notify doctors work, audit work, new product advisory sprints

devops/compose/env/dev.env.example

@@ -23,6 +23,18 @@ SIGNER_PORT=8441
 # Attestor
 ATTESTOR_PORT=8442
 
+# Rekor Configuration (Attestor/Scanner)
+# Server URL - default is public Sigstore Rekor
+REKOR_SERVER_URL=https://rekor.sigstore.dev
+# Log version: Auto, V1, or V2 (V2 uses tile-based Sunlight format)
+REKOR_VERSION=Auto
+# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
+REKOR_TILE_BASE_URL=
+# Log ID for multi-log environments (Sigstore production log ID)
+REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
+# Prefer tile proofs when Version=Auto
+REKOR_PREFER_TILE_PROOFS=false
+
 # Issuer Directory
 ISSUER_DIRECTORY_PORT=8447
 ISSUER_DIRECTORY_SEED_CSAF=true

docs-archived/implplan/2025-12-29-csproj-audit/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md

@@ -268,7 +268,7 @@ Bulk task definitions (applies to every project row below):
 | 243 | AUDIT-0081-A | TODO | Approved 2026-01-12 | Guild | src/__Libraries/StellaOps.Evidence.Persistence/StellaOps.Evidence.Persistence.csproj - APPLY |
 | 244 | AUDIT-0082-M | DONE | Revalidated 2026-01-08 | Guild | src/__Libraries/StellaOps.Evidence/StellaOps.Evidence.csproj - MAINT |
 | 245 | AUDIT-0082-T | DONE | Revalidated 2026-01-08 | Guild | src/__Libraries/StellaOps.Evidence/StellaOps.Evidence.csproj - TEST |
-| 246 | AUDIT-0082-A | TODO | Approved 2026-01-12 | Guild | src/__Libraries/StellaOps.Evidence/StellaOps.Evidence.csproj - APPLY |
+| 246 | AUDIT-0082-A | DONE | Applied 2026-01-13 | Guild | src/__Libraries/StellaOps.Evidence/StellaOps.Evidence.csproj - APPLY |
 | 247 | AUDIT-0083-M | DONE | Revalidated 2026-01-08 (test project) | Guild | src/__Libraries/StellaOps.Facet.Tests/StellaOps.Facet.Tests.csproj - MAINT |
 | 248 | AUDIT-0083-T | DONE | Revalidated 2026-01-08 (test project) | Guild | src/__Libraries/StellaOps.Facet.Tests/StellaOps.Facet.Tests.csproj - TEST |
 | 249 | AUDIT-0083-A | DONE | Waived (test project; revalidated 2026-01-08) | Guild | src/__Libraries/StellaOps.Facet.Tests/StellaOps.Facet.Tests.csproj - APPLY |
@@ -1447,7 +1447,7 @@ Bulk task definitions (applies to every project row below):
 | 1422 | AUDIT-0474-A | TODO | Approved 2026-01-12 | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj - APPLY |
 | 1423 | AUDIT-0475-M | DONE | Revalidated 2026-01-12 | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj - MAINT |
 | 1424 | AUDIT-0475-T | DONE | Revalidated 2026-01-12 | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj - TEST |
-| 1425 | AUDIT-0475-A | TODO | Approved 2026-01-12 | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj - APPLY |
+| 1425 | AUDIT-0475-A | DONE | Applied 2026-01-13; determinism, DI guards, retention/TLS gating, tests added | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj - APPLY |
 | 1426 | AUDIT-0476-M | DONE | Revalidated 2026-01-12 | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/StellaOps.ExportCenter.Worker.csproj - MAINT |
 | 1427 | AUDIT-0476-T | DONE | Revalidated 2026-01-12 | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/StellaOps.ExportCenter.Worker.csproj - TEST |
 | 1428 | AUDIT-0476-A | TODO | Approved 2026-01-12 | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/StellaOps.ExportCenter.Worker.csproj - APPLY |
@@ -1951,10 +1951,10 @@ Bulk task definitions (applies to every project row below):
 | 1926 | AUDIT-0642-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/StellaOps.Scanner.Analyzers.Lang.Bun.csproj - APPLY |
 | 1927 | AUDIT-0643-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/StellaOps.Scanner.Analyzers.Lang.Deno.csproj - MAINT |
 | 1928 | AUDIT-0643-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/StellaOps.Scanner.Analyzers.Lang.Deno.csproj - TEST |
-| 1929 | AUDIT-0643-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/StellaOps.Scanner.Analyzers.Lang.Deno.csproj - APPLY |
+| 1929 | AUDIT-0643-A | DONE | Applied 2026-01-13; runtime trace hardening, deterministic ordering, TimeProvider injection, JSON encoder updates, tests added | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/StellaOps.Scanner.Analyzers.Lang.Deno.csproj - APPLY |
 | 1930 | AUDIT-0644-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj - MAINT |
 | 1931 | AUDIT-0644-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj - TEST |
-| 1932 | AUDIT-0644-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj - APPLY |
+| 1932 | AUDIT-0644-A | DONE | Applied 2026-01-12; invariant culture metadata, TimeProvider injection, XML resolver disabled, tests added; capability scanner findings are string literals | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj - APPLY |
 | 1933 | AUDIT-0645-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/StellaOps.Scanner.Analyzers.Lang.Go.csproj - MAINT |
 | 1934 | AUDIT-0645-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/StellaOps.Scanner.Analyzers.Lang.Go.csproj - TEST |
 | 1935 | AUDIT-0645-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/StellaOps.Scanner.Analyzers.Lang.Go.csproj - APPLY |
@@ -1981,7 +1981,7 @@ Bulk task definitions (applies to every project row below):
 | 1956 | AUDIT-0652-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/StellaOps.Scanner.Analyzers.Lang.csproj - APPLY |
 | 1957 | AUDIT-0653-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj - MAINT |
 | 1958 | AUDIT-0653-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj - TEST |
-| 1959 | AUDIT-0653-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj - APPLY |
+| 1959 | AUDIT-0653-A | DONE | Applied 2026-01-13 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj - APPLY |
 | 1960 | AUDIT-0654-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Apk/StellaOps.Scanner.Analyzers.OS.Apk.csproj - MAINT |
 | 1961 | AUDIT-0654-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Apk/StellaOps.Scanner.Analyzers.OS.Apk.csproj - TEST |
 | 1962 | AUDIT-0654-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Apk/StellaOps.Scanner.Analyzers.OS.Apk.csproj - APPLY |
@@ -2065,7 +2065,7 @@ Bulk task definitions (applies to every project row below):
 | 2040 | AUDIT-0680-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Queue/StellaOps.Scanner.Queue.csproj - APPLY |
 | 2041 | AUDIT-0681-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Reachability/StellaOps.Scanner.Reachability.csproj - MAINT |
 | 2042 | AUDIT-0681-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Reachability/StellaOps.Scanner.Reachability.csproj - TEST |
-| 2043 | AUDIT-0681-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Reachability/StellaOps.Scanner.Reachability.csproj - APPLY |
+| 2043 | AUDIT-0681-A | DONE | Applied 2026-01-13; DSSE PAE/canon, determinism, cancellation, invariant outputs, tests | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Reachability/StellaOps.Scanner.Reachability.csproj - APPLY |
 | 2044 | AUDIT-0682-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/StellaOps.Scanner.ReachabilityDrift.csproj - MAINT |
 | 2045 | AUDIT-0682-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/StellaOps.Scanner.ReachabilityDrift.csproj - TEST |
 | 2046 | AUDIT-0682-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/StellaOps.Scanner.ReachabilityDrift.csproj - APPLY |
@@ -2113,10 +2113,10 @@ Bulk task definitions (applies to every project row below):
 | 2088 | AUDIT-0696-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests.csproj - APPLY |
 | 2089 | AUDIT-0697-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj - MAINT |
 | 2090 | AUDIT-0697-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj - TEST |
-| 2091 | AUDIT-0697-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj - APPLY |
+| 2091 | AUDIT-0697-A | DONE | Applied 2026-01-13; deterministic temp paths, allowlist/root checks, safe JSON encoding, newline normalization | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj - APPLY |
 | 2092 | AUDIT-0698-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests.csproj - MAINT |
 | 2093 | AUDIT-0698-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests.csproj - TEST |
-| 2094 | AUDIT-0698-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests.csproj - APPLY |
+| 2094 | AUDIT-0698-A | DONE | Applied 2026-01-12; TreatWarningsAsErrors enabled, deterministic temp paths, new tests added | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests.csproj - APPLY |
 | 2095 | AUDIT-0699-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Go.Tests/StellaOps.Scanner.Analyzers.Lang.Go.Tests.csproj - MAINT |
 | 2096 | AUDIT-0699-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Go.Tests/StellaOps.Scanner.Analyzers.Lang.Go.Tests.csproj - TEST |
 | 2097 | AUDIT-0699-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Go.Tests/StellaOps.Scanner.Analyzers.Lang.Go.Tests.csproj - APPLY |
@@ -2146,7 +2146,7 @@ Bulk task definitions (applies to every project row below):
 | 2121 | AUDIT-0707-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests/StellaOps.Scanner.Analyzers.Lang.Tests.csproj - APPLY |
 | 2122 | AUDIT-0708-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/StellaOps.Scanner.Analyzers.Native.Tests.csproj - MAINT |
 | 2123 | AUDIT-0708-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/StellaOps.Scanner.Analyzers.Native.Tests.csproj - TEST |
-| 2124 | AUDIT-0708-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/StellaOps.Scanner.Analyzers.Native.Tests.csproj - APPLY |
+| 2124 | AUDIT-0708-A | DONE | Applied 2026-01-13 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/StellaOps.Scanner.Analyzers.Native.Tests.csproj - APPLY |
 | 2125 | AUDIT-0709-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Homebrew.Tests/StellaOps.Scanner.Analyzers.OS.Homebrew.Tests.csproj - MAINT |
 | 2126 | AUDIT-0709-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Homebrew.Tests/StellaOps.Scanner.Analyzers.OS.Homebrew.Tests.csproj - TEST |
 | 2127 | AUDIT-0709-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Homebrew.Tests/StellaOps.Scanner.Analyzers.OS.Homebrew.Tests.csproj - APPLY |
@@ -2227,7 +2227,7 @@ Bulk task definitions (applies to every project row below):
 | 2202 | AUDIT-0734-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.ReachabilityDrift.Tests/StellaOps.Scanner.ReachabilityDrift.Tests.csproj - APPLY |
 | 2203 | AUDIT-0735-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csproj - MAINT |
 | 2204 | AUDIT-0735-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csproj - TEST |
-| 2205 | AUDIT-0735-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csproj - APPLY |
+| 2205 | AUDIT-0735-A | DONE | Applied 2026-01-13 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csproj - APPLY |
 | 2206 | AUDIT-0736-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.SchemaEvolution.Tests/StellaOps.Scanner.SchemaEvolution.Tests.csproj - MAINT |
 | 2207 | AUDIT-0736-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.SchemaEvolution.Tests/StellaOps.Scanner.SchemaEvolution.Tests.csproj - TEST |
 | 2208 | AUDIT-0736-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.SchemaEvolution.Tests/StellaOps.Scanner.SchemaEvolution.Tests.csproj - APPLY |
@@ -2263,19 +2263,19 @@ Bulk task definitions (applies to every project row below):
 | 2238 | AUDIT-0746-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Triage.Tests/StellaOps.Scanner.Triage.Tests.csproj - APPLY |
 | 2239 | AUDIT-0747-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj - MAINT |
 | 2240 | AUDIT-0747-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj - TEST |
-| 2241 | AUDIT-0747-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj - APPLY |
+| 2241 | AUDIT-0747-A | DONE | Applied 2026-01-13 | Guild | src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj - APPLY |
 | 2242 | AUDIT-0748-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/StellaOps.Scanner.Worker.Tests.csproj - MAINT |
 | 2243 | AUDIT-0748-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/StellaOps.Scanner.Worker.Tests.csproj - TEST |
 | 2244 | AUDIT-0748-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/StellaOps.Scanner.Worker.Tests.csproj - APPLY |
 | 2245 | AUDIT-0749-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj - MAINT |
 | 2246 | AUDIT-0749-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj - TEST |
-| 2247 | AUDIT-0749-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj - APPLY |
+| 2247 | AUDIT-0749-A | DONE | Applied 2026-01-13 | Guild | src/Scanner/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj - APPLY |
 | 2248 | AUDIT-0750-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj - MAINT |
 | 2249 | AUDIT-0750-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj - TEST |
-| 2250 | AUDIT-0750-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj - APPLY |
+| 2250 | AUDIT-0750-A | DONE | Applied 2026-01-13 | Guild | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj - APPLY |
 | 2251 | AUDIT-0751-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj - MAINT |
 | 2252 | AUDIT-0751-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj - TEST |
-| 2253 | AUDIT-0751-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj - APPLY |
+| 2253 | AUDIT-0751-A | DONE | Applied 2026-01-13 | Guild | src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj - APPLY |
 | 2254 | AUDIT-0752-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/StellaOps.Scanner.Worker/StellaOps.Scanner.Worker.csproj - MAINT |
 | 2255 | AUDIT-0752-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/StellaOps.Scanner.Worker/StellaOps.Scanner.Worker.csproj - TEST |
 | 2256 | AUDIT-0752-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/StellaOps.Scanner.Worker/StellaOps.Scanner.Worker.csproj - APPLY |
@@ -2863,7 +2863,7 @@ Bulk task definitions (applies to every project row below):
 | 2838 | AUDIT-0945-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/StellaOps.Scanner.ChangeTrace.csproj - APPLY |
 | 2839 | AUDIT-0946-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Contracts/StellaOps.Scanner.Contracts.csproj - MAINT |
 | 2840 | AUDIT-0946-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Contracts/StellaOps.Scanner.Contracts.csproj - TEST |
-| 2841 | AUDIT-0946-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Contracts/StellaOps.Scanner.Contracts.csproj - APPLY |
+| 2841 | AUDIT-0946-A | DONE | Applied 2026-01-12; safe JSON encoder; sink patterns are string literals only | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Contracts/StellaOps.Scanner.Contracts.csproj - APPLY |
 | 2842 | AUDIT-0947-M | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/StellaOps.Scanner.PatchVerification.csproj - MAINT |
 | 2843 | AUDIT-0947-T | DONE | Revalidated 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/StellaOps.Scanner.PatchVerification.csproj - TEST |
 | 2844 | AUDIT-0947-A | TODO | Approved 2026-01-12 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/StellaOps.Scanner.PatchVerification.csproj - APPLY |
@@ -3074,11 +3074,16 @@ Bulk task definitions (applies to every project row below):
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2026-01-12 | Applied Scanner.Contracts hotlist: removed unsafe JSON encoder usage; confirmed Process.Start/BinaryFormatter hits are sink pattern literals; updated tests. | Project Mgmt |
+| 2026-01-12 | Applied DotNet analyzer hotlist: invariant culture bundling metadata, TimeProvider injection for callgraph, XML resolver disabled, deterministic test updates and new tests. | Project Mgmt |
 | 2026-01-12 | Added Doctor.WebService audit rows and findings; synced Doctor web service project into src/StellaOps.sln. | Project Mgmt |
 | 2026-01-12 | Added Doctor.Tests audit rows and findings, updated Doctor core test coverage note, and synced the new test project into src/StellaOps.sln. | Project Mgmt |
 | 2026-01-12 | Added 19 Doctor projects to the audit tracker and recorded findings for new csproj entries. | Project Mgmt |
 | 2026-01-12 | Synced src/StellaOps.sln with 139 missing csproj entries. | Project Mgmt |
 | 2026-01-12 | Archived audit report and maint/test sprint to docs-archived/implplan/2025-12-29-csproj-audit; updated references and created pending apply sprint SPRINT_20260112_003_BE_csproj_audit_pending_apply.md. | Project Mgmt |
+| 2026-01-13 | Applied ExportCenter.WebService hotlist (AUDIT-0337-A/AUDIT-0475-A): determinism, DI guards, retention/TLS gating, tests. | Project Mgmt |
+| 2026-01-13 | Applied Scanner.Reachability hotlist (AUDIT-0681-A): DSSE PAE/canon, deterministic IDs, cancellation propagation, invariant formatting, tests. | Project Mgmt |
+| 2026-01-13 | Applied Evidence hotlist (AUDIT-0082-A/AUDIT-0279-A): determinism, schema validation, budgets, retention, tests. | Project Mgmt |
 | 2026-01-12 | Approved all pending APPLY tasks; updated tracker entries to Approved 2026-01-12. | Project Mgmt |
 | 2026-01-12 | Added Apply Status Summary to the audit report and created sprint `docs-archived/implplan/2026-01-12-csproj-audit-apply-backlog/SPRINT_20260112_002_BE_csproj_audit_apply_backlog.md` for pending APPLY backlog. | Project Mgmt |
 | 2026-01-12 | Added production test and reuse gap inventories to the audit report to complete per-project audit coverage. | Project Mgmt |
@@ -5189,7 +5194,7 @@ Bulk task definitions (applies to every project row below):
 | 834 | AUDIT-0278-A | DONE | Waived (test project; revalidated 2026-01-07) | Guild | src/__Analyzers/StellaOps.Determinism.Analyzers.Tests/StellaOps.Determinism.Analyzers.Tests.csproj - APPLY |
 | 835 | AUDIT-0279-M | DONE | Revalidated 2026-01-07 | Guild | src/__Libraries/StellaOps.Evidence/StellaOps.Evidence.csproj - MAINT |
 | 836 | AUDIT-0279-T | DONE | Revalidated 2026-01-07 | Guild | src/__Libraries/StellaOps.Evidence/StellaOps.Evidence.csproj - TEST |
-| 837 | AUDIT-0279-A | TODO | Revalidated 2026-01-07 (open findings) | Guild | src/__Libraries/StellaOps.Evidence/StellaOps.Evidence.csproj - APPLY |
+| 837 | AUDIT-0279-A | DONE | Applied 2026-01-13 | Guild | src/__Libraries/StellaOps.Evidence/StellaOps.Evidence.csproj - APPLY |
 | 838 | AUDIT-0280-M | DONE | Revalidated 2026-01-07 | Guild | src/__Libraries/StellaOps.Evidence.Bundle/StellaOps.Evidence.Bundle.csproj - MAINT |
 | 839 | AUDIT-0280-T | DONE | Revalidated 2026-01-07 | Guild | src/__Libraries/StellaOps.Evidence.Bundle/StellaOps.Evidence.Bundle.csproj - TEST |
 | 840 | AUDIT-0280-A | TODO | Revalidated 2026-01-07 (open findings) | Guild | src/__Libraries/StellaOps.Evidence.Bundle/StellaOps.Evidence.Bundle.csproj - APPLY |
@@ -5363,7 +5368,7 @@ Bulk task definitions (applies to every project row below):
 | 1008 | AUDIT-0336-A | DONE | Waived (test project; revalidated 2026-01-07) | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj - APPLY |
 | 1009 | AUDIT-0337-M | DONE | Revalidated 2026-01-07 | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj - MAINT |
 | 1010 | AUDIT-0337-T | DONE | Revalidated 2026-01-07 | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj - TEST |
-| 1011 | AUDIT-0337-A | TODO | Revalidated 2026-01-07 (open findings) | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj - APPLY |
+| 1011 | AUDIT-0337-A | DONE | Applied 2026-01-13; determinism, DI guards, retention/TLS gating, tests added | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj - APPLY |
 | 1012 | AUDIT-0338-M | DONE | Revalidated 2026-01-07 | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/StellaOps.ExportCenter.Worker.csproj - MAINT |
 | 1013 | AUDIT-0338-T | DONE | Revalidated 2026-01-07 | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/StellaOps.ExportCenter.Worker.csproj - TEST |
 | 1014 | AUDIT-0338-A | TODO | Revalidated 2026-01-07 (open findings) | Guild | src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/StellaOps.ExportCenter.Worker.csproj - APPLY |
@@ -5924,7 +5929,7 @@ Bulk task definitions (applies to every project row below):
 | 1566 | AUDIT-0522-A | DONE | Waived (test project; revalidated 2026-01-07) | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests.csproj - APPLY |
 | 1567 | AUDIT-0523-M | DONE | Revalidated 2026-01-07 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/StellaOps.Scanner.Analyzers.Lang.Deno.csproj - MAINT |
 | 1568 | AUDIT-0523-T | DONE | Revalidated 2026-01-07 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/StellaOps.Scanner.Analyzers.Lang.Deno.csproj - TEST |
-| 1569 | AUDIT-0523-A | TODO | Revalidated 2026-01-07 (open findings) | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/StellaOps.Scanner.Analyzers.Lang.Deno.csproj - APPLY |
+| 1569 | AUDIT-0523-A | DONE | Applied 2026-01-13; superseded by AUDIT-0643-A | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/StellaOps.Scanner.Analyzers.Lang.Deno.csproj - APPLY |
 | 1570 | AUDIT-0524-M | DONE | Revalidated 2026-01-07 | Guild | src/Scanner/__Benchmarks/StellaOps.Scanner.Analyzers.Lang.Deno.Benchmarks/StellaOps.Scanner.Analyzers.Lang.Deno.Benchmarks.csproj - MAINT |
 | 1571 | AUDIT-0524-T | DONE | Revalidated 2026-01-07 | Guild | src/Scanner/__Benchmarks/StellaOps.Scanner.Analyzers.Lang.Deno.Benchmarks/StellaOps.Scanner.Analyzers.Lang.Deno.Benchmarks.csproj - TEST |
 | 1572 | AUDIT-0524-A | DONE | Waived (benchmark project; revalidated 2026-01-07) | Guild | src/Scanner/__Benchmarks/StellaOps.Scanner.Analyzers.Lang.Deno.Benchmarks/StellaOps.Scanner.Analyzers.Lang.Deno.Benchmarks.csproj - APPLY |
@@ -5933,7 +5938,7 @@ Bulk task definitions (applies to every project row below):
 | 1575 | AUDIT-0525-A | DONE | Waived (test project; revalidated 2026-01-07) | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj - APPLY |
 | 1576 | AUDIT-0526-M | DONE | Revalidated 2026-01-07 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj - MAINT |
 | 1577 | AUDIT-0526-T | DONE | Revalidated 2026-01-07 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj - TEST |
-| 1578 | AUDIT-0526-A | TODO | Revalidated 2026-01-07 (open findings) | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj - APPLY |
+| 1578 | AUDIT-0526-A | DONE | Applied 2026-01-12; superseded by AUDIT-0644-A | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj - APPLY |
 | 1579 | AUDIT-0527-M | DONE | Waived (test project; revalidated 2026-01-07) | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests.csproj - MAINT |
 | 1580 | AUDIT-0527-T | DONE | Waived (test project; revalidated 2026-01-07) | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests.csproj - TEST |
 | 1581 | AUDIT-0527-A | DONE | Waived (test project; revalidated 2026-01-07) | Guild | src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests.csproj - APPLY |
@@ -6131,7 +6136,7 @@ Bulk task definitions (applies to every project row below):
 | 1773 | AUDIT-0591-A | DONE | Waived (test project; revalidated 2026-01-08) | Guild | src/Scanner/__Tests/StellaOps.Scanner.Queue.Tests/StellaOps.Scanner.Queue.Tests.csproj - APPLY |
 | 1774 | AUDIT-0592-M | DONE | Revalidated 2026-01-08 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Reachability/StellaOps.Scanner.Reachability.csproj - MAINT |
 | 1775 | AUDIT-0592-T | DONE | Revalidated 2026-01-08 | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Reachability/StellaOps.Scanner.Reachability.csproj - TEST |
-| 1776 | AUDIT-0592-A | TODO | Revalidated 2026-01-08 (open findings) | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Reachability/StellaOps.Scanner.Reachability.csproj - APPLY |
+| 1776 | AUDIT-0592-A | DONE | Applied 2026-01-13; DSSE PAE/canon, determinism, cancellation, invariant outputs, tests | Guild | src/Scanner/__Libraries/StellaOps.Scanner.Reachability/StellaOps.Scanner.Reachability.csproj - APPLY |
 | 1777 | AUDIT-0593-M | DONE | Revalidated 2026-01-08 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Reachability.Stack.Tests/StellaOps.Scanner.Reachability.Stack.Tests.csproj - MAINT |
 | 1778 | AUDIT-0593-T | DONE | Revalidated 2026-01-08 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Reachability.Stack.Tests/StellaOps.Scanner.Reachability.Stack.Tests.csproj - TEST |
 | 1779 | AUDIT-0593-A | DONE | Waived (test project; revalidated 2026-01-08) | Guild | src/Scanner/__Tests/StellaOps.Scanner.Reachability.Stack.Tests/StellaOps.Scanner.Reachability.Stack.Tests.csproj - APPLY |
@@ -6146,7 +6151,7 @@ Bulk task definitions (applies to every project row below):
 | 1788 | AUDIT-0596-A | DONE | Waived (test project; revalidated 2026-01-08) | Guild | src/Scanner/__Tests/StellaOps.Scanner.ReachabilityDrift.Tests/StellaOps.Scanner.ReachabilityDrift.Tests.csproj - APPLY |
 | 1789 | AUDIT-0597-M | DONE | Revalidated 2026-01-08 | Guild | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj - MAINT |
 | 1790 | AUDIT-0597-T | DONE | Revalidated 2026-01-08 | Guild | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj - TEST |
-| 1791 | AUDIT-0597-A | TODO | Revalidated 2026-01-08 (open findings) | Guild | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj - APPLY |
+| 1791 | AUDIT-0597-A | DONE | Applied 2026-01-13 | Guild | src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj - APPLY |
 | 1792 | AUDIT-0598-M | DONE | Revalidated 2026-01-08 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csproj - MAINT |
 | 1793 | AUDIT-0598-T | DONE | Revalidated 2026-01-08 | Guild | src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csproj - TEST |
 | 1794 | AUDIT-0598-A | DONE | Waived (test project; revalidated 2026-01-08) | Guild | src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csproj - APPLY |
@@ -6215,7 +6220,7 @@ Bulk task definitions (applies to every project row below):
 | 1857 | AUDIT-0619-A | DONE | Waived (test project; revalidated 2026-01-08) | Guild | src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces.Tests/StellaOps.Scanner.VulnSurfaces.Tests.csproj - APPLY |
 | 1858 | AUDIT-0620-M | DONE | Revalidated 2026-01-08 | Guild | src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj - MAINT |
 | 1859 | AUDIT-0620-T | DONE | Revalidated 2026-01-08 | Guild | src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj - TEST |
-| 1860 | AUDIT-0620-A | TODO | Revalidated 2026-01-08 (open findings) | Guild | src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj - APPLY |
+| 1860 | AUDIT-0620-A | DONE | Applied 2026-01-13 | Guild | src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj - APPLY |
 | 1861 | AUDIT-0621-M | DONE | Revalidated 2026-01-08 | Guild | src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj - MAINT |
 | 1862 | AUDIT-0621-T | DONE | Revalidated 2026-01-08 | Guild | src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj - TEST |
 | 1863 | AUDIT-0621-A | DONE | Waived (test project; revalidated 2026-01-08) | Guild | src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj - APPLY |
@@ -8080,17 +8085,3 @@ Bulk task definitions (applies to every project row below):
 ## Next Checkpoints
 - TBD: Rebaseline inventory review (repo-wide csproj list) and tranche scheduling.
 - TBD: Audit report review and approval checkpoint.
-
-
-
-
-
-
-
-
-
-
-
-
-
-

docs-archived/implplan/2025-12-29-csproj-audit/SPRINT_20251229_049_BE_csproj_audit_report.md

