up

docs/product-advisories/ADVISORY_INDEX.md

@@ -9,6 +9,7 @@ These are the authoritative advisories to reference for implementation:
 ### CVSS v4.0
 - **Canonical:** `25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md`
 - **Sprint:** SPRINT_0190_0001_0001_cvss_v4_receipts.md
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (CV1–CV10 remediation task CVSS-GAPS-190-013)
 - **Status:** New sprint created
 
 ### CVSS v4.0 Momentum Briefing
@@ -17,6 +18,7 @@ These are the authoritative advisories to reference for implementation:
 - **Related Docs:**
   - `docs/product-advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md` (implementation focus)
   - `docs/product-advisories/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md` (this briefing)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (CVM1–CVM10 remediation task CVSS-GAPS-190-014)
 - **Status:** Summarises the industry adoption signals (NVD/GitHub/Microsoft/Snyk) and why Stella Ops should treat CVSS v4.0 as first-class now.
 
 ### SCA Failure Catalogue
@@ -25,22 +27,62 @@ These are the authoritative advisories to reference for implementation:
 - **Related Docs:**
   - `docs/product-advisories/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md` (this catalogue)
   - `docs/implplan/SPRINT_300_documentation_process.md` (tracking sync)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (FC1–FC10 remediation task SCA-FIXTURE-GAPS-300-014)
 - **Status:** Captures five real-world regressions/ SBOM gaps for Trivy/Syft/Grype/Snyk and frames test vectors + alarm scenarios for StellaOps acceptance suites.
 
+### Mid-Level .NET Onboarding (Quick Start)
+- **Canonical:** `29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md`
+- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
+- **Related Docs:**
+  - `docs/onboarding/dev-quickstart.md` (to be updated)
+  - `docs/modules/platform/architecture-overview.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (OB1–OB10 remediation task ONBOARD-GAPS-300-015)
+- **Status:** Onboarding brief for mid-level .NET devs; needs deterministic/offline/DSSE/secret-handling expansions and cross-links.
+
 ### Implementor Guidelines
 - **Canonical:** `30-Nov-2025 - Implementor Guidelines for Stella Ops.md`
 - **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
 - **Related Docs:**
   - `docs/product-advisories/30-Nov-2025 - Implementor Guidelines for Stella Ops.md` (this briefing)
   - `docs/05_SYSTEM_REQUIREMENTS_SPEC.md` / `docs/13_RELEASE_ENGINEERING_PLAYBOOK.md` (reference requirements)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (IG1–IG10 remediation task IMPLEMENTOR-GAPS-300-018)
 - **Status:** Operational checklist for contributors, plug-in authors, and implementors linking SRS/architecture to practical practices.
 
+### Rekor Receipt Checklist
+- **Canonical:** `30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md`
+- **Sprint:** SPRINT_0314_0001_0001_docs_modules_authority.md
+- **Related Docs:** Authority/Sbomer module docs; Rekor v2 / DSSE receipt schemas (to be published)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005)
+- **Status:** Needs signed/validated receipt schema/catalog, inclusion proof freshness policy, subject/policy binding, client provenance, TSA/time integrity, offline verifier, mirror snapshot rules, retention/observability, and tenant isolation.
+
+### Standup Sprint Kickstarters
+- **Canonical:** `30-Nov-2025 - Standup Sprint Kickstarters.md`
+- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
+- **Related Docs:** `docs/implplan/README.md` (sprint template)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (SK1–SK10 remediation task STANDUP-GAPS-300-019)
+- **Status:** Introduces ceremony primer but lacks template alignment, readiness evidence, dependency ledger, offline/async guidance, metrics/SLOs, and role/decision capture rules.
+
+### UI Micro-Interactions
+- **Canonical:** `30-Nov-2025 - UI Micro-Interactions for StellaOps.md`
+- **Sprint:** SPRINT_0209_0001_0001_ui_i.md (UI I; share with UI II/III as needed)
+- **Related Docs:** `docs/modules/ui/architecture.md`, Storybook token catalog (planned)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (MI1–MI10 remediation task UI-MICRO-GAPS-0209-011)
+- **Status:** Needs motion tokens, reduced-motion/a11y rules, perf budgets, offline/latency states, error/cancel patterns, component mapping, telemetry schema, deterministic tests/snapshots, micro-copy localisation, and theme/contrast guidance.
+
+### Proof-Linked VEX UI (Not-Affected Proof Drawer)
+- **Canonical:** Proof-linked VEX UI spec (chat-provided; to land as `docs/ui/proof-linked-vex.md`)
+- **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md
+- **Related Docs:** `docs/product-advisories/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md`, `docs/product-advisories/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`, VexLens/Policy module docs
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (PVX1–PVX10 remediation task UI-PROOF-VEX-0215-010)
+- **Status:** Drawer/badge pattern defined but missing scoped auth, cache/staleness policy, stronger integrity verification, failure/offline UX, evidence precedence rules, telemetry privacy schema, signed permalinks, revision reconciliation, and fixtures/tests.
+
 ### SBOM → VEX Proof Blueprint
 - **Canonical:** `29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md`
 - **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
 - **Related Docs:**
   - `docs/product-advisories/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md` (itself)
   - `docs/modules/platform/architecture-overview.md` (platform dossier link)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (BP1–BP10 remediation task SBOM-VEX-GAPS-300-013)
 - **Status:** Diagram-first guide showing DSSE → Rekor v2 tiles → VEX linkage plus online/offline verification notes for StellaOps proofs.
 
