Add integration tests for migration categories and execution

- Implemented MigrationCategoryTests to validate migration categorization for startup, release, seed, and data migrations. - Added tests for edge cases, including null, empty, and whitespace migration names. - Created StartupMigrationHostTests to verify the behavior of the migration host with real PostgreSQL instances using Testcontainers. - Included tests for migration execution, schema creation, and handling of pending release migrations. - Added SQL migration files for testing: creating a test table, adding a column, a release migration, and seeding data.
2025-12-04 19:10:54 +02:00
parent 600f3a7a3c
commit 75f6942769
301 changed files with 32810 additions and 1128 deletions
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -4,7 +4,23 @@
      "Bash(dotnet build:*)",
      "Bash(dotnet restore:*)",
      "Bash(chmod:*)",
-      "Bash(cat:*)"
+      "Bash(cat:*)",
      "Bash(dotnet nuget:*)",
      "Bash(cd /mnt/c/dev/New\\ folder/git.stella-ops.org && python3:*)",
      "Bash(cd:*)",
      "Bash(grep:*)",
      "Bash(src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs )",
      "Bash(src/Cli/StellaOps.Cli/Configuration/CliProfile.cs )",
      "Bash(src/Cli/StellaOps.Cli/Configuration/GlobalOptions.cs )",
      "Bash(src/Cli/StellaOps.Cli/Output/CliError.cs )",
      "Bash(src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs )",
      "Bash(src/Cli/StellaOps.Cli/Services/OrchestratorClient.cs )",
      "Bash(src/Cli/StellaOps.Cli/Services/PromotionAssembler.cs )",
      "Bash(src/Cli/StellaOps.Cli/Services/VexObservationsClient.cs )",
      "Bash(src/Cli/StellaOps.Cli/Telemetry/TraceparentHttpMessageHandler.cs)",
      "Bash(python3:*)",
      "Bash(dotnet list:*)",
      "WebSearch"
    ],
    "deny": [],
    "ask": []
--- a/NuGet.config
+++ b/NuGet.config
@@ -3,9 +3,17 @@
  <packageSources>
    <clear />
    <add key="local" value="local-nugets" />
-    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
+    <add key="ablera-mirror" value="https://mirrors.ablera.dev/nuget/nuget-mirror/v3/index.json" />
  </packageSources>
  <config>
    <add key="globalPackagesFolder" value="local-nugets/packages" />
  </config>
  <packageSourceMapping>
    <packageSource key="local">
      <package pattern="*" />
    </packageSource>
    <packageSource key="ablera-mirror">
      <package pattern="*" />
    </packageSource>
  </packageSourceMapping>
 </configuration>
--- a/docs/07_HIGH_LEVEL_ARCHITECTURE.md
+++ b/docs/07_HIGH_LEVEL_ARCHITECTURE.md
@@ -54,7 +54,8 @@
 * **Fulcio** (Sigstore CA) — issues short‑lived signing certs (keyless).
 * **Rekor v2** (tile‑backed transparency log).
 * **RustFS** — offline-first object store with deterministic REST API (S3/MinIO fallback available for legacy installs).
-* **MongoDB** — catalog, advisories, VEX, scheduler, notify.
+* **PostgreSQL** (≥15) — control-plane storage with per-module schema isolation (auth, vuln, vex, scheduler, notify, policy). See [Database Architecture](#database-architecture-postgresql).
 * **MongoDB** (≥7) — legacy catalog support; being phased out in favor of PostgreSQL for control-plane domains.
 * **Queue** — Redis Streams / NATS / RabbitMQ (pluggable).
 * **OCI Registry** — must support **Referrers API** (discover SBOMs/signatures).
@@ -229,7 +230,7 @@ LS --> IA: PoE (mTLS client cert or JWT with cnf=K_inst), CRL/OCSP/introspect
 ---
-## 6) Storage & catalogs (RustFS/Mongo)
+## 6) Storage & catalogs (RustFS/PostgreSQL)
 **RustFS layout (default)**
@@ -243,16 +244,62 @@ rustfs://stellaops/
  attest/<artifactSha256>.dsse.json
 ```
-**Catalog (Mongo)**
+### Database Architecture (PostgreSQL)
-* `artifacts` (type/format/sha/size/rekor/ttl/immutable/refCount/createdAt)
+StellaOps uses PostgreSQL for all control-plane data with **per-module schema isolation**. Each module owns and manages only its own schema, ensuring clear ownership and independent migration lifecycles.
-* `images`, `layers`, `links`, `lifecycleRules`
+
-* **Scheduler:** `schedules`, `runs`, `locks`, `impact_cursors`
+**Schema topology:**
-* **Notify:** `rules`, `deliveries`, `channels`, `templates`
+
 ```
 ┌─────────────────────────────────────────────────────────────────┐
 │                    PostgreSQL Cluster                            │
 │  ┌─────────────────────────────────────────────────────────────┐│
 │  │                    stellaops (database)                      ││
 │  │  ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐           ││
 │  │  │  auth   │ │  vuln   │ │   vex   │ │scheduler│           ││
 │  │  └─────────┘ └─────────┘ └─────────┘ └─────────┘           ││
 │  │  ┌─────────┐ ┌─────────┐ ┌─────────┐                       ││
 │  │  │ notify  │ │ policy  │ │  audit  │                       ││
 │  │  └─────────┘ └─────────┘ └─────────┘                       ││
 │  └─────────────────────────────────────────────────────────────┘│
 └─────────────────────────────────────────────────────────────────┘
 ```
 **Schema ownership:**
 | Schema | Owner Module | Purpose |
 |--------|--------------|---------|
 | `auth` | Authority | Identity, authentication, authorization, licensing, sessions |
 | `vuln` | Concelier | Vulnerability advisories, CVSS, affected packages, sources |
 | `vex` | Excititor | VEX statements, graphs, observations, evidence, consensus |
 | `scheduler` | Scheduler | Jobs, triggers, workers, locks, execution history |
 | `notify` | Notify | Channels, templates, rules, deliveries, escalations |
 | `policy` | Policy | Policy packs, rules, risk profiles, evaluations |
 | `audit` | Shared | Cross-cutting audit log (optional) |
 **Key design principles:**
 1. **Module isolation** — Each module controls only its own schema. Cross-schema queries are rare and explicitly documented.
 2. **Multi-tenancy** — Single database, single schema set, `tenant_id` column on all tenant-scoped tables with row-level security.
 3. **Forward-only migrations** — No down migrations; fixes are applied as new forward migrations.
 4. **Advisory lock coordination** — Startup migrations use `pg_try_advisory_lock(hashtext('schema_name'))` to prevent concurrent execution.
 5. **Air-gap compatible** — All migrations embedded in assemblies, no external network dependencies.
 **Migration categories:**
 | Category | Prefix | Execution | Description |
 |----------|--------|-----------|-------------|
 | Startup (A) | `001-099` | Automatic at boot | Non-breaking DDL (CREATE IF NOT EXISTS, ADD COLUMN nullable) |
 | Release (B) | `100-199` | Manual via CLI | Breaking changes (DROP, ALTER TYPE), require maintenance window |
 | Seed | `S001-S999` | After schema | Reference data with ON CONFLICT DO NOTHING |
 | Data (C) | `DM001-DM999` | Background job | Batched data transformations, resumable |
 **Detailed documentation:** See [`docs/db/`](db/README.md) for full specification, coding rules, and phase-by-phase conversion tasks.
 **Retention**
 * RustFS applies retention via `X-RustFS-Retain-Seconds`; Scanner.WebService GC decrements `refCount` and deletes unreferenced metadata; S3/MinIO fallback retains native Object Lock when enabled.
 * PostgreSQL retention managed via time-based partitioning for high-volume tables (runs, execution_logs) with monthly partition drops.
 ---
@@ -381,20 +428,20 @@ Binary header + purl table + roaring bitmaps; optional `usedByEntrypoint` flags
 ```yaml
 services:
-  authority:       { image: stellaops/authority }
+  authority:       { image: stellaops/authority, depends_on: [postgres] }
  fulcio:          { image: sigstore/fulcio }
  rekor:           { image: sigstore/rekor-v2 }
  minio:           { image: minio/minio, command: server /data --console-address ":9001" }
-  mongo:           { image: mongo:7 }
+  postgres:        { image: postgres:15-alpine, environment: { POSTGRES_DB: stellaops, POSTGRES_USER: stellaops } }
  signer:          { image: stellaops/signer, depends_on: [authority, fulcio] }
  attestor:        { image: stellaops/attestor, depends_on: [rekor, signer] }
-  scanner-web:     { image: stellaops/scanner-web, depends_on: [mongo, minio, signer, attestor] }
+  scanner-web:     { image: stellaops/scanner-web, depends_on: [postgres, minio, signer, attestor] }
  scanner-worker:  { image: stellaops/scanner-worker, deploy: { replicas: 4 }, depends_on: [scanner-web] }
-  concelier:       { image: stellaops/concelier-web, depends_on: [mongo] }
+  concelier:       { image: stellaops/concelier-web, depends_on: [postgres] }
-  excititor:       { image: stellaops/excititor-web, depends_on: [mongo] }
+  excititor:       { image: stellaops/excititor-web, depends_on: [postgres] }
-  scheduler-web:   { image: stellaops/scheduler-web, depends_on: [mongo] }
+  scheduler-web:   { image: stellaops/scheduler-web, depends_on: [postgres] }
  scheduler-worker:{ image: stellaops/scheduler-worker, deploy: { replicas: 2 }, depends_on: [scheduler-web] }
-  notify-web:      { image: stellaops/notify-web, depends_on: [mongo] }
+  notify-web:      { image: stellaops/notify-web, depends_on: [postgres] }
  notify-worker:   { image: stellaops/notify-worker, deploy: { replicas: 2 }, depends_on: [notify-web] }
  ui:              { image: stellaops/ui, depends_on: [scanner-web, concelier, excititor, scheduler-web, notify-web] }
 ```
--- a/docs/adr/0001-postgresql-for-control-plane.md
+++ b/docs/adr/0001-postgresql-for-control-plane.md
@@ -0,0 +1,207 @@
 # ADR-0001: PostgreSQL for Control-Plane Storage
 ## Status
 Accepted
 ## Date
 2025-12-04
 ## Authors
 - Platform Team
 ## Deciders
 - Architecture Guild
 - Platform Team
 ## Context
 StellaOps control-plane services (Authority, Scheduler, Notify, Concelier/Excititor, Policy) require persistent storage for:
 - Identity and authorization data (users, roles, tokens, sessions)
 - Job scheduling and execution state
 - Notification rules, templates, and delivery tracking
 - Vulnerability advisories and VEX statements
 - Policy packs, rules, and evaluation history
 **Triggers for this decision:**
 1. **Licensing trust & ecosystem stability** — PostgreSQL is licensed under the permissive PostgreSQL License (similar to MIT/BSD), OSI-approved, with no vendor lock-in concerns. MongoDB's SSPL license (2018) is not OSI-approved and creates uncertainty for self-hosted/sovereign deployments. For a platform emphasizing sovereignty and auditability, database licensing must be beyond reproach.
