Merge: resolve advisory filename conflicts

Resolved conflicts:
- Removed deleted file: 24-Nov-2025 - Designing a Deterministic Reachability Benchmarkmd
- Kept regular hyphen version: 25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md
- Removed en-dash variant to standardize filename format

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

docs/product-advisories/25-Nov-2025 - Offline‑kit attestation essentials checklist.md

@@ -0,0 +1,630 @@
+Here’s a tight, practical blueprint for an **offline/air‑gap verification kit**—so regulated customers can prove what they’re installing without any network access.
+
+---
+
+# Offline kit: what to include & how to use it
+
+**Why this matters (in plain words):** When a server has no internet, customers still need to trust that the bits they install are exactly what you shipped—and that the provenance is provable. This kit lets them verify integrity, origin, and minimal runtime safety entirely offline.
+
+## 1) Signed SBOMs (DSSE‑wrapped)
+
+* **Files:** `product.sbom.json` (CycloneDX or SPDX) + `product.sbom.json.dsse`
+* **What it gives:** Full component list with a detached DSSE envelope proving it came from you.
+* **Tip:** Use a *deterministic* SBOM build to avoid hash drift across rebuilds.
+
+## 2) Rekor‑style receipt (or equivalent transparency record)
+
+* **Files:** `rekor-receipt.json` (or a vendor‑neutral JSON receipt with canonical log ID, index, entry hash)
+* **Offline use:** They can’t query Rekor, but they can:
+
+  * Check the receipt’s **inclusion proof** against a bundled **checkpoint** (see #5).
+  * Archive the receipt for later online audit parity.
+
+## 3) Installer checksum + signature
+
+* **Files:**
+
+  * `installer.tar.zst` (or your MSI/DEB/RPM)
+  * `installer.sha256`
+  * `installer.sha256.sig`
+* **What it gives:** Simple, fast integrity check + cryptographic authenticity (your offline public key in #5).
+
+## 4) Minimal runtime config examples
+
+* **Files:** `configs/minimal/compose.yml`, `configs/minimal/appsettings.json`, `configs/minimal/readme.md`
+* **What it gives:** A known‑good baseline the customer can start from without guessing env vars or secrets (use placeholders).
+
+## 5) Step‑by‑step verification commands & trust roots
+
+* **Files:**
+
+  * `VERIFY.md` (copy‑paste steps below)
+  * `keys/vendor-pubkeys.pem` (X.509 or PEM keyring)
+  * `checkpoints/transparency-checkpoint.txt` (Merkle root or log checkpoint snapshot)
+  * `tools/` (static, offline verifiers if allowed: e.g., `cosign`, `gpg`, `sha256sum`)
+* **What it gives:** A single, predictable path to verification, without internet.
+
+---
+
+## Drop‑in VERIFY.md (ready to ship)
+
+```bash
+# 0) Prepare
+export KIT_DIR=/media/usb/StellaOpsOfflineKit
+cd "$KIT_DIR"
+
+# 1) Verify installer integrity
+sha256sum -c installer.sha256  # expects: installer.tar.zst: OK
+
+# 2) Verify checksum signature (GPG example)
+gpg --keyid-format long --import keys/vendor-pubkeys.pem
+gpg --verify installer.sha256.sig installer.sha256
+
+# 3) Verify SBOM DSSE envelope (cosign example, offline)
+# If you bundle cosign statically: tools/cosign verify-blob --key keys/vendor-pubkeys.pem ...
+tools/cosign verify-blob \
+  --key keys/vendor-pubkeys.pem \
+  --signature product.sbom.json.dsse \
+  product.sbom.json
+
+# 4) Verify transparency receipt against bundled checkpoint (offline proof)
+# (a) Inspect receipt & checkpoint
+jq . rekor-receipt.json | head
+cat checkpoints/transparency-checkpoint.txt
+
+# (b) Validate Merkle proof (bundle a tiny verifier)
+tools/tlog-verify \
+  --receipt rekor-receipt.json \
+  --checkpoint checkpoints/transparency-checkpoint.txt \
+  --roots keys/vendor-pubkeys.pem
+
+# 5) Inspect SBOM quickly (CycloneDX)
+jq '.components[] | {name, version, purl}' product.sbom.json | head -n 50
+
+# 6) Start from minimal config (no secrets inside the kit)
+cp -r configs/minimal ./local-min
+# Edit placeholders in ./local-min/*.yml / *.json before running
+```
+
+---
+
+## Packaging notes (for your build pipeline)
+
+* **Determinism:** Pin timestamps, ordering, and compression flags for SBOM and archives so hashes are stable.
+* **Crypto suite:** Default to modern Ed25519/sha256; optionally include **post‑quantum** signatures as a second envelope for long‑horizon customers.
+* **Key rotation:** Bundle a **key manifest** (`keys/manifest.json`) mapping key IDs → validity windows → products.
+* **Receipts:** If Rekor v2 or your own ledger is used, export an **inclusion proof + checkpoint** so customers can validate structure offline and later re‑check online for consistency.
+* **Tooling:** Prefer statically linked, air‑gap‑safe binaries in `tools/` with a small README and SHA256 list for each tool.