 ### UI Micro-Interactions
@@ -53,12 +95,19 @@ These are the authoritative advisories to reference for implementation:
 
 ### Rekor Receipt Checklist
 - **Canonical:** `30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md`
-- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
+- **Sprint:** SPRINT_0314_0001_0001_docs_modules_authority.md (PRIMARY)
 - **Related Docs:**
   - `docs/product-advisories/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md`
   - `docs/modules/platform/architecture-overview.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005)
 - **Status:** Field-level ownership map for receipts, bundles, and offline metadata so Authority/Sbomer/Vexer keep deterministic proofs.
 
+### Air-Gap Deployment Playbook
+- **Canonical:** `25-Nov-2025 - Air-gap deployment playbook for StellaOps.md`
+- **Sprint:** SPRINT_0510_0001_0001_airgap.md (Ops & Offline)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (AG1–AG12 remediation task AIRGAP-GAPS-510-009)
+- **Status:** Implementation guided by Ops/Offline sprint; gaps cover trust roots, Rekor mirrors, feed freezing, tooling hashes, AV scans, policy/graph hash verification, tenant scoping, ingress receipts, replay depth, and offline observability.
+
 ### Ecosystem Reality Tests
 - **Canonical:** `30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md`
 - **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
@@ -68,9 +117,10 @@ These are the authoritative advisories to reference for implementation:
 
 ### Unknowns Decay & Triage Heuristics
 - **Canonical:** `30-Nov-2025 - Unknowns Decay & Triage Heuristics.md`
-- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
+- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (Signals/Unknowns)
 - **Related Docs:**
   - `docs/product-advisories/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (UT1–UT10 remediation task UNKNOWN-HEUR-GAPS-140-007)
 - **Status:** Confidence decay card + triage queue artifacts that feed UI + ops exports for stale unknowns.
 
 ### Standup Sprint Kickstarters
@@ -85,13 +135,23 @@ These are the authoritative advisories to reference for implementation:
 - **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
 - **Related Docs:**
   - `docs/product-advisories/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (CE1–CE10 remediation task EVIDENCE-PATTERNS-GAPS-300-016)
 - **Status:** Snapshot of how Snyk, GitHub, Aqua, Anchore/Grype, and Prisma Cloud handle evidence, suppression, and audit/export primitives.
 
+### Ecosystem Reality Test Cases
+- **Canonical:** `30-Nov-2025 - Ecosystem Reality Test Cases.md`
+- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
+- **Related Docs:**
+  - `docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (ET1–ET10 remediation task ECOSYS-FIXTURES-GAPS-300-017)
+- **Status:** Five public incidents mapped to acceptance tests (credential leak, Trivy offline schema error, SBOM parity, Grype version drift, inconsistent detection); informs SCA acceptance packs.
+
 ### Reachability Benchmark Fixtures
 - **Canonical:** `30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md`
-- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
+- **Sprint:** SPRINT_0513_0001_0001_public_reachability_benchmark.md (PRIMARY)
 - **Related Docs:**
   - `docs/product-advisories/30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (RB1–RB10 remediation task REACH-FIXTURE-GAPS-513-020)
 - **Status:** SV-COMP + OSS-Fuzz grounded fixture plan plus Tier-2 guidance for Java/Python, packages, containers, call-graph corpora.
 