 2. **Schema complexity** — Control-plane domains have well-defined, relational schemas with referential integrity requirements (foreign keys, cascading deletes, constraints).
 3. **Query patterns** — Complex joins, aggregations, and window functions are common (e.g., finding all images affected by a newly published CVE).
 4. **ACID requirements** — Job scheduling, token issuance, and notification delivery require strong transactional guarantees.
 5. **Multi-tenancy** — Row-level security (RLS) needed for tenant isolation without schema-per-tenant overhead.
 6. **Migration tooling** — Need deterministic, forward-only migrations with advisory lock coordination for multi-instance deployments.
 7. **Air-gap operation** — All schema and data must be embeddable in assemblies without external network dependencies.
 8. **Auditability** — PostgreSQL's mature ecosystem includes proven audit logging, compliance tooling, and forensic capabilities trusted by regulated industries.
 ## Decision
 **Adopt PostgreSQL (≥15) as the primary database for all StellaOps control-plane domains.**
 Key architectural choices:
 ### 1. Per-Module Schema Isolation
 Each module owns exactly one PostgreSQL schema:
 | Schema | Owner | Description |
 |--------|-------|-------------|
 | `auth` | Authority | Identity, authentication, authorization, licensing |
 | `vuln` | Concelier | Vulnerability advisories, sources, affected packages |
 | `vex` | Excititor | VEX statements, graphs, observations, consensus |
 | `scheduler` | Scheduler | Jobs, triggers, workers, execution history |
 | `notify` | Notify | Channels, templates, rules, deliveries |
 | `policy` | Policy | Policy packs, rules, risk profiles |
 | `audit` | Shared | Cross-cutting audit log (optional) |
 **Rationale:**
 - Clear ownership boundaries
 - Independent migration lifecycles
 - Schema-level access control
 - Simplified testing and development
 ### 2. Multi-Tenancy via tenant_id Column
 Single database, single schema set, `tenant_id` column on all tenant-scoped tables.
 ```sql
 -- Session-level tenant context
 SET app.tenant_id = '<tenant-uuid>';
 -- Row-level security (defense in depth)
 CREATE POLICY tenant_isolation ON <table>
    USING (tenant_id = current_setting('app.tenant_id')::uuid);
 ```
 **Rationale:**
 - Simplest operational model
 - Shared connection pooling
 - Easy cross-tenant queries for admin operations
 - Composite indexes on `(tenant_id, ...)` for query performance
 ### 3. Forward-Only Migrations with Advisory Locks
 Migrations are embedded in assemblies and executed at startup with PostgreSQL advisory locks:
 ```sql
 SELECT pg_try_advisory_lock(hashtext('auth'));  -- Per-schema lock
 ```
 **Migration categories:**
 - **Startup (001-099)**: Automatic, non-breaking DDL
 - **Release (100-199)**: Manual CLI, breaking changes
 - **Seed (S001-S999)**: Reference data
 - **Data (DM001-DM999)**: Batched background jobs
 **Rationale:**
 - No down migrations needed (forward-only with fix-forward)
 - Advisory locks prevent concurrent migrations across instances
 - Checksum validation catches unauthorized modifications
 - Air-gap compatible (no external migration service needed)
 ### 4. RustFS for Binary Artifacts
 PostgreSQL stores metadata and indexes; RustFS stores binary artifacts (SBOMs, attestations, reports):
 ```
 PostgreSQL: Schema definitions, relationships, indexes, audit trails
 RustFS:     sbom.cdx.json.zst, inventory.cdx.pb, bom-index.bin, *.dsse.json
 ```
 **Rationale:**
 - Right tool for each job
 - PostgreSQL excellent for structured queries
 - Object storage better for large binary blobs
 - Clear separation of concerns
 ## Consequences
 ### Positive
 1. **Licensing trust** — PostgreSQL License is permissive, OSI-approved, and universally accepted. No vendor lock-in, no license ambiguity for sovereign deployments. Trusted by governments, regulated industries, and security-conscious organizations.
 2. **Ecosystem stability** — 30+ years of development, included in all major distributions, no license rug-pulls. Community governance ensures long-term trust.
 3. **Relational integrity** — Foreign keys, constraints, and transactions ensure data consistency.
 4. **Query flexibility** — Complex joins, CTEs, window functions, and full-text search available natively.
 5. **Operational maturity** — Well-understood backup, replication, and monitoring ecosystem.
 6. **Row-level security** — Built-in multi-tenancy support without application-layer hacks.
 7. **Schema evolution** — Mature migration tooling with online DDL capabilities.
 8. **Performance** — Excellent query planning, connection pooling (PgBouncer), and indexing options.
 9. **Auditability** — Proven audit logging extensions (pgAudit), compliance certifications, forensic tooling.
 ### Negative
 1. **Schema rigidity** — Changes require migrations; less flexible than document stores for rapidly evolving schemas.
 2. **Operational overhead** — Requires PostgreSQL expertise for tuning, vacuuming, and monitoring.
 3. **Connection limits** — Need PgBouncer for high-concurrency workloads.
 ### Follow-up Actions
 - [x] Create `docs/db/` documentation directory with specification, rules, and conversion plan
 - [x] Define migration infrastructure in `StellaOps.Infrastructure.Postgres`
 - [ ] Complete phased conversion from MongoDB per `docs/db/tasks/PHASE_*.md`
 - [ ] Update deployment guides for PostgreSQL requirements
 - [ ] Add PostgreSQL health checks to all control-plane services
 ### Rollback Criteria
 Revert to MongoDB (or hybrid) if:
 - Migration performance unacceptable (> 60s startup time)
 - Query complexity exceeds PostgreSQL capabilities
 - Operational burden exceeds team capacity
 ## Alternatives Considered
 ### Option A: Continue with MongoDB
 **Pros:**
 - Already in use for some components
 - Flexible schema
 - Good for document-centric workloads
 **Cons:**
 - **Licensing uncertainty** — MongoDB's SSPL (Server Side Public License, 2018) is not OSI-approved. Creates legal ambiguity for sovereign/self-hosted deployments, especially in regulated industries and government contexts where license provenance matters.
 - **Ecosystem trust erosion** — SSPL switch caused major distributions (Debian, Fedora, RHEL) to drop MongoDB packages. Sovereign customers may have policies against non-OSI licenses.
 - No referential integrity (app-enforced)
 - Limited join capabilities
 - Multi-tenancy requires additional logic
 - No row-level security
 - Less mature migration tooling
 **Rejected because:** Licensing uncertainty is incompatible with StellaOps' sovereign-first positioning. Control-plane domains are also fundamentally relational with strong consistency requirements.
 ### Option B: Hybrid (PostgreSQL + MongoDB)
 **Pros:**
 - Use each database for appropriate workloads
 - Gradual migration possible
 **Cons:**
 - Two databases to operate and monitor
 - Complex deployment
 - Cross-database consistency challenges
 - Higher operational burden
 **Rejected because:** Unified PostgreSQL approach is simpler and sufficient for all control-plane needs.
 ### Option C: CockroachDB / YugabyteDB
 **Pros:**
 - PostgreSQL-compatible
 - Built-in horizontal scaling
 - Multi-region capabilities
 **Cons:**
 - Additional operational complexity
 - Less mature than PostgreSQL
 - Overkill for current scale
 - Air-gap deployment challenges
 **Rejected because:** PostgreSQL provides sufficient scale and simpler operations for current requirements. Can revisit if horizontal scaling becomes necessary.
 ## References
 - [`docs/db/README.md`](../db/README.md) — Database documentation index
 - [`docs/db/SPECIFICATION.md`](../db/SPECIFICATION.md) — Schema design specification
 - [`docs/db/MIGRATION_STRATEGY.md`](../db/MIGRATION_STRATEGY.md) — Migration execution strategy
 - [`docs/db/RULES.md`](../db/RULES.md) — Database coding rules
 - [`docs/07_HIGH_LEVEL_ARCHITECTURE.md`](../07_HIGH_LEVEL_ARCHITECTURE.md) — High-level architecture overview
--- a/docs/adr/index.md
+++ b/docs/adr/index.md
@@ -34,8 +34,15 @@ Small, module-local refactors that do not modify public behaviour can live in co
 - [ ] Consequences call out migration or rollback steps.
 - [ ] Announcement posted to Docs Guild updates (or sprint log).
 ## ADR Index
 | ADR | Title | Status | Date |
 |-----|-------|--------|------|
 | [0001](./0001-postgresql-for-control-plane.md) | PostgreSQL for Control-Plane Storage | Accepted | 2025-12-04 |
 ## Related resources
 - [Docs Guild Task Board](../TASKS.md)
 - [High-Level Architecture Overview](../07_HIGH_LEVEL_ARCHITECTURE.md)
 - [Database Documentation](../db/README.md)
 - [Coding Standards](../18_CODING_STANDARDS.md)
 - [Release Engineering Playbook](../13_RELEASE_ENGINEERING_PLAYBOOK.md)
--- a/docs/db/MIGRATION_STRATEGY.md
+++ b/docs/db/MIGRATION_STRATEGY.md
@@ -0,0 +1,498 @@
 # PostgreSQL Migration Strategy
 **Version:** 1.0
 **Last Updated:** 2025-12-03
 **Status:** Active
 ## Overview
 This document defines the migration strategy for StellaOps PostgreSQL databases. It covers initial setup, per-release migrations, multi-instance coordination, and air-gapped operation.
 ## Principles
 1. **Forward-Only**: No down migrations. Fixes are applied as new forward migrations.
 2. **Idempotent**: All migrations must be safe to re-run (use `IF NOT EXISTS`, `ON CONFLICT DO NOTHING`).
 3. **Deterministic**: Same input produces identical schema state across environments.
 4. **Air-Gap Compatible**: All migrations embedded in assemblies, no external dependencies.
 5. **Zero-Downtime**: Non-breaking migrations run at startup; breaking changes require coordination.
 ## Migration Categories
 ### Category A: Startup Migrations (Automatic)
 Run automatically when application starts. Must complete within 60 seconds.
 **Allowed Operations:**
 - `CREATE SCHEMA IF NOT EXISTS`
 - `CREATE TABLE IF NOT EXISTS`
 - `CREATE INDEX IF NOT EXISTS`
 - `CREATE INDEX CONCURRENTLY` (non-blocking)
 - `ALTER TABLE ADD COLUMN` (nullable or with default)
 - `CREATE TYPE ... IF NOT EXISTS` (enums)
 - Adding new enum values (`ALTER TYPE ... ADD VALUE IF NOT EXISTS`)
 - Insert seed data with `ON CONFLICT DO NOTHING`
 **Forbidden Operations:**
 - `DROP TABLE/COLUMN/INDEX`
 - `ALTER TABLE DROP COLUMN`
 - `ALTER TABLE ALTER COLUMN TYPE`
 - `TRUNCATE`
 - Large data migrations (> 10,000 rows affected)
 - Any operation requiring `ACCESS EXCLUSIVE` lock for extended periods
 ### Category B: Release Migrations (Manual/CLI)
 Require explicit execution via CLI before deployment. Used for breaking changes.
