docs(implplan): sync sprint statuses with real repo state

- SPRINT_20260408_005_Audit_endpoint_filters_deprecation: FILTER-004, -006,
  -008 marked DONE with commit 54e7f871a; FILTER-005, -007 DONE with
  d4d75200c; FILTER-010 DONE with 665bd6db4. DEPRECATE-001/002/003 still
  TODO with mandatory 30-day + 90-day wait windows; CAPSULE-001 stays
  BLOCKED. Sprint cannot be archived until the verification windows pass.

- SPRINT_20260408_002_Findings_vulnexplorer_ledger_merge: corrected VXLM-003
  and VXLM-004 from DONE → DOING. Adapters still back VEX decisions,
  fix verifications, and audit bundles with ConcurrentDictionary; the
  VulnExplorer.Api and VulnExplorer.WebService project directories were not
  deleted; migration 010 is present but unused. Execution log records the
  finding; commit 414049ef8 message was misleading.

- SPRINT_20260408_004_Timeline_unified_audit_sink: scope confirmation logged.
  AUDIT-002 through AUDIT-007 remain TODO (~15–25 hr breadth work); too
  large for a single session. Sprint stays active.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

This commit is contained in: master
2026-04-13 22:14:53 +03:00
parent 62d865080d
commit 852c4d15fe
3 changed files with 11 additions and 8 deletions

@@ -373,7 +373,7 @@ Completion criteria:
- [ ] Pagination (pageToken/pageSize) works
### VXLM-003 - Migrate VEX decision and fix verification endpoints to Ledger event persistence
Status: DONE
Status: DOING (adapters still ConcurrentDictionary; see 2026-04-13 execution log)
Dependency: VXLM-001, VXLM-002
Owners: Backend engineer
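
Review bot: the new `Status:` line under VXLM-003 appends a free-text reason in parentheses to the value, where the line it replaces was a bare `Status: DONE`. If anything reads these fields mechanically, keep the line as `Status: DOING` and move the reason to its own line directly below, still pointing at the 2026-04-13 execution log row. The same applies to the other seven status lines touched in this change.
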
@@ -425,7 +425,7 @@ Completion criteria:
- [ ] Data migration from `vulnexplorer.*` tables to Ledger events complete
### VXLM-004 - Remove VulnExplorer service and update compose/routing/consumers
Status: DONE
Status: DOING (compose/routing done; VulnExplorer.Api and VulnExplorer.WebService project dirs not deleted)
Dependency: VXLM-003
Owners: Backend engineer, DevOps
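
Review bot: the VXLM-004 status line says compose/routing is done while its dependency VXLM-003 is now back to DOING, which leaves the Ledger-mounted endpoints serving VEX decisions, fix verifications and audit bundles from a `ConcurrentDictionary`, that is, from process memory only. That consequence is not stated anywhere in this hunk or in the new log row. Suggest adding a Decisions & Risks entry saying these records do not survive a restart until VXLM-003 lands, and whether routing should stay cut over in the meantime.
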
@@ -550,6 +550,7 @@ Completion criteria:
| 2026-04-08 | Sprint restructured into two phases: Phase 1 (in-memory to Postgres migration) and Phase 2 (merge into Ledger). Comprehensive consumer/dependency audit added. | Planning |
| 2026-04-08 | Phase 2 implemented (VXLM-001 through VXLM-004): DTOs moved to Ledger `Contracts/VulnExplorer/`, endpoints mounted via `VulnExplorerEndpoints.cs`, adapter services created, compose/routing/services-matrix updated, docs updated. Phase 1 skipped per user direction (wire to existing Ledger services instead of creating separate vulnexplorer schema). VXLM-005 (integration tests) remaining TODO. | Backend |
| 2026-04-08 | VXLM-005 verification started. Created 12 integration tests in `VulnExplorerEndpointsIntegrationTests.cs` covering all 6 endpoint groups + full triage workflow + auth checks. Identified 4 gaps: (1) adapters still use ConcurrentDictionary not Ledger events, (2) evidence-subgraph route mismatch between UI and Ledger, (3) old VulnExplorer.Api.Tests reference stale Program.cs, (4) VulnApiTests expect hardcoded SampleData IDs. Documentation updates pending. | Backend/QA |
| 2026-04-13 | Status audit: VXLM-003 and VXLM-004 corrected from DONE → DOING to match reality. Re-verification confirmed the 2026-04-08 GAP: `VexDecisionAdapter`, `FixVerificationAdapter`, `AuditBundleAdapter` still use `ConcurrentDictionary` (source comment explicitly says "future iterations will wire to Ledger event types"). `StellaOps.VulnExplorer.Api/` and `StellaOps.VulnExplorer.WebService/` project directories were not deleted by VXLM-004. Migration `010_vex_fix_audit_tables.sql` exists but `VulnExplorerRepositories.cs` is a 33-line placeholder. No new Ledger event types (`finding.vex_decision_created`, etc.) were added. Commit `414049ef8` message "wire VulnExplorer adapters to Postgres" is misleading — only scaffolding landed. Real work remaining: implement Postgres repositories consuming migration 010, extend `LedgerEventConstants`, swap adapters to emit Ledger events, delete the stale VulnExplorer projects. Sprint cannot be archived. | QA |
## Decisions & Risks
- **Decision**: Two-phase approach. Phase 1 migrates VulnExplorer to Postgres while it remains a standalone service. Phase 2 merges into Findings Ledger. Rationale: reduces risk by separating persistence migration from service boundary changes; allows independent validation of the data model.
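
Review bot: the new 2026-04-13 row re-verifies only gap (1) of the four gaps listed in the 2026-04-08 VXLM-005 row; the evidence-subgraph route mismatch, the stale `VulnExplorer.Api.Tests` reference and the hardcoded SampleData IDs in `VulnApiTests` are not mentioned. Since this row is a status audit, state for each of gaps (2) to (4) whether it was re-checked and what was found. The "Real work remaining" list would also be easier to track as completion criteria under VXLM-003 and VXLM-004 than as prose inside a log cell.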

@@ -251,6 +251,7 @@ Completion criteria:
| --- | --- | --- |
| 2026-04-08 | Sprint created from deep audit landscape investigation. Catalogued 16+ independent audit implementations across the monorepo. | Planning |
| 2026-04-08 | AUDIT-001 implemented: created 20260408_003_unified_audit_events.sql migration (table + sequences + chain functions), PostgresUnifiedAuditEventStore with SHA-256 hash chain, updated CompositeUnifiedAuditEventProvider to read from Postgres, wired AddStartupMigrations in Program.cs. Build passes with 0 errors. | Developer |
| 2026-04-13 | Scope confirmation: AUDIT-002 through AUDIT-007 remain TODO. Estimated 15-25 hr of breadth work: instrument 14+ services with `AddAuditEmission()` + `AuditActionAttribute` (AUDIT-002, L), backfill polling for Scanner/Scheduler/Integrations/Attestor/SBOM (AUDIT-003, S), GDPR data classification + retention engine + right-to-erasure endpoint (AUDIT-004, L), deprecate per-service audit tables (AUDIT-005, M), UI updates for unified module visibility (AUDIT-006, M), AuditPack export from Timeline store (AUDIT-007, M). Sprint stays active; too large for a single session. Note: Migration `20260408_003_unified_audit_events.sql` was renumbered to `003_unified_audit_events.sql` in commit `4a8e2758c`. | Planning |
## Decisions & Risks
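
Review bot: the renumbering of `20260408_003_unified_audit_events.sql` to `003_unified_audit_events.sql` is appended as a "Note:" at the end of a scope-confirmation row, while the 2026-04-08 AUDIT-001 row above still names the old file. A reader searching the log for the migration will hit the stale name first. Suggest giving the rename its own execution-log row citing commit `4a8e2758c`, and keeping this row to the AUDIT-002 through AUDIT-007 scope statement.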

@@ -451,7 +451,7 @@ Completion criteria:
**Effort: 2 days**
### FILTER-004 - Batch 2: Annotate Platform
Status: TODO
Status: DONE (commit 54e7f871a)
Dependency: FILTER-001
Owners: Developer (backend)
Task description:
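
Review bot: `Status: DONE (commit 54e7f871a)` on FILTER-004 rests on a commit hash alone, and the commit totals (11 additions, 8 deletions) are fully accounted for by the eight status lines and three log rows, so no completion-criteria checkbox changed in this file. The sibling sprint in this same commit reverts two DONE entries because a commit message overstated what landed. Suggest confirming the checkboxes under each FILTER task flipped here are ticked, or ticking them in this change, and recording in the log row what was checked beyond the existence of the commit.
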
@@ -470,7 +470,7 @@ Completion criteria:
**Effort: 2.5 days**
### FILTER-005 - Batch 2 continued: Annotate Authority
Status: TODO
Status: DONE (commit d4d75200c)
Dependency: FILTER-001
Owners: Developer (backend)
Task description:
@@ -491,7 +491,7 @@ Completion criteria:
**Effort: 2 days**
### FILTER-006 - Batch 2 continued: Annotate Notify
Status: TODO
Status: DONE (commit 54e7f871a)
Dependency: FILTER-001
Owners: Developer (backend)
Task description:
@@ -510,7 +510,7 @@ Completion criteria:
**Effort: 2 days**
### FILTER-007 - Batch 2 continued: Annotate Policy Engine + Gateway
Status: TODO
Status: DONE (commit d4d75200c)
Dependency: FILTER-001
Owners: Developer (backend)
Task description:
@@ -540,7 +540,7 @@ Completion criteria:
**Effort: 4 days**
### FILTER-008 - Batch 2 continued: Annotate Release-Orchestrator + Scheduler
Status: TODO
Status: DONE (commit 54e7f871a)
Dependency: FILTER-001
Owners: Developer (backend)
Task description:
@@ -556,7 +556,7 @@ Completion criteria:
**Effort: 2 days**
### FILTER-010 - Annotate endpoints in newly-wired services (Attestor, Findings, Doctor, Signals, AdvisoryAI, RiskEngine)
Status: TODO
Status: DONE (commit 665bd6db4)
Dependency: FILTER-001 (convention helper)
Owners: Developer (backend)
Task description:
@@ -709,6 +709,7 @@ Completion criteria:
| 2026-04-08 | Sprint created. Full endpoint inventory completed across all 9 wired services (~532 state-changing endpoints). Per-service audit table analysis completed for 6 services with local tables. | Planning |
| 2026-04-08 | Added FILTER-010 (6 newly-wired services: ~80 endpoints) and CAPSULE-001 (blocked on capsule pipeline). Added Config/Settings Audit Checklist confirming all mutation surfaces are covered. Total active effort updated to 28 days. | Planning |
| 2026-04-08 | FILTER-001 DONE: Created `AuditedRouteGroupExtensions.cs` with `WithAuditFilter()` and `Audited()` convenience methods. FILTER-002 DONE: Annotated 7 EvidenceLocker + 6 Integrations endpoints. FILTER-003 DONE: Annotated ~50 Scanner endpoints across 20 files (skipped read-only POSTs per convention). All 3 services build clean with 0 errors/warnings. | Developer |
| 2026-04-13 | Status sync: FILTER-004 (Platform), FILTER-006 (Notify), FILTER-008 (ReleaseOrchestrator+Scheduler) confirmed DONE via commit `54e7f871a`. FILTER-005 (Authority), FILTER-007 (Policy+Gateway) confirmed DONE via commit `d4d75200c`. FILTER-010 (Attestor, Findings, Doctor, Signals, AdvisoryAI, RiskEngine) confirmed DONE via commit `665bd6db4`. Additional audit-filter hardening shipped via commits `2a69ad112` (enhanced filter with body capture) and `7f40f8d67` (module catalog, Diff ingest, chain verify fixes). DEPRECATE-001/002/003 remain TODO — they have mandatory 30-day and 90-day verification windows built into the plan and cannot be accelerated. CAPSULE-001 remains BLOCKED on the capsule sealing pipeline. | QA |
## Decisions & Risks
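
Review bot: the new 2026-04-13 row records commit `2a69ad112` as "enhanced filter with body capture" with no task ID and no statement of what is captured or redacted. With the filter now annotated on Authority endpoints (FILTER-005), request bodies reaching the audit store can include credentials or personal data. Suggest linking the hardening commits to a task and adding a Decisions & Risks entry that states which fields the body capture excludes or masks.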