feat: Add VEX Lens CI and Load Testing Plan

- Introduced a comprehensive CI job structure for VEX Lens, including build, test, linting, and load testing.
- Defined load test parameters and SLOs for VEX Lens API and Issuer Directory.
- Created Grafana dashboards and alerting mechanisms for monitoring API performance and error rates.
- Established offline posture guidelines for CI jobs and load testing.

feat: Implement deterministic projection verification script

- Added `verify_projection.sh` script for verifying the integrity of projection exports against expected hashes.
- Ensured robust error handling for missing files and hash mismatches.

feat: Develop Vuln Explorer CI and Ops Plan

- Created CI jobs for Vuln Explorer, including build, test, and replay verification.
- Implemented backup and disaster recovery strategies for MongoDB and Redis.
- Established Merkle anchoring verification and automation for ledger projector.

feat: Introduce EventEnvelopeHasher for hashing event envelopes

- Implemented `EventEnvelopeHasher` to compute SHA256 hashes for event envelopes.

feat: Add Risk Store and Dashboard components

- Developed `RiskStore` for managing risk data and state.
- Created `RiskDashboardComponent` for displaying risk profiles with filtering capabilities.
- Implemented unit tests for `RiskStore` and `RiskDashboardComponent`.

feat: Enhance Vulnerability Detail Component

- Developed `VulnerabilityDetailComponent` for displaying detailed information about vulnerabilities.
- Implemented error handling for missing vulnerability IDs and loading failures.

ops/devops/vuln/verify_projection.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Deterministic projection verification for DEVOPS-VULN-29-001/002
+# Usage: ./verify_projection.sh [projection-export.json] [expected-hash-file]
+set -euo pipefail
+PROJECTION=${1:-samples/vuln/events/projection.json}
+EXPECTED_HASH_FILE=${2:-ops/devops/vuln/expected_projection.sha256}
+
+if [[ ! -f "$PROJECTION" ]]; then
+  echo "projection file not found: $PROJECTION" >&2
+  exit 1
+fi
+if [[ ! -f "$EXPECTED_HASH_FILE" ]]; then
+  echo "expected hash file not found: $EXPECTED_HASH_FILE" >&2
+  exit 1
+fi
+
+calc_hash=$(sha256sum "$PROJECTION" | awk '{print $1}')
+expected_hash=$(cut -d' ' -f1 "$EXPECTED_HASH_FILE")
+
+if [[ "$calc_hash" != "$expected_hash" ]]; then
+  echo "mismatch: projection hash $calc_hash expected $expected_hash" >&2
+  exit 2
+fi
+
+echo "projection hash matches ($calc_hash)" >&2

ops/devops/vuln/vuln-explorer-ci-plan.md

@@ -0,0 +1,43 @@
+# Vuln Explorer CI + Ops Plan (DEVOPS-VULN-29-001)
+
+Scope: CI jobs, backup/DR, Merkle anchoring monitoring, and verification automation for the Vuln Explorer ledger projector and API.
+Assumptions: Vuln Explorer API uses MongoDB + Redis; ledger projector performs replay into materialized views; Merkle tree anchoring to transparency log.
+
+## CI Jobs
+- `build-vuln`: dotnet restore/build for `src/VulnExplorer/StellaOps.VulnExplorer.Api` and projector; use `DOTNET_DISABLE_BUILTIN_GRAPH=1` and `local-nugets/`.
+- `test-vuln`: focused tests with `dotnet test src/VulnExplorer/__Tests/...` and `--filter Category!=GraphHeavy`; publish TRX + coverage.
+- `replay-smoke`: run projector against fixture event log (`samples/vuln/events/replay.ndjson`) and assert deterministic materialized view hash; fail on divergence.
+- `sbom+attest`: reuse `ops/devops/docker/sbom_attest.sh` post-build.
+
+## Backup & DR
+- Mongo: enable point-in-time snapshots (if available) or nightly `mongodump` of `vuln_explorer` db; store in object storage with retention 30d.
+- Redis (if used for cache): not authoritative; no backup required.
+- Replay-first recovery: keep latest event log snapshot in `release artifacts`; replay task rehydrates materialized views.
+
+## Merkle Anchoring Verification
+- Monitor projector metrics: `ledger_projection_lag_seconds`, `ledger_projection_errors_total`.
+- Add periodic job `verify-merkle`: fetch latest Merkle root from projector state, cross-check against transparency log (`rekor` or configured log) using `cosign verify-tree` or custom verifier.
+- Alert when last anchored root age > 15m or mismatch detected.
+
+## Verification Automation
+- Script `ops/devops/vuln/verify_projection.sh` (to be added) should:
+  - Run projector against fixture events and compute hash of materialized view snapshot (`sha256sum` over canonical JSON export).
+  - Compare with expected hash stored in `ops/devops/vuln/expected_projection.sha256`.
+  - Exit non-zero on mismatch.
+
+## Fixtures
+- Store deterministic replay fixture under `samples/vuln/events/replay.ndjson` (generated offline, includes mixed tenants, disputed findings, remediation states).
+- Export canonical projection snapshot to `samples/vuln/events/projection.json` and hash to `ops/devops/vuln/expected_projection.sha256`.
+
+## Dashboards / Alerts (DEVOPS-VULN-29-002/003)
+- Dashboard panels: projection lag, replay throughput, API latency (`/findings`, `/findings/{id}`), query budget enforcement hits, and Merkle anchoring status.
+- Alerts: `vuln_projection_lag_gt_60s`, `vuln_projection_error_rate_gt_1pct`, `vuln_api_latency_p95_gt_300ms`, `merkle_anchor_stale_gt_15m`.
+
+## Offline posture
+- CI and verification use in-repo fixtures; no external downloads.
+- Use mirrored images and `local-nugets/` for all builds/tests.
+
+## Local run
+```
+DOTNET_DISABLE_BUILTIN_GRAPH=1 dotnet test src/VulnExplorer/__Tests/StellaOps.VulnExplorer.Api.Tests/StellaOps.VulnExplorer.Api.Tests.csproj --filter Category!=GraphHeavy
+```