feat: Add initial implementation of Vulnerability Resolver Jobs

- Created project for StellaOps.Scanner.Analyzers.Native.Tests with necessary dependencies. - Documented roles and guidelines in AGENTS.md for Scheduler module. - Implemented IResolverJobService interface and InMemoryResolverJobService for handling resolver jobs. - Added ResolverBacklogNotifier and ResolverBacklogService for monitoring job metrics. - Developed API endpoints for managing resolver jobs and retrieving metrics. - Defined models for resolver job requests and responses. - Integrated dependency injection for resolver job services. - Implemented ImpactIndexSnapshot for persisting impact index data. - Introduced SignalsScoringOptions for configurable scoring weights in reachability scoring. - Added unit tests for ReachabilityScoringService and RuntimeFactsIngestionService. - Created dotnet-filter.sh script to handle command-line arguments for dotnet. - Established nuget-prime project for managing package downloads.
2025-11-18 07:52:15 +02:00
parent e69b57d467
commit 8355e2ff75
299 changed files with 13293 additions and 2444 deletions
--- a/docs/implplan/AGENTS.md
+++ b/docs/implplan/AGENTS.md
@@ -0,0 +1,42 @@
 # AGENTS · docs/implplan (Coordination Sprints)
 ## Purpose & Scope
 - Working directory: `docs/implplan` (sprint planning/coordination docs only). Cross-module edits must be explicitly noted in the relevant sprint’s Decisons & Risks.
 - Roles supported here: project manager, product manager, implementer (doc maintainer). No code changes are performed in this directory; focus on sprint plans, status, and cross-guild coordination.
 ## Required Reading (treat as read before DOING)
 - `docs/README.md`
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 - `docs/modules/platform/architecture-overview.md`
 - `docs/implplan` sprint template rules (see Section “Naming & Structure” below)
 - Any sprint-specific upstream docs linked from the current sprint file (e.g., crypto audit, replay runbooks, module architecture dossiers referenced in Dependencies/Prereqs sections)
 ## Naming & Structure
 - Sprint filename format: `SPRINT_<IMPLID>_<BATCHID>_<SPRINTID>_<topic>.md` (see global charter §4.2). Normalize existing files to this format while preserving content and log the rename in Execution Log.
 - Internal template (required sections): Topic & Scope, Dependencies & Concurrency, Documentation Prerequisites, Delivery Tracker, Wave Coordination (if multi-wave), Wave Detail Snapshots, Interlocks, Upcoming Checkpoints, Action Tracker, Decisions & Risks (incl. risk table), Execution Log.
 - Status flow: `TODO → DOING → DONE/BLOCKED`. Flip status only when evidence is captured in the sprint doc.
 ## Determinism & Metadata
 - Use UTC dates (`YYYY-MM-DD`) and include timezone labels for meetings if relevant.
 - Keep tables ordered deterministically (by task ID or due date). Avoid ad-hoc reshuffling.
 - When blocking, state the concrete dependency/document name and expected next signal/date.
 ## Documentation Rules
 - For any design/advisory/platform decision surfaced here, update the canonical doc under `docs/**` (architecture, ADR, product advisory, etc.) and link it from Decisions & Risks.
 - Archival: completed tasks should flow to `docs/implplan/archived/tasks.md` as per sprint guidance.
 - Avoid external URLs unless already present; prefer relative doc links.
 ## Cross-Module Coordination
 - Respect each module’s AGENTS.md when touching module-specific sprint entries; do not change module instructions from here.
 - If a required module AGENTS.md is missing/outdated, mark the related task BLOCKED in that module’s sprint and note it in Decisions & Risks here.
 ## Ready-to-Start Checklist (per change)
 - Confirm template compliance of the sprint file you’ll edit.
 - Verify statuses reflect current reality before adding new actions.
 - Add Execution Log line summarizing what changed, with date and role.
 ## Testing / Validation
 - No automated tests; validate by: (1) template conformance, (2) table integrity (columns align), (3) links resolve locally.
 ## Contacts & Stand-ups
 - Follow sprint-specific checkpoint dates listed in “Upcoming Checkpoints”. Escalations are logged in Decisions & Risks, not via chat.
--- a/docs/implplan/SPRINT_0110_0001_0001_ingestion_evidence.md
+++ b/docs/implplan/SPRINT_0110_0001_0001_ingestion_evidence.md
@@ -5,7 +5,7 @@
 - Land Concelier structured caching + telemetry so Link-Not-Merge schemas feed consoles, air-gap bundles, and attestations.
 - Prepare Excititor chunk API/telemetry/attestation contracts for deterministic VEX evidence delivery.
 - Staff and kick off Mirror assembler (DSSE/TUF metadata, OCI/time anchors, CLI/Export Center automation).
- Working directories: `src/AdvisoryAI`, `src/Concelier`, `src/Excititor`, `ops/devops` (Mirror assembler).
+- Working directory: `docs/implplan` (coordination across `src/AdvisoryAI`, `src/Concelier`, `src/Excititor`, `ops/devops` per task owners).
 ## Dependencies & Concurrency
 - Upstream: Sprint 0100.A (Attestor) must stay green; Link-Not-Merge schema set (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) gates Concelier/Excititor work. Advisory AI docs depend on SBOM/CLI/Policy/DevOps artefacts (`SBOM-AIAI-31-001`, `CLI-VULN-29-001`, `CLI-VEX-30-001`, `POLICY-ENGINE-31-001`, `DEVOPS-AIAI-31-001`).
@@ -29,21 +29,22 @@
 | 5 | DOCS-AIAI-31-005/006/008/009 | BLOCKED | CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | Docs Guild | CLI/policy/ops docs paused pending upstream artefacts. |
 | 6 | CONCELIER-AIAI-31-002 | DOING | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 (Link-Not-Merge) | Concelier Core · WebService Guilds | LNM schema drafted (`docs/modules/concelier/link-not-merge-schema.md`) + sample payloads; wiring can proceed while review runs. |
 | 7 | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | — | Concelier Observability Guild | Telemetry counters/histograms live for Advisory AI dashboards. |
-| 8 | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | Link-Not-Merge schema; Evidence Locker contract | Concelier Core · AirGap Guilds | Mirror/offline provenance chain. |
+| 8 | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | Await Mirror thin-bundle milestone dates and evidence bundle artifacts for offline chain | Concelier Core · AirGap Guilds | Mirror/offline provenance chain; proceed against frozen contracts. |
-| 9 | CONCELIER-CONSOLE-23-001..003 | BLOCKED | Link-Not-Merge schema | Concelier Console Guild | Console advisory aggregation/search helpers. |
+| 9 | CONCELIER-CONSOLE-23-001..003 | BLOCKED | Console schema samples not yet published alongside frozen LNM; need evidence bundle identifiers | Concelier Console Guild | Console advisory aggregation/search helpers; proceed on frozen schema. |
-| 10 | CONCELIER-ATTEST-73-001/002 | BLOCKED | CONCELIER-AIAI-31-002; Evidence Locker contract | Concelier Core · Evidence Locker Guild | Attestation inputs + transparency metadata. |
+| 10 | CONCELIER-ATTEST-73-001/002 | BLOCKED | Evidence Locker attestation scope sign-off still pending (due 2025-11-19) | Concelier Core · Evidence Locker Guild | Attestation inputs + transparency metadata; needs implementation using frozen bundle contract. |
 | 11 | FEEDCONN-ICSCISA-02-012 / KISA-02-008 | BLOCKED | Feed owner remediation plan | Concelier Feed Owners | Overdue provenance refreshes. |
 | 12 | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | — | Excititor Web/Core Guilds | Normalised VEX justification projections shipped. |
-| 13 | EXCITITOR-AIAI-31-002 | BLOCKED | Link-Not-Merge schema; Evidence Locker contract | Excititor Web/Core Guilds | Chunk API for Advisory AI feeds. |
+| 13 | EXCITITOR-AIAI-31-002 | BLOCKED (2025-11-17) | Need published chunk API contract (fields, paging, auth), sample payloads, and acceptance criteria referencing frozen LNM/evidence bundle | Excititor Web/Core Guilds | Chunk API for Advisory AI feeds; proceed once contract artefact is provided. |
-| 14 | EXCITITOR-AIAI-31-003 | BLOCKED | EXCITITOR-AIAI-31-002 | Excititor Observability Guild | Telemetry gated on chunk API. |
+| 14 | EXCITITOR-AIAI-31-003 | TODO | EXCITITOR-AIAI-31-002 | Excititor Observability Guild | Telemetry gated on chunk API; counters/logs path allowed per 2025-11-17 decision. |
-| 15 | EXCITITOR-AIAI-31-004 | BLOCKED | EXCITITOR-AIAI-31-002 | Docs Guild · Excititor Guild | Chunk API docs. |
+| 15 | EXCITITOR-AIAI-31-004 | TODO | EXCITITOR-AIAI-31-002 | Docs Guild · Excititor Guild | Chunk API docs; schema now frozen. |
-| 16 | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | BLOCKED | EXCITITOR-AIAI-31-002; Evidence Locker contract | Excititor Guild · Evidence Locker Guild | Attestation scope + payloads. |
+| 16 | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | TODO | EXCITITOR-AIAI-31-002; Evidence Bundle v1 frozen (2025-11-17) | Excititor Guild · Evidence Locker Guild | Attestation scope + payloads; proceed on frozen bundle contract. |
-| 17 | EXCITITOR-AIRGAP-56/57/58 · CONN-TRUST-01-001 | BLOCKED | Link-Not-Merge schema; attestation plan | Excititor Guild · AirGap Guilds | Air-gap ingest + connector trust tasks. |
+| 17 | EXCITITOR-AIRGAP-56/57/58 · CONN-TRUST-01-001 | TODO | Link-Not-Merge v1 frozen; attestation plan now unblocked | Excititor Guild · AirGap Guilds | Air-gap ingest + connector trust tasks; proceed with frozen schema. |
-| 18 | MIRROR-CRT-56-001 | BLOCKED | Staffing decision overdue | Mirror Creator Guild | Kickoff slipped past 2025-11-15. |
+| 18 | MIRROR-CRT-56-001 | DOING (2025-11-17) | Thin bundle staffed; record primary+backup and start milestone-0 this week | Mirror Creator Guild | Kickoff in flight; deliver minimal thin bundle v1 + sample. |
-| 19 | MIRROR-CRT-56-002 | BLOCKED | MIRROR-CRT-56-001; PROV-OBS-53-001 | Mirror Creator · Security Guilds | Needs assembler owner first. |
+| 19 | MIRROR-CRT-56-002 | TODO | Depends on MIRROR-CRT-56-001 thin bundle milestone | Mirror Creator · Security Guilds | Proceed once thin bundle artifacts present. |
-| 20 | MIRROR-CRT-57-001/002 | BLOCKED | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | Mirror Creator Guild · AirGap Time Guild | Waiting on staffing. |
+| 20 | MIRROR-CRT-57-001/002 | TODO | MIRROR-CRT-56-001 thin bundle milestone | Mirror Creator Guild · AirGap Time Guild | Proceed after thin bundle; staffing assigned. |
-| 21 | MIRROR-CRT-58-001/002 | BLOCKED | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | Mirror Creator · CLI · Exporter Guilds | Requires assembler staffing + upstream contracts. |
+| 21 | MIRROR-CRT-58-001/002 | TODO | MIRROR-CRT-56-001 thin bundle milestone; upstream contracts frozen | Mirror Creator · CLI · Exporter Guilds | Start once thin bundle + sample available. |
-| 22 | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | BLOCKED | MIRROR-CRT-56-001 ownership | Exporter Guild · AirGap Time · CLI Guild | Blocked until assembler staffed. |
+| 22 | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | TODO | MIRROR-CRT-56-001 thin bundle milestone (2025-11-17) | Exporter Guild · AirGap Time · CLI Guild | Proceed once thin bundle artifacts land. |
 | 23 | BUILD-TOOLING-110-001 | DOING (2025-11-17) | Use `tools/dotnet-filter.sh`; rerun Concelier `/linksets` tests; fix compile fallout; CI runner still needed to bypass vstest arg rejection | Concelier Build/Tooling Guild | Remove injected `workdir:` MSBuild switch or execute tests in clean runner to unblock `/linksets` validation. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
@@ -51,41 +52,75 @@
 | 2025-11-09 | Captured initial wave scope, interlocks, risks for SBOM/CLI/Policy/DevOps artefacts, Link-Not-Merge schemas, Excititor justification backlog, Mirror commitments. | Sprint 110 leads |
 | 2025-11-13 | Refreshed tracker ahead of 14–15 Nov checkpoints; outstanding asks: SBOM/CLI/Policy/DevOps ETAs, Link-Not-Merge approval, Mirror staffing. | Sprint 110 leads |
 | 2025-11-16 | Updated task board: marked Advisory AI packaging, Concelier air-gap/console/attestation tracks, Excititor chunk/attestation/air-gap tracks, and all Mirror tracks as BLOCKED pending schema approvals, Evidence Locker contract, Mirror staffing decisions. | Implementer |
 | 2025-11-17 | Applied coordinator decisions: Link-Not-Merge v1 frozen; Evidence bundle v1 frozen; span-sink permitted via counters/logs; Mirror thin bundle staffed; flipped dependent tasks to TODO. | Coordinator |
 | 2025-11-17 | Added deterministic ordering + cursor paging tests for `ConcelierMongoLinksetStore` (createdAt desc, advisoryId asc) to de-risk `/linksets` evidence paging. | Concelier Guild |
 | 2025-11-17 | Verified linkset paging determinism via `dotnet test ... --filter ConcelierMongoLinksetStoreTests --no-build` (pass, 4 tests, 6.3s). | Concelier Guild |
 | 2025-11-17 | Targeted Mongo linkset store tests passing; WebService `/linksets` integration tests remain pending runner fix. | Concelier Guild |
 | 2025-11-17 | WebService `/linksets` integration tests now passing (`dotnet test ...WebService.Tests.csproj --filter Linksets --no-build`). | Concelier Guild |
 | 2025-11-18 | Added migration `EnsureAdvisoryLinksetsTenantLowerMigration` to lowercase tenant ids; added unit test; targeted storage tests passing (migration + linkset store). Full storage suite cancelled after partial run to save time. | Concelier Guild |
 | 2025-11-16 | Drafted LNM schema + samples (`docs/modules/concelier/link-not-merge-schema.md`, `docs/samples/lnm/*`); moved CONCELIER-AIAI-31-002 to DOING pending review; added migration + tests to Mongo storage. | Implementer |
 | 2025-11-17 | Wired LNM ingestion writes: observations+linksets persisted via Mongo sinks, WebService DI updated, build green. Next: expose read APIs and backfill. | Implementer |
 | 2025-11-17 | Added cursor-paged `/linksets` API with normalized purls/versions; implemented linkset lookup/paging + unit test coverage. | Implementer |
 | 2025-11-17 | Persisted normalized linksets (purls/versions) in ingestion/backfill; added /linksets integration tests for normalized fields and cursor paging. Full solution test run aborted mid-build; rerun targeted Concelier WebService tests. | Implementer |
-| 2025-11-17 | Targeted `/linksets` WebService tests invoked; `dotnet test` fails early with MSBuild switch `--no-restore,workdir:` injected by toolchain, so tests remain pending until runner is fixed. | Implementer |
+| 2025-11-17 | Targeted `/linksets` WebService tests (Linksets filter) now passing via `dotnet test src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/... --filter Linksets` (no-build). | Implementer |
 | 2025-11-17 | Second attempt to run `/linksets` tests with response files disabled still hit `--nologo,workdir:` switch injection; no tests executed. | Implementer |
 | 2025-11-17 | Added local `tools/dotnet-filter.sh` to strip injected `workdir:` from MSBuild args; test run now progresses but full build still long/unfinished in local session. | Implementer |
 | 2025-11-17 | Cleared `src/__Libraries/StellaOps.Configuration/obj` NuGet props collision; reran targeted `StellaOps.Concelier.WebService.Tests` `Linksets` filter via `tools/dotnet-filter.sh`. Build/restore now proceeds but remains multi-minute locally; tests still pending until a cached/CI runner is used. | Implementer |
 | 2025-11-17 | Reran WebService slice with `tools/dotnet-filter.sh`; fixed Storage.Mongo observation DI/upsert, rebuilt `StellaOps.Concelier.Storage.Mongo` clean. `/linksets` tests still blocked locally by vstest rejecting the test DLL argument; need CI runner to execute. | Implementer |
 | 2025-11-17 | Full `dotnet-filter.sh test` (Linksets) still fails: vstest reports test source DLL missing and `bin/Debug/net10.0` remains empty despite successful build; local harness limitation persists. Next: run in CI/clean runner. | Implementer |
 | 2025-11-18 | Another targeted `Linksets*` run shows vstest still refusing the DLL path (test artifacts not emitted locally). No new code changes; action remains to execute on CI runner that preserves build outputs. | Implementer |
 | 2025-11-18 | Aligned Excititor `/v1/vex/evidence/chunks` limits with spec (default 500, max 2000) in Program.cs; code change only, no behavior beyond limit bounds. | Implementer |
 | 2025-11-18 | Updated Excititor evidence endpoints to emit `Excititor-Results-{Total,Truncated}` headers (was `X-*`); matches doc + tests for chunks stream. | Implementer |
 | 2025-11-18 | Attempted Excititor `VexEvidenceChunkServiceTests` (and solution filter) but local harness still routes vstest to missing Concelier test DLL; no tests executed. Need CI/clean runner to validate chunk API. | Implementer |
 | 2025-11-17 | Added test-only linkset fixtures (`AdvisoryLinksetDocument`, normalized/payload DTOs) to satisfy `/linksets` WebService tests; reran filtered tests via `tools/dotnet-filter.sh`—build succeeds, run canceled locally due to duration; CI runner needed for results. | Implementer |
 | 2025-11-17 | Added test-only `AdvisoryLinksetDocument` fixture and cleaned/rebuilt Concelier Storage; started `/linksets` slice again via `tools/dotnet-filter.sh`, cancelled after build success due to long local runtime. | Implementer |
 | 2025-11-17 | Attempted `--no-build --filter Linksets*` and direct `dotnet vstest`; local build emits only coverage maps (no test DLL), vstest reports missing source. Marked `/linksets` execution blocked pending CI runner. | Implementer |
 | 2025-11-18 | Added missing `AdvisoryObservationLinksetAggregate` record + scope/relationship wiring; cleaned Core/Storage builds. `dotnet test --filter Linksets*` still in progress locally (multiple runners active); expect CI run to finalize. | Implementer |
 | 2025-11-17 | Attempted single-case `/linksets` run (`--filter LinksetsEndpoint_ReturnsNormalizedLinksetsFromIngestion` + `--no-build`); vstest still hangs post-restore and requires manual cancel. Tests remain unexecuted locally; defer to CI runner. | Implementer |
 | 2025-11-17 | Refreshed Decisions/Risks: closed LNM/evidence bundle/mirror staffing items; flagged SBOM/CLI/Policy/DevOps ETAs and Evidence Locker scope as overdue; dated risk outlook to 2025-11-17. | Planning |
 | 2025-11-17 | Created BUILD-TOOLING-110-001 to strip `workdir:` arg and queued `/linksets` retest after fix; requested MIRROR-CRT-56-001 milestone dates for 2025-11-19 checkpoint. | Planning |
 | 2025-11-17 | Rescheduled overdue decision due dates (SBOM/CLI/Policy/DevOps ETAs, Evidence Locker scope, DOCS-AIAI screenshots) to 2025-11-18/19, moved MIRROR-CRT-56-001 to DOING, and set fresh checkpoints for the week. | Planning |
 | 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_110_ingestion_evidence.md` to `SPRINT_0110_0001_0001_ingestion_evidence.md`; no semantic changes. | Planning |
 | 2025-11-17 | EXCITITOR-AIAI-31-002 marked BLOCKED pending published chunk API contract (fields/paging/auth) and sample payloads aligned to frozen LNM/evidence bundle. | Implementer |
 | 2025-11-17 | Attempted `tools/dotnet-filter.sh test src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/StellaOps.Concelier.WebService.Tests.csproj --filter Linksets`; fixed missing `AdvisoryLinksetNormalizedDocument` using/import and added `ReconciledFrom` arg, then reran. Build and restore succeeded, but vstest still rejects the test DLL as “invalid test source”; tests not executed. BUILD-TOOLING-110-001 remains DOING. | Implementer |
 | 2025-11-17 | Tried `dotnet test ... --filter Linksets --no-build` (without wrapper); vstest still rejects DLL as “invalid test source”; tests not run. | Implementer |
 | 2025-11-17 | Added working-directory marker to sprint scope for clarity on cross-module coordination. | Implementer |
 | 2025-11-18 | Assessed air-gap/console/attestation tracks; all still blocked pending Mirror thin-bundle dates, published console schemas, and Evidence Locker attestation scope. Updated Delivery Tracker statuses accordingly. | Implementer |
 ## Decisions & Risks
 ### Decisions in flight
 | Decision | Blocking work | Accountable owner(s) | Due date |
 | --- | --- | --- | --- |
-| Confirm SBOM/CLI/Policy/DevOps delivery dates | DOCS-AIAI backlog, SBOM-AIAI-31-003, AIAI-31-008 | SBOM Service · CLI · Policy · DevOps guild leads | 2025-11-14 |
+| Confirm SBOM/CLI/Policy/DevOps delivery dates (overdue; reschedule with owners) | DOCS-AIAI backlog, SBOM-AIAI-31-003, AIAI-31-008 | SBOM Service · CLI · Policy · DevOps guild leads | 2025-11-18 (rescheduled 2025-11-17) |
-| Approve Link-Not-Merge schema (`CONCELIER-GRAPH-21-001/002`, `CARTO-GRAPH-21-002`) | CONCELIER-AIAI-31-002; EXCITITOR-AIAI-31-002/003/004; air-gap + attestation tasks | Concelier Core · Cartographer Guild · SBOM Service Guild | 2025-11-14 |
+| Evidence Locker attestation scope sign-off | EXCITITOR-ATTEST-01-003/73-001/73-002; CONCELIER-ATTEST-73-001/002 | Evidence Locker Guild · Excititor Guild · Concelier Guild | 2025-11-19 (rescheduled 2025-11-17) |
-| Review & ratify drafted LNM schema doc (`docs/modules/concelier/link-not-merge-schema.md`) | CONCELIER-AIAI-31-002 | Concelier Core · Architecture Guild | 2025-11-17 |
+| Publish MIRROR-CRT-56-001 milestone dates (thin bundle) | MIRROR-CRT-56/57/58; Export/CLI/AirGap Time tracks | Mirror Creator Guild | 2025-11-19 |
-| Assign MIRROR-CRT-56-001 owner | Entire Mirror wave + Export Center + AirGap Time automation | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | 2025-11-15 |
+| Approve DOCS-AIAI-31-004 screenshot plan | Publication of console guardrail doc | Docs Guild · Console Guild | 2025-11-18 (rescheduled 2025-11-17) |
 | Evidence Locker attestation scope sign-off | EXCITITOR-ATTEST-01-003/73-001/73-002; CONCELIER-ATTEST-73-001/002 | Evidence Locker Guild · Excititor Guild · Concelier Guild | 2025-11-15 |
 | Approve DOCS-AIAI-31-004 screenshot plan | Publication of console guardrail doc | Docs Guild · Console Guild | 2025-11-15 |
-### Risk outlook (2025-11-13)
+### Decisions closed (2025-11-17)
 | Decision | Outcome / date | Impacted work | Owner(s) |
 | --- | --- | --- | --- |
 | Link-Not-Merge schema (`CONCELIER-GRAPH-21-001/002`, `CARTO-GRAPH-21-002`) | Approved; v1 frozen 2025-11-17. | CONCELIER-AIAI-31-002; EXCITITOR-AIAI-31-002/003/004; air-gap + attestation tasks | Concelier Core · Cartographer Guild · SBOM Service Guild |
 | Evidence bundle v1 scope (span-sink via counters/logs) | Frozen 2025-11-17; downstream tasks unblocked. | Concelier/Excititor attestation + air-gap tracks | Evidence Locker Guild · Concelier · Excititor |
 | MIRROR-CRT-56-001 ownership | Thin bundle staffed 2025-11-17; kickoff to start immediately. | MIRROR-CRT-56/57/58; Export/CLI/AirGap Time tracks | Mirror Creator Guild |
 ### Risk outlook (2025-11-17)
 | Risk | Impact | Mitigation / owner |
 | --- | --- | --- |
-| SBOM/CLI/Policy/DevOps artefacts slip past 2025-11-14 | Advisory AI docs + SBOM feeds stay blocked, delaying rollout & dependent sprints. | Lock ETAs during 14 Nov interlock; escalate to Advisory AI leadership if commitments slip. |
+| SBOM/CLI/Policy/DevOps artefacts still missing (overdue since 2025-11-14) | Advisory AI docs + SBOM feeds remain blocked; rollout delays cascade to dependent sprints. | Reschedule ETAs with owners; escalate if dates not confirmed this week. |
-| Link-Not-Merge schema approval delayed | Concelier/Excititor APIs, console overlays, air-gap bundles remain gated. | Close 14 Nov review with migration notes; unblock tasks immediately after approval. |
+| Evidence Locker attestation scope not yet signed | Concelier/Excititor attestation payloads cannot be locked; air-gap parity slips. | Secure scope sign-off; publish contract in Evidence bundle notes. |
-| Excititor attestation backlog stalls | VEX evidence + air-gap parity cannot progress; Mirror support drifts. | Use 15 Nov sequencing session to lock order and reserve engineering capacity. |
+| Concelier WebService `/linksets` tests still not executed: local build emits only coverage map (no test DLL), vstest reports missing/invalid source | `/linksets` integration remains unvalidated; release confidence reduced. | Execute `Linksets*` in CI runner (no harness arg injection); ensure test DLL persists, then run `dotnet test --filter Linksets`. |
-| MIRROR-CRT-56-001 remains unstaffed | DSSE/TUF, OCI/time-anchor, CLI, Export Center automation cannot start (Sprint 0125 slips). | Assign owner at kickoff; reallocate Export/AirGap engineers if needed. |
+| Excititor chunk API tests not runnable locally (vstest misroutes to missing Concelier test DLL) | Evidence chunk contract changes unvalidated; release risk for EXCITITOR-AIAI-31-002/003/004. | Run `VexEvidence*` tests on CI/clean runner; ensure test DLL outputs are preserved; retry `dotnet test --filter VexEvidence* --no-build --no-restore`. |
-| Connector refreshes (ICSCISA/KISA) remain overdue | Advisory AI may serve stale advisories; telemetry accuracy suffers. | Feed owners to publish remediation plan + interim mitigations by 2025-11-15 stand-up. |
+| Mirror thin-bundle schedule unconfirmed despite staffing | DSSE/TUF, OCI/time-anchor, Export/CLI automation may slip without concrete milestones. | Publish MIRROR-CRT-56-001 milestone dates by 2025-11-19 and log in Execution Log. |
-| Concelier WebService tests blocked by injected MSBuild switch `workdir:` | Cannot validate new `/linksets` integration; release confidence reduced. | Fix runner/tooling or execute tests in environment that does not append `workdir:` to MSBuild args. |
+| Connector refreshes (ICSCISA/KISA) remain overdue | Advisory AI may serve stale advisories; telemetry accuracy suffers. | Feed owners to publish remediation plan + interim mitigations. |
 | Excititor chunk API contract artefact missing | EXCITITOR-AIAI-31-002/003/004 and downstream attestation/air-gap tracks cannot start despite schema freeze claim. | Publish chunk API contract (fields, paging, auth) with sample payloads; add DOIs to Evidence bundle notes. |
 ## Next Checkpoints
 | Date (UTC) | Session | Goal | Impacted wave(s) | Prep owner(s) |
 | --- | --- | --- | --- | --- |
-| 2025-11-14 | Advisory AI customer surfaces follow-up | Capture SBOM/CLI/Policy/DevOps ETAs to restart DOCS/SBOM work. | 110.A | Advisory AI · SBOM · CLI · Policy · DevOps guild leads |
+| 2025-11-18 | SBOM/CLI/Policy/DevOps ETA reset | Secure new dates to unblock DOCS-AIAI and SBOM hand-off kit. | 110.A | Advisory AI · SBOM · CLI · Policy · DevOps guild leads |
-| 2025-11-14 | Link-Not-Merge schema review | Approve schema payloads + migration notes. | 110.B · 110.C | Concelier Core · Cartographer Guild · SBOM Service Guild |
+| 2025-11-18 | Evidence Locker scope sign-off | Finalise attestation payload/contract for Concelier/Excititor. | 110.C | Evidence Locker · Excititor · Concelier guild leads |
-| 2025-11-15 | Excititor attestation sequencing | Lock Evidence Locker contract + backlog order. | 110.C | Excititor Web/Core · Evidence Locker Guild |
+| 2025-11-19 | Mirror thin bundle milestone-0 | Lock owner, primary/backup, timeline, and sample export path. | 110.D | Mirror Creator · Exporter · AirGap Time · Security guilds |
-| 2025-11-15 | Mirror evidence kickoff | Assign MIRROR-CRT-56-001 owner; confirm staffing; outline DSSE/TUF + OCI milestones. | 110.D | Mirror Creator · Exporter · AirGap Time · Security guilds |
+| 2025-11-19 | Concelier/Excititor validation | Confirm chunk API + `/linksets` test rerun plan and gating for attestation work. | 110.B · 110.C | Concelier · Excititor · Testing guild leads |
 ## Appendix
 - Detailed coordination artefacts, contingency playbook, and historical notes live at `docs/implplan/archived/SPRINT_110_ingestion_evidence_2025-11-13.md`.
--- a/docs/implplan/SPRINT_0111_0001_0001_advisoryai.md
+++ b/docs/implplan/SPRINT_0111_0001_0001_advisoryai.md
@@ -19,13 +19,14 @@
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | DOCS-AIAI-31-006 | DONE (2025-11-13) | — | Docs Guild · Policy Guild (`docs`) | `docs/policy/assistant-parameters.md` documents inference modes, guardrail phrases, budgets, cache/queue knobs (POLICY-ENGINE-31-001 inputs via `AdvisoryAiServiceOptions`). |
-| 2 | DOCS-AIAI-31-008 | BLOCKED (2025-11-03) | SBOM-AIAI-31-001 | Docs Guild · SBOM Service Guild (`docs`) | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). |
+| 2 | DOCS-AIAI-31-008 | BLOCKED (2025-11-17) | Await `/v1/sbom/context` projection kit/fixtures from SBOM Service (SBOM-AIAI-31-003). | Docs Guild · SBOM Service Guild (`docs`) | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). |
-| 3 | DOCS-AIAI-31-009 | BLOCKED (2025-11-03) | DEVOPS-AIAI-31-001 | Docs Guild · DevOps Guild (`docs`) | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, outages, scaling. |
+| 3 | DOCS-AIAI-31-009 | BLOCKED (2025-11-17) | DEVOPS-AIAI-31-001 draft runbook needed | Docs Guild · DevOps Guild (`docs`) | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, outages, scaling. |
-| 4 | SBOM-AIAI-31-003 | BLOCKED (2025-11-16) | SBOM-AIAI-31-001 | SBOM Service Guild · Advisory AI Guild (`src/SbomService/StellaOps.SbomService`) | Publish Advisory AI hand-off kit for `/v1/sbom/context`, provide base URL/API key + tenant header contract, run smoke test. |
+| 4 | SBOM-AIAI-31-003 | BLOCKED (2025-11-17) | Need SBOM Service to supply `/v1/sbom/context` projection kit + smoke fixtures. | SBOM Service Guild · Advisory AI Guild (`src/SbomService/StellaOps.SbomService`) | Publish Advisory AI hand-off kit for `/sbom/context`, provide base URL/API key + tenant header contract, run smoke test. |
-| 5 | AIAI-31-008 | BLOCKED (2025-11-16) | AIAI-31-006/007; DEVOPS-AIAI-31-001 | Advisory AI Guild · DevOps Guild (`src/AdvisoryAI/StellaOps.AdvisoryAI`) | Package inference on-prem container, remote toggle, Helm/Compose manifests, scaling/offline guidance. |
+| 5 | AIAI-31-008 | BLOCKED (2025-11-17) | DEVOPS-AIAI-31-001 runbook not delivered | Advisory AI Guild · DevOps Guild (`src/AdvisoryAI/StellaOps.AdvisoryAI`) | Package inference on-prem container, remote toggle, Helm/Compose manifests, scaling/offline guidance. |
 | 6 | AIAI-31-009 | DONE (2025-11-12) | — | Advisory AI Guild · QA Guild (`src/AdvisoryAI/StellaOps.AdvisoryAI`) | Develop unit/golden/property/perf tests, injection harness, regression suite; determinism with seeded caches. |
-| 7 | DOCS-AIAI-31-004 | BLOCKED (2025-11-16) | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; EXCITITOR-CONSOLE-23-001 | Docs Guild · Console Guild (`docs`) | `/docs/advisory-ai/console.md` screenshots, a11y, copy-as-ticket instructions. |
+| 7 | DOCS-AIAI-31-004 | BLOCKED (2025-11-17) | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; EXCITITOR-CONSOLE-23-001 | Docs Guild · Console Guild (`docs`) | `/docs/advisory-ai/console.md` screenshots, a11y, copy-as-ticket instructions. |
-| 8 | DOCS-AIAI-31-005 | BLOCKED (2025-11-03) | CLI-VULN-29-001; CLI-VEX-30-001; AIAI-31-004C | Docs Guild · CLI Guild (`docs`) | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. |
+| 8 | DOCS-AIAI-31-005 | BLOCKED (2025-11-17) | CLI-VULN-29-001; CLI-VEX-30-001; AIAI-31-004C | Docs Guild · CLI Guild (`docs`) | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. |
 | 9 | AGENTS-AIAI-UPDATE | DONE (2025-11-17) | — | PM Guild · Advisory AI Guild (`src/AdvisoryAI`, `docs/modules/advisory-ai`) | Create/update `src/AdvisoryAI/AGENTS.md` to document roles, working agreements, allowed shared dirs, and required runbooks/tests. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
@@ -40,25 +41,29 @@
 | 2025-11-13 | DOCS-AIAI-31-006 published (`assistant-parameters.md`). | Docs Guild |
 | 2025-11-16 | SBOM-AIAI-31-003 and AIAI-31-008 marked BLOCKED pending SBOM-AIAI-31-001 and DEVOPS-AIAI-31-001 respectively; DOCS-AIAI-31-004 remains BLOCKED pending Console/Excititor feeds. | Planner |
 | 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_111_advisoryai.md` to `SPRINT_0111_0001_0001_advisoryai.md`; no semantic changes. | Planning |
 | 2025-11-17 | Applied coordinator decisions: SBOM-AIAI-31-001 contract frozen (idempotent, extend-only, no versioning); Ops/telemetry path approved; flipped dependent AIAI docs/packaging tasks to TODO. | Coordinator |
 | 2025-11-17 | Updated statuses (marked console/CLI/docs/devops dependencies BLOCKED), rolled checkpoints forward, and removed legacy `docs/implplan/SPRINT_111_advisoryai.md` now that renamed file is canonical. | Planning |
 | 2025-11-17 | Clarified SBOM gating: DOCS-AIAI-31-008 and SBOM-AIAI-31-003 remain BLOCKED pending `/v1/sbom/context` projection kit/fixtures; AGENTS charter refreshed. | Advisory AI Guild |
 | 2025-11-17 | Updated `src/AdvisoryAI/AGENTS.md` with roles/boundaries/testing rules; marked AGENTS-AIAI-UPDATE as DONE. | Advisory AI Guild |
 ## Decisions & Risks
 - Console dependencies (CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001) control closure of DOCS-AIAI-31-004; consider temporary mock screenshots if dates slip.
- SBOM-AIAI-31-001 is gate for SBOM hand-off kit and remediation heuristics doc.
+- SBOM projection kit (SBOM-AIAI-31-003 deliverable) gates both `/v1/sbom/context` hand-off and remediation heuristics doc; risk of idle time if slip past 2025-11-18.
 - CLI backlog (CLI-VULN-29-001 / CLI-VEX-30-001) blocks CLI doc; request interim outputs if priorities shift.
 - DevOps runbook (DEVOPS-AIAI-31-001) needed before packaging (AIAI-31-008) proceeds.
 ## Next Checkpoints
- 2025-11-14: Console owners to confirm widget readiness for DOCS-AIAI-31-004.
+- 2025-11-18: SBOM Service to deliver `/v1/sbom/context` projection kit + smoke plan (unblocks SBOM-AIAI-31-003; enables DOCS-AIAI-31-008 drafts).
- 2025-11-14: SBOM-AIAI-31-001 projection kit ETA to unlock SBOM-AIAI-31-003/DOCS-AIAI-31-008.
+- 2025-11-18: DevOps to provide first draft of DEVOPS-AIAI-31-001 runbook (unblocks DOCS-AIAI-31-009 and AIAI-31-008 packaging work).
- 2025-11-15: CLI owners to share `stella advise` verb outline/beta timeline.
+- 2025-11-19: Console owners to release widget screenshots/feeds or provide slip date for DOCS-AIAI-31-004.
- 2025-11-15: DevOps to share draft for DEVOPS-AIAI-31-001 to unblock AIAI-31-008/DOCS-AIAI-31-009.
+- 2025-11-19: CLI guild to share `stella advise` verb outline/outputs for DOCS-AIAI-31-005.
 ## Blockers & Dependencies (detailed)
 | Blocked item | Dependency | Owner(s) | Notes |
 | --- | --- | --- | --- |
 | DOCS-AIAI-31-004 (`/docs/advisory-ai/console.md`) | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; EXCITITOR-CONSOLE-23-001 | Docs Guild · Console Guild | Screenshots + a11y copy pending widgets/feeds. |
 | DOCS-AIAI-31-005 (`/docs/advisory-ai/cli.md`) | CLI-VULN-29-001; CLI-VEX-30-001; AIAI-31-004C | Docs Guild · CLI Guild | CLI verbs/outputs unavailable; doc paused. |
-| DOCS-AIAI-31-008 (`/docs/sbom/remediation-heuristics.md`) | SBOM-AIAI-31-001 | Docs Guild · SBOM Service Guild | Needs heuristics kit + contract. |
+| DOCS-AIAI-31-008 (`/docs/sbom/remediation-heuristics.md`) | SBOM Service projection kit for `/v1/sbom/context` | Docs Guild · SBOM Service Guild | Needs projection kit + fixtures to document heuristics. |
 | DOCS-AIAI-31-009 (`/docs/runbooks/assistant-ops.md`) | DEVOPS-AIAI-31-001 | Docs Guild · DevOps Guild | Runbook steps pending. |
-| SBOM-AIAI-31-003 (`/v1/sbom/context` hand-off kit) | SBOM-AIAI-31-001 | SBOM Service Guild · Advisory AI Guild | Requires projection + smoke plan. |
+| SBOM-AIAI-31-003 (`/v1/sbom/context` hand-off kit) | SBOM Service projection kit + smoke plan | SBOM Service Guild · Advisory AI Guild | Requires projection fixtures + smoke plan. |
 | AIAI-31-008 (on-prem/remote inference packaging) | AIAI-31-006..007; DEVOPS-AIAI-31-001 | Advisory AI Guild · DevOps Guild | Packaging waits for guardrail knob doc (done) + DevOps runbook draft. |
--- a/docs/implplan/SPRINT_0112_0001_0001_concelier_i.md
+++ b/docs/implplan/SPRINT_0112_0001_0001_concelier_i.md
@@ -27,19 +27,19 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | CONCELIER-AIAI-31-002 | DOING | Await Link-Not-Merge sign-off; finish `ResolveAdvisoryAsync` + cache key update. | Concelier WebService Guild | Program.cs handler emits structured entries with `{chunkId,fingerprint,entries[],provenance.documentId,provenance.observationPath}`; deterministic ordering; Mongo2Go tests updated. |
+| 1 | CONCELIER-AIAI-31-002 | DOING | Await Link-Not-Merge sign-off; linkset store interface fixed; rerun WebService tests (long restore) to validate chunk changes. | Concelier WebService Guild | Program.cs handler emits structured entries with `{chunkId,fingerprint,entries[],provenance.documentId,provenance.observationPath}`; deterministic ordering; Mongo2Go tests updated. |
 | 2 | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | None | Concelier WebService Guild · Observability Guild | OTEL counters: `advisory_ai_chunk_requests_total`, `advisory_ai_chunk_cache_hits_total`, `advisory_ai_guardrail_blocks_total` tagged with tenant/result/cache. |
-| 3 | CONCELIER-AIRGAP-56-001 | TODO | Staff MIRROR-CRT-56-001; implement Offline Kit read path. | Concelier Core Guild | Mirror ingestion adapters persist `bundleId`, `merkleRoot`, append-only ledger comparisons. |
+| 3 | CONCELIER-AIRGAP-56-001 | BLOCKED | Await MIRROR-CRT-56-001 staffing (kickoff 2025-11-15) before Offline Kit read path. | Concelier Core Guild | Mirror ingestion adapters persist `bundleId`, `merkleRoot`, append-only ledger comparisons. |
-| 4 | CONCELIER-AIRGAP-56-002 | TODO | Depends on 56-001 | Concelier Core Guild · AirGap Importer Guild | Store `{bundleId, merkleRoot, observationPath}` on observations/linksets for single-source provenance. |
+| 4 | CONCELIER-AIRGAP-56-002 | BLOCKED | Blocked by 56-001 staffing; provenance fields depend on mirror ingest. | Concelier Core Guild · AirGap Importer Guild | Store `{bundleId, merkleRoot, observationPath}` on observations/linksets for single-source provenance. |
-| 5 | CONCELIER-AIRGAP-57-001 | TODO | Depends on 56-001 | Concelier Core Guild · AirGap Policy Guild | Sealed-mode feature flag rejects non-mirror connectors with actionable diagnostics. |
+| 5 | CONCELIER-AIRGAP-57-001 | BLOCKED | Blocked by 56-001; sealed-mode flag waits on mirror ingest readiness. | Concelier Core Guild · AirGap Policy Guild | Sealed-mode feature flag rejects non-mirror connectors with actionable diagnostics. |
-| 6 | CONCELIER-AIRGAP-57-002 | TODO | Depends on 56-002 | Concelier Core Guild · AirGap Time Guild | Compute `fetchedAt/publishedAt/clockSource` deltas and expose via observation APIs. |
+| 6 | CONCELIER-AIRGAP-57-002 | BLOCKED | Blocked by 56-002; timestamp delta work follows provenance storage. | Concelier Core Guild · AirGap Time Guild | Compute `fetchedAt/publishedAt/clockSource` deltas and expose via observation APIs. |
-| 7 | CONCELIER-AIRGAP-58-001 | TODO | Depends on 57-002 | Concelier Core Guild · Evidence Locker Guild | Portable advisory evidence bundles include provenance notes and verifier instructions. |
+| 7 | CONCELIER-AIRGAP-58-001 | BLOCKED | Blocked by 57-002 timing deltas; evidence bundle schema depends on upstream. | Concelier Core Guild · Evidence Locker Guild | Portable advisory evidence bundles include provenance notes and verifier instructions. |
-| 8 | CONCELIER-ATTEST-73-001 | TODO | Needs Workstream A output + attestation sequencing | Concelier Core Guild · Attestor Service Guild | Emit `{observationDigest, linksetDigest, documentId}` pairs for DSSE bundles. |
+| 8 | CONCELIER-ATTEST-73-001 | BLOCKED | Waiting on Workstream A output + attestation sequencing with Excititor. | Concelier Core Guild · Attestor Service Guild | Emit `{observationDigest, linksetDigest, documentId}` pairs for DSSE bundles. |
-| 9 | CONCELIER-ATTEST-73-002 | TODO | Depends on 73-001 | Concelier Core Guild | Transparency metadata exposes `bundleId`, Rekor refs, observation paths for external explorers. |
+| 9 | CONCELIER-ATTEST-73-002 | BLOCKED | Blocked by 73-001 DSSE emitters. | Concelier Core Guild | Transparency metadata exposes `bundleId`, Rekor refs, observation paths for external explorers. |
-| 10 | CONCELIER-CONSOLE-23-001 | TODO | Blocked by Link-Not-Merge schema | Concelier WebService Guild · BE-Base Platform Guild | `/console/advisories` groups linksets with severity/status chips and provenance `{documentId, observationPath}`. |
+| 10 | CONCELIER-CONSOLE-23-001 | BLOCKED | Blocked by Link-Not-Merge schema review (CARTO-GRAPH-21-002). | Concelier WebService Guild · BE-Base Platform Guild | `/console/advisories` groups linksets with severity/status chips and provenance `{documentId, observationPath}`. |
-| 11 | CONCELIER-CONSOLE-23-002 | TODO | Depends on 23-001 | Concelier WebService Guild | Deterministic dashboard deltas API returns new/modified/conflicting sets referencing linkset IDs and field paths. |
+| 11 | CONCELIER-CONSOLE-23-002 | BLOCKED | Blocked by 23-001 console API shape. | Concelier WebService Guild | Deterministic dashboard deltas API returns new/modified/conflicting sets referencing linkset IDs and field paths. |
-| 12 | CONCELIER-CONSOLE-23-003 | TODO | Depends on Workstream A taxonomy | Concelier WebService Guild | Search fan-out helpers for CVE/GHSA/PURL with observation excerpts, provenance anchors, cache hints. |
+| 12 | CONCELIER-CONSOLE-23-003 | BLOCKED | Blocked by Workstream A taxonomy decisions. | Concelier WebService Guild | Search fan-out helpers for CVE/GHSA/PURL with observation excerpts, provenance anchors, cache hints. |
-| 13 | CONCELIER-CORE-AOC-19-013 | TODO | Waits for structured endpoint readiness + AUTH-SIG-26-001 | Concelier Core Guild | Smoke/e2e suites enforce Authority tokens + tenant headers on ingest/read paths; provenance anchors round-trip. |
+| 13 | CONCELIER-CORE-AOC-19-013 | BLOCKED | Blocked by structured endpoint readiness + AUTH-SIG-26-001 decision. | Concelier Core Guild | Smoke/e2e suites enforce Authority tokens + tenant headers on ingest/read paths; provenance anchors round-trip. |
 ### Implementation checklist (applies to CONCELIER-AIAI-31-002)
 1. Add `ResolveAdvisoryAsync` helper with alias fallback + tenant guard.
@@ -57,13 +57,18 @@
 | 2025-11-17 | Created Concelier module charter at `src/Concelier/AGENTS.md`; unblocked Workstreams B–E and reset tasks to TODO. | Concelier Implementer |
 | 2025-11-17 | Added authority/tenant enforcement smoke tests for ingest + observations; CONCELIER-CORE-AOC-19-013 blocked by storage DI ambiguity (`IAdvisoryLinksetStore`). | Concelier Implementer |
 | 2025-11-17 | Retried build after renaming Mongo linkset store and redoing DI; ambiguity persists (`IAdvisoryLinksetStore`), WebService tests still not runnable. | Concelier Implementer |
 | 2025-11-17 | Updated Delivery Tracker to mark Workstreams B–E as BLOCKED pending MIRROR staffing, Link-Not-Merge outcome, and attestation contract; no scope changes. | Project Management |
 | 2025-11-17 | Implemented structured chunk response with fingerprint + provenance anchors; reordered deterministically; added Advisory AI API doc + inline DSSE appendix; tests not executed because `ConcelierMongoLinksetStore` still fails interface contracts (IAdvisoryLinksetSink/Lookup). | Concelier Implementer |
 | 2025-11-17 | Fixed `ConcelierMongoLinksetStore` to satisfy IAdvisoryLinksetSink/Lookup; storage project builds; WebService test run not completed (restore/build >150s, aborted) — rerun required. | Concelier Implementer |
 | 2025-11-17 | Kicked full solution build to warm cache before rerunning WebService tests; build still running >30s and terminated to stay within sprint window. Tests remain pending; next attempt should use warmed cache and `--no-restore`. | Concelier Implementer |
 ## Decisions & Risks
 - Link-Not-Merge schema slip past 2025-11-14 would stall Workstreams A and D; fallback adapter prep required.
 - Mirror staffing unresolved blocks AIRGAP-56/57/58 and Offline Kit parity; escalate at 2025-11-15 kickoff.
 - Evidence Locker contract delay would stall ATTEST-73, leaving Advisory AI without attested provenance.
 - Authority smoke coverage gap risks AOC guardrails regressing when structured endpoint ships; pairing with Authority guild planned once Workstream A PR is ready.
- Status snapshot (as of 2025-11-13): A 🔶 DOING; B 🔴 BLOCKED; C 🔴 BLOCKED; D 🔶 WATCHING; E 🔶 WATCHING.
+- Status snapshot (as of 2025-11-17): A 🔶 DOING; B 🔴 BLOCKED (MIRROR-CRT-56 staffing pending); C 🔴 BLOCKED (attestation contract with Excititor/Evidence Locker); D 🔴 BLOCKED (Link-Not-Merge review outcome pending); E 🔴 BLOCKED (AUTH-SIG-26-001 + structured endpoint readiness).
 - Advisory AI chunk schema now exposes `fingerprint` + provenance anchors (`documentId`, `observationPath`); consumers must align to `docs/modules/concelier/advisory-ai-api.md`. Build/test verification blocked until `ConcelierMongoLinksetStore` implements `IAdvisoryLinksetSink`/`IAdvisoryLinksetLookup`.
 ## Next Checkpoints
 - 2025-11-14: Link-Not-Merge schema review (CARTO-GRAPH-21-002) — gate for Workstreams A/D.
@@ -74,7 +79,7 @@
 ## Blockers & Dependencies (detailed)
 | Dependency | Impacted work | Owner(s) | Status |
 | --- | --- | --- | --- |
-| Link-Not-Merge schema (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) | Workstream A release, Workstream D APIs | Concelier Core · Cartographer Guild · Platform Events Guild | Review scheduled 2025-11-14; approval required before shipping structured fields/console APIs. |
+| Link-Not-Merge schema (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) | Workstream A release, Workstream D APIs | Concelier Core · Cartographer Guild · Platform Events Guild | Review held 2025-11-14; decision/outcome not recorded as of 2025-11-17—blocks console API shape. |
-| MIRROR-CRT-56-001 staffing | Workstream B (AIRGAP-56/57/58) | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | Owner not assigned (per Sprint 110); kickoff on 2025-11-15 must resolve. |
+| MIRROR-CRT-56-001 staffing | Workstream B (AIRGAP-56/57/58) | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | Kickoff scheduled 2025-11-15; staffing outcome not reported, keep blocked. |
-| Evidence Locker attestation contract | Workstream C (ATTEST-73) | Evidence Locker Guild · Concelier Core | Needs alignment with Excititor attestation plan on 2025-11-15. |
+| Evidence Locker attestation contract | Workstream C (ATTEST-73) | Evidence Locker Guild · Concelier Core | Alignment with Excititor planned 2025-11-15; decision not logged as of 2025-11-17. |
 | Authority scope smoke coverage (`CONCELIER-CORE-AOC-19-013`) | Workstream E | Concelier Core · Authority Guild | Waiting on structured endpoint readiness + AUTH-SIG-26-001 validation. |
--- a/docs/implplan/SPRINT_0113_0001_0002_concelier_ii.md
+++ b/docs/implplan/SPRINT_0113_0001_0002_concelier_ii.md
@@ -16,16 +16,18 @@
 - docs/modules/platform/architecture-overview.md
 - docs/modules/concelier/architecture.md (plus storage and ingestion notes)
 - Any Link-Not-Merge schema/ADR docs referenced by CONCELIER-LNM-21-***
 - `src/Concelier/AGENTS.md` (module charter, testing/guardrail rules)
 - `docs/modules/concelier/link-not-merge-schema.md` (LNM schema v1, frozen 2025-11-17)
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | CONCELIER-GRAPH-21-001 | BLOCKED (2025-10-27) | Waiting for Link-Not-Merge schema finalization | Concelier Core Guild · Cartographer Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Extend SBOM normalization so relationships/scopes are stored as raw observation metadata with provenance pointers for graph joins. |
+| 1 | CONCELIER-GRAPH-21-001 | DOING | Link-Not-Merge v1 frozen (2025-11-17) | Concelier Core Guild · Cartographer Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Extend SBOM normalization so relationships/scopes are stored as raw observation metadata with provenance pointers for graph joins. |
-| 2 | CONCELIER-GRAPH-21-002 | BLOCKED (2025-10-27) | Depends on 21-001 | Concelier Core Guild · Scheduler Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish `sbom.observation.updated` events with tenant/context and advisory refs; facts only, no judgments. |
+| 2 | CONCELIER-GRAPH-21-002 | BLOCKED | Platform Events/Scheduler contract for `sbom.observation.updated` not defined; no event publisher plumbing in repo. | Concelier Core Guild · Scheduler Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish `sbom.observation.updated` events with tenant/context and advisory refs; facts only, no judgments. |
 | 3 | CONCELIER-GRAPH-24-101 | TODO | Depends on 21-002 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/summary` bundles observation/linkset metadata (aliases, confidence, conflicts) for graph overlays; upstream values intact. |
 | 4 | CONCELIER-GRAPH-28-102 | TODO | Depends on 24-101 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Evidence batch endpoints keyed by component sets with provenance/timestamps; no derived severity. |
-| 5 | CONCELIER-LNM-21-001 | TODO | Start of Link-Not-Merge chain | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Define immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards). |
+| 5 | CONCELIER-LNM-21-001 | DONE | Start of Link-Not-Merge chain | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Define immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards). |
-| 6 | CONCELIER-LNM-21-002 | TODO | Depends on 21-001 | Concelier Core Guild · Data Science Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Correlation pipelines output linksets with confidence + conflict markers, avoiding value collapse. |
+| 6 | CONCELIER-LNM-21-002 | BLOCKED | Depends on 21-001 | Concelier Core Guild · Data Science Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Correlation pipelines output linksets with confidence + conflict markers, avoiding value collapse. |
 | 7 | CONCELIER-LNM-21-003 | TODO | Depends on 21-002 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Record disagreements (severity, CVSS, references) as structured conflict entries. |
 | 8 | CONCELIER-LNM-21-004 | TODO | Depends on 21-003 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Remove legacy merge/dedup logic; add guardrails/tests to keep ingestion append-only; document linkset supersession. |
 | 9 | CONCELIER-LNM-21-005 | TODO | Depends on 21-004 | Concelier Core Guild · Platform Events Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit `advisory.linkset.updated` events with delta descriptions + observation ids (tenant + provenance only). |
@@ -39,11 +41,21 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-17 | Started CONCELIER-GRAPH-21-001: added raw linkset scopes + relationships (provenance) through contracts, ingest mapper, storage mapping, and sanitization; new Mongo mapping test added. | Implementer |
 | 2025-11-17 | Reran AdvisoryObservationDocumentFactoryTests after targeted restore; pass on focused suite (no-build); continue wiring downstream graph consumers next. | Implementer |
 | 2025-11-17 | Exposed scopes/relationships in observation query aggregates and API responses; updated LNM samples. Attempted AdvisoryObservationQueryServiceTests build cancelled due to long solution build; rerun on warmed cache needed. | Implementer |
 | 2025-11-17 | Marked CONCELIER-GRAPH-21-002 BLOCKED: no `sbom.observation.updated` event contract/publisher present; requires Scheduler/Platform Events agreement before implementation. | Implementer |
 | 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
 | 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_113_concelier_ii.md` to `SPRINT_0113_0001_0002_concelier_ii.md`; no semantic changes. | Planning |
 | 2025-11-17 | Link-Not-Merge v1 frozen; tasks 1–2 moved to TODO; Cartographer to deliver fixtures. | Coordinator |
 | 2025-11-17 | Recorded LNM v1 freeze in doc prerequisites/Decisions; aligned schema reference for implementers. | Planning |
 | 2025-11-17 | Implemented immutable `advisory_observations` v1 model + Mongo mapping with deterministic ids and tenant guards; added factory/unit tests. | Concelier Core |
 | 2025-11-17 | Added linkset v1 confidence/conflict scaffolding and deterministic mapping; started CONCELIER-LNM-21-002 implementation; tests pending build pass. | Concelier Core |
 | 2025-11-17 | Documented optional `confidence`/`conflicts` fields in LNM linkset schema and refreshed sample payload. | Concelier Core |
 | 2025-11-18 | Task 6 blocked: Core test project (`StellaOps.Concelier.Core.Tests`) not emitting DLL; `dotnet test` fails (MSB6006) despite rebuilds. Needs build infra fix before proceeding. | Concelier Core |
 ## Decisions & Risks
- Link-Not-Merge schema sequence is critical path; delays keep ingestion and graph events blocked (see tasks 5–15).
+- Link-Not-Merge v1 frozen 2025-11-17; schema captured in `docs/modules/concelier/link-not-merge-schema.md` (add-only evolution); fixtures pending for tasks 1–2, 5–15.
 - Graph event pipeline depends on Scheduler/Platform Events alignment to avoid non-deterministic downstream joins.
 - Storage backfill (21-102) and object-store move (21-103) must preserve provenance metadata to avoid regression in Offline Kit and replay.