+
+---
+
+## Suggested kit layout
+
+```
+StellaOpsOfflineKit/
+├─ installer.tar.zst
+├─ installer.sha256
+├─ installer.sha256.sig
+├─ product.sbom.json
+├─ product.sbom.json.dsse
+├─ rekor-receipt.json
+├─ keys/
+│  ├─ vendor-pubkeys.pem
+│  └─ manifest.json
+├─ checkpoints/
+│  └─ transparency-checkpoint.txt
+├─ configs/
+│  └─ minimal/
+│     ├─ compose.yml
+│     ├─ appsettings.json
+│     └─ readme.md
+├─ tools/
+│  ├─ cosign
+│  └─ tlog-verify
+└─ VERIFY.md
+```
+
+---
+
+## What your customers gain
+
+* **Integrity** (checksum matches), **authenticity** (signature verifies), **provenance** (SBOM + DSSE), and **ledger consistency** (receipt vs checkpoint)—all **without internet**.
+* A **minimal, known‑good config** to get running safely in air‑gapped environments.
+
+If you want, I can turn this into a Git‑ready template (files + sample keys + tiny verifier) that your CI can populate on release build.
+Below is something you can drop almost verbatim in an internal Confluence / `docs/engineering` page as “Developer directions for the Offline / Air-Gap Verification Kit”.
+
+---
+
+## 1. Objective for the team
+
+We must ship, for every Stella Ops on-prem / air-gapped release, an **Offline Verification Kit** that allows a customer to verify:
+
+1. Integrity of the installer payload
+2. Authenticity of the payload and SBOM (came from us, not altered)
+3. Provenance of the SBOM via DSSE + transparency receipt
+4. A minimal, known-good configuration to start from in an air-gap
+
+All of this must work **with zero network access**.
+
+You are responsible for implementing this as part of the standard build/release pipeline, not as a one-off script.
+
+---
+
+## 2. Directory layout and naming conventions
+
+All code and CI scripts must assume the following layout for the kit content:
+
+```text
+StellaOpsOfflineKit/
+├─ installer.tar.zst
+├─ installer.sha256
+├─ installer.sha256.sig
+├─ product.sbom.json
+├─ product.sbom.json.dsse
+├─ rekor-receipt.json
+├─ keys/
+│  ├─ vendor-pubkeys.pem
+│  └─ manifest.json
+├─ checkpoints/
+│  └─ transparency-checkpoint.txt
+├─ configs/
+│  └─ minimal/
+│     ├─ compose.yml
+│     ├─ appsettings.json
+│     └─ readme.md
+├─ tools/
+│  ├─ cosign
+│  └─ tlog-verify
+└─ VERIFY.md
+```
+
+### Developer tasks
+
+1. **Create a small “builder” tool/project** in the repo, e.g.
+   `src/Tools/OfflineKitBuilder` (language of your choice, .NET is fine).
+2. The builder must:
+
+   * Take as inputs:
+
+     * path to installer (`installer.tar.zst` or equivalent)
+     * path to SBOM (`product.sbom.json`)
+     * DSSE signature file, Rekor receipt, checkpoint, keys, configs, tools
+   * Produce the exact directory layout above under a versioned output:
+     `artifacts/offline-kit/StellaOpsOfflineKit-<version>/...`
+3. CI will then archive this directory as a tarball / zip for release.
+
+---
+
+## 3. SBOM + DSSE implementation directions
+
+### 3.1 SBOM generation (Scanner/Sbomer responsibility)
+
+1. **Deterministic SBOM build**
+
+   * Make SBOM generation reproducible:
+
+     * Sort component lists and dependencies deterministically.
+     * Avoid embedding current timestamps or build paths.
+     * If timestamps are unavoidable, normalize them to a fixed value (e.g. `1970-01-01T00:00:00Z`) in the SBOM generator.
+   * Acceptance test:
+
+     * Generate the SBOM twice from the same source/container.
+       The resulting `product.sbom.json` must be byte-identical (`sha256` match).
+
+2. **Standard format**
+
+   * Use CycloneDX or SPDX (CycloneDX recommended).
+   * Provide:
+
+     * Components (name, version, purl).
+     * Dependencies graph.
+     * License information, if available.
+
+3. **Output path**
+
+   * Standardize the output path in the build pipeline, e.g.:
+
+     * `artifacts/sbom/product.sbom.json`
+   * The OfflineKitBuilder will pick it from this path.
+
+### 3.2 DSSE wrapping of the SBOM
+
+1. Implement a small internal library or service method:
+
+   * Input: `product.sbom.json`
+   * Output: `product.sbom.json.dsse` (DSSE envelope containing the SBOM)
+   * Use a **signing key stored in CI / key-management**, not in the repo.
+
+2. DSSE envelope structure must include:
+
+   * Payload (base64) of the SBOM.
+   * PayloadType (e.g. `application/vnd.cyclonedx+json`).
+   * Signatures array (at least one signature with keyid, sig).
+
+3. Signing key:
+
+   * Use Ed25519 or an equivalent modern key.
+   * Private key is available only to the signing stage in CI.
+   * Public key is included in `keys/vendor-pubkeys.pem`.
+
+4. Acceptance tests:
+
+   * Unit test: verify that DSSE envelope can be parsed and verified with the public key.
+   * Integration test: run `tools/cosign verify-blob` (in a test job) against a sample SBOM and DSSE pair in CI.
+
+---
+
+## 4. Rekor-style receipt & checkpoint directions
+
+### 4.1 Generating the receipt
+
+1. The pipeline that signs SBOM (or installer) must, if an online transparency log is used (e.g. Rekor v2):
+
+   * Submit the DSSE / signature to the log.
