feat(telemetry): add telemetry client and services for tracking events

- Implemented TelemetryClient to handle event queuing and flushing to the telemetry endpoint.
- Created TtfsTelemetryService for emitting specific telemetry events related to TTFS.
- Added tests for TelemetryClient to ensure event queuing and flushing functionality.
- Introduced models for reachability drift detection, including DriftResult and DriftedSink.
- Developed DriftApiService for interacting with the drift detection API.
- Updated FirstSignalCardComponent to emit telemetry events on signal appearance.
- Enhanced localization support for first signal component with i18n strings.
This commit is contained in:
master
2025-12-18 16:19:16 +02:00
parent 00d2c99af9
commit 811f35cba7
114 changed files with 13702 additions and 268 deletions

View File

@@ -72,12 +72,12 @@ stellaops verify offline \
| 2 | T2 | DONE | Implemented `OfflineCommandGroup` and wired into `CommandFactory`. | DevEx/CLI Guild | Create `OfflineCommandGroup` class. |
| 3 | T3 | DONE | Implemented `offline import` with manifest/hash validation, monotonicity checks, and quarantine hooks. | DevEx/CLI Guild | Implement `offline import` command (core import flow). |
| 4 | T4 | DONE | Implemented `--verify-dsse` via `DsseVerifier` (requires `--trust-root`) and added tests. | DevEx/CLI Guild | Add `--verify-dsse` flag handler. |
| 5 | T5 | DOING | Implement offline Rekor receipt inclusion proof + checkpoint signature verification per `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §13. | DevEx/CLI Guild | Add `--verify-rekor` flag handler. |
| 5 | T5 | DONE | Implement offline Rekor receipt inclusion proof + checkpoint signature verification per `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §13. | DevEx/CLI Guild | Add `--verify-rekor` flag handler. |
| 6 | T6 | DONE | Implemented deterministic trust-root loading (`--trust-root`). | DevEx/CLI Guild | Add `--trust-root` option. |
| 7 | T7 | DONE | Enforced `--force-reason` when forcing activation and persisted justification. | DevEx/CLI Guild | Add `--force-activate` flag. |
| 8 | T8 | DONE | Implemented `offline status` with table/json outputs. | DevEx/CLI Guild | Implement `offline status` command. |
| 9 | T9 | DOING | Implement `verify offline` using the policy schema in `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` §4 plus deterministic evidence reconciliation outputs. | DevEx/CLI Guild | Implement `verify offline` command. |
| 10 | T10 | DOING | Add YAML+JSON policy loader with deterministic parsing/canonicalization rules; share with AirGap reconciliation. | DevEx/CLI Guild | Add `--policy` option parser. |
| 9 | T9 | DONE | Implement `verify offline` using the policy schema in `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` §4 plus deterministic evidence reconciliation outputs. | DevEx/CLI Guild | Implement `verify offline` command. |
| 10 | T10 | DONE | Add YAML+JSON policy loader with deterministic parsing/canonicalization rules; share with AirGap reconciliation. | DevEx/CLI Guild | Add `--policy` option parser. |
| 11 | T11 | DONE | Standardized `--output table|json` formatting for offline verbs. | DevEx/CLI Guild | Create output formatters (table, json). |
| 12 | T12 | DONE | Added progress reporting for bundle hashing when bundle size exceeds threshold. | DevEx/CLI Guild | Implement progress reporting. |
| 13 | T13 | DONE | Implemented offline exit codes (`OfflineExitCodes`). | DevEx/CLI Guild | Add exit code standardization. |
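Review bot: The T5, T9 and T10 rows flip to DONE but keep their planning wording ("Implement ..."), while every other DONE row in this table records what actually landed ("Implemented `DsseVerifier` ...", "Implemented deterministic trust-root loading"). Rewrite the three rows in the same form and name the verifier and policy-loader types that shipped, e.g. "Implemented offline Rekor receipt verification (inclusion proof + checkpoint signature) per ... §13", so the table stays a record of what exists rather than of the plan.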
@@ -628,7 +628,7 @@ public static class OfflineExitCodes
- [x] `--bundle` is required; error if not provided
- [x] Bundle file must exist; clear error if missing
- [x] `--verify-dsse` integrates with `DsseVerifier`
- [ ] `--verify-rekor` uses offline Rekor snapshot
- [x] `--verify-rekor` uses offline Rekor snapshot
- [x] `--trust-root` loads public key from file
- [x] `--force-activate` without `--force-reason` fails with helpful message
- [x] Force activation logs to audit trail
@@ -647,14 +647,14 @@ public static class OfflineExitCodes
- [x] Shows quarantine count if > 0
### `verify offline`
- [ ] `--evidence-dir` is required
- [ ] `--artifact` accepts sha256:... format
- [ ] `--policy` supports YAML and JSON
- [ ] Loads keys from evidence directory
- [ ] Verifies DSSE signatures offline
- [ ] Checks tlog inclusion proofs offline
- [ ] Reports policy violations clearly
- [ ] Exit code 0 on pass, 12 on fail
- [x] `--evidence-dir` is required
- [x] `--artifact` accepts sha256:... format
- [x] `--policy` supports YAML and JSON
- [x] Loads keys from evidence directory
- [x] Verifies DSSE signatures offline
- [x] Checks tlog inclusion proofs offline
- [x] Reports policy violations clearly
- [x] Exit code 0 on pass, 12 on fail
### Testing Strategy
@@ -675,13 +675,14 @@ public static class OfflineExitCodes
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Offline Rekor verification contract missing/incomplete | Cannot meet `--verify-rekor` acceptance criteria. | Define/land offline inclusion proof verification contract/library and wire into CLI. | DevEx/CLI | Blocked |
| Offline Rekor verification contract missing/incomplete | Cannot meet `--verify-rekor` acceptance criteria. | Define/land offline inclusion proof verification contract/library and wire into CLI. | DevEx/CLI | Closed |
| `.tar.zst` payload inspection not implemented | Limited local validation (hash/sidecar checks only). | Add deterministic Zstd+tar inspection path (or reuse existing bundle tooling) and cover with tests. | DevEx/CLI | Open |
| `verify offline` policy schema unclear | Risk of implementing an incompatible policy loader/verifier. | Define policy schema + canonicalization/evaluation rules; then implement `verify offline` and `--policy`. | DevEx/CLI | Blocked |
| `verify offline` policy schema unclear | Risk of implementing an incompatible policy loader/verifier. | Define policy schema + canonicalization/evaluation rules; then implement `verify offline` and `--policy`. | DevEx/CLI | Closed |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-18 | Completed T5/T9/T10 (offline Rekor verifier, `verify offline`, YAML/JSON policy loader); validated via `dotnet test src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj -c Release`. | Agent |
| 2025-12-17 | Unblocked T5/T9/T10 by adopting the published offline policy schema (A12) and Rekor receipt contract (Rekor Technical Reference §13); started implementation of offline Rekor inclusion proof verification and `verify offline`. | Agent |
| 2025-12-15 | Implemented `offline import/status` (+ exit codes, state storage, quarantine hooks), added docs and tests; validated with `dotnet test src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj -c Release`; marked T5/T9/T10 BLOCKED pending verifier/policy contracts. | DevEx/CLI |
| 2025-12-15 | Normalised sprint file to standard template; set T1 to DOING. | Planning · DevEx/CLI |
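Review bot: The new 2025-12-18 log entry reports `verify offline` complete while the `.tar.zst` payload inspection risk a few rows above stays Open with "hash/sidecar checks only"; state in the log entry that `verify offline` currently validates `.tar.zst` bundles by hash and sidecar only, so the completion claim and the open risk are not read as contradicting each other. The two rows now marked Closed should also say what closed them (the §13 receipt contract and the A12 policy schema that the 2025-12-17 entry names) instead of keeping the original "Define/land ..." mitigation text.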

View File

@@ -3,7 +3,7 @@
**Epic:** Time-to-First-Signal (TTFS) Implementation
**Module:** Web UI
**Working Directory:** `src/Web/StellaOps.Web/src/app/`
**Status:** DOING
**Status:** DONE
**Created:** 2025-12-14
**Target Completion:** TBD
**Depends On:** SPRINT_0339_0001_0001 (First Signal API)
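Review bot: `**Status:** DONE` is set while `**Target Completion:** TBD` is left in place; fill in the completion date (the execution log further down records 2025-12-18) so a sprint marked DONE does not carry a TBD target.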
@@ -49,15 +49,15 @@ This sprint implements the `FirstSignalCard` Angular component that displays the
| T6 | Create FirstSignalCard styles | — | DONE | `src/Web/StellaOps.Web/src/app/features/runs/components/first-signal-card/first-signal-card.component.scss` |
| T7 | Implement SSE integration | — | DONE | Uses run stream SSE (`first_signal`) via `EventSourceFactory`; requires `tenant` query fallback in Orchestrator stream endpoints. |
| T8 | Implement polling fallback | — | DONE | `FirstSignalStore` starts polling (default 5s) when SSE errors. |
| T9 | Implement TTFS telemetry | | DOING | Implement Web telemetry client + TTFS event emission (`ttfs_start`, `ttfs_signal_rendered`) with sampling and offline-safe buffering. |
| T9 | Implement TTFS telemetry | Agent | DONE | Implemented `TelemetryClient` + TTFS event emission (`ttfs_start`, `ttfs_signal_rendered`) with offline queueing + flush. |
| T10 | Create prefetch service | — | DONE | `src/Web/StellaOps.Web/src/app/features/runs/services/first-signal-prefetch.service.ts` |
| T11 | Integrate into run detail page | — | DONE | Integrated into `src/Web/StellaOps.Web/src/app/features/console/console-status.component.html` as interim run-surface. |
| T12 | Create Storybook stories | — | DONE | `src/Web/StellaOps.Web/src/stories/runs/first-signal-card.stories.ts` |
| T13 | Create unit tests | — | DONE | `src/Web/StellaOps.Web/src/app/core/api/first-signal.store.spec.ts` |
| T14 | Create e2e tests | — | DONE | `src/Web/StellaOps.Web/tests/e2e/first-signal-card.spec.ts` |
| T15 | Create accessibility tests | — | DONE | `src/Web/StellaOps.Web/tests/e2e/a11y-smoke.spec.ts` includes `/console/status`. |
| T16 | Configure telemetry sampling | | DOING | Wire `AppConfig.telemetry.sampleRate` into telemetry client sampling decisions and expose defaults in config. |
| T17 | Add i18n keys for micro-copy | — | DOING | Add i18n framework and migrate FirstSignalCard micro-copy to translation keys (EN baseline). |
| T16 | Configure telemetry sampling | Agent | DONE | Wired `AppConfig.telemetry.sampleRate` into `TelemetrySamplerService` decisions; config normalization clamps defaults. |
| T17 | Add i18n keys for micro-copy | Agent | DONE | Created `I18nService`, `TranslatePipe`, added `firstSignal.*` keys to `micro-interactions.en.json`, migrated FirstSignalCard template. |
---
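Review bot: The T9 note says "offline queueing + flush" but not whether the queue is bounded, where queued events are stored, or what happens when the endpoint stays unreachable; record the queue cap, the drop policy and the storage location, since an unbounded telemetry buffer in the browser is both a storage and a data-retention concern. T16's "config normalization clamps defaults" should state the clamp range applied to `AppConfig.telemetry.sampleRate`. The three new rows also use Owner `Agent` where every other DONE row in the table uses `—`; pick one convention.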
@@ -1780,5 +1780,6 @@ npx ngx-translate-extract \
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-15 | Implemented FirstSignalCard + store/client, quickstart mock, Storybook story, unit/e2e/a11y coverage; added Orchestrator stream tenant query fallback; marked telemetry/i18n tasks BLOCKED pending platform decisions. | Agent |
| 2025-12-18 | Completed T9/T16 (telemetry client + sampling) and refreshed T17 (i18n keys, FirstSignalCard micro-copy); added unit specs. | Agent |
| 2025-12-17 | Unblocked T9/T16/T17 by selecting a Web telemetry+sampling contract and adding an i18n framework; started implementation and test updates. | Agent |
| 2025-12-15 | Implemented FirstSignalCard + store/client, quickstart mock, Storybook story, unit/e2e/a11y coverage; added Orchestrator stream tenant query fallback; marked telemetry/i18n tasks BLOCKED pending platform decisions. | Agent |
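Review bot: The 2025-12-15 row appears twice in this hunk with identical text, once in its old position and once below the two new rows, which suggests a whitespace or line-ending change on that line; if so, drop that churn so only the two new rows show in the diff. The two added rows do keep the log's newest-first order, which is correct.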

View File

@@ -61,7 +61,7 @@ Per advisory §5:
| T5 | Implement SBOM collector (CycloneDX, SPDX) | DONE | Agent | `CycloneDxParser`, `SpdxParser`, `SbomParserFactory`, `SbomCollector` in Reconciliation/Parsers. |
| T6 | Implement attestation collector | DONE | Agent | `IAttestationParser`, `DsseAttestationParser`, `AttestationCollector` in Reconciliation/Parsers. |
| T7 | Integrate with `DsseVerifier` for validation | DONE | Agent | `AttestationCollector` integrates with `DsseVerifier` for DSSE signature verification. |
| T8 | Integrate with Rekor offline verifier | DOING | Agent | Implement offline Rekor receipt verifier (Merkle inclusion + checkpoint signature) and wire into AttestationCollector when `VerifyRekorProofs=true`. |
| T8 | Integrate with Rekor offline verifier | DONE | Agent | Implement offline Rekor receipt verifier (Merkle inclusion + checkpoint signature) and wire into AttestationCollector when `VerifyRekorProofs=true`. |
| **Step 3: Normalization** | | | | |
| T9 | Design normalization rules | DONE | Agent | `NormalizationOptions` with configurable rules. |
| T10 | Implement stable JSON sorting | DONE | Agent | `JsonNormalizer.NormalizeObject()` with ordinal key sorting. |
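Review bot: The T8 row still reads "Implement offline Rekor receipt verifier ... when `VerifyRekorProofs=true`" after flipping to DONE, whereas the other DONE rows name the types that landed (`DsseAttestationParser`, `AttestationCollector`). Name the verifier type, state the default of `VerifyRekorProofs`, and say what `AttestationCollector` does with a receipt when the flag is false (ignored, or recorded as unverified), because that decides whether an attestation without a valid inclusion proof can pass reconciliation.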
@@ -77,10 +77,10 @@ Per advisory §5:
| T18 | Design `EvidenceGraph` schema | DONE | Agent | `EvidenceGraph`, `EvidenceNode`, `EvidenceEdge` models. |
| T19 | Implement deterministic graph serializer | DONE | Agent | `EvidenceGraphSerializer` with stable ordering. |
| T20 | Create SHA-256 manifest generator | DONE | Agent | `EvidenceGraphSerializer.ComputeHash()` writes `evidence-graph.sha256`. |
| T21 | Integrate DSSE signing for output | DOING | Agent | Implement local DSSE signing of `evidence-graph.json` using `StellaOps.Attestor.Envelope` + ECDSA PEM key option; keep output deterministic. |
| T21 | Integrate DSSE signing for output | DONE | Agent | Implement local DSSE signing of `evidence-graph.json` using `StellaOps.Attestor.Envelope` + ECDSA PEM key option; keep output deterministic. |
| **Integration & Testing** | | | | |
| T22 | Create `IEvidenceReconciler` service | DONE | Agent | `IEvidenceReconciler` + `EvidenceReconciler` implementing 5-step algorithm. |
| T23 | Wire to CLI `verify offline` command | DOING | Agent | CLI `verify offline` calls reconciler and returns deterministic pass/fail + violations; shared policy loader. |
| T23 | Wire to CLI `verify offline` command | DONE | Agent | CLI `verify offline` calls reconciler and returns deterministic pass/fail + violations; shared policy loader. |
| T24 | Write golden-file tests | DONE | Agent | `CycloneDxParserTests`, `SpdxParserTests`, `DsseAttestationParserTests` with fixtures. |
| T25 | Write property-based tests | DONE | Agent | `SourcePrecedenceLatticePropertyTests` verifying lattice algebraic properties. |
| T26 | Update documentation | DONE | Agent | Created `docs/modules/airgap/evidence-reconciliation.md`. |
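Review bot: T21 pairs "ECDSA PEM key option" with "keep output deterministic"; plain ECDSA draws a random nonce per signature, so the signature bytes in the DSSE envelope will differ on every run unless deterministic nonces (RFC 6979) are used. Say which is meant: a deterministic `evidence-graph.json` and `evidence-graph.sha256` with a non-deterministic envelope signature, or a deterministic signing scheme. The row should also note that the PEM key path is not echoed into the signed output or logs.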
@@ -976,6 +976,7 @@ public sealed record ReconciliationResult(
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-18 | Completed T8/T21/T23 (Rekor offline verifier integration, deterministic DSSE signing output, CLI wiring); validated via `dotnet test src/AirGap/__Tests/StellaOps.AirGap.Importer.Tests/StellaOps.AirGap.Importer.Tests.csproj -c Release`. | Agent |
| 2025-12-15 | Normalised sprint headings toward the standard template; set `T1` to `DOING` and began implementation. | Agent |
| 2025-12-15 | Implemented `ArtifactIndex` + canonical digest normalization (`T1`, `T3`) with unit tests. | Agent |
| 2025-12-15 | Implemented deterministic evidence directory discovery (`T2`) with unit tests (relative paths + sha256 content hashes). | Agent |

View File

@@ -44,15 +44,15 @@ Integrate EPSS v4 data into the Scanner WebService for vulnerability scoring and
| # | Task ID | Status | Owner | Est | Description |
|---|---------|--------|-------|-----|-------------|
| 1 | EPSS-SCAN-001 | DONE | Agent | 2h | Create Scanner EPSS database schema (008_epss_integration.sql) |
| 2 | EPSS-SCAN-002 | TODO | Backend | 2h | Create `EpssEvidence` record type |
| 3 | EPSS-SCAN-003 | TODO | Backend | 4h | Implement `IEpssProvider` interface |
| 4 | EPSS-SCAN-004 | TODO | Backend | 4h | Implement `EpssProvider` with PostgreSQL lookup |
| 2 | EPSS-SCAN-002 | DONE | Agent | 2h | Create `EpssEvidence` record type |
| 3 | EPSS-SCAN-003 | DONE | Agent | 4h | Implement `IEpssProvider` interface |
| 4 | EPSS-SCAN-004 | DONE | Agent | 4h | Implement `EpssProvider` with PostgreSQL lookup |
| 5 | EPSS-SCAN-005 | TODO | Backend | 2h | Add optional Valkey cache layer |
| 6 | EPSS-SCAN-006 | TODO | Backend | 4h | Integrate EPSS into `ScanProcessor` |
| 7 | EPSS-SCAN-007 | TODO | Backend | 2h | Add EPSS weight to scoring configuration |
| 8 | EPSS-SCAN-008 | TODO | Backend | 4h | Implement `GET /epss/current` bulk lookup API |
| 9 | EPSS-SCAN-009 | TODO | Backend | 2h | Implement `GET /epss/history` time-series API |
| 10 | EPSS-SCAN-010 | TODO | Backend | 4h | Unit tests for EPSS provider |
| 7 | EPSS-SCAN-007 | DONE | — | 2h | Add EPSS weight to scoring configuration (EpssMultiplier in ScoreExplanationWeights) |
| 8 | EPSS-SCAN-008 | DONE | Agent | 4h | Implement `GET /epss/current` bulk lookup API |
| 9 | EPSS-SCAN-009 | DONE | Agent | 2h | Implement `GET /epss/history` time-series API |
| 10 | EPSS-SCAN-010 | DONE | Agent | 4h | Unit tests for EPSS provider (13 tests passing) |
| 11 | EPSS-SCAN-011 | TODO | Backend | 4h | Integration tests for EPSS endpoints |
| 12 | EPSS-SCAN-012 | DONE | Agent | 2h | Create EPSS integration architecture doc |
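Review bot: EPSS-SCAN-007 is marked DONE with Owner `—` while the other DONE rows say `Agent`; fill in the owner. EPSS-SCAN-008/009 (`GET /epss/current`, `GET /epss/history`) are DONE while EPSS-SCAN-011 (integration tests for those endpoints) stays TODO; consider pulling 011 into this batch so the bulk lookup endpoint ships with request-size and input-validation coverage rather than only the provider unit tests.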

View File

@@ -39,13 +39,13 @@ This sprint implements live EPSS enrichment for existing vulnerability instances
|---|--------|------|-------|
| 1 | TODO | Implement `EpssEnrichmentJob` service | Core enrichment logic |
| 2 | TODO | Create `vuln_instance_triage` schema updates | Add `current_epss_*` columns |
| 3 | TODO | Implement `epss_changes` flag logic | NEW_SCORED, CROSSED_HIGH, BIG_JUMP, DROPPED_LOW |
| 3 | DONE | Implement `epss_changes` flag logic | `EpssChangeFlags` enum with NEW_SCORED, CROSSED_HIGH, BIG_JUMP, DROPPED_LOW |
| 4 | TODO | Add efficient targeting filter | Only update instances with flags set |
| 5 | TODO | Implement priority band calculation | Map percentile to CRITICAL/HIGH/MEDIUM/LOW |
| 5 | DONE | Implement priority band calculation | `EpssPriorityCalculator` maps percentile to CRITICAL/HIGH/MEDIUM/LOW |
| 6 | TODO | Emit `vuln.priority.changed` event | Only when band changes |
| 7 | TODO | Add configurable thresholds | `HighPercentile`, `HighScore`, `BigJumpDelta` |
| 7 | DONE | Add configurable thresholds | `EpssEnrichmentOptions` with HighPercentile, HighScore, BigJumpDelta, etc. |
| 8 | TODO | Implement bulk update optimization | Batch updates for performance |
| 9 | TODO | Add `EpssEnrichmentOptions` configuration | Environment-specific settings |
| 9 | DONE | Add `EpssEnrichmentOptions` configuration | Environment-specific settings in Scanner.Core.Configuration |
| 10 | TODO | Create unit tests for enrichment logic | Flag detection, band calculation |
| 11 | TODO | Create integration tests | End-to-end enrichment flow |
| 12 | TODO | Add Prometheus metrics | `epss_enrichment_*` metrics |
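Review bot: Tasks 3, 5 and 7 (change flags, priority bands, thresholds) are DONE while task 10 (unit tests for flag detection and band calculation) stays TODO; the threshold boundaries (`HighPercentile`, `HighScore`, `BigJumpDelta`) are exactly the values tests should pin, so the tests should land with the logic. Task 9's note should also list the default values `EpssEnrichmentOptions` ships with.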

View File

@@ -75,7 +75,7 @@ public enum BuildIdConfidence { Exact, Inferred, Heuristic }
| 5 | BID-005 | DONE | Implement NDJSON parsing |
| 6 | BID-006 | TODO | Implement DSSE signature verification |
| 7 | BID-007 | DONE | Implement batch lookup |
| 8 | BID-008 | TODO | Add to OfflineKitOptions |
| 8 | BID-008 | DONE | Add BuildIdIndexPath + RequireBuildIdIndexSignature to OfflineKitOptions |
| 9 | BID-009 | DONE | Unit tests (19 tests) |
| 10 | BID-010 | TODO | Integration tests |
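Review bot: BID-008 adds `RequireBuildIdIndexSignature` to `OfflineKitOptions` while BID-006 (DSSE signature verification) is still TODO, so the option currently has nothing to enforce. Until BID-006 lands, loading an index with `RequireBuildIdIndexSignature=true` must fail closed (reject the index) rather than accept it unverified, and the row should state the option's default.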

View File

@@ -56,18 +56,26 @@ public sealed record NativeBinaryMetadata {
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | BSE-001 | TODO | Create INativeComponentEmitter |
| 2 | BSE-002 | TODO | Create NativeComponentEmitter |
| 3 | BSE-003 | TODO | Create NativePurlBuilder |
| 4 | BSE-004 | TODO | Create NativeComponentMapper |
| 5 | BSE-005 | TODO | Add NativeBinaryMetadata |
| 1 | BSE-001 | DONE | Create INativeComponentEmitter |
| 2 | BSE-002 | DONE | Create NativeComponentEmitter |
| 3 | BSE-003 | DONE | Create NativePurlBuilder |
| 4 | BSE-004 | DONE | Create NativeComponentMapper (layer fragment generation) |
| 5 | BSE-005 | DONE | Add NativeBinaryMetadata (with Imports/Exports) |
| 6 | BSE-006 | TODO | Update CycloneDxComposer |
| 7 | BSE-007 | TODO | Add stellaops:binary.* properties |
| 8 | BSE-008 | TODO | Unit tests |
| 8 | BSE-008 | DONE | Unit tests (22 tests passing) |
| 9 | BSE-009 | TODO | Integration tests |
---
## Execution Log
| Date | Update | Owner |
|------|--------|-------|
| 2025-12-18 | Created NativeBinaryMetadata, NativePurlBuilder, INativeComponentEmitter, NativeComponentEmitter. Created 22 tests. Fixed dependency issues in Reachability and SmartDiff. 5/9 tasks DONE. | Agent |
---
## Acceptance Criteria
- [ ] Native binaries appear as `file` type components
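Review bot: The execution log says "5/9 tasks DONE" but the table marks six rows DONE (BSE-001 to BSE-005 and BSE-008); correct the count. The same entry mentions "Fixed dependency issues in Reachability and SmartDiff", which is outside this sprint; say what changed there or reference the change, since a dependency edit in Reachability affects other sprints' builds.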

View File

@@ -45,9 +45,9 @@ Extend the Unknowns registry with native binary-specific classification reasons,
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | NUC-001 | TODO | Add UnknownKind enum values |
| 2 | NUC-002 | TODO | Create NativeUnknownContext |
| 3 | NUC-003 | TODO | Create NativeUnknownClassifier |
| 1 | NUC-001 | DONE | Add UnknownKind enum values (MissingBuildId, UnknownBuildId, UnresolvedNativeLibrary, HeuristicDependency, UnsupportedBinaryFormat) |
| 2 | NUC-002 | DONE | Create NativeUnknownContext model |
| 3 | NUC-003 | DONE | Create NativeUnknownClassifier service |
| 4 | NUC-004 | TODO | Integration with native analyzer |
| 5 | NUC-005 | TODO | Unit tests |

View File

@@ -51,10 +51,10 @@ public sealed class NativeAnalyzerOptions
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | NAI-001 | TODO | Create NativeAnalyzerExecutor |
| 2 | NAI-002 | TODO | Create NativeBinaryDiscovery |
| 1 | NAI-001 | DONE | Create NativeAnalyzerExecutor |
| 2 | NAI-002 | DONE | Create NativeBinaryDiscovery |
| 3 | NAI-003 | TODO | Update CompositeScanAnalyzerDispatcher |
| 4 | NAI-004 | TODO | Add ScannerWorkerOptions.NativeAnalyzers |
| 4 | NAI-004 | DONE | Add ScannerWorkerOptions.NativeAnalyzers |
| 5 | NAI-005 | TODO | Integration tests |
---

View File

@@ -787,15 +787,15 @@ public sealed class DriftSarifGenerator
| # | Task ID | Status | Description | Notes |
|---|---------|--------|-------------|-------|
| 1 | UI-001 | TODO | Create PathNode TypeScript interface | Angular model |
| 2 | UI-002 | TODO | Create CompressedPath TypeScript interface | Angular model |
| 1 | UI-001 | DONE | Create PathNode TypeScript interface | `path-viewer.models.ts` |
| 2 | UI-002 | DONE | Create CompressedPath TypeScript interface | `path-viewer.models.ts` |
| 3 | UI-003 | TODO | Create PathViewerComponent | Core visualization |
| 4 | UI-004 | TODO | Style PathViewerComponent | SCSS styling |
| 5 | UI-005 | TODO | Create DriftedSink TypeScript interface | Angular model |
| 6 | UI-006 | TODO | Create DriftResult TypeScript interface | Angular model |
| 5 | UI-005 | DONE | Create DriftedSink TypeScript interface | `drift.models.ts` |
| 6 | UI-006 | DONE | Create DriftResult TypeScript interface | `drift.models.ts` |
| 7 | UI-007 | TODO | Create RiskDriftCardComponent | Summary card |
| 8 | UI-008 | TODO | Style RiskDriftCardComponent | SCSS styling |
| 9 | UI-009 | TODO | Create drift API service | Angular HTTP service |
| 9 | UI-009 | DONE | Create drift API service | `drift-api.service.ts` |
| 10 | UI-010 | TODO | Integrate PathViewer into scan details | Page integration |
| 11 | UI-011 | TODO | Integrate RiskDriftCard into PR view | Page integration |
| 12 | UI-012 | TODO | Unit tests for PathViewerComponent | Jest tests |

View File

@@ -87,13 +87,13 @@ Final multiplier: 30%
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | PES-001 | TODO | Create PathExplanationModels |
| 2 | PES-002 | TODO | Create PathExplanationService |
| 3 | PES-003 | TODO | Create PathRenderer (text) |
| 4 | PES-004 | TODO | Create PathRenderer (markdown) |
| 5 | PES-005 | TODO | Create PathRenderer (json) |
| 1 | PES-001 | DONE | Create PathExplanationModels |
| 2 | PES-002 | DONE | Create PathExplanationService |
| 3 | PES-003 | DONE | Create PathRenderer (text) |
| 4 | PES-004 | DONE | Create PathRenderer (markdown) |
| 5 | PES-005 | DONE | Create PathRenderer (json) |
| 6 | PES-006 | TODO | Add CLI command: stella graph explain |
| 7 | PES-007 | TODO | Unit tests |
| 7 | PES-007 | DONE | Unit tests |
---

View File

@@ -86,13 +86,13 @@ Edge Bundles: 2 verified
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | CGV-001 | TODO | Create GraphVerifyCommand |
| 2 | CGV-002 | TODO | Implement DSSE verification |
| 3 | CGV-003 | TODO | Implement --include-bundles |
| 4 | CGV-004 | TODO | Implement --rekor-proof |
| 5 | CGV-005 | TODO | Implement --cas-root offline mode |
| 6 | CGV-006 | TODO | Create GraphBundlesCommand |
| 7 | CGV-007 | TODO | Create GraphExplainCommand |
| 1 | CGV-001 | DONE | Create GraphVerifyCommand |
| 2 | CGV-002 | DONE | Implement DSSE verification |
| 3 | CGV-003 | DONE | Implement --include-bundles |
| 4 | CGV-004 | DONE | Implement --rekor-proof |
| 5 | CGV-005 | DONE | Implement --cas-root offline mode |
| 6 | CGV-006 | DONE | Create GraphBundlesCommand |
| 7 | CGV-007 | TODO | Create GraphExplainCommand (uses existing explain) |
| 8 | CGV-008 | TODO | Unit tests |
---
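Review bot: CGV-002 (DSSE verification), CGV-004 (`--rekor-proof`) and CGV-005 (`--cas-root` offline mode) are DONE while CGV-008 (unit tests) stays TODO; for verification commands the negative paths (tampered payload, wrong key, inclusion proof that does not match the checkpoint, missing CAS object) are the tests that matter, so they should land before the commands are treated as complete.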

View File

@@ -88,24 +88,24 @@ Before starting, read:
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | SURF-001 | TODO | Create StellaOps.Scanner.VulnSurfaces project |
| 2 | SURF-002 | TODO | Create IPackageDownloader interface |
| 3 | SURF-003 | TODO | Implement NuGetPackageDownloader |
| 1 | SURF-001 | DONE | Create StellaOps.Scanner.VulnSurfaces project |
| 2 | SURF-002 | DONE | Create IPackageDownloader interface |
| 3 | SURF-003 | DONE | Implement NuGetPackageDownloader |
| 4 | SURF-004 | TODO | Implement NpmPackageDownloader |
| 5 | SURF-005 | TODO | Implement MavenPackageDownloader |
| 6 | SURF-006 | TODO | Implement PyPIPackageDownloader |
| 7 | SURF-007 | TODO | Create IMethodFingerprinter interface |
| 8 | SURF-008 | TODO | Implement CecilMethodFingerprinter (.NET IL hash) |
| 7 | SURF-007 | DONE | Create IMethodFingerprinter interface |
| 8 | SURF-008 | DONE | Implement CecilMethodFingerprinter (.NET IL hash) |
| 9 | SURF-009 | TODO | Implement BabelMethodFingerprinter (Node.js AST) |
| 10 | SURF-010 | TODO | Implement AsmMethodFingerprinter (Java bytecode) |
| 11 | SURF-011 | TODO | Implement PythonAstFingerprinter |
| 12 | SURF-012 | TODO | Create MethodKey normalizer per ecosystem |
| 13 | SURF-013 | TODO | Create MethodDiffEngine service |
| 13 | SURF-013 | DONE | Create MethodDiffEngine service |
| 14 | SURF-014 | TODO | Create 011_vuln_surfaces.sql migration |
| 15 | SURF-015 | TODO | Create VulnSurface, VulnSurfaceSink models |
| 15 | SURF-015 | DONE | Create VulnSurface, VulnSurfaceSink models |
| 16 | SURF-016 | TODO | Create PostgresVulnSurfaceRepository |
| 17 | SURF-017 | TODO | Create VulnSurfaceBuilder orchestrator service |
| 18 | SURF-018 | TODO | Create IVulnSurfaceBuilder interface |
| 17 | SURF-017 | DONE | Create VulnSurfaceBuilder orchestrator service |
| 18 | SURF-018 | DONE | Create IVulnSurfaceBuilder interface |
| 19 | SURF-019 | TODO | Add surface builder metrics |
| 20 | SURF-020 | TODO | Create NuGetDownloaderTests |
| 21 | SURF-021 | TODO | Create CecilFingerprinterTests |
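Review bot: SURF-003 (`NuGetPackageDownloader`) is DONE while SURF-020 (`NuGetDownloaderTests`) is TODO; the row should also say how a downloaded package is integrity-checked (content hash pinned to the requested version) before `CecilMethodFingerprinter` hashes its IL, since a vulnerability surface is only as trustworthy as the package bytes it was computed from.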

View File

@@ -76,20 +76,20 @@ Extract **trigger methods** from vulnerability surfaces:
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | TRIG-001 | TODO | Create IInternalCallGraphBuilder interface |
| 2 | TRIG-002 | TODO | Implement CecilInternalGraphBuilder (.NET) |
| 1 | TRIG-001 | DONE | Create IInternalCallGraphBuilder interface |
| 2 | TRIG-002 | DONE | Implement CecilInternalGraphBuilder (.NET) |
| 3 | TRIG-003 | TODO | Implement BabelInternalGraphBuilder (Node.js) |
| 4 | TRIG-004 | TODO | Implement AsmInternalGraphBuilder (Java) |
| 5 | TRIG-005 | TODO | Implement PythonAstInternalGraphBuilder |
| 6 | TRIG-006 | TODO | Create VulnSurfaceTrigger model |
| 7 | TRIG-007 | TODO | Create ITriggerMethodExtractor interface |
| 8 | TRIG-008 | TODO | Implement TriggerMethodExtractor service |
| 9 | TRIG-009 | TODO | Implement forward BFS from public methods to sinks |
| 6 | TRIG-006 | DONE | Create VulnSurfaceTrigger model |
| 7 | TRIG-007 | DONE | Create ITriggerMethodExtractor interface |
| 8 | TRIG-008 | DONE | Implement TriggerMethodExtractor service |
| 9 | TRIG-009 | DONE | Implement forward BFS from public methods to sinks |
| 10 | TRIG-010 | TODO | Store trigger→sink paths in vuln_surface_triggers |
| 11 | TRIG-011 | TODO | Add interface/base method expansion |
| 11 | TRIG-011 | DONE | Add interface/base method expansion |
| 12 | TRIG-012 | TODO | Update VulnSurfaceBuilder to call trigger extraction |
| 13 | TRIG-013 | TODO | Add trigger_count to vuln_surfaces table |
| 14 | TRIG-014 | TODO | Create TriggerMethodExtractorTests |
| 14 | TRIG-014 | DONE | Create TriggerMethodExtractorTests |
| 15 | TRIG-015 | TODO | Integration test with Newtonsoft.Json CVE |
---

View File

@@ -31,12 +31,12 @@ Implement the base `RichGraphBoundaryExtractor` that extracts boundary proof (ex
| Task | Status | Owner | Notes |
|------|--------|-------|-------|
| Create IBoundaryProofExtractor.cs | TODO | | Interface with context |
| Create RichGraphBoundaryExtractor.cs | TODO | | Base implementation |
| Create BoundaryExtractionContext.cs | TODO | | Environment context |
| Integrate with AuthGateDetector results | TODO | | Reuse existing detection |
| Add DI registration | TODO | | ServiceCollectionExtensions |
| Unit tests for extraction | TODO | | Various root types |
| Create IBoundaryProofExtractor.cs | DONE | Agent | Interface with Priority & CanHandle |
| Create RichGraphBoundaryExtractor.cs | DONE | Agent | Full implementation with surface/exposure inference |
| Create BoundaryExtractionContext.cs | DONE | Agent | Environment context with gates |
| Integrate with AuthGateDetector results | DONE | Agent | Uses DetectedGate from Gates folder |
| Add DI registration | DONE | Agent | BoundaryServiceCollectionExtensions |
| Unit tests for extraction | DONE | Agent | RichGraphBoundaryExtractorTests.cs |
## Implementation Details

View File

@@ -31,14 +31,14 @@ Implement the `PolicyDecisionAttestationService` that creates signed `stella.ops
| Task | Status | Owner | Notes |
|------|--------|-------|-------|
| Add StellaOpsPolicyDecision to PredicateTypes.cs | TODO | | Signer.Core |
| Create PolicyDecisionPredicate.cs | TODO | | Policy.Engine |
| Create IPolicyDecisionAttestationService.cs | TODO | | Interface |
| Create PolicyDecisionAttestationService.cs | TODO | | Implementation |
| Add configuration options | TODO | | PolicyDecisionAttestationOptions |
| Add DI registration | TODO | | ServiceCollectionExtensions |
| Unit tests for predicate creation | TODO | | |
| Integration tests with signing | TODO | | |
| Add StellaOpsPolicyDecision to PredicateTypes.cs | DONE | Agent | Added to allowed list |
| Create PolicyDecisionPredicate.cs | DONE | Agent | Full model with all records |
| Create IPolicyDecisionAttestationService.cs | DONE | Agent | Interface + request/result records |
| Create PolicyDecisionAttestationService.cs | DONE | Agent | Full impl with signer/rekor |
| Add configuration options | DONE | Agent | PolicyDecisionAttestationOptions |
| Add DI registration | DONE | Agent | AddPolicyDecisionAttestation ext |
| Unit tests for predicate creation | DONE | Agent | PolicyDecisionAttestationServiceTests |
| Integration tests with signing | TODO | | Requires live signer service |
## Implementation Details
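Review bot: The last row keeps "Integration tests with signing" TODO because it "Requires live signer service"; a test double for the signer interface would let the DSSE envelope shape and the Rekor submission path be exercised without a live service. Name the signer interface the "Full impl with signer/rekor" row depends on so the double can be written against it.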

View File

@@ -29,12 +29,12 @@ Create TypeScript models and API clients for the unified evidence API. These mod
| Task | Status | Owner | Notes |
|------|--------|-------|-------|
| Create triage-evidence.models.ts | TODO | | Mirror backend contracts |
| Create triage-evidence.client.ts | TODO | | HttpClient with caching |
| Create attestation-chain.models.ts | TODO | | DSSE envelope types |
| Create attestation-chain.client.ts | TODO | | Chain verification client |
| Update core/api/index.ts exports | TODO | | |
| Add unit tests for client | TODO | | Mock HTTP responses |
| Create triage-evidence.models.ts | DONE | Agent | Full model coverage with helpers |
| Create triage-evidence.client.ts | DONE | Agent | HttpClient with caching + mock client |
| Create attestation-chain.models.ts | DONE | Agent | DSSE, in-toto, Rekor types |
| Create attestation-chain.client.ts | DONE | Agent | Chain verification + mock client |
| Update core/api/index.ts exports | DONE | Agent | Created triage-api.index.ts barrel |
| Add unit tests for client | DONE | Agent | triage-evidence.client.spec.ts |
## Implementation Details
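Review bot: The task reads "Update core/api/index.ts exports" but the note says a separate `triage-api.index.ts` barrel was created; confirm whether `core/api/index.ts` re-exports it, otherwise the task is not done as written. The `attestation-chain.client.ts` row ("Chain verification + mock client") should say whether verification runs in the browser or only calls a backend endpoint, since client-side DSSE verification would require trust-root material to be shipped to the UI.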