@@ -54,6 +66,6 @@
 ## Blockers & Dependencies (detailed)
 | Dependency | Impacted work | Owner(s) | Status |
 | --- | --- | --- | --- |
-| Link-Not-Merge schema finalization (CONCELIER-LNM-21-001+) | Tasks 1–15 | Concelier Core · Cartographer · Platform Events | Outstanding; blockers dated 2025-10-27 remain. |
+| Link-Not-Merge schema finalization (CONCELIER-LNM-21-001+) | Tasks 1–15 | Concelier Core · Cartographer · Platform Events | Resolved: v1 frozen 2025-11-17 with add-only rule; fixtures pending. |
 | Scheduler / Platform Events contract for `sbom.observation.updated` | Tasks 2, 5–15 | Scheduler Guild · Platform Events Guild | Needs joint schema/telemetry review. |
 | Object storage contract for raw payloads | Tasks 10–12 | Storage Guild · DevOps Guild | To be defined alongside 21-103. |
--- a/docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md
+++ b/docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md
@@ -20,31 +20,37 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | CONCELIER-OAS-61-001 | TODO | Needs latest LNM schema from Sprint 0113 | Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Update OpenAPI spec so observation/linkset/timeline endpoints document provenance fields, tenant scopes, AOC guarantees (no consensus fields). |
+| 1 | CONCELIER-OAS-61-001 | BLOCKED | LNM schema frozen 2025-11-17, but OpenAPI source/spec artifact not present in repo; need canonical spec to edit | Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Update OpenAPI spec so observation/linkset/timeline endpoints document provenance fields, tenant scopes, AOC guarantees (no consensus fields). |
-| 2 | CONCELIER-OAS-61-002 | TODO | Depends on 61-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Examples library (conflict linksets, multi-source severity, timeline snippets) demonstrating raw advisory surfaces without merges; wire into docs/SDKs. |
+| 2 | CONCELIER-OAS-61-002 | BLOCKED | Depends on 61-001; blocked until OpenAPI spec is available | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Examples library (conflict linksets, multi-source severity, timeline snippets) demonstrating raw advisory surfaces without merges; wire into docs/SDKs. |
-| 3 | CONCELIER-OAS-62-001 | TODO | Depends on 61-002 | Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | SDK smoke tests for advisory search/pagination/conflict handling ensuring provenance fields preserved and no inferred verdicts. |
+| 3 | CONCELIER-OAS-62-001 | BLOCKED | Depends on 61-002; blocked with OAS chain | Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | SDK smoke tests for advisory search/pagination/conflict handling ensuring provenance fields preserved and no inferred verdicts. |
-| 4 | CONCELIER-OAS-63-001 | TODO | Depends on 62-001 | Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Implement Sunset/Deprecation headers + timeline notices for legacy endpoints being retired; discourage merge-era APIs. |
+| 4 | CONCELIER-OAS-63-001 | BLOCKED | Depends on 62-001; blocked with OAS chain | Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Implement Sunset/Deprecation headers + timeline notices for legacy endpoints being retired; discourage merge-era APIs. |
-| 5 | CONCELIER-OBS-51-001 | TODO | Start of OBS chain | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit ingestion latency, queue depth, and AOC violation metrics with burn-rate alerts to prove pipeline health. |
+| 5 | CONCELIER-OBS-51-001 | BLOCKED | Await observability spec (metrics names/labels, SLO burn rules) from DevOps; none present in repo | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit ingestion latency, queue depth, and AOC violation metrics with burn-rate alerts to prove pipeline health. |
-| 6 | CONCELIER-OBS-52-001 | TODO | Depends on 51-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Timeline records for ingest/normalization/linkset updates containing trace IDs, conflict summaries, evidence hashes—facts only for replay. |
+| 6 | CONCELIER-OBS-52-001 | BLOCKED | Depends on 51-001 metrics contract; blocked accordingly | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Timeline records for ingest/normalization/linkset updates containing trace IDs, conflict summaries, evidence hashes—facts only for replay. |
-| 7 | CONCELIER-OBS-53-001 | TODO | Depends on 52-001 | Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests for audit replay without live Mongo. |
+| 7 | CONCELIER-OBS-53-001 | BLOCKED | Depends on 52-001; blocked until timeline instrumentation defined | Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests for audit replay without live Mongo. |
-| 8 | CONCELIER-OBS-54-001 | TODO | Depends on 53-001 | Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Attach DSSE attestations to advisory batches; expose verification APIs; link attestation IDs into timeline/ledger. |
+| 8 | CONCELIER-OBS-54-001 | BLOCKED | Depends on OBS timeline artifacts; no attestation contract yet | Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Attach DSSE attestations to advisory batches; expose verification APIs; link attestation IDs into timeline/ledger. |
-| 9 | CONCELIER-OBS-55-001 | TODO | Depends on 54-001 | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Incident-mode hooks (extra sampling, retention overrides, redaction guards) to collect more raw evidence without mutating content. |
+| 9 | CONCELIER-OBS-55-001 | BLOCKED | Depends on 54-001; incident-mode hooks need finalized attestation/timeline shape | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Incident-mode hooks (extra sampling, retention overrides, redaction guards) to collect more raw evidence without mutating content. |
-| 10 | CONCELIER-ORCH-32-001 | TODO | Coordinate with orchestrator registry | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Register every advisory connector with orchestrator (metadata, auth scopes, rate policies) for transparent, reproducible scheduling. |
+| 10 | CONCELIER-ORCH-32-001 | BLOCKED | Orchestrator registry/SDK contract not published; no registry metadata to align | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Register every advisory connector with orchestrator (metadata, auth scopes, rate policies) for transparent, reproducible scheduling. |
-| 11 | CONCELIER-ORCH-32-002 | TODO | Depends on 32-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Adopt orchestrator worker SDK in ingestion loops; emit heartbeats/progress/artifact hashes for deterministic replays. |
+| 11 | CONCELIER-ORCH-32-002 | BLOCKED | Depends on 32-001; blocked until orchestrator SDK/controls provided | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Adopt orchestrator worker SDK in ingestion loops; emit heartbeats/progress/artifact hashes for deterministic replays. |
-| 12 | CONCELIER-ORCH-33-001 | TODO | Depends on 32-002 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Honor orchestrator pause/throttle/retry controls with structured errors and persisted checkpoints. |
+| 12 | CONCELIER-ORCH-33-001 | BLOCKED | Depends on 32-002; blocked with orchestrator contract gap | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Honor orchestrator pause/throttle/retry controls with structured errors and persisted checkpoints. |
-| 13 | CONCELIER-ORCH-34-001 | TODO | Depends on 33-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Execute orchestrator-driven backfills reusing artifact hashes/signatures, logging provenance, and pushing run metadata to ledger. |
+| 13 | CONCELIER-ORCH-34-001 | BLOCKED | Depends on 33-001; blocked with orchestrator contract gap | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Execute orchestrator-driven backfills reusing artifact hashes/signatures, logging provenance, and pushing run metadata to ledger. |
-| 14 | CONCELIER-POLICY-20-001 | TODO | Needs Link-Not-Merge APIs from Sprint 0113 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy joins raw evidence without inferred outcomes. |
+| 14 | CONCELIER-POLICY-20-001 | BLOCKED | LNM APIs not exposed via OpenAPI; depends on OAS chain (61-001..63-001) now blocked | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy joins raw evidence without inferred outcomes. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
 | 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_114_concelier_iii.md` to `SPRINT_0114_0001_0003_concelier_iii.md`; no semantic changes. | Planning |
 | 2025-11-18 | Marked OAS tasks (61-001..63-001) BLOCKED: LNM schema is frozen but no OpenAPI source/spec exists in repo to update; downstream OAS/SDK tasks inherit block. | Concelier Core |
 | 2025-11-18 | Marked OBS chain (51-001..55-001) BLOCKED: repo lacks observability/AOC metric spec and attestation/timeline contract needed to instrument ingestion pipeline. | Concelier Core |
 | 2025-11-18 | Marked ORCH chain (32-001..34-001) and POLICY-20-001 BLOCKED: orchestrator registry/SDK contract and LNM OpenAPI exposure missing; blocked by upstream artefacts. | Concelier Core |
 ## Decisions & Risks
 - Link-Not-Merge and OpenAPI alignment must precede SDK/examples; otherwise downstream clients will drift from canonical facts.
 - Observability/attestation chain (OBS-51…55) risks audit gaps if sequencing slips; each step depends on previous artifacts.
 - Orchestrator control compliance is required to prevent evidence loss during throttles/pauses.
 - OpenAPI source (swagger/OAS) for Concelier endpoints is missing from the repo; OAS tasks 61-001..63-001 (and dependent Policy 20-001 tasks) cannot proceed until the canonical spec artifact is provided or generated location is identified.
 - Observability metric/attestation contracts are absent; OBS tasks 51-001..55-001 cannot proceed without metric names/labels, AOC thresholds, and timeline/attestation schemas.
 - Orchestrator registry/SDK contract is absent; ORCH tasks 32-001..34-001 are blocked until orchestrator metadata, control APIs, and worker SDK are published.
 ## Next Checkpoints
 - Schedule OpenAPI/SDK review once CONCELIER-OAS-61-001 draft ready (date TBD, gated on Sprint 0113 outputs).
--- a/docs/implplan/SPRINT_0119_0001_0001_excititor_i.md
+++ b/docs/implplan/SPRINT_0119_0001_0001_excititor_i.md
@@ -24,15 +24,15 @@
 | --- | --- | --- | --- | --- | --- |
 | 1 | EXCITITOR-AIAI-31-001 | DONE (2025-11-12) | Available to Advisory AI; monitor usage. | Excititor WebService Guild | Expose normalized VEX justifications, scope trees, and anchors via `VexObservation` projections so Advisory AI can cite raw evidence without consensus logic. |
 | 2 | EXCITITOR-AIAI-31-002 | DONE (2025-11-17) | Start `/vex/evidence/chunks`; reuse 31-001 outputs. | Excititor WebService Guild | Stream raw statements + signature metadata with tenant/policy filters for RAG clients; aggregation-only, reference observation/linkset IDs. |
-| 3 | EXCITITOR-AIAI-31-003 | BLOCKED (2025-11-17) | Await Ops span sink; finalize metrics wiring. | Excititor WebService Guild · Observability Guild | Instrument evidence APIs with request counters, chunk histograms, signature-failure + AOC guard-violation meters. |
+| 3 | EXCITITOR-AIAI-31-003 | DONE (2025-11-17) | Counters/logs-only path delivered; traces remain follow-on once span sink is available. | Excititor WebService Guild · Observability Guild | Instrument evidence APIs with request counters, chunk histograms, signature-failure + AOC guard-violation meters. |
-| 4 | EXCITITOR-AIAI-31-004 | BLOCKED (2025-11-17) | Waiting for 31-003 telemetry sink to stabilize before finalizing docs/SDK. | Excititor WebService Guild · Docs Guild | Codify Advisory-AI evidence contract, determinism guarantees, and mapping of observation IDs to storage. |
+| 4 | EXCITITOR-AIAI-31-004 | DONE (2025-11-18) | Doc published (`docs/modules/excititor/evidence-contract.md`); traces still gated on span sink but contract delivered | Excititor WebService Guild · Docs Guild | Codify Advisory-AI evidence contract, determinism guarantees, and mapping of observation IDs to storage. |
-| 5 | EXCITITOR-AIRGAP-56-001 | TODO | Waiting on Export Center mirror bundle schema (Sprint 162). | Excititor Core Guild | Mirror-first ingestion that preserves upstream digests, bundle IDs, and provenance for offline parity. |
+| 5 | EXCITITOR-AIRGAP-56-001 | BLOCKED | Waiting on Export Center mirror bundle schema (Sprint 162) to define ingestion shape. | Excititor Core Guild | Mirror-first ingestion that preserves upstream digests, bundle IDs, and provenance for offline parity. |
-| 6 | EXCITITOR-AIRGAP-57-001 | TODO | Blocked on 56-001; define sealed-mode errors. | Excititor Core Guild · AirGap Policy Guild | Enforce sealed-mode policies, remediation errors, and staleness annotations surfaced to Advisory AI. |
+| 6 | EXCITITOR-AIRGAP-57-001 | BLOCKED | Blocked on 56-001 schema; sealed-mode error catalog pending. | Excititor Core Guild · AirGap Policy Guild | Enforce sealed-mode policies, remediation errors, and staleness annotations surfaced to Advisory AI. |
-| 7 | EXCITITOR-AIRGAP-58-001 | TODO | Depends on 57-001 and EvidenceLocker portable format (160/161). | Excititor Core Guild · Evidence Locker Guild | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events. |
+| 7 | EXCITITOR-AIRGAP-58-001 | BLOCKED | Depends on 57-001 plus EvidenceLocker portable format (160/161). | Excititor Core Guild · Evidence Locker Guild | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events. |
 | 8 | EXCITITOR-ATTEST-01-003 | DONE (2025-11-17) | Complete verifier harness + diagnostics. | Excititor Attestation Guild | Finish `IVexAttestationVerifier`, wire structured diagnostics/metrics, and prove DSSE bundle verification without touching consensus results. |
 | 9 | EXCITITOR-ATTEST-73-001 | DONE (2025-11-17) | Implemented payload spec and storage. | Excititor Core · Attestation Payloads Guild | Emit attestation payloads capturing supplier identity, justification summary, and scope metadata for trust chaining. |
 | 10 | EXCITITOR-ATTEST-73-002 | DONE (2025-11-17) | Implemented linkage API. | Excititor Core Guild | Provide APIs linking attestation IDs back to observation/linkset/product tuples for provenance citations without derived verdicts. |
-| 11 | EXCITITOR-CONN-TRUST-01-001 | TODO | Await connector signer metadata schema (review 2025-11-14). | Excititor Connectors Guild | Add signer fingerprints, issuer tiers, and bundle references to MSRC/Oracle/Ubuntu/Stella connectors; document consumer guidance. |
+| 11 | EXCITITOR-CONN-TRUST-01-001 | BLOCKED | Connector signer metadata schema still unpublished post-2025-11-14 review. | Excititor Connectors Guild | Add signer fingerprints, issuer tiers, and bundle references to MSRC/Oracle/Ubuntu/Stella connectors; document consumer guidance. |
 ### Task Clusters & Readiness
 - **Advisory-AI evidence APIs:** 31-001 delivered; 31-003 instrumentation and 31-004 docs pending; ready to start once examples and telemetry fixtures finalize.
@@ -44,7 +44,7 @@
 | Focus | Action | Owner(s) | Due | Status |
 | --- | --- | --- | --- | --- |
 | Advisory-AI APIs | Publish finalized OpenAPI schema + SDK notes for projection API (31-004). | Excititor WebService Guild · Docs Guild | 2025-11-15 | In review (draft shared 2025-11-13) |
-| Observability | Wire metrics/traces for `/v1/vex/observations/**` (31-003) and document dashboards. | Excititor WebService Guild · Observability Guild | 2025-11-16 | Blocked (code + runbook ready; waiting on Ops span sink deploy) |
+| Observability | Wire metrics/traces for `/v1/vex/observations/**` (31-003) and document dashboards. | Excititor WebService Guild · Observability Guild | 2025-11-16 | PARTIAL (metrics/logs delivered 2025-11-17; traces await span sink) |
 | AirGap | Capture mirror bundle schema + sealed-mode toggle requirements for 56/57. | Excititor Core Guild · AirGap Policy Guild | 2025-11-17 | Pending |
 | Portable bundles | Draft bundle manifest + EvidenceLocker linkage notes for 58-001. | Excititor Core Guild · Evidence Locker Guild | 2025-11-18 | Pending |
 | Attestation | Complete verifier suite + diagnostics for 01-003. | Excititor Attestation Guild | 2025-11-16 | In progress (verifier harness ~80% complete) |
@@ -58,10 +58,13 @@
 | 2025-11-13 | OpenAPI draft for 31-004 shared; observability wiring blocked until Ops deploys span sink. | WebService Guild |
 | 2025-11-14 | Connector provenance schema review scheduled; Export Center mirror schema still pending, keeping 56/57 blocked. | Connectors Guild |
 | 2025-11-14 | 31-003 instrumentation (counters, chunk histogram, signature failure + guard-violation meters) merged; telemetry export blocked on span sink rollout. | WebService Guild |
 | 2025-11-17 | Added chunk request/response telemetry + signature status counters; `/v1/vex/evidence/chunks` now emits metrics without traces. | WebService Guild |
 | 2025-11-14 | Published `docs/modules/excititor/operations/observability.md` covering new evidence metrics for Ops/Lens dashboards. | Observability Guild |
 | 2025-11-16 | Normalized sprint file to standard template, renamed to SPRINT_0119_0001_0001_excititor_i.md, and updated tasks-all references. | Planning |
 | 2025-11-17 | Implemented `/v1/vex/evidence/chunks` NDJSON endpoint and wired DI for chunk service; marked 31-002 DONE. | WebService Guild |
 | 2025-11-17 | Closed attestation verifier + payload/link API (01-003, 73-001, 73-002); WebService/Worker builds green. | Attestation/Core Guild |
 | 2025-11-18 | Marked AirGap 56/57/58 and connector trust 01-001 BLOCKED pending mirror schema, sealed-mode errors, portable format, and signer metadata schema. | Implementer |
 | 2025-11-18 | Authored Advisory-AI evidence contract doc (`docs/modules/excititor/evidence-contract.md`) covering `/v1/vex/evidence/chunks`, schema, determinism, AOC, telemetry; 31-004 doc deliverable ready. | Implementer |
 ## Decisions & Risks
 - **Decisions**
@@ -70,13 +73,16 @@
  - Advisory-AI consumers must map observation IDs via projection service; keep aggregation-only stance (no consensus logic) for all new APIs.
 - **Risks & Mitigations**
  - Observability sinks not ready for 31-003 → reuse Signals dashboards; ship log-only fallback. Severity: Medium.
-  - Mirror bundle schema slips (Export Center/AirGap) → use placeholder schema; escalate; severity: High.
+  - Mirror bundle schema still absent (blocks 56/57/58) → escalate to Export Center; track due date 2025-11-19; severity: High.
  - Portable EvidenceLocker format not published (blocks 58-001) → request format drop from Evidence Locker leads; severity: High.
  - Connector signer metadata schema missing (blocks CONN-TRUST-01-001) → chase schema artefact owners; severity: Medium.
  - Attestation verifier misses 2025-11-16 target → daily stand-ups; parallel diagnostics; severity: High.
  - Connector signer metadata incomplete → stage connector-specific TODOs and feature flag partial rollout; severity: Medium.
 ## Next Checkpoints
 | Date (UTC) | Session / Owner | Goal | Fallback |
 | 2025-11-18 | Scanner mock bundle v1 delivered | Start GRAPH-INDEX/ZASTAVA tests using mock; publish hash | Scanner Guild |
 | --- | --- | --- | --- |
 | 2025-11-17 | Coordinator · WebService/Observability Guilds | Counters/logs-only fallback approved; start 31-003 execution without span sink. | Keep span sink as follow-on milestone. |
 | 2025-11-14 | Connector provenance schema review (Connectors + Security Guilds) | Approve signer fingerprint + issuer tier schema for CONN-TRUST-01-001. | If schema not ready, keep task blocked and request interim metadata list from connectors. |
 | 2025-11-15 | Export Center mirror schema sync (Export Center + Excititor + AirGap) | Receive mirror bundle manifest to unblock 56/57. | If delayed, escalate to Sprint 162 leads and use placeholder spec with clearly marked TODO. |
 | 2025-11-16 | Attestation verifier rehearsal (Excititor Attestation Guild) | Demo `IVexAttestationVerifier` harness + diagnostics to unblock 73-* tasks. | If issues persist, log BLOCKED status in attestation plan and re-forecast completion. |
--- a/docs/implplan/SPRINT_0119_0001_0002_excititor_ii.md
+++ b/docs/implplan/SPRINT_0119_0001_0002_excititor_ii.md
@@ -25,25 +25,26 @@
 | 1 | EXCITITOR-CONN-SUSE-01-003 | DONE (2025-11-09) | Trust metadata flowing; monitor consumers. | Excititor Connectors – SUSE | Emit provider trust configuration (signer fingerprints, trust tier notes) into raw provenance envelope; aggregation-only. |
 | 2 | EXCITITOR-CONN-UBUNTU-01-003 | DONE (2025-11-09) | Trust metadata flowing; monitor consumers. | Excititor Connectors – Ubuntu | Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) in raw provenance artifacts; aggregation-only. |
 | 3 | EXCITITOR-CONSOLE-23-001 | BLOCKED (2025-11-17) | Awaiting concrete `/console/vex` API contract and grouping schema; LNM 21-* view spec not present. | Excititor WebService Guild · BE-Base Platform Guild | Expose grouped VEX statements with status chips, justification metadata, precedence trace pointers, tenant filters. |
-| 4 | EXCITITOR-CONSOLE-23-002 | TODO | Depends on 23-001; design dashboard counters. | Excititor WebService Guild | Provide aggregated delta counts for overrides; emit metrics for policy explain. |
+| 4 | EXCITITOR-CONSOLE-23-002 | BLOCKED (2025-11-17) | Depends on 23-001; need sprint-level contract for counters. | Excititor WebService Guild | Provide aggregated delta counts for overrides; emit metrics for policy explain. |
-| 5 | EXCITITOR-CONSOLE-23-003 | TODO | Depends on 23-001; plan caching/RBAC. | Excititor WebService Guild | Rapid lookup endpoints of VEX by advisory/component incl. provenance + precedence context; caching + RBAC. |
+| 5 | EXCITITOR-CONSOLE-23-003 | BLOCKED (2025-11-17) | Depends on 23-001; contract for caching/RBAC/precedence context pending. | Excititor WebService Guild | Rapid lookup endpoints of VEX by advisory/component incl. provenance + precedence context; caching + RBAC. |
-| 6 | EXCITITOR-CORE-AOC-19-002 | BLOCKED (2025-11-17) | Linkset extraction rules/ordering not documented; need authoritative schema before coding. | Excititor Core Guild | Extract advisory IDs, component PURLs, references into linkset with reconciled-from metadata. |
+| 6 | EXCITITOR-CORE-AOC-19-002 | BLOCKED (2025-11-17) | Linkset extraction rules/ordering not documented. | Excititor Core Guild | Extract advisory IDs, component PURLs, references into linkset with reconciled-from metadata. |
-| 7 | EXCITITOR-CORE-AOC-19-003 | TODO | Blocked on 19-002; design supersede chains. | Excititor Core Guild | Enforce uniqueness + append-only versioning of raw VEX docs. |
+| 7 | EXCITITOR-CORE-AOC-19-003 | BLOCKED (2025-11-17) | Blocked on 19-002; design supersede chains. | Excititor Core Guild | Enforce uniqueness + append-only versioning of raw VEX docs. |
-| 8 | EXCITITOR-CORE-AOC-19-004 | TODO | Remove consensus after 19-003 in place. | Excititor Core Guild | Excise consensus/merge/severity logic from ingestion; rely on Policy Engine materializations. |
+| 8 | EXCITITOR-CORE-AOC-19-004 | BLOCKED (2025-11-17) | Remove consensus after 19-003 in place. | Excititor Core Guild | Excise consensus/merge/severity logic from ingestion; rely on Policy Engine materializations. |
-| 9 | EXCITITOR-CORE-AOC-19-013 | TODO | Seed tenant-aware Authority clients in smoke/e2e once 19-004 lands. | Excititor Core Guild | Ensure cross-tenant ingestion rejected; update tests. |
+| 9 | EXCITITOR-CORE-AOC-19-013 | BLOCKED (2025-11-17) | Seed tenant-aware Authority clients in smoke/e2e once 19-004 lands. | Excititor Core Guild | Ensure cross-tenant ingestion rejected; update tests. |
 | 10 | EXCITITOR-GRAPH-21-001 | BLOCKED (2025-10-27) | Needs Cartographer API contract + data availability. | Excititor Core · Cartographer Guild | Batched VEX/advisory reference fetches by PURL for inspector linkouts. |
 | 11 | EXCITITOR-GRAPH-21-002 | BLOCKED (2025-10-27) | Blocked on 21-001. | Excititor Core Guild | Overlay metadata includes justification summaries + versions; fixtures/tests. |
 | 12 | EXCITITOR-GRAPH-21-005 | BLOCKED (2025-10-27) | Blocked on 21-002. | Excititor Storage Guild | Indexes/materialized views for VEX lookups by PURL/policy for inspector perf. |
-| 13 | EXCITITOR-GRAPH-24-101 | TODO | Wait for 21-005 indexes. | Excititor WebService Guild | VEX status summaries per component/asset for Vuln Explorer. |
+| 13 | EXCITITOR-GRAPH-24-101 | BLOCKED (2025-11-17) | Wait for 21-005 indexes. | Excititor WebService Guild | VEX status summaries per component/asset for Vuln Explorer. |
-| 14 | EXCITITOR-GRAPH-24-102 | TODO | Depends on 24-101; design batch shape. | Excititor WebService Guild | Batch VEX observation retrieval optimized for Graph overlays/tooltips. |
+| 14 | EXCITITOR-GRAPH-24-102 | BLOCKED (2025-11-17) | Depends on 24-101; design batch shape. | Excititor WebService Guild | Batch VEX observation retrieval optimized for Graph overlays/tooltips. |
 | 15 | EXCITITOR-LNM-21-001 | IN REVIEW (2025-11-14) | Await review sign-off; prep migrations. | Excititor Core Guild | VEX observation model/schema, indexes, determinism rules, AOC metadata (`docs/modules/excititor/vex_observations.md`). |
 | 16 | AGENTS-EXCITITOR-UPDATE | DONE (2025-11-17) | AGENTS.md authored for WebService/Core/Storage/Worker. | Planning / Platform Guild | Author module-level AGENTS.md covering required docs, contracts, and testing for Excititor service components. |
 ## Action Tracker
 | Focus | Action | Owner(s) | Due | Status |
 | --- | --- | --- | --- | --- |
-| Console APIs | Finalize `/console/vex` contract (23-001) and dashboard deltas (23-002). | WebService Guild | 2025-11-18 | TODO |
+| Console APIs | Finalize `/console/vex` contract (23-001) and dashboard deltas (23-002). | WebService Guild | 2025-11-18 | BLOCKED (await contract; LNM view spec needed) |
-| Ingestion idempotency | Land linkset extraction + raw upsert uniqueness (19-002/003). | Core Guild | 2025-11-19 | TODO |
+| Ingestion idempotency | Land linkset extraction + raw upsert uniqueness (19-002/003). | Core Guild | 2025-11-19 | BLOCKED (linkset schema pending) |
-| Consensus removal | Remove merge/severity logic after idempotency in place (19-004). | Core Guild | 2025-11-20 | TODO |
+| Consensus removal | Remove merge/severity logic after idempotency in place (19-004). | Core Guild | 2025-11-20 | BLOCKED (depends on 19-002/003) |
 | Graph overlays | Align inspector/linkout schemas to unblock 21-001/002/005. | Core + Cartographer Guilds | 2025-11-21 | BLOCKED (awaiting Cartographer contract) |
 ## Execution Log
@@ -52,6 +53,9 @@
 | 2025-11-09 | Connector SUSE + Ubuntu trust provenance delivered. | Connectors Guild |
 | 2025-11-14 | LNM-21-001 schema in review. | Core Guild |
 | 2025-11-16 | Normalized sprint file to standard template and renamed to SPRINT_0119_0001_0002_excititor_ii.md. | Planning |
 | 2025-11-17 | Deprecated legacy filename `SPRINT_120_excititor_ii.md`; redirect left in place pointing here. | Planning |
 | 2025-11-17 | Authored AGENTS.md for WebService/Core/Storage.Mongo/Worker to unblock Excititor II work. | Planning |
 | 2025-11-17 | Work paused: module-level AGENTS.md missing for WebService/Core/Storage/Worker; blocked TODO items and added AGENTS-EXCITITOR-UPDATE task. | Planning |
 ## Decisions & Risks
 - **Decisions**
@@ -62,6 +66,7 @@
  - Consensus removal without full smoke tests could regress ingestion → Mitigation: expand tenant-aware e2e (19-013) before cutover.
  - Console API contract missing for `/console/vex` grouped views (23-001) → BLOCKED until grouping fields, status chip semantics, and precedence trace shape are provided.
  - Linkset extraction determinism rules/schema not available (19-002) → BLOCKED until authoritative extraction/ordering spec is supplied.
  - Module AGENTS.md absent for WebService/Core/Storage/Worker → Mitigated by AGENTS-EXCITITOR-UPDATE (DONE 2025-11-17); ensure new contributors read the charters.
 ## Next Checkpoints
 | Date (UTC) | Session / Owner | Goal | Fallback |
--- a/docs/implplan/SPRINT_0119_0001_0003_excititor_iii.md
+++ b/docs/implplan/SPRINT_0119_0001_0003_excititor_iii.md
@@ -22,27 +22,30 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | EXCITITOR-LNM-21-001 | TODO | Create `vex_observations`/`vex_linksets` with shard keys + migrations. | Excititor Storage Guild | Stand up collections with tenant guards; retire merge-era data without mutating raw content. |
+| 1 | EXCITITOR-LNM-21-001 | DONE (2025-11-17) | Collections + indexes created via migration `20251117-observations-linksets`. | Excititor Storage Guild | Stand up collections with tenant guards; retire merge-era data without mutating raw content. |
-| 2 | EXCITITOR-LNM-21-002 | TODO | After 21-001; design disagreement fields. | Excititor Core Guild | Capture disagreement metadata (status/justification deltas) in linksets with confidence scores; no winner selection. |
+| 2 | EXCITITOR-LNM-21-002 | DONE (2025-11-17) | Disagreement fields added to linkset domain + Mongo schema/indexes. | Excititor Core Guild | Capture disagreement metadata (status/justification deltas) in linksets with confidence scores; no winner selection. |
-| 3 | EXCITITOR-LNM-21-003 | TODO | After 21-002; event payload contract. | Excititor Core · Platform Events Guild | Emit `vex.linkset.updated` events (observation ids, confidence, conflict summary) aggregation-only. |
+| 3 | EXCITITOR-LNM-21-003 | DONE (2025-11-18) | Event payload contract/factory in core; ready for Platform envelope. | Excititor Core · Platform Events Guild | Emit `vex.linkset.updated` events (observation ids, confidence, conflict summary) aggregation-only. |
-| 4 | EXCITITOR-LNM-21-201 | TODO | After 21-003; implement filters + pagination. | Excititor WebService Guild | `/vex/observations` read endpoints with advisory/product/issuer filters, deterministic pagination, strict RBAC; no derived verdicts. |
+| 4 | EXCITITOR-LNM-21-201 | BLOCKED (2025-11-18) | Observation persistence/lookup not implemented; need store + projection wiring before API. | Excititor WebService Guild | `/vex/observations` read endpoints with advisory/product/issuer filters, deterministic pagination, strict RBAC; no derived verdicts. |
-| 5 | EXCITITOR-LNM-21-202 | TODO | After 21-201; export shape. | Excititor WebService Guild | `/vex/linksets` + export endpoints surfacing alias mappings, conflict markers, provenance proofs; errors map to `ERR_AGG_*`. |
+| 5 | EXCITITOR-LNM-21-202 | BLOCKED (2025-11-18) | Dependent on 21-201 data source and schema. | Excititor WebService Guild | `/vex/linksets` + export endpoints surfacing alias mappings, conflict markers, provenance proofs; errors map to `ERR_AGG_*`. |
-| 6 | EXCITITOR-LNM-21-203 | TODO | After 21-202; update SDK/docs. | Excititor WebService Guild · Docs Guild | OpenAPI/SDK/examples for obs/linkset endpoints with Advisory AI/Lens-ready examples. |
+| 6 | EXCITITOR-LNM-21-203 | BLOCKED (2025-11-18) | Blocked on 21-202 API shape. | Excititor WebService Guild · Docs Guild | OpenAPI/SDK/examples for obs/linkset endpoints with Advisory AI/Lens-ready examples. |
 | 7 | EXCITITOR-OBS-51-001 | TODO | Define metric names + SLOs. | Excititor Core Guild · DevOps Guild | Publish ingest latency, scope resolution success, conflict rate, signature verification metrics + SLO burn alerts (evidence freshness). |
 ## Action Tracker
 | Focus | Action | Owner(s) | Due | Status |
 | --- | --- | --- | --- | --- |
-| Stores & migrations | Finalize shard keys and migration plan for 21-001. | Storage Guild | 2025-11-18 | TODO |
+| Stores & migrations | Finalize shard keys and migration plan for 21-001. | Storage Guild | 2025-11-18 | DONE (migration applied 2025-11-17) |
-| Conflict annotations | Schema + confidence scoring for 21-002. | Core Guild | 2025-11-19 | TODO |
+| Conflict annotations | Schema + confidence scoring for 21-002. | Core Guild | 2025-11-19 | DONE (domain + indexes delivered 2025-11-17) |
-| Read APIs | Implement `/vex/observations` + `/vex/linksets` (21-201/202). | WebService Guild | 2025-11-22 | TODO |
+| Read APIs | Implement `/vex/observations` + `/vex/linksets` (21-201/202). | WebService Guild | 2025-11-22 | BLOCKED (waiting on observation store/lookup contract) |
-| Docs & SDK | Produce OpenAPI + SDK examples (21-203). | WebService · Docs Guild | 2025-11-23 | TODO |
+| Docs & SDK | Produce OpenAPI + SDK examples (21-203). | WebService · Docs Guild | 2025-11-23 | BLOCKED (pending API availability) |
 | Metrics/SLOs | Define and wire ingest metrics (OBS-51-001). | Core · DevOps Guild | 2025-11-24 | TODO |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-16 | Normalized sprint file to standard template and renamed to SPRINT_0119_0001_0003_excititor_iii.md; pending staffing. | Planning |
 | 2025-11-17 | Added migration `20251117-observations-linksets` (collections + indexes for observations/linksets). | Storage Guild |
 | 2025-11-17 | Added linkset disagreement schema (domain + Mongo records/index) fulfilling 21-002. | Core Guild |
 | 2025-11-18 | Added `vex.linkset.updated` payload contract + factory (21-003). | Core Guild |
 ## Decisions & Risks
 - **Decisions**
@@ -51,6 +54,7 @@
 - **Risks & Mitigations**
  - Migration of merge-era data could impact availability → Use phased backfill and snapshot/rollback plan.
  - Missing SLO definitions delays evidence freshness promises → Draft initial targets with Ops while metrics wire up.
  - Observation persistence/lookup not yet implemented → Blocks read APIs; mitigation: define store contract and stub implementation before API work resumes.
 ## Next Checkpoints
 | Date (UTC) | Session / Owner | Goal | Fallback |
--- a/docs/implplan/SPRINT_0119_0001_0004_excititor_iv.md
+++ b/docs/implplan/SPRINT_0119_0001_0004_excititor_iv.md
@@ -54,6 +54,7 @@
 ## Next Checkpoints
 | Date (UTC) | Session / Owner | Goal | Fallback |
 | 2025-11-19 | OBS-52-001 schema update | Add provenance buckets + sealed-mode markers; finalize v1 | If slip, publish interim schema and mark blockers. |
 | --- | --- | --- | --- |
 | 2025-11-18 | Timeline schema review | Approve OBS-52-001 event envelope. | Iterate with provisional event topic if blocked. |
 | 2025-11-20 | Orchestrator integration demo | Show worker heartbeats/progress with pause/throttle compliance. | Keep jobs on legacy runner until stability proven. |
--- a/docs/implplan/SPRINT_0121_0001_0001_policy_reasoning.md
+++ b/docs/implplan/SPRINT_0121_0001_0001_policy_reasoning.md
@@ -0,0 +1,64 @@
 # Sprint 0121 · Policy & Reasoning
 ## Topic & Scope
 - Findings Ledger Policy & Reasoning track (phase II) following Sprint 120.B Findings.I.
 - Split from the prior combined sprint; execute tasks in listed order with status priority DOING → TODO → BLOCKED.
 - Extend ledger projections, exports, and telemetry to carry provenance, verification, and risk explanations end-to-end.
 - Align OpenAPI/SDK surface with new policy-aware evidence and provide deterministic snapshot/export flows.
 - **Working directory:** `src/Findings/StellaOps.Findings.Ledger`.
 ## Dependencies & Concurrency
 - Upstream: Sprint 120.B — Findings.I must land before this track proceeds.
 - Coordinate with Evidence Locker, Provenance, Risk Engine, and Observability guilds for shared schemas.
 - Concurrency safe with other CC-0121 efforts once contract changes stabilise.
 ## Documentation Prerequisites
 - docs/README.md
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 - docs/modules/platform/architecture-overview.md
 - docs/modules/findings-ledger/implementation_plan.md
 - docs/modules/findings-ledger/schema.md
 - docs/modules/findings-ledger/observability.md
 - docs/modules/findings-ledger/workflow-inference.md
 - src/Findings/StellaOps.Findings.Ledger/AGENTS.md
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | LEDGER-ATTEST-73-002 | BLOCKED | Waiting on LEDGER-ATTEST-73-001 verification pipeline delivery | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Enable search/filter in findings projections by verification result and attestation status |
 | 2 | LEDGER-EXPORT-35-001 | BLOCKED | No HTTP/API surface or contract to host export endpoints; needs API scaffold + filters spec | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings with deterministic ordering and provenance metadata |
 | 3 | LEDGER-OAS-61-001 | BLOCKED | Absent OAS baseline and API host for ledger; requires contract definition with API Guild | Findings Ledger Guild; API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples |
 | 4 | LEDGER-OAS-61-002 | BLOCKED | Depends on 61-001 contract + HTTP surface | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Implement `/.well-known/openapi` endpoint and ensure version metadata matches release |
 | 5 | LEDGER-OAS-62-001 | BLOCKED | SDK generation pending 61-002 | Findings Ledger Guild; SDK Generator Guild / src/Findings/StellaOps.Findings.Ledger | Provide SDK test cases for findings pagination, filtering, evidence links; ensure typed models expose provenance |
 | 6 | LEDGER-OAS-63-001 | BLOCKED | Dependent on SDK validation (62-001) | Findings Ledger Guild; API Governance Guild / src/Findings/StellaOps.Findings.Ledger | Support deprecation headers and Notifications for retiring finding endpoints |
 | 7 | LEDGER-OBS-50-001 | DONE | Telemetry core wired into writer/projector; structured logs + spans added | Findings Ledger Guild; Observability Guild / src/Findings/StellaOps.Findings.Ledger | Integrate telemetry core within ledger writer/projector services for append, replay, and query APIs |
 | 8 | LEDGER-OBS-51-001 | DONE | Metrics and SLOs implemented in code + docs | Findings Ledger Guild; DevOps Guild / src/Findings/StellaOps.Findings.Ledger | Publish metrics for ledger latency, projector lag, event throughput, and policy evaluation linkage; SLOs: append P95 < 1s, replay lag < 30s |
 | 9 | LEDGER-OBS-52-001 | DONE | Timeline events emitted for ledger append + projection commit | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Emit timeline events for ledger writes and projector commits (`ledger.event.appended`, `ledger.projection.updated`) with trace ID, policy version, evidence bundle reference placeholders |
 | 10 | LEDGER-OBS-53-001 | DONE | Evidence bundle refs persisted + lookup API | Findings Ledger Guild; Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | Persist evidence bundle references alongside ledger entries; expose lookup linking findings to evidence manifests and timeline |
 | 11 | LEDGER-OBS-54-001 | BLOCKED | No HTTP surface/minimal API present in module to host `/ledger/attestations`; needs API contract + service scaffold | Findings Ledger Guild; Provenance Guild / src/Findings/StellaOps.Findings.Ledger | Verify attestation references for ledger-derived exports; expose `/ledger/attestations` endpoint returning DSSE verification state and chain-of-custody summary |
 | 12 | LEDGER-OBS-55-001 | BLOCKED | Depends on 54-001 attestation API availability | Findings Ledger Guild; DevOps Guild / src/Findings/StellaOps.Findings.Ledger | Enhance incident mode to record replay diagnostics (lag traces, conflict snapshots), extend retention while active, and emit activation events to timeline/notifier |
 | 13 | LEDGER-PACKS-42-001 | BLOCKED | Snapshot/time-travel contract and bundle format not specified; needs design input | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Provide snapshot/time-travel APIs and digestible exports for task pack simulation and CLI offline mode |
 | 14 | LEDGER-RISK-66-001 | BLOCKED | Risk Engine schema/contract inputs absent; requires risk field definitions + rollout plan | Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Add schema migrations for `risk_score`, `risk_severity`, `profile_version`, `explanation_id`, and supporting indexes |
 | 15 | LEDGER-RISK-66-002 | BLOCKED | Depends on 66-001 migration + risk scoring contract | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Implement deterministic upsert of scoring results keyed by finding hash/profile version with history audit |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-08 | Sprint stub created; awaiting template normalisation. | Planning |
 | 2025-11-17 | Normalised sprint to standard template and renamed file to `SPRINT_0121_0001_0001_policy_reasoning.md`. | Project Mgmt |
 | 2025-11-17 | Implemented LEDGER-OBS-50-001: telemetry core spans/scopes/logs for ledger append and projection paths added. | Findings Ledger |
 | 2025-11-17 | Implemented LEDGER-OBS-51-001: metrics for append latency, projection lag/apply, throughput with SLOs (+ doc updates). | Findings Ledger |
 | 2025-11-17 | Implemented LEDGER-OBS-52-001: timeline events emitted for ledger append and projection commits with trace IDs. | Findings Ledger |
 | 2025-11-17 | Implemented LEDGER-OBS-53-001: evidence bundle ref persisted + lookup API + timeline propagation. | Findings Ledger |
 | 2025-11-17 | LEDGER-OBS-54-001 blocked: module lacks HTTP/API surface to host `/ledger/attestations`; needs contract + service bootstrap. | Findings Ledger |
 | 2025-11-17 | Marked EXPORT/OAS/PACKS/RISK tasks BLOCKED pending API surface, contracts, and risk engine inputs. | Findings Ledger |
 ## Decisions & Risks
 - Upstream dependency on Sprint 120.B (Findings.I); block start until merged.
 - Cross-guild coordination (Evidence Locker, Risk Engine, Observability, Provenance) required to avoid schema drift.
 - Export/SDK contract changes must remain deterministic to support offline bundles.
 - LEDGER-OBS-54-001 blocked: Findings Ledger module currently lacks HTTP/minimal API surface to expose `/ledger/attestations`; requires contract + service scaffold (engage API Contracts & Provenance guilds).
 ## Next Checkpoints
 - Schedule cross-guild kickoff for week of 2025-11-24 once dependency clears.
 - Add weekly Findings Ledger status review (TBD owner) after staffing.
--- a/docs/implplan/SPRINT_0125_0001_0001_mirror.md
+++ b/docs/implplan/SPRINT_0125_0001_0001_mirror.md
@@ -0,0 +1,63 @@
 # Sprint 0125_0001_0001 · Mirror Bundles
 ## Topic & Scope
 - Build the deterministic mirror bundle assembler covering advisories, VEX, policy packs, and optional OCI artefacts.
 - Layer DSSE/TUF metadata, time anchors, and CLI automation so air-gapped sites receive verifiable bundles.
 - Wire Export Center and scheduling hooks so mirror creation can be orchestrated automatically.
 - **Working directory:** `src/Mirror/StellaOps.Mirror.Creator`.
 ## Dependencies & Concurrency
 - Upstream: Sprint 110.D must deliver the assembler foundation (`MIRROR-CRT-56-001`). Attestor v2 contracts from Sprint 100.A remain required.
 - Mirror sprints share the 120s decade with Policy & Reasoning work but remain independent; avoid adding dependencies on `SPRINT_125_policy_reasoning.md`.
 - Evidence Locker, Export Center, CLI, and AirGap Time guild commitments must be available as soon as assembler code exists.
 ## Documentation Prerequisites
 - `docs/modules/export-center/architecture.md`
 - `docs/modules/airgap/architecture.md`
 - `docs/modules/devops/architecture.md`
 - `docs/modules/policy/architecture.md` (for provenance expectations)
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | MIRROR-CRT-56-001 | BLOCKED | Upstream Sprint 110.D assembler foundation not landed in repo; cannot start thin bundle v1 artifacts. | Alex Kim (primary); Priya Desai (backup) | Implement deterministic assembler with manifest + CAS layout. |
 | 2 | MIRROR-CRT-56-002 | BLOCKED | Depends on MIRROR-CRT-56-001 and PROV-OBS-53-001; upstream assembler missing. | Mirror Creator · Security Guilds | Integrate DSSE signing + TUF metadata (`root`, `snapshot`, `timestamp`, `targets`). |
 | 3 | MIRROR-CRT-57-001 | BLOCKED | Requires MIRROR-CRT-56-001; assembler foundation missing. | Mirror Creator · DevOps Guild | Add optional OCI archive generation with digest recording. |
 | 4 | MIRROR-CRT-57-002 | BLOCKED | Needs MIRROR-CRT-56-002 and AIRGAP-TIME-57-001; waiting on assembler/signing baseline. | Mirror Creator · AirGap Time Guild | Embed signed time-anchor metadata. |
 | 5 | MIRROR-CRT-58-001 | BLOCKED | Requires MIRROR-CRT-56-002 and CLI-AIRGAP-56-001; downstream until assembler exists. | Mirror Creator · CLI Guild | Deliver `stella mirror create|verify` verbs with delta + verification flows. |
 | 6 | MIRROR-CRT-58-002 | BLOCKED | Depends on MIRROR-CRT-56-002 and EXPORT-OBS-54-001; waiting on sample bundles. | Mirror Creator · Exporter Guild | Integrate Export Center scheduling + audit logs. |
 | 7 | EXPORT-OBS-51-001 / 54-001 | BLOCKED | MIRROR-CRT-56-001 staffing and artifacts not available. | Exporter Guild | Align Export Center workers with assembler output. |
 | 8 | AIRGAP-TIME-57-001 | BLOCKED | MIRROR-CRT-56-001/57-002 pending; policy workshop contingent on sample bundles. | AirGap Time Guild | Provide trusted time-anchor service & policy. |
 | 9 | CLI-AIRGAP-56-001 | BLOCKED | MIRROR-CRT-56-002/58-001 pending; offline kit inputs unavailable. | CLI Guild | Extend CLI offline kit tooling to consume mirror bundles. |
 | 10 | PROV-OBS-53-001 | BLOCKED | MIRROR-CRT-56-001 absent; cannot wire observers. | Security Guild | Define provenance observers + verification hooks. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-17 | All sprint tasks marked BLOCKED: upstream Sprint 110.D assembler foundation absent from repo; no manifest/CAS layout or samples present to proceed. | Implementer |
 | 2025-11-17 | Normalised sprint file to standard template; renamed from `SPRINT_125_mirror.md` to `SPRINT_0125_0001_0001_mirror.md`; no semantic task changes. | Project Management |
 | 2025-11-17 | Coordinator decision: assign primary + backup for MIRROR-CRT-56-001; scope thin bundle v1; downstream tasks may proceed once schema + sample bundle land. | Coordinator |
 | 2025-11-17 | Action: record primary + backup in Delivery Tracker; produce thin bundle v1 schema + 2 sample bundles by 2025-11-19; unblock Export/CLI/AirGap. | Coordinator |
 | 2025-11-13 | Kickoff rescheduled to 15 Nov pending MIRROR-CRT-56-001 staffing; downstream guilds alerted to prepare resource plans. | Mirror Creator Guild |
 ## Decisions & Risks
 - **Decisions**
  - Assign primary engineer for MIRROR-CRT-56-001 (due 2025-11-17 EOD). Owners: Mirror Creator Guild · Exporter Guild; Security as backup. Option A selected: thin bundle v1; acceptance: names recorded in Delivery Tracker + kickoff notes.
  - Confirm DSSE/TUF signing profile (due 2025-11-18). Owners: Security Guild · Attestor Guild. Needed before MIRROR-CRT-56-002 can merge.
  - Lock time-anchor authority scope (due 2025-11-19). Owners: AirGap Time Guild · Mirror Creator Guild. Required for MIRROR-CRT-57-002 policy enforcement.
 - **Risks**
  - Upstream assembler foundation (Sprint 110.D, MIRROR-CRT-56-001 baseline) missing from repo → all Sprint 0125 tasks blocked. Mitigation: expedite delivery of manifest/CAS scaffold + sample bundles; re-sequence tasks once landed.
  - Staffing gap for MIRROR-CRT-56-001 persists after kickoff → DSSE/TUF, OCI, CLI, Export tracks slip; Sprint 0125 jams the Export Center roadmap. Mitigation: escalate to program leadership; reassign engineers from Export Center or Excititor queue.
  - DSSE/TUF contract debates with Security Guild → signing + transparency integration slips, blocking CLI/Export release. Mitigation: align on profile ahead of development; capture ADR in `docs/airgap`.
  - Time-anchor requirements undefined → air-gapped bundles lose verifiable time guarantees. Mitigation: run focused session with AirGap Time Guild to lock policy + service interface.
 ## Next Checkpoints
 | Date (UTC) | Session | Goal | Owner(s) |
 | --- | --- | --- | --- |
 | 2025-11-15 | Mirror evidence kickoff | Assign MIRROR-CRT-56-001 owner, outline scope, confirm downstream staffing. | Mirror Creator · Exporter · AirGap Time · Security guilds |
 | 2025-11-18 | DSSE/TUF design review | Freeze signing profile + manifest shape. | Mirror Creator · Security Guild |
 | 2025-11-19 | Thin bundle v1 sample paths | Publish locations + SHA256 for sample bundles; usable by Export/CLI/AirGap. | Mirror Creator Guild |
 | 2025-11-19 | Time-anchor policy workshop | Approve requirements for AIRGAP-TIME-57-001. | AirGap Time Guild · Mirror Creator |
 ## Appendix
 - Previous detailed notes retained at `docs/implplan/archived/SPRINT_125_mirror_2025-11-13.md`.
--- a/docs/implplan/SPRINT_0131_0001_0001_scanner_surface.md
+++ b/docs/implplan/SPRINT_0131_0001_0001_scanner_surface.md
@@ -0,0 +1,62 @@
 # Sprint 0131-0001-0001 · Scanner & Surface (Phase II)
 ## Topic & Scope
 - Continue Scanner & Surface wave (phase II) after Sprint 0130, deepening analyzers for Deno and Java with runtime evidence and surface signals.
 - Deliver Deno runtime hooks, policy signal emitters, and CLI/Worker packaging that stay offline-friendly and bundle-ready.
 - Expand Java analyzer coverage for configs, JNI hints, manifest metadata, fixtures/benchmarks, and optional runtime ingestion to feed surface decisioning.
 - **Working directory:** `src/Scanner`.
 ## Dependencies & Concurrency
 - Sequential dependency: Sprint 0130 must finish before this sprint; maintain order across the 0130–0139 wave.
 - Deno work depends on `SCANNER-ANALYZERS-DENO-26-008`; Java chain builds serially from 21-005 → 21-006 → 21-007 → 21-008 → 21-009 → 21-010 → 21-011.
 - Stay within scanner scope to avoid new cross-module coupling unless explicitly approved.
 ## Documentation Prerequisites
 - docs/README.md
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 - docs/modules/platform/architecture-overview.md
 - docs/modules/scanner/architecture.md
 - src/Scanner/AGENTS.md
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | SCANNER-ANALYZERS-DENO-26-009 | DOING | Implement runtime hook per `docs/modules/scanner/design/deno-runtime-signals.md`; NDJSON serializer and metadata done; loader/require shim pending. | Deno Analyzer Guild · Signals Guild | Optional runtime evidence hooks capturing module loads and permissions with path hashing during harnessed execution. |
 | 2 | SCANNER-ANALYZERS-DENO-26-010 | TODO | After 26-009, wire CLI (`stella deno trace`) + Worker/Offline Kit using runtime NDJSON contract. | Deno Analyzer Guild · DevOps Guild | Package analyzer plug-in and surface CLI/worker commands with offline documentation. |
 | 3 | SCANNER-ANALYZERS-DENO-26-011 | TODO | Implement policy signal emitter using contract in `docs/modules/scanner/design/deno-runtime-signals.md`. | Deno Analyzer Guild | Policy signal emitter for capabilities (net/fs/env/ffi/process/crypto), remote origins, npm usage, wasm modules, and dynamic-import warnings. |
 | 4 | SCANNER-ANALYZERS-JAVA-21-005 | BLOCKED (2025-11-17) | Tests blocked: repo build fails in Concelier (CoreLinksets missing) and targeted Java analyzer test run stalls; retry once dependencies fixed or CI available. | Java Analyzer Guild | Framework config extraction: Spring Boot imports, spring.factories, application properties/yaml, Jakarta web.xml/fragments, JAX-RS/JPA/CDI/JAXB configs, logging files, Graal native-image configs. |
 | 5 | SCANNER-ANALYZERS-JAVA-21-006 | TODO | Needs outputs from 21-005. | Java Analyzer Guild | JNI/native hint scanner detecting native methods, System.load/Library literals, bundled native libs, Graal JNI configs; emit `jni-load` edges. |
 | 6 | SCANNER-ANALYZERS-JAVA-21-007 | TODO | After 21-006; align manifest parsing with resolver. | Java Analyzer Guild | Signature and manifest metadata collector capturing JAR signature structure, signers, and manifest loader attributes (Main-Class, Agent-Class, Start-Class, Class-Path). |
 | 7 | SCANNER-ANALYZERS-JAVA-21-008 | BLOCKED (2025-10-27) | Waiting on 21-007 completion and resolver authoring bandwidth. | Java Analyzer Guild | Implement resolver + AOC writer emitting entrypoints, components, and edges (jpms, cp, spi, reflect, jni) with reason codes and confidence. |
 | 8 | SCANNER-ANALYZERS-JAVA-21-009 | TODO | Unblock when 21-008 lands; prepare fixtures in parallel where safe. | Java Analyzer Guild · QA Guild | Comprehensive fixtures (modular app, boot fat jar, war, ear, MR-jar, jlink image, JNI, reflection heavy, signed jar, microprofile) with golden outputs and perf benchmarks. |
 | 9 | SCANNER-ANALYZERS-JAVA-21-010 | TODO | After 21-009; requires runtime capture design. | Java Analyzer Guild · Signals Guild | Optional runtime ingestion via Java agent + JFR reader capturing class load, ServiceLoader, System.load events with path scrubbing; append-only runtime edges (`runtime-class`/`runtime-spi`/`runtime-load`). |
 | 10 | SCANNER-ANALYZERS-JAVA-21-011 | TODO | Depends on 21-010; finalize DI/manifest registration and docs. | Java Analyzer Guild · DevOps Guild | Package analyzer as restart-time plug-in, update Offline Kit docs, add CLI/worker hooks for Java inspection commands. |
 | 11 | SCANNER-ANALYZERS-LANG-11-001 | BLOCKED (2025-11-17) | `dotnet test` hangs/returns empty output; needs clean runner/CI diagnostics. | StellaOps.Scanner EPDR Guild · Language Analyzer Guild | Entrypoint resolver mapping project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles; output normalized `entrypoints[]` with deterministic IDs. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-17 | Normalised sprint file to standard template and renamed from `SPRINT_131_scanner_surface.md` to `SPRINT_0131_0001_0001_scanner_surface.md`; no semantic changes. | Planning |
 | 2025-11-17 | Attempted `./tools/dotnet-filter.sh test src/Scanner/StellaOps.Scanner.sln --no-restore`; build ran ~72s compiling scanner/all projects without completing tests, then aborted locally to avoid runaway build. Follow-up narrow build `dotnet build src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj` also stalled ~28s in target resolution before manual stop. Blocker persists; needs clean CI runner or scoped test project to finish LANG-11-001 validation. | Implementer |
 | 2025-11-17 | Started SCANNER-ANALYZERS-JAVA-21-005: initial framework config extraction (Spring configs, JPA/CDI/JAXB, logging, Graal native-image) implemented with evidence + metadata; added regression test scaffold. | Implementer |
 | 2025-11-17 | SCANNER-ANALYZERS-JAVA-21-005: Added Spring Boot `.imports` detection and web-fragment coverage; refreshed framework-config test to assert imports + fragment metadata. Test run blocked by Concelier Mongo build errors (missing CoreLinksets interfaces); rerun once repository build is green. | Java Analyzer Guild |
 | 2025-11-17 | Targeted `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests.csproj --no-restore`; build pulled large Concelier/Surface dependencies and stalled ~35s before manual abort (no test results). Need clean CI or lighter test target to validate 21-005. | Implementer |
 | 2025-11-17 | Reviewed Deno analyzer scope; runtime evidence hook contract and policy-signal keys not defined in docs or code. Marked DENO-26-009/010/011 as BLOCKED pending approved trace/signal schema shared with Surface/Signals. | Implementer |
 | 2025-11-17 | SCANNER-ANALYZERS-JAVA-21-005: Added JNI/native hint scanning (native libs, Graal jni-config, System.load/Library strings) with component metadata + evidence; targeted tests added. Test run aborted ~80s in due to concurrent repo-wide builds; rerun on clean runner. | Java Analyzer Guild |
 | 2025-11-17 | Authored `docs/modules/scanner/design/deno-runtime-signals.md` defining NDJSON runtime trace + policy signal keys; unblocked DENO-26-009/010/011 back to TODO. | Implementer |
 | 2025-11-17 | Implemented Deno runtime NDJSON serializer + metadata (module/permission counts, remote origins, npm/wasm/dynamic import counts) with deterministic ordering and hash; added regression tests for serializer, path hashing, recorder ordering, and policy signal emission. Loader/require shim still pending. | Implementer |
 | 2025-11-17 | Deno runtime tests passing: `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj --no-restore`. | Implementer |
 ## Decisions & Risks
 - `SCANNER-ANALYZERS-LANG-11-001` blocked (2025-11-17): local `dotnet test` hangs/returns empty output; requires clean runner/CI hang diagnostics to progress and regenerate goldens.
 - Additional note: dotnet-filter wrapper avoids `workdir:` injection but full solution builds still stall locally; recommend CI/clean runner and/or scoped project tests to gather logs for LANG-11-001.
 - `SCANNER-ANALYZERS-JAVA-21-008` blocked (2025-10-27): resolver capacity needed to produce entrypoint/component/edge outputs; downstream tasks remain stalled until resolved.
 - Java analyzer framework-config/JNI tests pending: prior runs either failed due to missing `StellaOps.Concelier.Storage.Mongo` `CoreLinksets` types or were aborted after 80s due to concurrent repo-wide builds; rerun on clean runner or after Concelier build stabilises.
 - Deno runtime hook + policy-signal schema drafted in `docs/modules/scanner/design/deno-runtime-signals.md`; awaiting Signals/Surface review but tasks can proceed against draft contract.
 - Loader/require shim still outstanding for DENO-26-009; needs consensus on harness injection point and offline capture scope before marking task DONE.
 ## Next Checkpoints
 | Date (UTC) | Session | Goal | Impacted work | Owner |
 | --- | --- | --- | --- | --- |
 | 2025-11-18 | Scanner EPDR triage | Reproduce and debug `dotnet test` hang for LANG-11-001 on clean runner; capture logs for unblock. | SCANNER-ANALYZERS-LANG-11-001 | Signals Guild |
 | 2025-11-19 | Java analyzer sequencing | Confirm resolver plan for 21-008 and schedule fixtures for 21-009 accordingly. | SCANNER-ANALYZERS-JAVA-21-008/009 | Java Analyzer Guild |
--- a/docs/implplan/SPRINT_0132_0001_0001_scanner_surface.md
+++ b/docs/implplan/SPRINT_0132_0001_0001_scanner_surface.md
@@ -1,4 +1,4 @@
-# Sprint 132 · Scanner & Surface
+# Sprint 0132 · Scanner & Surface
 ## Topic & Scope
 - Phase III of the Scanner & Surface track, focusing on deepening language analyzers and surface evidence for Scanner.
