feat(graph): introduce graph.inspect.v1 contract and schema for SBOM relationships

- Added graph.inspect.v1 documentation outlining payload structure and determinism rules.
- Created JSON schema for graph.inspect.v1 to enforce payload validation.
- Defined mapping rules for graph relationships, advisories, and VEX statements.

feat(notifications): establish remediation blueprint for gaps NR1-NR10

- Documented requirements, evidence, and tests for Notifier runtime.
- Specified deliverables and next steps for addressing identified gaps.

docs(notifications): organize operations and schemas documentation

- Created README files for operations, schemas, and security notes to clarify deliverables and policies.

feat(advisory): implement PostgreSQL caching for Link-Not-Merge linksets

- Created database schema for advisory linkset cache.
- Developed repository for managing advisory linkset cache operations.
- Added tests to ensure correct functionality of the AdvisoryLinksetCacheRepository.
StellaOps Bot
2025-12-04 09:36:59 +02:00
parent 4dc7cf834a
commit 600f3a7a3c
37 changed files with 1326 additions and 272 deletions


@@ -43,11 +43,12 @@
| 13 | CONCELIER-WEB-OAS-63-001 | BLOCKED | Depends on 62-001 | WebService · API Governance | Emit deprecation headers/notifications steering clients to LNM APIs. |
| 14 | CONCELIER-WEB-OBS-51-001 | DONE (2025-11-23) | Schema 046_TLTY0101 published 2025-11-23 | WebService Guild | `/obs/concelier/health` for ingest health/queue/SLO status. |
| 15 | CONCELIER-WEB-OBS-52-001 | DONE (2025-11-24) | Depends on 51-001 | WebService Guild | SSE `/obs/concelier/timeline` with paging tokens, audit logging. |
| 16 | CONCELIER-AIAI-31-002 | BLOCKED (2025-12-04) | No linkset store/cache backend exists; choose Mongo vs Postgres target and add cache collection/index + read-through wiring. | Concelier Core · Concelier WebService Guilds | Implement Link-Not-Merge linkset cache per `docs/modules/concelier/operations/lnm-cache-plan.md`, expose read-through on `/v1/lnm/linksets`, add metrics `lnm.cache.*`, and cover with deterministic tests. |
| 16 | CONCELIER-AIAI-31-002 | DOING (2025-12-04) | Postgres linkset cache backend added; next wire WebService read-through + telemetry `lnm.cache.*`. | Concelier Core · Concelier WebService Guilds | Implement Link-Not-Merge linkset cache per `docs/modules/concelier/operations/lnm-cache-plan.md`, expose read-through on `/v1/lnm/linksets`, add metrics `lnm.cache.*`, and cover with deterministic tests. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Implemented Postgres LNM linkset cache backend (`AdvisoryLinksetCacheRepository` + migration 002); added integration tests. Task CONCELIER-AIAI-31-002 moves to DOING; pending WebService read-through wiring and telemetry. | Implementer |
| 2025-12-04 | Added CONCELIER-AIAI-31-002 to Delivery Tracker and marked BLOCKED; cache plan exists but no linkset store/cache backend (Mongo/Postgres) is registered, so Link-Not-Merge cache cannot be implemented yet. | Project Mgmt |
| 2025-12-03 | Added Wave Coordination (A observability done; B AirGap blocked; C AOC regression blocked on validator; D OAS alignment blocked). No status changes. | Project Mgmt |
| 2025-11-25 | AOC validator (WEB-AOC-19-002) missing; blocked chain noted. | Implementer |
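Review bot: The tracker row for CONCELIER-AIAI-31-002 moves from BLOCKED to DOING on the strength of "Postgres linkset cache backend added", but neither that row nor the new 2025-12-04 log entry records where the Mongo vs Postgres choice named in the earlier BLOCKED entry was decided. Add a one-line decision reference (or a Decisions & Risks bullet) so the unblock is auditable, and name the migration file rather than "migration 002" alone.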
@@ -60,7 +61,7 @@
- AirGap tasks blocked until sealed-mode + staleness metadata defined; do not expose bundles without provenance.
- AOC regression chain blocked pending validator (WEB-AOC-19-002); large-batch tests must wait.
- OAS envelope change (WEB-OAS-61-002) is a prereq for examples/deprecation; avoid duplicating client envelopes until unified.
- Linkset cache (CONCELIER-AIAI-31-002) cannot proceed until a concrete store exists (Mongo vs Postgres) and cache collection/index contract is picked; current services register only `NullLinksetLookup`, so `/v1/lnm/linksets` lacks cache backing.
- Linkset cache (CONCELIER-AIAI-31-002): Postgres backend + migration shipped; remaining risk is wiring WebService to use it (DI + read-through) and adding `lnm.cache.*` metrics to avoid cache skew.
## Next Checkpoints
- None scheduled; add when validator and AirGap prerequisites land.
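Review bot: The rewritten Linkset cache bullet names "cache skew" as the remaining risk, yet "Next Checkpoints" directly below still reads "None scheduled", so the DI and read-through wiring has no date or owner. Add a checkpoint for the WebService wiring and the `lnm.cache.*` metrics, and state what those metrics must show for the skew risk to be considered closed.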


@@ -39,6 +39,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Published `graph.inspect.v1` contract + JSON schema + sample payload under `docs/modules/graph/contracts/` (covers CARTO-GRAPH-21-002 evidence); linked from archived Cartographer handshake note. No wave status change. | Project Mgmt |
| 2025-12-02 | System cosign v3.0.2 installed at `/usr/local/bin/cosign` (requires `--bundle`); repo fallback v2.6.0 kept at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). Added `tools/cosign/cosign.key.example`, helper script `tools/cosign/sign-signals.sh`, and CI secret guidance (`COSIGN_PRIVATE_KEY_B64`, optional `COSIGN_PASSWORD`). COSIGN-INSTALL-140 set to DONE. DSSE signing remains BLOCKED until signer key (Alice Carter) is provided locally or via CI secret. | Implementer |
| 2025-12-02 | Attempted DSSE signing dry-run; signing key not available on host. Marked tasks 57 BLOCKED pending delivery of signer private key per Signals Guild (supply via `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key`). | Implementer |
| 2025-12-02 | Refreshed Decisions & Risks after signer assignment; DSSE signing fixed for 2025-12-05 and decay/unknowns/heuristics remain BLOCKED pending `cosign` availability in offline kit. | Project Mgmt |
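Review bot: The new 2025-12-04 row points only at the directory `docs/modules/graph/contracts/`, while the cosign rows beneath it pin their artefact with a sha256. List the contract, schema and sample file names in the row, and record their hashes if these files are meant to serve as CARTO-GRAPH-21-002 evidence.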
@@ -79,6 +80,7 @@
## Decisions & Risks
- Graph/Zastava remain on scanner surface mock bundle v1; real cache ETA and manifests are overdue, parity validation cannot start.
- Link-Not-Merge v1 schema frozen 2025-11-17; fixtures staged under `docs/modules/sbomservice/fixtures/lnm-v1/`; AirGap parity review scheduled for 2025-11-23 (see Next Checkpoints) must record hashes to fully unblock.
- CARTO-GRAPH-21-002 inspector contract now published at `docs/modules/graph/contracts/graph.inspect.v1.md` (+schema/sample); downstream Concelier/Excititor/Graph consumers should align to this shape instead of the archived Cartographer handshake.
- SBOM runtime/signals prep note published at `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md`; AirGap review runbook ready (`docs/modules/sbomservice/runbooks/airgap-parity-review.md`). Wave moves to TODO pending review completion and fixture hash upload.
- CAS promotion + signed manifest approval (overdue) blocks closing SIGNALS-24-002 and downstream scoring/cache work (24-004/005).
- Cosign v3.0.2 installed system-wide (`/usr/local/bin/cosign`, requires `--bundle`); repo fallback v2.6.0 at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). DSSE signing deadline remains 2025-12-05; tasks 57 are BLOCKED until signer key material (Alice Carter) is provided locally/CI via `COSIGN_PRIVATE_KEY_B64`. Helper script `tools/cosign/sign-signals.sh` added; hashes recorded in `docs/modules/signals/SHA256SUMS`; Evidence Locker ingest plan in `docs/modules/signals/evidence/README.md`.
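Review bot: The added CARTO-GRAPH-21-002 bullet says downstream Concelier/Excititor/Graph consumers "should align to this shape", but it carries no owner, task ID or date for that alignment, and "(+schema/sample)" leaves the schema and sample paths implicit. Spell out both paths and link a tracked follow-up per consumer, otherwise the archived Cartographer handshake remains the contract in practice.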


@@ -13,7 +13,12 @@
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/taskrunner/architecture.md (if available)
- docs/modules/platform/architecture.md
- docs/modules/taskrunner/architecture.md
- docs/product-advisories/29-Nov-2025 - Task Pack Orchestration and Automation.md
- docs/task-packs/spec.md
- docs/task-packs/authoring-guide.md
- docs/task-packs/runbook.md
- src/TaskRunner/StellaOps.TaskRunner/AGENTS.md
## Delivery Tracker
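Review bot: In the required-reading list, `docs/modules/taskrunner/architecture.md` loses its "(if available)" qualifier and several paths are added, so every entry is now mandatory; confirm each file exists at the listed path. The advisory entry `docs/product-advisories/29-Nov-2025 - Task Pack Orchestration and Automation.md` deserves a specific check, since another file in this same commit repoints a product advisory to `docs/product-advisories/archived/...`. Wrapping that space-containing path in backticks would also make it unambiguous.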
@@ -41,7 +46,7 @@
## Upcoming Checkpoints
- Kickoff to be scheduled after Sprint 0157 completion signal (TBD; see AT-01).
- Tenancy policy review target: 2025-12-05 (see AT-02).
- Tenancy policy review target: 2025-12-05 (UTC) (see AT-02).
## Action Tracker
| ID | Action | Owner | Due (UTC) | Status | Notes |
@@ -69,3 +74,4 @@
| 2025-11-30 | Marked OBS-54-001, OBS-55-001, and TEN-48-001 BLOCKED pending Sprint 0157 close-out (timeline/attestation schema) and tenancy policy; updated interlocks/action tracker. | Project Mgmt |
| 2025-11-30 | Synced `tasks-all.md` entries to BLOCKED status and canonical sprint filename. | Project Mgmt |
| 2025-11-30 | Propagated TaskRunner II blockers into `docs/implplan/blocked_tree.md` for cross-sprint visibility. | Project Mgmt |
| 2025-12-04 | Added TaskRunner required reading (platform architecture, advisory, task-pack docs) and clarified tenancy review checkpoint; blockers unchanged pending Sprint 0157 close-out. | Project Mgmt |


@@ -27,9 +27,9 @@
| P3 | PREP-ESCALATION-FOLLOW-UP-ADVISORYAI-ORCHESTR | DONE (2025-11-20) | Prep note published at `docs/events/prep/2025-11-20-advisoryai-orchestrator-followup.md`. | Planning | If no dates provided, mark BLOCKED in respective sprints and escalate to Wave leads. <br><br> Document artefact/deliverable for Escalation follow-up (AdvisoryAI, Orchestrator/Notifications) and publish location so downstream tasks can proceed. |
| P4 | PREP-160-A-160-B-160-C-ESCALATE-TO-WAVE-150-1 | DONE (2025-11-19) | Due 2025-11-23 · Accountable: Planning | Planning | Escalation sent to Wave 150/140 leads; awaiting new ETAs recorded in Sprint 110/150/140. |
| 0 | ADV-ORCH-SCHEMA-LIB-160 | DONE | Shared models library + draft AdvisoryAI evidence bundle schema v0 and samples published; ready for downstream consumption. | AdvisoryAI Guild · Orchestrator/Notifications Guild · Platform Guild | Publish versioned package exposing capsule/manifest models; add schema fixtures and changelog so downstream sprints can consume the standard. |
| 1 | 160.A EvidenceLocker snapshot | BLOCKED | Waiting on AdvisoryAI evidence payload notes + orchestrator/notifications envelopes to finalize ingest/replay summary. | Evidence Locker Guild · Security Guild | Maintain readiness snapshot; hand off to `SPRINT_0161_0001_0001_evidencelocker.md` & `SPRINT_187_evidence_locker_cli_integration.md`. |
| 2 | 160.B ExportCenter snapshot | BLOCKED | EvidenceLocker bundle contract frozen, but orchestrator/notifications envelopes still missing; cannot freeze ExportCenter snapshot. | Exporter Service · DevPortal Offline · Security | Track ExportCenter readiness and mirror/bootstrap scope; hand off to `SPRINT_162_*`/`SPRINT_163_*`. |
| 3 | 160.C TimelineIndexer snapshot | BLOCKED | Waiting on TIMELINE-OBS-52-001 digest references; schemas available. Prep migrations/RLS draft. | Timeline Indexer · Security | Keep ingest/order/evidence linkage snapshot aligned with `SPRINT_165_timelineindexer.md`. |
| 1 | 160.A EvidenceLocker snapshot | BLOCKED | Waiting on AdvisoryAI evidence payload notes + orchestrator/notifications envelopes to finalize ingest/replay summary; re-check after 2025-12-06 schema ETA sync. | Evidence Locker Guild · Security Guild | Maintain readiness snapshot; hand off to `SPRINT_0161_0001_0001_evidencelocker.md` & `SPRINT_187_evidence_locker_cli_integration.md`. |
| 2 | 160.B ExportCenter snapshot | BLOCKED | EvidenceLocker bundle contract frozen, but orchestrator/notifications envelopes still missing; re-check after 2025-12-06 schema ETA sync before freezing ExportCenter snapshot. | Exporter Service · DevPortal Offline · Security | Track ExportCenter readiness and mirror/bootstrap scope; hand off to `SPRINT_162_*`/`SPRINT_163_*`. |
| 3 | 160.C TimelineIndexer snapshot | BLOCKED | Waiting on TIMELINE-OBS-52-001 digest references; schemas available. Prep migrations/RLS draft; re-check after 2025-12-06 schema ETA sync. | Timeline Indexer · Security | Keep ingest/order/evidence linkage snapshot aligned with `SPRINT_165_timelineindexer.md`. |
| 4 | AGENTS-implplan | DONE | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | Local charter present; contributors must read before editing sprint docs. |
### Wave Coordination
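Review bot: In the 160.C TimelineIndexer row, the appended "re-check after 2025-12-06 schema ETA sync" does not match the blocker stated in the same cell, which is the TIMELINE-OBS-52-001 digest references with "schemas available". Tie the 160.C re-check to the event that delivers the digest references, or explain in the cell how the schema ETA sync unblocks them.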
@@ -102,51 +102,51 @@
| TIMELINE-OBS-53-001 | Evidence linkage endpoint | BLOCKED (2025-11-30) | Timeline Indexer + Evidence Locker Guilds |
## Interlocks & Readiness Signals
| Dependency | Owner / Source | Impacts | Status / Next signal |
| --- | --- | --- | --- |
| Orchestrator capsule & notifications schema (`docs/events/orchestrator-scanner-events.md`) | Orchestrator Service Guild · Notifications Guild (Sprint 150.A + 140 wave) | 160.A, 160.B, 160.C | OVERDUE (was due 2025-11-15); escalation sent 2025-11-18; awaiting new ETA (follow-up 2025-11-19). |
| AdvisoryAI evidence bundle schema & payload notes (Sprint 110.A) | AdvisoryAI Guild | 160.A, 160.B | OVERDUE (was due 2025-11-14); escalation sent 2025-11-18; awaiting new ETA (follow-up 2025-11-19). |
| Replay ledger spec alignment (`docs/replay/DETERMINISTIC_REPLAY.md`, `/docs/runbooks/replay_ops.md`) | Replay Delivery Guild (Sprint 187) | 160.A | Replay ops runbook exists (2025-11-03); EvidenceLocker must incorporate retention API shape before DOING. Track in EVID-REPLAY-187-001. |
| Crypto routing parity (`docs/security/crypto-routing-audit-2025-11-07.md`) | Security Guild + Export/Evidence teams (`EVID-CRYPTO-90-001`, `EXPORT-CRYPTO-90-001`) | 160.A, 160.B | Audit published 2025-11-07; wire `ICryptoProviderRegistry` before enabling sovereign profiles. Readiness review on 2025-11-18. |
| DevPortal verification CLI scaffolding (`DVOFF-64-002`) | DevPortal Offline Guild (Sprint 162) | 160.B | Prototype pending; keep `stella devportal verify bundle.tgz` ready once bundle contracts are signed. |
| Dependency | Owner / Source | Impacts | Status / Next signal |
| --- | --- | --- | --- |
| Orchestrator capsule & notifications schema (`docs/events/orchestrator-scanner-events.md`) | Orchestrator Service Guild · Notifications Guild (Sprint 150.A + 140 wave) | 160.A, 160.B, 160.C | OVERDUE; re-escalated 2025-12-04. Require ETA by 2025-12-06 or escalate to steering on 2025-12-07. |
| AdvisoryAI evidence bundle schema & payload notes (Sprint 110.A) | AdvisoryAI Guild | 160.A, 160.B | OVERDUE; re-escalated 2025-12-04. Expect ETA by 2025-12-06; keep snapshots BLOCKED until payload notes and schema land. |
| Replay ledger spec alignment (`docs/replay/DETERMINISTIC_REPLAY.md`, `/docs/runbooks/replay_ops.md`) | Replay Delivery Guild (Sprint 187) | 160.A | Replay ops runbook exists (2025-11-03); EvidenceLocker must incorporate retention API shape before DOING. Track in EVID-REPLAY-187-001. |
| Crypto routing parity (`docs/security/crypto-routing-audit-2025-11-07.md`) | Security Guild + Export/Evidence teams (`EVID-CRYPTO-90-001`, `EXPORT-CRYPTO-90-001`) | 160.A, 160.B | Review on 2025-11-18 slipped; reschedule for 2025-12-08 with registry sample due 2025-12-06. Keep sovereign modes off until approved. |
| DevPortal verification CLI scaffolding (`DVOFF-64-002`) | DevPortal Offline Guild (Sprint 162) | 160.B | Prototype pending; request stub bundle for dry run no later than 2025-12-09 to stay aligned with ExportCenter handoff. |
## Upcoming Checkpoints (UTC)
| Date | Session / Owner | Target outcome | Fallback / Escalation |
| --- | --- | --- | --- |
| 2025-11-14 | AdvisoryAI stand-up (AdvisoryAI Guild) | Freeze evidence bundle schema + payload notes so EvidenceLocker can finalize DSSE manifests (blocked). | MISSED; reschedule immediately and log in Sprint 110 + this sprint. |
| 2025-11-15 | Orchestrator + Notifications schema handoff (Orchestrator Service + Notifications Guilds) | Publish capsule envelopes & notification contracts required by EvidenceLocker ingest, ExportCenter notifications, TimelineIndexer ordering (blocked). | PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF |
| 2025-11-18 | Sovereign crypto readiness review (Security Guild + Evidence/Export teams) | Validate `ICryptoProviderRegistry` wiring plan for `EVID-CRYPTO-90-001` & `EXPORT-CRYPTO-90-001`; green-light sovereign modes (blocked). | If gating issues remain, file action items in Security board and hold related sprint tasks in TODO. |
| 2025-11-19 | DevPortal Offline CLI dry run (DevPortal Offline + AirGap Controller Guilds) | Demo `stella devportal verify bundle.tgz` using sample manifest to prove readiness once EvidenceLocker spec lands (blocked awaiting schema). | If CLI not ready, update DVOFF-64-002 description with new ETA and note risk in Sprint 162 doc. |
| 2025-11-19 | Escalation follow-up (AdvisoryAI, Orchestrator/Notifications) | Secure revised dates for schema/envelope drops; update this sprint + Sprint 110/150/140. | PREP-ESCALATION-FOLLOW-UP-ADVISORYAI-ORCHESTR |
| Date | Session / Owner | Target outcome | Fallback / Escalation |
| --- | --- | --- | --- |
| 2025-12-06 | Schema ETA sync (AdvisoryAI + Orchestrator/Notifications leads) | Confirm drop dates for AdvisoryAI payload notes and Orchestrator/Notifications capsule envelopes to unblock snapshots. | If no ETA, escalate to steering on 2025-12-07 and keep 160.A/B/C BLOCKED. |
| 2025-12-08 | Sovereign crypto readiness review (Security + Evidence/Export teams) | Approve `ICryptoProviderRegistry` wiring plan and provider matrix for `EVID-CRYPTO-90-001`/`EXPORT-CRYPTO-90-001`. | If not approved, publish interim provider whitelist and defer sovereign modes. |
| 2025-12-09 | DevPortal Offline CLI dry run (DevPortal Offline + AirGap Controller Guilds) | Demo `stella devportal verify bundle.tgz` against stub bundle to prep ExportCenter handoff. | If bundle not available, use stub from EvidenceLocker sample and log risk in Sprint 162. |
| 2025-12-10 | Wave 160 snapshot refresh (EvidenceLocker, ExportCenter, TimelineIndexer leads) | Publish updated readiness snapshots or restate BLOCKED with evidence; sync Sprint 161/162/165 trackers. | If still blocked, record blockade summary and extend checkpoint to 2025-12-13. |
## Action Tracker
| Wave | Immediate action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| 160.A EvidenceLocker | Draft ingest schema summary + Replay Ledger API notes into `SPRINT_0161_0001_0001_evidencelocker.md` once orchestrator + AdvisoryAI schemas land. | Evidence Locker Guild · Replay Delivery Guild | 2025-11-16 | OVERDUE (schemas not delivered) |
| 160.A EvidenceLocker | Validate crypto provider registry plan for `EVID-CRYPTO-90-001` ahead of the Nov-18 review. | Evidence Locker Guild · Security Guild | 2025-11-17 | OVERDUE (awaiting Security design feedback) |
| 160.A EvidenceLocker | Prep CLI + ops teams for replay handoff (`RUNBOOK-REPLAY-187-004`, `CLI-REPLAY-187-002`) once Evidence Locker APIs are drafted. | CLI Guild · Ops Guild · Evidence Locker Guild | 2025-11-18 | Pending |
| 160.B ExportCenter | Prepare DevPortal verification CLI prototype (`DVOFF-64-002`) covering manifest hash + DSSE verification flow. | DevPortal Offline Guild · AirGap Controller Guild | 2025-11-19 | In progress (design draft shared; waiting on bundle schema) |
| 160.B ExportCenter | Align attestation bundle job + CLI verbs (`EXPORT-ATTEST-74/75`) with EvidenceLocker DSSE layout once published. | Exporter Service Guild · Attestation Bundle Guild · CLI Guild | 2025-11-20 | Pending |
| 160.B ExportCenter | Stage crypto routing hooks in exporter service (`EXPORT-CRYPTO-90-001`) tied to the Nov-18 review. | Exporter Service Guild · Security Guild | 2025-11-18 | Pending |
| 160.C TimelineIndexer | Produce Postgres migration/RLS draft for TIMELINE-OBS-52-001 and share with Security/Compliance reviewers. | Timeline Indexer Guild · Security Guild | 2025-11-18 | Pending |
| 160.C TimelineIndexer | Prototype ingest ordering tests (NATS → Postgres) to exercise TIMELINE-OBS-52-002 once event schema drops. | Timeline Indexer Guild | 2025-11-19 | Pending |
| 160.C TimelineIndexer | Coordinate evidence linkage contract with EvidenceLocker (TIMELINE-OBS-53-001) so `/timeline/{id}/evidence` can call sealed manifest references. | Timeline Indexer Guild · Evidence Locker Guild | 2025-11-20 | Pending |
| AGENTS-implplan | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | 2025-11-18 | DONE |
| ESCALATE-ADV-AI-SCHEMA | Escalate and reschedule AdvisoryAI evidence bundle schema drop; log new date in Sprint 110 and this sprint. | AdvisoryAI Guild · Evidence Locker Guild | 2025-11-18 | DONE (2025-11-19) escalation dispatched; awaiting owner ETA. |
| ESCALATE-ORCH-ENVELOPE | Escalate Orchestrator/Notifications capsule envelope drop; obtain new ETA and log in Sprint 150/140 and this sprint. | Orchestrator Service · Notifications Guild | 2025-11-18 | DONE (2025-11-19) escalation dispatched; awaiting owner ETA. |
| Wave | Immediate action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| 160.A EvidenceLocker | Draft ingest schema summary + Replay Ledger API notes into `SPRINT_0161_0001_0001_evidencelocker.md` once orchestrator + AdvisoryAI schemas land. | Evidence Locker Guild · Replay Delivery Guild | 2025-12-10 | BLOCKED (waiting on AdvisoryAI payload notes + Orchestrator envelopes) |
| 160.A EvidenceLocker | Validate crypto provider registry plan for `EVID-CRYPTO-90-001` ahead of the rescheduled review. | Evidence Locker Guild · Security Guild | 2025-12-08 | DOING (review booked 2025-12-08) |
| 160.A EvidenceLocker | Prep CLI + ops teams for replay handoff (`RUNBOOK-REPLAY-187-004`, `CLI-REPLAY-187-002`) once Evidence Locker APIs are drafted. | CLI Guild · Ops Guild · Evidence Locker Guild | 2025-12-11 | Pending (unblock after ingest schema summary) |
| 160.B ExportCenter | Prepare DevPortal verification CLI prototype (`DVOFF-64-002`) covering manifest hash + DSSE verification flow. | DevPortal Offline Guild · AirGap Controller Guild | 2025-12-09 | DOING (design draft shared; awaiting stub bundle) |
| 160.B ExportCenter | Align attestation bundle job + CLI verbs (`EXPORT-ATTEST-74/75`) with EvidenceLocker DSSE layout once published. | Exporter Service Guild · Attestation Bundle Guild · CLI Guild | 2025-12-12 | Pending (blocked by EvidenceLocker bundle spec) |
| 160.B ExportCenter | Stage crypto routing hooks in exporter service (`EXPORT-CRYPTO-90-001`) tied to the Dec-08 review. | Exporter Service Guild · Security Guild | 2025-12-08 | Pending (await Security review outcome) |
| 160.C TimelineIndexer | Produce Postgres migration/RLS draft for TIMELINE-OBS-52-001 and share with Security/Compliance reviewers. | Timeline Indexer Guild · Security Guild | 2025-11-18 | DONE (2025-11-30) |
| 160.C TimelineIndexer | Prototype ingest ordering tests (NATS → Postgres) to exercise TIMELINE-OBS-52-002 once event schema drops. | Timeline Indexer Guild | 2025-11-19 | DONE (2025-12-03) |
| 160.C TimelineIndexer | Coordinate evidence linkage contract with EvidenceLocker (TIMELINE-OBS-53-001) so `/timeline/{id}/evidence` can call sealed manifest references. | Timeline Indexer Guild · Evidence Locker Guild | 2025-12-10 | BLOCKED (awaiting manifest references from EvidenceLocker) |
| CROSS | Capture AdvisoryAI + Orchestrator ETA responses and log in Sprint 110/150/140 + this sprint. | Planning · AdvisoryAI Guild · Orchestrator/Notifications Guild | 2025-12-06 | DOING (re-escalated 2025-12-04) |
| AGENTS-implplan | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | 2025-11-18 | DONE |
| ESCALATE-ADV-AI-SCHEMA | Escalate and reschedule AdvisoryAI evidence bundle schema drop; log new date in Sprint 110 and this sprint. | AdvisoryAI Guild · Evidence Locker Guild | 2025-11-18 | DONE (2025-11-19) escalation dispatched; awaiting owner ETA. |
| ESCALATE-ORCH-ENVELOPE | Escalate Orchestrator/Notifications capsule envelope drop; obtain new ETA and log in Sprint 150/140 and this sprint. | Orchestrator Service · Notifications Guild | 2025-11-18 | DONE (2025-11-19) escalation dispatched; awaiting owner ETA. |
## Decisions & Risks
| Item | Status / Decision | Notes |
| --- | --- | --- |
| Naming & template alignment | DONE (2025-11-17) | File renamed to `SPRINT_0160_0001_0001_export_evidence.md` and normalized to standard sprint template. |
| AdvisoryAI schema freeze | BLOCKED | Must land before EvidenceLocker/ExportCenter DOING moves; track in Interlocks and Sprint 110. |
| Orchestrator/Notifications envelopes | BLOCKED | Required for EvidenceLocker ingest, ExportCenter notifications, and TimelineIndexer ordering. |
| Crypto routing design readiness | BLOCKED | Await 2025-11-18 review to green-light `ICryptoProviderRegistry` wiring (`EVID-CRYPTO-90-001`, `EXPORT-CRYPTO-90-001`). |
| Risks | See table below | Retained from prior snapshot. |
| AGENTS.md for docs/implplan | DONE | `docs/implplan/AGENTS.md` added (2025-11-17); read before editing sprint docs. |
| AdvisoryAI schema checkpoint (2025-11-14) | OVERDUE | Reschedule required; tracked via `ESCALATE-ADV-AI-SCHEMA` action. |
| Orchestrator/Notifications checkpoint (2025-11-15) | OVERDUE | Reschedule required; tracked via `ESCALATE-ORCH-ENVELOPE` action. |
| Escalation responses | PENDING | Awaiting ETA confirmations from AdvisoryAI and Orchestrator/Notifications leads; follow-up due 2025-11-19 if no response. |
| Item | Status / Decision | Notes |
| --- | --- | --- |
| Naming & template alignment | DONE (2025-11-17) | File renamed to `SPRINT_0160_0001_0001_export_evidence.md` and normalized to standard sprint template. |
| AdvisoryAI schema freeze | BLOCKED | Must land before EvidenceLocker/ExportCenter DOING moves; track in Interlocks and Sprint 110. |
| Orchestrator/Notifications envelopes | BLOCKED | Required for EvidenceLocker ingest, ExportCenter notifications, and TimelineIndexer ordering. |
| Crypto routing design readiness | BLOCKED | Review slipped; rescheduled to 2025-12-08 to green-light `ICryptoProviderRegistry` wiring (`EVID-CRYPTO-90-001`, `EXPORT-CRYPTO-90-001`). |
| Risks | See table below | Retained from prior snapshot. |
| AGENTS.md for docs/implplan | DONE | `docs/implplan/AGENTS.md` added (2025-11-17); read before editing sprint docs. |
| AdvisoryAI schema checkpoint (2025-11-14) | OVERDUE | Reschedule in progress; re-escalated 2025-12-04 with ETA ask for 2025-12-06. |
| Orchestrator/Notifications checkpoint (2025-11-15) | OVERDUE | Reschedule in progress; re-escalated 2025-12-04 with ETA ask for 2025-12-06. |
| Escalation responses | PENDING | Awaiting ETA confirmations from AdvisoryAI and Orchestrator/Notifications leads; next follow-up 2025-12-06 (steering escalation 2025-12-07 if silent). |
### Risk table
| Risk | Impacted wave(s) | Severity | Mitigation / Owner |
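Review bot: In the Upcoming Checkpoints table, the 2025-12-08 crypto review fallback now reads "publish interim provider whitelist and defer sovereign modes", but no row names who approves that interim list, while the Interlocks row says to keep sovereign modes off until approved. Name the approver and state the scope of the interim list. Two smaller points: the 2025-12-09 dry run already targets a "stub bundle" and its fallback is also a stub, so the fallback adds nothing; and the TimelineIndexer actions marked DONE (2025-11-30) and DONE (2025-12-03) cite no artefact path as evidence.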
@@ -160,6 +160,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Re-baselined Wave 160 status; added Dec-06/08/09/10 checkpoints, re-escalated schema/envelope ETAs, refreshed Action Tracker (Timeline tasks marked DONE). | Project PM |
| 2025-11-30 | Marked ExportCenter and TimelineIndexer snapshot tasks BLOCKED pending AdvisoryAI + Orchestrator schemas and EvidenceLocker digest; no unblocked work in wave 160. | Implementer |
| 2025-11-20 | Confirmed PREP-ORCHESTRATOR-NOTIFICATIONS-SCHEMA-HANDOF and PREP-ESCALATION-FOLLOW-UP-ADVISORYAI-ORCHESTR still unclaimed; moved both to DOING to proceed with Wave 150/140 escalations. | Planning |
| 2025-11-20 | Published prep artefacts for P1P3: security coordination (`docs/modules/evidence-locker/prep/2025-11-20-security-coordination.md`), orchestrator/notifications handoff (`docs/events/prep/2025-11-20-orchestrator-notifications-schema-handoff.md`), and escalation follow-up (`docs/events/prep/2025-11-20-advisoryai-orchestrator-followup.md`). Marked P1P3 DONE. | Implementer |
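Review bot: The new 2025-12-04 log entry summarises the added checkpoints and the refreshed Action Tracker but not the slipped 2025-11-18 crypto review, which this same commit reschedules to 2025-12-08 in Interlocks and in Decisions & Risks. Mention the slip and the new date here so the Execution Log on its own explains the re-baseline.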


@@ -36,7 +36,7 @@
| 4 | RUNBOOK-REPLAY-187-004 | BLOCKED | PREP-RUNBOOK-REPLAY-187-004-DEPENDS-ON-RETENT | Docs Guild · Ops Guild | Publish `/docs/runbooks/replay_ops.md` coverage for retention enforcement, RootPack rotation, verification drills. |
| 5 | CRYPTO-REGISTRY-DECISION-161 | DONE | Decision recorded in `docs/security/crypto-registry-decision-2025-11-18.md`; publish contract defaults. | Security Guild · Evidence Locker Guild | Capture decision from 2025-11-18 review; emit changelog + reference implementation for downstream parity. |
| 6 | EVID-CRYPTO-90-001 | DONE | Implemented; `MerkleTreeCalculator` now uses `ICryptoProviderRegistry` for sovereign crypto routing. | Evidence Locker Guild · Security Guild | Route hashing/signing/bundle encryption through `ICryptoProviderRegistry`/`ICryptoHash` for sovereign crypto providers. |
| 7 | EVID-GAPS-161-007 | DOING (2025-12-04) | See EB1EB10 plan `docs/modules/evidence-locker/eb-gaps-161-007-plan.md`; schemas + offline guide drafted. | Product Mgmt · Evidence Locker Guild · CLI Guild | Address EB1EB10 from `docs/product-advisories/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`: publish `bundle.manifest.schema.json` + `checksums.schema.json` (canonical JSON), hash/Merkle recipe doc, mandatory DSSE predicate/log policy, replay provenance block, chunking/CAS rules, incident-mode signed activation/exit, tenant isolation + redaction manifest, offline verifier script (`docs/modules/evidence-locker/verify-offline.md`), golden bundles/replay fixtures under `tests/EvidenceLocker/Bundles/Golden`, and SemVer/change-log updates. |
| 7 | EVID-GAPS-161-007 | DOING (2025-12-04) | See EB1EB10 plan `docs/modules/evidence-locker/eb-gaps-161-007-plan.md`; schemas + offline guide drafted. | Product Mgmt · Evidence Locker Guild · CLI Guild | Address EB1EB10 from `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`: publish `bundle.manifest.schema.json` + `checksums.schema.json` (canonical JSON), hash/Merkle recipe doc, mandatory DSSE predicate/log policy, replay provenance block, chunking/CAS rules, incident-mode signed activation/exit, tenant isolation + redaction manifest, offline verifier script (`docs/modules/evidence-locker/verify-offline.md`), golden bundles/replay fixtures under `tests/EvidenceLocker/Bundles/Golden`, and SemVer/change-log updates. |
## Action Tracker
| Action | Owner(s) | Due | Status |
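Review bot: Row 7 (EVID-GAPS-161-007) now takes its gap list from a path under `archived/27-Nov-2025-superseded/`, so a task in DOING derives its requirements from an advisory filed as superseded. Either cite the document that supersedes it or state in the row that the archived advisory remains authoritative for these items. The file is dated 28-Nov-2025 inside a folder dated 27-Nov-2025, so the path is worth confirming as well.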
@@ -87,6 +87,7 @@
| 2025-11-20 | Completed PREP-EVID-REPLAY-187-001, PREP-CLI-REPLAY-187-002, and PREP-RUNBOOK-REPLAY-187-004; published prep docs at `docs/modules/evidence-locker/replay-payload-contract.md`, `docs/modules/cli/guides/replay-cli-prep.md`, and `docs/runbooks/replay_ops_prep_187_004.md`. | Implementer |
| 2025-11-20 | Added schema readiness and replay delivery prep notes for Evidence Locker Guild; see `docs/modules/evidence-locker/prep/2025-11-20-schema-readiness-blockers.md` and `.../2025-11-20-replay-delivery-sync.md`. Marked PREP-EVIDENCE-LOCKER-GUILD-BLOCKED-SCHEMAS-NO and PREP-EVIDENCE-LOCKER-GUILD-REPLAY-DELIVERY-GU DONE. | Implementer |
| 2025-11-27 | Completed EVID-CRYPTO-90-001: Extended `ICryptoProviderRegistry` with `ContentHashing` capability and `ResolveHasher` method; created `ICryptoHasher` interface with `DefaultCryptoHasher` implementation; wired `MerkleTreeCalculator` to use crypto registry for sovereign crypto routing; added `EvidenceCryptoOptions` for algorithm/provider configuration. | Implementer |
| 2025-12-01 | Added EVID-GAPS-161-007 to capture EB1EB10 remediation from `docs/product-advisories/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`. | Product Mgmt |
| 2025-12-01 | Added EVID-GAPS-161-007 to capture EB1EB10 remediation from `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`. | Product Mgmt |
| 2025-12-02 | Scoped EVID-GAPS-161-007 deliverables: schemas + DSSE, Merkle recipe, replay provenance, chunk/CAS rules, incident governance, tenant redaction, offline verifier doc, golden fixtures path, and SemVer/change-log updates. | Project Mgmt |
| 2025-12-04 | Moved EVID-GAPS-161-007 to DOING; drafted EB1/EB2 schemas, offline verifier guide, gap plan, and golden fixtures path. | Project Mgmt |
| 2025-12-04 | Updated attestation, replay, incident-mode docs with DSSE subject=Merkle root, log policy, replay provenance block, and signed incident toggles; added CAS/Merkle rules to bundle packaging. | Implementer |
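Review bot: The 2025-12-01 Execution Log entry is edited in place to point at `docs/product-advisories/archived/27-Nov-2025-superseded/...` instead of the original `docs/product-advisories/` path. The log reads as a dated record, so keep the original entry and add a new dated line recording the move to the archive. The new path also marks the advisory as superseded while EVID-GAPS-161-007 is still scoped against it; cite the superseding document or say why the archived one stays authoritative. The last 2025-12-04 entry asserts "DSSE subject=Merkle root" without naming the doc that defines it; add that path so the attestation, replay and incident-mode docs can be checked against one definition.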

View File

@@ -34,12 +34,12 @@
| 11 | NOTIFY-RISK-68-001 | BLOCKED (2025-11-22) | Depends on 67-001. | Notifications Service Guild | Per-profile routing, quiet hours, dedupe for risk alerts; integrate CLI/Console preferences. |
| 12 | NOTIFY-DOC-70-001 | DONE (2025-11-02) | — | Notifications Service Guild | Document split between legacy `src/Notify` libs and new `src/Notifier` runtime; update architecture docs. |
| 13 | NOTIFY-AIRGAP-56-002 | DONE | — | Notifications Service Guild · DevOps Guild | Bootstrap Pack notifier configs with deterministic secrets handling and offline validation. |
| 14 | NOTIFY-GAPS-171-014 | BLOCKED (2025-12-04) | Waiting on NR1NR10 details in `31-Nov-2025 FINDINGS.md` + schema/catalog refresh | Notifications Service Guild / src/Notifier/StellaOps.Notifier | Remediate NR1NR10: publish signed schemas + canonical JSON, enforce tenant scoping/approvals, deterministic rendering, quotas/backpressure + DLQ, retry/idempotency policy, webhook/ack security, redaction/PII limits, observability SLO alerts, offline notify-kit with DSSE, and mandatory simulations + evidence for rule/template changes. |
| 14 | NOTIFY-GAPS-171-014 | TODO | NR1NR10 defined in `31-Nov-2025 FINDINGS.md` + `docs/notifications/gaps-nr1-nr10.md`; implement schema/catalog + evidence bundle | Notifications Service Guild / src/Notifier/StellaOps.Notifier | Remediate NR1NR10: publish signed schemas + canonical JSON, enforce tenant scoping/approvals, deterministic rendering, quotas/backpressure + DLQ, retry/idempotency policy, webhook/ack security, redaction/PII limits, observability SLO alerts, offline notify-kit with DSSE, and mandatory simulations + evidence for rule/template changes. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Marked NOTIFY-GAPS-171-014 BLOCKED pending publication of NR1NR10 details in `31-Nov-2025 FINDINGS.md` and schema/catalog refresh. | Implementer |
| 2025-12-04 | Authored NR1NR10 section and blueprint (`docs/notifications/gaps-nr1-nr10.md`); unblocked NOTIFY-GAPS-171-014 and set status to TODO. | Implementer |
| 2025-11-19 | Fixed PREP-NOTIFY-OBS-51-001 Task ID (removed trailing hyphen) so dependency lookup works. | Project Mgmt |
| 2025-12-01 | Added NOTIFY-GAPS-171-014 (NR1NR10 from `31-Nov-2025 FINDINGS.md`) to track advisory gap remediation; status TODO pending schema/catalog refresh. | Project Mgmt |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
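Review bot: In the Execution Log, the 2025-12-04 "Marked NOTIFY-GAPS-171-014 BLOCKED" entry is replaced by the "unblocked ... set status to TODO" entry, so the log no longer shows that the task was ever blocked, and the Delivery Tracker row loses the `(2025-12-04)` date on its status. Append the new entry, keep the BLOCKED one, and date the TODO status. The tracker row also cites `31-Nov-2025 FINDINGS.md` without a directory, while the Decisions bullet later in this file uses `docs/product-advisories/31-Nov-2025 FINDINGS.md`; use the full path in both places.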
@@ -72,7 +72,7 @@
- Risk alerts depend on POLICY-RISK-40-002 export; schedule slip would re-baseline RISK tasks.
- Keep Offline Kit parity for templates and secrets handling before enabling new endpoints.
- Advisory gap remediation (NR1NR10) added as NOTIFY-GAPS-171-014; requires schema/catalog refresh, tenant/approval enforcement, deterministic rendering, quotas/backpressure/DLQ, retry/idempotency policy, webhook/ack security, redaction/PII limits, observability SLO alerts, offline notify-kit with DSSE, and mandatory simulation evidence before activation.
- NOTIFY-GAPS-171-014 is currently blocked because NR1NR10 findings are not yet defined in `31-Nov-2025 FINDINGS.md`; schema/catalog refresh must accompany that publication before remediation can start.
- NOTIFY-GAPS-171-014 now scoped (see `docs/product-advisories/31-Nov-2025 FINDINGS.md` + `docs/notifications/gaps-nr1-nr10.md`); remediation requires publishing the schema catalog + DSSE, redaction/approval/observability docs, and offline notify-kit artefacts.
## Next Checkpoints
| Date (UTC) | Milestone | Owner(s) |
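Review bot: The rewritten NOTIFY-GAPS-171-014 bullet names only documentation and artefact deliverables (schema catalog + DSSE, redaction/approval/observability docs, offline notify-kit), while the bullet directly above it still requires tenant/approval enforcement, quotas/backpressure/DLQ, retry/idempotency policy, webhook/ack security and simulation evidence before activation. Read together, it is unclear whether the enforcement items still gate activation. Merge the two bullets, or state in the new one that the first bullet's items remain activation criteria.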

View File

@@ -1,123 +1,125 @@
# Sprint 0209.0001.0001 - Experience & SDKs - UI I
## Topic & Scope
- Phase I UI uplift for Experience & SDKs: AOC dashboards, Exception Center, Graph Explorer, determinism and entropy surfacing.
- Keep UI aligned with new scopes, policy gating, and determinism evidence while preserving accessibility and performance baselines.
- Active items only; completed/historic work live in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
- **Working directory:** `src/UI/StellaOps.UI`.
## Dependencies & Concurrency
- Upstream sprints: 120.A AirGap, 130.A Scanner, 150.A Orchestrator, 170.A Notifier.
- SDK inputs: SPRINT_0208_0001_0001_sdk Wave B parity matrix and SDKGEN-64-002 outputs feed Console data providers and scope exports.
- Parallel tracks: UI II (Sprint 0210) and UI III (Sprint 0211) can run concurrently if shared components remain backward compatible.
- Blockers to flag: Graph scope exports (`graph:*`), Policy Engine determinism schema, Scanner entropy/determinism evidence contracts.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/ui/architecture.md`
- `docs/modules/ui/README.md`
- `docs/modules/ui/implementation_plan.md`
- `docs/modules/scanner/deterministic-sbom-compose.md`
- `docs/modules/scanner/entropy.md`
- `docs/modules/graph/architecture.md`
- `docs/15_UI_GUIDE.md`
- `docs/18_CODING_STANDARDS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | UI-AOC-19-001 | DONE | Align tiles with AOC service metrics | UI Guild (src/UI/StellaOps.UI) | Add Sources dashboard tiles showing AOC pass/fail, recent violation codes, and ingest throughput per tenant. |
| 2 | UI-AOC-19-002 | DONE | UI-AOC-19-001 | UI Guild (src/UI/StellaOps.UI) | Implement violation drill-down view highlighting offending document fields and provenance metadata. |
| 3 | UI-AOC-19-003 | DONE | UI-AOC-19-002 | UI Guild (src/UI/StellaOps.UI) | Add "Verify last 24h" action triggering AOC verifier endpoint and surfacing CLI parity guidance. |
| 4 | UI-EXC-25-001 | DONE | - | UI Guild; Governance Guild (src/UI/StellaOps.UI) | Build Exception Center (list + kanban) with filters, sorting, workflow transitions, and audit views. |
| 5 | UI-EXC-25-002 | DONE | UI-EXC-25-001 | UI Guild (src/UI/StellaOps.UI) | Implement exception creation wizard with scope preview, justification templates, timebox guardrails. |
| 6 | UI-EXC-25-003 | DONE | UI-EXC-25-002 | UI Guild (src/UI/StellaOps.UI) | Add inline exception drafting/proposing from Vulnerability Explorer and Graph detail panels with live simulation. |
| 7 | UI-EXC-25-004 | DONE | UI-EXC-25-003 | UI Guild (src/UI/StellaOps.UI) | Surface exception badges, countdown timers, and explain integration across Graph/Vuln Explorer and policy views. |
| 8 | UI-EXC-25-005 | DONE | UI-EXC-25-004 | UI Guild; Accessibility Guild (src/UI/StellaOps.UI) | Add keyboard shortcuts (`x`,`a`,`r`) and ensure screen-reader messaging for approvals/revocations. |
| 9 | UI-GRAPH-21-001 | DONE | Shared `StellaOpsScopes` exports ready | UI Guild (src/UI/StellaOps.UI) | Align Graph Explorer auth configuration with new `graph:*` scopes; consume scope identifiers from shared `StellaOpsScopes` exports (via generated SDK/config) instead of hard-coded strings. |
| 10 | UI-GRAPH-24-001 | BLOCKED | Missing Angular workspace and generated SDK scopes (`graph:*`); cannot render canvas without project skeleton. | UI Guild; SBOM Service Guild (src/UI/StellaOps.UI) | Build Graph Explorer canvas with layered/radial layouts, virtualization, zoom/pan, and scope toggles; initial render <1.5s for sample asset. |
| 11 | UI-GRAPH-24-002 | BLOCKED | Upstream 24-001 blocked; overlays depend on canvas + policy data contracts. | UI Guild; Policy Guild (src/UI/StellaOps.UI) | Implement overlays (Policy, Evidence, License, Exposure), simulation toggle, path view, and SBOM diff/time-travel with accessible tooltips/AOC indicators. |
| 12 | UI-GRAPH-24-003 | BLOCKED | Upstream 24-002 blocked; workspace absent so filters/permalinks cannot be wired. | UI Guild (src/UI/StellaOps.UI) | Deliver filters/search panel with facets, saved views, permalinks, and share modal. |
| 13 | UI-GRAPH-24-004 | BLOCKED | Upstream 24-003 blocked; side panels require base canvas + filters. | UI Guild (src/UI/StellaOps.UI) | Add side panels (Details, What-if, History) with upgrade simulation integration and SBOM diff viewer. |
| 14 | UI-GRAPH-24-006 | BLOCKED | Upstream graph tasks blocked; accessibility/hotkeys depend on canvas implementation. | UI Guild; Accessibility Guild (src/UI/StellaOps.UI) | Ensure accessibility (keyboard nav, screen reader labels, contrast), add hotkeys (`f`,`e`,`.`), and analytics instrumentation. |
| 15 | UI-LNM-22-001 | DONE | - | UI Guild; Policy Guild (src/UI/StellaOps.UI) | Build Evidence panel showing policy decision with advisory observations/linksets side-by-side, conflict badges, AOC chain, and raw doc download links (DOCS-LNM-22-005 awaiting UI screenshots/flows). |
| 16 | UI-SBOM-DET-01 | DONE | - | UI Guild (src/UI/StellaOps.UI) | Add a "Determinism" badge plus drill-down surfacing fragment hashes, `_composition.json`, and Merkle root consistency when viewing scan details. |
| 17 | UI-POLICY-DET-01 | DONE | UI-SBOM-DET-01 | UI Guild; Policy Guild (src/UI/StellaOps.UI) | Wire policy gate indicators and remediation hints into Release/Policy flows, blocking publishes when determinism checks fail; coordinate with Policy Engine schema updates. |
| 18 | UI-ENTROPY-40-001 | DONE | - | UI Guild (src/UI/StellaOps.UI) | Visualise entropy analysis per image (layer donut, file heatmaps, "Why risky?" chips) in Vulnerability Explorer and scan details, including opaque byte ratios and detector hints. |
| 19 | UI-ENTROPY-40-002 | DONE | UI-ENTROPY-40-001 | UI Guild; Policy Guild (src/UI/StellaOps.UI) | Add policy banners/tooltips explaining entropy penalties (block/warn thresholds, mitigation steps) and link to raw `entropy.report.json` evidence downloads. |
| 20 | UI-MICRO-GAPS-0209-011 | BLOCKED | Canonical 30-Nov-2025 UI Micro-Interactions advisory missing; Angular workspace absent; requires token catalog and a11y test harness | UI Guild; UX Guild; Accessibility Guild | Close MI1MI10: define motion tokens + reduced-motion rules, perf budgets, offline/latency/error patterns, component mapping, telemetry schema/flags, deterministic seeds/snapshots, micro-copy localisation, and theme/contrast guidance; add Storybook/Playwright checks. |
## Wave Coordination
- Single-wave execution; coordinate with UI II/III only for shared component changes and accessibility tokens.
## Wave Detail Snapshots
- Not applicable (single wave).
## Interlocks
- SDK generation (SPRINT_0208_0001_0001_sdk): parity matrix + SDKGEN-64-002 outputs feed Console data providers and scope exports for UI-GRAPH-* tasks.
- Graph Explorer scope exports and SDK generation (`graph:*`).
- Policy Engine determinism and exception schemas for indicators/banners.
- Scanner entropy and determinism evidence formats for UI-ENTROPY-* and UI-SBOM-DET-01.
- AOC verifier endpoint parity for UI-AOC-19-003.
## Upcoming Checkpoints
- 2025-11-29 15:00 UTC - UI/Graph scopes handoff review (owners: UI Guild, Graph owner).
- 2025-12-04 16:00 UTC - Policy determinism UI enablement go/no-go (owners: UI Guild, Policy Guild).
## Action Tracker
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Confirm `StellaOpsScopes` export availability for UI-GRAPH-21-001 | UI Guild | 2025-11-29 | BLOCKED (missing Angular workspace/SDK outputs) |
| 2 | Align Policy Engine determinism schema changes for UI-POLICY-DET-01 | Policy Guild | 2025-12-03 | BLOCKED (workspace absent; awaiting determinism schema freeze) |
| 3 | Deliver entropy evidence fixture snapshot for UI-ENTROPY-40-001 | Scanner Guild | 2025-11-28 | BLOCKED (fixtures unavailable locally; workspace missing) |
| 4 | Provide AOC verifier endpoint parity notes for UI-AOC-19-003 | Notifier Guild | 2025-11-27 | BLOCKED (UI workspace unavailable to consume parity notes) |
| 5 | Receive SDK parity matrix (Wave B, SPRINT_0208_0001_0001_sdk) to unblock Console data providers and scope exports | UI Guild · SDK Generator Guild | 2025-12-16 | BLOCKED (awaiting SDK parity delivery + workspace restore) |
| 6 | Publish canonical UI Micro-Interactions advisory (MI1MI10) with motion tokens, reduced-motion rules, and fixtures referenced by this sprint | Product Mgmt · UX Guild | 2025-12-06 | TODO |
| 7 | Restore Angular workspace under `src/UI/StellaOps.UI` to enable Storybook/Playwright harness and token catalog | UI Guild | 2025-12-05 | TODO |
## Decisions & Risks
| Risk | Impact | Mitigation / Next Step |
| --- | --- | --- |
# Sprint 0209.0001.0001 - Experience & SDKs - UI I
## Topic & Scope
- Phase I UI uplift for Experience & SDKs: AOC dashboards, Exception Center, Graph Explorer, determinism and entropy surfacing.
- Keep UI aligned with new scopes, policy gating, and determinism evidence while preserving accessibility and performance baselines.
- Active items only; completed/historic work live in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
- **Working directory:** `src/Web/StellaOps.Web`.
## Dependencies & Concurrency
- Upstream sprints: 120.A AirGap, 130.A Scanner, 150.A Orchestrator, 170.A Notifier.
- SDK inputs: SPRINT_0208_0001_0001_sdk Wave B parity matrix and SDKGEN-64-002 outputs feed Console data providers and scope exports.
- Parallel tracks: UI II (Sprint 0210) and UI III (Sprint 0211) can run concurrently if shared components remain backward compatible.
- Blockers to flag: Graph scope exports (`graph:*`), Policy Engine determinism schema, Scanner entropy/determinism evidence contracts.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/ui/architecture.md`
- `docs/modules/ui/README.md`
- `docs/modules/ui/implementation_plan.md`
- `docs/modules/scanner/deterministic-sbom-compose.md`
- `docs/modules/scanner/entropy.md`
- `docs/modules/graph/architecture.md`
- `docs/15_UI_GUIDE.md`
- `docs/18_CODING_STANDARDS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | UI-AOC-19-001 | DONE | Align tiles with AOC service metrics | UI Guild (src/Web/StellaOps.Web) | Add Sources dashboard tiles showing AOC pass/fail, recent violation codes, and ingest throughput per tenant. |
| 2 | UI-AOC-19-002 | DONE | UI-AOC-19-001 | UI Guild (src/Web/StellaOps.Web) | Implement violation drill-down view highlighting offending document fields and provenance metadata. |
| 3 | UI-AOC-19-003 | DONE | UI-AOC-19-002 | UI Guild (src/Web/StellaOps.Web) | Add "Verify last 24h" action triggering AOC verifier endpoint and surfacing CLI parity guidance. |
| 4 | UI-EXC-25-001 | DONE | - | UI Guild; Governance Guild (src/Web/StellaOps.Web) | Build Exception Center (list + kanban) with filters, sorting, workflow transitions, and audit views. |
| 5 | UI-EXC-25-002 | DONE | UI-EXC-25-001 | UI Guild (src/Web/StellaOps.Web) | Implement exception creation wizard with scope preview, justification templates, timebox guardrails. |
| 6 | UI-EXC-25-003 | DONE | UI-EXC-25-002 | UI Guild (src/Web/StellaOps.Web) | Add inline exception drafting/proposing from Vulnerability Explorer and Graph detail panels with live simulation. |
| 7 | UI-EXC-25-004 | DONE | UI-EXC-25-003 | UI Guild (src/Web/StellaOps.Web) | Surface exception badges, countdown timers, and explain integration across Graph/Vuln Explorer and policy views. |
| 8 | UI-EXC-25-005 | DONE | UI-EXC-25-004 | UI Guild; Accessibility Guild (src/Web/StellaOps.Web) | Add keyboard shortcuts (`x`,`a`,`r`) and ensure screen-reader messaging for approvals/revocations. |
| 9 | UI-GRAPH-21-001 | DONE | Shared `StellaOpsScopes` exports ready | UI Guild (src/Web/StellaOps.Web) | Align Graph Explorer auth configuration with new `graph:*` scopes; consume scope identifiers from shared `StellaOpsScopes` exports (via generated SDK/config) instead of hard-coded strings. |
| 10 | UI-GRAPH-24-001 | BLOCKED | Awaiting generated `graph:*` scope SDK exports (SPRINT_0208_0001_0001_sdk); canvas perf tuning pending until scopes land. | UI Guild; SBOM Service Guild (src/Web/StellaOps.Web) | Build Graph Explorer canvas with layered/radial layouts, virtualization, zoom/pan, and scope toggles; initial render <1.5s for sample asset. |
| 11 | UI-GRAPH-24-002 | BLOCKED | Upstream 24-001 blocked; overlays depend on canvas + policy data contracts. | UI Guild; Policy Guild (src/Web/StellaOps.Web) | Implement overlays (Policy, Evidence, License, Exposure), simulation toggle, path view, and SBOM diff/time-travel with accessible tooltips/AOC indicators. |
| 12 | UI-GRAPH-24-003 | BLOCKED | Upstream 24-002 blocked; filters/permalinks follow canvas + SDK scope availability. | UI Guild (src/Web/StellaOps.Web) | Deliver filters/search panel with facets, saved views, permalinks, and share modal. |
| 13 | UI-GRAPH-24-004 | BLOCKED | Upstream 24-003 blocked; side panels require base canvas + filters. | UI Guild (src/Web/StellaOps.Web) | Add side panels (Details, What-if, History) with upgrade simulation integration and SBOM diff viewer. |
| 14 | UI-GRAPH-24-006 | BLOCKED | Upstream graph tasks blocked; accessibility/hotkeys depend on canvas implementation. | UI Guild; Accessibility Guild (src/Web/StellaOps.Web) | Ensure accessibility (keyboard nav, screen reader labels, contrast), add hotkeys (`f`,`e`,`.`), and analytics instrumentation. |
| 15 | UI-LNM-22-001 | DONE | - | UI Guild; Policy Guild (src/Web/StellaOps.Web) | Build Evidence panel showing policy decision with advisory observations/linksets side-by-side, conflict badges, AOC chain, and raw doc download links (DOCS-LNM-22-005 awaiting UI screenshots/flows). |
| 16 | UI-SBOM-DET-01 | DONE | - | UI Guild (src/Web/StellaOps.Web) | Add a "Determinism" badge plus drill-down surfacing fragment hashes, `_composition.json`, and Merkle root consistency when viewing scan details. |
| 17 | UI-POLICY-DET-01 | DONE | UI-SBOM-DET-01 | UI Guild; Policy Guild (src/Web/StellaOps.Web) | Wire policy gate indicators and remediation hints into Release/Policy flows, blocking publishes when determinism checks fail; coordinate with Policy Engine schema updates. |
| 18 | UI-ENTROPY-40-001 | DONE | - | UI Guild (src/Web/StellaOps.Web) | Visualise entropy analysis per image (layer donut, file heatmaps, "Why risky?" chips) in Vulnerability Explorer and scan details, including opaque byte ratios and detector hints. |
| 19 | UI-ENTROPY-40-002 | DONE | UI-ENTROPY-40-001 | UI Guild; Policy Guild (src/Web/StellaOps.Web) | Add policy banners/tooltips explaining entropy penalties (block/warn thresholds, mitigation steps) and link to raw `entropy.report.json` evidence downloads. |
| 20 | UI-MICRO-GAPS-0209-011 | BLOCKED | Canonical 30-Nov-2025 UI Micro-Interactions advisory published; still need motion token catalog plus a11y/Storybook/Playwright harness in `src/Web/StellaOps.Web`. | UI Guild; UX Guild; Accessibility Guild | Close MI1MI10: define motion tokens + reduced-motion rules, perf budgets, offline/latency/error patterns, component mapping, telemetry schema/flags, deterministic seeds/snapshots, micro-copy localisation, and theme/contrast guidance; add Storybook/Playwright checks. |
## Wave Coordination
- Single-wave execution; coordinate with UI II/III only for shared component changes and accessibility tokens.
## Wave Detail Snapshots
- Not applicable (single wave).
## Interlocks
- SDK generation (SPRINT_0208_0001_0001_sdk): parity matrix + SDKGEN-64-002 outputs feed Console data providers and scope exports for UI-GRAPH-* tasks.
- Graph Explorer scope exports and SDK generation (`graph:*`).
- Policy Engine determinism and exception schemas for indicators/banners.
- Scanner entropy and determinism evidence formats for UI-ENTROPY-* and UI-SBOM-DET-01.
- AOC verifier endpoint parity for UI-AOC-19-003.
## Next Checkpoints
- 2025-11-29 15:00 UTC - UI/Graph scopes handoff review (owners: UI Guild, Graph owner).
- 2025-12-04 16:00 UTC - Policy determinism UI enablement go/no-go (owners: UI Guild, Policy Guild).
## Action Tracker
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Confirm `StellaOpsScopes` export availability for UI-GRAPH-21-001 | UI Guild | 2025-11-29 | BLOCKED (awaiting generated `graph:*` SDK scope exports from SPRINT_0208_0001_0001_sdk) |
| 2 | Align Policy Engine determinism schema changes for UI-POLICY-DET-01 | Policy Guild | 2025-12-03 | BLOCKED (awaiting determinism schema freeze) |
| 3 | Deliver entropy evidence fixture snapshot for UI-ENTROPY-40-001 | Scanner Guild | 2025-11-28 | BLOCKED (fixtures unavailable locally) |
| 4 | Provide AOC verifier endpoint parity notes for UI-AOC-19-003 | Notifier Guild | 2025-11-27 | BLOCKED (parity notes pending delivery) |
| 5 | Receive SDK parity matrix (Wave B, SPRINT_0208_0001_0001_sdk) to unblock Console data providers and scope exports | UI Guild · SDK Generator Guild | 2025-12-16 | BLOCKED (awaiting SDK parity delivery) |
| 6 | Publish canonical UI Micro-Interactions advisory (MI1MI10) with motion tokens, reduced-motion rules, and fixtures referenced by this sprint | Product Mgmt · UX Guild | 2025-12-06 | DONE |
| 7 | Align sprint working directory to `src/Web/StellaOps.Web` and verify workspace present (was `src/UI/StellaOps.UI`) | UI Guild | 2025-12-05 | DONE (2025-12-04) |
## Decisions & Risks
| Risk | Impact | Mitigation / Next Step |
| --- | --- | --- |
| Graph scope exports slip | Blocks UI-GRAPH-21-001 -> UI-GRAPH-24-006 chain | Track via Action #1; stub scopes via generated SDK if needed. |
| Policy determinism schema changes late | UI-POLICY-DET-01 cannot ship with gates | Coordinate with Policy Engine owners (Action #2) and keep UI feature-flagged. |
| Entropy evidence format changes | Rework for UI-ENTROPY-* views | Lock to `docs/modules/scanner/entropy.md`; add contract test fixtures before UI wiring. |
| Angular workspace missing | UI-GRAPH-24-* blocked | Restore Angular workspace under `src/UI/StellaOps.UI` and deliver generated `graph:*` scope exports before continuing Graph UI work. |
| Canonical UI Micro-Interactions advisory missing | UI-MICRO-GAPS-0209-011 cannot be scoped; MI1MI10 acceptance unclear | Action #6 to publish advisory; keep task BLOCKED until canonical document and fixtures land. |
## Execution Log
| Working directory mismatch (UI vs Web) causes contributors to edit wrong path | Duplicate effort or missing workspace for new tasks | Sprint now points to `src/Web/StellaOps.Web`; Action #7 closed; broadcast path in AGENTS/TASKS updates. |
| Micro-interaction implementation inputs incomplete | UI-MICRO-GAPS-0209-011 blocked on motion token catalog + a11y/Storybook/Playwright harness despite advisory availability | Keep Action #6 closed; open follow-on tasks for token catalog + harness once SDK scopes land. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Began UI-MICRO-GAPS-0209-011; canonical 30-Nov-2025 UI Micro-Interactions advisory is missing and Angular workspace `src/UI/StellaOps.UI` is empty. Marked task BLOCKED; added Actions #6#7 to publish advisory and restore workspace before scoping MI1MI10 tokens/tests. | Project mgmt |
| 2025-12-03 | Marked UI-GRAPH-24-001/002/003/004/006 BLOCKED: Angular workspace is absent under `src/UI/StellaOps.UI` and generated `graph:*` scope SDK exports are missing; cannot render canvas or overlays until workspace and SDK parity land. | Implementer |
| 2025-12-04 | Confirmed canonical Angular workspace is `src/Web/StellaOps.Web` (not `src/UI/StellaOps.UI`); updated working directory, blockers, and Action #7 accordingly. Graph blockers now tied to generated `graph:*` SDK scopes. | Project mgmt |
| 2025-12-04 | Published canonical UI Micro-Interactions advisory (`docs/product-advisories/30-Nov-2025 - UI Micro-Interactions for StellaOps.md`). UI-MICRO-GAPS-0209-011 remains BLOCKED pending motion token catalog + a11y/Storybook/Playwright harness in `src/Web/StellaOps.Web`. | Project mgmt |
| 2025-12-04 | Earlier note: UI-MICRO-GAPS-0209-011 was marked BLOCKED when advisory was still pending and `src/UI/StellaOps.UI` was empty; superseded by publication + path correction the same day. | Project mgmt |
| 2025-12-03 | Marked UI-GRAPH-24-001/002/003/004/006 BLOCKED: UI path was empty and `graph:*` scope SDK exports were missing; will re-evaluate after path correction and SDK delivery. | Implementer |
| 2025-11-27 | UI-GRAPH-21-001: Created stub `StellaOpsScopes` exports and integrated auth configuration into Graph Explorer. Created `scopes.ts` with: typed scope constants (`GRAPH_READ`, `GRAPH_WRITE`, `GRAPH_ADMIN`, `GRAPH_EXPORT`, `GRAPH_SIMULATE` and scopes for SBOM, Scanner, Policy, Exception, Release, AOC, Admin domains), scope groupings (`GRAPH_VIEWER`, `GRAPH_EDITOR`, `GRAPH_ADMIN`, `RELEASE_MANAGER`, `SECURITY_ADMIN`), human-readable labels, and helper functions (`hasScope`, `hasAllScopes`, `hasAnyScope`). Created `auth.service.ts` with `AuthService` interface and `MockAuthService` implementation providing: user info with tenant context, scope-based permission methods (`canViewGraph`, `canEditGraph`, `canExportGraph`, `canSimulate`). Integrated into `GraphExplorerComponent` via `AUTH_SERVICE` injection token: added computed signals for scope-based permissions (`canViewGraph`, `canEditGraph`, `canExportGraph`, `canSimulate`, `canCreateException`), current user info, and user scopes list. Stub implementation allows Graph Explorer development to proceed; will be replaced by generated SDK exports from SPRINT_0208_0001_0001_sdk. Files added: `src/app/core/auth/scopes.ts`, `src/app/core/auth/auth.service.ts`, `src/app/core/auth/index.ts`. Files updated: `graph-explorer.component.ts`. | UI Guild |
| 2025-11-27 | UI-AOC-19-001/002/003: Implemented Sources dashboard with AOC metrics tiles, violation drill-down, and "Verify last 24h" action. Created domain models (`aoc.models.ts`) for AocDashboardSummary, AocPassFailSummary, AocViolationCode, IngestThroughput, AocSource, AocCheckResult, VerificationRequest, ViolationDetail, OffendingField, and ProvenanceMetadata. Created mock API service (`aoc.client.ts`) with fixtures showing pass/fail metrics, 5 violation codes (AOC-001 through AOC-020), 4 tenant throughput records, 4 sources (registry, pipeline, manual), and sample check results. Built `AocDashboardComponent` (`/sources` route) with 3 tiles: (1) Pass/Fail tile with large pass rate percentage, trend indicator (improving/stable/degrading), mini 7-day chart, passed/failed/pending counts; (2) Recent Violations tile with severity badges, violation codes, names, counts, and modal detail view; (3) Ingest Throughput tile with total documents/bytes and per-tenant breakdown table. Added Sources section showing source cards with type icons, pass rates, recent violation chips, and last check time. Implemented "Verify Last 24h" button triggering verification endpoint with progress feedback and CLI parity command display (`stella aoc verify --since 24h --output json`). Created `ViolationDetailComponent` (`/sources/violations/:code` route) showing all occurrences of a violation code with: offending fields list (JSON path, expected vs actual values, reason), provenance metadata (source type/URI, build ID, commit SHA, pipeline URL), and suggested fix. Files added: `src/app/core/api/aoc.{models,client}.ts`, `src/app/features/sources/aoc-dashboard.component.{ts,html,scss}`, `violation-detail.component.ts`, `index.ts`. Routes registered at `/sources` and `/sources/violations/:code`. | UI Guild |
| 2025-11-27 | UI-POLICY-DET-01: Implemented Release flow with policy gate indicators and remediation hints for determinism blocking. Created domain models (`release.models.ts`) for Release, ReleaseArtifact, PolicyEvaluation, PolicyGateResult, RemediationHint, RemediationStep, and DeterminismFeatureFlags. Created mock API service (`release.client.ts`) with fixtures for passing/blocked/mixed releases showing determinism gate scenarios. Built `ReleaseFlowComponent` (`/releases` route) with list/detail views: list shows release cards with gate status pips and blocking indicators; detail view shows artifact tabs, policy gate evaluations, determinism evidence (Merkle root, fragment verification count, failed layers), and publish/bypass actions. Created `PolicyGateIndicatorComponent` with expandable gate details, status icons, blocking badges, and feature flag info display. Created `RemediationHintsComponent` with severity badges, estimated effort, numbered remediation steps with CLI commands (copy-to-clipboard), documentation links, automated action buttons, and exception request option. Feature-flagged via `DeterminismFeatureFlags` (blockOnFailure, warnOnly, bypassRoles). Bypass modal allows requesting exceptions with justification. Files added: `src/app/core/api/release.{models,client}.ts`, `src/app/features/releases/release-flow.component.{ts,html,scss}`, `policy-gate-indicator.component.ts`, `remediation-hints.component.ts`, `index.ts`. Routes registered at `/releases` and `/releases/:releaseId`. | UI Guild |
| 2025-11-27 | UI-AOC-19-001/002/003: Implemented Sources dashboard with AOC metrics tiles, violation drill-down, and "Verify last 24h" action. Created domain models (`aoc.models.ts`) for AocDashboardSummary, AocPassFailSummary, AocViolationCode, IngestThroughput, AocSource, AocCheckResult, VerificationRequest, ViolationDetail, OffendingField, and ProvenanceMetadata. Created mock API service (`aoc.client.ts`) with fixtures showing pass/fail metrics, 5 violation codes (AOC-001 through AOC-020), 4 tenant throughput records, 4 sources (registry, pipeline, manual), and sample check results. Built `AocDashboardComponent` (`/sources` route) with 3 tiles: (1) Pass/Fail tile with large pass rate percentage, trend indicator (improving/stable/degrading), mini 7-day chart, passed/failed/pending counts; (2) Recent Violations tile with severity badges, violation codes, names, counts, and modal detail view; (3) Ingest Throughput tile with total documents/bytes and per-tenant breakdown table. Added Sources section showing source cards with type icons, pass rates, recent violation chips, and last check time. Implemented "Verify Last 24h" button triggering verification endpoint with progress feedback and CLI parity command display (`stella aoc verify --since 24h --output json`). Created `ViolationDetailComponent` (`/sources/violations/:code` route) showing all occurrences of a violation code with: offending fields list (JSON path, expected vs actual values, reason), provenance metadata (source type/URI, build ID, commit SHA, pipeline URL), and suggested fix. Files added: `src/app/core/api/aoc.{models,client}.ts`, `src/app/features/sources/aoc-dashboard.component.{ts,html,scss}`, `violation-detail.component.ts`, `index.ts`. Routes registered at `/sources` and `/sources/violations/:code`. | UI Guild |
| 2025-11-27 | UI-POLICY-DET-01: Implemented Release flow with policy gate indicators and remediation hints for determinism blocking. Created domain models (`release.models.ts`) for Release, ReleaseArtifact, PolicyEvaluation, PolicyGateResult, RemediationHint, RemediationStep, and DeterminismFeatureFlags. Created mock API service (`release.client.ts`) with fixtures for passing/blocked/mixed releases showing determinism gate scenarios. Built `ReleaseFlowComponent` (`/releases` route) with list/detail views: list shows release cards with gate status pips and blocking indicators; detail view shows artifact tabs, policy gate evaluations, determinism evidence (Merkle root, fragment verification count, failed layers), and publish/bypass actions. Created `PolicyGateIndicatorComponent` with expandable gate details, status icons, blocking badges, and feature flag info display. Created `RemediationHintsComponent` with severity badges, estimated effort, numbered remediation steps with CLI commands (copy-to-clipboard), documentation links, automated action buttons, and exception request option. Feature-flagged via `DeterminismFeatureFlags` (blockOnFailure, warnOnly, bypassRoles). Bypass modal allows requesting exceptions with justification. Files added: `src/app/core/api/release.{models,client}.ts`, `src/app/features/releases/release-flow.component.{ts,html,scss}`, `policy-gate-indicator.component.ts`, `remediation-hints.component.ts`, `index.ts`. Routes registered at `/releases` and `/releases/:releaseId`. | UI Guild |
| 2025-11-27 | UI-ENTROPY-40-002: Implemented entropy policy banner with threshold explanations and mitigation steps. Created `EntropyPolicyBannerComponent` showing: pass/warn/block decision based on configurable thresholds (default block at 15% image opaque ratio, warn at 30% file opaque ratio), detailed reasons for decision, recommended mitigations (provide provenance, unpack binaries, include debug symbols), current vs threshold comparisons, expandable details with suppression options info, and tooltip explaining entropy concepts. Banner auto-evaluates entropy evidence and displays appropriate styling (green/yellow/red). Includes download link to `entropy.report.json` for offline audits. Integrated into scan-detail-page above entropy panel. Files updated: `scan-detail-page.component.{ts,html}`. Files added: `entropy-policy-banner.component.ts`. | UI Guild |
| 2025-12-01 | Added UI-MICRO-GAPS-0209-011 to address MI1MI10 micro-interaction gaps from `31-Nov-2025 FINDINGS.md`; status TODO pending token catalog, reduced-motion/perf budgets, telemetry schema, and deterministic test harness. | Project Mgmt |
| 2025-11-27 | UI-ENTROPY-40-001: Implemented entropy visualization with layer donut chart, file heatmaps, and "Why risky?" chips. Extended `scanner.models.ts` with `EntropyEvidence`, `EntropyReport`, `EntropyLayerSummaryReport`, `EntropyFile`, `EntropyWindow`, and `EntropyLayerSummary` interfaces. Created `EntropyPanelComponent` with 3 views (Summary, Layers, Files): Summary shows layer donut chart with opaque ratio distribution, risk indicator chips (packed, no-symbols, stripped, UPX packer detection), entropy penalty and opaque ratio stats. Layers view shows per-layer bar charts with opaque bytes and indicators. Files view shows expandable file cards with entropy heatmaps (green-to-red gradient), file flags, and high-entropy window tables. Added mock entropy data to scan fixtures (low-risk and high-risk scenarios). Integrated panel into scan-detail-page. Files updated: `scanner.models.ts`, `scan-fixtures.ts`, `scan-detail-page.component.{ts,html,scss}`. Files added: `entropy-panel.component.ts`. | UI Guild |
| 2025-11-27 | UI-SBOM-DET-01: Implemented Determinism badge with drill-down view surfacing fragment hashes, `_composition.json`, and Merkle root consistency. Extended `scanner.models.ts` with `DeterminismEvidence`, `CompositionManifest`, and `FragmentAttestation` interfaces. Created `DeterminismBadgeComponent` with expandable details showing: Merkle root with consistency status, content hash, composition manifest URI with fragment count, fragment attestations list with DSSE verification status per layer, and Stella properties (`stellaops:stella.contentHash`, `stellaops:composition.manifest`, `stellaops:merkle.root`). Added mock determinism data to scan fixtures (verified and failed scenarios). Integrated badge into scan-detail-page. Files updated: `scanner.models.ts`, `scan-fixtures.ts`, `scan-detail-page.component.{ts,html,scss}`. Files added: `determinism-badge.component.ts`. | UI Guild |
| 2025-11-27 | UI-LNM-22-001: Implemented Evidence panel showing policy decision with advisory observations/linksets side-by-side, conflict badges, AOC chain, and raw doc download links. Created domain models (`evidence.models.ts`) for Observation, Linkset, PolicyEvidence, AocChainEntry with SOURCE_INFO metadata. Created mock API service (`evidence.client.ts`) with detailed Log4Shell (CVE-2021-44228) example data from ghsa/nvd/osv sources. Built `EvidencePanelComponent` with 4 tabs (Observations, Linkset, Policy, AOC Chain), side-by-side/stacked observation view toggle, conflict banner with expandable details, severity badges, provenance metadata display, and raw JSON download. Added `EvidencePageComponent` wrapper for direct routing with loading/error states. Files added: `src/app/core/api/evidence.{models,client}.ts`, `src/app/features/evidence/evidence-panel.component.{ts,html,scss}`, `evidence-page.component.ts`, `index.ts`. Route registered at `/evidence/:advisoryId`. | UI Guild |
| 2025-11-26 | UI-EXC-25-005: Implemented keyboard shortcuts (X=create, A=approve, R=reject, Esc=close) and screen-reader messaging for Exception Center. Added `@HostListener` for global keyboard event handling with input field detection to avoid conflicts. Added ARIA live region for screen-reader announcements on all workflow transitions (approve, reject, revoke, submit for review). Added visual keyboard hints bar showing available shortcuts. All transition methods now announce their actions to screen readers before/after execution. Enhanced buttons with `aria-label` attributes including keyboard shortcut hints. Files updated: `exception-center.component.ts` (keyboard handlers, announceToScreenReader method, OnDestroy cleanup), `exception-center.component.html` (ARIA live region, keyboard hints bar, aria-labels), `exception-center.component.scss` (sr-only class, keyboard-hints styling). | UI Guild |
| 2025-11-26 | UI-EXC-25-004: Implemented exception badges with countdown timers and explain integration across Vulnerability Explorer and Graph Explorer. Created reusable `ExceptionBadgeComponent` with expandable view, live countdown timer (updates every minute), severity/status indicators, accessibility support (ARIA labels, keyboard navigation), and expiring-soon visual warnings. Created `ExceptionExplainComponent` modal with scope explanation, impact stats, timeline, approval info, and severity-based warnings. Integrated components into both explorers with badge data mapping and explain modal overlays. Files added: `shared/components/exception-badge.component.ts`, `shared/components/exception-explain.component.ts`, `shared/components/index.ts`. Updated `vulnerability-explorer.component.{ts,html,scss}` and `graph-explorer.component.{ts,html,scss}` with badge/explain integration. | UI Guild |
| 2025-11-26 | UI-EXC-25-003: Implemented inline exception drafting from Vulnerability Explorer and Graph Explorer. Created reusable `ExceptionDraftInlineComponent` with context-aware pre-population (vulnIds, componentPurls, assetIds), quick justification templates, timebox presets, and live impact simulation showing affected findings count/policy impact/coverage estimate. Created new Vulnerability Explorer (`/vulnerabilities` route) with 10 mock CVEs, severity/status filters, detail panel with affected components, and inline exception drafting. Created Graph Explorer (`/graph` route) with hierarchy/flat views, layer toggles (assets/components/vulnerabilities), severity filters, and context-aware inline exception drafting from any selected node. Files added: `exception-draft-inline.component.{ts,html,scss}`, `vulnerability.{models,client}.ts`, `vulnerability-explorer.component.{ts,html,scss}`, `graph-explorer.component.{ts,html,scss}`. Routes registered at `/vulnerabilities` and `/graph`. | UI Guild |
| 2025-11-26 | UI-EXC-25-002: Implemented exception creation wizard with 5-step flow (basics, scope, justification, timebox, review). Features: 6 justification templates (risk-accepted, compensating-control, false-positive, scheduled-fix, internal-only, custom), scope preview with tenant/asset/component/global types, timebox guardrails (max 365 days, warnings for >90 days), timebox presets (7/14/30/90 days), auto-renewal config with max renewals, and final review step before creation. Files added: `exception-wizard.component.{ts,html,scss}`. Wizard integrated into Exception Center via modal overlay with "Create Exception" button. | UI Guild |
| 2025-11-26 | UI-EXC-25-001: Implemented Exception Center with list view, kanban board, filters (status/severity/search), sorting, workflow transitions (draft->pending_review->approved/rejected), and audit trail panel. Files added: `src/Web/StellaOps.Web/src/app/features/exceptions/exception-center.component.{ts,html,scss}`, `src/app/core/api/exception.{models,client}.ts`, `src/app/testing/exception-fixtures.ts`. Route registered at `/exceptions`. Mock API service provides deterministic fixtures. Tests pending on clean CI runner. | UI Guild |
| 2025-11-22 | Renamed to `SPRINT_0209_0001_0001_ui_i.md` and normalised to sprint template; no task status changes. | Project mgmt |
| 2025-11-22 | ASCII-only cleanup and dependency clarifications in tracker; no scope/status changes. | Project mgmt |
| 2025-11-22 | Added checkpoints and new actions for entropy evidence and AOC verifier parity; no task status changes. | Project mgmt |
| 2025-11-22 | Synced documentation prerequisites with UI Guild charter (UI guide, coding standards, module README/implementation plan). | Project mgmt |
| 2025-11-22 | Normalised `tasks-all.md` entries for this sprint to ASCII (quotes/arrows/dots). | Project mgmt |
| 2025-11-22 | Deduplicated `tasks-all.md` rows for this sprint (kept first occurrence per Task ID); no status changes. | Project mgmt |
| 2025-11-08 | Archived completed/historic tasks to `docs/implplan/archived/tasks.md`. | Planning |
| 2025-11-22 | Added SDK interlock (SPRINT_0208_0001_0001_sdk) and Action #5 for parity matrix delivery to UI data providers. | Project mgmt |
| 2025-11-27 | UI-AOC-19-001 DONE: Created Sources dashboard with AOC pass/fail tiles, violation codes, ingest throughput. Files: `aoc.models.ts`, `aoc.client.ts`, `sources-dashboard.component.{ts,html,scss}`. Added route at `/dashboard/sources`. | Claude Code |
| 2025-11-27 | UI-SBOM-DET-01 DONE: Created Determinism badge component with expandable details showing Merkle root, fragment hashes, composition metadata, and issues. Files: `determinism.models.ts`, `determinism-badge.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-ENTROPY-40-001 DONE: Created Entropy panel with score ring, layer donut chart, high-entropy files heatmap, and detector hint chips. Files: `entropy.models.ts`, `entropy-panel.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-AOC-19-002 DONE: Created violation drill-down with by-violation/by-document views, field highlighting, provenance metadata, and remediation hints. Extended `aoc.models.ts`, created `violation-drilldown.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-POLICY-DET-01 DONE: Created policy gate indicator with determinism/entropy details, blocking issue display, and remediation steps. Files: `policy.models.ts`, `policy-gate-indicator.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-ENTROPY-40-002 DONE: Created entropy policy banner with threshold visualization, score bar, mitigation steps, and evidence download. Files: `entropy-policy-banner.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-AOC-19-003 DONE: Created verify action component with progress, results display, CLI parity guidance panel. Files: `verify-action.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-EXC-25-001 DONE: Created Exception Center with list/kanban views, filters, sorting, workflow transitions, status chips. Files: `exception.models.ts`, `exception-center.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-EXC-25-002 DONE: Created Exception wizard with 5-step flow (type, scope, justification, timebox, review), templates, timebox presets. Files: `exception-wizard.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-ENTROPY-40-001: Implemented entropy visualization with layer donut chart, file heatmaps, and "Why risky?" chips. Extended `scanner.models.ts` with `EntropyEvidence`, `EntropyReport`, `EntropyLayerSummaryReport`, `EntropyFile`, `EntropyWindow`, and `EntropyLayerSummary` interfaces. Created `EntropyPanelComponent` with 3 views (Summary, Layers, Files): Summary shows layer donut chart with opaque ratio distribution, risk indicator chips (packed, no-symbols, stripped, UPX packer detection), entropy penalty and opaque ratio stats. Layers view shows per-layer bar charts with opaque bytes and indicators. Files view shows expandable file cards with entropy heatmaps (green-to-red gradient), file flags, and high-entropy window tables. Added mock entropy data to scan fixtures (low-risk and high-risk scenarios). Integrated panel into scan-detail-page. Files updated: `scanner.models.ts`, `scan-fixtures.ts`, `scan-detail-page.component.{ts,html,scss}`. Files added: `entropy-panel.component.ts`. | UI Guild |
| 2025-11-27 | UI-SBOM-DET-01: Implemented Determinism badge with drill-down view surfacing fragment hashes, `_composition.json`, and Merkle root consistency. Extended `scanner.models.ts` with `DeterminismEvidence`, `CompositionManifest`, and `FragmentAttestation` interfaces. Created `DeterminismBadgeComponent` with expandable details showing: Merkle root with consistency status, content hash, composition manifest URI with fragment count, fragment attestations list with DSSE verification status per layer, and Stella properties (`stellaops:stella.contentHash`, `stellaops:composition.manifest`, `stellaops:merkle.root`). Added mock determinism data to scan fixtures (verified and failed scenarios). Integrated badge into scan-detail-page. Files updated: `scanner.models.ts`, `scan-fixtures.ts`, `scan-detail-page.component.{ts,html,scss}`. Files added: `determinism-badge.component.ts`. | UI Guild |
| 2025-11-27 | UI-LNM-22-001: Implemented Evidence panel showing policy decision with advisory observations/linksets side-by-side, conflict badges, AOC chain, and raw doc download links. Created domain models (`evidence.models.ts`) for Observation, Linkset, PolicyEvidence, AocChainEntry with SOURCE_INFO metadata. Created mock API service (`evidence.client.ts`) with detailed Log4Shell (CVE-2021-44228) example data from ghsa/nvd/osv sources. Built `EvidencePanelComponent` with 4 tabs (Observations, Linkset, Policy, AOC Chain), side-by-side/stacked observation view toggle, conflict banner with expandable details, severity badges, provenance metadata display, and raw JSON download. Added `EvidencePageComponent` wrapper for direct routing with loading/error states. Files added: `src/app/core/api/evidence.{models,client}.ts`, `src/app/features/evidence/evidence-panel.component.{ts,html,scss}`, `evidence-page.component.ts`, `index.ts`. Route registered at `/evidence/:advisoryId`. | UI Guild |
| 2025-11-26 | UI-EXC-25-005: Implemented keyboard shortcuts (X=create, A=approve, R=reject, Esc=close) and screen-reader messaging for Exception Center. Added `@HostListener` for global keyboard event handling with input field detection to avoid conflicts. Added ARIA live region for screen-reader announcements on all workflow transitions (approve, reject, revoke, submit for review). Added visual keyboard hints bar showing available shortcuts. All transition methods now announce their actions to screen readers before/after execution. Enhanced buttons with `aria-label` attributes including keyboard shortcut hints. Files updated: `exception-center.component.ts` (keyboard handlers, announceToScreenReader method, OnDestroy cleanup), `exception-center.component.html` (ARIA live region, keyboard hints bar, aria-labels), `exception-center.component.scss` (sr-only class, keyboard-hints styling). | UI Guild |
| 2025-11-26 | UI-EXC-25-004: Implemented exception badges with countdown timers and explain integration across Vulnerability Explorer and Graph Explorer. Created reusable `ExceptionBadgeComponent` with expandable view, live countdown timer (updates every minute), severity/status indicators, accessibility support (ARIA labels, keyboard navigation), and expiring-soon visual warnings. Created `ExceptionExplainComponent` modal with scope explanation, impact stats, timeline, approval info, and severity-based warnings. Integrated components into both explorers with badge data mapping and explain modal overlays. Files added: `shared/components/exception-badge.component.ts`, `shared/components/exception-explain.component.ts`, `shared/components/index.ts`. Updated `vulnerability-explorer.component.{ts,html,scss}` and `graph-explorer.component.{ts,html,scss}` with badge/explain integration. | UI Guild |
| 2025-11-26 | UI-EXC-25-003: Implemented inline exception drafting from Vulnerability Explorer and Graph Explorer. Created reusable `ExceptionDraftInlineComponent` with context-aware pre-population (vulnIds, componentPurls, assetIds), quick justification templates, timebox presets, and live impact simulation showing affected findings count/policy impact/coverage estimate. Created new Vulnerability Explorer (`/vulnerabilities` route) with 10 mock CVEs, severity/status filters, detail panel with affected components, and inline exception drafting. Created Graph Explorer (`/graph` route) with hierarchy/flat views, layer toggles (assets/components/vulnerabilities), severity filters, and context-aware inline exception drafting from any selected node. Files added: `exception-draft-inline.component.{ts,html,scss}`, `vulnerability.{models,client}.ts`, `vulnerability-explorer.component.{ts,html,scss}`, `graph-explorer.component.{ts,html,scss}`. Routes registered at `/vulnerabilities` and `/graph`. | UI Guild |
| 2025-11-26 | UI-EXC-25-002: Implemented exception creation wizard with 5-step flow (basics, scope, justification, timebox, review). Features: 6 justification templates (risk-accepted, compensating-control, false-positive, scheduled-fix, internal-only, custom), scope preview with tenant/asset/component/global types, timebox guardrails (max 365 days, warnings for >90 days), timebox presets (7/14/30/90 days), auto-renewal config with max renewals, and final review step before creation. Files added: `exception-wizard.component.{ts,html,scss}`. Wizard integrated into Exception Center via modal overlay with "Create Exception" button. | UI Guild |
| 2025-11-26 | UI-EXC-25-001: Implemented Exception Center with list view, kanban board, filters (status/severity/search), sorting, workflow transitions (draft->pending_review->approved/rejected), and audit trail panel. Files added: `src/Web/StellaOps.Web/src/app/features/exceptions/exception-center.component.{ts,html,scss}`, `src/app/core/api/exception.{models,client}.ts`, `src/app/testing/exception-fixtures.ts`. Route registered at `/exceptions`. Mock API service provides deterministic fixtures. Tests pending on clean CI runner. | UI Guild |
| 2025-11-22 | Renamed to `SPRINT_0209_0001_0001_ui_i.md` and normalised to sprint template; no task status changes. | Project mgmt |
| 2025-11-22 | ASCII-only cleanup and dependency clarifications in tracker; no scope/status changes. | Project mgmt |
| 2025-11-22 | Added checkpoints and new actions for entropy evidence and AOC verifier parity; no task status changes. | Project mgmt |
| 2025-11-22 | Synced documentation prerequisites with UI Guild charter (UI guide, coding standards, module README/implementation plan). | Project mgmt |
| 2025-11-22 | Normalised `tasks-all.md` entries for this sprint to ASCII (quotes/arrows/dots). | Project mgmt |
| 2025-11-22 | Deduplicated `tasks-all.md` rows for this sprint (kept first occurrence per Task ID); no status changes. | Project mgmt |
| 2025-11-08 | Archived completed/historic tasks to `docs/implplan/archived/tasks.md`. | Planning |
| 2025-11-22 | Added SDK interlock (SPRINT_0208_0001_0001_sdk) and Action #5 for parity matrix delivery to UI data providers. | Project mgmt |
| 2025-11-27 | UI-AOC-19-001 DONE: Created Sources dashboard with AOC pass/fail tiles, violation codes, ingest throughput. Files: `aoc.models.ts`, `aoc.client.ts`, `sources-dashboard.component.{ts,html,scss}`. Added route at `/dashboard/sources`. | Claude Code |
| 2025-11-27 | UI-SBOM-DET-01 DONE: Created Determinism badge component with expandable details showing Merkle root, fragment hashes, composition metadata, and issues. Files: `determinism.models.ts`, `determinism-badge.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-ENTROPY-40-001 DONE: Created Entropy panel with score ring, layer donut chart, high-entropy files heatmap, and detector hint chips. Files: `entropy.models.ts`, `entropy-panel.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-AOC-19-002 DONE: Created violation drill-down with by-violation/by-document views, field highlighting, provenance metadata, and remediation hints. Extended `aoc.models.ts`, created `violation-drilldown.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-POLICY-DET-01 DONE: Created policy gate indicator with determinism/entropy details, blocking issue display, and remediation steps. Files: `policy.models.ts`, `policy-gate-indicator.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-ENTROPY-40-002 DONE: Created entropy policy banner with threshold visualization, score bar, mitigation steps, and evidence download. Files: `entropy-policy-banner.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-AOC-19-003 DONE: Created verify action component with progress, results display, CLI parity guidance panel. Files: `verify-action.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-EXC-25-001 DONE: Created Exception Center with list/kanban views, filters, sorting, workflow transitions, status chips. Files: `exception.models.ts`, `exception-center.component.{ts,html,scss}`. | Claude Code |
| 2025-11-27 | UI-EXC-25-002 DONE: Created Exception wizard with 5-step flow (type, scope, justification, timebox, review), templates, timebox presets. Files: `exception-wizard.component.{ts,html,scss}`. | Claude Code |
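
Review bot: The log carries two conflicting records for the same tasks, both dated 2025-11-27. The UI Guild row for UI-AOC-19-001/002/003 names `aoc-dashboard.component.{ts,html,scss}` with routes `/sources` and `/sources/violations/:code`, while the Claude Code row for UI-AOC-19-001 names `sources-dashboard.component.{ts,html,scss}` with route `/dashboard/sources`. The same split shows for UI-SBOM-DET-01 (`scanner.models.ts` extended vs a separate `determinism.models.ts`) and UI-ENTROPY-40-001 (`scanner.models.ts` vs `entropy.models.ts`). Keep one row per task that matches the files actually in the tree. Separately, the 2025-12-01 row is inserted between 2025-11-27 rows, it cites `31-Nov-2025 FINDINGS.md` although November has 30 days, and "MI1MI10" reads like a range that lost its separator.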

View File

@@ -27,8 +27,8 @@
| 4 | WEB-AOC-19-002 | DONE (2025-11-30) | Depends on WEB-AOC-19-001; align DSSE/CMS helper APIs. | BE-Base Platform Guild | Ship `ProvenanceBuilder`, checksum utilities, signature verification helper with tests. |
| 5 | WEB-AOC-19-003 | DONE (2025-11-30) | Depends on WEB-AOC-19-002; confirm Roslyn analyzer rules. | QA Guild; BE-Base Platform Guild | Analyzer to prevent forbidden key writes; shared guard-validation fixtures. |
| 6 | WEB-CONSOLE-23-001 | DONE (2025-11-28) | `/console/dashboard` and `/console/filters` endpoints implemented with tenant-scoped aggregates. | BE-Base Platform Guild; Product Analytics Guild | Tenant-scoped aggregates for findings, VEX overrides, advisory deltas, run health, policy change log. |
| 7 | CONSOLE-VULN-29-001 | BLOCKED (2025-11-19) | Blocked on WEB-CONSOLE-23-001 contract and Concelier graph schema freeze. | Console Guild; BE-Base Platform Guild | `/console/vuln/*` workspace endpoints with filters/reachability badges and DTOs once schemas stabilize. |
| 8 | CONSOLE-VEX-30-001 | BLOCKED (2025-11-19) | Blocked on WEB-CONSOLE-23-001 and Excititor console contract (SSE payload validation). | Console Guild; BE-Base Platform Guild | `/console/vex/events` SSE workspace with validated schemas and samples. |
| 7 | CONSOLE-VULN-29-001 | BLOCKED (2025-12-04) | WEB-CONSOLE-23-001 shipped 2025-11-28; still waiting for Concelier graph schema snapshot from the 2025-12-03 freeze review before wiring `/console/vuln/*` endpoints. | Console Guild; BE-Base Platform Guild | `/console/vuln/*` workspace endpoints with filters/reachability badges and DTOs once schemas stabilize. |
| 8 | CONSOLE-VEX-30-001 | BLOCKED (2025-12-04) | Excititor console contract delivered 2025-11-23; remain blocked on VEX Lens spec PLVL0103 + SSE payload validation notes from rescheduled 2025-12-04 alignment. | Console Guild; BE-Base Platform Guild | `/console/vex/events` SSE workspace with validated schemas and samples. |
| 9 | WEB-CONSOLE-23-002 | DOING (2025-12-01) | Implementing frontend polling + SSE proxy; unit tests added. Remaining: wire route + verify against contract once backend snapshot lands. | BE-Base Platform Guild; Scheduler Guild | `/console/status` polling and `/console/runs/{id}/stream` SSE/WebSocket proxy with queue lag metrics. |
| 10 | WEB-CONSOLE-23-003 | TODO | Depends on WEB-CONSOLE-23-002; confirm bundle orchestration flow. | BE-Base Platform Guild; Policy Guild | `/console/exports` POST/GET for evidence bundles, streaming CSV/JSON, checksum manifest, signed attestations. |
| 11 | WEB-CONSOLE-23-004 | TODO | Depends on WEB-CONSOLE-23-003; set caching and tie-break order. | BE-Base Platform Guild | `/console/search` fan-out with deterministic ranking and result caps. |
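
Review bot: On the CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001 rows the Status cell moves from `BLOCKED (2025-11-19)` to `BLOCKED (2025-12-04)`, which overwrites the blocked-since date with the re-review date and hides how long both tasks have been stalled. Keep `BLOCKED (2025-11-19)` in the Status column and record the 2025-12-04 re-review in the reason text, which already names the outstanding inputs (Concelier graph schema snapshot, VEX Lens spec PLVL0103, SSE payload validation notes).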
@@ -54,16 +54,17 @@
- 2025-12-04 (rescheduled): Scheduler/Signals alignment on SSE topics + heartbeat/backoff defaults for WEB-CONSOLE-23-002.
## Action Tracker
- Concelier graph schema freeze outcome + published snapshot (owner: Console Guild; due: 2025-12-02; status: follow-up for missed 2025-11-25 review).
- Excititor SSE payload validation and topic alignment session rebooked (owner: BE-Base Platform; due: 2025-12-04; status: rescheduled from 2025-11-27).
- Concelier graph schema freeze outcome + published snapshot (owner: Console Guild; due: 2025-12-05; status: follow-up after missed 2025-12-03 review; keep CONSOLE-VULN-29-001 blocked until posted to `docs/api/console/workspaces.md`).
- Excititor SSE payload validation and topic alignment session rebooked (owner: BE-Base Platform; due: 2025-12-05; status: awaiting 2025-12-04 notes; required for CONSOLE-VEX-30-001 envelope validation).
- VEX Lens spec PLVL0103 + SSE envelope excerpt for console streams (owner: VEX Lens Guild; due: 2025-12-06; status: new action to unblock CONSOLE-VEX-30-001 and keep samples consistent across `docs/api/console/samples/`).
- Advisory AI gateway policy/contract snapshot for `/advisory/ai/*` routes (owner: BE-Base Platform; due: 2025-12-05; status: new action to unblock WEB-AIAI-31-001/002/003).
- Restore workspace disk/PTY availability so Web console implementation can proceed (owner: DevOps Guild; due: 2025-12-02; status: in progress 2025-12-01).
## Decisions & Risks
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Console contract freeze slips past 2025-11-25 | Blocks CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001, delays console workspaces | Rescheduled review to 2025-12-03; publish schema snapshot to `docs/api/console/workspaces.md`; keep blockers logged | Console Guild | Open (rescheduled 2025-11-30) |
| SSE topic alignment delayed | WEB-CONSOLE-23-002/003/004 latency and reliability uncertain | Rescheduled alignment with Scheduler/Signals to 2025-12-04; add heartbeat/backoff defaults; capture examples in samples directory | BE-Base Platform Guild | Open (rescheduled 2025-11-30) |
| Console contract freeze slips past 2025-11-25 | Blocks CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001, delays console workspaces | 2025-12-03 review missed publishing snapshot; follow-up due 2025-12-05 with schema hash and sample payloads in `docs/api/console/workspaces.md`; keep tasks BLOCKED until posted | Console Guild | Open (2025-12-04 follow-up) |
| SSE topic alignment delayed | WEB-CONSOLE-23-002/003/004 latency and reliability uncertain | Rescheduled alignment with Scheduler/Signals to 2025-12-04; add heartbeat/backoff defaults; capture examples in samples directory | BE-Base Platform Guild | Open (awaiting 2025-12-04 alignment notes) |
| Advisory AI gateway contract missing | WEB-AIAI-31-001/002/003 cannot start without gateway location, RBAC/ABAC rules, and rate-limit policy spec | Request gateway contract snapshot + policy doc; replan once provided | BE-Base Platform Guild | Open |
| Workspace storage exhausted (no PTY/commands) | WEB-CONSOLE-23-002 tests/builds blocked locally; implementation via patches only | Free disk/rotate logs; rerun after capacity restored | DevOps Guild | Open (2025-12-01) |
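
Review bot: The Action Tracker and the risk table disagree on what the Concelier follow-up must deliver. The action item asks for the freeze outcome plus a snapshot posted to `docs/api/console/workspaces.md`, while the mitigation on the "Console contract freeze slips past 2025-11-25" row asks for a schema hash and sample payloads. State the same deliverables in both places so the unblock condition for CONSOLE-VULN-29-001 is unambiguous. The "Restore workspace disk/PTY availability" action also still shows due 2025-12-02 with status "in progress 2025-12-01", while the neighbouring actions are dated 2025-12-05 or later; give it a new due date or close it.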
@@ -71,6 +72,7 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | WEB-CONSOLE-23-002: added trace IDs on status/stream calls, heartbeat + exponential backoff reconnect in console run stream service, and new client/service unit tests. Backend commands still not run locally (disk constraint). | BE-Base Platform Guild |
| 2025-12-04 | Re-reviewed CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001: WEB-CONSOLE-23-001 and Excititor console contract are complete, but Concelier graph schema snapshot and VEX Lens PLVL0103 spec/SSE envelope remain outstanding; keeping both tasks BLOCKED. | Project Mgmt |
| 2025-12-01 | Started WEB-CONSOLE-23-002: added console status client (polling) + SSE run stream, store/service, and UI component; unit specs added. Commands/tests not executed locally due to PTY/disk constraint. | BE-Base Platform Guild |
| 2025-11-07 | Enforced unknown-field detection, added shared `AocError` payload (HTTP + CLI), refreshed guard docs, and extended tests/endpoint helpers. | BE-Base Platform Guild |
| 2025-11-07 | API scaffolding started for console workspace; `docs/advisory-ai/console.md` using placeholder responses while endpoints wire up. | Console Guild |
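
Review bot: The 2025-12-04 row sits below the 2025-12-02 row, while the rest of this log runs newest first (2025-12-02, 2025-12-01, 2025-11-07). Move the 2025-12-04 entry to the top of the table so the latest decision on CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001 is the first row a reader sees.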

View File

@@ -22,7 +22,7 @@
| Task ID | Status | Owner(s) | Dependencies | Notes |
| --- | --- | --- | --- | --- |
| DOCS-UNBLOCK-CLI-KNOBS-301 | DONE (2025-11-25) | CLI Guild · Policy Guild · DevEx Guild | CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001 delivered 2025-11-24. | Packaged fixtures/changelogs consumed by DOCS-AIAI-31-005..009. |
| DOCS-AIAI-31-004 | DONE (2025-12-04) | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 delivered. | Guardrail console guide refreshed with deterministic capture/payload + consolidated hash manifest (`docs/advisory-ai/console-fixtures.sha256`) and verification steps. |
| DOCS-AIAI-31-004 | DONE (2025-12-04) | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 delivered. | Guardrail console guide now renders command-output snapshots (no inline screenshots) backed by deterministic capture/payload + consolidated hash manifest (`docs/advisory-ai/console-fixtures.sha256`) and verification steps. |
| DOCS-AIAI-31-005 | DONE (2025-11-25) | Docs Guild · DevEx/CLI Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001 | CLI guide published with exit codes + offline hashes (`docs/advisory-ai/cli.md`). |
| DOCS-AIAI-31-006 | DONE (2025-11-25) | Docs Guild · Policy Guild | DOCS-AIAI-31-005; POLICY-ENGINE-31-001 | Assistant parameter doc refreshed (`docs/policy/assistant-parameters.md`). |
| DOCS-AIAI-31-008 | DONE (2025-11-25) | Docs Guild · SBOM Service Guild | DOCS-AIAI-31-007; SBOM-AIAI-31-001 | Remediation heuristics documented with fixtures (`docs/sbom/remediation-heuristics.md`). |
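
Review bot: In the DOCS-AIAI-31-004 row the Dependencies cell reads "CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 delivered.", but this same commit keeps CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001 at BLOCKED (2025-12-04) in the web sprint table. Say which of the three dependencies are actually delivered, and if the guide was completed against fixtures rather than live endpoints, record that in the Notes cell so DONE is not read as validated against the console APIs.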
@@ -40,6 +40,8 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | DOCS-AIAI-31-004 reopened to replace screenshot embeds with command-rendered markdown outputs; set task DOING during update. | Docs Guild |
| 2025-12-04 | DOCS-AIAI-31-004 DONE: swapped inline screenshots for command-output snippets; hashes unchanged. | Docs Guild |
| 2025-12-04 | DOCS-AIAI-31-004 DONE: added `docs/advisory-ai/console-fixtures.sha256`, hash table + verification snippet to console guide. | Docs Guild |
| 2025-12-04 | Moved DOCS-AIAI-31-004 to DOING to add hash manifest/table for console fixtures; kept determinism protocol. | Docs Guild |
| 2025-12-04 | Reopened DOCS-AIAI-31-004 to add fixture hash verification and renumber publication section; added `docs/AGENTS.md` for docs working directory; republished doc and kept task at DONE. | Docs Guild |
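
Review bot: The row that reopens DOCS-AIAI-31-004 and sets it to DOING sits above the row that marks the screenshot swap DONE, so in a newest-first log the task reads as reopened after it was closed. All five rows share the date 2025-12-04 with no time, so the DONE/DOING/reopened sequence cannot be reconstructed from the table. Put the final DONE entry first or add a UTC time to each row, and since the DONE row states "hashes unchanged", name `docs/advisory-ai/console-fixtures.sha256` as the manifest that statement refers to.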

View File

@@ -82,7 +82,7 @@
| AIAI-31-001 | DONE | 2025-11-09 | SPRINT_110_ingestion_evidence | Excititor Web/Core Guilds | src/AdvisoryAI/StellaOps.AdvisoryAI | Validate Excititor hand-off replay | Validate Excititor hand-off replay | ADAI0102 |
| AIAI-31-002 | DONE | 2025-11-18 | SPRINT_110_ingestion_evidence | Concelier Core · Concelier WebService Guilds | src/AdvisoryAI/StellaOps.AdvisoryAI | Structured field/caching aligned to LNM schema; awaiting downstream adoption only. | CONCELIER-GRAPH-21-001; CARTO-GRAPH-21-002 | ADAI0102 |
| AIAI-31-003 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Concelier Observability Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | Await observability evidence upload | Await observability evidence upload | ADAI0102 |
| AIAI-31-004 | DONE (2025-11-22) | 2025-11-22 | SPRINT_110_ingestion_evidence | Docs Guild · Console Guild | | Guardrail console doc published with fixtures and screenshots. | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001 | DOAI0101 |
| AIAI-31-004 | DONE (2025-12-04) | 2025-12-04 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Console Guild | docs/advisory-ai | Guardrail console guide refreshed with deterministic captures plus consolidated hash manifest (`docs/advisory-ai/console-fixtures.sha256`) and verification steps. | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 | DOAI0101 |
| AIAI-31-005 | DONE (2025-11-25) | 2025-11-25 | SPRINT_110_ingestion_evidence | Docs Guild | | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | DOAI0101 |
| AIAI-31-006 | DONE | 2025-11-13 | SPRINT_0111_0001_0001_advisoryai | Docs Guild, Policy Guild (docs) | | — | — | DOAI0101 |
| AIAI-31-008 | DONE (2025-11-22) | 2025-11-22 | SPRINT_110_ingestion_evidence | Advisory AI Guild | | Remote inference packaging delivered with on-prem container + manifests. | AIAI-31-006; AIAI-31-007 | DOAI0101 |
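Review bot: the replacement AIAI-31-004 row changes the last dependency from SBOM-AIAI-31-001 to SBOM-AIAI-31-003 with no mention in the row text or in the commit message, which only describes the docs refresh. If the dependency really moved, say so in the notes cell; if it is a typo, restore SBOM-AIAI-31-001. The same row also moves the task from SPRINT_110_ingestion_evidence to SPRINT_0301_0001_0001_docs_md_i and overwrites the 2025-11-22 completion date, so the original delivery is no longer recorded anywhere in this table.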
@@ -479,8 +479,8 @@
| CONSOLE-23-005 | TODO | | SPRINT_0212_0001_0001_web_i | Console Guild | src/Web/StellaOps.Web | Depends on #5 | Depends on #5 | CCSL0101 |
| CONSOLE-OBS-52-001 | TODO | | SPRINT_303_docs_tasks_md_iii | Console Ops Guild | docs/modules/ui | Needs TLTY0101 metrics | Needs TLTY0101 metrics | CCSL0101 |
| CONSOLE-OBS-52-002 | TODO | | SPRINT_303_docs_tasks_md_iii | Console Ops Guild | docs/modules/ui | Depends on #7 | Depends on #7 | CCSL0101 |
| CONSOLE-VEX-30-001 | BLOCKED | 2025-11-19 | SPRINT_0212_0001_0001_web_i | Console Guild · VEX Lens Guild | src/Web/StellaOps.Web | Provide `/console/vex/*` APIs streaming VEX statements, justification summaries, and advisory links with SSE refresh hooks. Dependencies: WEB-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001. | Needs VEX Lens spec (PLVL0103) | CCSL0101 |
| CONSOLE-VULN-29-001 | BLOCKED | 2025-11-19 | SPRINT_0212_0001_0001_web_i | Console Guild | src/Web/StellaOps.Web | Build `/console/vuln/*` APIs and filters surfacing tenant-scoped findings with policy/VEX badges so Docs/UI teams can document workflows. Dependencies: WEB-CONSOLE-23-001, CONCELIER-GRAPH-21-001. | Depends on CCWO0101 | CCSL0101 |
| CONSOLE-VEX-30-001 | BLOCKED (2025-12-04) | 2025-12-04 | SPRINT_0212_0001_0001_web_i | Console Guild · VEX Lens Guild | src/Web/StellaOps.Web | Provide `/console/vex/*` APIs streaming VEX statements, justification summaries, and advisory links with SSE refresh hooks. Dependencies: WEB-CONSOLE-23-001 (done 2025-11-28), EXCITITOR-CONSOLE-23-001 (done 2025-11-23); awaiting VEX Lens spec PLVL0103 and SSE envelope validation from Scheduler/Signals alignment. | Needs VEX Lens spec (PLVL0103) | CCSL0101 |
| CONSOLE-VULN-29-001 | BLOCKED (2025-12-04) | 2025-12-04 | SPRINT_0212_0001_0001_web_i | Console Guild | src/Web/StellaOps.Web | Build `/console/vuln/*` APIs and filters surfacing tenant-scoped findings with policy/VEX badges so Docs/UI teams can document workflows. Dependencies: WEB-CONSOLE-23-001 (done 2025-11-28); waiting on Concelier graph schema snapshot from 2025-12-03 freeze review. | Depends on CCWO0101 | CCSL0101 |
| CONTAINERS-44-001 | DONE | 2025-11-18 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild | src/Web/StellaOps.Web | Wait for DVCP0101 compose template | Wait for DVCP0101 compose template | COWB0101 |
| CONTAINERS-45-001 | DONE | 2025-11-19 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild | src/Web/StellaOps.Web | Depends on #1 | Depends on #1 | COWB0101 |
| CONTAINERS-46-001 | DONE | 2025-11-19 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild | src/Web/StellaOps.Web | Needs RBRE0101 hashes | Needs RBRE0101 hashes | COWB0101 |
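Review bot: the new CONSOLE-VULN-29-001 row drops CONCELIER-GRAPH-21-001 from its "Dependencies:" sentence and replaces it with "waiting on Concelier graph schema snapshot from 2025-12-03 freeze review", while the blocker cell still reads "Depends on CCWO0101". Keep the task id next to the prose so the dependency stays machine-searchable, and update the blocker cell to match the stated reason. The same applies to CONSOLE-VEX-30-001, where the description now adds "SSE envelope validation from Scheduler/Signals alignment" but the blocker cell only lists the VEX Lens spec.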
@@ -641,7 +641,7 @@
| DOCS-0003 | TODO | | SPRINT_327_docs_modules_scanner | Docs Guild, Product Guild (docs/modules/scanner) | docs/modules/scanner | — | — | DOCL0102 |
| DOCS-401-008 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | QA & Docs Guilds (`docs`, `tests/README.md`) | `docs`, `tests/README.md` | — | — | DOCL0102 |
| DOCS-401-022 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Attestor Guild (`docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md`) | `docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md` | — | — | DOCL0102 |
| DOCS-AIAI-31-004 | DONE (2025-11-22) | 2025-11-22 | SPRINT_110_ingestion_evidence | Docs Guild · Console Guild | | Guardrail console doc published with fixtures and screenshots. | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001 | DOAI0102 |
| DOCS-AIAI-31-004 | DONE (2025-12-04) | 2025-12-04 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Console Guild | docs/advisory-ai | Guardrail console guide refreshed with deterministic captures plus consolidated hash manifest (`docs/advisory-ai/console-fixtures.sha256`) and verification steps. | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 | DOAI0102 |
| DOCS-AIAI-31-005 | DONE (2025-11-25) | 2025-11-25 | SPRINT_110_ingestion_evidence | Docs Guild | | CLI/policy/ops docs refreshed with offline hashes and exit codes. | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | DOAI0102 |
| DOCS-AIAI-31-006 | TODO | 2025-11-13 | SPRINT_0111_0001_0001_advisoryai | Docs Guild · Advisory AI Guild | docs/modules/advisory-ai | `/docs/policy/assistant-parameters.md` now documents inference modes, guardrail phrases, budgets, and cache/queue knobs (POLICY-ENGINE-31-001 inputs captured via `AdvisoryAiServiceOptions`). | Need latest telemetry outputs from ADAI0101 | DOAI0104 |
| DOCS-AIAI-31-008 | BLOCKED | 2025-11-18 | SPRINT_0111_0001_0001_advisoryai | Docs Guild · SBOM Service Guild (docs) | docs | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). | SBOM-AIAI-31-001 projection kit/fixtures | DOAI0104 |
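Review bot: moving DOCS-AIAI-31-004 to DONE (2025-12-04) leaves the next row inconsistent: DOCS-AIAI-31-005 is DONE (2025-11-25) and lists DOCS-AIAI-31-004 as a dependency, so it now appears to have completed nine days before the task it depends on. Either keep the original 2025-11-22 completion in the row and record the 2025-12-04 refresh in the notes cell, or add a note on DOCS-AIAI-31-005 that it was delivered against the earlier revision.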
@@ -2107,8 +2107,8 @@
| WEB-AOC-19-005 | TODO | 2025-11-08 | SPRINT_116_concelier_v | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
| WEB-AOC-19-006 | TODO | 2025-11-08 | SPRINT_116_concelier_v | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
| WEB-AOC-19-007 | TODO | 2025-11-08 | SPRINT_116_concelier_v | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
| WEB-CONSOLE-23-001 | TODO | | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Product Analytics Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide consolidated `/console/dashboard` and `/console/filters` APIs returning tenant-scoped aggregates (findings by severity, VEX override counts, advisory deltas, run health, policy change log). Enforce AOC labelling, deterministic ordering, and cursor-based pagination for drill-down hints. | | |
| WEB-CONSOLE-23-002 | TODO | | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Scheduler Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/console/status` polling endpoint and `/console/runs/{id}/stream` SSE/WebSocket proxy with heartbeat/backoff, queue lag metrics, and auth scope enforcement. Surface request IDs + retry headers. Dependencies: WEB-CONSOLE-23-001. | | |
| WEB-CONSOLE-23-001 | DONE (2025-11-28) | 2025-11-28 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild · Product Analytics Guild | src/Web/StellaOps.Web | `/console/dashboard` and `/console/filters` aggregates shipped with tenant scoping, deterministic ordering, and 8 unit tests per sprint Execution Log 2025-11-28. | | |
| WEB-CONSOLE-23-002 | DOING (2025-12-01) | 2025-12-01 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild · Scheduler Guild | src/Web/StellaOps.Web | Implementing `/console/status` polling and `/console/runs/{id}/stream` SSE/WebSocket proxy with heartbeat/backoff; awaiting storage cleanup to run tests. Dependencies: WEB-CONSOLE-23-001. | WEB-CONSOLE-23-001 | |
| WEB-CONSOLE-23-003 | TODO | | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add `/console/exports` POST/GET routes coordinating evidence bundle creation, streaming CSV/JSON exports, checksum manifest retrieval, and signed attestation references. Ensure requests honor tenant + policy scopes and expose job tracking metadata. Dependencies: WEB-CONSOLE-23-002. | | |
| WEB-CONSOLE-23-004 | TODO | | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement `/console/search` endpoint accepting CVE/GHSA/PURL/SBOM identifiers, performing fan-out queries with caching, ranking, and deterministic tie-breaking. Return typed results for Console navigation; respect result caps and latency SLOs. Dependencies: WEB-CONSOLE-23-003. | | |
| WEB-CONSOLE-23-005 | TODO | | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, DevOps Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Serve `/console/downloads` JSON manifest (images, charts, offline bundles) sourced from signed registry metadata; include integrity hashes, release notes links, and offline instructions. Provide caching headers and documentation. Dependencies: WEB-CONSOLE-23-004. | | |
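Review bot: the rewritten WEB-CONSOLE-23-001 and WEB-CONSOLE-23-002 rows replace the requirement text with a status narrative and lose acceptance criteria in the process. The 23-002 row no longer mentions "queue lag metrics, and auth scope enforcement" or "Surface request IDs + retry headers", and the 23-001 row no longer mentions AOC labelling or cursor-based pagination. Since 23-002 is still DOING, keep the original requirement sentence and append the status after it, so the auth scope check stays a tracked deliverable rather than being implied.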
@@ -2297,7 +2297,7 @@
| AIAI-31-001 | DONE | 2025-11-09 | SPRINT_110_ingestion_evidence | Excititor Web/Core Guilds | src/AdvisoryAI/StellaOps.AdvisoryAI | Validate Excititor hand-off replay | Validate Excititor hand-off replay | ADAI0102 |
| AIAI-31-002 | DONE | 2025-11-18 | SPRINT_110_ingestion_evidence | Concelier Core · Concelier WebService Guilds | src/AdvisoryAI/StellaOps.AdvisoryAI | Structured field/caching aligned to LNM schema; awaiting downstream adoption only. | CONCELIER-GRAPH-21-001; CARTO-GRAPH-21-002 | ADAI0102 |
| AIAI-31-003 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Concelier Observability Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | Await observability evidence upload | Await observability evidence upload | ADAI0102 |
| AIAI-31-004 | DONE (2025-11-22) | 2025-11-22 | SPRINT_110_ingestion_evidence | Docs Guild · Console Guild | | Guardrail console doc published with fixtures and screenshots. | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001 | DOAI0101 |
| AIAI-31-004 | DONE (2025-12-04) | 2025-12-04 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Console Guild | docs/advisory-ai | Guardrail console guide refreshed with deterministic captures plus consolidated hash manifest (`docs/advisory-ai/console-fixtures.sha256`) and verification steps. | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 | DOAI0101 |
| AIAI-31-005 | DONE (2025-11-25) | 2025-11-25 | SPRINT_110_ingestion_evidence | Docs Guild | | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | DOAI0101 |
| AIAI-31-006 | DONE | 2025-11-13 | SPRINT_0111_0001_0001_advisoryai | Docs Guild, Policy Guild (docs) | | — | — | DOAI0101 |
| AIAI-31-008 | DONE (2025-11-22) | 2025-11-22 | SPRINT_110_ingestion_evidence | Advisory AI Guild | | Remote inference packaging delivered with on-prem container + manifests. | AIAI-31-006; AIAI-31-007 | DOAI0101 |
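Review bot: this is the same AIAI-31-004 row edit as the hunk at line 82, applied a second time at line 2297 of the same file, which means the task table exists twice in one document and every status change has to be made in both copies. Deduplicate the table, or generate the second copy from the first, before more rows drift apart.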
@@ -2693,8 +2693,8 @@
| CONSOLE-23-005 | TODO | | SPRINT_0212_0001_0001_web_i | Console Guild | src/Web/StellaOps.Web | Depends on #5 | Depends on #5 | CCSL0101 |
| CONSOLE-OBS-52-001 | TODO | | SPRINT_303_docs_tasks_md_iii | Console Ops Guild | docs/modules/ui | Needs TLTY0101 metrics | Needs TLTY0101 metrics | CCSL0101 |
| CONSOLE-OBS-52-002 | TODO | | SPRINT_303_docs_tasks_md_iii | Console Ops Guild | docs/modules/ui | Depends on #7 | Depends on #7 | CCSL0101 |
| CONSOLE-VEX-30-001 | BLOCKED | 2025-11-19 | SPRINT_0212_0001_0001_web_i | Console Guild · VEX Lens Guild | src/Web/StellaOps.Web | Provide `/console/vex/*` APIs streaming VEX statements, justification summaries, and advisory links with SSE refresh hooks. Dependencies: WEB-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001. | Needs VEX Lens spec (PLVL0103) | CCSL0101 |
| CONSOLE-VULN-29-001 | BLOCKED | 2025-11-19 | SPRINT_0212_0001_0001_web_i | Console Guild | src/Web/StellaOps.Web | Build `/console/vuln/*` APIs and filters surfacing tenant-scoped findings with policy/VEX badges so Docs/UI teams can document workflows. Dependencies: WEB-CONSOLE-23-001, CONCELIER-GRAPH-21-001. | Depends on CCWO0101 | CCSL0101 |
| CONSOLE-VEX-30-001 | BLOCKED (2025-12-04) | 2025-12-04 | SPRINT_0212_0001_0001_web_i | Console Guild · VEX Lens Guild | src/Web/StellaOps.Web | Provide `/console/vex/*` APIs streaming VEX statements, justification summaries, and advisory links with SSE refresh hooks. Dependencies: WEB-CONSOLE-23-001 (done 2025-11-28), EXCITITOR-CONSOLE-23-001 (done 2025-11-23); awaiting VEX Lens spec PLVL0103 and SSE envelope validation from Scheduler/Signals alignment. | Needs VEX Lens spec (PLVL0103) | CCSL0101 |
| CONSOLE-VULN-29-001 | BLOCKED (2025-12-04) | 2025-12-04 | SPRINT_0212_0001_0001_web_i | Console Guild | src/Web/StellaOps.Web | Build `/console/vuln/*` APIs and filters surfacing tenant-scoped findings with policy/VEX badges so Docs/UI teams can document workflows. Dependencies: WEB-CONSOLE-23-001 (done 2025-11-28); waiting on Concelier graph schema snapshot from 2025-12-03 freeze review. | Depends on CCWO0101 | CCSL0101 |
| CONTAINERS-44-001 | DONE | 2025-11-18 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild | src/Web/StellaOps.Web | Wait for DVCP0101 compose template | Wait for DVCP0101 compose template | COWB0101 |
| CONTAINERS-45-001 | DONE | 2025-11-19 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild | src/Web/StellaOps.Web | Depends on #1 | Depends on #1 | COWB0101 |
| CONTAINERS-46-001 | DONE | 2025-11-19 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild | src/Web/StellaOps.Web | Needs RBRE0101 hashes | Needs RBRE0101 hashes | COWB0101 |
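Review bot: the two BLOCKED rows now carry the date in both the status cell ("BLOCKED (2025-12-04)") and the date cell ("2025-12-04"), replacing the earlier 2025-11-19. That erases the date the tasks first became blocked, which is the figure needed to see how long they have been stuck. Keep 2025-11-19 in the date cell and use the parenthesised date only for the last review, or state in the notes cell "blocked since 2025-11-19, re-checked 2025-12-04".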
@@ -2854,7 +2854,7 @@
| DOCS-0003 | TODO | | SPRINT_327_docs_modules_scanner | Docs Guild, Product Guild (docs/modules/scanner) | docs/modules/scanner | — | — | DOCL0102 |
| DOCS-401-008 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | QA & Docs Guilds (`docs`, `tests/README.md`) | `docs`, `tests/README.md` | — | — | DOCL0102 |
| DOCS-401-022 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild · Attestor Guild (`docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md`) | `docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md` | — | — | DOCL0102 |
| DOCS-AIAI-31-004 | DONE (2025-11-22) | 2025-11-22 | SPRINT_110_ingestion_evidence | Docs Guild · Console Guild | | Guardrail console doc published with fixtures and screenshots. | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001 | DOAI0102 |
| DOCS-AIAI-31-004 | DONE (2025-12-04) | 2025-12-04 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Console Guild | docs/advisory-ai | Guardrail console guide refreshed with deterministic captures plus consolidated hash manifest (`docs/advisory-ai/console-fixtures.sha256`) and verification steps. | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 | DOAI0102 |
| DOCS-AIAI-31-005 | DONE (2025-11-25) | 2025-11-25 | SPRINT_110_ingestion_evidence | Docs Guild | | CLI/policy/ops docs refreshed with offline hashes and exit codes. | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | DOAI0102 |
| DOCS-AIAI-31-006 | TODO | 2025-11-13 | SPRINT_0111_0001_0001_advisoryai | Docs Guild · Advisory AI Guild | docs/modules/advisory-ai | `/docs/policy/assistant-parameters.md` now documents inference modes, guardrail phrases, budgets, and cache/queue knobs (POLICY-ENGINE-31-001 inputs captured via `AdvisoryAiServiceOptions`). | Need latest telemetry outputs from ADAI0101 | DOAI0104 |
| DOCS-AIAI-31-008 | BLOCKED | 2025-11-18 | SPRINT_0111_0001_0001_advisoryai | Docs Guild · SBOM Service Guild (docs) | docs | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). | SBOM-AIAI-31-001 projection kit/fixtures | DOAI0104 |
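Review bot: the unchanged DOCS-AIAI-31-008 row directly below the edit still reads BLOCKED (2025-11-18) with "Publish `/docs/sbom/remediation-heuristics.md`", while the sprint file touched in the same commit lists DOCS-AIAI-31-008 as DONE (2025-11-25) with that document delivered. Since this commit is already reconciling DOCS-AIAI-31-004 across both files, bring this row in line as well or note why the two trackers differ.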
@@ -4284,8 +4284,8 @@
| WEB-AOC-19-005 | TODO | 2025-11-08 | SPRINT_116_concelier_v | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
| WEB-AOC-19-006 | TODO | 2025-11-08 | SPRINT_116_concelier_v | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
| WEB-AOC-19-007 | TODO | 2025-11-08 | SPRINT_116_concelier_v | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
| WEB-CONSOLE-23-001 | TODO | | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Product Analytics Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide consolidated `/console/dashboard` and `/console/filters` APIs returning tenant-scoped aggregates (findings by severity, VEX override counts, advisory deltas, run health, policy change log). Enforce AOC labelling, deterministic ordering, and cursor-based pagination for drill-down hints. | | |
| WEB-CONSOLE-23-002 | TODO | | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Scheduler Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/console/status` polling endpoint and `/console/runs/{id}/stream` SSE/WebSocket proxy with heartbeat/backoff, queue lag metrics, and auth scope enforcement. Surface request IDs + retry headers. Dependencies: WEB-CONSOLE-23-001. | | |
| WEB-CONSOLE-23-001 | DONE (2025-11-28) | 2025-11-28 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild · Product Analytics Guild | src/Web/StellaOps.Web | `/console/dashboard` and `/console/filters` aggregates shipped with tenant scoping, deterministic ordering, and 8 unit tests per sprint Execution Log 2025-11-28. | | |
| WEB-CONSOLE-23-002 | DOING (2025-12-01) | 2025-12-01 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild · Scheduler Guild | src/Web/StellaOps.Web | Implementing `/console/status` polling and `/console/runs/{id}/stream` SSE/WebSocket proxy with heartbeat/backoff; awaiting storage cleanup to run tests. Dependencies: WEB-CONSOLE-23-001. | WEB-CONSOLE-23-001 | |
| WEB-CONSOLE-23-003 | TODO | | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add `/console/exports` POST/GET routes coordinating evidence bundle creation, streaming CSV/JSON exports, checksum manifest retrieval, and signed attestation references. Ensure requests honor tenant + policy scopes and expose job tracking metadata. Dependencies: WEB-CONSOLE-23-002. | | |
| WEB-CONSOLE-23-004 | TODO | | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement `/console/search` endpoint accepting CVE/GHSA/PURL/SBOM identifiers, performing fan-out queries with caching, ranking, and deterministic tie-breaking. Return typed results for Console navigation; respect result caps and latency SLOs. Dependencies: WEB-CONSOLE-23-003. | | |
| WEB-CONSOLE-23-005 | TODO | | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, DevOps Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Serve `/console/downloads` JSON manifest (images, charts, offline bundles) sourced from signed registry metadata; include integrity hashes, release notes links, and offline instructions. Provide caching headers and documentation. Dependencies: WEB-CONSOLE-23-004. | | |
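Review bot: the owner cell format changes only on the two edited rows, from "BE-Base Platform Guild, Scheduler Guild (src/Web/StellaOps.Web)" to "BE-Base Platform Guild · Scheduler Guild", while WEB-CONSOLE-23-003 through 23-005 keep the comma and path form. WEB-CONSOLE-23-002 also now fills the dependency cell with WEB-CONSOLE-23-001, but its neighbours still state dependencies only inside the description. Pick one convention for both cells and apply it to the whole WEB-CONSOLE-23-* block so the table can be filtered reliably. The 23-002 row also says "awaiting storage cleanup to run tests"; name the blocking task or owner for that cleanup.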