product advisories add change containing folder

Codex Assistant
2026-01-08 09:06:03 +02:00
parent ae6968d23f
commit 8f0320edd5
599 changed files with 1110 additions and 565 deletions

@@ -11,7 +11,7 @@
## Topic & Scope
Implementation of Reachability Drift Detection as specified in `docs/product-advisories/17-Dec-2025 - Reachability Drift Detection.md`. This extends Smart-Diff to detect when vulnerable code paths become reachable/unreachable between container image versions, with causal attribution and UI visualization.
Implementation of Reachability Drift Detection as specified in `docs/product/advisories/17-Dec-2025 - Reachability Drift Detection.md`. This extends Smart-Diff to detect when vulnerable code paths become reachable/unreachable between container image versions, with causal attribution and UI visualization.
**Business Value:**
- Transform from "all vulnerabilities" to "material reachability changes"
@@ -38,9 +38,9 @@ Implementation of Reachability Drift Detection as specified in `docs/product-adv
## Documentation Prerequisites
Before starting implementation, read:
- `docs/product-advisories/17-Dec-2025 - Reachability Drift Detection.md`
- `docs/product-advisories/14-Dec-2025 - Smart-Diff Technical Reference.md`
- `docs/product-advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md`
- `docs/product/advisories/17-Dec-2025 - Reachability Drift Detection.md`
- `docs/product/advisories/14-Dec-2025 - Smart-Diff Technical Reference.md`
- `docs/product/advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md`
- `docs/modules/scanner/architecture.md`
- `docs/reachability/lattice.md`
- `bench/reachability-benchmark/README.md`
@@ -364,7 +364,7 @@ SPRINT_3600_0004 (UI) Integration
## 9. REFERENCES
- **Source Advisory**: `docs/product-advisories/17-Dec-2025 - Reachability Drift Detection.md`
- **Smart-Diff Reference**: `docs/product-advisories/14-Dec-2025 - Smart-Diff Technical Reference.md`
- **Reachability Reference**: `docs/product-advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md`
- **Source Advisory**: `docs/product/advisories/17-Dec-2025 - Reachability Drift Detection.md`
- **Smart-Diff Reference**: `docs/product/advisories/14-Dec-2025 - Smart-Diff Technical Reference.md`
- **Reachability Reference**: `docs/product/advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md`
- **Benchmark**: `bench/reachability-benchmark/README.md`

@@ -23,7 +23,7 @@
## Documentation Prerequisites
- `docs/product-advisories/archived/19-Dec-2025 - Trust Algebra and Lattice Engine Specification.md`
- `docs/product/advisories/archived/19-Dec-2025 - Trust Algebra and Lattice Engine Specification.md`
- `docs/modules/policy/architecture.md`
- `docs/reachability/lattice.md`

@@ -6,7 +6,7 @@
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/`
**Estimated Effort:** Medium (1 sprint)
**Dependencies:** SPRINT_3700_0004
**Source Advisory:** `docs/product-advisories/18-Dec-2025 - Concrete Advances in Reachability Analysis.md`
**Source Advisory:** `docs/product/advisories/18-Dec-2025 - Concrete Advances in Reachability Analysis.md`
---

@@ -4,7 +4,7 @@
This master plan implements the product advisory "Designing Explainable Triage and Proof-Linked Evidence" which transforms StellaOps's triage experience by making every risk score **explainable** and every approval **provably evidence-linked**.
**Source Advisory:** `docs/product-advisories/18-Dec-2025 - Designing Explainable Triage and ProofLinked Evidence.md`
**Source Advisory:** `docs/product/advisories/18-Dec-2025 - Designing Explainable Triage and ProofLinked Evidence.md`
## Objectives

@@ -5,7 +5,7 @@
> **Epic:** Attestor + Scanner + CLI Integration
> **Priority:** CRITICAL
> **Owner:** Attestor, Scanner, CLI & Docs Guilds
> **Advisory Origin:** `docs/product-advisories/23-Dec-2026 - Distinctive Edge for Docker Scanning.md`
> **Advisory Origin:** `docs/product/advisories/23-Dec-2026 - Distinctive Edge for Docker Scanning.md`
---
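
Review bot: The advisory filename on the rewritten `Advisory Origin` line is dated `23-Dec-2026`, which is later than this commit's own date (2026-01-08), so the year looks like a carried-over typo. Since the path is being rewritten anyway, confirm the file exists under exactly this name in `docs/product/advisories/`, or correct the year in the same pass so the reference does not stay broken after the move.
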
@@ -399,7 +399,7 @@ All attestation operations include structured logging:
## References
### Advisory
- `docs/product-advisories/23-Dec-2026 - Distinctive Edge for Docker Scanning.md`
- `docs/product/advisories/23-Dec-2026 - Distinctive Edge for Docker Scanning.md`
### Gap Analysis
- `docs/implplan/analysis/3200_attestation_ecosystem_gap_analysis.md`

@@ -492,7 +492,7 @@ attestations/
- [Sigstore Documentation](https://docs.sigstore.dev/)
### Advisory
- [Original Advisory](../product-advisories/23-Dec-2026 - Distinctive Edge for Docker Scanning.md)
- [Original Advisory](../product/advisories/23-Dec-2026 - Distinctive Edge for Docker Scanning.md)
---
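
Review bot: The `[Original Advisory](...)` link destination on the rewritten line still contains raw spaces (`23-Dec-2026 - Distinctive Edge for Docker Scanning.md`), which CommonMark renderers do not accept as a link target. Other sprint docs in this commit encode the same kind of path with `%20`; do the same here or wrap the destination in angle brackets, otherwise the link stays dead at its new location.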

@@ -549,7 +549,7 @@ The following items were **intentionally out of scope** for Sprint 7100.0001.000
**Sprint Duration:** Multi-session implementation
**Velocity:** 100% of planned work completed
**Advisory Reference:** `docs/product-advisories/23-Dec-2026 - Proof-Driven Moats Stella Ops Can Ship.md` (archived)
**Advisory Reference:** `docs/product/advisories/23-Dec-2026 - Proof-Driven Moats Stella Ops Can Ship.md` (archived)
---
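
Review bot: The `Advisory Reference` line is marked "(archived)" but the rewritten path points at `docs/product/advisories/` directly, not at an `archived/` subfolder as other references in this commit do. Point the path at the file's actual archived location, or drop the "(archived)" marker, so a reader can resolve the advisory this sprint was built from.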

@@ -494,7 +494,7 @@ services.AddSingleton<IPatchRepository>(sp =>
**Sprint Duration:** Single session implementation
**Velocity:** 100% of planned work completed
**Advisory Reference:** `docs/product-advisories/23-Dec-2026 - Proof-Driven Moats Stella Ops Can Ship.md` (archived)
**Advisory Reference:** `docs/product/advisories/23-Dec-2026 - Proof-Driven Moats Stella Ops Can Ship.md` (archived)
**Parent Sprint:** SPRINT_7100_0001_0001 (Proof-Driven Moats Core)
---

@@ -17,7 +17,7 @@
## Documentation Prerequisites
- Sprint 4100.0002.0001 completion (KnowledgeSnapshotManifest, KnowledgeSourceDescriptor)
- `docs/product-advisories/20-Dec-2025 - Moat Explanation - Knowledge Snapshots and TimeTravel Replay.md`
- `docs/product/advisories/20-Dec-2025 - Moat Explanation - Knowledge Snapshots and TimeTravel Replay.md`
- `docs/24_OFFLINE_KIT.md`
---

@@ -20,7 +20,7 @@
## Documentation Prerequisites
- `docs/product-advisories/22-Dec-2026 - UI Patterns for Triage and Replay.md` (source advisory)
- `docs/product/advisories/22-Dec-2026 - UI Patterns for Triage and Replay.md` (source advisory)
- `src/__Libraries/StellaOps.Replay.Core/AGENTS.md`
- `docs/modules/snapshot/replay-yaml.md` (created with this sprint)
- `docs/modules/snapshot/merge-preview.md` (created with this sprint)

@@ -4,7 +4,7 @@
> **Priority:** P2
> **Module:** Frontend (Web)
> **Created:** 2025-12-26
> **Advisory:** [`25-Dec-2025 - Visual Diffs for Explainable Triage.md`](../product-advisories/25-Dec-2025%20-%20Visual%20Diffs%20for%20Explainable%20Triage.md)
> **Advisory:** [`25-Dec-2025 - Visual Diffs for Explainable Triage.md`](../product/advisories/25-Dec-2025%20-%20Visual%20Diffs%20for%20Explainable%20Triage.md)
---
@@ -357,5 +357,5 @@ export class PlainLanguageService {
## Related Documentation
- [Smart-Diff UI Architecture](../modules/web/smart-diff-ui-architecture.md)
- [Triage UI Lessons from Competitors](../product-advisories/25-Dec-2025%20-%20Triage%20UI%20Lessons%20from%20Competitors.md)
- [Implementing Diff-Aware Release Gates](../product-advisories/25-Dec-2025%20-%20Implementing%20Diff%E2%80%91Aware%20Release%20Gates.md)
- [Triage UI Lessons from Competitors](../product/advisories/25-Dec-2025%20-%20Triage%20UI%20Lessons%20from%20Competitors.md)
- [Implementing Diff-Aware Release Gates](../product/advisories/25-Dec-2025%20-%20Implementing%20Diff%E2%80%91Aware%20Release%20Gates.md)
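
Review bot: The "Implementing Diff-Aware Release Gates" link target encodes a non-breaking hyphen (`Diff%E2%80%91Aware`), so it only resolves if the file on disk keeps that exact U+2011 character after the folder move. Verify the moved file's name byte for byte, or rename it to use an ASCII hyphen and update the link, and run a link checker over the 599 touched files before merging.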

@@ -16,7 +16,7 @@
## Documentation Prerequisites
- `docs/modules/scanner/runtime-evidence.md`
- `docs/modules/signals/architecture.md`
- `docs/product-advisories/25-Dec-2025 - Evolving Evidence Models for Reachability.md`
- `docs/product/advisories/25-Dec-2025 - Evolving Evidence Models for Reachability.md`
## Context: What Already Exists

@@ -15,7 +15,7 @@
- `docs/modules/signals/architecture.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/excititor/architecture.md`
- `docs/product-advisories/25-Dec-2025 - Evolving Evidence Models for Reachability.md`
- `docs/product/advisories/25-Dec-2025 - Evolving Evidence Models for Reachability.md`
## Context: What Already Exists

@@ -5,7 +5,7 @@
> **Module:** BinaryIndex
> **Created:** 2025-12-26
> **Architecture:** [`docs/modules/binaryindex/architecture.md`](../modules/binaryindex/architecture.md)
> **Advisory:** [`26-Dec-2026 - Mapping a Binary Intelligence Graph.md`](../product-advisories/26-Dec-2026%20-%20Mapping%20a%20Binary%20Intelligence%20Graph.md) (SUPERSEDED)
> **Advisory:** [`26-Dec-2026 - Mapping a Binary Intelligence Graph.md`](../product/advisories/26-Dec-2026%20-%20Mapping%20a%20Binary%20Intelligence%20Graph.md) (SUPERSEDED)
---

@@ -20,8 +20,8 @@
## Documentation Prerequisites
- `docs/modules/web/smart-diff-ui-architecture.md` (REQUIRED - primary design reference)
- `docs/product-advisories/25-Dec-2025 - Visual Diffs for Explainable Triage.md`
- `docs/product-advisories/25-Dec-2025 - Triage UI Lessons from Competitors.md`
- `docs/product/advisories/25-Dec-2025 - Visual Diffs for Explainable Triage.md`
- `docs/product/advisories/25-Dec-2025 - Triage UI Lessons from Competitors.md`
- Angular 17 patterns in existing codebase
## Context: What Already Exists

@@ -19,7 +19,7 @@
- Can run in parallel with: Backend API work.
## Documentation Prerequisites
- `docs/product-advisories/25-Dec-2025 - Triage UI Lessons from Competitors.md`
- `docs/product/advisories/25-Dec-2025 - Triage UI Lessons from Competitors.md`
- `docs/modules/advisoryai/architecture.md`
- `src/VulnExplorer/StellaOps.VulnExplorer.Api/Models/` (existing models)
- Angular 17 component patterns

@@ -12,7 +12,7 @@
- Create authoritative "Unified Triage Experience" specification.
- Update smart-diff-ui-architecture.md to reflect current sprint structure.
- Archive original advisories with cross-reference preservation.
- **Working directory:** `docs/product-advisories/`, `docs/modules/web/`
- **Working directory:** `docs/product/advisories/`, `docs/modules/web/`
## Dependencies & Concurrency
- No technical dependencies; documentation-only sprint.

@@ -20,7 +20,7 @@ The VEX delta schema is designed in `ADVISORY_SBOM_LINEAGE_GRAPH.md` but not mig
## Related Documentation
- `docs/product-advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md` (Gap Analysis section)
- `docs/product/advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md` (Gap Analysis section)
- `docs/modules/sbomservice/lineage/architecture.md`
- `docs/modules/vex-lens/architecture.md`
- `docs/modules/excititor/architecture.md`
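
Review bot: The unchanged context line in this "Related Documentation" list cites `docs/modules/vex-lens/architecture.md`, while the sibling sprint doc in this same commit cites `docs/modules/vexlens/architecture.md`. Only one of those spellings can exist, so fix the stale one while these reference lists are being touched.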

@@ -28,7 +28,7 @@ This component does NOT exist in the current codebase and must be built from scr
## Related Documentation
- `docs/product-advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md` (Explainer section)
- `docs/product/advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md` (Explainer section)
- `docs/modules/policy/architecture.md` (ProofTrace format)
- `docs/modules/vexlens/architecture.md` (Consensus Engine)
- Existing: `src/app/features/lineage/components/why-safe-panel/` (similar concept, simpler)

@@ -30,7 +30,7 @@ The existing `DataTableComponent` in shared components provides a base, but need
## Related Documentation
- `docs/product-advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md` (Diff section)
- `docs/product/advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md` (Diff section)
- Existing: `src/app/features/lineage/components/lineage-sbom-diff/`
- Existing: `src/app/shared/components/data-table/`
- API: `GET /api/v1/lineage/{from}/compare?to={to}`

@@ -9,7 +9,7 @@
| **Working Directory** | `src/BinaryIndex/` |
| **Duration** | 4-6 weeks |
| **Dependencies** | None (foundational sprint) |
| **Advisory Source** | `docs/product-advisories/30-Dec-2025 - Binary Diff Signatures for Patch Detection.md` |
| **Advisory Source** | `docs/product/advisories/30-Dec-2025 - Binary Diff Signatures for Patch Detection.md` |
## Problem Statement
@@ -587,5 +587,5 @@ stella deltasig inspect
- [B2R2 GitHub](https://github.com/B2R2-org/B2R2)
- [B2R2 NuGet](https://www.nuget.org/packages/B2R2.FrontEnd.API/)
- [Product Advisory: Binary Diff Signatures](../product-advisories/30-Dec-2025%20-%20Binary%20Diff%20Signatures%20for%20Patch%20Detection.md)
- [Product Advisory: Golden Set for Patch Validation](../product-advisories/30-Dec-2025%20-%20Building%20a%20Golden%20Set%20for%20Patch%20Validation.md)
- [Product Advisory: Binary Diff Signatures](../product/advisories/30-Dec-2025%20-%20Binary%20Diff%20Signatures%20for%20Patch%20Detection.md)
- [Product Advisory: Golden Set for Patch Validation](../product/advisories/30-Dec-2025%20-%20Building%20a%20Golden%20Set%20for%20Patch%20Validation.md)

@@ -9,7 +9,7 @@
| **Working Directory** | `src/Attestor/` |
| **Duration** | 2-3 weeks |
| **Dependencies** | Existing DSSE infrastructure (complete) |
| **Advisory Source** | `docs/product-advisories/02-Dec-2025 - Designing offline DSSE + intoto attestations.md` |
| **Advisory Source** | `docs/product/advisories/02-Dec-2025 - Designing offline DSSE + intoto attestations.md` |
## Problem Statement
@@ -479,4 +479,4 @@ Response:
- [in-toto Specification](https://github.com/in-toto/attestation)
- [in-toto Link Predicate](https://github.com/in-toto/attestation/blob/main/spec/predicates/link.md)
- [SLSA Provenance](https://slsa.dev/provenance/v1)
- [Product Advisory: Offline DSSE + in-toto](../product-advisories/02-Dec-2025%20-%20Designing%20offline%20DSSE%20+%20intoto%20attestations.md)
- [Product Advisory: Offline DSSE + in-toto](../product/advisories/02-Dec-2025%20-%20Designing%20offline%20DSSE%20+%20intoto%20attestations.md)

@@ -9,7 +9,7 @@
| **Working Directory** | `src/VexLens/`, `src/Policy/` |
| **Duration** | 2-3 weeks |
| **Dependencies** | VexLens consensus engine (complete) |
| **Advisory Source** | `docs/product-advisories/30-Dec-2025 - Designing a Deterministic VEX Resolver.md` |
| **Advisory Source** | `docs/product/advisories/30-Dec-2025 - Designing a Deterministic VEX Resolver.md` |
## Problem Statement
@@ -593,6 +593,6 @@ public enum ConditionOutcome
## References
- [Product Advisory: Deterministic VEX Resolver](../product-advisories/30-Dec-2025%20-%20Designing%20a%20Deterministic%20VEX%20Resolver.md)
- [Product Advisory: Deterministic VEX Resolver](../product/advisories/30-Dec-2025%20-%20Designing%20a%20Deterministic%20VEX%20Resolver.md)
- [CycloneDX VEX](https://cyclonedx.org/use-cases/vulnerability-exploitability/)
- [OpenVEX Spec](https://github.com/openvex/spec)

@@ -355,6 +355,6 @@ public async Task FullPipeline_IsDeterministic(RegressionTestCase testCase)
## References
- [Product Advisory: Golden Set for Patch Validation](../product-advisories/30-Dec-2025%20-%20Building%20a%20Golden%20Set%20for%20Patch%20Validation.md)
- [Product Advisory: Golden Set for Patch Validation](../product/advisories/30-Dec-2025%20-%20Building%20a%20Golden%20Set%20for%20Patch%20Validation.md)
- [CycloneDX 1.7 Schema](https://cyclonedx.org/docs/1.7/)
- [Existing VexLens Truth Table Tests](../../src/VexLens/__Tests/StellaOps.VexLens.Tests/Consensus/VexLensTruthTableTests.cs)

@@ -10,7 +10,7 @@
| Working Directory | `src/Web/StellaOps.Web/` |
| Dependencies | None (backend APIs complete) |
| Blocking | None |
| Advisory | `docs-archived/product-advisories/06-Jan-2026 - Quiet-by-Default Triage with Attested Exceptions.md` |
| Advisory | `docs-archived/product/advisories/06-Jan-2026 - Quiet-by-Default Triage with Attested Exceptions.md` |
## Objective
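
Review bot: The `Advisory` row rewrites a path under `docs-archived/`, a different root from the `docs/` tree every other hunk targets. If the replace pattern matched `product-advisories/` anywhere, confirm that `docs-archived/product-advisories/` was actually moved to `docs-archived/product/advisories/` in this commit; otherwise this reference and the `Archived Advisory` one further down now point at a directory that does not exist.
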
@@ -274,7 +274,7 @@ Per `docs/ux/TRIAGE_UX_GUIDE.md`:
- **UX Guide**: `docs/ux/TRIAGE_UX_GUIDE.md`
- **Backend Contracts**: `src/Scanner/StellaOps.Scanner.WebService/Contracts/GatingContracts.cs`
- **Approval API**: `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ApprovalEndpoints.cs`
- **Archived Advisory**: `docs-archived/product-advisories/06-Jan-2026 - Quiet-by-Default Triage with Attested Exceptions.md`
- **Archived Advisory**: `docs-archived/product/advisories/06-Jan-2026 - Quiet-by-Default Triage with Attested Exceptions.md`
## Execution Log

@@ -8,7 +8,7 @@
## Executive Summary
Reviewed **7 unprocessed advisories** and **12 moat documents** from `docs/product-advisories/unprocessed/`. After cross-referencing with existing sprints, archived advisories, and implemented code, identified **3 new epic-level initiatives** and **5 enhancement opportunities** for existing features.
Reviewed **7 unprocessed advisories** and **12 moat documents** from `docs/product/advisories/unprocessed/`. After cross-referencing with existing sprints, archived advisories, and implemented code, identified **3 new epic-level initiatives** and **5 enhancement opportunities** for existing features.
---
@@ -212,13 +212,13 @@ Reviewed **7 unprocessed advisories** and **12 moat documents** from `docs/produ
These advisories have been processed or are reference-only:
```
docs/product-advisories/unprocessed/16-Dec-2025 - Reimagining ProofLinked UX in Security Workflows.md
docs/product/advisories/unprocessed/16-Dec-2025 - Reimagining ProofLinked UX in Security Workflows.md
→ Already processed (Status: PROCESSED in file)
docs/product-advisories/unprocessed/18-Dec-2025 - Designing Explainable Triage and ProofLinked Evidence.md
docs/product/advisories/unprocessed/18-Dec-2025 - Designing Explainable Triage and ProofLinked Evidence.md
→ Overlaps with 16-Dec, consolidate
docs/product-advisories/unprocessed/20-Dec-2025 - Branch · UX patterns worth borrowing from top scanners.md
docs/product/advisories/unprocessed/20-Dec-2025 - Branch · UX patterns worth borrowing from top scanners.md
→ Reference only, no actionable tasks
```
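
Review bot: The `18-Dec-2025 - Designing Explainable Triage and ProofLinked Evidence.md` entry in this list is placed under `docs/product/advisories/unprocessed/`, but the master plan hunk earlier in this commit references the same file directly under `docs/product/advisories/`. Decide which location is real after the move and make both references agree.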

@@ -393,7 +393,7 @@ curl http://localhost:5000/api/v1/verdicts/test-verdict-id
- **JSON Schema**: `docs/schemas/stellaops-policy-verdict.v1.schema.json`
- **Sprint Plan**: `docs/implplan/SPRINT_3000_0100_0001_signed_verdicts.md`
- **API Documentation**: `docs/policy/verdict-attestations.md`
- **Product Advisory**: `docs/product-advisories/23-Dec-2026 - Competitor Scanner UI Breakdown.md`
- **Product Advisory**: `docs/product/advisories/23-Dec-2026 - Competitor Scanner UI Breakdown.md`
## Contact & Escalation

@@ -134,7 +134,7 @@ docs/
│ └── scanner_schema_specification.md ⭐ DATABASE
├── api/
│ └── scanner-score-proofs-api.md ⭐ API CONTRACTS
└── product-advisories/
└── product/advisories/
└── archived/17-Dec-2025/
└── 16-Dec-2025 - Building a Deeper Moat Beyond Reachability.md (processed)
```
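
Review bot: In the directory tree, the node `└── product-advisories/` became `└── product/advisories/`, which puts two path levels on a single tree node while every other node in the drawing is one directory. Draw `product/` with `advisories/` nested beneath it (and re-indent the `archived/17-Dec-2025/` children one level) so the diagram matches the layout this commit creates.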

@@ -5,7 +5,7 @@
This implementation plan addresses gaps identified between the **14-Dec-2025 - Determinism and Reproducibility Technical Reference** advisory and the current StellaOps codebase. The plan follows the "ULTRATHINK" recommendations prioritizing high-value implementations while avoiding changes that don't align with StellaOps' architectural philosophy.
**Plan ID:** IMPL_3400
**Advisory Reference:** `docs/product-advisories/14-Dec-2025 - Determinism and Reproducibility Technical Reference.md`
**Advisory Reference:** `docs/product/advisories/14-Dec-2025 - Determinism and Reproducibility Technical Reference.md`
**Created:** 2025-12-14
**Status:** PLANNING

@@ -5,7 +5,7 @@
This implementation plan delivers **EPSS (Exploit Prediction Scoring System) v4** integration into StellaOps as a probabilistic threat signal alongside CVSS v4's deterministic severity assessment. EPSS provides daily-updated exploitation probability scores (0.0-1.0) from FIRST.org, transforming vulnerability prioritization from static severity to live risk intelligence.
**Plan ID:** IMPL_3410
**Advisory Reference:** `docs/product-advisories/unprocessed/16-Dec-2025 - Merging EPSS v4 with CVSS v4 Frameworks.md`
**Advisory Reference:** `docs/product/advisories/unprocessed/16-Dec-2025 - Merging EPSS v4 with CVSS v4 Frameworks.md`
**Created:** 2025-12-17
**Status:** APPROVED
**Target Completion:** Q2 2026
@@ -849,9 +849,9 @@ notify:
### A) Related Advisories
- `docs/product-advisories/14-Dec-2025 - Determinism and Reproducibility Technical Reference.md`
- `docs/product-advisories/14-Dec-2025 - Triage and Unknowns Technical Reference.md`
- `docs/product-advisories/archived/14-Dec-2025/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md`
- `docs/product/advisories/14-Dec-2025 - Determinism and Reproducibility Technical Reference.md`
- `docs/product/advisories/14-Dec-2025 - Triage and Unknowns Technical Reference.md`
- `docs/product/advisories/archived/14-Dec-2025/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md`
### B) Related Implementations

@@ -11,7 +11,7 @@
## 1. Executive Summary
This implementation program delivers four PostgreSQL pattern enhancements identified in the gap analysis of `docs/product-advisories/14-Dec-2025 - PostgreSQL Patterns Technical Reference.md`. These patterns strengthen StellaOps' data layer for determinism, multi-tenancy security, query performance, and operational efficiency.
This implementation program delivers four PostgreSQL pattern enhancements identified in the gap analysis of `docs/product/advisories/14-Dec-2025 - PostgreSQL Patterns Technical Reference.md`. These patterns strengthen StellaOps' data layer for determinism, multi-tenancy security, query performance, and operational efficiency.
### 1.1 Program Scope
@@ -326,4 +326,4 @@ This implementation program delivers four PostgreSQL pattern enhancements identi
- `docs/db/MIGRATION_STRATEGY.md` - Migration approach
- `docs/operations/postgresql-guide.md` - Operational runbook
- `docs/adr/0001-postgresql-for-control-plane.md` - Architecture decision
- `docs/product-advisories/14-Dec-2025 - PostgreSQL Patterns Technical Reference.md` - Source advisory
- `docs/product/advisories/14-Dec-2025 - PostgreSQL Patterns Technical Reference.md` - Source advisory

@@ -234,7 +234,7 @@ docs/implplan/archived/
├── SPRINT_3000_0100_0002_evidence_packs.md
└── SPRINT_3000_0100_0003_base_image.md
docs/product-advisories/archived/
docs/product/advisories/archived/
└── 23-Dec-2026 - Implementation Summary - Competitor Gap Closure.md
```

@@ -45,7 +45,7 @@
| 11 | CONCELIER-STORE-AOC-19-005-DEV | DONE | Dataset tarball generated via `scripts/concelier/build-store-aoc-19-005-dataset.sh` (`out/linksets/linksets-stage-backfill.tar.zst`, SHA256 recorded in runbook). Rehearsal executed against local Postgres 16 container (counts: linksets_raw=2, advisory_chunks_raw=3). | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Postgres`) | Execute raw-linkset backfill/rollback plan so Postgres reflects Link-Not-Merge data; rehearse rollback (dev/staging). |
| 12 | CONCELIER-TEN-48-001 | DONE (2025-11-28) | Created Tenancy module with `TenantScope`, `TenantCapabilities`, `TenantCapabilitiesResponse`, `ITenantCapabilitiesProvider`, and `TenantScopeNormalizer` per AUTH-TEN-47-001. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Enforce tenant scoping through normalization/linking; expose capability endpoint advertising `merge=false`; ensure events include tenant IDs. |
| 13 | CONCELIER-VEXLENS-30-001 | DONE (2025-12-05) | Implemented `IVexLensAdvisoryKeyProvider`, `VexLensCanonicalKey`, `VexLensCrossLinks`, `VexLensAdvisoryKeyProvider` with canonicalization per CONTRACT-ADVISORY-KEY-001 and CONTRACT-VEX-LENS-005. DI registration via `AddConcelierVexLensServices()`. | Concelier WebService Guild · VEX Lens Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Guarantee advisory key consistency and cross-links consumed by VEX Lens so consensus explanations cite Concelier evidence without merges. |
| 14 | CONCELIER-GAPS-115-014 | DONE (2025-12-02) | None; informs tasks 013. | Product Mgmt · Concelier Guild | Address Concelier ingestion gaps CI1CI10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed observation/linkset schemas and AOC guard, enforce denylist/allowlist via analyzers, require provenance/signature details, feed snapshot governance/staleness, deterministic conflict rules, canonical content-hash/idempotency keys, tenant isolation tests, connector sandbox limits, offline advisory bundle schema/verify, and shared fixtures/CI determinism. |
| 14 | CONCELIER-GAPS-115-014 | DONE (2025-12-02) | None; informs tasks 013. | Product Mgmt · Concelier Guild | Address Concelier ingestion gaps CI1CI10 from `docs/product/advisories/31-Nov-2025 FINDINGS.md`: publish signed observation/linkset schemas and AOC guard, enforce denylist/allowlist via analyzers, require provenance/signature details, feed snapshot governance/staleness, deterministic conflict rules, canonical content-hash/idempotency keys, tenant isolation tests, connector sandbox limits, offline advisory bundle schema/verify, and shared fixtures/CI determinism. |
## Execution Log
| Date (UTC) | Update | Owner |
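
Review bot: Row 14 (CONCELIER-GAPS-115-014) now points at `docs/product/advisories/31-Nov-2025 FINDINGS.md`, and November has no 31st day, so the filename is either misdated or the file does not exist under that name. Check the moved directory for the real file and correct the reference here and in the other rows that cite the same document, instead of carrying the bad name to the new path.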

@@ -48,7 +48,7 @@
| 6 | LEDGER-OBS-54-001 | DONE (2025-11-22) | `/v1/ledger/attestations` endpoint implemented with deterministic paging + filters hash; schema/OAS updated | Findings Ledger Guild; Provenance Guild / src/Findings/StellaOps.Findings.Ledger | Verify attestation references for ledger-derived exports; expose `/ledger/attestations` endpoint returning DSSE verification state and chain-of-custody summary |
| 7 | LEDGER-RISK-66-001 | DONE (2025-11-21) | PREP-LEDGER-RISK-66-001-RISK-ENGINE-SCHEMA-CO | Findings Ledger Guild; Risk Engine Guild / src/Findings/StellaOps.Findings.Ledger | Add schema migrations for `risk_score`, `risk_severity`, `profile_version`, `explanation_id`, and supporting indexes |
| 8 | LEDGER-RISK-66-002 | DONE (2025-11-21) | PREP-LEDGER-RISK-66-002-DEPENDS-ON-66-001-MIG | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Implement deterministic upsert of scoring results keyed by finding hash/profile version with history audit |
| 9 | LEDGER-GAPS-121-009 | DONE (2025-12-02) | Close FL1FL10 gaps from `docs/product-advisories/28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md`; align schemas/exports with advisory; depends on schema catalog refresh | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Remediate FL1FL10: publish versioned schemas/canonical JSON (events/projections/exports), Merkle + external anchor policy doc, tenant isolation + redaction manifest, DSSE/policy hash linkage, deterministic exports + golden fixtures, offline verifier script, replay/rebuild checksum guard, and quotas/backpressure metrics; update docs under `docs/modules/findings-ledger/`. |
| 9 | LEDGER-GAPS-121-009 | DONE (2025-12-02) | Close FL1FL10 gaps from `docs/product/advisories/28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md`; align schemas/exports with advisory; depends on schema catalog refresh | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | Remediate FL1FL10: publish versioned schemas/canonical JSON (events/projections/exports), Merkle + external anchor policy doc, tenant isolation + redaction manifest, DSSE/policy hash linkage, deterministic exports + golden fixtures, offline verifier script, replay/rebuild checksum guard, and quotas/backpressure metrics; update docs under `docs/modules/findings-ledger/`. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -56,7 +56,7 @@
| 2025-12-03 | Added Wave Coordination (Wave A done; no open tasksfuture work needs new wave/sprint). No status changes. | Project Mgmt |
| 2025-12-02 | Completed LEDGER-GAPS-121-009: added schema catalog + FL1FL10 gap report, Merkle/anchor policy, redaction manifest, DSSE linkage doc, golden export fixtures + checksums, offline verifier script with replay checksum guard, quota/backpressure metrics/code/tests. | Findings Ledger |
| 2025-12-02 | Started LEDGER-GAPS-121-009 (FL1FL10 remediation); status DOING; drafting schema catalog, Merkle/anchor policy, redaction manifest, offline verifier, and backpressure metrics. | Findings Ledger |
| 2025-12-01 | Added LEDGER-GAPS-121-009 to track FL1FL10 remediation from `docs/product-advisories/28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md`; status TODO pending schema catalog refresh. | Project Mgmt |
| 2025-12-01 | Added LEDGER-GAPS-121-009 to track FL1FL10 remediation from `docs/product/advisories/28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md`; status TODO pending schema catalog refresh. | Project Mgmt |
| 2025-12-02 | Clarified LEDGER-GAPS-121-009 outputs: schema catalog, Merkle/anchor policy, tenant isolation/redaction manifest, DSSE/policy linkage, deterministic exports + golden fixtures, offline verifier, replay checksums, and quotas/backpressure metrics. | Project Mgmt |
| 2025-11-25 | Moved all remaining BLOCKED tasks (OAS, ATTEST, OBS-55, PACKS) to new sprint `SPRINT_0121_0001_0002_policy_reasoning_blockers`; cleansed Delivery Tracker to active/completed items only. | Project Mgmt |
| 2025-11-22 | Implemented LEDGER-OBS-54-001: `/v1/ledger/attestations` endpoint with paging token + filters hash guard; OAS/schema updated; status set to DONE. | Findings Ledger |
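
Review bot: The Execution Log row dated 2025-12-01 is rewritten to cite `docs/product/advisories/...`, a path that only exists from this commit (2026-01-08) onward, so the dated entry no longer records what was true when it was written. Leave historical log rows as they were and add a new row recording the folder move, keeping the path rewrite to the live reference lines (task table, decisions and risks).
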
@@ -90,7 +90,7 @@
- LEDGER-OBS-54-001 delivered: `/v1/ledger/attestations` now live with deterministic paging + filters hash; downstream OBS-55-001 (incident mode) still blocked pending incident diagnostics contract.
- Current state: findings export endpoint and paging contracts implemented; VEX/advisory/SBOM endpoints stubbed (auth + shape) but await underlying projection/query schemas. Risk schema/implementation (LEDGER-RISK-66-001/002) delivered. Remaining blockers: OAS/SDK surface (61/62/63), attestation HTTP host (OBS-54/55), and packs time-travel contract (PACKS-42-001).
- Export endpoints now enforce filter hash + page token determinism for VEX/advisory/SBOMs but still return empty sets until backing projections land; downstream SDK/OAS tasks should treat payload shapes as stable.
- New advisory gaps (FL1FL10) tracked via LEDGER-GAPS-121-009; requires schema catalog refresh and alignment of Merkle/anchoring, redaction, DSSE linkage, and offline verify tooling with `docs/product-advisories/28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md` recommendations.
- New advisory gaps (FL1FL10) tracked via LEDGER-GAPS-121-009; requires schema catalog refresh and alignment of Merkle/anchoring, redaction, DSSE linkage, and offline verify tooling with `docs/product/advisories/28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md` recommendations.
- FL1FL10 remediation shipped: schema catalog + gap report, Merkle/anchor policy, redaction manifest (JSON/YAML), DSSE linkage guidance, golden export fixtures/checksums, offline verify script with replay checksum guard, and quota/backpressure metrics/tests wired into ledger service.
## Next Checkpoints

@@ -34,9 +34,9 @@
| 8 | AIRGAP-TIME-57-001 | DONE (2025-12-06) | Real Ed25519 Roughtime + RFC3161 SignedCms verification; TimeAnchorPolicyService added | AirGap Time Guild | Provide trusted time-anchor service & policy. |
| 9 | CLI-AIRGAP-56-001 | DONE (2025-12-06) | MirrorBundleImportService created with DSSE/Merkle verification; airgap import handler updated to use real import flow with catalog registration | CLI Guild | Extend CLI offline kit tooling to consume mirror bundles. |
| 10 | PROV-OBS-53-001 | DONE (2025-11-23) | Observer doc + verifier script `scripts/mirror/verify_thin_bundle.py` in repo; validates hashes, determinism, and manifest/index digests. | Security Guild | Define provenance observers + verification hooks. |
| 11 | OFFKIT-GAPS-125-011 | DONE (2025-12-02) | Bundle meta + offline policy layers + verifier updated; see milestone.json and bundle DSSE. | Product Mgmt · Mirror/AirGap Guilds | Address offline-kit gaps OK1OK10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: key manifest/rotation + PQ co-sign, tool hashing/signing, DSSE-signed top-level manifest linking all artifacts, checkpoint freshness/mirror metadata, deterministic packaging flags, inclusion of scan/VEX/policy/graph hashes, time anchor bundling, transport/chunking + chain-of-custody, tenant/env scoping, and scripted verify with negative-path guidance. |
| 12 | REKOR-GAPS-125-012 | DONE (2025-12-02) | Rekor policy layer + bundle meta/TUF DSSE; refer to `layers/rekor-policy.json`. | Product Mgmt · Mirror/AirGap · Attestor Guilds | Address Rekor v2/DSSE gaps RK1RK10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: enforce dsse/hashedrekord only, payload size preflight + chunk manifests, public/private routing policy, shard-aware checkpoints, idempotent submission keys, Sigstore bundles in kits, checkpoint freshness bounds, PQ dual-sign options, error taxonomy/backoff, policy/graph annotations in DSSE/bundles. |
| 13 | MIRROR-GAPS-125-013 | DONE (2025-12-02) | Mirror policy layer + tenant/env scope + verifier; see mirror-policy.json & bundle meta. | Product Mgmt · Mirror Creator Guild · AirGap Guild | Address mirror/offline strategy gaps MS1MS10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: signed/versioned mirror schemas, DSSE/TUF rotation policy (incl. PQ), delta spec with tombstones/base hash, time-anchor freshness enforcement, tenant/env scoping, distribution integrity for HTTP/OCI/object, chunking/size rules, standard verify script, metrics/alerts for build/import/verify, and SemVer/change log for mirror formats. |
| 11 | OFFKIT-GAPS-125-011 | DONE (2025-12-02) | Bundle meta + offline policy layers + verifier updated; see milestone.json and bundle DSSE. | Product Mgmt · Mirror/AirGap Guilds | Address offline-kit gaps OK1OK10 from `docs/product/advisories/31-Nov-2025 FINDINGS.md`: key manifest/rotation + PQ co-sign, tool hashing/signing, DSSE-signed top-level manifest linking all artifacts, checkpoint freshness/mirror metadata, deterministic packaging flags, inclusion of scan/VEX/policy/graph hashes, time anchor bundling, transport/chunking + chain-of-custody, tenant/env scoping, and scripted verify with negative-path guidance. |
| 12 | REKOR-GAPS-125-012 | DONE (2025-12-02) | Rekor policy layer + bundle meta/TUF DSSE; refer to `layers/rekor-policy.json`. | Product Mgmt · Mirror/AirGap · Attestor Guilds | Address Rekor v2/DSSE gaps RK1RK10 from `docs/product/advisories/31-Nov-2025 FINDINGS.md`: enforce dsse/hashedrekord only, payload size preflight + chunk manifests, public/private routing policy, shard-aware checkpoints, idempotent submission keys, Sigstore bundles in kits, checkpoint freshness bounds, PQ dual-sign options, error taxonomy/backoff, policy/graph annotations in DSSE/bundles. |
| 13 | MIRROR-GAPS-125-013 | DONE (2025-12-02) | Mirror policy layer + tenant/env scope + verifier; see mirror-policy.json & bundle meta. | Product Mgmt · Mirror Creator Guild · AirGap Guild | Address mirror/offline strategy gaps MS1MS10 from `docs/product/advisories/31-Nov-2025 FINDINGS.md`: signed/versioned mirror schemas, DSSE/TUF rotation policy (incl. PQ), delta spec with tombstones/base hash, time-anchor freshness enforcement, tenant/env scoping, distribution integrity for HTTP/OCI/object, chunking/size rules, standard verify script, metrics/alerts for build/import/verify, and SemVer/change log for mirror formats. |
## Execution Log
| Date (UTC) | Update | Owner |
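Review bot: the rewritten rows 11, 12 and 13 still point at `31-Nov-2025 FINDINGS.md`, a date that does not exist (November has 30 days), so please confirm that a file with exactly this name was moved to `docs/product/advisories/` and that the reference resolves after the rename. If the advisory is filed under a different name, this path move is the moment to correct the link. A link check over the changed docs would catch it either way.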

View File

@@ -31,8 +31,8 @@
| 2 | 140.B SBOM Service wave | DONE (2025-12-05) | Sprint 0142 complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002, SBOM-CONSOLE-23-001/002, SBOM-CONSOLE-23-101-STORAGE all DONE. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
| 3 | 140.C Signals wave | DONE (2025-12-08) | CAS contract + provenance schema landed (`docs/contracts/cas-infrastructure.md`, `docs/signals/provenance-24-003.md`, `docs/schemas/provenance-feed.schema.json`); SIGNALS-24-002/003 implemented. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
| 4 | 140.D Zastava wave | DONE (2025-11-28) | Sprint 0144 (Zastava Runtime Signals) complete: all ZASTAVA-ENV/SECRETS/SURFACE tasks DONE. | Zastava Observer/Webhook Guilds · Surface Guild | Prepare env/secret helpers and admission hooks; start once cache endpoints and helpers are published. |
| 5 | DECAY-GAPS-140-005 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Product Mgmt | Address decay gaps U1U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
| 6 | UNKNOWN-GAPS-140-006 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
| 5 | DECAY-GAPS-140-005 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Product Mgmt | Address decay gaps U1U10 from `docs/product/advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
| 6 | UNKNOWN-GAPS-140-006 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1UN10 from `docs/product/advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
| 7 | UNKNOWN-HEUR-GAPS-140-007 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Policy Guild · Product Mgmt | Remediate UT1UT10: publish signed heuristic catalog/schema with deterministic scoring formula, quality bands, waiver policy with DSSE, SLA coupling, offline kit packaging, observability/alerts, backfill plan, explainability UX fields/exports, and fixtures with golden outputs. |
| 9 | COSIGN-INSTALL-140 | DONE (2025-12-02) | cosign v3.0.2 installed at `/usr/local/bin/cosign`; repo fallback v2.6.0 staged under `tools/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). | Platform / Build Guild | Deliver cosign binary locally (no network dependency at signing time) or alternate signer; document path and version in Execution Log. |
| 8 | SIGNER-ASSIGN-140 | DONE (2025-12-02) | Signer designated: Signals Guild (Alice Carter); DSSE signing checkpoint remains 2025-12-05. | Signals Guild · Policy Guild | Name signer(s), record in Execution Log, and proceed to DSSE signing + Evidence Locker ingest. |

View File

@@ -6,7 +6,7 @@
- **Working directory:** `src/TaskRunner/StellaOps.TaskRunner`.
## Dependencies & Concurrency
- Upstream contracts now anchored in `docs/product-advisories/29-Nov-2025 - Task Pack Orchestration and Automation.md` + `docs/modules/taskrunner/architecture.md` (supersedes prior Sprint 120/130/140 wait).
- Upstream contracts now anchored in `docs/product/advisories/29-Nov-2025 - Task Pack Orchestration and Automation.md` + `docs/modules/taskrunner/architecture.md` (supersedes prior Sprint 120/130/140 wait).
- Single-thread on TASKRUN-41-001 until initial run API + storage implementation lands.
## Documentation Prerequisites
@@ -30,7 +30,7 @@
| 2025-11-25 | Carried forward TASKRUN-41-001 from Sprint 0157-0001-0001; awaiting upstream contracts before starting implementation. | Project Mgmt |
## Decisions & Risks
- Contract source of truth: `docs/product-advisories/29-Nov-2025 - Task Pack Orchestration and Automation.md` + `docs/modules/taskrunner/architecture.md` (plan hash, step types, API surface, Mongo model). Keep sprint tasks aligned to these docs.
- Contract source of truth: `docs/product/advisories/29-Nov-2025 - Task Pack Orchestration and Automation.md` + `docs/modules/taskrunner/architecture.md` (plan hash, step types, API surface, Mongo model). Keep sprint tasks aligned to these docs.
- Ensure Authority approval token claims (`pack_run_id`, `pack_gate_id`, `pack_plan_hash`) enforced before enabling approvals pause/resume.
- Downstream OAS/OBS/air-gap tasks now depend on integration work, not missing contracts; start sequencing in Sprint 0157-0001-0001.

View File

@@ -16,7 +16,7 @@
- docs/modules/platform/architecture-overview.md
- docs/modules/platform/architecture.md
- docs/modules/taskrunner/architecture.md
- docs/product-advisories/29-Nov-2025 - Task Pack Orchestration and Automation.md
- docs/product/advisories/29-Nov-2025 - Task Pack Orchestration and Automation.md
- docs/api/gateway/tenant-auth.md
- docs/task-packs/spec.md
- docs/task-packs/authoring-guide.md

View File

@@ -37,7 +37,7 @@
| 4 | RUNBOOK-REPLAY-187-004 | DONE (2025-12-10) | Runbook updated with retention schema hook. | Docs Guild / Ops Guild | Publish `/docs/runbooks/replay_ops.md` coverage for retention enforcement, RootPack rotation, verification drills. |
| 5 | CRYPTO-REGISTRY-DECISION-161 | DONE | Decision recorded in `docs/security/crypto-registry-decision-2025-11-18.md`; publish contract defaults. | Security Guild / Evidence Locker Guild | Capture decision from 2025-11-18 review; emit changelog + reference implementation for downstream parity. |
| 6 | EVID-CRYPTO-90-001 | DONE | Implemented; `MerkleTreeCalculator` now uses `ICryptoProviderRegistry` for sovereign crypto routing. | Evidence Locker Guild / Security Guild | Route hashing/signing/bundle encryption through `ICryptoProviderRegistry`/`ICryptoHash` for sovereign crypto providers. |
| 7 | EVID-GAPS-161-007 | DONE (2025-12-04) | EB1-EB10 closed; see plan `docs/modules/evidence-locker/eb-gaps-161-007-plan.md` and changelog `docs/modules/evidence-locker/CHANGELOG.md`. | Product Mgmt / Evidence Locker Guild / CLI Guild | Address EB1-EB10 from `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`: publish `bundle.manifest.schema.json` + `checksums.schema.json` (canonical JSON), hash/Merkle recipe doc, mandatory DSSE predicate/log policy, replay provenance block, chunking/CAS rules, incident-mode signed activation/exit, tenant isolation + redaction manifest, offline verifier script (`docs/modules/evidence-locker/verify-offline.md`), golden bundles/replay fixtures under `tests/EvidenceLocker/Bundles/Golden`, and SemVer/change-log updates. |
| 7 | EVID-GAPS-161-007 | DONE (2025-12-04) | EB1-EB10 closed; see plan `docs/modules/evidence-locker/eb-gaps-161-007-plan.md` and changelog `docs/modules/evidence-locker/CHANGELOG.md`. | Product Mgmt / Evidence Locker Guild / CLI Guild | Address EB1-EB10 from `docs/product/advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`: publish `bundle.manifest.schema.json` + `checksums.schema.json` (canonical JSON), hash/Merkle recipe doc, mandatory DSSE predicate/log policy, replay provenance block, chunking/CAS rules, incident-mode signed activation/exit, tenant isolation + redaction manifest, offline verifier script (`docs/modules/evidence-locker/verify-offline.md`), golden bundles/replay fixtures under `tests/EvidenceLocker/Bundles/Golden`, and SemVer/change-log updates. |
## Action Tracker
| Action | Owner(s) | Due | Status |
@@ -94,7 +94,7 @@
| 2025-11-20 | Completed PREP-EVID-REPLAY-187-001, PREP-CLI-REPLAY-187-002, and PREP-RUNBOOK-REPLAY-187-004; published prep docs at `docs/modules/evidence-locker/replay-payload-contract.md`, `docs/modules/cli/guides/replay-cli-prep.md`, and `docs/runbooks/replay_ops_prep_187_004.md`. | Implementer |
| 2025-11-20 | Added schema readiness and replay delivery prep notes for Evidence Locker Guild; see `docs/modules/evidence-locker/prep/2025-11-20-schema-readiness-blockers.md` and `.../2025-11-20-replay-delivery-sync.md`. Marked PREP-EVIDENCE-LOCKER-GUILD-BLOCKED-SCHEMAS-NO and PREP-EVIDENCE-LOCKER-GUILD-REPLAY-DELIVERY-GU DONE. | Implementer |
| 2025-11-27 | Completed EVID-CRYPTO-90-001: Extended `ICryptoProviderRegistry` with `ContentHashing` capability and `ResolveHasher` method; created `ICryptoHasher` interface with `DefaultCryptoHasher` implementation; wired `MerkleTreeCalculator` to use crypto registry for sovereign crypto routing; added `EvidenceCryptoOptions` for algorithm/provider configuration. | Implementer |
| 2025-12-01 | Added EVID-GAPS-161-007 to capture EB1-EB10 remediation from `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`. | Product Mgmt |
| 2025-12-01 | Added EVID-GAPS-161-007 to capture EB1-EB10 remediation from `docs/product/advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`. | Product Mgmt |
| 2025-12-02 | Scoped EVID-GAPS-161-007 deliverables: schemas + DSSE, Merkle recipe, replay provenance, chunk/CAS rules, incident governance, tenant redaction, offline verifier doc, golden fixtures path, and SemVer/change-log updates. | Project Mgmt |
| 2025-12-04 | Moved EVID-GAPS-161-007 to DOING; drafted EB1/EB2 schemas, offline verifier guide, gap plan, and golden fixtures path. | Project Mgmt |
| 2025-12-04 | Updated attestation, replay, incident-mode docs with DSSE subject=Merkle root, log policy, replay provenance block, and signed incident toggles; added CAS/Merkle rules to bundle packaging. | Implementer |
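Review bot: the 2025-12-01 Execution Log row is edited in place, so a dated history entry now cites `docs/product/advisories/archived/27-Nov-2025-superseded/`, the path this commit introduces rather than the one the row carried before. If the log is meant to be an append-only record, leave the old row as written and add a new dated row recording the move. If resolvable links matter more, keep the edit but record the relocation in the log.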

View File

@@ -52,7 +52,7 @@
| 10 | EXPORT-OAS-61-001 | DONE | OpenAPI v1 spec published with deterministic examples, ETag/versioning, and standard error envelopes. | Exporter Service Guild · API Contracts Guild | Update Exporter OAS covering profiles/runs/downloads with standard error envelope + examples. |
| 11 | EXPORT-OAS-61-002 | DONE | Discovery endpoint implemented with ETag, If-None-Match, Cache-Control headers. | Exporter Service Guild | `/.well-known/openapi` discovery endpoint with version metadata and ETag. |
| 12 | EXPORT-OAS-62-001 | DONE | SDK client project with interface, implementation, streaming/lifecycle helpers, and smoke tests. | Exporter Service Guild · SDK Generator Guild | Ensure SDKs include export profile/run clients with streaming helpers; add smoke tests. |
| 13 | EXPORT-GAPS-162-013 | DONE (2025-12-04) | None; informs tasks 112. | Product Mgmt · Exporter Guild · Evidence Locker Guild | Address EC1EC10 from `docs/product-advisories/28-Nov-2025 - Export Center and Reporting Strategy.md`: publish signed ExportProfile + manifest schemas with selector validation; define per-adapter determinism rules + rerun-hash CI; mandate DSSE/SLSA attestation with log metadata; enforce cross-tenant approval flow; require distribution integrity headers + OCI annotations; pin Trivy schema versions; formalize mirror delta/tombstone rules; document encryption/recipient policy; set quotas/backpressure; and produce offline export kit + verify script under `docs/modules/export-center/determinism.md` with fixtures in `src/ExportCenter/__fixtures`. |
| 13 | EXPORT-GAPS-162-013 | DONE (2025-12-04) | None; informs tasks 112. | Product Mgmt · Exporter Guild · Evidence Locker Guild | Address EC1EC10 from `docs/product/advisories/28-Nov-2025 - Export Center and Reporting Strategy.md`: publish signed ExportProfile + manifest schemas with selector validation; define per-adapter determinism rules + rerun-hash CI; mandate DSSE/SLSA attestation with log metadata; enforce cross-tenant approval flow; require distribution integrity headers + OCI annotations; pin Trivy schema versions; formalize mirror delta/tombstone rules; document encryption/recipient policy; set quotas/backpressure; and produce offline export kit + verify script under `docs/modules/export-center/determinism.md` with fixtures in `src/ExportCenter/__fixtures`. |
## Action Tracker
| Action | Owner(s) | Due | Status |
@@ -122,7 +122,7 @@
| 2025-11-20 | Completed PREP-EXPORT-AIRGAP-57-001: published export portable bundle contract at `docs/modules/export-center/prep/2025-11-20-export-airgap-57-001-prep.md`; status set to DONE. | Implementer |
| 2025-11-20 | Confirmed PREP-EXPORT-AIRGAP-57-001 unowned; set to DOING to begin airgap evidence export prep. | Planning |
| 2025-11-20 | Published prep docs for EXPORT airgap chain and attest (56-001/002/57-001/58-001/74-001) plus DVOFF-64-002; set P1P6 to DOING after confirming unowned. | Project Mgmt |
| 2025-12-01 | Added EXPORT-GAPS-162-013 to capture EC1EC10 remediation from `docs/product-advisories/28-Nov-2025 - Export Center and Reporting Strategy.md`. | Product Mgmt |
| 2025-12-01 | Added EXPORT-GAPS-162-013 to capture EC1EC10 remediation from `docs/product/advisories/28-Nov-2025 - Export Center and Reporting Strategy.md`. | Product Mgmt |
| 2025-12-02 | Clarified EXPORT-GAPS-162-013 deliverables: schemas with selector validation, per-adapter determinism + CI, attestation/log policy, tenant approval flow, integrity headers/OCI annotations, Trivy pinning, delta/tombstone rules, encryption policy, quotas/backpressure, offline kit verify script, and fixtures path. | Project Mgmt |
| 2025-11-20 | Published prep docs for DVOFF-64-002 and EXPORT-AIRGAP-56-001; set P1/P2 to DOING after confirming unowned. | Project Mgmt |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |

View File

@@ -81,7 +81,7 @@
- Risk alerts depend on POLICY-RISK-40-002 export; schedule slip would re-baseline RISK tasks.
- Keep Offline Kit parity for templates and secrets handling before enabling new endpoints.
- Advisory gap remediation (NR1NR10) added as NOTIFY-GAPS-171-014; requires schema/catalog refresh, tenant/approval enforcement, deterministic rendering, quotas/backpressure/DLQ, retry/idempotency policy, webhook/ack security, redaction/PII limits, observability SLO alerts, offline notify-kit with DSSE, and mandatory simulation evidence before activation.
- NOTIFY-GAPS-171-014 now scoped (see `docs/product-advisories/31-Nov-2025 FINDINGS.md` + `docs/notifications/gaps-nr1-nr10.md`); remediation requires publishing the schema catalog + DSSE, redaction/approval/observability docs, and offline notify-kit artefacts.
- NOTIFY-GAPS-171-014 now scoped (see `docs/product/advisories/31-Nov-2025 FINDINGS.md` + `docs/notifications/gaps-nr1-nr10.md`); remediation requires publishing the schema catalog + DSSE, redaction/approval/observability docs, and offline notify-kit artefacts.
- **Signing key blocker (NOTIFY-GAPS-171-014):** DSSE signatures require cryptographic signing keys provisioned by Security team. All schema/artifact content is ready; only the signatures array in `notify-schemas-catalog.dsse.json` and `notify-kit.manifest.dsse.json` remain empty. Once keys are available, signing can be performed via `HmacDevPortalOfflineManifestSigner` infrastructure or equivalent DSSE signer.
- **Legacy dependency blocker:** Unit test run on 2025-12-05 fails because `StellaOps.Notify.Storage.Mongo` project is missing while Worker still references `StellaOps.Notify.Storage.*` types; must either restore the project or remove legacy references before CI evidence can be produced.

View File

@@ -16,7 +16,7 @@
- docs/replay/TEST_STRATEGY.md
- docs/modules/scanner/architecture.md
- docs/modules/sbomer/architecture.md (for SPDX 3.0.1 tasks)
- Product advisory: `docs/product-advisories/27-Nov-2025 - Deep Architecture Brief - SBOM-First, VEX-Ready Spine.md`
- Product advisory: `docs/product/advisories/27-Nov-2025 - Deep Architecture Brief - SBOM-First, VEX-Ready Spine.md`
- SPDX 3.0.1 specification: https://spdx.github.io/spdx-spec/v3.0.1/
## Delivery Tracker

View File

@@ -16,7 +16,7 @@
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/signals/architecture.md`
- Product advisory: `docs/product-advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md`
- Product advisory: `docs/product/advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md`
- FIRST CVSS v4.0 Specification: https://www.first.org/cvss/v4-0/specification-document
- FIRST CVSS v4.0 Calculator: https://www.first.org/cvss/calculator/4-0
- Module AGENTS.md: Create `src/Policy/StellaOps.Policy.Scoring/AGENTS.md` as part of task 1
@@ -37,8 +37,8 @@
| 10 | CVSS-CLI-190-010 | DONE (2025-12-06) | Depends on 190-009 (API readiness). | CLI Guild (`src/Cli/StellaOps.Cli`) | CLI verbs shipped: `stella cvss score --vuln <id> --policy-file <path> --vector <cvss4>`, `stella cvss show <receiptId>`, `stella cvss history <receiptId>`, `stella cvss export <receiptId> --format json`. |
| 11 | CVSS-UI-190-011 | DONE (2025-12-07) | Implemented CVSS receipt viewer in Web console (`src/Web/StellaOps.Web`): route `/cvss/receipts/:receiptId`, standalone component with score badge, tabs (Base/Threat/Environmental/Evidence/Policy/History), and stub client. | UI Guild (`src/Web/StellaOps.Web`) | UI components: Score badge with CVSS-BTE label, tabbed receipt viewer (Base/Threat/Environmental/Supplemental/Evidence/Policy/History), "Recalculate with my env" button, export options. |
| 12 | CVSS-DOCS-190-012 | DONE (2025-12-07) | Docs updated (`cvss-v4.md`, API/CLI reference). | Docs Guild (`docs/modules/policy/cvss-v4.md`, `docs/09_API_CLI_REFERENCE.md`) | Document CVSS v4.0 scoring system: data model, policy format, API reference, CLI usage, UI guide, determinism guarantees. |
| 13 | CVSS-GAPS-190-013 | DONE (2025-12-01) | None; informs tasks 512. | Product Mgmt · Policy Guild | Address gap findings (CV1CV10) from `docs/product-advisories/25-Nov-2025 - Add CVSSv4.0 Score Receipts for Transparency.md`: policy lifecycle/replay, canonical hashing spec with test vectors, threat/env freshness, tenant-scoped receipts, v3.1→v4.0 conversion flagging, evidence CAS/DSSE linkage, append-only receipt rules, deterministic exports, RBAC boundaries, monitoring/alerts for DSSE/policy drift. |
| 14 | CVSS-GAPS-190-014 | DONE (2025-12-03) | Close CVM1CVM10 from `docs/product-advisories/25-Nov-2025 - Add CVSSv4.0 Score Receipts for Transparency.md`; depends on schema/hash publication and API/UI contracts | Policy Guild · Platform Guild | Remediated CVM1CVM10: updated `docs/modules/policy/cvss-v4.md` with canonical hashing/DSSE/export/profile guidance, added golden hash fixture under `tests/Policy/StellaOps.Policy.Scoring.Tests/Fixtures/hashing/`, and documented monitoring/backfill rules. |
| 13 | CVSS-GAPS-190-013 | DONE (2025-12-01) | None; informs tasks 512. | Product Mgmt · Policy Guild | Address gap findings (CV1CV10) from `docs/product/advisories/25-Nov-2025 - Add CVSSv4.0 Score Receipts for Transparency.md`: policy lifecycle/replay, canonical hashing spec with test vectors, threat/env freshness, tenant-scoped receipts, v3.1→v4.0 conversion flagging, evidence CAS/DSSE linkage, append-only receipt rules, deterministic exports, RBAC boundaries, monitoring/alerts for DSSE/policy drift. |
| 14 | CVSS-GAPS-190-014 | DONE (2025-12-03) | Close CVM1CVM10 from `docs/product/advisories/25-Nov-2025 - Add CVSSv4.0 Score Receipts for Transparency.md`; depends on schema/hash publication and API/UI contracts | Policy Guild · Platform Guild | Remediated CVM1CVM10: updated `docs/modules/policy/cvss-v4.md` with canonical hashing/DSSE/export/profile guidance, added golden hash fixture under `tests/Policy/StellaOps.Policy.Scoring.Tests/Fixtures/hashing/`, and documented monitoring/backfill rules. |
| 15 | CVSS-AGENTS-190-015 | DONE (2025-12-06) | None. | Policy Guild (`src/Policy/StellaOps.Policy.Gateway`) | Create/update `src/Policy/StellaOps.Policy.Gateway/AGENTS.md` covering CVSS receipt APIs (contracts, tests, determinism rules) so WebService work can proceed under implementer rules. |
| 16 | CVSS-AGENTS-190-016 | DONE (2025-12-06) | None. | Concelier Guild (`src/Concelier/AGENTS.md` + module docs) | Refresh Concelier AGENTS to allow CVSS v4.0 vector ingest tasks (190-008) with provenance requirements, offline posture, and policy alignment. |
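Review bot: rows 13 and 14 reference `25-Nov-2025 - Add CVSSv4.0 Score Receipts for Transparency.md` (no space in `CVSSv4.0`), while the Documentation Prerequisites entry rewritten earlier in this same file references `25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md`. Unless both files exist under `docs/product/advisories/`, one of these links is dead after the rename. Pick the name that matches the moved file and use it in both places; the 2025-12-01 Execution Log row in the next hunk uses the no-space form as well.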
@@ -106,6 +106,6 @@
| 2025-11-29 | CVSS-RECEIPT/DSSE/HISTORY tasks wired to PostgreSQL: added `policy.cvss_receipts` migration, `PostgresReceiptRepository`, DI registration, and integration test (`PostgresReceiptRepositoryTests`). Test run failed locally because Docker/Testcontainers not available; code compiles and unit tests still pass. | Implementer |
| 2025-11-29 | Marked tasks 812 BLOCKED: Concelier ingestion requires cross-module AGENTS; Policy WebService lacks AGENTS, so API/CLI/UI/DOCS cannot proceed under implementer rules. | Implementer |
| 2025-11-28 | Ran `dotnet test src/Policy/__Tests/StellaOps.Policy.Scoring.Tests` (Release); 35 tests passed. Adjusted MacroVector lookup for FIRST sample vectors; duplicate PackageReference warnings remain to be cleaned separately. | Implementer |
| 2025-12-01 | Added CVSS gap analysis `docs/product-advisories/25-Nov-2025 - Add CVSSv4.0 Score Receipts for Transparency.md` and created task CVSS-GAPS-190-013 to track remediation. | Product Mgmt |
| 2025-12-01 | Added CVSS gap analysis `docs/product/advisories/25-Nov-2025 - Add CVSSv4.0 Score Receipts for Transparency.md` and created task CVSS-GAPS-190-013 to track remediation. | Product Mgmt |
| 2025-12-01 | CVSS-GAPS-190-013 DONE: added canonical hashing (ReceiptCanonicalizer), tenant-scoped receipts with export hash placeholder, threat freshness metadata, evidence provenance fields, v3.1→v4.0 conversion helper, and hash-ordering determinism tests. | Implementer |
| 2025-12-02 | Expanded CVSS-GAPS-190-014 scope: added doc target `docs/modules/policy/cvss-v4.md`, replay/backfill rules, tenant/RBAC segregation, deterministic export profile, v3.1→v4.0 conversion flag, monitoring/alert requirements, and golden fixtures path. | Project Mgmt |

View File

@@ -39,7 +39,7 @@
| 16 | CLI-ATTEST-75-001 | DONE (2025-12-04) | Implemented `stella attest key create` with `HandleAttestKeyCreateAsync` handler; supports `--name`, `--algorithm` (ECDSA-P256/P384), `--password`, `--output`, `--format`, `--export-public`; uses FileKmsClient for encrypted key storage in ~/.stellaops/keys/; generates SPKI-format public keys; outputs table or JSON with key metadata. | CLI Attestor Guild · KMS Guild | Implement `stella attest key create` workflows. |
| 17 | CLI-ATTEST-75-002 | DONE (2025-12-04) | Implemented `stella attest bundle build` and `stella attest bundle verify` commands with `HandleAttestBundleBuildAsync` and `HandleAttestBundleVerifyAsync` handlers; builds audit bundles conforming to `audit-bundle-index.schema.json`; supports artifact filtering (`--include`), time window (`--from`, `--to`), compression (`--compress`), integrity verification (root hash, SHA256SUMS), policy compliance checks; output JSON/table. | CLI Attestor Guild · Export Guild | Add support for building/verifying attestation bundles in CLI. |
| 18 | CLI-HK-201-002 | DONE (2025-12-10) | Offline kit status contract and sample bundle available; tests updated. | DevEx/CLI Guild | Finalize status coverage tests for offline kit. |
| 19 | CLI-GAPS-201-003 | DONE (2025-12-01) | None; informs tasks 718. | Product Mgmt · DevEx/CLI Guild | Addressed CLI gaps CL1CL10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: versioned command/flag/exit-code spec with compatibility tests, deterministic output fixtures, auth key rotation/cleanup and audience validation, offline-kit import/verify contract, cosign verification on install/update, pinned buildx plugin digest + rollback, telemetry opt-in/off defaults, UX/a11y guidelines, structured errors/help, and checksum-enforced install paths (online/offline). |
| 19 | CLI-GAPS-201-003 | DONE (2025-12-01) | None; informs tasks 718. | Product Mgmt · DevEx/CLI Guild | Addressed CLI gaps CL1CL10 from `docs/product/advisories/31-Nov-2025 FINDINGS.md`: versioned command/flag/exit-code spec with compatibility tests, deterministic output fixtures, auth key rotation/cleanup and audience validation, offline-kit import/verify contract, cosign verification on install/update, pinned buildx plugin digest + rollback, telemetry opt-in/off defaults, UX/a11y guidelines, structured errors/help, and checksum-enforced install paths (online/offline). |
## Wave Coordination
- Single-wave delivery; no staggered waves defined.

View File

@@ -36,7 +36,7 @@
| 10 | GRAPH-API-28-010 | DONE (2025-11-26) | GRAPH-API-28-009 | Graph API Guild · QA Guild (`src/Graph/StellaOps.Graph.Api`) | Build unit/integration/load tests with synthetic datasets (500k nodes/2M edges), fuzz query validation, verify determinism across runs. |
| 11 | GRAPH-API-28-011 | DONE (2025-11-26) | GRAPH-API-28-010 | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Provide deployment manifests, offline kit support, API gateway integration docs, and smoke tests. |
| 12 | GRAPH-INDEX-28-011 | DONE (2025-11-04) | Downstream consumption by API once overlays ready | Graph Indexer Guild (`src/Graph/StellaOps.Graph.Indexer`) | Wire SBOM ingest runtime to emit graph snapshot artifacts, add DI factory helpers, and document Mongo/snapshot environment guidance. |
| 13 | GRAPH-ANALYTICS-GAPS-207-013 | DONE (2025-12-02) | None; informs tasks 112. | Product Mgmt · Graph API Guild · Graph Indexer Guild | Address graph analytics gaps GA1GA10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: versioned analytics schemas, deterministic seeds/rerun-hash CI, privacy/tenant redaction rules, baseline datasets/fixtures, performance budgets/quotas, explainability metadata (inputs/seeds/revision), checksum+DSSE for exports, algorithm versioning, offline analytics bundle schema, and SemVer/change-log governance. |
| 13 | GRAPH-ANALYTICS-GAPS-207-013 | DONE (2025-12-02) | None; informs tasks 112. | Product Mgmt · Graph API Guild · Graph Indexer Guild | Address graph analytics gaps GA1GA10 from `docs/product/advisories/31-Nov-2025 FINDINGS.md`: versioned analytics schemas, deterministic seeds/rerun-hash CI, privacy/tenant redaction rules, baseline datasets/fixtures, performance budgets/quotas, explainability metadata (inputs/seeds/revision), checksum+DSSE for exports, algorithm versioning, offline analytics bundle schema, and SemVer/change-log governance. |
## Wave Coordination
- Wave 1 · API surface and overlays: GRAPH-API-28-001..011 (sequential pipeline).

View File

@@ -101,7 +101,7 @@
| 2025-12-04 | Added `scripts/storybook.js` wrapper and updated npm scripts. Clean install in temp copy succeeded; `storybook:build` now fails with SB_FRAMEWORK_ANGULAR_0001 (needs Angular Storybook builder migration) and `test:a11y` timed out waiting for dev server. Action #9 remains BLOCKED pending migration and rerun of Storybook + a11y smoke. | Implementer |
| 2025-12-04 | Ran Storybook automigrate in clean copy, applied Angular builder targets, updated stories glob, and added @storybook/test/@chromatic-com/storybook. Synced changes into workspace and ran `npm install`; however `ng run stellaops-web:build-storybook` still exits non-zero with no output (Angular CLI appears to hang in this environment). Action #10 remains DOING; tests still blocked. | Implementer |
| 2025-12-04 | Confirmed canonical Angular workspace is `src/Web/StellaOps.Web` (not `src/Web/StellaOps.Web`); updated working directory, blockers, and Action #7 accordingly. Graph blockers now tied to generated `graph:*` SDK scopes. | Project mgmt |
| 2025-12-04 | Published canonical UI Micro-Interactions advisory (`docs/product-advisories/30-Nov-2025 - UI Micro-Interactions for StellaOps.md`). UI-MICRO-GAPS-0209-011 remains BLOCKED pending motion token catalog + a11y/Storybook/Playwright harness in `src/Web/StellaOps.Web`. | Project mgmt |
| 2025-12-04 | Published canonical UI Micro-Interactions advisory (`docs/product/advisories/30-Nov-2025 - UI Micro-Interactions for StellaOps.md`). UI-MICRO-GAPS-0209-011 remains BLOCKED pending motion token catalog + a11y/Storybook/Playwright harness in `src/Web/StellaOps.Web`. | Project mgmt |
| 2025-12-04 | Earlier note: UI-MICRO-GAPS-0209-011 was marked BLOCKED when advisory was still pending and `src/Web/StellaOps.Web` was empty; superseded by publication + path correction the same day. | Project mgmt |
| 2025-12-03 | Marked UI-GRAPH-24-001/002/003/004/006 BLOCKED: UI path was empty and `graph:*` scope SDK exports were missing; will re-evaluate after path correction and SDK delivery. | Implementer |
| 2025-11-27 | UI-GRAPH-21-001: Created stub `StellaOpsScopes` exports and integrated auth configuration into Graph Explorer. Created `scopes.ts` with: typed scope constants (`GRAPH_READ`, `GRAPH_WRITE`, `GRAPH_ADMIN`, `GRAPH_EXPORT`, `GRAPH_SIMULATE` and scopes for SBOM, Scanner, Policy, Exception, Release, AOC, Admin domains), scope groupings (`GRAPH_VIEWER`, `GRAPH_EDITOR`, `GRAPH_ADMIN`, `RELEASE_MANAGER`, `SECURITY_ADMIN`), human-readable labels, and helper functions (`hasScope`, `hasAllScopes`, `hasAnyScope`). Created `auth.service.ts` with `AuthService` interface and `MockAuthService` implementation providing: user info with tenant context, scope-based permission methods (`canViewGraph`, `canEditGraph`, `canExportGraph`, `canSimulate`). Integrated into `GraphExplorerComponent` via `AUTH_SERVICE` injection token: added computed signals for scope-based permissions (`canViewGraph`, `canEditGraph`, `canExportGraph`, `canSimulate`, `canCreateException`), current user info, and user scopes list. Stub implementation allows Graph Explorer development to proceed; will be replaced by generated SDK exports from SPRINT_0208_0001_0001_sdk. Files added: `src/app/core/auth/scopes.ts`, `src/app/core/auth/auth.service.ts`, `src/app/core/auth/index.ts`. Files updated: `graph-explorer.component.ts`. | UI Guild |
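Review bot: this rewrites a dated Execution Log row (2025-12-04, "Published canonical UI Micro-Interactions advisory") so that it names a path introduced by this commit, which makes the log no longer a record of what was written on that date. The unchanged row just above it shows the cost: it reads "canonical Angular workspace is `src/Web/StellaOps.Web` (not `src/Web/StellaOps.Web`)" with both sides identical, which looks like the result of an earlier rewrite and leaves the original wrong path unrecoverable. Suggest leaving historical rows as written and adding one new dated row that records the move from `docs/product-advisories/` to `docs/product/advisories/`.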

View File

@@ -18,8 +18,8 @@
- `docs/modules/ui/architecture.md`
- `docs/modules/vuln-explorer/architecture.md`
- `docs/modules/vex-lens/architecture.md`
- `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md` (canonical)
- `docs/product-advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md`
- `docs/product/advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md` (canonical)
- `docs/product/advisories/archived/27-Nov-2025-superseded/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md`
- `docs/schemas/vex-decision.schema.json`
- `docs/schemas/audit-bundle-index.schema.json`
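Review bot: both updated prerequisite entries keep the advisory under `archived/27-Nov-2025-superseded/`, yet the first is labelled "(canonical)" and carries the date 28-Nov-2025, a day later than the folder name. While these lines are being touched, either state here why a canonical prerequisite lives in a superseded archive or point at its current location, so a reader does not take the prerequisite for retired.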
@@ -64,7 +64,7 @@
| 36 | TS-10-001 | DONE | Evidence: `src/Web/StellaOps.Web/src/app/core/api/evidence.models.ts`; `src/Web/StellaOps.Web/src/app/core/api/vex-decisions.models.ts` | UI Guild (src/Web/StellaOps.Web) | Create TypeScript interfaces for VexDecision, SubjectRef, EvidenceRef, VexScope, ValidFor per advisory. |
| 37 | TS-10-002 | DONE | Evidence: `src/Web/StellaOps.Web/src/app/core/api/attestation-vuln-scan.models.ts` | UI Guild (src/Web/StellaOps.Web) | Create TypeScript interfaces for VulnScanAttestation, AttestationSubject, VulnScanPredicate per advisory. |
| 38 | TS-10-003 | DONE | Evidence: `src/Web/StellaOps.Web/src/app/core/api/audit-bundles.models.ts` | UI Guild (src/Web/StellaOps.Web) | Create TypeScript interfaces for AuditBundleIndex, BundleArtifact, BundleVexDecisionEntry per advisory. |
| 39 | DOC-11-001 | DONE | Evidence: `docs/key-features.md`; `docs/07_HIGH_LEVEL_ARCHITECTURE.md` | Docs Guild (docs/) | Update high-level positioning for VEX-first triage: refresh docs/key-features.md and docs/07_HIGH_LEVEL_ARCHITECTURE.md with UX/audit bundle narrative; link `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`. |
| 39 | DOC-11-001 | DONE | Evidence: `docs/key-features.md`; `docs/07_HIGH_LEVEL_ARCHITECTURE.md` | Docs Guild (docs/) | Update high-level positioning for VEX-first triage: refresh docs/key-features.md and docs/07_HIGH_LEVEL_ARCHITECTURE.md with UX/audit bundle narrative; link `docs/product/advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`. |
| 40 | DOC-11-002 | DONE | Evidence: `docs/modules/ui/architecture.md` | Docs Guild; UI Guild | Update docs/modules/ui/architecture.md with triage workspace + VEX modal flows; add schema links and advisory cross-references. |
| 41 | DOC-11-003 | DONE | Evidence: `docs/modules/vuln-explorer/architecture.md`; `docs/modules/export-center/architecture.md` | Docs Guild; Vuln Explorer Guild; Export Center Guild | Update docs/modules/vuln-explorer/architecture.md and docs/modules/export-center/architecture.md with VEX decision/audit bundle API surfaces and schema references. |
| 42 | TRIAGE-GAPS-215-042 | DONE | Evidence: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TimeToEvidenceMetrics.cs`; `docs/schemas/tte-event.schema.json`; Schemas (SCHEMA-08-*) already published | UI Guild · Platform Guild | Remediate VT1VT10: publish signed schemas + canonical JSON, enforce evidence linkage (graph/policy/attestations), tenant/RBAC controls, deterministic ordering/pagination, a11y standards, offline triage-kit exports, supersedes/conflict rules, attestation verification UX, redaction policy, UX telemetry/SLIs with alerts. |
@@ -128,7 +128,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-28 | Sprint created from product advisory `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`. 38 tasks defined across 5 UI task groups, 2 API task groups, 3 schema tasks, 3 DTO tasks, 3 TS interface tasks. | Project mgmt |
| 2025-11-28 | Sprint created from product advisory `docs/product/advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`. 38 tasks defined across 5 UI task groups, 2 API task groups, 3 schema tasks, 3 DTO tasks, 3 TS interface tasks. | Project mgmt |
| 2025-11-30 | Added DOC-11-* doc-sync tasks per advisory handling rules; no scope change to delivery waves. | Project mgmt |
| 2025-11-30 | Marked UI-TRIAGE-01-001 and TS-10-* tasks BLOCKED because src/Web/StellaOps.Web lacks Angular workspace; awaiting restoration to proceed. | UI Guild |
| 2025-12-01 | Added TRIAGE-GAPS-215-042 to track VT1VT10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending schema publication and UI workspace bootstrap. | Project Mgmt |

View File

@@ -1,10 +1,10 @@
# Sprint 0336.0001.0001 - Product Advisories (14-Dec-2025) Thematic References
## Topic & Scope
- Distill raw advisories under `docs/product-advisories/archived/14-Dec-2025/` into 12 themed technical references under `docs/product-advisories/`.
- Distill raw advisories under `docs/product/advisories/archived/14-Dec-2025/` into 12 themed technical references under `docs/product/advisories/`.
- Ensure each themed reference is complete, non-repetitive, and developer-usable (schemas/checklists; no chatty prose).
- Evidence: updated themed docs with coverage mapping and placeholder/schema cleanups.
- **Working directory:** `docs/product-advisories`.
- **Working directory:** `docs/product/advisories`.
## Dependencies & Concurrency
- None (documentation-only). Safe to execute in parallel with code sprints.
@@ -13,27 +13,27 @@
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/AGENTS.md`
- Source set: `docs/product-advisories/archived/14-Dec-2025/`
- Source set: `docs/product/advisories/archived/14-Dec-2025/`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | ADV-0336-001 | DONE (2025-12-14) | Source corpus exists; start with coverage diff. | Docs Guild (`docs/product-advisories`) | Inventory 51 raw advisories and 12 themed docs; map sources to themes and identify gaps. |
| 2 | ADV-0336-002 | DONE (2025-12-14) | After #1. | Docs Guild (`docs/product-advisories`) | Fill missing technical content in themed docs (GraphRevisionID, reachability query/caching, bench harness rules, Postgres decision checklists, provenance-rich binaries). |
| 3 | ADV-0336-003 | DONE (2025-12-14) | After #2. | Docs Guild (`docs/product-advisories`) | Normalize schema placeholders and remove unusable artifacts in technical references. |
| 4 | ADV-0336-004 | DONE (2025-12-14) | After #3. | Docs Guild (`docs/product-advisories`) | Validate coverage: every raw advisory referenced by at least one themed doc; no external/chatty prose remains. |
| 1 | ADV-0336-001 | DONE (2025-12-14) | Source corpus exists; start with coverage diff. | Docs Guild (`docs/product/advisories`) | Inventory 51 raw advisories and 12 themed docs; map sources to themes and identify gaps. |
| 2 | ADV-0336-002 | DONE (2025-12-14) | After #1. | Docs Guild (`docs/product/advisories`) | Fill missing technical content in themed docs (GraphRevisionID, reachability query/caching, bench harness rules, Postgres decision checklists, provenance-rich binaries). |
| 3 | ADV-0336-003 | DONE (2025-12-14) | After #2. | Docs Guild (`docs/product/advisories`) | Normalize schema placeholders and remove unusable artifacts in technical references. |
| 4 | ADV-0336-004 | DONE (2025-12-14) | After #3. | Docs Guild (`docs/product/advisories`) | Validate coverage: every raw advisory referenced by at least one themed doc; no external/chatty prose remains. |
## Wave Coordination
- N/A (single wave).
## Wave Detail Snapshots
- 2025-12-14: Consolidation completed; see Execution Log and themed doc list under `docs/product-advisories/`.
- 2025-12-14: Consolidation completed; see Execution Log and themed doc list under `docs/product/advisories/`.
## Interlocks
- None.
## Upcoming Checkpoints
- None scheduled; re-open if new advisories land under `docs/product-advisories/**`.
- None scheduled; re-open if new advisories land under `docs/product/advisories/**`.
## Action Tracker
| Action | Owner | Due | Status |
@@ -48,5 +48,5 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-14 | Sprint created and completed: consolidated 14-Dec-2025 advisory set into themed technical references; added missing content (graphRevisionId/receipts, reachability methods, bench/packaging rules, Postgres checklists, provenance-rich binaries) and cleaned schema placeholders. Evidence: `docs/product-advisories/*.md`. | Docs Guild |
| 2025-12-14 | Sprint created and completed: consolidated 14-Dec-2025 advisory set into themed technical references; added missing content (graphRevisionId/receipts, reachability methods, bench/packaging rules, Postgres checklists, provenance-rich binaries) and cleaned schema placeholders. Evidence: `docs/product/advisories/*.md`. | Docs Guild |

View File

@@ -1,12 +1,12 @@
# Sprint 0337.0001.0001 - CVSS Advisory Technical Enhancement
## Topic & Scope
- Enhance `docs/product-advisories/14-Dec-2025 - CVSS and Competitive Analysis Technical Reference.md` with:
- Enhance `docs/product/advisories/14-Dec-2025 - CVSS and Competitive Analysis Technical Reference.md` with:
1. CVSS v4.0 MacroVector scoring system explanation
2. Threat Metrics multipliers documentation
3. Receipt system overview
4. KEV integration formula
- **Working directory:** `docs/product-advisories`
- **Working directory:** `docs/product/advisories`
## Dependencies & Concurrency
- None (documentation-only). Safe to execute in parallel with code sprints.
@@ -15,7 +15,7 @@
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/product-advisories/14-Dec-2025 - CVSS and Competitive Analysis Technical Reference.md`
- `docs/product/advisories/14-Dec-2025 - CVSS and Competitive Analysis Technical Reference.md`
- Source implementation: `src/Policy/StellaOps.Policy.Scoring/`
## Delivery Tracker

View File

@@ -6,7 +6,7 @@
- **Priority:** P0 (Critical)
- **Working directory:** `src/AirGap/StellaOps.AirGap.Importer/` (primary); allowed cross-module edits: `src/AirGap/StellaOps.AirGap.Storage.Postgres/`, `src/AirGap/StellaOps.AirGap.Storage.Postgres.Tests/`, `tests/AirGap/StellaOps.AirGap.Importer.Tests/`.
- **Related modules:** `StellaOps.AirGap.Controller`, `StellaOps.ExportCenter.Core`
- **Source advisory:** `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md`
- **Source advisory:** `docs/product/advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md`
- **Gaps addressed:** G6 (Monotonicity), G7 (Quarantine)
## Dependencies & Concurrency
@@ -18,7 +18,7 @@
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/airgap/mirror-dsse-plan.md`
- `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md`
- `docs/product/advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md`
## Delivery Tracker

View File

@@ -13,7 +13,7 @@ Complete missing CVSS and EPSS infrastructure identified in advisory gap analysi
- Can run in parallel with documentation sprints
## Documentation Prerequisites
- `docs/product-advisories/14-Dec-2025 - CVSS and Competitive Analysis Technical Reference.md`
- `docs/product/advisories/14-Dec-2025 - CVSS and Competitive Analysis Technical Reference.md`
- FIRST CVSS v4.0 Specification (external)
- FIRST EPSS Documentation (external)
- `src/Policy/StellaOps.Policy.Scoring/Engine/CvssV4Engine.cs`

View File

@@ -350,7 +350,7 @@ public static IServiceCollection AddTimeToFirstSignalMetrics(
## 5. References
- Advisory: `docs/product-advisories/14-Dec-2025 - UX and Time-to-Evidence Technical Reference.md`
- Advisory: `docs/product/advisories/14-Dec-2025 - UX and Time-to-Evidence Technical Reference.md`
- Pattern: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TimeToEvidenceMetrics.cs`
- Schema Pattern: `docs/schemas/tte-event.schema.json`
- Database Spec: `docs/db/SPECIFICATION.md`

View File

@@ -4,7 +4,7 @@
- Priority: P1 (High) · Gap: G4 (CLI Commands)
- Working directory: `src/Cli/StellaOps.Cli/` (tests: `src/Cli/__Tests/StellaOps.Cli.Tests/`; docs: `docs/modules/cli/**`)
- Related modules: `StellaOps.AirGap.Importer`, `StellaOps.Cli.Services`
- Source advisory: `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` (A12) · Exit codes: A11
- Source advisory: `docs/product/advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` (A12) · Exit codes: A11
**Sprint ID:** SPRINT_0339_0001_0001
**Topic:** CLI `offline` Command Group Implementation
@@ -62,7 +62,7 @@ stellaops verify offline \
## Documentation Prerequisites
- `docs/modules/cli/architecture.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md`
- `docs/product/advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md`
## Delivery Tracker
@@ -72,11 +72,11 @@ stellaops verify offline \
| 2 | T2 | DONE | Implemented `OfflineCommandGroup` and wired into `CommandFactory`. | DevEx/CLI Guild | Create `OfflineCommandGroup` class. |
| 3 | T3 | DONE | Implemented `offline import` with manifest/hash validation, monotonicity checks, and quarantine hooks. | DevEx/CLI Guild | Implement `offline import` command (core import flow). |
| 4 | T4 | DONE | Implemented `--verify-dsse` via `DsseVerifier` (requires `--trust-root`) and added tests. | DevEx/CLI Guild | Add `--verify-dsse` flag handler. |
| 5 | T5 | DONE | Implement offline Rekor receipt inclusion proof + checkpoint signature verification per `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §13. | DevEx/CLI Guild | Add `--verify-rekor` flag handler. |
| 5 | T5 | DONE | Implement offline Rekor receipt inclusion proof + checkpoint signature verification per `docs/product/advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §13. | DevEx/CLI Guild | Add `--verify-rekor` flag handler. |
| 6 | T6 | DONE | Implemented deterministic trust-root loading (`--trust-root`). | DevEx/CLI Guild | Add `--trust-root` option. |
| 7 | T7 | DONE | Enforced `--force-reason` when forcing activation and persisted justification. | DevEx/CLI Guild | Add `--force-activate` flag. |
| 8 | T8 | DONE | Implemented `offline status` with table/json outputs. | DevEx/CLI Guild | Implement `offline status` command. |
| 9 | T9 | DONE | Implement `verify offline` using the policy schema in `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` §4 plus deterministic evidence reconciliation outputs. | DevEx/CLI Guild | Implement `verify offline` command. |
| 9 | T9 | DONE | Implement `verify offline` using the policy schema in `docs/product/advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` §4 plus deterministic evidence reconciliation outputs. | DevEx/CLI Guild | Implement `verify offline` command. |
| 10 | T10 | DONE | Add YAML+JSON policy loader with deterministic parsing/canonicalization rules; share with AirGap reconciliation. | DevEx/CLI Guild | Add `--policy` option parser. |
| 11 | T11 | DONE | Standardized `--output table|json` formatting for offline verbs. | DevEx/CLI Guild | Create output formatters (table, json). |
| 12 | T12 | DONE | Added progress reporting for bundle hashing when bundle size exceeds threshold. | DevEx/CLI Guild | Implement progress reporting. |
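Review bot: rows T5 and T9 cite the moved advisories by path plus section number (§13 for the Rekor receipt inclusion proof and checkpoint signature verification, §4 for the `verify offline` policy schema), and nothing in the hunk lets a reader confirm the targets still resolve after the move. These rows are the pointer to the specification of the verification behaviour, so a dead path here is worth catching mechanically. Suggest running a docs path check over the backticked `docs/...` references as part of this change instead of relying on the text replacement alone.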

View File

@@ -7,7 +7,7 @@ Address documentation gaps identified in competitive analysis and benchmarking i
3. Publish accuracy metrics framework
4. Document performance baselines
5. Create claims citation index
- **Working directory:** `docs/market/`, `docs/benchmarks/`, `docs/product-advisories/`
- **Working directory:** `docs/market/`, `docs/benchmarks/`, `docs/product/advisories/`
## Dependencies & Concurrency
- Depends on: Existing competitive docs in `docs/market/`

View File

@@ -10,7 +10,7 @@
- `src/Cli/StellaOps.Cli/Services/` (ProblemDetails parsing integration)
- `src/Cli/StellaOps.Cli/Services/Transport/` (SDK client ProblemDetails parsing integration)
- `src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres/` (audit schema)
- **Source advisory:** `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` (§10, §11, §13)
- **Source advisory:** `docs/product/advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` (§10, §11, §13)
- **Gaps addressed:** G11 (Prometheus Metrics), G12 (Structured Logging), G13 (Error Codes), G14 (Audit Schema)
## Dependencies & Concurrency
@@ -20,7 +20,7 @@
- Concurrency note: touches AirGap Importer + CLI + Authority storage; avoid cross-module contract changes without recording them in this sprints Decisions & Risks.
## Documentation Prerequisites
- `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md`
- `docs/product/advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md`
- `docs/airgap/airgap-mode.md`
- `docs/airgap/advisory-implementation-roadmap.md`
- `docs/modules/platform/architecture-overview.md`

View File

@@ -25,7 +25,7 @@ Implement the 5-step deterministic evidence reconciliation algorithm as specifie
- Concurrency note: this sprint introduces new reconciliation contracts; avoid cross-module coupling until the graph schema is agreed and documented.
## Documentation Prerequisites
- `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` (§5)
- `docs/product/advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` (§5)
- `docs/airgap/airgap-mode.md`
- `docs/airgap/advisory-implementation-roadmap.md`

View File

@@ -4,7 +4,7 @@
Implement foundational CI quality gates for reachability metrics, TTFS regression tracking, and performance SLO enforcement. This sprint connects existing test infrastructure (reachability corpus, bench harnesses, baseline CSVs) to CI enforcement pipelines.
**Source Advisory:** `docs/product-advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md`
**Source Advisory:** `docs/product/advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md`
**Working directory:** `.gitea/workflows/`, `scripts/ci/`, `tests/reachability/`

View File

@@ -4,7 +4,7 @@
Complete the SCA Failure Catalogue (FC6-FC10) to provide comprehensive regression testing coverage for scanner failure modes. Currently FC1-FC5 exist in `tests/fixtures/sca/catalogue/`; this sprint adds the remaining five failure cases.
**Source Advisory:** `docs/product-advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md` (Section 2)
**Source Advisory:** `docs/product/advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md` (Section 2)
**Working directory:** `tests/fixtures/sca/catalogue/`
@@ -31,7 +31,7 @@ Read before implementation:
- `docs/19_TEST_SUITE_OVERVIEW.md`
- `tests/fixtures/sca/catalogue/README.md`
- `tests/fixtures/sca/catalogue/fc1-*/` (existing patterns)
- `docs/product-advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md`
- `docs/product/advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md`
## Failure Catalogue Reference

View File

@@ -4,7 +4,7 @@
Implement systematic security testing coverage for OWASP Top 10 vulnerabilities across StellaOps modules. As a security platform, StellaOps must dogfood its own security testing practices to maintain credibility and prevent vulnerabilities in its codebase.
**Source Advisory:** `docs/product-advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md` (Section 15)
**Source Advisory:** `docs/product/advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md` (Section 15)
**Working directory:** `tests/security/`, `src/*/Tests/Security/`

View File

@@ -4,7 +4,7 @@
Integrate Stryker.NET mutation testing framework to measure test suite effectiveness. Mutation testing creates small code changes (mutants) and verifies tests catch them. This provides a more meaningful quality metric than line coverage alone.
**Source Advisory:** `docs/product-advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md` (Section 14)
**Source Advisory:** `docs/product/advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md` (Section 14)
**Working directory:** Root solution, `src/`, `.stryker/`

View File

@@ -5,7 +5,7 @@
This sprint is a coordination/index sprint for the Testing Quality Guardrails sprint series (0350-0353) from the 14-Dec-2025 product advisory. The series consists of 4 sprints with 40 total tasks.
- **Working directory:** `docs/implplan`
- **Source advisory:** `docs/product-advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md`
- **Source advisory:** `docs/product/advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md`
- **Master documentation:** `docs/testing/testing-quality-guardrails-implementation.md`
## Dependencies & Concurrency
@@ -15,7 +15,7 @@ This sprint is a coordination/index sprint for the Testing Quality Guardrails sp
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/product-advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md`
- `docs/product/advisories/14-Dec-2025 - Testing and Quality Guardrails Technical Reference.md`
- `docs/testing/testing-quality-guardrails-implementation.md`
---

View File

@@ -96,10 +96,10 @@
| 60 | CORPUS-MERGE-401-060 | DONE (2025-12-13) | Unblocked: task 58 complete with 4 samples and ground-truth schema. Ready to merge archived multi-runtime corpus. | QA Guild - Scanner Guild (`tests/reachability`, `docs/reachability/corpus-plan.md`) | Merge archived multi-runtime corpus (Go/.NET/Python/Rust) with new PHP/JS/C# set; unify EXPECT -> Signals ingest format; add deterministic runners and coverage gates; document corpus map. |
| 61 | DOCS-BENCH-401-061 | DONE (2025-11-26) | Blocks on outputs from 57-60. | Docs Guild (`docs/benchmarks/signals/bench-determinism.md`, `docs/reachability/corpus-plan.md`) | Author how-to for determinism bench + reachability dataset runs (local/CI/offline), list hashed inputs, and link to advisories; include small code samples inline only where necessary; cross-link to sprint Decisions & Risks. |
| 62 | VEX-GAPS-401-062 | DONE (2025-12-04) | Schema/catalog frozen; fixtures + verifier landed. | Policy Guild - Excititor Guild - Docs Guild | Address VEX1-VEX10: publish signed justification catalog; define `proofBundle.schema.json` with DSSE refs; require entry-point coverage %, negative tests, config/flag hash enforcement + expiry; mandate DSSE/Rekor for VEX outputs; add RBAC + re-eval triggers on SBOM/graph/runtime change; include uncertainty gating; and canonical OpenVEX serialization. Playbook + schema at `docs/benchmarks/vex-evidence-playbook.{md,schema.json}`; catalog at `docs/benchmarks/vex-justifications.catalog.json` (+ DSSE); fixtures under `tests/Vex/ProofBundles/`; offline verifier `scripts/vex/verify_proof_bundle.py`; CI guard `.gitea/workflows/vex-proof-bundles.yml`. |
| 63 | GRAPHREV-GAPS-401-063 | DONE (2025-12-13) | Complete: Created `docs/reachability/graph-revision-schema.md` addressing all 10 gaps (GR1-GR10): manifest schema + canonical hash rules, BLAKE3-256 encoding, append-only storage layout, lineage/diff metadata format, cross-artifact digests (SBOM/VEX/policy/tool), UI/CLI full/short ID formats + commands, shard/tenant context, pin/audit governance with events, retention/tombstone policies, and offline kit inclusion with Rekor checkpoints. | Platform Guild - Scanner Guild - Policy Guild - UI/CLI Guilds | Address graph revision gaps GR1-GR10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: manifest schema + canonical hash rules, mandated BLAKE3-256 encoding, append-only storage, lineage/diff metadata, cross-artifact digests (SBOM/VEX/policy/tool), UI/CLI surfacing of full/short IDs, shard/tenant context, pin/audit governance, retention/tombstones, and inclusion in offline kits. |
| 64 | EXPLAIN-GAPS-401-064 | DONE (2025-12-13) | Complete: Created `docs/reachability/explainability-schema.md` addressing all 10 gaps (EX1-EX10): canonical explanation schema + hash rules, DSSE predicate `stella.ops/explanation@v1` + signing policy, CAS storage layout + rules, link format for decision/policy/graph_revision_id, export/replay bundle format with verification, PII/redaction categories + metadata, size budgets with truncation behavior, schema versioning + migration support, golden fixture locations + test categories + CI integration, and determinism guarantees. | Policy Guild - UI/CLI Guild - Docs Guild - Signals Guild | Address explainability gaps EX1-EX10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: schema/canonicalization + hashes, DSSE predicate/signing policy, CAS storage rules for evidence, link to decision/policy and graph_revision_id, export/replay bundle format, PII/redaction rules, size budgets, versioning, and golden fixtures/tests. |
| 65 | EDGE-GAPS-401-065 | DONE (2025-12-13) | Complete: Created `docs/reachability/edge-explainability-schema.md` addressing all 10 gaps (EG1-EG10): reason enum registry with governance rules, canonical edge schema + hash computation using from/to/kind/reason, evidence limits (10 entries) + redaction rules, confidence rubric (certain/high/medium/low/unknown) with base scores per reason, detector/rule provenance schema with input artifact digests, API endpoints + CLI commands with output parity, deterministic fixture locations + requirements, propagation format for explanation graphs + VEX evidence, message catalog structure for localization, and backfill strategy + migration script. | Scanner Guild - Policy Guild - UI/CLI Guild - Docs Guild | Address edge explainability gaps EG1-EG10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: reason enum governance, canonical edge schema with hash rules, evidence limits/redaction, confidence rubric, detector/rule provenance, API/CLI parity, deterministic fixtures, propagation into explanation graphs/VEX, localization guidance, and backfill plan. |
| 66 | BINARY-GAPS-401-066 | DONE (2025-12-13) | Complete: Created `docs/reachability/binary-reachability-schema.md` addressing all 10 gaps (BR1-BR10): canonical DSSE predicates (`stella.ops/binaryGraph@v1`, `stella.ops/binaryEdgeBundle@v1`), edge hash recipe including binary_hash context, required binary evidence table with CAS refs (`cas://binary/blocks|disasm|cfg|symbols`), build-id/variant rules for ELF/PE/Mach-O with fallback, policy hash governance with strict/forward/any binding modes, Sigstore bundle/log routing with offline mode, idempotent submission keys with tenant/binary/graph/hour granularity, size/chunking limits (10MB graph, 512 edges, 1MB DSSE, 100KB Rekor), API endpoints + CLI commands + UI component guidance, and binary fixtures with test categories. | Scanner Guild - Attestor Guild - Policy Guild | Address binary reachability gaps BR1-BR10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: canonical DSSE/predicate schemas, edge hash recipe, required binary evidence with CAS refs, build-id/variant rules, policy hash governance, Sigstore bundle/log routing, idempotent submission keys, size/chunking limits, API/CLI/UI surfacing, and binary fixtures. |
| 63 | GRAPHREV-GAPS-401-063 | DONE (2025-12-13) | Complete: Created `docs/reachability/graph-revision-schema.md` addressing all 10 gaps (GR1-GR10): manifest schema + canonical hash rules, BLAKE3-256 encoding, append-only storage layout, lineage/diff metadata format, cross-artifact digests (SBOM/VEX/policy/tool), UI/CLI full/short ID formats + commands, shard/tenant context, pin/audit governance with events, retention/tombstone policies, and offline kit inclusion with Rekor checkpoints. | Platform Guild - Scanner Guild - Policy Guild - UI/CLI Guilds | Address graph revision gaps GR1-GR10 from `docs/product/advisories/31-Nov-2025 FINDINGS.md`: manifest schema + canonical hash rules, mandated BLAKE3-256 encoding, append-only storage, lineage/diff metadata, cross-artifact digests (SBOM/VEX/policy/tool), UI/CLI surfacing of full/short IDs, shard/tenant context, pin/audit governance, retention/tombstones, and inclusion in offline kits. |
| 64 | EXPLAIN-GAPS-401-064 | DONE (2025-12-13) | Complete: Created `docs/reachability/explainability-schema.md` addressing all 10 gaps (EX1-EX10): canonical explanation schema + hash rules, DSSE predicate `stella.ops/explanation@v1` + signing policy, CAS storage layout + rules, link format for decision/policy/graph_revision_id, export/replay bundle format with verification, PII/redaction categories + metadata, size budgets with truncation behavior, schema versioning + migration support, golden fixture locations + test categories + CI integration, and determinism guarantees. | Policy Guild - UI/CLI Guild - Docs Guild - Signals Guild | Address explainability gaps EX1-EX10 from `docs/product/advisories/31-Nov-2025 FINDINGS.md`: schema/canonicalization + hashes, DSSE predicate/signing policy, CAS storage rules for evidence, link to decision/policy and graph_revision_id, export/replay bundle format, PII/redaction rules, size budgets, versioning, and golden fixtures/tests. |
| 65 | EDGE-GAPS-401-065 | DONE (2025-12-13) | Complete: Created `docs/reachability/edge-explainability-schema.md` addressing all 10 gaps (EG1-EG10): reason enum registry with governance rules, canonical edge schema + hash computation using from/to/kind/reason, evidence limits (10 entries) + redaction rules, confidence rubric (certain/high/medium/low/unknown) with base scores per reason, detector/rule provenance schema with input artifact digests, API endpoints + CLI commands with output parity, deterministic fixture locations + requirements, propagation format for explanation graphs + VEX evidence, message catalog structure for localization, and backfill strategy + migration script. | Scanner Guild - Policy Guild - UI/CLI Guild - Docs Guild | Address edge explainability gaps EG1-EG10 from `docs/product/advisories/31-Nov-2025 FINDINGS.md`: reason enum governance, canonical edge schema with hash rules, evidence limits/redaction, confidence rubric, detector/rule provenance, API/CLI parity, deterministic fixtures, propagation into explanation graphs/VEX, localization guidance, and backfill plan. |
| 66 | BINARY-GAPS-401-066 | DONE (2025-12-13) | Complete: Created `docs/reachability/binary-reachability-schema.md` addressing all 10 gaps (BR1-BR10): canonical DSSE predicates (`stella.ops/binaryGraph@v1`, `stella.ops/binaryEdgeBundle@v1`), edge hash recipe including binary_hash context, required binary evidence table with CAS refs (`cas://binary/blocks|disasm|cfg|symbols`), build-id/variant rules for ELF/PE/Mach-O with fallback, policy hash governance with strict/forward/any binding modes, Sigstore bundle/log routing with offline mode, idempotent submission keys with tenant/binary/graph/hour granularity, size/chunking limits (10MB graph, 512 edges, 1MB DSSE, 100KB Rekor), API endpoints + CLI commands + UI component guidance, and binary fixtures with test categories. | Scanner Guild - Attestor Guild - Policy Guild | Address binary reachability gaps BR1-BR10 from `docs/product/advisories/31-Nov-2025 FINDINGS.md`: canonical DSSE/predicate schemas, edge hash recipe, required binary evidence with CAS refs, build-id/variant rules, policy hash governance, Sigstore bundle/log routing, idempotent submission keys, size/chunking limits, API/CLI/UI surfacing, and binary fixtures. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
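Review bot: rows 64 to 66 all point at `docs/product/advisories/31-Nov-2025 FINDINGS.md`, and November has 30 days, so confirm that a file with exactly that name exists under the new `docs/product/advisories/` folder before merging. A mechanical path rewrite carries such a name across without checking that the link resolves; running a link check over the touched sprint files would catch this and any other dangling reference.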

View File

@@ -1,9 +1,9 @@
# Sprint 0501 · Proof and Evidence Chain · Master Plan
## Topic & Scope
Implementation of the complete Proof and Evidence Chain infrastructure as specified in `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`. This master sprint coordinates 7 sub-sprints covering content-addressed IDs, DSSE predicates, proof spine assembly, API surface, database schema, CLI integration, and key rotation.
Implementation of the complete Proof and Evidence Chain infrastructure as specified in `docs/product/advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`. This master sprint coordinates 7 sub-sprints covering content-addressed IDs, DSSE predicates, proof spine assembly, API surface, database schema, CLI integration, and key rotation.
**Source Advisory**: `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`
**Source Advisory**: `docs/product/advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`
## Architecture Overview

View File

@@ -3,7 +3,7 @@
## Topic & Scope
Implement content-addressed identifier system for proof chain components as specified in advisory §1 (Core Identifiers & Data Model). This sprint establishes the foundational ID generation, validation, and storage primitives required by all subsequent proof chain sprints.
**Source Advisory**: `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §1
**Source Advisory**: `docs/product/advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §1
**Parent Sprint**: `SPRINT_0501_0001_0001_proof_evidence_chain_master.md`
**Working Directory**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain`

View File

@@ -3,7 +3,7 @@
## Topic & Scope
Implement the 6 new DSSE predicate types for proof chain statements as specified in advisory §2 (DSSE Envelope Structures). This sprint creates the in-toto Statement/v1 wrappers with proper signing, serialization, and validation for each predicate type.
**Source Advisory**: `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §2
**Source Advisory**: `docs/product/advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §2
**Parent Sprint**: `SPRINT_0501_0001_0001_proof_evidence_chain_master.md`
**Working Directory**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain`

View File

@@ -3,7 +3,7 @@
## Topic & Scope
Implement the Proof Spine assembly engine that aggregates Evidence, Reasoning, and VEX statements into a merkle-rooted ProofBundle with deterministic construction. This sprint creates the core orchestration layer that ties the proof chain together.
**Source Advisory**: `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §2.4, §4.2, §9
**Source Advisory**: `docs/product/advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §2.4, §4.2, §9
**Parent Sprint**: `SPRINT_0501_0001_0001_proof_evidence_chain_master.md`
**Working Directory**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain`

View File

@@ -3,7 +3,7 @@
## Topic & Scope
Implement the `/proofs/*` API endpoints and verification pipeline as specified in advisory §5 (API Contracts) and §9 (Verification Pipeline). This sprint exposes the proof chain functionality via REST APIs with OpenAPI documentation.
**Source Advisory**: `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §5, §9
**Source Advisory**: `docs/product/advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §5, §9
**Parent Sprint**: `SPRINT_0501_0001_0001_proof_evidence_chain_master.md`
**Working Directory**: `src/Attestor/StellaOps.Attestor.WebService`

View File

@@ -3,7 +3,7 @@
## Topic & Scope
Implement the 5 PostgreSQL tables and related repository interfaces for proof chain storage as specified in advisory §4 (Storage Schema). This sprint creates the persistence layer with migrations for existing deployments.
**Source Advisory**: `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §4
**Source Advisory**: `docs/product/advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §4
**Parent Sprint**: `SPRINT_0501_0001_0001_proof_evidence_chain_master.md`
**Working Directory**: `src/Attestor/__Libraries/StellaOps.Attestor.Persistence`

View File

@@ -3,7 +3,7 @@
## Topic & Scope
Implement CLI commands for proof chain operations and standardize exit codes as specified in advisory §15 (CI/CD Integration). This sprint exposes proof chain functionality through the StellaOps CLI with proper exit codes for CI/CD pipeline integration.
**Source Advisory**: `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §15
**Source Advisory**: `docs/product/advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §15
**Parent Sprint**: `SPRINT_0501_0001_0001_proof_evidence_chain_master.md`
**Working Directory**: `src/Cli/StellaOps.Cli`

View File

@@ -3,7 +3,7 @@
## Topic & Scope
Implement the key rotation workflow and trust anchor management as specified in advisory §8 (Cryptographic Specifications). This sprint creates the infrastructure for secure key lifecycle management without invalidating existing signed proofs.
**Source Advisory**: `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §8
**Source Advisory**: `docs/product/advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md` §8
**Parent Sprint**: `SPRINT_0501_0001_0001_proof_evidence_chain_master.md`
**Working Directory**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement`

View File

@@ -43,7 +43,7 @@
| 13 | AIRGAP-TIME-57-002 | DONE (2025-11-26) | PREP-AIRGAP-CTL-57-002-BLOCKED-ON-57-001 | AirGap Time Guild · Observability Guild | Add telemetry counters for time anchors (`airgap_time_anchor_age_seconds`) and alerts for approaching thresholds. |
| 14 | AIRGAP-TIME-58-001 | DONE (2025-12-11) | Drift baseline persisted, per-content staleness computed via controller status API. | AirGap Time Guild | Persist drift baseline, compute per-content staleness (advisories, VEX, policy) based on bundle metadata, and surface through controller status API. |
| 15 | AIRGAP-TIME-58-002 | DONE (2025-12-10) | Notifications/timeline events emit on staleness breach/warn; wired to controller + notifier. | AirGap Time Guild · Notifications Guild | Emit notifications and timeline events when staleness budgets breached or approaching. |
| 16 | AIRGAP-GAPS-510-009 | DONE (2025-12-01) | None; informs tasks 115. | Product Mgmt · Ops Guild | Address gap findings (AG1AG12) from `docs/product-advisories/25-Nov-2025 - Airgap deployment playbook for StellaOps.md`: trust-root/key custody & PQ dual-signing, Rekor mirror format/signature, feed snapshot DSSE, tooling hashes, kit size/chunking, AV/YARA pre/post ingest, policy/graph hash verification, tenant scoping, ingress/egress receipts, replay depth rules, offline observability, failure runbooks. |
| 16 | AIRGAP-GAPS-510-009 | DONE (2025-12-01) | None; informs tasks 115. | Product Mgmt · Ops Guild | Address gap findings (AG1AG12) from `docs/product/advisories/25-Nov-2025 - Airgap deployment playbook for StellaOps.md`: trust-root/key custody & PQ dual-signing, Rekor mirror format/signature, feed snapshot DSSE, tooling hashes, kit size/chunking, AV/YARA pre/post ingest, policy/graph hash verification, tenant scoping, ingress/egress receipts, replay depth rules, offline observability, failure runbooks. |
| 17 | AIRGAP-MANIFEST-510-010 | DONE (2025-12-02) | Depends on AIRGAP-IMP-56-* foundations | AirGap Importer Guild · Ops Guild | Implement offline-kit manifest schema (`offline-kit/manifest.schema.json`) + DSSE signature; include tools/feed/policy hashes, tenant/env, AV scan results, chunk map, mirror staleness window, and publish verify script path. |
| 18 | AIRGAP-AV-510-011 | DONE (2025-12-02) | Depends on AIRGAP-MANIFEST-510-010 | Security Guild · AirGap Importer Guild | Add AV/YARA pre-publish and post-ingest scans with signed reports; enforce in importer pipeline; document in `docs/airgap/runbooks/import-verify.md`. |
| 19 | AIRGAP-RECEIPTS-510-012 | DONE (2025-12-02) | Depends on AIRGAP-MANIFEST-510-010 | AirGap Controller Guild · Platform Guild | Emit ingress/egress DSSE receipts (hash, operator, time, decision) and store in Proof Graph; expose verify CLI hook. |
@@ -103,9 +103,9 @@
| 2025-11-25 | Created module charter `src/AirGap/AGENTS.md`; controller tasks unblocked from AGENTS gap. | Implementer |
| 2025-11-25 | Local environment out of disk space (`No space left on device`); controller tasks moved to BLOCKED until workspace is cleaned. | Implementer |
| 2025-11-25 | Blocked controller chain (tasks 15): module-level `src/AirGap/AGENTS.md` missing; cannot proceed per working agreements until charter exists. Added status notes. | Implementer |
| 2025-12-01 | Added AIRGAP-GAPS-510-009 to track remediation of AG1AG12 from `docs/product-advisories/25-Nov-2025 - Airgap deployment playbook for StellaOps.md`. | Product Mgmt |
| 2025-12-01 | Added AIRGAP-GAPS-510-009 to track remediation of AG1AG12 from `docs/product/advisories/25-Nov-2025 - Airgap deployment playbook for StellaOps.md`. | Product Mgmt |
| 2025-12-01 | AIRGAP-GAPS-510-009 DONE: drafted remediation plan `docs/airgap/gaps/AG1-AG12-remediation.md` covering trust roots, Rekor mirror, feed freezing, tool hashes, chunked kits, AV/YARA, policy/graph hashes, tenant scoping, ingress/egress receipts, replay levels, observability, and runbooks. | Implementer |
| 2025-12-02 | Added implementation tasks 510-010…014 for manifest schema + DSSE, AV/YARA scans, ingress/egress receipts, replay-depth enforcement, and offline verifier script per `docs/product-advisories/25-Nov-2025 - Airgap deployment playbook for StellaOps.md`. | Project Mgmt |
| 2025-12-02 | Added implementation tasks 510-010…014 for manifest schema + DSSE, AV/YARA scans, ingress/egress receipts, replay-depth enforcement, and offline verifier script per `docs/product/advisories/25-Nov-2025 - Airgap deployment playbook for StellaOps.md`. | Project Mgmt |
| 2025-12-10 | Added AIRGAP-PG-510-015 (PostgreSQL air-gap test) migrated from Sprint 3407 (PG-T7.5.5); covers PostgreSQL 17 kit verification with pg_stat_statements, init scripts, and schema validation. | Infrastructure Guild |
| 2025-12-06 | ✅ **5 tasks UNBLOCKED**: Created `docs/schemas/sealed-mode.schema.json` (AirGap state, egress policy, bundle verification) and `docs/schemas/time-anchor.schema.json` (TUF trust roots, time anchors, validation). Tasks AIRGAP-IMP-57-002, 58-001, 58-002 and AIRGAP-TIME-58-001, 58-002 moved from BLOCKED to TODO. | System |
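Review bot: the two rewritten rows are dated execution-log entries (2025-12-01 and 2025-12-02), and editing them in place makes the log record a path that did not exist on those dates. Consider leaving historical rows as originally written and adding one new dated row that records the folder move, so the log stays usable as an audit trail.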

View File

@@ -18,9 +18,9 @@
- `docs/reachability/function-level-evidence.md`
- `docs/reachability/lattice.md`
- `docs/modules/scanner/architecture.md`
- Product advisory: `docs/product-advisories/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md`
- Related advisory: `docs/product-advisories/archived/23-Nov-2025 - Benchmarking Determinism in Vulnerability Scoring.md`
- Related advisory: `docs/product-advisories/archived/23-Nov-2025 - Publishing a Reachability Benchmark Dataset.md`
- Product advisory: `docs/product/advisories/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md`
- Related advisory: `docs/product/advisories/archived/23-Nov-2025 - Benchmarking Determinism in Vulnerability Scoring.md`
- Related advisory: `docs/product/advisories/archived/23-Nov-2025 - Publishing a Reachability Benchmark Dataset.md`
- Existing bench prep docs: `docs/benchmarks/signals/bench-determinism.md`
@@ -44,8 +44,8 @@
| 15 | BENCH-WEBSITE-513-015 | DONE (2025-12-01) | Depends on 513-014. | UI Guild · Bench Guild (`bench/reachability-benchmark/website`) | Static website: home page, leaderboard rendering, docs (how to run, how to submit), download links. Use Docusaurus or plain HTML. |
| 16 | BENCH-DOCS-513-016 | DONE (2025-12-01) | Depends on all above. | Docs Guild | CONTRIBUTING.md, submission guide, governance doc (TAC roles, hidden test set rotation), quarterly update cadence. |
| 17 | BENCH-LAUNCH-513-017 | DONE (2025-12-01) | Depends on 513-015, 513-016. | Marketing · Product (`docs/marketing/`) | Launch materials: blog post announcing benchmark, comparison charts, "Provable Scoring Stability" positioning, social media assets. |
| 18 | BENCH-GAPS-513-018 | DONE (2025-12-03) | None; informs tasks 716. | Product Mgmt · Bench Guild | Address gap findings (G1G12) from `docs/product-advisories/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md`: add manifest/attestations to dataset, submission provenance checks, determinism env templates per language, coverage/trace schemas, unreachability oracles, frozen baseline rulepacks, resource normalization policy, sandbox + redaction guidance, and product linkage notes. |
| 19 | DATASET-GAPS-513-019 | DONE (2025-12-03) | None; complements task 18. | Product Mgmt · Bench Guild | Address reachability dataset gaps RD1RD10 from `docs/product-advisories/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md`: sanitization/PII/license checklist with DSSE approval, feed/tool hash lockfile, published schemas/validators, evidence bundles for ground truth, binary case recipe, determinism CI (multi-run hash compare), signed baselines, CLA/DSSE submission policy, semantic dataset versioning/changelog, and offline kit packaging for dataset+harness. |
| 18 | BENCH-GAPS-513-018 | DONE (2025-12-03) | None; informs tasks 716. | Product Mgmt · Bench Guild | Address gap findings (G1G12) from `docs/product/advisories/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md`: add manifest/attestations to dataset, submission provenance checks, determinism env templates per language, coverage/trace schemas, unreachability oracles, frozen baseline rulepacks, resource normalization policy, sandbox + redaction guidance, and product linkage notes. |
| 19 | DATASET-GAPS-513-019 | DONE (2025-12-03) | None; complements task 18. | Product Mgmt · Bench Guild | Address reachability dataset gaps RD1RD10 from `docs/product/advisories/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md`: sanitization/PII/license checklist with DSSE approval, feed/tool hash lockfile, published schemas/validators, evidence bundles for ground truth, binary case recipe, determinism CI (multi-run hash compare), signed baselines, CLA/DSSE submission policy, semantic dataset versioning/changelog, and offline kit packaging for dataset+harness. |
| 20 | REACH-FIXTURE-GAPS-513-020 | DONE (2025-12-03) | Close RB1RB10 from `24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md`; depends on fixture schema publication | Product Mgmt · Bench Guild | Remediate RB1RB10: fixture schema + DSSE manifest, licensing/provenance checklist, deterministic builds/seeds, ground-truth assertions, coverage matrix (C/Java/.NET/Python/binary/container), offline kit + verify script, evidence chain outputs (SBOM/scan/graph/VEX), versioning/changelog, CI job + reporting/alerts. |
## Wave Coordination
@@ -117,7 +117,7 @@
| 2025-11-30 | BENCH-BUILD-513-007: build_all/validate_builds run; all JS/PY cases deterministic, Java cases fail due to missing `javac` (same blocker as task 5). | Implementer |
| 2025-12-01 | BENCH-BUILD-513-007: build tools now auto-write deterministic SBOM/attestation stubs from `case.yaml`; validate checks auxiliary artifact determinism; README updated. | Implementer |
| 2025-12-01 | BENCH-BASELINE-SEMGREP-513-010 DONE: added semgrep baseline runner (run_case/run_all, rules, normalize) with deterministic outputs and schema-compliant submission. | Implementer |
| 2025-12-01 | Added gap analysis doc `docs/product-advisories/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md` and created task BENCH-GAPS-513-018 to track remediation. | Product Mgmt |
| 2025-12-01 | Added gap analysis doc `docs/product/advisories/24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md` and created task BENCH-GAPS-513-018 to track remediation. | Product Mgmt |
| 2025-12-01 | Added DATASET-GAPS-513-019 to cover RD1RD10 (reachability dataset gaps) from `24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md`. | Product Mgmt |
| 2025-12-01 | Added REACH-FIXTURE-GAPS-513-020 to track RB1RB10 remediation from `24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md`; status TODO pending fixture schema/kit work. | Product Mgmt |
| 2025-12-01 | BENCH-BASELINE-STELLA-513-012 DONE: added offline-safe Stella baseline runner (`baselines/stella/`) with `run_case.sh`, `run_all.sh`, and `normalize.py` that builds schema-compliant submissions from truth files with deterministic ordering and no external binaries. | Implementer |

View File

@@ -2,7 +2,7 @@
**IMPLID:** 1200 (Router infrastructure)
**Feature:** Centralized rate limiting for Stella Router as standalone product
**Advisory Source:** `docs/product-advisories/archived/15-Dec-2025 - Designing 202 + RetryAfter Backpressure Control.md`
**Advisory Source:** `docs/product/advisories/archived/15-Dec-2025 - Designing 202 + RetryAfter Backpressure Control.md`
**Owner:** Router Team
**Status:** DONE (Sprints 16 closed; Sprint 4 closed N/A)
**Priority:** HIGH - Core feature for Router product
@@ -210,7 +210,7 @@ Each target can have multiple rules (AND logic):
## Related Documentation
- **Advisory:** `docs/product-advisories/archived/15-Dec-2025 - Designing 202 + RetryAfter Backpressure Control.md`
- **Advisory:** `docs/product/advisories/archived/15-Dec-2025 - Designing 202 + RetryAfter Backpressure Control.md`
- **Implementation:** `src/__Libraries/StellaOps.Router.Gateway/RateLimit/`
- **Tests:** `tests/StellaOps.Router.Gateway.Tests/`
- **Implementation Guides:** `docs/implplan/SPRINT_1200_001_00X_*.md` (see below)

View File

@@ -701,7 +701,7 @@ rate_limiting:
## References
- **Advisory:** `docs/product-advisories/archived/15-Dec-2025 - Designing 202 + RetryAfter Backpressure Control.md`
- **Advisory:** `docs/product/advisories/archived/15-Dec-2025 - Designing 202 + RetryAfter Backpressure Control.md`
- **Master Sprint Tracker:** `docs/implplan/SPRINT_1200_001_000_router_rate_limiting_master.md`
- **Sprint Files:** `docs/implplan/SPRINT_1200_001_00X_*.md`
- **HTTP 429 Semantics:** RFC 6585

View File

@@ -3,7 +3,7 @@
**Package Created:** 2025-12-17
**For:** Implementation agents / reviewers
**Status:** DONE (Sprints 16 closed; Sprint 4 closed N/A)
**Advisory Source:** `docs/product-advisories/archived/15-Dec-2025 - Designing 202 + RetryAfter Backpressure Control.md`
**Advisory Source:** `docs/product/advisories/archived/15-Dec-2025 - Designing 202 + RetryAfter Backpressure Control.md`
---
@@ -114,7 +114,7 @@ Week 4+: Service Migration
1. `SPRINT_1200_001_000_router_rate_limiting_master.md` - Overview
2. `SPRINT_1200_001_IMPLEMENTATION_GUIDE.md` - Technical details
3. Original advisory: `docs/product-advisories/archived/15-Dec-2025 - Designing 202 + RetryAfter Backpressure Control.md`
3. Original advisory: `docs/product/advisories/archived/15-Dec-2025 - Designing 202 + RetryAfter Backpressure Control.md`
4. Analysis plan: `C:\Users\VladimirMoushkov\.claude\plans\vectorized-kindling-rocket.md`
### 2. Environment Setup
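Review bot: item 4 of the reading list, left untouched directly below the changed line, is the absolute workstation path `C:\Users\VladimirMoushkov\.claude\plans\vectorized-kindling-rocket.md`, which discloses a local user name and resolves for no other reader. Since this commit is already normalizing document references in this file, either commit the plan into the repository and link it by relative path, or drop the entry; the same path appears again as "Analysis Plan" under Source Documents in the later hunk of this file.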
@@ -471,7 +471,7 @@ rate_limiting:
## Related Documentation
### Source Documents
- **Advisory:** `docs/product-advisories/archived/15-Dec-2025 - Designing 202 + RetryAfter Backpressure Control.md`
- **Advisory:** `docs/product/advisories/archived/15-Dec-2025 - Designing 202 + RetryAfter Backpressure Control.md`
- **Analysis Plan:** `C:\Users\VladimirMoushkov\.claude\plans\vectorized-kindling-rocket.md`
- **Architecture:** `docs/modules/platform/architecture-overview.md`

View File

@@ -9,7 +9,7 @@
## Advisory Reference
- **Source:** `docs/product-advisories/archived/22-Dec-2025 - Getting Distro Backport Logic Right.md`
- **Source:** `docs/product/advisories/archived/22-Dec-2025 - Getting Distro Backport Logic Right.md`
- **Gap Identified:** Alpine/APK support explicitly recommended but not implemented anywhere in codebase or scheduled sprints.
## Dependencies & Concurrency
@@ -342,7 +342,7 @@ alpine:3.20 → apk info -v zlib → 1.3.1-r0
## References
- Advisory: `docs/product-advisories/archived/22-Dec-2025 - Getting Distro Backport Logic Right.md`
- Advisory: `docs/product/advisories/archived/22-Dec-2025 - Getting Distro Backport Logic Right.md`
- Alpine SecDB: https://secdb.alpinelinux.org/
- APK version comparison: https://gitlab.alpinelinux.org/alpine/apk-tools
- Existing Debian connector: `src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Debian/`

View File

@@ -9,7 +9,7 @@
## Advisory Reference
- **Source:** `docs/product-advisories/archived/22-Dec-2025 - Getting Distro Backport Logic Right.md`
- **Source:** `docs/product/advisories/archived/22-Dec-2025 - Getting Distro Backport Logic Right.md`
- **Gap Identified:** Current test coverage is 12 tests total (7 NEVRA, 5 EVR). Advisory recommends 50-100 per distro plus golden files and real-image cross-checks.
## Dependencies & Concurrency
@@ -352,7 +352,7 @@ Document the test corpus structure and how to add new test cases.
## References
- Advisory: `docs/product-advisories/archived/22-Dec-2025 - Getting Distro Backport Logic Right.md`
- Advisory: `docs/product/advisories/archived/22-Dec-2025 - Getting Distro Backport Logic Right.md`
- RPM versioning: https://rpm.org/user_doc/versioning.html
- Debian policy: https://www.debian.org/doc/debian-policy/ch-controlfields.html#version
- Existing tests: `src/Concelier/__Tests/StellaOps.Concelier.Merge.Tests/`

View File

@@ -600,7 +600,7 @@ public async Task BundleOrgSigning_KmsBackend_SignsAndVerifies()
## Related Documents
- **Parent Advisory:** `docs/product-advisories/25-Dec-2025 - Planning Keyless Signing for Verdicts.md`
- **Parent Advisory:** `docs/product/advisories/25-Dec-2025 - Planning Keyless Signing for Verdicts.md`
- **Predecessor Sprint:** `SPRINT_20251226_001_SIGNER_fulcio_keyless_client.md`
- **Attestor Architecture:** `docs/modules/attestor/architecture.md`
- **Offline Kit:** `docs/24_OFFLINE_KIT.md`

View File

@@ -18,7 +18,7 @@
- `docs/modules/policy/architecture.md`
- `docs/modules/policy/budget-attestation.md`
- `docs/modules/notify/architecture.md`
- `docs/product-advisories/archived/2025-12-21-moat-phase2/20-Dec-2025 - Moat Explanation - Risk Budgets and Diff-Aware Release Gates.md`
- `docs/product/advisories/archived/2025-12-21-moat-phase2/20-Dec-2025 - Moat Explanation - Risk Budgets and Diff-Aware Release Gates.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -615,7 +615,7 @@ public async Task CLI_ExportBundle_CreatesValidBundle()
## Related Documents
- **Parent Advisory:** `docs/product-advisories/25-Dec-2025 - Planning Keyless Signing for Verdicts.md`
- **Parent Advisory:** `docs/product/advisories/25-Dec-2025 - Planning Keyless Signing for Verdicts.md`
- **Predecessor Sprints:**
- `SPRINT_20251226_001_SIGNER_fulcio_keyless_client.md`
- `SPRINT_20251226_002_ATTESTOR_bundle_rotation.md`

View File

@@ -14,8 +14,8 @@
## Documentation Prerequisites
- `docs/modules/scanner/AGENTS.md`
- `docs/modules/scanner/reachability-drift.md`
- `docs/product-advisories/archived/2025-12-21-moat-gap-closure/14-Dec-2025 - Smart-Diff Technical Reference.md`
- `docs/product-advisories/25-Dec-2025 - Evolving Evidence Models for Reachability.md`
- `docs/product/advisories/archived/2025-12-21-moat-gap-closure/14-Dec-2025 - Smart-Diff Technical Reference.md`
- `docs/product/advisories/25-Dec-2025 - Evolving Evidence Models for Reachability.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -4,7 +4,7 @@
- Consolidate 8 overlapping product advisories into a single master document for diff-aware release gates.
- Archive original advisories with cross-reference preservation.
- Create executive summary for stakeholder communication.
- **Working directory:** `docs/product-advisories/`
- **Working directory:** `docs/product/advisories/`
## Dependencies & Concurrency
- No technical dependencies; documentation-only sprint.

View File

@@ -16,8 +16,8 @@
- `docs/modules/policy/design/deterministic-evaluator.md`
- `docs/modules/policy/design/policy-determinism-tests.md`
- `docs/modules/scanner/deterministic-execution.md`
- `docs/product-advisories/25-Dec-2025 - Planning Keyless Signing for Verdicts.md`
- `docs/product-advisories/25-Dec-2025 - Enforcing Canonical JSON for Stable Verdicts.md` (SUPERSEDED - tasks merged here)
- `docs/product/advisories/25-Dec-2025 - Planning Keyless Signing for Verdicts.md`
- `docs/product/advisories/25-Dec-2025 - Enforcing Canonical JSON for Stable Verdicts.md` (SUPERSEDED - tasks merged here)
## Context: What Already Exists

View File

@@ -4,7 +4,7 @@
- Consolidate 6 overlapping product advisories into a single determinism architecture specification.
- Create authoritative documentation for all determinism guarantees and digest algorithms.
- Archive original advisories with cross-reference preservation.
- **Working directory:** `docs/product-advisories/`, `docs/technical/`
- **Working directory:** `docs/product/advisories/`, `docs/technical/`
## Dependencies & Concurrency
- No technical dependencies; documentation-only sprint.

View File

@@ -14,8 +14,8 @@
## Documentation Prerequisites
- `docs/modules/scanner/design/native-reachability-plan.md`
- `docs/modules/scanner/os-analyzers-evidence.md`
- `docs/product-advisories/25-Dec-2025 - Evolving Evidence Models for Reachability.md`
- `docs/product-advisories/26-Dec-2026 - Mapping a Binary Intelligence Graph.md`
- `docs/product/advisories/25-Dec-2025 - Evolving Evidence Models for Reachability.md`
- `docs/product/advisories/26-Dec-2026 - Mapping a Binary Intelligence Graph.md`
## Context: What Already Exists
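Review bot: the second rewritten prerequisite is `26-Dec-2026 - Mapping a Binary Intelligence Graph.md`, a date one year later than every other advisory referenced in this change and later than the commit date itself. Check the name of the file on disk; if it is actually dated 2025, this link was broken before the move and remains broken after it, so correct the reference here instead of carrying it across.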

View File

@@ -15,7 +15,7 @@
- docs/modules/sbomservice/architecture.md
- docs/modules/scanner/architecture.md
- docs/modules/excititor/architecture.md
- docs/product-advisories/ADVISORY_SBOM_LINEAGE_GRAPH.md
- docs/product/advisories/ADVISORY_SBOM_LINEAGE_GRAPH.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
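Review bot: this hunk points at `docs/product/advisories/ADVISORY_SBOM_LINEAGE_GRAPH.md`, while other sprint files rewritten in the same commit point at `docs/product/advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md`. Unless two copies exist, only one of these can resolve; determine where the advisory actually lives after the move and make every reference agree.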

View File

@@ -12,7 +12,7 @@
## Documentation Prerequisites
- docs/modules/web/architecture.md
- docs/product-advisories/ADVISORY_SBOM_LINEAGE_GRAPH.md
- docs/product/advisories/ADVISORY_SBOM_LINEAGE_GRAPH.md
- src/Web/StellaOps.Web/AGENTS.md (if exists)
## Delivery Tracker

View File

@@ -14,7 +14,7 @@
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/attestor/architecture.md
- docs/modules/exportcenter/architecture.md
- docs/product-advisories/ADVISORY_SBOM_LINEAGE_GRAPH.md
- docs/product/advisories/ADVISORY_SBOM_LINEAGE_GRAPH.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |

View File

@@ -11,7 +11,7 @@
## Documentation Prerequisites
- docs/modules/web/architecture.md
- docs/product-advisories/ADVISORY_SBOM_LINEAGE_GRAPH.md
- docs/product/advisories/ADVISORY_SBOM_LINEAGE_GRAPH.md
- Sprint 20251228_006 acceptance criteria
## Delivery Tracker

View File

@@ -17,7 +17,7 @@ This sprint implements the unified Verdict Builder service that composes existin
## Related Documentation
- `docs/product-advisories/archived/CONSOLIDATED - Deterministic Evidence and Verdict Architecture.md`
- `docs/product/advisories/archived/CONSOLIDATED - Deterministic Evidence and Verdict Architecture.md`
- `docs/modules/attestor/architecture.md` (ProofChain section)
- `docs/modules/policy/architecture.md` (Determinism section)
- `docs/modules/replay/architecture.md`

View File

@@ -26,7 +26,7 @@ This sprint is now scoped to **minor integration work** with the new CGS backend
- `docs/modules/sbomservice/lineage/architecture.md` (API spec)
- `docs/modules/ui/architecture.md`
- `docs/product-advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md`
- `docs/product/advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md`
- Existing compare feature: `src/Web/StellaOps.Web/src/app/features/compare/`
## Prerequisites

View File

@@ -27,7 +27,7 @@ This sprint focuses on **new features** not yet implemented:
## Related Documentation
- `docs/product-advisories/archived/CONSOLIDATED - Deterministic Evidence and Verdict Architecture.md`
- `docs/product/advisories/archived/CONSOLIDATED - Deterministic Evidence and Verdict Architecture.md`
- `docs/modules/policy/architecture.md` (Proof Trace section)
- Existing `ProofTreeComponent` in UI

View File

@@ -30,7 +30,7 @@ This feature bridges the gap between the interactive UI and external documentati
## Related Documentation
- `docs/product-advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md` (Pinned Explanations section)
- `docs/product/advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md` (Pinned Explanations section)
- FE_005 Explainer Timeline (source of explainer steps to pin)
- FE_006 Node Diff Table (source of component changes to pin)
- Existing: `src/app/core/services/clipboard.service.ts` (if exists)

View File

@@ -33,7 +33,7 @@ An existing `reachability-diff-view.component.ts` provides basic functionality,
## Related Documentation
- `docs/modules/reachgraph/architecture.md` (ReachGraph API)
- `docs/product-advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md` (Reachability section)
- `docs/product/advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md` (Reachability section)
- Existing: `src/app/features/lineage/components/reachability-diff-view/`
- Backend model: `ReachabilityDelta` from lineage.models.ts

View File

@@ -37,7 +37,7 @@ The existing `lineage-export-dialog.component.ts` provides basic export, but nee
## Related Documentation
- `docs/modules/exportcenter/architecture.md` (Export API)
- `docs/product-advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md` (Audit Pack section)
- `docs/product/advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md` (Audit Pack section)
- Existing: `src/app/features/lineage/components/lineage-export-dialog/`
- Backend model: `LineageEvidencePack` from ExportCenter

View File

@@ -4,7 +4,7 @@
**Working Directory**: `src/Attestor/StellaOps.Attestor`
**Priority**: P0 (Critical)
**Estimated Complexity**: Medium
**Parent Advisory**: `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md`
**Parent Advisory**: `docs/product/advisories/14-Dec-2025 - Rekor Integration Technical Reference.md`
---
@@ -80,8 +80,8 @@ Before starting, read:
### T6a: Freeze offline checkpoint/receipt contract
- **Goal:** define the canonical offline inputs required to verify inclusion proofs without network access.
- **Use these docs as the baseline (do not invent new shapes):**
- `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` (§13)
- `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` (§34; `evidence/tlog/checkpoint.sig` + `entries/`)
- `docs/product/advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` (§13)
- `docs/product/advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` (§34; `evidence/tlog/checkpoint.sig` + `entries/`)
- **Minimum deliverables:**
- A single canonical contract doc (new or existing) that answers:
- Where the **tlog public key** comes from (file path, rotation/versioning)
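Review bot: the two baseline references under T6a carry section pointers (§13 and §34) and are introduced with "do not invent new shapes", so a path that does not resolve here leaves implementers of offline inclusion-proof verification without the contract they are told to follow. Verify that both files exist under `docs/product/advisories/` and that the cited sections, including the `evidence/tlog/checkpoint.sig` + `entries/` layout named in the second entry, are still where the pointers say.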
@@ -372,4 +372,4 @@ public Counter<long> CheckpointVerifyTotal { get; } // attestor.checkpoint_
- [RFC 6962: Certificate Transparency](https://datatracker.ietf.org/doc/html/rfc6962)
- [Sigstore Rekor API](https://github.com/sigstore/rekor/blob/main/openapi.yaml)
- [Rekor Checkpoint Format](https://github.com/transparency-dev/formats/blob/main/log/checkpoint.md)
- Advisory: `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §5, §7, §13
- Advisory: `docs/product/advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §5, §7, §13

View File

@@ -4,7 +4,7 @@
**Working Directory**: `src/Attestor/StellaOps.Attestor`
**Priority**: P1 (High)
**Estimated Complexity**: Medium
**Parent Advisory**: `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md`
**Parent Advisory**: `docs/product/advisories/14-Dec-2025 - Rekor Integration Technical Reference.md`
**Depends On**: None (can run parallel to SPRINT_3000_0001_0001)
---
@@ -549,5 +549,5 @@ WHERE status = 'dead_letter'
## 12. REFERENCES
- Advisory: `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §9, §11
- Advisory: `docs/product/advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §9, §11
- Similar pattern: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/`

View File

@@ -4,7 +4,7 @@
**Working Directory**: `src/Attestor/StellaOps.Attestor`
**Priority**: P2 (Medium)
**Estimated Complexity**: Low
**Parent Advisory**: `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md`
**Parent Advisory**: `docs/product/advisories/14-Dec-2025 - Rekor Integration Technical Reference.md`
**Depends On**: SPRINT_3000_0001_0001 (Merkle Proof Verification)
---
@@ -493,5 +493,5 @@ groups:
## 12. REFERENCES
- Advisory: `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §14.3
- Advisory: `docs/product/advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §14.3
- Rekor API: `integratedTime` field in entry response

View File

@@ -21,7 +21,7 @@ Implement high-value, low-effort scoring enhancements from the Determinism and R
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/policy/architecture.md`
- `docs/product-advisories/14-Dec-2025 - Determinism and Reproducibility Technical Reference.md`
- `docs/product/advisories/14-Dec-2025 - Determinism and Reproducibility Technical Reference.md`
- Source: `src/Policy/StellaOps.Policy.Scoring/CvssScoreReceipt.cs`
- Source: `src/Telemetry/StellaOps.Telemetry.Core/TimeToEvidenceMetrics.cs`

View File

@@ -9,8 +9,8 @@ Implement the score replay capability and proof bundle writer from the "Building
3. **Score Replay Endpoint** - `POST /score/replay` to recompute scores without rescanning
4. **Scan Manifest** - DSSE-signed manifest capturing all inputs affecting results
**Source Advisory**: `docs/product-advisories/archived/17-Dec-2025/16-Dec-2025 - Building a Deeper Moat Beyond Reachability.md`
**Related Docs**: `docs/product-advisories/14-Dec-2025 - Determinism and Reproducibility Technical Reference.md` §11.2, §12
**Source Advisory**: `docs/product/advisories/archived/17-Dec-2025/16-Dec-2025 - Building a Deeper Moat Beyond Reachability.md`
**Related Docs**: `docs/product/advisories/14-Dec-2025 - Determinism and Reproducibility Technical Reference.md` §11.2, §12
**Working Directory**: `src/Scanner/StellaOps.Scanner.WebService`, `src/Policy/__Libraries/StellaOps.Policy/`
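Review bot: the `Determinism and Reproducibility Technical Reference.md` path on the Related Docs line is repeated verbatim in the prerequisites list of the same file (next hunk), so every folder move has to touch both copies and a missed one fails silently. Consider defining the path once per document, for example as a reference-style link, and citing it from both places; also check that the Source Advisory really sits in the dated `archived/17-Dec-2025/` subfolder after the move, since it is the only reference in this file with that extra path level.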
@@ -26,7 +26,7 @@ Implement the score replay capability and proof bundle writer from the "Building
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/scanner/architecture.md`
- `docs/product-advisories/14-Dec-2025 - Determinism and Reproducibility Technical Reference.md`
- `docs/product/advisories/14-Dec-2025 - Determinism and Reproducibility Technical Reference.md`
- `docs/benchmarks/ground-truth-corpus.md` (new)
---

Some files were not shown because too many files have changed in this diff