consolidation of some of the modules, localization fixes, product advisories work, qa work

2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions
--- a/docs/technical/architecture/README.md
+++ b/docs/technical/architecture/README.md
@@ -60,7 +60,7 @@ Each module directory bundles an ownership charter (`AGENTS.md`), current work (
 | Export Center | [architecture.md](../../modules/export-center/architecture.md) | [implementation_plan.md](../../modules/export-center/implementation_plan.md) | [operations/runbook.md](../../modules/export-center/operations/runbook.md) |
 | Graph | [architecture.md](../../modules/graph/architecture.md) | [implementation_plan.md](../../modules/graph/implementation_plan.md) | - |
 | Notify | [architecture.md](../../modules/notify/architecture.md) | [implementation_plan.md](../../modules/notify/implementation_plan.md) | - |
-| Orchestrator | [architecture.md](../../modules/orchestrator/architecture.md) | [implementation_plan.md](../../modules/orchestrator/implementation_plan.md) | - |
+| Orchestrator | [architecture.md](../../modules/jobengine/architecture.md) | [implementation_plan.md](../../modules/jobengine/implementation_plan.md) | - |
 | Platform | [architecture-overview.md](../../modules/platform/architecture-overview.md) + [architecture.md](../../modules/platform/architecture.md) | [implementation_plan.md](../../modules/platform/implementation_plan.md) | - |
 | Policy engine | [architecture.md](../../modules/policy/architecture.md) | [implementation_plan.md](../../modules/policy/implementation_plan.md) | - |
 | Registry token service | [architecture.md](../../modules/registry/architecture.md) | [implementation_plan.md](../../modules/registry/implementation_plan.md) | [operations/token-service.md](../../modules/registry/operations/token-service.md) |
--- a/docs/technical/architecture/component-map.md
+++ b/docs/technical/architecture/component-map.md
@@ -34,7 +34,7 @@ Concise descriptions of every top-level component under `src/`, summarising the

 ## Scheduling, Orchestration & Automation
 - **Scheduler** — Detects advisory/VEX deltas and orchestrates deterministic rescan runs toward Scanner and Policy Engine (`docs/modules/scheduler/architecture.md`). 
- **Orchestrator** — Central coordination service dispatching jobs (scans, exports, policy runs) to modules, working closely with Scheduler, CLI, and UI (`docs/modules/orchestrator/architecture.md`). 
+- **Orchestrator** — Central coordination service dispatching jobs (scans, exports, policy runs) to modules, working closely with Scheduler, CLI, and UI (`docs/modules/jobengine/architecture.md`). 
 - **TaskRunner** - Executes automation packs sourced from PacksRegistry, integrating with Orchestrator, CLI, Notify, and Authority (`docs/modules/packs-registry/guides/runbook.md`). 
 - **Signals** — Ingests runtime posture signals and feeds Policy/Notifier workflows (`docs/modules/zastava/architecture.md`, signals sections). 
 - **TimelineIndexer** — Builds timelines of evidence/events for forensics and audit tooling (`docs/modules/timeline-indexer/guides/timeline.md`). 
--- a/docs/technical/architecture/module-matrix.md
+++ b/docs/technical/architecture/module-matrix.md
@@ -33,69 +33,58 @@ The solution contains **46 top-level modules** in `src/`. The architecture docum

 ## 2. Complete Module Inventory

-### Core Platform (4 modules)
+### Core Platform (3 modules)

 | Module | Path | Purpose | WebService | Worker | Storage |
 |--------|------|---------|------------|--------|---------|
-| **Authority** | `src/Authority/` | Authentication, authorization, OAuth/OIDC, DPoP, tenant management | Yes | No | PostgreSQL (`authority`) |
-| **Gateway** | `src/Gateway/` | API gateway with routing, TLS termination, transport abstraction | Yes | No | Stateless |
-| **Router** | `src/Router/` | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey) | Yes | No | Valkey |
+| **Authority** | `src/Authority/` | Authentication, authorization, OAuth/OIDC, DPoP, tenant management. Includes IssuerDirectory (Sprint 216). | Yes | No | PostgreSQL (`authority`) |
+| **Router** | `src/Router/` | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey) and HTTP ingress gateway. `src/Gateway/` deleted (Sprint 200). | Yes | No | Valkey |
 | **Platform** | `src/Platform/` | Platform Service aggregation APIs, console data composition | Yes | No | Aggregates |

