feat: Add comprehensive product advisories for improved scanner functionality

- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations.
- Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency.
- Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results.
- Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages.
- Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange.
- Established a validation plan for quiet scans, focusing on provenance and CI integration.
- Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.

docs/implplan/archived/updates/2025-10-18-docs-guild.md

@@ -0,0 +1,14 @@
+# Docs Guild Update — 2025-10-18
+
+**Subject:** ADR process + events schema validation shipped  
+**Audience:** Docs Guild, DevEx, Platform Events
+
+- Published the ADR contribution guide at `docs/adr/index.md` and enriched the template to capture authorship, deciders, and alternatives. All new cross-module decisions should follow this workflow.
+- Linked the ADR hub from `docs/README.md` so operators and engineers can discover the process without digging through directories.
+- Extended Docs CI (`.gitea/workflows/docs.yml`) to compile event schemas with Ajv (including `ajv-formats`) and documented the local loop in `docs/events/README.md`.
+- Captured the mirror/offline workflow in `docs/ci/20_CI_RECIPES.md` so runners know how to install the Ajv toolchain and publish previews without internet access.
+- Validated `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1` schemas locally to unblock Platform Events acknowledgements.
+
+Next steps:
+- Platform Events to confirm Notify/Scheduler consumers have visibility into the schema docs.
+- DevEx to add ADR announcement blurb to the next sprint recap if broader broadcast is needed.

docs/implplan/archived/updates/2025-10-19-docs-guild.md

@@ -0,0 +1,12 @@
+# Docs Guild Update — 2025-10-19
+
+**Subject:** Event envelope reference & canonical samples
+**Audience:** Docs Guild, Platform Events, Runtime Guild
+
+- Extended `docs/events/README.md` with envelope field tables, offline validation commands, and guidance for optional payload fields.
+- Added canonical sample payloads under `docs/events/samples/` for `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1`; validated them with `ajv-cli` to match the published schemas.
+- Documented the validation loop so air-gapped operators can mirror the CI checks before rolling new event versions.
+
+Next steps:
+- Platform Events to embed the canonical samples into their contract tests.
+- Runtime Guild checklist for quieted finding counts & progress hints published in `docs/runtime/SCANNER_RUNTIME_READINESS.md`; gather stakeholder sign-off.

docs/implplan/archived/updates/2025-10-19-platform-events.md

@@ -0,0 +1,10 @@
+# Platform Events Update — 2025-10-19
+
+**Subject:** Canonical event samples enforced across tests & CI  
+**Audience:** Platform Events Guild, Notify Guild, Scheduler Guild, Docs Guild
+
+- Scanner WebService contract tests deserialize `scanner.report.ready@1` and `scanner.scan.completed@1` samples, validating DSSE payloads and canonical ordering via `NotifyCanonicalJsonSerializer`.
+- Notify and Scheduler model suites now round-trip the published event samples (including `attestor.logged@1` and `scheduler.rescan.delta@1`) to catch drift in consumer expectations.
+- Docs CI (`.gitea/workflows/docs.yml`) validates every sample against its schema with `ajv-cli`, keeping offline bundles and repositories aligned.
+
+No additional follow-ups — downstream teams can rely on the committed samples for integration coverage.

docs/implplan/archived/updates/2025-10-19-scanner-policy.md

@@ -0,0 +1,5 @@
+# 2025-10-19 – Scanner ↔ Policy Sync
+
+- Scanner WebService now emits `scanner.report.ready` and `scanner.scan.completed` via Redis Streams when `scanner.events.enabled=true`; DSSE envelopes are embedded verbatim to keep Notify/UI consumers in sync.
+- Config plumbing introduces `scanner:events:*` settings (driver, DSN, stream, publish timeout) with validation and Redis-backed publisher wiring.
+- Policy Guild coordination task `POLICY-RUNTIME-17-201` opened to track Zastava runtime feed contract; `SCANNER-RUNTIME-17-401` now depends on it so reachability tags stay aligned once runtime endpoints ship.

docs/implplan/archived/updates/2025-10-19-scheduler-storage.md

@@ -0,0 +1,8 @@
+# Scheduler Storage Update — 2025-10-19
+
+**Subject:** Mongo bootstrap + canonical fixtures  
+**Audience:** Scheduler Storage Guild, Scheduler WebService/Worker teams
+
+- Added `StellaOps.Scheduler.Storage.Mongo` bootstrap (`AddSchedulerMongoStorage`) with collection/index migrations for schedules, runs (incl. TTL), impact snapshots, audit, and locks.
+- Introduced Mongo2Go-backed tests that round-trip the published scheduler samples (`samples/api/scheduler/*.json`) to ensure canonical JSON stays intact.
+- `ISchedulerMongoInitializer.EnsureMigrationsAsync` now provides the single entry point for WebService/Worker hosts to apply migrations at startup.

