Tests fixes, audit progress, UI completions

src/AirGap/StellaOps.AirGap.Importer/TASKS.md

@@ -0,0 +1,10 @@
+# AirGap Importer Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0026-M | DONE | Maintainability audit for StellaOps.AirGap.Importer. |
+| AUDIT-0026-T | DONE | Test coverage audit for StellaOps.AirGap.Importer. |
+| AUDIT-0026-A | TODO | Pending approval for changes. |

src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Analyzers.Tests/AGENTS.md

@@ -0,0 +1,19 @@
+# AirGap Policy Analyzers Tests Charter
+
+## Working Directory
+- `src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Analyzers.Tests`
+
+## Scope
+- Analyzer and code-fix tests for air-gap egress enforcement.
+
+## Required Reading
+- `docs/airgap/airgap-mode.md`
+- `docs/modules/platform/architecture-overview.md`
+- `src/AirGap/StellaOps.AirGap.Policy/AGENTS.md`
+
+## Working Agreements
+- Update task status in the sprint tracker and local `TASKS.md`.
+- Keep tests deterministic; avoid environment-dependent references.
+
+## Testing Rules
+- Cover diagnostics, suppression rules, and deterministic code-fix output.

src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Analyzers.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# AirGap Policy Analyzers Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0032-M | DONE | Maintainability audit for StellaOps.AirGap.Policy.Analyzers.Tests. |
+| AUDIT-0032-T | DONE | Test coverage audit for StellaOps.AirGap.Policy.Analyzers.Tests. |
+| AUDIT-0032-A | TODO | Pending approval for changes. |

src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Analyzers/AGENTS.md

@@ -0,0 +1,19 @@
+# AirGap Policy Analyzers Charter
+
+## Working Directory
+- `src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Analyzers`
+
+## Scope
+- Roslyn analyzer + code fix enforcing air-gap egress policy usage.
+
+## Required Reading
+- `docs/airgap/airgap-mode.md`
+- `docs/modules/platform/architecture-overview.md`
+- `src/AirGap/StellaOps.AirGap.Policy/AGENTS.md`
+
+## Working Agreements
+- Update task status in the sprint tracker and local `TASKS.md`.
+- Keep diagnostics deterministic and stable across builds.
+
+## Testing Rules
+- Analyzer and code-fix tests must cover expected diagnostics and fix output determinism.

src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Analyzers/TASKS.md

@@ -0,0 +1,10 @@
+# AirGap Policy Analyzers Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0031-M | DONE | Maintainability audit for StellaOps.AirGap.Policy.Analyzers. |
+| AUDIT-0031-T | DONE | Test coverage audit for StellaOps.AirGap.Policy.Analyzers. |
+| AUDIT-0031-A | TODO | Pending approval for changes. |

src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Tests/AGENTS.md

@@ -0,0 +1,19 @@
+# AirGap Policy Tests Charter
+
+## Working Directory
+- `src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Tests`
+
+## Scope
+- Unit tests for egress policy evaluation, configuration binding, and HttpClient enforcement.
+
+## Required Reading
+- `docs/airgap/airgap-mode.md`
+- `docs/modules/platform/architecture-overview.md`
+- `src/AirGap/StellaOps.AirGap.Policy/AGENTS.md`
+
+## Working Agreements
+- Update task status in the sprint tracker and local `TASKS.md`.
+- Keep tests deterministic; avoid wall-clock dependencies.
+
+## Testing Rules
+- Cover allowlist parsing, rule matching, and sealed/unsealed behavior.

src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# AirGap Policy Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0033-M | DONE | Maintainability audit for StellaOps.AirGap.Policy.Tests. |
+| AUDIT-0033-T | DONE | Test coverage audit for StellaOps.AirGap.Policy.Tests. |
+| AUDIT-0033-A | TODO | Pending approval for changes. |

src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy/AGENTS.md

@@ -0,0 +1,21 @@
+# AirGap Policy Library Charter
+
+## Working Directory
+- `src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy`
+
+## Scope
+- Egress policy evaluation, rules, and configuration helpers.
+- Air-gap aware HttpClient creation helpers.
+
+## Required Reading
+- `docs/airgap/airgap-mode.md`
+- `docs/modules/platform/architecture-overview.md`
+- `src/AirGap/StellaOps.AirGap.Policy/AGENTS.md`
+
+## Working Agreements
+- Update task status in the sprint tracker and local `TASKS.md`.
+- Keep outputs deterministic and sealed-mode safe.
+- Avoid direct network egress without policy checks.
+
+## Testing Rules
+- Cover allow/deny logic, rule matching, and configuration precedence.

src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy/TASKS.md

@@ -0,0 +1,10 @@
+# AirGap Policy Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0030-M | DONE | Maintainability audit for StellaOps.AirGap.Policy. |
+| AUDIT-0030-T | DONE | Test coverage audit for StellaOps.AirGap.Policy. |
+| AUDIT-0030-A | TODO | Pending approval for changes. |

src/AirGap/StellaOps.AirGap.Time/TASKS.md

@@ -0,0 +1,10 @@
+# AirGap Time Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0034-M | DONE | Maintainability audit for StellaOps.AirGap.Time. |
+| AUDIT-0034-T | DONE | Test coverage audit for StellaOps.AirGap.Time. |
+| AUDIT-0034-A | TODO | Pending approval for changes. |

src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/BundleBuilder.cs

@@ -88,9 +88,11 @@ public sealed class BundleBuilder : IBundleBuilder
         var targetPath = Path.Combine(outputPath, source.RelativePath);
         Directory.CreateDirectory(Path.GetDirectoryName(targetPath) ?? outputPath);
 
-        await using var input = File.OpenRead(source.SourcePath);
-        await using var output = File.Create(targetPath);
-        await input.CopyToAsync(output, ct).ConfigureAwait(false);
+        await using (var input = File.OpenRead(source.SourcePath))
+        await using (var output = File.Create(targetPath))
+        {
+            await input.CopyToAsync(output, ct).ConfigureAwait(false);
+        }
 
         await using var digestStream = File.OpenRead(targetPath);
         var hash = await SHA256.HashDataAsync(digestStream, ct).ConfigureAwait(false);

src/AirGap/__Libraries/StellaOps.AirGap.Persistence/AGENTS.md

@@ -0,0 +1,27 @@
+# AirGap Persistence Guild Charter
+
+## Working Directory
+- `src/AirGap/__Libraries/StellaOps.AirGap.Persistence`
+
+## Scope
+- PostgreSQL persistence for AirGap state and bundle version history.
+- Data source configuration, schema management, and repository wiring.
+- EF Core context scaffolding for AirGap data models.
+
+## Required Reading
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/airgap/bundle-repositories.md`
+- `docs/airgap/airgap-mode.md`
+
+## Working Agreements
+- Update task status in the sprint tracker and local `TASKS.md`.
+- Keep schema changes deterministic and migration-driven.
+- Use configured schema names consistently (no hard-coded schema drift).
+- Avoid cross-module edits unless the sprint explicitly permits them.
+
+## Testing Rules
+- Use Postgres test fixtures or Testcontainers; no network.
+- Mark integration tests as Integration, not Unit.
+- Keep data ordering deterministic with explicit ORDER BY clauses.

src/AirGap/__Libraries/StellaOps.AirGap.Persistence/Migrations/001_initial_schema.sql