-### Data Ingestion (7 modules)
+### Data Ingestion (4 modules)

 | Module | Path | Purpose | WebService | Worker | Storage |
 |--------|------|---------|------------|--------|---------|
-| **Concelier** | `src/Concelier/` | Vulnerability advisory ingestion (NVD, OSV, GHSA, CSAF), merge engine with AOC | Yes | Yes | PostgreSQL (`vuln`) |
-| **Excititor** | `src/Excititor/` | VEX document ingestion and export (OpenVEX, CSAF VEX) | Yes | Yes | PostgreSQL (`vex`) |
+| **Concelier** | `src/Concelier/` | Vulnerability advisory ingestion (NVD, OSV, GHSA, CSAF), merge engine with AOC. Includes Feedser and Excititor (Sprint 203). | Yes | Yes | PostgreSQL (`vuln`, `vex`) |
 | **VexLens** | `src/VexLens/` | VEX consensus computation across issuers, conflict analysis | Yes | No | PostgreSQL (cache) |
 | **VexHub** | `src/VexHub/` | VEX distribution and exchange hub | Yes | No | PostgreSQL |
-| **IssuerDirectory** | `src/IssuerDirectory/` | Issuer trust registry for CSAF publishers | Yes | No | PostgreSQL |
-| **Feedser** | `src/Feedser/` | Evidence collection library for backport detection | Library | N/A | N/A |
 | **Mirror** | `src/Mirror/` | Vulnerability feed mirror and distribution | Yes | Yes | RustFS |

-### Scanning & Analysis (5 modules)
+### Scanning & Analysis (4 modules)

 | Module | Path | Purpose | WebService | Worker | Storage |
 |--------|------|---------|------------|--------|---------|
-| **Scanner** | `src/Scanner/` | Container scanning with SBOM generation (11 language analyzers), call graphs | Yes | Yes | PostgreSQL (`scanner`) + RustFS |
-| **BinaryIndex** | `src/BinaryIndex/` | Binary identity extraction and fingerprinting | Yes | No | PostgreSQL |
-| **AdvisoryAI** | `src/AdvisoryAI/` | AI-assisted advisory analysis and summarization | Yes | No | PostgreSQL |
-| **Symbols** | `src/Symbols/` | Symbol resolution and debug information | Yes | No | PostgreSQL |
+| **Scanner** | `src/Scanner/` | Container scanning with SBOM generation (11 language analyzers), call graphs. Includes Cartographer (Sprint 201). | Yes | Yes | PostgreSQL (`scanner`) + RustFS |
+| **BinaryIndex** | `src/BinaryIndex/` | Binary identity extraction and fingerprinting. Includes Symbols (Sprint 202). | Yes | No | PostgreSQL |
+| **AdvisoryAI** | `src/AdvisoryAI/` | AI-assisted advisory analysis and summarization. Includes OpsMemory (Sprint 213). | Yes | No | PostgreSQL |
 | **ReachGraph** | `src/ReachGraph/` | Reachability graph service, CVE reachability analysis | Yes | No | PostgreSQL |

-### Artifacts & Evidence (7 modules)
+### Artifacts & Evidence (5 modules)

 | Module | Path | Purpose | WebService | Worker | Storage |
 |--------|------|---------|------------|--------|---------|
-| **Attestor** | `src/Attestor/` | in-toto/DSSE attestation generation, Rekor v2 integration | Yes | No | PostgreSQL + RustFS |
-| **Signer** | `src/Signer/` | Cryptographic signing operations (PKIX, DSSE) | Yes | No | PostgreSQL |
+| **Attestor** | `src/Attestor/` | in-toto/DSSE attestation generation, Rekor v2 integration. Includes Signer and Provenance (Sprint 204). | Yes | No | PostgreSQL + RustFS |
 | **SbomService** | `src/SbomService/` | SBOM storage, versioning, and lineage ledger | Yes | No | PostgreSQL + RustFS |
 | **EvidenceLocker** | `src/EvidenceLocker/` | Sealed evidence storage and export | Yes | No | RustFS |
 | **ExportCenter** | `src/ExportCenter/` | Batch export and report generation (SARIF, SBOM, evidence bundles) | Yes | No | RustFS |
-| **Provenance** | `src/Provenance/` | SLSA/DSSE attestation tooling | Library | N/A | N/A |
 | **Provcache** | Library | Provenance cache utilities | Library | N/A | N/A |

