feat: Add comprehensive product advisories for improved scanner functionality

- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations.
- Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency.
- Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results.
- Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages.
- Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange.
- Established a validation plan for quiet scans, focusing on provenance and CI integration.
- Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.

docs/implplan/archived/updates/2025-10-18-docs-guild.md

@@ -0,0 +1,14 @@
+# Docs Guild Update — 2025-10-18
+
+**Subject:** ADR process + events schema validation shipped  
+**Audience:** Docs Guild, DevEx, Platform Events
+
+- Published the ADR contribution guide at `docs/adr/index.md` and enriched the template to capture authorship, deciders, and alternatives. All new cross-module decisions should follow this workflow.
+- Linked the ADR hub from `docs/README.md` so operators and engineers can discover the process without digging through directories.
+- Extended Docs CI (`.gitea/workflows/docs.yml`) to compile event schemas with Ajv (including `ajv-formats`) and documented the local loop in `docs/events/README.md`.
+- Captured the mirror/offline workflow in `docs/ci/20_CI_RECIPES.md` so runners know how to install the Ajv toolchain and publish previews without internet access.
+- Validated `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1` schemas locally to unblock Platform Events acknowledgements.
+
+Next steps:
+- Platform Events to confirm Notify/Scheduler consumers have visibility into the schema docs.
+- DevEx to add ADR announcement blurb to the next sprint recap if broader broadcast is needed.

docs/implplan/archived/updates/2025-10-19-docs-guild.md

@@ -0,0 +1,12 @@
+# Docs Guild Update — 2025-10-19
+
+**Subject:** Event envelope reference & canonical samples
+**Audience:** Docs Guild, Platform Events, Runtime Guild
+
+- Extended `docs/events/README.md` with envelope field tables, offline validation commands, and guidance for optional payload fields.
+- Added canonical sample payloads under `docs/events/samples/` for `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1`; validated them with `ajv-cli` to match the published schemas.
+- Documented the validation loop so air-gapped operators can mirror the CI checks before rolling new event versions.
+
+Next steps:
+- Platform Events to embed the canonical samples into their contract tests.
+- Runtime Guild checklist for quieted finding counts & progress hints published in `docs/runtime/SCANNER_RUNTIME_READINESS.md`; gather stakeholder sign-off.

docs/implplan/archived/updates/2025-10-19-platform-events.md

@@ -0,0 +1,10 @@
+# Platform Events Update — 2025-10-19
+
+**Subject:** Canonical event samples enforced across tests & CI  
+**Audience:** Platform Events Guild, Notify Guild, Scheduler Guild, Docs Guild
+
+- Scanner WebService contract tests deserialize `scanner.report.ready@1` and `scanner.scan.completed@1` samples, validating DSSE payloads and canonical ordering via `NotifyCanonicalJsonSerializer`.
+- Notify and Scheduler model suites now round-trip the published event samples (including `attestor.logged@1` and `scheduler.rescan.delta@1`) to catch drift in consumer expectations.
+- Docs CI (`.gitea/workflows/docs.yml`) validates every sample against its schema with `ajv-cli`, keeping offline bundles and repositories aligned.
+
+No additional follow-ups — downstream teams can rely on the committed samples for integration coverage.

docs/implplan/archived/updates/2025-10-19-scanner-policy.md

@@ -0,0 +1,5 @@
+# 2025-10-19 – Scanner ↔ Policy Sync
+
+- Scanner WebService now emits `scanner.report.ready` and `scanner.scan.completed` via Redis Streams when `scanner.events.enabled=true`; DSSE envelopes are embedded verbatim to keep Notify/UI consumers in sync.
+- Config plumbing introduces `scanner:events:*` settings (driver, DSN, stream, publish timeout) with validation and Redis-backed publisher wiring.
+- Policy Guild coordination task `POLICY-RUNTIME-17-201` opened to track Zastava runtime feed contract; `SCANNER-RUNTIME-17-401` now depends on it so reachability tags stay aligned once runtime endpoints ship.

docs/implplan/archived/updates/2025-10-19-scheduler-storage.md

@@ -0,0 +1,8 @@
+# Scheduler Storage Update — 2025-10-19
+
+**Subject:** Mongo bootstrap + canonical fixtures  
+**Audience:** Scheduler Storage Guild, Scheduler WebService/Worker teams
+
+- Added `StellaOps.Scheduler.Storage.Mongo` bootstrap (`AddSchedulerMongoStorage`) with collection/index migrations for schedules, runs (incl. TTL), impact snapshots, audit, and locks.
+- Introduced Mongo2Go-backed tests that round-trip the published scheduler samples (`samples/api/scheduler/*.json`) to ensure canonical JSON stays intact.
+- `ISchedulerMongoInitializer.EnsureMigrationsAsync` now provides the single entry point for WebService/Worker hosts to apply migrations at startup.

docs/implplan/archived/updates/2025-10-20-authority-identity-registry.md

@@ -0,0 +1,14 @@
+# 2025-10-20 — Authority Identity Provider Registry & DPoP nonce updates
+
+## Summary
+- Authority host now resolves identity providers through the new metadata/handle pattern introduced in `StellaOps.Authority.Plugins.Abstractions`. Runtime handlers (`ValidateClientCredentialsHandler`, `ValidatePasswordGrantHandler`, `ValidateAccessTokenHandler`, bootstrap endpoints) acquire providers with `IAuthorityIdentityProviderRegistry.AcquireAsync` and rely on metadata (`AuthorityIdentityProviderMetadata`) for capability checks.
+- Unit and integration tests build lightweight `ServiceProvider` instances with test plugins, matching production DI behaviour and ensuring the new registry contract is exercised.
+- DPoP nonce enforcement now prefers `NormalizedAudiences` when populated and gracefully falls back to the configured `RequiredAudiences`, eliminating the runtime type mismatch that previously surfaced during test runs.
+
+## Operator impact
+- No configuration changes are required; existing YAML and environment-based settings continue to function.
+- Documentation examples referencing password/mTLS bootstrap flows remain accurate. The new registry logic simply ensures providers advertised in configuration are resolved deterministically and capability-gated before use.
+
+## Developer notes
+- When adding new identity providers or tests, register plugins via `ServiceCollection` and call `new AuthorityIdentityProviderRegistry(serviceProvider, logger)`.
+- For DPoP-required endpoints, populate `security.senderConstraints.dpop.nonce.requiredAudiences` or rely on defaults; both now funnel through the normalized set.

docs/implplan/archived/updates/2025-10-20-scanner-events.md

@@ -0,0 +1,5 @@
+# 2025-10-20 – Scanner Platform Events Hardening
+
+- Scanner WebService now wires a reusable `IRedisConnectionFactory`, simplifying redis transport testing and reuse for future adapters.
+- `/api/v1/reports` integration test (`ReportsEndpointPublishesPlatformEvents`) asserts both report-ready and scan-completed envelopes carry DSSE payloads, scope metadata, and deterministic verdicts.
+- Task `SCANNER-EVENTS-15-201` closed after verifying `dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj`.

docs/implplan/archived/updates/2025-10-22-docs-guild.md

@@ -0,0 +1,13 @@
+# Docs Guild Update — 2025-10-22
+
+**Subject:** Concelier Authority toggle rollout polish  
+**Audience:** Docs Guild, Concelier WebService Guild, Authority Core
+
+- Added a rollout phase table to `docs/10_CONCELIER_CLI_QUICKSTART.md`, clarifying how `authority.enabled` and `authority.allowAnonymousFallback` move from validation to enforced mode and highlighting the audit/metric signals to watch at each step.
+- Extended the Authority integration checklist in the same quickstart so operators tie CLI smoke tests to audit counters before flipping enforcement.
+- Refreshed `docs/modules/concelier/operations/authority-audit-runbook.md` with the latest date stamp, prerequisites, and pre-check guidance that reference the quickstart timeline; keeps change-request templates aligned.
+- Documented the new Go analyzer artefacts in `docs/24_OFFLINE_KIT.md` (manifest excerpt + tarball smoke test) so Ops can confirm the plug-in ships in the 2025‑10‑22 bundle before promoting it to mirrors.
+
+Next steps:
+- Concelier WebService owners to link this update in the next deployment bulletin once FEEDWEB-DOCS-01-001 clears review.
+- Docs Guild to verify the Offline Kit doc bundle picks up the quickstart/runbook changes after the nightly build.

docs/implplan/archived/updates/2025-10-26-authority-graph-scopes.md

@@ -0,0 +1,15 @@
+# 2025-10-26 — Authority graph scopes documentation refresh
+
+## Summary
+
+- Documented least-privilege guidance for the new `graph:*` scopes in `docs/11_AUTHORITY.md` (scope mapping, tenant propagation, and DPoP expectations).
+- Extended the sample client table/config to include Cartographer and Graph API registrations so downstream teams can copy/paste the correct defaults.
+- Highlighted the requirement to consume `StellaOpsScopes` constants instead of hard-coded scope strings across services.
+
+## Next steps
+
+| Team | Follow-up | Target |
+|------|-----------|--------|
+| Authority Core | Ensure `/jwks` changelog references graph scope rollout in next release note. | 2025-10-28 |
+| Graph API Guild | Update gateway scaffolding to request scopes from `StellaOpsScopes` once the host project lands. | Sprint 21 stand-up |
+| Scheduler Guild | Confirm Cartographer client onboarding uses the new sample secret templates. | Sprint 21 stand-up |

docs/implplan/archived/updates/2025-10-26-scheduler-graph-jobs.md

@@ -0,0 +1,34 @@
+# 2025-10-26 — Scheduler Graph Job DTOs ready for integration
+
+## Summary
+
+SCHED-MODELS-21-001 delivered the new `GraphBuildJob`/`GraphOverlayJob` contracts and SCHED-MODELS-21-002 publishes the accompanying documentation + samples for downstream teams.
+
+Key links:
+
+- Schema doc: `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-21-001-GRAPH-JOBS.md`
+- Samples (round-trip tested): `samples/api/scheduler/graph-build-job.json`, `samples/api/scheduler/graph-overlay-job.json`
+- Event schema + sample: `docs/events/scheduler.graph.job.completed@1.json`, `docs/events/samples/scheduler.graph.job.completed@1.sample.json`
+- API doc: `src/Scheduler/StellaOps.Scheduler.WebService/docs/SCHED-WEB-21-001-GRAPH-APIS.md`
+- Tests: `StellaOps.Scheduler.Models.Tests/SamplePayloadTests.cs`, `GraphJobStateMachineTests.cs`
+
+## Action items
+
+| Guild | Request | Owner | Target |
+| --- | --- | --- | --- |
+| Scheduler WebService | Wire DTOs into upcoming `/graphs` job APIs (SCHED-WEB-21-001/002). | Scheduler Models Guild | Sprint 21 stand-up |
+| Scheduler Worker | Align planners/executors with `GraphJobStateMachine` and new metadata fields. | Scheduler Models Guild | Sprint 21 stand-up |
+| Cartographer | Confirm expectations for `graphSnapshotId`, `cartographerJobId`, overlay triggers. | Scheduler Models Guild | Cartographer sync 2025-10-27 |
+
+### Notification log
+
+- 2025-10-26 — Posted summary + action items to `#scheduler-guild` and `#cartographer-guild` using the snippet below. Both messages linked back to the schema doc and event sample for follow-up.
+- 2025-10-26 — Shared the API doc link with WebService guild thread for endpoint contract review before Cartographer wiring. Highlighted new `POST /graphs/hooks/completed` + `GET /graphs/overlays/lag` behaviour and correlation IDs.
+
+> Suggested message for Slack `#scheduler-guild` & `#cartographer-guild`:
+>
+> ```
+> Graph job DTOs/docs are live (SCHED-MODELS-21-001/002). Samples under samples/api/scheduler, schema notes in src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-21-001-GRAPH-JOBS.md. Please review before wiring SCHED-WEB-21-001/201. GraphJobStateMachine enforces status/attempt invariants—shout if you need additional states.
+> ```
+
+Record notifications here once posted.