@@ -0,0 +1,61 @@
+-- AirGap Schema Migration 001: Initial Schema
+-- Creates AirGap state and bundle version tracking tables.
+
+CREATE TABLE IF NOT EXISTS state (
+    id TEXT NOT NULL,
+    tenant_id TEXT NOT NULL PRIMARY KEY,
+    sealed BOOLEAN NOT NULL DEFAULT FALSE,
+    policy_hash TEXT,
+    time_anchor JSONB NOT NULL DEFAULT '{}'::jsonb,
+    last_transition_at TIMESTAMPTZ NOT NULL DEFAULT '0001-01-01T00:00:00Z',
+    staleness_budget JSONB NOT NULL DEFAULT '{"warningSeconds":3600,"breachSeconds":7200}'::jsonb,
+    drift_baseline_seconds BIGINT NOT NULL DEFAULT 0,
+    content_budgets JSONB NOT NULL DEFAULT '{}'::jsonb,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_airgap_state_tenant ON state(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_airgap_state_sealed ON state(sealed) WHERE sealed = TRUE;
+
+CREATE TABLE IF NOT EXISTS bundle_versions (
+    tenant_id TEXT NOT NULL,
+    bundle_type TEXT NOT NULL,
+    version_string TEXT NOT NULL,
+    major INTEGER NOT NULL,
+    minor INTEGER NOT NULL,
+    patch INTEGER NOT NULL,
+    prerelease TEXT,
+    bundle_created_at TIMESTAMPTZ NOT NULL,
+    bundle_digest TEXT NOT NULL,
+    activated_at TIMESTAMPTZ NOT NULL,
+    was_force_activated BOOLEAN NOT NULL DEFAULT FALSE,
+    force_activate_reason TEXT,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    PRIMARY KEY (tenant_id, bundle_type)
+);
+
+CREATE INDEX IF NOT EXISTS idx_airgap_bundle_versions_tenant
+    ON bundle_versions(tenant_id);
+
+CREATE TABLE IF NOT EXISTS bundle_version_history (
+    id BIGSERIAL PRIMARY KEY,
+    tenant_id TEXT NOT NULL,
+    bundle_type TEXT NOT NULL,
+    version_string TEXT NOT NULL,
+    major INTEGER NOT NULL,
+    minor INTEGER NOT NULL,
+    patch INTEGER NOT NULL,
+    prerelease TEXT,
+    bundle_created_at TIMESTAMPTZ NOT NULL,
+    bundle_digest TEXT NOT NULL,
+    activated_at TIMESTAMPTZ NOT NULL,
+    deactivated_at TIMESTAMPTZ,
+    was_force_activated BOOLEAN NOT NULL DEFAULT FALSE,
+    force_activate_reason TEXT,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_airgap_bundle_version_history_tenant
+    ON bundle_version_history(tenant_id, bundle_type, activated_at DESC);

src/AirGap/__Libraries/StellaOps.AirGap.Persistence/Postgres/Repositories/PostgresAirGapStateStore.cs

@@ -30,7 +30,7 @@ public sealed class PostgresAirGapStateStore : RepositoryBase<AirGapDataSource>,
         const string sql = """
             SELECT id, tenant_id, sealed, policy_hash, time_anchor, last_transition_at,
                    staleness_budget, drift_baseline_seconds, content_budgets
-            FROM airgap.state
+            FROM state
             WHERE LOWER(tenant_id) = LOWER(@tenant_id);
             """;
 
@@ -54,7 +54,7 @@ public sealed class PostgresAirGapStateStore : RepositoryBase<AirGapDataSource>,
 
         await using var connection = await DataSource.OpenConnectionAsync("public", "writer", cancellationToken).ConfigureAwait(false);
         const string sql = """
-            INSERT INTO airgap.state (
+            INSERT INTO state (
                 id, tenant_id, sealed, policy_hash, time_anchor, last_transition_at,
                 staleness_budget, drift_baseline_seconds, content_budgets
             )
@@ -245,22 +245,25 @@ public sealed class PostgresAirGapStateStore : RepositoryBase<AirGapDataSource>,
             }
 
             await using var connection = await DataSource.OpenSystemConnectionAsync(cancellationToken).ConfigureAwait(false);
-            const string sql = """
-                CREATE SCHEMA IF NOT EXISTS airgap;
-                CREATE TABLE IF NOT EXISTS airgap.state (
+            var schemaName = DataSource.SchemaName ?? "public";
+            var quotedSchema = QuoteIdentifier(schemaName);
+            var sql = $$"""
+                CREATE SCHEMA IF NOT EXISTS {{quotedSchema}};
+                CREATE TABLE IF NOT EXISTS {{quotedSchema}}.state (
                     id TEXT NOT NULL,
                     tenant_id TEXT NOT NULL PRIMARY KEY,
                     sealed BOOLEAN NOT NULL DEFAULT FALSE,
                     policy_hash TEXT,
-                    time_anchor JSONB NOT NULL DEFAULT '{}',
+                    time_anchor JSONB NOT NULL DEFAULT '{}'::jsonb,
                     last_transition_at TIMESTAMPTZ NOT NULL DEFAULT '0001-01-01T00:00:00Z',
-                    staleness_budget JSONB NOT NULL DEFAULT '{"warningSeconds":3600,"breachSeconds":7200}',
+                    staleness_budget JSONB NOT NULL DEFAULT '{"warningSeconds":3600,"breachSeconds":7200}'::jsonb,
                     drift_baseline_seconds BIGINT NOT NULL DEFAULT 0,
-                    content_budgets JSONB NOT NULL DEFAULT '{}',
+                    content_budgets JSONB NOT NULL DEFAULT '{}'::jsonb,
                     created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
                     updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
                 );
-                CREATE INDEX IF NOT EXISTS idx_airgap_state_sealed ON airgap.state(sealed) WHERE sealed = TRUE;
+                CREATE INDEX IF NOT EXISTS idx_airgap_state_tenant ON {{quotedSchema}}.state(tenant_id);
+                CREATE INDEX IF NOT EXISTS idx_airgap_state_sealed ON {{quotedSchema}}.state(sealed) WHERE sealed = TRUE;
                 """;
 
             await using var command = CreateCommand(sql, connection);
@@ -272,4 +275,10 @@ public sealed class PostgresAirGapStateStore : RepositoryBase<AirGapDataSource>,
             _initLock.Release();
         }
     }
+
+    private static string QuoteIdentifier(string identifier)
+    {
+        var escaped = identifier.Replace("\"", "\"\"", StringComparison.Ordinal);
+        return $"\"{escaped}\"";
+    }
 }

src/AirGap/__Libraries/StellaOps.AirGap.Persistence/Postgres/Repositories/PostgresBundleVersionStore.cs

@@ -35,7 +35,7 @@ public sealed class PostgresBundleVersionStore : RepositoryBase<AirGapDataSource
         const string sql = """
             SELECT tenant_id, bundle_type, version_string, major, minor, patch, prerelease,
                    bundle_created_at, bundle_digest, activated_at, was_force_activated, force_activate_reason
-            FROM airgap.bundle_versions
+            FROM bundle_versions
             WHERE tenant_id = @tenant_id AND bundle_type = @bundle_type;
             """;
 
@@ -59,7 +59,7 @@ public sealed class PostgresBundleVersionStore : RepositoryBase<AirGapDataSource
         await using var tx = await connection.BeginTransactionAsync(ct).ConfigureAwait(false);
 
         const string closeHistorySql = """
-            UPDATE airgap.bundle_version_history
+            UPDATE bundle_version_history
             SET deactivated_at = @activated_at
             WHERE tenant_id = @tenant_id AND bundle_type = @bundle_type AND deactivated_at IS NULL;
             """;
@@ -74,7 +74,7 @@ public sealed class PostgresBundleVersionStore : RepositoryBase<AirGapDataSource
         }
 
         const string historySql = """
-            INSERT INTO airgap.bundle_version_history (
+            INSERT INTO bundle_version_history (
                 tenant_id, bundle_type, version_string, major, minor, patch, prerelease,
                 bundle_created_at, bundle_digest, activated_at, deactivated_at, was_force_activated, force_activate_reason
             )
@@ -103,7 +103,7 @@ public sealed class PostgresBundleVersionStore : RepositoryBase<AirGapDataSource
         }
 
         const string upsertSql = """
-            INSERT INTO airgap.bundle_versions (
+            INSERT INTO bundle_versions (
                 tenant_id, bundle_type, version_string, major, minor, patch, prerelease,
                 bundle_created_at, bundle_digest, activated_at, was_force_activated, force_activate_reason
             )
@@ -169,7 +169,7 @@ public sealed class PostgresBundleVersionStore : RepositoryBase<AirGapDataSource
         const string sql = """
             SELECT tenant_id, bundle_type, version_string, major, minor, patch, prerelease,
                    bundle_created_at, bundle_digest, activated_at, was_force_activated, force_activate_reason
-            FROM airgap.bundle_version_history
+            FROM bundle_version_history
             WHERE tenant_id = @tenant_id AND bundle_type = @bundle_type
             ORDER BY activated_at DESC
             LIMIT @limit;
@@ -236,10 +236,12 @@ public sealed class PostgresBundleVersionStore : RepositoryBase<AirGapDataSource
             }
 
             await using var connection = await DataSource.OpenSystemConnectionAsync(ct).ConfigureAwait(false);
-            const string sql = """
-                CREATE SCHEMA IF NOT EXISTS airgap;
+            var schemaName = DataSource.SchemaName ?? "public";
+            var quotedSchema = QuoteIdentifier(schemaName);
+            var sql = $$"""
+                CREATE SCHEMA IF NOT EXISTS {{quotedSchema}};
 
-                CREATE TABLE IF NOT EXISTS airgap.bundle_versions (
+                CREATE TABLE IF NOT EXISTS {{quotedSchema}}.bundle_versions (
                     tenant_id TEXT NOT NULL,
                     bundle_type TEXT NOT NULL,
                     version_string TEXT NOT NULL,
@@ -258,9 +260,9 @@ public sealed class PostgresBundleVersionStore : RepositoryBase<AirGapDataSource
                 );
 