-### Policy & Risk (4 modules)
+### Policy & Risk (3 modules)

 | Module | Path | Purpose | WebService | Worker | Storage |
 |--------|------|---------|------------|--------|---------|
 | **Policy** | `src/Policy/` | Policy engine with K4 lattice logic, confidence scoring, VEX emission | Yes | Yes | PostgreSQL (`policy`) |
-| **RiskEngine** | `src/RiskEngine/` | Risk scoring runtime with pluggable providers | Yes | No | PostgreSQL |
-| **VulnExplorer** | `src/VulnExplorer/` | Vulnerability exploration and triage UI backend | Yes | No | PostgreSQL (cache) |
-| **Unknowns** | `src/Unknowns/` | Unknown component and symbol tracking registry | Yes | No | PostgreSQL |
+| **Unknowns** | `src/Unknowns/` | Unknown component and symbol tracking registry (boundary preserved, Sprint 206) | Yes | No | PostgreSQL |
+| **Findings** | `src/Findings/` | Centralized findings aggregation. Includes RiskEngine and VulnExplorer (Sprint 207). | Yes | No | PostgreSQL |

-### Operations (8 modules)
+### Operations (5 modules)

 | Module | Path | Purpose | WebService | Worker | Storage |
 |--------|------|---------|------------|--------|---------|
-| **Scheduler** | `src/Scheduler/` | Job scheduling and queue management, cron-based rescan | Yes | No | PostgreSQL (`scheduler`) |
-| **Orchestrator** | `src/Orchestrator/` | Workflow orchestration and task coordination | Yes | No | PostgreSQL (`orchestrator`) |
-| **TaskRunner** | `src/TaskRunner/` | Task pack execution engine | Yes | Yes | PostgreSQL |
-| **Notify** | `src/Notify/` | Notification toolkit (Email, Slack, Teams, Webhooks) - shared libraries | Library | N/A | N/A |
-| **Notifier** | `src/Notifier/` | Notifications Studio host (WebService + Worker) | Yes | Yes | PostgreSQL (`notify`) |
-| **PacksRegistry** | `src/PacksRegistry/` | Task packs registry and distribution | Yes | No | PostgreSQL |
-| **TimelineIndexer** | `src/TimelineIndexer/` | Timeline event indexing for audit trails | Yes | No | PostgreSQL |
+| **JobEngine** | `src/JobEngine/` | Workflow orchestration, scheduling, task execution, pack registry. Includes Scheduler, TaskRunner, PacksRegistry (Sprint 208); renamed from Orchestrator (Sprint 221). | Yes | Yes | PostgreSQL (`orchestrator`, `scheduler`) |
+| **Notify** | `src/Notify/` | Notification toolkit (Email, Slack, Teams, Webhooks) - shared libraries. Boundary preserved with Notifier (Sprint 209). | Library | N/A | N/A |
+| **Notifier** | `src/Notifier/` | Notifications Studio host (WebService + Worker). Boundary preserved with Notify (Sprint 209). | Yes | Yes | PostgreSQL (`notify`) |
+| **Timeline** | `src/Timeline/` | Timeline query, event indexing, and replay. Includes TimelineIndexer (Sprint 210). | Yes | No | PostgreSQL |
 | **Replay** | `src/Replay/` | Deterministic replay engine | Yes | No | PostgreSQL |

 ### Integration (5 modules)
@@ -126,16 +115,14 @@ The solution contains **46 top-level modules** in `src/`. The architecture docum
 | **Benchmark** | Scanner library | Competitive benchmarking (accuracy comparison) | Tool | N/A | N/A |
 | **Bench** | `src/Bench/` | Performance benchmarks | Tool | N/A | N/A |