 **Typical Operations:**
 - Dropping deprecated columns/tables
 - Column type changes
 - Large data backfills
 - Index rebuilds
 - Table renames
 - Constraint modifications
 ### Category C: Data Migrations (Batched)
 Long-running data transformations that run as background jobs.
 **Characteristics:**
 - Batched processing (1000-10000 rows per batch)
 - Resumable after interruption
 - Progress tracking
 - Can run alongside application
 ## Migration File Structure
 ```
 src/<Module>/__Libraries/StellaOps.<Module>.Storage.Postgres/
 ├── Migrations/
 │   ├── 001_initial_schema.sql          # Category A
 │   ├── 002_add_audit_columns.sql       # Category A
 │   ├── 003_add_search_index.sql        # Category A
 │   └── 100_drop_legacy_columns.sql     # Category B (100+ = manual)
 ├── Seeds/
 │   ├── 001_default_roles.sql           # Seed data
 │   └── 002_builtin_policies.sql        # Seed data
 └── DataMigrations/
    └── DM001_BackfillTenantIds.cs      # Category C (code-based)
 ```
 ### Naming Convention
 | Prefix | Category | Description |
 |--------|----------|-------------|
 | `001-099` | A (Startup) | Automatic, non-breaking |
 | `100-199` | B (Release) | Manual, breaking changes |
 | `200-299` | B (Release) | Major version migrations |
 | `S001-S999` | Seed | Reference data |
 | `DM001-DM999` | C (Data) | Batched data migrations |
 ## Execution Flow
 ### Application Startup
 ```
 ┌─────────────────────────────────────────────────────────────┐
 │                    Application Startup                       │
 └─────────────────────────────────────────────────────────────┘
                              │
                              ▼
 ┌─────────────────────────────────────────────────────────────┐
 │  1. Acquire Advisory Lock (pg_try_advisory_lock)            │
 │     Key: hash of schema name                                 │
 │     If lock fails: wait up to 120s, then fail startup       │
 └─────────────────────────────────────────────────────────────┘
                              │
                              ▼
 ┌─────────────────────────────────────────────────────────────┐
 │  2. Create schema_migrations table if not exists             │
 │     Columns: migration_name, applied_at, checksum, category │
 └─────────────────────────────────────────────────────────────┘
                              │
                              ▼
 ┌─────────────────────────────────────────────────────────────┐
 │  3. Load embedded migrations (001-099 only)                  │
 │     - Sort by name                                           │
 │     - Compute checksums                                      │
 └─────────────────────────────────────────────────────────────┘
                              │
                              ▼
 ┌─────────────────────────────────────────────────────────────┐
 │  4. Compare with applied migrations                          │
 │     - Detect checksum mismatches (FATAL ERROR)              │
 │     - Identify pending migrations                            │
 └─────────────────────────────────────────────────────────────┘
                              │
                              ▼
 ┌─────────────────────────────────────────────────────────────┐
 │  5. Check for pending Category B migrations                  │
 │     - If any 100+ migrations are pending: FAIL STARTUP      │
 │     - Log: "Run 'stellaops migrate' before deployment"      │
 └─────────────────────────────────────────────────────────────┘
                              │
                              ▼
 ┌─────────────────────────────────────────────────────────────┐
 │  6. Execute pending Category A migrations                    │
 │     - Each in transaction                                    │
 │     - Record in schema_migrations                            │
 │     - Log timing                                             │
 └─────────────────────────────────────────────────────────────┘
                              │
                              ▼
 ┌─────────────────────────────────────────────────────────────┐
 │  7. Execute seed data (if not already applied)               │
 └─────────────────────────────────────────────────────────────┘
                              │
                              ▼
 ┌─────────────────────────────────────────────────────────────┐
 │  8. Release Advisory Lock                                    │
 └─────────────────────────────────────────────────────────────┘
                              │
                              ▼
 ┌─────────────────────────────────────────────────────────────┐
 │  9. Continue Application Startup                             │
 └─────────────────────────────────────────────────────────────┘
 ```
 ### Release Migration (CLI)
 ```bash
 # Before deployment - run breaking migrations
 stellaops system migrations-run --module Authority --category release
 # Verify migration state
 stellaops system migrations-status --module Authority
 # Dry run (show what would be executed)
 stellaops system migrations-run --module Authority --dry-run
 ```
 ## Multi-Instance Coordination
 ### Advisory Locks
 Each module uses a unique advisory lock key derived from its schema name:
 ```sql
 -- Lock key calculation
 SELECT pg_try_advisory_lock(hashtext('auth'));        -- Authority
 SELECT pg_try_advisory_lock(hashtext('scheduler'));   -- Scheduler
 SELECT pg_try_advisory_lock(hashtext('vuln'));        -- Concelier
 SELECT pg_try_advisory_lock(hashtext('policy'));      -- Policy
 SELECT pg_try_advisory_lock(hashtext('notify'));      -- Notify
 ```
 ### Race Condition Handling
 ```
 Instance A                      Instance B
    │                               │
    ├─ Acquire lock (success) ──►   │
    │                               ├─ Acquire lock (BLOCKED)
    ├─ Run migrations               │     Wait up to 120s
    │                               │
    ├─ Release lock ────────────►   │
    │                               ├─ Acquire lock (success)
    │                               ├─ Check migrations (none pending)
    │                               ├─ Release lock
    │                               │
    ▼                               ▼
  Running                        Running
 ```
 ## Schema Migrations Table
 Each schema maintains its own migration history:
 ```sql
 CREATE TABLE IF NOT EXISTS {schema}.schema_migrations (
    migration_name TEXT PRIMARY KEY,
    category TEXT NOT NULL DEFAULT 'startup',
    checksum TEXT NOT NULL,
    applied_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    applied_by TEXT,
    duration_ms INT,
    CONSTRAINT valid_category CHECK (category IN ('startup', 'release', 'seed', 'data'))
 );
 CREATE INDEX IF NOT EXISTS idx_schema_migrations_applied_at
    ON {schema}.schema_migrations(applied_at DESC);
 ```
 ## Module-Specific Schemas
 | Module | Schema | Lock Key | Tables |
 |--------|--------|----------|--------|
 | Authority | `auth` | `hashtext('auth')` | tenants, users, roles, tokens, sessions |
 | Scheduler | `scheduler` | `hashtext('scheduler')` | jobs, triggers, workers, locks |
 | Concelier | `vuln` | `hashtext('vuln')` | advisories, affected, aliases, sources |
 | Policy | `policy` | `hashtext('policy')` | packs, versions, rules, evaluations |
 | Notify | `notify` | `hashtext('notify')` | templates, channels, deliveries |
 | Excititor | `vex` | `hashtext('vex')` | statements, documents, products |
 ## Release Workflow
 ### Pre-Deployment
 ```bash
 # 1. Review pending migrations
 stellaops system migrations-status --module all
 # 2. Backup database (if required)
 pg_dump -Fc stellaops > backup_$(date +%Y%m%d).dump
 # 3. Run release migrations in maintenance window
 stellaops system migrations-run --category release --module all
 # 4. Verify schema state
 stellaops system migrations-verify --module all
 ```
 ### Deployment
 1. Deploy new application version
 2. Application startup runs Category A migrations automatically
 3. Health checks pass after migrations complete
 ### Post-Deployment
 ```bash
 # Check migration status
 stellaops system migrations-status --module all
 # Run any data migrations (background)
 stellaops system migrations-run --category data --module all
 ```
 ## Rollback Strategy
 Since we use forward-only migrations, rollback is achieved through:
 1. **Fix-Forward**: Deploy a new migration that reverses the problematic change
 2. **Blue/Green Deployment**: Switch back to previous version (requires backward-compatible migrations)
 3. **Point-in-Time Recovery**: Restore from backup (last resort)
 ### Backward Compatibility Window
 For zero-downtime deployments, migrations must be backward compatible for N-1 version:
 ```
 Version N:   Adds new nullable column 'status_v2'
 Version N+1: Application uses 'status_v2', keeps 'status' populated
 Version N+2: Migration removes 'status' column (Category B)
 ```
 ## Air-Gapped Operation
 All migrations are embedded as assembly resources:
 ```xml
 <!-- In .csproj file -->
 <ItemGroup>
  <EmbeddedResource Include="Migrations\*.sql" LogicalName="%(Filename)%(Extension)" />
  <EmbeddedResource Include="Seeds\*.sql" LogicalName="%(Filename)%(Extension)" />
 </ItemGroup>
 ```
 No network access required during migration execution.
 ## Monitoring & Observability
 ### Metrics
 | Metric | Type | Description |
 |--------|------|-------------|
 | `stellaops_migration_duration_seconds` | Histogram | Time to run migration |
 | `stellaops_migration_pending_count` | Gauge | Number of pending migrations |
 | `stellaops_migration_applied_total` | Counter | Total migrations applied |
 | `stellaops_migration_failed_total` | Counter | Total migration failures |
 ### Logging
 ```
 [INF] Migration: Acquiring lock for schema 'auth'
 [INF] Migration: Lock acquired, checking pending migrations
 [INF] Migration: 2 pending migrations found
 [INF] Migration: Applying 003_add_audit_columns.sql (checksum: a1b2c3...)
 [INF] Migration: 003_add_audit_columns.sql completed in 245ms
 [INF] Migration: Applying 004_add_search_index.sql (checksum: d4e5f6...)
 [INF] Migration: 004_add_search_index.sql completed in 1823ms
 [INF] Migration: All migrations applied, releasing lock
 ```
 ### Alerts
 - Migration lock held > 5 minutes
 - Migration failure
 - Checksum mismatch detected
 - Pending Category B migrations blocking startup
 ## Development Workflow
 ### Creating a New Migration
 ```bash
 # 1. Create migration file
 touch src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres/Migrations/005_add_mfa_columns.sql
 # 2. Write idempotent SQL
 cat > 005_add_mfa_columns.sql << 'EOF'
 -- Migration: 005_add_mfa_columns
 -- Category: startup
 -- Description: Add MFA support columns to users table
 ALTER TABLE auth.users ADD COLUMN IF NOT EXISTS mfa_enabled BOOLEAN NOT NULL DEFAULT FALSE;
 ALTER TABLE auth.users ADD COLUMN IF NOT EXISTS mfa_secret TEXT;
 ALTER TABLE auth.users ADD COLUMN IF NOT EXISTS mfa_backup_codes TEXT[];
 CREATE INDEX IF NOT EXISTS idx_users_mfa_enabled ON auth.users(mfa_enabled) WHERE mfa_enabled = TRUE;
 EOF
 # 3. Test locally
 dotnet run --project src/Authority/StellaOps.Authority.WebService
 # 4. Verify migration applied
 stellaops system migrations-status --module Authority
 ```
 ### Testing Migrations
 ```bash
 # Run integration tests with migrations
 dotnet test --filter "Category=Migration"
 # Test idempotency (run twice)
 stellaops system migrations-run --module Authority
 stellaops system migrations-run --module Authority  # Should be no-op
 ```
 ## Troubleshooting
 ### Lock Timeout
 ```
 ERROR: Could not acquire migration lock within 120 seconds
 ```
 **Cause**: Another instance is running migrations or crashed while holding lock.
 **Resolution**:
 ```sql
 -- Check active locks
 SELECT * FROM pg_locks WHERE locktype = 'advisory';
 -- Force release (use with caution)
 SELECT pg_advisory_unlock_all();
 ```
 ### Checksum Mismatch
 ```
 ERROR: Migration checksum mismatch for '003_add_audit_columns.sql'
  Expected: a1b2c3d4e5f6...