 ### SBOM/VEX Pipeline
@@ -113,6 +173,7 @@ These are the authoritative advisories to reference for implementation:
 ### Graph Revision IDs
 - **Canonical:** `26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md`
 - **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (existing tasks)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (GR1–GR10 remediation task GRAPHREV-GAPS-401-063)
 - **Supersedes:**
   - `25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md` → archive (earlier version)
 
@@ -121,16 +182,20 @@ These are the authoritative advisories to reference for implementation:
 - **Sprint:** SPRINT_0513_0001_0001_public_reachability_benchmark.md
 - **Related:**
   - `26-Nov-2025 - Opening Up a Reachability Dataset.md` → complementary (dataset focus)
+  - `31-Nov-2025 FINDINGS.md` → gap analysis (G1–G12) with remediation task BENCH-GAPS-513-018
+- **Gaps (dataset):** `31-Nov-2025 FINDINGS.md` (RD1–RD10 remediation task DATASET-GAPS-513-019)
 
 ### Unknowns Registry
 - **Canonical:** `27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md`
 - **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (existing implementation)
 - **Extends:** `archived/18-Nov-2025 - Unknowns-Registry.md`
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (UN1–UN10 remediation task UNKNOWN-GAPS-140-006)
 - **Status:** Already implemented in Signals module; advisory validates design
 
 ### Confidence Decay for Prioritization
 - **Canonical:** `25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md`
 - **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (integration point)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (U1–U10 remediation task DECAY-GAPS-140-005)
 - **Related:** Unknowns Registry (time-based decay complements ambiguity tracking)
 - **Status:** Design advisory - provides exponential decay formula for priority freshness
 
@@ -138,21 +203,37 @@ These are the authoritative advisories to reference for implementation:
 - **Canonical (Graphs):** `27-Nov-2025 - Making Graphs Understandable to Humans.md`
 - **Canonical (Verdicts):** `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md`
 - **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (UI-CLI tasks)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (EX1–EX10 remediation task EXPLAIN-GAPS-401-064)
 - **Status:** Complementary advisories - graphs cover edge reasons, verdicts cover audit trails
 
 ### VEX Proofs
 - **Canonical:** `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md`
 - **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (POLICY-VEX tasks)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (VEX1–VEX10 remediation task VEX-GAPS-401-062)
 
 ### Binary Reachability
 - **Canonical:** `27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md`
 - **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (GRAPH-HYBRID tasks)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (BR1–BR10 remediation task BINARY-GAPS-401-066)
 
 ### Scanner Roadmap
 - **Canonical:** `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md`
 - **Sprint:** Multiple sprints (0186, 0401, 0512)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (SC1–SC10 remediation task SCANNER-GAPS-186-018)
 - **Status:** High-level roadmap document
 
+### SBOM-First, VEX-Ready Spine
+- **Canonical:** `27-Nov-2025 - Deep Architecture Brief - SBOM-First, VEX-Ready Spine.md`
+- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (spine contracts) and related VEX/graph tasks in SPRINT_0401_0001_0001
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (SP1–SP10 remediation task SPINE-GAPS-186-019)
+- **Status:** Architecture brief; needs formalized schemas/contracts and DSSE/bundle enforcement.
+
+### SBOM & VEX Competitor Snapshot
+- **Canonical:** `27-Nov-2025 - Late‑November SBOM & VEX competitor.md`
+- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (ingest/normalization)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (CM1–CM10 remediation task COMPETITOR-GAPS-186-020)
+- **Status:** Competitive intelligence; requires hardened external ingest, signatures, and offline kit parity.
+
 ### Vulnerability Triage UX & VEX-First Decisioning
 - **Canonical:** `28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`
 - **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md (NEW)
@@ -163,6 +244,7 @@ These are the authoritative advisories to reference for implementation:
   - `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md` (evidence chain)
   - `27-Nov-2025 - Making Graphs Understandable to Humans.md` (graph UX)
   - `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md` (VEX proofs)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (VT1–VT10 remediation task TRIAGE-GAPS-215-042)
 - **Status:** New - defines converged triage UX across Snyk/GitLab/Harbor/Anchore patterns
 - **Schemas:**
   - `docs/schemas/vex-decision.schema.json`
@@ -176,6 +258,7 @@ These are the authoritative advisories to reference for implementation:
   - `docs/security/rootpack_ru_*.md` - RootPack RU documentation
   - `docs/security/crypto-registry-decision-2025-11-18.md` - Registry design
   - `docs/security/pq-provider-options.md` - Post-quantum options
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (SC1–SC10 remediation task SC-GAPS-514-010)
 - **Status:** Fills HIGH-priority gap - covers eIDAS, FIPS, GOST, SM algorithm support
 - **Compliance:** EU (eIDAS), US (FIPS 140-2/3), Russia (GOST), China (SM2/3/4)
 
