreCase);
+        var existingSenderConstraint = context.Transaction.Properties.TryGetValue(AuthorityOpenIddictConstants.SenderConstraintProperty, out var senderConstraintValue) && senderConstraintValue is string existingConstraint
+            ? existingConstraint
+            : null;
+
+        var normalizedSenderConstraint = !string.IsNullOrWhiteSpace(existingSenderConstraint)
+            ? existingSenderConstraint
+            : ClientCredentialHandlerHelpers.NormalizeSenderConstraint(document);
+
+        if (!string.IsNullOrWhiteSpace(normalizedSenderConstraint))
+        {
+            context.Transaction.Properties[AuthorityOpenIddictConstants.ClientSenderConstraintProperty] = normalizedSenderConstraint;
+        }
+
+        if (string.Equals(normalizedSenderConstraint, AuthoritySenderConstraintKinds.Mtls, StringComparison.Ordinal))
+        {
+            var httpContext = httpContextAccessor.HttpContext;
+            if (httpContext is null)
+            {
+                context.Reject(OpenIddictConstants.Errors.ServerError, "HTTP context unavailable for mTLS validation.");
+                logger.LogWarning("Client credentials validation failed for {ClientId}: HTTP context unavailable for mTLS validation.", context.ClientId);
+                return;
+            }
+
+            var validation = await certificateValidator.ValidateAsync(httpContext, document, context.CancellationToken).ConfigureAwait(false);
+            if (!validation.Succeeded)
+            {
+                context.Reject(OpenIddictConstants.Errors.InvalidClient, validation.Error ?? "Client certificate validation failed.");
+                logger.LogWarning("Client credentials validation failed for {ClientId}: {Reason}.", context.ClientId, validation.Error ?? "certificate_invalid");
+                return;
+            }
+
+            context.Transaction.Properties[AuthorityOpenIddictConstants.SenderConstraintProperty] = AuthoritySenderConstraintKinds.Mtls;
+            context.Transaction.Properties[AuthorityOpenIddictConstants.MtlsCertificateThumbprintProperty] = validation.ConfirmationThumbprint;
+            context.Transaction.Properties[AuthorityOpenIddictConstants.MtlsCertificateHexProperty] = validation.HexThumbprint;
+        }
+
+        context.Transaction.Properties[AuthorityOpenIddictConstants.AuditConfidentialProperty] =
+            string.Equals(document.ClientType, "confidential", StringComparison.OrdinalIgnoreCase);
 
         IIdentityProviderPlugin? provider = null;
         if (!string.IsNullOrWhiteSpace(document.Plugin))
@@ -278,6 +324,32 @@ internal sealed class HandleClientCredentialsHandler : IOpenIddictServerHandler<
             return;
         }
 
+        var configuredAudiences = ClientCredentialHandlerHelpers.Split(document.Properties, AuthorityClientMetadataKeys.Audiences);
+        if (configuredAudiences.Count > 0)
+        {
+            if (context.Request.Resources is ICollection<string> resources && configuredAudiences.Count > 0)
+            {
+                foreach (var audience in configuredAudiences)
+                {
+                    if (!resources.Contains(audience))
+                    {
+                        resources.Add(audience);
+                    }
+                }
+            }
+
+            if (context.Request.Audiences is ICollection<string> audiencesCollection)
+            {
+                foreach (var audience in configuredAudiences)
+                {
+                    if (!audiencesCollection.Contains(audience))
+                    {
+                        audiencesCollection.Add(audience);
+                    }
+                }
+            }
+        }
+
         var identity = new ClaimsIdentity(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
         identity.AddClaim(new Claim(OpenIddictConstants.Claims.Subject, document.ClientId));
         identity.AddClaim(new Claim(OpenIddictConstants.Claims.ClientId, document.ClientId));
@@ -322,6 +394,8 @@ internal sealed class HandleClientCredentialsHandler : IOpenIddictServerHandler<
             activity?.SetTag("authority.identity_provider", provider.Name);
         }
 
+        ApplySenderConstraintClaims(context, identity, document);
+
         var principal = new ClaimsPrincipal(identity);
 
         var grantedScopes = context.Transaction.Properties.TryGetValue(AuthorityOpenIddictConstants.ClientGrantedScopesProperty, out var scopesValue) &&
@@ -338,6 +412,11 @@ internal sealed class HandleClientCredentialsHandler : IOpenIddictServerHandler<
             principal.SetScopes(Array.Empty<string>());
         }
 
+        if (configuredAudiences.Count > 0)
+        {
+            principal.SetAudiences(configuredAudiences);
+        }
+
         if (provider is not null && descriptor is not null)
         {
             var enrichmentContext = new AuthorityClaimsEnrichmentContext(provider.Context, user: null, descriptor);
@@ -420,10 +499,95 @@ internal sealed class HandleClientCredentialsHandler : IOpenIddictServerHandler<
             ExpiresAt = expiresAt
         };
 
+        if (context.Transaction.Properties.TryGetValue(AuthorityOpenIddictConstants.SenderConstraintProperty, out var constraintObj) &&
+            constraintObj is string senderConstraint &&
+            !string.IsNullOrWhiteSpace(senderConstraint))
+        {
+            record.SenderConstraint = senderConstraint;
+        }
+
+        string? senderThumbprint = null;
+        if (context.Transaction.Properties.TryGetValue(AuthorityOpenIddictConstants.DpopKeyThumbprintProperty, out var dpopThumbprintObj) &&
+            dpopThumbprintObj is string dpopThumbprint &&
+            !string.IsNullOrWhiteSpace(dpopThumbprint))
+        {
+            senderThumbprint = dpopThumbprint;
+        }
+        else if (context.Transaction.Properties.TryGetValue(AuthorityOpenIddictConstants.MtlsCertificateThumbprintProperty, out var mtlsThumbprintObj) &&
+                 mtlsThumbprintObj is string mtlsThumbprint &&
+                 !string.IsNullOrWhiteSpace(mtlsThumbprint))
+        {
+            senderThumbprint = mtlsThumbprint;
+        }
+
+        if (senderThumbprint is not null)
+        {
+            record.SenderKeyThumbprint = senderThumbprint;
+        }
+
+        if (context.Transaction.Properties.TryGetValue(AuthorityOpenIddictConstants.DpopConsumedNonceProperty, out var nonceObj) &&
+            nonceObj is string nonce &&
+            !string.IsNullOrWhiteSpace(nonce))
+        {
+            record.SenderNonce = nonce;
+        }
+
         await tokenStore.InsertAsync(record, context.CancellationToken, session).ConfigureAwait(false);
         context.Transaction.Properties[AuthorityOpenIddictConstants.TokenTransactionProperty] = record;
         activity?.SetTag("authority.token_id", tokenId);
     }
+
+    private static void ApplySenderConstraintClaims(
+        OpenIddictServerEvents.HandleTokenRequestContext context,
+        ClaimsIdentity identity,
+        AuthorityClientDocument document)
+    {
+        _ = document;
+
+        if (!context.Transaction.Properties.TryGetValue(AuthorityOpenIddictConstants.SenderConstraintProperty, out var constraintObj) ||
+            constraintObj is not string senderConstraint ||
+            string.IsNullOrWhiteSpace(senderConstraint))
+        {
+            return;
+        }
+
+        var normalized = senderConstraint.Trim().ToLowerInvariant();
+        context.Transaction.Properties[AuthorityOpenIddictConstants.SenderConstraintProperty] = normalized;
+        identity.SetClaim(AuthorityOpenIddictConstants.SenderConstraintClaimType, normalized);
+
+        switch (normalized)
+        {
+            case AuthoritySenderConstraintKinds.Dpop:
+                if (context.Transaction.Properties.TryGetValue(AuthorityOpenIddictConstants.DpopKeyThumbprintProperty, out var thumbprintObj) &&
+                    thumbprintObj is string thumbprint &&
+                    !string.IsNullOrWhiteSpace(thumbprint))
+                {
+                    var confirmation = JsonSerializer.Serialize(new Dictionary<string, string>
+                    {
+                        ["jkt"] = thumbprint
+                    });
+
+                    identity.SetClaim(AuthorityOpenIddictConstants.ConfirmationClaimType, confirmation);
+                }
+
+                break;
+            case AuthoritySenderConstraintKinds.Mtls:
+                if (context.Transaction.Properties.TryGetValue(AuthorityOpenIddictConstants.MtlsCertificateThumbprintProperty, out var mtlsThumbprintObj) &&
+                    mtlsThumbprintObj is string mtlsThumbprint &&
+                    !string.IsNullOrWhiteSpace(mtlsThumbprint))
+                {
+                    var confirmation = JsonSerializer.Serialize(new Dictionary<string, string>
+                    {
+                        ["x5t#S256"] = mtlsThumbprint
+                    });
+
+                    identity.SetClaim(AuthorityOpenIddictConstants.ConfirmationClaimType, confirmation);
+                }
+
+                break;
+        }
+    }
+
 }
 
 internal static class ClientCredentialHandlerHelpers
@@ -491,4 +655,20 @@ internal static class ClientCredentialHandlerHelpers
             return false;
         }
     }
+
+    public static string? NormalizeSenderConstraint(AuthorityClientDocument document)
+    {
+        if (!string.IsNullOrWhiteSpace(document.SenderConstraint))
+        {
+            return document.SenderConstraint.Trim().ToLowerInvariant();
+        }
+
+        if (document.Properties.TryGetValue(AuthorityClientMetadataKeys.SenderConstraint, out var value) &&
+            !string.IsNullOrWhiteSpace(value))
+        {
+            return value.Trim().ToLowerInvariant();
+        }
+
+        return null;
+    }
 }