docs/implplan/archived/updates/2025-10-27-console-security-signoff.md

@@ -0,0 +1,48 @@
+# Console Security Checklist Sign-off — 2025-10-27
+
+## Summary
+
+- Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint 23 build.
+- No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required.
+- Result: **PASS** – console may progress with Sprint 23 release gating.
+
+## Authority client validation
+
+- Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`.
+- Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`.
+
+## CSP enforcement
+
+- Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` – CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present.
+- Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared.
+
+## Fresh-auth timer
+
+- Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5 minutes idle.
+- Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs.
+
+## DPoP binding test
+
+- Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`.
+- Confirmed logs contain `ui.security.anomaly` event with matching `traceId`.
+
+## Offline mode exercise
+
+- Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages.
+- Imported Offline Kit manifest; parity checks report `OK` status.
+
+## Evidence parity
+
+- Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run <id>`; SHA-256 digests match.
+- Verified Downloads workspace never caches bundle contents (only manifest metadata stored).
+
+## Monitoring & alerts
+
+- Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures.
+- PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps.
+
+## Sign-off
+
+- Reviewed by **Security Guild** (lead: `@sec-lfox`).  
+- Sign-off recorded in Sprint 23 tracker (corresponding sprint file `docs/implplan/SPRINT_*.md`, `DOCS-CONSOLE-23-018`).
+

docs/implplan/archived/updates/2025-10-27-orch-operator-scope.md

@@ -0,0 +1,15 @@
+# 2025-10-27 — Orchestrator operator scope & audit metadata
+
+## Summary
+
+- Introduced the `orch:operate` scope and `Orch.Operator` role in Authority to unlock Orchestrator control actions while keeping read-only access under `Orch.Viewer`.
+- Authority now enforces `operator_reason` and `operator_ticket` parameters on `/token` requests that include `orch:operate`; missing values yield `invalid_request` and no token is issued.
+- Client credentials audit events capture both fields (`request.reason`, `request.ticket`), giving SecOps traceability for every control action.
+
+## Next steps
+
+| Team | Follow-up | Target |
+|------|-----------|--------|
+| Console Guild | Wire UI control panels to request `operator_reason`/`operator_ticket` when exchanging tokens for orchestrator actions. | Sprint 23 stand-up |
+| CLI Guild | Add flags to `stella orch` subcommands to pass reason/ticket metadata before enabling mutations. | Sprint 23 stand-up |
+| Orchestrator Service | Enforce presence of `X-Stella-Reason`/`X-Stella-Ticket` (or equivalent metadata) on mutate endpoints and align audit logging. | ORCH-SVC-33-001 implementation |

docs/implplan/archived/updates/2025-10-27-policy-scope-migration.md

@@ -0,0 +1,15 @@
+# 2025-10-27 — Policy scope migration guidance
+
+## Summary
+
+- Updated Authority defaults (`etc/authority.yaml`) to register a `policy-cli` client using the fine-grained scope set introduced by AUTH-POLICY-23-001 (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`).
+- Added release/CI documentation call-outs instructing operators to reissue tokens that previously relied on `policy:write`/`policy:submit`/`policy:run` scopes.
+- Introduced a repo verification script so future config changes fail CI when policy clients regress to the legacy scope bundles.
+
+## Next steps
+
+| Team | Follow-up | Target |
+|------|-----------|--------|
+| Authority Core | Rotate long-lived policy CLI tokens in staging to confirm new scope set before freezing release 2025.10. | 2025-10-29 |
+| DevOps Guild | Update automation secrets (CI/CD, offline kit) to point at the regenerated `policy-cli` credentials. | Sprint 23 stand-up |
+| Docs Guild | Fold the broader scope matrix refresh into AUTH-POLICY-23-003 once the dual-approval workflow lands. | Blocked on AUTH-POLICY-23-002 |

docs/implplan/archived/updates/2025-10-27-task-packs-docs.md

@@ -0,0 +1,15 @@
+# Docs Guild Update — Task Pack Docs (2025-10-27)
+
+- Added Task Pack core documentation set:
+  - `/docs/task-packs/spec.md`
+  - `/docs/task-packs/authoring-guide.md`
+  - `/docs/task-packs/registry.md`
+  - `/docs/task-packs/runbook.md`
+  - `/docs/security/pack-signing-and-rbac.md`
+  - `/docs/modules/cli/operations/release-and-packaging.md`
+- Each doc includes imposed-rule reminder, compliance checklist, and cross-links to Task Runner, Packs Registry, CLI release tasks.
+- Created asset staging instructions at `docs/assets/ui/tours/README.md` (shared with CLI enablement).
+- Circulated spec + authoring guide links to Task Runner, Packs Registry, Authority, and DevOps guild channels for technical review (2025-10-27). Target follow-up review once CLI parity tasks (`CLI-PACKS-42-001`, `CLI-PACKS-43-001`) land; tentative sync held for 2025-11-03 (Docs Guild to confirm).
+- Sprint tracker `DOCS-PACKS-43-001` marked DOING→DONE; follow-up reviews scheduled with Task Runner and Security guilds.
+
+Artifacts: [Spec](../task-packs/spec.md), [Authoring guide](../task-packs/authoring-guide.md), [Registry](../task-packs/registry.md), [Runbook](../task-packs/runbook.md), [Signing/RBAC](../security/pack-signing-and-rbac.md), [CLI release runbook](../modules/cli/operations/release-and-packaging.md).

docs/implplan/archived/updates/2025-10-28-docs-guild.md

@@ -0,0 +1,26 @@
+# Docs Guild Update — 2025-10-28
+
+## Console security posture draft
+
+- Published `docs/security/console-security.md` covering console OIDC/DPoP flow, scope map, fresh-auth sequence, CSP defaults, evidence handling, and monitoring checklist.
+- Authority owners (`AUTH-CONSOLE-23-003`) to verify `/fresh-auth` token semantics (120 s OpTok, 300 s fresh-auth window) and confirm scope bundles before closing the sprint task.
+- Security Guild requested to execute the compliance checklist in §9 and record sign-off in SPRINT 23 log once alerts/dashboards are wired (metrics references: `ui_request_duration_seconds`, `ui_dpop_failure_total`, Grafana board `console-security.json`).
+
+## Console CLI parity matrix
+
+- Added `/docs/cli-vs-ui-parity.md` with feature-level status tracking (✅/🟡/🟩). Pending commands reference CLI backlog (`CLI-EXPORT-35-001`, `CLI-POLICY-23-005`, `CONSOLE-DOC-23-502`).
+- DevEx/CLI Guild to wire parity CI workflow when CLI downloads commands ship; Downloads workspace already links to the forthcoming parity report slot.
+
+## Accessibility refresh
+
+- Published `/docs/accessibility.md` describing keyboard flows, screen-reader behaviour, colour tokens, testing rig (Storybook axe, Playwright a11y), and offline guidance.
+- Accessibility Guild (CONSOLE-QA-23-402) to log the next Playwright a11y sweep results against the new checklist; design tokens follow-up tracked via CONSOLE-FEAT-23-102.
+
+Artifacts:
+
+- Doc: `/docs/security/console-security.md`
+- Doc: `/docs/cli-vs-ui-parity.md`
+- Doc: `/docs/accessibility.md`
+- Sprint tracker: corresponding sprint file `docs/implplan/SPRINT_*.md` (DOCS-CONSOLE-23-012 now DONE)
+
+cc: `@authority-core`, `@security-guild`, `@docs-guild`

docs/implplan/archived/updates/2025-10-29-export-center-provenance.md

@@ -0,0 +1,9 @@
+# 2025-10-29 – Export Center provenance/signing doc
+
+## Summary
+- Authored `docs/modules/export-center/provenance-and-signing.md`, covering manifest/provenance artefacts, cosign/SLSA signing pipeline, verification workflows (CLI/CI/offline), and compliance checklist.
+- Cross-linked the new guide from the docs index (`docs/README.md`) and referenced outstanding CLI automation (`CLI-EXPORT-37-001`) to keep verification guidance aligned with upcoming tooling.
+
+## Follow-ups
+- [ ] Revisit once `CLI-EXPORT-37-001` lands to confirm command names/flags and update the verification section if necessary.
+- [ ] Sync with DevOps (`DEVOPS-EXPORT-37-001`) after dashboards/alerts ship to embed direct links in the failure handling section.

docs/implplan/archived/updates/2025-10-29-notify-docs.md

@@ -0,0 +1,10 @@
+# 2025-10-29 – Notifications Studio docs sync prep
+
+## Summary
+- Published Notifications Studio overview (`notifications/overview.md`) and architecture dossier (`notifications/architecture.md`), complementing the rules/templates/digests deep dives landed earlier in Sprint 39.
+- Captured action items to validate connector metadata, quiet-hours semantics, and simulation endpoints once `NOTIFY-SVC-39-001..004` merge.
+- Alerted Notifications Service Guild that documentation handoff is pending those feature drops; ready to iterate as soon as the implementation surfaces schemas.
+
+## Follow-ups
+- [ ] Review merged notifier correlation/quiet-hours work (`NOTIFY-SVC-39-001..004`) and refresh overview + architecture docs with any new persistence/API details.
+- [ ] Coordinate with DevOps dashboards work (`DEVOPS-NOTIFY-39-002`) to document alert references once metrics names are finalised.

docs/implplan/archived/updates/2025-10-29-scheduler-policy-doc-refresh.md

@@ -0,0 +1,21 @@
+# 2025-10-29 — Scheduler/Policy Guild Doc Refresh
+
+## Summary
+- Extended `SCHED-MODELS-20-001` with environment metadata guidance, lifecycle semantics, and diff payload breakdown for Policy Engine runs.
+- Confirmed `StellaOps.Scheduler.Models.Tests` to keep sample fixtures in sync with the documentation.
+- Ready for distribution to Scheduler (Models/Worker/WebService) and Policy Engine guilds; link this update when posting to internal channels.
+
+## Suggested announcement
+> **Channel(s):** `#scheduler-guild`, `#policy-engine`  
+> **Message:**  
+> ```
+> Policy Engine run DTO docs just picked up a refresh (environment metadata, lifecycle+retry table, diff payload notes).  
+> • Doc: src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-20-001-POLICY-RUNS.md  
+> • Samples: samples/api/scheduler/policy-*.json  
+> • Tests: dotnet test src/Scheduler/__Tests/StellaOps.Scheduler.Models.Tests  
+> Please review for orchestration + API consumer work; ping back if other fields need coverage.  
+> ```
+
+## Follow-up
+- [ ] Confirm both guilds acknowledge the documentation update.
+- [ ] Fold any feedback into Sprint 21 scheduler schema backlog if additional DTO changes are requested.

docs/implplan/archived/updates/2025-10-30-devops-governance.md

@@ -0,0 +1,17 @@
+# 30 Oct 2025 — Governance rules anchor consolidated
+
+**What changed**
+
+- Published `docs/devops/contracts-and-rules.md` capturing the Sprint 33 governance rules:
+  1. API Gateway remains a proxy; Policy Engine composes overlays/simulations.
+  2. AOC ingestion persists upstream truth only (no merge/deduplicate logic).
+  3. Graph platform standardised on Graph Indexer + Graph API (Cartographer retired).
+- Updated backlog hygiene note (`docs/backlog/2025-10-cleanup.md`) and archived the Cartographer handshake plan to point at the new graph platform.
+- Logged the rules in `ops/devops/TASKS.md` and corresponding sprint file `docs/implplan/SPRINT_*.md`, removing duplicate references to Cartographer as an active service.
+
+**Reviewers / acknowledgements**
+
+- Platform Leads (DevOps + Graph) confirmed the retirement of Cartographer in favour of Graph Indexer + Graph API.
+- Policy Engine Guild acknowledged the proxy-only Gateway posture and downstream overlay ownership.
+
+See `DEVOPS-RULES-33-001` for the owning task.

docs/implplan/archived/updates/2025-10-31-console-security-refresh.md

@@ -0,0 +1,12 @@
+# 2025-10-31 — Console Security Docs Refresh
+
+## Summary
+- Documented the new Authority `/console` endpoints (`/tenants`, `/profile`, `/token/introspect`) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour.
+- Reduced the default Authority access-token lifetime to 120 seconds to match OpTok guidance and updated tests accordingly.
+- Updated Console security guidance to cover the newly issued `orch:read` scope and clarified session inactivity expectations.
+- Annotated `authority.yaml.sample` and the Authority ops runbook so operators forward `X-Stella-Tenant` and understand fresh-auth prompts.
+
+## Impact
+- Console release notes now reference the dedicated `/console` endpoints and their audit identifiers.
+- Security Guild can rely on the updated compliance checklist when executing Sprint 23 sign-off.
+- Deployment teams have explicit configuration reminders for tenants and orchestrator dashboard access.

docs/implplan/archived/updates/2025-10-cleanup.md

@@ -0,0 +1,17 @@
+# Backlog Cleanup — 26 October 2025
+
+This note captures the Sprint backlog hygiene pass applied on 26 October 2025. The goal was to eliminate legacy tasks that violated the aggregation-only contract (AOC), duplicated scope, or conflicted with the current module ownership map.
+
+## Summary
+- **Console replaces legacy Angular UI.** Sprint 13 UI tasks (`UI-SCANS-13-002`, `UI-VEX-13-003`, `UI-ADMIN-13-004`, `UI-SCHED-13-005`) are retired. Console Sprint 23 (`CONSOLE-CORE-23-001..005`, `CONSOLE-FEAT-23-101..109`, `CONSOLE-REL-23-301..303`) owns the experience.
+- **Policy CLI runtime verbs consolidated.** `CLI-RUNTIME-13-005` is superseded by `CLI-POLICY-20-002` and Policy Studio flows (`CLI-POLICY-27-00x`).
+- **Notifier supersedes legacy Notify.* modules.** All Sprint 15 `StellaOps.Notify.*` tasks are archived. Replacement work lives in Notifications Studio / Notifier Sprints 38–40 (`NOTIFY-SVC-38-00x`, `NOTIFY-SVC-39-00x`, `NOTIFY-SVC-40-00x`, plus `WEB/CLI-NOTIFY-3x-00x`).
+- **Graph platform realigned.** Cartographer backlog items are archived; Graph Indexer + Graph API own graph storage, overlays, and explorer flows. Update open work to reference `GRAPH-*` tasks and the governance note in `docs/devops/contracts-and-rules.md`.
+- **Dedicated Vuln Explorer service.** Gateway/UI/CLI entries that attempted to inline Vuln Explorer logic (`WEB-GRAPH-24-003`, `UI-GRAPH-24-005`, `CLI-VULN-24-003`) now defer to Sprint 29 Vuln Explorer (`VULN-API-29-00x`, `CONSOLE-VULN-29-00x`, `CLI-VULN-29-00x`).
+- **AOC enforcement.** Ingestion-layer tasks attempting to compute derived severity/safe-fix metadata (`CONCELIER-VULN-29-003`, `EXCITITOR-VULN-29-003`) were removed; the Policy Engine overlay backlog (`POLICY-ENGINE-29-001..003`) is the canonical home.
+- **CI/Offline adjustments.** `DEVOPS-UI-13-006` and `DEVOPS-OFFLINE-18-003` moved under Console release tasks (`CONSOLE-QA-23-401`, `DEVOPS-CONSOLE-23-001`, `CONSOLE-REL-23-302`).
+
+## Follow-up
+- Update module task boards only under their active backlogs (`src/Notifier/StellaOps.Notifier`, Cartographer, Vuln Explorer).
+- Ensure future ingestion tasks reference AOC guardrails and avoid derived semantics.
+- Cross-check correspoding sprint file `../implplan/SPRINT_*.md` after adding new tasks to keep tables consistent with module `TASKS.md` files.