-### Utility & Internal (6+ modules)
+### Utility & Internal (4+ modules)

 | Module | Path | Purpose | Notes |
 |--------|------|---------|-------|
-| **Cartographer** | `src/Cartographer/` | Identity graphs from SBOM/advisory data | Feeds Graph Explorer |
-| **Findings** | `src/Findings/` | Materializes effective findings from Policy outputs | Feeds UI/CLI/Notify |
-| **SrmRemote** | `src/SrmRemote/` | SBOM remote operations | Integration utility |
-| **Tools** | `src/Tools/` | Utility programs (fixture generators, migration scripts) | Dev tooling |
+| **Findings** | `src/Findings/` | Materializes effective findings from Policy outputs. Includes RiskEngine and VulnExplorer (Sprint 207). | Feeds UI/CLI/Notify |
+| **SmRemote** | `src/SmRemote/` | Remote SM2/SM3/SM4 cryptographic operations | Integration utility |
+| **Tools** | `src/Tools/` | Utility programs (fixture generators, migration scripts). Includes Bench, Verifier, Sdk, DevPortal (Sprint 212). | Dev tooling |
 | **PluginBinaries** | Various | Authority and Concelier plugin binaries | Plugin hosting |
-| **DevPortal** | `src/DevPortal/` | Developer onboarding portal | Documentation |