src/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DpopHandlers.cs

@@ -0,0 +1,643 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Globalization;
+using System.Linq;
+using System.Text.Json;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Extensions;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Primitives;
+using OpenIddict.Abstractions;
+using OpenIddict.Extensions;
+using OpenIddict.Server;
+using OpenIddict.Server.AspNetCore;
+using StellaOps.Auth.Security.Dpop;
+using StellaOps.Authority.OpenIddict;
+using StellaOps.Authority.RateLimiting;
+using StellaOps.Authority.Security;
+using StellaOps.Authority.Storage.Mongo.Documents;
+using StellaOps.Authority.Storage.Mongo.Stores;
+using StellaOps.Authority.Plugins.Abstractions;
+using StellaOps.Configuration;
+using StellaOps.Cryptography.Audit;
+using Microsoft.IdentityModel.Tokens;
+
+namespace StellaOps.Authority.OpenIddict.Handlers;
+
+internal sealed class ValidateDpopProofHandler : IOpenIddictServerHandler<OpenIddictServerEvents.ValidateTokenRequestContext>
+{
+    private readonly StellaOpsAuthorityOptions authorityOptions;
+    private readonly IAuthorityClientStore clientStore;
+    private readonly IDpopProofValidator proofValidator;
+    private readonly IDpopNonceStore nonceStore;
+    private readonly IAuthorityRateLimiterMetadataAccessor metadataAccessor;
+    private readonly IAuthEventSink auditSink;
+    private readonly TimeProvider clock;
+    private readonly ActivitySource activitySource;
+    private readonly ILogger<ValidateDpopProofHandler> logger;
+
+    public ValidateDpopProofHandler(
+        StellaOpsAuthorityOptions authorityOptions,
+        IAuthorityClientStore clientStore,
+        IDpopProofValidator proofValidator,
+        IDpopNonceStore nonceStore,
+        IAuthorityRateLimiterMetadataAccessor metadataAccessor,
+        IAuthEventSink auditSink,
+        TimeProvider clock,
+        ActivitySource activitySource,
+        ILogger<ValidateDpopProofHandler> logger)
+    {
+        this.authorityOptions = authorityOptions ?? throw new ArgumentNullException(nameof(authorityOptions));
+        this.clientStore = clientStore ?? throw new ArgumentNullException(nameof(clientStore));
+        this.proofValidator = proofValidator ?? throw new ArgumentNullException(nameof(proofValidator));
+        this.nonceStore = nonceStore ?? throw new ArgumentNullException(nameof(nonceStore));
+        this.metadataAccessor = metadataAccessor ?? throw new ArgumentNullException(nameof(metadataAccessor));
+        this.auditSink = auditSink ?? throw new ArgumentNullException(nameof(auditSink));
+        this.clock = clock ?? throw new ArgumentNullException(nameof(clock));
+        this.activitySource = activitySource ?? throw new ArgumentNullException(nameof(activitySource));
+        this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    public async ValueTask HandleAsync(OpenIddictServerEvents.ValidateTokenRequestContext context)
+    {
+        ArgumentNullException.ThrowIfNull(context);
+
+        if (!context.Request.IsClientCredentialsGrantType())
+        {
+            return;
+        }
+
+        using var activity = activitySource.StartActivity("authority.token.validate_dpop", ActivityKind.Internal);
+        activity?.SetTag("authority.endpoint", "/token");
+        activity?.SetTag("authority.grant_type", OpenIddictConstants.GrantTypes.ClientCredentials);
+
+        var clientId = context.ClientId ?? context.Request.ClientId;
+        if (string.IsNullOrWhiteSpace(clientId))
+        {
+            return;
+        }
+
+        context.Transaction.Properties[AuthorityOpenIddictConstants.AuditClientIdProperty] = clientId;
+
+        var senderConstraintOptions = authorityOptions.Security.SenderConstraints;
+        AuthorityClientDocument? clientDocument = await ResolveClientAsync(context, clientId, activity, cancel: context.CancellationToken).ConfigureAwait(false);
+        if (clientDocument is null)
+        {
+            return;
+        }
+
+        var senderConstraint = NormalizeSenderConstraint(clientDocument);
+        context.Transaction.Properties[AuthorityOpenIddictConstants.ClientSenderConstraintProperty] = senderConstraint;
+
+        if (!string.Equals(senderConstraint, AuthoritySenderConstraintKinds.Dpop, StringComparison.Ordinal))
+        {
+            return;
+        }
+
+        var configuredAudiences = EnsureRequestAudiences(context.Request, clientDocument);
+
+        if (!senderConstraintOptions.Dpop.Enabled)
+        {
+            logger.LogError("Client {ClientId} requires DPoP but server-side configuration has DPoP disabled.", clientId);
+            context.Reject(OpenIddictConstants.Errors.ServerError, "DPoP authentication is not enabled.");
+            await WriteAuditAsync(context, clientDocument, AuthEventOutcome.Failure, "DPoP disabled server-side.", null, null, null, "authority.dpop.proof.disabled").ConfigureAwait(false);
+            return;
+        }
+
+        metadataAccessor.SetTag("authority.sender_constraint", AuthoritySenderConstraintKinds.Dpop);
+        activity?.SetTag("authority.sender_constraint", AuthoritySenderConstraintKinds.Dpop);
+
+        HttpRequest? httpRequest = null;
+        HttpResponse? httpResponse = null;
+        if (context.Transaction.Properties.TryGetValue(typeof(HttpContext).FullName!, out var httpContextProperty) &&
+            httpContextProperty is HttpContext capturedContext)
+        {
+            httpRequest = capturedContext.Request;
+            httpResponse = capturedContext.Response;
+        }
+        if (httpRequest is null)
+        {
+            context.Reject(OpenIddictConstants.Errors.ServerError, "Unable to access HTTP context for DPoP validation.");
+            logger.LogError("DPoP validation aborted for {ClientId}: HTTP request not available via transaction.", clientId);
+            await WriteAuditAsync(context, clientDocument, AuthEventOutcome.Failure, "HTTP request unavailable for DPoP.", null, null, null, "authority.dpop.proof.error").ConfigureAwait(false);
+            return;
+        }
+
+        if (!httpRequest.Headers.TryGetValue("DPoP", out StringValues proofHeader) || StringValues.IsNullOrEmpty(proofHeader))
+        {
+            logger.LogWarning("Missing DPoP header for client credentials request from {ClientId}.", clientId);
+            await ChallengeNonceAsync(
+                context,
+                clientDocument,
+                audience: null,
+                thumbprint: null,
+                reasonCode: "missing_proof",
+                description: "DPoP proof is required.",
+                senderConstraintOptions,
+                httpResponse).ConfigureAwait(false);
+            return;
+        }
+
+        var proof = proofHeader.ToString();
+        var requestUri = BuildRequestUri(httpRequest);
+
+        var validationResult = await proofValidator.ValidateAsync(
+            proof,
+            httpRequest.Method,
+            requestUri,
+            cancellationToken: context.CancellationToken).ConfigureAwait(false);
+
+        if (!validationResult.IsValid)
+        {
+            var error = string.IsNullOrWhiteSpace(validationResult.ErrorDescription)
+                ? "DPoP proof validation failed."
+                : validationResult.ErrorDescription;
+
+            logger.LogWarning("DPoP proof validation failed for client {ClientId}: {Reason}.", clientId, error);
+            await ChallengeNonceAsync(
+                context,
+                clientDocument,
+                audience: null,
+                thumbprint: null,
+                reasonCode: validationResult.ErrorCode ?? "invalid_proof",
+                description: error,
+                senderConstraintOptions,
+                httpResponse).ConfigureAwait(false);
+            return;
+        }
+
+        if (validationResult.PublicKey is not Microsoft.IdentityModel.Tokens.JsonWebKey jwk)
+        {
+            logger.LogWarning("DPoP proof for {ClientId} did not expose a JSON Web Key.", clientId);
+            await ChallengeNonceAsync(
+                context,
+                clientDocument,
+                audience: null,
+                thumbprint: null,
+                reasonCode: "invalid_key",
+                description: "DPoP proof must embed a JSON Web Key.",
+                senderConstraintOptions,
+                httpResponse).ConfigureAwait(false);
+            return;
+        }
+
+        object rawThumbprint = jwk.ComputeJwkThumbprint();
+        string thumbprint;
+        if (rawThumbprint is string value && !string.IsNullOrWhiteSpace(value))
+        {
+            thumbprint = value;
+        }
+        else if (rawThumbprint is byte[] bytes)
+        {
+            thumbprint = Base64UrlEncoder.Encode(bytes);
+        }
+        else
+        {
+            throw new InvalidOperationException("DPoP JWK thumbprint could not be computed.");
+        }
+        context.Transaction.Properties[AuthorityOpenIddictConstants.SenderConstraintProperty] = AuthoritySenderConstraintKinds.Dpop;
+        context.Transaction.Properties[AuthorityOpenIddictConstants.DpopKeyThumbprintProperty] = thumbprint;
+        if (!string.IsNullOrWhiteSpace(validationResult.JwtId))
+        {
+            context.Transaction.Properties[AuthorityOpenIddictConstants.DpopProofJwtIdProperty] = validationResult.JwtId;
+        }
+
+        if (validationResult.IssuedAt is { } issuedAt)
+        {
+            context.Transaction.Properties[AuthorityOpenIddictConstants.DpopIssuedAtProperty] = issuedAt;
+        }
+
+        var nonceOptions = senderConstraintOptions.Dpop.Nonce;
+        var requiredAudience = ResolveNonceAudience(context.Request, nonceOptions, configuredAudiences);
+
+        if (nonceOptions.Enabled && requiredAudience is not null)
+        {
+            activity?.SetTag("authority.dpop_nonce_audience", requiredAudience);
+            var suppliedNonce = validationResult.Nonce;
+
+            if (string.IsNullOrWhiteSpace(suppliedNonce))
+            {
+                logger.LogInformation("DPoP nonce challenge issued to {ClientId} for audience {Audience}: nonce missing.", clientId, requiredAudience);
+                await ChallengeNonceAsync(
+                    context,
+                    clientDocument,
+                    requiredAudience,
+                    thumbprint,
+                    "nonce_missing",
+                    "DPoP nonce is required for this audience.",
+                    senderConstraintOptions,
+                    httpResponse).ConfigureAwait(false);
+                return;
+            }
+
+            var consumeResult = await nonceStore.TryConsumeAsync(
+                suppliedNonce,
+                requiredAudience,
+                clientDocument.ClientId,
+                thumbprint,
+                context.CancellationToken).ConfigureAwait(false);
+
+            switch (consumeResult.Status)
+            {
+                case DpopNonceConsumeStatus.Success:
+                    context.Transaction.Properties[AuthorityOpenIddictConstants.DpopConsumedNonceProperty] = suppliedNonce;
+                    break;
+                case DpopNonceConsumeStatus.Expired:
+                    logger.LogInformation("DPoP nonce expired for {ClientId} and audience {Audience}.", clientId, requiredAudience);
+                    await ChallengeNonceAsync(
+                        context,
+                        clientDocument,
+                        requiredAudience,
+                        thumbprint,
+                        "nonce_expired",
+                        "DPoP nonce has expired. Retry with a fresh nonce.",
+                        senderConstraintOptions,
+                        httpResponse).ConfigureAwait(false);
+                    return;
+                default:
+                    logger.LogInformation("DPoP nonce invalid for {ClientId} and audience {Audience}.", clientId, requiredAudience);
+                    await ChallengeNonceAsync(
+                        context,
+                        clientDocument,
+                        requiredAudience,
+                        thumbprint,
+                        "nonce_invalid",
+                        "DPoP nonce is invalid. Request a new nonce and retry.",
+                        senderConstraintOptions,
+                        httpResponse).ConfigureAwait(false);
+                    return;
+            }
+        }
+
+        await WriteAuditAsync(
+                context,
+                clientDocument,
+                AuthEventOutcome.Success,
+                "DPoP proof validated.",
+                thumbprint,
+                validationResult,
+                requiredAudience,
+                "authority.dpop.proof.valid")
+            .ConfigureAwait(false);
+        logger.LogInformation("DPoP proof validated for client {ClientId}.", clientId);
+    }
+
+    private async ValueTask<AuthorityClientDocument?> ResolveClientAsync(
+        OpenIddictServerEvents.ValidateTokenRequestContext context,
+        string clientId,
+        Activity? activity,
+        CancellationToken cancel)
+    {
+        if (context.Transaction.Properties.TryGetValue(AuthorityOpenIddictConstants.ClientTransactionProperty, out var value) &&
+            value is AuthorityClientDocument cached)
+        {
+            activity?.SetTag("authority.client_id", cached.ClientId);
+            return cached;
+        }
+
+        var document = await clientStore.FindByClientIdAsync(clientId, cancel).ConfigureAwait(false);
+        if (document is not null)
+        {
+            context.Transaction.Properties[AuthorityOpenIddictConstants.ClientTransactionProperty] = document;
+            activity?.SetTag("authority.client_id", document.ClientId);
+        }
+
+        return document;
+    }
+
+    private static string? NormalizeSenderConstraint(AuthorityClientDocument document)
+    {
+        if (!string.IsNullOrWhiteSpace(document.SenderConstraint))
+        {
+            return document.SenderConstraint.Trim().ToLowerInvariant();
+        }
+
+        if (document.Properties.TryGetValue(AuthorityClientMetadataKeys.SenderConstraint, out var value) &&
+            !string.IsNullOrWhiteSpace(value))
+        {
+            return value.Trim().ToLowerInvariant();
+        }
+
+        return null;
+    }
+
+    private static IReadOnlyList<string> EnsureRequestAudiences(OpenIddictRequest? request, AuthorityClientDocument document)
+    {
+        if (request is null)
+        {
+            return Array.Empty<string>();
+        }
+
+        var configuredAudiences = ClientCredentialHandlerHelpers.Split(document.Properties, AuthorityClientMetadataKeys.Audiences);
+        if (configuredAudiences.Count == 0)
+        {
+            return configuredAudiences;
+        }
+
+        if (request.Resources is ICollection<string> resources)
+        {
+            foreach (var audience in configuredAudiences)
+            {
+                if (!resources.Contains(audience))
+                {
+                    resources.Add(audience);
+                }
+            }
+        }
+
+        if (request.Audiences is ICollection<string> audiencesCollection)
+        {
+            foreach (var audience in configuredAudiences)
+            {
+                if (!audiencesCollection.Contains(audience))
+                {
+                    audiencesCollection.Add(audience);
+                }
+            }
+        }
+
+        return configuredAudiences;
+    }
+
+    private static Uri BuildRequestUri(HttpRequest request)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+        var url = request.GetDisplayUrl();
+        return new Uri(url, UriKind.Absolute);
+    }
+
+private static string? ResolveNonceAudience(OpenIddictRequest request, AuthorityDpopNonceOptions nonceOptions, IReadOnlyList<string> configuredAudiences)
+    {
+        if (!nonceOptions.Enabled || request is null)
+        {
+            return null;
+        }
+
+        if (request.Resources is not null)
+        {
+            foreach (var resource in request.Resources)
+            {
+                if (string.IsNullOrWhiteSpace(resource))
+                {
+                    continue;
+                }
+
+                var normalized = resource.Trim();
+                if (nonceOptions.RequiredAudiences.Contains(normalized))
+                {
+                    return normalized;
+                }
+            }
+        }
+
+        if (request.Audiences is not null)
+        {
+            foreach (var audience in request.Audiences)
+            {
+                if (string.IsNullOrWhiteSpace(audience))
+                {
+                    continue;
+                }
+
+                var normalized = audience.Trim();
+                if (nonceOptions.RequiredAudiences.Contains(normalized))
+                {
+                    return normalized;
+                }
+            }
+        }
+
+        if (configuredAudiences is { Count: > 0 })
+        {
+            foreach (var audience in configuredAudiences)
+            {
+                if (string.IsNullOrWhiteSpace(audience))
+                {
+                    continue;
+                }
+
+                var normalized = audience.Trim();
+                if (nonceOptions.RequiredAudiences.Contains(normalized))
+                {
+                    return normalized;
+                }
+            }
+        }
+
+        return null;
+    }
+
+    private async ValueTask ChallengeNonceAsync(
+        OpenIddictServerEvents.ValidateTokenRequestContext context,
+        AuthorityClientDocument clientDocument,
+        string? audience,
+        string? thumbprint,
+        string reasonCode,
+        string description,
+        AuthoritySenderConstraintOptions senderConstraintOptions,
+        HttpResponse? httpResponse)
+    {
+        context.Reject(OpenIddictConstants.Errors.InvalidClient, description);
+        metadataAccessor.SetTag("authority.dpop_result", reasonCode);
+
+        string? issuedNonce = null;
+        DateTimeOffset? expiresAt = null;
+        if (audience is not null && thumbprint is not null && senderConstraintOptions.Dpop.Nonce.Enabled)
+        {
+            var issuance = await nonceStore.IssueAsync(
+                audience,
+                clientDocument.ClientId,
+                thumbprint,
+                senderConstraintOptions.Dpop.Nonce.Ttl,
+                senderConstraintOptions.Dpop.Nonce.MaxIssuancePerMinute,
+                context.CancellationToken).ConfigureAwait(false);
+
+            if (issuance.Status == DpopNonceIssueStatus.Success)
+            {
+                issuedNonce = issuance.Nonce;
+                expiresAt = issuance.ExpiresAt;
+            }
+            else
+            {
+                logger.LogWarning("Unable to issue DPoP nonce for {ClientId} (audience {Audience}): {Status}.", clientDocument.ClientId, audience, issuance.Status);
+            }
+        }
+
+        if (httpResponse is not null)
+        {
+            httpResponse.Headers["WWW-Authenticate"] = BuildAuthenticateHeader(reasonCode, description, issuedNonce);
+
+            if (!string.IsNullOrWhiteSpace(issuedNonce))
+            {
+                httpResponse.Headers["DPoP-Nonce"] = issuedNonce;
+            }
+        }
+
+        await WriteAuditAsync(
+                context,
+                clientDocument,
+                AuthEventOutcome.Failure,
+                description,
+                thumbprint,
+                validationResult: null,
+                audience,
+                "authority.dpop.proof.challenge",
+                reasonCode,
+                issuedNonce,
+                expiresAt)
+            .ConfigureAwait(false);
+    }
+
+    private static string BuildAuthenticateHeader(string reasonCode, string description, string? nonce)
+    {
+        var parameters = new Dictionary<string, string?>
+        {
+            ["error"] = string.Equals(reasonCode, "nonce_missing", StringComparison.OrdinalIgnoreCase)
+                ? "use_dpop_nonce"
+                : "invalid_dpop_proof",
+            ["error_description"] = description
+        };
+
+        if (!string.IsNullOrWhiteSpace(nonce))
+        {
+            parameters["dpop-nonce"] = nonce;
+        }
+
+        var segments = new List<string>();
+        foreach (var kvp in parameters)
+        {
+            if (kvp.Value is null)
+            {
+                continue;
+            }
+
+            segments.Add($"{kvp.Key}=\"{EscapeHeaderValue(kvp.Value)}\"");
+        }
+
+        return segments.Count > 0
+            ? $"DPoP {string.Join(", ", segments)}"
+            : "DPoP";
+
+        static string EscapeHeaderValue(string value)
+            => value
+                .Replace("\\", "\\\\", StringComparison.Ordinal)
+                .Replace("\"", "\\\"", StringComparison.Ordinal);
+    }
+
+    private async ValueTask WriteAuditAsync(
+        OpenIddictServerEvents.ValidateTokenRequestContext context,
+        AuthorityClientDocument clientDocument,
+        AuthEventOutcome outcome,
+        string reason,
+        string? thumbprint,
+        DpopValidationResult? validationResult,
+        string? audience,
+        string eventType,
+        string? reasonCode = null,
+        string? issuedNonce = null,
+        DateTimeOffset? nonceExpiresAt = null)
+    {
+        var metadata = metadataAccessor.GetMetadata();
+        var properties = new List<AuthEventProperty>
+        {
+            new()
+            {
+                Name = "sender.constraint",
+                Value = ClassifiedString.Public(AuthoritySenderConstraintKinds.Dpop)
+            }
+        };
+
+        if (!string.IsNullOrWhiteSpace(reasonCode))
+        {
+            properties.Add(new AuthEventProperty
+            {
+                Name = "dpop.reason_code",
+                Value = ClassifiedString.Public(reasonCode)
+            });
+        }
+
+        if (!string.IsNullOrWhiteSpace(thumbprint))
+        {
+            properties.Add(new AuthEventProperty
+            {
+                Name = "dpop.jkt",
+                Value = ClassifiedString.Public(thumbprint)
+            });
+        }
+
+        if (validationResult?.JwtId is not null)
+        {
+            properties.Add(new AuthEventProperty
+            {
+                Name = "dpop.jti",
+                Value = ClassifiedString.Public(validationResult.JwtId)
+            });
+        }
+
+        if (validationResult?.IssuedAt is { } issuedAt)
+        {
+            properties.Add(new AuthEventProperty
+            {
+                Name = "dpop.issued_at",
+                Value = ClassifiedString.Public(issuedAt.ToString("O", CultureInfo.InvariantCulture))
+            });
+        }
+
+        if (audience is not null)
+        {
+            properties.Add(new AuthEventProperty
+            {
+                Name = "dpop.audience",
+                Value = ClassifiedString.Public(audience)
+            });
+        }
+
+        if (!string.IsNullOrWhiteSpace(validationResult?.Nonce))
+        {
+            properties.Add(new AuthEventProperty
+            {
+                Name = "dpop.nonce.presented",
+                Value = ClassifiedString.Sensitive(validationResult.Nonce)
+            });
+        }
+
+        if (!string.IsNullOrWhiteSpace(issuedNonce))
+        {
+            properties.Add(new AuthEventProperty
+            {
+                Name = "dpop.nonce.issued",
+                Value = ClassifiedString.Sensitive(issuedNonce)
+            });
+        }
+
+        if (nonceExpiresAt is { } expiresAt)
+        {
+            properties.Add(new AuthEventProperty
+            {
+                Name = "dpop.nonce.expires_at",
+                Value = ClassifiedString.Public(expiresAt.ToString("O", CultureInfo.InvariantCulture))
+            });
+        }
+
+        var confidential = string.Equals(clientDocument.ClientType, "confidential", StringComparison.OrdinalIgnoreCase);
+
+        var record = ClientCredentialsAuditHelper.CreateRecord(
+            clock,
+            context.Transaction,
+            metadata,
+            clientSecret: null,
+            outcome,
+            reason,
+            clientDocument.ClientId,
+            providerName: clientDocument.Plugin,
+            confidential,
+            requestedScopes: Array.Empty<string>(),
+            grantedScopes: Array.Empty<string>(),
+            invalidScope: null,
+            extraProperties: properties,
+            eventType: eventType);
+
+        await auditSink.WriteAsync(record, context.CancellationToken).ConfigureAwait(false);
+    }
+}

