save checkpoint

2026-02-12 21:02:43 +02:00
parent 5bca406787
commit 9911b7d73c
593 changed files with 174390 additions and 1376 deletions
--- a/docs/features/checked/binaryindex/vulnerable-code-fingerprint-matching.md
+++ b/docs/features/checked/binaryindex/vulnerable-code-fingerprint-matching.md
@@ -0,0 +1,37 @@
+# Vulnerable Code Fingerprint Matching (CFG + Basic Block + String Refs Ensemble)
+
+## Module
+BinaryIndex
+
+## Status
+VERIFIED
+## Description
+Function-level vulnerability detection independent of package metadata using an ensemble of fingerprint algorithms: basic block hashing, control flow graph fingerprinting, and string reference fingerprinting. Combined generator provides multi-algorithm similarity matching with configurable thresholds. Includes pre-seeded fingerprints for high-impact CVEs in OpenSSL, glibc, zlib, and curl.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/`
+- **Key Classes**:
+  - `SignatureMatcher` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/SignatureMatcher.cs`) - matches vulnerability signatures using fingerprint index
+  - `EnsembleDecisionEngine` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/EnsembleDecisionEngine.cs`) - combines CFG, basic block, string ref, and ML embedding fingerprints with configurable weights
+  - `FunctionAnalysisBuilder` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/FunctionAnalysisBuilder.cs`) - assembles multi-algorithm fingerprint inputs
+  - `SemanticFingerprintGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/SemanticFingerprintGenerator.cs`) - KSG-based semantic fingerprinting
+  - `CallNgramGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/CallNgramGenerator.cs`) - call-sequence fingerprinting
+  - `BinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Services/BinaryVulnerabilityService.cs`) - vulnerability lookup with pre-seeded fingerprints
+- **Models**: `SignatureIndexModels` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/Models/`) - fingerprint index models
+- **Source**: SPRINT_20251226_013_BINIDX_fingerprint_factory.md
+
+## E2E Test Plan
+- [x] Match a known vulnerable function (e.g., OpenSSL Heartbleed) against pre-seeded fingerprints and verify detection
+- [x] Verify multi-algorithm ensemble: CFG fingerprint + basic block hash + string refs all contribute to match score
+- [x] Verify configurable threshold: adjust threshold to 0.8 and verify borderline matches are excluded
+- [x] Verify pre-seeded fingerprints exist for high-impact CVEs (OpenSSL, glibc, zlib, curl)
+- [x] Verify false positive rate: submit clean binary functions and verify no false matches
+- [x] Verify `EnsembleDecisionEngine` weight tuning affects match outcomes
+
+## Verification
+- Verified on 2026-02-12 via run `run-002`.
+- Tier 0 source/symbol checks: pass.
+- Tier 1 build/tests/code-review: pass (`420/420` tests).
+- Tier 2 behavioral verification: pass (golden signature behavior, threshold behavior, and pre-seeded package coverage including openssl/glibc/zlib/curl).
+- Run evidence: `docs/qa/feature-checks/runs/binaryindex/vulnerable-code-fingerprint-matching/run-002/`.
+
--- a/docs/features/checked/gateway/configurable-route-table-configuration-model.md
+++ b/docs/features/checked/gateway/configurable-route-table-configuration-model.md
@@ -0,0 +1,38 @@
+# Configurable Route Table - Configuration Model and Validation
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway supports a configurable route table via `GatewayOptions.Routes` (`List<StellaOpsRoute>`). Each route is defined by a `StellaOpsRouteType` enum (Microservice, ReverseProxy, StaticFiles, StaticFile, WebSocket, NotFoundPage, ServerErrorPage), a `Path`, an optional `IsRegex` flag, a `TranslatesTo` target, and optional `Headers` dictionary. The `GatewayOptionsValidator` validates all routes with type-specific rules: ReverseProxy requires valid HTTP(S) URL, WebSocket requires ws:///wss:// URL, StaticFiles/StaticFile/NotFoundPage/ServerErrorPage require non-empty file/directory paths, all routes require non-empty Path, and regex paths must be valid regex patterns.
+
+## Implementation Details
+- **Modules**: `src/Router/__Libraries/StellaOps.Router.Gateway/`, `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRoute` (`src/Router/__Libraries/StellaOps.Router.Gateway/Configuration/StellaOpsRoute.cs`) - Route model class with `StellaOpsRouteType` enum (7 values)
+  - `GatewayOptions` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptions.cs`) - `Routes` property (`List<StellaOpsRoute>`)
+  - `GatewayOptionsValidator` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptionsValidator.cs`) - Type-specific validation rules for all 7 route types
+- **Tests**:
+  - `GatewayOptionsValidatorTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Configuration/GatewayOptionsValidatorTests.cs`) - 11 route validation tests
+  - `StellaOpsRouteResolverTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Routing/StellaOpsRouteResolverTests.cs`) - 9 resolver unit tests
+
+## E2E Test Plan
+- [ ] Validate that a ReverseProxy route with invalid URL fails validation
+- [ ] Validate that a WebSocket route with non-ws:// URL fails validation
+- [ ] Validate that a StaticFiles route with empty TranslatesTo fails validation
+- [ ] Validate that a route with empty Path fails validation
+- [ ] Validate that a route with IsRegex=true and invalid regex fails validation
+- [ ] Validate that a properly configured route table with all 7 types passes validation
+- [ ] Gateway starts successfully with a valid route table configuration
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-configuration-model/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/gateway/configurable-route-table-error-page-fallback.md
+++ b/docs/features/checked/gateway/configurable-route-table-error-page-fallback.md
@@ -0,0 +1,36 @@
+# Configurable Route Table - Error Page Fallback (404/500)
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway supports `NotFoundPage` and `ServerErrorPage` route types that serve custom HTML error pages for 404 and 500+ responses respectively. Configured via `StellaOpsRoute` with `Type = NotFoundPage` or `Type = ServerErrorPage`, `TranslatesTo` = path to an HTML file on disk. When any route in the pipeline produces a 404 or 500+ response with an empty body, the `ErrorPageFallbackMiddleware` intercepts and serves the configured HTML page. Includes a fast-path optimization that skips response body buffering entirely when no error pages are configured. Falls back to a JSON error response when the configured error page file is missing.