  Found:    x9y8z7w6v5u4...
 ```
 **Cause**: Migration file was modified after being applied.
 **Resolution**:
 1. Never modify applied migrations
 2. If intentional, update checksum manually in `schema_migrations`
 3. Create new migration with fix instead
 ### Pending Release Migrations
 ```
 ERROR: Cannot start application - pending release migrations require manual execution
  Pending: 100_drop_legacy_columns.sql
  Run: stellaops system migrations-run --module Authority --category release
 ```
 **Resolution**: Run CLI migration command before deployment.
 ## Integration Guide
 ### Adding Startup Migrations to a Module
 ```csharp
 // In Program.cs or Startup.cs
 using StellaOps.Infrastructure.Postgres.Migrations;
 // Option 1: Using PostgresOptions
 services.AddStartupMigrations(
    schemaName: "auth",
    moduleName: "Authority",
    migrationsAssembly: typeof(AuthorityDataSource).Assembly,
    configureOptions: options =>
    {
        options.LockTimeoutSeconds = 120;
        options.FailOnPendingReleaseMigrations = true;
    });
 // Option 2: Using custom options type
 services.AddStartupMigrations<AuthorityOptions>(
    schemaName: "auth",
    moduleName: "Authority",
    migrationsAssembly: typeof(AuthorityDataSource).Assembly,
    connectionStringSelector: opts => opts.Storage.ConnectionString);
 // Add migration status service for health checks
 services.AddMigrationStatus<PostgresOptions>(
    schemaName: "auth",
    moduleName: "Authority",
    migrationsAssembly: typeof(AuthorityDataSource).Assembly,
    connectionStringSelector: opts => opts.ConnectionString);
 ```
 ### Embedding Migrations in Assembly
 ```xml
 <!-- In .csproj file -->
 <ItemGroup>
  <EmbeddedResource Include="Migrations\*.sql" LogicalName="%(Filename)%(Extension)" />
  <EmbeddedResource Include="Seeds\*.sql" LogicalName="%(Filename)%(Extension)" />
 </ItemGroup>
 ```
 ### Health Check Integration
 ```csharp
 // Add migration status to health checks
 services.AddHealthChecks()
    .AddCheck("migrations", async (cancellationToken) =>
    {
        var status = await migrationStatusService.GetStatusAsync(cancellationToken);
        if (status.HasBlockingIssues)
        {
            return HealthCheckResult.Unhealthy(
                $"Pending release migrations: {status.PendingReleaseCount}, " +
                $"Checksum errors: {status.ChecksumErrors.Count}");
        }
        if (status.PendingStartupCount > 0)
        {
            return HealthCheckResult.Degraded(
                $"Pending startup migrations: {status.PendingStartupCount}");
        }
        return HealthCheckResult.Healthy($"Applied: {status.AppliedCount}");
    });
 ```
 ## Implementation Files
 | File | Description |
 |------|-------------|
 | `src/__Libraries/StellaOps.Infrastructure.Postgres/Migrations/MigrationRunner.cs` | Core migration execution logic |
 | `src/__Libraries/StellaOps.Infrastructure.Postgres/Migrations/MigrationCategory.cs` | Migration category enum and helpers |
 | `src/__Libraries/StellaOps.Infrastructure.Postgres/Migrations/StartupMigrationHost.cs` | IHostedService for automatic migrations |
 | `src/__Libraries/StellaOps.Infrastructure.Postgres/Migrations/MigrationServiceExtensions.cs` | DI registration extensions |
 ## Reference
 - [PostgreSQL Advisory Locks](https://www.postgresql.org/docs/current/explicit-locking.html#ADVISORY-LOCKS)
 - [Zero-Downtime Migrations](https://docs.stellaops.org/operations/migrations)
 - [StellaOps CLI Reference](../09_API_CLI_REFERENCE.md)
--- a/docs/db/README.md
+++ b/docs/db/README.md
@@ -2,6 +2,8 @@
 This directory contains all documentation related to the StellaOps database architecture, including the MongoDB to PostgreSQL conversion project.
 > **ADR Reference:** See [ADR-0001: PostgreSQL for Control-Plane Storage](../adr/0001-postgresql-for-control-plane.md) for the architectural decision rationale.
 ## Document Index
 | Document | Purpose |
--- a/docs/implplan/BLOCKED_DEPENDENCY_TREE.md
+++ b/docs/implplan/BLOCKED_DEPENDENCY_TREE.md
@@ -0,0 +1,502 @@
 # BLOCKED Tasks Dependency Tree
 > **Last Updated:** 2025-12-04
 > **Purpose:** This document maps all BLOCKED tasks and their root causes to help teams prioritize unblocking work.
 ## How to Use This Document
 Before starting work on any BLOCKED task, check this tree to understand:
 1. What is the **root blocker** (external dependency, missing spec, staffing, etc.)
 2. What **chain of tasks** depends on it
 3. Which team/guild owns the root blocker
 ---
 ## Legend
 - **Root Blocker** — External/system cause (missing spec, staffing, disk space, etc.)
 - **Chained Blocked** — Blocked by another BLOCKED task
 - **Module** — Module/guild name
 ---
 ## 1. SIGNALS & RUNTIME FACTS (SGSI0101) — Critical Path
 **Root Blocker:** `PREP-SIGNALS-24-002` (CAS promotion pending)
 ```
 PREP-SIGNALS-24-002 (CAS promotion pending)
    +-- 24-002: Surface cache availability
        +-- 24-003: Runtime facts ingestion + provenance enrichment
            +-- 24-004: Authority scopes + 24-003
                +-- 24-005: 24-004 scoring outputs
 ```
 **Root Blocker:** `SGSI0101 provenance feed/contract pending`
 ```
 SGSI0101 provenance feed/contract pending
    +-- 56-001: Telemetry provenance
    +-- 401-004: Replay Core (awaiting runtime facts + GAP-REP-004)
 ```
 **Impact:** 6+ tasks in Signals, Telemetry, Replay Core guilds
 **To Unblock:** Deliver CAS promotion and SGSI0101 provenance contract
 ---
 ## 2. API GOVERNANCE (APIG0101) — DevPortal & SDK Chain
 **Root Blocker:** `APIG0101 outputs` (API baseline missing)
 ```
 APIG0101 outputs (API baseline)
    +-- 62-001: DevPortal API baseline
    |   +-- 62-002: Blocked until 62-001
    |       +-- 63-001: Platform integration
    |           +-- 63-002: SDK Generator integration
    |
    +-- 63-003: SDK Generator (APIG0101 outputs)
        +-- 63-004: SDK Generator outstanding
 ```
 **Impact:** 6 tasks in DevPortal + SDK Generator guilds
 **To Unblock:** Deliver APIG0101 API baseline outputs
 ---
 ## 3. VEX LENS CHAIN (30-00x Series)
 **Root Blocker:** `VEX normalization + issuer directory + API governance specs`
 ```
 VEX normalization + issuer directory + API governance specs
    +-- 30-001: VEX Lens base
        +-- 30-002
            +-- 30-003 (Issuer Directory)
                +-- 30-004 (Policy)
                    +-- 30-005
                        +-- 30-006 (Findings Ledger)
                            +-- 30-007
                                +-- 30-008 (Policy)
                                    +-- 30-009 (Observability)
                                        +-- 30-010 (QA)
                                            +-- 30-011 (DevOps)
 ```
 **Impact:** 11 tasks — full VEX Lens series
 **To Unblock:** Publish VEX normalization spec, issuer directory contract, and API governance specs
 ---
 ## 4. DEPLOYMENT CHAIN (44-xxx to 45-xxx)
 **Root Blocker:** `Upstream module releases` (service list/version pins)
 ```
 Upstream module releases (service list/version pins)
    +-- 44-001: Compose deployment base
    |   +-- 44-002
    |       +-- 44-003
    |           +-- 45-001
    |               +-- 45-002 (Security)
    |                   +-- 45-003 (Observability)
    |
    +-- COMPOSE-44-001 (parallel blocker)
 ```
 **Impact:** 7 tasks in Deployment Guild
 **To Unblock:** Publish consolidated service list and version pins from upstream modules
 ---
 ## 5. AIRGAP ECOSYSTEM
 ### 5.1 Controller Chain
 **Root Blocker:** `Disk full` (workspace cleanup needed)
 ```
 Disk full (workspace cleanup needed)
    +-- AIRGAP-CTL-57-001: Startup diagnostics
        +-- AIRGAP-CTL-57-002: Seal/unseal telemetry
            +-- AIRGAP-CTL-58-001: Time anchor persistence
 ```
 ### 5.2 Importer Chain
 **Root Blocker:** `Disk space + controller telemetry`
 ```
 Disk space + controller telemetry
    +-- AIRGAP-IMP-57-002: Object-store loader
        +-- AIRGAP-IMP-58-001: Import API + CLI
            +-- AIRGAP-IMP-58-002: Timeline events
 ```
 ### 5.3 Time Chain
 **Root Blocker:** `Controller telemetry + disk space`
 ```
 Controller telemetry + disk space
    +-- AIRGAP-TIME-57-002: Time anchor telemetry
        +-- AIRGAP-TIME-58-001: Drift baseline
            +-- AIRGAP-TIME-58-002: Staleness notifications
 ```
 ### 5.4 CLI AirGap Chain
 **Root Blocker:** `Mirror bundle contract/spec` not available
 ```
 Mirror bundle contract/spec not available
    +-- CLI-AIRGAP-56-001: stella mirror create
        +-- CLI-AIRGAP-56-002: Telemetry sealed mode
            +-- CLI-AIRGAP-57-001: stella airgap import
                +-- CLI-AIRGAP-57-002: stella airgap seal
                    +-- CLI-AIRGAP-58-001: stella airgap export evidence
 ```
 ### 5.5 Docs AirGap
 **Root Blocker:** `CLI airgap contract` (CLI-AIRGAP-56/57)
 ```
 CLI airgap contract (CLI-AIRGAP-56/57)
    +-- AIRGAP-57-003: CLI & ops inputs
        +-- AIRGAP-57-004: Ops Guild
 ```
 **Impact:** 17+ tasks in AirGap ecosystem
 **To Unblock:**
 1. Clean up disk space
 2. Publish mirror bundle contract/spec
 3. Complete CLI-AIRGAP-56-001
 ---
 ## 6. CLI ATTESTOR CHAIN
 **Root Blocker:** `Scanner analyzer compile failures + attestor SDK transport contract`
 ```
 Scanner analyzer compile failures + attestor SDK transport contract
    +-- CLI-ATTEST-73-001: stella attest sign
        +-- CLI-ATTEST-73-002: stella attest verify
            +-- CLI-ATTEST-74-001: stella attest list
                +-- CLI-ATTEST-74-002: stella attest fetch
 ```