docs/implplan/archived/updates/2025-10-20-authority-identity-registry.md

@@ -0,0 +1,14 @@
+# 2025-10-20 — Authority Identity Provider Registry & DPoP nonce updates
+
+## Summary
+- Authority host now resolves identity providers through the new metadata/handle pattern introduced in `StellaOps.Authority.Plugins.Abstractions`. Runtime handlers (`ValidateClientCredentialsHandler`, `ValidatePasswordGrantHandler`, `ValidateAccessTokenHandler`, bootstrap endpoints) acquire providers with `IAuthorityIdentityProviderRegistry.AcquireAsync` and rely on metadata (`AuthorityIdentityProviderMetadata`) for capability checks.
+- Unit and integration tests build lightweight `ServiceProvider` instances with test plugins, matching production DI behaviour and ensuring the new registry contract is exercised.
+- DPoP nonce enforcement now prefers `NormalizedAudiences` when populated and gracefully falls back to the configured `RequiredAudiences`, eliminating the runtime type mismatch that previously surfaced during test runs.
+
+## Operator impact
+- No configuration changes are required; existing YAML and environment-based settings continue to function.
+- Documentation examples referencing password/mTLS bootstrap flows remain accurate. The new registry logic simply ensures providers advertised in configuration are resolved deterministically and capability-gated before use.
+
+## Developer notes
+- When adding new identity providers or tests, register plugins via `ServiceCollection` and call `new AuthorityIdentityProviderRegistry(serviceProvider, logger)`.
+- For DPoP-required endpoints, populate `security.senderConstraints.dpop.nonce.requiredAudiences` or rely on defaults; both now funnel through the normalized set.

docs/implplan/archived/updates/2025-10-20-scanner-events.md

@@ -0,0 +1,5 @@
+# 2025-10-20 – Scanner Platform Events Hardening
+
+- Scanner WebService now wires a reusable `IRedisConnectionFactory`, simplifying redis transport testing and reuse for future adapters.
+- `/api/v1/reports` integration test (`ReportsEndpointPublishesPlatformEvents`) asserts both report-ready and scan-completed envelopes carry DSSE payloads, scope metadata, and deterministic verdicts.
+- Task `SCANNER-EVENTS-15-201` closed after verifying `dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj`.

docs/implplan/archived/updates/2025-10-22-docs-guild.md

@@ -0,0 +1,13 @@
+# Docs Guild Update — 2025-10-22
+
+**Subject:** Concelier Authority toggle rollout polish  
+**Audience:** Docs Guild, Concelier WebService Guild, Authority Core
+
+- Added a rollout phase table to `docs/10_CONCELIER_CLI_QUICKSTART.md`, clarifying how `authority.enabled` and `authority.allowAnonymousFallback` move from validation to enforced mode and highlighting the audit/metric signals to watch at each step.
+- Extended the Authority integration checklist in the same quickstart so operators tie CLI smoke tests to audit counters before flipping enforcement.
+- Refreshed `docs/modules/concelier/operations/authority-audit-runbook.md` with the latest date stamp, prerequisites, and pre-check guidance that reference the quickstart timeline; keeps change-request templates aligned.
+- Documented the new Go analyzer artefacts in `docs/24_OFFLINE_KIT.md` (manifest excerpt + tarball smoke test) so Ops can confirm the plug-in ships in the 2025‑10‑22 bundle before promoting it to mirrors.
+
+Next steps:
+- Concelier WebService owners to link this update in the next deployment bulletin once FEEDWEB-DOCS-01-001 clears review.
+- Docs Guild to verify the Offline Kit doc bundle picks up the quickstart/runbook changes after the nightly build.

docs/implplan/archived/updates/2025-10-26-authority-graph-scopes.md

@@ -0,0 +1,15 @@
+# 2025-10-26 — Authority graph scopes documentation refresh
+
+## Summary
+
+- Documented least-privilege guidance for the new `graph:*` scopes in `docs/11_AUTHORITY.md` (scope mapping, tenant propagation, and DPoP expectations).
+- Extended the sample client table/config to include Cartographer and Graph API registrations so downstream teams can copy/paste the correct defaults.
+- Highlighted the requirement to consume `StellaOpsScopes` constants instead of hard-coded scope strings across services.
+
+## Next steps
+
+| Team | Follow-up | Target |
+|------|-----------|--------|
+| Authority Core | Ensure `/jwks` changelog references graph scope rollout in next release note. | 2025-10-28 |
+| Graph API Guild | Update gateway scaffolding to request scopes from `StellaOpsScopes` once the host project lands. | Sprint 21 stand-up |
+| Scheduler Guild | Confirm Cartographer client onboarding uses the new sample secret templates. | Sprint 21 stand-up |