docs/implplan/archived/updates/2025-11-01-orch-admin-scope.md

@@ -0,0 +1,19 @@
+# 2025-11-01 · Authority adds Orch.Admin quota controls
+
+**What changed**
+
+- Introduced new `orch:quota` scope and expanded `Orch.Admin` role for Orchestrator quota, burst, and historical backfill adjustments.
+- Client credential requests for `orch:quota` now require `quota_reason` (≤256 chars) and accept optional `quota_ticket` (≤128 chars). Authority records both values under `quota.reason` / `quota.ticket` audit properties.
+- Added dedicated `orch:backfill` scope. Tokens must include `backfill_reason` (≤256 chars) and `backfill_ticket` (≤128 chars); Authority persists them as `backfill.reason` / `backfill.ticket` claims and audit properties alongside operator metadata.
+- Tokens embedding `orch:quota` or `orch:backfill` expose the corresponding reason/ticket claims so downstream services and audit tooling can trace quota increases or emergency backfills.
+- Console, CLI, and configuration samples include the updated role plus environment variables (`STELLAOPS_ORCH_QUOTA_REASON`, `STELLAOPS_ORCH_QUOTA_TICKET`, `STELLAOPS_ORCH_BACKFILL_REASON`, `STELLAOPS_ORCH_BACKFILL_TICKET`) for automation.
+
+**Why**
+
+Quotas and replay backfills materially affect tenant isolation and platform capacity. Capturing explicit operator intent keeps change windows reviewable and aligns with platform audit requirements.
+
+**Actions**
+
+1. Update Authority configuration/offline bundles to seed `Orch.Admin` role for the handful of ops identities that manage quotas.
+2. Adjust automation to pass `quota_reason`/`quota_ticket` when exchanging tokens for `orch:quota` and `backfill_reason`/`backfill_ticket` for `orch:backfill`.
+3. Monitor `authority.client_credentials.grant` records for the new `quota.*` and `backfill.*` audit properties when reviewing change windows.

docs/implplan/archived/updates/2025-11-02-pack-scope-profiles.md

@@ -0,0 +1,18 @@
+# 2025-11-02 · Pack scope catalogue & CLI profiles
+
+**What changed**
+
+- Authority configuration samples (`etc/authority.yaml.sample`) now seed Pack roles (`pack-viewer`, `pack-operator`, `pack-publisher`, `pack-approver`, `pack-admin`) with deterministic scope bundles.
+- Added `AddPacksResourcePolicies` helper in `StellaOps.Auth.ServerIntegration` so Packs Registry/Task Runner services can register consistent authorization policies; accompanying unit tests validate the policy catalogue.
+- Documented Task Pack CLI profiles (`docs/modules/cli/guides/packs-profiles.md`) and added quick-reference guidance in the CLI manual for setting `StellaOps:Authority:Scope` via profiles or environment variables.
+- Updated Authority scope docs and samples to reflect the new roles, keeping offline/air-gap defaults aligned.
+
+**Why**
+
+Task Pack rollout requires explicit RBAC and short-lived tokens per workflow (publish, run, approve). Providing ready-to-use roles, policies, and CLI profiles removes guesswork for operators and ensures tokens carry the correct scopes by default.
+
+**Actions**
+
+1. Refresh Authority configuration in each environment from the updated sample (or add the roles manually) so Pack clients can request tokens.
+2. Roll out the CLI profiles or equivalent configuration in automation (`STELLA_PROFILE=packs-operator`, etc.) before enabling pack workflows.
+3. Update Task Runner/Packs Registry services to call `AddPacksResourcePolicies()` when wiring authorization.

docs/implplan/archived/updates/2025-11-03-authority-plugin-ldap-review.md

@@ -0,0 +1,28 @@
+# Authority Plugin LDAP Review — 2025-11-03
+
+## Attendees
+- Auth Guild core (Authority Host Crew)
+- Security Guild (Identity Controls)
+- DevEx Docs Guild
+- Plugin Team 4 (Auth Libraries & Identity Providers)
+
+## Agenda
+- Confirm LDAP plugin charter and offline/sovereign requirements.
+- Resolve outstanding decisions (audit mirror, mutual TLS, group mapping).
+- Capture follow-up implementation tasks and documentation deliverables.
+
+## Discussion Summary
+1. **Audit mirror parity** — All provisioning flows must emit Mongo audit records even when LDAP is the write source. Records store actor, tenant, DN, operation, hashed secret reference, and correlation IDs matching Authority audit events.
+2. **Mutual TLS requirements** — Regulated installations (FIPS/eIDAS/GOST) require client certificate bindings. Plugin must accept secret-backed PFX stores, optional chain send, and deterministic trust-store configuration (`system` vs bundled roots). Runtime must fail fast when TLS is misconfigured.
+3. **Role mapping flexibility** — Deterministic regex mappings allow deriving canonical Authority roles from LDAP DNs without custom scripting. Regex capture groups map to `{role}` substitutions; evaluation order is deterministic (dictionary map → regex map) to preserve predictability.
+4. **Offline cache expectations** — Mongo-backed cache must record TTL and emit metrics when falling back to cached entries. Cache invalidation respects `cache.ttlSeconds` configuration.
+
+## Follow-up Tasks
+- `PLG7.IMPL-001` — Scaffold plugin + tests, configuration binding (client cert, trust store, insecure toggle validation).
+- `PLG7.IMPL-002` — Implement credential store + mutual TLS enforcement with deterministic retry/backoff and structured logging.
+- `PLG7.IMPL-003` — Deliver claims enricher with regex mapping, cache layer, and associated tests/fixtures.
+- `PLG7.IMPL-004` — Implement client provisioning store with LDAP write toggles, Mongo audit mirror, and bootstrap validation.
+- `PLG7.IMPL-005` — Update developer guide, samples, and release notes with LDAP configuration guidance (mutual TLS, regex mapping, audit mirror).
+
+## Next Checkpoint
+- Status review scheduled 2025-11-10 to assess scaffolding progress and mutual TLS handshake tests.

docs/implplan/archived/updates/2025-11-03-vuln-explorer-access-controls.md

@@ -0,0 +1,5 @@
+# 2025-11-03 – Vuln Explorer access controls refresh
+
+- Expanded `docs/11_AUTHORITY.md` with attachment signing tokens, ledger verification workflow, and a Vuln Explorer security checklist.
+- Added scope guidance for attachment tokens in `docs/security/authority-scopes.md` and updated the Vuln Explorer architecture dossier.
+- Refreshed `etc/authority.yaml.sample` comments to highlight ABAC attributes and attachment token verification requirements.

docs/implplan/archived/updates/2025-11-05-excitor-consensus-beta.md

@@ -0,0 +1,12 @@
+# 2025-11-05 – Excitor consensus API beta
+
+**Subject:** Excitor consensus export/API preview ships  \
+**Audience:** Docs Guild, VEX Lens Guild, Policy Engine Guild, Export Center Guild
+
+- Published `docs/modules/excitor/README.md` update capturing the Link-Not-Merge consensus milestone and pointing to the beta API surface.
+- Added `docs/vex/consensus-json.md` sample describing the canonical `consensus_state` payload (`rollupStatus`, `sources[]`, `policyRevisionId`, `consensusDigest`) emitted by the preview endpoint.
+- Documented DSSE packaging plus Export Center hooks so attested consensus bundles can ride along with devportal/offline exports once Excitor workers emit DSSE manifests (`docs/modules/export-center/devportal-offline.md`).
+
+**Follow-ups**
+- [ ] Coordinate with Policy Engine (`POLICY-ENGINE-30-101`) to reference consensus policy weighting knobs before GA.
+- [ ] Produce CLI quickstart once `stella vex consensus` verbs land (CLI backlog `CLI-VEX-30-002`).

docs/implplan/archived/updates/2025-11-07-concelier-advisory-chunks.md

@@ -0,0 +1,12 @@
+# 2025-11-07 – Concelier advisory chunks API
+
+**Subject:** Paragraph-anchored advisory chunks land for Advisory AI
+**Audience:** Concelier WebService Guild, Advisory AI Guild, Observability Guild
+
+- Shipped /advisories/{advisoryKey}/chunks with tenant enforcement, AdvisoryRead scopes, and filters for sections/formats/limits/minLength so Advisory AI can pull paragraph anchors plus source metadata deterministically.
+- Registered AdvisoryChunkBuilder behind new advisoryChunks configuration (chunk/observation/min-length caps) to keep offline and air-gapped deployments tunable without code changes.
+- Added regression coverage that seeds synthetic observations with embedded paragraphs to validate anchors, metadata, and source ordering before Advisory AI consumes the API; module README now points at this release note.
+
+**Follow-ups**
+- [ ] CONCELIER-AIAI-31-002 – surface structured workaround/fix fields plus caching for downstream retrievers.
+- [x] CONCELIER-AIAI-31-003 – wire chunk request metrics/logs and guardrail telemetry once the API stabilizes. (2025-11-10: request/latency/source histograms + structured guardrail logs shipped.)

docs/implplan/archived/updates/2025-11-09-authority-ldap-plugin.md

@@ -0,0 +1,12 @@
+# 2025-11-09 — Authority LDAP Plug-in Readiness (PLG7.IMPL-005)
+
+## Summary
+- Added a dedicated LDAP quick-reference section to the Authority plug-in developer guide covering mutual TLS requirements, DN→role regex mappings, Mongo-backed claim caching, and the client-provisioning audit mirror.
+- Refreshed the sample manifest at `etc/authority.plugins/ldap.yaml` so operators see cache-enabled defaults, placeholder usage for regex mappings, and audit-mirror notes that match the implementation.
+- Documented that Offline Kits now ship the LDAP plug-in binaries plus the curated manifest, enabling air-gapped installs to drop the assets directly into `plugins/authority/**`.
+- Logged the shipment in release notes so Security/Docs guilds can reference the change and testers can align their smoke runs.
+
+## Impact
+- Documentation now tells operators exactly how to enable mutual TLS, configure regex mappings, and size caches/audit mirrors before turning the plug-in on.
+- Offline Kit consumers understand that LDAP plug-in artefacts are part of the bundle and no longer have to copy manifests manually across environments.
+- Sprint 100 tracker reflects PLG7.IMPL-005 as DONE, unblocking Authority/Docs sign-off for the LDAP plug-in workstream.

docs/implplan/archived/updates/2025-11-12-notify-attestation-templates.md

@@ -0,0 +1,19 @@
+# 2025-11-12 – Notifications Attestation Template Suite
+
+## Summary
+- Introduced the canonical `tmpl-attest-*` template family covering verification failures, expiring attestations, key rotations, and transparency anomalies.
+- Synchronized overview, rules, and architecture docs so operators, rule authors, and implementers share the same guidance for attestation-triggered notifications.
+- Captured Offline Kit expectations and helper usage so the upcoming NOTIFY-ATTEST-74-002 wiring work has stable artefacts to reference.
+
+## Details
+- `docs/notifications/templates.md` now includes Section 7 with required fields, helper references, Slack/Email/Webhook samples, and Offline Kit packaging notes for the attestation lifecycle templates.
+- Baseline exported templates for each required channel now live under `offline/notifier/templates/attestation/*.template.json` so Offline Kit consumers inherit the canonical payloads immediately.
+- `docs/notifications/overview.md` highlights that template capabilities include the attestation suite and reiterates determinism requirements around the `tmpl-attest-*` keys.
+- `docs/notifications/rules.md` adds Section 4.0, mandating the new template keys for `attestor.*` and `authority.keys.*` events so rules do not drift.
+- `docs/notifications/architecture.md` references the template suite inside the rendering pipeline description, reminding service owners to populate attestation context fields.
+- Sprint trackers (`SPRINT_170_notifications_telemetry.md`, `SPRINT_171_notifier_i.md`) note the documentation progress for NOTIFY-ATTEST-74-001.
+
+## Follow-ups
+- [ ] Finalise the attestation event schema on 2025‑11‑13 so the documented templates can be localised and promoted to Offline Kits.
+- [ ] Export the new templates into Offline Kit manifests (`offline/notifier/templates/attestation/`) once schemas lock.
+- [ ] Update rule/controller defaults so attestation-triggered rules reference the documented template keys by default.