                 CREATE INDEX IF NOT EXISTS idx_airgap_bundle_versions_tenant
-                    ON airgap.bundle_versions(tenant_id);
+                    ON {{quotedSchema}}.bundle_versions(tenant_id);
 
-                CREATE TABLE IF NOT EXISTS airgap.bundle_version_history (
+                CREATE TABLE IF NOT EXISTS {{quotedSchema}}.bundle_version_history (
                     id BIGSERIAL PRIMARY KEY,
                     tenant_id TEXT NOT NULL,
                     bundle_type TEXT NOT NULL,
@@ -279,7 +281,7 @@ public sealed class PostgresBundleVersionStore : RepositoryBase<AirGapDataSource
                 );
 
                 CREATE INDEX IF NOT EXISTS idx_airgap_bundle_version_history_tenant
-                    ON airgap.bundle_version_history(tenant_id, bundle_type, activated_at DESC);
+                    ON {{quotedSchema}}.bundle_version_history(tenant_id, bundle_type, activated_at DESC);
                 """;
 
             await using var command = CreateCommand(sql, connection);
@@ -293,4 +295,10 @@ public sealed class PostgresBundleVersionStore : RepositoryBase<AirGapDataSource
     }
 
     private static string NormalizeKey(string value) => value.Trim().ToLowerInvariant();
+
+    private static string QuoteIdentifier(string identifier)
+    {
+        var escaped = identifier.Replace("\"", "\"\"", StringComparison.Ordinal);
+        return $"\"{escaped}\"";
+    }
 }

src/AirGap/__Libraries/StellaOps.AirGap.Persistence/StellaOps.AirGap.Persistence.csproj

@@ -9,6 +9,10 @@
     <Description>Consolidated persistence layer for StellaOps AirGap module</Description>
   </PropertyGroup>
 
+  <ItemGroup>
+    <EmbeddedResource Include="Migrations\**\*.sql" LogicalName="%(RecursiveDir)%(Filename)%(Extension)" />
+  </ItemGroup>
+
   <ItemGroup>
     <PackageReference Include="Microsoft.EntityFrameworkCore" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Design" PrivateAssets="all" />

src/AirGap/__Libraries/StellaOps.AirGap.Persistence/TASKS.md

@@ -0,0 +1,10 @@
+# AirGap Persistence Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0028-M | DONE | Maintainability audit for StellaOps.AirGap.Persistence. |
+| AUDIT-0028-T | DONE | Test coverage audit for StellaOps.AirGap.Persistence. |
+| AUDIT-0028-A | TODO | Pending approval for changes. |

src/AirGap/__Libraries/__Tests/StellaOps.AirGap.Bundle.Tests/AssemblyInfo.cs

@@ -0,0 +1,3 @@
+using Xunit;
+
+[assembly: CollectionBehavior(DisableTestParallelization = true)]

src/AirGap/__Libraries/__Tests/StellaOps.AirGap.Bundle.Tests/StellaOps.AirGap.Bundle.Tests.csproj

@@ -3,6 +3,7 @@
     <TargetFramework>net10.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
+    <UseConcelierTestInfra>false</UseConcelierTestInfra>
   </PropertyGroup>
 
   <ItemGroup>
@@ -14,4 +15,4 @@
     <ProjectReference Include="../../StellaOps.AirGap.Bundle/StellaOps.AirGap.Bundle.csproj" />
     <ProjectReference Include="../../../../__Libraries/StellaOps.TestKit/StellaOps.TestKit.csproj" />
   </ItemGroup>
-</Project>
+</Project>

src/AirGap/__Tests/StellaOps.AirGap.Importer.Tests/AGENTS.md

@@ -0,0 +1,27 @@
+# AirGap Importer Tests Guild Charter
+
+## Working Directory
+- `src/AirGap/__Tests/StellaOps.AirGap.Importer.Tests`
+
+## Scope
+- Unit and integration tests for AirGap Importer validation, quarantine, versioning, and reconciliation flows.
+- Deterministic fixtures for DSSE, TUF, SBOM parsing, and evidence graph outputs.
+- Offline-only inputs (no network, no external services).
+
+## Required Reading
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/airgap/importer-scaffold.md`
+- `docs/airgap/airgap-mode.md`
+
+## Working Agreements
+- Update task status in the sprint tracker and local `TASKS.md` for this directory.
+- Keep tests deterministic (fixed time, fixed IDs, stable ordering).
+- Prefer shared temp directory helpers and ensure cleanup.
+- Do not silently skip fixture-based tests; mark explicit skip when fixtures are missing.
+
+## Testing Rules
+- Use `Unit` vs `Integration` trait categories consistently.
+- Use WebApplicationFactory only when exercising HTTP endpoints.
+- Keep fixtures and golden files under this directory; no downloads.

src/AirGap/__Tests/StellaOps.AirGap.Importer.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# AirGap Importer Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0027-M | DONE | Maintainability audit for StellaOps.AirGap.Importer.Tests. |
+| AUDIT-0027-T | DONE | Test coverage audit for StellaOps.AirGap.Importer.Tests. |
+| AUDIT-0027-A | TODO | Pending approval for changes. |

src/AirGap/__Tests/StellaOps.AirGap.Persistence.Tests/AGENTS.md

@@ -0,0 +1,25 @@
+# AirGap Persistence Tests Guild Charter
+
+## Working Directory
+- `src/AirGap/__Tests/StellaOps.AirGap.Persistence.Tests`
+
+## Scope
+- Integration and unit tests for AirGap persistence stores and schema behavior.
+- Deterministic validation of state and bundle version storage.
+
+## Required Reading
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/airgap/bundle-repositories.md`
+- `docs/airgap/airgap-mode.md`
+
+## Working Agreements
+- Update task status in the sprint tracker and local `TASKS.md`.
+- Keep tests deterministic (fixed time, fixed IDs, stable ordering).
+- Prefer shared temp directory helpers and ensure cleanup.
+- Categorize integration tests correctly; avoid "Unit" for Postgres-backed tests.
+
+## Testing Rules
+- Use the AirGap Postgres fixture; no network.
+- Validate schema names, indexes, and ordering explicitly in assertions.

src/AirGap/__Tests/StellaOps.AirGap.Persistence.Tests/AirGapPostgresFixture.cs

@@ -17,7 +17,7 @@ public sealed class AirGapPostgresFixture : PostgresIntegrationFixture, ICollect
 
     protected override string GetModuleName() => "AirGap";
 
-    protected override string? GetResourcePrefix() => "Migrations";
+    protected override string? GetResourcePrefix() => null;
 
     /// <summary>
     /// Gets all table names in the test schema.

src/AirGap/__Tests/StellaOps.AirGap.Persistence.Tests/AirGapStorageIntegrationTests.cs

@@ -37,7 +37,7 @@ public sealed class AirGapStorageIntegrationTests : IAsyncLifetime
         var options = Options.Create(new PostgresOptions
         {
             ConnectionString = fixture.ConnectionString,
-            SchemaName = AirGapDataSource.DefaultSchemaName,
+            SchemaName = fixture.SchemaName,
             AutoMigrate = false
         });
 
@@ -64,9 +64,9 @@ public sealed class AirGapStorageIntegrationTests : IAsyncLifetime
         // Arrange
         var expectedTables = new[]
         {
-            "airgap_state",
-            "airgap_bundles",
-            "airgap_import_log"
+            "state",
+            "bundle_versions",
+            "bundle_version_history"
         };
 
         // Act
@@ -88,7 +88,7 @@ public sealed class AirGapStorageIntegrationTests : IAsyncLifetime
         var expectedColumns = new[] { "tenant_id", "sealed", "policy_hash", "time_anchor", "created_at", "updated_at" };
 
         // Act
-        var columns = await _fixture.GetColumnNamesAsync("airgap_state");
+        var columns = await _fixture.GetColumnNamesAsync("state");
 
         // Assert
         foreach (var expectedColumn in expectedColumns)
@@ -117,7 +117,7 @@ public sealed class AirGapStorageIntegrationTests : IAsyncLifetime
     public async Task Migration_HasTenantIndex()
     {
         // Act
-        var indexes = await _fixture.GetIndexNamesAsync("airgap_state");
+        var indexes = await _fixture.GetIndexNamesAsync("state");
 
         // Assert
         indexes.Should().Contain(i => i.Contains("tenant", StringComparison.OrdinalIgnoreCase),

src/AirGap/__Tests/StellaOps.AirGap.Persistence.Tests/PostgresAirGapStateStoreTests.cs