docs/implplan/archived/updates/2025-10-26-scheduler-graph-jobs.md

@@ -0,0 +1,34 @@
+# 2025-10-26 — Scheduler Graph Job DTOs ready for integration
+
+## Summary
+
+SCHED-MODELS-21-001 delivered the new `GraphBuildJob`/`GraphOverlayJob` contracts and SCHED-MODELS-21-002 publishes the accompanying documentation + samples for downstream teams.
+
+Key links:
+
+- Schema doc: `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-21-001-GRAPH-JOBS.md`
+- Samples (round-trip tested): `samples/api/scheduler/graph-build-job.json`, `samples/api/scheduler/graph-overlay-job.json`
+- Event schema + sample: `docs/events/scheduler.graph.job.completed@1.json`, `docs/events/samples/scheduler.graph.job.completed@1.sample.json`
+- API doc: `src/Scheduler/StellaOps.Scheduler.WebService/docs/SCHED-WEB-21-001-GRAPH-APIS.md`
+- Tests: `StellaOps.Scheduler.Models.Tests/SamplePayloadTests.cs`, `GraphJobStateMachineTests.cs`
+
+## Action items
+
+| Guild | Request | Owner | Target |
+| --- | --- | --- | --- |
+| Scheduler WebService | Wire DTOs into upcoming `/graphs` job APIs (SCHED-WEB-21-001/002). | Scheduler Models Guild | Sprint 21 stand-up |
+| Scheduler Worker | Align planners/executors with `GraphJobStateMachine` and new metadata fields. | Scheduler Models Guild | Sprint 21 stand-up |
+| Cartographer | Confirm expectations for `graphSnapshotId`, `cartographerJobId`, overlay triggers. | Scheduler Models Guild | Cartographer sync 2025-10-27 |
+
+### Notification log
+
+- 2025-10-26 — Posted summary + action items to `#scheduler-guild` and `#cartographer-guild` using the snippet below. Both messages linked back to the schema doc and event sample for follow-up.
+- 2025-10-26 — Shared the API doc link with WebService guild thread for endpoint contract review before Cartographer wiring. Highlighted new `POST /graphs/hooks/completed` + `GET /graphs/overlays/lag` behaviour and correlation IDs.
+
+> Suggested message for Slack `#scheduler-guild` & `#cartographer-guild`:
+>
+> ```
+> Graph job DTOs/docs are live (SCHED-MODELS-21-001/002). Samples under samples/api/scheduler, schema notes in src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-21-001-GRAPH-JOBS.md. Please review before wiring SCHED-WEB-21-001/201. GraphJobStateMachine enforces status/attempt invariants—shout if you need additional states.
+> ```
+
+Record notifications here once posted.

docs/implplan/archived/updates/2025-10-27-console-security-signoff.md

@@ -0,0 +1,48 @@
+# Console Security Checklist Sign-off — 2025-10-27
+
+## Summary
+
+- Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint 23 build.
+- No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required.
+- Result: **PASS** – console may progress with Sprint 23 release gating.
+
+## Authority client validation
+
+- Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`.
+- Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`.
+
+## CSP enforcement
+
+- Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` – CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present.
+- Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared.
+
+## Fresh-auth timer
+
+- Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5 minutes idle.
+- Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs.
+
+## DPoP binding test
+
+- Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`.
+- Confirmed logs contain `ui.security.anomaly` event with matching `traceId`.
+
+## Offline mode exercise
+
+- Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages.
+- Imported Offline Kit manifest; parity checks report `OK` status.
+
+## Evidence parity
+
+- Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run <id>`; SHA-256 digests match.
+- Verified Downloads workspace never caches bundle contents (only manifest metadata stored).
+
+## Monitoring & alerts
+
+- Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures.
+- PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps.
+
+## Sign-off
+
+- Reviewed by **Security Guild** (lead: `@sec-lfox`).  
+- Sign-off recorded in Sprint 23 tracker (corresponding sprint file `docs/implplan/SPRINT_*.md`, `DOCS-CONSOLE-23-018`).
+

docs/implplan/archived/updates/2025-10-27-orch-operator-scope.md

@@ -0,0 +1,15 @@
+# 2025-10-27 — Orchestrator operator scope & audit metadata
+
+## Summary
+
+- Introduced the `orch:operate` scope and `Orch.Operator` role in Authority to unlock Orchestrator control actions while keeping read-only access under `Orch.Viewer`.
+- Authority now enforces `operator_reason` and `operator_ticket` parameters on `/token` requests that include `orch:operate`; missing values yield `invalid_request` and no token is issued.
+- Client credentials audit events capture both fields (`request.reason`, `request.ticket`), giving SecOps traceability for every control action.
+
+## Next steps
+
+| Team | Follow-up | Target |
+|------|-----------|--------|
+| Console Guild | Wire UI control panels to request `operator_reason`/`operator_ticket` when exchanging tokens for orchestrator actions. | Sprint 23 stand-up |
+| CLI Guild | Add flags to `stella orch` subcommands to pass reason/ticket metadata before enabling mutations. | Sprint 23 stand-up |
+| Orchestrator Service | Enforce presence of `X-Stella-Reason`/`X-Stella-Ticket` (or equivalent metadata) on mutate endpoints and align audit logging. | ORCH-SVC-33-001 implementation |

docs/implplan/archived/updates/2025-10-27-policy-scope-migration.md

@@ -0,0 +1,15 @@
+# 2025-10-27 — Policy scope migration guidance
+
+## Summary
+
+- Updated Authority defaults (`etc/authority.yaml`) to register a `policy-cli` client using the fine-grained scope set introduced by AUTH-POLICY-23-001 (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`).
+- Added release/CI documentation call-outs instructing operators to reissue tokens that previously relied on `policy:write`/`policy:submit`/`policy:run` scopes.
+- Introduced a repo verification script so future config changes fail CI when policy clients regress to the legacy scope bundles.
+
+## Next steps
+
+| Team | Follow-up | Target |
+|------|-----------|--------|
+| Authority Core | Rotate long-lived policy CLI tokens in staging to confirm new scope set before freezing release 2025.10. | 2025-10-29 |
+| DevOps Guild | Update automation secrets (CI/CD, offline kit) to point at the regenerated `policy-cli` credentials. | Sprint 23 stand-up |
+| Docs Guild | Fold the broader scope matrix refresh into AUTH-POLICY-23-003 once the dual-approval workflow lands. | Blocked on AUTH-POLICY-23-002 |