docs/implplan/archived/updates/SPRINT_100_identity_signing.md

@@ -0,0 +1,52 @@
+# Sprint 100 - Identity & Signing
+
+_Last updated: November 9, 2025. Implementation order is DOING → TODO → BLOCKED._
+
+Active items are mirrored to `docs/implplan/archived/tasks.md` (refreshed 2025-11-09) now that Sprint 100 is closed.
+
+Sprint 100 tracks Identity & Signing readiness; sections below list only in-flight tasks.
+
+## 100.B) Authority.I
+Dependency: None specified; follow module prerequisites.
+Focus: Identity & Signing focus on Authority (phase I).
+
+| # | Task ID & handle | State | Key dependency / next step | Owners |
+| --- | --- | --- | --- | --- |
+| 1 | AUTH-AIRGAP-57-001 | DONE (2025-11-08) | Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. (Deps: AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002.) | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority) |
+| 2 | AUTH-PACKS-43-001 | DONE (2025-11-09) | Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. (Deps: AUTH-PACKS-41-001, TASKRUN-42-001, ORCH-SVC-42-101.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) |
+
+## 100.B) Authority.II
+Dependency: None specified; follow module prerequisites.
+Focus: Identity & Signing focus on Authority (phase II).
+
+| # | Task ID & handle | State | Key dependency / next step | Owners |
+| --- | --- | --- | --- | --- |
+| 1 | AUTH-DPOP-11-001 | DONE (2025-11-08) | DPoP validation now runs for every `/token` grant, interactive tokens inherit `cnf.jkt`/sender claims, and docs/tests document the expanded coverage. (Deps: AUTH-AOC-19-002.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) |
+| 2 | AUTH-MTLS-11-002 | DONE (2025-11-08) | Refresh grants now enforce the original client certificate, tokens persist `x5t#S256`/hex metadata via shared helper, and docs/JWKS guidance call out the mTLS binding expectations. (Deps: AUTH-DPOP-11-001.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) |
+| 3 | PLG4-6.CAPABILITIES | DONE (2025-11-08) | Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. | BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 4 | PLG6.DIAGRAM | DONE (2025-11-03) | Component + sequence diagrams rendered (Mermaid + SVG) and offline assets published under `docs/assets/authority`; dev guide now references final exports. | Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 5 | PLG7.RFC | DONE (2025-11-03) | LDAP plugin RFC reviewed; guild sign-off captured and follow-up implementation issues filed per review notes. | BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 6 | SEC2.PLG | DONE (2025-11-09) | StandardCredentialAuditLogger now pushes `authority.plugin.standard.password_verification` events via `IAuthEventSink`, pulling client/tenant/network metadata from `AuthorityCredentialAuditContextAccessor`; success/failure/lockout scenarios are covered by new unit tests. | Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 7 | SEC3.PLG | DONE (2025-11-09) | Lockout/rate-limit telemetry emits deterministic `plugin.retry_after_seconds` + `plugin.lockout_until` properties, maps failure codes to the extended `AuthEventOutcome` set, and is validated by updated credential store/audit logger tests. | Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 8 | SEC5.PLG | DONE (2025-11-09) | Plugin guide + threat model document bootstrap safeguards, Argon2 password policy expectations, and the credential audit contract (`plugin.*` properties) so SOC/offline reviewers can trace mitigations end-to-end. | Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 9 | PLG7.IMPL-003 | DONE (2025-11-09) | Claims enricher ships with DN map + regex substitutions, Mongo claims cache (TTL + capacity enforcement) wired through DI, plus unit tests covering enrichment + cache eviction. | BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 10 | PLG7.IMPL-004 | DONE (2025-11-09) | LDAP plug-in now ships `clientProvisioning.*` options, a Mongo-audited `LdapClientProvisioningStore`, capability gating, and docs/tests covering LDAP writes + cache shims. | BE-Auth Plugin, DevOps Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap) |
+| 11 | PLG7.IMPL-005 | DONE (2025-11-09) | LDAP plug-in docs refreshed (mutual TLS, regex mappings, cache/audit mirror guidance), sample manifest updated, Offline Kit + release notes now reference the bundled plug-in assets. | BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
+| 12 | PLG7.IMPL-006 | DONE (2025-11-09) | LDAP bootstrap provisioning added (write probe, Mongo audit mirror, capability downgrade + health status) with docs/tests + sample manifest updates. | BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap) |
+
+- 2025-11-08: PLG4-6.CAPABILITIES marked DONE – bootstrap capability surfaced in code/docs, registry logs updated, and bootstrap APIs now gate on providers that advertise it (`dotnet test` across plugins + Authority core).
+- 2025-11-08: AUTH-AIRGAP-57-001 landed — new `airGap.sealedMode` options, file-backed evidence ingestion, client metadata gating, docs/tests, and audit telemetry ensure sealed tenants cannot mint tokens until `authority-sealed-ci.json` passes.
+- 2025-11-09: PLG7.IMPL-003 + PLG7.IMPL-004 complete — LDAP claims enricher/cache + client provisioning store with audit mirror, LDAP DN escapes, DI wiring, and plugin docs/tests refreshed.
+- 2025-11-09: PLG7.IMPL-003 complete — LDAP claims enricher + Mongo cache wired (DI + tests), regex placeholder compatibility finalised, sample config/docs updated, and plugin tests green (`StellaOps.Authority.Plugin.Ldap.Tests`).
+- 2025-11-09: PLG7.IMPL-005 complete — Developer guide, sample manifest, Offline Kit notes, and release updates now cover LDAP mutual TLS, regex mappings, caching, and the audit mirror workflow.
+- 2025-11-09: PLG7.IMPL-006 complete — LDAP plug-in now provisions bootstrap users with hashed audit mirrors, capability probes that prove write access before advertising `clientProvisioning`/`bootstrap`, degraded health signalling when directories are read-only, updated docs, and passing targeted tests.
+- 2025-11-09: AUTH-PACKS-43-001 complete — Authority `/token` now requires `pack_run_id`/`pack_gate_id`/`pack_plan_hash` for `packs.approve`, scope handler enforces a 5‑minute fresh-auth window, docs (`docs/security/pack-signing-and-rbac.md`, `docs/task-packs/runbook.md`) describe the procedure, and CLI/tests cover the new claims.
+
+## 100.D) __Libraries
+Dependency: None specified; follow module prerequisites.
+Focus: Identity & Signing focus on __Libraries.
+
+| # | Task ID & handle | State | Key dependency / next step | Owners |
+| --- | --- | --- | --- | --- |
+| 1 | KMS-73-001 | DONE (2025-11-03) | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) |
+| 2 | KMS-73-002 | DONE (2025-11-03) | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) |

docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md

@@ -0,0 +1,242 @@
+# Sprint 110 - Ingestion & Evidence
+
+Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
+
+## Wave coordination
+
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 110.A AdvisoryAI | Advisory AI Guild · Docs Guild · SBOM Service Guild | Sprint 100.A – Attestor (closed 2025-11-09 per `docs/implplan/archived/SPRINT_100_identity_signing.md`) | DOING | Guardrail regression suite (AIAI-31-009) closed 2025-11-12 with the new `AdvisoryAI:Guardrails` configuration; console doc (DOCS-AIAI-31-004) remains DOING while SBOM/CLI/Policy/DevOps dependencies unblock screenshots/runbook work. |
+| 110.B Concelier | Concelier Core & WebService Guilds · Observability Guild · AirGap Guilds (Importer/Policy/Time) | Sprint 100.A – Attestor | DOING | Paragraph chunk API shipped 2025-11-07; structured field/caching (CONCELIER-AIAI-31-002) is mid-implementation, telemetry (CONCELIER-AIAI-31-003) closed 2025-11-12, and air-gap/console/attestation tracks are held by Link-Not-Merge + Cartographer schema. |
+| 110.C Excititor | Excititor WebService/Core Guilds · Observability Guild · Evidence Locker Guild | Sprint 100.A – Attestor | DOING | Normalized justification projections (EXCITITOR-AIAI-31-001) landed; chunk API, telemetry, docs, attestation, and mirror backlog stay queued behind Link-Not-Merge / Evidence Locker prerequisites. |
+| 110.D Mirror | Mirror Creator Guild · Exporter Guild · CLI Guild · AirGap Time Guild | Sprint 100.A – Attestor | TODO | Wave remains TODO—MIRROR-CRT-56-001 has no owner, so DSSE/TUF, OCI/time-anchor, CLI, and scheduling integrations cannot proceed. |
+
+## Status snapshot (2025-11-13)
+
+- **Advisory AI (110.A)** – Guardrail regression suite AIAI-31-009 closed on 2025-11-12 with the `AdvisoryAI:Guardrails` binding and sub-400 ms batch budgets; DOCS-AIAI-31-004 is the lone DOING item, blocked on Console screenshots (CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001) plus SBOM evidence. SBOM-AIAI-31-003 and DOCS-AIAI-31-005/006/008/009 stay BLOCKED until SBOM-AIAI-31-001, CLI-VULN-29-001, CLI-VEX-30-001, POLICY-ENGINE-31-001, and DEVOPS-AIAI-31-001 land (ETAs requested for 2025-11-14).
+- **Concelier (110.B)** – Paragraph chunk API shipped on 2025-11-07 and telemetry (CONCELIER-AIAI-31-003) landed 2025-11-12; structured field/caching (CONCELIER-AIAI-31-002) is DOING but cannot release until Link-Not-Merge plus Cartographer schema (`CARTO-GRAPH-21-002`) finalize. Air-gap (CONCELIER-AIRGAP-56..58), console (CONCELIER-CONSOLE-23-001..003), attestation (CONCELIER-ATTEST-73-001/002), and overdue connector refreshes (FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008) remain TODO.
+- **Excititor (110.C)** – Normalized VEX justifications (EXCITITOR-AIAI-31-001) are live; chunk API, telemetry, docs, attestation, air-gap, and connector parity tracks (EXCITITOR-AIAI-31-002/003/004, `EXCITITOR-ATTEST-*`, `EXCITITOR-AIRGAP-*`, `EXCITITOR-CONN-TRUST-01-001`) are queued behind the same Link-Not-Merge schema plus Evidence Locker contract.
+- **Mirror (110.D)** – MIRROR-CRT-56-001 still lacks an owner, so DSSE/TUF, OCI/time-anchor, CLI, Export Center, and AirGap Time integrations (MIRROR-CRT-56/57/58, EXPORT-OBS-51/54, AIRGAP-TIME-57-001) cannot start; kickoff moved to 2025-11-15 unless staffing is resolved sooner.
+
+### Wave health (RAG snapshot)
+
+| Wave | Health | Drivers |
+| --- | --- | --- |
+| 110.A AdvisoryAI | 🔶 Watching | Only DOCS-AIAI-31-004 is active; waiting on SBOM/CLI/Policy/DevOps ETAs to restart remaining doc/SBOM tasks. |
+| 110.B Concelier | 🔶 Watching | Structured caching is in-flight but Link-Not-Merge schema + connector refreshes remain unresolved. |
+| 110.C Excititor | 🔶 Watching | Downstream work entirely gated by Link-Not-Merge + Evidence Locker contract; ready to move once schemas approved. |
+| 110.D Mirror | 🔴 Blocked | MIRROR-CRT-56-001 still unstaffed; kickoff on 2025-11-15 must assign owner or sprint slips. |
+
+### Wave task tracker (refreshed 2025-11-13)
+
+#### 110.A AdvisoryAI
+
+| Task ID | State | Notes |
+| --- | --- | --- |
+| DOCS-AIAI-31-004 | DOING | Console guardrail doc drafted; screenshots/runbook copy blocked on CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, and SBOM evidence feeds. |
+| AIAI-31-009 | DONE (2025-11-12) | Guardrail regression suite + `AdvisoryAI:Guardrails` config binding merged with perf budgets. |
+| AIAI-31-008 | TODO | Remote inference packaging waits on policy knobs (AIAI-31-006/007). |
+| SBOM-AIAI-31-003 | BLOCKED | Needs SBOM-AIAI-31-001 outputs plus CLI-VULN/CLI-VEX deliverables. |
+| DOCS-AIAI-31-005/006/008/009 | BLOCKED | Await SBOM/CLI/Policy/DevOps artifacts listed above. |
+
+#### 110.B Concelier
+
+| Task ID | State | Notes |
+| --- | --- | --- |
+| CONCELIER-AIAI-31-002 | DOING | Structured field/caching implementation underway; blocked on Link-Not-Merge schema + CARTO-GRAPH-21-002. |
+| CONCELIER-AIAI-31-003 | DONE (2025-11-12) | Telemetry counters/histograms live for Advisory AI dashboards. |
+| CONCELIER-AIRGAP-56-001..58-001 | TODO | Air-gap bundles waiting on schema + attestation payloads. |
+| CONCELIER-CONSOLE-23-001..003 | TODO | Console overlays blocked by Link-Not-Merge delivery. |
+| CONCELIER-ATTEST-73-001/002 | TODO | Attestation metadata wiring queued behind structured caching. |
+| FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 | BLOCKED | Connector provenance refreshes overdue; need feed owner schedule. |
+
+#### 110.C Excititor
+
+| Task ID | State | Notes |
+| --- | --- | --- |
+| EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | Normalized VEX justification projections live at `/v1/vex/observations/{vulnerabilityId}/{productKey}`. |
+| EXCITITOR-AIAI-31-002 | TODO | Chunk API pending Link-Not-Merge schema + Evidence Locker ingest plan. |
+| EXCITITOR-AIAI-31-003 | TODO | Telemetry/guardrail instrumentation blocked on chunk schema readiness. |
+| EXCITITOR-AIAI-31-004 | TODO | Docs/OpenAPI alignment follows chunk API. |
+| EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | TODO | Attestation payload work waiting on chunk normalization + Evidence Locker scope. |
+| EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | TODO | Air-gap + connector parity require Link-Not-Merge + attestation readiness. |
+
+#### 110.D Mirror
+
+| Task ID | State | Notes |
+| --- | --- | --- |
+| MIRROR-CRT-56-001 | TODO | Deterministic assembler lacks owner; kickoff reset to 2025-11-15. |
+| MIRROR-CRT-56-002 | TODO | DSSE/TUF design blocked on MIRROR-CRT-56-001 code path. |
+| MIRROR-CRT-57-001/002 | TODO | OCI/time-anchor workstreams depend on assembler completion. |
+| MIRROR-CRT-58-001/002 | TODO | Export/CLI automation waiting on MIRROR-CRT-56-001. |
+| EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | TODO | Require assembler baseline and staffing commitments. |
+
+### In-flight focus (DOING items)
+
+| Task ID | Remaining work | Blockers | Target date | Owners |
+| --- | --- | --- | --- | --- |
+| DOCS-AIAI-31-004 | Capture Console screenshots + guardrail ribbon copy, finalize runbook text. | CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 outputs; SBOM evidence feeds. | 2025-11-15 | Docs Guild · Advisory AI Guild |
+| CONCELIER-AIAI-31-002 | Implement structured field/caching API + regression fixtures. | Link-Not-Merge schema (`CONCELIER-GRAPH-21-001/002`, `CARTO-GRAPH-21-002`). | 2025-11-16 | Concelier Core · Concelier WebService Guilds |
+| CONCELIER-GRAPH-21-001/002 · CARTO-GRAPH-21-002 | Finalize projection schema + change events, publish migration guide. | Cross-guild review on 2025-11-14. | 2025-11-14 | Concelier Core · Cartographer Guild · SBOM Service Guild |
+| MIRROR-CRT-56-001 staffing | Assign engineering owner, scope kickoff, and start assembler implementation. | Needs Mirror/Exporter/AirGap leadership approval. | 2025-11-15 | Mirror Creator Guild · Exporter Guild |
+
+### Dependency status watchlist (2025-11-13)
+
+| Dependency | Status | Impacted work | Owner(s) / follow-up |
+| --- | --- | --- | --- |
+| SBOM/CLI/Policy/DevOps deliverables (SBOM-AIAI-31-001/003, CLI-VULN-29-001, CLI-VEX-30-001, POLICY-ENGINE-31-001, DEVOPS-AIAI-31-001) | ETAs requested for 2025-11-14. | DOCS-AIAI-31-004/005/006/008/009, SBOM-AIAI-31-003, AIAI-31-008. | SBOM Service · CLI · Policy · DevOps guilds |
+| Link-Not-Merge schema (CONCELIER-LNM-21-001..003, CONCELIER-GRAPH-21-001/002, CARTO-GRAPH-21-002) | Review on 2025-11-14. | CONCELIER-AIAI-31-002, CONCELIER-AIRGAP-56..58, EXCITITOR-AIAI-31-002/003/004, EXCITITOR-ATTEST-*, Mirror consumers. | Concelier Core · Cartographer Guild · Platform Events Guild |
+| Connector refreshes (FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008) | Overdue since 2025-10-23/24. | Advisory AI feed coverage + telemetry accuracy. | Concelier Feed Owners |
+| MIRROR-CRT-56-001 staffing | Owner not yet assigned; kickoff moved to 2025-11-15. | Entire Mirror wave + Export Center + AirGap Time work. | Mirror Creator Guild · Exporter Guild · AirGap Time Guild |
+| Evidence Locker attestation contract | Drafting; needs Excititor + Concelier alignment. | EXCITITOR-ATTEST-* and CONCELIER-ATTEST-73-001/002. | Evidence Locker Guild · Excititor Guild · Concelier Guild |
+
+### Upcoming checkpoints (2025-11-13 → 2025-11-15)
+
+| Date (UTC) | Session | Goal / expected exit | Impacted wave(s) | Prep owner(s) |
+| --- | --- | --- | --- | --- |
+| 2025-11-14 | Advisory AI customer surfaces follow-up | Capture SBOM/CLI/Policy/DevOps ETAs so DOCS-AIAI backlog can resume. | 110.A | Advisory AI · SBOM · CLI · Policy · DevOps guild leads |
+| 2025-11-14 | Link-Not-Merge schema review | Approve CARTO-GRAPH-21-002 + CONCELIER-GRAPH-21-001/002 payloads, document migration. | 110.B · 110.C | Concelier Core · Cartographer Guild · SBOM Service Guild |
+| 2025-11-15 | Excititor attestation sequencing | Sequence EXCITITOR-AIAI-31-002/003 and slot EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 with Evidence Locker. | 110.C | Excititor Web/Core · Evidence Locker Guild |
+| 2025-11-15 | Mirror evidence kickoff | Assign MIRROR-CRT-56-001 owner, confirm EXPORT-OBS/AIRGAP-TIME staffing, outline DSSE/TUF + OCI milestones. | 110.D | Mirror Creator · Exporter · AirGap Time · Security guilds |
+
+### Meeting prep checklist
+
+| Session | Pre-reads / artifacts | Open questions | Prep owner(s) |
+| --- | --- | --- | --- |
+| Advisory AI customer surfaces (2025-11-14) | SBOM-AIAI-31-001 projection draft, CLI-VULN/CLI-VEX scope notes, POLICY-ENGINE-31-001 knob proposal, DEVOPS-AIAI-31-001 runbook outline. | Exact delivery dates for each artifact? Any blockers requiring interim screenshots or mock SBOM data? | Advisory AI Guild · SBOM Service · CLI · Policy · DevOps guilds |
+| Link-Not-Merge schema review (2025-11-14) | Latest `CONCELIER-GRAPH-21-001/002` + `CARTO-GRAPH-21-002` payloads, migration guide draft, event contract examples. | Are there unresolved fields/tenant tags? How will backfill/replay be handled? Do Advisory AI consumers need an adapter? | Concelier Core · Cartographer Guild · SBOM Service Guild · Platform Events Guild |
+| Excititor attestation sequencing (2025-11-15) | EXCITITOR-AIAI-31-002/003 design notes, Evidence Locker contract draft, attestation backlog order (`EXCITITOR-ATTEST-*`). | Which attestation payload ships first? What telemetry/rollout gates are required? How will Evidence Locker validate manifests? | Excititor Web/Core · Evidence Locker Guild |
+| Mirror evidence kickoff (2025-11-15) | MIRROR-CRT-56-001 scope brief, EXPORT-OBS-51/54 staffing plan, AIRGAP-TIME-57-001 requirements, DSSE/TUF design outline. | Who owns MIRROR-CRT-56-001? Can Export/AirGap lend engineers immediately? Do we need interim manual bundles before assembler lands? | Mirror Creator · Exporter · AirGap Time · Security guilds |
+
+### Target outcomes (through 2025-11-15)
+
+| Deliverable | Target date | Status | Dependencies / notes |
+| --- | --- | --- | --- |
+| DOCS-AIAI-31-004 publication | 2025-11-15 | DOING | Needs Console screenshots + SBOM feeds once SBOM/CLI ETAs are confirmed. |
+| SBOM/CLI/Policy/DevOps ETA commitments | 2025-11-14 | PENDING | Advisory AI follow-up must end with written delivery dates. |
+| Link-Not-Merge schema approval | 2025-11-14 | PENDING | Requires agreement on CONCELIER-GRAPH-21-001/002 + CARTO-GRAPH-21-002 payloads. |
+| Excititor attestation sequencing plan | 2025-11-15 | PENDING | Dependent on Evidence Locker contract + attestation backlog ordering. |
+| MIRROR-CRT-56-001 owner assignment | 2025-11-15 | PENDING | Must exit kickoff with named engineer + sprint scope. |
+
+### Awaiting updates (blocking follow-ups)
+
+| Update needed | Why it matters | Requested from | When requested |
+| --- | --- | --- | --- |
+| Written SBOM-AIAI-31-001/003, CLI-VULN-29-001, CLI-VEX-30-001, POLICY-ENGINE-31-001, DEVOPS-AIAI-31-001 ETAs | Unblocks DOCS-AIAI-31-004/005/006/008/009 and SBOM-AIAI-31-003 | SBOM Service, CLI, Policy, DevOps guild leads | 2025-11-13 stand-up |
+| Confirmation that Link-Not-Merge pre-read comments are resolved | Determines whether schema can be approved on 2025-11-14 | Concelier Core · Cartographer Guild · SBOM Service Guild | 2025-11-13 meeting prep |
+| Evidence Locker sign-off on attestation contract draft | Required before Excititor attestation sequencing on 2025-11-15 | Evidence Locker Guild | 2025-11-13 |
+| Mirror/Exporter leadership agreement on MIRROR-CRT-56-001 owner | Without it, the 2025-11-15 kickoff has no accountable engineer | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | 2025-11-13 |
+
+### Pre-read distribution status (as of 2025-11-13 22:31 UTC)
+
+| Session | Pre-read packet | Status | Owner(s) |
+| --- | --- | --- | --- |
+| Advisory AI follow-up (2025-11-14) | SBOM kit draft + CLI/Policy/DevOps notes | Docs compiled; waiting for guild leads to append ETA fields before sharing. | Advisory AI Guild |
+| Link-Not-Merge review (2025-11-14) | Schema redlines + migration doc | Circulated to Concelier/Cartographer/SBOM; comments due morning of 2025-11-14. | Concelier Core · Cartographer Guild |
+| Excititor attestation sequencing (2025-11-15) | Evidence Locker contract draft + backlog order | Draft complete; Evidence Locker reviewing telemetry requirements. | Excititor Web/Core · Evidence Locker Guild |
+| Mirror kickoff (2025-11-15) | MIRROR-CRT-56-001 scope brief + staffing proposal | Outline sent to Mirror/Exporter leadership; pending confirmation of available engineers. | Mirror Creator Guild · Exporter Guild |
+
+### Decisions needed (before 2025-11-15)
+
+| Decision | Blocking work | Accountable owner(s) | Due date |
+| --- | --- | --- | --- |
+| Provide SBOM/CLI/Policy/DevOps delivery dates | DOCS-AIAI-31-004/005/006/008/009, SBOM-AIAI-31-003, AIAI-31-008 | SBOM Service · CLI · Policy · DevOps guilds | 2025-11-14 |
+| Approve Link-Not-Merge + CARTO schema | CONCELIER-AIAI-31-002, EXCITITOR-AIAI-31-002/003/004, air-gap + attestation tasks | Concelier Core · Cartographer Guild · SBOM Service Guild | 2025-11-14 |
+| Assign MIRROR-CRT-56-001 owner | All Mirror/Export/AirGap downstream work | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | 2025-11-15 |
+| Confirm Evidence Locker attestation scope | EXCITITOR-ATTEST-* and CONCELIER-ATTEST-73-001/002 | Evidence Locker Guild · Excititor Guild · Concelier Guild | 2025-11-15 |
+| Approve DOCS-AIAI-31-004 screenshot plan | Publication of console guardrail doc | Docs Guild · Console Guild | 2025-11-15 |
+
+### Action item tracker (status as of 2025-11-13)
+
+| Item | Status | Next step | Owner(s) | Due |
+| --- | --- | --- | --- | --- |
+| SBOM-AIAI-31-001 projection kit | Pending ETA | Provide delivery date + artifact checklist during 2025-11-14 call. | SBOM Service Guild | 2025-11-14 |
+| CLI-VULN-29-001 / CLI-VEX-30-001 scope alignment | In progress | Confirm parameter set + release vehicle to unblock docs. | CLI Guild | 2025-11-14 |
+| POLICY-ENGINE-31-001 guardrail knob | Drafting | Share config snippet + rollout plan with Advisory AI. | Policy Guild | 2025-11-14 |
+| DEVOPS-AIAI-31-001 deployment runbooks | Not started | Outline automation coverage and ops checklist. | DevOps Guild | 2025-11-15 |
+| Link-Not-Merge schema redlines | Circulated | Sign off during 2025-11-14 review, publish migration notes. | Concelier Core · Cartographer Guild · SBOM Service Guild | 2025-11-14 |
+| MIRROR-CRT-56-001 staffing plan | Not started | Name owner + confirm initial sprint scope. | Mirror Creator Guild · Exporter Guild | 2025-11-15 |
+
+### Standup agenda (2025-11-13)
+
+| Track | Questions to cover | Owner ready to report |
+| --- | --- | --- |
+| 110.A Advisory AI | Are SBOM/CLI/Policy/DevOps guilds ready to commit ETAs so DOCS-AIAI backlog can resume? | Advisory AI Guild · Docs Guild |
+| 110.B Concelier | Link-Not-Merge review prep status and connector refresh recovery plan? | Concelier Core · Concelier WebService Guilds |
+| 110.C Excititor | Evidence Locker contract + attestation sequencing ready for 2025-11-15 session? | Excititor Web/Core Guilds · Evidence Locker Guild |
+| 110.D Mirror | Who is owning MIRROR-CRT-56-001 and what runway is needed? | Mirror Creator Guild · Exporter Guild |
+| Cross-track | Any new risks requiring leadership escalation before 2025-11-14 checkpoints? | Sprint 110 leads |
+
+### Standup agenda (2025-11-14)
+
+| Track | Confirmation needed | Follow-ups if “no” | Reporter |
+| --- | --- | --- | --- |
+| 110.A Advisory AI | Did SBOM/CLI/Policy/DevOps provide ETAs + artifact checklists? | Escalate to guild leads immediately; flag DOCS backlog as red. | Advisory AI Guild |
+| 110.B Concelier | Is Link-Not-Merge schema ready for review (no open comments)? | Capture blockers, inform Cartographer + Advisory AI, update schema review agenda. | Concelier Core |
+| 110.C Excititor | Has Evidence Locker ack’d the attestation contract + backlog order? | Schedule follow-up session pre-15th; unblock by providing interim contract. | Excititor Web/Core |
+| 110.D Mirror | Is MIRROR-CRT-56-001 owner confirmed before kickoff? | Escalate to Mirror/Exporter leadership; re-plan kickoff if still unstaffed. | Mirror Creator Guild |
+| Cross-track | Any new dependencies discovered that affect Nov 15 deliverables? | Add to Awaiting Updates + contingency plan. | Sprint 110 leads |
+
+### Standup agenda (2025-11-15)
+
+| Track | Key question | Owner ready to report |
+| --- | --- | --- |
+| 110.A Advisory AI | Did SBOM/CLI/Policy/DevOps artifacts land and unblock DOCS/SBOM backlog? | Advisory AI Guild · Docs Guild |
+| 110.B Concelier | Were Link-Not-Merge schemas approved and migrations kicked off? | Concelier Core · Cartographer Guild |
+| 110.C Excititor | Is the attestation sequencing plan locked with Evidence Locker sign-off? | Excititor Web/Core Guilds · Evidence Locker Guild |
+| 110.D Mirror | Is MIRROR-CRT-56-001 staffed with a sprint plan after kickoff? | Mirror Creator Guild · Exporter Guild · AirGap Time Guild |
+| Cross-track | Any spillover risks or re-scoping needed after the checkpoints? | Sprint 110 leads |
+
+### Outcome capture template (use after Nov 14–15 checkpoints)
+
+| Session | Date | Outcome | Follow-up tasks |
+| --- | --- | --- | --- |
+| Advisory AI follow-up | 2025-11-14 | _TBD_ | _TBD_ |
+| Link-Not-Merge review | 2025-11-14 | _TBD_ | _TBD_ |
+| Excititor attestation sequencing | 2025-11-15 | _TBD_ | _TBD_ |
+| Mirror evidence kickoff | 2025-11-15 | _TBD_ | _TBD_ |
+
+### Contingency playbook (reviewed 2025-11-13)
+
+| Risk trigger | Immediate response | Owner | Escalation window |
+| --- | --- | --- | --- |
+| Link-Not-Merge review slips | Document unresolved schema fields, escalate to runtime governance, evaluate interim adapter for Advisory AI. | Concelier Core · Cartographer Guild | Escalate by 2025-11-15 governance call. |
+| SBOM/CLI/Policy/DevOps ETAs miss 2025-11-14 | Flag DOCS-AIAI backlog as “red”, source temporary screenshots/mock data, escalate to Advisory AI leadership. | Docs Guild · Advisory AI Guild | Escalate by 2025-11-15 stand-up. |
+| MIRROR-CRT-56-001 still unstaffed on 2025-11-15 | Reassign engineers from Export/Excititor backlog, drop lower-priority Mirror scope, publish revised schedule. | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | Escalate by 2025-11-15 kickoff retro. |
+| Connector refreshes slip another week | Limit Advisory AI exposure to stale feeds, publish customer comms, add feeds to incident review. | Concelier Feed Owners | Escalate by 2025-11-18. |
+| Evidence Locker contract stalls | Delay attestation tasks, focus on telemetry/docs, involve Platform Governance. | Evidence Locker Guild · Excititor Guild | Escalate by 2025-11-17. |
+
+## Downstream dependencies (2025-11-13)
+
+| Wave | Dependent sprint(s) | Impact if delayed |
+| --- | --- | --- |
+| 110.A AdvisoryAI | Advisory AI customer rollout (Docs, Console, CLI), `SPRINT_120_excititor_ii.md`, `SPRINT_140_runtime_signals.md` | SBOM/CLI/Policy/DevOps lag keeps Advisory AI docs + guardrails blocked and stalls downstream Scanner/Policy/Vuln Explorer adoption. |
+| 110.B Concelier | `SPRINT_140_runtime_signals.md`, `SPRINT_185_shared_replay_primitives.md`, Concelier console/air-gap/attest waves | Link-Not-Merge schema + observation APIs gate Concelier graph, telemetry, and orchestrator waves; Console/advisor UIs stay blocked. |
+| 110.C Excititor | `SPRINT_120_excititor_ii.md` → `SPRINT_124_excititor_vi.md` | VEX chunk/attestation phases cannot progress until chunk/telemetry deliverables land, delaying Lens, Policy, and Advisory AI parity. |
+| 110.D Mirror | `SPRINT_125_mirror.md` | Export Center, CLI, and air-gap bundles rely on MIRROR-CRT-56-001; no downstream mirror automation can begin until the deterministic assembler is complete. |
+
+## Interlocks & owners (2025-11-13)
+
+| Interlock | Participants | Needed artifact(s) | Status / notes |
+| --- | --- | --- | --- |
+| Advisory AI customer surfaces | Advisory AI Guild · SBOM Service Guild · CLI Guild · Policy Guild · DevOps Guild | `SBOM-AIAI-31-001`, `SBOM-AIAI-31-003`, `CLI-VULN-29-001`, `CLI-VEX-30-001`, `POLICY-ENGINE-31-001`, `DEVOPS-AIAI-31-001` | ETAs due 2025-11-14 to unblock DOCS-AIAI backlog and SBOM-AIAI-31-003. |
+| Link-Not-Merge contract | Concelier Core/WebService Guilds · Cartographer Guild · Platform Events Guild | `CONCELIER-LNM-21-001`→`21-203`, `CARTO-GRAPH-21-002`, `CONCELIER-GRAPH-21-001/002`, `CONCELIER-CONSOLE-23-001..003` | Schema review on 2025-11-14 to unblock CONCELIER-AIAI-31-002/003 and downstream console/air-gap tasks. |
+| VEX justification + attestation | Excititor Web/Core Guilds · Observability Guild · Evidence Locker Guild · Cartographer Guild | `EXCITITOR-AIAI-31-001`→`31-004`, `EXCITITOR-ATTEST-01-003`, `EXCITITOR-ATTEST-73-001/002`, `EXCITITOR-AIRGAP-56/57/58-*`, `EXCITITOR-CONN-TRUST-01-001` | Attestation sequencing meeting on 2025-11-15 to finalize Evidence Locker contract + backlog order. |
+| Mirror evidence kickoff | Mirror Creator Guild · Exporter Guild · AirGap Time Guild · Security Guild · CLI Guild | `MIRROR-CRT-56/57/58-*`, `EXPORT-OBS-51-001`, `EXPORT-OBS-54-001`, `AIRGAP-TIME-57-001`, `CLI-AIRGAP-56-001`, `PROV-OBS-53-001` | Kickoff scheduled 2025-11-15; objective is to assign MIRROR-CRT-56-001 owner and confirm downstream staffing. |
+
+## Coordination log
+
+| Date | Notes |
+| --- | --- |
+| 2025-11-13 | Snapshot, wave tracker, decision/action lists, and contingency plan refreshed ahead of 2025-11-14/15 checkpoints; awaiting SBOM/CLI/Policy/DevOps ETAs, Link-Not-Merge approval, and Mirror staffing outcomes. |
+| 2025-11-09 | Sprint file captured initial wave detail references, interlocks, and risks pending SBOM/CLI/POLICY/DevOps, Link-Not-Merge, Excititor justification, and Mirror assembler commitments. |
+
+## Risk log (2025-11-13)
+
+| Risk | Impact | Mitigation / owner |
+| --- | --- | --- |
+| SBOM/CLI/Policy/DevOps deliverables slip past 2025-11-14 | Advisory AI docs + SBOM feeds remain blocked, delaying customer rollout + dependent sprints. | Capture ETAs during 2025-11-14 interlock; escalate to Advisory AI leadership if not committed. |
+| Link-Not-Merge schema delays (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) | Concelier/Excititor evidence APIs, console views, and air-gap tracks cannot progress; Advisory AI loses deterministic feeds. | Land schema review on 2025-11-14; publish migration plan and unblock CONCELIER-AIAI-31-002 + EXCITITOR-AIAI-31-002 immediately after approval. |
+| Excititor attestation backlog stalls | Advisory AI cannot cite VEX evidence; attestation + air-gap tasks idle; Mirror parity slips. | Use 2025-11-15 sequencing session to lock order, then reserve engineering capacity for attestation tickets. |
+| Mirror assembler lacks staffing (`MIRROR-CRT-56-001`) | DSSE/TUF, OCI/time-anchor, CLI, Export Center automations cannot start, blocking Sprint 125 altogether. | Assign owner during 2025-11-15 kickoff; reallocate Export/AirGap engineers if no volunteer surfaces. |
+| Connector provenance refreshes remain overdue | Advisory AI may serve stale evidence for ICSCISA/KISA feeds. | Feed owners to publish remediation plan and temporary mitigations by 2025-11-15 stand-up. |