@@ -2573,7 +2573,7 @@
 - TEST: Coverage exists in src/__Libraries/__Tests/StellaOps.Evidence.Tests for EvidenceIndex serialization, validation, query summary, and budget checks.
 - TEST: Missing tests for EvidenceIndexValidator error paths (digest mismatch, invalid signatures, missing unknowns), EvidenceLinker ordering/determinism, retention tier migration/restore, and schema loading/validation.
 - Proposed changes (pending approval): inject deterministic ID/time providers and sort evidence collections before digesting; align GetAttestationsForSbom to use sbomDigest or remove the parameter; make GetCurrentUsage async; stabilize pruning order and use invariant formatting in budget issues; remove UnsafeRelaxedJsonEscaping from canonicalization pipeline; implement or guard compression; add schema validation or remove the unused schema loader; remove non-ASCII comment glyphs; remove committed bin/obj artifacts or update gitignore; add tests for validator errors, linker determinism, retention flows, schema validation, and pruning order.
-- Disposition: revalidated 2026-01-08 (open findings)
+- Disposition: applied 2026-01-13
 ### src/__Libraries/StellaOps.Evidence.Bundle/StellaOps.Evidence.Bundle.csproj
 - MAINT: EvidenceBundle uses Guid.NewGuid for BundleId; bundles are nondeterministic even when other fields are stable. `src/__Libraries/StellaOps.Evidence.Bundle/EvidenceBundle.cs`
 - MAINT: EvidenceBundleBuilder does not allow overriding BundleId; deterministic bundle IDs cannot be injected for tests or replay. `src/__Libraries/StellaOps.Evidence.Bundle/EvidenceBundle.cs`, `src/__Libraries/StellaOps.Evidence.Bundle/EvidenceBundleBuilder.cs`
@@ -4575,8 +4575,8 @@
 - QUALITY: Runtime shim orders events using localeCompare with the default locale; NDJSON ordering (and hashes) can differ across locales. `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/Runtime/DenoRuntimeShim.cs`
 - MAINT: DenoRuntimeTraceRecorder defaults to TimeProvider.System; timestamps are nondeterministic unless callers inject a TimeProvider or explicit timestamps. `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/Internal/Runtime/DenoRuntimeTraceRecorder.cs`
 - TEST: Runtime runner tests do not cover entrypoint path containment or binary allowlist enforcement. `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/Deno/DenoRuntimeTraceRunnerTests.cs`
-- Proposed changes (pending approval): validate entrypoint paths and restrict binary selection, scope Deno permissions, use ordinal comparisons in the shim, inject TimeProvider, and add tests for root containment/allowlist behavior.
+- Applied changes: validated entrypoint paths and binary allowlist, scoped allow-read, switched shim ordering to ordinal compares, required TimeProvider injection, replaced UnsafeRelaxedJsonEscaping, and added tests for root containment/allowlist behavior.
-- Disposition: pending implementation (non-test project; revalidated 2026-01-07; apply recommendations remain open).
+- Disposition: applied 2026-01-13; apply recommendations closed.
 ### src/Scanner/__Benchmarks/StellaOps.Scanner.Gate.Benchmarks/StellaOps.Scanner.Gate.Benchmarks.csproj
 - MAINT: GenerateFindings allocates a Random that is never used; this triggers a warning with TreatWarningsAsErrors and should be removed or used. `src/Scanner/__Benchmarks/StellaOps.Scanner.Gate.Benchmarks/VexGateBenchmarks.cs`
 - MAINT: Evaluate_NoRuleMatch allocates evidence per iteration, so benchmark timings include setup/allocation overhead instead of only evaluation cost. `src/Scanner/__Benchmarks/StellaOps.Scanner.Gate.Benchmarks/VexGateBenchmarks.cs`
@@ -4615,8 +4615,8 @@
 ### src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj
 - MAINT: Test project sets TreatWarningsAsErrors=false. `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests.csproj`
 - MAINT: Tests use Guid.NewGuid for temp roots and CancellationToken.None for execution. `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/TestUtilities/TestPaths.cs` `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Deno.Tests/Deno/DenoRuntimeTraceRunnerTests.cs`
-- Proposed changes (optional): use deterministic temp paths/tokens and enable warnings-as-errors.
+- Applied changes: deterministic temp paths/tokens, allowlist/root tests, safe JSON encoding, newline normalization; warnings-as-errors remains waived.
-- Disposition: waived (test project; revalidated 2026-01-07).
+- Disposition: waived (test project; determinism/security fixes applied 2026-01-13).
 ### src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj
 - MAINT: Bundling signal metadata formats SizeBytes/EstimatedBundledAssemblies with ToString() without InvariantCulture, producing culture-dependent output. `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Bundling/DotNetBundlingSignalCollector.cs`
 - MAINT: DotNetCallgraphBuilder defaults to TimeProvider.System, making reachability metadata timestamps nondeterministic unless injected. `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Callgraph/DotNetCallgraphBuilder.cs`
@@ -4986,7 +4986,7 @@
 - QUALITY: Numeric/time outputs use `ToString()` without InvariantCulture (union writer timestamps, edge bundle generated_at, semantic score/cwe formatting, PR summary metrics). `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/ReachabilityUnionWriter.cs` `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/EdgeBundlePublisher.cs` `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraphSemanticExtensions.cs` `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/PrReachabilityGate.cs`
 - QUALITY: PR summary markdown includes non-ASCII/mojibake symbols. `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/PrReachabilityGate.cs`
 - TEST: No tests validate DSSE PAE/canonicalization for witness/suppression signing. `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessDsseSigner.cs`
-- Disposition: revalidated 2026-01-08; apply recommendations remain open.
+- Disposition: applied 2026-01-13; apply recommendations closed.
 ### src/Scanner/__Tests/StellaOps.Scanner.Reachability.Stack.Tests/StellaOps.Scanner.Reachability.Stack.Tests.csproj
 - MAINT: TreatWarningsAsErrors is not set for the test project. `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Stack.Tests/StellaOps.Scanner.Reachability.Stack.Tests.csproj`
 - MAINT: Tests use DateTimeOffset.UtcNow and Guid.NewGuid, which reduces determinism. `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Stack.Tests/ReachabilityStackEvaluatorTests.cs` `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Stack.Tests/ReachabilityResultFactoryTests.cs`
@@ -5011,11 +5011,12 @@
 - MAINT: Attestor client is built with new HttpClient rather than IHttpClientFactory. `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs`
 - SECURITY: --attestor-insecure disables TLS validation; ensure explicit warnings and guardrails to avoid accidental use in production. `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs`
 - QUALITY: Console output uses a non-ASCII arrow glyph in the handshake message. `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/Program.cs`
-- Disposition: revalidated 2026-01-08; apply recommendations remain open.
+- NOTE: CLI stdout/stderr output is part of the BuildX protocol; retained intentionally.
+- Disposition: applied 2026-01-13; apply recommendations closed.
 ### src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csproj
 - MAINT: TreatWarningsAsErrors is not set for the test project. `src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csproj`
 - MAINT: Tests use Guid.NewGuid, DateTimeOffset.UtcNow, and CancellationToken.None for temp roots and fixtures, which makes runs nondeterministic. `src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/TestUtilities/TempDirectory.cs` `src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/Attestation/AttestorClientTests.cs` `src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/Surface/SurfaceManifestWriterTests.cs`
-- Disposition: waived (test project; revalidated 2026-01-08).
+- Disposition: waived (test project; determinism fixes applied 2026-01-13).
 ### src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/StellaOps.Scanner.SmartDiff.csproj
 - MAINT: EPSS threshold text and score formatting use current culture (P0/F4), making change reasons locale-dependent. `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/MaterialRiskChangeDetector.cs`
 - QUALITY: SmartDiffJsonSerializer uses JsonSerializerDefaults.Web and camelCase instead of the shared RFC 8785 canonicalizer for predicate output. `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/SmartDiffJsonSerializer.cs`
@@ -5130,12 +5131,12 @@
 - QUALITY: Orchestrator event serialization uses UnsafeRelaxedJsonEscaping and non-canonical JSON for deterministic outputs. `src/Scanner/StellaOps.Scanner.WebService/Serialization/OrchestratorEventSerializer.cs`
 - QUALITY: Surface manifest digest is computed from JsonSerializerDefaults.Web output instead of canonical JSON. `src/Scanner/StellaOps.Scanner.WebService/Services/SurfacePointerService.cs`
 - TEST: Coverage review continues in AUDIT-0621 (Scanner.WebService.Tests).
-- Disposition: revalidated 2026-01-08; apply recommendations remain open.
+- Disposition: applied 2026-01-13; apply recommendations closed.
 ### src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj
 - MAINT: Tests use Guid.NewGuid, DateTimeOffset.UtcNow, DateTime.UtcNow, and Random.Shared across fixtures, making runs nondeterministic. `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/Benchmarks/TtfsPerformanceBenchmarks.cs` `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ManifestEndpointsTests.cs` `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/UnifiedEvidenceServiceTests.cs`
 - MAINT: Tests use CancellationToken.None in async paths; cancellation handling is not exercised. `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ReportEventDispatcherTests.cs` `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/RuntimeEndpointsTests.cs`
 - QUALITY: Non-ASCII glyphs appear in comments. `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/Benchmarks/TtfsPerformanceBenchmarks.cs` `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/Integration/ProofReplayWorkflowTests.cs`
-- Disposition: waived (test project; revalidated 2026-01-08).
+- Disposition: waived (test project; determinism fixes applied 2026-01-13).
 ### src/Scanner/StellaOps.Scanner.Worker/StellaOps.Scanner.Worker.csproj
 - MAINT: CancellationToken.None and blocking .Result are used in worker pipeline and signing paths; cancellation cannot propagate cleanly. `src/Scanner/StellaOps.Scanner.Worker/Hosting/ScannerWorkerHostedService.cs` `src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/SurfaceManifestStageExecutor.cs` `src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/HmacDsseEnvelopeSigner.cs`
 - SECURITY: DSSE PAE and envelope serialization are reimplemented locally; output is not spec-compliant or canonical. `src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/HmacDsseEnvelopeSigner.cs` `src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/IDsseEnvelopeSigner.cs`

docs-archived/implplan/2026-01-12-doctor-diagnostics/SPRINT_20260112_001_000_INDEX_doctor_diagnostics.md

@@ -201,7 +201,7 @@ Examples:
 - [x] Export capability for support tickets
 - [x] Unit test coverage >= 85%
 - [x] Integration tests for all plugins
-- [ ] Documentation in `docs/doctor/` (TODO)
+- [x] Documentation in `docs/doctor/`
 
 ---
 
@@ -248,6 +248,7 @@ Examples:
 | 12-Jan-2026 | Sprint 001_008 (FE Dashboard) completed - Angular 17+ standalone components |
 | 12-Jan-2026 | Sprint 001_009 (Self-service) completed - Export, Observability plugin |
 | 12-Jan-2026 | All 9 sprints complete - Doctor Diagnostics System fully implemented |
+| 12-Jan-2026 | Documentation created in docs/doctor/ (README.md, cli-reference.md) |
 
 ---
 

docs/dev/extending-binary-analysis.md

@@ -0,0 +1,569 @@
+# Extending Binary Analysis
+
+This guide explains how to add support for new binary formats or custom section extractors to the binary diff attestation system.
+
+## Overview
+
+The binary analysis system is designed for extensibility. You can add support for:
+
+- **New binary formats** (PE, Mach-O, WebAssembly)
+- **Custom section extractors** (additional ELF sections, custom hash algorithms)
+- **Verdict classifiers** (custom backport detection logic)
+
+## Architecture
+
+### Core Interfaces
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                    Binary Analysis Pipeline                      │
+├─────────────────────────────────────────────────────────────────┤
+│                                                                 │
+│  IBinaryFormatDetector ──▶ ISectionHashExtractor<TConfig>       │
+│          │                         │                            │
+│          ▼                         ▼                            │
+│  BinaryFormat enum         SectionHashSet                       │
+│  (elf, pe, macho)          (per-format)                        │
+│                                    │                            │
+│                                    ▼                            │
+│                            IVerdictClassifier                   │
+│                                    │                            │
+│                                    ▼                            │
+│                            BinaryDiffFinding                    │
+│                                                                 │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+### Key Interfaces
+
+```csharp
+/// <summary>
+/// Detects binary format from file magic/headers.
+/// </summary>
+public interface IBinaryFormatDetector
+{
+    BinaryFormat Detect(ReadOnlySpan<byte> header);
+    BinaryFormat DetectFromPath(string filePath);
+}
+
+/// <summary>
+/// Extracts section hashes for a specific binary format.
+/// </summary>
+public interface ISectionHashExtractor<TConfig> where TConfig : class
+{
+    BinaryFormat SupportedFormat { get; }
+
+    Task<SectionHashSet?> ExtractAsync(
+        string filePath,
+        TConfig? config = null,
+        CancellationToken cancellationToken = default);
+
+    Task<SectionHashSet?> ExtractFromBytesAsync(
+        ReadOnlyMemory<byte> bytes,
+        string virtualPath,
+        TConfig? config = null,
+        CancellationToken cancellationToken = default);
+}
+
+/// <summary>
+/// Classifies binary changes as patched/vanilla/unknown.
+/// </summary>
+public interface IVerdictClassifier
+{
+    Verdict Classify(SectionHashSet? baseHashes, SectionHashSet? targetHashes);
+    double ComputeConfidence(SectionHashSet? baseHashes, SectionHashSet? targetHashes);
+}
+```
+
+## Adding a New Binary Format
+
+### Step 1: Define Configuration
+
+```csharp
+// src/Scanner/__Libraries/StellaOps.Scanner.Contracts/PeSectionConfig.cs
+
+namespace StellaOps.Scanner.Contracts;
+
+/// <summary>
+/// Configuration for PE section hash extraction.
+/// </summary>
+public sealed record PeSectionConfig
+{
+    /// <summary>Sections to extract hashes from.</summary>
+    public ImmutableArray<string> Sections { get; init; } = [".text", ".rdata", ".data", ".rsrc"];
+
+    /// <summary>Hash algorithms to use.</summary>
+    public ImmutableArray<string> HashAlgorithms { get; init; } = ["sha256"];
+
+    /// <summary>Maximum section size to process (bytes).</summary>
+    public long MaxSectionSize { get; init; } = 100 * 1024 * 1024; // 100MB
+
+    /// <summary>Whether to extract version resources.</summary>
+    public bool ExtractVersionInfo { get; init; } = true;
+}
+```
+
+### Step 2: Implement the Extractor
+
+```csharp
+// src/Scanner/StellaOps.Scanner.Analyzers.Native/Hardening/PeSectionHashExtractor.cs
+
+namespace StellaOps.Scanner.Analyzers.Native;
+
+public sealed class PeSectionHashExtractor : ISectionHashExtractor<PeSectionConfig>
+{
+    private readonly TimeProvider _timeProvider;
+    private readonly ILogger<PeSectionHashExtractor> _logger;
+
+    public PeSectionHashExtractor(
+        TimeProvider timeProvider,
+        ILogger<PeSectionHashExtractor> logger)
+    {
+        _timeProvider = timeProvider;
+        _logger = logger;
+    }
+
+    public BinaryFormat SupportedFormat => BinaryFormat.Pe;
+
+    public async Task<SectionHashSet?> ExtractAsync(
+        string filePath,
+        PeSectionConfig? config = null,
+        CancellationToken cancellationToken = default)
+    {
+        config ??= new PeSectionConfig();
+
+        // Read file
+        var bytes = await File.ReadAllBytesAsync(filePath, cancellationToken);
+        return await ExtractFromBytesAsync(bytes, filePath, config, cancellationToken);
+    }
+
+    public async Task<SectionHashSet?> ExtractFromBytesAsync(
+        ReadOnlyMemory<byte> bytes,
+        string virtualPath,
+        PeSectionConfig? config = null,
+        CancellationToken cancellationToken = default)
+    {
+        config ??= new PeSectionConfig();
+
+        // Validate PE magic
+        if (!IsPeFile(bytes.Span))
+        {
+            _logger.LogDebug("Not a PE file: {Path}", virtualPath);
+            return null;
+        }
+
+        try
+        {
+            var sections = new Dictionary<string, SectionInfo>();
+
+            // Parse PE headers
+            using var peReader = new PEReader(new MemoryStream(bytes.ToArray()));
+
+            foreach (var sectionHeader in peReader.PEHeaders.SectionHeaders)
+            {
+                var sectionName = sectionHeader.Name;
+
+                if (!config.Sections.Contains(sectionName))
+                    continue;
+
+                if (sectionHeader.SizeOfRawData > config.MaxSectionSize)
+                {
+                    _logger.LogWarning(
+                        "Section {Section} exceeds max size ({Size} > {Max})",
+                        sectionName, sectionHeader.SizeOfRawData, config.MaxSectionSize);
+                    continue;
+                }
+
+                // Get section data
+                var sectionData = peReader.GetSectionData(sectionName);
+                if (sectionData.Length == 0)
+                    continue;
+
+                // Compute hash
+                var sha256 = ComputeSha256(sectionData.GetContent());
+
+                sections[sectionName] = new SectionInfo
+                {
+                    Sha256 = sha256,
+                    Size = sectionData.Length,
+                    Offset = sectionHeader.PointerToRawData
+                };
+            }
+
+            // Compute file hash
+            var fileHash = ComputeSha256(bytes.Span);
+
+            return new SectionHashSet
+            {
+                FilePath = virtualPath,
+                FileHash = fileHash,
+                Sections = sections.ToImmutableDictionary(),
+                ExtractedAt = _timeProvider.GetUtcNow(),
+                ExtractorVersion = GetType().Assembly.GetName().Version?.ToString() ?? "1.0.0"
+            };
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Failed to extract PE sections from {Path}", virtualPath);
+            return null;
+        }
+    }
+
+    private static bool IsPeFile(ReadOnlySpan<byte> bytes)
+    {
+        // Check DOS header magic (MZ)
+        if (bytes.Length < 64)
+            return false;
+
+        return bytes[0] == 0x4D && bytes[1] == 0x5A; // "MZ"
+    }
+
+    private static string ComputeSha256(ReadOnlySpan<byte> data)
+    {
+        Span<byte> hash = stackalloc byte[32];
+        SHA256.HashData(data, hash);
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+}
+```
+
+### Step 3: Register Services
+
+```csharp
+// src/Scanner/StellaOps.Scanner.Analyzers.Native/ServiceCollectionExtensions.cs
+
+public static class ServiceCollectionExtensions
+{
+    public static IServiceCollection AddNativeAnalyzers(
+        this IServiceCollection services,
+        IConfiguration configuration)
+    {
+        // Existing ELF extractor
+        services.AddSingleton<IElfSectionHashExtractor, ElfSectionHashExtractor>();
+
+        // New PE extractor
+        services.AddSingleton<ISectionHashExtractor<PeSectionConfig>, PeSectionHashExtractor>();
+
+        // Register in composite
+        services.AddSingleton<IBinaryFormatDetector, CompositeBinaryFormatDetector>();
+        services.AddSingleton<ICompositeSectionHashExtractor>(sp =>
+        {
+            var extractors = new Dictionary<BinaryFormat, object>
+            {
+                [BinaryFormat.Elf] = sp.GetRequiredService<IElfSectionHashExtractor>(),
+                [BinaryFormat.Pe] = sp.GetRequiredService<ISectionHashExtractor<PeSectionConfig>>()
+            };
+            return new CompositeSectionHashExtractor(extractors);
+        });
+
+        // Configuration
+        services.AddOptions<PeSectionConfig>()
+            .Bind(configuration.GetSection("Scanner:Native:PeSections"))
+            .ValidateDataAnnotations()
+            .ValidateOnStart();
+
+        return services;
+    }
+}
+```
+
+### Step 4: Add Tests
+
+```csharp
+// src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/PeSectionHashExtractorTests.cs
+
+namespace StellaOps.Scanner.Analyzers.Native.Tests;
+
+public class PeSectionHashExtractorTests
+{
+    private readonly PeSectionHashExtractor _extractor;
+    private readonly FakeTimeProvider _timeProvider;
+
+    public PeSectionHashExtractorTests()
+    {
+        _timeProvider = new FakeTimeProvider(new DateTimeOffset(2026, 1, 13, 12, 0, 0, TimeSpan.Zero));
+        _extractor = new PeSectionHashExtractor(
+            _timeProvider,
+            NullLogger<PeSectionHashExtractor>.Instance);
+    }
+
+    [Fact]
+    public async Task ExtractAsync_ValidPe_ReturnsAllSections()
+    {
+        // Arrange
+        var pePath = "TestData/sample.exe";
+
+        // Act
+        var result = await _extractor.ExtractAsync(pePath);
+
+        // Assert
+        Assert.NotNull(result);
+        Assert.Contains(".text", result.Sections.Keys);
+        Assert.Contains(".rdata", result.Sections.Keys);
+        Assert.NotEmpty(result.FileHash);
+    }
+
+    [Fact]
+    public async Task ExtractAsync_NotPeFile_ReturnsNull()
+    {
+        // Arrange
+        var elfPath = "TestData/sample.elf";
+
+        // Act
+        var result = await _extractor.ExtractAsync(elfPath);
+
+        // Assert
+        Assert.Null(result);
+    }
+
+    [Fact]
+    public async Task ExtractAsync_Deterministic_SameOutput()
+    {
+        // Arrange
+        var pePath = "TestData/sample.exe";
+
+        // Act
+        var result1 = await _extractor.ExtractAsync(pePath);
+        var result2 = await _extractor.ExtractAsync(pePath);
+
+        // Assert
+        Assert.Equal(result1!.FileHash, result2!.FileHash);
+        Assert.Equal(result1.Sections[".text"].Sha256, result2.Sections[".text"].Sha256);
+    }
+}
+```
+
+## Adding Custom Section Analysis
+
+### Custom Hash Algorithm
+
+```csharp
+public interface IHashAlgorithmProvider
+{
+    string Name { get; }
+    string ComputeHash(ReadOnlySpan<byte> data);
+}
+
+public sealed class Blake3HashProvider : IHashAlgorithmProvider
+{
+    public string Name => "blake3";
+
+    public string ComputeHash(ReadOnlySpan<byte> data)
+    {
+        // Using Blake3 library
+        var hash = Blake3.Hasher.Hash(data);
+        return Convert.ToHexString(hash.AsSpan()).ToLowerInvariant();
+    }
+}
+```
+
+### Custom Verdict Classifier
+
+```csharp
+public sealed class EnhancedVerdictClassifier : IVerdictClassifier
+{
+    private readonly ISymbolAnalyzer _symbolAnalyzer;
+
+    public Verdict Classify(SectionHashSet? baseHashes, SectionHashSet? targetHashes)
+    {
+        if (baseHashes == null || targetHashes == null)
+            return Verdict.Unknown;
+
+        // Check .text section change
+        var textChanged = HasSectionChanged(baseHashes, targetHashes, ".text");
+        var symbolsChanged = HasSectionChanged(baseHashes, targetHashes, ".symtab");
+
+        // Custom logic: if .text changed but symbols are similar, likely a patch
+        if (textChanged && !symbolsChanged)
+        {
+            return Verdict.Patched;
+        }
+
+        // If everything changed significantly, it's a vanilla update
+        if (textChanged && symbolsChanged)
+        {
+            return Verdict.Vanilla;
+        }
+
+        return Verdict.Unknown;
+    }
+
+    public double ComputeConfidence(SectionHashSet? baseHashes, SectionHashSet? targetHashes)
+    {
+        if (baseHashes == null || targetHashes == null)
+            return 0.0;
+
+        // Compute similarity score
+        var matchingSections = 0;
+        var totalSections = 0;
+
+        foreach (var (name, baseInfo) in baseHashes.Sections)
+        {
+            totalSections++;
+            if (targetHashes.Sections.TryGetValue(name, out var targetInfo))
+            {
+                if (baseInfo.Sha256 == targetInfo.Sha256)
+                    matchingSections++;
+            }
+        }
+
+        if (totalSections == 0)
+            return 0.0;
+
+        // Higher similarity = higher confidence in classification
+        return Math.Round((double)matchingSections / totalSections, 4, MidpointRounding.ToZero);
+    }
+
+    private static bool HasSectionChanged(SectionHashSet baseHashes, SectionHashSet targetHashes, string section)
+    {
+        if (!baseHashes.Sections.TryGetValue(section, out var baseInfo))
+            return false;
+        if (!targetHashes.Sections.TryGetValue(section, out var targetInfo))
+            return true;
+
+        return baseInfo.Sha256 != targetInfo.Sha256;
+    }
+}
+```
+
+## Best Practices
+
+### 1. Determinism
+
+Always ensure deterministic output:
+
+```csharp
+// BAD - Non-deterministic
+public SectionHashSet Extract(string path)
+{
+    return new SectionHashSet
+    {
+        ExtractedAt = DateTimeOffset.UtcNow, // Non-deterministic!
+        // ...
+    };
+}
+
+// GOOD - Injected time provider
+public SectionHashSet Extract(string path)
+{
+    return new SectionHashSet
+    {
+        ExtractedAt = _timeProvider.GetUtcNow(), // Deterministic
+        // ...
+    };
+}
+```
+
+### 2. Error Handling
+
+Handle malformed binaries gracefully:
+
+```csharp
+public async Task<SectionHashSet?> ExtractAsync(string path, CancellationToken ct)
+{
+    try
+    {
+        // ... extraction logic
+    }
+    catch (BadImageFormatException ex)
+    {
+        _logger.LogDebug(ex, "Invalid binary format: {Path}", path);
+        return null; // Return null, don't throw
+    }
+    catch (IOException ex)
+    {
+        _logger.LogWarning(ex, "I/O error reading: {Path}", path);
+        return null;
+    }
+}
+```
+
+### 3. Memory Management
+
+Stream large binaries instead of loading entirely:
+
+```csharp
+public async Task<SectionHashSet?> ExtractLargeBinaryAsync(
+    string path,
+    CancellationToken ct)
+{
+    await using var stream = new FileStream(
+        path,
+        FileMode.Open,
+        FileAccess.Read,
+        FileShare.Read,
+        bufferSize: 81920,
+        useAsync: true);
+
+    // Stream section data instead of loading all at once
+    // ...
+}
+```
+
+### 4. Configuration Validation
+
+Validate configuration at startup:
+
+```csharp
+public sealed class PeSectionConfigValidator : IValidateOptions<PeSectionConfig>
+{
+    public ValidateOptionsResult Validate(string? name, PeSectionConfig options)
+    {
+        if (options.Sections.Length == 0)
+            return ValidateOptionsResult.Fail("At least one section must be specified");
+
+        if (options.MaxSectionSize <= 0)
+            return ValidateOptionsResult.Fail("MaxSectionSize must be positive");
+
+        return ValidateOptionsResult.Success;
+    }
+}
+```
+
+## Testing Guidelines
+
+### Golden File Tests
+
+```csharp
+[Fact]
+public async Task Extract_KnownBinary_MatchesGolden()
+{
+    // Arrange
+    var binaryPath = "TestData/known-binary.exe";
+    var goldenPath = "TestData/known-binary.golden.json";
+
+    // Act
+    var result = await _extractor.ExtractAsync(binaryPath);
+
+    // Assert
+    var expected = JsonSerializer.Deserialize<SectionHashSet>(
+        await File.ReadAllTextAsync(goldenPath));
+
+    Assert.Equal(expected!.FileHash, result!.FileHash);
+    Assert.Equal(expected.Sections.Count, result.Sections.Count);
+}
+```
+
+### Fuzz Testing
+
+```csharp
+[Theory]
+[MemberData(nameof(MalformedBinaries))]
+public async Task Extract_MalformedBinary_ReturnsNullOrThrows(byte[] malformedData)
+{
+    // Act & Assert - Should not crash
+    var result = await _extractor.ExtractFromBytesAsync(
+        malformedData,
+        "test.bin");
+
+    // Either null or valid result, never exception
+    // (Exception would fail the test)
+}
+```
+
+## References
+
+- [PE Format Specification](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
+- [Mach-O Format Reference](https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/MachORuntime/)
+- [ELF Specification](https://refspecs.linuxfoundation.org/elf/elf.pdf)
+- [Binary Diff Attestation Architecture](../modules/scanner/binary-diff-attestation.md)