 ---

--- a/docs/technical/architecture/port-registry.md
+++ b/docs/technical/architecture/port-registry.md
@@ -15,7 +15,7 @@ All Stella Ops web services are assigned deterministic HTTPS/HTTP port pairs to
 | 0 | 10000 | 10001 | Router Gateway | `router.stella-ops.local` | `src/Router/StellaOps.Gateway.WebService` | `STELLAOPS_ROUTER_URL` |
 | 1 | 10010 | 10011 | Platform | `platform.stella-ops.local` | `src/Platform/StellaOps.Platform.WebService` | `STELLAOPS_PLATFORM_URL` |
 | 2 | 10020 | 10021 | Authority | `authority.stella-ops.local` | `src/Authority/StellaOps.Authority/StellaOps.Authority` | `STELLAOPS_AUTHORITY_URL` |
-| 3 | 10030 | 10031 | Gateway | `gateway.stella-ops.local` | `src/Gateway/StellaOps.Gateway.WebService` | `STELLAOPS_GATEWAY_URL` |
+| 3 | 10030 | 10031 | Gateway (deleted -- now under Router) | `gateway.stella-ops.local` | `src/Router/StellaOps.Gateway.WebService` | `STELLAOPS_GATEWAY_URL` |
 | 4 | 10040 | 10041 | Attestor | `attestor.stella-ops.local` | `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService` | `STELLAOPS_ATTESTOR_URL` |
 | 5 | 10050 | 10051 | Attestor TileProxy | — | `src/Attestor/StellaOps.Attestor.TileProxy` | `STELLAOPS_ATTESTOR_TILEPROXY_URL` |
 | 6 | 10060 | 10061 | Evidence Locker | `evidencelocker.stella-ops.local` | `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService` | `STELLAOPS_EVIDENCELOCKER_URL` |
@@ -25,21 +25,21 @@ All Stella Ops web services are assigned deterministic HTTPS/HTTP port pairs to
 | 10 | 10100 | 10101 | Excititor | `excititor.stella-ops.local` | `src/Excititor/StellaOps.Excititor.WebService` | `STELLAOPS_EXCITITOR_URL` |
 | 11 | 10110 | 10111 | VexHub | `vexhub.stella-ops.local` | `src/VexHub/StellaOps.VexHub.WebService` | `STELLAOPS_VEXHUB_URL` |
 | 12 | 10120 | 10121 | VexLens | `vexlens.stella-ops.local` | `src/VexLens/StellaOps.VexLens.WebService` | `STELLAOPS_VEXLENS_URL` |
-| 13 | 10130 | 10131 | VulnExplorer | `vulnexplorer.stella-ops.local` | `src/VulnExplorer/StellaOps.VulnExplorer.Api` | `STELLAOPS_VULNEXPLORER_URL` |
+| 13 | 10130 | 10131 | VulnExplorer | `vulnexplorer.stella-ops.local` | `src/Findings/StellaOps.VulnExplorer.Api` | `STELLAOPS_VULNEXPLORER_URL` |
 | 14 | 10140 | 10141 | Policy Engine | `policy-engine.stella-ops.local` | `src/Policy/StellaOps.Policy.Engine` | `STELLAOPS_POLICY_ENGINE_URL` |
 | 15 | 10150 | 10151 | Policy Gateway | `policy-gateway.stella-ops.local` | `src/Policy/StellaOps.Policy.Gateway` | `STELLAOPS_POLICY_GATEWAY_URL` |
-| 16 | 10160 | 10161 | RiskEngine | `riskengine.stella-ops.local` | `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService` | `STELLAOPS_RISKENGINE_URL` |
-| 17 | 10170 | 10171 | Orchestrator | `orchestrator.stella-ops.local` | `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService` | `STELLAOPS_ORCHESTRATOR_URL` |
+| 16 | 10160 | 10161 | RiskEngine | `riskengine.stella-ops.local` | `src/Findings/StellaOps.RiskEngine.WebService` | `STELLAOPS_RISKENGINE_URL` |
+| 17 | 10170 | 10171 | Orchestrator | `jobengine.stella-ops.local` | `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService` | `STELLAOPS_JOBENGINE_URL` |
 | 18 | 10180 | 10181 | TaskRunner | `taskrunner.stella-ops.local` | `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService` | `STELLAOPS_TASKRUNNER_URL` |
 | 19 | 10190 | 10191 | Scheduler | `scheduler.stella-ops.local` | `src/Scheduler/StellaOps.Scheduler.WebService` | `STELLAOPS_SCHEDULER_URL` |
 | 20 | 10200 | 10201 | Graph API | `graph.stella-ops.local` | `src/Graph/StellaOps.Graph.Api` | `STELLAOPS_GRAPH_URL` |
-| 21 | 10210 | 10211 | Cartographer | `cartographer.stella-ops.local` | `src/Cartographer/StellaOps.Cartographer` | `STELLAOPS_CARTOGRAPHER_URL` |
+| 21 | 10210 | 10211 | Cartographer | `cartographer.stella-ops.local` | `src/Scanner/StellaOps.Scanner.Cartographer` | `STELLAOPS_CARTOGRAPHER_URL` |
 | 22 | 10220 | 10221 | ReachGraph | `reachgraph.stella-ops.local` | `src/ReachGraph/StellaOps.ReachGraph.WebService` | `STELLAOPS_REACHGRAPH_URL` |
-| 23 | 10230 | 10231 | Timeline Indexer | `timelineindexer.stella-ops.local` | `src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService` | `STELLAOPS_TIMELINEINDEXER_URL` |
+| 23 | 10230 | 10231 | Timeline Indexer | `timelineindexer.stella-ops.local` | `src/Timeline/StellaOps.TimelineIndexer.WebService` | `STELLAOPS_TIMELINEINDEXER_URL` |
