save checkpoint

2026-02-12 21:02:43 +02:00
parent 5bca406787
commit 9911b7d73c
593 changed files with 174390 additions and 1376 deletions
--- a/docs/features/checked/binaryindex/vulnerable-code-fingerprint-matching.md
+++ b/docs/features/checked/binaryindex/vulnerable-code-fingerprint-matching.md
@@ -0,0 +1,37 @@
+# Vulnerable Code Fingerprint Matching (CFG + Basic Block + String Refs Ensemble)
+
+## Module
+BinaryIndex
+
+## Status
+VERIFIED
+## Description
+Function-level vulnerability detection independent of package metadata using an ensemble of fingerprint algorithms: basic block hashing, control flow graph fingerprinting, and string reference fingerprinting. Combined generator provides multi-algorithm similarity matching with configurable thresholds. Includes pre-seeded fingerprints for high-impact CVEs in OpenSSL, glibc, zlib, and curl.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/`
+- **Key Classes**:
+  - `SignatureMatcher` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/SignatureMatcher.cs`) - matches vulnerability signatures using fingerprint index
+  - `EnsembleDecisionEngine` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/EnsembleDecisionEngine.cs`) - combines CFG, basic block, string ref, and ML embedding fingerprints with configurable weights
+  - `FunctionAnalysisBuilder` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/FunctionAnalysisBuilder.cs`) - assembles multi-algorithm fingerprint inputs
+  - `SemanticFingerprintGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/SemanticFingerprintGenerator.cs`) - KSG-based semantic fingerprinting
+  - `CallNgramGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/CallNgramGenerator.cs`) - call-sequence fingerprinting
+  - `BinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Services/BinaryVulnerabilityService.cs`) - vulnerability lookup with pre-seeded fingerprints
+- **Models**: `SignatureIndexModels` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/Models/`) - fingerprint index models
+- **Source**: SPRINT_20251226_013_BINIDX_fingerprint_factory.md
+
+## E2E Test Plan
+- [x] Match a known vulnerable function (e.g., OpenSSL Heartbleed) against pre-seeded fingerprints and verify detection
+- [x] Verify multi-algorithm ensemble: CFG fingerprint + basic block hash + string refs all contribute to match score
+- [x] Verify configurable threshold: adjust threshold to 0.8 and verify borderline matches are excluded
+- [x] Verify pre-seeded fingerprints exist for high-impact CVEs (OpenSSL, glibc, zlib, curl)
+- [x] Verify false positive rate: submit clean binary functions and verify no false matches
+- [x] Verify `EnsembleDecisionEngine` weight tuning affects match outcomes
+
+## Verification
+- Verified on 2026-02-12 via run `run-002`.
+- Tier 0 source/symbol checks: pass.
+- Tier 1 build/tests/code-review: pass (`420/420` tests).
+- Tier 2 behavioral verification: pass (golden signature behavior, threshold behavior, and pre-seeded package coverage including openssl/glibc/zlib/curl).
+- Run evidence: `docs/qa/feature-checks/runs/binaryindex/vulnerable-code-fingerprint-matching/run-002/`.
+
--- a/docs/features/checked/gateway/configurable-route-table-configuration-model.md
+++ b/docs/features/checked/gateway/configurable-route-table-configuration-model.md
@@ -0,0 +1,38 @@
+# Configurable Route Table - Configuration Model and Validation
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway supports a configurable route table via `GatewayOptions.Routes` (`List<StellaOpsRoute>`). Each route is defined by a `StellaOpsRouteType` enum (Microservice, ReverseProxy, StaticFiles, StaticFile, WebSocket, NotFoundPage, ServerErrorPage), a `Path`, an optional `IsRegex` flag, a `TranslatesTo` target, and optional `Headers` dictionary. The `GatewayOptionsValidator` validates all routes with type-specific rules: ReverseProxy requires valid HTTP(S) URL, WebSocket requires ws:///wss:// URL, StaticFiles/StaticFile/NotFoundPage/ServerErrorPage require non-empty file/directory paths, all routes require non-empty Path, and regex paths must be valid regex patterns.
+
+## Implementation Details
+- **Modules**: `src/Router/__Libraries/StellaOps.Router.Gateway/`, `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRoute` (`src/Router/__Libraries/StellaOps.Router.Gateway/Configuration/StellaOpsRoute.cs`) - Route model class with `StellaOpsRouteType` enum (7 values)
+  - `GatewayOptions` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptions.cs`) - `Routes` property (`List<StellaOpsRoute>`)
+  - `GatewayOptionsValidator` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptionsValidator.cs`) - Type-specific validation rules for all 7 route types
+- **Tests**:
+  - `GatewayOptionsValidatorTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Configuration/GatewayOptionsValidatorTests.cs`) - 11 route validation tests
+  - `StellaOpsRouteResolverTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Routing/StellaOpsRouteResolverTests.cs`) - 9 resolver unit tests
+
+## E2E Test Plan
+- [ ] Validate that a ReverseProxy route with invalid URL fails validation
+- [ ] Validate that a WebSocket route with non-ws:// URL fails validation
+- [ ] Validate that a StaticFiles route with empty TranslatesTo fails validation
+- [ ] Validate that a route with empty Path fails validation
+- [ ] Validate that a route with IsRegex=true and invalid regex fails validation
+- [ ] Validate that a properly configured route table with all 7 types passes validation
+- [ ] Gateway starts successfully with a valid route table configuration
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-configuration-model/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/gateway/configurable-route-table-error-page-fallback.md
+++ b/docs/features/checked/gateway/configurable-route-table-error-page-fallback.md
@@ -0,0 +1,36 @@
+# Configurable Route Table - Error Page Fallback (404/500)
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway supports `NotFoundPage` and `ServerErrorPage` route types that serve custom HTML error pages for 404 and 500+ responses respectively. Configured via `StellaOpsRoute` with `Type = NotFoundPage` or `Type = ServerErrorPage`, `TranslatesTo` = path to an HTML file on disk. When any route in the pipeline produces a 404 or 500+ response with an empty body, the `ErrorPageFallbackMiddleware` intercepts and serves the configured HTML page. Includes a fast-path optimization that skips response body buffering entirely when no error pages are configured. Falls back to a JSON error response when the configured error page file is missing.