docs/doctor/README.md

@@ -0,0 +1,416 @@
+# Stella Ops Doctor
+
+> Self-service diagnostics for Stella Ops deployments
+
+## Overview
+
+The Doctor system provides comprehensive diagnostics for Stella Ops deployments, enabling operators, DevOps engineers, and developers to:
+
+- **Diagnose** what is working and what is not
+- **Understand** why failures occur with collected evidence
+- **Remediate** issues with copy/paste commands
+- **Verify** fixes with re-runnable checks
+
+## Quick Start
+
+### CLI
+
+```bash
+# Quick health check
+stella doctor
+
+# Full diagnostic with all checks
+stella doctor --full
+
+# Check specific category
+stella doctor --category database
+
+# Export report for support
+stella doctor export --output diagnostic-bundle.zip
+```
+
+### UI
+
+Navigate to `/ops/doctor` in the Stella Ops console to access the interactive Doctor Dashboard.
+
+### API
+
+```bash
+# Run diagnostics
+POST /api/v1/doctor/run
+
+# Get available checks
+GET /api/v1/doctor/checks
+
+# Stream results
+WebSocket /api/v1/doctor/stream
+```
+
+## Available Checks
+
+The Doctor system includes 48+ diagnostic checks across 7 plugins:
+
+| Plugin | Category | Checks | Description |
+|--------|----------|--------|-------------|
+| `stellaops.doctor.core` | Core | 9 | Configuration, runtime, disk, memory, time, crypto |
+| `stellaops.doctor.database` | Database | 8 | Connectivity, migrations, schema, connection pool |
+| `stellaops.doctor.servicegraph` | ServiceGraph | 6 | Gateway, routing, service health |
+| `stellaops.doctor.security` | Security | 9 | OIDC, LDAP, TLS, Vault |
+| `stellaops.doctor.scm.*` | Integration.SCM | 8 | GitHub, GitLab connectivity/auth/permissions |
+| `stellaops.doctor.registry.*` | Integration.Registry | 6 | Harbor, ECR connectivity/auth/pull |
+| `stellaops.doctor.observability` | Observability | 4 | OTLP, logs, metrics |
+
+### Check ID Convention
+
+```
+check.{category}.{subcategory}.{specific}
+```
+
+Examples:
+- `check.config.required`
+- `check.database.migrations.pending`
+- `check.services.gateway.routing`
+- `check.integration.scm.github.auth`
+
+## CLI Reference
+
+See [CLI Reference](./cli-reference.md) for complete command documentation.
+
+### Common Commands
+
+```bash
+# Quick health check (tagged 'quick' checks only)
+stella doctor --quick
+
+# Full diagnostic with all checks
+stella doctor --full
+
+# Filter by category
+stella doctor --category database
+stella doctor --category security
+
+# Filter by plugin
+stella doctor --plugin scm.github
+
+# Run single check
+stella doctor --check check.database.migrations.pending
+
+# Output formats
+stella doctor --format json
+stella doctor --format markdown
+stella doctor --format text
+
+# Filter output by severity
+stella doctor --severity fail,warn
+
+# Export diagnostic bundle
+stella doctor export --output diagnostic.zip
+stella doctor export --include-logs --log-duration 4h
+```
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | All checks passed |
+| 1 | One or more warnings |
+| 2 | One or more failures |
+| 3 | Doctor engine error |
+| 4 | Invalid arguments |
+| 5 | Timeout exceeded |
+
+## Output Example
+
+```
+Stella Ops Doctor
+=================
+
+Running 47 checks across 8 plugins...
+
+[PASS] check.config.required
+  All required configuration values are present
+
+[PASS] check.database.connectivity
+  PostgreSQL connection successful (latency: 12ms)
+
+[WARN] check.tls.certificates.expiry
+  Diagnosis: TLS certificate expires in 14 days
+
+  Evidence:
+    Certificate: /etc/ssl/certs/stellaops.crt
+    Subject: CN=stellaops.example.com
+    Expires: 2026-01-26T00:00:00Z
+    Days remaining: 14
+
+  Likely Causes:
+    1. Certificate renewal not scheduled
+    2. ACME/Let's Encrypt automation not configured
+
+  Fix Steps:
+    # 1. Check current certificate
+    openssl x509 -in /etc/ssl/certs/stellaops.crt -noout -dates
+
+    # 2. Renew certificate (if using certbot)
+    sudo certbot renew --cert-name stellaops.example.com
+
+    # 3. Restart services to pick up new certificate
+    sudo systemctl restart stellaops-gateway
+
+  Verification:
+    stella doctor --check check.tls.certificates.expiry
+
+[FAIL] check.database.migrations.pending
+  Diagnosis: 3 pending release migrations detected in schema 'auth'
+
+  Evidence:
+    Schema: auth
+    Current version: 099_add_dpop_thumbprints
+    Pending migrations:
+      - 100_add_tenant_quotas
+      - 101_add_audit_retention
+      - 102_add_session_revocation
+
+  Likely Causes:
+    1. Release migrations not applied before deployment
+    2. Migration files added after last deployment
+
+  Fix Steps:
+    # 1. Backup database first (RECOMMENDED)
+    pg_dump -h localhost -U stella_admin -d stellaops -F c \
+      -f stellaops_backup_$(date +%Y%m%d_%H%M%S).dump
+
+    # 2. Apply pending release migrations
+    stella system migrations-run --module Authority --category release
+
+    # 3. Verify migrations applied
+    stella system migrations-status --module Authority
+
+  Verification:
+    stella doctor --check check.database.migrations.pending
+
+--------------------------------------------------------------------------------
+Summary: 44 passed, 2 warnings, 1 failed (47 total)
+Duration: 8.3s
+--------------------------------------------------------------------------------
+```
+
+## Export Bundle
+
+The Doctor export feature creates a diagnostic bundle for support escalation:
+
+```bash
+stella doctor export --output diagnostic-bundle.zip
+```
+
+The bundle contains:
+- `doctor-report.json` - Full diagnostic report
+- `doctor-report.md` - Human-readable report
+- `environment.json` - Environment information
+- `system-info.json` - System details (OS, runtime, memory)
+- `config-sanitized.json` - Sanitized configuration (secrets redacted)
+- `logs/` - Recent log files (optional)
+- `README.md` - Bundle contents guide
+
+### Export Options
+
+```bash
+# Include logs from last 4 hours
+stella doctor export --include-logs --log-duration 4h
+
+# Exclude configuration
+stella doctor export --no-config
+
+# Custom output path
+stella doctor export --output /tmp/support-bundle.zip
+```
+
+## Security
+
+### Secret Redaction
+
+All evidence output is sanitized. Sensitive values (passwords, tokens, connection strings) are replaced with `***REDACTED***` in:
+- Console output
+- JSON exports
+- Diagnostic bundles
+- Log files
+
+### RBAC Permissions
+
+| Scope | Description |
+|-------|-------------|
+| `doctor:run` | Execute doctor checks |
+| `doctor:run:full` | Execute all checks including sensitive |
+| `doctor:export` | Export diagnostic reports |
+| `admin:system` | Access system-level checks |
+
+## Plugin Development
+
+To create a custom Doctor plugin, implement `IDoctorPlugin`:
+
+```csharp
+public class MyCustomPlugin : IDoctorPlugin
+{
+    public string PluginId => "stellaops.doctor.custom";
+    public string DisplayName => "Custom Checks";
+    public Version Version => new(1, 0, 0);
+    public DoctorCategory Category => DoctorCategory.Integration;
+
+    public bool IsAvailable(IServiceProvider services) => true;
+
+    public IReadOnlyList<IDoctorCheck> GetChecks(DoctorPluginContext context)
+    {
+        return new IDoctorCheck[]
+        {
+            new MyCustomCheck()
+        };
+    }
+
+    public Task InitializeAsync(DoctorPluginContext context, CancellationToken ct)
+        => Task.CompletedTask;
+}
+```
+
+Implement checks using `IDoctorCheck`:
+
+```csharp
+public class MyCustomCheck : IDoctorCheck
+{
+    public string CheckId => "check.custom.mycheck";
+    public string Name => "My Custom Check";
+    public string Description => "Validates custom configuration";
+    public DoctorSeverity DefaultSeverity => DoctorSeverity.Fail;
+    public IReadOnlyList<string> Tags => new[] { "custom", "quick" };
+    public TimeSpan EstimatedDuration => TimeSpan.FromSeconds(2);
+
+    public bool CanRun(DoctorPluginContext context) => true;
+
+    public async Task<DoctorCheckResult> RunAsync(
+        DoctorPluginContext context,
+        CancellationToken ct)
+    {
+        // Perform check logic
+        var isValid = await ValidateAsync(ct);
+
+        if (isValid)
+        {
+            return DoctorCheckResult.Pass(
+                checkId: CheckId,
+                diagnosis: "Custom configuration is valid",
+                evidence: new Evidence
+                {
+                    Description = "Validation passed",
+                    Data = new Dictionary<string, string>
+                    {
+                        ["validated_at"] = context.TimeProvider.GetUtcNow().ToString("O")
+                    }
+                });
+        }
+
+        return DoctorCheckResult.Fail(
+            checkId: CheckId,
+            diagnosis: "Custom configuration is invalid",
+            evidence: new Evidence
+            {
+                Description = "Validation failed",
+                Data = new Dictionary<string, string>
+                {
+                    ["error"] = "Configuration file missing"
+                }
+            },
+            remediation: new Remediation
+            {
+                Steps = new[]
+                {
+                    new RemediationStep
+                    {
+                        Order = 1,
+                        Description = "Create configuration file",
+                        Command = "cp /etc/stellaops/custom.yaml.sample /etc/stellaops/custom.yaml",
+                        CommandType = CommandType.Shell
+                    }
+                }
+            });
+    }
+}
+```
+
+Register the plugin in DI:
+
+```csharp
+services.AddSingleton<IDoctorPlugin, MyCustomPlugin>();
+```
+
+## Architecture
+
+```
++------------------+     +------------------+     +------------------+
+|       CLI        |     |        UI        |     |    External      |
+|  stella doctor   |     |   /ops/doctor    |     |   Monitoring     |
++--------+---------+     +--------+---------+     +--------+---------+
+         |                        |                        |
+         v                        v                        v
++------------------------------------------------------------------------+
+|                         Doctor API Layer                                |
+|  POST /api/v1/doctor/run    GET /api/v1/doctor/checks                  |
+|  GET /api/v1/doctor/report  WebSocket /api/v1/doctor/stream            |
++------------------------------------------------------------------------+
+         |
+         v
++------------------------------------------------------------------------+
+|                      Doctor Engine (Core)                               |
+|  +------------------+  +------------------+  +------------------+       |
+|  | Check Registry   |  | Check Executor   |  | Report Generator |       |
+|  | - Discovery      |  | - Parallel exec  |  | - JSON/MD/Text   |       |
+|  | - Filtering      |  | - Timeout mgmt   |  | - Remediation    |       |
+|  +------------------+  +------------------+  +------------------+       |
++------------------------------------------------------------------------+
+         |
+         v
++------------------------------------------------------------------------+
+|                        Plugin System                                    |
++--------+---------+---------+---------+---------+---------+-------------+
+         |         |         |         |         |         |
+         v         v         v         v         v         v
++--------+  +------+  +------+  +------+  +------+  +------+  +----------+
+| Core   |  | DB & |  |Service|  | SCM  |  |Regis-|  |Observ-|  |Security |
+| Plugin |  |Migra-|  | Graph |  |Plugin|  | try  |  |ability|  | Plugin  |
+|        |  | tions|  |Plugin |  |      |  |Plugin|  |Plugin |  |         |
++--------+  +------+  +------+  +------+  +------+  +------+  +----------+
+```
+
+## Related Documentation
+
+- [CLI Reference](./cli-reference.md) - Complete CLI command reference
+- [Doctor Capabilities Specification](./doctor-capabilities.md) - Full technical specification
+- [Plugin Development Guide](./plugin-development.md) - Creating custom plugins
+
+## Troubleshooting
+
+### Doctor Engine Error (Exit Code 3)
+
+If `stella doctor` returns exit code 3:
+
+1. Check the error message for details
+2. Verify required services are running
+3. Check connectivity to databases
+4. Review logs at `/var/log/stellaops/doctor.log`
+
+### Timeout Exceeded (Exit Code 5)
+
+If checks are timing out:
+
+```bash
+# Increase per-check timeout
+stella doctor --timeout 60s
+
+# Run with reduced parallelism
+stella doctor --parallel 2
+```
+
+### Checks Not Found
+
+If expected checks are not appearing:
+
+1. Verify plugin is registered in DI
+2. Check `CanRun()` returns true for your environment
+3. Review plugin initialization logs

docs/doctor/cli-reference.md

@@ -0,0 +1,396 @@
+# Doctor CLI Reference
+
+> Complete reference for `stella doctor` commands
+
+## Commands
+
+### stella doctor
+
+Run diagnostic checks.
+
+```bash
+stella doctor [options]
+```
+
+#### Options
+
+| Option | Short | Type | Default | Description |
+|--------|-------|------|---------|-------------|
+| `--format` | `-f` | enum | `text` | Output format: `text`, `json`, `markdown` |
+| `--quick` | `-q` | flag | false | Run only quick checks (tagged `quick`) |
+| `--full` | | flag | false | Run all checks including slow/intensive |
+| `--category` | `-c` | string[] | all | Filter by category |
+| `--plugin` | `-p` | string[] | all | Filter by plugin ID |
+| `--check` | | string | | Run single check by ID |
+| `--severity` | `-s` | enum[] | all | Filter output by severity |
+| `--timeout` | `-t` | duration | 30s | Per-check timeout |
+| `--parallel` | | int | 4 | Max parallel check execution |
+| `--no-remediation` | | flag | false | Skip remediation output |
+| `--verbose` | `-v` | flag | false | Include detailed evidence |
+
+#### Categories
+
+- `core` - Configuration, runtime, system checks
+- `database` - Database connectivity, migrations, pools
+- `service-graph` - Service health, gateway, routing
+- `security` - Authentication, TLS, secrets
+- `integration` - SCM, registry integrations
+- `observability` - Telemetry, logging, metrics
+
+#### Examples
+
+```bash
+# Quick health check
+stella doctor
+
+# Full diagnostic
+stella doctor --full
+
+# Database checks only
+stella doctor --category database
+
+# GitHub integration checks
+stella doctor --plugin scm.github
+
+# Single check
+stella doctor --check check.database.connectivity
+
+# JSON output (for CI/CD)
+stella doctor --format json
+
+# Show only failures and warnings
+stella doctor --severity fail,warn
+
+# Markdown report
+stella doctor --format markdown > doctor-report.md
+
+# Verbose with all evidence
+stella doctor --verbose
+
+# Custom timeout and parallelism
+stella doctor --timeout 60s --parallel 2
+```
+
+### stella doctor export
+
+Generate a diagnostic bundle for support.
+
+```bash
+stella doctor export [options]
+```
+
+#### Options
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `--output` | path | `diagnostic-bundle.zip` | Output file path |
+| `--include-logs` | flag | false | Include recent log files |
+| `--log-duration` | duration | `1h` | Duration of logs to include |
+| `--no-config` | flag | false | Exclude configuration |
+
+#### Duration Format
+
+Duration values can be specified as:
+- `30m` - 30 minutes
+- `1h` - 1 hour
+- `4h` - 4 hours
+- `24h` or `1d` - 24 hours
+
+#### Examples
+
+```bash
+# Basic export
+stella doctor export --output diagnostic.zip
+
+# Include logs from last 4 hours
+stella doctor export --include-logs --log-duration 4h
+
+# Without configuration (for privacy)
+stella doctor export --no-config
+
+# Full bundle with logs
+stella doctor export \
+  --output support-bundle.zip \
+  --include-logs \
+  --log-duration 24h
+```
+
+#### Bundle Contents
+
+The export creates a ZIP archive containing:
+
+```
+diagnostic-bundle.zip
++-- README.md                 # Bundle contents guide
++-- doctor-report.json        # Full diagnostic report
++-- doctor-report.md          # Human-readable report
++-- environment.json          # Environment information
++-- system-info.json          # System details
++-- config-sanitized.json     # Configuration (secrets redacted)
++-- logs/                     # Log files (if --include-logs)
+    +-- stellaops-*.log
+```
+
+### stella doctor list
+
+List available checks.
+
+```bash
+stella doctor list [options]
+```
+
+#### Options
+
+| Option | Type | Description |
+|--------|------|-------------|
+| `--category` | string | Filter by category |
+| `--plugin` | string | Filter by plugin |
+| `--format` | enum | Output format: `text`, `json` |
+
+#### Examples
+
+```bash
+# List all checks
+stella doctor list
+
+# List database checks
+stella doctor list --category database
+
+# List as JSON
+stella doctor list --format json
+```
+
+## Exit Codes
+
+| Code | Name | Description |
+|------|------|-------------|
+| 0 | `Success` | All checks passed |
+| 1 | `Warnings` | One or more warnings, no failures |
+| 2 | `Failures` | One or more checks failed |
+| 3 | `EngineError` | Doctor engine error |
+| 4 | `InvalidArgs` | Invalid command arguments |
+| 5 | `Timeout` | Timeout exceeded |
+
+### Using Exit Codes in Scripts
+
+```bash
+#!/bin/bash
+
+stella doctor --format json > report.json
+exit_code=$?
+
+case $exit_code in
+    0)
+        echo "All checks passed"
+        ;;
+    1)
+        echo "Warnings detected - review report"
+        ;;
+    2)
+        echo "Failures detected - action required"
+        exit 1
+        ;;
+    *)
+        echo "Doctor error (code: $exit_code)"
+        exit 1
+        ;;
+esac
+```
+
+## CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+- name: Run Stella Doctor
+  run: |
+    stella doctor --format json --severity fail,warn > doctor-report.json
+    exit_code=$?
+    if [ $exit_code -eq 2 ]; then
+      echo "::error::Doctor checks failed"
+      cat doctor-report.json
+      exit 1
+    fi
+```
+
+### GitLab CI
+
+```yaml
+doctor:
+  stage: validate
+  script:
+    - stella doctor --format json > doctor-report.json
+  artifacts:
+    when: always
+    paths:
+      - doctor-report.json
+  allow_failure:
+    exit_codes:
+      - 1  # Allow warnings
+```
+
+### Jenkins
+
+```groovy
+stage('Health Check') {
+    steps {
+        script {
+            def result = sh(
+                script: 'stella doctor --format json',
+                returnStatus: true
+            )
+            if (result == 2) {
+                error "Doctor checks failed"
+            }
+        }
+    }
+}
+```
+
+## Output Formats
+
+### Text Format (Default)
+
+Human-readable console output with colors and formatting.
+
+```
+Stella Ops Doctor
+=================
+
+Running 47 checks across 8 plugins...
+
+[PASS] check.config.required
+  All required configuration values are present
+
+[FAIL] check.database.migrations.pending
+  Diagnosis: 3 pending migrations in schema 'auth'
+
+  Fix Steps:
+    # Apply migrations
+    stella system migrations-run --module Authority
+
+--------------------------------------------------------------------------------
+Summary: 46 passed, 0 warnings, 1 failed (47 total)
+Duration: 8.3s
+--------------------------------------------------------------------------------
+```
+
+### JSON Format
+
+Machine-readable format for automation:
+
+```json
+{
+  "summary": {
+    "total": 47,
+    "passed": 46,
+    "warnings": 0,
+    "failures": 1,
+    "skipped": 0,
+    "duration": "PT8.3S"
+  },
+  "executedAt": "2026-01-12T14:30:00Z",
+  "checks": [
+    {
+      "checkId": "check.config.required",
+      "pluginId": "stellaops.doctor.core",
+      "category": "Core",
+      "severity": "Pass",
+      "diagnosis": "All required configuration values are present",
+      "evidence": {
+        "description": "Configuration validated",
+        "data": {
+          "configSource": "appsettings.json",
+          "keysChecked": "42"
+        }
+      },
+      "duration": "PT0.012S"
+    },
+    {
+      "checkId": "check.database.migrations.pending",
+      "pluginId": "stellaops.doctor.database",
+      "category": "Database",
+      "severity": "Fail",
+      "diagnosis": "3 pending migrations in schema 'auth'",
+      "evidence": {
+        "description": "Migration status",
+        "data": {
+          "schema": "auth",
+          "pendingCount": "3"
+        }
+      },
+      "remediation": {
+        "steps": [
+          {
+            "order": 1,
+            "description": "Apply pending migrations",
+            "command": "stella system migrations-run --module Authority",
+            "commandType": "Shell"
+          }
+        ]
+      },
+      "duration": "PT0.234S"
+    }
+  ]
+}
+```
+
+### Markdown Format
+
+Formatted for documentation and reports:
+
+```markdown
+# Stella Ops Doctor Report
+
+**Generated:** 2026-01-12T14:30:00Z
+**Duration:** 8.3s
+
+## Summary
+
+| Status | Count |
+|--------|-------|
+| Passed | 46 |
+| Warnings | 0 |
+| Failures | 1 |
+| Skipped | 0 |
+| **Total** | **47** |
+
+## Failed Checks
+
+### check.database.migrations.pending
+
+**Status:** FAIL
+**Plugin:** stellaops.doctor.database
+**Category:** Database
+
+**Diagnosis:** 3 pending migrations in schema 'auth'
+
+**Evidence:**
+- Schema: auth
+- Pending count: 3
+
+**Fix Steps:**
+1. Apply pending migrations
+   ```bash
+   stella system migrations-run --module Authority
+   ```
+
+## Passed Checks
+
+- check.config.required
+- check.database.connectivity
+- ... (44 more)
+```
+
+## Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `STELLAOPS_DOCTOR_TIMEOUT` | Default per-check timeout |
+| `STELLAOPS_DOCTOR_PARALLEL` | Default parallelism |
+| `STELLAOPS_CONFIG_PATH` | Configuration file path |
+
+## See Also
+
+- [Doctor Overview](./README.md)
+- [Doctor Capabilities Specification](./doctor-capabilities.md)

