Update AGENTS.md files across multiple modules to standardize task status update instructions and introduce a new document for Secret Leak Detection operations.

- Modified task status update instructions in AGENTS.md files to refer to corresponding sprint files as `/docs/implplan/SPRINT_*.md` instead of `docs/implplan/SPRINTS.md`.
- Added a comprehensive document for Secret Leak Detection operations detailing scope, prerequisites, rule bundle lifecycle, enabling the analyzer, policy patterns, observability, troubleshooting, and references.

src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md

@@ -33,7 +33,7 @@ Create the .NET analyzer plug-in that inspects `*.deps.json`, `runtimeconfig.jso
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md

@@ -35,7 +35,7 @@ Build the Go analyzer plug-in that reads Go build info, module metadata, and DWA
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/AGENTS.md

@@ -19,7 +19,7 @@ Implement deterministic Java analyzers that normalise JVM/Build ecosystem inputs
 - Build system references linked from sprint tasks (Maven, Gradle, shading).
 
 ## Working Agreement
-1. **Status synchronisation**: set tasks to `DOING`/`DONE` in `docs/implplan/SPRINTS.md` and local `TASKS.md` as work progresses.
+1. **Status synchronisation**: set tasks to `DOING`/`DONE` in corresponding sprint file `docs/implplan/SPRINT_*.md` and local `TASKS.md` as work progresses.
 2. **Surface usage**: rely on shared Surface libraries for env detection, cached artifacts, secret access, and validation.
 3. **Deterministic outputs**: stabilise classpath ordering, canonicalise PURLs, and avoid network fetches; rely on local caches.
 4. **SBOM accuracy**: produce consistent component/relationship data; no policy/severity decisions.

src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md

@@ -43,7 +43,7 @@ Deliver the Node.js / npm / Yarn / PNPM analyzer plug-in that resolves workspace
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md

@@ -36,7 +36,7 @@ Implement the Python analyzer plug-in that inspects installed distributions, REC
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/AGENTS.md

@@ -33,7 +33,7 @@ Develop the Rust analyzer plug-in that resolves crates from metadata (`.fingerpr
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md

@@ -37,7 +37,7 @@ Deliver deterministic language ecosystem analyzers that run inside Scanner Worke
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/AGENTS.md

@@ -44,7 +44,7 @@ Out of scope:
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.Cache/AGENTS.md

@@ -19,7 +19,7 @@ Provide deterministic, offline-friendly caching primitives for scanner layers an
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.Core/AGENTS.md

@@ -33,7 +33,7 @@ Out: queue implementations, analyzer logic, storage adapters, HTTP endpoints, UI
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.Diff/AGENTS.md

@@ -24,7 +24,7 @@ Deliver deterministic image-to-image component diffs grouped by layer with prove
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.Emit/AGENTS.md

@@ -24,7 +24,7 @@ Assemble deterministic SBOM artifacts (inventory, usage, BOM index) from analyze
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/AGENTS.md

@@ -36,7 +36,7 @@ Resolve container `ENTRYPOINT`/`CMD` chains into deterministic call graphs that
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.Queue/AGENTS.md

@@ -19,7 +19,7 @@ Deliver the scanner job queue backbone defined in `docs/modules/scanner/ARCHITEC
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.Storage/AGENTS.md

@@ -32,7 +32,7 @@ Out: HTTP endpoints, queue processing, analyzer logic, SBOM composition, policy
 - `docs/modules/platform/architecture-overview.md`
 
 ## Working Agreement
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
 - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
 - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
 - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.

src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/AGENTS.md

@@ -19,7 +19,7 @@ Provide strongly-typed configuration helpers for Scanner/Zastava components, enc
 - Deployment guides (`deploy/README.md`, `ops/devops/TASKS.md`) referencing scanner env vars.
 
 ## Working Agreement
-1. **State sync**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` before/after changes.
+1. **State sync**: mark tasks `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` before/after changes.
 2. **Deterministic parsing**: validate inputs once, emit structured errors, avoid direct `Environment.GetEnvironmentVariable` calls elsewhere.
 3. **Compatibility**: version new keys; provide migration helpers and deprecation warnings; update docs + Ops templates.
 4. **Testing**: maintain unit tests for parsing, validation, and fallback behaviour; include edge cases (missing, malformed, default override).

src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/AGENTS.md

@@ -20,11 +20,11 @@ Define and maintain the shared surface filesystem abstraction used by Scanner, Z
 - Offline kit notes referencing cache bundles.
 
 ## Working Agreement
-1. **Status updates**: adjust task state in `docs/implplan/SPRINTS.md` and local `TASKS.md` when starting/finishing work.
+1. **Status updates**: adjust task state in corresponding sprint file `docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting/finishing work.
 2. **Determinism**: manifests must be stable (ordered keys, normalised timestamps); avoid non-deterministic metadata.
 3. **Security & tenancy**: enforce namespace separation, hash validation, and capability checks; integrate with Surface.Secrets for protected stores.
 4. **Concurrency**: design for multi-writer safety with leases or idempotent writes; document locking expectations.
 5. **Testing**: cover unit/integration scenarios (write/read, corruption handling, retention policies) and regression tests in Scanner/Zastava.
 6. **Documentation**: update `surface-fs.md` and downstream guides when schema or API contracts evolve; coordinate with Ops for deployment changes.
 
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.

src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/AGENTS.md

@@ -20,11 +20,11 @@ Provide a unified secret access layer for Scanner, Zastava, and related services
 - Security guidance in `docs/security/redaction-and-privacy.md`
 
 ## Working Agreement
-1. **Status synchronisation**: update task state in both `docs/implplan/SPRINTS.md` and local `TASKS.md` whenever you start or complete work.
+1. **Status synchronisation**: update task state in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` whenever you start or complete work.
 2. **Security posture**: enforce least privilege, short cache TTLs, redaction in logs, and Authority scope checks where applicable.
 3. **Deterministic behaviour**: deterministic secret selection & failure modes; avoid random jitter unless documented.
 4. **Offline readiness**: support sealed-mode bundles; document required manifest formats and verification steps.
 5. **Testing**: add unit/integration tests for each backend, rotation scenario, and failure path; include air-gap fixtures.
 6. **Documentation**: keep `surface-secrets.md` current; collaborate with DevOps to update Helm/Compose/offline-kit instructions.
 
-- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
+- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.

src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/AGENTS.md

@@ -19,7 +19,7 @@ Deliver an extensible validation framework that enforces preconditions for Surfa
 - `docs/modules/scheduler/architecture.md`
 
 ## Working Agreement
-1. **Status sync**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when you begin/finish work.
+1. **Status sync**: mark tasks `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` when you begin/finish work.
 2. **Extensibility**: design validators to be SOLID-compliant; document registration patterns; avoid hard-coded logic in consumers.
 3. **Deterministic diagnostics**: produce stable error codes/messages; support localisation if required.
 4. **Integration**: ensure all Surface libraries and consumers call validators before operation; add regression tests in downstream modules when new checks land.