+
+## Implementation Details
+- **Modules**: `src/Router/__Libraries/StellaOps.Router.Gateway/`, `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRoute` (`src/Router/__Libraries/StellaOps.Router.Gateway/Configuration/StellaOpsRoute.cs`) - Route model with `StellaOpsRouteType.NotFoundPage` and `StellaOpsRouteType.ServerErrorPage`
+  - `ErrorPageFallbackMiddleware` (`src/Router/StellaOps.Gateway.WebService/Middleware/ErrorPageFallbackMiddleware.cs`) - Intercepts 404/500 responses, serves configured HTML pages, fast-path for no-error-page config
+  - `GatewayOptionsValidator` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptionsValidator.cs`) - Validates error page routes have non-empty TranslatesTo file paths
+  - `Program.cs` (`src/Router/StellaOps.Gateway.WebService/Program.cs`) - Registers error routes in DI and `ErrorPageFallbackMiddleware` at end of pipeline
+- **Tests**:
+  - `RouteTableIntegrationTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Integration/RouteTableIntegrationTests.cs`) - Error page behavior verified through route resolution tests (unmatched paths return 404)
+
+## E2E Test Plan
+- [ ] Unmatched route returns 404 with custom HTML page: `GET /unmatched/path` returns 404 with `Content-Type: text/html` and custom page content
+- [ ] 404 response status code is preserved: response status is 404 (not 200)
+- [ ] 500 error page: trigger a 500 response and verify custom HTML page is served with `Content-Type: text/html`
+- [ ] Fast-path: when no error pages configured, responses pass through without buffering overhead
+- [ ] JSON fallback: when error page file is missing on disk, returns JSON error `{"error":"not_found","status":404}`
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-error-page-fallback/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/gateway/configurable-route-table-reverse-proxy.md
+++ b/docs/features/checked/gateway/configurable-route-table-reverse-proxy.md
@@ -0,0 +1,39 @@
+# Configurable Route Table - Reverse Proxy
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway supports a `ReverseProxy` route type that forwards HTTP requests to an upstream service. Configured via `StellaOpsRoute` with `Type = ReverseProxy`, `Path` = URL prefix, `TranslatesTo` = upstream base URL. Features: prefix stripping (for non-regex routes), header forwarding (excluding hop-by-hop), upstream status code passthrough, custom header injection via `Headers` dictionary, regex-based path matching (`IsRegex = true`), timeout handling (returns 504), and connection error handling (returns 502).
+
+## Implementation Details
+- **Modules**: `src/Router/__Libraries/StellaOps.Router.Gateway/`, `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRoute` (`src/Router/__Libraries/StellaOps.Router.Gateway/Configuration/StellaOpsRoute.cs`) - Route model with `StellaOpsRouteType.ReverseProxy`
+  - `StellaOpsRouteResolver` (`src/Router/StellaOps.Gateway.WebService/Routing/StellaOpsRouteResolver.cs`) - Supports both prefix and regex matching for proxy routes
+  - `RouteDispatchMiddleware` (`src/Router/StellaOps.Gateway.WebService/Middleware/RouteDispatchMiddleware.cs`) - `HandleReverseProxy` method using `IHttpClientFactory`, strips prefix, forwards headers, streams response
+  - `GatewayOptionsValidator` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptionsValidator.cs`) - Validates ReverseProxy route has valid HTTP(S) URL in TranslatesTo
+- **Tests**:
+  - `RouteTableIntegrationTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Integration/RouteTableIntegrationTests.cs`) - 7 ReverseProxy integration tests
+  - `GatewayOptionsValidatorTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Configuration/GatewayOptionsValidatorTests.cs`) - ReverseProxy URL validation tests
+
+## E2E Test Plan
+- [ ] Forward request to upstream: `GET /proxy/echo` returns proxied response from upstream with 200
+- [ ] Strip path prefix: `GET /proxy/sub/path` forwards as `/sub/path` to upstream
+- [ ] Forward request headers: custom headers (e.g., `X-Test-Header`) are forwarded to upstream
+- [ ] Pass through upstream status codes: 201, 400, 500 are returned as-is
+- [ ] Inject configured headers: route with `Headers["X-Custom-Route"] = "injected-value"` injects that header into upstream request
+- [ ] Regex path matching: route with `IsRegex = true` and pattern `^/api/v[0-9]+/.*` matches `GET /api/v2/data`
+- [ ] Timeout handling: upstream timeout returns 504 Gateway Timeout
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-reverse-proxy/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/gateway/configurable-route-table-route-resolver.md
+++ b/docs/features/checked/gateway/configurable-route-table-route-resolver.md
@@ -0,0 +1,37 @@
+# Configurable Route Table - Route Resolution Engine
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway includes a `StellaOpsRouteResolver` that maps incoming HTTP request paths to configured `StellaOpsRoute` entries. Uses first-match-wins ordering. Supports both prefix matching (case-insensitive `PathString.StartsWith`) and compiled regex matching (`IsRegex = true`). Excludes `NotFoundPage` and `ServerErrorPage` routes from path resolution (these are handled separately by `ErrorPageFallbackMiddleware`). Returns `null` for no match, allowing fallthrough to the existing Microservice pipeline.
+
+## Implementation Details
+- **Modules**: `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRouteResolver` (`src/Router/StellaOps.Gateway.WebService/Routing/StellaOpsRouteResolver.cs`) - First-match-wins resolver with prefix and regex support
+  - `RouteDispatchMiddleware` (`src/Router/StellaOps.Gateway.WebService/Middleware/RouteDispatchMiddleware.cs`) - Calls resolver, dispatches to handler based on route type
+  - `Program.cs` (`src/Router/StellaOps.Gateway.WebService/Program.cs`) - Registers `StellaOpsRouteResolver` as singleton in DI
+- **Tests**:
+  - `StellaOpsRouteResolverTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Routing/StellaOpsRouteResolverTests.cs`) - 9 unit tests (exact match, prefix, regex, no match, first-match-wins, excluded error types, case-insensitive, empty)
+  - `RouteTableIntegrationTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Integration/RouteTableIntegrationTests.cs`) - 2 route resolution integration tests
+
+## E2E Test Plan
+- [ ] Exact path match: `GET /favicon.ico` resolves to StaticFile route (returns file content)
+- [ ] Prefix match: `GET /app/index.html` resolves to StaticFiles route (serves directory file)
+- [ ] Regex match: `GET /api/v2/data` resolves to ReverseProxy route with pattern `^/api/v[0-9]+/.*`
+- [ ] No match fallthrough: `GET /unmatched/path` returns 404 (falls through to Microservice pipeline)
+- [ ] First-match-wins: when multiple routes could match, first configured route takes precedence
+- [ ] Case-insensitive: `GET /APP/index.html` resolves to `/app` StaticFiles route
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-route-resolver/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/gateway/configurable-route-table-static-file-serving.md
+++ b/docs/features/checked/gateway/configurable-route-table-static-file-serving.md
@@ -0,0 +1,35 @@
+# Configurable Route Table - Static File Serving
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway supports a `StaticFile` route type that serves a single specific file at an exact path. Configured via `StellaOpsRoute` with `Type = StaticFile`, `Path` = exact URL path (e.g., `/favicon.ico`), `TranslatesTo` = physical file path. Sub-paths are rejected (e.g., `/favicon.ico/extra` returns 404). The file is served with the correct MIME type inferred from the file extension.