 **Impact:** 4 tasks in CLI Attestor Guild
 **To Unblock:** Fix scanner analyzer compile issues; publish attestor SDK transport contract
 ---
 ## 7. TASK RUNNER CHAINS
 ### 7.1 AirGap
 **Root Blocker:** `TASKRUN-AIRGAP-56-002`
 ```
 TASKRUN-AIRGAP-56-002
    +-- TASKRUN-AIRGAP-57-001: Sealed environment check
        +-- TASKRUN-AIRGAP-58-001: Evidence bundles
 ```
 ### 7.2 OAS Chain
 **Root Blocker:** `TASKRUN-41-001` (DONE - chain should unblock)
 ```
 TASKRUN-41-001 (DONE)
    +-- TASKRUN-OAS-61-001: Task Runner OAS docs
        +-- TASKRUN-OAS-61-002: OpenAPI well-known
            +-- TASKRUN-OAS-62-001: SDK examples
                +-- TASKRUN-OAS-63-001: Deprecation handling
 ```
 ### 7.3 Observability Chain
 **Root Blocker:** `Timeline event schema + evidence-pointer contract`
 ```
 Timeline event schema + evidence-pointer contract
    +-- TASKRUN-OBS-52-001: Timeline events
        +-- TASKRUN-OBS-53-001: Evidence locker snapshots
            +-- TASKRUN-OBS-54-001: DSSE attestations
            |   +-- TASKRUN-OBS-55-001: Incident mode
            +-- TASKRUN-TEN-48-001: Tenant context
 ```
 **Impact:** 10+ tasks in Task Runner Guild
 **To Unblock:** Publish timeline event schema and evidence-pointer contract
 ---
 ## 8. SCANNER CHAINS
 **Root Blocker:** `PHP analyzer bootstrap spec/fixtures`
 ```
 PHP analyzer bootstrap spec/fixtures (composer/VFS schema)
    +-- SCANNER-ANALYZERS-PHP-27-001
 ```
 **Root Blocker:** `18-503/504/505/506 outputs` (EntryTrace baseline)
 ```
 18-503/504/505/506 outputs (EntryTrace baseline)
    +-- SCANNER-ENTRYTRACE-18-508
 ```
 **Root Blocker:** `Task definition/contract missing`
 ```
 Task definition/contract missing
    +-- SCANNER-SURFACE-01
 ```
 **Root Blocker:** `SCANNER-ANALYZERS-JAVA-21-007`
 ```
 SCANNER-ANALYZERS-JAVA-21-007
    +-- ANALYZERS-JAVA-21-008
 ```
 **Root Blocker:** `Local dotnet tests hanging`
 ```
 SCANNER-ANALYZERS-LANG-10-309 (DONE, but local tests hanging)
    +-- ANALYZERS-LANG-11-001
 ```
 **Impact:** 5 tasks in Scanner Guild
 **To Unblock:**
 1. Publish PHP analyzer bootstrap spec
 2. Complete EntryTrace 18-503/504/505/506
 3. Define SCANNER-SURFACE-01 contract
 4. Complete JAVA-21-007
 5. Fix local dotnet test environment
 ---
 ## 8.1 CLI COMPILE FAILURES (Detailed Analysis)
 > **Analysis Date:** 2025-12-04
 > **Status:** ✅ **RESOLVED** (2025-12-04)
 > **Resolution:** See `docs/implplan/CLI_AUTH_MIGRATION_PLAN.md`
 The CLI (`src/Cli/StellaOps.Cli`) had significant API drift from its dependencies. This has been resolved.
 ### Remediation Summary (All Fixed)
 | Library | Issue | Status |
 |---------|-------|--------|
 | `StellaOps.Auth.Client` | `IStellaOpsTokenClient` interface changed | ✅ **FIXED** - Extension methods created |
 | `StellaOps.Cli.Output` | `CliError` constructor change | ✅ **FIXED** |
 | `System.CommandLine` | API changes in 2.0.0-beta5+ | ✅ **FIXED** |
 | `Spectre.Console` | `Table.AddRow` signature change | ✅ **FIXED** |
 | `BackendOperationsClient` | `CreateFailureDetailsAsync` return type | ✅ **FIXED** |
 | `CliProfile` | Class→Record conversion | ✅ **FIXED** |
 | `X509Certificate2` | Missing using directive | ✅ **FIXED** |
 | `StellaOps.PolicyDsl` | `PolicyIssue` properties changed | ✅ **FIXED** |
 | `CommandHandlers` | Method signature mismatches | ✅ **FIXED** |
 ### Build Result
 **Build succeeded with 0 errors, 6 warnings** (warnings are non-blocking)
 ### Previously Blocked Tasks (Now Unblocked)
 ```
 CLI Compile Failures (RESOLVED)
    +-- CLI-ATTEST-73-001: stella attest sign           → UNBLOCKED
    +-- CLI-ATTEST-73-002: stella attest verify         → UNBLOCKED
    +-- CLI-AIAI-31-001: Advisory AI CLI integration    → UNBLOCKED
    +-- CLI-AIRGAP-56-001: stella mirror create         → UNBLOCKED
    +-- CLI-401-007: Reachability evidence chain        → UNBLOCKED
    +-- CLI-401-021: Reachability chain CI/attestor     → UNBLOCKED
 ```
 ### Key Changes Made
 1. Created `src/Cli/StellaOps.Cli/Extensions/StellaOpsTokenClientExtensions.cs` with compatibility shims
 2. Updated 8 service files to use new Auth.Client API pattern
 3. Fixed CommandFactory.cs method call argument order/types
 4. Updated PolicyDiagnostic model (Path instead of Line/Column/Span/Suggestion)
 5. Fixed CommandHandlers.cs static type and diagnostic rendering
 ---
 ## 9. CONCELIER RISK CHAIN
 **Root Blocker:** `POLICY-20-001 outputs + AUTH-TEN-47-001 + shared signals library`
 ```
 POLICY-20-001 + AUTH-TEN-47-001 + shared signals library
    +-- CONCELIER-RISK-66-001: Vendor CVSS/KEV data
        +-- CONCELIER-RISK-66-002: Fix-availability metadata
        +-- CONCELIER-RISK-67-001: Coverage/conflict metrics
        +-- CONCELIER-RISK-68-001: Advisory signal pickers
            +-- CONCELIER-RISK-69-001 (continues)
 ```
 **Impact:** 5+ tasks in Concelier Core Guild
 **To Unblock:** Complete POLICY-20-001, AUTH-TEN-47-001, and adopt shared signals library
 ---
 ## 10. WEB/GRAPH CHAIN
 **Root Blocker:** Upstream dependencies (unspecified)
 ```
 Upstream dependencies
    +-- WEB-GRAPH-21-001: Graph gateway routes
        +-- WEB-GRAPH-21-002: Parameter validation
            +-- WEB-GRAPH-21-003: Error mapping
                +-- WEB-GRAPH-21-004: Policy Engine proxy
 ```
 **Root Blocker:** `WEB-POLICY-20-004`
 ```
 WEB-POLICY-20-004
    +-- WEB-POLICY-23-001: Policy packs API
        +-- WEB-POLICY-23-002: Activation endpoint
 ```
 **Impact:** 6 tasks in BE-Base Platform Guild
 **To Unblock:** Complete WEB-POLICY-20-004 and upstream graph dependencies
 ---
 ## 11. STAFFING / PROGRAM MANAGEMENT BLOCKERS
 **Root Blocker:** `PGMI0101 staffing confirmation`
 ```
 PGMI0101 staffing confirmation
    +-- 54-001: Exporter/AirGap/CLI coordination
    +-- 64-002: DevPortal Offline
    +-- AIRGAP-46-001: Mirror staffing + DSSE plan
 ```
 **Root Blocker:** `PROGRAM-STAFF-1001` (staffing not assigned)
 ```
 PROGRAM-STAFF-1001 (staffing not assigned)
    +-- 54-001 (same as above)
 ```
 **Impact:** 3 tasks
 **To Unblock:** Confirm staffing assignments via Program Management Guild
 ---
 ## 12. BENCHMARK CHAIN
 **Root Blocker:** `CAGR0101 outputs` (Graph platform)
 ```
 CAGR0101 outputs (Graph platform)
    +-- BENCH-GRAPH-21-001: Graph benchmark harness
        +-- BENCH-GRAPH-21-002: UI load benchmark
 ```
 **Impact:** 2 tasks in Bench Guild
 **To Unblock:** Complete CAGR0101 Graph platform outputs
 ---
 ## 13. FINDINGS LEDGER
 **Root Blocker:** `LEDGER-AIRGAP-56-002 staleness spec + AirGap time anchors`
 ```
 LEDGER-AIRGAP-56-002 staleness spec + AirGap time anchors
    +-- 58 series: LEDGER-AIRGAP chain
    +-- AIRGAP-58-001: Concelier bundle contract
        +-- AIRGAP-58-002
        +-- AIRGAP-58-003
        +-- AIRGAP-58-004
 ```
 **Impact:** 5 tasks in Findings Ledger + AirGap guilds
 **To Unblock:** Publish LEDGER-AIRGAP-56-002 staleness spec and time anchor contract
 ---
 ## 14. MISCELLANEOUS BLOCKED TASKS
 | Task ID | Root Blocker | Guild |
 |---------|--------------|-------|
 | FEED-REMEDIATION-1001 | Scope missing; needs remediation runbook | Concelier Feed Owners |
 | CLI-41-001 | Pending clarified scope | Docs/DevEx Guild |
 | CLI-42-001 | Pending clarified scope | Docs Guild |
 | CLI-AIAI-31-001 | Scanner analyzers compile failures | DevEx/CLI Guild |
 | CLI-401-007 | Reachability evidence chain contract | UI & CLI Guilds |
 | CLI-401-021 | Reachability chain CI/attestor contract | CLI/DevOps Guild |
 | SVC-35-001 | Unspecified | Exporter Service Guild |
 | VEX-30-001 | Unspecified | Console/BE-Base Guild |
 | VULN-29-001 | Unspecified | Console/BE-Base Guild |
 | WEB-RISK-66-001 | npm ci hangs; Angular tests broken | BE-Base/Policy Guild |
 | CONCELIER-LNM-21-003 | Requires #8 heuristics | Concelier Core Guild |
 ---
 ## Summary Statistics
 | Root Blocker Category | Root Blockers | Downstream Tasks |
 |----------------------|---------------|------------------|
 | SGSI0101 (Signals/Runtime) | 2 | ~6 |
 | APIG0101 (API Governance) | 1 | 6 |
 | VEX Specs | 1 | 11 |
 | Deployment/Compose | 1 | 7 |
 | AirGap Ecosystem | 4 | 17+ |
 | Scanner Compile/Specs | 5 | 5 |
 | Task Runner Contracts | 3 | 10+ |
 | Staffing/Program Mgmt | 2 | 3 |
 | Disk Full | 1 | 6 |
 | Graph/Policy Upstream | 2 | 6 |
 | Miscellaneous | 11 | 11 |
 **Total BLOCKED tasks:** ~100+
 ---
 ## Priority Unblocking Actions
 These root blockers, if resolved, will unblock the most downstream tasks:
 1. **SGSI0101** — Unblocks Signals chain + Telemetry + Replay Core (~6 tasks)
 2. **APIG0101** — Unblocks DevPortal + SDK Generator (6 tasks)
 3. **VEX normalization spec** — Unblocks 11 VEX Lens tasks
 4. **Mirror bundle contract** — Unblocks CLI AirGap + Importer chains (~8 tasks)
 5. **Disk cleanup** — Unblocks AirGap Controller/Time chains (6 tasks)
 6. **Scanner analyzer fixes** — Unblocks CLI Attestor + Advisory AI (5+ tasks)
 7. **Upstream module releases** — Unblocks Deployment chain (7 tasks)
 8. **Timeline event schema** — Unblocks Task Runner Observability (5 tasks)
 ---
 ## Cross-Reference
 - Sprint files reference this document for BLOCKED task context
 - Update this file when root blockers are resolved
 - Notify dependent guilds when unblocking occurs
--- a/docs/implplan/CLI_AUTH_MIGRATION_PLAN.md
+++ b/docs/implplan/CLI_AUTH_MIGRATION_PLAN.md
@@ -0,0 +1,143 @@
 # CLI Auth.Client Migration Plan
 > **Created:** 2025-12-04
 > **Status:** COMPLETED
 > **Completed:** 2025-12-04
 ## Problem Statement
 The CLI services used an older `IStellaOpsTokenClient` API that no longer exists. This document outlines the migration strategy and tracks completion.
