feat(graph): introduce graph.inspect.v1 contract and schema for SBOM relationships

- Added graph.inspect.v1 documentation outlining payload structure and determinism rules.
- Created JSON schema for graph.inspect.v1 to enforce payload validation.
- Defined mapping rules for graph relationships, advisories, and VEX statements.

feat(notifications): establish remediation blueprint for gaps NR1-NR10

- Documented requirements, evidence, and tests for Notifier runtime.
- Specified deliverables and next steps for addressing identified gaps.

docs(notifications): organize operations and schemas documentation

- Created README files for operations, schemas, and security notes to clarify deliverables and policies.

feat(advisory): implement PostgreSQL caching for Link-Not-Merge linksets

- Created database schema for advisory linkset cache.
- Developed repository for managing advisory linkset cache operations.
- Added tests to ensure correct functionality of the AdvisoryLinksetCacheRepository.
StellaOps Bot
2025-12-04 09:36:59 +02:00
parent 4dc7cf834a
commit 600f3a7a3c
37 changed files with 1326 additions and 272 deletions

View File

@@ -3,34 +3,37 @@
Scope: Evidence Bundle v1 produced by Evidence Locker and consumed by Concelier, Excititor, Export Center, CLI, and Policy Engine.
## Predicates & subjects
- **Subject**: OCI manifest digest (`sha256:<digest>`) of the bundle, plus optional replay pack digest.
- **Subject (mandatory):** Merkle root derived from `checksums.txt` (sha256 of the sorted file) for the sealed bundle. OCI digest of the tarball remains recorded as `bundle_oci_digest` inside the predicate for registry mirroring but is not the DSSE subject.
- **Predicates (DSSE/In-Toto)**
- `stellaops.evidence.bundle.v1`: declares bundle layout (manifests, CAS paths, replay log offsets).
- `stellaops.evidence.transparency.v1`: optional Rekor log inclusion proof (UUID, log index, root hash at inclusion).
- `stellaops.evidence.integrity.v1`: hashes for each payload (SBOMs, VEX, policy packs, telemetry snapshots), keyed by logical path.
- `stellaops.evidence.bundle.v1`: declares bundle layout (manifests, CAS paths, replay log offsets, Merkle recipe, chunking strategy).
- `stellaops.evidence.transparency.v1`: Rekor/log inclusion proof (UUID, log index, root hash at inclusion). Required when network-permitted; when offline, include `reason="offline"` and omit log pointers.
- `stellaops.evidence.integrity.v1`: hashes for each payload (SBOMs, VEX, policy packs, telemetry snapshots), keyed by canonical path; must match entries in `bundle.manifest.schema.json`.
## Required claim set
- `bundle_id` (UUID v4)
- `produced_at` (UTC ISO-8601)
- `producer` (`evidence-locker:<region>`)
- `subject_digest` (OCI digest string)
- `hashes` (map: logical path → sha256)
- `subject_merkle_root` (sha256 from checksums.txt)
- `hashes` (map: canonicalPath → sha256) sorted lexicographically
- `sbom` (array of SPDX/CycloneDX digests and mediaTypes)
- `vex` (array of VEX doc digests and schema versions)
- `replay_manifest` (optional; digest + sequence number)
- `transparency` (optional; Rekor UUID, logIndex, rootHash)
- `replay_manifest` (optional; digest + sequence number, ledger URI, dsseEnvelope)
- `transparency` (optional; Rekor UUID, logIndex, rootHash, inclusionProof) or `reason="offline"`
- `signing_profile` (`sovereign-default` | `fips` | `gost` | `pq-experimental`)
## Bundling & signing rules
- DSSE envelope using the modules configured crypto provider; keys must be short-lived (<24h) and recorded in provider registry.
- Hash list and subject digest MUST match the on-disk CAS objects; deterministic sort by logical path.
- Rekor entry is optional; when absent, set `transparency=null` and add `transparency_reason="offline"` to provenance note.
- DSSE envelope is **mandatory** for every sealed bundle using the configured `ICryptoProviderRegistry` profile; keys must be short-lived (<24h) and recorded in provider registry.
- Subject = sha256(Merkle root) from `checksums.txt`; verifier must recompute to match.
- Hash list must match `bundle.manifest.schema.json` (entries + optional `hashSummary`), sorted by `canonicalPath`.
- Rekor/logging policy:
- If outbound log is allowed, submit to configured log and embed UUID/logIndex/rootHash in `transparency`.
- If outbound log is disallowed/offline, set `transparency` to null and include `reason="offline"` plus `log_policy="skip"` inside the predicate.
## Verification plan
- Verify DSSE signature against provider registry (per profile) and check key expiry.
- Recompute sha256 for every CAS object; fail if any mismatch.
- If `transparency` present, verify inclusion proof against bundled Rekor root; fail closed on mismatch.
- Emit verification report JSON and store beside bundle as `verify.json` (deterministic key order).
- Recompute sha256 for every manifest entry and the Merkle root; fail if subject differs.
- If `transparency` present, verify inclusion proof against bundled Rekor root; fail closed on mismatch. If absent, require `reason="offline"` and `log_policy="skip"`.
- Emit verification report JSON (deterministic key order) and store beside bundle as `verify.json`.
## Fixtures
- Sample bundle + report: `docs/samples/evidence-locker/bundle-v1-sample.tar.gz` (sha256 TBD at publish time).
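Review bot: the DSSE subject recipe is stated three different ways in this hunk, and the verifier step `- Recompute sha256 for every manifest entry and the Merkle root; fail if subject differs.` only interoperates if exactly one is normative. `- **Subject (mandatory):** Merkle root derived from `checksums.txt` (sha256 of the sorted file)` and the `subject_merkle_root (sha256 from checksums.txt)` claim make the subject sha256 over the `checksums.txt` bytes, whereas `- Subject = sha256(Merkle root) from `checksums.txt`; verifier must recompute to match.` reads as a second hash over that value. Pick one, and since the recipe as written is a flat hash of a sorted list rather than a tree, either build an actual Merkle tree over the entries (and document leaf/node hashing) or stop calling it a Merkle root. Two smaller points: `keys must be short-lived (<24h)` together with `check key expiry` in the verification plan means any bundle verified offline more than a day after sealing fails; state that expiry is evaluated against `produced_at` (or the Rekor integrated time when `transparency` is present), not against verification time. And the offline marker here is `reason="offline"` plus `log_policy="skip"`, while the incident-mode hunk in this same commit enumerates `log_policy` as `submit` | `skip-offline`; align the enum before it is frozen in `bundle.manifest.schema.json`.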

View File

@@ -38,7 +38,7 @@ The endpoint reuses `EvidenceBundlePackagingService` and caches the packaged obj
## Verification guidance
Upcoming EB1EB10 remediation (Sprint 0161; advisory `docs/product-advisories/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`):
Upcoming EB1EB10 remediation (Sprint 0161; advisory `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`):
- Publish `bundle.manifest.schema.json` and `checksums.schema.json` with canonical JSON rules and signatures.
- Document the Merkle hash recipe and DSSE predicate/log policy.
- Ship an offline verifier script and golden bundles/replay fixtures to prove determinism.
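Review bot: the updated pointer resolves into `docs/product-advisories/archived/27-Nov-2025-superseded/...`, but the sentence still opens with `Upcoming EB1EB10 remediation`. If the advisory has been superseded, the verification guidance should reference the superseding document (or the Sprint 0161 plan) rather than an archived one, otherwise readers are sent to a file the repo has explicitly retired. Also `EB1EB10` lacks its range separator in both the old and the new line; write `EB1-EB10`, matching the `NR1-NR10` style used in the commit message.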
@@ -61,6 +61,13 @@ Use the resulting root as the DSSE subject and store `checksums.txt` inside the
These steps match the offline procedure described in `docs/forensics/evidence-locker.md` (Portable Evidence section). Update that guide whenever packaging fields change.
### Merkle + CAS rules (EB3/EB6)
- **Canonical inventory:** `checksums.txt` MUST be generated from the manifest entries sorted lexicographically by `canonicalPath`.
- **Subject binding:** DSSE subject is `sha256(checksums.txt)` (Merkle root); OCI digest of `bundle.tgz` is secondary metadata only.
- **Chunking strategy:** Default `strategy=none`. When chunked CAS storage is enabled, record `chunking.strategy`, `chunkSizeBytes`, and `casDigestAlgorithm` in `checksums.schema.json`; chunk hashes are folded deterministically (fixed-size or buzhash) before the per-entry sha256 is calculated.
- **Compression invariants:** tar → gzip with pinned mtime (`2025-01-01T00:00:00Z`), `0644` perms, uid/gid `0:0`, UTF-8 headers; failing these invalidates fixtures.
- **Stable tooling:** CI must pin `tar`, `gzip`, and hashing tool versions; regenerate golden fixtures only when these pins change and record the versions in `tests/EvidenceLocker/Bundles/Golden/expected.json`.
## Portable bundle (`portable-bundle-v1.tgz`)
When sealed or air-gapped environments need a redacted evidence artifact, request:
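Review bot: the `- **Compression invariants:**` line is not sufficient for byte-identical fixtures. Pinning mtime, `0644` perms and uid/gid `0:0` covers tar entry headers, but not (a) tar entry order, which must be the same sorted `canonicalPath` order used for `checksums.txt`, (b) the uname/gname fields, which must be emptied rather than merely numeric, and (c) the gzip header, which carries its own mtime and original-filename fields (`gzip -n` or the equivalent library option). Without these, two runners with identically pinned `tar`/`gzip` versions can still emit different `bundle.tgz` bytes, and the `expected.json` golden would flap. Separately, `chunk hashes are folded deterministically (fixed-size or buzhash)` names two chunking strategies but not the fold: state whether the per-entry sha256 is taken over the concatenated chunk digests in order, and for buzhash record the window size and boundary mask in `checksums.schema.json`, since a verifier cannot reproduce content-defined chunking from `chunkSizeBytes` alone.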

View File

@@ -8,6 +8,7 @@ Incident mode is a service-wide switch that increases forensic fidelity when Ste
2. **Debug artefacts.** Snapshot requests emit an `incident/request-*.json` payload into the object store. The payload captures the normalized request metadata/materials plus the incident stamp so offline replay tooling has everything it needs. The manifest surfaces the artefact under the `incident/` section and packaging streams it alongside the canonical bundle files.
3. **Manifest metadata.** Bundles carry `incident.mode`, `incident.changedAt`, and `incident.retentionExtensionDays` metadata so verifiers and auditors can see exactly when the mode toggled and how long retention was extended.
4. **Operational signals.** Activation/deactivation events are published to the Timeline Indexer (and, via the notifier stub, to the future Notify integration). The `IEvidenceTimelinePublisher` now emits `evidence.incident.mode` with `state` and retention attributes, giving Ops a canonical audit trail.
5. **Signed activation/exit (EB7).** Incident toggles MUST be recorded inside the bundle manifest (`incident` block) and in the DSSE predicate with signer identity and timestamp. Offline environments must still include the activation record even when no Rekor entry is possible; when online, include transparency log pointers alongside the incident record.
Configuration lives under `EvidenceLocker:Incident`:
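Review bot: the new EB7 item requires the manifest `incident` block to carry signer identity and timestamp, but item 3 of this same list says bundles carry `incident.mode`, `incident.changedAt`, and `incident.retentionExtensionDays`, while the recording rules added at the end of this file define `incident.activatedAt`, `incident.activatedBy`, `incident.reason`, `incident.deactivatedAt`, `incident.deactivatedBy`. That is two different field sets for one manifest block. Either update item 3 to the EB7 names or state in the recording rules that `mode`/`changedAt`/`retentionExtensionDays` remain alongside them, so that `bundle.manifest.schema.json` lists exactly one shape.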
@@ -22,3 +23,8 @@ Configuration lives under `EvidenceLocker:Incident`:
```
`IncidentModeManager` watches the options and raises events whenever the state flips. Tests cover retention math, timeline/notifier fan-out, and the new debug artefact path.
## Recording rules (EB7)
- Manifest fields (see `bundle.manifest.schema.json`): `incident.activatedAt`, `incident.activatedBy`, `incident.reason`, and optional `incident.deactivatedAt`, `incident.deactivatedBy`.
- DSSE predicate: include `incident` block mirroring the manifest plus `signer` (provider/keyid) and `log_policy` (`submit` | `skip-offline`).
- CLI/API: activation/deactivation commands must require a reason string and emit a signed record even when the state is unchanged (idempotent write with identical payload hash).
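Review bot: `emit a signed record even when the state is unchanged (idempotent write with identical payload hash)` conflicts with the requirement two lines up to include signer identity and a timestamp in the record: a repeated activation call made later carries a different timestamp (and possibly a different key id, given the <24h key lifetime), so its payload hash cannot be identical. Either define the idempotency key over the stable fields only (`incident.activatedAt`, `incident.activatedBy`, `incident.reason`, state) and let signature and timestamp vary, or drop the "identical payload hash" wording and require the repeated record to reference the original activation. Also `log_policy` is enumerated here as `submit` | `skip-offline`, but the bundle contract changed in this same commit writes `log_policy="skip"` next to `reason="offline"`; one spelling should win before both reach the schema.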

View File

@@ -1,21 +1,24 @@
# Replay Payload Contract (Prep for PREP-EVID-REPLAY-187-001)
Status: **Ready for implementation** (2025-11-20)
Status: **Ready for implementation** (2025-12-04 refresh for EB5)
Owners: Evidence Locker Guild · Scanner Guild
Scope: Define deterministic scanner record payload shape required to ingest replay bundles (Sprint 0187).
Scope: Define deterministic scanner record payload shape required to ingest replay bundles (Sprint 0187) and to link replay provenance into bundle manifests and attestations (EB5).
## Payload shape
- NDJSON per record; sorted by `recordedAtUtc` then `scanId`.
- NDJSON per record; sorted by `recordedAtUtc` then `scanId` (stable ordering required by `docs/replay/DETERMINISTIC_REPLAY.md`).
- Fields:
- `scanId` (GUID), `tenantId`, `subjectDigest` (sha256:...), `scanKind` (sbom|vuln|policy),
- `startedAtUtc`, `completedAtUtc` (ISO-8601),
- `startedAtUtc`, `completedAtUtc`, `recordedAtUtc` (ISO-8601, UTC),
- `artifacts`: array of `{ type: sbom|vex|log, digest, uri }`,
- `provenance`: `{ dsseEnvelope, transparencyLog? }` (base64 DSSE; optional Rekor entry),
- `summary`: `{ findings: int, advisories: int, policies: int }`.
- Determinism: no wall-clock except the recorded timestamps above; DSSE envelope copied verbatim from scanner output.
- Replay provenance (new, EB5):
- Evidence Locker records `replayProvenance` in the bundle manifest with `recordDigest`, optional `sequence`, `ledgerUri`, `dsseEnvelope`, and optional `transparencyLog { rekorUuid, logIndex, inclusionProof }`.
- The `recordDigest` is the sha256 of the canonical NDJSON content (as ingested) and becomes part of `hashSummary` in the manifest and the DSSE predicate.
- Determinism: no wall-clock except the recorded timestamps above; DSSE envelope copied verbatim from scanner output; NDJSON must be UTF-8, LF line endings, and canonical key ordering per record.
## Acceptance criteria
- Scanner Guild provides sample NDJSON (10 records) with DSSE envelope redacted allowed.
- Evidence Locker can ingest and store bundle with deterministic ordering and hash (SHA256) across runs.
- Contract published here and referenced in Sprint 0187 P1/P2/P3.
- Evidence Locker can ingest and store bundle with deterministic ordering and hash (SHA256) across runs; recomputes `recordDigest` to bind replayProvenance.
- Contract published here and referenced in Sprint 0187 P1/P2/P3 and manifests/attestations per EB5.
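Review bot: `recordDigest` is defined as `the sha256 of the canonical NDJSON content (as ingested)`, which names two different byte strings whenever the scanner output is not already canonical. The determinism line makes UTF-8, LF endings and canonical key ordering a requirement, so state whether Evidence Locker rejects non-canonical input or canonicalizes first and hashes the result; otherwise two ingestions of the same scan can bind different digests into `hashSummary` and the DSSE predicate. Two further determinism gaps in the field list: `sorted by recordedAtUtc then scanId` needs the comparison defined (ISO-8601 strings sort correctly only when all share UTC and the same fractional-second precision; GUIDs need a single case and ordinal comparison), and `canonical key ordering per record` should name the rule (JCS/RFC 8785 or a plain codepoint sort) because implementations differ on nested objects and string escaping. Finally, `sample NDJSON (10 records) with DSSE envelope redacted allowed` means the golden fixture cannot exercise `recordDigest` unless redaction is itself deterministic; specify that a redacted `dsseEnvelope` is replaced by a fixed placeholder value rather than removed or truncated.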