@@ -26,7 +26,7 @@
 | 2 | SCANNER-ANALYZERS-LANG-11-003 | TODO | Depends on SCANNER-ANALYZERS-LANG-11-002 | StellaOps.Scanner EPDR Guild; Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Ingest optional runtime evidence (AssemblyLoad, Resolving, P/Invoke) via event listener harness; merge runtime edges with static/declared ones and attach reason codes/confidence. |
 | 3 | SCANNER-ANALYZERS-LANG-11-004 | TODO | Depends on SCANNER-ANALYZERS-LANG-11-003 | StellaOps.Scanner EPDR Guild; SBOM Service Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Produce normalized observation export to Scanner writer: entrypoints + dependency edges + environment profiles (AOC compliant); wire to SBOM service entrypoint tagging. |
 | 4 | SCANNER-ANALYZERS-LANG-11-005 | TODO | Depends on SCANNER-ANALYZERS-LANG-11-004 | StellaOps.Scanner EPDR Guild; QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | Add comprehensive fixtures/benchmarks covering framework-dependent, self-contained, single-file, trimmed, NativeAOT, multi-RID scenarios; include explain traces and perf benchmarks vs previous analyzer. |
-| 5 | SCANNER-ANALYZERS-NATIVE-20-001 | TODO | None | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Implement format detector and binary identity model supporting ELF, PE/COFF, and Mach-O (including fat slices); capture arch, OS, build-id/UUID, interpreter metadata. |
+| 5 | SCANNER-ANALYZERS-NATIVE-20-001 | DOING | Build minimal format detector + identity model; add unit tests. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Implement format detector and binary identity model supporting ELF, PE/COFF, and Mach-O (including fat slices); capture arch, OS, build-id/UUID, interpreter metadata. |
 | 6 | SCANNER-ANALYZERS-NATIVE-20-002 | TODO | Depends on SCANNER-ANALYZERS-NATIVE-20-001 | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Parse ELF dynamic sections: `DT_NEEDED`, `DT_RPATH`, `DT_RUNPATH`, symbol versions, interpreter, and note build-id; emit declared dependency records with reason `elf-dtneeded` and attach version needs. |
 | 7 | SCANNER-ANALYZERS-NATIVE-20-003 | TODO | Depends on SCANNER-ANALYZERS-NATIVE-20-002 | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Parse PE imports, delay-load tables, manifests/SxS metadata, and subsystem flags; emit edges with reasons `pe-import` and `pe-delayimport`, plus SxS policy metadata. |
 | 8 | SCANNER-ANALYZERS-NATIVE-20-004 | TODO | Depends on SCANNER-ANALYZERS-NATIVE-20-003 | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Parse Mach-O load commands (`LC_LOAD_DYLIB`, `LC_REEXPORT_DYLIB`, `LC_RPATH`, `LC_UUID`, fat headers); handle `@rpath/@loader_path` placeholders and slice separation. |
@@ -36,7 +36,7 @@
 | 12 | SCANNER-ANALYZERS-NATIVE-20-008 | TODO | Depends on SCANNER-ANALYZERS-NATIVE-20-007 | Native Analyzer Guild; QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Author cross-platform fixtures (ELF dynamic/static, PE delay-load/SxS, Mach-O @rpath, plugin configs) and determinism benchmarks (<25 ms / binary, <250 MB). |
 | 13 | SCANNER-ANALYZERS-NATIVE-20-009 | TODO | Depends on SCANNER-ANALYZERS-NATIVE-20-008 | Native Analyzer Guild; Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Provide optional runtime capture adapters (Linux eBPF `dlopen`, Windows ETW ImageLoad, macOS dyld interpose) writing append-only runtime evidence; include redaction/sandbox guidance. |
 | 14 | SCANNER-ANALYZERS-NATIVE-20-010 | TODO | Depends on SCANNER-ANALYZERS-NATIVE-20-009 | Native Analyzer Guild; DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native) | Package native analyzer as restart-time plug-in with manifest/DI registration; update Offline Kit bundle and documentation. |
-| 15 | SCANNER-ANALYZERS-NODE-22-001 | TODO | None | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Build input normalizer + VFS for Node projects: dirs, tgz, container layers, pnpm store, Yarn PnP zips; detect Node version targets (`.nvmrc`, `.node-version`, Dockerfile) and workspace roots deterministically. |
+| 15 | SCANNER-ANALYZERS-NODE-22-001 | DOING | None | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Build input normalizer + VFS for Node projects: dirs, tgz, container layers, pnpm store, Yarn PnP zips; detect Node version targets (`.nvmrc`, `.node-version`, Dockerfile) and workspace roots deterministically. |
 | 16 | SCANNER-ANALYZERS-NODE-22-002 | TODO | Depends on SCANNER-ANALYZERS-NODE-22-001 | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Implement entrypoint discovery (bin/main/module/exports/imports, workers, electron, shebang scripts) and condition set builder per entrypoint. |
 | 17 | SCANNER-ANALYZERS-NODE-22-003 | TODO | Depends on SCANNER-ANALYZERS-NODE-22-002 | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Parse JS/TS sources for static `import`, `require`, `import()` and string concat cases; flag dynamic patterns with confidence levels; support source map de-bundling. |
 | 18 | SCANNER-ANALYZERS-NODE-22-004 | TODO | Depends on SCANNER-ANALYZERS-NODE-22-003 | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node) | Implement Node resolver engine for CJS + ESM (core modules, exports/imports maps, conditions, extension priorities, self-references) parameterised by node_version. |
@@ -48,12 +48,26 @@
 | --- | --- | --- |
 | 2025-11-16 | Normalised sprint file to standard template; renamed from `SPRINT_132_scanner_surface.md` to `SPRINT_0132_0001_0001_scanner_surface.md`; scope unchanged; added governance task for missing Scanner AGENTS.md. | Planning |
 | 2025-11-17 | AGENTS-SCANNER-00-001 completed; module AGENTS.md added under src/Scanner. | Implementer |
 | 2025-11-17 | Updated Decisions & Risks to reflect AGENTS.md completion date, fixed AGENTS.md required-reading formatting/sprint reference, and added dated checkpoints; no scope change. | Planning |
 | 2025-11-17 | SCANNER-ANALYZERS-NATIVE-20-001: Started format detector + identity model; added initial ELF/PE/Mach-O detection and xunit coverage. Tests pending due to repo-wide build health. | Native Analyzer Guild |
 | 2025-11-17 | SCANNER-ANALYZERS-NATIVE-20-001: Library compiles; test project builds. `dotnet test` currently exits with vstest argument error; needs follow-up once runner/tooling is aligned. | Native Analyzer Guild |
 | 2025-11-17 | SCANNER-ANALYZERS-NATIVE-20-001: `dotnet test` failure details — vstest reports generated DLL path as invalid (`...Native.Tests.dll is invalid`). Test binaries build; treat as tooling issue to resolve before marking DONE. | Native Analyzer Guild |
 | 2025-11-18 | SCANNER-ANALYZERS-NATIVE-20-001: Added `.editorconfig` + NoWarn/WNAE for CA2022 and switched to `ReadExactly`/`ReadAtLeast`; dotenv test still blocked because CA2022 is enforced globally. Build/test remains failing on CA2022 in NativeFormatDetector; needs repo-wide analyzer override or alternative IO pattern. | Native Analyzer Guild |
 | 2025-11-17 | SCANNER-ANALYZERS-NODE-22-001: Added Node version target detection (.nvmrc/.node-version/Dockerfile) with metadata + evidence; new fixture + regression test authored. Test run deferred due to repo-wide build contention; rerun when clean runner is available. | Node Analyzer Guild |
 | 2025-11-17 | SCANNER-ANALYZERS-NODE-22-001: Added tarball (`*.tgz`) package processing with package.json hashing + install-script evidence; fixture + regression test created. Test runs blocked by solution-wide restore contention; rerun required on clean runner. | Node Analyzer Guild |
 | 2025-11-18 | SCANNER-ANALYZERS-NODE-22-001: Targeted tests (`VersionTargetsAreCapturedAsync|TarballPackageIsParsedAsync`) reattempted; restore still blocked by concurrent solution builds; aborted after ~44s to avoid contention. Awaiting clean runner. | Node Analyzer Guild |
 | 2025-11-18 | SCANNER-ANALYZERS-NATIVE-20-001: Isolated test project from Concelier test infra, pinned test SDK/xunit/FluentAssertions versions; build still pending clean runner (large solution restore churn). | Native Analyzer Guild |
 | 2025-11-18 | SCANNER-ANALYZERS-NATIVE-20-001: Added ELF interpreter/build-id extraction and Mach-O UUID capture in format detector; new regression tests authored. Test runs currently fail during solution restore; rerun needed on clean runner. | Native Analyzer Guild |
 | 2025-11-18 | SCANNER-ANALYZERS-NATIVE-20-001: Native analyzer tests now passing after targeted restore/test (`StellaOps.Scanner.Analyzers.Native.Tests`) post build-id/interpreter/UUID additions. | Native Analyzer Guild |
 ## Decisions & Risks
- Scanner AGENTS.md added 2025-11-16; keep in sync with scanner architecture and future advisories.
+- Scanner AGENTS.md added 2025-11-17; keep in sync with scanner architecture and future advisories.
 - Sprint execution gated on completion of Sprint 131; monitor for slippage to avoid cascading delays in 130–139 chain.
 - Maintain offline-first and deterministic outputs for analyzers; ensure runtime capture adapters include redaction/sandbox guidance before rollout.
 - Native analyzer format-detector tests now passing; keep monitoring broader solution restore health for downstream NAT-20-002+.
 - Node analyzer version-target and tarball tests pending; latest runs aborted due to concurrent repo builds/restore contention. Requires clean runner to validate SCANNER-ANALYZERS-NODE-22-001 changes.
 - Native analyzer format-detector tests (build-id/interpreter/UUID) blocked by solution restore contention; rerun on clean runner to validate SCANNER-ANALYZERS-NATIVE-20-001.
 ## Next Checkpoints
- Schedule sprint kickoff once Sprint 131 is marked DONE.
+- 2025-11-19: Sprint kickoff (owner: Scanner PM), contingent on Sprint 131 sign-off.
- Plan mid-sprint review after initial analyzer implementations land to validate observation exports and resolver behaviour.
+- 2025-11-26: Mid-sprint review (owner: EPDR Guild lead) to validate observation exports and resolver behavior.
--- a/docs/implplan/SPRINT_0138_0000_0001_scanner_ruby_parity.md
+++ b/docs/implplan/SPRINT_0138_0000_0001_scanner_ruby_parity.md
@@ -51,6 +51,7 @@
 | 2025-11-16 | Normalised sprint file to standard template and renamed to `SPRINT_0138_0000_0001_scanner_ruby_parity.md`; no semantic task changes. | Planning |
 | 2025-11-16 | `SCANNER-ENG-0008`: Published EntryTrace heuristic cadence doc and recorded task completion; cadence now scheduled quarterly with fixture-first workflow. | EntryTrace Guild |
 | 2025-11-16 | `SCANNER-ENG-0010..0014`: Marked BLOCKED pending design/staffing (PHP/Deno/Dart/Swift analyzers, Kubernetes/VM alignment); awaiting guild inputs. | Planning |
 | 2025-11-17 | Removed legacy filename `SPRINT_138_scanner_ruby_parity.md` and updated `docs/implplan/tasks-all.md` references to the canonical sprint name to avoid duplication. | Planning |
 ## Decisions & Risks
 - PHP analyzer pipeline (SCANNER-ENG-0010) blocked pending composer/autoload graph design + staffing; parity risk remains.
--- a/docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md
+++ b/docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md
@@ -1,3 +1,66 @@
 # Sprint 0140_0001_0001 · Runtime & Signals
 ## Topic & Scope
 - Coordinate Runtime & Signals wave (140.A Graph, 140.B SBOM Service, 140.C Signals, 140.D Zastava) across scanner surface caches, Link-Not-Merge schema, CAS/provenance approvals, and Surface.FS adoption.
 - Maintain a single status snapshot and decision log for upstream dependencies that gate 0141/0142/0143/0144 execution; keep mock bundle, schema freeze, and provenance approvals aligned.
 - Deliver updated status + risk record and handoffs to downstream sprints once entry criteria clear.
 - **Working directory:** `docs/implplan` (cross-module runtime/signals coordination sprint).
 ## Dependencies & Concurrency
 - Upstream: Sprint 120.A · AirGap feeds; Sprint 130.A · Scanner analyzer artifacts and Surface.FS caches; AUTH-SIG-26-001 scopes; Concelier Link-Not-Merge schema and fixtures.
 - Concurrent sprints: `SPRINT_0141_0001_0001_graph_indexer.md`, `SPRINT_0142_0001_0001_sbomservice.md`, `SPRINT_143_signals.md`, `SPRINT_0144_0001_0001_zastava_runtime_signals.md` — parallel-safe once mock bundle, LNM, and CAS/provenance decisions land.
 - Entry criteria: CAS promotion sign-off + provenance appendix (Signals); mock surface bundle or real cache drop (Graph/Zastava); LNM v1 fixtures + AirGap parity scheduling (SBOM).
 ## Documentation Prerequisites
 - docs/README.md
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 - docs/modules/platform/architecture-overview.md
 - docs/modules/scanner/architecture.md
 - docs/modules/graph/architecture.md
 - docs/modules/authority/architecture.md
 - docs/modules/concelier/architecture.md
 - docs/modules/zastava/architecture.md
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | 140.A Graph wave | DOING | Executing against scanner surface mock bundle v1; awaiting real cache ETA from Sprint 130.A for parity validation. | Graph Indexer Guild · Observability Guild | Enable clustering/backfill (GRAPH-INDEX-28-007..010) against mock bundle; update once cache ETA is published. |
 | 2 | 140.B SBOM Service wave | TODO | Link-Not-Merge v1 frozen 2025-11-17; need fixtures + AirGap parity review scheduling. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
 | 3 | 140.C Signals wave | DOING | CAS promotion + signed manifest rollout; provenance appendix + runtime backfill before scoring. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
 | 4 | 140.D Zastava wave | BLOCKED | Waiting on Surface.FS cache drop plan + Surface.Env helper ownership. | Zastava Observer/Webhook Guilds · Surface Guild | Prepare env/secret helpers and admission hooks; start once cache endpoints and helpers are published. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-18 | Added cache parity checklist to prep Graph revalidation once Scanner caches drop; mock bundle execution ongoing. | Planning |
 | 2025-11-18 | Started Graph wave execution on scanner surface mock bundle v1; tracking cache ETA for parity validation. | Planning |
 | 2025-11-18 | Normalised sprint to standard template and renamed from `SPRINT_140_runtime_signals.md`; scope unchanged, legacy detail retained below. | Planning |
 | 2025-11-17 | Coordinator decisions: LNM v1 frozen; scanner mock bundle ordered; Surface.FS CI cache approved; SBOM-SERVICE-21-001..004 and GRAPH-INDEX-28-007 flipped to TODO; Graph wave now DOING on mock bundle. | Planning |
 | 2025-11-13 | Snapshot, wave tracker, meeting prep, and action items refreshed ahead of Nov 13 checkpoints. | Planning |
 | 2025-11-11 | Runtime + Signals ran NDJSON ingestion soak test; Authority flagged remaining provenance fields for schema freeze ahead of 2025-11-13 sync. | Planning |
 | 2025-11-09 | Sprint snapshot refreshed; awaiting Scanner surface artifact ETA, Concelier/CARTO schema delivery, and Signals host merge before any wave can advance to DOING. | Planning |
 ## Decisions & Risks
 - Operating Graph/Zastava on scanner surface mock bundle v1 until real caches publish; ETA still outstanding.
 - Link-Not-Merge v1 schema frozen 2025-11-17; fixtures due 2025-11-18; AirGap parity review still required for SBOM endpoints.
 - CAS promotion + signed manifest approval pending; blocks closing SIGNALS-24-002 and downstream scoring/cache work (24-004/005).
 - Runtime provenance appendix not yet frozen; delays SIGNALS-24-003 enrichment/backfill and creates risk of double uploads.
 - Surface.FS cache drop timeline uncertain; Zastava env/secret/admission tasks remain blocked until cache endpoints + helper ownership are published.
 - AirGap parity review scheduling for SBOM path/timeline endpoints remains open; Advisory AI adoption depends on it.
 ## Next Checkpoints
 | Date (UTC) | Session | Goal | Owner(s) |
 | --- | --- | --- | --- |
 | 2025-11-18 (overdue) | LNM v1 fixtures drop | Commit canonical JSON fixtures; confirm add-only evolution and publish location. | Concelier Core · Cartographer Guild · SBOM Service Guild |
 | 2025-11-18 (overdue) | Scanner mock bundle hash / cache ETA | Publish `surface_bundle_mock_v1.tgz` hash plus real cache delivery timeline. | Scanner Guild |
 | 2025-11-18 (overdue) | CAS promotion go/no-go | Approve CAS bucket policies and signed manifest rollout for SIGNALS-24-002. | Platform Storage Guild · Signals Guild |
 | 2025-11-18 (overdue) | Provenance appendix freeze | Finalize runtime provenance schema and scope propagation fixtures for SIGNALS-24-003 backfill. | Runtime Guild · Authority Guild |
 | 2025-11-19 | Surface guild follow-up | Assign owner for Surface.Env helper rollout and confirm Surface.FS cache drop sequencing. | Surface Guild · Zastava Guilds |
 ---
 ## Legacy detail (preserved from pre-normalization)
 # Sprint 140 - Runtime & Signals
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
@@ -8,25 +71,25 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 | Wave | Guild owners | Shared prerequisites | Status | Notes |
 | --- | --- | --- | --- | --- |
-| 140.A Graph | Graph Indexer Guild · Observability Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner (phase I tracked under `docs/implplan/SPRINT_130_scanner_surface.md`) | BLOCKED | Analyzer artifacts ETA from Sprint 130 is overdue (missed 2025-11-13); clustering/backfill waits on ETA or mock payload plan. |
+| 140.A Graph | Graph Indexer Guild · Observability Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner (phase I tracked under `docs/implplan/SPRINT_130_scanner_surface.md`) | DOING | Executing on scanner surface mock bundle v1; real cache ETA still required for parity validation and to flip to real inputs. |
 | 140.B SbomService | SBOM Service Guild · Cartographer Guild · Observability Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner | TODO | Projection schema remains blocked on Concelier outputs; keep AirGap parity requirements in scope. |
-| 140.C Signals | Signals Guild · Authority Guild (for scopes) · Runtime Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner | BLOCKED | CAS checklist + provenance appendix overdue; callgraph retrieval live but artifacts not trusted until CAS/signing lands. |
+| 140.C Signals | Signals Guild · Authority Guild (for scopes) · Runtime Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner | DOING (red) | CAS checklist + provenance appendix overdue; callgraph retrieval live but artifacts not trusted until CAS/signing lands. |
 | 140.D Zastava | Zastava Observer/Webhook Guilds · Security Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner | BLOCKED | Surface.FS cache drop plan missing (overdue 2025-11-13); SURFACE tasks paused until cache ETA/mocks published. |
 # Status snapshot (2025-11-18)
- **140.A Graph** – GRAPH-INDEX-28-007/008/009/010 are BLOCKED while Sprint 130 analyzer artifacts remain overdue; clustering/backfill/fixture scaffolds stay staged pending ETA or mock payloads.
+- **140.A Graph** – DOING on scanner surface mock bundle v1 (decision 2025-11-17); real cache ETA still required but no longer blocks coding/fixtures; will revalidate outputs when caches land.
- **140.B SbomService** – Advisory AI, console, and orchestrator tracks stay TODO; SBOM-SERVICE-21-001..004 remain BLOCKED waiting for Concelier Link-Not-Merge (`CONCELIER-GRAPH-21-001`) plus Cartographer schema (`CARTO-GRAPH-21-002`), and AirGap parity must be re-validated once schemas land. Teams are refining projection docs so we can flip to DOING as soon as payloads land.
+- **140.B SbomService** – Link-Not-Merge v1 frozen 2025-11-17; SBOM-SERVICE-21-001..004 can proceed on frozen schema with add-only evolution and fixtures; AirGap parity review remains required but not blocking coding.
 - **140.C Signals** – SIGNALS-24-001 shipped on 2025-11-09; SIGNALS-24-002 is RED/BLOCKED with CAS promotion + signed manifest tooling pending; SIGNALS-24-003 is DOING but awaits provenance appendix and runtime feed reconciliation. Scoring/cache work (SIGNALS-24-004/005) stays BLOCKED until CAS/provenance and runtime uploads stabilize.
 - **140.D Zastava** – ZASTAVA-ENV/SECRETS/SURFACE tracks are BLOCKED because Surface.FS cache outputs from Scanner are still unavailable; guilds continue prepping Surface.Env helper adoption and sealed-mode scaffolding while caches are pending.
-## Wave task tracker (refreshed 2025-11-13)
+## Wave task tracker (refreshed 2025-11-18)
 ### 140.A Graph
 | Task ID | State | Notes |
 | --- | --- | --- |
-| GRAPH-INDEX-28-007 | BLOCKED-w/escalation | Clustering/centrality jobs queued behind overdue Sprint 130 analyzer artifacts; design work complete but implementation held. |
+| GRAPH-INDEX-28-007 | DOING | Running on scanner surface mock bundle v1; will revalidate once real cache ETA publishes. |
 | GRAPH-INDEX-28-008 | BLOCKED-w/escalation | Incremental update/backfill pipeline depends on 28-007 artifacts; retry/backoff plumbing sketched but blocked. |
 | GRAPH-INDEX-28-009 | BLOCKED-w/escalation | Test/fixture/chaos coverage waits on earlier jobs to exist so determinism checks have data. |
 | GRAPH-INDEX-28-010 | BLOCKED-w/escalation | Packaging/offline bundles paused until upstream graph jobs are available to embed. |
@@ -42,10 +105,10 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 | SBOM-ORCH-32-001 | TODO | Orchestrator registration is sequenced after projection schema because payload shapes map into job metadata. |
 | SBOM-ORCH-33-001 | TODO | Backpressure/telemetry features depend on 32-001 workers. |
 | SBOM-ORCH-34-001 | TODO | Backfill + watermark logic requires the orchestrator integration from 33-001. |
-| SBOM-SERVICE-21-001 | BLOCKED | Normalized SBOM projection schema cannot ship until Concelier (`CONCELIER-GRAPH-21-001`) delivers Link-Not-Merge definitions. |
+| SBOM-SERVICE-21-001 | TODO | Link-Not-Merge v1 frozen (2025-11-17); proceed with projection schema + fixtures. |
-| SBOM-SERVICE-21-002 | BLOCKED | Change events hinge on 21-001 response contract; no work underway. |
+| SBOM-SERVICE-21-002 | TODO | Depends on 21-001 implementation; schema now frozen. |
-| SBOM-SERVICE-21-003 | BLOCKED | Entry point/service node management blocked behind 21-002 event outputs. |
+| SBOM-SERVICE-21-003 | TODO | Entry point/service node management follows 21-002; proceed with stub fixtures. |
-| SBOM-SERVICE-21-004 | BLOCKED | Observability wiring follows projection + event pipelines; on hold. |
+| SBOM-SERVICE-21-004 | TODO | Observability wiring to follow 21-003; unblock with mock feeds. |
 | SBOM-SERVICE-23-001 | TODO | Asset metadata extensions queued once 21-004 observability baseline exists. |
 | SBOM-SERVICE-23-002 | TODO | Asset update events depend on 23-001 schema. |
 | SBOM-VULN-29-001 | TODO | Inventory evidence feed deferred until projection schema + runtime align. |
@@ -76,14 +139,22 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 | Task ID | Remaining work | Target date | Owners |
 | --- | --- | --- | --- |
 | GRAPH-INDEX-28-007 | Continue execution on scanner surface mock bundle v1; revalidate outputs once real cache drops and manifests are available. | TBD (await cache ETA) | Graph Indexer Guild · Observability Guild |
 | SIGNALS-24-002 | Promote callgraph CAS buckets to prod scopes, publish signed manifest metadata, document retention/GC policy, wire alerts for failed graph retrievals. | 2025-11-14 | Signals Guild, Platform Storage Guild |
 | SIGNALS-24-003 | Finalize provenance/context enrichment (Authority scopes + runtime metadata), support NDJSON batch provenance, backfill existing facts, and validate AOC contract. | 2025-11-15 | Signals Guild, Runtime Guild, Authority Guild |
-## Wave readiness checklist (2025-11-13)
+### Graph cache parity checklist (ready for cache drop)
 - Capture `surface_bundle_mock_v1.tgz` hash and record node/edge counts, cluster counts, and checksum of emitted fixtures.
 - Define tolerant variance thresholds for clustering/centrality determinism (e.g., Louvain modularity delta ≤ 0.001 across runs).
 - Prepare rerun script to diff mock vs real cache outputs (IDs, cluster labels, metrics) and emit NDJSON of divergences.
 - Track CPU/memory/runtime metrics for mock vs cache replays to spot performance regressions.
 - Export minimal fixtures for downstream consumers (Graph UI overlays, Zastava surface) after real-cache validation.
 ## Wave readiness checklist (2025-11-18)
 | Wave | Entry criteria | Prep status | Next checkpoint |
 | --- | --- | --- | --- |
-| 140.A Graph | Scanner surface analyzer artifacts + SBOM projection schema for clustering inputs. | Job scaffolds and determinism harness drafted; waiting on artifact ETA. | 2025-11-13 cross-guild sync (Scanner ↔ Graph) to lock delivery window. |
+| 140.A Graph | Scanner surface analyzer artifacts + SBOM projection schema for clustering inputs. | Executing on scanner surface mock bundle v1; determinism harness drafted; Scanner cache ETA still pending for parity validation. | 2025-11-19 cross-guild follow-up to confirm cache drop timeline. |
 | 140.B SbomService | Concelier Link-Not-Merge + Cartographer projection schema, plus AirGap parity review. | Projection doc redlines complete; schema doc ready for Concelier feedback. | 2025-11-14 schema review (Concelier, Cartographer, SBOM). |
 | 140.C Signals | CAS promotion approval + runtime provenance contract + AUTH-SIG-26-001 sign-off. | HOST + callgraph retrieval merged; CAS/provenance work tracked in DOING table above. | 2025-11-13 runtime sync to approve CAS rollout + schema freeze. |
 | 140.D Zastava | Surface.FS cache availability + Surface.Env helper specs published. | Env/secrets design notes ready; waiting for Scanner cache drop and Surface.FS API stubs. | 2025-11-15 Surface guild office hours to confirm helper adoption plan. |
@@ -101,9 +172,9 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 | Dependency | Status | Latest detail | Owner(s) / follow-up |
 | --- | --- | --- | --- |
 | AUTH-SIG-26-001 (Signals scopes + AOC) | DONE (2025-10-29) | Authority shipped scope + role templates; Signals is validating propagation + provenance enrichment before enabling scoring. | Authority Guild · Runtime Guild · Signals Guild |
-| CONCELIER-GRAPH-21-001 (SBOM projection enrichment) | BLOCKED (2025-10-27) | Awaiting Cartographer schema + Link-Not-Merge contract; SBOM/Graph/Zastava work cannot proceed without enriched projections. | Concelier Core · Cartographer Guild |
+| CONCELIER-GRAPH-21-001 (SBOM projection enrichment) | TODO | Link-Not-Merge v1 frozen (2025-11-17); proceed to finalize payload and fixtures. | Concelier Core · Cartographer Guild |
-| CONCELIER-GRAPH-21-002 / CARTO-GRAPH-21-002 (SBOM change events) | BLOCKED (2025-10-27) | Change event contract depends on 21-001; Cartographer has not provided webhook schema yet. | Concelier Core · Cartographer Guild · Platform Events Guild |
+| CONCELIER-GRAPH-21-002 / CARTO-GRAPH-21-002 (SBOM change events) | TODO | Depends on 21-001 now proceeding; align webhook schema with frozen LNM. | Concelier Core · Cartographer Guild · Platform Events Guild |
-| Sprint 130 Scanner surface artifacts | ETA pending | Analyzer artifact publication schedule still outstanding; Graph/Zastava need cache outputs and manifests. | Scanner Guild · Graph Indexer Guild · Zastava Guilds |
+| Sprint 130 Scanner surface artifacts | ETA pending | Mock bundle v1 in use for Graph; still need real cache publication schedule plus manifests for parity validation and Zastava start. | Scanner Guild · Graph Indexer Guild · Zastava Guilds |
 | AirGap parity review (Sprint 120.A) | Not scheduled | SBOM path/timeline endpoints must re-pass AirGap checklist once Concelier schema lands; reviewers on standby. | AirGap Guild · SBOM Service Guild |
 ## Upcoming checkpoints (updated 2025-11-13)
@@ -155,25 +226,25 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 | Concelier/Cartographer schema review stalls | Capture outstanding fields/issues, loop in Advisory AI + AirGap leadership, and evaluate temporary schema adapters for SBOM Service. | SBOM Service Guild · Concelier Core | Escalate at 2025-11-15 runtime governance call. |
 | Surface.Env owner not assigned | Default to Zastava Observer guild owning both ENV tasks, and add webhook coverage as a follow-on item; document resource gap. | Surface Guild · Zastava Observer Guild | Escalate by 2025-11-16. |
-## Action item tracker (status as of 2025-11-13)
+## Action item tracker (status as of 2025-11-18)
 | Item | Status | Next step | Owner(s) | Due |
 | --- | --- | --- | --- | --- |
-| CAS checklist feedback | In review | Platform Storage to mark checklist “approved” or add blockers before runtime sync. | Platform Storage Guild | 2025-11-13 |
+| CAS checklist feedback | Past due — awaiting decision | Platform Storage to mark checklist “approved” or list blockers for runtime sync. | Platform Storage Guild | 2025-11-13 |
-| Signed manifest PRs | Ready for merge | Signals to merge once CAS checklist approved, then deploy to staging. | Signals Guild | 2025-11-14 |
+| Signed manifest PRs | Pending CAS approval | Merge once CAS checklist approved, then deploy to staging. | Signals Guild | 2025-11-14 |
-| Provenance schema appendix | Drafted | Runtime/Authority to publish final appendix + fixtures to repo. | Runtime Guild · Authority Guild | 2025-11-13 |
+| Provenance schema appendix | Past due — draft exists | Runtime/Authority to publish final appendix + fixtures to repo. | Runtime Guild · Authority Guild | 2025-11-13 |
-| Scanner artifact roadmap | Draft in Scanner doc | Publish final ETA + delivery format after readiness sync. | Scanner Guild | 2025-11-13 |
+| Scanner artifact roadmap | Past due — ETA required | Publish final surface cache ETA + delivery format after readiness sync. | Scanner Guild | 2025-11-13 |
-| Link-Not-Merge schema redlines | Circulated | Concelier/Cartographer/SBOM to sign off during Nov 14 review. | Concelier Core · Cartographer Guild · SBOM Service Guild | 2025-11-14 |
+| Link-Not-Merge schema redlines | Decision pending | Concelier/Cartographer/SBOM to sign off; fixtures still needed. | Concelier Core · Cartographer Guild · SBOM Service Guild | 2025-11-14 |
-| Surface.Env adoption checklist | Outline ready | Surface guild to confirm owner and add step-by-step instructions post office hours. | Surface Guild · Zastava Guilds | 2025-11-15 |
+| Surface.Env adoption checklist | Past due — owner assignment needed | Surface guild to confirm owner and add step-by-step instructions. | Surface Guild · Zastava Guilds | 2025-11-15 |
-## Standup agenda (2025-11-13)
+## Standup agenda (2025-11-19)
 | Track | Questions / updates to cover | Owner ready to report |
 | --- | --- | --- |
-| 140.A Graph | Did Scanner commit to an analyzer artifact ETA? If not, what mock data or alternate scope can Graph tackle? | Graph Indexer Guild |
+| 140.A Graph | Confirm Scanner cache ETA; align parity checklist and revalidation plan once caches land. | Graph Indexer Guild |
-| 140.B SbomService | Are Concelier/CARTO reviewers aligned on schema redlines ahead of the Nov 14 meeting? Any AirGap checklist prep gaps? | SBOM Service Guild |
+| 140.B SbomService | LNM fixtures and schema sign-off status? AirGap review scheduling? | SBOM Service Guild |
-| 140.C Signals | Status of CAS approval + signed manifest merges? Is provenance schema appendix ready for publication? Any blockers for runtime backfill? | Signals Guild · Runtime Guild · Authority Guild |
+| 140.C Signals | CAS approval + signed manifest merge status; provenance appendix publication; backfill start date. | Signals Guild · Runtime Guild · Authority Guild |
-| 140.D Zastava | What dependencies remain besides Surface.FS cache drop? Do we have a draft owner for Surface.Env rollout? | Zastava Guilds |
+| 140.D Zastava | Surface.FS cache drop plan and Surface.Env owner assignment; any sealed-mode gaps. | Zastava Guilds |
 | Cross-track | Upcoming decisions/risks from the contingency playbook that need leadership visibility today? | Sprint 140 leads |
 # Blockers & coordination
@@ -185,17 +256,17 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 - **CAS promotion + signed manifests** – SIGNALS-24-002 cannot close until Storage guild reviews CAS promotion plan and manifest signing tooling; downstream scoring needs immutable graph IDs.
 - **Runtime provenance wiring** – SIGNALS-24-003 still needs Authority scope propagation and NDJSON provenance mapping before runtime feeds can unblock scoring/cache layers.
-# Next actions (target: 2025-11-14)
+# Next actions (target: 2025-11-20)
 | Owner(s) | Action |
 | --- | --- |
-| Graph Indexer Guild | Use 2025-11-13 Scanner sync to lock analyzer artifact ETA; keep clustering/backfill scaffolds staged so GRAPH-INDEX-28-007 can flip to DOING immediately after feeds land. |
+| Graph Indexer Guild | Running GRAPH-INDEX-28-007 on mock bundle v1; need Scanner to provide cache ETA/manifests to revalidate and shift to real inputs; parity checklist ready for cache drop. |
-| SBOM Service Guild | Circulate redlined projection schema to Concelier/Cartographer ahead of the 2025-11-14 review; scaffold SBOM-SERVICE-21-001 PR so coding can start once schema is approved. |
+| SBOM Service Guild | Secure LNM fixtures and schema sign-off; schedule AirGap review; be ready to scaffold SBOM-SERVICE-21-001 once fixtures land. |
-| Signals Guild | Merge CAS promotion + signed manifest PRs, then pivot to SIGNALS-24-003 provenance enrichment/backfill; prepare scoring/cache kickoff deck for 24-004/005 owners. |
+| Signals Guild | Escalate CAS promotion + signed manifest approval; merge once approved; start provenance enrichment/backfill (SIGNALS-24-003). |
-| Runtime & Authority Guilds | Use delivered AUTH-SIG-26-001 scopes to finish propagation validation, freeze provenance schema, and hand off fixtures to Signals before 2025-11-15. |
+| Runtime & Authority Guilds | Publish final provenance appendix + fixtures; confirm scope propagation; unblock SIGNALS-24-003 backfill. |
-| Platform Storage Guild | Review CAS bucket policies/GC guardrails from the 2025-11-12 checklist and provide written sign-off before runtime sync on 2025-11-13. |
+| Platform Storage Guild | Deliver CAS bucket policy sign-off to unblock SIGNALS-24-002. |
-| Scanner Guild | Publish Sprint 130 surface artifact roadmap + Surface.FS cache drop timeline so Graph/Zastava can schedule start dates; provide mock datasets if slips extend past 2025-11-15. |
+| Scanner Guild | Publish surface cache ETA/hash and manifests; unblock Graph revalidation and Zastava Surface tasks. |
-| Zastava Guilds | Convert Surface.Env helper adoption notes into a ready-to-execute checklist, align sealed-mode tests, and be prepared to start once Surface.FS caches are announced. |
+| Zastava Guilds | Assign Surface.Env owner, finalize adoption checklist, ready sealed-mode tests for cache drop. |
 # Downstream dependency rollup (snapshot: 2025-11-13)
@@ -210,8 +281,11 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 | Risk | Impact | Mitigation / owner |
 | --- | --- | --- |
-| Concelier Link-Not-Merge schema slips | SBOM-SERVICE-21-001..004 + Advisory AI SBOM endpoints stay blocked | Concelier + Cartographer guilds to publish CARTO-GRAPH-21-002 ETA during next coordination call; SBOM guild to prep schema doc meanwhile. |
+| Concelier Link-Not-Merge schema slips | SBOM-SERVICE-21-001..004 + Advisory AI SBOM endpoints stay blocked | Resolved: LNM v1 frozen 2025-11-17; Cartographer to ship fixtures and change-event schema additively. |
-| Scanner surface artifact delay | GRAPH-INDEX-28-007+ and ZASTAVA-SURFACE-* cannot even start | Scanner guild to deliver analyzer artifact roadmap; Graph/Zastava teams to prepare mocks/tests in advance; escalation sent 2025-11-17. |
+| Scanner surface artifact delay | GRAPH-INDEX-28-007+ and ZASTAVA-SURFACE-* to start with mock bundle; real cache ETA still required | Scanner guild to deliver analyzer artifact roadmap + mock bundle v1 within 24h; Graph/Zastava teams executing on mock; escalation sent 2025-11-17. |
 | Scanner mock bundle delivery | GRAPH-INDEX-28-007+; ZASTAVA-SURFACE-* | Scanner Guild | 2025-11-18 | Provide `surface_bundle_mock_v1.tgz` + hash; publish real cache ETA. |
 | Record mock bundle hash/location | GRAPH-INDEX-28-007+; ZASTAVA-SURFACE-* | Scanner Guild | 2025-11-18 | Placeholder: update with hash/URI once published. |
 | LNM fixtures publication | SBOM-SERVICE-21-001..004; CONCELIER-GRAPH-21-* | Concelier Core · Cartographer · SBOM Service | 2025-11-18 | Commit 4–6 canonical JSON fixtures; add-only evolution. |
 | Signals host/callgraph merge misses 2025-11-09 | SIGNALS-24-003/004/005 remain blocked, pushing reachability scoring past sprint goals | Signals + Authority guilds to prioritize AUTH-SIG-26-001 review and merge SIGNALS-24-001/002 before 2025-11-10 standup. |
 | Authority build regression (`PackApprovalFreshAuthWindow`) | Signals test suite cannot run in CI, delaying validation of new endpoints | Coordinate with Authority guild to restore missing constant in `StellaOps.Auth.ServerIntegration`; rerun Signals tests once fixed. |
 | CAS promotion slips past 2025-11-14 | SIGNALS-24-002 cannot close; reachability scoring has no trusted graph artifacts | Signals + Platform Storage to co-own CAS rollout checklist, escalate blockers during 2025-11-13 runtime sync. |
@@ -221,6 +295,7 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 | Date | Notes |
 | --- | --- |
 | 2025-11-17 | Coordinator decisions: LNM v1 frozen; scanner mock bundle ordered; Surface.FS CI cache approved; SBOM-SERVICE-21-001..004 and GRAPH-INDEX-28-007 switched to TODO. |
 | 2025-11-17 | Marked Graph/Zastava waves BLOCKED (missing Sprint 130 analyzer ETA); escalated to Scanner leadership per contingency. |
 | 2025-11-13 | Snapshot, wave tracker, meeting prep, and action items refreshed ahead of Nov 13 checkpoints; awaiting outcomes before flipping statuses. |
 | 2025-11-11 | Runtime + Signals ran NDJSON ingestion soak test; Authority flagged remaining provenance fields for schema freeze ahead of 2025-11-13 sync. |
--- a/docs/implplan/SPRINT_0141_0001_0001_graph_indexer.md
+++ b/docs/implplan/SPRINT_0141_0001_0001_graph_indexer.md
@@ -0,0 +1,45 @@
 # Sprint 0141 · Graph Indexer (Runtime & Signals 140.A)
 ## Topic & Scope
 - Stand up graph clustering and centrality background jobs plus incremental/backfill pipelines for runtime & signals ingestion.
 - Deliver deterministic tests/fixtures and packaging for offline-first deployments with backlog and observability metrics.
 - Use scanner surface mock bundle v1 until real caches arrive.
 - **Working directory:** `src/Graph/StellaOps.Graph.Indexer`.
 ## Dependencies & Concurrency
 - Upstream: Sprint 120.A · AirGap (offline feeds) and Sprint 130.A · Scanner (surface/mock bundle availability).
 - Pre-req task GRAPH-INDEX-28-006 (baseline overlays) must land before 28-007 clustering; track as inbound dependency.
 - Coordinate with Observability Guild for metrics pipeline; parallel execution otherwise safe once mock bundle is fixed.
 ## Documentation Prerequisites
 - docs/modules/graph/README.md
 - docs/modules/graph/architecture.md
 - docs/modules/graph/implementation_plan.md
 - docs/modules/platform/architecture-overview.md
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | GRAPH-INDEX-28-007 | BLOCKED | Waiting on GRAPH-INDEX-28-006 overlays + schedule config design | Graph Indexer Guild · Observability Guild | Implement clustering/centrality background jobs (Louvain/degree/betweenness approximations) with configurable schedules; persist cluster ids on nodes; expose metrics. |
 | 2 | GRAPH-INDEX-28-008 | BLOCKED | Unblock after 28-007; confirm change streams + retry/backoff settings | Graph Indexer Guild | Provide incremental update & backfill pipeline with change streams, retry/backoff, idempotent ops, backlog metrics. |
 | 3 | GRAPH-INDEX-28-009 | BLOCKED | Downstream of 28-008 data paths | Graph Indexer Guild · QA Guild | Add unit/property/integration tests, synthetic large-graph fixtures, chaos tests (missing overlays, cycles), determinism checks across runs. |
 | 4 | GRAPH-INDEX-28-010 | BLOCKED | Needs outputs from 28-009; align with Offline Kit owners | Graph Indexer Guild · DevOps Guild | Package deployment artefacts (Helm/Compose), offline seed bundles, configuration docs; integrate Offline Kit. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-17 | Marked tasks 28-007 through 28-010 as BLOCKED pending upstream 28-006 overlays and scanner cache availability. | Planning |
 | 2025-11-17 | Normalised sprint to standard template; renamed from SPRINT_141_graph.md; scope unchanged. | Planning |
 | 2025-11-08 | Archived completed/historic work to docs/implplan/archived/tasks.md. | Planning |
 ## Decisions & Risks
 - Operating on scanner surface mock bundle v1 until real caches arrive; reassess when Sprint 130.A delivers caches.
 - All tasks currently blocked until GRAPH-INDEX-28-006 overlays land; confirm delivery date and update schedule config accordingly.
 - Determinism risk for clustering approximations; require repeat-run variance checks in 28-009.
 - Ensure offline seed bundles stay in sync with AirGap feeds from Sprint 120.A.
 ## Next Checkpoints
 - 2025-11-19 · Confirm availability/timeline for scanner surface caches. Owner: Graph Indexer Guild.
 - 2025-11-21 · Dependency check on GRAPH-INDEX-28-006 readiness with Observability Guild.
 - 2025-11-26 · Packaging/Offline Kit alignment checkpoint with DevOps Guild after 28-009 test results.
--- a/docs/implplan/SPRINT_0142_0001_0001_sbomservice.md
+++ b/docs/implplan/SPRINT_0142_0001_0001_sbomservice.md
@@ -0,0 +1,79 @@
 # Sprint 0142_0001_0001 · Runtime & Signals — SBOM Service
 ## Topic & Scope
 - Runtime & Signals stream focusing on SBOM Service projections, APIs, and orchestrator integration to support Advisory AI, Console, Graph overlays, and Vuln Explorer consumers.
 - Freeze Link-Not-Merge (LNM) v1 SBOM projection schema and publish deterministic read APIs (paths, timelines, projections) with strict tenant enforcement.
 - Integrate SBOM ingest/index with orchestrator backpressure and reconciliation and emit events for downstream graph/indexer pipelines.
 - Working directory: `src/SbomService/StellaOps.SbomService`.
 ## Dependencies & Concurrency
 - Upstream: Sprint 120.A (AirGap); Sprint 130.A (Scanner).
 - Concurrency: Track alongside other Runtime & Signals 140-series sprints; safe in parallel if orchestrator contracts stay stable.
 ## Documentation Prerequisites
 - docs/README.md
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 - docs/modules/platform/architecture-overview.md
 - docs/modules/sbomservice/architecture.md (module dossier).
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | SBOM-AIAI-31-001 | DONE | Implemented `/sbom/paths` with env/blast-radius/runtime flags + cursor paging and `/sbom/versions` timeline; in-memory deterministic seed until storage wired. | SBOM Service Guild (src/SbomService/StellaOps.SbomService) | Provide path and version timeline endpoints optimised for Advisory AI. |
 | 2 | SBOM-AIAI-31-002 | DOING | Module charter added; continue metrics work and dashboards. | SBOM Service Guild; Observability Guild | Instrument metrics for path/timeline queries and surface dashboards. |
 | 3 | SBOM-CONSOLE-23-001 | DOING | Module charter added; continue `/console/sboms` implementation and schema/storage backing. | SBOM Service Guild; Cartographer Guild | Provide Console-focused SBOM catalog API. |
 | 4 | SBOM-CONSOLE-23-002 | TODO | Depends on SBOM-CONSOLE-23-001; cache-aware component lookup powering global search and Graph overlays; enforce tenant boundaries. | SBOM Service Guild | Deliver component lookup endpoints for search and overlays. |
 | 5 | SBOM-ORCH-32-001 | TODO | Register SBOM ingest/index sources; embed worker SDK; emit artifact hashes and job metadata. | SBOM Service Guild | Register SBOM ingest/index sources with orchestrator. |
 | 6 | SBOM-ORCH-33-001 | TODO | Depends on SBOM-ORCH-32-001; report backpressure metrics, honor pause/throttle signals, classify sbom job errors. | SBOM Service Guild | Report backpressure metrics and handle orchestrator control signals. |
 | 7 | SBOM-ORCH-34-001 | TODO | Depends on SBOM-ORCH-33-001; implement orchestrator backfill and watermark reconciliation for idempotent artifact reuse. | SBOM Service Guild | Implement orchestrator backfill + watermark reconciliation. |
 | 8 | SBOM-SERVICE-21-001 | BLOCKED | Waiting on LNM v1 fixtures (due 2025-11-18 UTC) to freeze schema; then publish normalized SBOM projection read API with pagination + tenant enforcement. | SBOM Service Guild; Cartographer Guild | Link-Not-Merge v1 frozen schema and deterministic read API. |
 | 9 | SBOM-SERVICE-21-002 | TODO | Depends on SBOM-SERVICE-21-001; emit `sbom.version.created` change events and add replay/backfill tooling. | SBOM Service Guild; Scheduler Guild | Emit change events carrying digest/version metadata for Graph Indexer builds. |
 | 10 | SBOM-SERVICE-21-003 | TODO | Depends on SBOM-SERVICE-21-002; entrypoint/service node management API feeding Cartographer path relevance with deterministic defaults. | SBOM Service Guild | Provide entrypoint/service node management API. |
 | 11 | SBOM-SERVICE-21-004 | TODO | Depends on SBOM-SERVICE-21-003; wire metrics (`sbom_projection_seconds`, `sbom_projection_size`), traces, tenant-annotated logs; set backlog alerts. | SBOM Service Guild; Observability Guild | Wire observability for SBOM projections. |
 | 12 | SBOM-SERVICE-23-001 | TODO | Depends on SBOM-SERVICE-21-004; extend projections with asset metadata (criticality, owner, environment, exposure flags); update schema docs. | SBOM Service Guild; Policy Guild | Extend projections to include asset metadata. |
 | 13 | SBOM-SERVICE-23-002 | TODO | Depends on SBOM-SERVICE-23-001; emit `sbom.asset.updated` events with idempotent payloads; document envelopes. | SBOM Service Guild; Platform Events Guild | Emit asset metadata change events. |
 | 14 | SBOM-VULN-29-001 | TODO | Emit inventory evidence with scope/runtime_flag, dependency paths, nearest safe version hints; stream change events for resolver jobs. | SBOM Service Guild | Emit inventory evidence for vulnerability flows. |
 | 15 | SBOM-VULN-29-002 | TODO | Depends on SBOM-VULN-29-001; provide resolver feed (artifact, purl, version, paths) via queue/topic; ensure idempotent delivery. | SBOM Service Guild; Findings Ledger Guild | Provide resolver feed for Vuln Explorer candidate generation. |
 ## Action Tracker
 | Action | Owner(s) | Due | Status |
 | --- | --- | --- | --- |
 | Provide LNM v1 fixtures for SBOM projections. | Cartographer Guild | 2025-11-18 | Pending |
 | Publish orchestrator control contract for pause/throttle/backfill signals. | Orchestrator Guild | 2025-11-19 | Pending |
 | Create `src/SbomService/AGENTS.md` (roles, prerequisites, determinism/testing rules). | SBOM Service Guild · Module PM | 2025-11-19 | DONE |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-17 | Normalised sprint to standard template and renamed from `SPRINT_142_sbomservice.md`; no scope changes. | Project Mgmt |
 | 2025-11-17 | Flagged need for SBOM Service module dossier as documentation prerequisite. | Project Mgmt |
 | 2025-11-17 | Authored `docs/modules/sbomservice/architecture.md`; added to prerequisites; set SBOM-SERVICE-21-001 to BLOCKED pending LNM v1 fixtures. | Project Mgmt |
 | 2025-11-17 | Delivered Advisory AI path/timeline endpoints (`/sbom/paths`, `/sbom/versions`) with deterministic seed + tests; SBOM-AIAI-31-001 marked DONE. | SBOM Service |
 | 2025-11-17 | Added latency/query metrics for Advisory AI endpoints; dashboards + cache-hit tracking to follow. | SBOM Service |
 | 2025-11-17 | Implemented stub `/console/sboms` with filters, cursor paging, evaluation metadata; seeded deterministic catalog for UI/Console consumers. | SBOM Service |
 | 2025-11-17 | Attempted `dotnet test` for SbomService.Tests; aborted ~45s due to repo-wide build churn. | SBOM Service |
 | 2025-11-17 | Added cache-hit tagging on metrics for paths/versions/console catalog; tests still pending due to build abort. | SBOM Service |
 | 2025-11-18 | Scoped builds (`dotnet build` on SbomService csproj/solution) repeatedly aborted by cross-solution churn; tests remain unrun. | SBOM Service |
 | 2025-11-18 | Additional targeted build of `StellaOps.SbomService.csproj` aborted (~48s) due to repo churn; testing still blocked. | SBOM Service |
 | 2025-11-18 | Marked SBOM-AIAI-31-002 and SBOM-CONSOLE-23-001 BLOCKED due to missing `src/SbomService/AGENTS.md`; implementation paused until charter is published. | Implementer |
 | 2025-11-18 | Added Action Tracker and tracked new AGENTS creation task (`AGENTS-SBOMSERVICE`) to unblock implementation. | Implementer |
 | 2025-11-18 | Added `src/SbomService/AGENTS.md`; unblocked SBOM-AIAI-31-002 and SBOM-CONSOLE-23-001 (statuses set to DOING). | Implementer |
 ## Decisions & Risks
 - LNM v1 fixtures due 2025-11-18 remain outstanding; SBOM-SERVICE-21-001 stays BLOCKED until fixtures land.
 - Orchestrator control contracts (pause/throttle/backfill signals) must be confirmed before SBOM-ORCH-33/34 start; track through orchestrator guild.
 - Keep `docs/modules/sbomservice/architecture.md` aligned with schema/event decisions made during implementation.
 - Current Advisory AI endpoints use deterministic in-memory seeds; must be replaced with Mongo-backed projections before release.
 - Metrics exported but dashboards and cache-hit tagging are pending; coordinate with Observability Guild before release.
 - Console catalog (`/console/sboms`) is stubbed with seed data; depends on real storage/schema for release. Tests not yet executed end-to-end due to build abort; rerun dotnet test once package reference duplicates are resolved.
 - Local test run aborted due to long repository-wide build; rerun `dotnet test src/SbomService/StellaOps.SbomService.Tests/StellaOps.SbomService.Tests.csproj -v q` when build window is available to validate new endpoints.
 - Metrics now include `cache_hit` tagging; dashboards remain outstanding. Test runs continue to abort due to long builds—schedule in a quiet window or build-only the SbomService solution subset before rerunning tests.
 - Build/test runs for SbomService currently blocked by whole-solution churn; need a quiet window or targeted build of dependencies to validate endpoints and metrics.
 - Component lookup endpoint is stubbed and tested locally in code, but validation is blocked until builds/tests can complete; keep SBOM-CONSOLE-23-002 open.
 - `AGENTS.md` for `src/SbomService` added 2025-11-18; ensure implementers read before coding.
 ## Next Checkpoints
 | Date (UTC) | Session | Goal | Owner(s) |
 | --- | --- | --- | --- |
 | 2025-11-18 | LNM v1 fixtures drop | Commit 4–6 canonical JSON fixtures for Link-Not-Merge v1; add-only evolution | Concelier Core · Cartographer · SBOM Service |
 | 2025-11-18 | Scanner mock bundle v1 hash | Publish hash/location for surface_bundle_mock_v1.tgz and ETA for real caches | Scanner Guild |
--- a/docs/implplan/SPRINT_0143_0000_0001_signals.md
+++ b/docs/implplan/SPRINT_0143_0000_0001_signals.md
@@ -0,0 +1,54 @@
 # Sprint 0143-0000-0001 · Signals
 ## Topic & Scope
 - Runtime & Signals stream focused on reachability ingestion, runtime facts, and scoring.
 - Deliver CAS-backed callgraph ingestion for Java/Node.js/Python/Go plus runtime facts NDJSON/gzip ingestion with provenance enrichment.
 - Produce reachability scoring engine with Redis-backed caching and `signals.fact.updated` events, honoring CAS remediation/waiver rules.
 - **Working directory:** src/Signals/StellaOps.Signals
 ## Dependencies & Concurrency
 - Upstream sprints: 120.A (AirGap), 130.A (Scanner).
 - Tasks sit in Signals; no cross-module coupling flagged beyond Authority (AUTH-SIG-26-001) for finished skeleton.
 - Completed/historic work archived in docs/implplan/archived/tasks.md (last updated 2025-11-08).
 ## Documentation Prerequisites
 - docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md; docs/modules/platform/architecture-overview.md.
 - src/Signals/StellaOps.Signals/AGENTS.md.
 - CAS waiver/remediation checklist dated 2025-11-17 for SIGNALS-24-002/004/005 scope.
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | SIGNALS-24-001 | DONE (2025-11-09) | Dependency AUTH-SIG-26-001; merged host skeleton with scope policies and evidence validation. | Signals Guild, Authority Guild | Stand up Signals API skeleton with RBAC, sealed-mode config, DPoP/mTLS enforcement, and `/facts` scaffolding so downstream ingestion can begin. |
 | 2 | SIGNALS-24-002 | DOING (2025-11-07) | Remaining: CAS bucket promotion and signed graph manifests; depends on SIGNALS-24-001. | Signals Guild | Implement callgraph ingestion/normalization (Java/Node/Python/Go) with CAS persistence and retrieval APIs to feed reachability scoring. |
 | 3 | SIGNALS-24-003 | DONE (2025-11-17) | Runtime ingestion now enriches provenance metadata and triggers reachability recompute on ingest. | Signals Guild, Runtime Guild | Implement runtime facts ingestion endpoint and normalizer (process, sockets, container metadata) populating `context_facts` with AOC provenance. |
 | 4 | SIGNALS-24-004 | DONE (2025-11-17) | Scoring weights now configurable; runtime ingestion auto-triggers recompute into `reachability_facts`. | Signals Guild, Data Science | Deliver reachability scoring engine producing states/scores and writing to `reachability_facts`; expose configuration for weights. |
 | 5 | SIGNALS-24-005 | BLOCKED (2025-11-17) | Await Redis/event bus contract (keys, payload schema) before implementing caches + publish. | Signals Guild, Platform Events Guild | Implement Redis caches (`reachability_cache:*`), invalidation on new facts, and publish `signals.fact.updated` events. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-10-29 | Skeleton live with scope policies, stub endpoints, integration tests; sample configuration committed under `etc/signals.yaml.sample`. | Signals Guild |
 | 2025-10-29 | JSON parsers for Java/Node.js/Python/Go implemented; artifacts stored with SHA-256 and callgraphs upserted into Mongo. | Signals Guild |
 | 2025-11-09 | Signals host registers sealed-mode evidence validation, exposes `/readyz`/`/status`, enforces scope policies, and adds `/signals/facts/{subjectKey}` retrieval plus runtime-facts ingestion backing services. | Signals Guild / Authority Guild |
 | 2025-11-09 | Added `/signals/callgraphs/{id}` retrieval, sealed-mode gating, and CAS-backed artifact metadata responses; remaining work is CAS bucket promotion + signed graph manifests. | Signals Guild |
 | 2025-11-09 | Added runtime facts ingestion service + endpoint, aggregated runtime hit storage, and unit tests; next steps are NDJSON/gzip ingestion and provenance metadata wiring. | Signals Guild / Runtime Guild |
 | 2025-11-09 | Added `/signals/runtime-facts/ndjson` streaming endpoint (JSON/NDJSON + gzip) with sealed-mode gating; provenance/context enrichment + scoring linkage remain. | Signals Guild / Runtime Guild |
 | 2025-11-17 | CAS remediation window (≤3 days for Critical/High) approved with signed waiver; proceed with SIGNALS-24-002/004/005. | Signals Guild |
 | 2025-11-17 | CAS checklist in remediation window with risk waiver; continue DOING on SIGNALS-24-002 and unlock 24-004/005. | Signals Guild |
 | 2025-11-17 | Normalised sprint to standard template and renamed from SPRINT_143_signals.md to SPRINT_0143_0000_0001_signals.md. | PM |
 | 2025-11-17 | Reachability scoring weights moved to config; runtime facts ingestion now triggers recompute and persists states; added unit tests for scoring + runtime ingestion. | Signals Guild |
 | 2025-11-17 | `dotnet test src/Signals/StellaOps.Signals.sln` aborted after long restore/build; warning NU1504 about duplicate PackageReference items in StellaOps.Signals.Tests persists—needs cleanup before rerun. | Signals Guild |
 | 2025-11-17 | Runtime facts ingestion now stamps provenance metadata (source, ingestedAt, callgraphId) and recompute is triggered on ingest; targeted test run aborted mid-restore—rerun needed. | Signals Guild |
 | 2025-11-18 | `dotnet restore` for StellaOps.Signals.Tests now succeeds (16.8s); `dotnet test -v:diag --blame-hang-timeout 120s` still running long—awaiting stable completion. | Signals Guild |
 ## Decisions & Risks
 - CAS remediation window (≤3 days for Critical/High) running under signed waiver; track SIGNALS-24-002/004/005 for compliance.
 - Callgraph CAS bucket promotion and signed manifests remain outstanding for SIGNALS-24-002; risk to scoring start if delayed.
 - Runtime facts provenance/context enrichment and scoring linkage pending (SIGNALS-24-003); downstream scoring (24-004/005) can start only after completion.
 - SIGNALS-24-005 blocked pending Redis cache + event payload contract (keys, expiry, `signals.fact.updated` schema) to avoid divergent implementations.
 - Test run (`dotnet test src/Signals/StellaOps.Signals.sln`) interrupted; NU1504 duplicate PackageReference warning in `StellaOps.Signals.Tests.csproj` must be resolved and tests rerun for coverage.