+   * Receive a receipt JSON that includes:
+
+     * Log ID
+     * Entry index (logIndex)
+     * Entry hash (canonicalized)
+     * Inclusion proof (hashes, tree size, root hash)
+   * Save that JSON as `rekor-receipt.json` in `artifacts/offline-kit-temp/`.
+
+2. If you use your own internal log instead of public Rekor:
+
+   * Ensure the receipt format is stable and documented.
+   * Include:
+
+     * Unique log identifier.
+     * Timestamp when entry was logged.
+     * Inclusion proof equivalent (Merkle branch).
+     * Log root / checkpoint.
+
+### 4.2 Checkpoint bundling
+
+1. During the same pipeline run, fetch a **checkpoint** of the transparency log:
+
+   * For Rekor: the “checkpoint” or “log root” structure.
+   * For internal log: a signed statement summarizing tree size, root hash, etc.
+
+2. Store it as a text file:
+
+   * `checkpoints/transparency-checkpoint.txt`
+   * Content should be suitable for a simple CLI verifier:
+
+     * Tree size
+     * Root hash
+     * Signature from log operator
+     * Optional: log origin / description
+
+3. Acceptance criteria:
+
+   * A local offline `tlog-verify` tool (see below) must be able to:
+
+     * Read `rekor-receipt.json`.
+     * Read `transparency-checkpoint.txt`.
+     * Confirm inclusion (matches tree size/root hash, verify log signature).
+
+---
+
+## 5. Installer checksum and signature directions
+
+### 5.1 Checksum
+
+1. After building the main installer bundle (`installer.tar.zst`, `.msi`, `.deb`, etc.), generate:
+
+   ```bash
+   sha256sum installer.tar.zst > installer.sha256
+   ```
+
+2. Ensure the file format is standard:
+
+   * Single line: `<sha256>  installer.tar.zst`
+   * No extra whitespace or carriage returns.
+
+3. Store both files in the temp artifact area:
+
+   * `artifacts/offline-kit-temp/installer.tar.zst`
+   * `artifacts/offline-kit-temp/installer.sha256`
+
+### 5.2 Signature of the checksum
+
+1. Use a **release signing key** (GPG or cosign key pair):
+
+   * Private key only in CI.
+   * Public key(s) in `keys/vendor-pubkeys.pem`.
+
+2. Sign the checksum file, not the installer directly, so customers:
+
+   * Verify `installer.sha256.sig` against `installer.sha256`.
+   * Then verify `installer.tar.zst` against `installer.sha256`.
+
+3. Example (GPG):
+
+   ```bash
+   gpg --batch --yes --local-user "$RELEASE_KEY_ID" \
+       --output installer.sha256.sig \
+       --sign --detach-sig installer.sha256
+   ```
+
+4. Acceptance criteria:
+
+   * In a clean environment with only `vendor-pubkeys.pem` imported:
+
+     * `gpg --verify installer.sha256.sig installer.sha256` must succeed.
+
+---
+
+## 6. Keys/manifest directions
+
+Under `keys/`:
+
+1. `vendor-pubkeys.pem`:
+
+   * PEM bundle of all public keys that may sign:
+
+     * SBOM DSSE
+     * Installer checksums
+     * Transparency log checkpoints (if same trust root or separate)
+   * Maintain it as a concatenated PEM file.
+
+2. `manifest.json`:
+
+   * A small JSON mapping key IDs and roles:
+
+   ```json
+   {
+     "keys": [
+       {
+         "id": "stellaops-release-2025",
+         "type": "ed25519",
+         "usage": ["sbom-dsse", "installer-checksum"],
+         "valid_from": "2025-01-01T00:00:00Z",
+         "valid_to": "2027-01-01T00:00:00Z"
+       },
+       {
+         "id": "stellaops-log-root-2025",
+         "type": "ed25519",
+         "usage": ["transparency-checkpoint"],
+         "valid_from": "2025-01-01T00:00:00Z",
+         "valid_to": "2026-01-01T00:00:00Z"
+       }
+     ]
+   }
+   ```
+
+3. Ownership:
+
+   * Devs do not store private keys in the repo.
+   * Key rotation: update `manifest.json` and `vendor-pubkeys.pem` as separate, reviewed commits.
+
+---
+
+## 7. Minimal runtime config directions
+
+Under `configs/minimal/`:
+
+1. `compose.yml`:
+
+   * Describe a minimal, single-node deployment suitable for:
+
+     * Test / PoC in an air-gap.
+   * Use environment variables with obvious placeholders:
+
+     * `STELLAOPS_DB_PASSWORD=CHANGE_ME`
+     * `STELLAOPS_LICENSE_KEY=INSERT_LICENSE`
+   * Avoid any embedded secrets or customer-specific values.
+
+2. `appsettings.json` (or equivalent configuration file):
+
+   * Only minimal, safe defaults:
+
+     * Listening ports.
+     * Logging level.
+     * Path locations inside container/VM.
+   * No connection strings with passwords. Use placeholders clearly labeled.
+
+3. `readme.md`:
+
+   * Describe:
+
+     * Purpose of these files.
+     * Statement that they are templates and must be edited before use.
+     * Short example of a `docker compose up` or `systemctl` invocation.
+   * Explicitly say: “No secrets ship with the kit; you must provide them separately.”
+
+4. Acceptance criteria:
+
+   * Security review script or manual checklist to verify:
+
+     * No passwords, tokens, or live endpoints are present.
+   * Smoke test:
+
+     * Replace placeholders with test values in CI and assert containers start.