docs/implplan/archived/updates/SPRINT_125_mirror_2025-11-13.md

@@ -0,0 +1,22 @@
+# Sprint 125 - Ingestion & Evidence · 110.D) Mirror
+
+Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
+
+[Ingestion & Evidence] 110.D) Mirror
+Depends on: Sprint 100.A - Attestor
+Summary: Ingestion & Evidence focus on Mirror.
+Task ID | State | Task description | Owners (Source)
+--- | --- | --- | ---
+MIRROR-CRT-56-001 | TODO | Implement deterministic bundle assembler supporting advisories, VEX, policy packs with Zstandard compression and manifest generation. Dependencies: EXPORT-OBS-51-001. | Mirror Creator Guild (src/Mirror/StellaOps.Mirror.Creator)
+MIRROR-CRT-56-002 | TODO | Integrate DSSE signing and TUF metadata generation (`root`, `snapshot`, `timestamp`, `targets`). Dependencies: MIRROR-CRT-56-001, PROV-OBS-53-001. | Mirror Creator Guild, Security Guild (src/Mirror/StellaOps.Mirror.Creator)
+MIRROR-CRT-57-001 | TODO | Add optional OCI image collection producing oci-archive layout with digests recorded in manifest. Dependencies: MIRROR-CRT-56-001. | Mirror Creator Guild, DevOps Guild (src/Mirror/StellaOps.Mirror.Creator)
+MIRROR-CRT-57-002 | TODO | Embed signed time anchor metadata (`meta/time-anchor.json`) sourced from trusted authority. Dependencies: MIRROR-CRT-56-002, AIRGAP-TIME-57-001. | Mirror Creator Guild, AirGap Time Guild (src/Mirror/StellaOps.Mirror.Creator)
+MIRROR-CRT-58-001 | TODO | Deliver CLI `stella mirror create|verify` commands with content selection flags, delta mode, and dry-run verification. Dependencies: MIRROR-CRT-56-002, CLI-AIRGAP-56-001. | Mirror Creator Guild, CLI Guild (src/Mirror/StellaOps.Mirror.Creator)
+MIRROR-CRT-58-002 | TODO | Integrate with Export Center scheduling to automate mirror bundle creation with audit logs. Dependencies: MIRROR-CRT-56-002, EXPORT-OBS-54-001. | Mirror Creator Guild, Exporter Guild (src/Mirror/StellaOps.Mirror.Creator)
+
+
+If all tasks are done - read next sprint section - SPRINT_0120_0000_0001_policy_reasoning.md
+
+> 2025-11-04: AIAI-31-004A DONE – WebService/Worker wiring plus filesystem queue operational; metrics/logs added; tests executed via `dotnet test src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/StellaOps.AdvisoryAI.Tests.csproj --no-restore`.
+
+> 2025-11-04: AIAI-31-006 DONE – REST endpoints enforce scope headers, apply rate limits, sanitize prompts through guardrails, and enqueue execution with cached metadata.