@@ -25,7 +25,7 @@ public sealed class PostgresAirGapStateStoreTests : IAsyncLifetime
         var options = Options.Create(new PostgresOptions
         {
             ConnectionString = fixture.ConnectionString,
-            SchemaName = AirGapDataSource.DefaultSchemaName,
+            SchemaName = fixture.SchemaName,
             AutoMigrate = false
         });
 

src/AirGap/__Tests/StellaOps.AirGap.Persistence.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# AirGap Persistence Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0029-M | DONE | Maintainability audit for StellaOps.AirGap.Persistence.Tests. |
+| AUDIT-0029-T | DONE | Test coverage audit for StellaOps.AirGap.Persistence.Tests. |
+| AUDIT-0029-A | TODO | Pending approval for changes. |

src/AirGap/__Tests/StellaOps.AirGap.Time.Tests/AGENTS.md

@@ -0,0 +1,22 @@
+# AirGap Time Tests Charter
+
+## Working Directory
+- `src/AirGap/__Tests/StellaOps.AirGap.Time.Tests`
+
+## Scope
+- Unit and integration tests for time anchors, staleness evaluation, and verification services.
+
+## Required Reading
+- `docs/airgap/staleness-and-time.md`
+- `docs/airgap/airgap-mode.md`
+- `docs/modules/platform/architecture-overview.md`
+- `src/AirGap/StellaOps.AirGap.Time/AGENTS.md`
+
+## Working Agreements
+- Update task status in the sprint tracker and local `TASKS.md`.
+- Keep tests deterministic (fixed time and IDs).
+- Clean up temp artifacts created during tests.
+
+## Testing Rules
+- Include happy-path verification tests with deterministic fixtures.
+- Exercise health checks and controller endpoints where applicable.

src/AirGap/__Tests/StellaOps.AirGap.Time.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# AirGap Time Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0035-M | DONE | Maintainability audit for StellaOps.AirGap.Time.Tests. |
+| AUDIT-0035-T | DONE | Test coverage audit for StellaOps.AirGap.Time.Tests. |
+| AUDIT-0035-A | TODO | Pending approval for changes. |

src/AirGap/__Tests/StellaOps.AirGap.Time.Tests/TimeAnchorLoaderTests.cs

@@ -23,12 +23,12 @@ public class TimeAnchorLoaderTests
         [Fact]
     public void LoadsHexToken()
     {
-        var loader = Build();
+        var loader = Build(allowUntrusted: true);
         var hex = "01020304";
-        var trust = new[] { new TimeTrustRoot("k1", new byte[32], "ed25519") };
-        var result = loader.TryLoadHex(hex, TimeTokenFormat.Roughtime, trust, out var anchor);
+        var result = loader.TryLoadHex(hex, TimeTokenFormat.Roughtime, Array.Empty<TimeTrustRoot>(), out var anchor);
 
         Assert.True(result.IsValid);
+        Assert.Equal("untrusted-no-trust-roots", result.Reason);
         Assert.Equal("Roughtime", anchor.Format);
     }
 
@@ -58,9 +58,9 @@ public class TimeAnchorLoaderTests
         Assert.Equal("trust-roots-required", result.Reason);
     }
 
-    private static TimeAnchorLoader Build()
+    private static TimeAnchorLoader Build(bool allowUntrusted = false)
     {
-        var options = Options.Create(new AirGapOptions { AllowUntrustedAnchors = false });
+        var options = Options.Create(new AirGapOptions { AllowUntrustedAnchors = allowUntrusted });
         return new TimeAnchorLoader(new TimeVerificationService(), new TimeTokenParser(), options);
     }
 }

src/AirGap/__Tests/StellaOps.AirGap.Time.Tests/TimeVerificationServiceTests.cs

@@ -14,18 +14,18 @@ public class TimeVerificationServiceTests
         var svc = new TimeVerificationService();
         var result = svc.Verify(new byte[] { 0x01 }, TimeTokenFormat.Roughtime, Array.Empty<TimeTrustRoot>(), out _);
         Assert.False(result.IsValid);
-        Assert.Equal("trust-roots-required", result.Reason);
+        Assert.Equal("roughtime-trust-roots-required", result.Reason);
     }
 
     [Trait("Category", TestCategories.Unit)]
         [Fact]
-    public void SucceedsForRoughtimeWithTrustRoot()
+    public void FailsForRoughtimeWithInvalidToken()
     {
         var svc = new TimeVerificationService();
         var trust = new[] { new TimeTrustRoot("k1", new byte[] { 0x01 }, "rsassa-pss-sha256") };
         var result = svc.Verify(new byte[] { 0x01, 0x02 }, TimeTokenFormat.Roughtime, trust, out var anchor);
-        Assert.True(result.IsValid);
-        Assert.Equal("Roughtime", anchor.Format);
-        Assert.Equal("k1", anchor.SignatureFingerprint);
+        Assert.False(result.IsValid);
+        Assert.Equal("roughtime-message-too-short", result.Reason);
+        Assert.Equal("unknown", anchor.Format);
     }
 }

src/Aoc/AGENTS.md

@@ -0,0 +1,23 @@
+# AOC Module Charter
+
+## Working Directory
+- `src/Aoc`
+
+## Scope
+- Aggregation-Only Contract (AOC) guard library, analyzers, ASP.NET Core integration, and CLI components.
+
+## Required Reading
+- `docs/aoc/aoc-guardrails.md`
+- `docs/security/aoc-invariants.md`
+- `docs/modules/policy/design/policy-aoc-linting-rules.md`
+- `docs/modules/cli/guides/commands/aoc.md`
+- `docs/modules/platform/architecture-overview.md`
+
+## Working Agreements
+- Update sprint tracker and local `TASKS.md` files for active work.
+- Preserve AOC invariants and deterministic outputs.
+- Keep changes offline-friendly and avoid network calls.
+
+## Testing Rules
+- Cover guard validation, analyzer diagnostics, and ASP.NET Core filter behavior.
+- Use fixed timestamps and IDs in tests.

src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/AGENTS.md

@@ -0,0 +1,19 @@
+# AOC Analyzer Charter
+
+## Working Directory
+- `src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers`
+
+## Scope
+- Roslyn analyzers enforcing AOC forbidden/derived fields and guard usage.
+
+## Required Reading
+- `docs/modules/policy/design/policy-aoc-linting-rules.md`
+- `docs/security/aoc-invariants.md`
+- `src/Aoc/AGENTS.md`
+
+## Working Agreements
+- Keep analyzer detection deterministic and avoid false positives.
+- Update sprint tracker and local `TASKS.md`.
+
+## Testing Rules
+- Include diagnostics for AOC0001/2/3 and guard-scope suppression.

src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/TASKS.md

@@ -0,0 +1,10 @@
+# AOC Analyzer Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0037-M | DONE | Maintainability audit for StellaOps.Aoc.Analyzers. |
+| AUDIT-0037-T | DONE | Test coverage audit for StellaOps.Aoc.Analyzers. |
+| AUDIT-0037-A | TODO | Pending approval for changes. |

src/Aoc/__Libraries/StellaOps.Aoc.AspNetCore/AGENTS.md

@@ -0,0 +1,19 @@
+# AOC ASP.NET Core Integration Charter
+
+## Working Directory
+- `src/Aoc/__Libraries/StellaOps.Aoc.AspNetCore`
+
+## Scope
+- Endpoint filter and HTTP results for AOC guard validation.
+
+## Required Reading
+- `docs/aoc/aoc-guardrails.md`
+- `docs/security/aoc-invariants.md`
+- `src/Aoc/AGENTS.md`
+
+## Working Agreements
+- Ensure guard enforcement is explicit and deterministic.
+- Update sprint tracker and local `TASKS.md`.
+
+## Testing Rules
+- Validate filter behavior and Problem responses for guard failures.

src/Aoc/__Libraries/StellaOps.Aoc.AspNetCore/TASKS.md

@@ -0,0 +1,10 @@
+# AOC ASP.NET Core Integration Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0039-M | DONE | Maintainability audit for StellaOps.Aoc.AspNetCore. |
+| AUDIT-0039-T | DONE | Test coverage audit for StellaOps.Aoc.AspNetCore. |
+| AUDIT-0039-A | TODO | Pending approval for changes. |

src/Aoc/__Libraries/StellaOps.Aoc/AGENTS.md

@@ -0,0 +1,20 @@
+# AOC Guard Library Charter
+
+## Working Directory
+- `src/Aoc/__Libraries/StellaOps.Aoc`
+
+## Scope
+- AOC guard validation, violations, and error payload mapping.
+
+## Required Reading
+- `docs/aoc/aoc-guardrails.md`
+- `docs/security/aoc-invariants.md`
+- `docs/modules/policy/design/policy-aoc-linting-rules.md`
+- `src/Aoc/AGENTS.md`
+
+## Working Agreements
+- Update sprint tracker and local `TASKS.md`.
+- Keep validation deterministic and stable across runs.
+
+## Testing Rules
+- Cover required/allowed fields, signature metadata validation, and violation ordering.