docs/implplan/archived/updates/2025-10-27-task-packs-docs.md

@@ -0,0 +1,15 @@
+# Docs Guild Update — Task Pack Docs (2025-10-27)
+
+- Added Task Pack core documentation set:
+  - `/docs/task-packs/spec.md`
+  - `/docs/task-packs/authoring-guide.md`
+  - `/docs/task-packs/registry.md`
+  - `/docs/task-packs/runbook.md`
+  - `/docs/security/pack-signing-and-rbac.md`
+  - `/docs/modules/cli/operations/release-and-packaging.md`
+- Each doc includes imposed-rule reminder, compliance checklist, and cross-links to Task Runner, Packs Registry, CLI release tasks.
+- Created asset staging instructions at `docs/assets/ui/tours/README.md` (shared with CLI enablement).
+- Circulated spec + authoring guide links to Task Runner, Packs Registry, Authority, and DevOps guild channels for technical review (2025-10-27). Target follow-up review once CLI parity tasks (`CLI-PACKS-42-001`, `CLI-PACKS-43-001`) land; tentative sync held for 2025-11-03 (Docs Guild to confirm).
+- Sprint tracker `DOCS-PACKS-43-001` marked DOING→DONE; follow-up reviews scheduled with Task Runner and Security guilds.
+
+Artifacts: [Spec](../task-packs/spec.md), [Authoring guide](../task-packs/authoring-guide.md), [Registry](../task-packs/registry.md), [Runbook](../task-packs/runbook.md), [Signing/RBAC](../security/pack-signing-and-rbac.md), [CLI release runbook](../modules/cli/operations/release-and-packaging.md).

docs/implplan/archived/updates/2025-10-28-docs-guild.md

@@ -0,0 +1,26 @@
+# Docs Guild Update — 2025-10-28
+
+## Console security posture draft
+
+- Published `docs/security/console-security.md` covering console OIDC/DPoP flow, scope map, fresh-auth sequence, CSP defaults, evidence handling, and monitoring checklist.
+- Authority owners (`AUTH-CONSOLE-23-003`) to verify `/fresh-auth` token semantics (120 s OpTok, 300 s fresh-auth window) and confirm scope bundles before closing the sprint task.
+- Security Guild requested to execute the compliance checklist in §9 and record sign-off in SPRINT 23 log once alerts/dashboards are wired (metrics references: `ui_request_duration_seconds`, `ui_dpop_failure_total`, Grafana board `console-security.json`).
+
+## Console CLI parity matrix
+
+- Added `/docs/cli-vs-ui-parity.md` with feature-level status tracking (✅/🟡/🟩). Pending commands reference CLI backlog (`CLI-EXPORT-35-001`, `CLI-POLICY-23-005`, `CONSOLE-DOC-23-502`).
+- DevEx/CLI Guild to wire parity CI workflow when CLI downloads commands ship; Downloads workspace already links to the forthcoming parity report slot.
+
+## Accessibility refresh
+
+- Published `/docs/accessibility.md` describing keyboard flows, screen-reader behaviour, colour tokens, testing rig (Storybook axe, Playwright a11y), and offline guidance.
+- Accessibility Guild (CONSOLE-QA-23-402) to log the next Playwright a11y sweep results against the new checklist; design tokens follow-up tracked via CONSOLE-FEAT-23-102.
+
+Artifacts:
+
+- Doc: `/docs/security/console-security.md`
+- Doc: `/docs/cli-vs-ui-parity.md`
+- Doc: `/docs/accessibility.md`
+- Sprint tracker: corresponding sprint file `docs/implplan/SPRINT_*.md` (DOCS-CONSOLE-23-012 now DONE)
+
+cc: `@authority-core`, `@security-guild`, `@docs-guild`

docs/implplan/archived/updates/2025-10-29-export-center-provenance.md

@@ -0,0 +1,9 @@
+# 2025-10-29 – Export Center provenance/signing doc
+
+## Summary
+- Authored `docs/modules/export-center/provenance-and-signing.md`, covering manifest/provenance artefacts, cosign/SLSA signing pipeline, verification workflows (CLI/CI/offline), and compliance checklist.
+- Cross-linked the new guide from the docs index (`docs/README.md`) and referenced outstanding CLI automation (`CLI-EXPORT-37-001`) to keep verification guidance aligned with upcoming tooling.
+
+## Follow-ups
+- [ ] Revisit once `CLI-EXPORT-37-001` lands to confirm command names/flags and update the verification section if necessary.
+- [ ] Sync with DevOps (`DEVOPS-EXPORT-37-001`) after dashboards/alerts ship to embed direct links in the failure handling section.