 ## Summary of Changes
 ### Files Created
 - `src/Cli/StellaOps.Cli/Extensions/StellaOpsTokenClientExtensions.cs` - Compatibility shim methods
 ### Files Modified
 #### Service Files (Auth.Client API Migration)
 1. `OrchestratorClient.cs` - Updated scope references
 2. `VexObservationsClient.cs` - Updated to use `GetAccessTokenAsync(string)` extension, removed `IsSuccess` check
 3. `SbomerClient.cs` - Fixed `GetTokenAsync` to use `AccessToken` property
 4. `ExceptionClient.cs` - Updated token acquisition pattern
 5. `NotifyClient.cs` - Updated token acquisition pattern
 6. `ObservabilityClient.cs` - Updated token acquisition pattern
 7. `PackClient.cs` - Updated token acquisition pattern
 8. `SbomClient.cs` - Updated token acquisition pattern
 #### Command Handlers (Signature Fixes)
 9. `CommandHandlers.cs`:
   - Fixed `CreateLogger<CommandHandlers>()` static type error (line 80)
   - Fixed PolicyDsl diagnostic rendering (removed Line/Column/Suggestion, added Path)
 10. `CommandFactory.cs`:
    - Fixed `HandleExceptionsListAsync` argument order and count
    - Fixed `HandleExceptionsCreateAsync` argument order, expiration type conversion
    - Fixed `HandleExceptionsPromoteAsync` argument order
    - Fixed `HandleExceptionsExportAsync` argument order and count
    - Fixed `HandleExceptionsImportAsync` argument order
 #### Model Updates
 11. `PolicyWorkspaceModels.cs` - Updated `PolicyDiagnostic` class (replaced Line/Column/Span/Suggestion with Path)
 ## Old API (Removed)
 ```csharp
 // Methods that no longer exist
 Task<StellaOpsTokenResult> GetTokenAsync(StellaOpsTokenRequest request, CancellationToken ct);
 Task<StellaOpsTokenResult> GetAccessTokenAsync(string[] scopes, CancellationToken ct);
 // Types that no longer exist
 class StellaOpsTokenRequest { string[] Scopes; }
 static class StellaOpsScope { const string OrchRead = "orch:read"; }
 // Properties removed from StellaOpsTokenResult
 bool IsSuccess;
 ```
 ## New API (Current)
 ```csharp
 interface IStellaOpsTokenClient
 {
    Task<StellaOpsTokenResult> RequestClientCredentialsTokenAsync(
        string? scope = null,
        IReadOnlyDictionary<string, string>? additionalParameters = null,
        CancellationToken cancellationToken = default);
    ValueTask<StellaOpsTokenCacheEntry?> GetCachedTokenAsync(string key, CancellationToken ct);
    ValueTask CacheTokenAsync(string key, StellaOpsTokenCacheEntry entry, CancellationToken ct);
 }
 // StellaOpsTokenResult record properties:
 // - AccessToken (string)
 // - TokenType (string)
 // - ExpiresAtUtc (DateTimeOffset)
 // - Scopes (IReadOnlyList<string>)
 ```
 ## Migration Approach
 ### Extension Methods Created
 ```csharp
 public static class StellaOpsTokenClientExtensions
 {
    // Single scope version
    public static async Task<StellaOpsTokenResult> GetAccessTokenAsync(
        this IStellaOpsTokenClient client,
        string scope,
        CancellationToken cancellationToken = default);
    // Multi-scope version
    public static async Task<StellaOpsTokenResult> GetAccessTokenAsync(
        this IStellaOpsTokenClient client,
        IEnumerable<string> scopes,
        CancellationToken cancellationToken = default);
    // Cached token version
    public static async Task<StellaOpsTokenCacheEntry> GetCachedAccessTokenAsync(
        this IStellaOpsTokenClient client,
        string scope,
        CancellationToken cancellationToken = default);
    // Parameterless version
    public static async Task<StellaOpsTokenResult> GetTokenAsync(
        this IStellaOpsTokenClient client,
        CancellationToken cancellationToken = default);
 }
 ```
 ### Scope Constants
 Used `StellaOpsScopes` from `StellaOps.Auth.Abstractions` namespace (e.g., `StellaOpsScopes.OrchRead`, `StellaOpsScopes.VexRead`).
 ## Build Results
 **Build succeeded with 0 errors, 6 warnings:**
 - 3x CS8629 nullable warnings in OutputRenderer.cs
 - 1x CS0618 obsolete warning (VulnRead → VulnView)
 - 1x SYSLIB0057 obsolete X509Certificate2 constructor
 - 1x CS0219 unused variable warning
 ## Implementation Checklist
 - [x] Create `StellaOpsTokenClientExtensions.cs`
 - [x] Verify `StellaOpsScopes` exists in Auth.Abstractions
 - [x] Update OrchestratorClient.cs
 - [x] Update VexObservationsClient.cs
 - [x] Update SbomerClient.cs
 - [x] Update ExceptionClient.cs
 - [x] Update NotifyClient.cs
 - [x] Update ObservabilityClient.cs
 - [x] Update PackClient.cs
 - [x] Update SbomClient.cs
 - [x] Fix CommandHandlers static type error
 - [x] Fix PolicyDsl API changes (PolicyIssue properties)
 - [x] Fix HandleExceptionsListAsync signature
 - [x] Fix HandleExceptionsCreateAsync signature
 - [x] Fix HandleExceptionsPromoteAsync signature
 - [x] Fix HandleExceptionsExportAsync signature
 - [x] Fix HandleExceptionsImportAsync signature
 - [x] Update PolicyDiagnostic model
 - [x] Build verification passed
--- a/docs/implplan/SPRINT_0111_0001_0001_advisoryai.md
+++ b/docs/implplan/SPRINT_0111_0001_0001_advisoryai.md
@@ -21,6 +21,8 @@
 - docs/modules/platform/architecture-overview.md
 - docs/modules/advisory-ai/architecture.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0113_0001_0002_concelier_ii.md
+++ b/docs/implplan/SPRINT_0113_0001_0002_concelier_ii.md
@@ -25,6 +25,8 @@
 - `src/Concelier/AGENTS.md` (module charter, testing/guardrail rules)
 - `docs/modules/concelier/link-not-merge-schema.md` (LNM schema v1, frozen 2025-11-17)
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md
+++ b/docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md
@@ -23,6 +23,8 @@
 - docs/modules/concelier/architecture.md (ingestion, observability, orchestrator notes)
 - Current OpenAPI spec + SDK docs referenced by CONCELIER-OAS-61/62/63
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md
+++ b/docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md
@@ -23,6 +23,8 @@
 - docs/modules/concelier/architecture.md (policy/risk/tenant scope sections)
 - docs/dev/raw-linkset-backfill-plan.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0116_0001_0005_concelier_v.md
+++ b/docs/implplan/SPRINT_0116_0001_0005_concelier_v.md
@@ -24,6 +24,8 @@
 - docs/modules/concelier/architecture.md (airgap, AOC, observability)
 - Link-Not-Merge API specs and error envelope guidelines
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0117_0001_0006_concelier_vi.md
+++ b/docs/implplan/SPRINT_0117_0001_0006_concelier_vi.md
@@ -24,6 +24,8 @@
 - docs/modules/concelier/architecture.md (connectors, evidence locker integration)
 - docs/migration/no-merge.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0119_0001_0004_excititor_iv.md
+++ b/docs/implplan/SPRINT_0119_0001_0004_excititor_iv.md
@@ -24,6 +24,8 @@
 - `docs/modules/excititor/implementation_plan.md`
 - Excititor component `AGENTS.md` files (Core, WebService, Worker).
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0119_0001_0005_excititor_v.md
+++ b/docs/implplan/SPRINT_0119_0001_0005_excititor_v.md
@@ -24,6 +24,8 @@
 - `docs/modules/excititor/implementation_plan.md`
 - Excititor component `AGENTS.md` files (WebService, Core, Storage).
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0119_0001_0006_excititor_vi.md
+++ b/docs/implplan/SPRINT_0119_0001_0006_excititor_vi.md
@@ -23,6 +23,8 @@
 - `docs/modules/excititor/implementation_plan.md`
 - Excititor component `AGENTS.md` files (WebService).