+
+---
+
+## 8. Tools bundling directions
+
+Under `tools/`:
+
+1. `cosign`:
+
+   * Statically linked binary for Linux x86_64 (and optionally others if you decide).
+   * No external runtime dependencies.
+   * Version pinned in a central place (e.g. `build/versions.json`).
+
+2. `tlog-verify`:
+
+   * Your simple offline verifier:
+
+     * Verifies `rekor-receipt.json` against `transparency-checkpoint.txt`.
+     * Verifies checkpoint signatures using key(s) in `vendor-pubkeys.pem`.
+   * Implement it as a small CLI (Go / Rust / .NET).
+
+3. Tool integrity:
+
+   * Generate a separate checksums file for tools, e.g.:
+
+     ```bash
+     sha256sum tools/* > tools.sha256
+     ```
+
+   * Not mandatory for customers to use, but good for internal checks.
+
+4. Acceptance criteria:
+
+   * In a fresh container:
+
+     * `./tools/cosign --help` works.
+     * `./tools/tlog-verify --help` shows usage.
+   * End-to-end CI step:
+
+     * Run `VERIFY.md` steps programmatically (see below).
+
+---
+
+## 9. VERIFY.md generation directions
+
+The offline kit must include a **ready-to-run** `VERIFY.md` with copy-paste commands that match the actual filenames.
+
+Content should be close to:
+
+````markdown
+# Offline verification steps (Stella Ops)
+
+```bash
+# 0) Prepare
+export KIT_DIR=/path/to/StellaOpsOfflineKit
+cd "$KIT_DIR"
+
+# 1) Verify installer integrity
+sha256sum -c installer.sha256  # expects installer.tar.zst: OK
+
+# 2) Verify checksum signature
+gpg --keyid-format long --import keys/vendor-pubkeys.pem
+gpg --verify installer.sha256.sig installer.sha256
+
+# 3) Verify SBOM DSSE envelope (offline)
+tools/cosign verify-blob \
+  --key keys/vendor-pubkeys.pem \
+  --signature product.sbom.json.dsse \
+  product.sbom.json
+
+# 4) Verify transparency receipt against bundled checkpoint
+tools/tlog-verify \
+  --receipt rekor-receipt.json \
+  --checkpoint checkpoints/transparency-checkpoint.txt \
+  --roots keys/vendor-pubkeys.pem
+
+# 5) Inspect SBOM summary (CycloneDX example)
+jq '.components[] | {name, version, purl}' product.sbom.json | head -n 50
+
+# 6) Start from minimal config
+cp -r configs/minimal ./local-min
+# Edit placeholders in ./local-min/*.yml / *.json before running
+````
+
+```
+
+### Developer directions
+
+1. `OfflineKitBuilder` must generate `VERIFY.md` automatically:
+
+   - Do not hardcode filenames in the markdown.
+   - Use the actual filenames passed into the builder.
+   - If you change file names in future, `VERIFY.md` must update automatically.
+
+2. Add a small template engine or straightforward string formatting to keep this maintainable.
+
+3. Acceptance criteria:
+
+   - CI job: unpack the built offline kit, `cd` into it, and:
+     - Run all commands from `VERIFY.md` in a non-interactive script.
+     - Test environment simulates “offline” (no outbound network, but that is mostly a policy, not enforced here).
+     - The job fails if any verification step fails.
+
+---
+
+## 10. CI/CD pipeline integration directions
+
+You must add a dedicated stage to the pipeline, e.g. `package_offline_kit`, with the following characteristics:
+
+1. **Dependencies**:
+
+   - Depends on:
+     - Installer build stage.
+     - SBOM generation stage.
+     - Signing/transparency logging stage.
+
+2. **Steps**:
+
+   1. Download artifacts:
+      - `installer.tar.zst`
+      - `product.sbom.json`
+      - DSSE, Rekor receipt, checkpoint, keys, tools.
+   2. Run signing step (if not done earlier) for:
+      - `installer.sha256`
+      - `installer.sha256.sig`
+   3. Invoke `OfflineKitBuilder`:
+      - Provide paths as arguments or environment variables.
+   4. Archive resulting `StellaOpsOfflineKit-<version>` as:
+      - `StellaOpsOfflineKit-<version>.tar.zst` (or `.zip`).
+   5. Publish this artifact:
+      - As a GitLab / CI artifact.
+      - As part of the release assets in your Git server.
+
+3. **Versioning**:
+
+   - Offline kit version must match product version.
+   - Use the same semantic version tag as the main release.
+
+4. **Validation**:
+
+   - Add a `test_offline_kit` job:
+     - Pulls the built offline kit.
+     - Runs a scripted version of `VERIFY.md`.
+     - Reports failure if any step fails.
+
+---
+
+## 11. Security & key management directions (for devs to respect)
+
+1. **Never commit private keys** to the repository, even encrypted.
+
+2. Keys used for:
+
+   - DSSE signing  
+   - Installer checksum signing  
+   - Transparency log checkpoints  
+
+   must be provided via CI secrets or external KMS.
+
+3. When adding or rotating keys:
+
+   - Update `keys/vendor-pubkeys.pem`.
+   - Update `keys/manifest.json`.
+   - Run a small internal test to ensure old and new keys are handled correctly.
+
+4. Document in internal engineering docs:
+
+   - Who owns which key.
+   - Rotational schedule.
+   - Emergency rotation procedure.
+
+---
+
+## 12. Developer checklist per release
+
+Before considering a release candidate complete, the responsible engineer must confirm:
+
+1. [ ] `product.sbom.json` is deterministic (double run hash test passed).