docs/implplan/archived/updates/SPRINT_130_scanner_surface.md

@@ -0,0 +1,20 @@
+# Sprint 130 - Scanner & Surface
+
+**Phase focus:** Scanner.I — Deno analyzer bring-up.
+- **Depends on:** Sprint 110.A · AdvisoryAI (schema + advisory feeds)
+- **Feeds:** Sprint 131 (Scanner.II) once artifacts below land.
+
+Execute the tasks below strictly in order; each artifact unblocks the next analyzer stage.
+
+| Order | Task ID | State | Summary | Owner / Source | Depends On |
+| --- | --- | --- | --- | --- | --- |
+| 1 | `SCANNER-ANALYZERS-DENO-26-001` | DONE | Build the deterministic input normalizer + VFS merger for `deno.json(c)`, import maps, lockfiles, vendor trees, `$DENO_DIR`, and OCI layers so analyzers have a canonical file view. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | — |
+| 2 | `SCANNER-ANALYZERS-DENO-26-002` | DONE | Implement the module graph resolver covering static/dynamic imports, npm bridge, cache lookups, built-ins, WASM/JSON assertions, and annotate edges with their resolution provenance. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-001 |
+| 3 | `SCANNER-ANALYZERS-DENO-26-003` | DONE | Ship the npm/node compatibility adapter that maps `npm:` specifiers, evaluates `exports` conditionals, and logs builtin usage for policy overlays. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-002 |
+| 4 | `SCANNER-ANALYZERS-DENO-26-004` | DONE | Add the permission/capability analyzer covering FS/net/env/process/crypto/FFI/workers plus dynamic-import + literal fetch heuristics with reason codes. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-003 |
+| 5 | `SCANNER-ANALYZERS-DENO-26-005` | DONE | Build bundle/binary inspectors for eszip and `deno compile` executables to recover graphs, configs, embedded resources, and snapshots. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-004 |
+| 6 | `SCANNER-ANALYZERS-DENO-26-006` | DONE | Implement the OCI/container adapter that stitches per-layer Deno caches, vendor trees, and compiled binaries back into provenance-aware analyzer inputs. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-005 |
+| 7 | `SCANNER-ANALYZERS-DENO-26-007` | DONE | Produce AOC-compliant observation writers (entrypoints, modules, capability edges, workers, warnings, binaries) with deterministic reason codes. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-006 |
+| 8 | `SCANNER-ANALYZERS-DENO-26-008` | DONE | Finalize fixture + benchmark suite (vendor/npm/FFI/worker/dynamic import/bundle/cache/container cases) validating analyzer determinism and performance. | Deno Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-007 |
+
+_Status 2025-11-12:_ Task `SCANNER-ANALYZERS-DENO-26-008` completed — analyzer output now matches the refreshed golden snapshot (vendor/npm/FFI/worker/dynamic import cases) and the Deno test suite passes with deterministic fixtures.

docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md

@@ -0,0 +1,165 @@
+# Sprint 137 - Scanner & Surface
+
+**Phase focus:** Scanner.VIII — Analyzer gap design & readiness.
+- **Depends on:** Sprint 136 · Scanner.VII (Surface env/fs/secrets) to ensure shared primitives exist.
+- **Feeds:** Sprint 138 (Ruby parity) and Sprint 139 (language-specific analyzers) by locking designs + policy hooks.
+
+| Task ID | State | Summary | Owner / Source | Depends On |
+| --- | --- | --- | --- | --- |
+| `SCANNER-ENG-0002` | DONE (2025-11-09) | Design the Node.js lockfile collector + CLI validator per `docs/benchmarks/scanner/scanning-gaps-stella-misses-from-competitors.md`, capturing Surface + policy requirements before implementation. | Scanner Guild, CLI Guild (docs/modules/scanner) | — |
+| `SCANNER-ENG-0003` | DONE (2025-11-09) | Design Python lockfile + editable-install parity checks with policy predicates and CLI workflow coverage as outlined in the gap analysis. | Python Analyzer Guild, CLI Guild (docs/modules/scanner) | — |
+| `SCANNER-ENG-0004` | DONE (2025-11-09) | Design Java lockfile ingestion/validation (Gradle/SBT collectors, CLI verb, policy hooks) to close comparison gaps. | Java Analyzer Guild, CLI Guild (docs/modules/scanner) | — |
+| `SCANNER-ENG-0005` | DONE (2025-11-09) | Enhance Go stripped-binary fallback inference design, including inferred module metadata + policy integration, per the gap analysis. | Go Analyzer Guild (docs/modules/scanner) | — |
+| `SCANNER-ENG-0006` | DONE (2025-11-09) | Expand Rust fingerprint coverage design (enriched fingerprint catalogue + policy controls) per the comparison matrix. | Rust Analyzer Guild (docs/modules/scanner) | — |
+| `SCANNER-ENG-0007` | DONE (2025-11-09) | Design the deterministic secret leak detection pipeline covering rule packaging, Policy Engine integration, and CLI workflow. | Scanner Guild, Policy Guild (docs/modules/scanner) | — |
+
+> 2025-11-09: The gap designs below capture analyzer, Surface, CLI, and policy contracts for SCANNER-ENG-0002…0007; tasks were taken DOING → DONE after this review.
+
+## Implementation progress (2025-11-09)
+
+- Gradle/Maven lock ingestion is now wired into `JavaLanguageAnalyzer`: `JavaLockFileCollector` sorts lock metadata deterministically, merges it with archive findings (`lockConfiguration`, `lockRepository`, `lockResolved`), and emits declared-only components (with `declaredOnly=true`, `lockSource`, `lockLocator`) whenever jars are missing. CLI/Surface telemetry tags were updated to carry per-language declared/missing counters.
+- `stella java lock-validate` shares the `HandleLanguageLockValidateAsync` helper with Node/Python, has table/JSON output parity, and is documented alongside the scanner README + CLI guide (including the new metric `stellaops.cli.java.lock_validate.count`). Tests now cover the Ruby/Node/Java lock workflows end-to-end via `CommandHandlersTests`.
+
+## Design outcomes
+
+### SCANNER-ENG-0002 — Node.js lockfile collector + CLI validator
+
+**Scope & goals**
+- Provide deterministic ingestion of `pnpm-lock.yaml`, `package-lock.json`, and `yarn.lock` so declared dependencies are preserved even when `node_modules` is absent.
+- Offer a CLI validator that runs without scheduling a scan, reusing the same collector and Surface safety rails.
+
+**Design decisions**
+- Add `NodeLockfileCollector` under `StellaOps.Scanner.Analyzers.Lang.Node`. The collector normalises manifests into a shared model (`package name`, `version`, `resolved`, `integrity`, `registry`, `workspace path`) and emits `DeclaredOnly = true` components stored beside installed fragments (`LayerComponentFragment.DeclaredSources`).
+- Reuse `LanguageAnalyzerContext` merge rules so installed packages supersede declared-only entries while retaining discrepancies for policy.
+- Gate execution through `Surface.Validation` (`scanner.lockfiles.node.*` knobs) that enforce max lockfile size, workspace limits, and registry allowlists; violations fail fast with deterministic error IDs.
+- Private registries referenced in lockfiles must use `secret://` handles. `Surface.Secrets` resolves these handles before validation and the resolved metadata (never the secret) is attached to the collector context for auditing.
+- EntryTrace usage hints annotate runtime packages; when a package is used at runtime but missing from the lockfile, the merge step tags it with `UsageWithoutDeclaration`.
+
+**CLI, policy, docs**
+- Add `stella node lock-validate [path] --format {auto|pnpm|npm|yarn}` that runs locally, reuses Surface controls, and returns canonical JSON + table summaries. The CLI inherits `--surface-config` so air-gapped configs stay consistent.
+- Scanner/WebService gains `--node-lockfiles` / `SCANNER__NODE__LOCKFILES__ENABLED` toggles to control ingestion during full scans.
+- Policy Engine receives predicates: `node.lock.declaredMissing`, `node.lock.registryDisallowed`, `node.lock.declarationOnly`. Templates show how to fail on disallowed registries while only warning on declared-only findings that never reach runtime.
+- Update `docs/modules/scanner/architecture.md` and policy DSL appendices with the new evidence flags and CLI workflow.
+
+**Testing, telemetry, rollout**
+- Golden fixtures for pnpm v8, npm v9, and yarn berry lockfiles live under `tests/Scanner.Analyzers.Node/__fixtures__/lockfiles`. Deterministic snapshots are asserted in both analyzer and CLI tests.
+- Add integration coverage in `tests/Scanner.Cli.Node` verifying exit codes and explain output for mismatched packages/registries.
+- Emit counters (`scanner.node.lock.declared`, `scanner.node.lock.mismatch`, `scanner.node.lock.registry_blocked`) plus structured logs keyed by lockfile digest.
+- Offline Kit ships the parser tables and CLI binary help under `offline/scanner/node-lockfiles/README.md`.
+
+**Implementation status (2025-11-09)**
+- Lockfile declarations now emit `DeclaredOnly` components in `StellaOps.Scanner.Analyzers.Lang.Node` with lock source/locator metadata and deterministic evidence for policy use.
+- CLI verb `stella node lock-validate` inspects lockfiles locally, rendering declared-only/missing-lock summaries and emitting `stellaops.cli.node.lock_validate.count` telemetry.
+- Node analyzer determinism fixtures updated with declared-only coverage; CLI unit suite exercises the new handler.
+- Python analyzer ingests `requirements*.txt`, `Pipfile.lock`, and `poetry.lock`, tagging installed distributions with `lockSource` metadata and creating declared-only components. `stella python lock-validate` mirrors the workflow for offline validation and records `stellaops.cli.python.lock_validate.count`.
+
+### SCANNER-ENG-0003 — Python lockfile + editable-install parity
+
+**Scope & goals**
+- Parse Python lockfiles (`poetry.lock`, `Pipfile.lock`, hashed `requirements*.txt`) to capture declared graphs pre-install.
+- Detect editable installs and local path references so policy can assert parity between lockfiles and runtime contents.
+
+**Design decisions**
+- Introduce `PythonLockfileCollector` in `StellaOps.Scanner.Analyzers.Lang.Python`, capable of reading Poetry, Pipenv, pip-tools, and raw requirements syntax (including environment markers, extras, hashes, VCS refs).
+- Extend the collector with an `EditableResolver` that inspects lockfile entries (`path =`, `editable = true`, `-e ./pkg`) and consults `Surface.FS` to normalise the referenced directory, capturing `EditablePath`, `SourceDigest`, and `VcsRef` metadata.
+- Merge results with installed `*.dist-info` data using `LanguageAnalyzerContext`. Installed evidence overrides declared-only components; editable packages missing from the artifact layer are tagged `EditableMissing`.
+- `Surface.Validation` adds knobs `scanner.lockfiles.python.maxBytes`, `scanner.lockfiles.python.allowedIndexes`, and ensures hashes are present when policy mandates repeatable environments. Private index credentials are provided via `Surface.Secrets` and never persisted.
+
+**CLI, policy, docs**
+- New CLI verb `stella python lock-validate` mirrors the Node workflow, validates editable references resolve within the checked-out tree, and emits parity diagnostics.
+- Scanner runs accept `--python-lockfiles` to toggle ingestion per tenant.
+- Policy predicates: `python.lock.declaredMissing`, `python.lock.editableUnpinned`, `python.lock.indexDisallowed`. Editable packages missing from the filesystem can be set to fail builds or raise waivers.
+- Document the workflow in `docs/modules/scanner/architecture.md` and the policy cookbook, including guidance on handling build-system backends.
+
+**Testing, telemetry, rollout**
+- Fixtures covering Poetry 1.6, Pipenv 2024.x, `requirements.txt` with markers, and mixed editable/VCS entries live beside the analyzer tests.
+- CLI golden output asserts deterministic ordering and masking of secrets in URLs.
+- Metrics: `scanner.python.lock.declared`, `scanner.python.lock.editable`, `scanner.python.lock.failures`.
+- Offline Kit bundles include parser definitions and sample policies to keep air-gapped tenants aligned.
+
+### SCANNER-ENG-0004 — Java/Gradle/SBT lockfile ingestion & validation
+
+**Scope & goals**
+- Capture Gradle, Maven, and SBT dependency locks before artifacts are built, along with repository provenance and configuration scopes.
+- Provide CLI validation and policy predicates enforcing repository allowlists and declared/runtime parity.
+
+**Design decisions**
+- Add collectors: `GradleLockfileCollector` (reads `gradle.lockfile` and `gradle/dependency-locks/*.lock`), `MavenLockfileCollector` (parses `pom.xml`/`pom.lock` + dependencyManagement overrides), and `SbtLockfileCollector` (reads Ivy resolution outputs or `dependencies.lock`).
+- Each collector emits normalized records keyed by `groupId:artifactId:version` plus config scope (`compileClasspath`, `runtimeClasspath`, etc.), repository URI, checksum, and optional classifier. Records are stored as `DeclaredOnly` fragments associated with their workspace path.
+- `Surface.Validation` enforces file-size limits, repository allowlists (`scanner.lockfiles.java.allowedRepos`), and optional checksum requirements. Private Maven credentials flow through `Surface.Secrets`.
+- `JavaLanguageAnalyzer` merges declared entries with installed archives. Runtime usage from EntryTrace is attached so policies can prioritize gaps that reach runtime.
+
+**CLI, policy, docs**
+- CLI verb `stella java lock-validate` supports Gradle/Maven/SBT modes, prints mismatched dependencies, and checks repository policy.
+- Scanner flags `--java-lockfiles` or env `SCANNER__JAVA__LOCKFILES__ENABLED` gate ingestion. Lockfile artifacts are uploaded to Surface.FS for evidence replay.
+- Policy predicates: `java.lock.declaredMissing`, `java.lock.repoDisallowed`, `java.lock.unpinned` (no checksum). Explain traces cite repository + config scope for each discrepancy.
+- Docs: update scanner module dossier and policy template library with repository governance examples.
+
+**Testing, telemetry, rollout**
+- Fixtures derived from sample Gradle multi-projects, Maven BOM hierarchies, and SBT builds validate parser coverage and CLI messaging.
+- Metrics `scanner.java.lock.declared`, `scanner.java.lock.missing`, `scanner.java.lock.repo_blocked` feed the observability dashboards.
+- Offline kits include parser grammars and CLI docs so air-gapped tenants can enforce repo policies without SaaS dependencies.
+
+### SCANNER-ENG-0005 — Go stripped-binary fallback inference
+
+**Scope & goals**
+- Enrich the stripped-binary fallback so Go modules remain explainable even without embedded `buildinfo`, and give Policy Engine knobs to treat inferred evidence differently.
+
+**Design decisions**
+- Extend `GoBinaryScanner` with an inference pipeline that, when build info is absent, parses ELF/Mach-O symbol tables and DWARF data using the existing `ElfSharp` bindings. Symbols feed into a new `GoSymbolInferenceEngine` that matches against a signed `GoFingerprintCatalog` under `StellaOps.Scanner.Analyzers.Lang.Go.Fingerprints`.
+- Inferred results carry `Confidence` (0–1), matched symbol counts, and reasons (`BuildInfoMissing`, `SymbolMatches`, `PkgPathFallback`). Records are emitted as `InferredModule` metadata alongside hashed fallback components.
+- Update fragment schemas so DSSE-composed BOMs include both the hashed fallback and the inference summary, enabling deterministic replay.
+- `Surface.Validation` exposes `scanner.analyzers.go.fallback.enabled`, `scanner.analyzers.go.fallback.maxSymbolBytes`, ensuring workloads can opt out or constrain processing time.
+
+**Policy, CLI, docs**
+- Policy predicates `go.module.inferenceConfidence` and `go.module.hashOnly` let tenants fail when only hashed provenance exists or warn when inference confidence < threshold.
+- CLI flag `--go-fallback-detail` (and corresponding API query) prints hashed vs inferred modules, confidence, and remediation hints (e.g., rebuild with `-buildvcs`).
+- Documentation updates cover inference details, how confidence feeds lattice weights, and how to author waivers.
+
+**Testing, telemetry, rollout**
+- Add stripped binary fixtures (Linux, macOS) plus intentionally obfuscated samples. Tests assert deterministic inference and hashing.
+- Metrics `scanner.go.inference.count`, `scanner.go.inference.confidence_bucket` ensure observability; logs include `imageDigest`, `binaryPath`, `confidence`.
+- Offline Kit bundles the fingerprint catalog and inference changelog so air-gapped tenants can audit provenance.
+
+### SCANNER-ENG-0006 — Rust fingerprint coverage expansion
+
+**Scope & goals**
+- Improve Rust evidence for stripped binaries by expanding fingerprint sources, symbol parsing, and policy controls over heuristic findings.
+
+**Design decisions**
+- Build a new `RustFingerprintCatalog` signed and versioned, fed by Cargo crate metadata, community hash contributions, and curated fingerprints from StellaOps scans. Catalog lives under `StellaOps.Scanner.Analyzers.Lang.Rust.Fingerprints` with deterministic ordering.
+- Extend `RustAnalyzerCollector` with symbol parsing (DWARF, ELF build IDs) via `SymbolGraphResolver`. Resolver correlates crate sections, monomorphized symbol prefixes, and `#[panic_handler]` markers to infer crate names and versions.
+- Emit inference metadata (`fingerprintId`, `confidence`, `symbolEvidence[]`) alongside hashed fallbacks. Authoritative Cargo.lock data (when present) still wins in merges.
+- `Surface.Validation` adds toggles for fingerprint freshness and maximum catalog size per tenant. Offline bundles deliver catalog updates signed via DSSE.
+
+**Policy, CLI, docs**
+- Policy predicates: `rust.fingerprint.confidence`, `rust.fingerprint.catalogAgeDays`. Templates show how to warn when only heuristic data exists, or fail if catalog updates are stale.
+- CLI flag `--rust-fingerprint-detail` prints authoritative vs inferred crates, symbol samples, and guidance.
+- Documentation (scanner module + policy guide) explains how inference is stored, how catalog publishing works, and how to tune policy weights.
+
+**Testing, telemetry, rollout**
+- Add fixtures for stripped Rust binaries across editions (2018–2024) and with/without LTO. Determinism tests compare catalog revisions and inference outputs.
+- Metrics `scanner.rust.fingerprint.authoritative`, `scanner.rust.fingerprint.inferred`, `scanner.rust.fingerprint.catalog_version` feed dashboards and alerts.
+- Offline kit updates include catalog packages, verification instructions, and waiver templates tied to predicate names.
+
+### SCANNER-ENG-0007 — Deterministic secret leak detection pipeline
+
+**Scope & goals**
+- Provide first-party secret leak detection that matches competitor capabilities while preserving deterministic, offline-friendly execution and explainability.
+
+**Design decisions**
+- Introduce `StellaOps.Scanner.Analyzers.Secrets`, a restart-time plug-in that consumes rule bundles (`ruleset.tgz`) signed with DSSE and versioned (semantic version + hash). Bundles live under `plugins/scanner/secrets/rules/<version>`.
+- Rule bundles contain deterministic regex/entropy definitions, context windows, and masking directives. A rule index is generated at build time to guarantee deterministic ordering.
+- Analyzer executes after Surface validation of each file/layer. Files pass through a streaming matcher that outputs `SecretLeakEvidence` (rule id, severity, confidence, file path, byte ranges, masking applied). Findings persist in `ScanAnalysisStore` and align with DSSE exports.
+- `Surface.Validation` introduces `scanner.secrets.rules.bundle`, `scanner.secrets.maxFileBytes`, and `scanner.secrets.targetGlobs`. `Surface.Secrets` supplies allowlist tokens (e.g., approved test keys) without exposing plaintext to analyzers.
+- Events/attestations: findings optionally published via the existing Redis events, and Export Center bundles include masked evidence plus rule metadata.
+
+**CLI, policy, docs**
+- Add `stella secrets scan [path|image]` plus `--secrets` flag on `stella scan` to run the analyzer inline. CLI output redacts payloads, shows rule IDs, severity, and remediation hints.
+- Policy Engine ingests `secret.leak` evidence, including `ruleId`, `confidence`, `masking.applied`, enabling predicates like `secret.leak.highConfidence`, `secret.leak.ruleDisabled`. Templates cover severities, approvals, and ticket automation.
+- Documentation updates: scanner module dossier (new analyzer), policy cookbook (rule management), and Offline Kit guide (bundling rule updates).
+
+**Testing, telemetry, rollout**
+- Rule-pack regression tests ensure deterministic matching and masking; analyzer unit tests cover regex + entropy combos, while integration tests run across sample repositories and OCI layers.
+- Metrics: `scanner.secrets.ruleset.version`, `scanner.secrets.findings.total`, `scanner.secrets.findings.high_confidence`. Logs include rule ID, masked hash, and file digests for auditing.
+- Offline Kit delivers the signed ruleset catalog, upgrade guide, and policy defaults so fully air-gapped tenants can keep pace without internet access.