src/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenPersistenceHandlers.cs

@@ -4,6 +4,7 @@ using System.Diagnostics;
 using System.Globalization;
 using System.Linq;
 using System.Security.Claims;
+using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
@@ -92,6 +93,33 @@ internal sealed class PersistTokensHandler : IOpenIddictServerHandler<OpenIddict
             ExpiresAt = TryGetExpiration(principal)
         };
 
+        var senderConstraint = principal.GetClaim(AuthorityOpenIddictConstants.SenderConstraintClaimType);
+        if (!string.IsNullOrWhiteSpace(senderConstraint))
+        {
+            document.SenderConstraint = senderConstraint;
+        }
+
+        var confirmation = principal.GetClaim(AuthorityOpenIddictConstants.ConfirmationClaimType);
+        if (!string.IsNullOrWhiteSpace(confirmation))
+        {
+            try
+            {
+                using var json = JsonDocument.Parse(confirmation);
+                if (json.RootElement.TryGetProperty("jkt", out var thumbprintElement))
+                {
+                    document.SenderKeyThumbprint = thumbprintElement.GetString();
+                }
+                else if (json.RootElement.TryGetProperty("x5t#S256", out var certificateThumbprintElement))
+                {
+                    document.SenderKeyThumbprint = certificateThumbprintElement.GetString();
+                }
+            }
+            catch (JsonException)
+            {
+                // Ignore malformed confirmation claims in persistence layer.
+            }
+        }
+
         try
         {
             await tokenStore.InsertAsync(document, cancellationToken, session).ConfigureAwait(false);

src/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenValidationHandlers.cs

@@ -3,6 +3,7 @@ using System.Collections.Generic;
 using System.Diagnostics;
 using System.Globalization;
 using System.Security.Claims;
+using System.Text.Json;
 using Microsoft.Extensions.Logging;
 using OpenIddict.Abstractions;
 using OpenIddict.Extensions;
@@ -16,6 +17,7 @@ using StellaOps.Authority.Storage.Mongo.Documents;
 using StellaOps.Authority.Storage.Mongo.Sessions;
 using StellaOps.Authority.Storage.Mongo.Stores;
 using StellaOps.Cryptography.Audit;
+using StellaOps.Authority.Security;
 
 namespace StellaOps.Authority.OpenIddict.Handlers;
 
@@ -106,6 +108,11 @@ internal sealed class ValidateAccessTokenHandler : IOpenIddictServerHandler<Open
             }
         }
 
+        if (tokenDocument is not null)
+        {
+            EnsureSenderConstraintClaims(context.Principal, tokenDocument);
+        }
+
         if (!context.IsRejected && tokenDocument is not null)
         {
             await TrackTokenUsageAsync(context, tokenDocument, context.Principal, session).ConfigureAwait(false);
@@ -272,4 +279,46 @@ internal sealed class ValidateAccessTokenHandler : IOpenIddictServerHandler<Open
 
         await auditSink.WriteAsync(record, cancellationToken).ConfigureAwait(false);
     }
+
+    private static void EnsureSenderConstraintClaims(ClaimsPrincipal? principal, AuthorityTokenDocument tokenDocument)
+    {
+        if (principal?.Identity is not ClaimsIdentity identity)
+        {
+            return;
+        }
+
+        if (!string.IsNullOrWhiteSpace(tokenDocument.SenderConstraint) &&
+            !identity.HasClaim(claim => claim.Type == AuthorityOpenIddictConstants.SenderConstraintClaimType))
+        {
+            identity.SetClaim(AuthorityOpenIddictConstants.SenderConstraintClaimType, tokenDocument.SenderConstraint);
+        }
+
+        if (identity.HasClaim(claim => claim.Type == AuthorityOpenIddictConstants.ConfirmationClaimType))
+        {
+            return;
+        }
+
+        if (string.IsNullOrWhiteSpace(tokenDocument.SenderConstraint) || string.IsNullOrWhiteSpace(tokenDocument.SenderKeyThumbprint))
+        {
+            return;
+        }
+
+        string confirmation = tokenDocument.SenderConstraint switch
+        {
+            AuthoritySenderConstraintKinds.Dpop => JsonSerializer.Serialize(new Dictionary<string, string>
+            {
+                ["jkt"] = tokenDocument.SenderKeyThumbprint
+            }),
+            AuthoritySenderConstraintKinds.Mtls => JsonSerializer.Serialize(new Dictionary<string, string>
+            {
+                ["x5t#S256"] = tokenDocument.SenderKeyThumbprint
+            }),
+            _ => string.Empty
+        };
+
+        if (!string.IsNullOrEmpty(confirmation))
+        {
+            identity.SetClaim(AuthorityOpenIddictConstants.ConfirmationClaimType, confirmation);
+        }
+    }
 }

src/StellaOps.Authority/StellaOps.Authority/Program.cs

@@ -38,8 +38,10 @@ using StellaOps.Authority.Revocation;
 using StellaOps.Authority.Signing;
 using StellaOps.Cryptography;
 using StellaOps.Authority.Storage.Mongo.Documents;
+using StellaOps.Authority.Security;
 #if STELLAOPS_AUTH_SECURITY
 using StellaOps.Auth.Security.Dpop;
+using StackExchange.Redis;
 #endif
 
 var builder = WebApplication.CreateBuilder(args);
@@ -98,6 +100,7 @@ builder.Services.AddHttpContextAccessor();
 builder.Services.TryAddSingleton<TimeProvider>(_ => TimeProvider.System);
 builder.Services.TryAddSingleton<IAuthorityRateLimiterMetadataAccessor, AuthorityRateLimiterMetadataAccessor>();
 builder.Services.TryAddSingleton<IAuthorityRateLimiterPartitionKeyResolver, DefaultAuthorityRateLimiterPartitionKeyResolver>();
+builder.Services.AddSingleton<IAuthorityClientCertificateValidator, AuthorityClientCertificateValidator>();
 