+2. [ ] `product.sbom.json.dsse` verifies with `tools/cosign` and `vendor-pubkeys.pem`.
+3. [ ] `installer.tar.zst` matches `installer.sha256` and `installer.sha256.sig` verifies.
+4. [ ] `rekor-receipt.json` and `transparency-checkpoint.txt` pass `tools/tlog-verify`.
+5. [ ] `configs/minimal/` contains no secrets and boots a minimal deployment.
+6. [ ] `VERIFY.md` has been regenerated by `OfflineKitBuilder` and all steps succeed in the CI `test_offline_kit` job.
+7. [ ] The release artifact `StellaOpsOfflineKit-<version>.tar.zst` is attached to the release and downloadable.
+
+If you want, next step I can do is draft a concrete `OfflineKitBuilder` design in .NET 10 (projects, classes, CLI options, and some sample code) so your devs can just fill in the implementation.
+```

docs/product-advisories/27-Nov-2025 - Late‑November SBOM & VEX competitor.md

@@ -0,0 +1,394 @@
+I’m sharing this because I think you’ll want to map recent ecosystem movements against entity["software","StellaOps",1] — this gives you a sharp late‑November snapshot to trigger sprint tickets if you want.  
+
+## 🔎 What’s new in the ecosystem (mid‑Nov → now)
+
+| Product / Project | Key Recent Changes / Signals |
+|---|---|
+| **entity["software","Syft",0] (and entity["software","Grype",0] / grype‑db)** | Syft 1.38.0 was released on **2025‑11‑17**. citeturn0search0 Grype‑db also got a new release, v0.47.0, on **2025‑11‑25**. citeturn0search7 |
+|  | However: there are newly opened bug reports for Syft 1.38.0 — e.g. incorrect PURLs for some Go modules. citeturn0search6turn0search8 |
+| **entity["software","JFrog Xray",0]** | Its documented support for offline vulnerability‑DB updates remains active: `xr offline-update` is still the go‑to for air‑gapped environments. citeturn0search3 |
+| **entity["software","Trivy",0] (by Aqua Security)** | There is historical support for an “offline DB” approach, but community reports warn about issues with DB‑schema mismatches when using old offline DB snapshots. citeturn0search11 |
+
+## 🧮 Updated matrix (features ↔ business impact ↔ status etc.)
+
+| Product | Feature (reachability / SBOM & VEX / DSSE·Rekor / offline mode) | Business impact | StellaOps status (should be) | Competitor coverage (as of late Nov 2025) | Implementation notes / risks / maturity flags |
+|---|---|---:|---|---|---|---|
+| Syft + Grype | SBOM generation (CycloneDX/SPDX), in‑toto attestations (SBOM provenance), vulnerability DB (grype‑db) for offline scanning | High — gives strong SBOM provenance + fast local scanning for CI / offline fleets | Should make StellaOps Sbomer/Vexer accept and normalize Syft output + verify signatures + use grype‑db snapshots for vulnerabilities | Syft v1.38.0 adds new SBOM functionality; grype‑db v0.47.0 provides updated vulnerability data. citeturn0search0turn0search7 | Build mirroring job to pull grype‑db snapshots and signature‑verify; add SBOM ingest + attestation validation (CycloneDX/in‑toto) flows; but watch out for SBOM correctness bugs (e.g. PURL issues) citeturn0search6turn0search8 | **Medium** — robust base, but recent issues illustrate risk in edge cases (module naming, reproducibility, DB churn) |
+| JFrog Xray | SBOM ingestion + mapping into components; offline DB update tooling for vulnerability data | High — enterprise users with Artifactory/Xray benefit from offline update + scanning + SBOM import | StellaOps should mirror Xray‑style mapping and support offline DB bundle ingestion when clients use Xray | Xray supports `xr offline-update` for DB updates today. citeturn0search3 | Implement Xray‑style offline updater: produce signed vulnerability DB + mapping layer + ingestion test vectors | **Low–Medium** — Xray is mature; integration is operational rather than speculative |
+| Trivy | SBOM generation, vulnerability scanning, offline DB support | High — provides SBOM + offline scanning, useful for regulated / air‑gap clients | StellaOps to optionally consume Trivy outputs + support offline‑DB bundles, fallback to Rekor lookups if online | Offline‑db approach exists historically, though older offline DB snapshots may break with new Trivy CLI versions. citeturn0search11 | If adopting: build DB‑snapshot bundle + signed manifest + ensure compatibility with current Trivy schema; treat as secondary/compatibility scanner | **Medium** — features exist but stability with offline mode depends on DB schema/version alignment |
+| Clair / Quay‑Clair (legacy) | Classic static container analysis + vulnerability scanning | Lower/high (depending on stack) — relevant for legacy Harbor/Quay users who haven’t migrated to newer tools | StellaOps should treat Clair as optional scanner source; map outputs into canonical graph schema for compatibility | Public activity is low and no major changes in Nov 14–28 window (no recent release visible) | Provide Clair→CycloneDX/VEX mapper + ingest path to graph; treat as fallback for legacy customers | **Medium** — stable but not under active development; good for compatibility, not innovation |
+
+## ✅ Developer‑actionable To‑Do (prioritized after recent ecosystem moves)
+
+1. **Enable scheduled mirroring and signature‑verification** for grype‑db snapshots (thanks to the new v0.47.0).  
+2. **Build SBOM ingest + in‑toto attestation validation path** in StellaOps — take advantage of recent Syft 1.38.0 release.  
