feat: Add Scanner CI runner and related artifacts

- Implemented `run-scanner-ci.sh` to build and run tests for the Scanner solution with a warmed NuGet cache.
- Created `excititor-vex-traces.json` dashboard for monitoring Excititor VEX observations.
- Added Docker Compose configuration for the OTLP span sink in `docker-compose.spansink.yml`.
- Configured OpenTelemetry collector in `otel-spansink.yaml` to receive and process traces.
- Developed `run-spansink.sh` script to run the OTLP span sink for Excititor traces.
- Introduced `FileSystemRiskBundleObjectStore` for storing risk bundle artifacts in the filesystem.
- Built `RiskBundleBuilder` for creating risk bundles with associated metadata and providers.
- Established `RiskBundleJob` to execute the risk bundle creation and storage process.
- Defined models for risk bundle inputs, entries, and manifests in `RiskBundleModels.cs`.
- Implemented signing functionality for risk bundle manifests with `HmacRiskBundleManifestSigner`.
- Created unit tests for `RiskBundleBuilder`, `RiskBundleJob`, and signing functionality to ensure correctness.
- Added filesystem artifact reader tests to validate manifest parsing and artifact listing.
- Included test manifests for egress scenarios in the task runner tests.
- Developed timeline query service tests to verify tenant and event ID handling.

docs/modules/attestor/AGENTS.md

@@ -8,6 +8,7 @@ Attestor moves signed evidence through the trust chain by accepting DSSE bundles
 - [Architecture](./architecture.md)
 - [Implementation plan](./implementation_plan.md)
 - [Task board](./TASKS.md)
+- [Observability runbook](./operations/observability.md) (offline import friendly)
 
 ## How to get started
 1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module.

docs/modules/attestor/architecture.md

@@ -477,11 +477,11 @@ sequenceDiagram
 
 ---
 
-## 11) Failure modes & responses
-
-| Condition                             | Return                  | Details                                                   |          |              |
-| ------------------------------------- | ----------------------- | --------------------------------------------------------- | -------- | ------------ |
-| mTLS/OpTok invalid                    | `401 invalid_token`     | Include `WWW-Authenticate` DPoP challenge when applicable |          |              |
+## 11) Failure modes & responses
+
+| Condition                             | Return                  | Details                                                   |          |              |
+| ------------------------------------- | ----------------------- | --------------------------------------------------------- | -------- | ------------ |
+| mTLS/OpTok invalid                    | `401 invalid_token`     | Include `WWW-Authenticate` DPoP challenge when applicable |          |              |
 | Bundle not signed by trusted identity | `403 chain_untrusted`   | DSSE accepted only from Signer identities                 |          |              |
 | Duplicate bundle                      | `409 duplicate_bundle`  | Return existing `uuid` (idempotent)                       |          |              |
 | Rekor unreachable/timeout             | `502 rekor_unavailable` | Retry with backoff; surface `Retry-After`                 |          |              |
@@ -529,5 +529,14 @@ sequenceDiagram
 
 * **Dual‑log** write (primary + mirror) and **cross‑log proof** packaging.
 * **Cloud endorsement**: send `{uuid, artifactSha256}` to Stella Ops cloud; store returned endorsement id for marketing/chain‑of‑custody.
-* **Checkpoint pinning**: periodically pin latest Rekor checkpoints to an external audit store for independent monitoring.
+* **Checkpoint pinning**: periodically pin latest Rekor checkpoints to an external audit store for independent monitoring.
+
+---
+
+## 16) Observability (stub)
+
+- Runbook + dashboard placeholder for offline import: `operations/observability.md`, `operations/dashboards/attestor-observability.json`.
+- Metrics to surface: signing latency p95/p99, verification failure rate, transparency log submission lag, key rotation age, queue backlog, attestation bundle size histogram.
+- Health endpoints: `/health/liveness`, `/health/readiness`, `/status`; verification probe `/api/attestations/verify` once demo bundle is available (see runbook).
+- Alert hints: signing latency > 1s p99, verification failure spikes, tlog submission lag >10s, key rotation age over policy threshold, backlog above configured threshold.
 

docs/modules/attestor/implementation_plan.md

@@ -67,11 +67,16 @@
 - **Performance:** throughput benchmarks, cache hit-rate monitoring, large batch verification.
 - **Chaos:** inject Rekor outages, network failures, corrupt bundles; ensure graceful degradation and auditable alerts.
 
-## Definition of done
-- Phased milestones delivered with telemetry, documentation, and runbooks in place.
-- CLI/Console parity verified; Offline Kit procedures validated in sealed environment.
-- Cross-module dependencies acknowledged in ./TASKS.md and ../../TASKS.md.
-- Documentation set refreshed (overview, architecture, key management, transparency, CLI/UI) with imposed rule statement.
+## Definition of done
+- Phased milestones delivered with telemetry, documentation, and runbooks in place.
+- CLI/Console parity verified; Offline Kit procedures validated in sealed environment.
+- Cross-module dependencies acknowledged in ./TASKS.md and ../../TASKS.md.
+- Documentation set refreshed (overview, architecture, key management, transparency, CLI/UI) with imposed rule statement.
+
+## Sprint alignment (2025-11-30)
+- Docs sprint: `docs/implplan/SPRINT_0313_0001_0001_docs_modules_attestor.md`; statuses mirrored in `docs/modules/attestor/TASKS.md`.
+- Observability evidence stub lives in `operations/observability.md` with Grafana placeholder under `operations/dashboards/`; finalize after next demo outputs.
+- ATTESTOR-OPS-0001 remains BLOCKED until next demo provides observability data; update sprint/TASKS when available.
 
 ---