docs/implplan/archived/updates/SPRINT_300_documentation_process_2025-11-13.md

@@ -0,0 +1,12 @@
+# Sprint 300 - Documentation & Process
+
+Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
+
+This file now only tracks the documentation & process status snapshot. Active backlog lives in Sprint 301 and later files.
+
+## Wave coordination
+
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 200.A Docs Tasks.md ladder | Docs Guild · Ops Guild (for air-gap content) | Sprint 100.A – Attestor; Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 140.A – Graph; Sprint 150.A – Orchestrator; Sprint 160.A – EvidenceLocker; Sprint 170.A – Notifier; Sprint 180.A – CLI; Sprint 190.A – Ops Deployment | DOING | 2025-11-13 – Kicked off implplan restructuring, aligning sprint files to topic-oriented template and dependency rules. Tasks Md.I must flip to DOING first; each subsequent Md stage depends on the prior file, so keep sequencing strict. |
+| 200.B Module dossiers | Docs Guild · Respective Module Guilds (Authority, Concelier, etc.) | Same as above plus Ops Deployment evidence (Sprint 190.A) | TODO | Once Docs Tasks Md.I captures the updated process, we can move the per-module sprints (312‑335) to DOING in parallel; verify each module's AGENTS file before editing. |

docs/implplan/archived/updates/SPRINT_301_docs_tasks_md_i_2025-11-13.md

@@ -0,0 +1,23 @@
+# Sprint 301 - Documentation & Process · 200.A) Docs Tasks.Md.I
+
+Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
+
+[Documentation & Process] 200.A) Docs Tasks.Md.I
+Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
+Summary: Documentation & Process focus on Docs Tasks (phase Md.I).
+Task ID | State | Task description | Owners (Source)
+--- | --- | --- | ---
+DOCS-AIAI-31-004 | DOING (2025-11-07) | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. Dependencies: DOCS-AIAI-31-003, CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001. | Docs Guild, Console Guild (docs)
+DOCS-AIAI-31-005 | BLOCKED (2025-11-03) | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. Dependencies: DOCS-AIAI-31-004, CLI-VULN-29-001, CLI-VEX-30-001. | Docs Guild, DevEx/CLI Guild (docs)
+DOCS-AIAI-31-006 | BLOCKED (2025-11-03) | Update `/docs/policy/assistant-parameters.md` covering temperature, token limits, ranking weights, TTLs. Dependencies: DOCS-AIAI-31-005, POLICY-ENGINE-31-001. | Docs Guild, Policy Guild (docs)
+DOCS-AIAI-31-008 | BLOCKED (2025-11-03) | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). Dependencies: DOCS-AIAI-31-007, SBOM-AIAI-31-001. | Docs Guild, SBOM Service Guild (docs)
+DOCS-AIAI-31-009 | BLOCKED (2025-11-03) | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, model outages, scaling. Dependencies: DOCS-AIAI-31-008, DEVOPS-AIAI-31-001. | Docs Guild, DevOps Guild (docs)
+DOCS-AIRGAP-56-001 | TODO | Publish `/docs/airgap/overview.md` outlining modes, lifecycle, responsibilities, and imposed rule banner. | Docs Guild, AirGap Controller Guild (docs)
+DOCS-AIRGAP-56-002 | TODO | Author `/docs/airgap/sealing-and-egress.md` covering network policies, EgressPolicy facade usage, and verification steps. Dependencies: DOCS-AIRGAP-56-001. | Docs Guild, DevOps Guild (docs)
+DOCS-AIRGAP-56-003 | TODO | Create `/docs/airgap/mirror-bundles.md` describing bundle format, DSSE/TUF/Merkle validation, creation/import workflows. Dependencies: DOCS-AIRGAP-56-002. | Docs Guild, Exporter Guild (docs)
+DOCS-AIRGAP-56-004 | TODO | Publish `/docs/airgap/bootstrap.md` detailing Bootstrap Pack creation, validation, and install procedures. Dependencies: DOCS-AIRGAP-56-003. | Docs Guild, Deployment Guild (docs)
+DOCS-AIRGAP-57-001 | TODO | Write `/docs/airgap/staleness-and-time.md` explaining time anchors, drift policies, staleness budgets, and UI indicators. Dependencies: DOCS-AIRGAP-56-004. | Docs Guild, AirGap Time Guild (docs)
+DOCS-AIRGAP-57-002 | TODO | Publish `/docs/console/airgap.md` covering sealed badge, import wizard, staleness dashboards. Dependencies: DOCS-AIRGAP-57-001. | Docs Guild, Console Guild (docs)
+DOCS-SCANNER-DET-01 | DOING (2025-11-09) | Author `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates describing fragment DSSE, `_composition.json`, and offline verification (ties to Sprint 136 tasks). Draft spec seeded in repo; remaining work covers guide updates + review. | Docs Guild, Scanner Guild (docs)
+DOCS-POLICY-DET-01 | TODO | Extend `docs/modules/policy/architecture.md` with determinism gate semantics, SPL examples, and provenance references for UI badge/policy blockers. | Docs Guild, Policy Guild (docs)
+DOCS-CLI-DET-01 | TODO | Document new `stella sbomer` verbs (`layer`, `compose`, `drift`, `verify`) with examples, exit codes, and Offline Kit instructions in `docs/cli/commands/sbomer.md`. Dependencies: CLI-SBOM-60-001/002. | Docs Guild, DevEx/CLI Guild (docs)