+
+## Implementation Details
+- **Modules**: `src/Router/__Libraries/StellaOps.Router.Gateway/`, `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRoute` (`src/Router/__Libraries/StellaOps.Router.Gateway/Configuration/StellaOpsRoute.cs`) - Route model with `StellaOpsRouteType.StaticFile`
+  - `StellaOpsRouteResolver` (`src/Router/StellaOps.Gateway.WebService/Routing/StellaOpsRouteResolver.cs`) - Resolves exact path match for StaticFile routes
+  - `RouteDispatchMiddleware` (`src/Router/StellaOps.Gateway.WebService/Middleware/RouteDispatchMiddleware.cs`) - `HandleStaticFile` method serves exact file with MIME detection
+  - `GatewayOptionsValidator` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptionsValidator.cs`) - Validates StaticFile route has non-empty TranslatesTo file path
+- **Tests**:
+  - `RouteTableIntegrationTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Integration/RouteTableIntegrationTests.cs`) - 3 StaticFile integration tests
+  - `GatewayOptionsValidatorTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Configuration/GatewayOptionsValidatorTests.cs`) - StaticFile validation tests
+
+## E2E Test Plan
+- [ ] Serve a single file: `GET /favicon.ico` returns file content with 200
+- [ ] Reject sub-paths: `GET /favicon.ico/extra` returns 404
+- [ ] Correct Content-Type: `GET /favicon.ico` returns `Content-Type: image/x-icon`
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-static-file-serving/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/gateway/configurable-route-table-static-files-serving.md
+++ b/docs/features/checked/gateway/configurable-route-table-static-files-serving.md
@@ -0,0 +1,38 @@
+# Configurable Route Table - Static Files Serving
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway supports a `StaticFiles` route type that serves directory contents mapped to a URL prefix. Configured via `StellaOpsRoute` with `Type = StaticFiles`, `Path` = URL prefix, `TranslatesTo` = physical directory path. Supports SPA fallback (serving `index.html` for extensionless paths) when the route's `Headers["x-spa-fallback"]` is set to `"true"`. Files are served with correct MIME types via `FileExtensionContentTypeProvider`. Multiple StaticFiles routes can coexist with isolated path scopes.
+
+## Implementation Details
+- **Modules**: `src/Router/__Libraries/StellaOps.Router.Gateway/`, `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRoute` (`src/Router/__Libraries/StellaOps.Router.Gateway/Configuration/StellaOpsRoute.cs`) - Route model with `StellaOpsRouteType.StaticFiles`
+  - `StellaOpsRouteResolver` (`src/Router/StellaOps.Gateway.WebService/Routing/StellaOpsRouteResolver.cs`) - First-match-wins route resolution engine
+  - `RouteDispatchMiddleware` (`src/Router/StellaOps.Gateway.WebService/Middleware/RouteDispatchMiddleware.cs`) - `HandleStaticFiles` method uses `PhysicalFileProvider` and `FileExtensionContentTypeProvider`
+  - `GatewayOptionsValidator` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptionsValidator.cs`) - Validates StaticFiles route has non-empty TranslatesTo directory path
+- **Tests**:
+  - `RouteTableIntegrationTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Integration/RouteTableIntegrationTests.cs`) - 8 StaticFiles integration tests
+  - `GatewayOptionsValidatorTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Configuration/GatewayOptionsValidatorTests.cs`) - StaticFiles validation tests
+
+## E2E Test Plan
+- [ ] Serve a file from a mapped directory: `GET /app/index.html` returns HTML content with 200 and `Content-Type: text/html`
+- [ ] Serve a nested file: `GET /app/assets/style.css` returns CSS content with 200 and `Content-Type: text/css`
+- [ ] Return 404 for missing file: `GET /app/missing.txt` returns 404
+- [ ] Verify MIME types: `.html` -> `text/html`, `.css` -> `text/css`, `.js` -> `application/javascript`, `.json` -> `application/json`
+- [ ] SPA fallback: `GET /app/some/route` (extensionless) returns `index.html` when `x-spa-fallback=true`
+- [ ] Multiple mappings isolation: `/app/` and `/docs/` serve from different directories without interference
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-static-files-serving/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/gateway/configurable-route-table-websocket-proxy.md
+++ b/docs/features/checked/gateway/configurable-route-table-websocket-proxy.md
@@ -0,0 +1,37 @@
+# Configurable Route Table - WebSocket Proxy
+
+## Module
+Gateway
+
+## Status
+VERIFIED
+
+## Description
+The Gateway supports a `WebSocket` route type that accepts WebSocket upgrade requests and proxies them bidirectionally to an upstream WebSocket server. Configured via `StellaOpsRoute` with `Type = WebSocket`, `Path` = URL prefix, `TranslatesTo` = upstream WebSocket URL (ws:// or wss://). The middleware accepts the client WebSocket, opens a `ClientWebSocket` connection to the upstream, and pumps messages in both directions. Supports text messages, binary messages, and close frame propagation.