docs/implplan/archived/updates/2025-10-29-notify-docs.md

@@ -0,0 +1,10 @@
+# 2025-10-29 – Notifications Studio docs sync prep
+
+## Summary
+- Published Notifications Studio overview (`notifications/overview.md`) and architecture dossier (`notifications/architecture.md`), complementing the rules/templates/digests deep dives landed earlier in Sprint 39.
+- Captured action items to validate connector metadata, quiet-hours semantics, and simulation endpoints once `NOTIFY-SVC-39-001..004` merge.
+- Alerted Notifications Service Guild that documentation handoff is pending those feature drops; ready to iterate as soon as the implementation surfaces schemas.
+
+## Follow-ups
+- [ ] Review merged notifier correlation/quiet-hours work (`NOTIFY-SVC-39-001..004`) and refresh overview + architecture docs with any new persistence/API details.
+- [ ] Coordinate with DevOps dashboards work (`DEVOPS-NOTIFY-39-002`) to document alert references once metrics names are finalised.

docs/implplan/archived/updates/2025-10-29-scheduler-policy-doc-refresh.md

@@ -0,0 +1,21 @@
+# 2025-10-29 — Scheduler/Policy Guild Doc Refresh
+
+## Summary
+- Extended `SCHED-MODELS-20-001` with environment metadata guidance, lifecycle semantics, and diff payload breakdown for Policy Engine runs.
+- Confirmed `StellaOps.Scheduler.Models.Tests` to keep sample fixtures in sync with the documentation.
+- Ready for distribution to Scheduler (Models/Worker/WebService) and Policy Engine guilds; link this update when posting to internal channels.
+
+## Suggested announcement
+> **Channel(s):** `#scheduler-guild`, `#policy-engine`  
+> **Message:**  
+> ```
+> Policy Engine run DTO docs just picked up a refresh (environment metadata, lifecycle+retry table, diff payload notes).  
+> • Doc: src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-20-001-POLICY-RUNS.md  
+> • Samples: samples/api/scheduler/policy-*.json  
+> • Tests: dotnet test src/Scheduler/__Tests/StellaOps.Scheduler.Models.Tests  
+> Please review for orchestration + API consumer work; ping back if other fields need coverage.  
+> ```
+
+## Follow-up
+- [ ] Confirm both guilds acknowledge the documentation update.
+- [ ] Fold any feedback into Sprint 21 scheduler schema backlog if additional DTO changes are requested.

docs/implplan/archived/updates/2025-10-30-devops-governance.md

@@ -0,0 +1,17 @@
+# 30 Oct 2025 — Governance rules anchor consolidated
+
+**What changed**
+
+- Published `docs/devops/contracts-and-rules.md` capturing the Sprint 33 governance rules:
+  1. API Gateway remains a proxy; Policy Engine composes overlays/simulations.
+  2. AOC ingestion persists upstream truth only (no merge/deduplicate logic).
+  3. Graph platform standardised on Graph Indexer + Graph API (Cartographer retired).
+- Updated backlog hygiene note (`docs/backlog/2025-10-cleanup.md`) and archived the Cartographer handshake plan to point at the new graph platform.
+- Logged the rules in `ops/devops/TASKS.md` and corresponding sprint file `docs/implplan/SPRINT_*.md`, removing duplicate references to Cartographer as an active service.
+
+**Reviewers / acknowledgements**
+
+- Platform Leads (DevOps + Graph) confirmed the retirement of Cartographer in favour of Graph Indexer + Graph API.
+- Policy Engine Guild acknowledged the proxy-only Gateway posture and downstream overlay ownership.
+
+See `DEVOPS-RULES-33-001` for the owning task.

docs/implplan/archived/updates/2025-10-31-console-security-refresh.md

@@ -0,0 +1,12 @@
+# 2025-10-31 — Console Security Docs Refresh
+
+## Summary
+- Documented the new Authority `/console` endpoints (`/tenants`, `/profile`, `/token/introspect`) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour.
+- Reduced the default Authority access-token lifetime to 120 seconds to match OpTok guidance and updated tests accordingly.
+- Updated Console security guidance to cover the newly issued `orch:read` scope and clarified session inactivity expectations.
+- Annotated `authority.yaml.sample` and the Authority ops runbook so operators forward `X-Stella-Tenant` and understand fresh-auth prompts.
+
+## Impact
+- Console release notes now reference the dedicated `/console` endpoints and their audit identifiers.
+- Security Guild can rely on the updated compliance checklist when executing Sprint 23 sign-off.
+- Deployment teams have explicit configuration reminders for tenants and orchestrator dashboard access.