@@ -187,6 +270,7 @@ These are the authoritative advisories to reference for implementation:
   - `docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md` - Concelier connectors
   - `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md` - Authority plugins
   - `docs/modules/scanner/guides/surface-validation-extensibility.md` - Scanner extensibility
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (PL1–PL10 remediation task Plugin architecture gaps remediation — Sprint 300)
 - **Status:** Fills MEDIUM-priority gap - consolidates extensibility patterns across modules
 
 ### Evidence Bundle & Replay Contracts
@@ -199,13 +283,22 @@ These are the authoritative advisories to reference for implementation:
   - `docs/modules/evidence-locker/bundle-packaging.md` - Bundle spec
   - `docs/modules/evidence-locker/attestation-contract.md` - DSSE contract
   - `docs/modules/evidence-locker/replay-payload-contract.md` - Replay schema
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (EB1–EB10 remediation task EVID-GAPS-161-007)
 - **Status:** Fills HIGH-priority gap - covers deterministic bundles, attestations, replay, incident mode
+
+### Export Center & Reporting
+- **Canonical:** `28-Nov-2025 - Export Center and Reporting Strategy.md`
+- **Sprint:** SPRINT_0162_0001_0001_exportcenter_i.md (ExportCenter I)
+- **Related Sprints:** SPRINT_0163_0001_0001_exportcenter_ii.md, SPRINT_0164_0001_0001_exportcenter_iii.md
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (EC1–EC10 remediation task EXPORT-GAPS-162-013)
+- **Status:** Export profiles/adapters; determinism, provenance, and offline kit parity need gap remediation.
 ### Acceptance Tests Pack for Guardrails
 - **Canonical:** `29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md`
 - **Sprint:** SPRINT_300_documentation_process.md (Docs Governance)
 - **Related Docs:**
   - `docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md` (itself)
   - `docs/implplan/SPRINT_300_documentation_process.md` (tracking the sync)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (AT1–AT10 remediation task AT-GAPS-300-012)
 - **Status:** Captures feed resiliency, SBOM validation, snapshot/replay rehearsals, reachability fallbacks, and pipeline swap guardrails for acceptance tests.
 
 ### Mirror & Offline Kit Strategy
@@ -219,8 +312,15 @@ These are the authoritative advisories to reference for implementation:
   - `docs/modules/mirror/dsse-tuf-profile.md` - DSSE/TUF spec
   - `docs/modules/mirror/thin-bundle-assembler.md` - Thin bundle spec
   - `docs/airgap/time-anchor-schema.json` - Time anchor schema
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (OK1–OK10 remediation task OFFKIT-GAPS-125-011; RK1–RK10 task REKOR-GAPS-125-012; MS1–MS10 task MIRROR-GAPS-125-013)
 - **Status:** Fills HIGH-priority gap - covers thin bundles, DSSE/TUF signing, time anchoring
 
+### Rekor v2 / DSSE Limits
+- **Canonical:** `26-Nov-2025 - Handling Rekor v2 and DSSE Air-Gap Limits.md`
+- **Sprint:** SPRINT_0125_0001_0001_mirror.md (mirror/offline log handling) and linked to reachability evidence chain where DSSE predicates are used.
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (RK1–RK10 remediation task REKOR-GAPS-125-012)
+- **Status:** Guides policy for public/private Rekor use, payload limits, chunking, and shard-aware checkpoints.
+
 ### Task Pack Orchestration & Automation
 - **Canonical:** `28-Nov-2025 - Task Pack Orchestration and Automation.md`
 - **Sprint:** SPRINT_0157_0001_0001_taskrunner_i.md (PRIMARY)
@@ -231,6 +331,7 @@ These are the authoritative advisories to reference for implementation:
   - `docs/task-packs/spec.md` - Pack manifest specification
   - `docs/task-packs/authoring-guide.md` - Authoring workflow
   - `docs/task-packs/registry.md` - Registry architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (TP1–TP10 remediation task TASKRUN-GAPS-157-014)
 - **Status:** Fills HIGH-priority gap - covers pack DSL, approvals, evidence capture
 