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0120_0000_0001_policy_reasoning.md
+++ b/docs/implplan/SPRINT_0120_0000_0001_policy_reasoning.md
@@ -44,6 +44,8 @@
 - `docs/modules/findings-ledger/airgap-provenance.md`
 - `docs/observability/policy.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0121_0001_0001_policy_reasoning.md
+++ b/docs/implplan/SPRINT_0121_0001_0001_policy_reasoning.md
@@ -26,6 +26,8 @@
 - docs/modules/findings-ledger/workflow-inference.md
 - src/Findings/StellaOps.Findings.Ledger/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0121_0001_0002_policy_reasoning_blockers.md
+++ b/docs/implplan/SPRINT_0121_0001_0002_policy_reasoning_blockers.md
@@ -20,6 +20,8 @@
 - `docs/modules/findings-ledger/prep/ledger-attestations-http.md`
 - `docs/modules/findings-ledger/prep/ledger-risk-prep.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0122_0001_0001_policy_reasoning.md
+++ b/docs/implplan/SPRINT_0122_0001_0001_policy_reasoning.md
@@ -27,6 +27,8 @@
 - docs/modules/findings-ledger/workflow-inference.md
 - src/Findings/StellaOps.Findings.Ledger/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0123_0001_0001_policy_reasoning.md
+++ b/docs/implplan/SPRINT_0123_0001_0001_policy_reasoning.md
@@ -25,6 +25,8 @@
 - `docs/modules/policy/architecture.md`
 - Any export/air-gap/attestation contract docs once published.
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0124_0001_0001_policy_reasoning.md
+++ b/docs/implplan/SPRINT_0124_0001_0001_policy_reasoning.md
@@ -20,6 +20,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - `docs/modules/policy/architecture.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Interlocks
 - POLICY-CONSOLE-23-001 (Console export/simulation contract from BE-Base Platform) satisfied on 2025-12-02 via `docs/modules/policy/contracts/policy-console-23-001-console-api.md`.
--- a/docs/implplan/SPRINT_0125_0001_0001_mirror.md
+++ b/docs/implplan/SPRINT_0125_0001_0001_mirror.md
@@ -17,6 +17,8 @@
 - `docs/modules/devops/architecture.md`
 - `docs/modules/policy/architecture.md` (for provenance expectations)
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0125_0001_0001_policy_reasoning.md
+++ b/docs/implplan/SPRINT_0125_0001_0001_policy_reasoning.md
@@ -21,6 +21,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - `docs/modules/policy/architecture.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0126_0001_0001_policy_reasoning.md
+++ b/docs/implplan/SPRINT_0126_0001_0001_policy_reasoning.md
@@ -18,6 +18,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - `docs/modules/policy/architecture.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0127_0001_0001_policy_reasoning.md
+++ b/docs/implplan/SPRINT_0127_0001_0001_policy_reasoning.md
@@ -17,6 +17,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - `docs/modules/policy/architecture.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0128_0001_0001_policy_reasoning.md
+++ b/docs/implplan/SPRINT_0128_0001_0001_policy_reasoning.md
@@ -20,6 +20,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - `docs/modules/policy/architecture.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0129_0001_0001_policy_reasoning.md
+++ b/docs/implplan/SPRINT_0129_0001_0001_policy_reasoning.md
@@ -21,6 +21,8 @@
 - `docs/modules/policy/architecture.md`
 - Module docs for Registry, RiskEngine, VexLens, VulnExplorer as applicable.
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0131_0001_0001_scanner_surface.md
+++ b/docs/implplan/SPRINT_0131_0001_0001_scanner_surface.md
@@ -25,6 +25,8 @@
 - docs/modules/scanner/architecture.md
 - src/Scanner/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0132_0001_0001_scanner_surface.md
+++ b/docs/implplan/SPRINT_0132_0001_0001_scanner_surface.md
@@ -26,6 +26,8 @@
 - docs/modules/scanner/architecture.md
 - Ensure module-level AGENTS.md exists for `src/Scanner`; if missing, complete the governance task below.
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0133_0001_0001_scanner_surface.md
+++ b/docs/implplan/SPRINT_0133_0001_0001_scanner_surface.md
@@ -16,6 +16,8 @@
 - docs/modules/scanner/architecture.md
 - src/Scanner/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0134_0001_0001_scanner_surface.md
+++ b/docs/implplan/SPRINT_0134_0001_0001_scanner_surface.md
@@ -16,6 +16,8 @@
 - docs/modules/scanner/architecture.md
 - src/Scanner/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0135_0001_0001_scanner_surface.md
+++ b/docs/implplan/SPRINT_0135_0001_0001_scanner_surface.md
@@ -16,6 +16,8 @@
 - docs/modules/scanner/architecture.md
 - src/Scanner/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0136_0001_0001_scanner_surface.md
+++ b/docs/implplan/SPRINT_0136_0001_0001_scanner_surface.md
@@ -16,6 +16,8 @@
 - docs/modules/scanner/architecture.md
 - src/Scanner/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0138_0000_0001_scanner_ruby_parity.md
+++ b/docs/implplan/SPRINT_0138_0000_0001_scanner_ruby_parity.md
@@ -16,6 +16,8 @@
 - `docs/modules/scanner/architecture.md`; `docs/modules/scanner/operations/dsse-rekor-operator-guide.md`.
 - AGENTS for involved components: `src/Scanner/StellaOps.Scanner.Worker/AGENTS.md`, `src/Scanner/StellaOps.Scanner.WebService/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart/AGENTS.md`, `src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md`.
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md
+++ b/docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md
@@ -21,6 +21,8 @@
 - docs/modules/concelier/architecture.md
 - docs/modules/zastava/architecture.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0141_0001_0001_graph_indexer.md
+++ b/docs/implplan/SPRINT_0141_0001_0001_graph_indexer.md
@@ -18,6 +18,8 @@
 - docs/modules/platform/architecture-overview.md
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0142_0001_0001_sbomservice.md
+++ b/docs/implplan/SPRINT_0142_0001_0001_sbomservice.md
@@ -16,6 +16,8 @@
 - docs/modules/platform/architecture-overview.md
 - docs/modules/sbomservice/architecture.md (module dossier).
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0143_0000_0001_signals.md
+++ b/docs/implplan/SPRINT_0143_0000_0001_signals.md
@@ -16,6 +16,8 @@
 - src/Signals/StellaOps.Signals/AGENTS.md.
 - CAS waiver/remediation checklist dated 2025-11-17 for SIGNALS-24-002/004/005 scope.
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0144_0001_0001_zastava_runtime_signals.md
+++ b/docs/implplan/SPRINT_0144_0001_0001_zastava_runtime_signals.md
@@ -19,6 +19,8 @@
 - src/Zastava/StellaOps.Zastava.Observer/AGENTS.md
 - src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0150_0001_0001_mirror_dsse.md
+++ b/docs/implplan/SPRINT_0150_0001_0001_mirror_dsse.md
@@ -14,6 +14,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - Any mirror DSSE drafts (if available).
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0150_0001_0001_scheduling_automation.md
+++ b/docs/implplan/SPRINT_0150_0001_0001_scheduling_automation.md
@@ -18,6 +18,8 @@
 - docs/modules/taskrunner/architecture.md
 - docs/modules/registry/architecture.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0150_0001_0002_mirror_time.md
+++ b/docs/implplan/SPRINT_0150_0001_0002_mirror_time.md
@@ -14,6 +14,8 @@
 - docs/modules/mirror/milestone-0-thin-bundle.md
 - docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0150_0001_0003_mirror_orch.md
+++ b/docs/implplan/SPRINT_0150_0001_0003_mirror_orch.md
@@ -14,6 +14,8 @@
 - docs/modules/export-center/architecture.md
 - docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0151_0001_0001_orchestrator_i.md
+++ b/docs/implplan/SPRINT_0151_0001_0001_orchestrator_i.md
@@ -16,6 +16,8 @@
 - docs/modules/graph/architecture.md
 - docs/modules/telemetry/architecture.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0152_0001_0002_orchestrator_ii.md
+++ b/docs/implplan/SPRINT_0152_0001_0002_orchestrator_ii.md
@@ -17,6 +17,8 @@
 - docs/modules/orchestrator/architecture.md
 - src/Orchestrator/StellaOps.Orchestrator/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0153_0001_0003_orchestrator_iii.md
+++ b/docs/implplan/SPRINT_0153_0001_0003_orchestrator_iii.md
@@ -16,6 +16,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - Module charter: `src/Orchestrator/StellaOps.Orchestrator/AGENTS.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0154_0001_0001_packsregistry.md
+++ b/docs/implplan/SPRINT_0154_0001_0001_packsregistry.md
@@ -18,6 +18,8 @@
 - docs/modules/devops/architecture.md
 - Any PacksRegistry AGENTS.md (if present under src/PacksRegistry).