 | 24 | 10240 | 10241 | Timeline | `timeline.stella-ops.local` | `src/Timeline/StellaOps.Timeline.WebService` | `STELLAOPS_TIMELINE_URL` |
 | 25 | 10250 | 10251 | Findings Ledger | `findings.stella-ops.local` | `src/Findings/StellaOps.Findings.Ledger.WebService` | `STELLAOPS_FINDINGS_LEDGER_URL` |
 | 26 | 10260 | 10261 | Doctor | `doctor.stella-ops.local` | `src/Doctor/StellaOps.Doctor.WebService` | `STELLAOPS_DOCTOR_URL` |
-| 27 | 10270 | 10271 | OpsMemory | `opsmemory.stella-ops.local` | `src/OpsMemory/StellaOps.OpsMemory.WebService` | `STELLAOPS_OPSMEMORY_URL` |
+| 27 | 10270 | 10271 | OpsMemory | `opsmemory.stella-ops.local` | `src/AdvisoryAI/StellaOps.OpsMemory.WebService` | `STELLAOPS_OPSMEMORY_URL` |
 | 28 | 10280 | 10281 | Notifier | `notifier.stella-ops.local` | `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService` | `STELLAOPS_NOTIFIER_URL` |
 | 29 | 10290 | 10291 | Notify | `notify.stella-ops.local` | `src/Notify/StellaOps.Notify.WebService` | `STELLAOPS_NOTIFY_URL` |
 | 30 | 10300 | 10301 | Signer | `signer.stella-ops.local` | `src/Signer/StellaOps.Signer/StellaOps.Signer.WebService` | `STELLAOPS_SIGNER_URL` |
@@ -50,7 +50,7 @@ All Stella Ops web services are assigned deterministic HTTPS/HTTP port pairs to
 | 35 | 10350 | 10351 | Registry Token | `registry-token.stella-ops.local` | `src/Registry/StellaOps.Registry.TokenService` | `STELLAOPS_REGISTRY_TOKENSERVICE_URL` |
 | 36 | 10360 | 10361 | BinaryIndex | `binaryindex.stella-ops.local` | `src/BinaryIndex/StellaOps.BinaryIndex.WebService` | `STELLAOPS_BINARYINDEX_URL` |
 | 37 | 10370 | 10371 | IssuerDirectory | `issuerdirectory.stella-ops.local` | `src/IssuerDirectory/StellaOps.IssuerDirectory/StellaOps.IssuerDirectory.WebService` | `STELLAOPS_ISSUERDIRECTORY_URL` |
-| 38 | 10380 | 10381 | Symbols | `symbols.stella-ops.local` | `src/Symbols/StellaOps.Symbols.Server` | `STELLAOPS_SYMBOLS_URL` |
+| 38 | 10380 | 10381 | Symbols | `symbols.stella-ops.local` | `src/BinaryIndex/StellaOps.Symbols.Server` | `STELLAOPS_SYMBOLS_URL` |
 | 39 | 10390 | 10391 | SbomService | `sbomservice.stella-ops.local` | `src/SbomService/StellaOps.SbomService` | `STELLAOPS_SBOMSERVICE_URL` |
 | 40 | 10400 | 10401 | ExportCenter | `exportcenter.stella-ops.local` | `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService` | `STELLAOPS_EXPORTCENTER_URL` |
 | 41 | 10410 | 10411 | Replay | `replay.stella-ops.local` | `src/Replay/StellaOps.Replay.WebService` | `STELLAOPS_REPLAY_URL` |
@@ -69,10 +69,10 @@ Worker services associated with a web service use ports offset by +2/+3 from the
 | HTTPS | HTTP | Service | Path |
 |-------|------|---------|------|
 | 10062 | 10063 | EvidenceLocker Worker | `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker` |
-| 10162 | 10163 | RiskEngine Worker | `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker` |
-| 10172 | 10173 | Orchestrator Worker | `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker` |
+| 10162 | 10163 | RiskEngine Worker | `src/Findings/StellaOps.RiskEngine.Worker` |
+| 10172 | 10173 | Orchestrator Worker | `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Worker` |
 | 10182 | 10183 | TaskRunner Worker | `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker` |
-| 10232 | 10233 | TimelineIndexer Worker | `src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker` |
+| 10232 | 10233 | TimelineIndexer Worker | `src/Timeline/StellaOps.TimelineIndexer.Worker` |
 | 10282 | 10283 | Notifier Worker | `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker` |
 | 10342 | 10343 | PacksRegistry Worker | `src/PacksRegistry/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker` |
 | 10402 | 10403 | ExportCenter Worker | `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker` |
@@ -123,7 +123,7 @@ Add the following to your hosts file (`C:\Windows\System32\drivers\etc\hosts` on
 127.1.0.14 policy-engine.stella-ops.local
 127.1.0.15 policy-gateway.stella-ops.local
 127.1.0.16 riskengine.stella-ops.local
-127.1.0.17 orchestrator.stella-ops.local
+127.1.0.17 jobengine.stella-ops.local
 127.1.0.18 taskrunner.stella-ops.local
 127.1.0.19 scheduler.stella-ops.local
 127.1.0.20 graph.stella-ops.local
--- a/docs/technical/architecture/signal-contract-mapping.md
+++ b/docs/technical/architecture/signal-contract-mapping.md
@@ -734,7 +734,7 @@ idemKey = hash(subjectDigest || type || runId || cve || windowStart)