+
+## Implementation Details
+- **Modules**: `src/Router/__Libraries/StellaOps.Router.Gateway/`, `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRoute` (`src/Router/__Libraries/StellaOps.Router.Gateway/Configuration/StellaOpsRoute.cs`) - Route model with `StellaOpsRouteType.NotFoundPage` and `StellaOpsRouteType.ServerErrorPage`
+  - `ErrorPageFallbackMiddleware` (`src/Router/StellaOps.Gateway.WebService/Middleware/ErrorPageFallbackMiddleware.cs`) - Intercepts 404/500 responses, serves configured HTML pages, fast-path for no-error-page config
+  - `GatewayOptionsValidator` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptionsValidator.cs`) - Validates error page routes have non-empty TranslatesTo file paths
+  - `Program.cs` (`src/Router/StellaOps.Gateway.WebService/Program.cs`) - Registers error routes in DI and `ErrorPageFallbackMiddleware` at end of pipeline
+- **Tests**:
+  - `RouteTableIntegrationTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Integration/RouteTableIntegrationTests.cs`) - Error page behavior verified through route resolution tests (unmatched paths return 404)
+
+## E2E Test Plan
+- [ ] Unmatched route returns 404 with custom HTML page: `GET /unmatched/path` returns 404 with `Content-Type: text/html` and custom page content
+- [ ] 404 response status code is preserved: response status is 404 (not 200)
+- [ ] 500 error page: trigger a 500 response and verify custom HTML page is served with `Content-Type: text/html`
+- [ ] Fast-path: when no error pages configured, responses pass through without buffering overhead
+- [ ] JSON fallback: when error page file is missing on disk, returns JSON error `{"error":"not_found","status":404}`
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-error-page-fallback/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/gateway/configurable-route-table-reverse-proxy.md
+++ b/docs/features/checked/gateway/configurable-route-table-reverse-proxy.md
@@ -0,0 +1,39 @@
+# Configurable Route Table - Reverse Proxy
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway supports a `ReverseProxy` route type that forwards HTTP requests to an upstream service. Configured via `StellaOpsRoute` with `Type = ReverseProxy`, `Path` = URL prefix, `TranslatesTo` = upstream base URL. Features: prefix stripping (for non-regex routes), header forwarding (excluding hop-by-hop), upstream status code passthrough, custom header injection via `Headers` dictionary, regex-based path matching (`IsRegex = true`), timeout handling (returns 504), and connection error handling (returns 502).
+
+## Implementation Details
+- **Modules**: `src/Router/__Libraries/StellaOps.Router.Gateway/`, `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRoute` (`src/Router/__Libraries/StellaOps.Router.Gateway/Configuration/StellaOpsRoute.cs`) - Route model with `StellaOpsRouteType.ReverseProxy`
+  - `StellaOpsRouteResolver` (`src/Router/StellaOps.Gateway.WebService/Routing/StellaOpsRouteResolver.cs`) - Supports both prefix and regex matching for proxy routes
+  - `RouteDispatchMiddleware` (`src/Router/StellaOps.Gateway.WebService/Middleware/RouteDispatchMiddleware.cs`) - `HandleReverseProxy` method using `IHttpClientFactory`, strips prefix, forwards headers, streams response
+  - `GatewayOptionsValidator` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptionsValidator.cs`) - Validates ReverseProxy route has valid HTTP(S) URL in TranslatesTo
+- **Tests**:
+  - `RouteTableIntegrationTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Integration/RouteTableIntegrationTests.cs`) - 7 ReverseProxy integration tests
+  - `GatewayOptionsValidatorTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Configuration/GatewayOptionsValidatorTests.cs`) - ReverseProxy URL validation tests
+
+## E2E Test Plan
+- [ ] Forward request to upstream: `GET /proxy/echo` returns proxied response from upstream with 200
+- [ ] Strip path prefix: `GET /proxy/sub/path` forwards as `/sub/path` to upstream
+- [ ] Forward request headers: custom headers (e.g., `X-Test-Header`) are forwarded to upstream
+- [ ] Pass through upstream status codes: 201, 400, 500 are returned as-is
+- [ ] Inject configured headers: route with `Headers["X-Custom-Route"] = "injected-value"` injects that header into upstream request
+- [ ] Regex path matching: route with `IsRegex = true` and pattern `^/api/v[0-9]+/.*` matches `GET /api/v2/data`
+- [ ] Timeout handling: upstream timeout returns 504 Gateway Timeout
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-reverse-proxy/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/gateway/configurable-route-table-route-resolver.md
+++ b/docs/features/checked/gateway/configurable-route-table-route-resolver.md
@@ -0,0 +1,37 @@
+# Configurable Route Table - Route Resolution Engine
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway includes a `StellaOpsRouteResolver` that maps incoming HTTP request paths to configured `StellaOpsRoute` entries. Uses first-match-wins ordering. Supports both prefix matching (case-insensitive `PathString.StartsWith`) and compiled regex matching (`IsRegex = true`). Excludes `NotFoundPage` and `ServerErrorPage` routes from path resolution (these are handled separately by `ErrorPageFallbackMiddleware`). Returns `null` for no match, allowing fallthrough to the existing Microservice pipeline.