+3. **Add resilience to SBOM ingestion logic** (e.g. validate PURLs, handle inconsistent metadata) given known Syft 1.38.0 bugs.  
+4. **Support offline‑bundle ingestion for Trivy / Xray** — wrap vulnerability‑DB snapshot + SBOM index + signed manifest in tar.gz, importable by clients.  
+5. **Treat Clair as an optional/legacy source** — implement mapping + ingestion for compatibility, but deprioritize for feature innovation.  
+
+## ⚠️ Risk & Maturity Summary
+
+- Syft + Grype: Good momentum — but recent SBOM metadata issues hint at reproducibility/consistency risks when used at scale in a graph-based system.  
+- Trivy offline support: Works but brittle when DB/CLI version mismatch — requires strict control of versions when bundling offline DBs.  
+- Xray integration: Operational risk is low; biggest work is in building mapping + ingestion logic in StellaOps.  
+- Clair: Safe fallback, but not strategic — limited development momentum.  
+
+---
+
+If you like — I can also compute **“delta heatmap”**: i.e. which parts of StellaOps are now _urgent_ to implement (because competitor momentum increased) vs which parts can be safely scheduled later.
+
+
+Below is the **Delta Heatmap** you requested. It identifies **where Stella Ops is now under competitive pressure**, **where competitors’ November movements shift urgency**, and **where you can safely defer**. This is not generic; it is computed explicitly from the current Syft 1.38.0, grype-db v0.47.0, Trivy DB-schema volatility, and Xray’s stable offline-update posture.
+
+# Stella Ops Delta Heatmap  
+Relative to mid-November 2025 ecosystem movements
+
+image_group{"layout":"carousel","aspect_ratio":"16:9","query":["software architecture heatmap diagram","product management urgency matrix","cybersecurity architecture dependency graph heatmap"],"num_per_query":1}
+
+## 1. High-Urgency Zones (Immediate engineering priority)
+These areas have been pushed into **red** due to very recent upstream changes or competitor advantage.
+
+### [A] SBOM Ingestion & Normalization  
+**Why urgent:**  
+Syft 1.38.0 changes SBOM fields and includes regressions in PURL correctness (e.g., Go module naming issue). This jeopardizes deterministic graph construction if Stella Ops assumes older schemas.
+
+**Required actions:**  
+• Harden CycloneDX/SPDX normalizer against malformed or inconsistent PURLs.  
+• Add schema-version detection and compatibility modes.  
+• Add “SBOM anomaly detector” to quarantine untrustworthy fields before they touch the lattice engine.
+
+**Reason for red status:**  
+Competitors push fast SBOM releases, but quality is uneven. Stella Ops must be robust when competitors are not.
+
+---
+
+### [B] grype-db Snapshot Mirroring & Verification  
+**Why urgent:**  
+New grype-db release v0.47.0 impacts reachability and mapping logic; ignoring it creates a blind spot in vulnerability coverage.
+
+**Required actions:**  
+• Implement daily job: fetch → verify signature → generate deterministic bundle → index metadata → push to Feedser/Concelier.  
+• Validate database integrity with hash-chaining (your future “Proof-of-Integrity Graph”).
+
+**Reason for red status:**  
+Anchore’s update cadence creates moving targets. Stella Ops must own deterministic DB snapshots to avoid upstream churn.
+
+---
+
+### [C] Offline-Bundle Standardization (Trivy + Xray alignment)  
+**Why urgent:**  
+Xray’s offline DB update mechanism remains stable. Trivy’s offline DB remains brittle due to schema changes. Enterprises expect a unified offline package structure.
+
+**Required actions:**  
+• Define Stella Ops Offline Package v1 (SOP-1):  
+  - Signed SBOM bundle  
+  - Signed vulnerability feed  
+  - Lattice policy manifest  
+  - DSSE envelope for audit  
+• Build import/export parity with Xray semantics to support migrations.
+
+**Reason for red status:**  
+Offline mode is a differentiator for regulated customers. Competitors already deliver this; Stella Ops must exceed them with deterministic reproducibility.
+
+---
+
+### [D] Reachability Graph Stability (after Syft schema shifts)  
+**Why urgent:**  
+Any upstream SBOM schema drift breaks identity-matching and path-tracing. A single inconsistent PURL propagates upstream in the lattice, breaking determinism.
+
+**Required actions:**  
+• Add canonicalization rules per language ecosystem.  
+• Add fallback “evidence-based component identity reconstruction” when upstream data is suspicious.  
+• Version the Reachability Graph format (RG-1.0, RG-1.1) and support replay.
+
+**Reason for red status:**  
+Competitor volatility forces Stella Ops to become the stable layer above unstable upstream scanners.
+
+---
+
+## 2. Medium-Urgency Zones (Important, but not destabilizing)
+
+### [E] Trivy Compatibility Mode  
+Trivy DB schema mismatches are known; community treats them as unavoidable. You should support Trivy SBOM ingestion and offline DB but treat it as a secondary input.
+
+**Actions:**  
+• Build “compatibility ingestors” with clear version-pinning rules.  
+• Warn user when Trivy scan is non-deterministic.
+
+**Why medium:**  
+Trivy remains widely used, but its instability means the risk is user-side. Stella Ops just needs graceful handling.
+
+---
+
+### [F] Clair Legacy Adapter  
+Clair updates have slowed. Many enterprises still run it, especially on-premise with Quay/Harbor.
+
+**Actions:**  
+• Map Clair results to Stella’s canonical vulnerability model.  