+
+## Implementation Details
+- **Modules**: `src/Router/__Libraries/StellaOps.Router.Gateway/`, `src/Router/StellaOps.Gateway.WebService/`
+- **Key Classes**:
+  - `StellaOpsRoute` (`src/Router/__Libraries/StellaOps.Router.Gateway/Configuration/StellaOpsRoute.cs`) - Route model with `StellaOpsRouteType.WebSocket`
+  - `StellaOpsRouteResolver` (`src/Router/StellaOps.Gateway.WebService/Routing/StellaOpsRouteResolver.cs`) - Resolves WebSocket routes by path prefix
+  - `RouteDispatchMiddleware` (`src/Router/StellaOps.Gateway.WebService/Middleware/RouteDispatchMiddleware.cs`) - `HandleWebSocket` method: accepts client WS, connects upstream `ClientWebSocket`, bidirectional pump loop
+  - `GatewayOptionsValidator` (`src/Router/StellaOps.Gateway.WebService/Configuration/GatewayOptionsValidator.cs`) - Validates WebSocket route has valid ws:// or wss:// URL in TranslatesTo
+  - `Program.cs` (`src/Router/StellaOps.Gateway.WebService/Program.cs`) - Registers `app.UseWebSockets()` in the pipeline
+- **Tests**:
+  - `RouteTableIntegrationTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Integration/RouteTableIntegrationTests.cs`) - 4 WebSocket integration tests
+  - `GatewayOptionsValidatorTests` (`src/Router/__Tests/StellaOps.Gateway.WebService.Tests/Configuration/GatewayOptionsValidatorTests.cs`) - WebSocket URL validation tests
+
+## E2E Test Plan
+- [ ] WebSocket upgrade succeeds: connect to `ws://host/ws/echo` and verify state is Open
+- [ ] Text message round-trip: send "Hello WebSocket" text message, receive same text echo back
+- [ ] Binary message round-trip: send binary payload `[0x01, 0x02, 0x03, 0xFF]`, receive identical binary echo
+- [ ] Close handshake: send close frame with NormalClosure, verify connection state becomes Closed
+
+## Verification
+- **Run ID**: run-001
+- **Date**: 2026-02-12
+- **Method**: Tier 0 source verification + Tier 1 build/code review (224/224 tests pass) + Tier 2a live HTTP API testing
+- **Build**: PASS (0 errors, 0 warnings)
+- **Tests**: PASS (224/224 Gateway tests pass)
+- **Tier 2a Evidence**: `docs/qa/feature-checks/runs/gateway/configurable-route-table-websocket-proxy/run-001/tier2-api-check.json`
+- **Verdict**: PASS
--- a/docs/features/checked/scanner/binary-intelligence-engine.md
+++ b/docs/features/checked/scanner/binary-intelligence-engine.md
@@ -0,0 +1,44 @@
+# Binary Intelligence Engine (Function-Level Code Fingerprinting)
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Function-level binary code fingerprinting for entry-trace native terminals, including deterministic symbol-window extraction, vulnerable marker matching, and binary intelligence payload propagation through storage and API contracts.
+
+## Implementation Details
+- **Entry-trace graph contract**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/EntryTraceTypes.cs`
+    - Added `EntryTraceGraph.BinaryIntelligence`
+    - Added `EntryTraceBinaryIntelligence`, `EntryTraceBinaryTarget`, `EntryTraceBinaryVulnerability`
+- **Serializer/storage round-trip**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Serialization/EntryTraceGraphSerializer.cs`
+    - Added binary intelligence contract mappings and round-trip conversion.
+- **Worker enrichment**:
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/EntryTraceExecutionService.cs`
+    - Integrates binary intelligence generation for native terminals during entry-trace execution.
+    - Produces deterministic function windows, binary-format inference, CVE marker extraction, and graph enrichment.
+- **API surface**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/EntryTraceResponse.cs`
+  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ScanEndpoints.cs`
+    - Entry-trace response returns `graph.binaryIntelligence` when available.
+- **Behavioral coverage**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/EntryTraceExecutionServiceTests.cs`
+  - `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ScansEndpointsTests.cs`
+  - `src/Scanner/__Tests/StellaOps.Scanner.Storage.Tests/EntryTraceResultStoreTests.cs`
+
+## E2E Test Plan
+- [x] Verify function-level binary fingerprinting behavior in EntryTrace binary test namespace.
+- [x] Verify worker entry-trace execution attaches binary intelligence for native terminal binaries.
+- [x] Verify `GET /api/v1/scans/{scanId}/entrytrace` returns graph payload including `binaryIntelligence`.
+- [x] Verify persisted `EntryTraceResult` round-trips binary intelligence through serializer/repository.
+
+## Verification
+- Run ID: `run-002`
+- Date (UTC): 2026-02-12
+- Tier 0: Source verification passed (`tier0-source-check.json`).
+- Tier 1: Build and focused test executions passed (`tier1-build-check.json`, `tier1-build-results.json`, `tier1-test-results.json`).
+- Tier 2: Integration checks passed for worker, endpoint, and storage round-trip (`tier2-e2e-check.json`).
--- a/docs/features/checked/scanner/binary-sbom-and-build-id-to-purl-mapping.md
+++ b/docs/features/checked/scanner/binary-sbom-and-build-id-to-purl-mapping.md
@@ -0,0 +1,51 @@
+# Binary SBOM and Build-ID to PURL Mapping
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Binary call graph extraction, offline Build-ID to PURL correlation, patch verification orchestration, and unified binary finding mapping are wired into Scanner worker execution with deterministic Tier 1/Tier 2 evidence.
+
+## Implementation Details
+- **Binary call graph extraction**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/BinaryCallGraphExtractor.cs`
+- **Patch verification engine + contracts**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/IPatchVerificationOrchestrator.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/PatchVerificationOrchestrator.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/DependencyInjection/ServiceCollectionExtensions.cs`
+- **Build-ID index**:
+  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/IBuildIdIndex.cs`
+  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/OfflineBuildIdIndex.cs`
+  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/BuildIdLookupResult.cs`
+- **Worker runtime wiring**:
+  - `src/Scanner/StellaOps.Scanner.Worker/Extensions/BinaryIndexServiceExtensions.cs`
+    - registers patch verification services in worker binary integration path.
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryLookupStageExecutor.cs`
+    - publishes mapped binary findings for downstream gating.
+    - executes Build-ID index batch lookup and stores mapping output.
+    - executes patch verification orchestration and stores verification result.
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryFindingMapper.cs`
+    - runtime call path now exercised from binary lookup stage.
+- **Shared analysis contracts**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Contracts/ScanAnalysisKeys.cs`
+    - added binary build-id mapping and patch-verification analysis keys.
+- **Worker validation test**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/BinaryLookupStageExecutorTests.cs`
+
+## E2E Test Plan
+- [x] Scan a container image with native binaries containing ELF build-IDs and verify Build-ID to PURL mapping runtime path executes.
+- [x] Verify binary call graph extraction behavior via `BinaryCallGraphExtractor` tests.
+- [x] Verify patch verification orchestration behavior executes with patch-data and no-patch-data paths.
+- [x] Verify binary vulnerability findings are mapped into unified finding objects for downstream stages.
+- [x] Verify offline Build-ID index resolves exact mappings without network access.