docs/examples/binary-diff/README.md

@@ -0,0 +1,55 @@
+# Binary Diff Examples
+
+This directory contains examples demonstrating the binary diff attestation feature.
+
+## Prerequisites
+
+- StellaOps CLI (`stella`) installed
+- Access to a container registry
+- Docker or containerd runtime (for image pulling)
+
+## Examples
+
+### Basic Comparison
+
+[basic-comparison.md](./basic-comparison.md) - Simple binary diff between two image versions
+
+### DSSE Attestation
+
+[dsse-attestation.md](./dsse-attestation.md) - Generating and verifying DSSE-signed attestations
+
+### Policy Integration
+
+[policy-integration.md](./policy-integration.md) - Using binary diff evidence in policy rules
+
+### CI/CD Integration
+
+[ci-cd-integration.md](./ci-cd-integration.md) - GitHub Actions and GitLab CI examples
+
+## Sample Outputs
+
+The `sample-outputs/` directory contains:
+
+- `diff-table.txt` - Sample table-formatted output
+- `diff.json` - Sample JSON output
+- `attestation.dsse.json` - Sample DSSE envelope
+
+## Quick Start
+
+```bash
+# Compare two image versions
+stella scan diff --base myapp:1.0.0 --target myapp:1.0.1
+
+# Generate attestation
+stella scan diff --base myapp:1.0.0 --target myapp:1.0.1 \
+  --mode=elf --emit-dsse=./attestations/
+
+# Verify attestation
+stella verify attestation ./attestations/linux-amd64-binarydiff.dsse.json
+```
+
+## Related Documentation
+
+- [Binary Diff Attestation Architecture](../../modules/scanner/binary-diff-attestation.md)
+- [BinaryDiffV1 JSON Schema](../../schemas/binarydiff-v1.schema.json)
+- [CLI Reference](../../API_CLI_REFERENCE.md#stella-scan-diff)

docs/examples/binary-diff/basic-comparison.md

@@ -0,0 +1,143 @@
+# Basic Binary Comparison
+
+This example demonstrates how to perform a basic binary diff between two container image versions.
+
+## Scenario
+
+You have deployed `myapp:1.0.0` and want to understand what binary changes are in `myapp:1.0.1` before upgrading.
+
+## Prerequisites
+
+```bash
+# Ensure stella CLI is installed
+stella --version
+
+# Verify registry access
+stella registry ping docker://registry.example.com
+```
+
+## Basic Comparison
+
+### Table Output (Default)
+
+```bash
+stella scan diff \
+  --base docker://registry.example.com/myapp:1.0.0 \
+  --target docker://registry.example.com/myapp:1.0.1
+```
+
+Output:
+```
+Binary Diff: docker://registry.example.com/myapp:1.0.0 -> docker://registry.example.com/myapp:1.0.1
+Platform: linux/amd64
+Analysis Mode: ELF Section Hashes
+
+PATH                              CHANGE      VERDICT    CONFIDENCE
+--------------------------------------------------------------------------------
+/usr/lib/libssl.so.3              modified    patched    0.95
+/usr/lib/libcrypto.so.3           modified    patched    0.92
+/app/bin/myapp                    modified    vanilla    0.98
+
+Summary: 156 binaries analyzed, 3 modified, 153 unchanged
+```
+
+### JSON Output
+
+```bash
+stella scan diff \
+  --base docker://registry.example.com/myapp:1.0.0 \
+  --target docker://registry.example.com/myapp:1.0.1 \
+  --format=json > diff.json
+```
+
+The JSON output contains detailed section-level information. See [sample-outputs/diff.json](./sample-outputs/diff.json) for a complete example.
+
+### Summary Output
+
+```bash
+stella scan diff \
+  --base docker://registry.example.com/myapp:1.0.0 \
+  --target docker://registry.example.com/myapp:1.0.1 \
+  --format=summary
+```
+
+Output:
+```
+Binary Diff Summary
+-------------------
+Base:     docker://registry.example.com/myapp:1.0.0 (sha256:abc123...)
+Target:   docker://registry.example.com/myapp:1.0.1 (sha256:def456...)
+Platform: linux/amd64
+
+Binaries: 156 total, 3 modified, 153 unchanged
+Verdicts: 2 patched, 1 vanilla
+```
+
+## Using Digest References
+
+For immutable references, use digests instead of tags:
+
+```bash
+stella scan diff \
+  --base docker://registry.example.com/myapp@sha256:abc123... \
+  --target docker://registry.example.com/myapp@sha256:def456...
+```
+
+## Filtering by Platform
+
+For multi-arch images, specify the platform:
+
+```bash
+# Linux AMD64 only
+stella scan diff \
+  --base myapp:1.0.0 \
+  --target myapp:1.0.1 \
+  --platform=linux/amd64
+
+# Linux ARM64
+stella scan diff \
+  --base myapp:1.0.0 \
+  --target myapp:1.0.1 \
+  --platform=linux/arm64
+```
+
+## Including Unchanged Binaries
+
+By default, unchanged binaries are excluded from output. To include them:
+
+```bash
+stella scan diff \
+  --base myapp:1.0.0 \
+  --target myapp:1.0.1 \
+  --include-unchanged
+```
+
+## Verbose Output
+
+For debugging or detailed progress:
+
+```bash
+stella scan diff \
+  --base myapp:1.0.0 \
+  --target myapp:1.0.1 \
+  --verbose
+```
+
+Output includes:
+- Layer download progress
+- Binary detection details
+- Section hash computation progress
+
+## Understanding Verdicts
+
+| Verdict | Meaning | Action |
+|---------|---------|--------|
+| `patched` | High confidence that a security patch was applied | Review changelog, consider safe to upgrade |
+| `vanilla` | Standard code change, no backport evidence | Normal release update |
+| `unknown` | Cannot determine patch status | Manual review recommended |
+
+## Next Steps
+
+- [Generate DSSE Attestations](./dsse-attestation.md) for audit trail
+- [Integrate with Policy](./policy-integration.md) for automated gates
+- [Add to CI/CD](./ci-cd-integration.md) for continuous verification

docs/examples/binary-diff/ci-cd-integration.md

@@ -0,0 +1,371 @@
+# CI/CD Integration
+
+This example demonstrates how to integrate binary diff attestation into your CI/CD pipelines.
+
+## GitHub Actions
+
+### Basic Workflow
+
+```yaml
+# .github/workflows/binary-diff.yml
+name: Binary Diff Attestation
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  binary-diff:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write  # For keyless signing
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Stella CLI
+        uses: stellaops/setup-stella@v1
+        with:
+          version: 'latest'
+
+      - name: Login to Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get Previous Tag
+        id: prev-tag
+        run: |
+          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+          echo "tag=$PREV_TAG" >> $GITHUB_OUTPUT
+
+      - name: Binary Diff
+        if: steps.prev-tag.outputs.tag != ''
+        run: |
+          stella scan diff \
+            --base ghcr.io/${{ github.repository }}:${{ steps.prev-tag.outputs.tag }} \
+            --target ghcr.io/${{ github.repository }}:${{ github.ref_name }} \
+            --mode=elf \
+            --emit-dsse=./attestations/ \
+            --format=json > diff.json
+
+      - name: Upload Attestations
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-diff-attestations
+          path: |
+            attestations/
+            diff.json
+
+      - name: Attach Attestation to Image
+        run: |
+          # Using cosign to attach attestation
+          cosign attach attestation \
+            --attestation ./attestations/linux-amd64-binarydiff.dsse.json \
+            ghcr.io/${{ github.repository }}:${{ github.ref_name }}
+```
+
+### With Release Gate
+
+```yaml
+# .github/workflows/release-gate.yml
+name: Release Gate with Binary Diff
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_version:
+        description: 'Base version to compare'
+        required: true
+      target_version:
+        description: 'Target version to release'
+        required: true
+
+jobs:
+  binary-diff-gate:
+    runs-on: ubuntu-latest
+    outputs:
+      verdict: ${{ steps.analyze.outputs.verdict }}
+
+    steps:
+      - name: Setup Stella CLI
+        uses: stellaops/setup-stella@v1
+
+      - name: Binary Diff Analysis
+        id: diff
+        run: |
+          stella scan diff \
+            --base myapp:${{ inputs.base_version }} \
+            --target myapp:${{ inputs.target_version }} \
+            --format=json > diff.json
+
+      - name: Analyze Results
+        id: analyze
+        run: |
+          # Check for unknown verdicts
+          UNKNOWN_COUNT=$(jq '.summary.verdicts.unknown // 0' diff.json)
+          if [ "$UNKNOWN_COUNT" -gt "0" ]; then
+            echo "verdict=review-required" >> $GITHUB_OUTPUT
+            echo "::warning::Found $UNKNOWN_COUNT binaries with unknown verdicts"
+          else
+            echo "verdict=approved" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Gate Decision
+        if: steps.analyze.outputs.verdict == 'review-required'
+        run: |
+          echo "Manual review required for unknown binary changes"
+          exit 1
+```
+
+## GitLab CI
+
+### Basic Pipeline
+
+```yaml
+# .gitlab-ci.yml
+stages:
+  - build
+  - analyze
+  - release
+
+variables:
+  STELLA_VERSION: "latest"
+
+binary-diff:
+  stage: analyze
+  image: stellaops/cli:${STELLA_VERSION}
+  script:
+    - |
+      # Get previous tag
+      PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+
+      if [ -n "$PREV_TAG" ]; then
+        stella scan diff \
+          --base ${CI_REGISTRY_IMAGE}:${PREV_TAG} \
+          --target ${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG} \
+          --mode=elf \
+          --emit-dsse=attestations/ \
+          --format=json > diff.json
+
+        # Upload to GitLab artifacts
+        echo "Binary diff completed"
+      else
+        echo "No previous tag found, skipping diff"
+      fi
+  artifacts:
+    paths:
+      - attestations/
+      - diff.json
+    expire_in: 30 days
+  only:
+    - tags
+```
+
+### With Security Gate
+
+```yaml
+# .gitlab-ci.yml
+security-gate:
+  stage: analyze
+  image: stellaops/cli:latest
+  script:
+    - |
+      stella scan diff \
+        --base ${CI_REGISTRY_IMAGE}:${BASE_VERSION} \
+        --target ${CI_REGISTRY_IMAGE}:${TARGET_VERSION} \
+        --format=json > diff.json
+
+      # Fail if any unknown verdicts
+      UNKNOWN=$(jq '.summary.verdicts.unknown // 0' diff.json)
+      if [ "$UNKNOWN" -gt "0" ]; then
+        echo "Security gate failed: $UNKNOWN unknown binary changes"
+        jq '.findings[] | select(.verdict == "unknown")' diff.json
+        exit 1
+      fi
+
+      echo "Security gate passed"
+  allow_failure: false
+```
+
+## Jenkins Pipeline
+
+```groovy
+// Jenkinsfile
+pipeline {
+    agent any
+
+    environment {
+        STELLA_VERSION = 'latest'
+    }
+
+    stages {
+        stage('Binary Diff') {
+            steps {
+                script {
+                    def prevTag = sh(
+                        script: 'git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo ""',
+                        returnStdout: true
+                    ).trim()
+
+                    if (prevTag) {
+                        sh """
+                            stella scan diff \\
+                                --base ${REGISTRY}/${IMAGE}:${prevTag} \\
+                                --target ${REGISTRY}/${IMAGE}:${TAG} \\
+                                --mode=elf \\
+                                --emit-dsse=attestations/ \\
+                                --format=json > diff.json
+                        """
+
+                        archiveArtifacts artifacts: 'attestations/*, diff.json'
+
+                        // Parse and check results
+                        def diff = readJSON file: 'diff.json'
+                        if (diff.summary.verdicts.unknown > 0) {
+                            unstable("Found ${diff.summary.verdicts.unknown} unknown binary changes")
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+```
+
+## Azure DevOps
+
+```yaml
+# azure-pipelines.yml
+trigger:
+  tags:
+    include:
+      - v*
+
+pool:
+  vmImage: 'ubuntu-latest'
+
+steps:
+  - task: Bash@3
+    displayName: 'Install Stella CLI'
+    inputs:
+      targetType: 'inline'
+      script: |
+        curl -sSL https://get.stellaops.io | sh
+        stella --version
+
+  - task: Docker@2
+    displayName: 'Login to Registry'
+    inputs:
+      containerRegistry: 'myRegistry'
+      command: 'login'
+
+  - task: Bash@3
+    displayName: 'Binary Diff'
+    inputs:
+      targetType: 'inline'
+      script: |
+        PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+        if [ -n "$PREV_TAG" ]; then
+          stella scan diff \
+            --base $(REGISTRY)/$(IMAGE):${PREV_TAG} \
+            --target $(REGISTRY)/$(IMAGE):$(Build.SourceBranchName) \
+            --mode=elf \
+            --emit-dsse=$(Build.ArtifactStagingDirectory)/attestations/ \
+            --format=json > $(Build.ArtifactStagingDirectory)/diff.json
+        fi
+
+  - task: PublishBuildArtifacts@1
+    inputs:
+      pathToPublish: '$(Build.ArtifactStagingDirectory)'
+      artifactName: 'binary-diff'
+```
+
+## Best Practices
+
+### 1. Always Use Digest References in Production
+
+```bash
+# Instead of tags
+stella scan diff --base myapp:v1.0.0 --target myapp:v1.0.1
+
+# Use digests for immutability
+stella scan diff \
+  --base myapp@sha256:abc123... \
+  --target myapp@sha256:def456...
+```
+
+### 2. Store Attestations with Releases
+
+Attach DSSE attestations to your container images or store them alongside release artifacts.
+
+### 3. Set Appropriate Timeouts
+
+```bash
+# For large images, increase timeout
+stella scan diff \
+  --base myapp:v1 \
+  --target myapp:v2 \
+  --timeout=600
+```
+
+### 4. Use Caching
+
+```yaml
+# GitHub Actions with caching
+- uses: actions/cache@v4
+  with:
+    path: ~/.stella/cache
+    key: stella-${{ runner.os }}-${{ hashFiles('**/Dockerfile') }}
+```
+
+### 5. Fail Fast on Critical Issues
+
+```bash
+# Exit code indicates issues
+stella scan diff --base old --target new --format=json > diff.json
+if [ $? -ne 0 ]; then
+  echo "Diff failed"
+  exit 1
+fi
+
+# Check for critical verdicts
+jq -e '.summary.verdicts.unknown == 0' diff.json || exit 1
+```
+
+## Troubleshooting
+
+### Registry Authentication
+
+```bash
+# Use Docker config
+stella scan diff \
+  --base myapp:v1 \
+  --target myapp:v2 \
+  --registry-auth=~/.docker/config.json
+```
+
+### Platform Issues
+
+```bash
+# Explicitly specify platform for multi-arch
+stella scan diff \
+  --base myapp:v1 \
+  --target myapp:v2 \
+  --platform=linux/amd64
+```
+
+### Timeout Issues
+
+```bash
+# Increase timeout for slow registries
+stella scan diff \
+  --base myapp:v1 \
+  --target myapp:v2 \
+  --timeout=900
+```

docs/examples/binary-diff/sample-outputs/attestation.dsse.json

@@ -0,0 +1,17 @@
+{
+  "payloadType": "stellaops.binarydiff.v1",
+  "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiZG9ja2VyOi8vcmVnaXN0cnkuZXhhbXBsZS5jb20vYXBwQHNoYTI1NjpkZWY0NTZhYmM3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1NjdlZmdoIiwiZGlnZXN0Ijp7InNoYTI1NiI6ImRlZjQ1NmFiYzc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2N2VmZ2gifX1dLCJwcmVkaWNhdGVUeXBlIjoic3RlbGxhb3BzLmJpbmFyeWRpZmYudjEiLCJwcmVkaWNhdGUiOnsiaW5wdXRzIjp7ImJhc2UiOnsiZGlnZXN0Ijoic2hhMjU2OmFiYzEyM2RlZjQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNGFiY2QifSwidGFyZ2V0Ijp7ImRpZ2VzdCI6InNoYTI1NjpkZWY0NTZhYmM3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1NjdlZmdoIn19LCJmaW5kaW5ncyI6W3sicGF0aCI6Ii91c3IvbGliL2xpYnNzbC5zby4zIiwiY2hhbmdlVHlwZSI6Im1vZGlmaWVkIiwidmVyZGljdCI6InBhdGNoZWQiLCJjb25maWRlbmNlIjowLjk1fV0sIm1ldGFkYXRhIjp7InRvb2xWZXJzaW9uIjoiMS4wLjAiLCJhbmFseXNpc1RpbWVzdGFtcCI6IjIwMjYtMDEtMTNUMTI6MDA6MDBaIn19fQ==",
+  "signatures": [
+    {
+      "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
+      "sig": "MEUCIQDKZokqnCjrRtw5EXP14JvsBwFDRPfCp9K0UoOlWGdlDQIgSNpOGPqKNLv5MNZLYc5iE7q5b3wW6K0cDpjNxBxCWdU="
+    }
+  ],
+  "_note": "This is a sample DSSE envelope for documentation purposes. The payload is base64-encoded and contains an in-toto statement with a BinaryDiffV1 predicate. In production, the signature would be cryptographically valid.",
+  "_rekorMetadata": {
+    "logIndex": 12345678,
+    "entryUuid": "24296fb24b8ad77aa3e6b0d1b6e0e3a0c9f8d7e6b5a4c3d2e1f0a9b8c7d6e5f4",
+    "integratedTime": "2026-01-13T12:00:05Z",
+    "logUrl": "https://rekor.sigstore.dev"
+  }
+}

docs/examples/binary-diff/sample-outputs/diff-table.txt

@@ -0,0 +1,27 @@
+Binary Diff: docker://registry.example.com/app:1.0.0 -> docker://registry.example.com/app:1.0.1
+Platform: linux/amd64
+Analysis Mode: ELF Section Hashes
+Analyzed Sections: .text, .rodata, .data, .symtab, .dynsym
+
+PATH                              CHANGE      VERDICT    CONFIDENCE  SECTIONS CHANGED
+--------------------------------------------------------------------------------------------------
+/usr/lib/x86_64-linux-gnu/libssl.so.3        modified    patched    0.95        .text, .rodata
+/usr/lib/x86_64-linux-gnu/libcrypto.so.3     modified    patched    0.92        .text
+/usr/bin/openssl                             modified    unknown    0.75        .text, .data, .symtab
+/lib/x86_64-linux-gnu/libc.so.6              unchanged   -          -           -
+/lib/x86_64-linux-gnu/libpthread.so.0        unchanged   -          -           -
+/usr/lib/x86_64-linux-gnu/libz.so.1          unchanged   -          -           -
+/app/bin/myapp                               modified    vanilla    0.98        .text, .rodata, .data
+
+Summary
+-------
+Total binaries analyzed: 156
+Modified: 4
+Unchanged: 152
+
+Verdicts:
+  Patched:  2 (high confidence backport detected)
+  Vanilla:  1 (standard update, no backport evidence)
+  Unknown:  1 (insufficient evidence for classification)
+
+Analysis completed in 12.4s

docs/examples/binary-diff/sample-outputs/diff.json

@@ -0,0 +1,179 @@
+{
+  "schemaVersion": "1.0.0",
+  "base": {
+    "reference": "docker://registry.example.com/app:1.0.0",
+    "digest": "sha256:abc123def456789012345678901234567890123456789012345678901234abcd",
+    "manifestDigest": "sha256:111222333444555666777888999000aaabbbcccdddeeefff000111222333444555"
+  },
+  "target": {
+    "reference": "docker://registry.example.com/app:1.0.1",
+    "digest": "sha256:def456abc789012345678901234567890123456789012345678901234567efgh",
+    "manifestDigest": "sha256:666777888999000aaabbbcccdddeeefff000111222333444555666777888999000"
+  },
+  "platform": {
+    "os": "linux",
+    "architecture": "amd64"
+  },
+  "analysisMode": "elf",
+  "timestamp": "2026-01-13T12:00:00.000000Z",
+  "findings": [
+    {
+      "path": "/usr/lib/x86_64-linux-gnu/libssl.so.3",
+      "changeType": "modified",
+      "binaryFormat": "elf",
+      "layerDigest": "sha256:aaa111bbb222ccc333ddd444eee555fff666777888999000aaabbbcccdddeeef",
+      "baseHashes": {
+        "buildId": "abc123def456789012345678",
+        "fileHash": "1111111111111111111111111111111111111111111111111111111111111111",
+        "sections": {
+          ".text": {
+            "sha256": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+            "size": 524288,
+            "offset": 4096
+          },
+          ".rodata": {
+            "sha256": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+            "size": 131072,
+            "offset": 528384
+          }
+        }
+      },
+      "targetHashes": {
+        "buildId": "def789abc012345678901234",
+        "fileHash": "2222222222222222222222222222222222222222222222222222222222222222",
+        "sections": {
+          ".text": {
+            "sha256": "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
+            "size": 524544,
+            "offset": 4096
+          },
+          ".rodata": {
+            "sha256": "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd",
+            "size": 131200,
+            "offset": 528640
+          }
+        }
+      },
+      "sectionDeltas": [
+        {
+          "section": ".text",
+          "status": "modified",
+          "baseSha256": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+          "targetSha256": "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
+          "sizeDelta": 256
+        },
+        {
+          "section": ".rodata",
+          "status": "modified",
+          "baseSha256": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+          "targetSha256": "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd",
+          "sizeDelta": 128
+        },
+        {
+          "section": ".data",
+          "status": "identical",
+          "baseSha256": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
+          "targetSha256": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
+          "sizeDelta": 0
+        },
+        {
+          "section": ".symtab",
+          "status": "identical",
+          "baseSha256": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+          "targetSha256": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+          "sizeDelta": 0
+        }
+      ],
+      "confidence": 0.95,
+      "verdict": "patched"
+    },
+    {
+      "path": "/usr/lib/x86_64-linux-gnu/libcrypto.so.3",
+      "changeType": "modified",
+      "binaryFormat": "elf",
+      "layerDigest": "sha256:aaa111bbb222ccc333ddd444eee555fff666777888999000aaabbbcccdddeeef",
+      "sectionDeltas": [
+        {
+          "section": ".text",
+          "status": "modified",
+          "sizeDelta": 1024
+        },
+        {
+          "section": ".rodata",
+          "status": "identical",
+          "sizeDelta": 0
+        }
+      ],
+      "confidence": 0.92,
+      "verdict": "patched"
+    },
+    {
+      "path": "/usr/bin/openssl",
+      "changeType": "modified",
+      "binaryFormat": "elf",
+      "sectionDeltas": [
+        {
+          "section": ".text",
+          "status": "modified",
+          "sizeDelta": 512
+        },
+        {
+          "section": ".data",
+          "status": "modified",
+          "sizeDelta": 64
+        },
+        {
+          "section": ".symtab",
+          "status": "modified",
+          "sizeDelta": 128
+        }
+      ],
+      "confidence": 0.75,
+      "verdict": "unknown"
+    },
+    {
+      "path": "/app/bin/myapp",
+      "changeType": "modified",
+      "binaryFormat": "elf",
+      "sectionDeltas": [
+        {
+          "section": ".text",
+          "status": "modified",
+          "sizeDelta": 2048
+        },
+        {
+          "section": ".rodata",
+          "status": "modified",
+          "sizeDelta": 512
+        },
+        {
+          "section": ".data",
+          "status": "modified",
+          "sizeDelta": 128
+        }
+      ],
+      "confidence": 0.98,
+      "verdict": "vanilla"
+    }
+  ],
+  "summary": {
+    "totalBinaries": 156,
+    "modified": 4,
+    "unchanged": 152,
+    "added": 0,
+    "removed": 0,
+    "verdicts": {
+      "patched": 2,
+      "vanilla": 1,
+      "unknown": 1,
+      "incompatible": 0
+    },
+    "sectionsAnalyzed": [".text", ".rodata", ".data", ".symtab", ".dynsym"],
+    "analysisDurationMs": 12400
+  },
+  "metadata": {
+    "toolVersion": "1.0.0",
+    "analysisTimestamp": "2026-01-13T12:00:00.000000Z",
+    "configDigest": "sha256:config123456789abcdef0123456789abcdef0123456789abcdef0123456789ab"
+  }
+}