 #if STELLAOPS_AUTH_SECURITY
 var senderConstraints = authorityOptions.Security.SenderConstraints;
@@ -119,6 +122,29 @@ builder.Services.AddOptions<DpopValidationOptions>()
 
 builder.Services.TryAddSingleton<IDpopReplayCache>(provider => new InMemoryDpopReplayCache(provider.GetService<TimeProvider>()));
 builder.Services.TryAddSingleton<IDpopProofValidator, DpopProofValidator>();
+if (string.Equals(senderConstraints.Dpop.Nonce.Store, "redis", StringComparison.OrdinalIgnoreCase))
+{
+    builder.Services.TryAddSingleton<IConnectionMultiplexer>(_ =>
+        ConnectionMultiplexer.Connect(senderConstraints.Dpop.Nonce.RedisConnectionString!));
+
+    builder.Services.TryAddSingleton<IDpopNonceStore>(provider =>
+    {
+        var multiplexer = provider.GetRequiredService<IConnectionMultiplexer>();
+        var timeProvider = provider.GetService<TimeProvider>();
+        return new RedisDpopNonceStore(multiplexer, timeProvider);
+    });
+}
+else
+{
+    builder.Services.TryAddSingleton<IDpopNonceStore>(provider =>
+    {
+        var timeProvider = provider.GetService<TimeProvider>();
+        var nonceLogger = provider.GetService<ILogger<InMemoryDpopNonceStore>>();
+        return new InMemoryDpopNonceStore(timeProvider, nonceLogger);
+    });
+}
+
+builder.Services.AddScoped<ValidateDpopProofHandler>();
 #endif
 
 builder.Services.AddRateLimiter(rateLimiterOptions =>
@@ -219,6 +245,13 @@ builder.Services.AddOpenIddict()
             aspNetCoreBuilder.DisableTransportSecurityRequirement();
         }
 
+#if STELLAOPS_AUTH_SECURITY
+        options.AddEventHandler<OpenIddictServerEvents.ValidateTokenRequestContext>(descriptor =>
+        {
+            descriptor.UseScopedHandler<ValidateDpopProofHandler>();
+        });
+#endif
+
         options.AddEventHandler<OpenIddictServerEvents.ValidateTokenRequestContext>(descriptor =>
         {
             descriptor.UseScopedHandler<ValidatePasswordGrantHandler>();
@@ -723,6 +756,33 @@ if (authorityOptions.Bootstrap.Enabled)
             ? new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase)
             : new Dictionary<string, string?>(request.Properties, StringComparer.OrdinalIgnoreCase);
 
+        IReadOnlyCollection<AuthorityClientCertificateBindingRegistration>? certificateBindings = null;
+        if (request.CertificateBindings is not null)
+        {
+            var bindingRegistrations = new List<AuthorityClientCertificateBindingRegistration>(request.CertificateBindings.Count);
+            foreach (var binding in request.CertificateBindings)
+            {
+                if (binding is null || string.IsNullOrWhiteSpace(binding.Thumbprint))
+                {
+                    await ReleaseInviteAsync("Certificate binding thumbprint is required.");
+                    await WriteBootstrapClientAuditAsync(AuthEventOutcome.Failure, "Certificate binding thumbprint is required.", request.ClientId, null, provider.Name, request.AllowedScopes ?? Array.Empty<string>(), request.Confidential, inviteToken).ConfigureAwait(false);
+                    return Results.BadRequest(new { error = "invalid_request", message = "Certificate binding thumbprint is required." });
+                }
+
+                bindingRegistrations.Add(new AuthorityClientCertificateBindingRegistration(
+                    binding.Thumbprint,
+                    binding.SerialNumber,
+                    binding.Subject,
+                    binding.Issuer,
+                    binding.SubjectAlternativeNames,
+                    binding.NotBefore,
+                    binding.NotAfter,
+                    binding.Label));
+            }
+
+            certificateBindings = bindingRegistrations;
+        }
+
         var registration = new AuthorityClientRegistration(
             request.ClientId,
             request.Confidential,
@@ -730,9 +790,11 @@ if (authorityOptions.Bootstrap.Enabled)
             request.ClientSecret,
             request.AllowedGrantTypes ?? Array.Empty<string>(),
             request.AllowedScopes ?? Array.Empty<string>(),
+            request.AllowedAudiences ?? Array.Empty<string>(),
             redirectUris,
             postLogoutUris,
-            properties);
+            properties,
+            certificateBindings);
 
         var result = await provider.ClientProvisioning.CreateOrUpdateAsync(registration, cancellationToken).ConfigureAwait(false);
 
@@ -1149,7 +1211,7 @@ static PluginHostOptions BuildPluginHostOptions(StellaOpsAuthorityOptions option
     {
         BaseDirectory = basePath,
         PluginsDirectory = string.IsNullOrWhiteSpace(pluginDirectory)
-            ? Path.Combine("PluginBinaries", "Authority")
+            ? "StellaOps.Authority.PluginBinaries"
             : pluginDirectory,
         PrimaryPrefix = "StellaOps.Authority"
     };

src/StellaOps.Authority/StellaOps.Authority/Security/AuthorityClientCertificateValidationResult.cs

@@ -0,0 +1,32 @@
+using System;
+using StellaOps.Authority.Storage.Mongo.Documents;
+
+namespace StellaOps.Authority.Security;
+
+internal sealed class AuthorityClientCertificateValidationResult
+{
+    private AuthorityClientCertificateValidationResult(bool succeeded, string? confirmationThumbprint, string? hexThumbprint, AuthorityClientCertificateBinding? binding, string? error)
+    {
+        Succeeded = succeeded;
+        ConfirmationThumbprint = confirmationThumbprint;
+        HexThumbprint = hexThumbprint;
+        Binding = binding;
+        Error = error;
+    }
+
+    public bool Succeeded { get; }
+
+    public string? ConfirmationThumbprint { get; }
+
+    public string? HexThumbprint { get; }
+
+    public AuthorityClientCertificateBinding? Binding { get; }
+
+    public string? Error { get; }
+
+    public static AuthorityClientCertificateValidationResult Success(string confirmationThumbprint, string hexThumbprint, AuthorityClientCertificateBinding binding)
+        => new(true, confirmationThumbprint, hexThumbprint, binding, null);
+
+    public static AuthorityClientCertificateValidationResult Failure(string error)
+        => new(false, null, null, null, error);
+}

src/StellaOps.Authority/StellaOps.Authority/Security/AuthorityClientCertificateValidator.cs

@@ -0,0 +1,283 @@
+using System;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading;
+using System.Threading.Tasks;
+using System.Formats.Asn1;
+using System.Net;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
+using StellaOps.Authority.Storage.Mongo.Documents;
+using StellaOps.Configuration;
+using Microsoft.IdentityModel.Tokens;
+
+namespace StellaOps.Authority.Security;
+
+internal sealed class AuthorityClientCertificateValidator : IAuthorityClientCertificateValidator
+{
+    private readonly StellaOpsAuthorityOptions authorityOptions;
+    private readonly TimeProvider timeProvider;
+    private readonly ILogger<AuthorityClientCertificateValidator> logger;
+
+    public AuthorityClientCertificateValidator(
+        StellaOpsAuthorityOptions authorityOptions,
+        TimeProvider timeProvider,
+        ILogger<AuthorityClientCertificateValidator> logger)
+    {
+        this.authorityOptions = authorityOptions ?? throw new ArgumentNullException(nameof(authorityOptions));
+        this.timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
+        this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    public ValueTask<AuthorityClientCertificateValidationResult> ValidateAsync(HttpContext httpContext, AuthorityClientDocument client, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(httpContext);
+        ArgumentNullException.ThrowIfNull(client);
+
+        var certificate = httpContext.Connection.ClientCertificate;
+        if (certificate is null)
+        {
+            logger.LogWarning("mTLS validation failed for {ClientId}: no client certificate present.", client.ClientId);
+            return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Failure("client_certificate_required"));
+        }
+
+        var mtlsOptions = authorityOptions.Security.SenderConstraints.Mtls;
+        var requiresChain = mtlsOptions.RequireChainValidation || mtlsOptions.AllowedCertificateAuthorities.Count > 0;
+
+        X509Chain? chain = null;
+        var chainBuilt = false;
+        try
+        {
+            if (requiresChain)
+            {
+                chain = CreateChain();
+                chainBuilt = TryBuildChain(chain, certificate);
+                if (mtlsOptions.RequireChainValidation && !chainBuilt)
+                {
+                    logger.LogWarning("mTLS validation failed for {ClientId}: certificate chain validation failed.", client.ClientId);
+                    return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Failure("certificate_chain_invalid"));
+                }
+            }
+
+        var now = timeProvider.GetUtcNow();
+        if (now < certificate.NotBefore || now > certificate.NotAfter)
+        {
+            logger.LogWarning("mTLS validation failed for {ClientId}: certificate outside validity window (notBefore={NotBefore:o}, notAfter={NotAfter:o}).", client.ClientId, certificate.NotBefore, certificate.NotAfter);
+            return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Failure("certificate_expired"));
+        }
+
+        if (mtlsOptions.NormalizedSubjectPatterns.Count > 0 &&
+            !mtlsOptions.NormalizedSubjectPatterns.Any(pattern => pattern.IsMatch(certificate.Subject)))
+        {
+            logger.LogWarning("mTLS validation failed for {ClientId}: subject {Subject} did not match allowed patterns.", client.ClientId, certificate.Subject);
+            return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Failure("certificate_subject_mismatch"));
+        }
+
+        var subjectAlternativeNames = GetSubjectAlternativeNames(certificate);
+        if (mtlsOptions.AllowedSanTypes.Count > 0)
+        {
+            if (subjectAlternativeNames.Count == 0)
+            {
+                logger.LogWarning("mTLS validation failed for {ClientId}: certificate does not contain subject alternative names.", client.ClientId);
+                return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Failure("certificate_san_missing"));
+            }
+
+            if (subjectAlternativeNames.Any(san => !mtlsOptions.AllowedSanTypes.Contains(san.Type)))
+            {
+                logger.LogWarning("mTLS validation failed for {ClientId}: certificate SAN types [{Types}] not allowed.", client.ClientId, string.Join(",", subjectAlternativeNames.Select(san => san.Type)));
+                return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Failure("certificate_san_type"));
+            }
+
+            if (!subjectAlternativeNames.Any(san => mtlsOptions.AllowedSanTypes.Contains(san.Type)))
+            {
+                logger.LogWarning("mTLS validation failed for {ClientId}: certificate SANs did not include any of the required types.", client.ClientId);
+                return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Failure("certificate_san_missing_required"));
+            }
+        }
+
+        if (mtlsOptions.AllowedCertificateAuthorities.Count > 0)
+        {
+            var allowedCas = mtlsOptions.AllowedCertificateAuthorities
+                .Where(value => !string.IsNullOrWhiteSpace(value))
+                .Select(value => value.Trim())
+                .ToHashSet(StringComparer.OrdinalIgnoreCase);
+
+            var matchedCa = false;
+            if (chainBuilt && chain is not null)
+            {
+                foreach (var element in chain.ChainElements.Cast<X509ChainElement>().Skip(1))
+                {
+                    if (allowedCas.Contains(element.Certificate.Subject))
+                    {
+                        matchedCa = true;
+                        break;
+                    }
+                }
+            }
+
+            if (!matchedCa && allowedCas.Contains(certificate.Issuer))
+            {
+                matchedCa = true;
+            }
+
+            if (!matchedCa)
+            {
+                logger.LogWarning("mTLS validation failed for {ClientId}: certificate issuer {Issuer} is not allow-listed.", client.ClientId, certificate.Issuer);
+                return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Failure("certificate_ca_untrusted"));
+            }
+        }
+
+        if (client.CertificateBindings.Count == 0)
+        {
+            logger.LogWarning("mTLS validation failed for {ClientId}: no certificate bindings registered for client.", client.ClientId);
+            return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Failure("certificate_binding_missing"));
+        }
+
+        var certificateHash = certificate.GetCertHash(HashAlgorithmName.SHA256);
+        var hexThumbprint = Convert.ToHexString(certificateHash);
+        var base64Thumbprint = Base64UrlEncoder.Encode(certificateHash);
+
+        var binding = client.CertificateBindings.FirstOrDefault(b => string.Equals(b.Thumbprint, hexThumbprint, StringComparison.OrdinalIgnoreCase));
+        if (binding is null)
+        {
+            logger.LogWarning("mTLS validation failed for {ClientId}: certificate thumbprint {Thumbprint} not registered.", client.ClientId, hexThumbprint);
+            return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Failure("certificate_unbound"));
+        }
+
+        if (binding.NotBefore is { } bindingNotBefore)
+        {
+            var effectiveNotBefore = bindingNotBefore - mtlsOptions.RotationGrace;
+            if (now < effectiveNotBefore)
+            {
+                logger.LogWarning("mTLS validation failed for {ClientId}: certificate binding not active until {NotBefore:o} (grace applied).", client.ClientId, bindingNotBefore);
+                return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Failure("certificate_binding_inactive"));
+            }
+        }
+
+        if (binding.NotAfter is { } bindingNotAfter)
+        {
+            var effectiveNotAfter = bindingNotAfter + mtlsOptions.RotationGrace;
+            if (now > effectiveNotAfter)
+            {
+                logger.LogWarning("mTLS validation failed for {ClientId}: certificate binding expired at {NotAfter:o} (grace applied).", client.ClientId, bindingNotAfter);
+                return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Failure("certificate_binding_expired"));
+            }
+        }
+
+        return ValueTask.FromResult(AuthorityClientCertificateValidationResult.Success(base64Thumbprint, hexThumbprint, binding));
+        }
+        finally
+        {
+            chain?.Dispose();
+        }
+    }
+
+    private static X509Chain CreateChain()
+        => new()
+        {
+            ChainPolicy =
+            {
+                RevocationMode = X509RevocationMode.NoCheck,
+                RevocationFlag = X509RevocationFlag.ExcludeRoot,
+                VerificationFlags = X509VerificationFlags.IgnoreWrongUsage
+            }
+        };
+
+    private bool TryBuildChain(X509Chain chain, X509Certificate2 certificate)
+    {
+        try
+        {
+            return chain.Build(certificate);
+        }
+        catch (Exception ex)
+        {
+            logger.LogWarning(ex, "mTLS chain validation threw an exception.");
+            return false;
+        }
+    }
+
+    private static IReadOnlyList<(string Type, string Value)> GetSubjectAlternativeNames(X509Certificate2 certificate)
+    {
+        foreach (var extension in certificate.Extensions)
+        {
+            if (!string.Equals(extension.Oid?.Value, "2.5.29.17", StringComparison.Ordinal))
+            {
+                continue;
+            }
+
+            try
+            {
+                var reader = new AsnReader(extension.RawData, AsnEncodingRules.DER);
+                var sequence = reader.ReadSequence();
+                var results = new List<(string, string)>();
+
+                while (sequence.HasData)
+                {
+                    var tag = sequence.PeekTag();
+                    if (tag.TagClass != TagClass.ContextSpecific)
+                    {
+                        sequence.ReadEncodedValue();
+                        continue;
+                    }
+
+                    switch (tag.TagValue)
+                    {
+                        case 2:
+                            {
+                                var dns = sequence.ReadCharacterString(UniversalTagNumber.IA5String, new Asn1Tag(TagClass.ContextSpecific, 2));
+                                results.Add(("dns", dns));
+                                break;
+                            }
+                        case 6:
+                            {
+                                var uri = sequence.ReadCharacterString(UniversalTagNumber.IA5String, new Asn1Tag(TagClass.ContextSpecific, 6));
+                                results.Add(("uri", uri));
+                                break;
+                            }
+                        case 7:
+                            {
+                                var bytes = sequence.ReadOctetString(new Asn1Tag(TagClass.ContextSpecific, 7));
+                                var ip = new IPAddress(bytes).ToString();
+                                results.Add(("ip", ip));
+                                break;
+                            }
+                        default:
+                            sequence.ReadEncodedValue();
+                            break;
+                    }
+                }
+
+                return results;
+            }
+            catch
+            {
+                return Array.Empty<(string, string)>();
+            }
+        }
+
+        return Array.Empty<(string, string)>();
+    }
+    private bool ValidateCertificateChain(X509Certificate2 certificate)
+    {
+        using var chain = new X509Chain
+        {
+            ChainPolicy =
+            {
+                RevocationMode = X509RevocationMode.NoCheck,
+                RevocationFlag = X509RevocationFlag.ExcludeRoot,
+                VerificationFlags = X509VerificationFlags.IgnoreWrongUsage
+            }
+        };
+
+        try
+        {
+            return chain.Build(certificate);
+        }
+        catch (Exception ex)
+        {
+            logger.LogWarning(ex, "mTLS chain validation threw an exception.");
+            return false;
+        }
+    }
+}