+- [x] Verify worker runtime wiring includes patch verification, build-id lookup, and finding mapping call sites.
+
+## Verification
+- Run ID: `run-002`
+- Date (UTC): 2026-02-12
+- Tier 0: Source verification passed (`tier0-source-check.json`).
+- Tier 1: Build, focused behavior tests, and code-review semantic wiring checks passed (`tier1-build-check.json`, `tier1-code-review.json`).
+- Tier 2: Integration/e2e summary passed, including runtime wiring parity checks (`tier2-integration-check.json`, `tier2-e2e-check.json`).
--- a/docs/features/checked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md
+++ b/docs/features/checked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md
@@ -0,0 +1,37 @@
+# Bug ID to CVE Mapping in Changelog Parsing
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Regex-based extraction of changelog bug references (Debian `Closes: #123456`, `RHBZ#123456`, Launchpad `LP: #123456`) with deterministic bug-to-CVE correlation for backport evidence metadata.
+
+## Implementation Details
+- **Shared extraction helper**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/Helpers/ChangelogBugReferenceExtractor.cs` - Extracts bug references and bug-to-CVE mappings from changelog text.
+- **RPM wiring**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/RpmPackageAnalyzer.cs` - Applies extractor to RPM changelog entries and emits `vendor.changelogBugRefs` / `vendor.changelogBugToCves`.
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeaderParser.cs` - Supplies `ChangeLogText` entries from RPM metadata.
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeader.cs`
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmTags.cs`
+- **DPKG wiring**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Dpkg/DpkgPackageAnalyzer.cs` - Reads package changelog files (including `.gz`), extracts bug mappings, and merges CVE hints.
+- **Behavioral coverage**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/Helpers/ChangelogBugReferenceExtractorTests.cs`
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/Dpkg/DpkgChangelogBugCorrelationTests.cs`
+  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/OsAnalyzerDeterminismTests.cs`
+
+## E2E Test Plan
+- [x] Verify Debian `Closes: #NNNNNN` references are extracted and preserved in metadata.
+- [x] Verify RPM changelog `RHBZ#NNNNNN` references are extracted.
+- [x] Verify Launchpad `LP: #NNNNNN` references are extracted.
+- [x] Verify bug references are cross-referenced with CVE IDs from the same changelog entry.
+- [x] Verify deterministic metadata and golden snapshot behavior through OS analyzer test runs.
+
+## Verification
+- Run: `run-001`
+- Date (UTC): 2026-02-12
+- Artifacts: `docs/qa/feature-checks/runs/scanner/bug-id-to-cve-mapping-in-changelog-parsing/run-001/`
--- a/docs/features/checked/scanner/byos-ingestion-workflow.md
+++ b/docs/features/checked/scanner/byos-ingestion-workflow.md
@@ -0,0 +1,38 @@
+# BYOS (Bring Your Own SBOM) Ingestion Workflow
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Allows users to upload externally-generated SBOMs (CycloneDX 1.4-1.6, SPDX 2.3/3.0) via REST API. Includes automatic format detection, schema validation, component normalization, quality scoring (PURL/version/license coverage weighted 40/30/30), SHA-256 digest computation, and automatic scan/analysis triggering. Supports both inline JSON and base64-encoded payloads with CI context metadata.
+
+## Implementation Details
+- **Upload Endpoints**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SbomUploadEndpoints.cs` - `SbomUploadEndpoints` for REST upload API
+  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SbomEndpoints.cs` - Additional SBOM query endpoints
+- **Contracts**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/SbomContracts.cs` - `SbomUploadRequestDto`, `SbomUploadResponseDto`, `SbomValidationSummaryDto`, `SbomFormats`, `SbomAncestryDto`, `SbomUploadSourceDto`, `SbomUploadCiContextDto`
+- **Ingestion Service**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/ISbomIngestionService.cs` - `ISbomIngestionService`, `SbomIngestionResult`, `SbomValidationResult`
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/SbomIngestionService.cs` - Format detection, schema validation, component normalization, quality scoring, digest computation
+- **BYOS Upload Service**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/SbomByosUploadService.cs` - `ISbomByosUploadService` / `SbomByosUploadService` for external SBOM ingestion
+- **Upload Store**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/SbomUploadStore.cs` - `ISbomUploadStore`, `InMemorySbomUploadStore`, `SbomUploadRecord`
+
+## E2E Test Plan
+- [ ] Upload a CycloneDX 1.6 JSON SBOM via `POST /api/v1/sbom/upload` with inline JSON payload and verify acceptance
+- [ ] Upload an SPDX 2.3 SBOM via base64-encoded payload with CI context metadata and verify ingestion
+- [ ] Verify automatic format detection correctly identifies CycloneDX vs SPDX format
+- [ ] Verify schema validation rejects an invalid SBOM with appropriate error details
+- [ ] Verify quality scoring returns PURL/version/license coverage percentages (40/30/30 weighted)
+- [ ] Verify SHA-256 digest is computed and returned in the response
+- [ ] Verify automatic scan/analysis is triggered after successful ingestion
+- [ ] Query the uploaded SBOM status via `GET /api/v1/sbom/uploads/{id}` and verify metadata
+
+## Verification
+- Verified in `run-001` on 2026-02-12 with Tier 0/1/2 evidence in `docs/qa/feature-checks/runs/scanner/byos-ingestion-workflow/run-001/`.
+- Tier 2 API checks validated CycloneDX inline upload, SPDX base64 upload, upload record retrieval, and unknown-format rejection paths.
--- a/docs/features/checked/web/web-gateway-graph-platform-client.md
+++ b/docs/features/checked/web/web-gateway-graph-platform-client.md
@@ -0,0 +1,37 @@
+# Web Gateway Graph Platform Client (Tiles, Search, Paths, Exports)
+
+## Module
+Web
+
+## Status
+IMPLEMENTED
+
+## Description
+Web gateway client for Graph Platform APIs with tile streaming, search, path queries, export (GraphML/NDJSON/CSV/PNG/SVG), asset snapshots, adjacency queries, and AOC overlay pass-through, all with tenant scoping and RBAC.