docs/implplan/archived/updates/2025-10-cleanup.md

@@ -0,0 +1,17 @@
+# Backlog Cleanup — 26 October 2025
+
+This note captures the Sprint backlog hygiene pass applied on 26 October 2025. The goal was to eliminate legacy tasks that violated the aggregation-only contract (AOC), duplicated scope, or conflicted with the current module ownership map.
+
+## Summary
+- **Console replaces legacy Angular UI.** Sprint 13 UI tasks (`UI-SCANS-13-002`, `UI-VEX-13-003`, `UI-ADMIN-13-004`, `UI-SCHED-13-005`) are retired. Console Sprint 23 (`CONSOLE-CORE-23-001..005`, `CONSOLE-FEAT-23-101..109`, `CONSOLE-REL-23-301..303`) owns the experience.
+- **Policy CLI runtime verbs consolidated.** `CLI-RUNTIME-13-005` is superseded by `CLI-POLICY-20-002` and Policy Studio flows (`CLI-POLICY-27-00x`).
+- **Notifier supersedes legacy Notify.* modules.** All Sprint 15 `StellaOps.Notify.*` tasks are archived. Replacement work lives in Notifications Studio / Notifier Sprints 38–40 (`NOTIFY-SVC-38-00x`, `NOTIFY-SVC-39-00x`, `NOTIFY-SVC-40-00x`, plus `WEB/CLI-NOTIFY-3x-00x`).
+- **Graph platform realigned.** Cartographer backlog items are archived; Graph Indexer + Graph API own graph storage, overlays, and explorer flows. Update open work to reference `GRAPH-*` tasks and the governance note in `docs/devops/contracts-and-rules.md`.
+- **Dedicated Vuln Explorer service.** Gateway/UI/CLI entries that attempted to inline Vuln Explorer logic (`WEB-GRAPH-24-003`, `UI-GRAPH-24-005`, `CLI-VULN-24-003`) now defer to Sprint 29 Vuln Explorer (`VULN-API-29-00x`, `CONSOLE-VULN-29-00x`, `CLI-VULN-29-00x`).
+- **AOC enforcement.** Ingestion-layer tasks attempting to compute derived severity/safe-fix metadata (`CONCELIER-VULN-29-003`, `EXCITITOR-VULN-29-003`) were removed; the Policy Engine overlay backlog (`POLICY-ENGINE-29-001..003`) is the canonical home.
+- **CI/Offline adjustments.** `DEVOPS-UI-13-006` and `DEVOPS-OFFLINE-18-003` moved under Console release tasks (`CONSOLE-QA-23-401`, `DEVOPS-CONSOLE-23-001`, `CONSOLE-REL-23-302`).
+
+## Follow-up
+- Update module task boards only under their active backlogs (`src/Notifier/StellaOps.Notifier`, Cartographer, Vuln Explorer).
+- Ensure future ingestion tasks reference AOC guardrails and avoid derived semantics.
+- Cross-check correspoding sprint file `../implplan/SPRINT_*.md` after adding new tasks to keep tables consistent with module `TASKS.md` files.

docs/implplan/archived/updates/2025-11-01-orch-admin-scope.md

@@ -0,0 +1,19 @@
+# 2025-11-01 · Authority adds Orch.Admin quota controls
+
+**What changed**
+
+- Introduced new `orch:quota` scope and expanded `Orch.Admin` role for Orchestrator quota, burst, and historical backfill adjustments.
+- Client credential requests for `orch:quota` now require `quota_reason` (≤256 chars) and accept optional `quota_ticket` (≤128 chars). Authority records both values under `quota.reason` / `quota.ticket` audit properties.
+- Added dedicated `orch:backfill` scope. Tokens must include `backfill_reason` (≤256 chars) and `backfill_ticket` (≤128 chars); Authority persists them as `backfill.reason` / `backfill.ticket` claims and audit properties alongside operator metadata.
+- Tokens embedding `orch:quota` or `orch:backfill` expose the corresponding reason/ticket claims so downstream services and audit tooling can trace quota increases or emergency backfills.
+- Console, CLI, and configuration samples include the updated role plus environment variables (`STELLAOPS_ORCH_QUOTA_REASON`, `STELLAOPS_ORCH_QUOTA_TICKET`, `STELLAOPS_ORCH_BACKFILL_REASON`, `STELLAOPS_ORCH_BACKFILL_TICKET`) for automation.
+
+**Why**
+
+Quotas and replay backfills materially affect tenant isolation and platform capacity. Capturing explicit operator intent keeps change windows reviewable and aligns with platform audit requirements.
+
+**Actions**
+
+1. Update Authority configuration/offline bundles to seed `Orch.Admin` role for the handful of ops identities that manage quotas.
+2. Adjust automation to pass `quota_reason`/`quota_ticket` when exchanging tokens for `orch:quota` and `backfill_reason`/`backfill_ticket` for `orch:backfill`.
+3. Monitor `authority.client_credentials.grant` records for the new `quota.*` and `backfill.*` audit properties when reviewing change windows.

docs/implplan/archived/updates/2025-11-02-pack-scope-profiles.md

@@ -0,0 +1,18 @@
+# 2025-11-02 · Pack scope catalogue & CLI profiles
+
+**What changed**
+
+- Authority configuration samples (`etc/authority.yaml.sample`) now seed Pack roles (`pack-viewer`, `pack-operator`, `pack-publisher`, `pack-approver`, `pack-admin`) with deterministic scope bundles.
+- Added `AddPacksResourcePolicies` helper in `StellaOps.Auth.ServerIntegration` so Packs Registry/Task Runner services can register consistent authorization policies; accompanying unit tests validate the policy catalogue.
+- Documented Task Pack CLI profiles (`docs/modules/cli/guides/packs-profiles.md`) and added quick-reference guidance in the CLI manual for setting `StellaOps:Authority:Scope` via profiles or environment variables.
+- Updated Authority scope docs and samples to reflect the new roles, keeping offline/air-gap defaults aligned.
+
+**Why**
+
+Task Pack rollout requires explicit RBAC and short-lived tokens per workflow (publish, run, approve). Providing ready-to-use roles, policies, and CLI profiles removes guesswork for operators and ensures tokens carry the correct scopes by default.
+
+**Actions**
+
+1. Refresh Authority configuration in each environment from the updated sample (or add the roles manually) so Pack clients can request tokens.
+2. Roll out the CLI profiles or equivalent configuration in automation (`STELLA_PROFILE=packs-operator`, etc.) before enabling pack workflows.
+3. Update Task Runner/Packs Registry services to call `AddPacksResourcePolicies()` when wiring authorization.