+
+## Implementation Details
+- **Modules**: `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRouteResolver` (`src/Router/StellaOps.Gateway.WebService/Routing/StellaOpsRouteResolver.cs`) - First-match-wins resolver with prefix and regex support
+  - `RouteDispatchMiddleware` (`src/Router/StellaOps.Gateway.WebService/Middleware/RouteDispatchMiddleware.cs`) - Calls resolver, dispatches to handler based on route type
+  - `Program.cs` (`src/Router/StellaOps.Gateway.WebService/Program.cs`) - Registers `StellaOpsRouteResolver` as singleton in DI
+- **Tests**:
+  - `StellaOpsRouteResolverTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Routing/StellaOpsRouteResolverTests.cs`) - 9 unit tests (exact match, prefix, regex, no match, first-match-wins, excluded error types, case-insensitive, empty)
+  - `RouteTableIntegrationTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Integration/RouteTableIntegrationTests.cs`) - 2 route resolution integration tests
+
+## E2E Test Plan
+- [ ] Exact path match: `GET /favicon.ico` resolves to StaticFile route (returns file content)
+- [ ] Prefix match: `GET /app/index.html` resolves to StaticFiles route (serves directory file)
+- [ ] Regex match: `GET /api/v2/data` resolves to ReverseProxy route with pattern `^/api/v[0-9]+/.*`
+- [ ] No match fallthrough: `GET /unmatched/path` returns 404 (falls through to Microservice pipeline)
+- [ ] First-match-wins: when multiple routes could match, first configured route takes precedence
+- [ ] Case-insensitive: `GET /APP/index.html` resolves to `/app` StaticFiles route
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-route-resolver/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/gateway/configurable-route-table-static-file-serving.md
+++ b/docs/features/checked/gateway/configurable-route-table-static-file-serving.md
@@ -0,0 +1,35 @@
+# Configurable Route Table - Static File Serving
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway supports a `StaticFile` route type that serves a single specific file at an exact path. Configured via `StellaOpsRoute` with `Type = StaticFile`, `Path` = exact URL path (e.g., `/favicon.ico`), `TranslatesTo` = physical file path. Sub-paths are rejected (e.g., `/favicon.ico/extra` returns 404). The file is served with the correct MIME type inferred from the file extension.
+
+## Implementation Details
+- **Modules**: `src/Router/__Libraries/StellaOps.Router.Gateway/`, `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRoute` (`src/Router/__Libraries/StellaOps.Router.Gateway/Configuration/StellaOpsRoute.cs`) - Route model with `StellaOpsRouteType.StaticFile`
+  - `StellaOpsRouteResolver` (`src/Router/StellaOps.Gateway.WebService/Routing/StellaOpsRouteResolver.cs`) - Resolves exact path match for StaticFile routes
+  - `RouteDispatchMiddleware` (`src/Router/StellaOps.Gateway.WebService/Middleware/RouteDispatchMiddleware.cs`) - `HandleStaticFile` method serves exact file with MIME detection
+  - `GatewayOptionsValidator` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptionsValidator.cs`) - Validates StaticFile route has non-empty TranslatesTo file path
+- **Tests**:
+  - `RouteTableIntegrationTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Integration/RouteTableIntegrationTests.cs`) - 3 StaticFile integration tests
+  - `GatewayOptionsValidatorTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Configuration/GatewayOptionsValidatorTests.cs`) - StaticFile validation tests
+
+## E2E Test Plan
+- [ ] Serve a single file: `GET /favicon.ico` returns file content with 200
+- [ ] Reject sub-paths: `GET /favicon.ico/extra` returns 404
+- [ ] Correct Content-Type: `GET /favicon.ico` returns `Content-Type: image/x-icon`
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-static-file-serving/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/gateway/configurable-route-table-static-files-serving.md
+++ b/docs/features/checked/gateway/configurable-route-table-static-files-serving.md
@@ -0,0 +1,38 @@
+# Configurable Route Table - Static Files Serving
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway supports a `StaticFiles` route type that serves directory contents mapped to a URL prefix. Configured via `StellaOpsRoute` with `Type = StaticFiles`, `Path` = URL prefix, `TranslatesTo` = physical directory path. Supports SPA fallback (serving `index.html` for extensionless paths) when the route's `Headers["x-spa-fallback"]` is set to `"true"`. Files are served with correct MIME types via `FileExtensionContentTypeProvider`. Multiple StaticFiles routes can coexist with isolated path scopes.