+
+## Implementation Details
+- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/graph/`
+- **Components**:
+  - `graph-canvas` (`src/Web/StellaOps.Web/src/app/features/graph/graph-canvas.component.ts`)
+  - `graph-explorer` (`src/Web/StellaOps.Web/src/app/features/graph/graph-explorer.component.ts`)
+  - `graph-filters` (`src/Web/StellaOps.Web/src/app/features/graph/graph-filters.component.ts`)
+  - `graph-hotkey-help` (`src/Web/StellaOps.Web/src/app/features/graph/graph-hotkey-help.component.ts`)
+  - `graph-overlays` (`src/Web/StellaOps.Web/src/app/features/graph/graph-overlays.component.ts`)
+  - `graph-side-panels` (`src/Web/StellaOps.Web/src/app/features/graph/graph-side-panels.component.ts`)
+- **Services**:
+  - `graph-accessibility` (`src/Web/StellaOps.Web/src/app/features/graph/graph-accessibility.service.ts`)
+- **Source**: SPRINT_0213_0001_0002_web_ii.md
+
+## E2E Test Plan
+- **Setup**:
+  - [ ] Log in with a user that has appropriate permissions
+  - [ ] Navigate to `/graph`
+  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+- **Core verification**:
+  - [ ] Verify the visualization renders correctly with sample data
+  - [ ] Verify interactive elements (hover tooltips, click-to-drill-down) work
+  - [ ] Verify the visualization handles empty/minimal data gracefully
+- **Edge cases**:
+  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify responsive layout at different viewport sizes
+  - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)
--- a/docs/features/checked/web/web-gateway-observability-surfaces.md
+++ b/docs/features/checked/web/web-gateway-observability-surfaces.md
@@ -0,0 +1,31 @@
+# Web Gateway Observability Surfaces (Health, SLO, Traces, Logs, Incident Mode)
+
+## Module
+Web
+
+## Status
+IMPLEMENTED
+
+## Description
+Web gateway observability client providing health aggregation, SLO burn-rate metrics with exemplar links, distributed trace inspection, structured log queries, evidence/attestation pass-through, incident mode toggle, and sealed-mode status APIs.
+
+## Implementation Details
+- **Feature directory**: `src/Web/StellaOps.Web/src/app/core/telemetry/`
+- **Services**:
+  - `telemetry-sampler` (`src/Web/StellaOps.Web/src/app/core/telemetry/telemetry-sampler.service.ts`)
+  - `ttfs-telemetry` (`src/Web/StellaOps.Web/src/app/core/telemetry/ttfs-telemetry.service.ts`)
+- **Source**: SPRINT_0214_0001_0001_web_iii.md
+
+## E2E Test Plan
+- **Setup**:
+  - [ ] Log in with a user that has appropriate permissions
+  - [ ] Navigate to the relevant page/section where this feature appears
+  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+- **Core verification**:
+  - [ ] Verify the component renders correctly with sample data
+  - [ ] Verify interactive elements respond to user input
+  - [ ] Verify data is fetched and displayed from the correct API endpoints
+- **Edge cases**:
+  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify responsive layout at different viewport sizes
+  - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)
--- a/docs/features/checked/web/web-gateway-openapi-discovery-with-deprecation-and-idempotency.md
+++ b/docs/features/checked/web/web-gateway-openapi-discovery-with-deprecation-and-idempotency.md
@@ -0,0 +1,39 @@
+# Web Gateway OpenAPI Discovery with Deprecation and Idempotency
+
+## Module
+Web
+
+## Status
+IMPLEMENTED
+
+## Description
+Gateway OpenAPI discovery endpoint with ETag caching, standard error envelope migration, cursor pagination normalization, Idempotency-Key support, and deprecation header middleware with Sunset link emission.
+
+## Implementation Details
+- **Feature directory**: `src/Web/StellaOps.Web/src/app/core/api/`
+- **Services**:
+  - `gateway-metrics` (`src/Web/StellaOps.Web/src/app/core/api/gateway-metrics.service.ts`)
+  - `policy-interop` (`src/Web/StellaOps.Web/src/app/core/api/policy-interop.service.ts`)
+  - `reachability-integration` (`src/Web/StellaOps.Web/src/app/core/api/reachability-integration.service.ts`)
+  - `vuln-export-orchestrator` (`src/Web/StellaOps.Web/src/app/core/api/vuln-export-orchestrator.service.ts`)
+- **Models**:
+  - `src/Web/StellaOps.Web/src/app/core/api/advisories.models.ts`
+  - `src/Web/StellaOps.Web/src/app/core/api/advisory-ai.models.ts`
+  - `src/Web/StellaOps.Web/src/app/core/api/ai-runs.models.ts`
+  - `src/Web/StellaOps.Web/src/app/core/api/analytics.models.ts`
+  - `src/Web/StellaOps.Web/src/app/core/api/aoc.models.ts`
+- **Source**: SPRINT_0214_0001_0001_web_iii.md
+
+## E2E Test Plan
+- **Setup**:
+  - [ ] Log in with a user that has appropriate permissions
+  - [ ] Navigate to the relevant page/section where this feature appears
+  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+- **Core verification**:
+  - [ ] Verify the component renders correctly with sample data
+  - [ ] Verify interactive elements respond to user input
+  - [ ] Verify data is fetched and displayed from the correct API endpoints
+- **Edge cases**:
+  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify responsive layout at different viewport sizes
+  - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)
--- a/docs/features/checked/web/web-gateway-signals-and-reachability-proxy.md
+++ b/docs/features/checked/web/web-gateway-signals-and-reachability-proxy.md
@@ -0,0 +1,39 @@
+# Web Gateway Signals and Reachability Proxy
+
+## Module
+Web
+
+## Status
+IMPLEMENTED
+
+## Description
+Gateway proxy for reachability signals providing call-graph queries, reachability state lookups, and runtime evidence retrieval through the web API layer for UI consumption.