src/StellaOps.Authority/StellaOps.Authority/Security/AuthoritySenderConstraintKinds.cs

@@ -0,0 +1,10 @@
+namespace StellaOps.Authority.Security;
+
+/// <summary>
+/// Canonical string identifiers for Authority sender-constraint policies.
+/// </summary>
+internal static class AuthoritySenderConstraintKinds
+{
+    internal const string Dpop = "dpop";
+    internal const string Mtls = "mtls";
+}

src/StellaOps.Authority/StellaOps.Authority/Security/IAuthorityClientCertificateValidator.cs

@@ -0,0 +1,11 @@
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+using StellaOps.Authority.Storage.Mongo.Documents;
+
+namespace StellaOps.Authority.Security;
+
+internal interface IAuthorityClientCertificateValidator
+{
+    ValueTask<AuthorityClientCertificateValidationResult> ValidateAsync(HttpContext httpContext, AuthorityClientDocument client, CancellationToken cancellationToken);
+}

src/StellaOps.Authority/StellaOps.Authority/StellaOps.Authority.csproj

@@ -17,6 +17,7 @@
     <PackageReference Include="OpenTelemetry.Instrumentation.Runtime" Version="1.12.0" />
     <PackageReference Include="Serilog.AspNetCore" Version="8.0.1" />
     <PackageReference Include="Serilog.Sinks.Console" Version="5.0.1" />
+    <PackageReference Include="StackExchange.Redis" Version="2.8.24" />
     <ProjectReference Include="..\StellaOps.Authority.Plugins.Abstractions\StellaOps.Authority.Plugins.Abstractions.csproj" />
     <ProjectReference Include="..\StellaOps.Authority.Plugin.Standard\StellaOps.Authority.Plugin.Standard.csproj" />
     <ProjectReference Include="..\StellaOps.Authority.Storage.Mongo\StellaOps.Authority.Storage.Mongo.csproj" />

src/StellaOps.Authority/TASKS.md

@@ -20,10 +20,13 @@
 | AUTHCORE-STORAGE-DEVICE-TOKENS | DONE (2025-10-14) | Authority Core, Storage Guild | AUTHCORE-BUILD-OPENIDDICT | Reintroduce `AuthorityTokenDeviceDocument` + projections removed during refactor so storage layer compiles. | ✅ Document type restored with mappings/migrations; ✅ Storage tests cover device artifacts; ✅ Authority solution build green. |
 | AUTHCORE-BOOTSTRAP-INVITES | DONE (2025-10-14) | Authority Core, DevOps | AUTHCORE-STORAGE-DEVICE-TOKENS | Wire bootstrap invite cleanup service against restored document schema and re-enable lifecycle tests. | ✅ `BootstrapInviteCleanupService` passes integration tests; ✅ Operator guide updated if behavior changes; ✅ Build/test matrices green. |
 | AUTHSTORAGE-MONGO-08-001 | DONE (2025-10-19) | Authority Core & Storage Guild | — | Harden Mongo session usage with causal consistency for mutations and follow-up reads. | • Scoped middleware/service creates `IClientSessionHandle` with causal consistency + majority read/write concerns<br>• Stores accept optional session parameter and reuse it for write + immediate reads<br>• GraphQL/HTTP pipelines updated to flow session through post-mutation queries<br>• Replica-set integration test exercises primary election and verifies read-your-write guarantees |
-| AUTH-DPOP-11-001 | DOING (2025-10-19) | Authority Core & Security Guild | — | Implement DPoP proof validation + nonce handling for high-value audiences per architecture. | • DPoP proof validator verifies method/uri/hash, jwk thumbprint, and replay nonce per spec<br>• Nonce issuance endpoint integrated with audit + rate limits; high-value audiences enforce nonce requirement<br>• Integration tests cover success/failure paths (expired nonce, replay, invalid proof) and docs outline operator configuration |
-| AUTH-MTLS-11-002 | DOING (2025-10-19) | Authority Core & Security Guild | — | Add OAuth mTLS client credential support with certificate-bound tokens and introspection updates. | • Client registration stores certificate bindings and enforces SAN/thumbprint validation during token issuance<br>• Token endpoint returns certificate-bound access tokens + PoP proof metadata; introspection reflects binding state<br>• End-to-end tests validate successful mTLS issuance, rejection of unbound certs, and docs capture configuration/rotation guidance |
-> Remark (2025-10-19, AUTHSTORAGE-MONGO-08-001): Session accessor wired through Authority pipeline; stores accept optional sessions; added replica-set election regression test for read-your-write.
-> Remark (2025-10-19, AUTH-DPOP-11-001): Prerequisites reviewed—none outstanding; status moved to DOING for Wave 0 kickoff. Design blueprint recorded in `docs/dev/authority-dpop-mtls-plan.md`.
-> Remark (2025-10-19, AUTH-MTLS-11-002): Prerequisites reviewed—none outstanding; status moved to DOING for Wave 0 kickoff. mTLS flow design captured in `docs/dev/authority-dpop-mtls-plan.md`.
+| AUTH-PLUGIN-COORD-08-002 | DOING (2025-10-19) | Authority Core, Plugin Platform Guild | PLUGIN-DI-08-001 | Coordinate scoped-service adoption for Authority plug-in registrars and background jobs ahead of PLUGIN-DI-08-002 implementation. | ✅ Workshop locked for 2025-10-20 15:00–16:00 UTC; ✅ Pre-read checklist in `docs/dev/authority-plugin-di-coordination.md`; ✅ Follow-up tasks captured in module backlogs before code changes begin. |
+| AUTH-DPOP-11-001 | DOING (2025-10-19) | Authority Core & Security Guild | — | Implement DPoP proof validation + nonce handling for high-value audiences per architecture. | • Proof handler validates method/uri/hash + replay; nonce issuing/consumption implemented for in-memory + Redis stores<br>• Client credential path stamps `cnf.jkt` and persists sender metadata<br>• Remaining: finalize Redis configuration surface (docs/sample config), unskip nonce-challenge regression once HTTP pipeline emits high-value audiences, refresh operator docs |
+> Remark (2025-10-19): DPoP handler now seeds request resources/audiences from client metadata; nonce challenge integration test re-enabled (still requires full suite once Concelier build restored).
+| AUTH-MTLS-11-002 | DOING (2025-10-19) | Authority Core & Security Guild | — | Add OAuth mTLS client credential support with certificate-bound tokens and introspection updates. | • Certificate validator scaffold plus cnf stamping present; tokens persist sender thumbprints<br>• Remaining: provisioning/storage for certificate bindings, SAN/CA validation, introspection propagation, integration tests/docs before marking DONE |
+> Remark (2025-10-19): Client provisioning accepts certificate bindings; validator enforces SAN types/CA allow-list with rotation grace; mtls integration tests updated (full suite still blocked by upstream build).
+> Remark (2025-10-19, AUTHSTORAGE-MONGO-08-001): Prerequisites re-checked (none outstanding). Session accessor wired through Authority pipeline; stores accept optional sessions; added replica-set election regression test for read-your-write.
+> Remark (2025-10-19, AUTH-DPOP-11-001): Handler, nonce store, and persistence hooks merged; Redis-backed configuration + end-to-end nonce enforcement still open. Full solution test blocked by `StellaOps.Concelier.Storage.Mongo` compile errors.
+> Remark (2025-10-19, AUTH-MTLS-11-002): Certificate validator + cnf stamping delivered; binding storage, CA/SAN validation, integration suites outstanding before status can move to DONE.
 
 > Update status columns (TODO / DOING / DONE / BLOCKED) together with code changes. Always run `dotnet test src/StellaOps.Authority.sln` when touching host logic.

src/StellaOps.Cli.Tests/Commands/CommandHandlersTests.cs

@@ -2,6 +2,7 @@ using System;
 using System.Collections.Generic;
 using System.Collections.ObjectModel;
 using System.IO;
+using System.Linq;
 using System.Net.Http;
 using System.Security.Cryptography;
 using System.Text;
@@ -9,6 +10,7 @@ using System.Text.Json;
 using System.Text.Json.Serialization;
 using System.Threading;
 using System.Threading.Tasks;
+using System.Globalization;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.IdentityModel.Tokens;
@@ -21,6 +23,8 @@ using StellaOps.Cli.Services.Models;
 using StellaOps.Cli.Telemetry;
 using StellaOps.Cli.Tests.Testing;
 using StellaOps.Cryptography;
+using Spectre.Console;
+using Spectre.Console.Testing;
 
 namespace StellaOps.Cli.Tests.Commands;
 