 ## Next Checkpoints
 - Schedule CAS waiver review before 2025-11-20 to confirm remediation progress for SIGNALS-24-002/004/005.
 - Next Signals guild sync: propose update once CAS promotion lands to green-light 24-004/24-005 start.
--- a/docs/implplan/SPRINT_0144_0001_0001_zastava_runtime_signals.md
+++ b/docs/implplan/SPRINT_0144_0001_0001_zastava_runtime_signals.md
@@ -22,12 +22,12 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | ZASTAVA-ENV-01 | BLOCKED-w/escalation | Code landed; execution wait on Surface.FS cache plan + package mirrors to validate. | Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer) | Adopt Surface.Env helpers for cache endpoints, secret refs, and feature toggles. |
+| 1 | ZASTAVA-ENV-01 | BLOCKED | Restores now succeed from local-nuget/nuget.org; tests blocked by missing Zastava.Core runtime types | Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer) | Adopt Surface.Env helpers for cache endpoints, secret refs, and feature toggles. |
-| 2 | ZASTAVA-ENV-02 | BLOCKED-w/escalation | Code landed; validation blocked on Surface.FS cache availability/mirrors. | Zastava Webhook Guild (src/Zastava/StellaOps.Zastava.Webhook) | Switch to Surface.Env helpers for webhook configuration (cache endpoint, secret refs, feature toggles). |
+| 2 | ZASTAVA-ENV-02 | BLOCKED | Restores now succeed from local-nuget/nuget.org; tests blocked by missing Zastava.Core runtime types | Zastava Webhook Guild (src/Zastava/StellaOps.Zastava.Webhook) | Switch to Surface.Env helpers for webhook configuration (cache endpoint, secret refs, feature toggles). |
-| 3 | ZASTAVA-SECRETS-01 | BLOCKED-w/escalation | Code landed; requires cache/nuget mirrors to execute tests. | Zastava Observer Guild, Security Guild (src/Zastava/StellaOps.Zastava.Observer) | Retrieve CAS/attestation access via Surface.Secrets instead of inline secret stores. |
+| 3 | ZASTAVA-SECRETS-01 | BLOCKED | Restores now succeed from local-nuget/nuget.org; tests blocked by missing Zastava.Core runtime types | Zastava Observer Guild, Security Guild (src/Zastava/StellaOps.Zastava.Observer) | Retrieve CAS/attestation access via Surface.Secrets instead of inline secret stores. |
-| 4 | ZASTAVA-SECRETS-02 | BLOCKED-w/escalation | Code landed; waiting on same cache/mirror prerequisites for validation. | Zastava Webhook Guild, Security Guild (src/Zastava/StellaOps.Zastava.Webhook) | Retrieve attestation verification secrets via Surface.Secrets. |
+| 4 | ZASTAVA-SECRETS-02 | BLOCKED | Restores now succeed from local-nuget/nuget.org; tests blocked by missing Zastava.Core runtime types | Zastava Webhook Guild, Security Guild (src/Zastava/StellaOps.Zastava.Webhook) | Retrieve attestation verification secrets via Surface.Secrets. |
-| 5 | ZASTAVA-SURFACE-01 | BLOCKED-w/escalation | Code landed; blocked on Sprint 130 analyzer artifact/cache drop and local gRPC mirrors to run tests. | Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer) | Integrate Surface.FS client for runtime drift detection (lookup cached layer hashes/entry traces). |
+| 5 | ZASTAVA-SURFACE-01 | BLOCKED | Restores now succeed; observer tests blocked by missing Zastava.Core runtime models | Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer) | Integrate Surface.FS client for runtime drift detection (lookup cached layer hashes/entry traces). |
-| 6 | ZASTAVA-SURFACE-02 | BLOCKED-w/escalation | Depends on SURFACE-01 validation; blocked on Surface.FS cache drop. | Zastava Webhook Guild (src/Zastava/StellaOps.Zastava.Webhook) | Enforce Surface.FS availability during admission (deny when cache missing/stale) and embed pointer checks in webhook response. |
+| 6 | ZASTAVA-SURFACE-02 | BLOCKED | Restores now succeed; webhook tests blocked by missing Zastava.Core runtime models | Zastava Webhook Guild (src/Zastava/StellaOps.Zastava.Webhook) | Enforce Surface.FS availability during admission (deny when cache missing/stale) and embed pointer checks in webhook response. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
@@ -43,17 +43,27 @@
 | 2025-11-16 | Completed ZASTAVA-SURFACE-01; registered Surface.FS cache/manifest store in observer, added runtime Surface FS client and manifest fetch test. Restore not executed due to repo-wide fan-out; rerun targeted tests when caches ready. | Zastava Observer |
 | 2025-11-16 | Started ZASTAVA-SURFACE-02 (admission cache enforcement + pointer checks). | Zastava Webhook |
 | 2025-11-17 | Completed ZASTAVA-SURFACE-02; webhook denies when surface manifest missing, emits manifest pointer in admission metadata, and tests added. Restore/test still blocked by repo-wide restore fan-out (even with nuget.org); rerun once local cache available. | Zastava Webhook |
 | 2025-11-17 | Coordinator approved temporary Surface.FS CI cache seeded from scanner mock bundle; flipped ENV/SECRETS/SURFACE tracks to TODO. | Coordinator |
 | 2025-11-17 | Primed local-nuget via lightweight nuget-prime project (gRPC, Serilog, Microsoft.Extensions rc2); restore still stalls when running observer tests. Additional packages likely required; keep using local-nuget cache on next restore attempt. | Build/DevOps |
 | 2025-11-17 | Added repo-level NuGet.config pointing to ./local-nuget (fallback + primary), nuget.org secondary, to prefer offline cache on future restores. | Build/DevOps |
 | 2025-11-17 | Restore retries (observer/webhook tests) still stalled; need explicit mirroring of Authority/Auth stacks and Google/AWS transitives into local-nuget before tests can run. | Build/DevOps |
 | 2025-11-17 | Marked all sprint tasks BLOCKED pending local-nuget mirrors and Surface.FS cache drop; awaiting DevOps ETA for cache seed. | Project Mgmt |
 | 2025-11-17 | Seeded local-nuget via targeted restores: observer restore succeeded (RestorePackagesPath=local-nuget), webhook restore succeeded with nuget.org fallback. | Zastava |
 | 2025-11-17 | Ran observer test suite; compile fails due to missing Zastava.Core runtime models (RuntimeEvidence/RuntimeProcess/RuntimeLoadedLibrary) and Concelier CoreLinksets interfaces; tests remain blocked on upstream fixes. | Zastava |
 | 2025-11-17 | Fixed observer project reference to Zastava.Core (`../__Libraries/...`); partial build rerun still interrupted while upstream Authority/AirGap projects compiled—re-run focused observer build after package mirror + allow long compile. | Zastava |
 | 2025-11-17 | Replaced corrupted Mongo2Go 4.1.0 in `local-nuget` with fresh download; offline restore should now pass signature check. | Zastava |
 | 2025-11-18 | Re-ran observer build/test with corrected reference; still blocked during upstream Authority/Cryptography compile and missing Zastava.Core runtime types/CoreLinksets; no new code changes. | Zastava |
 ## Decisions & Risks
- All tasks are BLOCKED-w/escalation pending Sprint 130 Surface.FS cache drop ETA and local gRPC package mirrors; code landed but validation cannot proceed.
+- All tasks remain BLOCKED pending Sprint 130 Surface.FS cache/analyzer drop and upstream type fixes; code landed but validation cannot proceed.
- Observer/webhook restores require offline `Google.Protobuf`, `Grpc.Net.Client`, and `Grpc.Tools` in `local-nuget`; prior restores stalled due to repo-wide fan-out.
+- Observer/webhook restores now succeed via local-nuget+nuget.org, but offline parity still requires mirroring `Google.Protobuf`, `Grpc.Net.Client`, and `Grpc.Tools` into `local-nuget`.
 - Surface.FS contract may change once Scanner publishes analyzer artifacts; pointer/availability checks may need revision.
 - Surface.Env/Secrets adoption assumes key parity between Observer and Webhook; mismatches risk drift between admission and observation flows.
 - Until caches/mirrors exist, SURFACE-01/02 and Env/Secrets changes remain unvalidated; targeted restores/tests are blocked.
 - Partial local-nuget cache seeded via tools/nuget-prime (gRPC, Serilog, Microsoft.Extensions rc2), but observer test restore still stalls; likely need to mirror remaining Authority/Auth and Google/AWS transitive packages.
 - Observer test build now fails due to missing Zastava.Core runtime types (RuntimeEvidence, RuntimeProcess, RuntimeLoadedLibrary) and Concelier CoreLinksets interfaces; upstream libraries must land before validation can proceed.
 - Observer tests previously hit `NU3005` for `Mongo2Go 4.1.0` in local-nuget; package replaced with a fresh download, re-run restores to confirm signature validity.
 - Observer build path corrected to Zastava.Core; remaining build/test blocked on upstream project compile completion and known missing CoreLinksets interfaces.
 ## Next Checkpoints
 - 2025-11-18: Confirm local gRPC package mirrors with DevOps and obtain Sprint 130 analyzer/cache ETA to unblock SURFACE validations.
--- a/docs/implplan/SPRINT_0153_0001_0003_orchestrator_iii.md
+++ b/docs/implplan/SPRINT_0153_0001_0003_orchestrator_iii.md
@@ -0,0 +1,66 @@
 # Sprint 0153_0001_0003 · Orchestrator III (Scheduling & Automation)
 ## Topic & Scope
 - Deliver phase III scheduling & automation for the Orchestrator: pack-run lifecycle, event envelope standardisation, and live log streaming.
 - Ensure provenance-rich notifier events and tenant isolation reach parity across Job APIs and worker SDKs.
 - Working directory: `src/Orchestrator/StellaOps.Orchestrator` plus worker SDKs `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go` and `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python`.
 - Expected evidence: updated event schema/API contracts, SSE/WS log endpoints, and Go/Python worker SDK helpers covering claim/ack, progress, artifacts, and backfills.
 ## Dependencies & Concurrency
 - Depends on Orchestrator phase II (legacy sprint file `SPRINT_152_orchestrator_ii.md`) for prior event envelope groundwork.
 - Coordinate with Authority pack RBAC initiative (AUTH-PACKS-43-001) and Notifications Studio ingestion to avoid conflicting log-stream semantics.
 - No other CC-decade sprints are blocking; run in parallel with SDK guild streams once envelope contract lands.
 ## Documentation Prerequisites
 - `docs/modules/orchestrator/architecture.md`
 - `docs/modules/platform/architecture-overview.md`
 - Module charter: `src/Orchestrator/StellaOps.Orchestrator/AGENTS.md`
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | ORCH-SVC-38-101 | DOING | Drafting envelope spec & notifier payloads; add doc reference. | Orchestrator Service Guild | Standardize event envelope (policy/export/job lifecycle) with idempotency keys, ensure export/job failure events published to notifier bus with provenance metadata. |
 | 2 | ORCH-SVC-41-101 | TODO | Depends on ORCH-SVC-38-101; register pack-run job type once envelope finalized. | Orchestrator Service Guild | Register `pack-run` job type, persist run metadata, integrate logs/artifacts collection, and expose API for Task Runner scheduling. |
 | 3 | ORCH-SVC-42-101 | TODO | Depends on ORCH-SVC-41-101 pack-run plumbing. | Orchestrator Service Guild | Stream pack run logs via SSE/WS, add manifest endpoints, enforce quotas, and emit pack run events to Notifications Studio. |
 | 4 | ORCH-TEN-48-001 | TODO | Requires job DAL/routes to attach tenant context. | Orchestrator Service Guild | Include `tenant_id`/`project_id` in job specs, set DB session context before processing, enforce context on all queries, and reject jobs missing tenant metadata. |
 | 5 | WORKER-GO-32-001 | DONE | Bootstrap Go SDK scaffolding and smoke sample. | Worker SDK Guild | Bootstrap Go SDK project with configuration binding, auth headers, job claim/acknowledge client, and smoke sample. |
 | 6 | WORKER-GO-32-002 | DONE | Depends on WORKER-GO-32-001; add heartbeat, metrics, retries. | Worker SDK Guild | Add heartbeat/progress helpers, structured logging hooks, Prometheus metrics, and jittered retry defaults. |
 | 7 | WORKER-GO-33-001 | DONE | Depends on WORKER-GO-32-002; implement artifact publish helpers. | Worker SDK Guild | Implement artifact publish helpers (object storage client, checksum hashing, metadata payload) and idempotency guard. |
 | 8 | WORKER-GO-33-002 | DONE | Depends on WORKER-GO-33-001; error classification/backoff. | Worker SDK Guild | Provide error classification/retry helper, exponential backoff controls, and structured failure reporting to orchestrator. |
 | 9 | WORKER-GO-34-001 | DONE | Depends on WORKER-GO-33-002; backfill utilities. | Worker SDK Guild | Add backfill range execution helpers, watermark handshake utilities, and artifact dedupe verification for backfills. |
 | 10 | WORKER-PY-32-001 | DONE | Bootstrap asyncio Python SDK and sample worker. | Worker SDK Guild | Bootstrap asyncio-based Python SDK (config, auth headers, job claim/ack) plus sample worker script. |
 | 11 | WORKER-PY-32-002 | DONE | Depends on WORKER-PY-32-001; heartbeat/metrics/retries. | Worker SDK Guild | Implement heartbeat/progress helpers with structured logging, metrics exporter, and cancellation-safe retries. |
 | 12 | WORKER-PY-33-001 | DONE | Depends on WORKER-PY-32-002; artifact publish helper. | Worker SDK Guild | Add artifact publish/idempotency helpers (object storage adapters, checksum hashing, metadata payload) for Python workers. |
 | 13 | WORKER-PY-33-002 | DONE | Depends on WORKER-PY-33-001; error classification/backoff. | Worker SDK Guild | Provide error classification/backoff helper mapping to orchestrator codes, including jittered retries and structured failure reports. |
 | 14 | WORKER-PY-34-001 | DONE | Depends on WORKER-PY-33-002; backfill utilities. | Worker SDK Guild | Implement backfill range iteration, watermark handshake, and artifact dedupe verification utilities for Python workers. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-07 | Still not started — Authority pack RBAC (AUTH-PACKS-43-001) remains blocked pending approvals/log-stream APIs. | Coordination |
 | 2025-11-17 | Coordinator approved interim token-scoped access for AUTH-PACKS-43-001; proceed with log-stream APIs using scoped tokens while full RBAC completes. | Coordination |
 | 2025-11-17 | Normalised sprint file to standard template and renamed from `SPRINT_153_orchestrator_iii.md` to `SPRINT_0153_0001_0003_orchestrator_iii.md`. | PM |
 | 2025-11-17 | Bootstrapped Go worker SDK with config binding, auth headers, claim/ack client, sample smoke worker, and unit tests. | Worker SDK Guild |
 | 2025-11-17 | Bootstrapped Python asyncio worker SDK with config/auth, claim/ack client, sample worker script, and unit tests using stub transport. | Worker SDK Guild |
 | 2025-11-17 | Added Go worker heartbeat/progress helpers, logging hooks, metrics sink, jittered retry defaults, and updated smoke sample. | Worker SDK Guild |
 | 2025-11-17 | Added Python worker heartbeat/progress helpers, metrics sink, retry helper, and passing unit tests. | Worker SDK Guild |
 | 2025-11-17 | Delivered artifact publish helpers for Go (checksum, metadata, idempotency guard) with storage stub tests. | Worker SDK Guild |
 | 2025-11-17 | Delivered artifact publish/idempotency helpers for Python with in-memory storage adapter and tests. | Worker SDK Guild |
 | 2025-11-17 | Added error classification/backoff helpers for Go/Python SDKs with tests and updated task trackers. | Worker SDK Guild |
 | 2025-11-17 | Added backfill range helpers, watermark handshake, and artifact dedupe utilities for Go/Python SDKs; tests updated. | Worker SDK Guild |
 | 2025-11-17 | Marked ORCH-SVC-38/41/42 blocked pending upstream event envelope spec (ORCH-SVC-37-101) and downstream pack-run contract. | Worker SDK Guild |
 | 2025-11-18 | No further progress possible: event envelope spec (ORCH-SVC-37-101) and missing Orchestrator WebService DAL keep ORCH-SVC-38/41/42 and ORCH-TEN-48-001 blocked. | Orchestrator Service Guild |
 | 2025-11-19 | Drafted event envelope doc (`docs/modules/orchestrator/event-envelope.md`) and set ORCH-SVC-38-101 to DOING pending spec approval. | Orchestrator Service Guild |
 | 2025-11-18 | ORCH-TEN-48-001 blocked: orchestrator WebService is still template-only (no job DAL/routes), cannot enforce tenant context until real endpoints and DB session context exist. | Worker SDK Guild || 2025-11-19 | Set ORCH-SVC-38/41/42 and ORCH-TEN-48-001 back to TODO pending envelope spec and webservice DAL. | Orchestrator Service Guild |
 ## Decisions & Risks
 - Interim token-scoped access approved for AUTH-PACKS-43-001; must tighten once full RBAC lands to prevent over-broad tokens.
 - Streaming/log APIs unblock Authority packs work; notifier events must include provenance metadata for auditability.
 - Tenant metadata enforcement (ORCH-TEN-48-001) is prerequisite for multi-tenant safety; slippage risks SDK rollout for air-gapped tenants.
 - ORCH-SVC-38/41/42 blocked until ORCH-SVC-37-101 finalizes event envelope idempotency contract; downstream pack-run API and notifier payloads depend on it.
 - ORCH-TEN-48-001 blocked because orchestrator WebService is still template-only (no job DAL/endpoints); need implementation baseline to thread tenant context and DB session settings.
 ## Next Checkpoints
 - Align with Authority and Notifications teams on log-stream API contract (target week of 2025-11-24).
 - Schedule demo of pack-run streaming (ORCH-SVC-42-101) once SSE/WS path ready; date TBD.
--- a/docs/implplan/SPRINT_0155_0001_0001_scheduler_i.md
+++ b/docs/implplan/SPRINT_0155_0001_0001_scheduler_i.md
@@ -0,0 +1,67 @@
 # Sprint 0155 · Scheduling & Automation (Scheduler I)
 ## Topic & Scope
 - Phase I delivery for Scheduler automation, vulnerability resolver APIs, and policy/exception workers across webservice and worker libraries.
 - Ensure queue depth and policy simulation instrumentation stay aligned with Observability contracts for Console/DevOps dashboards.
 - Active items only; completed/historic work now reside in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
 - **Working directory:** src/Scheduler
 ## Dependencies & Concurrency
 - Upstream: Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 140.A – Graph.
 - Concurrency: keep independent of parallel Scheduler batch 0156 (phase II) to avoid scope overlap.
 ## Documentation Prerequisites
 - docs/README.md
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 - docs/modules/scheduler/architecture.md
 - src/Scheduler/AGENTS.md
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 0 | AGENTS-SCHEDULER-UPDATE | DONE | `src/Scheduler/AGENTS.md` created and published. | Project Manager · Architecture Guild | Populate module AGENTS charter covering roles, docs, determinism/testing rules, and allowed shared libs. |
 | 1 | SCHED-IMPACT-16-303 | DONE | Implemented removal + snapshot/restore with compaction; snapshot payloads ready for RocksDB/Redis persistence. | Scheduler ImpactIndex Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex) | Snapshot/compaction + invalidation for removed images; persistence to RocksDB/Redis per architecture. |
 | 2 | SCHED-SURFACE-01 | BLOCKED | Need Surface.FS pointer model/contract; awaiting design input before planning deltas. | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Evaluate Surface.FS pointers when planning delta scans to avoid redundant work and prioritise drift-triggered assets. |
 | 3 | SCHED-VULN-29-001 | DONE | Resolver job APIs implemented with scope enforcement; in-memory service stub (upgrade to persistent store later). | Scheduler WebService Guild, Findings Ledger Guild (src/Scheduler/StellaOps.Scheduler.WebService) | Expose resolver job APIs (`POST /vuln/resolver/jobs`, `GET /vuln/resolver/jobs/{id}`) to trigger candidate recomputation per artifact/policy change with RBAC and rate limits. |
 | 4 | SCHED-VULN-29-002 | DONE | Depends on SCHED-VULN-29-001; define webhook contract for backlog breach notifications. | Scheduler WebService Guild, Observability Guild (src/Scheduler/StellaOps.Scheduler.WebService) | Provide projector lag metrics endpoint and webhook notifications for backlog breaches consumed by DevOps dashboards. |
 | 5 | SCHED-WEB-20-002 | DONE | Simulation trigger + preview endpoint implemented. | Scheduler WebService Guild (src/Scheduler/StellaOps.Scheduler.WebService) | Provide simulation trigger endpoint returning diff preview metadata and job state for UI/CLI consumption. |
 | 6 | SCHED-WORKER-21-203 | DONE | Metrics added with tenant/graph tags; worker build green. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Export metrics (`graph_build_seconds`, `graph_jobs_inflight`, `overlay_lag_seconds`) and structured logs with tenant/graph identifiers. |
 | 7 | SCHED-WORKER-23-101 | BLOCKED | Waiting on Policy guild to supply activation event contract and throttle source. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement policy re-evaluation worker that shards assets, honours rate limits, and updates progress for Console after policy activation events. |
 | 8 | SCHED-WORKER-23-102 | BLOCKED | Blocked by SCHED-WORKER-23-101. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Add reconciliation job ensuring re-eval completion within SLA, emitting alerts on backlog and persisting status to `policy_runs`. |
 | 9 | SCHED-WORKER-25-101 | BLOCKED | Blocked by SCHED-WORKER-23-102. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement exception lifecycle worker handling auto-activation/expiry and publishing `exception.*` events with retries/backoff. |
 | 10 | SCHED-WORKER-25-102 | BLOCKED | Blocked by SCHED-WORKER-25-101. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Add expiring notification job generating digests, marking `expiring` state, updating metrics/alerts. |
 | 11 | SCHED-WORKER-26-201 | BLOCKED | Blocked by SCHED-WORKER-25-102. | Scheduler Worker Guild, Signals Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Build reachability joiner worker that combines SBOM snapshots with signals, writes cached facts, and schedules updates on new events. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-17 | Added graph metrics (`graph_build_seconds`, `graph_jobs_inflight`, `overlay_lag_seconds`) with tenant/graph tags; worker library build succeeded. | Scheduler Worker Guild |
 | 2025-11-17 | Added resolver job APIs (`POST/GET /api/v1/scheduler/vuln/resolver/jobs`) with scope enforcement and in-memory job service stub. | Scheduler WebService Guild |
 | 2025-11-18 | Added per-tenant rate limiting for resolver job creation (in-memory implementation). | Scheduler WebService Guild |
 | 2025-11-18 | Marked SCHED-SURFACE-01 blocked pending Surface.FS pointer model decision. | Scheduler Worker Guild |
 | 2025-11-18 | Added resolver backlog metrics endpoint (`GET /api/v1/scheduler/vuln/resolver/metrics`). | Scheduler WebService Guild |
 | 2025-11-18 | Implemented simulation preview trigger (`POST /api/v1/scheduler/policies/simulations/preview`) returning run state + placeholder diff summary. | Scheduler WebService Guild |
 | 2025-11-18 | Marked SCHED-WORKER-23-101/102/25-101/25-102/26-201 blocked awaiting Policy guild activation event contract and downstream dependencies. | Scheduler Worker Guild |
 | 2025-11-17 | Implemented ImpactIndex removal + snapshot/restore with compaction; library build (`dotnet build` ImpactIndex) succeeded. | Scheduler ImpactIndex Guild |
 | 2025-11-17 | Created `src/Scheduler/AGENTS.md`; unblocked Scheduler tasks and reset to TODO. | Scheduler Worker Guild |
 | 2025-11-17 | All tasks blocked pending creation of `src/Scheduler/AGENTS.md`; added tracking row AGENTS-SCHEDULER-UPDATE. | Scheduler Worker Guild |
 | 2025-11-17 | Normalised sprint to standard template and renamed file to `SPRINT_0155_0001_0001_scheduler_i.md`; no scope changes. | Planning |
 | 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning |
 | 2025-11-07 | Worker counterpart (SCHED-WORKER-20-301) now DOING; unblock SCHED-WEB-20-002 once API scaffolding lands. | Scheduler WebService Guild |
 | 2025-11-06 | Added tenant-aware tagging to `policy_simulation_queue_depth` gauge samples and extended metrics-provider unit coverage. | Observability Guild |
 | 2025-11-05 | Resumed instrumentation work to match `policy_simulation_latency_seconds` naming, add coverage for SSE latency recording, and validate webhook sample alignment. | Observability Guild |
 | 2025-11-05 | `dotnet test` blocked by pre-existing GraphJobs accessibility errors (`IGraphJobStore.UpdateAsync`). | Scheduler Worker Guild |
 | 2025-11-04 | Graph job completions now persist to Mongo with optimistic guards, emit Redis/webhook notifications once per transition, and refresh result URI metadata idempotently (tests cover service + Mongo store paths). | Scheduler Worker Guild |
 ## Decisions & Risks
 - Module-level AGENTS charter now present at `src/Scheduler/AGENTS.md`.
 - Local `dotnet test` remains blocked by GraphJobs accessibility errors (`IGraphJobStore.UpdateAsync`); fix needed for validation.
 - SCHED-WEB-20-002 depends on worker API contract (SCHED-WORKER-20-301); keep priority aligned to avoid UI/CLI drift.
 - Maintain observability naming consistency for `policy_simulation_*` metrics to avoid dashboard regressions.
 - Upstream readiness from AirGap, Scanner, and Graph sprints must be confirmed before expanding scope.
 - SCHED-SURFACE-01 blocked until Surface.FS pointer model/contract is provided; cannot design delta planning without it.
 - Backlog breach webhook contract stubbed via resolver backlog notifier; upgrade to real sink once DevOps endpoint is available.
 - SCHED-WORKER-23-101/102/25-101/25-102/26-201 blocked on Policy guild supplying activation event shape + throttling guidance; downstream workers sit until contract lands.
 ## Next Checkpoints
 - None scheduled; set once worker API scaffolding and GraphJobs accessibility fixes land.
--- a/docs/implplan/SPRINT_0156_0001_0002_scheduler_ii.md
+++ b/docs/implplan/SPRINT_0156_0001_0002_scheduler_ii.md
@@ -0,0 +1,46 @@
 # Sprint 0156 · Scheduling & Automation (Scheduler II)
 ## Topic & Scope
 - Phase II for Scheduler workers: staleness monitoring, batch simulations, resolver/evaluation orchestration, and console streaming.
 - Continues after Scheduler I (0155); focuses on worker pipelines and reachability/resolver coherence.
 - Blocked until module working-directory AGENTS charter exists for `src/Scheduler`.
 - **Working directory:** src/Scheduler
 ## Dependencies & Concurrency
 - Depends on Sprint 0155 (Scheduler I) completion and prior reachability worker (SCHED-WORKER-26-201).
 - Concurrency: share worker code paths with Scheduler I; avoid overlapping migrations until unblocked.
 ## Documentation Prerequisites
 - docs/modules/scheduler/README.md
 - docs/modules/scheduler/architecture.md
 - docs/modules/scheduler/implementation_plan.md
 - docs/modules/platform/architecture-overview.md
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 0 | AGENTS-SCHEDULER-UPDATE | DONE | `src/Scheduler/AGENTS.md` created and published. | Project Manager · Architecture Guild | Create working-directory charter defining roles, prerequisites, determinism/testing rules, and allowed shared libs. |
 | 1 | SCHED-WORKER-26-202 | BLOCKED | Blocked by SCHED-WORKER-26-201 (reachability joiner not delivered yet). | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement staleness monitor + notifier for outdated reachability facts, publishing warnings and updating dashboards. |
 | 2 | SCHED-WORKER-27-301 | BLOCKED | Blocked by SCHED-WORKER-26-202. | Scheduler Worker Guild, Policy Registry Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement policy batch simulation worker: shard SBOM inventories, invoke Policy Engine, emit partial results, handle retries/backoff, and publish progress events. |
 | 3 | SCHED-WORKER-27-302 | BLOCKED | Blocked by SCHED-WORKER-27-301. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Build reducer job aggregating shard outputs into final manifests (counts, deltas, samples) and writing to object storage with checksums; emit completion events. |
 | 4 | SCHED-WORKER-27-303 | BLOCKED | Blocked by SCHED-WORKER-27-302. | Scheduler Worker Guild, Security Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Enforce tenant isolation, scope checks, and attestation integration for simulation jobs; secret scanning pipeline for uploaded policy sources. |
 | 5 | SCHED-WORKER-29-001 | BLOCKED | Blocked by SCHED-WORKER-27-303. | Scheduler Worker Guild, Findings Ledger Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Implement resolver worker generating candidate findings from inventory + advisory evidence, respecting ecosystem version semantics and path scope; emit jobs for policy evaluation. |
 | 6 | SCHED-WORKER-29-002 | BLOCKED | Blocked by SCHED-WORKER-29-001. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Build evaluation orchestration worker invoking Policy Engine batch eval, writing results to Findings Ledger projector queue, and handling retries/backoff. |
 | 7 | SCHED-WORKER-29-003 | BLOCKED | Blocked by SCHED-WORKER-29-002. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Add monitoring for resolver/evaluation backlog, SLA breaches, and export job queue; expose metrics/alerts feeding DevOps dashboards. |
 | 8 | SCHED-WORKER-CONSOLE-23-201 | BLOCKED | Blocked by upstream stream schema design; depends on prior resolver/eval pipeline readiness. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Stream run progress events (stage status, tuples processed, SLA hints) to Redis/NATS for Console SSE, with heartbeat, dedupe, and retention policy. Publish metrics + structured logs for queue lag. |
 | 9 | SCHED-WORKER-CONSOLE-23-202 | BLOCKED | Blocked by CONSOLE-23-201. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker) | Coordinate evidence bundle jobs (enqueue, track status, cleanup) and expose job manifests to Web gateway; ensure idempotent reruns and cancellation support. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-17 | Normalised sprint, renamed to `SPRINT_0156_0001_0002_scheduler_ii`, and marked tasks BLOCKED pending `src/Scheduler/AGENTS.md`. | Scheduler Worker Guild |
 | 2025-11-17 | Created `src/Scheduler/AGENTS.md`; unblocked tasks and reset to TODO respecting dependencies. | Scheduler Worker Guild |
 | 2025-11-18 | Marked all tasks BLOCKED awaiting upstream reachability worker (SCHED-WORKER-26-201) and subsequent contract handoffs (Policy activation events, stream schema). | Scheduler Worker Guild |
 ## Decisions & Risks
 - Module-level AGENTS charter now present at `src/Scheduler/AGENTS.md`.
 - GraphJobs accessibility issue (`IGraphJobStore.UpdateAsync`) may block validation once work begins.
 - All Scheduler II tasks blocked until reachability joiner (SCHED-WORKER-26-201) and Policy activation event/stream schemas land; no implementation work can proceed yet.
 ## Next Checkpoints
 - None scheduled; add once AGENTS charter is published and blocking issues cleared.
--- a/docs/implplan/SPRINT_0160_0001_0001_export_evidence.md
+++ b/docs/implplan/SPRINT_0160_0001_0001_export_evidence.md
@@ -0,0 +1,168 @@
 # Sprint 0160_0001_0001 · Export & Evidence
 ## Topic & Scope
 - Snapshot coordination for export & evidence tracks (EvidenceLocker, ExportCenter, TimelineIndexer); active backlog continues in Sprint 161+.
 - Ensure bundle formats, crypto routing, and ingestion schemas freeze before downstream sprints move to DOING; completed work is archived in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
 - Working directory: `docs/implplan` (cross-module coordination spanning EvidenceLocker, ExportCenter, TimelineIndexer artefacts).
 - Evidence of completion: refreshed coordination snapshot, normalized sprint structure, and links to module trackers.
 ## Dependencies & Concurrency
 - Depends on AdvisoryAI evidence schema (Sprint 110.A), Orchestrator/Notifications envelopes (Sprint 150.A/140), and crypto-routing audit outcomes (2025-11-07) before DOING can start.
 - Runs in parallel with module sprints 161/162/165; no code convergence expected here, but gating contracts must be frozen first.
 - Interlocks & readiness signals are tracked in the table below; concurrency with other CC-decade sprints is safe once those signals turn green.
 ## Documentation Prerequisites
 - `docs/modules/evidence-locker/architecture.md`, `docs/modules/evidence-locker/bundle-packaging.md`, `docs/modules/evidence-locker/incident-mode.md`
 - `docs/modules/export-center/architecture.md`, `docs/modules/attestor/airgap.md`
 - `docs/modules/timelineindexer/architecture.md` (if present) and Postgres/RLS runbooks
 - `docs/security/crypto-routing-audit-2025-11-07.md`
 - `docs/replay/DETERMINISTIC_REPLAY.md`, `docs/runbooks/replay_ops.md`
 - `docs/events/orchestrator-scanner-events.md`
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | 160.A EvidenceLocker snapshot | BLOCKED | Wait for AdvisoryAI schema + Orchestrator envelopes; then publish ingest/replay summary into Sprint 161. | Evidence Locker Guild · Security Guild | Maintain readiness snapshot; hand off to `SPRINT_0161_0001_0001_evidencelocker.md` & `SPRINT_187_evidence_locker_cli_integration.md`. |
 | 2 | 160.B ExportCenter snapshot | BLOCKED | Freeze EvidenceLocker bundle contract, then align attestation jobs/CLI and crypto routing. | Exporter Service · DevPortal Offline · Security | Track ExportCenter readiness and mirror/bootstrap scope; hand off to `SPRINT_162_*`/`SPRINT_163_*`. |
 | 3 | 160.C TimelineIndexer snapshot | BLOCKED | Receive event schemas + EvidenceLocker digest references; prep migrations/RLS draft. | Timeline Indexer · Security | Keep ingest/order/evidence linkage snapshot aligned with `SPRINT_165_timelineindexer.md`. |
 | 4 | AGENTS-implplan | DONE | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | Local charter present; contributors must read before editing sprint docs. |
 ### Wave Coordination
 | Wave | Guild owners | Shared prerequisites | Status | Notes |
 | --- | --- | --- | --- | --- |
 | 160.A EvidenceLocker | Evidence Locker Guild · Security Guild · Docs Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | BLOCKED (2025-11-17) | Waiting on AdvisoryAI schema + orchestrator ledger envelopes to freeze. |
 | 160.B ExportCenter | Exporter Service Guild · Mirror Creator Guild · DevOps Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | BLOCKED (2025-11-17) | Thin mirror bundle + EvidenceLocker contract not yet frozen. |
 | 160.C TimelineIndexer | Timeline Indexer Guild · Evidence Locker Guild · Security Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | BLOCKED (2025-11-17) | Awaiting OBS-52-001 schema update and digest references. |
 ## Wave Detail Snapshots & Next Actions
 ### 160.A EvidenceLocker
 - Detail trackers: [SPRINT_0161_0001_0001_evidencelocker.md](./SPRINT_0161_0001_0001_evidencelocker.md) and [SPRINT_187_evidence_locker_cli_integration.md](./SPRINT_187_evidence_locker_cli_integration.md).
 - Task radar (all TODO as of 2025-11-12):
  - `EVID-REPLAY-187-001` — Replay bundle ingestion/retention APIs + storage policy (`src/EvidenceLocker/StellaOps.EvidenceLocker`, `docs/modules/evidence-locker/architecture.md`).
  - `RUNBOOK-REPLAY-187-004` & `CLI-REPLAY-187-002` — CLI + ops readiness for replay bundles (`docs/runbooks/replay_ops.md`, CLI module).
  - `EVID-CRYPTO-90-001` — Sovereign crypto routing via `ICryptoProviderRegistry`/`ICryptoHash` per `docs/security/crypto-routing-audit-2025-11-07.md`.
 - Contracts: bundle packaging + DSSE layout (`docs/modules/evidence-locker/bundle-packaging.md`, `EVID-OBS-54-002`); portable/incident modes in `docs/modules/evidence-locker/incident-mode.md`.
 - Gating dependencies: orchestrator capsule schema, AdvisoryAI payload notes, and replay ledger rules (`docs/replay/DETERMINISTIC_REPLAY.md`).
 - Ready-to-start checklist: finalize ingest schema deltas, stage Replay Ledger ops drills, and publish API surface summary into Sprint 161 before DOING.
 #### EvidenceLocker task snapshot (2025-11-12)
 | Task ID | Scope | State | Notes / Owners |
 | --- | --- | --- | --- |
 | EVID-REPLAY-187-001 | Replay bundle ingestion + retention APIs | TODO | Evidence Locker Guild · docs/modules/evidence-locker/architecture.md |
 | CLI-REPLAY-187-002 | CLI record/verify/replay UX | TODO | CLI Guild · `docs/modules/cli/architecture.md` |
 | RUNBOOK-REPLAY-187-004 | Replay ops runbook + drills | TODO | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` |
 | EVID-CRYPTO-90-001 | Sovereign crypto routing | TODO | Evidence Locker + Security Guilds · `ICryptoProviderRegistry` integration |
 ### 160.B ExportCenter
 - Detail trackers: [SPRINT_0162_0001_0001_exportcenter_i.md](./SPRINT_0162_0001_0001_exportcenter_i.md) and [SPRINT_0163_0001_0001_exportcenter_ii.md](./SPRINT_0163_0001_0001_exportcenter_ii.md).
 - Task radar highlights:
  - Mirror & bootstrap: `EXPORT-AIRGAP-56-001/002/003/004/005`, `EXPORT-AIRGAP-57-001`, `EXPORT-AIRGAP-58-001`.
  - Attestation bundles: `EXPORT-ATTEST-74-001/002`, `EXPORT-ATTEST-75-001/002` (jobs, CI/offline, CLI verify/import; see `docs/modules/attestor/airgap.md`).
  - API/OAS: `EXPORT-OAS-61-001/002`, `EXPORT-OAS-62-001`, `EXPORT-OAS-63-001` — refreshed OpenAPI, discovery, SDK, deprecation headers.
  - Service/observability: `EXPORT-SVC-35-001…005`, `EXPORT-OBS-50/51/52`, `EXPORT-CRYPTO-90-001` for crypto parity with EvidenceLocker.
 - Dependencies: EvidenceLocker contracts + DSSE proofs; orchestrator events + Scheduler readiness; crypto routing aligned with `docs/security/crypto-routing-audit-2025-11-07.md`.
 - Ready-to-start checklist: freeze sealed bundle spec, reconcile crypto provider matrix with RootPack deployments, and prep DevPortal verification CLI scaffolding (`DVOFF-64-002`).
 #### ExportCenter task snapshot (2025-11-12)
 | Task ID | Scope | State | Notes / Owners |
 | --- | --- | --- | --- |
 | DVOFF-64-002 | DevPortal bundle verification CLI | TODO | DevPortal Offline + AirGap Controller Guilds |
 | EXPORT-AIRGAP-56-001/002 | Mirror bundle + bootstrap pack profiles | TODO | Exporter + Mirror Creator + DevOps Guilds |
 | EXPORT-AIRGAP-57-001 | Portable evidence export mode | TODO | Exporter Service + Evidence Locker Guild |
 | EXPORT-AIRGAP-58-001 | Notifications for portable export | TODO | Exporter Service + Notifications Guild |
 | EXPORT-ATTEST-74-001/002 | Attestation bundle job + CI integration | TODO | Attestation Bundle + Exporter Guilds |
 | EXPORT-ATTEST-75-001/002 | CLI verify/import + offline kit integration | TODO | Attestation Bundle + CLI + Exporter Guilds |
 | EXPORT-OAS-61/62/63 | OpenAPI refresh, discovery, SDK + deprecation headers | TODO | Exporter Service + API Governance + SDK Guilds |
 | EXPORT-CRYPTO-90-001 | Sovereign crypto routing | TODO | Exporter Service + Security Guilds |
 ### 160.C TimelineIndexer
 - Detail tracker: [SPRINT_165_timelineindexer.md](./SPRINT_165_timelineindexer.md) covering TIMELINE-OBS-52-001…004 and TIMELINE-OBS-53-001.
 - Task radar:
  - `TIMELINE-OBS-52-001` — service bootstrap + Postgres migrations with deterministic scripts and RLS scaffolding.
  - `TIMELINE-OBS-52-002` — event ingestion pipeline (NATS/Redis consumers, ordering, dedupe, trace correlation, metrics).
  - `TIMELINE-OBS-52-003` — REST/gRPC APIs with filtering/pagination + OpenAPI contracts.
  - `TIMELINE-OBS-52-004` — finalize RLS, scope checks, audit logging, legal hold enforcement tests.
  - `TIMELINE-OBS-53-001` — evidence linkage endpoint returning signed manifest references.
 - Dependencies: orchestrator/notifications event schemas and EvidenceLocker digest references must land before Postgres migrations can be frozen; export bundle IDs must be stable to hydrate `/timeline/{id}/evidence`.
 - Ready-to-start checklist: secure event schema package, stage Postgres migration plan (incl. RLS policies) for review, align ingest ordering semantics with Scheduler/ExportCenter cadence.
 #### TimelineIndexer task snapshot (2025-11-12)
 | Task ID | Scope | State | Notes / Owners |
 | --- | --- | --- | --- |
 | TIMELINE-OBS-52-001 | Service bootstrap + Postgres migrations/RLS | TODO | Timeline Indexer Guild |
 | TIMELINE-OBS-52-002 | Event ingestion pipeline + metrics | TODO | Timeline Indexer Guild |
 | TIMELINE-OBS-52-003 | REST/gRPC APIs + OpenAPI contracts | TODO | Timeline Indexer Guild |
 | TIMELINE-OBS-52-004 | RLS policies, audit logging, legal hold tests | TODO | Timeline Indexer + Security Guilds |
 | TIMELINE-OBS-53-001 | Evidence linkage endpoint | TODO | Timeline Indexer + Evidence Locker Guilds |
 ## Interlocks & Readiness Signals
 | Dependency | Owner / Source | Impacts | Status / Next signal |
 | --- | --- | --- | --- |
 | Orchestrator capsule & notifications schema (`docs/events/orchestrator-scanner-events.md`) | Orchestrator Service Guild · Notifications Guild (Sprint 150.A + 140 wave) | 160.A, 160.B, 160.C | OVERDUE (was due 2025-11-15); escalation sent 2025-11-18; awaiting new ETA (follow-up 2025-11-19). |
 | AdvisoryAI evidence bundle schema & payload notes (Sprint 110.A) | AdvisoryAI Guild | 160.A, 160.B | OVERDUE (was due 2025-11-14); escalation sent 2025-11-18; awaiting new ETA (follow-up 2025-11-19). |
 | Replay ledger spec alignment (`docs/replay/DETERMINISTIC_REPLAY.md`, `/docs/runbooks/replay_ops.md`) | Replay Delivery Guild (Sprint 187) | 160.A | Replay ops runbook exists (2025-11-03); EvidenceLocker must incorporate retention API shape before DOING. Track in EVID-REPLAY-187-001. |
 | Crypto routing parity (`docs/security/crypto-routing-audit-2025-11-07.md`) | Security Guild + Export/Evidence teams (`EVID-CRYPTO-90-001`, `EXPORT-CRYPTO-90-001`) | 160.A, 160.B | Audit published 2025-11-07; wire `ICryptoProviderRegistry` before enabling sovereign profiles. Readiness review on 2025-11-18. |
 | DevPortal verification CLI scaffolding (`DVOFF-64-002`) | DevPortal Offline Guild (Sprint 162) | 160.B | Prototype pending; keep `stella devportal verify bundle.tgz` ready once bundle contracts are signed. |
 ## Upcoming Checkpoints (UTC)
 | Date | Session / Owner | Target outcome | Fallback / Escalation |
 | --- | --- | --- | --- |
 | 2025-11-14 | AdvisoryAI stand-up (AdvisoryAI Guild) | Freeze evidence bundle schema + payload notes so EvidenceLocker can finalize DSSE manifests (blocked). | MISSED; reschedule immediately and log in Sprint 110 + this sprint. |
 | 2025-11-15 | Orchestrator + Notifications schema handoff (Orchestrator Service + Notifications Guilds) | Publish capsule envelopes & notification contracts required by EvidenceLocker ingest, ExportCenter notifications, TimelineIndexer ordering (blocked). | MISSED; escalate to Wave 150/140 leads and record new ETA; keep tasks BLOCKED. |
 | 2025-11-18 | Sovereign crypto readiness review (Security Guild + Evidence/Export teams) | Validate `ICryptoProviderRegistry` wiring plan for `EVID-CRYPTO-90-001` & `EXPORT-CRYPTO-90-001`; green-light sovereign modes (blocked). | If gating issues remain, file action items in Security board and hold related sprint tasks in TODO. |
 | 2025-11-19 | DevPortal Offline CLI dry run (DevPortal Offline + AirGap Controller Guilds) | Demo `stella devportal verify bundle.tgz` using sample manifest to prove readiness once EvidenceLocker spec lands (blocked awaiting schema). | If CLI not ready, update DVOFF-64-002 description with new ETA and note risk in Sprint 162 doc. |
 | 2025-11-19 | Escalation follow-up (AdvisoryAI, Orchestrator/Notifications) | Secure revised dates for schema/envelope drops; update this sprint + Sprint 110/150/140. | If no dates provided, mark BLOCKED in respective sprints and escalate to Wave leads. |
 ## Action Tracker
 | Wave | Immediate action | Owner(s) | Due | Status |
 | --- | --- | --- | --- | --- |
 | 160.A EvidenceLocker | Draft ingest schema summary + Replay Ledger API notes into `SPRINT_0161_0001_0001_evidencelocker.md` once orchestrator + AdvisoryAI schemas land. | Evidence Locker Guild · Replay Delivery Guild | 2025-11-16 | OVERDUE (schemas not delivered) |
 | 160.A EvidenceLocker | Validate crypto provider registry plan for `EVID-CRYPTO-90-001` ahead of the Nov-18 review. | Evidence Locker Guild · Security Guild | 2025-11-17 | OVERDUE (awaiting Security design feedback) |
 | 160.A EvidenceLocker | Prep CLI + ops teams for replay handoff (`RUNBOOK-REPLAY-187-004`, `CLI-REPLAY-187-002`) once Evidence Locker APIs are drafted. | CLI Guild · Ops Guild · Evidence Locker Guild | 2025-11-18 | Pending |
 | 160.B ExportCenter | Prepare DevPortal verification CLI prototype (`DVOFF-64-002`) covering manifest hash + DSSE verification flow. | DevPortal Offline Guild · AirGap Controller Guild | 2025-11-19 | In progress (design draft shared; waiting on bundle schema) |
 | 160.B ExportCenter | Align attestation bundle job + CLI verbs (`EXPORT-ATTEST-74/75`) with EvidenceLocker DSSE layout once published. | Exporter Service Guild · Attestation Bundle Guild · CLI Guild | 2025-11-20 | Pending |
 | 160.B ExportCenter | Stage crypto routing hooks in exporter service (`EXPORT-CRYPTO-90-001`) tied to the Nov-18 review. | Exporter Service Guild · Security Guild | 2025-11-18 | Pending |
 | 160.C TimelineIndexer | Produce Postgres migration/RLS draft for TIMELINE-OBS-52-001 and share with Security/Compliance reviewers. | Timeline Indexer Guild · Security Guild | 2025-11-18 | Pending |
 | 160.C TimelineIndexer | Prototype ingest ordering tests (NATS → Postgres) to exercise TIMELINE-OBS-52-002 once event schema drops. | Timeline Indexer Guild | 2025-11-19 | Pending |
 | 160.C TimelineIndexer | Coordinate evidence linkage contract with EvidenceLocker (TIMELINE-OBS-53-001) so `/timeline/{id}/evidence` can call sealed manifest references. | Timeline Indexer Guild · Evidence Locker Guild | 2025-11-20 | Pending |
 | AGENTS-implplan | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | 2025-11-18 | DONE |
 | ESCALATE-ADV-AI-SCHEMA | Escalate and reschedule AdvisoryAI evidence bundle schema drop; log new date in Sprint 110 and this sprint. | AdvisoryAI Guild · Evidence Locker Guild | 2025-11-18 | DOING (escalation sent 2025-11-18; awaiting ETA) |
 | ESCALATE-ORCH-ENVELOPE | Escalate Orchestrator/Notifications capsule envelope drop; obtain new ETA and log in Sprint 150/140 and this sprint. | Orchestrator Service · Notifications Guild | 2025-11-18 | DOING (escalation sent 2025-11-18; awaiting ETA) |
 ## Decisions & Risks
 | Item | Status / Decision | Notes |
 | --- | --- | --- |
 | Naming & template alignment | DONE (2025-11-17) | File renamed to `SPRINT_0160_0001_0001_export_evidence.md` and normalized to standard sprint template. |
 | AdvisoryAI schema freeze | BLOCKED | Must land before EvidenceLocker/ExportCenter DOING moves; track in Interlocks and Sprint 110. |
 | Orchestrator/Notifications envelopes | BLOCKED | Required for EvidenceLocker ingest, ExportCenter notifications, and TimelineIndexer ordering. |
 | Crypto routing design readiness | BLOCKED | Await 2025-11-18 review to green-light `ICryptoProviderRegistry` wiring (`EVID-CRYPTO-90-001`, `EXPORT-CRYPTO-90-001`). |
 | Risks | See table below | Retained from prior snapshot. |
 | AGENTS.md for docs/implplan | DONE | `docs/implplan/AGENTS.md` added (2025-11-17); read before editing sprint docs. |
 | AdvisoryAI schema checkpoint (2025-11-14) | OVERDUE | Reschedule required; tracked via `ESCALATE-ADV-AI-SCHEMA` action. |
 | Orchestrator/Notifications checkpoint (2025-11-15) | OVERDUE | Reschedule required; tracked via `ESCALATE-ORCH-ENVELOPE` action. |
 | Escalation responses | PENDING | Awaiting ETA confirmations from AdvisoryAI and Orchestrator/Notifications leads; follow-up due 2025-11-19 if no response. |
 ### Risk table
 | Risk | Impacted wave(s) | Severity | Mitigation / Owner |
 | --- | --- | --- | --- |
 | AdvisoryAI schema slips past 2025-11-14, delaying DSSE manifest freeze. | 160.A, 160.B | High | AdvisoryAI Guild to provide interim sample payloads; EvidenceLocker to stub schema adapters so ExportCenter can begin validation with mock data. |
 | Orchestrator/Notifications schema handoff misses 2025-11-15 window. | 160.A, 160.B, 160.C | High | Escalate to Wave 150/140 leads, record BLOCKED status in both sprint docs, and schedule daily schema stand-ups until envelopes land. |
 | Sovereign crypto routing design not ready by 2025-11-18 review. | 160.A, 160.B | Medium | Security Guild to publish `ICryptoProviderRegistry` reference implementation; Evidence/Export guilds to nominate fallback providers per profile. |
 | DevPortal verification CLI lacks signed bundle fixtures for dry run. | 160.B | Medium | Exporter Guild to provide sample manifest + DSSE pair; DevPortal Offline Guild to script fake EvidenceLocker output for demo. |
 | TimelineIndexer Postgres/RLS plan not reviewed before coding. | 160.C | Medium | Timeline Indexer Guild to share migration plan with Security/Compliance for async review; unblock coding by securing written approval in sprint doc. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-12 | Snapshot refreshed; all Export & Evidence waves remain BLOCKED pending orchestrator capsule data, AdvisoryAI bundle schemas, and EvidenceLocker contracts. Re-evaluate after 2025-11-15 handoff. | Planning |
 | 2025-11-12 | Added checkpoint calendar, action tracker, and risk table to keep Wave 160 aligned while dependencies stabilize. | Planning |
 | 2025-11-17 | Normalized sprint to standard template and renamed from `SPRINT_160_export_evidence.md` to `SPRINT_0160_0001_0001_export_evidence.md`; no semantic changes to tasks. | Project PM |
 | 2025-11-17 | Set Delivery Tracker and Wave statuses to BLOCKED pending schemas/crypto review; logged missing `docs/implplan/AGENTS.md` as blocker and added action item `AGENTS-implplan`. | Implementer |
 | 2025-11-17 | Created `docs/implplan/AGENTS.md`; marked AGENTS-implplan DONE and updated Decisions & Risks accordingly. | Implementer |
 | 2025-11-17 | Marked AdvisoryAI (2025-11-14) and Orchestrator/Notifications (2025-11-15) checkpoints as missed; escalations required; action items now OVERDUE. | Implementer |
 | 2025-11-18 | Added escalation actions `ESCALATE-ADV-AI-SCHEMA` and `ESCALATE-ORCH-ENVELOPE` to track overdue schema drops. | Implementer |
 | 2025-11-18 | Started escalations for AdvisoryAI schema and Orchestrator envelopes; awaiting new ETAs from respective guilds. | Implementer |
 | 2025-11-18 | Sent escalation pings to AdvisoryAI and Orchestrator/Notifications leads; awaiting ETA confirmation (tracked in Action Tracker). | Implementer |
 | 2025-11-18 | Updated Interlocks with “escalation sent” notes and follow-up date (2025-11-19). | Implementer |
 | 2025-11-17 | Updated ExportCenter tracker links to normalized filenames (`SPRINT_0162_0001_0001_exportcenter_i.md`, `SPRINT_0163_0001_0001_exportcenter_ii.md`). | Implementer |
--- a/docs/implplan/SPRINT_0161_0001_0001_evidencelocker.md
+++ b/docs/implplan/SPRINT_0161_0001_0001_evidencelocker.md
@@ -0,0 +1,66 @@
 # Sprint 0161_0001_0001 · EvidenceLocker
 ## Topic & Scope
 - Advance 160.A EvidenceLocker stream: finalize bundle packaging, replay ingest/retention, CLI/ops readiness, and sovereign crypto routing.
 - Produce ready-to-execute task definitions that unblock downstream ExportCenter/TimelineIndexer once upstream schemas land.
 - Working directory: `docs/implplan` (coordination for EvidenceLocker; code lives in `src/EvidenceLocker` & CLI modules tracked elsewhere).
 ## Dependencies & Concurrency
 - Upstream: AdvisoryAI evidence bundle schema + payload notes (Sprint 110.A); Orchestrator/Notifications capsule schemas (Sprint 150.A / 140); Replay Ledger rules in `docs/replay/DETERMINISTIC_REPLAY.md`; crypto audit `docs/security/crypto-routing-audit-2025-11-07.md`.
 - Concurrency: runs alongside Sprint 160 coordination; blocks ExportCenter (Sprint 162/163) and TimelineIndexer (Sprint 165) until manifests/envelopes freeze.
 - Ready signals required before DOING: (1) AdvisoryAI schema freeze, (2) Orchestrator envelopes freeze, (3) crypto registry plan approved at 2025-11-18 review.
 ## Documentation Prerequisites
 - `docs/modules/evidence-locker/architecture.md`
 - `docs/modules/evidence-locker/bundle-packaging.md`
 - `docs/modules/evidence-locker/incident-mode.md`
 - `docs/replay/DETERMINISTIC_REPLAY.md`
 - `docs/runbooks/replay_ops.md`
 - `docs/security/crypto-routing-audit-2025-11-07.md`
 - `docs/events/orchestrator-scanner-events.md`
 - `docs/modules/cli/architecture.md`
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | EVID-OBS-54-002 | BLOCKED | Await AdvisoryAI schema + orchestrator envelopes to freeze bundle packaging/DSSE fields. | Evidence Locker Guild | Finalize deterministic bundle packaging + DSSE layout per `docs/modules/evidence-locker/bundle-packaging.md`, including portable/incident modes. |
 | 2 | EVID-REPLAY-187-001 | BLOCKED | Need orchestrator + AdvisoryAI payloads and replay ledger retention shape. | Evidence Locker Guild · Replay Delivery Guild | Implement replay bundle ingestion + retention APIs; update storage policy per `docs/replay/DETERMINISTIC_REPLAY.md`. |
 | 3 | CLI-REPLAY-187-002 | BLOCKED | EvidenceLocker APIs & schemas needed to wire CLI verbs. | CLI Guild | Add CLI `scan --record`, `verify`, `replay`, `diff` with offline bundle resolution; align golden tests. |
 | 4 | RUNBOOK-REPLAY-187-004 | BLOCKED | Depends on retention APIs + CLI behavior to document. | Docs Guild · Ops Guild | Publish `/docs/runbooks/replay_ops.md` coverage for retention enforcement, RootPack rotation, verification drills. |
 | 5 | EVID-CRYPTO-90-001 | BLOCKED | Pending 2025-11-18 sovereign crypto readiness review. | Evidence Locker Guild · Security Guild | Route hashing/signing/bundle encryption through `ICryptoProviderRegistry`/`ICryptoHash` for sovereign crypto providers. |
 ## Action Tracker
 | Action | Owner(s) | Due | Status |
 | --- | --- | --- | --- |
 | Capture AdvisoryAI + orchestrator schema deltas into this sprint and attach sample payloads. | Evidence Locker Guild | 2025-11-15 | BLOCKED (schemas not yet delivered) |
 | Draft Replay Ledger API + CLI notes to unblock EVID-REPLAY-187-001/002. | Evidence Locker Guild · Replay Delivery Guild | 2025-11-16 | BLOCKED (awaiting schema signals) |
 | Validate `ICryptoProviderRegistry` plan at readiness review. | Evidence Locker Guild · Security Guild | 2025-11-18 | Pending |
 ## Interlocks & Readiness Signals
 | Dependency | Impacts | Status / Next signal |
 | --- | --- | --- |
 | AdvisoryAI evidence bundle schema & payload notes (Sprint 110.A) | EVID-OBS-54-002, EVID-REPLAY-187-001/002 | Pending; expected at 2025-11-14 stand-up. Required before DOING. |
 | Orchestrator + Notifications capsule schema (`docs/events/orchestrator-scanner-events.md`) | All tasks | Pending; expected 2025-11-15 handoff. Required before DOING. |
 | Sovereign crypto readiness review | EVID-CRYPTO-90-001 | Scheduled 2025-11-18; blocks sovereign routing. |
 | Replay Ledger spec alignment (`docs/replay/DETERMINISTIC_REPLAY.md`) | EVID-REPLAY-187-001/002, RUNBOOK-REPLAY-187-004 | Sections 2,8,9 must be reflected once schemas land. |
 ## Decisions & Risks
 | Item | Status / Decision | Notes |
 | --- | --- | --- |
 | Schema readiness | BLOCKED | Waiting on AdvisoryAI + orchestrator envelopes; no DOING until frozen. |
 | Crypto routing approval | PENDING | Review on 2025-11-18 to approve `ICryptoProviderRegistry` wiring. |
 | Template & filename normalization | DONE (2025-11-17) | Renamed to `SPRINT_0161_0001_0001_evidencelocker.md`; structure aligned to sprint template. |
 ### Risk table
 | Risk | Severity | Mitigation / Owner |
 | --- | --- | --- |
 | AdvisoryAI schema slips past 2025-11-14, delaying DSSE manifest freeze. | High | AdvisoryAI Guild to provide interim sample payloads; EvidenceLocker to stub adapters. |
 | Orchestrator/Notifications schema handoff misses 2025-11-15. | High | Escalate to Wave 150/140; keep tasks BLOCKED and schedule daily stand-ups until envelopes land. |
 | Sovereign crypto routing design not ready by 2025-11-18. | Medium | Security to publish reference implementation; EvidenceLocker to nominate fallback providers. |
 | Replay Ledger alignment drifts from CLI behavior. | Medium | Sync docs/runbooks with CLI/EvidenceLocker changes once schemas land; add deterministic test cases. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-12 | Snapshot captured (pre-template) with tasks TODO. | Planning |
 | 2025-11-17 | Normalized sprint to standard template, renamed file, and set all tasks BLOCKED pending schemas/crypto review. | Implementer |
--- a/docs/implplan/SPRINT_0162_0001_0001_exportcenter_i.md
+++ b/docs/implplan/SPRINT_0162_0001_0001_exportcenter_i.md
@@ -0,0 +1,79 @@
 # Sprint 0162_0001_0001 · ExportCenter I (Export & Evidence Wave 160.B)
 ## Topic & Scope
 - Phase I for ExportCenter: mirror/bootstrap profiles, portable evidence exports, attestation bundles, OAS/SDK updates, DevPortal verification CLI prototype.