+
+## Implementation Details
+- **Modules**: `src/Router/__Libraries/StellaOps.Router.Gateway/`, `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRoute` (`src/Router/__Libraries/StellaOps.Router.Gateway/Configuration/StellaOpsRoute.cs`) - Route model with `StellaOpsRouteType.StaticFiles`
+  - `StellaOpsRouteResolver` (`src/Router/StellaOps.Gateway.WebService/Routing/StellaOpsRouteResolver.cs`) - First-match-wins route resolution engine
+  - `RouteDispatchMiddleware` (`src/Router/StellaOps.Gateway.WebService/Middleware/RouteDispatchMiddleware.cs`) - `HandleStaticFiles` method uses `PhysicalFileProvider` and `FileExtensionContentTypeProvider`
+  - `GatewayOptionsValidator` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptionsValidator.cs`) - Validates StaticFiles route has non-empty TranslatesTo directory path
+- **Tests**:
+  - `RouteTableIntegrationTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Integration/RouteTableIntegrationTests.cs`) - 8 StaticFiles integration tests
+  - `GatewayOptionsValidatorTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Configuration/GatewayOptionsValidatorTests.cs`) - StaticFiles validation tests
+
+## E2E Test Plan
+- [ ] Serve a file from a mapped directory: `GET /app/index.html` returns HTML content with 200 and `Content-Type: text/html`
+- [ ] Serve a nested file: `GET /app/assets/style.css` returns CSS content with 200 and `Content-Type: text/css`
+- [ ] Return 404 for missing file: `GET /app/missing.txt` returns 404
+- [ ] Verify MIME types: `.html` -> `text/html`, `.css` -> `text/css`, `.js` -> `application/javascript`, `.json` -> `application/json`
+- [ ] SPA fallback: `GET /app/some/route` (extensionless) returns `index.html` when `x-spa-fallback=true`
+- [ ] Multiple mappings isolation: `/app/` and `/docs/` serve from different directories without interference
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-static-files-serving/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/gateway/configurable-route-table-websocket-proxy.md
+++ b/docs/features/checked/gateway/configurable-route-table-websocket-proxy.md
@@ -0,0 +1,37 @@
+# Configurable Route Table - WebSocket Proxy
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway supports a `WebSocket` route type that accepts WebSocket upgrade requests and proxies them bidirectionally to an upstream WebSocket server. Configured via `StellaOpsRoute` with `Type = WebSocket`, `Path` = URL prefix, `TranslatesTo` = upstream WebSocket URL (ws:// or wss://). The middleware accepts the client WebSocket, opens a `ClientWebSocket` connection to the upstream, and pumps messages in both directions. Supports text messages, binary messages, and close frame propagation.
+
+## Implementation Details
+- **Modules**: `src/Router/__Libraries/StellaOps.Router.Gateway/`, `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRoute` (`src/Router/__Libraries/StellaOps.Router.Gateway/Configuration/StellaOpsRoute.cs`) - Route model with `StellaOpsRouteType.WebSocket`
+  - `StellaOpsRouteResolver` (`src/Router/StellaOps.Gateway.WebService/Routing/StellaOpsRouteResolver.cs`) - Resolves WebSocket routes by path prefix
+  - `RouteDispatchMiddleware` (`src/Router/StellaOps.Gateway.WebService/Middleware/RouteDispatchMiddleware.cs`) - `HandleWebSocket` method: accepts client WS, connects upstream `ClientWebSocket`, bidirectional pump loop
+  - `GatewayOptionsValidator` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptionsValidator.cs`) - Validates WebSocket route has valid ws:// or wss:// URL in TranslatesTo
+  - `Program.cs` (`src/Router/StellaOps.Gateway.WebService/Program.cs`) - Registers `app.UseWebSockets()` in the pipeline
+- **Tests**:
+  - `RouteTableIntegrationTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Integration/RouteTableIntegrationTests.cs`) - 4 WebSocket integration tests
+  - `GatewayOptionsValidatorTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Configuration/GatewayOptionsValidatorTests.cs`) - WebSocket URL validation tests
+
+## E2E Test Plan
+- [ ] WebSocket upgrade succeeds: connect to `ws://host/ws/echo` and verify state is Open
+- [ ] Text message round-trip: send "Hello WebSocket" text message, receive same text echo back
+- [ ] Binary message round-trip: send binary payload `[0x01, 0x02, 0x03, 0xFF]`, receive identical binary echo
+- [ ] Close handshake: send close frame with NormalClosure, verify connection state becomes Closed
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-websocket-proxy/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/scanner/binary-intelligence-engine.md
+++ b/docs/features/checked/scanner/binary-intelligence-engine.md
@@ -0,0 +1,44 @@
+# Binary Intelligence Engine (Function-Level Code Fingerprinting)
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Function-level binary code fingerprinting for entry-trace native terminals, including deterministic symbol-window extraction, vulnerable marker matching, and binary intelligence payload propagation through storage and API contracts.
+
+## Implementation Details
+- **Entry-trace graph contract**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/EntryTraceTypes.cs`
+    - Added `EntryTraceGraph.BinaryIntelligence`
+    - Added `EntryTraceBinaryIntelligence`, `EntryTraceBinaryTarget`, `EntryTraceBinaryVulnerability`
+- **Serializer/storage round-trip**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Serialization/EntryTraceGraphSerializer.cs`
+    - Added binary intelligence contract mappings and round-trip conversion.
+- **Worker enrichment**:
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/EntryTraceExecutionService.cs`
+    - Integrates binary intelligence generation for native terminals during entry-trace execution.
+    - Produces deterministic function windows, binary-format inference, CVE marker extraction, and graph enrichment.
+- **API surface**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/EntryTraceResponse.cs`
+  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ScanEndpoints.cs`
+    - Entry-trace response returns `graph.binaryIntelligence` when available.
+- **Behavioral coverage**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/EntryTraceExecutionServiceTests.cs`
+  - `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ScansEndpointsTests.cs`
+  - `src/Scanner/__Tests/StellaOps.Scanner.Storage.Tests/EntryTraceResultStoreTests.cs`
+
+## E2E Test Plan
+- [x] Verify function-level binary fingerprinting behavior in EntryTrace binary test namespace.
+- [x] Verify worker entry-trace execution attaches binary intelligence for native terminal binaries.
+- [x] Verify `GET /api/v1/scans/{scanId}/entrytrace` returns graph payload including `binaryIntelligence`.
+- [x] Verify persisted `EntryTraceResult` round-trips binary intelligence through serializer/repository.
+
+## Verification
+- Run ID: `run-002`
+- Date (UTC): 2026-02-12
+- Tier 0: Source verification passed (`tier0-source-check.json`).
+- Tier 1: Build and focused test executions passed (`tier1-build-check.json`, `tier1-build-results.json`, `tier1-test-results.json`).