@@ -555,6 +559,218 @@ public sealed class CommandHandlersTests
         }
     }
 
+    [Fact]
+    public async Task HandleRuntimePolicyTestAsync_WritesInteractiveTable()
+    {
+        var originalExit = Environment.ExitCode;
+        var originalConsole = AnsiConsole.Console;
+
+        var console = new TestConsole();
+        console.Width(120);
+        console.Interactive();
+        console.EmitAnsiSequences();
+
+        AnsiConsole.Console = console;
+
+        var backend = new StubBackendClient(new JobTriggerResult(true, "ok", null, null));
+
+        var decisions = new Dictionary<string, RuntimePolicyImageDecision>(StringComparer.Ordinal)
+        {
+            ["sha256:aaa"] = new RuntimePolicyImageDecision(
+                "allow",
+                true,
+                true,
+                Array.AsReadOnly(new[] { "trusted baseline" }),
+                new RuntimePolicyRekorReference("uuid-allow", "https://rekor.example/entries/uuid-allow", true),
+                new ReadOnlyDictionary<string, object?>(new Dictionary<string, object?>(StringComparer.Ordinal)
+                {
+                    ["source"] = "baseline",
+                    ["quieted"] = false,
+                    ["confidence"] = 0.97,
+                    ["confidenceBand"] = "high"
+                })),
+            ["sha256:bbb"] = new RuntimePolicyImageDecision(
+                "block",
+                false,
+                false,
+                Array.AsReadOnly(new[] { "missing attestation" }),
+                new RuntimePolicyRekorReference("uuid-block", "https://rekor.example/entries/uuid-block", false),
+                new ReadOnlyDictionary<string, object?>(new Dictionary<string, object?>(StringComparer.Ordinal)
+                {
+                    ["source"] = "policy",
+                    ["quieted"] = false,
+                    ["confidence"] = 0.12,
+                    ["confidenceBand"] = "low"
+                })),
+            ["sha256:ccc"] = new RuntimePolicyImageDecision(
+                "audit",
+                true,
+                false,
+                Array.AsReadOnly(new[] { "pending sbom sync" }),
+                new RuntimePolicyRekorReference(null, null, null),
+                new ReadOnlyDictionary<string, object?>(new Dictionary<string, object?>(StringComparer.Ordinal)
+                {
+                    ["source"] = "mirror",
+                    ["quieted"] = true,
+                    ["quietedBy"] = "allow-temporary",
+                    ["confidence"] = 0.42,
+                    ["confidenceBand"] = "medium"
+                }))
+        };
+
+        backend.RuntimePolicyResult = new RuntimePolicyEvaluationResult(
+            300,
+            DateTimeOffset.Parse("2025-10-19T12:00:00Z", CultureInfo.InvariantCulture),
+            "rev-42",
+            new ReadOnlyDictionary<string, RuntimePolicyImageDecision>(decisions));
+
+        var provider = BuildServiceProvider(backend);
+
+        try
+        {
+            await CommandHandlers.HandleRuntimePolicyTestAsync(
+                provider,
+                namespaceValue: "prod",
+                imageArguments: new[] { "sha256:aaa", "sha256:bbb" },
+                filePath: null,
+                labelArguments: new[] { "app=frontend" },
+                outputJson: false,
+                verbose: false,
+                cancellationToken: CancellationToken.None);
+
+            var output = console.Output;
+
+            Assert.Equal(0, Environment.ExitCode);
+            Assert.Contains("Image", output, StringComparison.Ordinal);
+            Assert.Contains("Verdict", output, StringComparison.Ordinal);
+            Assert.Contains("SBOM Ref", output, StringComparison.Ordinal);
+            Assert.Contains("Quieted", output, StringComparison.Ordinal);
+            Assert.Contains("Confidence", output, StringComparison.Ordinal);
+            Assert.Contains("sha256:aaa", output, StringComparison.Ordinal);
+            Assert.Contains("uuid-allow", output, StringComparison.Ordinal);
+            Assert.Contains("(verified)", output, StringComparison.Ordinal);
+            Assert.Contains("0.97 (high)", output, StringComparison.Ordinal);
+            Assert.Contains("sha256:bbb", output, StringComparison.Ordinal);
+            Assert.Contains("uuid-block", output, StringComparison.Ordinal);
+            Assert.Contains("(unverified)", output, StringComparison.Ordinal);
+            Assert.Contains("sha256:ccc", output, StringComparison.Ordinal);
+            Assert.Contains("yes", output, StringComparison.Ordinal);
+            Assert.Contains("allow-temporary", output, StringComparison.Ordinal);
+            Assert.True(
+                output.IndexOf("sha256:aaa", StringComparison.Ordinal) <
+                output.IndexOf("sha256:ccc", StringComparison.Ordinal));
+        }
+        finally
+        {
+            Environment.ExitCode = originalExit;
+            AnsiConsole.Console = originalConsole;
+        }
+    }
+
+    [Fact]
+    public async Task HandleRuntimePolicyTestAsync_WritesDeterministicJson()
+    {
+        var originalExit = Environment.ExitCode;
+        var originalOut = Console.Out;
+
+        var backend = new StubBackendClient(new JobTriggerResult(true, "ok", null, null));
+
+        var decisions = new Dictionary<string, RuntimePolicyImageDecision>(StringComparer.Ordinal)
+        {
+            ["sha256:json-a"] = new RuntimePolicyImageDecision(
+                "allow",
+                true,
+                true,
+                Array.AsReadOnly(new[] { "baseline allow" }),
+                new RuntimePolicyRekorReference("uuid-json-allow", "https://rekor.example/entries/uuid-json-allow", true),
+                new ReadOnlyDictionary<string, object?>(new Dictionary<string, object?>(StringComparer.Ordinal)
+                {
+                    ["source"] = "baseline",
+                    ["confidence"] = 0.66
+                })),
+            ["sha256:json-b"] = new RuntimePolicyImageDecision(
+                "audit",
+                true,
+                false,
+                Array.AsReadOnly(Array.Empty<string>()),
+                new RuntimePolicyRekorReference(null, null, null),
+                new ReadOnlyDictionary<string, object?>(new Dictionary<string, object?>(StringComparer.Ordinal)
+                {
+                    ["source"] = "mirror",
+                    ["quieted"] = true,
+                    ["quietedBy"] = "risk-accepted"
+                }))
+        };
+
+        backend.RuntimePolicyResult = new RuntimePolicyEvaluationResult(
+            600,
+            DateTimeOffset.Parse("2025-10-20T00:00:00Z", CultureInfo.InvariantCulture),
+            "rev-json-7",
+            new ReadOnlyDictionary<string, RuntimePolicyImageDecision>(decisions));
+
+        var provider = BuildServiceProvider(backend);
+
+        using var writer = new StringWriter();
+        Console.SetOut(writer);
+
+        try
+        {
+            await CommandHandlers.HandleRuntimePolicyTestAsync(
+                provider,
+                namespaceValue: "staging",
+                imageArguments: new[] { "sha256:json-a", "sha256:json-b" },
+                filePath: null,
+                labelArguments: Array.Empty<string>(),
+                outputJson: true,
+                verbose: false,
+                cancellationToken: CancellationToken.None);
+
+            var output = writer.ToString().Trim();
+
+            Assert.Equal(0, Environment.ExitCode);
+            Assert.False(string.IsNullOrWhiteSpace(output));
+
+            using var document = JsonDocument.Parse(output);
+            var root = document.RootElement;
+
+            Assert.Equal(600, root.GetProperty("ttlSeconds").GetInt32());
+            Assert.Equal("rev-json-7", root.GetProperty("policyRevision").GetString());
+            var expiresAt = root.GetProperty("expiresAtUtc").GetString();
+            Assert.NotNull(expiresAt);
+            Assert.Equal(
+                DateTimeOffset.Parse("2025-10-20T00:00:00Z", CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal),
+                DateTimeOffset.Parse(expiresAt!, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal));
+
+            var results = root.GetProperty("results");
+            var keys = results.EnumerateObject().Select(p => p.Name).ToArray();
+            Assert.Equal(new[] { "sha256:json-a", "sha256:json-b" }, keys);
+
+            var first = results.GetProperty("sha256:json-a");
+            Assert.Equal("allow", first.GetProperty("policyVerdict").GetString());
+            Assert.True(first.GetProperty("signed").GetBoolean());
+            Assert.True(first.GetProperty("hasSbomReferrers").GetBoolean());
+            var rekor = first.GetProperty("rekor");
+            Assert.Equal("uuid-json-allow", rekor.GetProperty("uuid").GetString());
+            Assert.True(rekor.GetProperty("verified").GetBoolean());
+            Assert.Equal("baseline", first.GetProperty("source").GetString());
+            Assert.Equal(0.66, first.GetProperty("confidence").GetDouble(), 3);
+
+            var second = results.GetProperty("sha256:json-b");
+            Assert.Equal("audit", second.GetProperty("policyVerdict").GetString());
+            Assert.True(second.GetProperty("signed").GetBoolean());
+            Assert.False(second.GetProperty("hasSbomReferrers").GetBoolean());
+            Assert.Equal("mirror", second.GetProperty("source").GetString());
+            Assert.True(second.GetProperty("quieted").GetBoolean());
+            Assert.Equal("risk-accepted", second.GetProperty("quietedBy").GetString());
+            Assert.False(second.TryGetProperty("rekor", out _));
+        }
+        finally
+        {
+            Console.SetOut(originalOut);
+            Environment.ExitCode = originalExit;
+        }
+    }
+
     private static async Task<RevocationArtifactPaths> WriteRevocationArtifactsAsync(TempDirectory temp, string? providerHint)
     {
         var (bundleBytes, signature, keyPem) = await BuildRevocationArtifactsAsync(providerHint);
@@ -669,6 +885,13 @@ public sealed class CommandHandlersTests
     private sealed class StubBackendClient : IBackendOperationsClient
     {
         private readonly JobTriggerResult _jobResult;
+        private static readonly RuntimePolicyEvaluationResult DefaultRuntimePolicyResult =
+            new RuntimePolicyEvaluationResult(
+                0,
+                null,
+                null,
+                new ReadOnlyDictionary<string, RuntimePolicyImageDecision>(
+                    new Dictionary<string, RuntimePolicyImageDecision>()));
 
         public StubBackendClient(JobTriggerResult result)
         {
@@ -683,6 +906,7 @@ public sealed class CommandHandlersTests
         public List<(string ExportId, string DestinationPath, string? Algorithm, string? Digest)> ExportDownloads { get; } = new();
         public ExcititorOperationResult? ExcititorResult { get; set; } = new ExcititorOperationResult(true, "ok", null, null);
         public IReadOnlyList<ExcititorProviderSummary> ProviderSummaries { get; set; } = Array.Empty<ExcititorProviderSummary>();
+        public RuntimePolicyEvaluationResult RuntimePolicyResult { get; set; } = DefaultRuntimePolicyResult;
 
         public Task<ScannerArtifactResult> DownloadScannerAsync(string channel, string outputPath, bool overwrite, bool verbose, CancellationToken cancellationToken)
             => throw new NotImplementedException();
@@ -726,10 +950,7 @@ public sealed class CommandHandlersTests
             => Task.FromResult(ProviderSummaries);
 
         public Task<RuntimePolicyEvaluationResult> EvaluateRuntimePolicyAsync(RuntimePolicyEvaluationRequest request, CancellationToken cancellationToken)
-        {
-            var empty = new ReadOnlyDictionary<string, RuntimePolicyImageDecision>(new Dictionary<string, RuntimePolicyImageDecision>());
-            return Task.FromResult(new RuntimePolicyEvaluationResult(0, null, null, empty));
-        }
+            => Task.FromResult(RuntimePolicyResult);
     }
 
     private sealed class StubExecutor : IScannerExecutor

src/StellaOps.Cli.Tests/Services/BackendOperationsClientTests.cs

@@ -403,18 +403,19 @@ public sealed class BackendOperationsClientTests
     ""ghcr.io/app@sha256:abc"": {
       ""policyVerdict"": ""pass"",
       ""signed"": true,
-      ""hasSbom"": true,
+      ""hasSbomReferrers"": true,
       ""reasons"": [],
-      ""rekor"": { ""uuid"": ""uuid-1"", ""url"": ""https://rekor.example/uuid-1"" },
+      ""rekor"": { ""uuid"": ""uuid-1"", ""url"": ""https://rekor.example/uuid-1"", ""verified"": true },
       ""confidence"": 0.87,
-      ""quiet"": false,
+      ""quieted"": false,
       ""metadata"": { ""note"": ""cached"" }
     },
     ""ghcr.io/api@sha256:def"": {
       ""policyVerdict"": ""fail"",
       ""signed"": false,
-      ""hasSbom"": false,
-      ""reasons"": [""unsigned"", ""missing sbom""]
+      ""hasSbomReferrers"": false,
+      ""reasons"": [""unsigned"", ""missing sbom""],
+      ""quietedBy"": ""manual-override""
     }
   }
 }";
@@ -458,13 +459,14 @@ public sealed class BackendOperationsClientTests
         var primary = result.Decisions["ghcr.io/app@sha256:abc"];
         Assert.Equal("pass", primary.PolicyVerdict);
         Assert.True(primary.Signed);
-        Assert.True(primary.HasSbom);
+        Assert.True(primary.HasSbomReferrers);
         Assert.Empty(primary.Reasons);
         Assert.NotNull(primary.Rekor);
         Assert.Equal("uuid-1", primary.Rekor!.Uuid);
         Assert.Equal("https://rekor.example/uuid-1", primary.Rekor.Url);
+        Assert.True(primary.Rekor.Verified);
         Assert.Equal(0.87, Assert.IsType<double>(primary.AdditionalProperties["confidence"]), 3);
-        Assert.False(Assert.IsType<bool>(primary.AdditionalProperties["quiet"]));
+        Assert.False(Assert.IsType<bool>(primary.AdditionalProperties["quieted"]));
         var metadataJson = Assert.IsType<string>(primary.AdditionalProperties["metadata"]);
         using var metadataDocument = JsonDocument.Parse(metadataJson);
         Assert.Equal("cached", metadataDocument.RootElement.GetProperty("note").GetString());
@@ -472,10 +474,11 @@ public sealed class BackendOperationsClientTests
         var secondary = result.Decisions["ghcr.io/api@sha256:def"];
         Assert.Equal("fail", secondary.PolicyVerdict);
         Assert.False(secondary.Signed);
-        Assert.False(secondary.HasSbom);
+        Assert.False(secondary.HasSbomReferrers);
         Assert.Collection(secondary.Reasons,
             item => Assert.Equal("unsigned", item),
             item => Assert.Equal("missing sbom", item));
+        Assert.Equal("manual-override", Assert.IsType<string>(secondary.AdditionalProperties["quietedBy"]));
     }
 
     private sealed class StubTokenClient : IStellaOpsTokenClient

src/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj

@@ -21,6 +21,7 @@
   </ItemGroup>
 
   <ItemGroup>
+    <PackageReference Include="Spectre.Console.Testing" Version="0.48.0" />
     <ProjectReference Include="..\StellaOps.Cli\StellaOps.Cli.csproj" />
     <ProjectReference Include="..\StellaOps.Configuration\StellaOps.Configuration.csproj" />
   </ItemGroup>

src/StellaOps.Cli/Commands/CommandFactory.cs

@@ -358,6 +358,48 @@ internal static class CommandFactory
             return CommandHandlers.HandleExcititorExportAsync(services, format, delta, scope, since, provider, output, verbose, cancellationToken);
         });
 