docs/implplan/SPRINT_20260112_003_BE_csproj_audit_pending_apply.md

@@ -23,20 +23,20 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | AUDIT-HOTLIST-SCANNER-LANG-DOTNET-0001 | TODO | Approved 2026-01-12; Hotlist S3/M1/Q0 | Guild - Scanner | Remediate hotlist findings for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj`; apply fixes, add tests, update audit tracker. |
+| 1 | AUDIT-HOTLIST-SCANNER-LANG-DOTNET-0001 | DONE | Applied 2026-01-12 | Guild - Scanner | Remediate hotlist findings for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/StellaOps.Scanner.Analyzers.Lang.DotNet.csproj`; apply fixes, add tests, update audit tracker. |
-| 2 | AUDIT-HOTLIST-SCANNER-CONTRACTS-0001 | TODO | Approved 2026-01-12; Hotlist S3/M0/Q0 | Guild - Scanner | Remediate hotlist findings for `src/Scanner/__Libraries/StellaOps.Scanner.Contracts/StellaOps.Scanner.Contracts.csproj`; apply fixes, add tests, update audit tracker. |
+| 2 | AUDIT-HOTLIST-SCANNER-CONTRACTS-0001 | DONE | Applied 2026-01-12 | Guild - Scanner | Remediate hotlist findings for `src/Scanner/__Libraries/StellaOps.Scanner.Contracts/StellaOps.Scanner.Contracts.csproj`; apply fixes, add tests, update audit tracker. |
-| 3 | AUDIT-HOTLIST-CLI-0001 | TODO | Approved 2026-01-12; Hotlist S2/M5/Q3 | Guild - CLI | Remediate hotlist findings for `src/Cli/StellaOps.Cli/StellaOps.Cli.csproj`; apply fixes, add tests, update audit tracker. |
+| 3 | AUDIT-HOTLIST-CLI-0001 | BLOCKED | Blocked: CLI tests under active edit; avoid touching other agent work | Guild - CLI | Remediate hotlist findings for `src/Cli/StellaOps.Cli/StellaOps.Cli.csproj`; apply fixes, add tests, update audit tracker. |
-| 4 | AUDIT-HOTLIST-EXPORTCENTER-WEBSERVICE-0001 | TODO | Approved 2026-01-12; Hotlist S2/M4/Q0 | Guild - ExportCenter | Remediate hotlist findings for `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj`; apply fixes, add tests, update audit tracker. |
+| 4 | AUDIT-HOTLIST-EXPORTCENTER-WEBSERVICE-0001 | DONE | Applied 2026-01-13; tests added and tracker updated | Guild - ExportCenter | Remediate hotlist findings for `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj`; apply fixes, add tests, update audit tracker. |
-| 5 | AUDIT-HOTLIST-POLICY-ENGINE-0001 | TODO | Approved 2026-01-12; Hotlist S2/M3/Q2 | Guild - Policy | Remediate hotlist findings for `src/Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj`; apply fixes, add tests, update audit tracker. |
+| 5 | AUDIT-HOTLIST-POLICY-ENGINE-0001 | DONE | Applied 2026-01-13; determinism DI, options binding, auth, tests | Guild - Policy | Remediate hotlist findings for `src/Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj`; apply fixes, add tests, update audit tracker. |
-| 6 | AUDIT-HOTLIST-SCANNER-NATIVE-0001 | TODO | Approved 2026-01-12; Hotlist S2/M3/Q1 | Guild - Scanner | Remediate hotlist findings for `src/Scanner/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj`; apply fixes, add tests, update audit tracker. |
+| 6 | AUDIT-HOTLIST-SCANNER-NATIVE-0001 | DONE | Applied 2026-01-13; tracker updated | Guild - Scanner | Remediate hotlist findings for `src/Scanner/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj`; apply fixes, add tests, update audit tracker. |
-| 7 | AUDIT-HOTLIST-SCANNER-WEBSERVICE-0001 | TODO | Approved 2026-01-12; Hotlist S2/M2/Q2 | Guild - Scanner | Remediate hotlist findings for `src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj`; apply fixes, add tests, update audit tracker. |
+| 7 | AUDIT-HOTLIST-SCANNER-WEBSERVICE-0001 | DONE | Applied 2026-01-13; Hotlist S2/M2/Q2 | Guild - Scanner | Remediate hotlist findings for `src/Scanner/StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj`; apply fixes, add tests, update audit tracker. |
-| 8 | AUDIT-HOTLIST-EXPORTCENTER-CORE-0001 | TODO | Approved 2026-01-12; Hotlist S2/M2/Q1 | Guild - ExportCenter | Remediate hotlist findings for `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/StellaOps.ExportCenter.Core.csproj`; apply fixes, add tests, update audit tracker. |
+| 8 | AUDIT-HOTLIST-EXPORTCENTER-CORE-0001 | DOING | In progress 2026-01-13; Hotlist S2/M2/Q1 | Guild - ExportCenter | Remediate hotlist findings for `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/StellaOps.ExportCenter.Core.csproj`; apply fixes, add tests, update audit tracker. |
 | 9 | AUDIT-HOTLIST-SIGNALS-0001 | TODO | Approved 2026-01-12; Hotlist S2/M2/Q1 | Guild - Signals | Remediate hotlist findings for `src/Signals/StellaOps.Signals/StellaOps.Signals.csproj`; apply fixes, add tests, update audit tracker. |
-| 10 | AUDIT-HOTLIST-SCANNER-LANG-DENO-0001 | TODO | Approved 2026-01-12; Hotlist S2/M0/Q0 | Guild - Scanner | Remediate hotlist findings for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/StellaOps.Scanner.Analyzers.Lang.Deno.csproj`; apply fixes, add tests, update audit tracker. |
+| 10 | AUDIT-HOTLIST-SCANNER-LANG-DENO-0001 | DONE | Applied 2026-01-13; runtime hardening, determinism fixes, tests updated | Guild - Scanner | Remediate hotlist findings for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Deno/StellaOps.Scanner.Analyzers.Lang.Deno.csproj`; apply fixes, add tests, update audit tracker. |
 | 11 | AUDIT-HOTLIST-VEXLENS-0001 | TODO | Approved 2026-01-12; Hotlist S1/M4/Q0 | Guild - VexLens | Remediate hotlist findings for `src/VexLens/StellaOps.VexLens/StellaOps.VexLens.csproj`; apply fixes, add tests, update audit tracker. |
 | 12 | AUDIT-HOTLIST-CONCELIER-CORE-0001 | TODO | Approved 2026-01-12; Hotlist S1/M3/Q2 | Guild - Concelier | Remediate hotlist findings for `src/Concelier/__Libraries/StellaOps.Concelier.Core/StellaOps.Concelier.Core.csproj`; apply fixes, add tests, update audit tracker. |
-| 13 | AUDIT-HOTLIST-SCANNER-REACHABILITY-0001 | TODO | Approved 2026-01-12; Hotlist S1/M3/Q1 | Guild - Scanner | Remediate hotlist findings for `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/StellaOps.Scanner.Reachability.csproj`; apply fixes, add tests, update audit tracker. |
+| 13 | AUDIT-HOTLIST-SCANNER-REACHABILITY-0001 | DONE | Applied 2026-01-13; tracker updated | Guild - Scanner | Remediate hotlist findings for `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/StellaOps.Scanner.Reachability.csproj`; apply fixes, add tests, update audit tracker. |
-| 14 | AUDIT-HOTLIST-EVIDENCE-0001 | TODO | Approved 2026-01-12; Hotlist S1/M3/Q0 | Guild - Core | Remediate hotlist findings for `src/__Libraries/StellaOps.Evidence/StellaOps.Evidence.csproj`; apply fixes, add tests, update audit tracker. |
+| 14 | AUDIT-HOTLIST-EVIDENCE-0001 | DONE | Applied 2026-01-13 | Guild - Core | Remediate hotlist findings for `src/__Libraries/StellaOps.Evidence/StellaOps.Evidence.csproj`; apply fixes, add tests, update audit tracker. |
 | 15 | AUDIT-HOTLIST-ZASTAVA-OBSERVER-0001 | TODO | Approved 2026-01-12; Hotlist S1/M3/Q0 | Guild - Zastava | Remediate hotlist findings for `src/Zastava/StellaOps.Zastava.Observer/StellaOps.Zastava.Observer.csproj`; apply fixes, add tests, update audit tracker. |
 | 16 | AUDIT-HOTLIST-TESTKIT-0001 | TODO | Approved 2026-01-12; Hotlist S0/M4/Q1 | Guild - Core | Remediate hotlist findings for `src/__Libraries/StellaOps.TestKit/StellaOps.TestKit.csproj`; apply fixes, add tests, update audit tracker. |
 | 17 | AUDIT-HOTLIST-EXCITITOR-WORKER-0001 | TODO | Approved 2026-01-12; Hotlist S0/M4/Q1 | Guild - Excititor | Remediate hotlist findings for `src/Excititor/StellaOps.Excititor.Worker/StellaOps.Excititor.Worker.csproj`; apply fixes, add tests, update audit tracker. |
@@ -46,7 +46,7 @@
 | 21 | AUDIT-HOTLIST-PROVCACHE-0001 | TODO | Approved 2026-01-12; Hotlist S0/M3/Q1 | Guild - Core | Remediate hotlist findings for `src/__Libraries/StellaOps.Provcache/StellaOps.Provcache.csproj`; apply fixes, add tests, update audit tracker. |
 | 22 | AUDIT-HOTLIST-EXCITITOR-CORE-0001 | TODO | Approved 2026-01-12; Hotlist Q2/S1/M2 | Guild - Excititor | Remediate hotlist findings for `src/Excititor/__Libraries/StellaOps.Excititor.Core/StellaOps.Excititor.Core.csproj`; apply fixes, add tests, update audit tracker. |
 | 23 | AUDIT-HOTLIST-SBOMSERVICE-0001 | TODO | Approved 2026-01-12; Hotlist Q2/S1/M2 | Guild - SbomService | Remediate hotlist findings for `src/SbomService/StellaOps.SbomService/StellaOps.SbomService.csproj`; apply fixes, add tests, update audit tracker. |
-| 24 | AUDIT-HOTLIST-SCANNER-SBOMER-BUILDX-0001 | TODO | Approved 2026-01-12; Hotlist Q2/S1/M2 | Guild - Scanner | Remediate hotlist findings for `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj`; apply fixes, add tests, update audit tracker. |
+| 24 | AUDIT-HOTLIST-SCANNER-SBOMER-BUILDX-0001 | DONE | Applied 2026-01-13; Hotlist Q2/S1/M2 | Guild - Scanner | Remediate hotlist findings for `src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj`; apply fixes, add tests, update audit tracker. |
 | 25 | AUDIT-HOTLIST-ATTESTOR-WEBSERVICE-0001 | TODO | Approved 2026-01-12; Hotlist Q2/S0/M2 | Guild - Attestor | Remediate hotlist findings for `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/StellaOps.Attestor.WebService.csproj`; apply fixes, add tests, update audit tracker. |
 | 26 | AUDIT-HOTLIST-POLICY-TOOLS-0001 | TODO | Approved 2026-01-12; Hotlist Q2/S0/M1 | Guild - Policy | Remediate hotlist findings for `src/__Libraries/StellaOps.Policy.Tools/StellaOps.Policy.Tools.csproj`; apply fixes, add tests, update audit tracker. |
 | 27 | AUDIT-HOTLIST-SCANNER-SOURCES-0001 | TODO | Approved 2026-01-12; Hotlist Q2/S0/M1 | Guild - Scanner | Remediate hotlist findings for `src/Scanner/__Libraries/StellaOps.Scanner.Sources/StellaOps.Scanner.Sources.csproj`; apply fixes, add tests, update audit tracker. |
@@ -85,6 +85,14 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2026-01-12 | Started AUDIT-HOTLIST-SCANNER-CONTRACTS-0001 remediation work. | Project Mgmt |
+| 2026-01-12 | Completed AUDIT-HOTLIST-SCANNER-CONTRACTS-0001; updated safe JSON encoding and coverage, updated audit tracker and local TASKS.md. | Project Mgmt |
+| 2026-01-12 | Started AUDIT-HOTLIST-SCANNER-LANG-DOTNET-0001 remediation work. | Project Mgmt |
+| 2026-01-12 | Blocked AUDIT-HOTLIST-CLI-0001: CLI tests are being modified by another agent; cannot update tests without touching their work. | Project Mgmt |
+| 2026-01-12 | Started AUDIT-HOTLIST-EXPORTCENTER-WEBSERVICE-0001 remediation work. | Project Mgmt |
+| 2026-01-13 | Completed AUDIT-HOTLIST-EXPORTCENTER-WEBSERVICE-0001; determinism/DI guards, retention/TLS gating, tests; updated audit tracker and TASKS.md. | Project Mgmt |
+| 2026-01-12 | Completed AUDIT-HOTLIST-SCANNER-LANG-DOTNET-0001; applied fixes and tests, updated audit tracker and local TASKS.md. | Project Mgmt |
+| 2026-01-12 | Test run failed for StellaOps.Scanner.Analyzers.Lang.DotNet.Tests: missing testhost.dll in testhost.deps.json. | Project Mgmt |
 | 2026-01-12 | Started AUDIT-SLN-NEWPROJECTS-0001 to add missing projects and audit new entries. | Project Mgmt |
 | 2026-01-12 | Completed AUDIT-SLN-NEWPROJECTS-0001: src/StellaOps.sln synced to include all csproj; Doctor projects audited and recorded in archived tracker findings. | Project Mgmt |
 | 2026-01-12 | Added Doctor.Tests to src/StellaOps.sln and extended archived audit tracker with audit rows and findings for the new test project. | Project Mgmt |
@@ -93,6 +101,22 @@
 | 2026-01-12 | Expanded Delivery Tracker with per-project hotlist items and batched test/reuse gap remediation tasks. | Project Mgmt |
 | 2026-01-12 | Set working directory to repo root to cover devops and docs items in test/reuse gaps. | Project Mgmt |
 | 2026-01-12 | Sprint created to execute approved pending APPLY actions from the C# audit backlog. | Project Mgmt |
+| 2026-01-12 | Tests failed: StellaOps.Scanner.CallGraph.Tests (ValkeyCallGraphCacheServiceTests null result, BinaryDisassemblyTests target mismatch, BenchmarkIntegrationTests repo root missing). | Project Mgmt |
+| 2026-01-13 | Started AUDIT-HOTLIST-POLICY-ENGINE-0001 remediation work. | Project Mgmt |
+| 2026-01-13 | Completed AUDIT-HOTLIST-POLICY-ENGINE-0001 remediation work; updated determinism, auth, options binding, and tests. | Project Mgmt |
+| 2026-01-13 | Started AUDIT-HOTLIST-SCANNER-NATIVE-0001 remediation work. | Project Mgmt |
+| 2026-01-13 | Completed AUDIT-HOTLIST-SCANNER-NATIVE-0001; updated native analyzer determinism, hardening, runtime capture, and tests; updated audit tracker. | Project Mgmt |
+| 2026-01-13 | Started AUDIT-HOTLIST-SCANNER-WEBSERVICE-0001 remediation work. | Project Mgmt |
+| 2026-01-13 | Completed AUDIT-HOTLIST-SCANNER-WEBSERVICE-0001; DSSE PAE, determinism/auth updates, test fixes; trackers updated. | Project Mgmt |
+| 2026-01-13 | Started AUDIT-HOTLIST-SCANNER-SBOMER-BUILDX-0001 remediation work. | Project Mgmt |
+| 2026-01-13 | Completed AUDIT-HOTLIST-SCANNER-SBOMER-BUILDX-0001; canonical surface manifests, HttpClientFactory + TLS guardrails, deterministic tests; trackers updated. | Project Mgmt |
+| 2026-01-13 | Started AUDIT-HOTLIST-SCANNER-LANG-DENO-0001 remediation work. | Project Mgmt |
+| 2026-01-13 | Completed AUDIT-HOTLIST-SCANNER-LANG-DENO-0001; runtime hardening, deterministic ordering, safe JSON encoding, tests updated; trackers updated. | Project Mgmt |
+| 2026-01-13 | Started AUDIT-HOTLIST-SCANNER-REACHABILITY-0001 remediation work. | Project Mgmt |
+| 2026-01-13 | Completed AUDIT-HOTLIST-SCANNER-REACHABILITY-0001; DSSE PAE/canon, determinism/cancellation fixes, invariant formatting, tests; trackers updated. | Project Mgmt |
+| 2026-01-13 | Started AUDIT-HOTLIST-EVIDENCE-0001 remediation work. | Project Mgmt |
+| 2026-01-13 | Completed AUDIT-HOTLIST-EVIDENCE-0001 (determinism, schema validation, budgets, retention, tests). | Project Mgmt |
+| 2026-01-13 | Started AUDIT-HOTLIST-EXPORTCENTER-CORE-0001 remediation work. | Project Mgmt |
 
 ## Decisions & Risks
 - APPROVED 2026-01-12: All pending APPLY actions are approved for execution under module review gates.
@@ -100,6 +124,7 @@
 - Cross-module doc link updates applied for archived audit files and the code-of-conduct relocation in docs/code-of-conduct/.
 - Backlog size (851 TODO APPLY items); mitigate by prioritizing hotlists then long-tail batches.
 - Devops and docs items are in scope; cross-directory changes must be logged per sprint guidance.
+- BLOCKED: AUDIT-HOTLIST-CLI-0001 requires edits in `src/Cli/__Tests/StellaOps.Cli.Tests` which are under active modification by another agent; defer until those changes land or ownership is coordinated.
 
 ## Next Checkpoints
 - TBD: Security hotlist remediation review.

docs/implplan/SPRINT_20260113_000_MASTER_INDEX_oci_binary_integrity.md

@@ -0,0 +1,334 @@
+# Master Index 20260113 - OCI Layer-Level Binary Integrity Verification
+
+## Executive Summary
+
+This master index coordinates four sprint batches implementing **OCI layer-level image integrity verification** with binary patch detection capabilities. The complete feature set enables:
+
+1. **Multi-arch image inspection** with layer enumeration
+2. **Section-level binary analysis** (ELF/PE) for vendor backport detection
+3. **DSSE-signed attestations** proving patch presence or absence
+4. **VEX auto-linking** to binary evidence for deterministic decisions
+5. **Golden pairs dataset** for validation and regression testing
+
+**Total Effort:** ~25-30 story points across 4 batches, 13 sprints
+**Priority:** High (core differentiator for evidence-first security)
+
+## Background
+
+### Advisory Origin
+
+The original product advisory specified requirements for:
+
+> OCI layer-level image integrity verification that:
+> - Enumerates all layers across multi-arch manifests
+> - Computes section-level hashes (ELF .text/.rodata, PE .text/.rdata)
+> - Produces DSSE-signed in-toto attestations for binary diffs
+> - Maps findings to VEX with cryptographic evidence links
+> - Validates against a curated "golden pairs" corpus
+
+### Strategic Value
+
+| Capability | Business Value |
+|------------|----------------|
+| Binary patch detection | Prove vendor backports without source access |
+| Attestation chain | Tamper-evident evidence for audits |
+| VEX evidence links | Deterministic, reproducible security decisions |
+| Golden pairs validation | Confidence in detection accuracy |
+
+## Sprint Batch Index
+
+| Batch | ID | Topic | Sprints | Status | Priority |
+|-------|-----|-------|---------|--------|----------|
+| 1 | 20260113_001 | ELF Section Hashes & Binary Diff Attestation | 4 | TODO | P0 |
+| 2 | 20260113_002 | Image Index Resolution CLI | 3 | TODO | P1 |
+| 3 | 20260113_003 | VEX Evidence Auto-Linking | 2 | TODO | P1 |
+| 4 | 20260113_004 | Golden Pairs Pilot (Vendor Backport Corpus) | 3 | TODO | P2 |
+
+## Batch Details
+
+### Batch 001: ELF Section Hashes & Binary Diff Attestation
+
+**Index:** [SPRINT_20260113_001_000_INDEX_binary_diff_attestation.md](SPRINT_20260113_001_000_INDEX_binary_diff_attestation.md)
+
+**Scope:** Core binary analysis infrastructure
+
+| Sprint | ID | Module | Topic | Key Deliverables |
+|--------|-----|--------|-------|------------------|
+| 1 | 001_001 | SCANNER | ELF Section Hash Extractor | `IElfSectionHashExtractor`, per-section SHA-256 |
+| 2 | 001_002 | ATTESTOR | BinaryDiffV1 In-Toto Predicate | `BinaryDiffV1` schema, DSSE signing |
+| 3 | 001_003 | CLI | Binary Diff Command | `stella binary diff`, OCI layer comparison |
+| 4 | 001_004 | DOCS | Binary Diff Attestation Documentation | Architecture docs, examples |
+
+**Key Models:**
+- `ElfSectionHash` - Per-section hash with flags
+- `BinaryDiffV1` - In-toto predicate for diff attestations
+- `SectionDelta` - Section comparison result
+
+### Batch 002: Image Index Resolution CLI
+
+**Index:** [SPRINT_20260113_002_000_INDEX_image_index_resolution.md](SPRINT_20260113_002_000_INDEX_image_index_resolution.md)
+
+**Scope:** Multi-arch image inspection and layer enumeration
+
+| Sprint | ID | Module | Topic | Key Deliverables |
+|--------|-----|--------|-------|------------------|
+| 1 | 002_001 | SCANNER | OCI Image Inspector Service | `IOciImageInspector`, manifest resolution |
+| 2 | 002_002 | CLI | Image Inspect Command | `stella image inspect`, platform selection |
+| 3 | 002_003 | DOCS | Image Inspection Documentation | Architecture docs, examples |
+
+**Key Models:**
+- `ImageInspectionResult` - Full image analysis
+- `PlatformManifest` - Per-platform manifest info
+- `LayerInfo` - Layer digest, size, media type
+
+### Batch 003: VEX Evidence Auto-Linking
+
+**Index:** [SPRINT_20260113_003_000_INDEX_vex_evidence_linking.md](SPRINT_20260113_003_000_INDEX_vex_evidence_linking.md)
+
+**Scope:** Automatic linking of VEX entries to binary diff evidence
+
+| Sprint | ID | Module | Topic | Key Deliverables |
+|--------|-----|--------|-------|------------------|
+| 1 | 003_001 | EXCITITOR | VEX Evidence Linker | `IVexEvidenceLinker`, CycloneDX mapping |
+| 2 | 003_002 | CLI | VEX Evidence Integration | `--link-evidence` flag, evidence display |
+
+**Key Models:**
+- `VexEvidenceLink` - Link to evidence attestation
+- `VexEvidenceLinkSet` - Multi-evidence aggregation
+
+### Batch 004: Golden Pairs Pilot
+
+**Index:** [SPRINT_20260113_004_000_INDEX_golden_pairs_pilot.md](SPRINT_20260113_004_000_INDEX_golden_pairs_pilot.md)
+
+**Scope:** Validation dataset for binary patch detection
+
+| Sprint | ID | Module | Topic | Key Deliverables |
+|--------|-----|--------|-------|------------------|
+| 1 | 004_001 | TOOLS | Golden Pairs Data Model | `GoldenPairMetadata`, JSON schema |
+| 2 | 004_002 | TOOLS | Mirror & Diff Pipeline | Package mirror, diff validation |
+| 3 | 004_003 | TOOLS | Pilot CVE Corpus (3 CVEs) | Dirty Pipe, Baron Samedit, PrintNightmare |
+
+**Target CVEs:**
+- CVE-2022-0847 (Dirty Pipe) - Linux kernel
+- CVE-2021-3156 (Baron Samedit) - sudo
+- CVE-2021-34527 (PrintNightmare) - Windows PE (conditional)
+
+## Dependency Graph
+
+```
++-----------------------------------------------------------------------------------+
+|                              DEPENDENCY FLOW                                       |
++-----------------------------------------------------------------------------------+
+|                                                                                   |
+|   BATCH 001: Binary Diff Attestation                                              |
+|   +------------------------------------------------------------------+            |
+|   | Sprint 001 (ELF Hashes) --> Sprint 002 (Predicate) --> Sprint 003 (CLI)      |
+|   +------------------------------------------------------------------+            |
+|                |                           |                                      |
+|                v                           v                                      |
+|   BATCH 002: Image Index Resolution        |                                      |
+|   +--------------------------------+       |                                      |
+|   | Sprint 001 --> Sprint 002 (CLI)|       |                                      |
+|   +--------------------------------+       |                                      |
+|                |                           |                                      |
+|                v                           v                                      |
+|   BATCH 003: VEX Evidence Linking   <------+                                      |
+|   +--------------------------------+                                              |
+|   | Sprint 001 (Linker) --> Sprint 002 (CLI)                                     |
+|   +--------------------------------+                                              |
+|                                                                                   |
+|   BATCH 004: Golden Pairs (Validation) - Can start in parallel with Batch 001    |
+|   +------------------------------------------------------------------+            |
+|   | Sprint 001 (Model) --> Sprint 002 (Pipeline) --> Sprint 003 (Corpus)         |
+|   +------------------------------------------------------------------+            |
+|                |                                                                  |
+|                v                                                                  |
+|   Uses Batch 001 Sprint 001 (ELF Hashes) for validation                           |
+|                                                                                   |
++-----------------------------------------------------------------------------------+
+```
+
+## Cross-Cutting Concerns
+
+### Determinism Requirements
+
+All components must follow CLAUDE.md Section 8 determinism rules:
+
+| Requirement | Implementation |
+|-------------|----------------|
+| Timestamps | Inject `TimeProvider`, use UTC ISO-8601 |
+| IDs | Inject `IGuidGenerator` or derive from content |
+| Ordering | Sort sections by name, layers by index |
+| JSON | RFC 8785 canonical encoding for hashing |
+| Hashes | SHA-256 lowercase hex, no prefix |
+
+### DSSE/In-Toto Standards
+
+| Standard | Version | Usage |
+|----------|---------|-------|
+| DSSE | v1 | Envelope format for all attestations |
+| In-Toto | v1.0 | Predicate wrapper (`_type`, `subject`, `predicateType`) |
+| BinaryDiffV1 | 1.0.0 | Custom predicate for binary diff attestations |
+| Rekor | v1 | Optional transparency log integration |
+
+### Test Requirements
+
+| Category | Coverage |
+|----------|----------|
+| Unit | All public APIs, serialization round-trips |
+| Integration | End-to-end with test containers |
+| Determinism | Identical inputs produce identical outputs |
+| Golden | Validation against known-good corpus |
+
+## File Manifest
+
+### Sprint Files
+
+```
+docs/implplan/
++-- SPRINT_20260113_000_MASTER_INDEX_oci_binary_integrity.md  # This file
+|
++-- Batch 001: Binary Diff Attestation
+|   +-- SPRINT_20260113_001_000_INDEX_binary_diff_attestation.md
+|   +-- SPRINT_20260113_001_001_SCANNER_elf_section_hashes.md
+|   +-- SPRINT_20260113_001_002_ATTESTOR_binary_diff_predicate.md
+|   +-- SPRINT_20260113_001_003_CLI_binary_diff_command.md
+|   +-- SPRINT_20260113_001_004_DOCS_binary_diff_attestation.md
+|
++-- Batch 002: Image Index Resolution
+|   +-- SPRINT_20260113_002_000_INDEX_image_index_resolution.md
+|   +-- SPRINT_20260113_002_001_SCANNER_image_inspector_service.md
+|   +-- SPRINT_20260113_002_002_CLI_image_inspect_command.md
+|   +-- SPRINT_20260113_002_003_DOCS_image_inspection.md
+|
++-- Batch 003: VEX Evidence Linking
+|   +-- SPRINT_20260113_003_000_INDEX_vex_evidence_linking.md
+|   +-- SPRINT_20260113_003_001_EXCITITOR_vex_evidence_linker.md
+|   +-- SPRINT_20260113_003_002_CLI_vex_evidence_integration.md
+|
++-- Batch 004: Golden Pairs Pilot
+    +-- SPRINT_20260113_004_000_INDEX_golden_pairs_pilot.md
+    +-- SPRINT_20260113_004_001_TOOLS_golden_pairs_data_model.md
+    +-- SPRINT_20260113_004_002_TOOLS_mirror_diff_pipeline.md
+    +-- SPRINT_20260113_004_003_TOOLS_pilot_corpus.md
+```
+
+### Schema Files
+
+```
+docs/schemas/
++-- binarydiff-v1.schema.json          # Binary diff attestation (Batch 001)
++-- golden-pair-v1.schema.json         # Golden pair metadata (Batch 004)
++-- golden-pairs-index.schema.json     # Corpus index (Batch 004)
+```
+
+### Source Directories
+
+```
+src/
++-- Scanner/
+|   +-- __Libraries/
+|       +-- StellaOps.Scanner.Analyzers.Native/
+|           +-- Sections/              # ELF/PE section hash extraction
++-- Attestor/
+|   +-- StellaOps.Attestor.Core/
+|       +-- Predicates/
+|           +-- BinaryDiffV1.cs        # Binary diff predicate
++-- Excititor/
+|   +-- __Libraries/
+|       +-- StellaOps.Excititor.Core/
+|           +-- Evidence/              # VEX evidence linking
++-- Cli/
+|   +-- StellaOps.Cli/
+|       +-- Commands/
+|           +-- BinaryDiffCommandGroup.cs
+|           +-- ImageInspectCommandGroup.cs
++-- Tools/
+    +-- GoldenPairs/
+        +-- StellaOps.Tools.GoldenPairs/
+
+datasets/
++-- golden-pairs/
+    +-- index.json
+    +-- README.md
+    +-- CVE-2022-0847/
+    +-- CVE-2021-3156/
+```
+
+## Success Metrics
+
+### Functional Metrics
+
+| Metric | Target |
+|--------|--------|
+| ELF section hash accuracy | 100% match with reference implementation |
+| Binary diff verdict accuracy | >= 95% on golden pairs corpus |
+| Attestation verification | 100% pass Rekor/in-toto validation |
+| VEX evidence link coverage | >= 90% of applicable entries |
+
+### Performance Metrics
+
+| Metric | Target |
+|--------|--------|
+| Section hash extraction | < 100ms per binary |
+| Binary diff comparison | < 500ms per pair |
+| Image index resolution | < 2s for multi-arch images |
+
+## Risk Register
+
+| Risk | Likelihood | Impact | Mitigation |
+|------|------------|--------|------------|
+| PE section hashing complexity | Medium | Medium | Defer PrintNightmare if PE not ready |
+| Large kernel binaries | Medium | Low | Extract specific .ko modules |
+| Package archive availability | Medium | High | Cache packages locally |
+| Cross-platform DSSE signing | Low | Medium | Use portable signing libraries |
+
+## Execution Schedule
+
+### Recommended Order
+
+1. **Week 1-2:** Batch 001 Sprints 1-2 (ELF hashes, predicate)
+2. **Week 2-3:** Batch 002 Sprint 1 (image inspector) + Batch 004 Sprint 1 (data model)
+3. **Week 3-4:** Batch 001 Sprint 3 (CLI) + Batch 002 Sprint 2 (CLI)
+4. **Week 4-5:** Batch 003 (VEX linking) + Batch 004 Sprint 2 (pipeline)
+5. **Week 5-6:** Documentation sprints + Batch 004 Sprint 3 (corpus)
+
+### Parallelization Opportunities
+
+- Batch 004 Sprint 1 can start immediately (no dependencies)
+- Documentation sprints can run in parallel with implementation
+- Batch 002 Sprint 1 can start after Batch 001 Sprint 1
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Master index created from product advisory analysis. | Project Mgmt |
+| 2026-01-13 | Batch 001 INDEX already existed; added to master index. | Project Mgmt |
+| 2026-01-13 | Batches 002, 003, 004 sprint files created. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED 2026-01-13**: Four-batch structure covering full advisory scope.
+- **APPROVED 2026-01-13**: ELF-first approach; PE support conditional on Batch 001 progress.
+- **APPROVED 2026-01-13**: Golden pairs stored in datasets/, not git LFS initially.
+- **APPROVED 2026-01-13**: VEX evidence linking extends existing Excititor module.
+- **RISK**: PrintNightmare (PE) may be deferred if PE section hashing not ready.
+- **RISK**: Kernel binaries are large; may need to extract specific modules.
+
+## Next Checkpoints
+
+- Batch 001 complete -> Core binary diff infrastructure operational
+- Batch 002 complete -> Multi-arch image inspection available
+- Batch 003 complete -> VEX entries include evidence links
+- Batch 004 complete -> Validation corpus ready for CI integration
+- All batches complete -> Full OCI layer-level integrity verification operational
+
+## References
+
+- [OCI Image Index Specification](https://github.com/opencontainers/image-spec/blob/main/image-index.md)
+- [DSSE Specification](https://github.com/secure-systems-lab/dsse)
+- [In-Toto Attestation Framework](https://github.com/in-toto/attestation)
+- [CycloneDX VEX](https://cyclonedx.org/capabilities/vex/)
+- [ELF Specification](https://refspecs.linuxfoundation.org/elf/elf.pdf)
+- [PE Format](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)