 ### Authentication & Authorization Architecture
@@ -240,6 +341,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_100_identity_signing.md (CLOSED - historical)
   - SPRINT_314_docs_modules_authority.md (Docs)
   - SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (Crypto)
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (AU1–AU10 remediation task AUTH-GAPS-314-004)
 - **Related Docs:**
   - `docs/modules/authority/architecture.md` - Module architecture
   - `docs/11_AUTHORITY.md` - Overview
@@ -256,6 +358,7 @@ These are the authoritative advisories to reference for implementation:
 - **Related Docs:**
   - `docs/modules/cli/architecture.md` - Module architecture
   - `docs/09_API_CLI_REFERENCE.md` - Command reference
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (CL1–CL10 remediation task CLI-GAPS-201-003)
 - **Status:** Fills HIGH-priority gap - covers command surface, auth model, Buildx integration
 
 ### Orchestrator Event Model & Job Lifecycle
@@ -266,6 +369,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0152_0001_0002_orchestrator_ii.md
 - **Related Docs:**
   - `docs/modules/orchestrator/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (OR1–OR10 remediation task ORCH-GAPS-151-016)
 - **Status:** Fills HIGH-priority gap - covers job lifecycle, quota governance, replay semantics
 
 ### Export Center & Reporting Strategy
@@ -285,6 +389,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0143_0000_0001_signals.md
 - **Related Docs:**
   - `docs/modules/zastava/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (ZR1–ZR10 remediation task ZASTAVA-GAPS-144-007)
 - **Status:** Fills MEDIUM-priority gap - covers runtime events, admission control, drift detection
 
 ### Notification Rules & Alerting Engine
@@ -295,6 +400,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0172_0001_0003_notify_ack_tokens.md
 - **Related Docs:**
   - `docs/modules/notify/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (NR1–NR10 remediation task NOTIFY-GAPS-171-014)
 - **Status:** Fills MEDIUM-priority gap - covers rules engine, channels, noise control, ack tokens
 
 ### Graph Analytics & Dependency Insights
@@ -305,6 +411,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0140_0001_0001_runtime_signals.md
 - **Related Docs:**
   - `docs/modules/graph/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (GA1–GA10 remediation task GRAPH-ANALYTICS-GAPS-207-013)
 - **Status:** Fills MEDIUM-priority gap - covers graph model, overlays, analytics, visualization
 
 ### Telemetry & Observability Patterns
@@ -315,6 +422,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0182_0001_0003_telemetry_offline.md
 - **Related Docs:**
   - `docs/modules/telemetry/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (TO1–TO10 remediation task TELEM-GAPS-180-001)
 - **Status:** Fills MEDIUM-priority gap - covers collector topology, forensic mode, offline bundles
 
 ### Policy Simulation & Shadow Gates
@@ -325,6 +433,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0121_0001_0001_policy_reasoning.md
 - **Related Docs:**
   - `docs/modules/policy/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (PS1–PS10 remediation task POLICY-GAPS-185-006)
 - **Status:** Fills MEDIUM-priority gap - covers shadow runs, coverage fixtures, promotion gates
 
 ### Findings Ledger & Immutable Audit Trail
@@ -335,6 +444,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_311_docs_tasks_md_xi.md
 - **Related Docs:**
   - `docs/modules/findings-ledger/openapi/findings-ledger.v1.yaml` - OpenAPI spec
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (FL1–FL10 remediation task LEDGER-GAPS-121-009)
 - **Status:** Fills MEDIUM-priority gap - covers append-only events, Merkle anchoring, projections
 
 ### Concelier Advisory Ingestion Model
@@ -345,6 +455,7 @@ These are the authoritative advisories to reference for implementation:
   - SPRINT_0114_0001_0003_concelier_iii.md
 - **Related Docs:**
   - `docs/modules/concelier/architecture.md` - Module architecture
+- **Gaps:** `31-Nov-2025 FINDINGS.md` (CI1–CI10 remediation task CONCELIER-GAPS-115-014)
   - `docs/modules/concelier/link-not-merge-schema.md` - LNM schema
 - **Status:** Fills MEDIUM-priority gap - covers AOC, Link-Not-Merge, connectors, deterministic exports
 
@@ -508,4 +619,4 @@ Several filenames use en-dash (U+2011) instead of regular hyphen (-). This may c
 
 ---
 *Index created: 2025-11-27*
-*Last updated: 2025-11-30 (added Implementor Guidelines, UI micro-interactions brief, Rekor receipt checklist, Ecosystem test cases, Unknowns decay/triage heuristics, Standup Sprint Kickstarters, Comparative Evidence Patterns, and prior references)*
+*Last updated: 2025-12-01 (added Rekor Receipt, Standup Kickstarters, UI Micro-Interactions, Proof-Linked VEX UI entries, plus new gap task IDs)*