+        var backfill = new Command("backfill-statements", "Replay historical raw documents into Excititor statements.");
+        var backfillRetrievedSinceOption = new Option<DateTimeOffset?>("--retrieved-since")
+        {
+            Description = "Only process raw documents retrieved on or after the provided ISO-8601 timestamp."
+        };
+        var backfillForceOption = new Option<bool>("--force")
+        {
+            Description = "Reprocess documents even if statements already exist."
+        };
+        var backfillBatchSizeOption = new Option<int>("--batch-size")
+        {
+            Description = "Number of raw documents to fetch per batch (default 100)."
+        };
+        var backfillMaxDocumentsOption = new Option<int?>("--max-documents")
+        {
+            Description = "Optional maximum number of raw documents to process."
+        };
+        backfill.Add(backfillRetrievedSinceOption);
+        backfill.Add(backfillForceOption);
+        backfill.Add(backfillBatchSizeOption);
+        backfill.Add(backfillMaxDocumentsOption);
+        backfill.SetAction((parseResult, _) =>
+        {
+            var retrievedSince = parseResult.GetValue(backfillRetrievedSinceOption);
+            var force = parseResult.GetValue(backfillForceOption);
+            var batchSize = parseResult.GetValue(backfillBatchSizeOption);
+            if (batchSize <= 0)
+            {
+                batchSize = 100;
+            }
+            var maxDocuments = parseResult.GetValue(backfillMaxDocumentsOption);
+            var verbose = parseResult.GetValue(verboseOption);
+            return CommandHandlers.HandleExcititorBackfillStatementsAsync(
+                services,
+                retrievedSince,
+                force,
+                batchSize,
+                maxDocuments,
+                verbose,
+                cancellationToken);
+        });
+
         var verify = new Command("verify", "Verify Excititor exports or attestations.");
         var exportIdOption = new Option<string?>("--export-id")
         {
@@ -408,6 +450,7 @@ internal static class CommandFactory
         excititor.Add(resume);
         excititor.Add(list);
         excititor.Add(export);
+        excititor.Add(backfill);
         excititor.Add(verify);
         excititor.Add(reconcile);
         return excititor;

src/StellaOps.Cli/Commands/CommandHandlers.cs

@@ -723,6 +723,62 @@ internal static class CommandHandlers
         }
     }
 
+    public static Task HandleExcititorBackfillStatementsAsync(
+        IServiceProvider services,
+        DateTimeOffset? retrievedSince,
+        bool force,
+        int batchSize,
+        int? maxDocuments,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        if (batchSize <= 0)
+        {
+            throw new ArgumentOutOfRangeException(nameof(batchSize), "Batch size must be greater than zero.");
+        }
+
+        if (maxDocuments.HasValue && maxDocuments.Value <= 0)
+        {
+            throw new ArgumentOutOfRangeException(nameof(maxDocuments), "Max documents must be greater than zero when specified.");
+        }
+
+        var payload = new Dictionary<string, object?>(StringComparer.Ordinal)
+        {
+            ["force"] = force,
+            ["batchSize"] = batchSize,
+            ["maxDocuments"] = maxDocuments
+        };
+
+        if (retrievedSince.HasValue)
+        {
+            payload["retrievedSince"] = retrievedSince.Value.ToUniversalTime().ToString("O", CultureInfo.InvariantCulture);
+        }
+
+        var activityTags = new Dictionary<string, object?>(StringComparer.Ordinal)
+        {
+            ["stellaops.cli.force"] = force,
+            ["stellaops.cli.batch_size"] = batchSize,
+            ["stellaops.cli.max_documents"] = maxDocuments
+        };
+
+        if (retrievedSince.HasValue)
+        {
+            activityTags["stellaops.cli.retrieved_since"] = retrievedSince.Value.ToUniversalTime().ToString("O", CultureInfo.InvariantCulture);
+        }
+
+        return ExecuteExcititorCommandAsync(
+            services,
+            commandName: "excititor backfill-statements",
+            verbose,
+            activityTags,
+            client => client.ExecuteExcititorOperationAsync(
+                "admin/backfill-statements",
+                HttpMethod.Post,
+                RemoveNullValues(payload),
+                cancellationToken),
+            cancellationToken);
+    }
+
     public static Task HandleExcititorVerifyAsync(
         IServiceProvider services,
         string? exportId,
@@ -2208,7 +2264,7 @@ internal static class CommandHandlers
         {
             ["policyVerdict"] = decision.PolicyVerdict,
             ["signed"] = decision.Signed,
-            ["hasSbom"] = decision.HasSbom
+            ["hasSbomReferrers"] = decision.HasSbomReferrers
         };
 
         if (decision.Reasons.Count > 0)
@@ -2218,11 +2274,26 @@ internal static class CommandHandlers
 
         if (decision.Rekor is not null)
         {
-            map["rekor"] = new Dictionary<string, object?>(StringComparer.Ordinal)
+            var rekorMap = new Dictionary<string, object?>(StringComparer.Ordinal);
+            if (!string.IsNullOrWhiteSpace(decision.Rekor.Uuid))
             {
-                ["uuid"] = decision.Rekor.Uuid,
-                ["url"] = decision.Rekor.Url
-            };
+                rekorMap["uuid"] = decision.Rekor.Uuid;
+            }
+
+            if (!string.IsNullOrWhiteSpace(decision.Rekor.Url))
+            {
+                rekorMap["url"] = decision.Rekor.Url;
+            }
+
+            if (decision.Rekor.Verified.HasValue)
+            {
+                rekorMap["verified"] = decision.Rekor.Verified;
+            }
+
+            if (rekorMap.Count > 0)
+            {
+                map["rekor"] = rekorMap;
+            }
         }
 
         foreach (var kvp in decision.AdditionalProperties)
@@ -2240,7 +2311,8 @@ internal static class CommandHandlers
 
         if (AnsiConsole.Profile.Capabilities.Interactive)
         {
-            var table = new Table().Border(TableBorder.Rounded).AddColumns("Image", "Verdict", "Signed", "SBOM", "Reasons", "Attestation");
+            var table = new Table().Border(TableBorder.Rounded)
+                .AddColumns("Image", "Verdict", "Signed", "SBOM Ref", "Quieted", "Confidence", "Reasons", "Attestation");
 
             foreach (var image in orderedImages)
             {
@@ -2250,9 +2322,11 @@ internal static class CommandHandlers
                         image,
                         decision.PolicyVerdict,
                         FormatBoolean(decision.Signed),
-                        FormatBoolean(decision.HasSbom),
+                        FormatBoolean(decision.HasSbomReferrers),
+                        FormatQuietedDisplay(decision.AdditionalProperties),
+                        FormatConfidenceDisplay(decision.AdditionalProperties),
                         decision.Reasons.Count > 0 ? string.Join(Environment.NewLine, decision.Reasons) : "-",
-                        string.IsNullOrWhiteSpace(decision.Rekor?.Uuid) ? "-" : decision.Rekor!.Uuid!);
+                        FormatAttestation(decision.Rekor));
 
                     summary[decision.PolicyVerdict] = summary.TryGetValue(decision.PolicyVerdict, out var count) ? count + 1 : 1;
 
@@ -2264,7 +2338,7 @@ internal static class CommandHandlers
                 }
                 else
                 {
-                    table.AddRow(image, "<missing>", "-", "-", "-", "-");
+                    table.AddRow(image, "<missing>", "-", "-", "-", "-", "-", "-");
                 }
             }
 
@@ -2278,12 +2352,14 @@ internal static class CommandHandlers
                 {
                     var reasons = decision.Reasons.Count > 0 ? string.Join(", ", decision.Reasons) : "none";
                     logger.LogInformation(
-                        "{Image} -> verdict={Verdict} signed={Signed} sbom={Sbom} attestation={Attestation} reasons={Reasons}",
+                        "{Image} -> verdict={Verdict} signed={Signed} sbomRef={Sbom} quieted={Quieted} confidence={Confidence} attestation={Attestation} reasons={Reasons}",
                         image,
                         decision.PolicyVerdict,
                         FormatBoolean(decision.Signed),
-                        FormatBoolean(decision.HasSbom),
-                        string.IsNullOrWhiteSpace(decision.Rekor?.Uuid) ? "-" : decision.Rekor!.Uuid!,
+                        FormatBoolean(decision.HasSbomReferrers),
+                        FormatQuietedDisplay(decision.AdditionalProperties),
+                        FormatConfidenceDisplay(decision.AdditionalProperties),
+                        FormatAttestation(decision.Rekor),
                         reasons);
 
                     summary[decision.PolicyVerdict] = summary.TryGetValue(decision.PolicyVerdict, out var count) ? count + 1 : 1;
@@ -2346,6 +2422,144 @@ internal static class CommandHandlers
     private static string FormatBoolean(bool? value)
         => value is null ? "unknown" : value.Value ? "yes" : "no";
 
+    private static string FormatQuietedDisplay(IReadOnlyDictionary<string, object?> metadata)
+    {
+        var quieted = GetMetadataBoolean(metadata, "quieted", "quiet");
+        var quietedBy = GetMetadataString(metadata, "quietedBy", "quietedReason");
+
+        if (quieted is true)
+        {
+            return string.IsNullOrWhiteSpace(quietedBy) ? "yes" : $"yes ({quietedBy})";
+        }
+
+        if (quieted is false)
+        {
+            return "no";
+        }
+
+        return string.IsNullOrWhiteSpace(quietedBy) ? "-" : $"? ({quietedBy})";
+    }
+
+    private static string FormatConfidenceDisplay(IReadOnlyDictionary<string, object?> metadata)
+    {
+        var confidence = GetMetadataDouble(metadata, "confidence");
+        var confidenceBand = GetMetadataString(metadata, "confidenceBand", "confidenceTier");
+
+        if (confidence.HasValue && !string.IsNullOrWhiteSpace(confidenceBand))
+        {
+            return string.Format(CultureInfo.InvariantCulture, "{0:0.###} ({1})", confidence.Value, confidenceBand);
+        }
+
+        if (confidence.HasValue)
+        {
+            return confidence.Value.ToString("0.###", CultureInfo.InvariantCulture);
+        }
+
+        if (!string.IsNullOrWhiteSpace(confidenceBand))
+        {
+            return confidenceBand!;
+        }
+
+        return "-";
+    }
+
+    private static string FormatAttestation(RuntimePolicyRekorReference? rekor)
+    {
+        if (rekor is null)
+        {
+            return "-";
+        }
+
+        var uuid = string.IsNullOrWhiteSpace(rekor.Uuid) ? null : rekor.Uuid;
+        var url = string.IsNullOrWhiteSpace(rekor.Url) ? null : rekor.Url;
+        var verified = rekor.Verified;
+
+        var core = uuid ?? url;
+        if (!string.IsNullOrEmpty(core))
+        {
+            if (verified.HasValue)
+            {
+                var suffix = verified.Value ? " (verified)" : " (unverified)";
+                return core + suffix;
+            }
+
+            return core!;
+        }
+
+        if (verified.HasValue)
+        {
+            return verified.Value ? "verified" : "unverified";
+        }
+
+        return "-";
+    }
+
+    private static bool? GetMetadataBoolean(IReadOnlyDictionary<string, object?> metadata, params string[] keys)
+    {
+        foreach (var key in keys)
+        {
+            if (metadata.TryGetValue(key, out var value) && value is not null)
+            {
+                switch (value)
+                {
+                    case bool b:
+                        return b;
+                    case string s when bool.TryParse(s, out var parsed):
+                        return parsed;
+                }
+            }
+        }
+
+        return null;
+    }
+
+    private static string? GetMetadataString(IReadOnlyDictionary<string, object?> metadata, params string[] keys)
+    {
+        foreach (var key in keys)
+        {
+            if (metadata.TryGetValue(key, out var value) && value is not null)
+            {
+                if (value is string s)
+                {
+                    return string.IsNullOrWhiteSpace(s) ? null : s;
+                }
+            }
+        }
+
+        return null;
+    }
+
+    private static double? GetMetadataDouble(IReadOnlyDictionary<string, object?> metadata, params string[] keys)
+    {
+        foreach (var key in keys)
+        {
+            if (metadata.TryGetValue(key, out var value) && value is not null)
+            {
+                switch (value)
+                {
+                    case double d:
+                        return d;
+                    case float f:
+                        return f;
+                    case decimal m:
+                        return (double)m;
+                    case long l:
+                        return l;
+                    case int i:
+                        return i;
+                    case string s when double.TryParse(s, NumberStyles.Float | NumberStyles.AllowThousands, CultureInfo.InvariantCulture, out var parsed):
+                        return parsed;
+                }
+            }
+        }
+
+        return null;
+    }
+
+    private static readonly IReadOnlyDictionary<string, string> EmptyLabelSelectors =
+        new ReadOnlyDictionary<string, string>(new Dictionary<string, string>(0, StringComparer.OrdinalIgnoreCase));
+
+
     private static string FormatAdditionalValue(object? value)
     {
         return value switch
@@ -2359,8 +2573,6 @@ internal static class CommandHandlers
         };
     }
 