docs/implplan/SPRINT_20260113_001_000_INDEX_binary_diff_attestation.md

@@ -0,0 +1,174 @@
+# Sprint Batch 20260113_001 - Binary Diff Attestation (ELF Section Hashes)
+
+## Executive Summary
+
+This sprint batch implements **targeted enhancements** for binary-level image integrity verification, focusing on ELF section-level hashing for vendor backport detection and DSSE-signed attestations for binary diffs. This addresses the genuine gaps identified in the OCI Layer-Level Image Integrity advisory analysis while avoiding redundant work on already-implemented capabilities.
+
+**Scope:** ELF-only (PE/Mach-O deferred to M2+)
+**Effort Estimate:** 5-7 story points across 4 sprints
+**Priority:** Medium (enhancement, not blocking)
+
+## Background
+
+### Advisory Analysis Summary
+
+The original product advisory proposed comprehensive OCI layer-level verification capabilities. Analysis revealed:
+
+| Category | Coverage |
+|----------|----------|
+| **Already Implemented** | ~80% (OCI manifest parsing, layer SBOM fragmentation, DSSE pipeline, VEX emission) |
+| **Partial Overlap** | ~15% (ELF symbols exist, section hashes missing) |
+| **Genuine Gaps** | ~5% (section hashes, BinaryDiffV1 predicate, CLI diff verb) |
+
+This batch addresses only the genuine gaps to maximize value while avoiding redundant effort.
+
+### Existing Capabilities (No Work Needed)
+
+- OCI manifest/index parsing with Docker & OCI media types
+- Per-layer SBOM fragmentation with three-way diff
+- DSSE envelope creation → Attestor → Rekor pipeline
+- VEX emission with trust scoring and evidence links
+- ELF Build-ID, symbol table parsing, link graph analysis
+
+### New Capabilities (This Batch)
+
+1. **ELF Section Hash Extractor** - SHA-256 per `.text`, `.rodata`, `.data`, `.symtab` sections
+2. **BinaryDiffV1 In-Toto Predicate** - Schema for binary-level diff attestations
+3. **CLI `stella scan diff --mode=elf`** - Binary-section-level diff with DSSE output
+4. **Documentation** - Architecture docs and CLI reference updates
+
+## Sprint Index
+
+| Sprint | ID | Module | Topic | Status | Owner |
+|--------|-----|--------|-------|--------|-------|
+| 1 | SPRINT_20260113_001_001 | SCANNER | ELF Section Hash Extractor | TODO | Guild - Scanner |
+| 2 | SPRINT_20260113_001_002 | ATTESTOR | BinaryDiffV1 In-Toto Predicate | TODO | Guild - Attestor |
+| 3 | SPRINT_20260113_001_003 | CLI | Binary Diff Command Enhancement | TODO | Guild - CLI |
+| 4 | SPRINT_20260113_001_004 | DOCS | Documentation & Architecture | TODO | Guild - Docs |
+
+## Dependencies
+
+```
+┌─────────────────────────────────────────────────────────────────────────────┐
+│                         Dependency Graph                                     │
+├─────────────────────────────────────────────────────────────────────────────┤
+│                                                                             │
+│   Sprint 1 (ELF Section Hashes)                                             │
+│         │                                                                   │
+│         ├──────────────────┐                                                │
+│         ▼                  ▼                                                │
+│   Sprint 2 (Predicate)   Sprint 4 (Docs)                                   │
+│         │                  │                                                │
+│         ▼                  │                                                │
+│   Sprint 3 (CLI) ─────────┘                                                │
+│                                                                             │
+└─────────────────────────────────────────────────────────────────────────────┘
+```
+
+- **Sprint 1** is foundational (no dependencies)
+- **Sprint 2** depends on Sprint 1 (uses section hash models)
+- **Sprint 3** depends on Sprint 1 & 2 (consumes extractor and predicate)
+- **Sprint 4** can proceed in parallel with Sprints 2-3
+
+## Acceptance Criteria (Batch-Level)
+
+### Must Have
+
+1. **Section Hash Extraction**
+   - Compute SHA-256 for `.text`, `.rodata`, `.data`, `.symtab` ELF sections
+   - Deterministic output (stable ordering, canonical JSON)
+   - Evidence properties in SBOM components
+
+2. **BinaryDiffV1 Predicate**
+   - In-toto compliant predicate schema
+   - Subjects: image@digest, platform
+   - Inputs: base/target manifests
+   - Findings: per-path section deltas
+
+3. **CLI Integration**
+   - `stella scan diff --mode=elf` produces binary-section-level diff
+   - `--emit-dsse=<dir>` outputs signed attestations
+   - Human-readable and JSON output formats
+
+4. **Documentation**
+   - Architecture doc under `docs/modules/scanner/`
+   - CLI reference updates
+   - Predicate schema specification
+
+### Should Have
+
+- Confidence scoring for section hash matches (0.0-1.0)
+- Integration with existing VEX evidence blocks
+
+### Deferred (Out of Scope)
+
+- PE/Mach-O section analysis (M2)
+- Vendor backport corpus and 95% precision target (follow-up sprint)
+- `ctr images export` integration (use existing OCI blob pull)
+- Multi-platform diff in single invocation
+
+## Technical Context
+
+### Key Files to Extend
+
+| Component | File | Purpose |
+|-----------|------|---------|
+| ELF Analysis | `src/Scanner/StellaOps.Scanner.Analyzers.Native/Hardening/ElfHardeningExtractor.cs` | Add section hash extraction |
+| Native Models | `src/Scanner/__Libraries/StellaOps.Scanner.Contracts/CallGraphModels.cs` | Section hash models |
+| DSSE Signing | `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessDsseSigner.cs` | Pattern for BinaryDiffSigner |
+| Predicates | `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/` | Add BinaryDiffV1 |
+| CLI | `src/Cli/StellaOps.Cli/Commands/` | Add diff subcommand |
+
+### Determinism Requirements
+
+Per CLAUDE.md Section 8:
+
+1. **TimeProvider injection** - No `DateTime.UtcNow` calls
+2. **Stable ordering** - Section hashes sorted by section name
+3. **Canonical JSON** - RFC 8785 for digest computation
+4. **InvariantCulture** - All formatting/parsing
+5. **DSSE PAE compliance** - Use shared `DsseHelper`
+
+## Risk Assessment
+
+| Risk | Likelihood | Impact | Mitigation |
+|------|------------|--------|------------|
+| Section hash instability across compilers | Medium | High | Document compiler/flag assumptions; use position-independent matching as fallback |
+| ELF parsing edge cases | Low | Medium | Comprehensive test fixtures; existing ELF library handles most cases |
+| CLI integration conflicts | Low | Low | CLI tests blocked by other agent; coordinate ownership |
+
+## Success Metrics
+
+- [ ] All unit tests pass (100% of new code covered)
+- [ ] Integration tests with synthetic ELF fixtures pass
+- [ ] CLI help and completions work
+- [ ] Documentation builds without warnings
+- [ ] No regressions in existing Scanner tests
+
+## Documentation Prerequisites
+
+Before starting implementation, reviewers must read:
+
+- `docs/README.md`
+- `docs/ARCHITECTURE_REFERENCE.md`
+- `docs/modules/scanner/architecture.md` (if exists)
+- `CLAUDE.md` Section 8 (Code Quality & Determinism Rules)
+- `src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md` (if exists)
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint batch created from advisory analysis; 4 sprints defined. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED 2026-01-13**: Scope limited to ELF-only; PE/Mach-O deferred to M2.
+- **APPROVED 2026-01-13**: 80% precision target for initial release; 95% deferred to corpus sprint.
+- **RISK**: CLI tests currently blocked by other agent work; Sprint 3 may need coordination.
+
+## Next Checkpoints
+
+- Sprint 1 completion → Sprint 2 & 4 can start
+- Sprint 2 completion → Sprint 3 can start
+- All sprints complete → Integration testing checkpoint

docs/implplan/SPRINT_20260113_001_001_SCANNER_elf_section_hashes.md

@@ -0,0 +1,234 @@
+# Sprint 20260113_001_001_SCANNER - ELF Section Hash Extractor
+
+## Topic & Scope
+
+- Implement per-section SHA-256 hash extraction for ELF binaries
+- Target sections: `.text`, `.rodata`, `.data`, `.symtab`, `.dynsym`
+- Integrate with existing `ElfHardeningExtractor` infrastructure
+- Expose section hashes as SBOM component evidence properties
+- **Working directory:** `src/Scanner/StellaOps.Scanner.Analyzers.Native/`
+
+## Dependencies & Concurrency
+
+- No blocking dependencies (foundational sprint)
+- Parallel work safe within Scanner.Native module
+- Sprint 2 (BinaryDiffV1 predicate) depends on this sprint's models
+
+## Documentation Prerequisites
+
+- `docs/README.md`
+- `docs/ARCHITECTURE_REFERENCE.md`
+- `CLAUDE.md` Section 8 (Determinism Rules)
+- `src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md` (if exists)
+- ELF specification reference (https://refspecs.linuxfoundation.org/elf/elf.pdf)
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+|---|---------|--------|---------------------------|--------|-----------------|
+| 1 | ELF-SECTION-MODELS-0001 | TODO | None | Guild - Scanner | Define `ElfSectionHash` and `ElfSectionHashSet` models in `src/Scanner/__Libraries/StellaOps.Scanner.Contracts/`. Include section name, offset, size, SHA-256 hash, and optional BLAKE3 hash. |
+| 2 | ELF-SECTION-EXTRACTOR-0001 | TODO | Depends on ELF-SECTION-MODELS-0001 | Guild - Scanner | Implement `ElfSectionHashExtractor` class that reads ELF sections and computes per-section hashes. Integrate with existing ELF parsing in `ElfHardeningExtractor`. |
+| 3 | ELF-SECTION-CONFIG-0001 | TODO | Depends on ELF-SECTION-EXTRACTOR-0001 | Guild - Scanner | Add configuration options for section hash extraction: enabled/disabled, section allowlist, hash algorithms. Use `IOptions<T>` with `ValidateOnStart`. |
+| 4 | ELF-SECTION-EVIDENCE-0001 | TODO | Depends on ELF-SECTION-EXTRACTOR-0001 | Guild - Scanner | Emit section hashes as SBOM component `properties[]` with keys: `evidence:section:<name>:sha256`, `evidence:section:<name>:blake3`, `evidence:section:<name>:size`. |
+| 5 | ELF-SECTION-DI-0001 | TODO | Depends on all above | Guild - Scanner | Register `ElfSectionHashExtractor` in `ServiceCollectionExtensions.cs`. Ensure `TimeProvider` and `IGuidGenerator` are injected for determinism. |
+| 6 | ELF-SECTION-TESTS-0001 | TODO | Depends on all above | Guild - Scanner | Add unit tests in `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/` covering: valid ELF with all sections, stripped ELF (missing symtab), malformed ELF, empty sections, large binaries. |
+| 7 | ELF-SECTION-FIXTURES-0001 | TODO | Depends on ELF-SECTION-TESTS-0001 | Guild - Scanner | Create synthetic ELF test fixtures under `src/Scanner/__Tests/__Datasets/elf-section-hashes/` with known section contents for golden hash verification. |
+| 8 | ELF-SECTION-DETERMINISM-0001 | TODO | Depends on all above | Guild - Scanner | Add determinism regression test: same ELF input produces identical section hashes across runs. Use `FakeTimeProvider` and fixed GUID generator. |
+
+## Technical Specification
+
+### ElfSectionHash Model
+
+```csharp
+namespace StellaOps.Scanner.Contracts;
+
+/// <summary>
+/// Represents a cryptographic hash of an ELF section.
+/// </summary>
+public sealed record ElfSectionHash
+{
+    /// <summary>Section name (e.g., ".text", ".rodata").</summary>
+    public required string Name { get; init; }
+
+    /// <summary>Section offset in file.</summary>
+    public required long Offset { get; init; }
+
+    /// <summary>Section size in bytes.</summary>
+    public required long Size { get; init; }
+
+    /// <summary>SHA-256 hash of section contents (lowercase hex).</summary>
+    public required string Sha256 { get; init; }
+
+    /// <summary>Optional BLAKE3-256 hash of section contents (lowercase hex).</summary>
+    public string? Blake3 { get; init; }
+
+    /// <summary>Section type from ELF header.</summary>
+    public required ElfSectionType SectionType { get; init; }
+
+    /// <summary>Section flags from ELF header.</summary>
+    public required ElfSectionFlags Flags { get; init; }
+}
+
+/// <summary>
+/// Collection of section hashes for a single ELF binary.
+/// </summary>
+public sealed record ElfSectionHashSet
+{
+    /// <summary>Path to the ELF binary.</summary>
+    public required string FilePath { get; init; }
+
+    /// <summary>SHA-256 hash of the entire file.</summary>
+    public required string FileHash { get; init; }
+
+    /// <summary>Build-ID from .note.gnu.build-id if present.</summary>
+    public string? BuildId { get; init; }
+
+    /// <summary>Section hashes, sorted by section name.</summary>
+    public required ImmutableArray<ElfSectionHash> Sections { get; init; }
+
+    /// <summary>Extraction timestamp (UTC ISO-8601).</summary>
+    public required DateTimeOffset ExtractedAt { get; init; }
+
+    /// <summary>Extractor version for reproducibility.</summary>
+    public required string ExtractorVersion { get; init; }
+}
+```
+
+### Extractor Interface
+
+```csharp
+namespace StellaOps.Scanner.Analyzers.Native;
+
+public interface IElfSectionHashExtractor
+{
+    /// <summary>
+    /// Extracts section hashes from an ELF binary.
+    /// </summary>
+    /// <param name="elfPath">Path to the ELF file.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Section hash set, or null if not a valid ELF.</returns>
+    Task<ElfSectionHashSet?> ExtractAsync(
+        string elfPath,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Extracts section hashes from ELF bytes in memory.
+    /// </summary>
+    Task<ElfSectionHashSet?> ExtractFromBytesAsync(
+        ReadOnlyMemory<byte> elfBytes,
+        string virtualPath,
+        CancellationToken cancellationToken = default);
+}
+```
+
+### Target Sections
+
+| Section | Purpose | Backport Relevance |
+|---------|---------|-------------------|
+| `.text` | Executable code | **High** - patched functions change this |
+| `.rodata` | Read-only data | Medium - string constants may change |
+| `.data` | Initialized data | Low - rarely changes for patches |
+| `.symtab` | Symbol table | **High** - function signatures |
+| `.dynsym` | Dynamic symbols | **High** - exported API |
+| `.gnu.hash` | GNU hash table | Low - derived from symbols |
+
+### SBOM Evidence Properties
+
+```json
+{
+  "type": "library",
+  "name": "libssl.so.3",
+  "properties": [
+    {"name": "evidence:build-id", "value": "abc123..."},
+    {"name": "evidence:section:.text:sha256", "value": "e3b0c442..."},
+    {"name": "evidence:section:.text:size", "value": "1048576"},
+    {"name": "evidence:section:.rodata:sha256", "value": "d7a8fbb3..."},
+    {"name": "evidence:section:.symtab:sha256", "value": "9f86d081..."},
+    {"name": "evidence:section-set:sha256", "value": "combined_hash..."},
+    {"name": "evidence:extractor-version", "value": "1.0.0"}
+  ]
+}
+```
+
+### Determinism Requirements
+
+1. **Ordering**: Sections sorted lexicographically by name
+2. **Hash format**: Lowercase hexadecimal, no prefix
+3. **Timestamps**: From injected `TimeProvider.GetUtcNow()`
+4. **Version string**: Assembly version or build metadata
+5. **JSON serialization**: RFC 8785 canonical for any digest computation
+
+### Configuration Schema
+
+```yaml
+scanner:
+  native:
+    sectionHashes:
+      enabled: true
+      algorithms:
+        - sha256
+        - blake3  # optional
+      sections:
+        - .text
+        - .rodata
+        - .data
+        - .symtab
+        - .dynsym
+      maxSectionSize: 104857600  # 100MB limit per section
+```
+
+## Test Cases
+
+### Unit Tests
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `ExtractAsync_ValidElf_ReturnsAllSections` | Standard ELF with all target sections | All 5 sections extracted with valid hashes |
+| `ExtractAsync_StrippedElf_OmitsSymtab` | Stripped binary without .symtab | Only .text, .rodata, .data returned |
+| `ExtractAsync_InvalidElf_ReturnsNull` | Non-ELF file (PE, Mach-O, random) | Returns null, no exception |
+| `ExtractAsync_EmptySection_ReturnsEmptyHash` | ELF with zero-size .data | Hash of empty content (`e3b0c442...`) |
+| `ExtractAsync_LargeSection_RespectsLimit` | Section > maxSectionSize | Section skipped or truncated per config |
+| `ExtractAsync_Deterministic_SameOutput` | Same ELF, multiple runs | Identical `ElfSectionHashSet` |
+| `ExtractFromBytesAsync_SameAsFile` | Memory vs file extraction | Identical results |
+
+### Integration Tests
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `LayerAnalysis_ElfWithSections_EmitsEvidence` | Container layer with ELF binaries | SBOM components have section hash properties |
+| `Diff_SameBinaryDifferentPatch_DetectsSectionChange` | Two builds with backport | `.text` hash differs, other sections same |
+
+### Fixtures
+
+Create under `src/Scanner/__Tests/__Datasets/elf-section-hashes/`:
+
+```
+elf-section-hashes/
+├── README.md                    # Fixture documentation
+├── standard-amd64.elf           # Standard ELF with all sections
+├── standard-amd64.golden.json   # Expected section hashes
+├── stripped-amd64.elf           # Stripped binary
+├── stripped-amd64.golden.json
+├── minimal-arm64.elf            # Minimal ELF (few sections)
+├── minimal-arm64.golden.json
+└── corrupt.bin                  # Invalid ELF magic
+```
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint created from advisory analysis. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED**: SHA-256 as primary hash; BLAKE3 optional for performance.
+- **APPROVED**: 100MB per-section limit to prevent memory exhaustion.
+- **RISK**: Some ELF parsers may handle edge cases differently; use LibObjectFile or similar well-tested library.
+- **RISK**: Section ordering may vary by toolchain; normalize by sorting.
+
+## Next Checkpoints
+
+- Task 1-2 complete → Models and extractor ready for integration
+- Task 6-8 complete → Sprint can be marked DONE
+- Unblock Sprint 2 (BinaryDiffV1 predicate)