src/Aoc/__Libraries/StellaOps.Aoc/TASKS.md

@@ -0,0 +1,10 @@
+# AOC Guard Library Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0036-M | DONE | Maintainability audit for StellaOps.Aoc. |
+| AUDIT-0036-T | DONE | Test coverage audit for StellaOps.Aoc. |
+| AUDIT-0036-A | TODO | Pending approval for changes. |

src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/AGENTS.md

@@ -0,0 +1,19 @@
+# AOC Analyzer Tests Charter
+
+## Working Directory
+- `src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests`
+
+## Scope
+- Unit tests for AOC Roslyn analyzer diagnostics and suppression rules.
+
+## Required Reading
+- `docs/modules/policy/design/policy-aoc-linting-rules.md`
+- `docs/security/aoc-invariants.md`
+- `src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/AGENTS.md`
+
+## Working Agreements
+- Keep analyzer tests deterministic and self-contained.
+- Update sprint tracker and local `TASKS.md`.
+
+## Testing Rules
+- Cover AOC0001/2/3, ingestion-context detection, and guard suppression.

src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# AOC Analyzer Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0038-M | DONE | Maintainability audit for StellaOps.Aoc.Analyzers.Tests. |
+| AUDIT-0038-T | DONE | Test coverage audit for StellaOps.Aoc.Analyzers.Tests. |
+| AUDIT-0038-A | TODO | Pending approval for changes. |

src/Aoc/__Tests/StellaOps.Aoc.AspNetCore.Tests/AGENTS.md

@@ -0,0 +1,19 @@
+# AOC ASP.NET Core Tests Charter
+
+## Working Directory
+- `src/Aoc/__Tests/StellaOps.Aoc.AspNetCore.Tests`
+
+## Scope
+- Unit/integration tests for AOC endpoint filters and HTTP result helpers.
+
+## Required Reading
+- `docs/aoc/aoc-guardrails.md`
+- `docs/security/aoc-invariants.md`
+- `src/Aoc/__Libraries/StellaOps.Aoc.AspNetCore/AGENTS.md`
+
+## Working Agreements
+- Keep tests deterministic and clean up temp resources.
+- Update sprint tracker and local `TASKS.md`.
+
+## Testing Rules
+- Cover guard failures, payload selector behavior, and status mapping.

src/Aoc/__Tests/StellaOps.Aoc.AspNetCore.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# AOC ASP.NET Core Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0040-M | DONE | Maintainability audit for StellaOps.Aoc.AspNetCore.Tests. |
+| AUDIT-0040-T | DONE | Test coverage audit for StellaOps.Aoc.AspNetCore.Tests. |
+| AUDIT-0040-A | TODO | Pending approval for changes. |

src/Aoc/__Tests/StellaOps.Aoc.Tests/AGENTS.md

@@ -0,0 +1,19 @@
+# AOC Guard Tests Charter
+
+## Working Directory
+- `src/Aoc/__Tests/StellaOps.Aoc.Tests`
+
+## Scope
+- Unit tests for AOC guard validation and error payloads.
+
+## Required Reading
+- `docs/aoc/aoc-guardrails.md`
+- `docs/security/aoc-invariants.md`
+- `src/Aoc/__Libraries/StellaOps.Aoc/AGENTS.md`
+
+## Working Agreements
+- Use fixed timestamps/IDs and deterministic JSON ordering.
+- Update sprint tracker and local `TASKS.md`.
+
+## Testing Rules
+- Cover required/allowed fields, signature metadata rules, and derived/forbidden fields.

src/Aoc/__Tests/StellaOps.Aoc.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# AOC Guard Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0041-M | DONE | Maintainability audit for StellaOps.Aoc.Tests. |
+| AUDIT-0041-T | DONE | Test coverage audit for StellaOps.Aoc.Tests. |
+| AUDIT-0041-A | TODO | Pending approval for changes. |

src/Attestor/StellaOps.Attestation.Tests/AGENTS.md

@@ -0,0 +1,22 @@
+# Attestation Tests Charter
+
+## Working Directory
+- `src/Attestor/StellaOps.Attestation.Tests`
+
+## Scope
+- Unit tests for attestation DSSE helpers and models.
+
+## Required Reading
+- `docs/modules/attestor/README.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/attestor/implementation_plan.md`
+- `docs/modules/platform/architecture-overview.md`
+- `src/Attestor/AGENTS.md`
+
+## Working Agreements
+- Keep tests deterministic and focused on DSSE invariants.
+- Update sprint tracker and local `TASKS.md`.
+
+## Testing Rules
+- Validate PAE byte structure and payload type defaults.
+- Include error-path coverage for base64 parsing.

src/Attestor/StellaOps.Attestation.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestation Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0044-M | DONE | Maintainability audit for StellaOps.Attestation.Tests. |
+| AUDIT-0044-T | DONE | Test coverage audit for StellaOps.Attestation.Tests. |
+| AUDIT-0044-A | TODO | Pending approval for changes. |

src/Attestor/StellaOps.Attestation/AGENTS.md

@@ -0,0 +1,21 @@
+# Attestation Library Charter
+
+## Working Directory
+- `src/Attestor/StellaOps.Attestation`
+
+## Scope
+- DSSE helpers and in-toto statement models for attestation payloads.
+
+## Required Reading
+- `docs/modules/attestor/README.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/attestor/implementation_plan.md`
+- `docs/modules/platform/architecture-overview.md`
+- `src/Attestor/AGENTS.md`
+
+## Working Agreements
+- Update sprint tracker and local `TASKS.md`.
+- Keep DSSE signing deterministic and spec-compliant.
+
+## Testing Rules
+- Cover PAE generation, payload type defaults, and base64 conversions.

src/Attestor/StellaOps.Attestation/TASKS.md

@@ -0,0 +1,10 @@
+# Attestation Library Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0043-M | DONE | Maintainability audit for StellaOps.Attestation. |
+| AUDIT-0043-T | DONE | Test coverage audit for StellaOps.Attestation. |
+| AUDIT-0043-A | TODO | Pending approval for changes. |

src/Attestor/StellaOps.Attestor.Envelope/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Envelope Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0051-M | DONE | Maintainability audit for StellaOps.Attestor.Envelope. |
+| AUDIT-0051-T | DONE | Test coverage audit for StellaOps.Attestor.Envelope. |
+| AUDIT-0051-A | TODO | Pending approval for changes. |

src/Attestor/StellaOps.Attestor.Envelope/__Tests/StellaOps.Attestor.Envelope.Tests/AGENTS.md

@@ -0,0 +1,19 @@
+# Attestor Envelope Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/StellaOps.Attestor.Envelope/__Tests/StellaOps.Attestor.Envelope.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: envelope serialization, signature helpers, key handling, and deterministic outputs.
+
+## Required Reading (treat as read before DOING)
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep tests deterministic; avoid wall-clock time and random GUIDs unless fixed.
+- Add negative-path tests for malformed payloads, signatures, and key material.
+- Keep fuzz/property tests offline and deterministic (fixed seeds).
+
+## Testing
+- Cover signature sign/verify, key ID derivation, serialization options, compression, and detached payload metadata.

src/Attestor/StellaOps.Attestor.Envelope/__Tests/StellaOps.Attestor.Envelope.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Envelope Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0052-M | DONE | Maintainability audit for StellaOps.Attestor.Envelope.Tests. |
+| AUDIT-0052-T | DONE | Test coverage audit for StellaOps.Attestor.Envelope.Tests. |
+| AUDIT-0052-A | TODO | Pending approval for changes. |

src/Attestor/StellaOps.Attestor.Types/Tools/StellaOps.Attestor.Types.Generator/AGENTS.md

@@ -0,0 +1,21 @@
+# Attestor Types Generator AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/StellaOps.Attestor.Types/Tools/StellaOps.Attestor.Types.Generator/`.
+- Roles: backend engineer, QA automation.
+- Focus: deterministic schema and SDK generation for Attestor payload types.
+
+## Required Reading (treat as read before DOING)
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Determinism is mandatory: stable ordering, canonical outputs, UTC timestamps only.
+- Keep generator output reproducible across OSes (line endings, encoding).
+- Avoid network dependencies; generator must run offline.
+- Update `docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting or completing work.
+
+## Testing
+- Add or update tests under `src/Attestor/__Tests/StellaOps.Attestor.Types.Tests`.
+- Include fixtures that verify schema parity and deterministic output.