-    private static readonly IReadOnlyDictionary<string, string> EmptyLabelSelectors =
-        new ReadOnlyDictionary<string, string>(new Dictionary<string, string>(0, StringComparer.OrdinalIgnoreCase));
 
     private static IReadOnlyList<string> NormalizeProviders(IReadOnlyList<string> providers)
     {

src/StellaOps.Cli/Services/BackendOperationsClient.cs

@@ -443,19 +443,24 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
                 var reasons = ExtractReasons(decision.Reasons);
                 var metadata = ExtractExtensionMetadata(decision.ExtensionData);
 
+                var hasSbom = decision.HasSbomReferrers ?? decision.HasSbomLegacy;
+
                 RuntimePolicyRekorReference? rekor = null;
                 if (decision.Rekor is not null &&
-                    (!string.IsNullOrWhiteSpace(decision.Rekor.Uuid) || !string.IsNullOrWhiteSpace(decision.Rekor.Url)))
+                    (!string.IsNullOrWhiteSpace(decision.Rekor.Uuid) ||
+                     !string.IsNullOrWhiteSpace(decision.Rekor.Url) ||
+                     decision.Rekor.Verified.HasValue))
                 {
                     rekor = new RuntimePolicyRekorReference(
                         NormalizeOptionalString(decision.Rekor.Uuid),
-                        NormalizeOptionalString(decision.Rekor.Url));
+                        NormalizeOptionalString(decision.Rekor.Url),
+                        decision.Rekor.Verified);
                 }
 
                 decisions[image] = new RuntimePolicyImageDecision(
                     verdict,
                     decision.Signed,
-                    decision.HasSbom,
+                    hasSbom,
                     reasons,
                     rekor,
                     metadata);

src/StellaOps.Cli/Services/Models/RuntimePolicyEvaluationModels.cs

@@ -17,9 +17,9 @@ internal sealed record RuntimePolicyEvaluationResult(
 internal sealed record RuntimePolicyImageDecision(
     string PolicyVerdict,
     bool? Signed,
-    bool? HasSbom,
+    bool? HasSbomReferrers,
     IReadOnlyList<string> Reasons,
     RuntimePolicyRekorReference? Rekor,
     IReadOnlyDictionary<string, object?> AdditionalProperties);
 
-internal sealed record RuntimePolicyRekorReference(string? Uuid, string? Url);
+internal sealed record RuntimePolicyRekorReference(string? Uuid, string? Url, bool? Verified);

src/StellaOps.Cli/Services/Models/Transport/RuntimePolicyEvaluationTransport.cs

@@ -42,8 +42,12 @@ internal sealed class RuntimePolicyEvaluationImageDocument
     [JsonPropertyName("signed")]
     public bool? Signed { get; set; }
 
+    [JsonPropertyName("hasSbomReferrers")]
+    public bool? HasSbomReferrers { get; set; }
+
+    // Legacy field kept for pre-contract-sync services.
     [JsonPropertyName("hasSbom")]
-    public bool? HasSbom { get; set; }
+    public bool? HasSbomLegacy { get; set; }
 
     [JsonPropertyName("reasons")]
     public List<string>? Reasons { get; set; }
@@ -62,4 +66,7 @@ internal sealed class RuntimePolicyRekorDocument
 
     [JsonPropertyName("url")]
     public string? Url { get; set; }
+
+    [JsonPropertyName("verified")]
+    public bool? Verified { get; set; }
 }

src/StellaOps.Cli/TASKS.md

@@ -20,5 +20,5 @@ If you are working on this file you need to read docs/ARCHITECTURE_EXCITITOR.md
 |CLI-RUNTIME-13-005 – Runtime policy test verbs|DevEx/CLI|SCANNER-RUNTIME-12-302, ZASTAVA-WEBHOOK-12-102|**DONE (2025-10-19)** – Added `runtime policy test` command (stdin/file support, JSON output), backend client method + typed models, verdict table output, docs/tests updated (`dotnet test src/StellaOps.Cli.Tests`).|
 |CLI-OFFLINE-13-006 – Offline kit workflows|DevEx/CLI|DEVOPS-OFFLINE-14-002|TODO – Implement `offline kit pull/import/status` commands with integrity checks, resumable downloads, and doc updates.|
 |CLI-PLUGIN-13-007 – Plugin packaging|DevEx/CLI|CLI-RUNTIME-13-005, CLI-OFFLINE-13-006|TODO – Package non-core verbs as restart-time plug-ins (manifest + loader updates, tests ensuring no hot reload).|
-|CLI-RUNTIME-13-008 – Runtime policy contract sync|DevEx/CLI, Scanner WebService Guild|SCANNER-RUNTIME-12-302|TODO – Once `/api/v1/scanner/policy/runtime` exits TODO, verify CLI output against final schema (field names, metadata) and update formatter/tests if the contract moves. Capture joint review notes in docs/09 and link Scanner task sign-off.|
-|CLI-RUNTIME-13-009 – Runtime policy smoke fixture|DevEx/CLI, QA Guild|CLI-RUNTIME-13-005|TODO – Build Spectre test harness exercising `runtime policy test` against a stubbed backend to lock output shape (table + `--json`) and guard regressions. Integrate into `dotnet test` suite.|
+|CLI-RUNTIME-13-008 – Runtime policy contract sync|DevEx/CLI, Scanner WebService Guild|SCANNER-RUNTIME-12-302|**DONE (2025-10-19)** – CLI runtime table/JSON now align with SCANNER-RUNTIME-12-302 (SBOM referrers, quieted provenance, confidence, verified Rekor); docs/09 updated with joint sign-off note.|
+|CLI-RUNTIME-13-009 – Runtime policy smoke fixture|DevEx/CLI, QA Guild|CLI-RUNTIME-13-005|**DONE (2025-10-19)** – Spectre console harness + regression tests cover table and `--json` output paths for `runtime policy test`, using stubbed backend and integrated into `dotnet test` suite.|

src/StellaOps.Concelier.Connector.Cccs/TASKS.md

@@ -9,3 +9,4 @@
 |FEEDCONN-CCCS-02-006 Observability & documentation|DevEx|Docs|**DONE (2025-10-15)** – Added `CccsDiagnostics` meter (fetch/parse/map counters), enriched connector logs with document counts, and published `docs/ops/concelier-cccs-operations.md` covering config, telemetry, and sanitiser guidance.|
 |FEEDCONN-CCCS-02-007 Historical advisory harvesting plan|BE-Conn-CCCS|Research|**DONE (2025-10-15)** – Measured `/api/cccs/threats/v1/get` inventory (~5.1k rows/lang; earliest 2018-06-08), documented backfill workflow + language split strategy, and linked the runbook for Offline Kit execution.|
 |FEEDCONN-CCCS-02-008 Raw DOM parsing refinement|BE-Conn-CCCS|Source.Common|**DONE (2025-10-15)** – Parser now walks unsanitised DOM (heading + nested list coverage), sanitizer keeps `<h#>`/`section` nodes, and regression fixtures/tests assert EN/FR list handling + preserved HTML structure.|
+|FEEDCONN-CCCS-02-009 Normalized versions rollout (Oct 2025)|BE-Conn-CCCS|Merge coordination (`FEEDMERGE-COORD-02-900`)|**TODO (due 2025-10-21)** – Implement trailing-version split helper per Merge guidance (see `../Merge/RANGE_PRIMITIVES_COORDINATION.md` “Helper snippets”) to emit `NormalizedVersions` via `SemVerRangeRuleBuilder`; refresh mapper tests/fixtures to assert provenance notes (`cccs:{serial}:{index}`) and confirm merge counters drop.|

src/StellaOps.Concelier.Connector.CertBund/TASKS.md

@@ -10,3 +10,4 @@
 |FEEDCONN-CERTBUND-02-007 Feed history & locale assessment|BE-Conn-CERTBUND|Research|**DONE (2025-10-15)** – Measured RSS retention (~6 days/≈250 items), captured connector-driven backfill guidance in the runbook, and aligned locale guidance (preserve `language=de`, Docs glossary follow-up). **Next:** coordinate with Tools to land the state-seeding helper so scripted backfills replace manual Mongo tweaks.|
 |FEEDCONN-CERTBUND-02-008 Session bootstrap & cookie strategy|BE-Conn-CERTBUND|Source.Common|**DONE (2025-10-14)** – Feed client primes the portal session (cookie container via `SocketsHttpHandler`), shares cookies across detail requests, and documents bootstrap behaviour in options (`PortalBootstrapUri`).|
 |FEEDCONN-CERTBUND-02-009 Offline Kit export packaging|BE-Conn-CERTBUND, Docs|Offline Kit|**DONE (2025-10-17)** – Added `tools/certbund_offline_snapshot.py` to capture search/export JSON, emit deterministic manifests + SHA files, and refreshed docs (`docs/ops/concelier-certbund-operations.md`, `docs/24_OFFLINE_KIT.md`) with offline-kit instructions and manifest layout guidance. Seed data README/ignore rules cover local snapshot hygiene.|
+|FEEDCONN-CERTBUND-02-010 Normalized range translator|BE-Conn-CERTBUND|Merge coordination (`FEEDMERGE-COORD-02-900`)|**TODO (due 2025-10-22)** – Translate `product.Versions` phrases (e.g., `2023.1 bis 2024.2`, `alle`) into comparator strings for `SemVerRangeRuleBuilder`, emit `NormalizedVersions` with `certbund:{advisoryId}:{vendor}` provenance, and extend tests/README with localisation notes.|

src/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md

@@ -12,3 +12,4 @@
 |FEEDCONN-ICSCISA-02-009 GovDelivery credential onboarding|Ops, BE-Conn-ICS-CISA|Ops|**DONE (2025-10-14)** – GovDelivery onboarding runbook captured in `docs/ops/concelier-icscisa-operations.md`; secret vault path and Offline Kit handling documented.|
 |FEEDCONN-ICSCISA-02-010 Mitigation & SemVer polish|BE-Conn-ICS-CISA|02-003, 02-004|**DONE (2025-10-16)** – Attachment + mitigation references now land as expected and SemVer primitives carry exact values; end-to-end suite green (see `HANDOVER.md`).|
 |FEEDCONN-ICSCISA-02-011 Docs & telemetry refresh|DevEx|02-006|**DONE (2025-10-16)** – Ops documentation refreshed (attachments, SemVer validation, proxy knobs) and telemetry notes verified.|
+|FEEDCONN-ICSCISA-02-012 Normalized version decision|BE-Conn-ICS-CISA|Merge coordination (`FEEDMERGE-COORD-02-900`)|**TODO (due 2025-10-23)** – Promote existing `SemVerPrimitive` exact values into `NormalizedVersions` via `.ToNormalizedVersionRule("ics-cisa:{advisoryId}:{product}")`, add regression coverage, and open Models ticket if non-SemVer firmware requires a new scheme.|

src/StellaOps.Concelier.Connector.Kisa/TASKS.md

@@ -8,3 +8,4 @@
 |FEEDCONN-KISA-02-005 Deterministic fixtures & tests|QA|Testing|**DONE (2025-10-14)** – Added `StellaOps.Concelier.Connector.Kisa.Tests` with Korean fixtures and fetch→parse→map regression; fixtures regenerate via `UPDATE_KISA_FIXTURES=1`.|
 |FEEDCONN-KISA-02-006 Telemetry & documentation|DevEx|Docs|**DONE (2025-10-14)** – Added diagnostics-backed telemetry, structured logs, regression coverage, and published localisation notes in `docs/dev/kisa_connector_notes.md` + fixture guidance for Docs/QA.|
 |FEEDCONN-KISA-02-007 RSS contract & localisation brief|BE-Conn-KISA|Research|**DONE (2025-10-11)** – Documented RSS URLs, confirmed UTF-8 payload (no additional cookies required), and drafted localisation plan (Hangul glossary + optional MT plugin). Remaining open item: capture SPA detail API contract for full-text translations.|
+|FEEDCONN-KISA-02-008 Firmware scheme proposal|BE-Conn-KISA, Models|Merge coordination (`FEEDMERGE-COORD-02-900`)|**TODO (due 2025-10-24)** – Define transformation for Hangul-labelled firmware ranges (`XFU 1.0.1.0084 ~ 2.0.1.0034`), propose `kisa.build` (or equivalent) scheme to Models, implement normalized rule emission/tests once scheme approved, and update localisation notes.|