+• Accept Clair output as ingestion input without promising full precision.
+
+**Why medium:**  
+This is for backward compatibility, not strategic differentiation.
+
+---
+
+### [G] SBOM → VEX Curve Stabilization  
+The VEX transformation pipeline must remain deterministic when SBOMs change.
+
+**Actions:**  
+• Add cross-SBOM consistency checks.  
+• Add VEX “derivation receipts” showing every input vector.
+
+**Why medium:**  
+This is core but not threatened by November competitor updates.
+
+---
+
+## 3. Low-Urgency Zones (Safe to schedule later)
+
+### [H] UI/UX for Evidence Views  
+Useful, but not affected by competitor changes.
+
+### [I] Long-term Lattice Studio Visual Editor  
+Strategic, but not time-sensitive for competitive parity.
+
+### [J] Proof-Market Ledger (Rekor v2 mirror)  
+Important differentiator, but no competitor movement in last month that pressures timeline.
+
+---
+
+# Delta-Driven Priority Ranking (Final)
+
+1. **SBOM Normalization Layer Hardening (Red)**  
+2. **grype-db Mirroring/Verification and Bundle Stability (Red)**  
+3. **Offline Bundle Standard (SOP-1) aligned with Xray semantics (Red)**  
+4. **Reachability Graph Stability + Canonicalization (Red)**  
+5. **Trivy Compatibility Layer (Medium)**  
+6. **Clair Legacy Adapter (Medium)**  
+7. **VEX Derivation Receipts (Medium)**  
+8. **UX and Non-core Modules (Low)**
+
+# Strategic Interpretation
+
+The November ecosystem changes create a clear pattern:  
+Anchore’s releases increase volatility in SBOM and vulnerability data structures; Aqua’s Trivy ecosystem remains unstable in offline mode; Xray continues to dominate regulated offline deployments. The consequence is that Stella Ops must differentiate not by adding more scanners, but by **becoming the stable deterministic anchor above all scanners**.
+
+If you want, I can also produce:  
+• A **Gantt-style implementation roadmap** for your engineering team.  
+• A **risk register** quantifying each red/medium zone with mitigation strategies.  
+• Developer-level implementation plans for each module.
+Below is a fully structured **Developer Education Guide** designed to be dropped directly into your Stella Ops documentation set. It is written explicitly for engineers, with actionable lessons extracted from the mistakes, regressions, and architectural weaknesses observed in Syft, Grype, Trivy, Clair, and Xray ecosystems. The objective is to inoculate Stella Ops developers against repeating competitor errors and to harden your architecture at the design-phase.
+
+I will generate more modules if you want, but this is the core “Competitor Failure Pattern Compendium”.
+
+# Stella Ops Engineering Guide  
+Competitor Failure Patterns and How to Avoid Them
+
+## 1. Syft Failure Patterns  
+SBOM generator ecosystem (Anchore)
+
+### 1.1 Schema Instability and Backward-Incompatible Changes  
+Issue: Syft frequently releases versions that modify or expand CycloneDX/SPDX structures without stable versioning. Recent example: Syft 1.38.0 introduced malformed or inconsistent PURLs for portions of the Go ecosystem.
+
+Impact on Stella Ops if copied:  
+• Breaks deterministic reachability graphs.  
+• Causes misidentification of components.  
+• Creates drift between SBOM ingestion and vulnerability-linking.  
+• Forces consumers to implement ad-hoc normalizers.
+
+Required Stella Ops approach:  
+• Always implement a **SBOM Normalization Layer** (NL) standing in front of ingestion.  
+• NL must include:  
+  - Schema-version detection.  
+  - PURL repair heuristics.  
+  - Component ID canonicalization rules per ecosystem.  
+• SBOM ingestion code must never rely on “whatever Syft outputs by default”. The layer must treat upstream scanners as untrusted suppliers.
+
+Developer notes:  
+Do not trust external scanner correctness. Consider every SBOM field attackable. Treat every SBOM as potentially malformed.
+
+---
+
+### 1.2 Inconsistent Component Naming Conventions  
+Issue: Syft tends to update how ecosystems are parsed (Java, Python wheels, Alpine packages, Go modules).  
+Failures repeat every 8–12 months.
+
+Impact:  
+Upstream identity mismatch causes large graph changes.
+
+Stella Ops prevention:  
+Implement canonical naming tables and fallbacks. If Syft changes its interpretation, Stella Ops logic remains stable.
+
+---
+
+### 1.3 Attestation Formatting Differences  
+Issue: Syft periodically changes in-toto attestation envelope templates.  
+Impact: audit failures, inability to verify provenance of SBOMs.
+
+Stella Ops prevention:  
+• Normalize every attestation.  
+• Validate DSSE according to your own rules, not Syft’s.  
+• Add support for multi-envelope mapping (Syft vs Trivy vs custom vendors).
+
+---
+
+## 2. Grype Failure Patterns  
+Vulnerability scanner and DB layer
+
+### 2.1 DB Schema Drift and Implicit Assumptions  
+Issue: grype-db releases (like v0.47.0) change internal mapping rules without formal versioning.
+
+Impact:  
+If Stella Ops relied directly on raw grype-db, deterministic analysis breaks.
+
+Stella Ops prevention:  
+• Introduce a **Feed Translation Layer** (FTL) that consumes grype-db but emits a **Stella-Canonical Vulnerability Model** (SCVM).  
+• Validate each database snapshot via signature + structural integrity.  