+- Tier 2: Integration checks passed for worker, endpoint, and storage round-trip (`tier2-e2e-check.json`).
--- a/docs/features/checked/scanner/binary-sbom-and-build-id-to-purl-mapping.md
+++ b/docs/features/checked/scanner/binary-sbom-and-build-id-to-purl-mapping.md
@@ -0,0 +1,51 @@
+# Binary SBOM and Build-ID to PURL Mapping
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Binary call graph extraction, offline Build-ID to PURL correlation, patch verification orchestration, and unified binary finding mapping are wired into Scanner worker execution with deterministic Tier 1/Tier 2 evidence.
+
+## Implementation Details
+- **Binary call graph extraction**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/BinaryCallGraphExtractor.cs`
+- **Patch verification engine + contracts**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/IPatchVerificationOrchestrator.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/PatchVerificationOrchestrator.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/DependencyInjection/ServiceCollectionExtensions.cs`
+- **Build-ID index**:
+  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/IBuildIdIndex.cs`
+  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/OfflineBuildIdIndex.cs`
+  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/BuildIdLookupResult.cs`
+- **Worker runtime wiring**:
+  - `src/Scanner/StellaOps.Scanner.Worker/Extensions/BinaryIndexServiceExtensions.cs`
+    - registers patch verification services in worker binary integration path.
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryLookupStageExecutor.cs`
+    - publishes mapped binary findings for downstream gating.
+    - executes Build-ID index batch lookup and stores mapping output.
+    - executes patch verification orchestration and stores verification result.
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryFindingMapper.cs`
+    - runtime call path now exercised from binary lookup stage.
+- **Shared analysis contracts**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Contracts/ScanAnalysisKeys.cs`
+    - added binary build-id mapping and patch-verification analysis keys.
+- **Worker validation test**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/BinaryLookupStageExecutorTests.cs`
+
+## E2E Test Plan
+- [x] Scan a container image with native binaries containing ELF build-IDs and verify Build-ID to PURL mapping runtime path executes.
+- [x] Verify binary call graph extraction behavior via `BinaryCallGraphExtractor` tests.
+- [x] Verify patch verification orchestration behavior executes with patch-data and no-patch-data paths.
+- [x] Verify binary vulnerability findings are mapped into unified finding objects for downstream stages.
+- [x] Verify offline Build-ID index resolves exact mappings without network access.
+- [x] Verify worker runtime wiring includes patch verification, build-id lookup, and finding mapping call sites.
+
+## Verification
+- Run ID: `run-002`
+- Date (UTC): 2026-02-12
+- Tier 0: Source verification passed (`tier0-source-check.json`).
+- Tier 1: Build, focused behavior tests, and code-review semantic wiring checks passed (`tier1-build-check.json`, `tier1-code-review.json`).
+- Tier 2: Integration/e2e summary passed, including runtime wiring parity checks (`tier2-integration-check.json`, `tier2-e2e-check.json`).
--- a/docs/features/checked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md
+++ b/docs/features/checked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md
@@ -0,0 +1,37 @@
+# Bug ID to CVE Mapping in Changelog Parsing
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Regex-based extraction of changelog bug references (Debian `Closes: #123456`, `RHBZ#123456`, Launchpad `LP: #123456`) with deterministic bug-to-CVE correlation for backport evidence metadata.
+
+## Implementation Details
+- **Shared extraction helper**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/Helpers/ChangelogBugReferenceExtractor.cs` - Extracts bug references and bug-to-CVE mappings from changelog text.
+- **RPM wiring**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/RpmPackageAnalyzer.cs` - Applies extractor to RPM changelog entries and emits `vendor.changelogBugRefs` / `vendor.changelogBugToCves`.
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeaderParser.cs` - Supplies `ChangeLogText` entries from RPM metadata.
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeader.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmTags.cs`
+- **DPKG wiring**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Dpkg/DpkgPackageAnalyzer.cs` - Reads package changelog files (including `.gz`), extracts bug mappings, and merges CVE hints.
+- **Behavioral coverage**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/Helpers/ChangelogBugReferenceExtractorTests.cs`
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/Dpkg/DpkgChangelogBugCorrelationTests.cs`
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/OsAnalyzerDeterminismTests.cs`
+
+## E2E Test Plan
+- [x] Verify Debian `Closes: #NNNNNN` references are extracted and preserved in metadata.
+- [x] Verify RPM changelog `RHBZ#NNNNNN` references are extracted.
+- [x] Verify Launchpad `LP: #NNNNNN` references are extracted.
+- [x] Verify bug references are cross-referenced with CVE IDs from the same changelog entry.
+- [x] Verify deterministic metadata and golden snapshot behavior through OS analyzer test runs.
+
+## Verification
+- Run: `run-001`
+- Date (UTC): 2026-02-12
+- Artifacts: `docs/qa/feature-checks/runs/scanner/bug-id-to-cve-mapping-in-changelog-parsing/run-001/`
--- a/docs/features/unchecked/scanner/byos-ingestion-workflow.md
+++ b/docs/features/unchecked/scanner/byos-ingestion-workflow.md
@@ -4,7 +4,7 @@
 Scanner

 ## Status
-IMPLEMENTED
+VERIFIED

 ## Description
 Allows users to upload externally-generated SBOMs (CycloneDX 1.4-1.6, SPDX 2.3/3.0) via REST API. Includes automatic format detection, schema validation, component normalization, quality scoring (PURL/version/license coverage weighted 40/30/30), SHA-256 digest computation, and automatic scan/analysis triggering. Supports both inline JSON and base64-encoded payloads with CI context metadata.