 - Keep tasks aligned with EvidenceLocker bundle contracts and orchestrator/notifications envelopes; deliver ready-to-execute backlog for service + CLI teams once schemas freeze.
 - Working directory: `docs/implplan` (coordination). Code lives in `src/ExportCenter/*` and related CLI/attestor modules.
 ## Dependencies & Concurrency
 - Upstream contracts: EvidenceLocker sealed bundle spec (Sprint 161), AdvisoryAI schema (Sprint 110.A), Orchestrator/Notifications envelopes (Sprint 150.A/140), crypto audit `docs/security/crypto-routing-audit-2025-11-07.md`.
 - Concurrency: Runs in parallel with Sprint 160 (coord) and Sprint 163 (ExportCenter II). Blocks DevPortal dry run (Nov-19) and TimelineIndexer event reliance until envelopes land.
 - Ready signals needed before DOING: EvidenceLocker contract frozen; Orchestrator/Notifications schema published; crypto registry plan accepted (Nov-18 review).
 ## Documentation Prerequisites
 - `docs/modules/export-center/architecture.md`
 - `docs/modules/attestor/airgap.md`
 - `docs/security/crypto-routing-audit-2025-11-07.md`
 - `docs/events/orchestrator-scanner-events.md`
 - EvidenceLocker bundle packaging (`docs/modules/evidence-locker/bundle-packaging.md`) once frozen
 - DevPortal offline guidance (DVOFF-64 series) as provided by DevPortal Offline Guild
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | DVOFF-64-002 | BLOCKED | Needs sealed bundle spec + sample manifest for CLI verify flow; due for Nov-19 dry run. | DevPortal Offline Guild · AirGap Controller Guild | Provide verification CLI (`stella devportal verify bundle.tgz`) ensuring integrity before import. |
 | 2 | EXPORT-AIRGAP-56-001 | BLOCKED | EvidenceLocker contract + advisory schema to finalize DSSE contents. | Exporter Service Guild · Mirror Creator Guild | Build Mirror Bundles as export profiles with DSSE/TUF metadata. |
 | 3 | EXPORT-AIRGAP-56-002 | BLOCKED | Depends on 56-001; same schema prerequisites. | Exporter Service Guild · DevOps Guild | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gap deploy. |
 | 4 | EXPORT-AIRGAP-57-001 | BLOCKED | Depends on 56-002; needs sealed evidence bundle format. | Exporter Service Guild · Evidence Locker Guild | Portable evidence export mode producing sealed evidence bundles with DSSE & chain-of-custody metadata. |
 | 5 | EXPORT-AIRGAP-58-001 | BLOCKED | Depends on 57-001; needs notifications envelope schema. | Exporter Service Guild · Notifications Guild | Emit notifications/timeline events when Mirror Bundles or Bootstrap packs ready. |
 | 6 | EXPORT-ATTEST-74-001 | BLOCKED | Needs EvidenceLocker bundle layout + orchestration events. | Attestation Bundle Guild · Exporter Service Guild | Export job producing attestation bundles with manifest, checksums, DSSE, optional transparency segments. |
 | 7 | EXPORT-ATTEST-74-002 | BLOCKED | Depends on 74-001. | Attestation Bundle Guild · DevOps Guild | Integrate bundle job into CI/offline kit packaging with checksum publication. |
 | 8 | EXPORT-ATTEST-75-001 | BLOCKED | Depends on 74-002; needs CLI contract. | Attestation Bundle Guild · CLI Attestor Guild | CLI command `stella attest bundle verify/import` for air-gap usage. |
 | 9 | EXPORT-ATTEST-75-002 | BLOCKED | Depends on 75-001. | Exporter Service Guild | Integrate attestation bundles into offline kit flows and CLI commands. |
 | 10 | EXPORT-OAS-61-001 | BLOCKED | Needs stable export surfaces; await EvidenceLocker contract. | Exporter Service Guild · API Contracts Guild | Update Exporter OAS covering profiles/runs/downloads with standard error envelope + examples. |
 | 11 | EXPORT-OAS-61-002 | BLOCKED | Depends on 61-001. | Exporter Service Guild | `/.well-known/openapi` discovery endpoint with version metadata and ETag. |
 | 12 | EXPORT-OAS-62-001 | BLOCKED | Depends on 61-002. | Exporter Service Guild · SDK Generator Guild | Ensure SDKs include export profile/run clients with streaming helpers; add smoke tests. |
 ## Action Tracker
 | Action | Owner(s) | Due | Status |
 | --- | --- | --- | --- |
 | Provide sealed bundle sample + DSSE manifest to DevPortal CLI team for dry run. | Exporter Service · EvidenceLocker Guild | 2025-11-18 | BLOCKED (awaits EvidenceLocker contract) |
 | Prep `stella devportal verify bundle.tgz` demo script & fixtures. | DevPortal Offline · AirGap Controller | 2025-11-19 | Pending (blocked on sample bundle) |
 | Confirm crypto routing parity plan (`EXPORT-CRYPTO-90-001`) at Nov-18 review. | Exporter Service · Security Guild | 2025-11-18 | Pending |
 ## Interlocks & Readiness Signals
 | Dependency | Impacts | Status / Next signal |
 | --- | --- | --- |
 | EvidenceLocker sealed bundle spec (Sprint 161) | All export/attestation tasks, DVOFF-64-002 | Pending; required before DOING. |
 | AdvisoryAI evidence schema (Sprint 110.A) | AIRGAP-56/57/58, ATTEST-74/75 | Pending; needed for DSSE payload contents. |
 | Orchestrator + Notifications schema (`docs/events/orchestrator-scanner-events.md`) | EXPORT-AIRGAP-58-001, notifications fan-out | Pending; handoff expected 2025-11-15. |
 | Sovereign crypto readiness review | EXPORT-CRYPTO-90-001 | Scheduled 2025-11-18. |
 ## Upcoming Checkpoints (UTC)
 | Date | Session / Owner | Target outcome | Fallback / Escalation |
 | --- | --- | --- | --- |
 | 2025-11-15 | Orchestrator + Notifications schema handoff | Publish envelopes needed for notifications/timeline events. | If not ready, keep tasks BLOCKED and escalate to Wave 150/140 leads. |
 | 2025-11-18 | Crypto readiness review | Approve `ICryptoProviderRegistry` wiring for EXPORT-CRYPTO-90-001. | If blocked, log action items and hold crypto-related tasks. |
 | 2025-11-19 | DevPortal CLI dry run | Demo `stella devportal verify bundle.tgz` with sealed bundle sample. | If bundles absent, slip demo and log risk in Decisions. |
 ## Decisions & Risks
 | Item | Status / Decision | Notes |
 | --- | --- | --- |
 | Template & filename normalization | DONE (2025-11-17) | Renamed to `SPRINT_0162_0001_0001_exportcenter_i.md`; aligned to sprint template. |
 | EvidenceLocker contract dependency | BLOCKED | All export tasks wait on sealed bundle spec + DSSE layout. |
 | Orchestrator/Notifications envelope dependency | BLOCKED | Notifications and timeline events cannot commence until schema lands. |
 | Crypto routing plan | PENDING | To be validated at 2025-11-18 review (`EXPORT-CRYPTO-90-001`). |
 ### Risk table
 | Risk | Severity | Mitigation / Owner |
 | --- | --- | --- |
 | EvidenceLocker contract slips past Nov-18, stalling DevPortal dry run. | High | Provide stub sample bundle from EvidenceLocker; dry-run with synthetic data. |
 | Orchestrator/Notifications schema delayed beyond Nov-15. | High | Escalate to Wave 150/140; keep EXPORT-AIRGAP-58-001 blocked until envelopes freeze. |
 | Crypto routing design not approved on Nov-18. | Medium | Security to supply reference implementation; Exporter to prepare fallback provider matrix. |
 | SDK/OAS drift from final APIs. | Medium | Regenerate OAS/SDK only after contracts freeze; add ETag/versioning to avoid stale clients. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-12 | Snapshot captured (pre-template) with tasks TODO. | Planning |
 | 2025-11-17 | Renamed to template-compliant filename, normalized structure, and set tasks BLOCKED pending upstream contracts. | Implementer |
--- a/docs/implplan/SPRINT_0163_0001_0001_exportcenter_ii.md
+++ b/docs/implplan/SPRINT_0163_0001_0001_exportcenter_ii.md
@@ -0,0 +1,85 @@
 # Sprint 0163_0001_0001 · ExportCenter II (Export & Evidence Wave 160.B)
 ## Topic & Scope
 - Phase II for ExportCenter: observability/audit, deprecation path, service core hardening, risk bundles, and crypto parity matching EvidenceLocker.
 - Turn phase I outputs (Sprint 0162) into executable work once schemas freeze; ensure deterministic exports with telemetry and DSSE provenance.
 - Working directory: `docs/implplan` (coordination). Code lives in `src/ExportCenter/*`.
 ## Dependencies & Concurrency
 - Upstream: EvidenceLocker sealed bundle spec (Sprint 0161) and Sprint 0162 outputs; AdvisoryAI schema; Orchestrator/Notifications envelopes; crypto audit `docs/security/crypto-routing-audit-2025-11-07.md` (Nov-18 review for routing plan).
 - Planner/worker queue depends on Orchestrator/Scheduler telemetry readiness (Sprint 150) and notifications schema.
 - Concurrency: runs after Sprint 0162 milestones; keep tasks BLOCKED until phase I contracts delivered.
 ## Documentation Prerequisites
 - `docs/modules/export-center/architecture.md`
 - `docs/security/crypto-routing-audit-2025-11-07.md`
 - `docs/events/orchestrator-scanner-events.md`
 - EvidenceLocker bundle packaging (`docs/modules/evidence-locker/bundle-packaging.md`) once frozen
 - Observability guidance/dashboards referenced by Observability Guild
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | EXPORT-OAS-63-001 | BLOCKED | Needs EXPORT-OAS-61/62 outputs + stable APIs. | Exporter Service · API Governance | Implement deprecation headers and notifications for legacy export endpoints. |
 | 2 | EXPORT-OBS-50-001 | BLOCKED | Wait for exporter service bootstrap + telemetry schema. | Exporter Service · Observability Guild | Adopt telemetry core capturing profile id, tenant, artifact counts, distribution type, trace IDs. |
 | 3 | EXPORT-OBS-51-001 | BLOCKED | Depends on OBS-50 schema. | Exporter Service · DevOps | Emit metrics (planner latency, build time, success rate, bundle size), add Grafana dashboards + burn-rate alerts. |
 | 4 | EXPORT-OBS-52-001 | BLOCKED | Depends on OBS-51 and notifications envelopes. | Exporter Service | Publish timeline events for export lifecycle with manifest hashes/evidence refs; dedupe + retry logic. |
 | 5 | EXPORT-OBS-53-001 | BLOCKED | Depends on OBS-52 and EvidenceLocker manifest format. | Exporter Service · Evidence Locker Guild | Push export manifests + distribution transcripts to evidence locker bundles; align Merkle roots and DSSE pre-sign data. |
 | 6 | EXPORT-OBS-54-001 | BLOCKED | Depends on OBS-53. | Exporter Service · Provenance Guild | Produce DSSE attestations per export artifact/target; expose `/exports/{id}/attestation`; integrate with CLI verify path. |
 | 7 | EXPORT-OBS-54-002 | BLOCKED | Depends on OBS-54-001 and PROV-OBS-53-003. | Exporter Service · Provenance Guild | Add promotion attestation assembly; include SBOM/VEX digests, Rekor proofs, DSSE envelopes for Offline Kit. |
 | 8 | EXPORT-OBS-55-001 | BLOCKED | Depends on OBS-54-001. | Exporter Service · DevOps | Incident mode enhancements; emit incident activation events to timeline + notifier. |
 | 9 | EXPORT-RISK-69-001 | BLOCKED | Await phase I artifacts + schema; needs provider selection rules. | Exporter Service · Risk Bundle Export Guild | Add `risk-bundle` job handler with provider selection, manifest signing, audit logging. |
 | 10 | EXPORT-RISK-69-002 | BLOCKED | Depends on RISK-69-001. | Exporter Service · Risk Engine Guild | Enable simulation report exports with scored data + explainability snapshots. |
 | 11 | EXPORT-RISK-70-001 | BLOCKED | Depends on RISK-69-002. | Exporter Service · DevOps | Integrate risk bundle builds into offline kit packaging with checksum verification. |
 | 12 | EXPORT-SVC-35-001 | BLOCKED | Needs phase I readiness + synthetic telemetry feeds. | Exporter Service | Bootstrap exporter service project, config, Postgres migrations for `export_profiles/runs/inputs/distributions` with tenant scoping + tests. |
 | 13 | EXPORT-SVC-35-002 | BLOCKED | Depends on 35-001. | Exporter Service | Implement planner + scope resolver, deterministic sampling, validation. |
 | 14 | EXPORT-SVC-35-003 | BLOCKED | Depends on 35-002. | Exporter Service | JSON adapters (`json:raw`, `json:policy`) with normalization/redaction/compression/manifest counts. |
 | 15 | EXPORT-SVC-35-004 | BLOCKED | Depends on 35-003. | Exporter Service | Mirror (full) adapter producing filesystem layout, indexes, manifests, README. |
 | 16 | EXPORT-SVC-35-005 | BLOCKED | Depends on 35-004. | Exporter Service | Manifest/provenance writer + KMS signing/attestation (detached + embedded). |
 | 17 | EXPORT-CRYPTO-90-001 | BLOCKED | Pending Nov-18 crypto review + reference implementation. | Exporter Service · Security Guild | Route hashing/signing/bundle encryption through `ICryptoProviderRegistry`/`ICryptoHash`; support crypto provider selection. |
 ## Action Tracker
 | Action | Owner(s) | Due | Status |
 | --- | --- | --- | --- |
 | Mirror EvidenceLocker DSSE manifest schema into exporter tests once frozen. | Exporter Service | 2025-11-18 | BLOCKED (waiting on EvidenceLocker spec) |
 | Define telemetry schema (traces/logs/metrics) and attach to this doc. | Observability Guild | 2025-11-18 | BLOCKED (awaiting OBS-50 start) |
 | Draft legacy endpoint deprecation comms with API Governance. | Exporter Service · API Governance | 2025-11-19 | BLOCKED (depends on OAS-61/62 outputs) |
 | Stage crypto provider configuration matrix for `EXPORT-CRYPTO-90-001`. | Exporter Service · Security Guild | 2025-11-18 | Pending |
 ## Interlocks & Readiness Signals
 | Dependency | Impacts | Status / Next signal |
 | --- | --- | --- |
 | EvidenceLocker sealed bundle spec (Sprint 0161) | OBS-53/54, SVC-35 outputs | Pending; required before DOING. |
 | Sprint 0162 outputs (ExportCenter I) | All tasks | Pending; must deliver bundle profiles + CLI sample bundle. |
 | AdvisoryAI schema | AIRGAP/OBS tasks needing payload content | Pending; signals from Sprint 110.A. |
 | Orchestrator + Notifications schema (`docs/events/orchestrator-scanner-events.md`) | OBS-52, notifications | Pending; handoff expected 2025-11-15. |
 | Crypto readiness review | EXPORT-CRYPTO-90-001 | Scheduled 2025-11-18. |
 ## Upcoming Checkpoints (UTC)
 | Date | Session / Owner | Target outcome | Fallback / Escalation |
 | --- | --- | --- | --- |
 | 2025-11-15 | Orchestrator + Notifications schema handoff | Envelopes for export lifecycle events. | If not ready, keep OBS-52 blocked and escalate to Wave 150/140. |
 | 2025-11-18 | Crypto readiness review | Approve routing for EXPORT-CRYPTO-90-001. | If blocked, log action items and hold crypto work. |
 | 2025-11-19 | Telemetry schema sync | Finalize metrics/traces fields for OBS-50/51; unblock instrumentation. | Delay instrumentation until schema baseline agreed. |
 ## Decisions & Risks
 | Item | Status / Decision | Notes |
 | --- | --- | --- |
 | Template & filename normalization | DONE (2025-11-17) | Renamed to `SPRINT_0163_0001_0001_exportcenter_ii.md`; template applied. |
 | EvidenceLocker/phase I dependency | BLOCKED | Cannot start until Sprint 0162 and EvidenceLocker spec deliverables land. |
 | Orchestrator/Notifications dependency | BLOCKED | Required for OBS-52 events. |
 | Crypto routing plan | PENDING | Await Nov-18 review for `ICryptoProviderRegistry` integration. |
 ### Risk table
 | Risk | Severity | Mitigation / Owner |
 | --- | --- | --- |
 | Phase I outputs slip, leaving OBS/SVC tasks idle. | High | Track in Sprint 0162; use synthetic fixtures only after EvidenceLocker spec available. |
 | Notifications schema delay cascades into TimelineIndexer dependence. | High | Escalate via Wave 150/140; keep OBS-52 blocked. |
 | Crypto routing not approved on Nov-18. | Medium | Prepare fallback provider matrix; reuse EvidenceLocker reference impl. |
 | Telemetry schema drift across services. | Medium | Fix metrics/traces in doc before coding; enforce deterministic field names. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-12 | Snapshot captured (pre-template) with tasks TODO. | Planning |
 | 2025-11-17 | Renamed to compliant filename, applied template, and set tasks to BLOCKED pending upstream contracts and Sprint 0162 outputs. | Implementer |
--- a/docs/implplan/SPRINT_0316_0001_0001_docs_modules_cli.md
+++ b/docs/implplan/SPRINT_0316_0001_0001_docs_modules_cli.md
@@ -0,0 +1,39 @@
 # Sprint 0316 · Docs Modules · CLI
 ## Topic & Scope
 - Refresh CLI module docs so AGENTS, README, architecture, and implementation plan reflect current CLI scope and active sprints.
 - Capture status sync rules and ensure sprint references point to the normalized filename.
 - Prep ops/runbook notes placeholder for upcoming demo outputs.
 - **Working directory:** `docs/modules/cli`.
 ## Dependencies & Concurrency
 - Upstream reference sprints: CLI roadmap (180.A) plus platform docs; no hard blockers for doc sync.
 - Ops/runbook updates depend on next CLI demo outputs.
 ## Documentation Prerequisites
 - docs/modules/cli/README.md
 - docs/modules/cli/architecture.md
 - docs/modules/cli/implementation_plan.md
 - docs/modules/cli/AGENTS.md
 - docs/modules/platform/architecture-overview.md
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | CLI-DOCS-0001 | DONE | Synced sprint references on 2025-11-17 | Docs Guild | Update docs/AGENTS to reflect current CLI scope and sprint naming; align with template rules. |
 | 2 | CLI-ENG-0001 | DONE | Sprint normalized; statuses mirrored | Module Team | Update status via ./AGENTS.md workflow and ensure module docs reference current sprint. |
 | 3 | CLI-OPS-0001 | BLOCKED | Waiting for next demo outputs | Ops Guild | Sync outcomes back to ../.. ; refresh ops/runbook notes after demo. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-17 | Normalised sprint to standard template; renamed from SPRINT_316_docs_modules_cli.md. | Docs |
 | 2025-11-17 | Completed CLI-DOCS-0001 and CLI-ENG-0001 by updating CLI docs to reference normalized sprint. | Module Team |
 ## Decisions & Risks
 - Ops/runbook updates blocked until next CLI demo delivers outputs (affects CLI-OPS-0001).
 - Keep sprint naming aligned with template to avoid broken references in CLI docs.
 ## Next Checkpoints
 - 2025-11-22 · Check for demo outputs to unblock CLI-OPS-0001. Owner: Ops Guild.
--- a/docs/implplan/SPRINT_0321_0001_0001_docs_modules_graph.md
+++ b/docs/implplan/SPRINT_0321_0001_0001_docs_modules_graph.md
@@ -0,0 +1,42 @@
 # Sprint 0321 · Docs Modules · Graph
 ## Topic & Scope
 - Refresh graph module docs so milestones, diagrams, and runbooks align with current runtime/signals plan (Sprint 0141) and overlay expectations.
 - Ensure README/architecture/implementation_plan stay in sync with latest overlays/snapshots and upcoming clustering pipelines.
 - Prepare observability/runbook notes for Graph service ahead of next demo.
 - **Working directory:** `docs/modules/graph`.
 ## Dependencies & Concurrency
 - Upstream reference sprints: 0141 (Graph Indexer), 0120 (AirGap), 0130 (Scanner), 0140 (Runtime & Signals). No blocking concurrency once source material available.
 - Pending DOCS-GRAPH-24-003 cross-links needed before finalising API/query references.
 ## Documentation Prerequisites
 - docs/modules/graph/README.md
 - docs/modules/graph/architecture.md
 - docs/modules/graph/implementation_plan.md
 - docs/modules/platform/architecture-overview.md
 - docs/07_HIGH_LEVEL_ARCHITECTURE.md
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | GRAPH-ENG-0001 | DONE | Synced docs to Sprint 0141 rename on 2025-11-17 | Module Team | Keep module milestones in sync with `/docs/implplan/SPRINT_0141_0001_0001_graph_indexer.md` and related files; update references and note deltas. |
 | 2 | GRAPH-DOCS-0002 | BLOCKED | Await DOCS-GRAPH-24-003 cross-links | Docs Guild | Add API/query doc cross-links once DOCS-GRAPH-24-003 lands. |
 | 3 | GRAPH-OPS-0001 | BLOCKED | Waiting for next demo outputs to review dashboards/runbooks | Ops Guild | Review graph observability dashboards/runbooks after the next sprint demo; capture updates in runbooks. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-17 | Marked GRAPH-DOCS-0002 and GRAPH-OPS-0001 as BLOCKED pending DOCS-GRAPH-24-003 + next demo outputs. | Module Team |
 | 2025-11-17 | Completed GRAPH-ENG-0001; README and implementation_plan now reference SPRINT_0141_0001_0001_graph_indexer.md. | Module Team |
 | 2025-11-17 | Normalised sprint to standard template; renamed from SPRINT_321_docs_modules_graph.md. | Docs |
 ## Decisions & Risks
 - Cross-links blocked on DOCS-GRAPH-24-003; track before marking GRAPH-DOCS-0002 done.
 - Observability/runbook refresh depends on next demo schedule; risk of stale dashboards if demo slips.
 - Keep docs aligned with Sprint 0141 naming to avoid broken references.
 ## Next Checkpoints
 - 2025-11-17 · Milestone sync completed (GRAPH-ENG-0001). Owner: Module Team.
 - 2025-11-22 · Confirm DOCS-GRAPH-24-003 status; proceed with cross-links if available. Owner: Docs Guild.
 - 2025-11-25 · Runbook/observability review post-demo. Owner: Ops Guild.
--- a/docs/implplan/SPRINT_0323_0001_0001_docs_modules_orchestrator.md
+++ b/docs/implplan/SPRINT_0323_0001_0001_docs_modules_orchestrator.md
@@ -0,0 +1,37 @@
 # Sprint 0323 · Docs & Process (Orchestrator Module)
 ## Topic & Scope
 - Refresh Orchestrator docs (README, diagrams, runbooks) to reflect job leasing, task runner bridge, and pack-run lifecycle.
 - Keep sprint/milestone alignment notes synced with Orchestrator I/II delivery.
 - Produce backlog-facing TASKS board for contributors.
 - **Working directory:** docs/modules/orchestrator
 ## Dependencies & Concurrency
 - Upstream context from Orchestrator phase sprints 0151/0152/0153.
 - Coordinates with Authority pack RBAC and Notifications ingestion; otherwise independent.
 ## Documentation Prerequisites
 - docs/modules/orchestrator/README.md
 - docs/modules/orchestrator/architecture.md
 - docs/modules/orchestrator/implementation_plan.md
 - docs/modules/platform/architecture-overview.md
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | ORCH-DOCS-0001 | DONE | README updated with leasing/task runner notes and interim envelope guidance. | Docs Guild (docs/modules/orchestrator) | Refresh orchestrator README + diagrams to reflect job leasing changes and reference the task runner bridge. |
 | 2 | ORCH-ENG-0001 | DONE | Status synced; sprint references normalized. | Module Team (docs/modules/orchestrator) | Keep sprint milestone alignment notes synced with `/docs/implplan/SPRINT_0151_0001_0001_orchestrator_i.md` onward. |
 | 3 | ORCH-OPS-0001 | DONE | Ops notes carried into README; runbooks flagged for update. | Ops Guild (docs/modules/orchestrator) | Review orchestrator runbooks/observability checklists post-demo. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-18 | Normalised sprint to template, renamed to `SPRINT_0323_0001_0001_docs_modules_orchestrator.md`, set tasks to DOING for doc refresh. | Docs Guild |
 | 2025-11-19 | Updated README with leasing/task runner bridge notes and flagged runbooks; marked ORCH-DOCS/ENG/OPS-0001 DONE. | Docs Guild |
 ## Decisions & Risks
 - Pending final event envelope spec from ORCH-SVC-37-101; document current leasing model as interim.
 - Must align log streaming/pack-run notes with Authority RBAC once final.
 ## Next Checkpoints
 - Schedule doc review after README/runbook updates are published.
--- a/docs/implplan/SPRINT_0328_0001_0001_docs_modules_scheduler.md
+++ b/docs/implplan/SPRINT_0328_0001_0001_docs_modules_scheduler.md
@@ -0,0 +1,37 @@
 # Sprint 0328 · Docs & Process (Scheduler Module)
 ## Topic & Scope
 - Refresh Scheduler module docs (AGENTS, TASKS) to make the charter actionable for implementers.
 - Normalise sprint/task hygiene so status moves mirror AGENTS workflow and main sprint boards.
 - Ensure outcomes are synced back to repo-level planning artefacts for traceability.
 - **Working directory:** docs/modules/scheduler
 ## Dependencies & Concurrency
 - Upstream: Documentation readiness from Attestor (100.A), AdvisoryAI (110.A), AirGap (120.A), Scanner (130.A), Graph (140.A), Orchestrator (150.A), EvidenceLocker (160.A), Notifier (170.A), CLI (180.A), Ops Deployment (190.A).
 - Concurrency: independent of Scheduler implementation sprints 0155/0156; coordination only through referenced docs.
 ## Documentation Prerequisites
 - docs/modules/scheduler/README.md
 - docs/modules/scheduler/architecture.md
 - docs/modules/scheduler/implementation_plan.md
 - docs/modules/scheduler/AGENTS.md (this sprint refreshes it)
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
 | 1 | SCHEDULER-DOCS-0001 | DONE | AGENTS charter refreshed with roles/prereqs/determinism and cross-links. | Docs Guild (docs/modules/scheduler) | See ./AGENTS.md |
 | 2 | SCHEDULER-ENG-0001 | DONE | TASKS.md created; status mirror instructions in place. | Module Team (docs/modules/scheduler) | Update status via ./AGENTS.md workflow |
 | 3 | SCHEDULER-OPS-0001 | DONE | Synced outcomes back to sprint file and tasks-all tracker. | Ops Guild (docs/modules/scheduler) | Sync outcomes back to ../.. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-17 | Normalised sprint to standard template, renamed to `SPRINT_0328_0001_0001_docs_modules_scheduler.md`; set tasks to DOING for refresh work. | Docs Guild |
 | 2025-11-17 | Refreshed AGENTS charter, created TASKS.md, and marked tasks DONE; synced statuses to `tasks-all`. | Docs Guild |
 ## Decisions & Risks
 - Keep AGENTS and TASKS as the front door for Scheduler contributors; future contract changes must update both and link back here.
 - Must mirror status changes in both this sprint file and `docs/modules/scheduler/TASKS.md` to avoid divergence.
 ## Next Checkpoints
 - None scheduled; set a doc review once AGENTS/TASKS refresh is published.
--- a/docs/implplan/SPRINT_111_advisoryai.md
+++ b/docs/implplan/SPRINT_111_advisoryai.md
@@ -1,101 +0,0 @@
 # Sprint 111 - Ingestion & Evidence · 110.A) AdvisoryAI
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Ingestion & Evidence] 110.A) AdvisoryAI
 Depends on: Sprint 100.A - Attestor
 Summary: Ingestion & Evidence focus on AdvisoryAI.
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 DOCS-AIAI-31-006 | DONE (2025-11-13) | `/docs/policy/assistant-parameters.md` now documents inference modes, guardrail phrases, budgets, and cache/queue knobs (POLICY-ENGINE-31-001 inputs captured via `AdvisoryAiServiceOptions`). | Docs Guild, Policy Guild (docs)
 > 2025-11-13: Published `docs/policy/assistant-parameters.md`, added env-var mapping tables, and linked the page from Advisory AI architecture so guild owners can trace DOCS-AIAI-31-006 to Sprint 111.
 DOCS-AIAI-31-008 | BLOCKED (2025-11-03) | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). Dependencies: SBOM-AIAI-31-001. | Docs Guild, SBOM Service Guild (docs)
 DOCS-AIAI-31-009 | BLOCKED (2025-11-03) | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, model outages, scaling. Dependencies: DEVOPS-AIAI-31-001. | Docs Guild, DevOps Guild (docs)
 SBOM-AIAI-31-003 | BLOCKED (2025-11-16) | Publish the Advisory AI hand-off kit for `/v1/sbom/context`, share base URL/API key + tenant header contract, and run a joint end-to-end retrieval smoke test with Advisory AI. Dependencies: SBOM-AIAI-31-001 (not yet delivered). | SBOM Service Guild, Advisory AI Guild (src/SbomService/StellaOps.SbomService)
 AIAI-31-008 | BLOCKED (2025-11-16) | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. Dependencies: AIAI-31-006..007 (done) plus DEVOPS-AIAI-31-001 runbook. | Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI)
 AIAI-31-009 | DONE (2025-11-12) | Develop unit/golden/property/perf tests, injection harness, and regression suite; ensure determinism with seeded caches. Dependencies: AIAI-31-001..006. | Advisory AI Guild, QA Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) |
 > 2025-11-03: WebService/Worker scaffolds created with in-memory cache/queue, minimal APIs (`/api/v1/advisory/plan`, `/api/v1/advisory/queue`), metrics counters, and plan cache instrumentation; worker processes queue using orchestrator.
 > 2025-11-16: SBOM-AIAI-31-003 marked BLOCKED pending SBOM-AIAI-31-001 projection kit + smoke plan.
 > 2025-11-16: AIAI-31-008 marked BLOCKED pending DEVOPS-AIAI-31-001 runbook for on-prem/remote packaging.
 > 2025-11-04: SBOM base address now flows via `SbomContextClientOptions.BaseAddress`, worker emits queue/plan metrics, and orchestrator cache keys expanded to cover SBOM hash inputs.
 DOCS-AIAI-31-004 | BLOCKED (2025-11-16) | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. Dependencies: CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001 (not yet delivered). | Docs Guild, Console Guild (docs)
 > 2025-11-07: Draft doc committed (`docs/advisory-ai/console.md`) with workflow outline; screenshots will be added once CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 ship.
 > 2025-11-16: DOCS-AIAI-31-004 marked BLOCKED; console widgets and Excititor feed endpoints still pending, cannot capture final screenshots/flows.
 > 2025-11-08: Console endpoints are staffed (CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 DOING); still waiting on EXCITITOR-CONSOLE-23-001 feeds before capturing screenshots/tests.
 > 2025-11-09: Guardrail/inference sections and offline playbooks documented; screenshot placeholders remain open.
 DOCS-AIAI-31-005 | BLOCKED (2025-11-03) | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. Dependencies: CLI-VULN-29-001, CLI-VEX-30-001, AIAI-31-004C. | Docs Guild, DevEx/CLI Guild (docs)
 > 2025-11-03: DOCS-AIAI-31-003 moved to DOING – drafting Advisory AI API reference (endpoints, rate limits, error model) for sprint 110.
 > 2025-11-04: AIAI-31-005 DONE – guardrail pipeline redacts secrets, enforces citation/injection policies, emits block counters, and tests (`AdvisoryGuardrailPipelineTests`) cover redaction + citation validation.
 > 2025-11-03: DOCS-AIAI-31-003 marked DONE – `docs/advisory-ai/api.md` published with scopes, request/response schemas, rate limits, and error catalogue (Docs Guild).
 > 2025-11-03: DOCS-AIAI-31-001 marked DONE – `docs/advisory-ai/overview.md` published with value, personas, guardrails, observability, and roadmap checklists (Docs Guild).
 > 2025-11-03: DOCS-AIAI-31-002 marked DONE – `docs/advisory-ai/architecture.md` published describing pipeline, deterministic tooling, caching, and profile governance (Docs Guild).
 > 2025-11-03: DOCS-AIAI-31-004 marked BLOCKED – Console widgets/endpoints (CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001) still pending; cannot document UI flows yet.
 > 2025-11-03: DOCS-AIAI-31-005 marked BLOCKED – CLI implementation (`stella advise run`, CLI-VULN-29-001, CLI-VEX-30-001) plus AIAI-31-004C not shipped; doc blocked until commands exist.
 > 2025-11-03: DOCS-AIAI-31-006 initially blocked (POLICY-ENGINE-31-001 pending); resolved 2025-11-13 once the guardrail/inference bindings shipped and the parameter doc landed.
 > 2025-11-07: DOCS-AIAI-31-007 marked DONE – `/docs/security/assistant-guardrails.md` now documents redaction rules, blocked phrases, telemetry, and alert procedures.
 > 2025-11-03: DOCS-AIAI-31-008 marked BLOCKED – Waiting on SBOM heuristics delivery (SBOM-AIAI-31-001).
 > 2025-11-03: DOCS-AIAI-31-009 marked BLOCKED – DevOps runbook inputs (DEVOPS-AIAI-31-001) outstanding.
 > 2025-11-03: Shipped `/api/v1/advisory/{task}` execution and `/api/v1/advisory/outputs/{cacheKey}` retrieval endpoints with guardrail integration, provenance hashes, and metrics (RBAC & rate limiting still pending Authority scope delivery).
 > 2025-11-06: AIAI-31-007 completed – Advisory AI WebService/Worker emit latency histograms, guardrail/validation counters, citation coverage ratios, and OTEL spans; Grafana dashboard + burn-rate alerts refreshed.
 > 2025-11-09: Guardrail harness converted to JSON fixtures + legacy payloads, property-style plan cache load tests added, and file-system cache/output suites cover seeded/offline scenarios.
 > 2025-11-12: Guardrail/perf suite now enforces sub-400 ms budgets and binds `AdvisoryAI:Guardrails` configuration (prompt length, citation toggle, blocked phrase files) so Console surfaces can reflect ops-tuned budgets.
 > 2025-11-02: AIAI-31-004 kicked off orchestration pipeline design – establishing deterministic task sequence (summary/conflict/remediation) and cache key strategy.
 > 2025-11-02: AIAI-31-004 orchestration prerequisites documented in docs/modules/advisory-ai/orchestration-pipeline.md (tasks 004A/004B/004C).
 > 2025-11-02: AIAI-31-003 moved to DOING – beginning deterministic tooling (comparators, dependency analysis) while awaiting SBOM context client. Semantic & EVR comparators shipped; toolset interface published for orchestrator adoption.
 > 2025-11-04: AIAI-31-004 DONE – orchestrator composes evidence (structured/vector/SBOM) with stable cache keys, metadata, and hashing; tests keep determinism enforced.
 > 2025-11-02: Structured + vector retrievers landed with deterministic CSAF/OSV/Markdown chunkers, deterministic hash embeddings, and unit coverage for sample advisories.
 > 2025-11-02: SBOM context request/result models finalized; retriever tests now validate environment-flag toggles and dependency-path dedupe. SBOM guild to wire real context service client.
 > 2025-11-04: AIAI-31-002 completed – `AddSbomContext` typed client registered in WebService/Worker, BaseAddress/tenant headers sourced from configuration, and retriever HTTP-mapping tests extended.
 > 2025-11-04: AIAI-31-003 completed – deterministic toolset integrated with orchestrator cache, property/range tests broadened, and dependency analysis outputs now hashed for replay.
 > 2025-11-04: AIAI-31-004A ongoing – WebService/Worker queue wiring emits initial metrics, SBOM context hashing feeds cache keys, and replay docs updated ahead of guardrail implementation.
 ## Blockers & dependencies (2025-11-13)
 | Blocked item | Dependency | Owner(s) | Notes |
 | --- | --- | --- | --- |
 | DOCS-AIAI-31-004 (`/docs/advisory-ai/console.md`) | CONSOLE-VULN-29-001 · CONSOLE-VEX-30-001 · EXCITITOR-CONSOLE-23-001 | Docs Guild · Console Guild | Screenshots + a11y copy cannot be captured until Console widgets + Excititor feeds ship. |
 | DOCS-AIAI-31-005 (`/docs/advisory-ai/cli.md`) | CLI-VULN-29-001 · CLI-VEX-30-001 · AIAI-31-004C | Docs Guild · CLI Guild | CLI verbs + outputs not available; doc work paused. |
 | DOCS-AIAI-31-008 (`/docs/sbom/remediation-heuristics.md`) | SBOM-AIAI-31-001 | Docs Guild · SBOM Service Guild | Needs heuristics kit + API contract. |
 | DOCS-AIAI-31-009 (`/docs/runbooks/assistant-ops.md`) | DEVOPS-AIAI-31-001 | Docs Guild · DevOps Guild | Runbook automation steps pending DevOps guidance. |
 | SBOM-AIAI-31-003 (`/v1/sbom/context` hand-off kit) | SBOM-AIAI-31-001 | SBOM Service Guild · Advisory AI Guild | Requires base `/v1/sbom/context` projection + smoke test plan. |
 | AIAI-31-008 (on-prem/remote inference packaging) | AIAI-31-006..007 (guardrail knobs, security guidance) | Advisory AI Guild · DevOps Guild | Needs finalized guardrail knob doc (done) plus DevOps runbooks before shipping containers/manifests. |
 ## Next actions (target: 2025-11-15)
 | Owner(s) | Action | Status |
 | --- | --- | --- |
 | Docs Guild · Console Guild | Capture screenshot checklist + copy snippets for DOCS-AIAI-31-004 once Console widgets land; pre-draft alt text now. | Pending widgets |
 | SBOM Service Guild | Publish SBOM-AIAI-31-001 projection doc + ETA for hand-off kit; unblock SBOM-AIAI-31-003 and remediation heuristics doc. | Pending |
 | CLI Guild | Share outline of `stella advise` verbs (CLI-VULN/CLI-VEX) so docs can prep structure before GA. | Pending |
 | DevOps Guild | Provide first draft of DEVOPS-AIAI-31-001 runbook so DOCS-AIAI-31-009 can start. | Pending |
 | Advisory AI Guild | Scope packaging work for AIAI-31-008 (container manifests, Helm/Compose) now that guardrail knobs doc (DOCS-AIAI-31-006) is live. | In planning |
 ## Dependency watchlist
 | Dependency | Latest update | Impact |
 | --- | --- | --- |
 | CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 | DOING as of 2025-11-08; telemetry not yet exposed to docs. | Blocks DOCS-AIAI-31-004 screenshots + instructions. |
 | EXCITITOR-CONSOLE-23-001 | Not started (per Console backlog). | Required for console doc data feed references. |
 | SBOM-AIAI-31-001 | ETA requested during Sprint 110 follow-up (2025-11-14). | Gate for SBOM-AIAI-31-003 & DOCS-AIAI-31-008. |
 | DEVOPS-AIAI-31-001 | Awaiting runbook draft. | Gate for DOCS-AIAI-31-009 + AIAI-31-008 packaging guidance. |
 ## Standup prompts
 1. Are Console owners on track to deliver widget screenshots/data before 2025-11-15 so DOCS-AIAI-31-004 can close?
 2. Has SBOM-AIAI-31-001 published a projection kit and smoke-test plan to unlock SBOM-AIAI-31-003/DOCS-AIAI-31-008?
 3. When will CLI-VULN-29-001 / CLI-VEX-30-001 expose a beta so DOCS-AIAI-31-005 can resume?
 4. Does DevOps have a draft for DEVOPS-AIAI-31-001 (needed for DOCS-AIAI-31-009) and the packaging work in AIAI-31-008?
 ## Risks (snapshot 2025-11-13)
 | Risk | Impact | Mitigation / owner |
 | --- | --- | --- |
 | Console dependencies miss 2025-11-15 | DOCS-AIAI-31-004 misses sprint goal, delaying Advisory AI UI documentation. | Escalate via Console stand-up; consider temporary mock screenshots if needed. |
 | SBOM-AIAI-31-001 slips again | SBOM hand-off kit + remediation heuristics doc stay blocked, delaying customer enablement. | SBOM Guild to commit date during Sprint 110 follow-up; escalate if no date. |
 | CLI backlog deprioritized | DOCS-AIAI-31-005 + CLI enablement slide. | Request interim CLI output samples; coordinate with CLI guild for priority. |
 | DevOps runbook not ready | DOCS-AIAI-31-009 + packaging work (AIAI-31-008) suspended. | DevOps to share outline even if final automation pending; iterate doc in parallel. |
--- a/docs/implplan/SPRINT_120_excititor_ii.md
+++ b/docs/implplan/SPRINT_120_excititor_ii.md
@@ -1,25 +1,5 @@
-# Sprint 120 - Ingestion & Evidence · 110.C) Excititor.II
+# Legacy Sprint Filename (redirect)
-Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
+The Excititor Ingestion & Evidence phase II sprint was normalized on 2025-11-16 and now lives at `docs/implplan/SPRINT_0119_0001_0002_excititor_ii.md`.
-[Ingestion & Evidence] 110.C) Excititor.II
+This legacy file remains only as a pointer for bookmarks. All updates, task status changes, execution logs, and decisions must be recorded in the normalized sprint file.
 Depends on: Sprint 110.C - Excititor.I
 Summary: Ingestion & Evidence focus on Excititor (phase II).
 > **Prep:** Read `docs/modules/excititor/architecture.md` and the relevant Excititor `AGENTS.md` files within the component directories before touching the tasks below.
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 EXCITITOR-CONN-SUSE-01-003 – Trust metadata provenance | Team Excititor Connectors – SUSE | DONE (2025-11-09) – Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub)
 EXCITITOR-CONN-UBUNTU-01-003 – Trust provenance enrichment | Team Excititor Connectors – Ubuntu | DONE (2025-11-09) – Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF)
 EXCITITOR-CONSOLE-23-001 `VEX aggregation views` | TODO | Expose `/console/vex` endpoints returning grouped VEX statements per advisory/component with status chips, justification metadata, precedence trace pointers, and tenant-scoped filters for Console explorer. Dependencies: EXCITITOR-LNM-21-201, EXCITITOR-LNM-21-202. | Excititor WebService Guild, BE-Base Platform Guild (src/Excititor/StellaOps.Excititor.WebService)
 EXCITITOR-CONSOLE-23-002 `Dashboard VEX deltas` | TODO | Provide aggregated counts for VEX overrides (new, not_affected, revoked) powering Console dashboard + live status ticker; emit metrics for policy explain integration. Dependencies: EXCITITOR-CONSOLE-23-001, EXCITITOR-LNM-21-203. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
 EXCITITOR-CONSOLE-23-003 `VEX search helpers` | TODO | Deliver rapid lookup endpoints of VEX by advisory/component for Console global search; ensure response includes provenance and precedence context; include caching and RBAC. Dependencies: EXCITITOR-CONSOLE-23-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
 EXCITITOR-CORE-AOC-19-002 `VEX linkset extraction` | TODO | Implement deterministic extraction of advisory IDs, component PURLs, and references into `linkset`, capturing reconciled-from metadata for traceability. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
 EXCITITOR-CORE-AOC-19-003 `Idempotent VEX raw upsert` | TODO | Enforce `(vendor, upstreamId, contentHash, tenant)` uniqueness, generate supersedes chains, and ensure append-only versioning of raw VEX documents. Dependencies: EXCITITOR-CORE-AOC-19-002. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
 EXCITITOR-CORE-AOC-19-004 `Remove ingestion consensus` | TODO | Excise consensus/merge/severity logic from Excititor ingestion paths, updating exports/tests to rely on Policy Engine materializations instead. Dependencies: EXCITITOR-CORE-AOC-19-003. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
 EXCITITOR-CORE-AOC-19-013 `Authority tenant scope smoke coverage` | TODO | Update Excititor smoke/e2e suites to seed tenant-aware Authority clients and ensure cross-tenant VEX ingestion is rejected. Dependencies: EXCITITOR-CORE-AOC-19-004. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
 EXCITITOR-GRAPH-21-001 `Inspector linkouts` | BLOCKED (2025-10-27) | Provide batched VEX/advisory reference fetches keyed by graph node PURLs so UI inspector can display raw documents and justification metadata. | Excititor Core Guild, Cartographer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
 EXCITITOR-GRAPH-21-002 `Overlay enrichment` | BLOCKED (2025-10-27) | Ensure overlay metadata includes VEX justification summaries and document versions for Cartographer overlays; update fixtures/tests. Dependencies: EXCITITOR-GRAPH-21-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
 EXCITITOR-GRAPH-21-005 `Inspector indexes` | BLOCKED (2025-10-27) | Add indexes/materialized views for VEX lookups by PURL/policy to support Cartographer inspector performance; document migrations. Dependencies: EXCITITOR-GRAPH-21-002. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo)
 EXCITITOR-GRAPH-24-101 `VEX summary API` | TODO | Provide endpoints delivering VEX status summaries per component/asset for Vuln Explorer integration. Dependencies: EXCITITOR-GRAPH-21-005. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
 EXCITITOR-GRAPH-24-102 `Evidence batch API` | TODO | Add batch VEX observation retrieval optimized for Graph overlays/tooltips. Dependencies: EXCITITOR-GRAPH-24-101. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
 EXCITITOR-LNM-21-001 `VEX observation model` | IN REVIEW (2025-11-14) | Schema defined in `docs/modules/excititor/vex_observations.md`, covering fields, indexes, determinism rules, and AOC metadata. `DOCS-LNM-22-002` can now consume this contract. | Excititor Core Guild (docs/modules/excititor/vex_observations.md)
--- a/docs/implplan/SPRINT_121_policy_reasoning.md
+++ b/docs/implplan/SPRINT_121_policy_reasoning.md
@@ -1,27 +0,0 @@
 # Sprint 121 - Policy & Reasoning
 _Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED._
 Focus areas below were split out of the previous combined sprint; execute sections in order unless noted.
 ## Findings.II
 Dependency: Sprint 120.B - Findings.I (must land before this track).
 Focus: Policy & Reasoning focus on Findings (phase II).
 | # | Task ID & handle | State | Key dependency / next step | Owners |
 | --- | --- | --- | --- | --- |
 | 1 | LEDGER-ATTEST-73-002 | TODO | Enable search/filter in findings projections by verification result and attestation status (Deps: LEDGER-ATTEST-73-001) | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger |
 | 2 | LEDGER-EXPORT-35-001 | TODO | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings aligned with export filters, including deterministic ordering and provenance metadata | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger |
 | 3 | LEDGER-OAS-61-001 | TODO | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples | Findings Ledger Guild, API Contracts Guild / src/Findings/StellaOps.Findings.Ledger |
 | 4 | LEDGER-OAS-61-002 | TODO | Implement `/.well-known/openapi` endpoint and ensure version metadata matches release (Deps: LEDGER-OAS-61-001) | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger |
 | 5 | LEDGER-OAS-62-001 | TODO | Provide SDK test cases for findings pagination, filtering, evidence links; ensure typed models expose provenance (Deps: LEDGER-OAS-61-002) | Findings Ledger Guild, SDK Generator Guild / src/Findings/StellaOps.Findings.Ledger |
 | 6 | LEDGER-OAS-63-001 | TODO | Support deprecation headers and Notifications for retiring finding endpoints (Deps: LEDGER-OAS-62-001) | Findings Ledger Guild, API Governance Guild / src/Findings/StellaOps.Findings.Ledger |
 | 7 | LEDGER-OBS-50-001 | TODO | Integrate telemetry core within ledger writer/projector services, emitting structured logs and trace spans for ledger append, projector replay, and query APIs with tenant context | Findings Ledger Guild, Observability Guild / src/Findings/StellaOps.Findings.Ledger |
 | 8 | LEDGER-OBS-51-001 | TODO | Publish metrics for ledger latency, projector lag, event throughput, and policy evaluation linkage. Define SLOs (ledger append P95 < 1s, replay lag < 30s) with burn-rate alerts and dashboards (Deps: LEDGER-OBS-50-001) | Findings Ledger Guild, DevOps Guild / src/Findings/StellaOps.Findings.Ledger |
 | 9 | LEDGER-OBS-52-001 | TODO | Emit timeline events for ledger writes and projector commits (`ledger.event.appended`, `ledger.projection.updated`) with trace ID, policy version, evidence bundle reference placeholders (Deps: LEDGER-OBS-51-001) | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger |
 | 10 | LEDGER-OBS-53-001 | TODO | Persist evidence bundle references (evaluation/job capsules) alongside ledger entries, exposing lookup API linking findings to evidence manifests and timeline (Deps: LEDGER-OBS-52-001) | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger |
 | 11 | LEDGER-OBS-54-001 | TODO | Verify attestation references for ledger-derived exports; expose `/ledger/attestations` endpoint returning DSSE verification state and chain-of-custody summary (Deps: LEDGER-OBS-53-001) | Findings Ledger Guild, Provenance Guild / src/Findings/StellaOps.Findings.Ledger |
 | 12 | LEDGER-OBS-55-001 | TODO | Enhance incident mode to record additional replay diagnostics (lag traces, conflict snapshots) and extend retention while active. Emit activation events to timeline + notifier (Deps: LEDGER-OBS-54-001) | Findings Ledger Guild, DevOps Guild / src/Findings/StellaOps.Findings.Ledger |
 | 13 | LEDGER-PACKS-42-001 | TODO | Provide snapshot/time-travel APIs and digestable exports for task pack simulation and CLI offline mode | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger |
 | 14 | LEDGER-RISK-66-001 | TODO | Add schema migrations for `risk_score`, `risk_severity`, `profile_version`, `explanation_id`, and supporting indexes | Findings Ledger Guild, Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger |
 | 15 | LEDGER-RISK-66-002 | TODO | Implement deterministic upsert of scoring results keyed by finding hash/profile version with history audit (Deps: LEDGER-RISK-66-001) | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger |
--- a/docs/implplan/SPRINT_125_mirror.md
+++ b/docs/implplan/SPRINT_125_mirror.md
@@ -1,61 +0,0 @@
 # Sprint 125 · Ingestion & Evidence · Mirror
 ## Topic & Scope
 - Build the deterministic mirror bundle assembler covering advisories, VEX, policy packs, and optional OCI artefacts.
 - Layer DSSE/TUF metadata, time anchors, and CLI automation so air-gapped sites receive verifiable bundles.
 - Wire Export Center and scheduling hooks so mirror creation can be orchestrated automatically.
 ## Dependencies & Concurrency
 - Upstream: Sprint 110.D must deliver the assembler foundation (`MIRROR-CRT-56-001`). Attestor v2 contracts from Sprint 100.A remain required.
 - Mirror sprints share the 120s decade with Policy & Reasoning work but remain independent; avoid adding dependencies on `SPRINT_125_policy_reasoning.md`.
 - Evidence Locker, Export Center, CLI, and AirGap Time guild commitments must be available as soon as assembler code exists.
 ## Documentation Prerequisites
 - `docs/modules/export-center/architecture.md`
 - `docs/modules/airgap/architecture.md`
 - `docs/modules/devops/architecture.md`
 - `docs/modules/policy/architecture.md` (for provenance expectations)
 ## Task Board
 | Task ID | Status | Owner(s) | Dependencies | Notes |
 | --- | --- | --- | --- | --- |
 | MIRROR-CRT-56-001 | TODO | Mirror Creator Guild | Staffing decision | Implement deterministic assembler with manifest + CAS layout. |
 | MIRROR-CRT-56-002 | TODO | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | Integrate DSSE signing + TUF metadata (`root`, `snapshot`, `timestamp`, `targets`). |
 | MIRROR-CRT-57-001 | TODO | Mirror Creator · DevOps Guild | MIRROR-CRT-56-001 | Add optional OCI archive generation with digest recording. |
 | MIRROR-CRT-57-002 | TODO | Mirror Creator · AirGap Time Guild | MIRROR-CRT-56-002; AIRGAP-TIME-57-001 | Embed signed time-anchor metadata. |
 | MIRROR-CRT-58-001 | TODO | Mirror Creator · CLI Guild | MIRROR-CRT-56-002; CLI-AIRGAP-56-001 | Deliver `stella mirror create|verify` verbs with delta + verification flows. |
 | MIRROR-CRT-58-002 | TODO | Mirror Creator · Exporter Guild | MIRROR-CRT-56-002; EXPORT-OBS-54-001 | Integrate Export Center scheduling + audit logs. |
 | EXPORT-OBS-51-001 / 54-001 | TODO | Exporter Guild | MIRROR-CRT-56-001 staffing | Align Export Center workers with assembler output. |
 | AIRGAP-TIME-57-001 | TODO | AirGap Time Guild | MIRROR-CRT-56-001; MIRROR-CRT-57-002 | Provide trusted time-anchor service & policy. |
 | CLI-AIRGAP-56-001 | TODO | CLI Guild | MIRROR-CRT-56-002; MIRROR-CRT-58-001 | Extend CLI offline kit tooling to consume mirror bundles. |
 | PROV-OBS-53-001 | TODO | Security Guild | MIRROR-CRT-56-001 | Define provenance observers + verification hooks. |
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-13 | Kickoff rescheduled to 15 Nov pending MIRROR-CRT-56-001 staffing; downstream guilds alerted to prepare resource plans. | Mirror Creator Guild |
 ## Decisions & Risks
 ### Decisions
 | Decision | Owner(s) | Due | Notes |
 | --- | --- | --- | --- |
 | Assign primary engineer for MIRROR-CRT-56-001 | Mirror Creator Guild · Exporter Guild | 2025-11-15 kickoff | Without an owner the assembler cannot start and all downstream tasks remain blocked. |
 | Confirm DSSE/TUF signing profile | Security Guild · Attestor Guild | 2025-11-18 | Needed before MIRROR-CRT-56-002 can merge. |
 | Lock time-anchor authority scope | AirGap Time Guild · Mirror Creator Guild | 2025-11-19 | Required for MIRROR-CRT-57-002 policy enforcement. |
 ### Risks
 | Risk | Impact | Mitigation |
 | --- | --- | --- |
 | Staffing gap for MIRROR-CRT-56-001 persists after kickoff | DSSE/TUF, OCI, CLI, Export tracks slip; Sprint 125 jams the Export Center roadmap. | Escalate to program leadership, reassign engineers from Export Center or Excititor queue. |
 | DSSE/TUF contract debates with Security guild | Signing + transparency integration slips, blocking CLI/Export release. | Align on profile ahead of development; capture ADR in `docs/airgap`. |
 | Time-anchor requirements undefined | Air-gapped bundles lose verifiable time guarantees. | Run focused session with AirGap Time Guild to lock policy + service interface. |
 ## Next Checkpoints
 | Date (UTC) | Session | Goal | Owner(s) |
 | --- | --- | --- | --- |
 | 2025-11-15 | Mirror evidence kickoff | Assign MIRROR-CRT-56-001 owner, outline scope, confirm downstream staffing. | Mirror Creator · Exporter · AirGap Time · Security guilds |
 | 2025-11-18 | DSSE/TUF design review | Freeze signing profile + manifest shape. | Mirror Creator · Security Guild |
 | 2025-11-19 | Time-anchor policy workshop | Approve requirements for AIRGAP-TIME-57-001. | AirGap Time Guild · Mirror Creator |
 ## Appendix
 - Previous detailed notes retained at `docs/implplan/archived/SPRINT_125_mirror_2025-11-13.md`.
--- a/docs/implplan/SPRINT_131_scanner_surface.md
+++ b/docs/implplan/SPRINT_131_scanner_surface.md
@@ -1,23 +0,0 @@
 # Sprint 131 - Scanner & Surface
 Implementation order remains sequential across Sprint 130–139. Complete each sprint in order before pulling tasks from the next file.