src/Attestor/StellaOps.Attestor.Types/Tools/StellaOps.Attestor.Types.Generator/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Types Generator Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0069-M | DONE | Maintainability audit for StellaOps.Attestor.Types.Generator. |
+| AUDIT-0069-T | DONE | Test coverage audit for StellaOps.Attestor.Types.Generator. |
+| AUDIT-0069-A | TODO | Pending approval for changes. |

src/Attestor/StellaOps.Attestor.Verify/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Verify Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0071-M | DONE | Maintainability audit for StellaOps.Attestor.Verify. |
+| AUDIT-0071-T | DONE | Test coverage audit for StellaOps.Attestor.Verify. |
+| AUDIT-0071-A | TODO | Pending approval for changes. |

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core.Tests/AGENTS.md

@@ -0,0 +1,22 @@
+# Attestor Core Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: unit coverage for core validation, signing, verification, and offline proof paths.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/attestor/rekor-verification-design.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep tests deterministic: fixed time, fixed IDs, and deterministic fixtures.
+- Use `StellaOps.TestKit` helpers for temp directories and deterministic clocks.
+- Label integration tests clearly; avoid network access.
+
+## Testing
+- Add coverage for DSSE, submission validation, time skew, Merkle proofs, and PoE artifacts.

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Core Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0050-M | DONE | Maintainability audit for StellaOps.Attestor.Core.Tests. |
+| AUDIT-0050-T | DONE | Test coverage audit for StellaOps.Attestor.Core.Tests. |
+| AUDIT-0050-A | TODO | Pending approval for changes. |

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/AGENTS.md

@@ -0,0 +1,24 @@
+# Attestor Core AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/`.
+- Roles: backend engineer, QA automation.
+- Focus: submission validation, signing, verification, delta attestations, PoE artifacts, and observability contracts.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/attestor/rekor-verification-design.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Preserve DSSE and in-toto compatibility; keep Rekor verification deterministic and offline-friendly.
+- Use stable ordering and deterministic JSON for hashes and evidence artifacts.
+- Avoid hard-coded time sources; prefer injected time providers where possible.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Add unit tests under `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core.Tests/`.
+- Use deterministic fixtures (fixed time/IDs) and clean up temp files.

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Core Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0049-M | DONE | Maintainability audit for StellaOps.Attestor.Core. |
+| AUDIT-0049-T | DONE | Test coverage audit for StellaOps.Attestor.Core. |
+| AUDIT-0049-A | TODO | Pending approval for changes. |

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/AGENTS.md

@@ -0,0 +1,24 @@
+# Attestor Infrastructure AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/`.
+- Roles: backend engineer, QA automation.
+- Focus: DI wiring, Rekor/Transparency clients, submission/verification services, storage/queue implementations, offline bundle import/export, and background workers.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/attestor/rekor-verification-design.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Preserve deterministic outputs (canonical JSON, stable ordering) and offline-first behavior.
+- Avoid wall-clock time or randomness in core paths; prefer TimeProvider and deterministic IDs.
+- Keep HTTP/storage clients explicit about timeouts and cancellation.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Add unit tests under `src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/`.
+- Cover submission/verification flows, Rekor/Transparency clients, repository pagination, and worker loops with deterministic fixtures.

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Infrastructure Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0055-M | DONE | Maintainability audit for StellaOps.Attestor.Infrastructure. |
+| AUDIT-0055-T | DONE | Test coverage audit for StellaOps.Attestor.Infrastructure. |
+| AUDIT-0055-A | TODO | Pending approval for changes. |

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Tests/AGENTS.md

@@ -0,0 +1,23 @@
+# Attestor Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: unit, integration, and contract coverage for Attestor core, infrastructure, and web service.
+
+## Required Reading (treat as read before DOING)
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/attestor/rekor-verification-design.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Determinism is mandatory: fixed timestamps, stable IDs, and deterministic ordering in tests.
+- Separate unit vs integration/perf tests with explicit categories.
+- Avoid wall-clock delays; prefer FakeTimeProvider or deterministic schedulers.
+- Keep tests offline-friendly; Testcontainers belong in Integration category only.
+- Update `docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions + TestKit; prefer deterministic fixtures.
+- Contract tests must assert a stable baseline (snapshot or explicit schema checks).

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0066-M | DONE | Maintainability audit for StellaOps.Attestor.Tests. |
+| AUDIT-0066-T | DONE | Test coverage audit for StellaOps.Attestor.Tests. |
+| AUDIT-0066-A | TODO | Pending approval for changes. |

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/AGENTS.md

@@ -0,0 +1,24 @@
+# Attestor WebService AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/`.
+- Roles: backend engineer, QA automation.
+- Focus: HTTP API surface, auth, rate limiting, request validation, determinism, and observability for Attestor.
+
+## Required Reading (treat as read before DOING)
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/attestor/rekor-verification-design.md`
+- `docs/modules/attestor/operations/observability.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Enforce auth and mTLS for all mutation endpoints; never accept anonymous callers.
+- Keep responses deterministic (stable ordering, fixed formatting, explicit UTC timestamps).
+- Prefer explicit validation and consistent ProblemDetails for errors.
+- Apply rate limiting to public endpoints.
+- Update `docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use WebApplicationFactory for endpoint tests and include auth/mtls coverage.
+- Add contract tests for request/response DTOs and error handling.

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor WebService Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0072-M | DONE | Maintainability audit for StellaOps.Attestor.WebService. |
+| AUDIT-0072-T | DONE | Test coverage audit for StellaOps.Attestor.WebService. |
+| AUDIT-0072-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.Bundle/AGENTS.md

@@ -0,0 +1,23 @@
+# Attestor Bundle Library Charter
+
+## Working Directory
+- `src/Attestor/__Libraries/StellaOps.Attestor.Bundle`
+
+## Scope
+- Sigstore bundle models, serialization, builder, and offline verification utilities.
+
+## Required Reading
+- `docs/modules/attestor/README.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- `src/Attestor/AGENTS.md`
+- `src/Attestor/__Libraries/AGENTS.md`
+
+## Working Agreements
+- Update sprint tracker and local `TASKS.md`.
+- Preserve deterministic serialization and offline verification behavior.
+- Avoid network dependencies in bundle verification.
+
+## Testing Rules
+- Cover builder validation, serialization round-trips, and verification error paths.
+- Include inclusion proof and signature verification fixtures.

src/Attestor/__Libraries/StellaOps.Attestor.Bundle/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Bundle Library Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0045-M | DONE | Maintainability audit for StellaOps.Attestor.Bundle. |
+| AUDIT-0045-T | DONE | Test coverage audit for StellaOps.Attestor.Bundle. |
+| AUDIT-0045-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.Bundling/AGENTS.md

@@ -0,0 +1,22 @@
+# Attestor Bundling Library Charter
+
+## Working Directory
+- `src/Attestor/__Libraries/StellaOps.Attestor.Bundling`
+
+## Scope
+- Attestation bundle aggregation, retention, offline kit export, and org-key signing.
+
+## Required Reading
+- `docs/modules/attestor/README.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- `src/Attestor/AGENTS.md`
+- `src/Attestor/__Libraries/AGENTS.md`
+
+## Working Agreements
+- Update sprint tracker and local `TASKS.md`.
+- Keep bundling deterministic and offline-friendly.
+- Avoid network dependencies in core bundling logic.
+
+## Testing Rules
+- Cover bundling limits, signature handling, retention policy, and offline export.

src/Attestor/__Libraries/StellaOps.Attestor.Bundling/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Bundling Library Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0047-M | DONE | Maintainability audit for StellaOps.Attestor.Bundling. |
+| AUDIT-0047-T | DONE | Test coverage audit for StellaOps.Attestor.Bundling. |
+| AUDIT-0047-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.GraphRoot/AGENTS.md

@@ -0,0 +1,23 @@
+# Attestor GraphRoot AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Libraries/StellaOps.Attestor.GraphRoot/`.
+- Roles: backend engineer, QA automation.
+- Focus: graph root attestation, Merkle root computation, DSSE envelope creation, Rekor submission.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Preserve deterministic ordering and canonical JSON outputs.
+- Keep DSSE signing and verification spec-aligned (PAE, payloadType).
+- Avoid wall-clock time in core logic; inject time providers where needed.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Add unit tests under `src/Attestor/__Libraries/__Tests/StellaOps.Attestor.GraphRoot.Tests/`.
+- Ensure tests cover sign/verify, Merkle root determinism, and Rekor submission paths.