docs/implplan/archived/updates/2025-11-03-authority-plugin-ldap-review.md

@@ -0,0 +1,28 @@
+# Authority Plugin LDAP Review — 2025-11-03
+
+## Attendees
+- Auth Guild core (Authority Host Crew)
+- Security Guild (Identity Controls)
+- DevEx Docs Guild
+- Plugin Team 4 (Auth Libraries & Identity Providers)
+
+## Agenda
+- Confirm LDAP plugin charter and offline/sovereign requirements.
+- Resolve outstanding decisions (audit mirror, mutual TLS, group mapping).
+- Capture follow-up implementation tasks and documentation deliverables.
+
+## Discussion Summary
+1. **Audit mirror parity** — All provisioning flows must emit Mongo audit records even when LDAP is the write source. Records store actor, tenant, DN, operation, hashed secret reference, and correlation IDs matching Authority audit events.
+2. **Mutual TLS requirements** — Regulated installations (FIPS/eIDAS/GOST) require client certificate bindings. Plugin must accept secret-backed PFX stores, optional chain send, and deterministic trust-store configuration (`system` vs bundled roots). Runtime must fail fast when TLS is misconfigured.
+3. **Role mapping flexibility** — Deterministic regex mappings allow deriving canonical Authority roles from LDAP DNs without custom scripting. Regex capture groups map to `{role}` substitutions; evaluation order is deterministic (dictionary map → regex map) to preserve predictability.
+4. **Offline cache expectations** — Mongo-backed cache must record TTL and emit metrics when falling back to cached entries. Cache invalidation respects `cache.ttlSeconds` configuration.
+
+## Follow-up Tasks
+- `PLG7.IMPL-001` — Scaffold plugin + tests, configuration binding (client cert, trust store, insecure toggle validation).
+- `PLG7.IMPL-002` — Implement credential store + mutual TLS enforcement with deterministic retry/backoff and structured logging.
+- `PLG7.IMPL-003` — Deliver claims enricher with regex mapping, cache layer, and associated tests/fixtures.
+- `PLG7.IMPL-004` — Implement client provisioning store with LDAP write toggles, Mongo audit mirror, and bootstrap validation.
+- `PLG7.IMPL-005` — Update developer guide, samples, and release notes with LDAP configuration guidance (mutual TLS, regex mapping, audit mirror).
+
+## Next Checkpoint
+- Status review scheduled 2025-11-10 to assess scaffolding progress and mutual TLS handshake tests.

docs/implplan/archived/updates/2025-11-03-vuln-explorer-access-controls.md

@@ -0,0 +1,5 @@
+# 2025-11-03 – Vuln Explorer access controls refresh
+
+- Expanded `docs/11_AUTHORITY.md` with attachment signing tokens, ledger verification workflow, and a Vuln Explorer security checklist.
+- Added scope guidance for attachment tokens in `docs/security/authority-scopes.md` and updated the Vuln Explorer architecture dossier.
+- Refreshed `etc/authority.yaml.sample` comments to highlight ABAC attributes and attachment token verification requirements.

docs/implplan/archived/updates/2025-11-05-excitor-consensus-beta.md

@@ -0,0 +1,12 @@
+# 2025-11-05 – Excitor consensus API beta
+
+**Subject:** Excitor consensus export/API preview ships  \
+**Audience:** Docs Guild, VEX Lens Guild, Policy Engine Guild, Export Center Guild
+
+- Published `docs/modules/excitor/README.md` update capturing the Link-Not-Merge consensus milestone and pointing to the beta API surface.
+- Added `docs/vex/consensus-json.md` sample describing the canonical `consensus_state` payload (`rollupStatus`, `sources[]`, `policyRevisionId`, `consensusDigest`) emitted by the preview endpoint.
+- Documented DSSE packaging plus Export Center hooks so attested consensus bundles can ride along with devportal/offline exports once Excitor workers emit DSSE manifests (`docs/modules/export-center/devportal-offline.md`).
+
+**Follow-ups**
+- [ ] Coordinate with Policy Engine (`POLICY-ENGINE-30-101`) to reference consensus policy weighting knobs before GA.
+- [ ] Produce CLI quickstart once `stella vex consensus` verbs land (CLI backlog `CLI-VEX-30-002`).

docs/implplan/archived/updates/2025-11-07-concelier-advisory-chunks.md

@@ -0,0 +1,12 @@
+# 2025-11-07 – Concelier advisory chunks API
+
+**Subject:** Paragraph-anchored advisory chunks land for Advisory AI
+**Audience:** Concelier WebService Guild, Advisory AI Guild, Observability Guild
+
+- Shipped /advisories/{advisoryKey}/chunks with tenant enforcement, AdvisoryRead scopes, and filters for sections/formats/limits/minLength so Advisory AI can pull paragraph anchors plus source metadata deterministically.
+- Registered AdvisoryChunkBuilder behind new advisoryChunks configuration (chunk/observation/min-length caps) to keep offline and air-gapped deployments tunable without code changes.
+- Added regression coverage that seeds synthetic observations with embedded paragraphs to validate anchors, metadata, and source ordering before Advisory AI consumes the API; module README now points at this release note.
+
+**Follow-ups**
+- [ ] CONCELIER-AIAI-31-002 – surface structured workaround/fix fields plus caching for downstream retrievers.
+- [x] CONCELIER-AIAI-31-003 – wire chunk request metrics/logs and guardrail telemetry once the API stabilizes. (2025-11-10: request/latency/source histograms + structured guardrail logs shipped.)