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0155_0001_0001_scheduler_i.md
+++ b/docs/implplan/SPRINT_0155_0001_0001_scheduler_i.md
@@ -16,6 +16,8 @@
 - docs/modules/scheduler/architecture.md
 - src/Scheduler/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0156_0001_0002_scheduler_ii.md
+++ b/docs/implplan/SPRINT_0156_0001_0002_scheduler_ii.md
@@ -16,6 +16,8 @@
 - docs/modules/scheduler/implementation_plan.md
 - docs/modules/platform/architecture-overview.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0157_0001_0001_taskrunner_i.md
+++ b/docs/implplan/SPRINT_0157_0001_0001_taskrunner_i.md
@@ -16,6 +16,8 @@
 - docs/modules/taskrunner/architecture.md (if available)
 - src/TaskRunner/StellaOps.TaskRunner/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0157_0001_0002_taskrunner_blockers.md
+++ b/docs/implplan/SPRINT_0157_0001_0002_taskrunner_blockers.md
@@ -13,6 +13,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - `src/TaskRunner/StellaOps.TaskRunner/AGENTS.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0158_0001_0002_taskrunner_ii.md
+++ b/docs/implplan/SPRINT_0158_0001_0002_taskrunner_ii.md
@@ -21,6 +21,8 @@
 - docs/task-packs/runbook.md
 - src/TaskRunner/StellaOps.TaskRunner/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0160_0001_0001_export_evidence.md
+++ b/docs/implplan/SPRINT_0160_0001_0001_export_evidence.md
@@ -19,6 +19,8 @@
 - `docs/replay/DETERMINISTIC_REPLAY.md`, `docs/runbooks/replay_ops.md`
 - `docs/events/orchestrator-scanner-events.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0161_0001_0001_evidencelocker.md
+++ b/docs/implplan/SPRINT_0161_0001_0001_evidencelocker.md
@@ -20,6 +20,8 @@
 - `docs/events/orchestrator-scanner-events.md`
 - `docs/modules/cli/architecture.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0162_0001_0001_exportcenter_i.md
+++ b/docs/implplan/SPRINT_0162_0001_0001_exportcenter_i.md
@@ -18,6 +18,8 @@
 - EvidenceLocker bundle packaging (`docs/modules/evidence-locker/bundle-packaging.md`) once frozen
 - DevPortal offline guidance (DVOFF-64 series) as provided by DevPortal Offline Guild
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0163_0001_0001_exportcenter_ii.md
+++ b/docs/implplan/SPRINT_0163_0001_0001_exportcenter_ii.md
@@ -17,6 +17,8 @@
 - EvidenceLocker bundle packaging (`docs/modules/evidence-locker/bundle-packaging.md`) once frozen
 - Observability guidance/dashboards referenced by Observability Guild
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0164_0001_0001_exportcenter_iii.md
+++ b/docs/implplan/SPRINT_0164_0001_0001_exportcenter_iii.md
@@ -16,6 +16,8 @@
 - docs/modules/export-center/architecture.md
 - src/ExportCenter/AGENTS.md (if present)
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0165_0001_0001_timelineindexer.md
+++ b/docs/implplan/SPRINT_0165_0001_0001_timelineindexer.md
@@ -16,6 +16,8 @@
 - docs/modules/export-center/architecture.md (for evidence linkage)
 - src/TimelineIndexer/StellaOps.TimelineIndexer/AGENTS.md (if present)
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0170_0001_0001_notifications_telemetry.md
+++ b/docs/implplan/SPRINT_0170_0001_0001_notifications_telemetry.md
@@ -16,6 +16,8 @@
 - docs/modules/notifications/architecture.md
 - docs/modules/telemetry/architecture.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Track | Status | Key dependency / next step | Owners | Notes |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0171_0001_0001_notifier_i.md
+++ b/docs/implplan/SPRINT_0171_0001_0001_notifier_i.md
@@ -17,6 +17,8 @@
 - docs/notifications/templates.md
 - src/Notifier/StellaOps.Notifier/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0172_0001_0002_notifier_ii.md
+++ b/docs/implplan/SPRINT_0172_0001_0002_notifier_ii.md
@@ -15,6 +15,8 @@
 - docs/modules/notifications/architecture.md
 - src/Notifier/StellaOps.Notifier/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0173_0001_0003_notifier_iii.md
+++ b/docs/implplan/SPRINT_0173_0001_0003_notifier_iii.md
@@ -15,6 +15,8 @@
 - docs/modules/notifications/architecture.md
 - src/Notifier/StellaOps.Notifier/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0174_0001_0001_telemetry.md
+++ b/docs/implplan/SPRINT_0174_0001_0001_telemetry.md
@@ -16,6 +16,8 @@
 - docs/modules/telemetry/architecture.md
 - src/Telemetry/StellaOps.Telemetry.Core/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0180_0001_0001_telemetry_core.md
+++ b/docs/implplan/SPRINT_0180_0001_0001_telemetry_core.md
@@ -15,6 +15,8 @@
 - docs/modules/platform/architecture-overview.md
 - docs/modules/telemetry/architecture.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0185_0001_0001_shared_replay_primitives.md
+++ b/docs/implplan/SPRINT_0185_0001_0001_shared_replay_primitives.md
@@ -14,6 +14,8 @@
 - docs/modules/platform/architecture-overview.md (Replay CAS §5)
 - docs/replay/DETERMINISTIC_REPLAY.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md
+++ b/docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md
@@ -19,6 +19,8 @@
 - Product advisory: `docs/product-advisories/27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md` (canonical for SPDX/VEX work)
 - SPDX 3.0.1 specification: https://spdx.github.io/spdx-spec/v3.0.1/
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0187_0001_0001_evidence_locker_cli_integration.md
+++ b/docs/implplan/SPRINT_0187_0001_0001_evidence_locker_cli_integration.md
@@ -16,6 +16,8 @@
 - docs/runbooks/replay_ops.md
 - docs/security/crypto-routing-audit-2025-11-07.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0190_0001_0001_cvss_v4_receipts.md
+++ b/docs/implplan/SPRINT_0190_0001_0001_cvss_v4_receipts.md
@@ -21,6 +21,8 @@
 - FIRST CVSS v4.0 Calculator: https://www.first.org/cvss/calculator/4-0
 - Module AGENTS.md: Create `src/Policy/StellaOps.Policy.Scoring/AGENTS.md` as part of task 1
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0200_0001_0001_experience_sdks.md
+++ b/docs/implplan/SPRINT_0200_0001_0001_experience_sdks.md
@@ -15,6 +15,8 @@
 - docs/modules/platform/architecture-overview.md
 - docs/implplan/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0201_0001_0001_cli_i.md
+++ b/docs/implplan/SPRINT_0201_0001_0001_cli_i.md
@@ -17,6 +17,8 @@
 - `docs/modules/cli/architecture.md`.
 - `src/Cli/StellaOps.Cli/AGENTS.md` and `docs/implplan/AGENTS.md`.
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0202_0001_0001_cli_ii.md
+++ b/docs/implplan/SPRINT_0202_0001_0001_cli_ii.md
@@ -16,6 +16,8 @@
 - docs/modules/cli/architecture.md
 - src/Cli/StellaOps.Cli/AGENTS.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0206_0001_0001_devportal.md
+++ b/docs/implplan/SPRINT_0206_0001_0001_devportal.md
@@ -17,6 +17,8 @@
 - `docs/modules/platform/architecture.md`
 - `docs/modules/ui/architecture.md` (for shared UX conventions)
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0207_0001_0001_graph.md
+++ b/docs/implplan/SPRINT_0207_0001_0001_graph.md
@@ -20,6 +20,8 @@
 - `docs/modules/graph/implementation_plan.md`
 - `src/Graph/AGENTS.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0208_0001_0001_sdk.md
+++ b/docs/implplan/SPRINT_0208_0001_0001_sdk.md
@@ -17,6 +17,8 @@
 - docs/modules/cli/architecture.md; docs/modules/ui/architecture.md.
 - API/OAS governance specs referenced by APIG0101 and portal contracts (DEVL0101) once published.
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0209_0001_0001_ui_i.md
+++ b/docs/implplan/SPRINT_0209_0001_0001_ui_i.md
@@ -25,6 +25,8 @@
 - `docs/15_UI_GUIDE.md`
 - `docs/18_CODING_STANDARDS.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0210_0001_0002_ui_ii.md
+++ b/docs/implplan/SPRINT_0210_0001_0002_ui_ii.md
@@ -25,6 +25,8 @@
 - `docs/schemas/audit-bundle-index.schema.json`
 - Advisory: "28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md"
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0211_0001_0003_ui_iii.md
+++ b/docs/implplan/SPRINT_0211_0001_0003_ui_iii.md
@@ -25,6 +25,8 @@
 - `docs/15_UI_GUIDE.md`
 - `docs/18_CODING_STANDARDS.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0212_0001_0001_web_i.md
+++ b/docs/implplan/SPRINT_0212_0001_0001_web_i.md
@@ -18,6 +18,8 @@
 - `docs/api/console/workspaces.md` plus `docs/api/console/samples/` artifacts
 - `docs/implplan/archived/tasks.md` for prior completions
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition / Evidence |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0213_0001_0002_web_ii.md
+++ b/docs/implplan/SPRINT_0213_0001_0002_web_ii.md
@@ -20,6 +20,8 @@
 - `docs/modules/export-center/architecture.md`
 - `src/Web/StellaOps.Web/AGENTS.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0214_0001_0001_web_iii.md
+++ b/docs/implplan/SPRINT_0214_0001_0001_web_iii.md
@@ -18,6 +18,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - `src/Web/StellaOps.Web/AGENTS.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0215_0001_0001_vuln_triage_ux.md
+++ b/docs/implplan/SPRINT_0215_0001_0001_vuln_triage_ux.md
@@ -23,6 +23,8 @@
 - `docs/schemas/vex-decision.schema.json`
 - `docs/schemas/audit-bundle-index.schema.json`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0215_0001_0001_web_iv.md
+++ b/docs/implplan/SPRINT_0215_0001_0001_web_iv.md
@@ -18,6 +18,8 @@
 - `docs/modules/policy/architecture.md`
 - `src/Web/StellaOps.Web/AGENTS.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0216_0001_0001_web_v.md
+++ b/docs/implplan/SPRINT_0216_0001_0001_web_v.md
@@ -18,6 +18,8 @@
 - `docs/modules/ui/architecture.md`
 - `src/Web/StellaOps.Web/AGENTS.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0301_0001_0001_docs_md_i.md
+++ b/docs/implplan/SPRINT_0301_0001_0001_docs_md_i.md
@@ -18,6 +18,8 @@
 - `docs/modules/scanner/architecture.md`
 - `docs/modules/airgap/architecture.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Task Board
 | Task ID | Status | Owner(s) | Dependencies | Notes |
 | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0313_0001_0001_docs_modules_attestor.md
+++ b/docs/implplan/SPRINT_0313_0001_0001_docs_modules_attestor.md
@@ -18,6 +18,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md
+++ b/docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md
@@ -18,6 +18,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0315_0001_0001_docs_modules_ci.md
+++ b/docs/implplan/SPRINT_0315_0001_0001_docs_modules_ci.md
@@ -18,6 +18,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0316_0001_0001_docs_modules_cli.md
+++ b/docs/implplan/SPRINT_0316_0001_0001_docs_modules_cli.md
@@ -18,6 +18,8 @@
 - docs/modules/platform/architecture-overview.md
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0317_0001_0001_docs_modules_concelier.md
+++ b/docs/implplan/SPRINT_0317_0001_0001_docs_modules_concelier.md
@@ -18,6 +18,8 @@
 - docs/modules/platform/architecture-overview.md
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0320_0001_0001_docs_modules_export_center.md
+++ b/docs/implplan/SPRINT_0320_0001_0001_docs_modules_export_center.md
@@ -19,6 +19,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0321_0001_0001_docs_modules_graph.md
+++ b/docs/implplan/SPRINT_0321_0001_0001_docs_modules_graph.md
@@ -17,6 +17,8 @@
 - docs/modules/platform/architecture-overview.md
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0323_0001_0001_docs_modules_orchestrator.md
+++ b/docs/implplan/SPRINT_0323_0001_0001_docs_modules_orchestrator.md
@@ -16,6 +16,8 @@
 - docs/modules/orchestrator/implementation_plan.md
 - docs/modules/platform/architecture-overview.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0324_0001_0001_docs_modules_platform.md
+++ b/docs/implplan/SPRINT_0324_0001_0001_docs_modules_platform.md
@@ -18,6 +18,8 @@
 - `docs/modules/platform/implementation_plan.md`
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0327_0001_0001_docs_modules_scanner.md
+++ b/docs/implplan/SPRINT_0327_0001_0001_docs_modules_scanner.md
@@ -16,6 +16,8 @@
 - docs/modules/platform/architecture-overview.md
 - docs/modules/scanner/architecture.md
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0328_0001_0001_docs_modules_scheduler.md
+++ b/docs/implplan/SPRINT_0328_0001_0001_docs_modules_scheduler.md
@@ -16,6 +16,8 @@
 - docs/modules/scheduler/implementation_plan.md
 - docs/modules/scheduler/AGENTS.md (this sprint refreshes it)
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0330_0001_0001_docs_modules_telemetry.md
+++ b/docs/implplan/SPRINT_0330_0001_0001_docs_modules_telemetry.md
@@ -18,6 +18,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/docs/implplan/SPRINT_0331_0001_0001_docs_modules_ui.md
+++ b/docs/implplan/SPRINT_0331_0001_0001_docs_modules_ui.md
@@ -18,6 +18,8 @@
 - `docs/modules/platform/architecture-overview.md`
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 > **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
--- a/Show More
+++ b/Show More