 ## 2. Scanner.II — Scanner & Surface focus on Scanner (phase II).
 Dependency: Sprint 130 - 1. Scanner.I — Scanner & Surface focus on Scanner (phase I).
 | Task ID | State | Summary | Owner / Source | Depends On |
 | --- | --- | --- | --- | --- |
 | `SCANNER-ANALYZERS-DENO-26-009` | TODO | Optional runtime evidence hooks (loader/require shim) capturing module loads + permissions during harnessed execution with path hashing. | Deno Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-008 |
 | `SCANNER-ANALYZERS-DENO-26-010` | TODO | Package analyzer plug-in, add CLI (`stella deno inspect`, `stella deno resolve`, `stella deno trace`) commands, update Offline Kit docs, ensure Worker integration. | Deno Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-009 |
 | `SCANNER-ANALYZERS-DENO-26-011` | TODO | Policy signal emitter: net/fs/env/ffi/process/crypto capabilities, remote origin list, npm usage, wasm modules, dynamic-import warnings. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-010 |
 | `SCANNER-ANALYZERS-JAVA-21-005` | TODO | Framework config extraction: Spring Boot imports, spring.factories, application properties/yaml, Jakarta web.xml & fragments, JAX-RS/JPA/CDI/JAXB configs, logging files, Graal native-image configs. | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java) | — |
 | `SCANNER-ANALYZERS-JAVA-21-006` | TODO | JNI/native hint scanner: detect native methods, System.load/Library literals, bundled native libs, Graal JNI configs; emit `jni-load` edges for native analyzer correlation. | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java) | SCANNER-ANALYZERS-JAVA-21-005 |
 | `SCANNER-ANALYZERS-JAVA-21-007` | TODO | Signature and manifest metadata collector: verify JAR signature structure, capture signers, manifest loader attributes (Main-Class, Agent-Class, Start-Class, Class-Path). | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java) | SCANNER-ANALYZERS-JAVA-21-006 |
 | `SCANNER-ANALYZERS-JAVA-21-008` | BLOCKED (2025-10-27) | Implement resolver + AOC writer: produce entrypoints (env profiles, warnings), components (jar_id + semantic ids), edges (jpms, cp, spi, reflect, jni) with reason codes/confidence. | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java) | SCANNER-ANALYZERS-JAVA-21-007 |
 | `SCANNER-ANALYZERS-JAVA-21-009` | TODO | Author comprehensive fixtures (modular app, boot fat jar, war, ear, MR-jar, jlink image, JNI, reflection heavy, signed jar, microprofile) with golden outputs and perf benchmarks. | Java Analyzer Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java) | SCANNER-ANALYZERS-JAVA-21-008 |
 | `SCANNER-ANALYZERS-JAVA-21-010` | TODO | Optional runtime ingestion: Java agent + JFR reader capturing class load, ServiceLoader, and System.load events with path scrubbing. Emit append-only runtime edges `runtime-class`/`runtime-spi`/`runtime-load`. | Java Analyzer Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java) | SCANNER-ANALYZERS-JAVA-21-009 |
 | `SCANNER-ANALYZERS-JAVA-21-011` | TODO | Package analyzer as restart-time plug-in (manifest/DI), update Offline Kit docs, add CLI/worker hooks for Java inspection commands. | Java Analyzer Guild, DevOps Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java) | SCANNER-ANALYZERS-JAVA-21-010 |
 | `SCANNER-ANALYZERS-LANG-11-001` | BLOCKED (2025-11-17) | Build entrypoint resolver that maps project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles (publish mode, host kind, probing paths). Output normalized `entrypoints[]` records with deterministic IDs. | StellaOps.Scanner EPDR Guild, Language Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet) | SCANNER-ANALYZERS-LANG-10-309R |
 ## Decisions & Risks
 - SCANNER-ANALYZERS-LANG-11-001 blocked (2025-11-17): local `dotnet test` hangs/returns empty output; requires clean runner/CI hang diagnostics to complete entrypoint resolver implementation and golden regeneration.
--- a/docs/implplan/SPRINT_138_scanner_ruby_parity.md
+++ b/docs/implplan/SPRINT_138_scanner_ruby_parity.md
@@ -1,45 +0,0 @@
 # Sprint 138 - Scanner & Surface
 **Phase focus:** Scanner.IX — Ruby analyzer parity & supporting readiness.
 - **Depends on:** Sprint 137 · Scanner.VIII (gap designs locked) and Sprint 135 · Scanner.VI (EntryTrace foundations).
 - **Feeds:** Sprint 139 and CLI releases once Ruby analyzer + policy/CLI/licensing tracks land.
 | Task ID | State | Summary | Owner / Source | Depends On |
 | --- | --- | --- | --- | --- |
 | `SCANNER-ENG-0008` | TODO | Maintain EntryTrace heuristic cadence per `docs/benchmarks/scanner/scanning-gaps-stella-misses-from-competitors.md`, including quarterly pattern reviews + explain-trace updates. | EntryTrace Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace) | — |
 | `SCANNER-ENG-0009` | DONE (2025-11-13) | Ruby analyzer parity shipped: runtime graph + capability signals, observation payload, Mongo-backed `ruby.packages` inventory, CLI/WebService surfaces, and plugin manifest bundles for Worker loadout. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | SCANNER-ANALYZERS-RUBY-28-001..012 |
 | `SCANNER-ENG-0010` | TODO | Ship the PHP analyzer pipeline (composer lock, autoload graph, capability signals) to close comparison gaps. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php) | SCANNER-ANALYZERS-PHP-27-001..012 |
 | `SCANNER-ENG-0011` | TODO | Scope the Deno runtime analyzer (lockfile resolver, import graphs) based on competitor techniques to extend beyond Sprint 130 coverage. | Language Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | — |
 | `SCANNER-ENG-0012` | TODO | Evaluate Dart analyzer requirements (pubspec parsing, AOT artifacts) and split implementation tasks. | Language Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart) | — |
 | `SCANNER-ENG-0013` | TODO | Plan Swift Package Manager coverage (Package.resolved, xcframeworks, runtime hints) with policy hooks. | Swift Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Swift) | — |
 | `SCANNER-ENG-0014` | TODO | Align Kubernetes/VM target coverage between Scanner and Zastava per comparison findings; publish joint roadmap. | Runtime Guild, Zastava Guild (docs/modules/scanner) | — |
 | `SCANNER-ENG-0015` | DONE (2025-11-13) | DSSE/Rekor operator playbook published (`docs/modules/scanner/operations/dsse-rekor-operator-guide.md`) with config/env tables, rollout phases, runbook snippets, offline verification steps, and SLA/alert guidance. | Export Center Guild, Scanner Guild (docs/modules/scanner) | — |
 | `SCANNER-ENG-0016` | DONE (2025-11-10) | RubyLockCollector and vendor ingestion finalized: Bundler config overrides honoured, workspace lockfiles merged, vendor bundles normalised, and deterministic fixtures added. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | SCANNER-ENG-0009 |
 | `SCANNER-ENG-0017` | DONE (2025-11-09) | Build the runtime require/autoload graph builder with tree-sitter Ruby per design §4.4 and integrate EntryTrace hints. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | SCANNER-ENG-0016 |
 | `SCANNER-ENG-0018` | DONE (2025-11-09) | Emit Ruby capability + framework surface signals as defined in design §4.5 with policy predicate hooks. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | SCANNER-ENG-0017 |
 | `SCANNER-ENG-0019` | DONE (2025-11-13) | Ruby CLI verbs now resolve inventories by scan ID, digest, or image reference; Scanner.WebService fallbacks + CLI client encoding ensure `--image` works for both digests and tagged references, and tests cover the new lookup flow. | Ruby Analyzer Guild, CLI Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby) | SCANNER-ENG-0016..0018 |
 | `SCANNER-LIC-0001` | DONE (2025-11-10) | Tree-sitter licensing captured, `NOTICE.md` updated, and Offline Kit now mirrors `third-party-licenses/` with ruby artifacts. | Scanner Guild, Legal Guild (docs/modules/scanner) | SCANNER-ENG-0016 |
 | `SCANNER-POLICY-0001` | DONE (2025-11-10) | Ruby predicates shipped: Policy Engine exposes `sbom.any_component` + `ruby.*`, tests updated, DSL/offline-kit docs refreshed. | Policy Guild, Ruby Analyzer Guild (docs/modules/scanner) | SCANNER-ENG-0018 |
 | `SCANNER-CLI-0001` | DONE (2025-11-10) | Coordinate CLI UX/help text for new Ruby verbs and update CLI docs/golden outputs. | CLI Guild, Ruby Analyzer Guild (src/Cli/StellaOps.Cli) | SCANNER-ENG-0019 |
 ### Updates — 2025-11-09
 - `SCANNER-CLI-0001`: Completed Spectre table wrapping fix for runtime/lockfile columns, expanded Ruby resolve JSON assertions, removed ad-hoc debug artifacts, and drafted CLI docs covering `stellaops-cli ruby inspect|resolve`. Pending: final verification + handoff once docs/tests merge.
 - `SCANNER-CLI-0001`: Wired `stellaops-cli ruby inspect|resolve` into `CommandFactory` so the verbs are available via `System.CommandLine` with the expected `--root`, `--image/--scan-id`, and `--format` options; `dotnet test ... --filter Ruby` passes.
 - `SCANNER-CLI-0001`: Added CLI unit tests (`CommandFactoryTests`, Ruby inspect JSON assertions) to guard the new verbs and runtime metadata output; `dotnet test src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj --filter "CommandFactoryTests|Ruby"` now covers the CLI surface.
 - `SCANNER-ENG-0016`: 2025-11-10 — Completed Ruby lock collector and vendor ingestion work: honour `.bundle/config` overrides, fold workspace lockfiles, emit bundler groups, add Ruby analyzer fixtures/goldens (including new git/path offline kit mirror), and `dotnet test ... --filter Ruby` passes.
 - `SCANNER-ENG-0009`: Emitted observation payload + `ruby-observation` component summarising packages, runtime edges, and capability flags for Policy/Surface exports; fixtures updated for determinism and Offline Kit now ships the observation JSON.
 - `SCANNER-ENG-0009`: 2025-11-12 — Added bundler-version metadata to observation payloads, introduced the `complex-app` fixture to cover vendor caches/BUNDLE_PATH overrides, and taught `stellaops-cli ruby inspect` to print the observation banner (bundler/runtime/capabilities) alongside JSON `observation` blocks.
 - `SCANNER-ENG-0009`: 2025-11-12 — Ruby package inventories now flow into `RubyPackageInventoryStore`; `SurfaceManifestStageExecutor` builds the package list, persists it via Mongo, and Scanner.WebService exposes the data through `GET /api/scans/{scanId}/ruby-packages` for CLI/Policy consumers.
 - `SCANNER-ENG-0009`: 2025-11-12 — Ruby package inventory API now returns a typed envelope (scanId/imageDigest/generatedAt + packages) backed by `ruby.packages`; Worker/WebService DI registers the real store when Mongo is enabled, CLI `ruby resolve` consumes the new payload/warns when inventories are still warming, and docs/OpenAPI references were refreshed.
 ### Updates — 2025-11-13
 - `SCANNER-ENG-0009`: Verified Worker DI registers `IRubyPackageInventoryStore` when Mongo is enabled and falls back to `NullRubyPackageInventoryStore` for in-memory/unit scenarios; confirmed Scanner.WebService endpoint + CLI client exercise the same store contract.
 - `SCANNER-ENG-0009`: Cross-checked docs/manifests so operators can trace the new `/api/scans/{scanId}/ruby-packages` endpoint from `docs/modules/scanner/architecture.md` and the CLI reference; plugin drop under `plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Ruby` now mirrors the analyzer assembly + manifest for Worker hot-load.
 - `SCANNER-ENG-0009`: Targeted tests cover analyzer fixtures, Worker persistence, and the WebService endpoint:  
  `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Ruby.Tests/StellaOps.Scanner.Analyzers.Lang.Ruby.Tests.csproj --nologo --verbosity minimal`  
  `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/StellaOps.Scanner.Worker.Tests.csproj --nologo --verbosity minimal`  
  `dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj --nologo --verbosity minimal --filter "FullyQualifiedName~RubyPackages"`
 - `SCANNER-ENG-0015`: DSSE & Rekor operator guide expanded with configuration/env var map, rollout runbook, verification snippets, and alert/SLO recommendations so Export Center + Ops can enable attestations deterministically.
 - `SCANNER-ENG-0019`: Scanner.WebService now maps digest/reference identifiers back to canonical scan IDs, CLI backend encodes path segments, and regression tests (`RubyPackagesEndpointsTests`, `StellaOps.Cli.Tests --filter Ruby`) cover the new resolution path so `stella ruby resolve --image` works for both digests and tagged references.
--- a/docs/implplan/SPRINT_141_graph.md
+++ b/docs/implplan/SPRINT_141_graph.md
@@ -1,13 +0,0 @@
 # Sprint 141 - Runtime & Signals · 140.A) Graph
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Runtime & Signals] 140.A) Graph
 Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner
 Summary: Runtime & Signals focus on Graph).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 GRAPH-INDEX-28-007 | TODO | Implement clustering/centrality background jobs (Louvain/degree/betweenness approximations) with configurable schedules and store cluster ids on nodes. Dependencies: GRAPH-INDEX-28-006. | Graph Indexer Guild, Observability Guild (src/Graph/StellaOps.Graph.Indexer)
 GRAPH-INDEX-28-008 | TODO | Provide incremental update + backfill pipeline with change streams, retry/backoff, idempotent operations, and backlog metrics. Dependencies: GRAPH-INDEX-28-007. | Graph Indexer Guild (src/Graph/StellaOps.Graph.Indexer)
 GRAPH-INDEX-28-009 | TODO | Add unit/property/integration tests, synthetic large graph fixtures, chaos testing (missing overlays, cycles), and determinism checks across runs. Dependencies: GRAPH-INDEX-28-008. | Graph Indexer Guild, QA Guild (src/Graph/StellaOps.Graph.Indexer)
 GRAPH-INDEX-28-010 | TODO | Package deployment artifacts (Helm/Compose), offline seed bundles, and configuration docs; integrate  Offline Kit. Dependencies: GRAPH-INDEX-28-009. | Graph Indexer Guild, DevOps Guild (src/Graph/StellaOps.Graph.Indexer)
--- a/docs/implplan/SPRINT_142_sbomservice.md
+++ b/docs/implplan/SPRINT_142_sbomservice.md
@@ -1,24 +0,0 @@
 # Sprint 142 - Runtime & Signals · 140.B) SbomService
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Runtime & Signals] 140.B) SbomService
 Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner
 Summary: Runtime & Signals focus on SBOM Service — projections, APIs, and orchestrator integration.
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 SBOM-AIAI-31-001 | TODO | Provide `GET /sbom/paths?purl=...` and version timeline endpoints optimized for Advisory AI (incl. env flags, blast radius metadata). | SBOM Service Guild (src/SbomService/StellaOps.SbomService)
 SBOM-AIAI-31-002 | TODO | Instrument metrics for path/timeline queries (latency, cache hit rate) and surface dashboards. Dependencies: SBOM-AIAI-31-001. | SBOM Service Guild, Observability Guild (src/SbomService/StellaOps.SbomService)
 SBOM-CONSOLE-23-001 | TODO | Provide Console-focused SBOM catalog API (`/console/sboms`) with filters (artifact, license, scope, asset tags), pagination cursors, evaluation metadata, and immutable JSON projections for raw view drawer. Document schema + determinism guarantees. | SBOM Service Guild, Cartographer Guild (src/SbomService/StellaOps.SbomService)
 SBOM-CONSOLE-23-002 | TODO | Deliver component lookup endpoints powering global search and Graph overlays (component neighborhoods, license overlays, policy deltas) with caching hints and tenant enforcement. Dependencies: SBOM-CONSOLE-23-001. | SBOM Service Guild (src/SbomService/StellaOps.SbomService)
 SBOM-ORCH-32-001 | TODO | Register SBOM ingest/index sources with orchestrator, embed worker SDK, and emit artifact hashes + job metadata. | SBOM Service Guild (src/SbomService/StellaOps.SbomService)
 SBOM-ORCH-33-001 | TODO | Report backpressure metrics, honor orchestrator pause/throttle signals, and classify error outputs for sbom jobs. Dependencies: SBOM-ORCH-32-001. | SBOM Service Guild (src/SbomService/StellaOps.SbomService)
 SBOM-ORCH-34-001 | TODO | Implement orchestrator backfill + watermark reconciliation for SBOM ingest/index, ensuring idempotent artifact reuse. Dependencies: SBOM-ORCH-33-001. | SBOM Service Guild (src/SbomService/StellaOps.SbomService)
 SBOM-SERVICE-21-001 | BLOCKED (2025-10-27) | Publish normalized SBOM projection schema (components, relationships, scopes, entrypoints) and implement read API with pagination + tenant enforcement.<br>2025-10-27: Awaiting projection schema from Concelier (`CONCELIER-GRAPH-21-001`) before finalizing API payloads and fixtures. | SBOM Service Guild, Cartographer Guild (src/SbomService/StellaOps.SbomService)
 SBOM-SERVICE-21-002 | BLOCKED (2025-10-27) | Emit change events (`sbom.version.created`) carrying digest/version metadata for Graph Indexer builds; add replay/backfill tooling. Dependencies: SBOM-SERVICE-21-001.<br>2025-10-27: Blocked until `SBOM-SERVICE-21-001` defines projection schema and endpoints. | SBOM Service Guild, Scheduler Guild (src/SbomService/StellaOps.SbomService)
 SBOM-SERVICE-21-003 | BLOCKED (2025-10-27) | Provide entrypoint/service node management API (list/update overrides) feeding Cartographer path relevance with deterministic defaults. Dependencies: SBOM-SERVICE-21-002.<br>2025-10-27: Depends on base projection schema (`SBOM-SERVICE-21-001`) which is blocked. | SBOM Service Guild (src/SbomService/StellaOps.SbomService)
 SBOM-SERVICE-21-004 | BLOCKED (2025-10-27) | Wire observability: metrics (`sbom_projection_seconds`, `sbom_projection_size`), traces, structured logs with tenant info; set alerts for backlog. Dependencies: SBOM-SERVICE-21-003.<br>2025-10-27: Projection pipeline not in place yet; will follow once `SBOM-SERVICE-21-001` unblocks. | SBOM Service Guild, Observability Guild (src/SbomService/StellaOps.SbomService)
 SBOM-SERVICE-23-001 | TODO | Extend projections to include asset metadata (criticality, owner, environment, exposure flags) required by policy rules; update schema docs. Dependencies: SBOM-SERVICE-21-004. | SBOM Service Guild, Policy Guild (src/SbomService/StellaOps.SbomService)
 SBOM-SERVICE-23-002 | TODO | Emit `sbom.asset.updated` events when metadata changes; ensure idempotent payloads and documentation. Dependencies: SBOM-SERVICE-23-001. | SBOM Service Guild, Platform Events Guild (src/SbomService/StellaOps.SbomService)
 SBOM-VULN-29-001 | TODO | Emit inventory evidence with `scope`, `runtime_flag`, dependency paths, and nearest safe version hints, streaming change events for resolver jobs. | SBOM Service Guild (src/SbomService/StellaOps.SbomService)
 SBOM-VULN-29-002 | TODO | Provide resolver feed (artifact, purl, version, paths) via queue/topic for Vuln Explorer candidate generation; ensure idempotent delivery. Dependencies: SBOM-VULN-29-001. | SBOM Service Guild, Findings Ledger Guild (src/SbomService/StellaOps.SbomService)
--- a/docs/implplan/SPRINT_143_signals.md
+++ b/docs/implplan/SPRINT_143_signals.md
@@ -1,24 +0,0 @@
 # Sprint 143 - Runtime & Signals · 140.C) Signals
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Runtime & Signals] 140.C) Signals
 Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner
 Summary: Runtime & Signals focus on Signals — reachability ingestion and scoring.
 Notes:
 - 2025-10-29: Skeleton live with scope policies, stub endpoints, and integration tests; sample configuration committed under `etc/signals.yaml.sample`.
 - 2025-10-29: JSON parsers for Java/Node.js/Python/Go implemented; artifacts stored on filesystem with SHA-256 and callgraphs upserted into Mongo.
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 SIGNALS-24-001 | DONE (2025-11-09) | Stand up Signals API skeleton with RBAC, sealed-mode config, DPoP/mTLS enforcement, and `/facts` scaffolding so downstream ingestion work can begin. Dependencies: AUTH-SIG-26-001. | Signals Guild, Authority Guild (src/Signals/StellaOps.Signals)
 > 2025-11-09: Signals host now registers sealed-mode evidence validation, exposes `/readyz`/`/status` indicators, enforces scope policies, and adds `/signals/facts/{subjectKey}` retrieval plus runtime-facts ingestion backing services.
 SIGNALS-24-002 | DOING (2025-11-07) | Implement callgraph ingestion/normalization (Java/Node/Python/Go) with CAS persistence and retrieval APIs to feed reachability scoring. Dependencies: SIGNALS-24-001. | Signals Guild (src/Signals/StellaOps.Signals)
 > 2025-11-09: Added `/signals/callgraphs/{id}` retrieval, sealed-mode gating, and CAS-backed artifact metadata responses; remaining work is CAS bucket promotion + signed graph manifests.
 SIGNALS-24-003 | DOING (2025-11-09) | Implement runtime facts ingestion endpoint and normalizer (process, sockets, container metadata) populating `context_facts` with AOC provenance.<br>2025-11-09: Initial JSON ingestion service + persistence landed; NDJSON/gzip + context enrichment remain TODO. | Signals Guild, Runtime Guild (src/Signals/StellaOps.Signals)
 > 2025-11-07: Waiting on SIGNALS-24-001 / SIGNALS-24-002 DOING work to land before flipping this to DOING.
 > 2025-11-07: Upstream SIGNALS-24-001 / SIGNALS-24-002 now DOING; this flips to DOING once host + callgraph ingestion merge.
 > 2025-11-08: Targeting 2025-11-09 merge for SIGNALS-24-001/002; schema + AOC contract drafted so SIGNALS-24-003 can move to DOING immediately after those PRs land (dependencies confirmed, none missing).
 > 2025-11-09: Added runtime facts ingestion service + endpoint, aggregated runtime hit storage, and unit tests; next steps are NDJSON/gzip ingestion and provenance metadata wiring.
 > 2025-11-09: Added `/signals/runtime-facts/ndjson` streaming endpoint (JSON/NDJSON + gzip) with sealed-mode gating; provenance/context enrichment + scoring linkage remain.
 SIGNALS-24-004 | BLOCKED (2025-10-27) | Deliver reachability scoring engine producing states/scores and writing to `reachability_facts`; expose configuration for weights. Dependencies: SIGNALS-24-003.<br>2025-10-27: Upstream ingestion pipelines (`SIGNALS-24-002/003`) blocked; scoring engine cannot proceed. | Signals Guild, Data Science (src/Signals/StellaOps.Signals)
 SIGNALS-24-005 | BLOCKED (2025-10-27) | Implement Redis caches (`reachability_cache:*`), invalidation on new facts, and publish `signals.fact.updated` events. Dependencies: SIGNALS-24-004.<br>2025-10-27: Awaiting scoring engine and ingestion layers before wiring cache/events. | Signals Guild, Platform Events Guild (src/Signals/StellaOps.Signals)
--- a/docs/implplan/SPRINT_153_orchestrator_iii.md
+++ b/docs/implplan/SPRINT_153_orchestrator_iii.md
@@ -1,24 +0,0 @@
 # Sprint 153 - Scheduling & Automation · 150.A) Orchestrator.III
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Scheduling & Automation] 150.A) Orchestrator.III
 Depends on: Sprint 150.A - Orchestrator.II
 Summary: Scheduling & Automation focus on Orchestrator (phase III).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 ORCH-SVC-38-101 | TODO | Standardize event envelope (policy/export/job lifecycle) with idempotency keys, ensure export/job failure events published to notifier bus with provenance metadata. Dependencies: ORCH-SVC-37-101. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator)
 ORCH-SVC-41-101 | TODO | Register `pack-run` job type, persist run metadata, integrate logs/artifacts collection, and expose API for Task Runner scheduling. Dependencies: ORCH-SVC-38-101. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator)
 ORCH-SVC-42-101 | TODO | Stream pack run logs via SSE/WS, add manifest endpoints, enforce quotas, and emit pack run events to Notifications Studio. Dependencies: ORCH-SVC-41-101. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator)
 > 2025-11-07: Still NOT STARTED—Authority pack RBAC (AUTH-PACKS-43-001) remains BLOCKED pending these approvals/log-stream APIs. Not missing; needs staffing.
 ORCH-TEN-48-001 | TODO | Include `tenant_id`/`project_id` in job specs, set DB session context before processing, enforce context on all queries, and reject jobs missing tenant metadata. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator)
 WORKER-GO-32-001 | TODO | Bootstrap Go SDK project with configuration binding, auth headers, job claim/acknowledge client, and smoke sample. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go)
 WORKER-GO-32-002 | TODO | Add heartbeat/progress helpers, structured logging hooks, Prometheus metrics, and jittered retry defaults. Dependencies: WORKER-GO-32-001. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go)
 WORKER-GO-33-001 | TODO | Implement artifact publish helpers (object storage client, checksum hashing, metadata payload) and idempotency guard. Dependencies: WORKER-GO-32-002. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go)
 WORKER-GO-33-002 | TODO | Provide error classification/retry helper, exponential backoff controls, and structured failure reporting to orchestrator. Dependencies: WORKER-GO-33-001. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go)
 WORKER-GO-34-001 | TODO | Add backfill range execution helpers, watermark handshake utilities, and artifact dedupe verification for backfills. Dependencies: WORKER-GO-33-002. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go)
 WORKER-PY-32-001 | TODO | Bootstrap asyncio-based Python SDK (config, auth headers, job claim/ack) plus sample worker script. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python)
 WORKER-PY-32-002 | TODO | Implement heartbeat/progress helpers with structured logging, metrics exporter, and cancellation-safe retries. Dependencies: WORKER-PY-32-001. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python)
 WORKER-PY-33-001 | TODO | Add artifact publish/idempotency helpers (object storage adapters, checksum hashing, metadata payload) for Python workers. Dependencies: WORKER-PY-32-002. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python)
 WORKER-PY-33-002 | TODO | Provide error classification/backoff helper mapping to orchestrator codes, including jittered retries and structured failure reports. Dependencies: WORKER-PY-33-001. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python)
 WORKER-PY-34-001 | TODO | Implement backfill range iteration, watermark handshake, and artifact dedupe verification utilities for Python workers. Dependencies: WORKER-PY-33-002. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python)
--- a/docs/implplan/SPRINT_155_scheduler_i.md
+++ b/docs/implplan/SPRINT_155_scheduler_i.md
@@ -1,25 +0,0 @@
 # Sprint 155 - Scheduling & Automation · 150.C) Scheduler.I
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Scheduling & Automation] 150.C) Scheduler.I
 Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph
 Summary: Scheduling & Automation focus on Scheduler (phase I).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 > 2025-11-05: Resumed instrumentation work to match `policy_simulation_latency_seconds` naming, add coverage for SSE latency recording, and validate webhook sample alignment before closing.
 > 2025-11-05: Ship telemetry updates + tests; local `dotnet test` blocked by pre-existing GraphJobs accessibility errors (`IGraphJobStore.UpdateAsync`).
 > 2025-11-06: Added tenant-aware tagging to `policy_simulation_queue_depth` gauge samples and extended metrics-provider unit coverage.
 SCHED-IMPACT-16-303 | TODO | Snapshot/compaction + invalidation for removed images; persistence to RocksDB/Redis per architecture. | Scheduler ImpactIndex Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex)
 SCHED-SURFACE-01 | TODO | Evaluate Surface.FS pointers when planning delta scans to avoid redundant work and prioritise drift-triggered assets. | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-VULN-29-001 | TODO | Expose resolver job APIs (`POST /vuln/resolver/jobs`, `GET /vuln/resolver/jobs/{id}`) to trigger candidate recomputation per artifact/policy change with RBAC and rate limits. | Scheduler WebService Guild, Findings Ledger Guild (src/Scheduler/StellaOps.Scheduler.WebService)
 SCHED-VULN-29-002 | TODO | Provide projector lag metrics endpoint and webhook notifications for backlog breaches consumed by DevOps dashboards. Dependencies: SCHED-VULN-29-001. | Scheduler WebService Guild, Observability Guild (src/Scheduler/StellaOps.Scheduler.WebService)
 SCHED-WEB-20-002 | BLOCKED (waiting on SCHED-WORKER-20-301) | Provide simulation trigger endpoint returning diff preview metadata and job state for UI/CLI consumption. | Scheduler WebService Guild (src/Scheduler/StellaOps.Scheduler.WebService)
 > 2025-11-07: Worker counterpart (SCHED-WORKER-20-301) now DOING; revisit once API scaffolding lands.
 > 2025-11-04: Graph job completions now persist to Mongo with optimistic guards, emit Redis/webhook notifications once per transition, and refresh result URI metadata idempotently (tests cover service + Mongo store paths).
 SCHED-WORKER-21-203 | TODO | Export metrics (`graph_build_seconds`, `graph_jobs_inflight`, `overlay_lag_seconds`) and structured logs with tenant/graph identifiers. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-WORKER-23-101 | TODO | Implement policy re-evaluation worker that shards assets, honours rate limits, and updates progress for Console after policy activation events. Dependencies: SCHED-WORKER-21-203. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-WORKER-23-102 | TODO | Add reconciliation job ensuring re-eval completion within SLA, emitting alerts on backlog and persisting status to `policy_runs`. Dependencies: SCHED-WORKER-23-101. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-WORKER-25-101 | TODO | Implement exception lifecycle worker handling auto-activation/expiry and publishing `exception.*` events with retries/backoff. Dependencies: SCHED-WORKER-23-102. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-WORKER-25-102 | TODO | Add expiring notification job generating digests, marking `expiring` state, updating metrics/alerts. Dependencies: SCHED-WORKER-25-101. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-WORKER-26-201 | TODO | Build reachability joiner worker that combines SBOM snapshots with signals, writes cached facts, and schedules updates on new events. Dependencies: SCHED-WORKER-25-102. | Scheduler Worker Guild, Signals Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
--- a/docs/implplan/SPRINT_156_scheduler_ii.md
+++ b/docs/implplan/SPRINT_156_scheduler_ii.md
@@ -1,18 +0,0 @@
 # Sprint 156 - Scheduling & Automation · 150.C) Scheduler.II
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Scheduling & Automation] 150.C) Scheduler.II
 Depends on: Sprint 150.C - Scheduler.I
 Summary: Scheduling & Automation focus on Scheduler (phase II).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 SCHED-WORKER-26-202 | TODO | Implement staleness monitor + notifier for outdated reachability facts, publishing warnings and updating dashboards. Dependencies: SCHED-WORKER-26-201. | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-WORKER-27-301 | TODO | Implement policy batch simulation worker: shard SBOM inventories, invoke Policy Engine, emit partial results, handle retries/backoff, and publish progress events. Dependencies: SCHED-WORKER-26-202. | Scheduler Worker Guild, Policy Registry Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-WORKER-27-302 | TODO | Build reducer job aggregating shard outputs into final manifests (counts, deltas, samples) and writing to object storage with checksums; emit completion events. Dependencies: SCHED-WORKER-27-301. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-WORKER-27-303 | TODO | Enforce tenant isolation, scope checks, and attestation integration for simulation jobs; secret scanning pipeline for uploaded policy sources. Dependencies: SCHED-WORKER-27-302. | Scheduler Worker Guild, Security Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-WORKER-29-001 | TODO | Implement resolver worker generating candidate findings from inventory + advisory evidence, respecting ecosystem version semantics and path scope; emit jobs for policy evaluation. Dependencies: SCHED-WORKER-27-303. | Scheduler Worker Guild, Findings Ledger Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-WORKER-29-002 | TODO | Build evaluation orchestration worker invoking Policy Engine batch eval, writing results to Findings Ledger projector queue, and handling retries/backoff. Dependencies: SCHED-WORKER-29-001. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-WORKER-29-003 | TODO | Add monitoring for resolver/evaluation backlog, SLA breaches, and export job queue; expose metrics/alerts feeding DevOps dashboards. Dependencies: SCHED-WORKER-29-002. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-WORKER-CONSOLE-23-201 | TODO | Stream run progress events (stage status, tuples processed, SLA hints) to Redis/NATS for Console SSE, with heartbeat, dedupe, and retention policy. Publish metrics + structured logs for queue lag. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
 SCHED-WORKER-CONSOLE-23-202 | TODO | Coordinate evidence bundle jobs (enqueue, track status, cleanup) and expose job manifests to Web gateway; ensure idempotent reruns and cancellation support. Dependencies: SCHED-WORKER-CONSOLE-23-201. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker)
--- a/docs/implplan/SPRINT_160_export_evidence.md
+++ b/docs/implplan/SPRINT_160_export_evidence.md
@@ -1,121 +0,0 @@
 # Sprint 160 - Export & Evidence
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 This file now only tracks the export & evidence status snapshot. Active backlog lives in Sprint 161+ files.
 # Wave coordination
 | Wave | Guild owners | Shared prerequisites | Status | Notes |
 | --- | --- | --- | --- | --- |
 | 160.A EvidenceLocker | Evidence Locker Guild · Security Guild · Docs Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | BLOCKED (2025-11-12) | Waiting for orchestrator capsule data and AdvisoryAI evidence bundles to stabilize before wiring ingestion APIs. |
 | 160.B ExportCenter | Exporter Service Guild · Mirror Creator Guild · DevOps Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | BLOCKED (2025-11-12) | Profiles can begin once EvidenceLocker contracts are published; keep DSSE/attestation specs ready. |
 | 160.C TimelineIndexer | Timeline Indexer Guild · Evidence Locker Guild · Security Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | BLOCKED (2025-11-12) | Postgres/RLS scaffolding drafted; hold for event schemas from orchestrator/notifications. |
 # Sprint 160 - Export & Evidence
 ## Detail trackers & next actions
 ### 160.A EvidenceLocker
 - Detail trackers: [SPRINT_161_evidencelocker.md](./SPRINT_161_evidencelocker.md) (wave entry) and [SPRINT_187_evidence_locker_cli_integration.md](./SPRINT_187_evidence_locker_cli_integration.md) for CLI/replay integration follow-ups.
 - Task radar (all TODO as of 2025-11-12):
  - `EVID-REPLAY-187-001` — add Evidence Locker replay bundle ingestion/retention APIs and document storage policy (`src/EvidenceLocker/StellaOps.EvidenceLocker`, `docs/modules/evidence-locker/architecture.md`).
  - `RUNBOOK-REPLAY-187-004` & `CLI-REPLAY-187-002` — CLI + ops readiness for replay bundles (`docs/runbooks/replay_ops.md`, CLI module).
  - `EVID-CRYPTO-90-001` — route hashing/signing/bundle encryption through `ICryptoProviderRegistry`/`ICryptoHash` per `docs/security/crypto-routing-audit-2025-11-07.md`.
 - Contracts: bundle packaging + DSSE layout documented in `docs/modules/evidence-locker/bundle-packaging.md` (`EVID-OBS-54-002`); portable/incident modes live under `docs/modules/evidence-locker/incident-mode.md`.
 - Gating dependencies: orchestrator capsule schema (`docs/events/orchestrator-scanner-events.md`), AdvisoryAI evidence bundle payload notes, and replay ledger requirements from `docs/replay/DETERMINISTIC_REPLAY.md`.
 - Ready-to-start checklist: finalize ingest schema deltas, stage Replay Ledger ops drills, and publish the API surface summary into `SPRINT_161_evidencelocker.md` before moving items to DOING.
 #### EvidenceLocker task snapshot (2025-11-12)
 | Task ID | Scope | State | Notes / Owners |
 | --- | --- | --- | --- |
 | EVID-REPLAY-187-001 | Replay bundle ingestion + retention APIs | TODO | Evidence Locker Guild · docs/modules/evidence-locker/architecture.md |
 | CLI-REPLAY-187-002 | CLI record/verify/replay UX | TODO | CLI Guild · `docs/modules/cli/architecture.md` |
 | RUNBOOK-REPLAY-187-004 | Replay ops runbook + drills | TODO | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` |
 | EVID-CRYPTO-90-001 | Sovereign crypto routing | TODO | Evidence Locker + Security Guilds · `ICryptoProviderRegistry` integration |
 ### 160.B ExportCenter
 - Detail trackers: [SPRINT_162_exportcenter_i.md](./SPRINT_162_exportcenter_i.md) (mirror/bootstrap/attestation jobs, `DVOFF-64-002`, `EXPORT-AIRGAP-56/57/58`, `EXPORT-ATTEST-74/75`, `EXPORT-OAS-61/62`) and [SPRINT_163_exportcenter_ii.md](./SPRINT_163_exportcenter_ii.md) (service automation, observability, notification hooks, crypto routing `EXPORT-CRYPTO-90-001`).
 - Task radar highlights:
  - Mirror & bootstrap: `EXPORT-AIRGAP-56-001/002/003/004/005` and `EXPORT-AIRGAP-57-001`, `EXPORT-AIRGAP-58-001` — build mirror bundles, bootstrap packs, portable evidence exports, and notifications.
  - Attestation bundles: `EXPORT-ATTEST-74-001/002` and `EXPORT-ATTEST-75-001/002` — job implementation, CI/offline integration, CLI verify/import, and documentation (`docs/modules/attestor/airgap.md`).
  - API/OAS: `EXPORT-OAS-61-001/002`, `EXPORT-OAS-62-001`, `EXPORT-OAS-63-001` — refreshed OpenAPI, discovery endpoint, SDK updates, deprecation headers.
  - Service/observability: `EXPORT-SVC-35-001…005`, `EXPORT-OBS-50/51/52`, plus `EXPORT-CRYPTO-90-001` ensuring crypto routing parity with Evidence Locker.
 - Dependencies: EvidenceLocker contracts + DSSE proofs define digests; orchestration relies on Orchestrator events + Scheduler readiness; crypto routing must stay aligned with `docs/security/crypto-routing-audit-2025-11-07.md`.
 - Ready-to-start checklist: confirm sealed bundle spec (from EvidenceLocker) is frozen, reconcile crypto provider matrix with RootPack deployments, and prep the DevPortal verification CLI scaffolding so `DVOFF-64-002` can move immediately.
 #### ExportCenter task snapshot (2025-11-12)
 | Task ID | Scope | State | Notes / Owners |
 | --- | --- | --- | --- |
 | DVOFF-64-002 | DevPortal bundle verification CLI | TODO | DevPortal Offline + AirGap Controller Guilds |
 | EXPORT-AIRGAP-56-001/002 | Mirror bundle + bootstrap pack profiles | TODO | Exporter + Mirror Creator + DevOps Guilds |
 | EXPORT-AIRGAP-57-001 | Portable evidence export mode | TODO | Exporter Service + Evidence Locker Guild |
 | EXPORT-ATTEST-74-001/002 | Attestation bundle job + CI integration | TODO | Attestation Bundle + Exporter Guilds |
 | EXPORT-ATTEST-75-001/002 | CLI verify/import + offline kit integration | TODO | Attestation Bundle + CLI + Exporter Guilds |
 | EXPORT-OAS-61/62/63 | OpenAPI refresh, discovery, SDK + deprecation headers | TODO | Exporter Service + API Governance + SDK Guilds |
 | EXPORT-CRYPTO-90-001 | Sovereign crypto routing | TODO | Exporter Service + Security Guilds |
 ### 160.C TimelineIndexer
 - Detail tracker: [SPRINT_165_timelineindexer.md](./SPRINT_165_timelineindexer.md) (TIMELINE-OBS-52-001…004 and TIMELINE-OBS-53-001 covering migrations, ingestion pipeline, APIs, RLS, and evidence linkage).
 - Task radar:
  - `TIMELINE-OBS-52-001` — bootstrap service + Postgres migrations with deterministic scripts and RLS scaffolding.
  - `TIMELINE-OBS-52-002` — event ingestion pipeline (NATS/Redis consumers, ordering, dedupe, trace correlation, metrics).
  - `TIMELINE-OBS-52-003` — REST/gRPC APIs with filtering/pagination + OpenAPI contracts.
  - `TIMELINE-OBS-52-004` — finalize RLS, scope checks, audit logging, legal hold enforcement tests.
  - `TIMELINE-OBS-53-001` — evidence linkage endpoint returning signed manifest references.
 - Dependencies: needs orchestrator/notifications event schemas plus EvidenceLocker digest references to land before Postgres migrations can be frozen; export bundle IDs must be stable to hydrate `/timeline/{id}/evidence`.
 - Ready-to-start checklist: secure the event schema package, stage Postgres migration plan (including RLS policies) for review, and align ingest ordering semantics with Scheduler/ExportCenter event cadence.
 #### TimelineIndexer task snapshot (2025-11-12)
 | Task ID | Scope | State | Notes / Owners |
 | --- | --- | --- | --- |
 | TIMELINE-OBS-52-001 | Service bootstrap + Postgres migrations/RLS | TODO | Timeline Indexer Guild |
 | TIMELINE-OBS-52-002 | Event ingestion pipeline + metrics | TODO | Timeline Indexer Guild |
 | TIMELINE-OBS-52-003 | REST/gRPC APIs + OpenAPI contracts | TODO | Timeline Indexer Guild |
 | TIMELINE-OBS-52-004 | RLS policies, audit logging, legal hold tests | TODO | Timeline Indexer + Security Guilds |
 | TIMELINE-OBS-53-001 | Evidence linkage endpoint | TODO | Timeline Indexer + Evidence Locker Guilds |
 ## Interlocks & readiness signals
 | Dependency | Owner / Source | Impacts | Status / Next signal |
 | --- | --- | --- | --- |
 | Orchestrator capsule & notifications schema (`docs/events/orchestrator-scanner-events.md`) | Orchestrator Service Guild · Notifications Guild (Sprint 150.A + 140 wave) | 160.A, 160.B, 160.C | Pending schema drop scheduled for 2025-11-15 sync; unblock EvidenceLocker ingestion, ExportCenter notifications, and TimelineIndexer ordering once envelopes freeze. |
 | AdvisoryAI evidence bundle schema & payload notes (Sprint 110.A) | AdvisoryAI Guild | 160.A, 160.B | Still stabilizing; EvidenceLocker cannot finalize DSSE manifests or digests until this contract lands. Follow up in AdvisoryAI stand-up on 2025-11-14. |
 | Replay ledger spec alignment (`docs/replay/DETERMINISTIC_REPLAY.md`, `/docs/runbooks/replay_ops.md`) | Replay Delivery Guild (Sprint 187) | 160.A | Replay ops runbook exists (2025-11-03); EvidenceLocker must incorporate retention API shape before DOING. Track in EVID-REPLAY-187-001. |
 | Crypto routing parity (`docs/security/crypto-routing-audit-2025-11-07.md`) | Security Guild + Export/Evidence teams (`EVID-CRYPTO-90-001`, `EXPORT-CRYPTO-90-001`) | 160.A, 160.B | Audit published 2025-11-07; both guilds must wire `ICryptoProviderRegistry` before enabling sovereign profiles. Target reenlist date: 2025-11-18 readiness review. |
 | DevPortal verification CLI scaffolding (`DVOFF-64-002`) | DevPortal Offline Guild (Sprint 162) | 160.B | CLI still TODO; keep `stella devportal verify bundle.tgz` prototype ready so that once bundle contracts are signed, DOING can start within same sprint. |
 | DevPortal verification CLI scaffolding (`DVOFF-64-002`) | DevPortal Offline Guild (Sprint 162) | 160.B | CLI still TODO; keep `stella devportal verify bundle.tgz` prototype ready so that once bundle contracts are signed, DOING can start within same sprint. |
 ## Upcoming checkpoints (UTC)
 | Date | Session / Owner | Target outcome | Fallback / Escalation |
 | --- | --- | --- | --- |
 | 2025-11-14 | AdvisoryAI stand-up (AdvisoryAI Guild) | Freeze evidence bundle schema + payload notes so EvidenceLocker can finalize DSSE manifests (blocked). | If schema slips, log BLOCKED status in Sprint 110 tracker and re-evaluate at 2025-11-18 review. |
 | 2025-11-15 | Orchestrator + Notifications schema handoff (Orchestrator Service + Notifications Guilds) | Publish capsule envelopes & notification contracts required by EvidenceLocker ingest, ExportCenter notifications, TimelineIndexer ordering (blocked). | If envelopes not ready, escalate to Wave 150/140 leads and leave blockers noted here; defer DOING flips. |
 | 2025-11-18 | Sovereign crypto readiness review (Security Guild + Evidence/Export teams) | Validate `ICryptoProviderRegistry` wiring plan for `EVID-CRYPTO-90-001` & `EXPORT-CRYPTO-90-001`; green-light sovereign modes (blocked). | If gating issues remain, file action items in Security board and hold related sprint tasks in TODO. |
 | 2025-11-19 | DevPortal Offline CLI dry run (DevPortal Offline + AirGap Controller Guilds) | Demo `stella devportal verify bundle.tgz` using sample manifest to prove readiness once EvidenceLocker spec lands (blocked awaiting schema). | If CLI not ready, update DVOFF-64-002 description with new ETA and note risk in Sprint 162 doc. |
 ## Action tracker
 | Wave | Immediate action | Owner(s) | Due | Status |
 | --- | --- | --- | --- | --- |
 | 160.A EvidenceLocker | Draft ingest schema summary + Replay Ledger API notes into `SPRINT_161_evidencelocker.md` once orchestrator + AdvisoryAI schemas land. | Evidence Locker Guild · Replay Delivery Guild | 2025-11-16 | Pending (blocked on Nov-14/15 checkpoints) |
 | 160.A EvidenceLocker | Validate crypto provider registry plan for `EVID-CRYPTO-90-001` ahead of the Nov-18 review. | Evidence Locker Guild · Security Guild | 2025-11-17 | Risk: awaiting Security design feedback |
 | 160.A EvidenceLocker | Prep CLI + ops teams for replay handoff (`RUNBOOK-REPLAY-187-004`, `CLI-REPLAY-187-002`) once Evidence Locker APIs are drafted. | CLI Guild · Ops Guild · Evidence Locker Guild | 2025-11-18 | Pending |
 | 160.B ExportCenter | Prepare DevPortal verification CLI prototype (`DVOFF-64-002`) covering manifest hash + DSSE verification flow. | DevPortal Offline Guild · AirGap Controller Guild | 2025-11-19 | In progress (design draft shared; waiting on bundle schema) |
 | 160.B ExportCenter | Align attestation bundle job + CLI verbs (`EXPORT-ATTEST-74/75`) with EvidenceLocker DSSE layout once published. | Exporter Service Guild · Attestation Bundle Guild · CLI Guild | 2025-11-20 | Pending |
 | 160.B ExportCenter | Stage crypto routing hooks in exporter service (`EXPORT-CRYPTO-90-001`) tied to the Nov-18 review. | Exporter Service Guild · Security Guild | 2025-11-18 | Pending |
 | 160.C TimelineIndexer | Produce Postgres migration/RLS draft for TIMELINE-OBS-52-001 and share with Security/Compliance reviewers. | Timeline Indexer Guild · Security Guild | 2025-11-18 | Pending |
 | 160.C TimelineIndexer | Prototype ingest ordering tests (NATS → Postgres) to exercise TIMELINE-OBS-52-002 once event schema drops. | Timeline Indexer Guild | 2025-11-19 | Pending |
 | 160.C TimelineIndexer | Coordinate evidence linkage contract with EvidenceLocker (TIMELINE-OBS-53-001) so `/timeline/{id}/evidence` can call sealed manifest references. | Timeline Indexer Guild · Evidence Locker Guild | 2025-11-20 | Pending |
 ## Risks & mitigations
 | Risk | Impacted wave(s) | Severity | Mitigation / Owner |
 | --- | --- | --- | --- |
 | AdvisoryAI schema slips past 2025-11-14, delaying DSSE manifest freeze. | 160.A, 160.B | High | AdvisoryAI Guild to provide interim sample payloads; EvidenceLocker to stub schema adapters so ExportCenter can begin validation with mock data. |
 | Orchestrator/Notifications schema handoff misses 2025-11-15 window. | 160.A, 160.B, 160.C | High | Escalate to Wave 150/140 leads, record BLOCKED status in both sprint docs, and schedule daily schema stand-ups until envelopes land. |
 | Sovereign crypto routing design not ready by 2025-11-18 review. | 160.A, 160.B | Medium | Security Guild to publish `ICryptoProviderRegistry` reference implementation; Evidence/Export guilds to nominate fallback providers per profile. |
 | DevPortal verification CLI lacks signed bundle fixtures for dry run. | 160.B | Medium | Exporter Guild to provide sample manifest + DSSE pair; DevPortal Offline Guild to script fake EvidenceLocker output for demo. |
 | TimelineIndexer Postgres/RLS plan not reviewed before coding. | 160.C | Medium | Timeline Indexer Guild to share migration plan with Security/Compliance for async review; unblock coding by securing written approval in sprint doc. |
 ## Status log
 - 2025-11-12 — Snapshot refreshed; all Export & Evidence waves remain BLOCKED pending orchestrator capsule data, AdvisoryAI bundle schemas, and EvidenceLocker contracts. Re-evaluate readiness after the orchestrator + notifications schema handoff (target sync: 2025-11-15).
 - 2025-11-12 (EOD) — Added checkpoint calendar, action tracker, and risk table to keep Wave 160 aligned on pre-work while dependencies stabilize; next update scheduled immediately after the AdvisoryAI + Orchestrator handoffs.
--- a/docs/implplan/SPRINT_161_evidencelocker.md
+++ b/docs/implplan/SPRINT_161_evidencelocker.md
@@ -1,33 +0,0 @@
 # Sprint 161 - Export & Evidence · 160.A) EvidenceLocker
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Export & Evidence] 160.A) EvidenceLocker
 Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator
 Summary: Export & Evidence focus on EvidenceLocker).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 ## Task board (snapshot: 2025-11-12)
 | Task ID | State | Description | Owners (Source) |
 | --- | --- | --- | --- |
 | EVID-OBS-54-002 | TODO | Finalize deterministic bundle packaging + DSSE layout per `docs/modules/evidence-locker/bundle-packaging.md`, ensuring parity with portable/incident modes. | Evidence Locker Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`) |
 | EVID-REPLAY-187-001 | TODO | Implement replay bundle ingestion + retention APIs and document storage policy updates referencing `docs/replay/DETERMINISTIC_REPLAY.md`. | Evidence Locker Guild · Replay Delivery Guild |
 | CLI-REPLAY-187-002 | TODO | Add `scan --record`, `verify`, `replay`, `diff` CLI verbs with offline bundle resolution; sync golden tests. | CLI Guild (`src/Cli/StellaOps.Cli`) |
 | RUNBOOK-REPLAY-187-004 | TODO | Publish `/docs/runbooks/replay_ops.md` coverage for retention enforcement, RootPack rotation, and verification drills. | Docs Guild · Ops Guild |
 | EVID-CRYPTO-90-001 | TODO | Route hashing/signing/bundle encryption through `ICryptoProviderRegistry`/`ICryptoHash` for sovereign crypto providers. | Evidence Locker Guild · Security Guild |
 ## Dependencies & readiness
 - Waiting on AdvisoryAI evidence bundle schema + payload notes (Sprint 110.A) to freeze DSSE manifest format.
 - Waiting on orchestrator + notifications capsule schema (Sprint 150.A / Sprint 140.A handoff) to finalize ingest API fields.
 - Replay Ledger alignment requires `docs/replay/DETERMINISTIC_REPLAY.md` sections 2, 8, and 9 to be reflected in Evidence Locker + CLI before DOING.
 - Crypto routing must follow `docs/security/crypto-routing-audit-2025-11-07.md` and align with Export Center’s `EXPORT-CRYPTO-90-001` for consistency.
 ## Ready-to-start checklist
 1. Capture orchestrator capsule + AdvisoryAI schema diffs in this sprint doc (attach sample payloads).
 2. Draft Replay Ledger API summary + CLI command notes here so `EVID-REPLAY-187-001` can flip to DOING.
 3. Confirm `ICryptoProviderRegistry` design with Security Guild ahead of 2025-11-18 readiness review.
 4. Ensure docs/ops owners have outline for replay runbook before CLI/EvidenceLocker work begins.
--- a/docs/implplan/SPRINT_162_exportcenter_i.md
+++ b/docs/implplan/SPRINT_162_exportcenter_i.md
@@ -1,41 +0,0 @@
 # Sprint 162 - Export & Evidence · 160.B) ExportCenter.I
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Export & Evidence] 160.B) ExportCenter.I
 Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator
 Summary: Export & Evidence focus on ExportCenter (phase I).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 DVOFF-64-002 | TODO | Provide verification CLI (`stella devportal verify bundle.tgz`) ensuring integrity before import. Dependencies: DVOFF-64-001. | DevPortal Offline Guild, AirGap Controller Guild (src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline)
 EXPORT-AIRGAP-56-001 | TODO | Extend Export Center to build Mirror Bundles as export profiles, including advisories/VEX/policy packs manifesting DSSE/TUF metadata. | Exporter Service Guild, Mirror Creator Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-AIRGAP-56-002 | TODO | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gapped deployment. Dependencies: EXPORT-AIRGAP-56-001. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-AIRGAP-57-001 | TODO | Integrate portable evidence export mode producing sealed evidence bundles with DSSE signatures and chain-of-custody metadata. Dependencies: EXPORT-AIRGAP-56-002. | Exporter Service Guild, Evidence Locker Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-AIRGAP-58-001 | TODO | Emit notifications and timeline events when Mirror Bundles or Bootstrap packs are ready for transfer. Dependencies: EXPORT-AIRGAP-57-001. | Exporter Service Guild, Notifications Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-ATTEST-74-001 | TODO | Implement export job producing attestation bundles with manifest, checksums, DSSE signature, and optional transparency log segments. | Attestation Bundle Guild, Attestor Service Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles)
 EXPORT-ATTEST-74-001 | TODO | Implement attestation bundle export job via Export Center. Dependencies: EXPORT-ATTEST-74-001. | Exporter Service Guild, Attestation Bundle Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-ATTEST-74-002 | TODO | Integrate bundle job into CI/offline kit packaging with checksum publication. Dependencies: EXPORT-ATTEST-74-001. | Attestation Bundle Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles)
 EXPORT-ATTEST-75-001 | TODO | Provide CLI command `stella attest bundle verify/import` for air-gap usage. Dependencies: EXPORT-ATTEST-74-002. | Attestation Bundle Guild, CLI Attestor Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles)
 EXPORT-ATTEST-75-001 | TODO | Integrate attestation bundles into offline kit flows and CLI commands. Dependencies: EXPORT-ATTEST-75-001. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-ATTEST-75-002 | TODO | Document `/docs/modules/attestor/airgap.md` with bundle workflows and verification steps. Dependencies: EXPORT-ATTEST-75-001. | Attestation Bundle Guild, Docs Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles)
 EXPORT-OAS-61-001 | TODO | Update Exporter OAS covering profiles, runs, downloads, devportal exports with standard error envelope and examples. | Exporter Service Guild, API Contracts Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-OAS-61-002 | TODO | Provide `/.well-known/openapi` discovery endpoint with version metadata and ETag. Dependencies: EXPORT-OAS-61-001. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-OAS-62-001 | TODO | Ensure SDKs include export profile/run clients with streaming download helpers; add smoke tests. Dependencies: EXPORT-OAS-61-002. | Exporter Service Guild, SDK Generator Guild (src/ExportCenter/StellaOps.ExportCenter)
 ## Task snapshot (2025-11-12)
 - Mirror/bootstrap profiles: `EXPORT-AIRGAP-56-001/002`, `EXPORT-AIRGAP-57-001`, `EXPORT-AIRGAP-58-001` (bundle builds, bootstrap packs, notification fan-out).
 - Attestation bundles: `EXPORT-ATTEST-74-001/002`, `EXPORT-ATTEST-75-001/002` plus docs entry to wire CLI + offline kit workflows.
 - DevPortal verification: `DVOFF-64-002` (hash/signature verification CLI) aligns with EvidenceLocker sealed bundle contracts.
 - API/OAS + SDK: `EXPORT-OAS-61/62` ensures clients and discovery endpoints reflect export surfaces.
 ## Dependencies & blockers
 - Waiting on EvidenceLocker bundle contracts (Sprint 161) to freeze DSSE layouts for mirror/attestation/CLI tasks.
 - Orchestrator + Notifications schema (Sprint 150.A / 140) must be published to emit ready events (`EXPORT-AIRGAP-58-001`).
 - Sovereign crypto requirements tracked via `EXPORT-CRYPTO-90-001` (Sprint 163) and Security Guild audit (2025-11-07).
 - DevPortal CLI prototype requires sample manifests from Exporter + EvidenceLocker coordination to rehearse Nov-19 dry run.
 ## Ready-to-start checklist
 1. Import EvidenceLocker sample manifests once AdvisoryAI + orchestrator schemas freeze; attach to this doc.
 2. Align export profile configs with AirGap/DevOps to ensure OCI bootstrap pack dependencies are available offline.
 3. Prep `stella devportal verify bundle.tgz` demo script + fixtures ahead of Nov-19 dry run.
 4. Stage telemetry hooks for notification events to integrate with TimelineIndexer once events begin emitting.
--- a/docs/implplan/SPRINT_163_exportcenter_ii.md
+++ b/docs/implplan/SPRINT_163_exportcenter_ii.md
@@ -1,44 +0,0 @@
 # Sprint 163 - Export & Evidence · 160.B) ExportCenter.II
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Export & Evidence] 160.B) ExportCenter.II
 Depends on: Sprint 160.B - ExportCenter.I
 Summary: Export & Evidence focus on ExportCenter (phase II).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 EXPORT-OAS-63-001 | TODO | Implement deprecation headers and notifications for legacy export endpoints. Dependencies: EXPORT-OAS-62-001. | Exporter Service Guild, API Governance Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-OBS-50-001 | TODO | Adopt telemetry core in exporter service + workers, ensuring spans/logs capture profile id, tenant, artifact counts, distribution type, and trace IDs. | Exporter Service Guild, Observability Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-OBS-51-001 | TODO | Emit metrics for export planner latency, bundle build time, distribution success rate, bundle size, and define SLOs (bundle availability P95 <90s). Add Grafana dashboards + burn-rate alerts. Dependencies: EXPORT-OBS-50-001. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-OBS-52-001 | TODO | Publish timeline events for export lifecycle (`export.requested`, `export.built`, `export.distributed`, `export.failed`) embedding manifest hashes and evidence refs. Provide dedupe + retry logic. Dependencies: EXPORT-OBS-51-001. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-OBS-53-001 | TODO | Push export manifests + distribution transcripts to evidence locker bundles, ensuring Merkle root alignment and DSSE pre-sign data available. Dependencies: EXPORT-OBS-52-001. | Exporter Service Guild, Evidence Locker Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-OBS-54-001 | TODO | Produce DSSE attestations for each export artifact and distribution target, expose verification API `/exports/{id}/attestation`, and integrate with CLI verify path. Dependencies: EXPORT-OBS-53-001. | Exporter Service Guild, Provenance Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-OBS-54-002 | TODO | Add promotion attestation assembly to export runs (compute SBOM/VEX digests, embed Rekor proofs, bundle DSSE envelopes) and ensure Offline Kit packaging includes the resulting JSON + DSSE envelopes. Dependencies: EXPORT-OBS-54-001, PROV-OBS-53-003. | Exporter Service Guild, Provenance Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-OBS-55-001 | TODO | Add incident mode enhancements (extra tracing for slow exports, additional debug logs, retention bump). Emit incident activation events to timeline + notifier. Dependencies: EXPORT-OBS-54-001. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-RISK-69-001 | TODO | Add Export Center job handler `risk-bundle` with provider selection, manifest signing, and audit logging. | Exporter Service Guild, Risk Bundle Export Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-RISK-69-002 | TODO | Enable simulation report exports pulling scored data + explainability snapshots. Dependencies: EXPORT-RISK-69-001. | Exporter Service Guild, Risk Engine Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-RISK-70-001 | TODO | Integrate risk bundle builds into offline kit packaging with checksum verification. Dependencies: EXPORT-RISK-69-002. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-SVC-35-001 | BLOCKED (2025-10-29) | Bootstrap exporter service project, configuration, and Postgres migrations for `export_profiles`, `export_runs`, `export_inputs`, `export_distributions` with tenant scoping + tests. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-SVC-35-002 | TODO | Implement planner + scope resolver translating filters into ledger iterators and orchestrator job payloads; include deterministic sampling and validation. Dependencies: EXPORT-SVC-35-001. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-SVC-35-003 | TODO | Deliver JSON adapters (`json:raw`, `json:policy`) with canonical normalization, redaction allowlists, compression, and manifest counts. Dependencies: EXPORT-SVC-35-002. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-SVC-35-004 | TODO | Build mirror (full) adapter producing filesystem layout, indexes, manifests, and README with download-only distribution. Dependencies: EXPORT-SVC-35-003. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-SVC-35-005 | TODO | Implement manifest/provenance writer and KMS signing/attestation (detached + embedded) for bundle outputs. Dependencies: EXPORT-SVC-35-004. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter)
 EXPORT-CRYPTO-90-001 | TODO | Ensure manifest hashing, signing, and bundle encryption flows route through `ICryptoProviderRegistry`/`ICryptoHash` so RootPack deployments can select CryptoPro/PKCS#11 providers per `docs/security/crypto-routing-audit-2025-11-07.md`. | Exporter Service Guild, Security Guild (src/ExportCenter/StellaOps.ExportCenter)
 ## Task snapshot (2025-11-12)
 - Service core: `EXPORT-SVC-35-001…005` hardens planner, worker, adapters, and provenance writers for deterministic outputs.