@@ -32,3 +32,7 @@ Allows users to upload externally-generated SBOMs (CycloneDX 1.4-1.6, SPDX 2.3/3
 - [ ] Verify SHA-256 digest is computed and returned in the response
 - [ ] Verify automatic scan/analysis is triggered after successful ingestion
 - [ ] Query the uploaded SBOM status via `GET /api/v1/sbom/uploads/{id}` and verify metadata
+
+## Verification
+- Verified in `run-001` on 2026-02-12 with Tier 0/1/2 evidence in `docs/qa/feature-checks/runs/scanner/byos-ingestion-workflow/run-001/`.
+- Tier 2 API checks validated CycloneDX inline upload, SPDX base64 upload, upload record retrieval, and unknown-format rejection paths.
--- a/docs/features/unchecked/web/web-gateway-graph-platform-client.md
+++ b/docs/features/unchecked/web/web-gateway-graph-platform-client.md
--- a/docs/features/unchecked/web/web-gateway-observability-surfaces.md
+++ b/docs/features/unchecked/web/web-gateway-observability-surfaces.md
--- a/docs/features/unchecked/web/web-gateway-openapi-discovery-with-deprecation-and-idempotency.md
+++ b/docs/features/unchecked/web/web-gateway-openapi-discovery-with-deprecation-and-idempotency.md
--- a/docs/features/unchecked/web/web-gateway-signals-and-reachability-proxy.md
+++ b/docs/features/unchecked/web/web-gateway-signals-and-reachability-proxy.md
--- a/docs/features/unchecked/web/web-gateway-vex-consensus-proxy.md
+++ b/docs/features/unchecked/web/web-gateway-vex-consensus-proxy.md
--- a/docs/features/unchecked/web/why-safe-evidence-explanation-panel.md
+++ b/docs/features/unchecked/web/why-safe-evidence-explanation-panel.md
--- a/docs/features/unchecked/web/witness-drawer.md
+++ b/docs/features/unchecked/web/witness-drawer.md
--- a/docs/features/unchecked/web/witness-viewer-ui.md
+++ b/docs/features/unchecked/web/witness-viewer-ui.md
--- a/docs/features/unchecked/web/workflow-visualization-with-time-travel-controls.md
+++ b/docs/features/unchecked/web/workflow-visualization-with-time-travel-controls.md
--- a/docs/features/unchecked/scanner/binary-intelligence-engine.md
+++ b/docs/features/unchecked/scanner/binary-intelligence-engine.md
@@ -1,35 +0,0 @@
-# Binary Intelligence Engine (Function-Level Code Fingerprinting)
-
-## Module
-Scanner
-
-## Status
-IMPLEMENTED
-
-## Description
-Function-level binary code fingerprinting with symbol recovery for stripped binaries, vulnerable function matching against a fingerprint corpus, and source-to-binary correlation. Extends existing binary fingerprint capabilities with intelligence-grade analysis for entrypoint-scoped binary reachability.
-
-## Implementation Details
- **Core Analyzer**:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/BinaryIntelligenceAnalyzer.cs` - Main analyzer for function-level binary code fingerprinting
- **Symbol Recovery**:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/ISymbolRecovery.cs` - Interface for recovering symbols from stripped binaries
- **Fingerprint Index**:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/IFingerprintIndex.cs` - Interface for fingerprint corpus lookup
- **Vulnerable Function Matching**:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/VulnerableFunctionMatcher.cs` - Matches binary functions against known vulnerable function fingerprints
- **Analysis Results**:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/BinaryAnalysisResult.cs` - Result models for binary intelligence analysis
- **Risk Scoring**:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Risk/IRiskScorer.cs` - Risk scorer integrating binary intelligence into entrypoint risk assessment
- **Worker Integration**:
-  - `src/Scanner/StellaOps.Scanner.Worker/Processing/EntryTraceExecutionService.cs` - Executes entry trace analysis including binary intelligence during scan
-  - `src/Scanner/StellaOps.Scanner.Worker/Processing/IEntryTraceExecutionService.cs` - Interface for entry trace execution
-
-## E2E Test Plan
- [ ] Scan a container image containing stripped ELF binaries and verify symbol recovery identifies function boundaries
- [ ] Verify fingerprint matching identifies known library functions in the binary via the `IFingerprintIndex`
- [ ] Scan an image with a binary containing a known vulnerable function and verify `VulnerableFunctionMatcher` flags it
- [ ] Verify binary intelligence results include source-to-binary correlation where debug info is available
- [ ] Verify binary analysis results appear in the entry trace response via `GET /api/v1/scans/{scanId}/entry-trace`
- [ ] Verify binary-level reachability findings contribute to the overall risk score
--- a/docs/features/unchecked/scanner/binary-sbom-and-build-id-to-purl-mapping.md
+++ b/docs/features/unchecked/scanner/binary-sbom-and-build-id-to-purl-mapping.md
@@ -1,46 +0,0 @@
-# Binary SBOM and Build-ID to PURL Mapping
-
-## Module
-Scanner
-
-## Status
-IMPLEMENTED
-
-## Description
-Binary call graph extraction, patch verification with signature stores and evidence models, and binary index service extensions for the scanner worker.