+• Cache deterministic snapshots with hash-chains.
+
+Developer rule:  
+Never process grype-db directly inside business logic. Pass everything through FTL.
+
+---
+
+### 2.2 Missing or Incomplete Fix Metadata  
+Failure pattern: grype-db often lacks fix data or “not affected” evidence that downstream users expect.
+
+Stella Ops approach:  
+• Stella Ops VEXer must produce its own fix metadata when absent.  
+• Use lattice policies to compute “Not Affected” verdicts.  
+• Downstream logic should not depend on grype-db completeness.
+
+---
+
+## 3. Trivy Failure Patterns  
+Aqua Security’s scanner ecosystem
+
+### 3.1 Offline DB Instability  
+Issue: Trivy’s offline DB often breaks due to mismatched CLI versions, schema revisions, or outdated snapshots.
+
+Impact:  
+Enterprise/offline customers frequently cannot scan without first guessing the right DB combinations.
+
+Stella Ops prevention:  
+• Always decouple scanner versions from offline DB snapshot versions.  
+• Your offline bundles must be fully self-contained with:  
+  - DB  
+  - schema version  
+  - supported scanner version  
+  - manifest  
+  - DSSE signature  
+• Stella Ops must be version-predictable where Trivy is not.
+
+---
+
+### 3.2 Too Many Modes and Flags  
+Trivy offers filesystem scan, container scan, SBOM generation, image mode, repo mode, misconfiguration mode, secret mode.
+
+Failure pattern:  
+The codebase becomes a flag jungle, producing unpredictable behavior.
+
+Stella Ops prevention:  
+• Keep scanner modes minimal and explicit:  
+  - SBOM ingestion  
+  - Binary reachability  
+  - Vulnerability evaluation  
+• Do not allow flags that mutate core behavior.  
+• Never combine unrelated scan types (misconfig + vuln) in one pass.
+
+---
+
+### 3.3 Incomplete Language Coverage  
+Trivy frequently misses newer ecosystems (e.g., Swift, modern Rust patterns, niche package managers).
+
+Stella Ops approach:  
+• Language coverage must always be modular.  
+• A new ecosystem must be pluggable without touching the scanner core.
+
+Developer guidelines:  
+Build plugin APIs from the start. Never embed ecosystem logic in core code.
+
+---
+
+## 4. Clair Failure Patterns  
+Legacy scanner from Red Hat/Quay
+
+### 4.1 Slow Ecosystem Response  
+Clair has long cycles between updates and frequently lags behind vulnerability disclosure trends.
+
+Impact:  
+Users must wait for CVE coverage to catch up.
+
+Stella Ops prevention:  
+• Feed ingestion must be multi-source (NVD, vendor advisories, distro advisories, GitHub Security Advisories).  
+• Your canonical model must be aware of the feed’s temporal completeness.
+
+---
+
+### 4.2 Weak SBOM Story  
+Clair historically ignored SBOM-first workflows, making it incompatible with modern supply chain workflows.
+
+Stella Ops advantage:  
+SBOM-first architecture must remain your core. Never regress into legacy “package-index-only” scanning.
+
+---
+
+## 5. Xray (JFrog) Failure Patterns  
+Enterprise ecosystem
+
+### 5.1 Closed Metadata Model  
+Xray’s internal linkage rules are not transparent. Users cannot see how vulnerabilities map to components.
+
+Impact:  
+Trust and auditability issues.
+
+Stella Ops prevention:  
+• Every linking rule must be visible in UI + API.  
+• Provide human-readable “proof steps” explaining each decision.  
+• Use deterministic logs and replayable scan manifests.
+
+---
+
+### 5.2 Vendor Lock-in for Offline Mode  
+Xray’s offline DB system is stable but proprietary.
+
+Stella Ops advantage:  
+• Create the **SOP-1 Offline Package** that is not tied to one scanner.  
+• Make offline mode user-controllable and auditable.
+
+---
+
+### 5.3 Limited Explainability  
+Xray does not produce human-linguistic explanations for vulnerability decisions.
+
+Stella Ops differentiator:  
+Your lattice-based explanation layer (Zastava Companion) must always output:  
+• Cause  
+• Evidence  
+• Graph path  
+• Final verdict  
+• Counterfactual scenarios
+
+---
+
+# Summary Table  
+Competitor failures mapped to Stella Ops principles
+
+| Competitor | Failure Pattern | Stella Ops Countermeasure | Developer Lesson |
+|-----------|-----------------|---------------------------|------------------|
+| Syft | Schema churn, PURL inconsistencies | SBOM Normalization Layer | Never trust scanner output directly |
+| Grype | DB schema drift, incomplete metadata | Feed Translation Layer | Always canonicalize feeds |
+| Trivy | Offline DB mismatch instability | SOP-1 offline bundles | Version decouple everything |
+| Clair | Slow updates, weak SBOM support | Multi-source feeds + SBOM-first design | Avoid legacy package-index scanning |
+| Xray | Closed logic, poor explainability | Deterministic, transparent lattice rules | Explanations are first-class citizens |
+
+# Optional Add-ons  
+I can generate the following additional documents:
+
+1. Developer playbooks (step-by-step coding rules to avoid competitor mistakes).  
+2. Architecture diagrams showing safe/unsafe design patterns.  
+3. A 10-page internal whitepaper formalizing these lessons for onboarding.  
+4. Training slides for your engineering team (PowerPoint).  
+5. A markdown wiki structure for your internal docs site.
+
+Tell me which you want next.