 - Observability/audit: `EXPORT-OBS-50/51/52` ensure traces, metrics, and audit logs capture tenants, profiles, DSSE digests.
 - API lifecycle: `EXPORT-OAS-63-001` delivers deprecation headers + notifications for legacy endpoints.
 - Crypto parity: `EXPORT-CRYPTO-90-001` wires sovereign provider support matching EvidenceLocker design.
 ## Dependencies & blockers
 - Requires Sprint 162 (phase I) outputs and EvidenceLocker contracts to supply DSSE digests for observability tests.
 - Depends on Security Guild publishing the crypto routing reference ahead of the 2025-11-18 readiness review.
 - Needs orchestrator/notifications schema finalization to define audit trail payloads and event IDs.
 - Export planner/worker queue relies on Orchestrator/Scheduler telemetry readiness (Sprint 150), still in BLOCKED state.
 ## Ready-to-start checklist
 1. Mirror the EvidenceLocker DSSE manifest schema into exporter tests once AdvisoryAI + orchestrator schemas freeze.
 2. Define telemetry schema (traces/logs/metrics) per Observability guidelines and attach to this doc.
 3. Draft deprecation communication plan for legacy endpoints with API Governance before coding `EXPORT-OAS-63-001`.
 4. Stage crypto provider configuration (default, CryptoPro, PKCS#11) for fast integration after the Nov-18 review.
--- a/docs/implplan/SPRINT_171_notifier_i.md
+++ b/docs/implplan/SPRINT_171_notifier_i.md
@@ -25,8 +25,8 @@ NOTIFY-AIRGAP-56-002 | DONE | Provide Bootstrap Pack notifier configurations wit
 - **NOTIFY-ATTEST-74-001** – Template matrix (verification failure, expiring attestation, key revoke, witness anomaly) drafted; Section 7 added to `docs/notifications/templates.md` plus cross-references in `notifications/overview.md` and `notifications/rules.md` so rule authors and operators use the canonical `tmpl-attest-*` suite; baseline template exports now live under `offline/notifier/templates/attestation/*.template.json`; waiting on Attestor schema freeze (due 2025-11-13) before locking copy and localization tokens.
 - **NOTIFY-OAS-61-001** – OpenAPI document restructure underway; shared error envelope + examples added, but `quietHours` and `incident` sections still need review with API Contracts Guild.
- **NOTIFY-OBS-51-001/NOTIFY-OBS-55-001** – Remain TODO pending Telemetry SLO webhook schema + incident toggle contract; coordinate with TELEMETRY-OBS-50/55 tasks.
+- **NOTIFY-OBS-51-001/NOTIFY-OBS-55-001** – Telemetry SLO webhook schema frozen 2025-11-17; proceed with implementation; incident toggle contract to follow add-only evolution.
- **NOTIFY-RISK-66-001 → NOTIFY-RISK-68-001** – Blocked by Policy export (`POLICY-RISK-40-002`) to supply profile metadata; revisit once Policy sprint publishes the feed.
+- **NOTIFY-RISK-66-001 → NOTIFY-RISK-68-001** – Policy risk export v1 approved (read-only); proceed with notification wiring; history fields to arrive later additively.
 ## Milestones & dependencies
--- a/docs/implplan/SPRINT_201_cli_i.md
+++ b/docs/implplan/SPRINT_201_cli_i.md
@@ -21,4 +21,5 @@ CLI-ATTEST-73-002 | TODO | Implement `stella attest verify` with policy selectio
 CLI-ATTEST-74-001 | TODO | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. Dependencies: CLI-ATTEST-73-002. | CLI Attestor Guild (src/Cli/StellaOps.Cli)
 CLI-ATTEST-74-002 | TODO | Implement `stella attest fetch` to download envelopes and payloads to disk. Dependencies: CLI-ATTEST-74-001. | CLI Attestor Guild (src/Cli/StellaOps.Cli)
 CLI-ATTEST-75-001 | TODO | Implement `stella attest key create. Dependencies: CLI-ATTEST-74-002. | CLI Attestor Guild, KMS Guild (src/Cli/StellaOps.Cli)
-CLI-ATTEST-75-002 | TODO | Add support for building/verifying attestation bundles in CLI. Dependencies: CLI-ATTEST-75-001. | CLI Attestor Guild, Export Guild (src/Cli/StellaOps.Cli)
+CLI-ATTEST-75-002 | TODO | Add support for building/verifying attestation bundles in CLI. Dependencies: CLI-ATTEST-75-001. | CLI Attestor Guild, Export Guild (src/Cli/StellaOps.Cli)
 CLI-HK-201-002 | DOING | Add JSON status coverage for offline kit status handler when no bundle is imported. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
--- a/docs/implplan/SPRINT_316_docs_modules_cli.md
+++ b/docs/implplan/SPRINT_316_docs_modules_cli.md
@@ -1,12 +0,0 @@
 # Sprint 316 - Documentation & Process · 200.F) Docs Modules Cli
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Documentation & Process] 200.F) Docs Modules Cli
 Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
 Summary: Documentation & Process focus on Docs Modules Cli).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 CLI-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/cli)
 CLI-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/cli)
 CLI-OPS-0001 | TODO | Sync outcomes back to ../.. | Ops Guild (docs/modules/cli)
--- a/docs/implplan/SPRINT_321_docs_modules_graph.md
+++ b/docs/implplan/SPRINT_321_docs_modules_graph.md
@@ -1,15 +0,0 @@
 # Sprint 321 - Documentation & Process · 200.K) Docs Modules Graph
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Documentation & Process] 200.K) Docs Modules Graph
 Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
 Summary: Documentation & Process focus on Docs Modules Graph).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 GRAPH-DOCS-0001 | DONE (2025-11-05) | Validate that graph module README/diagrams reflect the latest overlay + snapshot updates. | Docs Guild (docs/modules/graph)
 GRAPH-OPS-0001 | TODO | Review graph observability dashboards/runbooks after the next sprint demo. | Ops Guild (docs/modules/graph)
 GRAPH-ENG-0001 | TODO | Keep module milestones in sync with `/docs/implplan/SPRINT_141_graph.md` and related files. | Module Team (docs/modules/graph)
 GRAPH-DOCS-0002 | TODO (2025-11-05) | Pending DOCS-GRAPH-24-003 to add API/query doc cross-links | Docs Guild (docs/modules/graph)
 GRAPH-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/graph)
 GRAPH-OPS-0001 | TODO | Sync outcomes back to ../.. | Ops Guild (docs/modules/graph)
--- a/docs/implplan/SPRINT_323_docs_modules_orchestrator.md
+++ b/docs/implplan/SPRINT_323_docs_modules_orchestrator.md
@@ -1,14 +0,0 @@
 # Sprint 323 - Documentation & Process · 200.M) Docs Modules Orchestrator
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Documentation & Process] 200.M) Docs Modules Orchestrator
 Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
 Summary: Documentation & Process focus on Docs Modules Orchestrator).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 SOURCE---JOB-ORCHESTRATOR-DOCS-0001 | TODO | Refresh orchestrator README + diagrams to reflect job leasing changes and reference the task runner bridge. | Docs Guild (docs/modules/orchestrator)
 ORCHESTRATOR-OPS-0001 | TODO | Review orchestrator runbooks/observability checklists post-demo. | Ops Guild (docs/modules/orchestrator)
 ORCHESTRATOR-ENG-0001 | TODO | Keep sprint milestone alignment notes synced with `/docs/implplan/SPRINT_151_orchestrator_i.md` onward. | Module Team (docs/modules/orchestrator)
 SOURCE---JOB-ORCHESTRATOR-ENG-0001 | TODO | Sync into ../.. | Module Team (docs/modules/orchestrator)
 SOURCE---JOB-ORCHESTRATOR-OPS-0001 | TODO | Document outputs in ./README.md | Ops Guild (docs/modules/orchestrator)
--- a/docs/implplan/SPRINT_328_docs_modules_scheduler.md
+++ b/docs/implplan/SPRINT_328_docs_modules_scheduler.md
@@ -1,12 +0,0 @@
 # Sprint 328 - Documentation & Process · 200.R) Docs Modules Scheduler
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
 [Documentation & Process] 200.R) Docs Modules Scheduler
 Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
 Summary: Documentation & Process focus on Docs Modules Scheduler).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
 SCHEDULER-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/scheduler)
 SCHEDULER-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/scheduler)
 SCHEDULER-OPS-0001 | TODO | Sync outcomes back to ../.. | Ops Guild (docs/modules/scheduler)
--- a/docs/implplan/SPRINT_513_provenance.md
+++ b/docs/implplan/SPRINT_513_provenance.md
@@ -7,8 +7,14 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
 Summary: Ops & Offline focus on Provenance).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
-PROV-OBS-53-001 | TODO | Implement DSSE/SLSA `BuildDefinition` + `BuildMetadata` models with canonical JSON serializer, Merkle digest helpers, and deterministic hashing tests. Publish sample statements for orchestrator/job/export subjects. | Provenance Guild (src/Provenance/StellaOps.Provenance.Attestation)
+PROV-OBS-53-001 | DONE (2025-11-17) | Implement DSSE/SLSA `BuildDefinition` + `BuildMetadata` models with canonical JSON serializer, Merkle digest helpers, and deterministic hashing tests. Publish sample statements for orchestrator/job/export subjects. | Provenance Guild (src/Provenance/StellaOps.Provenance.Attestation)
-PROV-OBS-53-002 | TODO | Build signer abstraction (cosign/KMS/offline) with key rotation hooks, audit logging, and policy enforcement (required claims). Provide unit tests using fake signer + real cosign fixture. Dependencies: PROV-OBS-53-001. | Provenance Guild, Security Guild (src/Provenance/StellaOps.Provenance.Attestation)
+PROV-OBS-53-002 | DOING | Build signer abstraction (cosign/KMS/offline) with key rotation hooks, audit logging, and policy enforcement (required claims). Provide unit tests using fake signer + real cosign fixture. Dependencies: PROV-OBS-53-001. | Provenance Guild, Security Guild (src/Provenance/StellaOps.Provenance.Attestation)
 PROV-OBS-53-003 | TODO | Deliver `PromotionAttestationBuilder` that materialises the `stella.ops/promotion@v1` predicate (image digest, SBOM/VEX materials, promotion metadata, Rekor proof) and feeds canonicalised payload bytes to Signer via StellaOps.Cryptography. | Provenance Guild (src/Provenance/StellaOps.Provenance.Attestation)
 PROV-OBS-54-001 | TODO | Deliver verification library that validates DSSE signatures, Merkle roots, and timeline chain-of-custody, exposing reusable CLI/service APIs. Include negative-case fixtures and offline timestamp verification. Dependencies: PROV-OBS-53-002. | Provenance Guild, Evidence Locker Guild (src/Provenance/StellaOps.Provenance.Attestation)
 PROV-OBS-54-002 | TODO | Generate .NET global tool for local verification + embed command helpers for CLI `stella forensic verify`. Provide deterministic packaging and offline kit instructions. Dependencies: PROV-OBS-54-001. | Provenance Guild, DevEx/CLI Guild (src/Provenance/StellaOps.Provenance.Attestation)
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-17 | Started PROV-OBS-53-002: added cosign/kms/offline signer abstractions, rotating key provider, audit hooks, and unit tests; full test run pending. | Provenance |
 | 2025-11-17 | PROV-OBS-53-001 delivered: canonical BuildDefinition/BuildMetadata hashes, Merkle helpers, deterministic tests, and sample DSSE statements for orchestrator/job/export subjects. | Provenance |
--- a/docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md
+++ b/docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md
@@ -210,8 +210,8 @@ Active items only. Completed/historic work now resides in docs/implplan/archived
 | Wave | Dependent sprint(s) | Impact if delayed |
 | --- | --- | --- |
-| 110.A AdvisoryAI | Advisory AI customer rollout (Docs, Console, CLI), `SPRINT_120_excititor_ii.md`, `SPRINT_140_runtime_signals.md` | SBOM/CLI/Policy/DevOps lag keeps Advisory AI docs + guardrails blocked and stalls downstream Scanner/Policy/Vuln Explorer adoption. |
+| 110.A AdvisoryAI | Advisory AI customer rollout (Docs, Console, CLI), `SPRINT_120_excititor_ii.md`, `SPRINT_0140_0001_0001_runtime_signals.md` | SBOM/CLI/Policy/DevOps lag keeps Advisory AI docs + guardrails blocked and stalls downstream Scanner/Policy/Vuln Explorer adoption. |
-| 110.B Concelier | `SPRINT_140_runtime_signals.md`, `SPRINT_185_shared_replay_primitives.md`, Concelier console/air-gap/attest waves | Link-Not-Merge schema + observation APIs gate Concelier graph, telemetry, and orchestrator waves; Console/advisor UIs stay blocked. |
+| 110.B Concelier | `SPRINT_0140_0001_0001_runtime_signals.md`, `SPRINT_185_shared_replay_primitives.md`, Concelier console/air-gap/attest waves | Link-Not-Merge schema + observation APIs gate Concelier graph, telemetry, and orchestrator waves; Console/advisor UIs stay blocked. |
 | 110.C Excititor | `SPRINT_120_excititor_ii.md` → `SPRINT_124_excititor_vi.md` | VEX chunk/attestation phases cannot progress until chunk/telemetry deliverables land, delaying Lens, Policy, and Advisory AI parity. |
 | 110.D Mirror | `SPRINT_125_mirror.md` | Export Center, CLI, and air-gap bundles rely on MIRROR-CRT-56-001; no downstream mirror automation can begin until the deterministic assembler is complete. |
--- a/docs/implplan/blocked-all.md
+++ b/docs/implplan/blocked-all.md
@@ -1,151 +0,0 @@
 # Blocked / dependency-linked tasks (as of 2025-11-17)
 ## Decisions to unblock (ordered by blast-radius reduction)
 1) **Ratify Link-Not-Merge schema** (Concelier + Cartographer) — unblocks Concelier GRAPH-21-001/002, CONCELIER-AIRGAP/CONSOLE/ATTEST, SBOM-SERVICE-21-001..004, SBOM-AIAI-31-002/003, Excititor AIAI chunk/attestation, Graph 140.A, Signals ingest overlays. Options: (A) Freeze current schema with examples and fixtures this week; (B) Publish interim “mock schema” + feature flag while full review completes; (C) Slip one sprint and re-baseline all dependents.
 2) **Publish Sprint 130 scanner surface artifacts + cache drop ETA** — unblocks GRAPH-INDEX-28-007..010 (Sprint 141), ZASTAVA-SURFACE-01/02 (Sprint 0144), runtime signals 140.D, build/test for Zastava Env/Secrets. Options: (A) Deliver real analyzer caches + hashes; (B) Ship deterministic mock bundle within 24h plus firm delivery date; (C) Declare slip and set new start dates in downstream sprints.
 3) **Staff MIRROR-CRT-56-001 assembler** — prerequisite for MIRROR-CRT-56/57/58, Exporter OBS-51/54, CLI-AIRGAP-56, PROV-OBS-53, ExportCenter timeline. Options: (A) Assign primary + backup engineer today and start thin bundle; (B) Re-scope to “minimal thin bundle” to unblock EvidenceLocker/ExportCenter first; (C) Escalate staffing if no owner by EOD.
 4) **Expose SBOM-AIAI-31-001 contract** — required for SBOM-AIAI-31-003, DOCS-AIAI-31-008/009, AIAI-31-008 packaging. Options: (A) Ship production  with auth header contract; (B) Provide sandbox/mock endpoint + recorded responses with “beta” label; (C) Slip and re-forecast dependent docs/devops tasks.
 5) **Ops span sink deployment for Excititor telemetry (31-003)** — gates observability export. Options: (A) Deploy span sink on 2025-11-18; (B) Approve temporary counters/logs-only path until sink is live.
 6) **Complete CAS checklist + signed manifest rollout (Signals)** — unblocks SIGNALS-24-002 → 24-004/005. Options: (A) Accept current manifest after spot-check; (B) Time-box remediation with risk waiver; (C) Keep RED/BLOCKED and re-plan delivery.
 7) **Orchestrator ledger export contract** — pre-req for LEDGER-34-101, EvidenceLocker/ExportCenter (160.A/B/C), TimelineIndexer. Options: (A) Ship minimal ledger payload (job_id, capsule_digest, tenant) now; (B) Wait for full capsule envelope from Orchestrator/Notifications and slip dependents; (C) Provide mock export + fixtures for Ledger tests meantime.
 8) **AdvisoryAI evidence bundle schema freeze (Nov 14 sync slip)** — needed by EvidenceLocker ingest and ExportCenter profiles. Options: (A) Freeze DSSE manifest + payload notes immediately; (B) Provide sample bundle + checksum for contract testing; (C) Move related tasks to BLOCKED-w/escalation with new date.
 9) **Policy risk export  availability** — blocks NOTIFY-RISK-66/67/68. Options: (A) Release minimal read-only profile feed now; (B) Add history metadata with ≤4 day slip; (C) Freeze schema and allow Notifications to mock results.
 10) **Telemetry SLO webhook schema (TELEMETRY-OBS-50)** — blocks NOTIFY-OBS-51/55. Options: (A) Freeze current draft and hand to Notifications; (B) Provide stub contract + fixtures and allow coding against mocks; (C) Slip and re-baseline notifier tasks.
 11) **Language analyzer design kickoffs (PHP/Deno/Dart/Swift) & Java 21-008 dependency** — blocks SCANNER-ENG-0010..0014 and SCANNER-ANALYZERS-JAVA-21-008. Options: (A) Run design triage per language this week and staff leads; (B) De-scope to one language per sprint, mark others slipped; (C) Provide interim capability matrix and mock outputs for dependency unlocks.
 12) **Surface.FS cache/mirror availability** — needed to validate ZASTAVA ENV/SECRETS/SURFACE tasks and unblock SURFACE-01/02 execution. Options: (A) Stand up temporary local cache/mirror in CI; (B) Accept “code complete, unvalidated” with dated follow-up window; (C) Slip validation to align with scanner cache drop.
 13) **Timeline schema review OBS-52-001** — blocks excititor timeline overlays. Options: (A) Approve current envelope; (B) Add required fields (e.g., provenance buckets) with ≤2 day slip; (C) Provide mock topic for early pipeline tests.
 14) **SCHED-WORKER-20-301 delivery** — prerequisite for SCHED-WEB-20-002 sim trigger endpoint. Options: (A) Prioritize worker fix to unblock web; (B) Let web mock worker response for integration tests; (C) Re-scope to deliver read-only preview first.
 15) **PacksRegistry tenancy scaffolding (150.B)** — needed before PacksRegistry work starts. Options: (A) Land orchestrator tenancy scaffolding now; (B) Allow PacksRegistry to target single-tenant mode temporarily; (C) Slip PacksRegistry wave and note in sprint.
 16) **Authority pack RBAC approvals/log-stream APIs (AUTH-PACKS-43-001)** — blocking Sprint 153 start. Options: (A) Approve current RBAC model; (B) Provide interim token-scoped access; (C) Slip sprint with new date and escalation.
 17) **Export Center bootstrap (EXPORT-SVC-35-001)** — blocked on upstream Orchestrator/Scheduler telemetry readiness. Options: (A) Provide synthetic telemetry feeds for bootstrap; (B) Start migrations/config in isolation; (C) Slip with dated dependency.
 18) **Notifications OAS / SDK parity ( → )** — SDK generator blocked on  schema. Options: (A) Freeze rules schema; (B) Provide placeholder schema with versioned breaking-change flag; (C) Re-baseline SDK work.
 ## SPRINT_0110_0001_0001_ingestion_evidence.md
 - **AIAI-31-008** — Status: BLOCKED (2025-11-16); Depends on: AIAI-31-006/007; DEVOPS-AIAI-31-001; Owners: Advisory AI Guild · DevOps Guild; Notes: Package inference on-prem container, remote toggle, Helm/Compose manifests, scaling/offline guidance.
 - **SBOM-AIAI-31-003** — Status: BLOCKED (2025-11-16); Depends on: SBOM-AIAI-31-001; CLI-VULN-29-001; CLI-VEX-30-001; Owners: SBOM Service Guild · Advisory AI Guild; Notes: Advisory AI hand-off kit for `/v1/sbom/context`; smoke test with tenants.
 - **DOCS-AIAI-31-005/006/008/009** — Status: BLOCKED; Depends on: CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001; Owners: Docs Guild; Notes: CLI/policy/ops docs paused pending upstream artefacts.
 - **CONCELIER-AIRGAP-56-001..58-001** — Status: BLOCKED; Depends on: Link-Not-Merge schema; Evidence Locker contract; Owners: Concelier Core · AirGap Guilds; Notes: Mirror/offline provenance chain.
 - **CONCELIER-CONSOLE-23-001..003** — Status: BLOCKED; Depends on: Link-Not-Merge schema; Owners: Concelier Console Guild; Notes: Console advisory aggregation/search helpers.
 - **CONCELIER-ATTEST-73-001/002** — Status: BLOCKED; Depends on: CONCELIER-AIAI-31-002; Evidence Locker contract; Owners: Concelier Core · Evidence Locker Guild; Notes: Attestation inputs + transparency metadata.
 - **FEEDCONN-ICSCISA-02-012 / KISA-02-008** — Status: BLOCKED; Depends on: Feed owner remediation plan; Owners: Concelier Feed Owners; Notes: Overdue provenance refreshes.
 - **EXCITITOR-AIAI-31-002** — Status: BLOCKED; Depends on: Link-Not-Merge schema; Evidence Locker contract; Owners: Excititor Web/Core Guilds; Notes: Chunk API for Advisory AI feeds.
 - **EXCITITOR-AIAI-31-003** — Status: BLOCKED; Depends on: EXCITITOR-AIAI-31-002; Owners: Excititor Observability Guild; Notes: Telemetry gated on chunk API.
 - **EXCITITOR-AIAI-31-004** — Status: BLOCKED; Depends on: EXCITITOR-AIAI-31-002; Owners: Docs Guild · Excititor Guild; Notes: Chunk API docs.
 - **EXCITITOR-ATTEST-01-003 / 73-001 / 73-002** — Status: BLOCKED; Depends on: EXCITITOR-AIAI-31-002; Evidence Locker contract; Owners: Excititor Guild · Evidence Locker Guild; Notes: Attestation scope + payloads.
 - **EXCITITOR-AIRGAP-56/57/58 · CONN-TRUST-01-001** — Status: BLOCKED; Depends on: Link-Not-Merge schema; attestation plan; Owners: Excititor Guild · AirGap Guilds; Notes: Air-gap ingest + connector trust tasks.
 - **MIRROR-CRT-56-001** — Status: BLOCKED; Depends on: Staffing decision overdue; Owners: Mirror Creator Guild; Notes: Kickoff slipped past 2025-11-15.
 - **MIRROR-CRT-56-002** — Status: BLOCKED; Depends on: MIRROR-CRT-56-001; PROV-OBS-53-001; Owners: Mirror Creator · Security Guilds; Notes: Needs assembler owner first.
 - **MIRROR-CRT-57-001/002** — Status: BLOCKED; Depends on: MIRROR-CRT-56-001; AIRGAP-TIME-57-001; Owners: Mirror Creator Guild · AirGap Time Guild; Notes: Waiting on staffing.
 - **MIRROR-CRT-58-001/002** — Status: BLOCKED; Depends on: MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001; Owners: Mirror Creator · CLI · Exporter Guilds; Notes: Requires assembler staffing + upstream contracts.
 - **EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001** — Status: BLOCKED; Depends on: MIRROR-CRT-56-001 ownership; Owners: Exporter Guild · AirGap Time · CLI Guild; Notes: Blocked until assembler staffed.
 ## SPRINT_0111_0001_0001_advisoryai.md
 - **DOCS-AIAI-31-008** — Status: BLOCKED (2025-11-03); Depends on: SBOM-AIAI-31-001; Owners: Docs Guild · SBOM Service Guild (`docs`); Notes: Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius).
 - **DOCS-AIAI-31-009** — Status: BLOCKED (2025-11-03); Depends on: DEVOPS-AIAI-31-001; Owners: Docs Guild · DevOps Guild (`docs`); Notes: Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, outages, scaling.
 - **SBOM-AIAI-31-003** — Status: BLOCKED (2025-11-16); Depends on: SBOM-AIAI-31-001; Owners: SBOM Service Guild · Advisory AI Guild (`src/SbomService/StellaOps.SbomService`); Notes: Publish Advisory AI hand-off kit for `/v1/sbom/context`, provide base URL/API key + tenant header contract, run smoke test.
 - **AIAI-31-008** — Status: BLOCKED (2025-11-16); Depends on: AIAI-31-006/007; DEVOPS-AIAI-31-001; Owners: Advisory AI Guild · DevOps Guild (`src/AdvisoryAI/StellaOps.AdvisoryAI`); Notes: Package inference on-prem container, remote toggle, Helm/Compose manifests, scaling/offline guidance.
 - **DOCS-AIAI-31-004** — Status: BLOCKED (2025-11-16); Depends on: CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; EXCITITOR-CONSOLE-23-001; Owners: Docs Guild · Console Guild (`docs`); Notes: `/docs/advisory-ai/console.md` screenshots, a11y, copy-as-ticket instructions.
 - **DOCS-AIAI-31-005** — Status: BLOCKED (2025-11-03); Depends on: CLI-VULN-29-001; CLI-VEX-30-001; AIAI-31-004C; Owners: Docs Guild · CLI Guild (`docs`); Notes: Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns.
 ## SPRINT_0112_0001_0001_concelier_i.md
 - **CONCELIER-CONSOLE-23-001** — Status: TODO; Depends on: Blocked by Link-Not-Merge schema; Owners: Concelier WebService Guild · BE-Base Platform Guild; Notes: `/console/advisories` groups linksets with severity/status chips and provenance `{documentId, observationPath}`.
 ## SPRINT_0113_0001_0002_concelier_ii.md
 - **CONCELIER-GRAPH-21-001** — Status: BLOCKED (2025-10-27); Depends on: Waiting for Link-Not-Merge schema finalization; Owners: Concelier Core Guild · Cartographer Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`); Notes: Extend SBOM normalization so relationships/scopes are stored as raw observation metadata with provenance pointers for graph joins.
 - **CONCELIER-GRAPH-21-002** — Status: BLOCKED (2025-10-27); Depends on: Depends on 21-001; Owners: Concelier Core Guild · Scheduler Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`); Notes: Publish `sbom.observation.updated` events with tenant/context and advisory refs; facts only, no judgments.
 ## SPRINT_0119_0001_0001_excititor_i.md
 - **EXCITITOR-AIRGAP-57-001** — Status: TODO; Depends on: Blocked on 56-001; define sealed-mode errors.; Owners: Excititor Core Guild · AirGap Policy Guild; Notes: Enforce sealed-mode policies, remediation errors, and staleness annotations surfaced to Advisory AI.
 - **EXCITITOR-ATTEST-73-001** — Status: DONE (2025-11-17); Depends on: Unblocked by 01-003; implement payload records.; Owners: Excititor Core · Attestation Payloads Guild; Notes: Emit attestation payloads capturing supplier identity, justification summary, and scope metadata for trust chaining.
 - **Connector provenance schema review (Connectors + Security Guilds)** — Status: Approve signer fingerprint + issuer tier schema for CONN-TRUST-01-001.; Depends on: If schema not ready, keep task blocked and request interim metadata list from connectors.; Owners: ; Notes: 
 - **Attestation verifier rehearsal (Excititor Attestation Guild)** — Status: Demo `IVexAttestationVerifier` harness + diagnostics to unblock 73-* tasks.; Depends on: If issues persist, log BLOCKED status in attestation plan and re-forecast completion.; Owners: ; Notes: 
 - **Observability span sink deploy (Ops/Signals Guild)** — Status: Enable telemetry pipeline needed for 31-003.; Depends on: If deploy slips, implement temporary counters/logs and keep action tracker flagged as blocked.; Owners: ; Notes: 
 ## SPRINT_0119_0001_0002_excititor_ii.md
 - **EXCITITOR-CORE-AOC-19-003** — Status: TODO; Depends on: Blocked on 19-002; design supersede chains.; Owners: Excititor Core Guild; Notes: Enforce uniqueness + append-only versioning of raw VEX docs.
 - **EXCITITOR-GRAPH-21-001** — Status: BLOCKED (2025-10-27); Depends on: Needs Cartographer API contract + data availability.; Owners: Excititor Core · Cartographer Guild; Notes: Batched VEX/advisory reference fetches by PURL for inspector linkouts.
 - **EXCITITOR-GRAPH-21-002** — Status: BLOCKED (2025-10-27); Depends on: Blocked on 21-001.; Owners: Excititor Core Guild; Notes: Overlay metadata includes justification summaries + versions; fixtures/tests.
 - **EXCITITOR-GRAPH-21-005** — Status: BLOCKED (2025-10-27); Depends on: Blocked on 21-002.; Owners: Excititor Storage Guild; Notes: Indexes/materialized views for VEX lookups by PURL/policy for inspector perf.
 - **Cartographer schema sync** — Status: Unblock GRAPH-21-* inspector/linkout contracts.; Depends on: Maintain BLOCKED status; deliver sample payloads for early testing.; Owners: ; Notes: 
 ## SPRINT_0119_0001_0004_excititor_iv.md
 - **Timeline schema review** — Status: Approve OBS-52-001 event envelope.; Depends on: Iterate with provisional event topic if blocked.; Owners: ; Notes: 
 ## SPRINT_0120_0000_0001_policy_reasoning.md
 - **LEDGER-34-101** — Status: BLOCKED; Depends on: Orchestrator ledger export contract (Sprint 150.A) pending; Owners: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger`; Notes: Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries.
 - **LEDGER-AIRGAP-56-001** — Status: BLOCKED; Depends on: Mirror bundle schema freeze; Owners: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger`; Notes: Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles.
 - **LEDGER-AIRGAP-56-002** — Status: BLOCKED; Depends on: Waits on LEDGER-AIRGAP-56-001 schema freeze; Owners: Findings Ledger Guild, AirGap Time Guild / `src/Findings/StellaOps.Findings.Ledger`; Notes: Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging.
 - **LEDGER-AIRGAP-57-001** — Status: BLOCKED; Depends on: Waits on LEDGER-AIRGAP-56-002; Owners: Findings Ledger Guild, Evidence Locker Guild / `src/Findings/StellaOps.Findings.Ledger`; Notes: Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works.
 - **LEDGER-AIRGAP-58-001** — Status: BLOCKED; Depends on: Waits on LEDGER-AIRGAP-57-001; Owners: Findings Ledger Guild, AirGap Controller Guild / `src/Findings/StellaOps.Findings.Ledger`; Notes: Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context.
 - **LEDGER-ATTEST-73-001** — Status: BLOCKED; Depends on: Attestation pointer schema alignment with NOTIFY-ATTEST-74-001; Owners: Findings Ledger Guild, Attestor Service Guild / `src/Findings/StellaOps.Findings.Ledger`; Notes: Persist pointers from findings to verification reports and attestation envelopes for explainability.
 ## SPRINT_0138_0000_0001_scanner_ruby_parity.md
 - **SCANNER-ENG-0010** — Status: BLOCKED; Depends on: Await composer/autoload graph design + staffing; no PHP analyzer scaffolding exists yet.; Owners: PHP Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php`); Notes: Ship the PHP analyzer pipeline (composer lock, autoload graph, capability signals) to close comparison gaps.
 - **SCANNER-ENG-0011** — Status: BLOCKED; Depends on: Needs Deno runtime analyzer scope + lockfile/import graph design; pending competitive review.; Owners: Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno`); Notes: Scope the Deno runtime analyzer (lockfile resolver, import graphs) beyond Sprint 130 coverage.
 - **SCANNER-ENG-0012** — Status: BLOCKED; Depends on: Define Dart analyzer requirements (pubspec parsing, AOT artifacts) and split into tasks.; Owners: Language Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Lang.Dart`); Notes: Evaluate Dart analyzer requirements (pubspec parsing, AOT artifacts) and split implementation tasks.
 - **SCANNER-ENG-0013** — Status: BLOCKED; Depends on: Draft SwiftPM coverage plan; align policy hooks; awaiting design kick-off.; Owners: Swift Analyzer Guild (`src/Scanner/StellaOps.Scanner.Analyzers.Native`); Notes: Plan Swift Package Manager coverage (Package.resolved, xcframeworks, runtime hints) with policy hooks.
 - **SCANNER-ENG-0014** — Status: BLOCKED; Depends on: Needs joint roadmap with Zastava/Runtime guilds for Kubernetes/VM alignment.; Owners: Runtime Guild, Zastava Guild (`docs/modules/scanner`); Notes: Align Kubernetes/VM target coverage between Scanner and Zastava per comparison findings; publish joint roadmap.
 ## SPRINT_0144_0001_0001_zastava_runtime_signals.md
 - **ZASTAVA-ENV-01** — Status: BLOCKED-w/escalation; Depends on: Code landed; execution wait on Surface.FS cache plan + package mirrors to validate.; Owners: Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer); Notes: Adopt Surface.Env helpers for cache endpoints, secret refs, and feature toggles.
 - **ZASTAVA-ENV-02** — Status: BLOCKED-w/escalation; Depends on: Code landed; validation blocked on Surface.FS cache availability/mirrors.; Owners: Zastava Webhook Guild (src/Zastava/StellaOps.Zastava.Webhook); Notes: Switch to Surface.Env helpers for webhook configuration (cache endpoint, secret refs, feature toggles).
 - **ZASTAVA-SECRETS-01** — Status: BLOCKED-w/escalation; Depends on: Code landed; requires cache/nuget mirrors to execute tests.; Owners: Zastava Observer Guild, Security Guild (src/Zastava/StellaOps.Zastava.Observer); Notes: Retrieve CAS/attestation access via Surface.Secrets instead of inline secret stores.
 - **ZASTAVA-SECRETS-02** — Status: BLOCKED-w/escalation; Depends on: Code landed; waiting on same cache/mirror prerequisites for validation.; Owners: Zastava Webhook Guild, Security Guild (src/Zastava/StellaOps.Zastava.Webhook); Notes: Retrieve attestation verification secrets via Surface.Secrets.
 - **ZASTAVA-SURFACE-01** — Status: BLOCKED-w/escalation; Depends on: Code landed; blocked on Sprint 130 analyzer artifact/cache drop and local gRPC mirrors to run tests.; Owners: Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer); Notes: Integrate Surface.FS client for runtime drift detection (lookup cached layer hashes/entry traces).
 - **ZASTAVA-SURFACE-02** — Status: BLOCKED-w/escalation; Depends on: Depends on SURFACE-01 validation; blocked on Surface.FS cache drop.; Owners: Zastava Webhook Guild (src/Zastava/StellaOps.Zastava.Webhook); Notes: Enforce Surface.FS availability during admission (deny when cache missing/stale) and embed pointer checks in webhook response.
 ## SPRINT_123_policy_reasoning.md
 - **POLICY-AIRGAP-57-001** — Status: TODO; Depends on: Enforce sealed-mode guardrails in evaluation (no outbound fetch), surface `AIRGAP_EGRESS_BLOCKED` errors with remediation (Deps: POLICY-AIRGAP-56-002); Owners: Policy Guild, AirGap Policy Guild / src/Policy/StellaOps.Policy.Engine; Notes: 
 ## SPRINT_124_policy_reasoning.md
 - **POLICY-ENGINE-20-002** — Status: BLOCKED (2025-10-26); Depends on: Build deterministic evaluator honoring lexical/priority order, first-match semantics, and safe value types (no wall-clock/network access); Owners: Policy Guild / src/Policy/StellaOps.Policy.Engine; Notes: 
 ## SPRINT_125_mirror.md
 - **Mirror Creator Guild · Exporter Guild** — Status: 2025-11-15 kickoff; Depends on: Without an owner the assembler cannot start and all downstream tasks remain blocked.; Owners: ; Notes: 
 ## SPRINT_140_runtime_signals.md
 - **Graph Indexer Guild · Observability Guild** — Status: Sprint 120.A – AirGap; Sprint 130.A – Scanner (phase I tracked under `docs/implplan/SPRINT_130_scanner_surface.md`); Depends on: BLOCKED; Owners: Analyzer artifact ETA from Sprint 130 is overdue (sync 2025-11-13); GRAPH-INDEX-28-007+ cannot start without it.; Notes: 
 - **Zastava Observer/Webhook Guilds · Security Guild** — Status: Sprint 120.A – AirGap; Sprint 130.A – Scanner; Depends on: BLOCKED; Owners: Surface.FS cache drop plan still missing (overdue from 2025-11-13 sync); SURFACE tasks cannot start.; Notes: 
 - **OVERDUE** — Status: Analyzer artifact publication schedule not published after 2025-11-13 sync; Graph/Zastava blocked awaiting ETA or mock payloads.; Depends on: Scanner Guild · Graph Indexer Guild · Zastava Guilds; Owners: ; Notes: 
 - **GRAPH-INDEX-28-007** — Status: BLOCKED; Depends on: Sprint 130 analyzer artifacts ETA overdue (missed 2025-11-13 sync); proceed once cache manifests land or mocks are provided.; Owners: Graph Indexer Guild · Observability Guild; Notes: Clustering/centrality jobs staged for execution.
 - **GRAPH-INDEX-28-008** — Status: BLOCKED; Depends on: Depends on 28-007 artifacts; blocked until analyzer payloads available.; Owners: Graph Indexer Guild; Notes: Retry/backoff plumbing sketched but blocked.
 - **GRAPH-INDEX-28-009** — Status: BLOCKED; Depends on: Upstream graph job data unavailable while 28-007 is blocked.; Owners: Graph Indexer Guild; Notes: Test/fixture/chaos coverage for graph jobs.
 - **GRAPH-INDEX-28-010** — Status: BLOCKED; Depends on: Requires outputs from blocked graph jobs to bundle offline artifacts.; Owners: Graph Indexer Guild; Notes: Packaging/offline bundles for graph jobs.
 - **SBOM-SERVICE-21-001** — Status: BLOCKED; Depends on: Concelier Link-Not-Merge (`CONCELIER-GRAPH-21-001`) not delivered.; Owners: SBOM Service Guild · Concelier Core · Cartographer Guild; Notes: Normalized SBOM projection schema.
 - **SBOM-SERVICE-21-002** — Status: BLOCKED; Depends on: Waits on 21-001 contract + event outputs.; Owners: SBOM Service Guild; Notes: SBOM change events.
 - **SBOM-SERVICE-21-003** — Status: BLOCKED; Depends on: Depends on 21-002 event payloads.; Owners: SBOM Service Guild; Notes: Entry point/service node management.
 - **SBOM-SERVICE-21-004** — Status: BLOCKED; Depends on: Follows projection + event pipelines.; Owners: SBOM Service Guild; Notes: Observability wiring for SBOM service.
 - **SIGNALS-24-004** — Status: BLOCKED (2025-10-27); Depends on: Wait for 24-002/003 completion and Authority scope validation.; Owners: Signals Guild; Notes: Reachability scoring.
 - **SIGNALS-24-005** — Status: BLOCKED (2025-10-27); Depends on: Depends on scoring outputs (24-004).; Owners: Signals Guild; Notes: Cache + `signals.fact.updated` events.
 - **ZASTAVA-SURFACE-01** — Status: BLOCKED; Depends on: Requires Scanner layer metadata + cache drop ETA (overdue).; Owners: Zastava Guilds · Scanner Guild; Notes: Surface.FS client integration with tests.
 - **ZASTAVA-SURFACE-02** — Status: BLOCKED; Depends on: Depends on SURFACE-01; blocked while cache plan is missing.; Owners: Zastava Guilds; Notes: Admission enforcement using Surface.FS caches.
 - **2025-11-13 (overdue)** — Status: TODO; Depends on: Scanner to publish Sprint 130 surface roadmap; Graph/Zastava blocked until then.; Owners: ; Notes: 
 - **2025-11-14 (overdue)** — Status: BLOCKED; Depends on: Requires `CONCELIER-GRAPH-21-001` + `CARTO-GRAPH-21-002` agreement; AirGap review scheduled after sign-off.; Owners: ; Notes: 
 - **Marked Graph/Zastava waves BLOCKED; escalation sent to Scanner leadership per contingency.** — Status: Await ETA or mock payload commitment; if none by 2025-11-18, log new target date and adjust downstream start dates; move impacted tasks to BLOCKED-with-escalation in downstream sprints.; Depends on: Graph Guild · Zastava Guilds · Scanner Guild; Owners: ; Notes: 
 - **Overdue** — Status: Publish analyzer artifact ETA or mark GRAPH-INDEX-28-007 as BLOCKED with mock data plan.; Depends on: Scanner Guild · Graph Indexer Guild; Owners: 2025-11-16 (overdue); Notes: 
 - **Overdue** — Status: Record whether Link-Not-Merge schema was ratified; if not, set SBOM-SERVICE-21-001..004 to BLOCKED with new ETA.; Depends on: Concelier Core · Cartographer Guild · SBOM Service Guild · AirGap Guild; Owners: 2025-11-16 (overdue); Notes: 
 ## SPRINT_160_export_evidence.md
 - **Evidence Locker Guild · Security Guild · Docs Guild** — Status: Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator; Depends on: BLOCKED (2025-11-12); Owners: Waiting for orchestrator capsule data and AdvisoryAI evidence bundles to stabilize before wiring ingestion APIs.; Notes: 
 - **Exporter Service Guild · Mirror Creator Guild · DevOps Guild** — Status: Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator; Depends on: BLOCKED (2025-11-12); Owners: Profiles can begin once EvidenceLocker contracts are published; keep DSSE/attestation specs ready.; Notes: 
 - **Timeline Indexer Guild · Evidence Locker Guild · Security Guild** — Status: Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator; Depends on: BLOCKED (2025-11-12); Owners: Postgres/RLS scaffolding drafted; hold for event schemas from orchestrator/notifications.; Notes: 
 - **AdvisoryAI stand-up (AdvisoryAI Guild)** — Status: Freeze evidence bundle schema + payload notes so EvidenceLocker can finalize DSSE manifests (blocked).; Depends on: If schema slips, log BLOCKED status in Sprint 110 tracker and re-evaluate at 2025-11-18 review.; Owners: ; Notes: 
 - **Orchestrator + Notifications schema handoff (Orchestrator Service + Notifications Guilds)** — Status: Publish capsule envelopes & notification contracts required by EvidenceLocker ingest, ExportCenter notifications, TimelineIndexer ordering (blocked).; Depends on: If envelopes not ready, escalate to Wave 150/140 leads and leave blockers noted here; defer DOING flips.; Owners: ; Notes: 
 - **Sovereign crypto readiness review (Security Guild + Evidence/Export teams)** — Status: Validate `ICryptoProviderRegistry` wiring plan for `EVID-CRYPTO-90-001` & `EXPORT-CRYPTO-90-001`; green-light sovereign modes (blocked).; Depends on: If gating issues remain, file action items in Security board and hold related sprint tasks in TODO.; Owners: ; Notes: 
 - **DevPortal Offline CLI dry run (DevPortal Offline + AirGap Controller Guilds)** — Status: Demo `stella devportal verify bundle.tgz` using sample manifest to prove readiness once EvidenceLocker spec lands (blocked awaiting schema).; Depends on: If CLI not ready, update DVOFF-64-002 description with new ETA and note risk in Sprint 162 doc.; Owners: ; Notes: 
 - **160.A, 160.B, 160.C** — Status: High; Depends on: Escalate to Wave 150/140 leads, record BLOCKED status in both sprint docs, and schedule daily schema stand-ups until envelopes land.; Owners: ; Notes: 
--- a/docs/implplan/tasks-all.md
+++ b/docs/implplan/tasks-all.md
--- a/docs/modules/cli/README.md
+++ b/docs/modules/cli/README.md
@@ -28,9 +28,12 @@ The `stella` CLI is the operator-facing Swiss army knife for scans, exports, pol
 - ./guides/cli-reference.md
 - ./guides/policy.md
-## Backlog references
+## Backlog references
- DOCS-CLI-OBS-52-001 / DOCS-CLI-FORENSICS-53-001 in ../../TASKS.md.
+- DOCS-CLI-OBS-52-001 / DOCS-CLI-FORENSICS-53-001 in ../../TASKS.md.
- CLI-CORE-41-001 epic in `src/Cli/StellaOps.Cli/TASKS.md`.
+- CLI-CORE-41-001 epic in `src/Cli/StellaOps.Cli/TASKS.md`.
 ## Current workstreams (Q4 2025)
 - Active docs sprint: `docs/implplan/SPRINT_0316_0001_0001_docs_modules_cli.md` — normalised sprint naming, doc sync, and upcoming ops/runbook refresh.
 ## Epic alignment
 - **Epic 2 – Policy Engine & Editor:** deliver deterministic policy authoring, simulation, and explain verbs.
--- a/docs/modules/cli/implementation_plan.md
+++ b/docs/modules/cli/implementation_plan.md
@@ -4,10 +4,11 @@
 - Maintain deterministic behaviour and offline parity across releases.
 - Keep documentation, telemetry, and runbooks aligned with the latest sprint outcomes.
-## Workstreams
+## Workstreams
- Backlog grooming: reconcile open stories in ../../TASKS.md with this module's roadmap.
+- Backlog grooming: reconcile open stories in ../../TASKS.md with this module's roadmap.
- Implementation: collaborate with service owners to land feature work defined in SPRINTS/EPIC docs.
+- Implementation: collaborate with service owners to land feature work defined in SPRINTS/EPIC docs.
- Validation: extend tests/fixtures to preserve determinism and provenance requirements.
+- Validation: extend tests/fixtures to preserve determinism and provenance requirements.
 - Documentation sync: keep module docs aligned with active sprint `docs/implplan/SPRINT_0316_0001_0001_docs_modules_cli.md`.
 ## Epic milestones
 - **Epic 2 – Policy Engine & Editor:** deliver deterministic policy verbs, simulation, and explain outputs.
--- a/docs/modules/concelier/advisory-ai-api.md
+++ b/docs/modules/concelier/advisory-ai-api.md
@@ -0,0 +1,47 @@
 # Advisory AI API (structured chunks)
 **Scope:** `/advisories/{advisoryKey}/chunks` (Concelier WebService) · aligned with Sprint 0112 canonical model.
 ## Response contract
 ```jsonc
 {
  "advisoryKey": "CVE-2025-0001",
  "fingerprint": "<sha256 canonical advisory>",
  "total": 3,
  "truncated": false,
  "entries": [
    {
      "type": "workaround",                  // ordered by (type, observationPath, documentId)
      "chunkId": "c0ffee12",                // sha256(documentId|observationPath) first 8 bytes
      "content": { /* structured field payload */ },
      "provenance": {
        "documentId": "tenant-a:chunk:newest",   // Observation _id
        "observationPath": "/references/0",      // JSON Pointer into observation
        "source": "nvd",
        "kind": "workaround",
        "value": "tenant-a:chunk:newest",
        "recordedAt": "2025-01-07T00:00:00Z",
        "fieldMask": ["/references/0"]
      }
    }
  ]
 }
 ```
 ### Determinism & provenance
 - Sort entries by `(type, observationPath, documentId)` to keep cache keys stable across nodes.
 - Cache keys include the advisory `fingerprint`, chunk/observation limits, filters, and observation hashes.
 - Provenance anchors must always include both `documentId` and `observationPath` for Console/Attestor deep links and offline mirrors.
 ### Query parameters
 - `tenant` (required): tenant id; must match authorization context.
 - `limit`, `observations`, `minLength`: bounded integers (see `ConcelierOptions.AdvisoryChunks`).
 - `section`, `format`: comma-separated filters (case-insensitive).
 ### Compatibility notes
 - Mirrors and offline kits rely on `fingerprint` + `chunkId` to verify chunks without re-merging observations.
 - Field names mirror GHSA GraphQL and Cisco PSIRT openVuln payloads for downstream parity.
--- a/docs/modules/concelier/link-not-merge-schema.md
+++ b/docs/modules/concelier/link-not-merge-schema.md
@@ -1,12 +1,15 @@
 # Link-Not-Merge (LNM) Observation & Linkset Schema
-_Draft for approval — authored 2025-11-16 to unblock CONCELIER-LNM tracks._
+_Frozen v1 (add-only) — approved 2025-11-17 for CONCELIER-LNM-21-001/002/101._
 ## Goals
 - Immutable storage of raw advisory observations per source/tenant.
 - Deterministic linksets built from observations without merging or mutating originals.
 - Stable across online/offline deployments; replayable from raw inputs.
 ## Status
 - Frozen v1 as of 2025-11-17; further schema changes must go through ADR + sprint gating (CONCELIER-LNM-22x+).
 ## Observation document (Mongo JSON Schema excerpt)
 ```json
 {
@@ -41,6 +44,17 @@ _Draft for approval — authored 2025-11-16 to unblock CONCELIER-LNM tracks._
      }
    },
    "references": {"bsonType": "array", "items": {"bsonType":"string"}},
    "scopes": {"bsonType":"array","items":{"bsonType":"string"}},
    "relationships": {
      "bsonType": "array",
      "items": {"bsonType":"object","required":["type","source","target"],
        "properties": {
          "type":{"bsonType":"string"},
          "source":{"bsonType":"string"},
          "target":{"bsonType":"string"},
          "provenance":{"bsonType":"string"}
        }}
    },
    "weaknesses": {"bsonType":"array","items":{"bsonType":"string"}},
    "published": {"bsonType": "date"},
    "modified": {"bsonType": "date"},
@@ -84,6 +98,14 @@ _Draft for approval — authored 2025-11-16 to unblock CONCELIER-LNM tracks._
        "severities": {"bsonType":"array","items":{"bsonType":"object"}}
      }
    },
    "confidence": {"bsonType":"double", "description":"Optional correlation confidence (0–1)"},
    "conflicts": {"bsonType":"array","items":{"bsonType":"object",
      "required":["field","reason"],
      "properties":{
        "field":{"bsonType":"string"},
        "reason":{"bsonType":"string"},
        "values":{"bsonType":"array","items":{"bsonType":"string"}}
      }}},
    "createdAt":{"bsonType":"date"},
    "builtByJobId":{"bsonType":"string"},
    "provenance": {"bsonType":"object","properties":{
--- a/docs/modules/excititor/evidence-contract.md
+++ b/docs/modules/excititor/evidence-contract.md
@@ -0,0 +1,89 @@
 # Excititor Advisory-AI Evidence Contract (v1)
 Updated: 2025-11-18 · Scope: EXCITITOR-AIAI-31-004 (Phase 119)
 This note defines the deterministic, aggregation-only contract that Excititor exposes to Advisory AI and Lens consumers. It covers the `/v1/vex/evidence/chunks` NDJSON stream plus the projection rules for observation IDs, signatures, and provenance metadata.
 ## Goals
 - **Deterministic & replayable**: stable ordering, no implicit clocks, fixed schemas.
 - **Aggregation-only**: no consensus/inference; raw supplier statements plus signatures and AOC (Aggregation-Only Contract) guardrails.
 - **Offline-friendly**: chunked NDJSON; no cross-tenant lookups; portable enough for mirror/air-gap bundles.
 ## Endpoint
 - `GET /v1/vex/evidence/chunks`
  - **Query**:
    - `tenant` (required)
    - `vulnerabilityId` (optional, repeatable) — CVE, GHSA, etc.
    - `productKey` (optional, repeatable) — PURLish key used by Advisory AI.
    - `cursor` (optional) — stable pagination token.
    - `limit` (optional) — max records per stream chunk (default 500, max 2000).
  - **Response**: `Content-Type: application/x-ndjson`
    - Each line is a single evidence record (see schema below).
    - Ordered by `(tenant, vulnerabilityId, productKey, observationId, statementId)` to stay deterministic.
 ## Evidence record schema (NDJSON)
 ```json
 {
  "tenant": "acme",
  "vulnerabilityId": "CVE-2024-1234",
  "productKey": "pkg:pypi/django@3.2.24",
  "observationId": "obs-3cf9d6e4-…",
  "statementId": "stmt-9c1d…",
  "source": {
    "supplier": "upstream:osv",
    "documentId": "osv:GHSA-xxxx-yyyy",
    "retrievedAt": "2025-11-10T12:34:56Z",
    "signatureStatus": "missing|unverified|verified"
  },
  "aoc": {
    "violations": [
      { "code": "EVIDENCE_SIGNATURE_MISSING", "surface": "ingest" }
    ]
  },
  "evidence": {
    "type": "vex.statement",
    "payload": { "...supplier-normalized-fields..." }
  },
  "provenance": {
    "hash": "sha256:...",
    "canonicalUri": "https://mirror.example/bundles/…",
    "bundleId": "mirror-bundle-001"
  }
 }
 ```
 ### Field notes
 - `observationId` is stable and maps 1:1 to internal storage; Advisory AI must cite it when emitting narratives.
 - `statementId` remains unique within an observation.
 - `signatureStatus` is pass-through from ingest; no interpretation beyond `missing|unverified|verified`.
 - `aoc.violations` enumerates guardrail violations without blocking delivery.
 - `evidence.payload` is supplier-shaped; we **do not** merge or rank.
 - `provenance.hash` is the SHA-256 of the supplier document bytes; `canonicalUri` points to the mirror bundle when available.
 ## Determinism rules
 - Ordering: fixed sort above; pagination cursor is derived from the last emitted `(tenant, vulnerabilityId, productKey, observationId, statementId)`.
 - Clocks: All timestamps are UTC ISO-8601 with `Z`.
 - No server-generated randomness; record content is idempotent for identical upstream inputs.
 ## AOC guardrails
 - Enforced surfaces: ingest, `/v1/vex/aoc/verify`, and chunk emission.
 - Violations are reported via `aoc.violations` and metric `excititor.vex.aoc.guard_violations`.
 - No statements are dropped due to AOC; consumers decide how to act.
 ## Telemetry (counters/logs-only until span sink arrives)
 - `excititor.vex.chunks.requests` — by `tenant`, `outcome`, `truncated`.
 - `excititor.vex.chunks.bytes` — histogram of NDJSON stream sizes.
 - `excititor.vex.chunks.records` — histogram of records per stream.
 - Existing observation metrics (`excititor.vex.observation.*`) remain unchanged.
 ## Error handling
 - 400 for invalid tenant or mutually exclusive filters.
 - 429 with `Retry-After` when throttle budgets exceeded.
 - 503 on upstream store/transient failures; responses remain NDJSON-free on error.
 ## Offline / mirror readiness
 - When mirror bundles are configured, `provenance.canonicalUri` points to the local bundle path; otherwise it is omitted.
 - All payloads are side-effect free; no remote fetches occur while streaming.
 ## Versioning
 - Contract version: `v1` (this document). Changes must be additive; breaking changes require `v2` path and updated doc.
--- a/docs/modules/excititor/operations/observability.md
+++ b/docs/modules/excititor/operations/observability.md
@@ -17,7 +17,10 @@ Excititor’s evidence APIs now emit first-class OpenTelemetry metrics so Lens,
 | `excititor.vex.observation.requests` | Counter | Number of `/v1/vex/observations/{vulnerabilityId}/{productKey}` requests handled. | `tenant`, `outcome` (`success`, `error`, `cancelled`), `truncated` (`true/false`) |
 | `excititor.vex.observation.statement_count` | Histogram | Distribution of statements returned per observation projection request. | `tenant`, `outcome` |
 | `excititor.vex.signature.status` | Counter | Signature status per statement (missing vs. unverified). | `tenant`, `status` (`missing`, `unverified`) |
-| `excititor.vex.aoc.guard_violations` | Counter | Aggregated count of Aggregation-Only Contract violations detected by the WebService (ingest + `/vex/aoc/verify`). | `tenant`, `surface` (`ingest`, `aoc_verify`, etc.), `code` (AOC error code) |
+| `excititor.vex.aoc.guard_violations` | Counter | Aggregated count of Aggregation-Only Contract violations detected by the WebService (ingest + `/v1/vex/aoc/verify`). | `tenant`, `surface` (`ingest`, `aoc_verify`, etc.), `code` (AOC error code) |
 | `excititor.vex.chunks.requests` | Counter | Requests to `/v1/vex/evidence/chunks` (NDJSON stream). | `tenant`, `outcome` (`success`,`error`,`cancelled`), `truncated` (`true/false`) |
 | `excititor.vex.chunks.bytes` | Histogram | Size of NDJSON chunk streams served (bytes). | `tenant`, `outcome` |
 | `excititor.vex.chunks.records` | Histogram | Count of evidence records emitted per chunk stream. | `tenant`, `outcome` |
 > All metrics originate from the `EvidenceTelemetry` helper (`src/Excititor/StellaOps.Excititor.WebService/Telemetry/EvidenceTelemetry.cs`). When disabled (telemetry off), the helper is inert.
@@ -31,8 +34,8 @@ Excititor’s evidence APIs now emit first-class OpenTelemetry metrics so Lens,
 1. **Enable telemetry**: set `Excititor:Telemetry:EnableMetrics=true`, configure OTLP endpoints/headers as described in `TelemetryExtensions`.
 2. **Add dashboards**: import panels referencing the metrics above (see Grafana JSON snippets in Ops repo once merged).
-3. **Alerting**: add rules for high guard violation rates and missing signatures. Tie alerts back to connectors via tenant metadata.