-
-## Implementation Details
- **Binary Call Graph Extraction**:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/BinaryCallGraphExtractor.cs` - Extracts call graphs from native binaries
-  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/DependencyInjection/CallGraphServiceCollectionExtensions.cs` - DI registration
- **Patch Verification**:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/IPatchVerificationOrchestrator.cs` - Orchestrator interface
-  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/PatchVerificationOrchestrator.cs` - Orchestrates patch verification workflow
-  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Services/IPatchSignatureStore.cs` - Interface for patch signature storage
-  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Services/InMemoryPatchSignatureStore.cs` - In-memory signature store implementation
-  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Services/EvidenceIdGenerator.cs` - Generates evidence IDs for patch verification results
- **Patch Verification Models**:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationResult.cs` - Result model
-  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationEvidence.cs` - Evidence model
-  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationContext.cs` - Context model
-  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationStatus.cs` - Status enum
-  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationOptions.cs` - Options
-  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/DsseEnvelopeRef.cs` - DSSE envelope reference
- **Worker Integration**:
-  - `src/Scanner/StellaOps.Scanner.Worker/Extensions/BinaryIndexServiceExtensions.cs` - `BinaryIndexServiceExtensions` registering `IBinaryVulnerabilityService`, `IBinaryFeatureExtractor`
-  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryLookupStageExecutor.cs` - Binary lookup stage during scan
-  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryVulnerabilityAnalyzer.cs` - Binary vulnerability analysis
-  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryFindingMapper.cs` - Maps binary findings to unified finding model
- **Build-ID Index**:
-  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/OfflineBuildIdIndex.cs` - Offline build-ID to PURL index
-  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/IBuildIdIndex.cs` - Interface for build-ID index
-  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/BuildIdIndexEntry.cs` - Index entry model
-  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/BuildIdLookupResult.cs` - Lookup result model
-
-## E2E Test Plan
- [ ] Scan a container image with native binaries containing ELF build-IDs and verify build-ID to PURL mapping resolves correctly
- [ ] Verify binary call graph extraction produces a valid call graph for native binaries via `BinaryCallGraphExtractor`
- [ ] Trigger patch verification on a scanned binary and verify `PatchVerificationOrchestrator` produces evidence with status and signature references
- [ ] Verify binary vulnerability findings are mapped to the unified finding model and appear in scan results
- [ ] Verify the offline build-ID index (`OfflineBuildIdIndex`) can resolve build-IDs without network access
- [ ] Export scan results as SBOM and verify binary components include PURL identifiers derived from build-ID mapping
--- a/docs/features/unchecked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md
+++ b/docs/features/unchecked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md
@@ -1,30 +0,0 @@
-# Bug ID to CVE Mapping in Changelog Parsing
-
-## Module
-Scanner
-
-## Status
-IMPLEMENTED
-
-## Description
-Regex-based extraction of bug tracker references (Debian "Closes: #123456", RHBZ#123456, Launchpad "LP: #123456") from changelogs, with cross-reference to CVE IDs for Tier 2 backport evidence.
-
-## Implementation Details
- **Changelog Parsing (OS Analyzers)**:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/RpmPackageAnalyzer.cs` - RPM package analyzer with changelog parsing
-  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeaderParser.cs` - Parses RPM headers including changelog entries
-  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeader.cs` - RPM header model with changelog tags
-  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmTags.cs` - RPM tag definitions including changelog-related tags
- **Pedigree & Commit Mapping**:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/FeedserPedigreeDataProvider.cs` - Provides pedigree data including changelog-derived CVE references
-  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/CommitInfoBuilder.cs` - Builds commit info with bug tracker cross-references
- **Material Changes Integration**:
-  - `src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/CardGenerators.cs` - Generates material change cards including changelog-derived bug-to-CVE mappings
-
-## E2E Test Plan
- [ ] Scan a container image with Debian packages containing changelogs with "Closes: #NNNNNN" references and verify bug IDs are extracted
- [ ] Scan an image with RPM packages containing changelogs with RHBZ# references and verify extraction
- [ ] Verify extracted bug IDs are cross-referenced to CVE IDs and appear as Tier 2 backport evidence
- [ ] Verify the pedigree data includes changelog-derived CVE mappings in the scan report
- [ ] Verify material change cards reference changelog bug-to-CVE correlations
- [ ] Verify Launchpad "LP: #NNNNNN" references are extracted from Ubuntu package changelogs
--- a/docs/features/unimplemented/scanner/build-provenance-verification-module-with-slsa-level-evaluator.md
+++ b/docs/features/unimplemented/scanner/build-provenance-verification-module-with-slsa-level-evaluator.md
@@ -4,7 +4,7 @@
 Scanner

 ## Status
-IMPLEMENTED
+PARTIALLY_IMPLEMENTED

 ## Description
 Scanner stage that evaluates SLSA provenance levels (L0-L4) for artifacts, verifies builder identity against trusted builder lists, checks reproducibility claims, and builds provenance chains. Integrates as a dedicated pipeline stage in the scanner worker.
@@ -41,3 +41,9 @@ Scanner stage that evaluates SLSA provenance levels (L0-L4) for artifacts, verif
 - [ ] Verify `BuildProvenanceChainBuilder` links build steps into a verifiable chain
 - [ ] Verify build provenance findings appear in scan report with SLSA level, builder identity, and chain details
 - [ ] Scan an artifact with no provenance and verify it is assigned SLSA L0
+
+## Verification Findings
+- `run-001` Tier 0 confirmed all declared files and key symbols exist.
+- Tier 1 builds and focused tests passed (`18/18`), but code review failed semantic parity for the no-provenance runtime path.
+- `BuildProvenanceStageExecutor` currently returns early when SBOM has no `buildInfo` and no `formulation`, so the worker pipeline does not emit a `BuildProvenanceReport` for the claimed SLSA L0 assignment path.
+- Tier 2 targeted behavioral checks passed at library level, but runtime worker-stage contract parity failed for no-provenance handling and stage-level behavioral coverage.
