consolidation of some of the modules, localization fixes, product advisories work, qa work

docs/modules/telemetry/architecture.md

@@ -102,3 +102,42 @@ Verification coverage:
 - Full telemetry core test suite pass (`262` tests) remains green after integration.
 
 Refer to the module README and implementation plan for immediate context, and update this document once component boundaries and data flows are finalised.
+
+## 8) Federation DSSE Security Posture (Updated 2026-03-04)
+
+Status:
+
+- Advisory gap `TEL-001` is closed. Federation consent and bundle paths now emit signed DSSE envelopes instead of payload passthrough placeholders.
+
+Implemented contract:
+
+- Consent and bundle envelopes now use explicit DSSE JSON structure: `payloadType`, base64 `payload`, and `signatures[]` (`keyid`, `sig`).
+- Consent proofs and bundle summaries carry signer identity metadata (`SignerKeyId`) for auditability.
+- Bundle payload canonicalization is deterministic for identical logical inputs:
+  - bucket ordering: `cveId` (ordinal), then `noisyCount` (descending), `artifactCount`, `observationCount`
+  - deterministic bundle ID derivation from canonical payload seed + fixed clock input
+- Bundle verification enforces:
+  - envelope digest integrity (`sha256:` over envelope bytes)
+  - payload type match
+  - trusted-key signature verification
+  - consent digest linkage (`consentDigest` in payload must match `ConsentDsseDigest`)
+
+Signer/verifier integration and fallback:
+
+- Federation now uses explicit abstractions:
+  - `IFederationDsseEnvelopeSigner`
+  - `IFederationDsseEnvelopeVerifier`
+- Default adapter: `HmacFederationDsseEnvelopeService` (offline-safe HMAC-SHA256 DSSE sign/verify using local trusted key map in `FederatedTelemetryOptions`).
+- Failure mode is deterministic and auditable:
+  - signing failures throw `FederationSignatureException` with stable error codes (for example `federation.dsse.sign_failed`, `federation.dsse.signer_unavailable`)
+  - optional unsigned fallback (`AllowUnsignedDsseFallback`) emits envelopes tagged with `offline-unsigned-fallback` for explicit operator visibility.
+
+Verification evidence:
+
+- `dotnet test src/Telemetry/StellaOps.Telemetry.Federation.Tests/StellaOps.Telemetry.Federation.Tests.csproj -m:1 -v minimal`
+- Result: `47` passed, `0` failed.
+- Coverage includes payload tamper, signature tamper, wrong-key verification failure, consent expiry + signature validity combination, and deterministic replay digest checks.
+
+Tracking sprint:
+
+- `docs/implplan/SPRINT_20260304_307_Telemetry_federation_dsse_bundle_hardening.md`

docs/modules/telemetry/contracts/obs-50-telemetry-baselines-contract.md

@@ -109,7 +109,7 @@ public sealed record TelemetryContext
   "span_id": "00f067aa0ba902b7",
   "trace_flags": 1,
   "tenant_id": "tenant-001",
-  "workload": "StellaOps.Orchestrator",
+  "workload": "StellaOps.JobEngine",
   "region": "eu-west-1",
   "environment": "prod",
   "version": "1.2.3",

docs/modules/telemetry/ttfs-architecture.md

@@ -99,7 +99,7 @@ The `phase` field indicates the current execution phase:
 ### 5.1 First Signal Endpoint
 
 ```http
-GET /api/v1/orchestrator/jobs/{jobId}/first-signal
+GET /api/v1/jobengine/jobs/{jobId}/first-signal
 Accept: application/json
 If-None-Match: "{etag}"
 
@@ -133,7 +133,7 @@ X-Signal-Source: snapshot | cold_start | failure_index
 ### 5.2 SSE Stream
 
 ```http
-GET /api/v1/orchestrator/stream/jobs/{jobId}/first-signal
+GET /api/v1/jobengine/stream/jobs/{jobId}/first-signal
 Accept: text/event-stream
 
 event: signal