 **Event Envelope Idempotency:**

-**Location:** `src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Events/EventEnvelope.cs`
+**Location:** `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Core/Domain/Events/EventEnvelope.cs`

 ```csharp
 public static string GenerateIdempotencyKey(
--- a/docs/technical/cicd/path-filters.md
+++ b/docs/technical/cicd/path-filters.md
@@ -160,8 +160,7 @@ Each module has defined source and test paths:
 | Module | Source Paths | Test Paths |
 |--------|--------------|------------|
 | Authority | `src/Authority/**` | `src/Authority/__Tests/**` |
-| Gateway | `src/Gateway/**` | `src/Gateway/__Tests/**` |
-| Router | `src/Router/**` | `src/Router/__Tests/**` |
+| Router (includes Gateway) | `src/Router/**` | `src/Router/__Tests/**` |

 ### Scanning & Analysis

@@ -175,8 +174,7 @@ Each module has defined source and test paths:

 | Module | Source Paths | Test Paths |
 |--------|--------------|------------|
-| Concelier | `src/Concelier/**` | `src/Concelier/__Tests/**` |
-| Excititor | `src/Excititor/**` | `src/Excititor/__Tests/**` |
+| Concelier (includes Feedser, Excititor) | `src/Concelier/**` | `src/Concelier/__Tests/**` |
 | VexLens | `src/VexLens/**` | `src/VexLens/__Tests/**` |
 | VexHub | `src/VexHub/**` | `src/VexHub/__Tests/**` |

@@ -184,27 +182,27 @@ Each module has defined source and test paths:

 | Module | Source Paths | Test Paths |
 |--------|--------------|------------|
-| Attestor | `src/Attestor/**` | `src/Attestor/__Tests/**` |
+| Attestor (includes Signer, Provenance) | `src/Attestor/**` | `src/Attestor/__Tests/**` |
 | SbomService | `src/SbomService/**` | `src/SbomService/__Tests/**` |
 | EvidenceLocker | `src/EvidenceLocker/**` | `src/EvidenceLocker/__Tests/**` |
 | ExportCenter | `src/ExportCenter/**` | `src/ExportCenter/__Tests/**` |
-| Findings | `src/Findings/**` | `src/Findings/__Tests/**` |
+| Findings (includes RiskEngine, VulnExplorer) | `src/Findings/**` | `src/Findings/__Tests/**` |

 ### Policy & Risk

 | Module | Source Paths | Test Paths |
 |--------|--------------|------------|
 | Policy | `src/Policy/**` | `src/Policy/__Tests/**` |
-| RiskEngine | `src/RiskEngine/**` | `src/RiskEngine/__Tests/**` |
+| Unknowns | `src/Unknowns/**` | `src/Unknowns/__Tests/**` |

 ### Operations

 | Module | Source Paths | Test Paths |
 |--------|--------------|------------|
-| Notify | `src/Notify/**`, `src/Notifier/**` | `src/Notify/__Tests/**` |
-| Orchestrator | `src/Orchestrator/**` | `src/Orchestrator/__Tests/**` |
-| Scheduler | `src/Scheduler/**` | `src/Scheduler/__Tests/**` |
-| PacksRegistry | `src/PacksRegistry/**` | `src/PacksRegistry/__Tests/**` |
+| JobEngine (includes Scheduler, TaskRunner, PacksRegistry) | `src/JobEngine/**` | `src/JobEngine/__Tests/**` |
+| Notify | `src/Notify/**` | `src/Notify/__Tests/**` |
+| Notifier | `src/Notifier/**` | `src/Notifier/__Tests/**` |
+| Timeline (includes TimelineIndexer) | `src/Timeline/**` | `src/Timeline/__Tests/**` |
 | Replay | `src/Replay/**` | `src/Replay/__Tests/**` |

 ### Infrastructure
--- a/docs/technical/testing/webservice-test-rollout-plan.md
+++ b/docs/technical/testing/webservice-test-rollout-plan.md
@@ -23,9 +23,9 @@ Following the pilot implementation on Scanner.WebService (Sprint 5100.0007.0006)
 | Attestor | `src/Attestor/StellaOps.Attestor` | P3 | Pending | TBD |
 | ExportCenter.WebService | `src/ExportCenter/StellaOps.ExportCenter.WebService` | P3 | Pending | TBD |
 | Registry.TokenService | `src/Registry/StellaOps.Registry.TokenService` | P3 | Pending | TBD |
-| VulnExplorer.Api | `src/VulnExplorer/StellaOps.VulnExplorer.Api` | P3 | Pending | TBD |
+| VulnExplorer.Api | `src/Findings/StellaOps.VulnExplorer.Api` | P3 | Pending | TBD |
 | Graph.Api | `src/Graph/StellaOps.Graph.Api` | P3 | Pending | TBD |
-| Orchestrator | `src/Orchestrator/StellaOps.Orchestrator` | P4 | Pending | TBD |
+| Orchestrator | `src/JobEngine/StellaOps.JobEngine` | P4 | Pending | TBD |

 ---