--- a/docs/features/unimplemented/scanner/bun-call-graph-extractor.md
+++ b/docs/features/unimplemented/scanner/bun-call-graph-extractor.md
@@ -4,7 +4,7 @@
 Scanner

 ## Status
-IMPLEMENTED
+PARTIALLY_IMPLEMENTED

 ## Description
 Static call graph extraction for Bun runtime JavaScript/TypeScript codebases, extending the multi-language extractor framework with Bun-specific entrypoint detection and sink matching.
@@ -26,3 +26,10 @@ Static call graph extraction for Bun runtime JavaScript/TypeScript codebases, ex
 - [ ] Verify the extracted call graph links entrypoints to sinks through the application code
 - [ ] Verify call graph data is available in reachability analysis via `GET /api/v1/scans/{scanId}/reachability`
 - [ ] Verify TypeScript and JavaScript files are both analyzed correctly in mixed Bun projects
+
+## Verification Findings
+- `run-001` Tier 0 confirmed Bun extractor source files and key classes exist.
+- Tier 1 build/tests passed (CallGraph tests `173/173`), including new focused Bun extractor positive/negative behavior tests.
+- Code review and Tier 2 semantic checks failed (`missing_code`):
+  - Bun extractor is not registered in `AddCallGraphServices`, so runtime registry selection does not expose language `bun`.
+  - Source-mode extraction currently emits Bun entrypoint/sink nodes but no call edges linking entrypoints to sinks; edge construction exists only in trace-file mode.
--- a/docs/features/unimplemented/scanner/bun-language-analyzer.md
+++ b/docs/features/unimplemented/scanner/bun-language-analyzer.md
@@ -4,7 +4,7 @@
 Scanner

 ## Status
-IMPLEMENTED
+PARTIALLY_IMPLEMENTED

 ## Description
 Full language analyzer for the Bun JavaScript runtime including bun.lockb binary lockfile parser, installed package collector, workspace/monorepo support, scope classification (dev/prod/peer), symlink safety checks, CLI verbs, and WebService endpoints for Worker integration.
@@ -50,3 +50,9 @@ Full language analyzer for the Bun JavaScript runtime including bun.lockb binary
 - [ ] Verify the scan results include PURL identifiers for all Bun packages
 - [ ] Verify symlink safety checks flag potentially unsafe symlinks in node_modules
 - [ ] Verify Bun scan results are available via the WebService API contracts
+
+## Verification Findings
+- `run-001` Tier 0 confirmed listed Bun analyzer, worker, storage, and WebService contract files are present.
+- Tier 1 builds succeeded for analyzer/worker/storage/webservice/Bun test projects, but Bun deterministic suite failed (`98/115` passed) with 17 golden hash mismatches.
+- Code review found feature-contract mismatch: runtime classifies `bun.lockb` as unsupported remediation-only input instead of parsing binary lockfile package inventory.
+- Tier 2 targeted behavioral checks captured both paths: remediation on `bun.lockb` passes, while standard deterministic Bun analysis remains failing; feature terminalized as `not_implemented`.
--- a/docs/features/unimplemented/scanner/canonical-node-hash-and-path-hash-recipes-for-reachability.md
+++ b/docs/features/unimplemented/scanner/canonical-node-hash-and-path-hash-recipes-for-reachability.md
@@ -0,0 +1,43 @@
+# Canonical Node-Hash and Path-Hash Recipes for Reachability
+
+## Module
+Scanner
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+Canonical node-hash (PURL/symbol normalization + SHA-256) and path-hash (top-K selection + PathFingerprint) recipes for deterministic static/runtime evidence joins. Extended PathWitness, RichGraph, SARIF export with hash fields.
+
+## Implementation Details
+- **Path Witness with Hash Fields**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs` - `PathWitness` model with node-hash and path-hash fields
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitnessBuilder.cs` - `PathWitnessBuilder` computes canonical hashes during witness construction
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IPathWitnessBuilder.cs` - Interface
+- **Rich Graph Integration**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraph.cs` - RichGraph model extended with hash fields on nodes
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Ordering/DeterministicGraphOrderer.cs` - Deterministic ordering for canonical hash computation
+- **Witness Matching & Verification**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessMatcher.cs` - Matches witnesses using canonical hashes for deterministic joins
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessSchema.cs` - Schema validation for witness hash fields
+- **Slice Integration**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceExtractor.cs` - Slice extraction with path-hash for top-K selection
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceModels.cs` - Slice models with hash fields
+- **Subgraph Extraction**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Subgraph/ReachabilitySubgraphModels.cs` - Subgraph models with hash fields
+
+## E2E Test Plan
+- [ ] Scan an image and verify PathWitness results include canonical node-hash fields (SHA-256 of normalized PURL/symbol)
+- [ ] Verify path-hash is computed using top-K selection and PathFingerprint algorithm
+- [ ] Run the same scan twice and verify node-hash and path-hash values are deterministically identical
+- [ ] Verify RichGraph response includes hash fields on nodes via `GET /api/v1/scans/{scanId}/reachability`
+- [ ] Verify static/runtime evidence join works correctly using canonical hashes as join keys
+- [ ] Verify SARIF export includes hash fields in reachability-related results
+
+## Verification Findings
+- `run-001` Tier 0 confirmed all listed reachability files/classes exist.
+- Tier 1 build/tests passed for reachability library and focused tests (`24/24`), including node-hash/path-hash emission and deterministic replay checks.
+- Code review and Tier 2 semantic checks failed (`missing_code`):
+  - `PathWitnessBuilder` advertises top-K node hashes, but `PathHash` is computed from all node hashes and does not use a PathFingerprint recipe.
+  - `RichGraph` defines `NodeHash` on nodes, but `RichGraphBuilder` does not populate it during node construction.
+  - `Slices/SliceExtractor` and `Slices/SliceModels` currently contain no path-hash/node-hash fields for documented slice integration claims.