src/Attestor/__Libraries/StellaOps.Attestor.GraphRoot/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor GraphRoot Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0053-M | DONE | Maintainability audit for StellaOps.Attestor.GraphRoot. |
+| AUDIT-0053-T | DONE | Test coverage audit for StellaOps.Attestor.GraphRoot. |
+| AUDIT-0053-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.Oci/AGENTS.md

@@ -0,0 +1,23 @@
+# Attestor OCI AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Libraries/StellaOps.Attestor.Oci/`.
+- Roles: backend engineer, QA automation.
+- Focus: OCI reference parsing, ORAS/OCI referrer workflows, attestation attach/list/fetch/remove, and registry client contracts.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Follow OCI Distribution Spec 1.1 and DSSE envelope compatibility.
+- Keep digest/manifest generation deterministic and stable.
+- Avoid wall-clock time in outputs; prefer TimeProvider for timestamps.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Add unit tests under `src/Attestor/__Tests/StellaOps.Attestor.Oci.Tests/`.
+- Cover reference parsing, attach/list/fetch/remove, annotation behavior, and deterministic digests.

src/Attestor/__Libraries/StellaOps.Attestor.Oci/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor OCI Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0056-M | DONE | Maintainability audit for StellaOps.Attestor.Oci. |
+| AUDIT-0056-T | DONE | Test coverage audit for StellaOps.Attestor.Oci. |
+| AUDIT-0056-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.Offline/AGENTS.md

@@ -0,0 +1,23 @@
+# Attestor Offline AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Libraries/StellaOps.Attestor.Offline/`.
+- Roles: backend engineer, QA automation.
+- Focus: offline verification of attestation bundles, trust root handling, and air-gap workflows.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep verification deterministic and offline-friendly; no network dependencies.
+- Avoid wall-clock time or randomness in core logic; prefer TimeProvider and stable ordering.
+- Treat DSSE, Merkle, and certificate validation as security-critical; add negative-path tests.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Add unit tests under `src/Attestor/__Tests/StellaOps.Attestor.Offline.Tests/`.
+- Use deterministic fixtures (fixed time/IDs) and avoid external resources.

src/Attestor/__Libraries/StellaOps.Attestor.Offline/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Offline Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0058-M | DONE | Maintainability audit for StellaOps.Attestor.Offline. |
+| AUDIT-0058-T | DONE | Test coverage audit for StellaOps.Attestor.Offline. |
+| AUDIT-0058-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.Persistence/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Persistence Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0060-M | DONE | Maintainability audit for StellaOps.Attestor.Persistence. |
+| AUDIT-0060-T | DONE | Test coverage audit for StellaOps.Attestor.Persistence. |
+| AUDIT-0060-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor ProofChain Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0062-M | DONE | Maintainability audit for StellaOps.Attestor.ProofChain. |
+| AUDIT-0062-T | DONE | Test coverage audit for StellaOps.Attestor.ProofChain. |
+| AUDIT-0062-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/AGENTS.md

@@ -0,0 +1,24 @@
+# StellaOps.Attestor.StandardPredicates Local Agent Charter
+
+## Scope
+- This charter applies to `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/**`.
+
+## Primary roles
+- Backend engineer (C# / .NET 10).
+- QA automation engineer (xUnit).
+
+## Required reading (treat as read before edits)
+- `docs/modules/attestor/architecture.md`
+- `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`
+- RFC 8785 (JSON Canonicalization Scheme)
+- SPDX 3.0.1, CycloneDX 1.6/1.7, and SLSA provenance v1.0 references
+
+## Working agreements
+- Determinism is mandatory: canonical JSON, stable ordering, UTC timestamps only.
+- Avoid network access; keep parsing offline-friendly.
+- Prefer explicit validation with structured errors and stable metadata output.
+- Keep predicate parsing logic pure and side-effect free; log only for diagnostics.
+
+## Testing expectations
+- Every behavior change must be covered by tests under `src/Attestor/__Tests/StellaOps.Attestor.StandardPredicates.Tests`.
+- Include numeric canonicalization edge cases, schema validation behavior, and SBOM hash determinism checks.

src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor StandardPredicates Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0064-M | DONE | Maintainability audit for StellaOps.Attestor.StandardPredicates. |
+| AUDIT-0064-T | DONE | Test coverage audit for StellaOps.Attestor.StandardPredicates. |
+| AUDIT-0064-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict.Tests/AGENTS.md

@@ -0,0 +1,22 @@
+# Attestor TrustVerdict Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: TrustVerdict service, cache, Merkle builder, and canonicalization correctness.
+
+## Required Reading (treat as read before DOING)
+- `docs/modules/attestor/architecture.md`
+- `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`
+- RFC 8785 (JSON Canonicalization Scheme)
+- Relevant sprint files.
+
+## Working Agreements
+- Determinism is mandatory: stable ordering and fixed timestamps in tests.
+- Separate unit vs integration/perf tests with explicit categories.
+- Avoid wall-clock time; use FakeTimeProvider or fixed timestamps.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions + TestKit; prefer deterministic fixtures.
+- Cover canonicalization numeric edge cases, Merkle proof consistency, and cache expiry behavior.

src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor TrustVerdict Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0068-M | DONE | Maintainability audit for TrustVerdict tests. |
+| AUDIT-0068-T | DONE | Test coverage audit for TrustVerdict tests. |
+| AUDIT-0068-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict/AGENTS.md

@@ -0,0 +1,23 @@
+# StellaOps.Attestor.TrustVerdict Local Agent Charter
+
+## Scope
+- This charter applies to `src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict/**`.
+
+## Primary roles
+- Backend engineer (C# / .NET 10).
+- QA automation engineer (xUnit).
+
+## Required reading (treat as read before edits)
+- `docs/modules/attestor/architecture.md`
+- `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`
+- RFC 8785 (JSON Canonicalization Scheme)
+
+## Working agreements
+- Determinism is mandatory: canonical JSON, stable ordering, UTC timestamps only.
+- Evidence Merkle roots must align across service, cache, and verifier implementations.
+- Avoid network dependencies in library code paths; keep offline-friendly defaults.
+- Use explicit invariant-culture formatting for strings that affect hashes.
+
+## Testing expectations
+- Every behavior change must be covered by tests under `src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict.Tests`.
+- Include canonicalization edge cases, Merkle root consistency, and repository mapping tests.

src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor TrustVerdict Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0067-M | DONE | Maintainability audit for StellaOps.Attestor.TrustVerdict. |
+| AUDIT-0067-T | DONE | Test coverage audit for StellaOps.Attestor.TrustVerdict. |
+| AUDIT-0067-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/__Tests/StellaOps.Attestor.GraphRoot.Tests/AGENTS.md

@@ -0,0 +1,21 @@
+# Attestor GraphRoot Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Libraries/__Tests/StellaOps.Attestor.GraphRoot.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: graph root attestation, Merkle root computation, DSSE envelope signing/verification.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep tests deterministic: fixed IDs and predictable fixtures.
+- Classify integration tests accurately (Unit vs Integration).
+- Add negative-path tests for malformed inputs and signature failures.
+
+## Testing
+- Cover DSSE PAE signing, signature verification, Rekor submission behavior, and tamper detection.

src/Attestor/__Libraries/__Tests/StellaOps.Attestor.GraphRoot.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor GraphRoot Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0054-M | DONE | Maintainability audit for StellaOps.Attestor.GraphRoot.Tests. |
+| AUDIT-0054-T | DONE | Test coverage audit for StellaOps.Attestor.GraphRoot.Tests. |
+| AUDIT-0054-A | TODO | Pending approval for changes. |

src/Attestor/__Tests/StellaOps.Attestor.Bundle.Tests/AGENTS.md

@@ -0,0 +1,21 @@
+# Attestor Bundle Tests Charter
+
+## Working Directory
+- `src/Attestor/__Tests/StellaOps.Attestor.Bundle.Tests`
+
+## Scope
+- Unit tests for Sigstore bundle builder, serializer, and verifier.
+
+## Required Reading
+- `docs/modules/attestor/README.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- `src/Attestor/AGENTS.md`
+- `src/Attestor/__Libraries/StellaOps.Attestor.Bundle/AGENTS.md`
+
+## Working Agreements
+- Keep tests deterministic with fixed timestamps and key material.
+- Update sprint tracker and local `TASKS.md`.
+
+## Testing Rules
+- Cover signature verification, inclusion proof checks, and invalid base64 inputs.