+
+## Implementation Details
+- **Feature directory**: `src/Web/StellaOps.Web/src/app/core/api/`
+- **Services**:
+  - `gateway-metrics` (`src/Web/StellaOps.Web/src/app/core/api/gateway-metrics.service.ts`)
+  - `policy-interop` (`src/Web/StellaOps.Web/src/app/core/api/policy-interop.service.ts`)
+  - `reachability-integration` (`src/Web/StellaOps.Web/src/app/core/api/reachability-integration.service.ts`)
+  - `vuln-export-orchestrator` (`src/Web/StellaOps.Web/src/app/core/api/vuln-export-orchestrator.service.ts`)
+- **Models**:
+  - `src/Web/StellaOps.Web/src/app/core/api/advisories.models.ts`
+  - `src/Web/StellaOps.Web/src/app/core/api/advisory-ai.models.ts`
+  - `src/Web/StellaOps.Web/src/app/core/api/ai-runs.models.ts`
+  - `src/Web/StellaOps.Web/src/app/core/api/analytics.models.ts`
+  - `src/Web/StellaOps.Web/src/app/core/api/aoc.models.ts`
+- **Source**: SPRINT_0216_0001_0001_web_v.md
+
+## E2E Test Plan
+- **Setup**:
+  - [ ] Log in with a user that has appropriate permissions
+  - [ ] Navigate to the relevant page/section where this feature appears
+  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+- **Core verification**:
+  - [ ] Verify the component renders correctly with sample data
+  - [ ] Verify interactive elements respond to user input
+  - [ ] Verify data is fetched and displayed from the correct API endpoints
+- **Edge cases**:
+  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify responsive layout at different viewport sizes
+  - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)
--- a/docs/features/checked/web/web-gateway-vex-consensus-proxy.md
+++ b/docs/features/checked/web/web-gateway-vex-consensus-proxy.md
@@ -0,0 +1,39 @@
+# Web Gateway VEX Consensus Proxy
+
+## Module
+Web
+
+## Status
+IMPLEMENTED
+
+## Description
+Gateway proxy for VEX consensus engine providing multi-source consensus queries, trust scoring, and quorum verification through the web API layer with tenant and ABAC enforcement.
+
+## Implementation Details
+- **Feature directory**: `src/Web/StellaOps.Web/src/app/core/api/`
+- **Services**:
+  - `gateway-metrics` (`src/Web/StellaOps.Web/src/app/core/api/gateway-metrics.service.ts`)
+  - `policy-interop` (`src/Web/StellaOps.Web/src/app/core/api/policy-interop.service.ts`)
+  - `reachability-integration` (`src/Web/StellaOps.Web/src/app/core/api/reachability-integration.service.ts`)
+  - `vuln-export-orchestrator` (`src/Web/StellaOps.Web/src/app/core/api/vuln-export-orchestrator.service.ts`)
+- **Models**:
+  - `src/Web/StellaOps.Web/src/app/core/api/advisories.models.ts`
+  - `src/Web/StellaOps.Web/src/app/core/api/advisory-ai.models.ts`
+  - `src/Web/StellaOps.Web/src/app/core/api/ai-runs.models.ts`
+  - `src/Web/StellaOps.Web/src/app/core/api/analytics.models.ts`
+  - `src/Web/StellaOps.Web/src/app/core/api/aoc.models.ts`
+- **Source**: SPRINT_0216_0001_0001_web_v.md
+
+## E2E Test Plan
+- **Setup**:
+  - [ ] Log in with a user that has appropriate permissions
+  - [ ] Navigate to the relevant page/section where this feature appears
+  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+- **Core verification**:
+  - [ ] Verify the component renders correctly with sample data
+  - [ ] Verify interactive elements respond to user input
+  - [ ] Verify data is fetched and displayed from the correct API endpoints
+- **Edge cases**:
+  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify responsive layout at different viewport sizes
+  - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)
--- a/docs/features/checked/web/why-safe-evidence-explanation-panel.md
+++ b/docs/features/checked/web/why-safe-evidence-explanation-panel.md
@@ -0,0 +1,62 @@
+# "Why Safe?" Evidence Explanation Panel
+
+## Module
+Web
+
+## Status
+IMPLEMENTED
+
+## Description
+Dedicated panel answering "Why is this component considered safe?" by aggregating and displaying all contributing evidence: VEX statements, reachability analysis results, attestation chains, and policy evaluation outcomes in a user-friendly breakdown.
+
+## Implementation Details
+- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/triage/`
+- **Components**:
+  - `ai-code-guard-badge` (`src/Web/StellaOps.Web/src/app/features/triage/components/ai-code-guard-badge/ai-code-guard-badge.component.ts`)
+  - `ai-recommendation-panel` (`src/Web/StellaOps.Web/src/app/features/triage/components/ai-recommendation-panel/ai-recommendation-panel.component.ts`)
+  - `attestation-viewer` (`src/Web/StellaOps.Web/src/app/features/triage/components/attestation-viewer/attestation-viewer.component.ts`)
+  - `bulk-action-modal` (`src/Web/StellaOps.Web/src/app/features/triage/components/bulk-action-modal/bulk-action-modal.component.ts`)
+  - `case-header` (`src/Web/StellaOps.Web/src/app/features/triage/components/case-header/case-header.component.ts`)
+  - `decision-drawer-enhanced` (`src/Web/StellaOps.Web/src/app/features/triage/components/decision-drawer/decision-drawer-enhanced.component.ts`)
+  - `decision-drawer` (`src/Web/StellaOps.Web/src/app/features/triage/components/decision-drawer/decision-drawer.component.ts`)
+  - `attestation-chain` (`src/Web/StellaOps.Web/src/app/features/triage/components/evidence-panel/attestation-chain.component.ts`)
+  - `backport-verdict-badge` (`src/Web/StellaOps.Web/src/app/features/triage/components/evidence-panel/backport-verdict-badge.component.ts`)
+  - `binary-diff-tab` (`src/Web/StellaOps.Web/src/app/features/triage/components/evidence-panel/binary-diff-tab.component.ts`)
+  - `confidence-meter` (`src/Web/StellaOps.Web/src/app/features/triage/components/evidence-panel/confidence-meter.component.ts`)
+  - `diff-tab` (`src/Web/StellaOps.Web/src/app/features/triage/components/evidence-panel/diff-tab.component.ts`)
+  - `dsse-badge` (`src/Web/StellaOps.Web/src/app/features/triage/components/evidence-panel/dsse-badge.component.ts`)
+  - `evidence-uri-link` (`src/Web/StellaOps.Web/src/app/features/triage/components/evidence-panel/evidence-uri-link.component.ts`)
+  - `function-trace` (`src/Web/StellaOps.Web/src/app/features/triage/components/evidence-panel/function-trace.component.ts`)
+  - ... and 48 more components
+- **Services**:
+  - `advisory-ai` (`src/Web/StellaOps.Web/src/app/features/triage/services/advisory-ai.service.ts`)
+  - `binary-diff-evidence` (`src/Web/StellaOps.Web/src/app/features/triage/services/binary-diff-evidence.service.ts`)
+  - `diff-evidence` (`src/Web/StellaOps.Web/src/app/features/triage/services/diff-evidence.service.ts`)
+  - `display-preferences` (`src/Web/StellaOps.Web/src/app/features/triage/services/display-preferences.service.ts`)