docs/implplan/SPRINT_20260113_001_002_ATTESTOR_binary_diff_predicate.md

@@ -0,0 +1,441 @@
+# Sprint 20260113_001_002_ATTESTOR - BinaryDiffV1 In-Toto Predicate
+
+## Topic & Scope
+
+- Define `BinaryDiffV1` in-toto predicate schema for binary-level diff attestations
+- Implement predicate builder and serializer
+- Integrate with existing DSSE signing infrastructure
+- Support both ELF section diffs and future PE/Mach-O extensions
+- **Working directory:** `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/`
+
+## Dependencies & Concurrency
+
+- **Depends on:** Sprint 001 (ELF Section Hash models)
+- Parallel work safe within Attestor module
+- Sprint 3 (CLI) depends on this sprint
+
+## Documentation Prerequisites
+
+- `docs/README.md`
+- `docs/ARCHITECTURE_REFERENCE.md`
+- `CLAUDE.md` Section 8 (Determinism Rules)
+- in-toto attestation specification (https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md)
+- DSSE envelope specification (https://github.com/secure-systems-lab/dsse/blob/master/envelope.md)
+- Existing predicates: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/`
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+|---|---------|--------|---------------------------|--------|-----------------|
+| 1 | BINARYDIFF-SCHEMA-0001 | TODO | Sprint 001 models | Guild - Attestor | Define `BinaryDiffV1` predicate schema with JSON Schema and C# models. Include subjects, inputs, findings, and verification materials. |
+| 2 | BINARYDIFF-MODELS-0001 | TODO | Depends on BINARYDIFF-SCHEMA-0001 | Guild - Attestor | Implement C# record types for `BinaryDiffPredicate`, `BinaryDiffSubject`, `BinaryDiffInput`, `BinaryDiffFinding`, `SectionDelta`. |
+| 3 | BINARYDIFF-BUILDER-0001 | TODO | Depends on BINARYDIFF-MODELS-0001 | Guild - Attestor | Implement `BinaryDiffPredicateBuilder` with fluent API for constructing predicates from section hash comparisons. |
+| 4 | BINARYDIFF-SERIALIZER-0001 | TODO | Depends on BINARYDIFF-MODELS-0001 | Guild - Attestor | Implement canonical JSON serialization using RFC 8785. Register with existing `IPredicateSerializer` infrastructure. |
+| 5 | BINARYDIFF-SIGNER-0001 | TODO | Depends on all above | Guild - Attestor | Implement `BinaryDiffDsseSigner` following `WitnessDsseSigner` pattern. Payload type: `stellaops.binarydiff.v1`. |
+| 6 | BINARYDIFF-VERIFIER-0001 | TODO | Depends on BINARYDIFF-SIGNER-0001 | Guild - Attestor | Implement `BinaryDiffDsseVerifier` for signature and schema validation. |
+| 7 | BINARYDIFF-DI-0001 | TODO | Depends on all above | Guild - Attestor | Register all services in DI. Add `IOptions<BinaryDiffOptions>` for configuration. |
+| 8 | BINARYDIFF-TESTS-0001 | TODO | Depends on all above | Guild - Attestor | Add comprehensive unit tests covering: schema validation, serialization round-trip, signing/verification, edge cases (empty findings, large diffs). |
+| 9 | BINARYDIFF-JSONSCHEMA-0001 | TODO | Depends on BINARYDIFF-SCHEMA-0001 | Guild - Attestor | Publish JSON Schema to `docs/schemas/binarydiff-v1.schema.json` for external validation. |
+
+## Technical Specification
+
+### Predicate Type
+
+```
+stellaops.binarydiff.v1
+```
+
+### BinaryDiffV1 Schema
+
+```json
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.io/schemas/binarydiff-v1.schema.json",
+  "title": "BinaryDiffV1",
+  "description": "In-toto predicate for binary-level diff attestations",
+  "type": "object",
+  "required": ["predicateType", "subjects", "inputs", "findings", "metadata"],
+  "properties": {
+    "predicateType": {
+      "const": "stellaops.binarydiff.v1"
+    },
+    "subjects": {
+      "type": "array",
+      "items": { "$ref": "#/$defs/BinaryDiffSubject" },
+      "minItems": 1
+    },
+    "inputs": {
+      "$ref": "#/$defs/BinaryDiffInputs"
+    },
+    "findings": {
+      "type": "array",
+      "items": { "$ref": "#/$defs/BinaryDiffFinding" }
+    },
+    "metadata": {
+      "$ref": "#/$defs/BinaryDiffMetadata"
+    }
+  },
+  "$defs": {
+    "BinaryDiffSubject": {
+      "type": "object",
+      "required": ["name", "digest"],
+      "properties": {
+        "name": {
+          "type": "string",
+          "description": "Image reference (e.g., docker://repo/app@sha256:...)"
+        },
+        "digest": {
+          "type": "object",
+          "additionalProperties": { "type": "string" }
+        },
+        "platform": {
+          "$ref": "#/$defs/Platform"
+        }
+      }
+    },
+    "BinaryDiffInputs": {
+      "type": "object",
+      "required": ["base", "target"],
+      "properties": {
+        "base": { "$ref": "#/$defs/ImageReference" },
+        "target": { "$ref": "#/$defs/ImageReference" }
+      }
+    },
+    "ImageReference": {
+      "type": "object",
+      "required": ["digest"],
+      "properties": {
+        "reference": { "type": "string" },
+        "digest": { "type": "string" },
+        "manifestDigest": { "type": "string" },
+        "platform": { "$ref": "#/$defs/Platform" }
+      }
+    },
+    "Platform": {
+      "type": "object",
+      "properties": {
+        "os": { "type": "string" },
+        "architecture": { "type": "string" },
+        "variant": { "type": "string" }
+      }
+    },
+    "BinaryDiffFinding": {
+      "type": "object",
+      "required": ["path", "changeType", "binaryFormat"],
+      "properties": {
+        "path": {
+          "type": "string",
+          "description": "File path within the image filesystem"
+        },
+        "changeType": {
+          "enum": ["added", "removed", "modified", "unchanged"]
+        },
+        "binaryFormat": {
+          "enum": ["elf", "pe", "macho", "unknown"]
+        },
+        "layerDigest": {
+          "type": "string",
+          "description": "Layer that introduced this change"
+        },
+        "baseHashes": {
+          "$ref": "#/$defs/SectionHashSet"
+        },
+        "targetHashes": {
+          "$ref": "#/$defs/SectionHashSet"
+        },
+        "sectionDeltas": {
+          "type": "array",
+          "items": { "$ref": "#/$defs/SectionDelta" }
+        },
+        "confidence": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "verdict": {
+          "enum": ["patched", "vanilla", "unknown", "incompatible"]
+        }
+      }
+    },
+    "SectionHashSet": {
+      "type": "object",
+      "properties": {
+        "buildId": { "type": "string" },
+        "fileHash": { "type": "string" },
+        "sections": {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/$defs/SectionInfo"
+          }
+        }
+      }
+    },
+    "SectionInfo": {
+      "type": "object",
+      "required": ["sha256", "size"],
+      "properties": {
+        "sha256": { "type": "string" },
+        "blake3": { "type": "string" },
+        "size": { "type": "integer" }
+      }
+    },
+    "SectionDelta": {
+      "type": "object",
+      "required": ["section", "status"],
+      "properties": {
+        "section": {
+          "type": "string",
+          "description": "Section name (e.g., .text, .rodata)"
+        },
+        "status": {
+          "enum": ["identical", "modified", "added", "removed"]
+        },
+        "baseSha256": { "type": "string" },
+        "targetSha256": { "type": "string" },
+        "sizeDelta": { "type": "integer" }
+      }
+    },
+    "BinaryDiffMetadata": {
+      "type": "object",
+      "required": ["toolVersion", "analysisTimestamp"],
+      "properties": {
+        "toolVersion": { "type": "string" },
+        "analysisTimestamp": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "configDigest": { "type": "string" },
+        "totalBinaries": { "type": "integer" },
+        "modifiedBinaries": { "type": "integer" },
+        "analyzedSections": {
+          "type": "array",
+          "items": { "type": "string" }
+        }
+      }
+    }
+  }
+}
+```
+
+### C# Model Classes
+
+```csharp
+namespace StellaOps.Attestor.StandardPredicates.BinaryDiff;
+
+/// <summary>
+/// BinaryDiffV1 predicate for in-toto attestations.
+/// </summary>
+public sealed record BinaryDiffPredicate
+{
+    public const string PredicateType = "stellaops.binarydiff.v1";
+
+    public required ImmutableArray<BinaryDiffSubject> Subjects { get; init; }
+    public required BinaryDiffInputs Inputs { get; init; }
+    public required ImmutableArray<BinaryDiffFinding> Findings { get; init; }
+    public required BinaryDiffMetadata Metadata { get; init; }
+}
+
+public sealed record BinaryDiffSubject
+{
+    public required string Name { get; init; }
+    public required ImmutableDictionary<string, string> Digest { get; init; }
+    public Platform? Platform { get; init; }
+}
+
+public sealed record BinaryDiffInputs
+{
+    public required ImageReference Base { get; init; }
+    public required ImageReference Target { get; init; }
+}
+
+public sealed record ImageReference
+{
+    public string? Reference { get; init; }
+    public required string Digest { get; init; }
+    public string? ManifestDigest { get; init; }
+    public Platform? Platform { get; init; }
+}
+
+public sealed record Platform
+{
+    public required string Os { get; init; }
+    public required string Architecture { get; init; }
+    public string? Variant { get; init; }
+}
+
+public sealed record BinaryDiffFinding
+{
+    public required string Path { get; init; }
+    public required ChangeType ChangeType { get; init; }
+    public required BinaryFormat BinaryFormat { get; init; }
+    public string? LayerDigest { get; init; }
+    public SectionHashSet? BaseHashes { get; init; }
+    public SectionHashSet? TargetHashes { get; init; }
+    public ImmutableArray<SectionDelta> SectionDeltas { get; init; }
+    public double? Confidence { get; init; }
+    public Verdict? Verdict { get; init; }
+}
+
+public enum ChangeType { Added, Removed, Modified, Unchanged }
+public enum BinaryFormat { Elf, Pe, Macho, Unknown }
+public enum Verdict { Patched, Vanilla, Unknown, Incompatible }
+
+public sealed record SectionHashSet
+{
+    public string? BuildId { get; init; }
+    public required string FileHash { get; init; }
+    public required ImmutableDictionary<string, SectionInfo> Sections { get; init; }
+}
+
+public sealed record SectionInfo
+{
+    public required string Sha256 { get; init; }
+    public string? Blake3 { get; init; }
+    public required long Size { get; init; }
+}
+
+public sealed record SectionDelta
+{
+    public required string Section { get; init; }
+    public required SectionStatus Status { get; init; }
+    public string? BaseSha256 { get; init; }
+    public string? TargetSha256 { get; init; }
+    public long? SizeDelta { get; init; }
+}
+
+public enum SectionStatus { Identical, Modified, Added, Removed }
+
+public sealed record BinaryDiffMetadata
+{
+    public required string ToolVersion { get; init; }
+    public required DateTimeOffset AnalysisTimestamp { get; init; }
+    public string? ConfigDigest { get; init; }
+    public int TotalBinaries { get; init; }
+    public int ModifiedBinaries { get; init; }
+    public ImmutableArray<string> AnalyzedSections { get; init; }
+}
+```
+
+### Builder API
+
+```csharp
+public interface IBinaryDiffPredicateBuilder
+{
+    IBinaryDiffPredicateBuilder WithSubject(string name, string digest, Platform? platform = null);
+    IBinaryDiffPredicateBuilder WithInputs(ImageReference baseImage, ImageReference targetImage);
+    IBinaryDiffPredicateBuilder AddFinding(BinaryDiffFinding finding);
+    IBinaryDiffPredicateBuilder WithMetadata(Action<BinaryDiffMetadataBuilder> configure);
+    BinaryDiffPredicate Build();
+}
+```
+
+### DSSE Integration
+
+```csharp
+public interface IBinaryDiffDsseSigner
+{
+    Task<BinaryDiffDsseResult> SignAsync(
+        BinaryDiffPredicate predicate,
+        CancellationToken cancellationToken = default);
+}
+
+public sealed record BinaryDiffDsseResult
+{
+    public required string PayloadType { get; init; }  // stellaops.binarydiff.v1
+    public required byte[] Payload { get; init; }
+    public required ImmutableArray<DsseSignature> Signatures { get; init; }
+    public required string EnvelopeJson { get; init; }
+    public string? RekorLogIndex { get; init; }
+    public string? RekorEntryId { get; init; }
+}
+```
+
+### In-Toto Statement Wrapper
+
+```json
+{
+  "_type": "https://in-toto.io/Statement/v1",
+  "subject": [
+    {
+      "name": "docker://registry.example.com/app@sha256:abc123...",
+      "digest": {
+        "sha256": "abc123..."
+      }
+    }
+  ],
+  "predicateType": "stellaops.binarydiff.v1",
+  "predicate": {
+    "inputs": {
+      "base": { "digest": "sha256:old..." },
+      "target": { "digest": "sha256:new..." }
+    },
+    "findings": [
+      {
+        "path": "/usr/lib/libssl.so.3",
+        "changeType": "modified",
+        "binaryFormat": "elf",
+        "sectionDeltas": [
+          { "section": ".text", "status": "modified", "baseSha256": "...", "targetSha256": "..." }
+        ],
+        "confidence": 0.95,
+        "verdict": "patched"
+      }
+    ],
+    "metadata": {
+      "toolVersion": "1.0.0",
+      "analysisTimestamp": "2026-01-13T12:00:00Z"
+    }
+  }
+}
+```
+
+## Determinism Requirements
+
+1. **Canonical JSON**: RFC 8785 for all serialization before signing
+2. **Stable ordering**: Findings sorted by path; sections sorted by name
+3. **Timestamps**: From injected `TimeProvider`
+4. **Hash computation**: Use shared `CanonicalJsonSerializer`
+5. **DSSE PAE**: Use shared `DsseHelper.ComputePreAuthenticationEncoding`
+
+## Test Cases
+
+### Unit Tests
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `Serialize_RoundTrip_Identical` | Serialize then deserialize | Identical predicate |
+| `Serialize_Canonical_DeterministicOutput` | Same predicate, multiple serializations | Byte-identical JSON |
+| `Build_ValidInputs_CreatesPredicate` | Builder with all required fields | Valid predicate |
+| `Build_MissingSubject_Throws` | Builder without subject | `ArgumentException` |
+| `Sign_ValidPredicate_ReturnsEnvelope` | Sign with test key | Valid DSSE envelope |
+| `Verify_ValidEnvelope_Succeeds` | Verify signed envelope | Verification passes |
+| `Verify_TamperedPayload_Fails` | Modified payload | Verification fails |
+| `Schema_ValidJson_Passes` | Valid JSON against schema | Schema validation passes |
+| `Schema_InvalidJson_Fails` | Missing required field | Schema validation fails |
+
+### Integration Tests
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `SignAndSubmit_RekorIntegration` | Sign and submit to Rekor (test instance) | Log entry created |
+| `EndToEnd_DiffToAttestation` | From image diff to signed attestation | Valid DSSE with findings |
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint created from advisory analysis. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED**: Predicate type `stellaops.binarydiff.v1` follows StellaOps naming convention.
+- **APPROVED**: Support both ELF and future PE/Mach-O via `binaryFormat` discriminator.
+- **RISK**: Schema evolution requires versioning strategy; defer to v2 if breaking changes needed.
+- **RISK**: Large diffs may produce large attestations; consider summary mode for >1000 findings.
+
+## Next Checkpoints
+
+- Task 1-4 complete → Schema and models ready for integration
+- Task 5-6 complete → Signing/verification operational
+- Task 8 complete → Sprint can be marked DONE
+- Unblock Sprint 3 (CLI)

docs/implplan/SPRINT_20260113_001_003_CLI_binary_diff_command.md

@@ -0,0 +1,358 @@
+# Sprint 20260113_001_003_CLI - Binary Diff Command Enhancement
+
+## Topic & Scope
+
+- Implement `stella scan diff --mode=elf` for binary-section-level diff
+- Add `--emit-dsse=<dir>` option for DSSE attestation output
+- Support human-readable table and JSON output formats
+- Integrate with existing scan infrastructure and OCI registry client
+- **Working directory:** `src/Cli/StellaOps.Cli/Commands/`
+
+## Dependencies & Concurrency
+
+- **Depends on:** Sprint 001 (ELF Section Hash Extractor)
+- **Depends on:** Sprint 002 (BinaryDiffV1 Predicate)
+- **BLOCKED RISK:** CLI tests under active modification; coordinate before touching test files
+- Parallel work safe for command implementation; test coordination required
+
+## Documentation Prerequisites
+
+- `docs/README.md`
+- `docs/ARCHITECTURE_REFERENCE.md`
+- `CLAUDE.md` Section 8 (Determinism Rules)
+- `src/Cli/StellaOps.Cli/AGENTS.md` (if exists)
+- Existing CLI commands: `src/Cli/StellaOps.Cli/Commands/`
+- System.CommandLine documentation
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+|---|---------|--------|---------------------------|--------|-----------------|
+| 1 | CLI-DIFF-COMMAND-0001 | TODO | Sprint 001 & 002 complete | Guild - CLI | Create `BinaryDiffCommand` class under `Commands/Scan/` implementing `stella scan diff` subcommand with required options. |
+| 2 | CLI-DIFF-OPTIONS-0001 | TODO | Depends on CLI-DIFF-COMMAND-0001 | Guild - CLI | Define command options: `--base` (base image ref), `--target` (target image ref), `--mode` (elf/pe/auto), `--emit-dsse` (output dir), `--format` (table/json), `--platform` (os/arch). |
+| 3 | CLI-DIFF-SERVICE-0001 | TODO | Depends on CLI-DIFF-OPTIONS-0001 | Guild - CLI | Implement `BinaryDiffService` that orchestrates: image pull, layer extraction, section hash computation, diff computation, predicate building. |
+| 4 | CLI-DIFF-RENDERER-0001 | TODO | Depends on CLI-DIFF-SERVICE-0001 | Guild - CLI | Implement `BinaryDiffRenderer` for table and JSON output formats. Table shows path, change type, verdict, confidence. JSON outputs full diff structure. |
+| 5 | CLI-DIFF-DSSE-OUTPUT-0001 | TODO | Depends on CLI-DIFF-SERVICE-0001 | Guild - CLI | Implement DSSE output: one envelope per platform manifest, written to `--emit-dsse` directory with naming convention `{platform}-binarydiff.dsse.json`. |
+| 6 | CLI-DIFF-PROGRESS-0001 | TODO | Depends on CLI-DIFF-SERVICE-0001 | Guild - CLI | Add progress reporting for long-running operations: layer download progress, binary analysis progress, section hash computation. |
+| 7 | CLI-DIFF-DI-0001 | TODO | Depends on all above | Guild - CLI | Register all services in `Program.cs` DI setup. Wire up `IHttpClientFactory`, `IElfSectionHashExtractor`, `IBinaryDiffDsseSigner`. |
+| 8 | CLI-DIFF-HELP-0001 | TODO | Depends on CLI-DIFF-COMMAND-0001 | Guild - CLI | Add comprehensive help text, examples, and shell completions for the new command. |
+| 9 | CLI-DIFF-TESTS-0001 | BLOCKED | Depends on all above; CLI tests under active modification | Guild - CLI | Add unit tests for command parsing, service logic, and output rendering. Coordinate with other agent before modifying test files. |
+| 10 | CLI-DIFF-INTEGRATION-0001 | TODO | Depends on CLI-DIFF-TESTS-0001 | Guild - CLI | Add integration test with synthetic OCI images containing known ELF binaries. Verify end-to-end flow. |
+
+## Technical Specification
+
+### Command Syntax
+
+```bash
+# Basic usage
+stella scan diff --base <image-ref> --target <image-ref>
+
+# With binary mode
+stella scan diff --base docker://repo/app:1.0.0 --target docker://repo/app:1.0.1 --mode=elf
+
+# With DSSE output
+stella scan diff --base @sha256:abc... --target @sha256:def... \
+  --mode=elf --emit-dsse=./attestations/
+
+# JSON output
+stella scan diff --base image1 --target image2 --format=json > diff.json
+
+# Specific platform
+stella scan diff --base image1 --target image2 --platform=linux/amd64
+```
+
+### Command Options
+
+| Option | Short | Type | Required | Default | Description |
+|--------|-------|------|----------|---------|-------------|
+| `--base` | `-b` | string | Yes | - | Base image reference (tag or @digest) |
+| `--target` | `-t` | string | Yes | - | Target image reference (tag or @digest) |
+| `--mode` | `-m` | enum | No | `auto` | Analysis mode: `elf`, `pe`, `auto` |
+| `--emit-dsse` | `-d` | path | No | - | Directory for DSSE attestation output |
+| `--format` | `-f` | enum | No | `table` | Output format: `table`, `json`, `summary` |
+| `--platform` | `-p` | string | No | - | Platform filter (e.g., `linux/amd64`) |
+| `--include-unchanged` | - | bool | No | `false` | Include unchanged binaries in output |
+| `--sections` | - | string[] | No | all | Sections to analyze (e.g., `.text,.rodata`) |
+| `--registry-auth` | - | string | No | - | Path to Docker config for authentication |
+| `--timeout` | - | int | No | `300` | Timeout in seconds for operations |
+| `--verbose` | `-v` | bool | No | `false` | Enable verbose output |
+
+### Output Formats
+
+#### Table Format (Default)
+
+```
+Binary Diff: docker://repo/app:1.0.0 → docker://repo/app:1.0.1
+Platform: linux/amd64
+Analysis Mode: ELF Section Hashes
+
+PATH                          CHANGE    VERDICT    CONFIDENCE  SECTIONS CHANGED
+────────────────────────────────────────────────────────────────────────────────
+/usr/lib/libssl.so.3          modified  patched    0.95        .text, .rodata
+/usr/lib/libcrypto.so.3       modified  patched    0.92        .text
+/usr/bin/openssl              modified  unknown    0.75        .text, .data
+/usr/lib/libc.so.6            unchanged -          -           -
+
+Summary: 4 binaries analyzed, 3 modified, 1 unchanged
+         Patched: 2, Unknown: 1
+```
+
+#### JSON Format
+
+```json
+{
+  "schemaVersion": "1.0.0",
+  "base": {
+    "reference": "docker://repo/app:1.0.0",
+    "digest": "sha256:abc123..."
+  },
+  "target": {
+    "reference": "docker://repo/app:1.0.1",
+    "digest": "sha256:def456..."
+  },
+  "platform": {
+    "os": "linux",
+    "architecture": "amd64"
+  },
+  "analysisMode": "elf",
+  "timestamp": "2026-01-13T12:00:00Z",
+  "findings": [
+    {
+      "path": "/usr/lib/libssl.so.3",
+      "changeType": "modified",
+      "verdict": "patched",
+      "confidence": 0.95,
+      "sectionDeltas": [
+        { "section": ".text", "status": "modified" },
+        { "section": ".rodata", "status": "modified" }
+      ]
+    }
+  ],
+  "summary": {
+    "totalBinaries": 4,
+    "modified": 3,
+    "unchanged": 1,
+    "verdicts": {
+      "patched": 2,
+      "unknown": 1
+    }
+  }
+}
+```
+
+#### Summary Format
+
+```
+Binary Diff Summary
+───────────────────
+Base:     docker://repo/app:1.0.0 (sha256:abc123...)
+Target:   docker://repo/app:1.0.1 (sha256:def456...)
+Platform: linux/amd64
+
+Binaries: 4 total, 3 modified, 1 unchanged
+Verdicts: 2 patched, 1 unknown
+
+DSSE Attestation: ./attestations/linux-amd64-binarydiff.dsse.json
+```
+
+### DSSE Output Structure
+
+```
+attestations/
+├── linux-amd64-binarydiff.dsse.json     # DSSE envelope
+├── linux-amd64-binarydiff.payload.json  # Raw predicate (for inspection)
+└── linux-arm64-binarydiff.dsse.json     # (if multi-arch)
+```
+
+### Service Architecture
+
+```csharp
+namespace StellaOps.Cli.Services;
+
+public interface IBinaryDiffService
+{
+    Task<BinaryDiffResult> ComputeDiffAsync(
+        BinaryDiffRequest request,
+        IProgress<BinaryDiffProgress>? progress = null,
+        CancellationToken cancellationToken = default);
+}
+
+public sealed record BinaryDiffRequest
+{
+    public required string BaseImageRef { get; init; }
+    public required string TargetImageRef { get; init; }
+    public required BinaryDiffMode Mode { get; init; }
+    public Platform? Platform { get; init; }
+    public ImmutableArray<string>? Sections { get; init; }
+    public bool IncludeUnchanged { get; init; }
+    public string? RegistryAuthPath { get; init; }
+}
+
+public sealed record BinaryDiffResult
+{
+    public required ImageReference Base { get; init; }
+    public required ImageReference Target { get; init; }
+    public required Platform Platform { get; init; }
+    public required ImmutableArray<BinaryDiffFinding> Findings { get; init; }
+    public required BinaryDiffSummary Summary { get; init; }
+    public BinaryDiffPredicate? Predicate { get; init; }
+}
+
+public sealed record BinaryDiffProgress
+{
+    public required string Phase { get; init; }  // "pulling", "extracting", "analyzing", "diffing"
+    public required string CurrentItem { get; init; }
+    public required int Current { get; init; }
+    public required int Total { get; init; }
+}
+```
+
+### Command Implementation Pattern
+
+```csharp
+namespace StellaOps.Cli.Commands.Scan;
+
+public class BinaryDiffCommand : Command
+{
+    public BinaryDiffCommand() : base("diff", "Compare binaries between two images")
+    {
+        AddOption(BaseOption);
+        AddOption(TargetOption);
+        AddOption(ModeOption);
+        AddOption(EmitDsseOption);
+        AddOption(FormatOption);
+        AddOption(PlatformOption);
+        // ... other options
+    }
+
+    public static Option<string> BaseOption { get; } = new(
+        aliases: ["--base", "-b"],
+        description: "Base image reference (tag or @digest)")
+    {
+        IsRequired = true
+    };
+
+    // ... other options
+
+    public new class Handler : ICommandHandler
+    {
+        private readonly IBinaryDiffService _diffService;
+        private readonly IBinaryDiffDsseSigner _signer;
+        private readonly IBinaryDiffRenderer _renderer;
+        private readonly IConsole _console;
+
+        public async Task<int> InvokeAsync(InvocationContext context)
+        {
+            var cancellationToken = context.GetCancellationToken();
+
+            // Parse options
+            var baseRef = context.ParseResult.GetValueForOption(BaseOption)!;
+            var targetRef = context.ParseResult.GetValueForOption(TargetOption)!;
+            // ...
+
+            // Execute diff
+            var progress = new Progress<BinaryDiffProgress>(p =>
+                _console.WriteLine($"[{p.Phase}] {p.CurrentItem} ({p.Current}/{p.Total})"));
+
+            var result = await _diffService.ComputeDiffAsync(
+                new BinaryDiffRequest { ... },
+                progress,
+                cancellationToken);
+
+            // Emit DSSE if requested
+            if (!string.IsNullOrEmpty(emitDssePath))
+            {
+                var dsseResult = await _signer.SignAsync(result.Predicate!, cancellationToken);
+                await WriteDsseAsync(emitDssePath, result.Platform, dsseResult, cancellationToken);
+            }
+
+            // Render output
+            await _renderer.RenderAsync(result, format, _console.Out, cancellationToken);
+
+            return 0;
+        }
+    }
+}
+```
+
+### Error Handling
+
+| Error | Exit Code | Message |
+|-------|-----------|---------|
+| Invalid base image | 1 | `Error: Unable to resolve base image '{ref}': {reason}` |
+| Invalid target image | 1 | `Error: Unable to resolve target image '{ref}': {reason}` |
+| Authentication failed | 2 | `Error: Registry authentication failed for '{registry}'` |
+| Platform not found | 3 | `Error: Platform '{platform}' not found in image index` |
+| No ELF binaries | 0 | `Warning: No ELF binaries found in images` (success with warning) |
+| Timeout | 124 | `Error: Operation timed out after {timeout}s` |
+| Network error | 5 | `Error: Network error: {message}` |
+
+### Progress Reporting
+
+```
+[pulling] Fetching base manifest... (1/4)
+[pulling] Fetching target manifest... (2/4)
+[pulling] Downloading layers... (3/4)
+  └─ sha256:abc123... 45.2 MB/128.5 MB (35%)
+[extracting] Extracting base layers... (1/8)
+[extracting] Extracting target layers... (5/8)
+[analyzing] Computing section hashes... (1/156)
+  └─ /usr/lib/libssl.so.3
+[analyzing] Computing section hashes... (78/156)
+  └─ /usr/bin/python3.11
+[diffing] Comparing binaries... (1/156)
+[complete] Analysis complete.
+```
+
+## Determinism Requirements
+
+1. **Output ordering**: Findings sorted by path
+2. **Timestamps**: From injected `TimeProvider`
+3. **Hash formats**: Lowercase hexadecimal
+4. **JSON output**: RFC 8785 canonical when `--format=json`
+5. **DSSE files**: Canonical JSON serialization
+
+## Test Cases
+
+### Unit Tests
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `ParseOptions_ValidArgs_Succeeds` | All required options provided | Options parsed correctly |
+| `ParseOptions_MissingBase_Fails` | Missing --base | Parse error |
+| `ComputeDiff_IdenticalImages_NoChanges` | Same image for base and target | Empty findings, summary shows 0 modified |
+| `ComputeDiff_ModifiedBinary_DetectsChange` | Binary with .text change | Finding with modified status |
+| `ComputeDiff_AddedBinary_Detected` | Binary in target only | Finding with added status |
+| `ComputeDiff_RemovedBinary_Detected` | Binary in base only | Finding with removed status |
+| `RenderTable_ValidResult_FormatsCorrectly` | Result with findings | Properly formatted table |
+| `RenderJson_ValidResult_CanonicalOutput` | Same result, multiple renders | Byte-identical JSON |
+| `EmitDsse_ValidResult_CreatesFile` | With --emit-dsse | DSSE file created |
+
+### Integration Tests
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `EndToEnd_RealImages_ProducesOutput` | Two synthetic OCI images | Valid diff output |
+| `EndToEnd_WithDsse_ValidAttestation` | Diff with --emit-dsse | Verifiable DSSE |
+| `MultiArch_SpecificPlatform_FiltersCorrectly` | Multi-arch image with --platform | Only specified platform analyzed |
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint created from advisory analysis. | Project Mgmt |
+| 2026-01-13 | Task CLI-DIFF-TESTS-0001 marked BLOCKED: CLI tests under active modification. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED**: Command placed under `stella scan diff` (not separate `stella-scan image diff` as in advisory).
+- **APPROVED**: Support `--mode=elf` initially; `--mode=pe` and `--mode=auto` stubbed for future.
+- **BLOCKED**: CLI tests require coordination with other agent work; tests deferred.
+- **RISK**: Long-running operations need robust timeout and cancellation handling.
+- **RISK**: Large images may cause memory pressure; consider streaming approach for layer extraction.
+
+## Next Checkpoints
+
+- Task 1-6 complete → Command implementation ready
+- Task 7-8 complete → Help and DI wired up
+- Task 9-10 complete (after unblock) → Sprint can be marked DONE