src/Attestor/__Tests/StellaOps.Attestor.Bundle.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Bundle Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0046-M | DONE | Maintainability audit for StellaOps.Attestor.Bundle.Tests. |
+| AUDIT-0046-T | DONE | Test coverage audit for StellaOps.Attestor.Bundle.Tests. |
+| AUDIT-0046-A | TODO | Pending approval for changes. |

src/Attestor/__Tests/StellaOps.Attestor.Bundling.Tests/AGENTS.md

@@ -0,0 +1,21 @@
+# Attestor Bundling Tests Charter
+
+## Working Directory
+- `src/Attestor/__Tests/StellaOps.Attestor.Bundling.Tests`
+
+## Scope
+- Unit and integration tests for bundle aggregation, signing, retention, and offline export.
+
+## Required Reading
+- `docs/modules/attestor/README.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- `src/Attestor/AGENTS.md`
+- `src/Attestor/__Libraries/StellaOps.Attestor.Bundling/AGENTS.md`
+
+## Working Agreements
+- Keep tests deterministic with fixed time and key material.
+- Update sprint tracker and local `TASKS.md`.
+
+## Testing Rules
+- Exercise retention policies, signing paths, and offline kit export.

src/Attestor/__Tests/StellaOps.Attestor.Bundling.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Bundling Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0048-M | DONE | Maintainability audit for StellaOps.Attestor.Bundling.Tests. |
+| AUDIT-0048-T | DONE | Test coverage audit for StellaOps.Attestor.Bundling.Tests. |
+| AUDIT-0048-A | TODO | Pending approval for changes. |

src/Attestor/__Tests/StellaOps.Attestor.Oci.Tests/AGENTS.md

@@ -0,0 +1,23 @@
+# Attestor OCI Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Tests/StellaOps.Attestor.Oci.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: unit and integration tests for OCI attestation attach/list/fetch/remove and reference parsing.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep tests deterministic (fixed time/IDs) and avoid network by default.
+- Integration tests must be explicitly skipped or opt-in and document required containers.
+- Ensure tests reflect current production behavior; update when APIs change.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions + Moq; keep fixtures reusable and deterministic.
+- Cover negative paths, serialization, and digest/annotation behavior.

src/Attestor/__Tests/StellaOps.Attestor.Oci.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor OCI Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0057-M | DONE | Maintainability audit for StellaOps.Attestor.Oci.Tests. |
+| AUDIT-0057-T | DONE | Test coverage audit for StellaOps.Attestor.Oci.Tests. |
+| AUDIT-0057-A | TODO | Pending approval for changes. |

src/Attestor/__Tests/StellaOps.Attestor.Offline.Tests/AGENTS.md

@@ -0,0 +1,23 @@
+# Attestor Offline Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Tests/StellaOps.Attestor.Offline.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: offline verification tests for bundles, DSSE structure, Merkle validation, and root stores.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep tests deterministic (fixed time/IDs) and avoid wall-clock time.
+- Avoid network calls by default; integration tests must be explicitly opt-in.
+- Ensure negative-path coverage for verification failures.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions + Moq; prefer TestKit helpers for temp paths.
+- Cover signature, merkle proof, cert chain, and root-store behaviors.

src/Attestor/__Tests/StellaOps.Attestor.Offline.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Offline Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0059-M | DONE | Maintainability audit for StellaOps.Attestor.Offline.Tests. |
+| AUDIT-0059-T | DONE | Test coverage audit for StellaOps.Attestor.Offline.Tests. |
+| AUDIT-0059-A | TODO | Pending approval for changes. |

src/Attestor/__Tests/StellaOps.Attestor.Persistence.Tests/AGENTS.md

@@ -0,0 +1,22 @@
+# Attestor Persistence Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Tests/StellaOps.Attestor.Persistence.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: trust anchor matching, EF Core persistence behaviors, and migration validation.
+
+## Required Reading (treat as read before DOING)
+- `docs/modules/attestor/architecture.md`
+- `docs/db/SPECIFICATION.md`
+- `docs/db/MIGRATION_STRATEGY.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep tests deterministic (fixed time/IDs) and avoid wall-clock time.
+- Include coverage for repository behaviors and schema defaults.
+- Perf harness updates should stay deterministic and documented.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions + NSubstitute; prefer TestKit helpers for temp paths.
+- Cover trust anchor matcher specificity, active/inactive anchors, and predicate/key allowlists.

src/Attestor/__Tests/StellaOps.Attestor.Persistence.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Persistence Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0061-M | DONE | Maintainability audit for StellaOps.Attestor.Persistence.Tests. |
+| AUDIT-0061-T | DONE | Test coverage audit for StellaOps.Attestor.Persistence.Tests. |
+| AUDIT-0061-A | TODO | Pending approval for changes. |

src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/AGENTS.md

@@ -0,0 +1,22 @@
+# Attestor ProofChain Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: proof chain canonicalization, ID generation, Merkle proofs, schema validation, and signing.
+
+## Required Reading (treat as read before DOING)
+- `docs/modules/attestor/architecture.md`
+- `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`
+- RFC 8785 (JSON Canonicalization Scheme)
+- Relevant sprint files.
+
+## Working Agreements
+- Determinism is mandatory: stable ordering and fixed timestamps in tests.
+- Separate unit vs integration/perf tests with explicit categories.
+- Avoid wall-clock time; use fixed timestamps in fixtures.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions + TestKit; prefer deterministic data.
+- Cover canonicalization numeric edge cases, schema validation, and proof signing/verification.

src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor ProofChain Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0063-M | DONE | Maintainability audit for StellaOps.Attestor.ProofChain.Tests. |
+| AUDIT-0063-T | DONE | Test coverage audit for StellaOps.Attestor.ProofChain.Tests. |
+| AUDIT-0063-A | TODO | Pending approval for changes. |

src/Attestor/__Tests/StellaOps.Attestor.StandardPredicates.Tests/AGENTS.md

@@ -0,0 +1,23 @@
+# Attestor StandardPredicates Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Tests/StellaOps.Attestor.StandardPredicates.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: predicate parsers, canonicalization, metadata extraction, and SBOM hashing.
+
+## Required Reading (treat as read before DOING)
+- `docs/modules/attestor/architecture.md`
+- `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`
+- RFC 8785 (JSON Canonicalization Scheme)
+- SPDX 3.0.1, CycloneDX 1.6/1.7, and SLSA provenance v1.0 references
+- Relevant sprint files.
+
+## Working Agreements
+- Determinism is mandatory: stable ordering and fixed timestamps in tests.
+- Separate unit vs integration/perf tests with explicit categories.
+- Avoid wall-clock time; use fixed timestamps in fixtures.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions + TestKit; prefer deterministic data.
+- Cover canonicalization numeric edge cases, parser warnings/errors, and SBOM hash determinism.

src/Attestor/__Tests/StellaOps.Attestor.StandardPredicates.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor StandardPredicates Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0065-M | DONE | Maintainability audit for StandardPredicates tests. |
+| AUDIT-0065-T | DONE | Test coverage audit for StandardPredicates tests. |
+| AUDIT-0065-A | TODO | Pending approval for changes. |

src/Attestor/__Tests/StellaOps.Attestor.Types.Tests/AGENTS.md

@@ -0,0 +1,25 @@
+# Attestor Types Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Tests/StellaOps.Attestor.Types.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: schema validation, sample attestation validation, canonicalization/determinism, and Rekor receipt/proof tests for Attestor Types.
+
+## Required Reading (treat as read before DOING)
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/attestor/payloads.md`
+- `docs/modules/attestor/bundle-format.md`
+- `docs/modules/attestor/rekor-verification-design.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Determinism is mandatory: fixed timestamps, stable IDs, and deterministic ordering in tests.
+- Separate unit vs integration/perf tests with explicit categories.
+- Avoid wall-clock time; prefer deterministic time providers or fakes.
+- Keep tests offline-friendly.
+- Update `docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions + TestKit; prefer deterministic fixtures.
+- Schema/sample tests should validate against the committed schemas and enforce canonicalization rules.

src/Attestor/__Tests/StellaOps.Attestor.Types.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Types Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0070-M | DONE | Maintainability audit for StellaOps.Attestor.Types.Tests. |
+| AUDIT-0070-T | DONE | Test coverage audit for StellaOps.Attestor.Types.Tests. |
+| AUDIT-0070-A | TODO | Pending approval for changes. |

src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions.Tests/AGENTS.md

@@ -0,0 +1,22 @@
+# Auth Abstractions Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: unit coverage for scopes, claims, principal builder, network masks, and problem responses.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/platform/architecture-overview.md`
+- `docs/modules/authority/architecture.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep tests deterministic (fixed time/IDs, stable ordering).
+- Use explicit assertions for scope lists and network mask behavior.
+- Update `docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions + TestKit.
+- Add edge-case coverage for parsing and canonicalization.