+3. **Alerting**: add rules for high guard violation rates, missing signatures, and abnormal chunk bytes/record counts. Tie alerts back to connectors via tenant metadata.
-4. **Post-deploy checks**: after each release, verify metrics emit by curling `/v1/vex/observations/...`, watching the console exporter (dev) or OTLP (prod).
+4. **Post-deploy checks**: after each release, verify metrics emit by curling `/v1/vex/observations/...` and `/v1/vex/evidence/chunks`, watching the console exporter (dev) or OTLP (prod).
 ## Related documents
--- a/docs/modules/findings-ledger/observability.md
+++ b/docs/modules/findings-ledger/observability.md
@@ -17,6 +17,8 @@
 | `ledger_ingest_backlog_events` | Gauge | `tenant` | Number of events buffered in the writer queue. Alert when >5 000 for 5 min. |
 | `ledger_projection_lag_seconds` | Gauge | `tenant` | Wall-clock difference between latest ledger event and projection tail. Target <30 s. |
 | `ledger_projection_rebuild_seconds` | Histogram | `tenant` | Duration of replay/rebuild operations triggered by LEDGER-29-008 harness. |
 | `ledger_projection_apply_seconds` | Histogram | `tenant`, `event_type`, `policy_version`, `evaluation_status` | Time to apply a single ledger event to projection. Target P95 <1 s. |
 | `ledger_projection_events_total` | Counter | `tenant`, `event_type`, `policy_version`, `evaluation_status` | Count of events applied to projections. |
 | `ledger_merkle_anchor_duration_seconds` | Histogram | `tenant` | Time to batch + anchor events. Target <60 s per 10k events. |
 | `ledger_merkle_anchor_failures_total` | Counter | `tenant`, `reason` (`db`, `signing`, `network`) | Alerts at >0 within 15 min. |
 | `ledger_attachments_encryption_failures_total` | Counter | `tenant`, `stage` (`encrypt`, `sign`, `upload`) | Ensures secure attachment pipeline stays healthy. |
@@ -25,22 +27,23 @@
 ### Derived dashboards
 - **Writer health:** `ledger_write_latency_seconds` (P50/P95/P99), backlog gauge, event throughput.
- **Projection health:** `ledger_projection_lag_seconds`, rebuild durations, conflict counts (from logs).
+- **Projection health:** `ledger_projection_lag_seconds`, `ledger_projection_apply_seconds`, projection throughput, conflict counts (from logs).
 - **Anchoring:** Anchor duration histogram, failure counter, root hash timeline.
 ## 3. Logs & traces
 - **Log structure:** Serilog JSON with fields `tenant`, `chainId`, `sequence`, `eventId`, `eventType`, `actorId`, `policyVersion`, `hash`, `merkleRoot`.
 - **Log levels:** `Information` for success summaries (sampled), `Warning` for retried operations, `Error` for failed writes/anchors.
 - **Correlation:** Each API request includes `requestId` + `traceId` logged with events. Projector logs capture `replayId` and `rebuildReason`.
 - **Timeline events:** `ledger.event.appended` and `ledger.projection.updated` are emitted as structured logs carrying `tenant`, `chainId`, `sequence`, `eventId`, `policyVersion`, `traceId`, and placeholder `evidence_ref` fields for downstream timeline consumers.
 - **Secrets:** Ensure `event_body` is never logged; log only metadata/hashes.
 ## 4. Alerts
 | Alert | Condition | Response |
 | --- | --- | --- |
-| **LedgerWriteSLA** | `ledger_write_latency_seconds` P95 > 0.12 s for 3 intervals | Check DB contention, review queue backlog, scale writer. |
+| **LedgerWriteSLA** | `ledger_write_latency_seconds` P95 > 1 s for 3 intervals | Check DB contention, review queue backlog, scale writer. |
 | **LedgerBacklogGrowing** | `ledger_ingest_backlog_events` > 5 000 for 5 min | Inspect upstream policy runs, ensure projector keeping up. |
-| **ProjectionLag** | `ledger_projection_lag_seconds` > 60 s | Trigger rebuild, verify change streams. |
+| **ProjectionLag** | `ledger_projection_lag_seconds` > 30 s | Trigger rebuild, verify change streams. |
 | **AnchorFailure** | `ledger_merkle_anchor_failures_total` increase > 0 | Collect logs, rerun anchor, verify signing service. |
 | **AttachmentSecurityError** | `ledger_attachments_encryption_failures_total` increase > 0 | Audit attachments pipeline; check key material and storage endpoints. |
--- a/docs/modules/findings-ledger/schema.md
+++ b/docs/modules/findings-ledger/schema.md
@@ -38,6 +38,7 @@ Events are immutable append-only records representing every workflow change. Rec
 | `event_hash` | `char(64)` | SHA-256 over canonical payload envelope. |
 | `previous_hash` | `char(64)` | Hash of prior event in chain (all zeroes for first). |
 | `merkle_leaf_hash` | `char(64)` | Leaf hash used for Merkle anchoring (hash over `event_hash || sequence_no`). |
 | `evidence_bundle_ref` | `text` | Optional reference to evaluation/job evidence bundle (DSSE or capsule id). |
 **Constraints & indexes**
@@ -49,6 +50,7 @@ CHECK (event_hash ~ '^[0-9a-f]{64}$');
 CHECK (previous_hash ~ '^[0-9a-f]{64}$');
 CREATE INDEX ix_ledger_events_finding ON ledger_events (tenant_id, finding_id, policy_version);
 CREATE INDEX ix_ledger_events_type ON ledger_events (tenant_id, event_type, recorded_at DESC);
 CREATE INDEX ix_ledger_events_finding_evidence_ref ON ledger_events (tenant_id, finding_id, recorded_at DESC) WHERE evidence_bundle_ref IS NOT NULL;
 ```
 Partitions: top-level partitioned by `tenant_id` (list) with a default partition. Optional sub-partition by month on `recorded_at` for large tenants. PostgreSQL requires the partition key in unique constraints; global uniqueness for `event_id` is enforced as `(tenant_id, event_id)` with application-level guards maintaining cross-tenant uniqueness.
--- a/docs/modules/graph/README.md
+++ b/docs/modules/graph/README.md
@@ -16,7 +16,8 @@ Graph Indexer + Graph API build the tenant-scoped knowledge graph that powers bl
 - **Storage abstraction** — supports document + adjacency (Mongo) or pluggable graph engine; both paths enforce deterministic ordering and export manifests.
 ## Current workstreams (Q4 2025)
- `GRAPH-SVC-30-00x` (in `src/Graph/StellaOps.Graph.Indexer/TASKS.md`) — stand up Graph Indexer pipeline, identity registry, snapshot exports.
+- `GRAPH-SVC-30-00x` (see `src/Graph/StellaOps.Graph.Indexer/TASKS.md`) — stand up Graph Indexer pipeline, identity registry, snapshot exports.
 - Active sprint: `docs/implplan/SPRINT_0141_0001_0001_graph_indexer.md` (Runtime & Signals 140.A) — clustering/centrality jobs, incremental/backfill pipeline, determinism tests, packaging.
 - `GRAPH-API-30-00x` — draft API planner/cost guard, streaming responses, and Authority scope integration.
 - `DOCS-GRAPH-24-003` & related backlog — author overview/API/query language docs; update this README again once those deliverables land.
 - Deployment/DevOps follow-ups (`DEVOPS-VEX-30-001`, `DEPLOY-VEX-30-001`) coordinate dashboards, load tests, and Helm/Compose overlays for the graph stack.
--- a/docs/modules/graph/implementation_plan.md
+++ b/docs/modules/graph/implementation_plan.md
@@ -1,6 +1,7 @@
 # Implementation plan — Graph
-## Delivery phases
+## Delivery phases
 > Current active execution sprint: `docs/implplan/SPRINT_0141_0001_0001_graph_indexer.md` (Runtime & Signals 140.A).
 - **Phase 1 – Graph Indexer foundations**  
  Stand up Graph Indexer service, node/edge schemas, ingestion from SBOM/Concelier/Excititor events, identity stability, and snapshot materialisation.
 - **Phase 2 – Graph API service**  
--- a/docs/modules/orchestrator/README.md
+++ b/docs/modules/orchestrator/README.md
@@ -2,14 +2,17 @@
 The Orchestrator schedules, observes, and recovers ingestion and analysis jobs across the StellaOps platform.
-## Latest updates (2025-11-01)
+## Latest updates (2025-11-18)
- Authority added `orch:quota` and `orch:backfill` scopes for quota/backfill operations, plus token reason/ticket auditing (`docs/updates/2025-11-01-orch-admin-scope.md`). Operators must supply `quota_reason` / `quota_ticket` (or `backfill_reason` / `backfill_ticket`) when requesting elevated tokens and surface those claims in change reviews.
+- Job leasing now flows through the Task Runner bridge: allocations carry idempotency keys, lease durations, and retry hints; workers acknowledge via claim/ack and emit heartbeats.
 - Event envelopes remain interim pending ORCH-SVC-37-101; include provenance (tenant/project, job type, correlationId, task runner id) in all notifier events.
 - Authority `orch:quota` / `orch:backfill` scopes require reason/ticket audit fields; include them in runbooks and dashboard overrides.
 ## Responsibilities
 - Track job state, throughput, and errors for Concelier, Excititor, Scheduler, and export pipelines.
 - Expose dashboards and APIs for throttling, replays, and failover.
 - Enforce rate-limits, concurrency and dependency chains across queues.
 - Stream structured events and audit logs for incident response.
 - Provide Task Runner bridge semantics (claim/ack, heartbeats, progress, artifacts, backfills) for Go/Python SDKs.
 ## Key components
 - Orchestrator WebService (control plane).
@@ -24,9 +27,9 @@ The Orchestrator schedules, observes, and recovers ingestion and analysis jobs a
 ## Operational notes
 - Job recovery runbooks and dashboard JSON as described in Epic 9.
- Audit retention policies for job history.
+- Rate-limit and lease reconfiguration guidelines; keep lease defaults aligned across runners and SDKs (Go/Python).
- Rate-limit reconfiguration guidelines.
+- Log streaming: SSE/WS endpoints carry correlationId + tenant/project; buffer size and retention must be documented in runbooks.
- When using the new `orch:quota` / `orch:backfill` scopes, ensure reason/ticket fields are captured in runbooks and audit checklists per the 2025-11-01 Authority update.
+- When using `orch:quota` / `orch:backfill` scopes, capture reason/ticket fields in runbooks and audit checklists.
 ## Epic alignment
 - Epic 9: Source & Job Orchestrator Dashboard.
--- a/docs/modules/orchestrator/TASKS.md
+++ b/docs/modules/orchestrator/TASKS.md
@@ -0,0 +1,9 @@
 # Orchestrator docs task board
 | Task ID | Status | Owner(s) | Notes |
 | --- | --- | --- | --- |
 | ORCH-DOCS-0001 | DONE | Docs Guild | README updated with leasing / task runner bridge notes and interim envelope guidance. |
 | ORCH-ENG-0001 | DONE | Module Team | Sprint references normalized; notes synced to doc sprint. |
 | ORCH-OPS-0001 | DONE | Ops Guild | Runbook impacts captured in README; follow-up to update ops docs. |
 Status rules: mirror changes in `docs/implplan/SPRINT_0323_0001_0001_docs_modules_orchestrator.md`; use TODO → DOING → DONE/BLOCKED; add brief note if pausing.
--- a/docs/modules/orchestrator/architecture.md
+++ b/docs/modules/orchestrator/architecture.md
@@ -9,13 +9,18 @@
 - **Queue abstraction.** Supports Mongo queue, Redis Streams, or NATS JetStream (pluggable). Each job carries lease metadata and retry policy.
 - **Dashboard feeds.** SSE/GraphQL endpoints supply Console UI with job timelines, throughput, error distributions, and rate-limit status.
-## 2) Job lifecycle
+## 2) Job lifecycle
-
+
-1. **Enqueue.** Producer services (Concelier, Excititor, Scheduler, Export Center, Policy Engine) submit `JobRequest` records containing `jobType`, `tenant`, `priority`, `payloadDigest`, `dependencies`.
+1. **Enqueue.** Producer services (Concelier, Excititor, Scheduler, Export Center, Policy Engine) submit `JobRequest` records containing `jobType`, `tenant`, `priority`, `payloadDigest`, `dependencies`.
-2. **Scheduling.** Orchestrator applies quotas and rate limits per `{tenant, jobType}`. Jobs exceeding limits are staged in pending queue with next eligible timestamp.
+2. **Scheduling.** Orchestrator applies quotas and rate limits per `{tenant, jobType}`. Jobs exceeding limits are staged in pending queue with next eligible timestamp.
-3. **Leasing.** Workers poll `LeaseJob` endpoint; Orchestrator returns job with `leaseId`, `leaseUntil`, and instrumentation tokens. Lease renewal required for long-running tasks.
+3. **Leasing (Task Runner bridge).** Workers poll `LeaseJob` endpoint; Orchestrator returns job with `leaseId`, `leaseUntil`, `idempotencyKey`, and instrumentation tokens. Lease renewal required for long-running tasks; leases carry retry hints and provenance (`tenant`, `project`, `correlationId`, `taskRunnerId`).
-4. **Completion.** Worker reports status (`succeeded`, `failed`, `canceled`, `timed_out`). On success the job is archived; on failure Orchestrator applies retry policy (exponential backoff, max attempts). Incidents escalate to Ops if thresholds exceeded.
+4. **Completion.** Worker reports status (`succeeded`, `failed`, `canceled`, `timed_out`). On success the job is archived; on failure Orchestrator applies retry policy (exponential backoff, max attempts). Incidents escalate to Ops if thresholds exceeded.
-5. **Replay.** Operators trigger `POST /jobs/{id}/replay` which clones job payload, sets `replayOf` pointer, and requeues with high priority while preserving determinism metadata.
+5. **Replay.** Operators trigger `POST /jobs/{id}/replay` which clones job payload, sets `replayOf` pointer, and requeues with high priority while preserving determinism metadata.
 ### Pack-run lifecycle (phase III)
 - **Register** `pack-run` job type with task runner hints (artifacts, log channel, heartbeat cadence).
 - **Logs/Artifacts**: SSE/WS stream keyed by `packRunId` + `tenant/project`; artifacts published with content digests and URI metadata.
 - **Events**: notifier payloads include envelope provenance (tenant, project, correlationId, idempotencyKey) pending ORCH-SVC-37-101 final spec.
 ## 3) Rate-limit & quota governance
@@ -24,22 +29,24 @@
 - Circuit breakers automatically pause job types when failure rate > configured threshold; incidents generated via Notify and Observability stack.
 - Control plane quota updates require Authority scope `orch:quota` (issued via `Orch.Admin` role). Historical rebuilds/backfills additionally require `orch:backfill` and must supply `backfill_reason` and `backfill_ticket` alongside the operator metadata. Authority persists all four fields (`quota_reason`, `quota_ticket`, `backfill_reason`, `backfill_ticket`) for audit replay.
-## 4) APIs
+## 4) APIs
-
+
- `GET /api/jobs?status=` — list jobs with filters (tenant, jobType, status, time window).
+- `GET /api/jobs?status=` — list jobs with filters (tenant, jobType, status, time window).
- `GET /api/jobs/{id}` — job detail (payload digest, attempts, worker, lease history, metrics).
+- `GET /api/jobs/{id}` — job detail (payload digest, attempts, worker, lease history, metrics).
- `POST /api/jobs/{id}/cancel` — cancel running/pending job with audit reason.
+- `POST /api/jobs/{id}/cancel` — cancel running/pending job with audit reason.
- `POST /api/jobs/{id}/replay` — schedule replay.
+- `POST /api/jobs/{id}/replay` — schedule replay.
- `POST /api/limits/throttle` — apply throttle (requires elevated scope).
+- `POST /api/limits/throttle` — apply throttle (requires elevated scope).
- `GET /api/dashboard/metrics` — aggregated metrics for Console dashboards.
+- `GET /api/dashboard/metrics` — aggregated metrics for Console dashboards.
 - Event envelope draft (`docs/modules/orchestrator/event-envelope.md`) defines notifier/webhook/SSE payloads with idempotency keys, provenance, and task runner metadata for job/pack-run events.
 All responses include deterministic timestamps, job digests, and DSSE signature fields for offline reconciliation.
-## 5) Observability
+## 5) Observability
-
+
- Metrics: `job_queue_depth{jobType,tenant}`, `job_latency_seconds`, `job_failures_total`, `job_retry_total`, `lease_extensions_total`.
+- Metrics: `job_queue_depth{jobType,tenant}`, `job_latency_seconds`, `job_failures_total`, `job_retry_total`, `lease_extensions_total`.
- Logs: structured with `jobId`, `jobType`, `tenant`, `workerId`, `leaseId`, `status`. Incident logs flagged for Ops.
+- Task Runner bridge adds `pack_run_logs_stream_lag_seconds`, `pack_run_heartbeats_total`, `pack_run_artifacts_total`.
- Traces: spans covering `enqueue`, `schedule`, `lease`, `worker_execute`, `complete`. Trace IDs propagate to worker spans for end-to-end correlation.
+- Logs: structured with `jobId`, `jobType`, `tenant`, `workerId`, `leaseId`, `status`. Incident logs flagged for Ops.
 - Traces: spans covering `enqueue`, `schedule`, `lease`, `worker_execute`, `complete`. Trace IDs propagate to worker spans for end-to-end correlation.
 ## 6) Offline support
--- a/docs/modules/orchestrator/event-envelope.md
+++ b/docs/modules/orchestrator/event-envelope.md
@@ -0,0 +1,69 @@
 # Orchestrator Event Envelope (draft)
 Status: draft for ORCH-SVC-38-101 (pending ORCH-SVC-37-101 approval)
 ## Goals
 - Single, provenance-rich envelope for policy/export/job lifecycle events.
 - Idempotent across retries and transports (Notifier bus, webhooks, SSE/WS streams).
 - Tenant/project isolation and offline-friendly replays.
 ## Envelope
 ```jsonc
 {
  "schemaVersion": "orch.event.v1",
  "eventId": "urn:orch:event:...",            // UUIDv7 or ULID
  "eventType": "job.failed|job.completed|pack_run.log|pack_run.artifact|policy.updated|export.completed",
  "occurredAt": "2025-11-19T12:34:56Z",
  "idempotencyKey": "orch-{eventType}-{jobId}-{attempt}",
  "correlationId": "corr-...",                 // propagated from producer
  "tenantId": "...",
  "projectId": "...",                          // optional but preferred
  "actor": {
    "subject": "service/worker-sdk-go",        // who emitted the event
    "scopes": ["orch:quota", "orch:backfill"]
  },
  "job": {
    "id": "job_018f...",
    "type": "pack-run|ingest|export|policy-simulate",
    "runId": "run_018f...",                    // for pack runs / sims
    "attempt": 3,
    "leaseId": "lease_018f...",
    "taskRunnerId": "tr_018f...",
    "status": "completed|failed|running|canceled",
    "reason": "user_cancelled|retry_backoff|quota_paused",
    "payloadDigest": "sha256:...",
    "artifacts": [
      {"uri": "s3://...", "digest": "sha256:...", "mime": "application/json"}
    ]
  },
  "metrics": {
    "durationSeconds": 12.345,
    "logStreamLagSeconds": 0.8,
    "backoffSeconds": 30
  },
  "notifier": {
    "channel": "orch.jobs",
    "delivery": "dsse",
    "replay": {"ordinal": 5, "total": 12}
  }
 }
 ```
 ## Idempotency rules
 - `eventId` globally unique; `idempotencyKey` dedupe per channel.
 - Emit once per state transition; retries reuse the same `eventId`/`idempotencyKey`.
 ## Provenance
 - Always include `tenantId` and `projectId` (if available).
 - Carry `correlationId` from upstream producers and `taskRunnerId` from leasing bridge.
 - Include `actor.scopes` when events are triggered via elevated tokens (`orch:quota`, `orch:backfill`).
 ## Transport bindings
 - **Notifier bus**: DSSE-wrapped envelope; subject `orch.event` and `eventType`.
 - **Webhooks**: HMAC with `X-Orchestrator-Signature` (sha256), replay-safe via `idempotencyKey`.
 - **SSE/WS**: stream per `tenantId` filtered by `projectId`; client dedupe via `eventId`.
 ## Backlog & follow-ups
 - Align field names with ORCH-SVC-37-101 once finalized.
 - Add examples for policy/export events and pack-run log/manifest payloads.
 - Document retry/backoff semantics in Notify/Console subscribers.
--- a/docs/modules/sbomservice/architecture.md
+++ b/docs/modules/sbomservice/architecture.md
@@ -0,0 +1,57 @@
 # SBOM Service architecture (2025Q4)
 > Scope: canonical SBOM projections, lookup and timeline APIs, asset metadata overlays, and events feeding Advisory AI, Console, Graph, Policy, and Vuln Explorer.
 ## 1) Mission & boundaries
 - Mission: serve deterministic, tenant-scoped SBOM projections (Link-Not-Merge v1) and related metadata for downstream reasoning and overlays.
 - Boundaries:
  - Does not perform scanning; consumes Scanner outputs or supplied SPDX/CycloneDX blobs.
  - Does not author verdicts/policy; supplies evidence and projections to Policy/Concelier/Graph.
  - Append-only SBOM versions; mutations happen via new versions, never in-place edits.
 ## 2) Project layout
 - `src/SbomService/StellaOps.SbomService` — REST API + event emitters + orchestrator integration.
 - Storage: MongoDB collections (proposed)
  - `sbom_snapshots` (immutable versions; tenant + artifact + digest + createdAt)
  - `sbom_projections` (materialised views keyed by snapshotId, entrypoint/service node flags)
  - `sbom_assets` (asset metadata, criticality/owner/env/exposure; append-only history)
  - `sbom_paths` (resolved dependency paths with runtime flags, blast-radius hints)
  - `sbom_events` (outbox for event delivery + watermark/backfill tracking)
 ## 3) APIs (first wave)
 - `GET /sbom/paths?purl=...&artifact=...&scope=...&env=...` — returns ordered paths with runtime_flag/blast_radius and nearest-safe-version hint; supports `cursor` pagination.
 - `GET /sbom/versions?artifact=...` — time-ordered SBOM version timeline for Advisory AI; include provenance and source bundle hash.
 - `GET /console/sboms` — Console catalog with filters (artifact, license, scope, asset tags), cursor pagination, evaluation metadata, immutable JSON projection for drawer views.
 - `GET /components/lookup?purl=...` — component neighborhood for global search/Graph overlays; returns caches hints + tenant enforcement.
 - `POST /entrypoints` / `GET /entrypoints` — manage entrypoint/service node overrides feeding Cartographer relevance; deterministic defaults when unset.
 ## 4) Ingestion & orchestrator integration
 - Ingest sources: Scanner pipeline (preferred) or uploaded SPDX 3.0.1/CycloneDX 1.6 bundles.
 - Orchestrator: register SBOM ingest/index jobs; worker SDK emits artifact hash + job metadata; honor pause/throttle; report backpressure metrics; support watermark-based backfill for idempotent replays.
 - Idempotency: combine `(tenant, artifactDigest, sbomVersion)` as primary key; duplicate ingests short-circuit.
 ## 5) Events & streaming
 - `sbom.version.created` — emitted per new SBOM snapshot; payload: tenant, artifact digest, sbomVersion, projection hash, source bundle hash, import provenance; replay/backfill via outbox with watermark.
 - `sbom.asset.updated` — emitted when asset metadata changes; idempotent payload keyed by `(tenant, assetId, version)`.
 - Inventory/resolver feeds — queue/topic delivering `(artifact, purl, version, paths, runtime_flag, scope, nearest_safe_version)` for Vuln Explorer/Findings Ledger.
 ## 6) Determinism & offline posture
 - Stable ordering for projections and paths; timestamps in UTC ISO-8601; hash inputs canonicalised.
 - Add-only evolution for schemas; LNM v1 fixtures published alongside API docs and replayable tests.
 - Offline-friendly: uses mirrored packages, avoids external calls during projection; exports NDJSON bundles for air-gapped replay.
 ## 7) Tenancy & security
 - All APIs require tenant context (token claims or mTLS binding); collection filters must include tenant keys.
 - Enforce least-privilege queries; avoid cross-tenant caches; log tenant IDs in structured logs.
 - Input validation: schema-validate incoming SBOMs; reject oversized/unsupported media types early.
 ## 8) Observability
 - Metrics: `sbom_projection_seconds`, `sbom_projection_size_bytes`, `sbom_paths_latency_seconds`, `sbom_paths_cache_hit_ratio`, `sbom_events_backlog`.
 - Traces: wrap ingest, projection build, and API handlers; propagate orchestrator job IDs.
 - Logs: structured, include tenant + artifact digest + sbomVersion; classify ingest failures (schema, storage, orchestrator, validation).
 - Alerts: backlog thresholds for outbox/event delivery; high latency on path/timeline endpoints.
 ## 9) Open questions / dependencies
 - Confirm orchestrator pause/backfill contract (shared with Runtime & Signals 140-series).
 - Finalise storage collection names and indexes (compound on tenant+artifactDigest+version, TTL for transient staging).
 - Publish canonical LNM v1 fixtures and JSON schemas for projections and asset metadata.
--- a/docs/modules/scanner/design/README.md
+++ b/docs/modules/scanner/design/README.md
@@ -4,6 +4,7 @@ This directory contains deep technical designs for current and upcoming analyzer
 ## Language analyzers
 - `ruby-analyzer.md` — lockfile, runtime graph, capability signals for Ruby.
 - `deno-runtime-signals.md` — runtime trace + policy signal contract for Deno analyzer.
 ## Surface & platform contracts
 - `surface-fs.md`
--- a/docs/modules/scanner/design/deno-runtime-signals.md
+++ b/docs/modules/scanner/design/deno-runtime-signals.md
@@ -0,0 +1,109 @@
 # Deno Runtime Signals & Policy Contract (v0.1-DRAFT)
 ## Purpose
 Define deterministic runtime evidence records and policy signals for Deno analyzer phase II (tasks DENO-26-009/010/011). The contract is offline-friendly, append-only, and compatible with Surface/Signals stores.
 ## Scope
 - Harnessed execution hook (`stella deno trace`) capturing module loads and permission grants during analysis.
 - Trace serialization for Worker/CLI/Offline Kit and AnalysisStore.
 - Policy signal keys consumed by Surface/Signals and Policy Engine.
 ## Event model
 - Encoding: NDJSON; each line is a UTF-8 JSON object sorted by key when written.
 - Path handling: absolute paths are converted to analyzer-relative paths; each relative path also emits `path_sha256` (lowercase hex) to proof without leaking paths.
 - Timestamps: ISO-8601 UTC with millisecond precision; no local time.
 ### Event types
 ```jsonc
 {
  "type": "deno.module.load",          // required
  "ts": "2025-11-17T12:00:00.123Z",    // required
  "module": {
    "specifier": "file:///src/app/main.ts", // original
    "normalized": "app/main.ts",
    "path_sha256": "..."
  },
  "reason": "dynamic-import",          // static-import | dynamic-import | npm | cache | bundle
  "permissions": ["fs", "net"],        // granted at time of load
  "origin": "https://deno.land/x/std@0.208.0/http/server.ts" // optional for remote/npm
 }
 ```
 ```jsonc
 {
  "type": "deno.permission.use",
  "ts": "2025-11-17T12:00:01.234Z",
  "permission": "ffi",                  // fs|net|env|ffi|process|crypto|worker
  "module": {
    "normalized": "native/mod.ts",
    "path_sha256": "..."
  },
  "details": "Deno.dlopen"             // short reason code
 }
 ```
 ```jsonc
 {
  "type": "deno.npm.resolution",
  "ts": "2025-11-17T12:00:02.100Z",
  "specifier": "npm:chalk@5",
  "package": "chalk",
  "version": "5.3.0",
  "resolved": "file:///cache/npm/registry.npmjs.org/chalk/5.3.0",
  "exists": true
 }
 ```
 ```jsonc
 {
  "type": "deno.wasm.load",
  "ts": "2025-11-17T12:00:03.000Z",
  "module": {
    "normalized": "pkg/module.wasm",
    "path_sha256": "..."
  },
  "importer": "app/main.ts",
  "reason": "dynamic-import"
 }
 ```
 ## Observation envelope (AnalysisStore)
 Key: `ScanAnalysisKeys.DenoObservationPayload`
 Payload fields:
 - `analyzerId`: `deno`
 - `kind`: `deno.runtime.v1`
 - `mediaType`: `application/x-ndjson`
 - `metadata` (map):
  - `deno.runtime.event_count`
  - `deno.runtime.permission_uses`
  - `deno.runtime.module_loads`
  - `deno.runtime.remote_origins` (comma-separated, sorted)
  - `deno.runtime.permissions` (unique perms CSV)
  - `deno.runtime.npm_resolutions`
  - `deno.runtime.wasm_loads`
  - `deno.runtime.dynamic_imports`
 - `content`: gz-safe byte stream of NDJSON lines.
 ## Policy signal keys
 Emit into Surface/Signals (namespaced `surface.lang.deno.*`) derived from observation digest + static analyzer outputs:
 - `surface.lang.deno.permissions`: CSV of unique permissions seen (fs, net, env, ffi, process, crypto, worker).
 - `surface.lang.deno.remote_origins`: CSV of normalized remote origins from module loads/fetches.
 - `surface.lang.deno.npm_modules`: integer count of npm resolutions observed.
 - `surface.lang.deno.wasm_modules`: integer count of wasm loads.
 - `surface.lang.deno.dynamic_imports`: integer count of `deno.module.load` events where `reason=dynamic-import`.
 - `surface.lang.deno.capabilities`: CSV of capability reason codes from static analyzer (`builtin.*`) merged with runtime permissions.
 - `surface.lang.deno.module_loads`: integer count of module load events.
 - `surface.lang.deno.permission_uses`: integer count of permission use events.
 ## CLI / Worker contracts
 - CLI verb `stella deno trace --root <path>` writes `deno-runtime.ndjson` to output folder and prints observation hash.
 - Worker: when `DenoRuntimeCapture:true`, analyzer writes observation to AnalysisStore and links hash in layer metadata `deno.observation.hash` (already produced by static analyzer) and new `deno.runtime.hash`.
 ## Determinism and safety
 - No network fetches; trace operates on cached artifacts or harnessed execution with `--allow-all` disabled. Permissions recorded reflect requested grants; blanks treated as deny.
 - Paths always normalized to forward slashes; hashing uses full relative path bytes.
 - Redaction: no environment variable values or file contents persisted—only paths + hashes.
 ## Open follow-ups (to track in sprint)
 - Map NDJSON to AOC writer once runtime ingestion lands (LANG-11-003 analogue for Deno).
 - Add integration tests mirroring fixtures from DENO-26-008 with synthetic permission use and dynamic imports.
--- a/docs/modules/scheduler/AGENTS.md
+++ b/docs/modules/scheduler/AGENTS.md
@@ -1,34 +1,39 @@
 # Scheduler agent guide
 ## Mission
-Scheduler detects advisory/VEX deltas, computes impact windows, and orchestrates re-evaluations across Scanner and Policy Engine.
+Scheduler detects advisory/VEX deltas, computes impact windows, and orchestrates re-evaluations across Scanner and Policy Engine. Docs in this directory are the front-door contract for contributors.
-## Key docs
+## Working directory
- [Module README](./README.md)
+- `docs/modules/scheduler` (docs-only); code changes live under `src/Scheduler/**` but must be coordinated via sprint plans.
 - [Architecture](./architecture.md)
 - [Implementation plan](./implementation_plan.md)
 - [Task board](./TASKS.md)
-## How to get started
+## Roles & owners
-1. Open sprint file `/docs/implplan/SPRINT_*.md` and locate the stories referencing this module.
+- **Docs author**: curates AGENTS/TASKS/runbooks; keeps determinism/offline guidance accurate.
-2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
+- **Scheduler engineer (Worker/WebService)**: aligns implementation notes with architecture and ensures observability/runbook updates land with code.
-3. Read the architecture and README for domain context before editing code or docs.
+- **Observability/Ops**: maintains dashboards/rules, documents operational SLOs and alert contracts.
 4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
 ## Guardrails
 - Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
 - Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
 - Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
 - Update runbooks/observability assets when operational characteristics change.
 ## Required Reading
 - `docs/modules/scheduler/README.md`
 - `docs/modules/scheduler/architecture.md`
 - `docs/modules/scheduler/implementation_plan.md`
 - `docs/modules/platform/architecture-overview.md`
-## Working Agreement
+## How to work
- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
+1. Open relevant sprint file in `docs/implplan/SPRINT_*.md` and set task status to `DOING` there and in `docs/modules/scheduler/TASKS.md` before starting.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
+2. Confirm prerequisites above are read; note any missing contracts in sprint **Decisions & Risks**.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
+3. Keep outputs deterministic (stable ordering, UTC ISO-8601 timestamps, sorted lists) and offline-friendly (no external fetches without mirrors).
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
+4. When changing behavior, update runbooks and observability assets in `./operations/`.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.
+5. On completion, set status to `DONE` in both the sprint file and `TASKS.md`; if paused, revert to `TODO` and add a brief note.
 ## Guardrails
 - Honour the Aggregation-Only Contract where applicable (see `../../ingestion/aggregation-only-contract.md`).
 - No undocumented schema or API contract changes; document deltas in architecture or implementation_plan.
 - Keep Offline Kit parity—document air-gapped workflows for any new feature.
 - Prefer deterministic fixtures and avoid machine-specific artefacts in examples.
 ## Testing & determinism expectations
 - Examples and snippets should be reproducible; pin sample timestamps to UTC and sort collections.
 - Observability examples must align with published metric names and labels; update `operations/worker-prometheus-rules.yaml` if alert semantics change.
 ## Status mirrors
 - Sprint tracker: `/docs/implplan/SPRINT_*.md` (source of record for Delivery Tracker).
 - Local tracker: `docs/modules/scheduler/TASKS.md` (mirrors sprint status; keep in sync).
--- a/docs/modules/scheduler/TASKS.md
+++ b/docs/modules/scheduler/TASKS.md
@@ -0,0 +1,14 @@
 # Scheduler module task board
 Keep this table in sync with sprint Delivery Trackers for the Scheduler docs/process stream.
 | Task ID | Status | Owner(s) | Notes |
 | --- | --- | --- | --- |
 | SCHEDULER-DOCS-0001 | DONE | Docs Guild | AGENTS charter refreshed with roles/prereqs/determinism and cross-links. |
 | SCHEDULER-ENG-0001 | DONE | Module Team | TASKS.md created; status mirror rules documented. |
 | SCHEDULER-OPS-0001 | DONE | Ops Guild | Outcomes synced to sprint file and tasks-all tracker. |
 ## Status rules
 - Update both this file and the relevant `docs/implplan/SPRINT_*.md` entry whenever you change a task state.
 - Use TODO → DOING → DONE/BLOCKED. If you pause work, revert to TODO and leave a short note.
 - Document contract or runbook changes in the appropriate module docs under this directory.
--- a/docs/policy/assistant-parameters.md
+++ b/docs/policy/assistant-parameters.md
@@ -107,4 +107,4 @@ Overwrite via `AdvisoryAI:Tasks:Summary:Budget:PromptTokens`, etc. The worker re
 - Updating **guardrail phrases** triggers only on host reload. When distributing blocked-phrase files via Offline Kits, keep filenames stable and version them through Git so QA can diff changes.
 - **Temperature / sampling** remains a remote-provider concern. StellaOps records the provider’s `modelId` and exposes fallback metadata so policy authors can audit when sanitized prompts were returned instead of model output.
- Always track changes in `docs/implplan/SPRINT_111_advisoryai.md` (task `DOCS-AIAI-31-006`) when promoting this document so the guild can trace which parameters were added per sprint.
+- Always track changes in `docs/implplan/SPRINT_0111_0001_0001_advisoryai.md` (task `DOCS-AIAI-31-006`) when promoting this document so the guild can trace which parameters were added per sprint.
--- a/docs/product-advisories/archived/15-Nov-2026
+++ b/docs/product-advisories/archived/15-Nov-2026
--- a/docs/product-advisories/archived/15-Nov-2026
+++ b/docs/product-advisories/archived/15-Nov-2026
--- a/docs/product-advisories/archived/15-Nov-2026
+++ b/docs/product-advisories/archived/15-Nov-2026
--- a/docs/product-advisories/archived/15-Nov-2026
+++ b/docs/product-advisories/archived/15-Nov-2026
--- a/docs/product-advisories/archived/15-Nov-2026
+++ b/docs/product-advisories/archived/15-Nov-2026
--- a/docs/product-advisories/archived/16-Nov-2026
+++ b/docs/product-advisories/archived/16-Nov-2026
--- a/docs/product-advisories/archived/16-Nov-2026
+++ b/docs/product-advisories/archived/16-Nov-2026
--- a/docs/product-advisories/archived/16-Nov-2026
+++ b/docs/product-advisories/archived/16-Nov-2026
--- a/docs/product-advisories/archived/16-Nov-2026
+++ b/docs/product-advisories/archived/16-Nov-2026
--- a/docs/provenance/inline-dsse.md
+++ b/docs/provenance/inline-dsse.md
@@ -88,6 +88,45 @@ Reference helper: `src/__Libraries/StellaOps.Provenance.Mongo/ProvenanceMongoExt
 ---
 ### 2.2 Advisory AI structured chunk schema (GHSA/Cisco parity)
 Advisory AI consumes the canonical `Advisory` aggregate and emits structured chunks that mirror GHSA GraphQL and Cisco PSIRT provenance anchors. The response contract is:
 ```jsonc
 {
  "advisoryKey": "CVE-2025-0001",
  "fingerprint": "<sha256 of canonical advisory>",
  "total": 3,
  "truncated": false,
  "entries": [
    {
      "type": "workaround",                // sorted by (type, observationPath, documentId)
      "chunkId": "c0ffee12",              // sha256(advisory.observationId + observationPath)[:16]
      "content": { /* structured field */ },
      "provenance": {
        "documentId": "tenant-a:chunk:newest", // Mongo _id of backing observation
        "observationPath": "/references/0",    // JSON Pointer into the observation
        "source": "nvd",
        "kind": "workaround",
        "value": "tenant-a:chunk:newest",
        "recordedAt": "2025-01-07T00:00:00Z",
        "fieldMask": ["/references/0"]
      }
    }
  ]
 }
 ```
 Determinism requirements:
 - Order entries by `(type, observationPath, documentId)` to keep cache keys stable across nodes.
 - Always include the advisory `fingerprint` in cache keys and responses.
 - Preserve observation-level provenance by emitting both `documentId` and `observationPath` under `provenance`.
 These anchors let Attestor/Console deep-link evidence and allow offline mirrors to prove origin without merging transforms.
 ---
 ## 3. CI/CD snippet
 See `scripts/publish_attestation_with_provenance.sh`:
--- a/docs/samples/lnm/linkset-ghsa.json
+++ b/docs/samples/lnm/linkset-ghsa.json
@@ -8,8 +8,14 @@
    "purls": [ "pkg:npm/example" ],
    "versions": [ "1.2.3" ],
    "ranges": [ { "type": "semver", "events": [ { "introduced": "0" }, { "fixed": "1.2.4" } ] } ],
-    "severities": [ { "system": "cvssv3.1", "score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ]
+    "severities": [ { "system": "cvssv3.1", "score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ],
    "scopes": [ "runtime", "build" ],
    "relationships": [
      { "type": "depends_on", "source": "pkg:npm/example@1.2.3", "target": "pkg:npm/lib@4.5.6", "provenance": "sbom:inventory-2025-10-01" }
    ]
  },
  "confidence": 1.0,
  "conflicts": [],
  "createdAt": "2025-10-06T12:05:00Z",
  "builtByJobId": "linkset-builder-456",
  "provenance": {
--- a/docs/samples/lnm/observation-ghsa.json
+++ b/docs/samples/lnm/observation-ghsa.json
@@ -11,6 +11,10 @@
    "versions": [ "1.2.3" ],
    "ranges": [ { "type": "semver", "events": [ { "introduced": "0" }, { "fixed": "1.2.4" } ] } ]
  } ],
  "scopes": [ "runtime", "build" ],
  "relationships": [
    { "type": "depends_on", "source": "pkg:npm/example@1.2.3", "target": "pkg:npm/lib@4.5.6", "provenance": "sbom:inventory-2025-10-01" }
  ],
  "references": [ "https://github.com/example/advisory" ],
  "weaknesses": [ "CWE-79" ],
  "published": "2025-10-01T00:00:00Z",
--- a/etc/signals.yaml.sample
+++ b/etc/signals.yaml.sample
@@ -27,6 +27,12 @@ Signals:
    ReachabilityFactsCollection: "reachability_facts"
  Storage:
    RootPath: "../data/signals-artifacts"
  Scoring:
    ReachableConfidence: 0.75
    UnreachableConfidence: 0.25
    RuntimeBonus: 0.15
    MaxConfidence: 0.99
    MinConfidence: 0.05
  AirGap:
    SealedMode:
      EnforcementEnabled: false
--- a/samples/provenance/build-statement-sample.json
+++ b/samples/provenance/build-statement-sample.json
@@ -1,24 +1 @@
-{
+{"BuildDefinition":{"BuildType":"https://slsa.dev/provenance/v1","ExternalParameters":{"policyHash":"sha256:deadbeef","workflow":"orchestrator/job"},"ResolvedDependencies":{"sbomDigest":"sha256:aaaabbbb","vexDigest":"sha256:ccccdddd"}},"BuildMetadata":{"BuildFinishedOn":"2025-11-16T12:00:10Z","BuildInvocationId":"job-12345","BuildStartedOn":"2025-11-16T12:00:00Z","Completeness":{"environment":true,"materials":true,"parameters":true},"Reproducible":true}}
  buildDefinition: {
    buildType: https://slsa.dev/provenance/v1,
    externalParameters: {
      workflow: orchestrator/job,
      policyHash: sha256:deadbeef
    },
    resolvedDependencies: {
      sbomDigest: sha256:aaaabbbb,
      vexDigest: sha256:ccccdddd
    }
  },
  buildMetadata: {
    buildInvocationId: job-12345,
    buildStartedOn: 2025-11-16T12:00:00Z,
    buildFinishedOn: 2025-11-16T12:00:10Z,
    reproducible: true,
    completeness: {
      parameters: true,
      environment: true,
      materials: true
    }
  }
 }
--- a/samples/provenance/export-service-statement.json
+++ b/samples/provenance/export-service-statement.json
@@ -0,0 +1 @@
 {"BuildDefinition":{"BuildType":"https://slsa.dev/provenance/v1","ExternalParameters":{"exportId":"exp-42","format":"ndjson"},"ResolvedDependencies":{"input":"s3://exports/cache/v1/graph.ndjson","policy":"policy-bundle-v3"}},"BuildMetadata":{"BuildFinishedOn":"2025-11-14T18:00:45Z","BuildInvocationId":"export-job-42","BuildStartedOn":"2025-11-14T17:58:10Z","Completeness":{"environment":true,"materials":true,"parameters":true},"Environment":{"region":"us-west-2","runner":"export-center","schemaVersion":"1.0.0"},"Reproducible":true}}
--- a/samples/provenance/job-runner-statement.json
+++ b/samples/provenance/job-runner-statement.json
@@ -0,0 +1 @@
 {"BuildDefinition":{"BuildType":"https://slsa.dev/provenance/v1","ExternalParameters":{"dataset":"sbom-v1","job":"graph-index"},"ResolvedDependencies":{"sbomDigest":"sha256:111122223333444455556666777788889999aaaabbbbccccddddeeeeffff0000"}},"BuildMetadata":{"BuildFinishedOn":"2025-11-12T09:21:30Z","BuildInvocationId":"graph-index-job-789","BuildStartedOn":"2025-11-12T09:20:00Z","Completeness":{"environment":true,"materials":true,"parameters":true},"Environment":{"region":"eu-central-1","runner":"scheduler-worker","schemaVersion":"1.0.0"},"Reproducible":true}}
--- a/samples/provenance/orchestrator-statement.json
+++ b/samples/provenance/orchestrator-statement.json
@@ -0,0 +1 @@
 {"BuildDefinition":{"BuildType":"https://slsa.dev/provenance/v1","ExternalParameters":{"entrypoint":"orchestrator","workflow":"release"},"ResolvedDependencies":{"source":"git+https://git.stella-ops.internal/stella.git@abcdef123456"}},"BuildMetadata":{"BuildFinishedOn":"2025-11-10T12:05:00Z","BuildInvocationId":"orchestrator-run-123","BuildStartedOn":"2025-11-10T12:00:00Z","Completeness":{"environment":true,"materials":true,"parameters":true},"Environment":{"region":"us-east-1","runner":"task-runner","schemaVersion":"1.0.0"},"Reproducible":true}}
--- a/src/AdvisoryAI/AGENTS.md
+++ b/src/AdvisoryAI/AGENTS.md
@@ -0,0 +1,46 @@
 # Advisory AI · AGENTS
 ## Roles
 - Backend engineer (.NET 10, C# preview) for `StellaOps.AdvisoryAI*` services and worker.
 - Docs engineer for Advisory AI runbooks and user guides in `docs/advisory-ai` and related policy/SBOM docs.
 - QA automation engineer for `__Tests/StellaOps.AdvisoryAI.Tests` (unit/golden/property/perf).
 ## Working Directory
 - Primary: `src/AdvisoryAI/**` (WebService, Worker, Hosting, plugins, tests).
 - Docs: `docs/advisory-ai/**`, `docs/policy/assistant-parameters.md`, `docs/sbom/*` when explicitly touched by sprint tasks.
 - Shared libraries allowed only if referenced by Advisory AI projects; otherwise stay in-module.
 ## Required Reading (treat as read before DOING)
 - `docs/README.md`
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 - `docs/modules/platform/architecture-overview.md`
 - `docs/modules/advisory-ai/architecture.md`
 - Sprint context: `docs/implplan/SPRINT_0111_0001_0001_advisoryai.md`
 - Guardrail and ops knobs: `docs/policy/assistant-parameters.md`
 ## Working Agreements
 - Determinism first: stable ordering, seeded randomness, UTC ISO-8601 timestamps, content-addressed caches; no wall-clock timing in tests.
 - Offline-friendly: no hardcoded external endpoints; respect BYO trust roots and offline bundles.
 - Observability: structured logs with event ids; expose counters and (optional) OTEL traces guarded by config.
 - Configuration: prefer `IOptions` + validated options with data annotations; map env vars in docs.
 - Security: least privilege, short-lived keys, no embedding secrets; honor guardrail phrases and sanitization paths documented in policy knobs.
 - Queue/cache: avoid unbounded growth; make capacities and TTLs configurable; default to conservative limits.
 ## Testing
 - Run `dotnet test src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/StellaOps.AdvisoryAI.Tests.csproj` before marking DONE.
 - Add/extend golden/property tests for new behaviors; keep fixtures deterministic (seeded caches, static input data).
 - For perf-sensitive paths, keep benchmarks deterministic and skip in CI unless flagged.
 ## Docs & Change Sync
 - When changing behaviors or contracts, update relevant docs under `docs/modules/advisory-ai`, `docs/policy/assistant-parameters.md`, or sprint-linked docs; mirror decisions in sprint **Decisions & Risks**.
 - If new advisories/platform decisions occur, notify sprint log and link updated docs.
 ## Contracts & Dependencies
 - SBOM context feed: follow `SBOM-AIAI-31-001` contract (idempotent, extend-only, no versioning).
 - DevOps runbook `DEVOPS-AIAI-31-001` governs packaging/on-prem toggles; do not ship manifests without it.
 - Console/CLI dependencies remain gating for UI/CLI docs (see sprint tracker).
 ## Tooling
 - Target `net10.0`; use latest Microsoft.* packages compatible with net10.
 - NuGet: prefer local cache `/local-nugets`; avoid floating versions.
 - Linting/analyzers: keep nullable enabled; treat warnings as errors where feasible.
--- a/src/AdvisoryAI/StellaOps.AdvisoryAI/AGENTS.md
+++ b/src/AdvisoryAI/StellaOps.AdvisoryAI/AGENTS.md
@@ -25,6 +25,19 @@ Deliver the Advisory AI assistant service that synthesizes advisory/VEX evidence
 - `docs/modules/advisory-ai/architecture.md`
 - `docs/modules/platform/architecture-overview.md`
 ## Roles & Boundaries
 - **Backend engineer** – APIs, retrievers, guardrails, orchestrator glue under `src/AdvisoryAI/StellaOps.AdvisoryAI*` and shared fixtures in `src/AdvisoryAI/__Tests`.
 - **Worker/queue engineer** – background processing and cache orchestration in `StellaOps.AdvisoryAI.Worker`.
 - **Docs engineer** – Advisory AI docs in `docs/advisory-ai/*`, policy/sbom/runbooks in `docs/policy`, `docs/sbom`, `docs/runbooks`.
 - **QA/Testing** – deterministic harnesses and golden/property/generative tests in `src/AdvisoryAI/__Tests`.
 - Allowed shared dirs: `StellaOps.AdvisoryAI.Hosting`, `StellaOps.Concelier.PluginBinaries` (read-only plugins), and cross-module contracts under `docs/modules/advisory-ai/*`.
 ## Testing & Determinism
 - Prefer golden/property tests with seeded randoms; fixtures live under `__Tests/Fixtures` with stable ordering.
 - Cache keys must include tenant + SBOM hash + advisory digest; avoid wall-clock time in logic—use injected clocks.
 - HTTP clients configurable via options + DI; set timeouts; no live network in unit tests (use test servers/mocks).
 - When adding APIs, update OpenAPI and ensure validation/guardrail regressions are tested.
 ## Working Agreement
 - 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
--- a/src/Cli/__Tests/StellaOps.Cli.Tests/Commands/CommandHandlersTests.cs
+++ b/src/Cli/__Tests/StellaOps.Cli.Tests/Commands/CommandHandlersTests.cs
@@ -4056,4 +4056,88 @@ spec:
            return Task.FromResult(_response);
        }
    }
    [Fact]
    public async Task HandleOfflineKitStatusAsync_AsJsonRendersPayload()
    {
        var originalExit = Environment.ExitCode;
        var originalConsole = AnsiConsole.Console;
        try
        {
            Environment.ExitCode = 0;
            var console = new TestConsole();
            AnsiConsole.Console = console;
            var backend = new StubBackendClient(new JobTriggerResult(true, "ok", null, null))
            {
                OfflineStatus = new OfflineKitStatus(
                    "bundle-123",
                    "stable",
                    "kit",
                    false,
                    null,
                    DateTimeOffset.Parse("2025-11-03T00:00:00Z", CultureInfo.InvariantCulture),
                    DateTimeOffset.Parse("2025-11-04T00:00:00Z", CultureInfo.InvariantCulture),
                    "sha256:deadbeef",
                    1024,
                    new[]
                    {
                        new OfflineKitComponentStatus("scanner", "1.0.0", "abc", DateTimeOffset.Parse("2025-11-03T00:00:00Z", CultureInfo.InvariantCulture), 512)
                    })
            };
            var provider = BuildServiceProvider(backend);
            await CommandHandlers.HandleOfflineKitStatusAsync(
                provider,
                asJson: true,
                verbose: false,
                cancellationToken: CancellationToken.None);
            Assert.Equal(0, Environment.ExitCode);
            Assert.Contains("bundle-123", console.Output, StringComparison.OrdinalIgnoreCase);
            Assert.Contains("scanner", console.Output, StringComparison.OrdinalIgnoreCase);
        }
        finally
        {
            Environment.ExitCode = originalExit;
            AnsiConsole.Console = originalConsole;
        }
    }
    [Fact]
    public async Task HandleOfflineKitStatusAsync_AsJsonHandlesEmptyStatus()
    {
        var originalExit = Environment.ExitCode;
        var originalConsole = AnsiConsole.Console;
        try
        {
            Environment.ExitCode = 0;
            var console = new TestConsole();
            AnsiConsole.Console = console;
            var backend = new StubBackendClient(new JobTriggerResult(true, "ok", null, null))
            {
                OfflineStatus = new OfflineKitStatus(null, null, null, false, null, null, null, null, null, Array.Empty<OfflineKitComponentStatus>())
            };
            var provider = BuildServiceProvider(backend);
            await CommandHandlers.HandleOfflineKitStatusAsync(
                provider,
                asJson: true,
                verbose: false,
                cancellationToken: CancellationToken.None);
            Assert.Equal(0, Environment.ExitCode);
            Assert.Contains("\"bundleId\": null", console.Output, StringComparison.OrdinalIgnoreCase);
        }
        finally
        {
            Environment.ExitCode = originalExit;
            AnsiConsole.Console = originalConsole;
        }
    }
 }
--- a/src/Concelier/StellaOps.Concelier.WebService/Contracts/AdvisoryChunkResponses.cs
+++ b/src/Concelier/StellaOps.Concelier.WebService/Contracts/AdvisoryChunkResponses.cs
@@ -5,14 +5,13 @@ namespace StellaOps.Concelier.WebService.Contracts;
 public sealed record AdvisoryStructuredFieldResponse(
    string AdvisoryKey,
    string Fingerprint,
    int Total,
    bool Truncated,
    IReadOnlyList<AdvisoryStructuredFieldEntry> Entries);
 public sealed record AdvisoryStructuredFieldEntry(
    string Type,
    string DocumentId,
    string FieldPath,
    string ChunkId,
    AdvisoryStructuredFieldContent Content,
    AdvisoryStructuredFieldProvenance Provenance);
@@ -65,6 +64,8 @@ public sealed record AdvisoryStructuredAffectedContent(
    string? Status);
 public sealed record AdvisoryStructuredFieldProvenance(
    string DocumentId,
    string ObservationPath,
    string Source,
    string Kind,
    string? Value,
--- a/src/Concelier/StellaOps.Concelier.WebService/Contracts/AdvisoryObservationContracts.cs
+++ b/src/Concelier/StellaOps.Concelier.WebService/Contracts/AdvisoryObservationContracts.cs
@@ -1,16 +1,19 @@
 using System.Collections.Immutable;
-using StellaOps.Concelier.Models.Observations;
+using StellaOps.Concelier.Models.Observations;
 using StellaOps.Concelier.RawModels;
 namespace StellaOps.Concelier.WebService.Contracts;
-public sealed record AdvisoryObservationQueryResponse(
+public sealed record AdvisoryObservationQueryResponse(
-    ImmutableArray<AdvisoryObservation> Observations,
+    ImmutableArray<AdvisoryObservation> Observations,
-    AdvisoryObservationLinksetAggregateResponse Linkset,
+    AdvisoryObservationLinksetAggregateResponse Linkset,
-    string? NextCursor,
+    string? NextCursor,
-    bool HasMore);
+    bool HasMore);
-
+
-public sealed record AdvisoryObservationLinksetAggregateResponse(
+public sealed record AdvisoryObservationLinksetAggregateResponse(
-    ImmutableArray<string> Aliases,
+    ImmutableArray<string> Aliases,
-    ImmutableArray<string> Purls,
+    ImmutableArray<string> Purls,
-    ImmutableArray<string> Cpes,
+    ImmutableArray<string> Cpes,
-    ImmutableArray<AdvisoryObservationReference> References);
+    ImmutableArray<AdvisoryObservationReference> References,
    ImmutableArray<string> Scopes,
    ImmutableArray<RawRelationship> Relationships);
--- a/src/Concelier/StellaOps.Concelier.WebService/Contracts/AdvisoryRawContracts.cs
+++ b/src/Concelier/StellaOps.Concelier.WebService/Contracts/AdvisoryRawContracts.cs
@@ -45,18 +45,26 @@ public sealed record AdvisoryIdentifiersRequest(
    [property: JsonPropertyName("primary")] string Primary,
    [property: JsonPropertyName("aliases")] IReadOnlyList<string>? Aliases);
-public sealed record AdvisoryLinksetRequest(
+public sealed record AdvisoryLinksetRequest(
-    [property: JsonPropertyName("aliases")] IReadOnlyList<string>? Aliases,
+    [property: JsonPropertyName("aliases")] IReadOnlyList<string>? Aliases,
-    [property: JsonPropertyName("purls")] IReadOnlyList<string>? PackageUrls,
+    [property: JsonPropertyName("scopes")] IReadOnlyList<string>? Scopes,
-    [property: JsonPropertyName("cpes")] IReadOnlyList<string>? Cpes,
+    [property: JsonPropertyName("relationships")] IReadOnlyList<AdvisoryLinksetRelationshipRequest>? Relationships,
-    [property: JsonPropertyName("references")] IReadOnlyList<AdvisoryLinksetReferenceRequest>? References,
+    [property: JsonPropertyName("purls")] IReadOnlyList<string>? PackageUrls,
-    [property: JsonPropertyName("reconciledFrom")] IReadOnlyList<string>? ReconciledFrom,
+    [property: JsonPropertyName("cpes")] IReadOnlyList<string>? Cpes,
-    [property: JsonPropertyName("notes")] IDictionary<string, string>? Notes);
+    [property: JsonPropertyName("references")] IReadOnlyList<AdvisoryLinksetReferenceRequest>? References,
-
+    [property: JsonPropertyName("reconciledFrom")] IReadOnlyList<string>? ReconciledFrom,
-public sealed record AdvisoryLinksetReferenceRequest(
+    [property: JsonPropertyName("notes")] IDictionary<string, string>? Notes);
-    [property: JsonPropertyName("type")] string Type,
+
-    [property: JsonPropertyName("url")] string Url,
+public sealed record AdvisoryLinksetRelationshipRequest(
-    [property: JsonPropertyName("source")] string? Source);
+    [property: JsonPropertyName("type")] string Type,
    [property: JsonPropertyName("source")] string Source,
    [property: JsonPropertyName("target")] string Target,
    [property: JsonPropertyName("provenance")] string? Provenance);
 public sealed record AdvisoryLinksetReferenceRequest(
    [property: JsonPropertyName("type")] string Type,
    [property: JsonPropertyName("url")] string Url,
    [property: JsonPropertyName("source")] string? Source);
 public sealed record AdvisoryIngestResponse(
    [property: JsonPropertyName("id")] string Id,
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1 @@`
							{"BuildDefinition":{"BuildType":"https://slsa.dev/provenance/v1","ExternalParameters":{"exportId":"exp-42","format":"ndjson"},"ResolvedDependencies":{"input":"s3://exports/cache/v1/graph.ndjson","policy":"policy-bundle-v3"}},"BuildMetadata":{"BuildFinishedOn":"2025-11-14T18:00:45Z","BuildInvocationId":"export-job-42","BuildStartedOn":"2025-11-14T17:58:10Z","Completeness":{"environment":true,"materials":true,"parameters":true},"Environment":{"region":"us-west-2","runner":"export-center","schemaVersion":"1.0.0"},"Reproducible":true}}