docs/implplan/archived/updates/2025-11-09-authority-ldap-plugin.md

@@ -0,0 +1,12 @@
+# 2025-11-09 — Authority LDAP Plug-in Readiness (PLG7.IMPL-005)
+
+## Summary
+- Added a dedicated LDAP quick-reference section to the Authority plug-in developer guide covering mutual TLS requirements, DN→role regex mappings, Mongo-backed claim caching, and the client-provisioning audit mirror.
+- Refreshed the sample manifest at `etc/authority.plugins/ldap.yaml` so operators see cache-enabled defaults, placeholder usage for regex mappings, and audit-mirror notes that match the implementation.
+- Documented that Offline Kits now ship the LDAP plug-in binaries plus the curated manifest, enabling air-gapped installs to drop the assets directly into `plugins/authority/**`.
+- Logged the shipment in release notes so Security/Docs guilds can reference the change and testers can align their smoke runs.
+
+## Impact
+- Documentation now tells operators exactly how to enable mutual TLS, configure regex mappings, and size caches/audit mirrors before turning the plug-in on.
+- Offline Kit consumers understand that LDAP plug-in artefacts are part of the bundle and no longer have to copy manifests manually across environments.
+- Sprint 100 tracker reflects PLG7.IMPL-005 as DONE, unblocking Authority/Docs sign-off for the LDAP plug-in workstream.

docs/implplan/archived/updates/2025-11-12-notify-attestation-templates.md

@@ -0,0 +1,19 @@
+# 2025-11-12 – Notifications Attestation Template Suite
+
+## Summary
+- Introduced the canonical `tmpl-attest-*` template family covering verification failures, expiring attestations, key rotations, and transparency anomalies.
+- Synchronized overview, rules, and architecture docs so operators, rule authors, and implementers share the same guidance for attestation-triggered notifications.
+- Captured Offline Kit expectations and helper usage so the upcoming NOTIFY-ATTEST-74-002 wiring work has stable artefacts to reference.
+
+## Details
+- `docs/notifications/templates.md` now includes Section 7 with required fields, helper references, Slack/Email/Webhook samples, and Offline Kit packaging notes for the attestation lifecycle templates.
+- Baseline exported templates for each required channel now live under `offline/notifier/templates/attestation/*.template.json` so Offline Kit consumers inherit the canonical payloads immediately.
+- `docs/notifications/overview.md` highlights that template capabilities include the attestation suite and reiterates determinism requirements around the `tmpl-attest-*` keys.
+- `docs/notifications/rules.md` adds Section 4.0, mandating the new template keys for `attestor.*` and `authority.keys.*` events so rules do not drift.
+- `docs/notifications/architecture.md` references the template suite inside the rendering pipeline description, reminding service owners to populate attestation context fields.
+- Sprint trackers (`SPRINT_170_notifications_telemetry.md`, `SPRINT_171_notifier_i.md`) note the documentation progress for NOTIFY-ATTEST-74-001.
+
+## Follow-ups
+- [ ] Finalise the attestation event schema on 2025‑11‑13 so the documented templates can be localised and promoted to Offline Kits.
+- [ ] Export the new templates into Offline Kit manifests (`offline/notifier/templates/attestation/`) once schemas lock.
+- [ ] Update rule/controller defaults so attestation-triggered rules reference the documented template keys by default.

docs/implplan/archived/updates/SPRINT_125_mirror_2025-11-13.md

@@ -15,8 +15,8 @@ MIRROR-CRT-58-001 | TODO | Deliver CLI `stella mirror create|verify` commands wi
 MIRROR-CRT-58-002 | TODO | Integrate with Export Center scheduling to automate mirror bundle creation with audit logs. Dependencies: MIRROR-CRT-56-002, EXPORT-OBS-54-001. | Mirror Creator Guild, Exporter Guild (src/Mirror/StellaOps.Mirror.Creator)
 
 
-If all tasks are done - read next sprint section - SPRINT_120_policy_reasoning.md
+If all tasks are done - read next sprint section - SPRINT_0120_0000_0001_policy_reasoning.md
 
 > 2025-11-04: AIAI-31-004A DONE – WebService/Worker wiring plus filesystem queue operational; metrics/logs added; tests executed via `dotnet test src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/StellaOps.AdvisoryAI.Tests.csproj --no-restore`.
 
-> 2025-11-04: AIAI-31-006 DONE – REST endpoints enforce scope headers, apply rate limits, sanitize prompts through guardrails, and enqueue execution with cached metadata.
+> 2025-11-04: AIAI-31-006 DONE – REST endpoints enforce scope headers, apply rate limits, sanitize prompts through guardrails, and enqueue execution with cached metadata.