+  - `evidence-tab` (`src/Web/StellaOps.Web/src/app/features/triage/services/evidence-tab.service.ts`)
+  - `gating` (`src/Web/StellaOps.Web/src/app/features/triage/services/gating.service.ts`)
+  - `keyboard-shortcuts` (`src/Web/StellaOps.Web/src/app/features/triage/services/keyboard-shortcuts.service.ts`)
+  - `reach-graph-slice` (`src/Web/StellaOps.Web/src/app/features/triage/services/reach-graph-slice.service.ts`)
+  - `reachability` (`src/Web/StellaOps.Web/src/app/features/triage/services/reachability.service.ts`)
+  - `runtime-evidence` (`src/Web/StellaOps.Web/src/app/features/triage/services/runtime-evidence.service.ts`)
+- **Models**:
+  - `src/Web/StellaOps.Web/src/app/features/triage/models/diff-evidence.models.ts`
+  - `src/Web/StellaOps.Web/src/app/features/triage/models/evidence-panel.models.ts`
+  - `src/Web/StellaOps.Web/src/app/features/triage/models/evidence.model.ts`
+  - `src/Web/StellaOps.Web/src/app/features/triage/models/gating.model.ts`
+  - `src/Web/StellaOps.Web/src/app/features/triage/models/reachability.models.ts`
+- **Source**: SPRINT_20251228_008_FE_sbom_lineage_graph_ii.md
+
+## E2E Test Plan
+- **Setup**:
+  - [ ] Log in with a user that has appropriate permissions
+  - [ ] Navigate to `/triage/artifacts`
+  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+- **Core verification**:
+  - [ ] Verify the panel/drawer opens on trigger (click, keyboard shortcut)
+  - [ ] Verify the panel displays the correct detail data for the selected item
+  - [ ] Verify the panel can be closed (X button, Escape key, backdrop click)
+- **Edge cases**:
+  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify responsive layout at different viewport sizes
+  - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)
--- a/docs/features/checked/web/witness-drawer.md
+++ b/docs/features/checked/web/witness-drawer.md
@@ -0,0 +1,30 @@
+# Witness Drawer (Slide-In)
+
+## Module
+Web
+
+## Status
+IMPLEMENTED
+
+## Description
+Contextual slide-in drawer for viewing reachability witness details including call paths, observation type, and claim verification status.
+
+## Implementation Details
+- **Feature directory**: `src/Web/StellaOps.Web/src/app/shared/overlays/witness-drawer/`
+- **Components**:
+  - `witness-drawer` (`src/Web/StellaOps.Web/src/app/shared/overlays/witness-drawer/witness-drawer.component.ts`)
+- **Source**: SPRINT_20260118_009_FE_route_migration_shared_components.md
+
+## E2E Test Plan
+- **Setup**:
+  - [ ] Log in with a user that has appropriate permissions
+  - [ ] Navigate to the relevant page/section where this feature appears
+  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+- **Core verification**:
+  - [ ] Verify the panel/drawer opens on trigger (click, keyboard shortcut)
+  - [ ] Verify the panel displays the correct detail data for the selected item
+  - [ ] Verify the panel can be closed (X button, Escape key, backdrop click)
+- **Edge cases**:
+  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify responsive layout at different viewport sizes
+  - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)
--- a/docs/features/checked/web/witness-viewer-ui.md
+++ b/docs/features/checked/web/witness-viewer-ui.md
@@ -0,0 +1,30 @@
+# Witness Viewer UI
+
+## Module
+Web
+
+## Status
+IMPLEMENTED
+
+## Description
+Witness viewer UI component in the shared UI library, plus a witness page within the reachability feature area.
+
+## Implementation Details
+- **Feature directory**: `src/Web/StellaOps.Web/src/app/shared/ui/witness-viewer/`
+- **Components**:
+  - `witness-viewer` (`src/Web/StellaOps.Web/src/app/shared/ui/witness-viewer/witness-viewer.component.ts`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- **Setup**:
+  - [ ] Log in with a user that has appropriate permissions
+  - [ ] Navigate to the relevant page/section where this feature appears
+  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+- **Core verification**:
+  - [ ] Verify the component renders correctly with sample data
+  - [ ] Verify interactive elements respond to user input
+  - [ ] Verify data is fetched and displayed from the correct API endpoints
+- **Edge cases**:
+  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify responsive layout at different viewport sizes
+  - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)
--- a/docs/features/checked/web/workflow-visualization-with-time-travel-controls.md
+++ b/docs/features/checked/web/workflow-visualization-with-time-travel-controls.md
@@ -0,0 +1,36 @@
+# Workflow Visualization with Time-Travel Controls
+
+## Module
+Web
+
+## Status
+IMPLEMENTED
+
+## Description
+DAG-based workflow visualizer with time-travel debugging controls. Users can step forward/backward through workflow execution states, inspect step details at each point in time, view execution logs, and interactively debug release workflows. The time-travel service manages historical state snapshots. (Merged with Workflow Visualization UI Module from Phase 2 Web section.)
+
+## Implementation Details
+- **Feature directory**: `src/Web/StellaOps.Web/src/app/features/workflow-visualization/`
+- **Routes**: `workflow-visualization.routes.ts`
+- **Components**:
+  - `step-detail-panel` (`src/Web/StellaOps.Web/src/app/features/workflow-visualization/components/step-detail-panel/step-detail-panel.component.ts`)
+  - `time-travel-controls` (`src/Web/StellaOps.Web/src/app/features/workflow-visualization/components/time-travel-controls/time-travel-controls.component.ts`)
+  - `workflow-visualizer` (`src/Web/StellaOps.Web/src/app/features/workflow-visualization/components/workflow-visualizer/workflow-visualizer.component.ts`)
+- **Services**:
+  - `time-travel` (`src/Web/StellaOps.Web/src/app/features/workflow-visualization/services/time-travel.service.ts`)
+  - `workflow-visualization` (`src/Web/StellaOps.Web/src/app/features/workflow-visualization/services/workflow-visualization.service.ts`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- **Setup**:
+  - [ ] Log in with a user that has appropriate permissions
+  - [ ] Navigate to `/release-orchestrator`
+  - [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
+- **Core verification**:
+  - [ ] Verify the visualization renders correctly with sample data
+  - [ ] Verify interactive elements (hover tooltips, click-to-drill-down) work
+  - [ ] Verify the visualization handles empty/minimal data gracefully
+- **Edge cases**:
+  - [ ] Verify graceful handling when backend API is unavailable (error state)
+  - [ ] Verify responsive layout at different viewport sizes
+  - [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)