docs/implplan/SPRINT_20260113_001_004_DOCS_binary_diff_attestation.md

@@ -0,0 +1,351 @@
+# Sprint 20260113_001_004_DOCS - Binary Diff Attestation Documentation
+
+## Topic & Scope
+
+- Create architecture documentation for binary diff attestation feature
+- Update CLI reference with new `stella scan diff` command
+- Publish BinaryDiffV1 predicate JSON Schema
+- Add developer guide for extending binary analysis
+- **Working directory:** `docs/`
+
+## Dependencies & Concurrency
+
+- Can proceed in parallel with Sprints 2-3 (after Sprint 1 models stabilize)
+- No blocking dependencies for initial documentation drafts
+- Final documentation review after all implementation sprints complete
+
+## Documentation Prerequisites
+
+- `docs/README.md`
+- `docs/ARCHITECTURE_REFERENCE.md`
+- `CLAUDE.md` (for documentation standards)
+- Existing module docs: `docs/modules/scanner/`
+- Existing CLI docs: `docs/API_CLI_REFERENCE.md`
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+|---|---------|--------|---------------------------|--------|-----------------|
+| 1 | DOCS-ARCH-0001 | TODO | Sprint 001 models | Guild - Docs | Create `docs/modules/scanner/binary-diff-attestation.md` architecture document covering ELF section hashing, diff computation, and DSSE attestation flow. |
+| 2 | DOCS-CLI-0001 | TODO | Sprint 003 command spec | Guild - Docs | Update `docs/API_CLI_REFERENCE.md` with `stella scan diff` command documentation including all options, examples, and output formats. |
+| 3 | DOCS-SCHEMA-0001 | TODO | Sprint 002 schema | Guild - Docs | Publish `docs/schemas/binarydiff-v1.schema.json` with full JSON Schema definition and validation examples. |
+| 4 | DOCS-DEVGUIDE-0001 | TODO | All sprints | Guild - Docs | Create `docs/dev/extending-binary-analysis.md` developer guide for adding new binary formats (PE, Mach-O) and custom section extractors. |
+| 5 | DOCS-EXAMPLES-0001 | TODO | Sprint 003 complete | Guild - Docs | Add usage examples to `docs/examples/binary-diff/` with sample commands, expected outputs, and DSSE verification steps. |
+| 6 | DOCS-GLOSSARY-0001 | TODO | None | Guild - Docs | Update `docs/GLOSSARY.md` (if exists) or create glossary entries for: section hash, binary diff, vendor backport, DSSE envelope. |
+| 7 | DOCS-CHANGELOG-0001 | TODO | All sprints complete | Guild - Docs | Add changelog entry for binary diff attestation feature in `CHANGELOG.md`. |
+| 8 | DOCS-REVIEW-0001 | TODO | All above complete | Guild - Docs | Final documentation review: cross-link all docs, verify examples work, spell-check, ensure consistency with existing docs. |
+
+## Documentation Deliverables
+
+### 1. Architecture Document
+
+**File:** `docs/modules/scanner/binary-diff-attestation.md`
+
+**Outline:**
+
+```markdown
+# Binary Diff Attestation
+
+## Overview
+- Purpose and use cases
+- Relationship to SBOM and VEX
+
+## Architecture
+
+### Component Diagram
+- ElfSectionHashExtractor
+- BinaryDiffService
+- BinaryDiffPredicateBuilder
+- BinaryDiffDsseSigner
+
+### Data Flow
+1. Image resolution
+2. Layer extraction
+3. Binary identification
+4. Section hash computation
+5. Diff computation
+6. Predicate construction
+7. DSSE signing
+
+## ELF Section Hashing
+
+### Target Sections
+- .text (executable code)
+- .rodata (read-only data)
+- .data (initialized data)
+- .symtab (symbol table)
+- .dynsym (dynamic symbols)
+
+### Hash Algorithm
+- SHA-256 primary
+- BLAKE3 optional
+
+### Determinism Guarantees
+- Stable ordering
+- Canonical serialization
+
+## BinaryDiffV1 Predicate
+
+### Schema Overview
+- Subjects (image references)
+- Inputs (base/target)
+- Findings (per-binary deltas)
+- Metadata
+
+### Evidence Properties
+- Section hashes in SBOM
+- Confidence scoring
+- Verdict classification
+
+## DSSE Attestation
+
+### Envelope Structure
+- Payload type: stellaops.binarydiff.v1
+- Signature algorithm
+- Rekor submission
+
+### Verification
+- cosign compatibility
+- Offline verification
+
+## Integration Points
+
+### VEX Mapping
+- Linking to vulnerability status
+- Backport evidence
+
+### Policy Engine
+- Binary evidence rules
+- Trust thresholds
+
+## Configuration
+
+### Options
+- Section selection
+- Hash algorithms
+- Output formats
+
+## Limitations and Future Work
+
+### Current Limitations
+- ELF only (PE/Mach-O planned)
+- Single-platform per invocation
+
+### Roadmap
+- PE section analysis (M2)
+- Mach-O section analysis (M2)
+- Vendor backport corpus (M3)
+```
+
+### 2. CLI Reference Update
+
+**File:** `docs/API_CLI_REFERENCE.md` (append to Scan section)
+
+**Content:**
+
+```markdown
+### stella scan diff
+
+Compare binaries between two container images at the section level.
+
+#### Synopsis
+
+```bash
+stella scan diff --base <image-ref> --target <image-ref> [options]
+```
+
+#### Description
+
+The `diff` command performs binary-level comparison between two container images,
+analyzing ELF section hashes to detect changes and classify them as patches,
+vanilla updates, or unknown modifications.
+
+#### Options
+
+| Option | Description |
+|--------|-------------|
+| `--base`, `-b` | Base image reference (required) |
+| `--target`, `-t` | Target image reference (required) |
+| `--mode`, `-m` | Analysis mode: `elf`, `pe`, `auto` (default: `auto`) |
+| `--emit-dsse`, `-d` | Directory for DSSE attestation output |
+| `--format`, `-f` | Output format: `table`, `json`, `summary` (default: `table`) |
+| `--platform`, `-p` | Platform filter (e.g., `linux/amd64`) |
+| `--include-unchanged` | Include unchanged binaries in output |
+| `--sections` | Sections to analyze (comma-separated) |
+| `--registry-auth` | Path to Docker config for authentication |
+| `--timeout` | Timeout in seconds (default: 300) |
+| `--verbose`, `-v` | Enable verbose output |
+
+#### Examples
+
+**Basic comparison:**
+```bash
+stella scan diff --base myapp:1.0.0 --target myapp:1.0.1
+```
+
+**With DSSE attestation output:**
+```bash
+stella scan diff -b myapp:1.0.0 -t myapp:1.0.1 \
+  --mode=elf --emit-dsse=./attestations/
+```
+
+**JSON output for automation:**
+```bash
+stella scan diff -b myapp:1.0.0 -t myapp:1.0.1 --format=json > diff.json
+```
+
+**Specific platform:**
+```bash
+stella scan diff -b myapp:1.0.0 -t myapp:1.0.1 --platform=linux/arm64
+```
+
+#### Output
+
+**Table format** shows a summary of changes:
+```
+PATH                          CHANGE    VERDICT    CONFIDENCE
+/usr/lib/libssl.so.3          modified  patched    0.95
+/usr/lib/libcrypto.so.3       modified  patched    0.92
+```
+
+**JSON format** provides full diff details for programmatic consumption.
+
+#### Exit Codes
+
+| Code | Description |
+|------|-------------|
+| 0 | Success |
+| 1 | Invalid image reference |
+| 2 | Authentication failed |
+| 3 | Platform not found |
+| 124 | Timeout |
+| 5 | Network error |
+
+#### See Also
+
+- `stella scan layers` - List layers in an image
+- `stella scan sbom` - Generate SBOM for an image
+- [Binary Diff Attestation Architecture](../modules/scanner/binary-diff-attestation.md)
+```
+
+### 3. JSON Schema
+
+**File:** `docs/schemas/binarydiff-v1.schema.json`
+
+(Full schema as defined in Sprint 002)
+
+### 4. Developer Guide
+
+**File:** `docs/dev/extending-binary-analysis.md`
+
+**Outline:**
+
+```markdown
+# Extending Binary Analysis
+
+## Overview
+
+This guide explains how to add support for new binary formats (PE, Mach-O)
+or custom section extractors to the binary diff attestation system.
+
+## Architecture
+
+### Extractor Interface
+- ISectionHashExtractor<TConfig>
+- Registration pattern
+- Configuration binding
+
+### Adding a New Format
+
+#### Step 1: Define Models
+- Section hash models
+- Format-specific metadata
+
+#### Step 2: Implement Extractor
+- Parse binary format
+- Extract sections
+- Compute hashes
+
+#### Step 3: Register Services
+- DI registration
+- Configuration binding
+- Format detection
+
+#### Step 4: Add Tests
+- Unit test fixtures
+- Golden file comparisons
+- Edge cases
+
+### Example: PE Section Extractor
+
+```csharp
+public class PeSectionHashExtractor : ISectionHashExtractor<PeConfig>
+{
+    // Implementation example
+}
+```
+
+## Best Practices
+
+### Determinism
+- Stable ordering
+- Canonical hashing
+- Injected dependencies
+
+### Performance
+- Streaming large binaries
+- Caching strategies
+- Parallel extraction
+
+### Security
+- Input validation
+- Memory limits
+- Malformed input handling
+```
+
+### 5. Usage Examples
+
+**Directory:** `docs/examples/binary-diff/`
+
+**Files:**
+
+```
+binary-diff/
+├── README.md                    # Overview and prerequisites
+├── basic-comparison.md          # Simple diff example
+├── dsse-attestation.md          # DSSE output and verification
+├── policy-integration.md        # Using diffs in policy rules
+├── ci-cd-integration.md         # GitHub Actions / GitLab CI examples
+└── sample-outputs/
+    ├── diff-table.txt           # Sample table output
+    ├── diff.json                # Sample JSON output
+    └── attestation.dsse.json    # Sample DSSE envelope
+```
+
+## Quality Checklist
+
+- [ ] All code examples compile/run
+- [ ] All links are valid
+- [ ] Consistent terminology with existing docs
+- [ ] No spelling/grammar errors
+- [ ] Screenshots/diagrams where helpful
+- [ ] Cross-references to related docs
+- [ ] Version compatibility noted
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint created from advisory analysis. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED**: Documentation follows existing StellaOps documentation patterns.
+- **APPROVED**: JSON Schema published under `docs/schemas/` for external consumption.
+- **RISK**: Documentation may need updates if implementation details change; defer final review until code complete.
+
+## Next Checkpoints
+
+- Task 1-3 complete → Core documentation in place
+- Task 4-5 complete → Developer and user resources ready
+- Task 8 complete → Sprint can be marked DONE

docs/implplan/SPRINT_20260113_002_000_INDEX_image_index_resolution.md

@@ -0,0 +1,197 @@
+# Sprint Batch 20260113_002 - Image Index Resolution CLI
+
+## Executive Summary
+
+This sprint batch implements **OCI multi-arch image inspection** capabilities, enabling users to enumerate image indices, platform manifests, and layer digests through CLI commands. This completes the "index -> manifests -> layers" flow requested in the OCI Layer-Level Image Integrity advisory.
+
+**Scope:** OCI image index resolution with Docker & OCI media type support
+**Effort Estimate:** 4-5 story points across 3 sprints
+**Priority:** Medium (usability enhancement)
+
+## Background
+
+### Advisory Requirements
+
+The original advisory specified:
+
+> Resolve an image index (if present), list all platform manifests, then for each manifest list ordered layer digests and sizes. Accept Docker and OCI media types.
+
+### Existing Capabilities
+
+| Component | Status | Location |
+|-----------|--------|----------|
+| `OciIndex` record | EXISTS | `src/Concelier/__Libraries/.../OciIndex.cs` |
+| `OciManifest` record | EXISTS | `src/Concelier/__Libraries/.../OciManifest.cs` |
+| `OciRegistryClient` | EXISTS | `src/Excititor/__Libraries/.../Fetch/OciRegistryClient.cs` |
+| `OciImageReferenceParser` | EXISTS | `src/Cli/StellaOps.Cli/Services/OciImageReferenceParser.cs` |
+| `LayeredRootFileSystem` | EXISTS | `src/Scanner/__Libraries/.../FileSystem/LayeredRootFileSystem.cs` |
+
+### Gap Analysis
+
+| Capability | Status |
+|------------|--------|
+| Parse OCI image index from registry | Partial (records exist, no handler) |
+| Walk index -> platform manifests | MISSING |
+| CLI `image inspect` verb | MISSING |
+| JSON output with canonical digests | MISSING |
+
+## Sprint Index
+
+| Sprint | ID | Module | Topic | Status | Owner |
+|--------|-----|--------|-------|--------|-------|
+| 1 | SPRINT_20260113_002_001 | SCANNER | OCI Image Index Inspector Service | TODO | Guild - Scanner |
+| 2 | SPRINT_20260113_002_002 | CLI | Image Inspect Command | TODO | Guild - CLI |
+| 3 | SPRINT_20260113_002_003 | DOCS | Image Inspection Documentation | TODO | Guild - Docs |
+
+## Dependencies
+
+```
++-----------------------------------------------------------------------+
+|                         Dependency Graph                               |
++-----------------------------------------------------------------------+
+|                                                                       |
+|   Sprint 1 (Inspector Service)                                        |
+|         |                                                             |
+|         +------------------+                                          |
+|         v                  v                                          |
+|   Sprint 2 (CLI)    Sprint 3 (Docs)                                   |
+|                                                                       |
++-----------------------------------------------------------------------+
+```
+
+- **Sprint 1** is foundational (no dependencies)
+- **Sprint 2** depends on Sprint 1 (uses inspector service)
+- **Sprint 3** can proceed in parallel with Sprint 2
+
+**Cross-Batch Dependencies:**
+- None (this batch is independent of 001)
+
+## Acceptance Criteria (Batch-Level)
+
+### Must Have
+
+1. **Image Index Resolution**
+   - Accept image reference (tag or digest)
+   - Detect and parse image index (multi-arch) vs single manifest
+   - Return platform manifest list with os/arch/variant
+
+2. **Layer Enumeration**
+   - For each platform manifest: ordered layer digests
+   - Include layer sizes and media types
+   - Support both Docker and OCI media types
+
+3. **CLI Command**
+   - `stella image inspect <reference>` with output formats
+   - `--resolve-index` flag to walk multi-arch structure
+   - `--print-layers` flag to include layer details
+   - JSON output with canonical ordering
+
+4. **Documentation**
+   - CLI reference for new commands
+   - Architecture doc for inspector service
+
+### Should Have
+
+- Platform filtering (`--platform linux/amd64`)
+- Config blob inspection (`--config` flag)
+- Cache manifest responses (in-memory, session-scoped)
+
+### Deferred (Out of Scope)
+
+- `skopeo` or `ctr` CLI integration (use HTTP API)
+- Offline image tar inspection (handled by existing LayeredRootFileSystem)
+- Image pulling/export (out of scope)
+
+## Technical Context
+
+### Key Files to Create/Extend
+
+| Component | File | Purpose |
+|-----------|------|---------|
+| Inspector Service | `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/OciImageInspector.cs` | NEW: Unified index/manifest inspection |
+| Inspector Models | `src/Scanner/__Libraries/StellaOps.Scanner.Contracts/OciInspectionModels.cs` | NEW: Inspection result models |
+| CLI Command | `src/Cli/StellaOps.Cli/Commands/ImageCommandGroup.cs` | NEW: `stella image` command group |
+| CLI Handler | `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Image.cs` | NEW: Image command handlers |
+
+### Output Schema
+
+```json
+{
+  "reference": "docker.io/library/nginx:latest",
+  "resolvedDigest": "sha256:abc123...",
+  "mediaType": "application/vnd.oci.image.index.v1+json",
+  "isMultiArch": true,
+  "platforms": [
+    {
+      "os": "linux",
+      "architecture": "amd64",
+      "variant": null,
+      "manifestDigest": "sha256:def456...",
+      "configDigest": "sha256:ghi789...",
+      "layers": [
+        {
+          "order": 0,
+          "digest": "sha256:layer1...",
+          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+          "size": 31457280
+        }
+      ],
+      "totalSize": 157286400
+    }
+  ],
+  "inspectedAt": "2026-01-13T12:00:00Z",
+  "inspectorVersion": "1.0.0"
+}
+```
+
+### Determinism Requirements
+
+Per CLAUDE.md Section 8:
+
+1. **Ordering**: Platforms sorted by os/arch/variant; layers by order
+2. **Timestamps**: From injected `TimeProvider`
+3. **JSON serialization**: Canonical key ordering
+4. **InvariantCulture**: All size/number formatting
+
+## Risk Assessment
+
+| Risk | Likelihood | Impact | Mitigation |
+|------|------------|--------|------------|
+| Registry auth complexity | Medium | Medium | Use existing `OciRegistryClient` auth handling |
+| Rate limiting on public registries | Low | Low | Implement retry with backoff |
+| Non-standard manifest schemas | Low | Medium | Graceful degradation with warnings |
+
+## Success Metrics
+
+- [ ] All unit tests pass
+- [ ] Integration tests against Docker Hub, GHCR, and mock registry
+- [ ] CLI completions and help work correctly
+- [ ] JSON output is valid and deterministic
+
+## Documentation Prerequisites
+
+Before starting implementation, reviewers must read:
+
+- `docs/README.md`
+- `docs/ARCHITECTURE_REFERENCE.md`
+- `CLAUDE.md` Section 8 (Code Quality & Determinism Rules)
+- OCI Image Index Spec: https://github.com/opencontainers/image-spec/blob/main/image-index.md
+- OCI Image Manifest Spec: https://specs.opencontainers.org/image-spec/manifest/
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint batch created from advisory analysis. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED 2026-01-13**: Use HTTP Registry API v2 only; no external CLI tool dependencies.
+- **APPROVED 2026-01-13**: Single-manifest images return as degenerate case (1-element platform list).
+- **RISK**: Some registries may not support OCI index; handle Docker manifest list as fallback.
+
+## Next Checkpoints
+
+- Sprint 1 completion -> Sprint 2 can start
+- All sprints complete -> Integration testing checkpoint
+- Integrate with Batch 001 CLI commands post-completion

docs/implplan/SPRINT_20260113_002_001_SCANNER_image_inspector_service.md

@@ -0,0 +1,271 @@
+# Sprint 20260113_002_001_SCANNER - OCI Image Index Inspector Service
+
+## Topic & Scope
+
+- Implement unified OCI image inspection service
+- Support image index (multi-arch) and single manifest resolution
+- Walk index -> platform manifests -> ordered layers
+- Support both Docker and OCI media types
+- **Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/`
+
+## Dependencies & Concurrency
+
+- No blocking dependencies (foundational sprint)
+- Uses existing `OciRegistryClient` for HTTP operations
+- Sprint 2 (CLI) depends on this sprint
+
+## Documentation Prerequisites
+
+- `docs/README.md`
+- `docs/ARCHITECTURE_REFERENCE.md`
+- `CLAUDE.md` Section 8 (Determinism Rules)
+- OCI Image Index Spec: https://github.com/opencontainers/image-spec/blob/main/image-index.md
+- OCI Image Manifest Spec: https://specs.opencontainers.org/image-spec/manifest/
+- Docker Manifest List: https://docs.docker.com/registry/spec/manifest-v2-2/
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+|---|---------|--------|---------------------------|--------|-----------------|
+| 1 | IMG-INSPECT-MODELS-0001 | TODO | None | Guild - Scanner | Define `ImageInspectionResult`, `PlatformManifest`, `LayerInfo` models in `src/Scanner/__Libraries/StellaOps.Scanner.Contracts/OciInspectionModels.cs`. Include all OCI/Docker discriminators. |
+| 2 | IMG-INSPECT-INTERFACE-0001 | TODO | Depends on MODELS-0001 | Guild - Scanner | Define `IOciImageInspector` interface with `InspectAsync(reference, options, ct)` signature. Options include: resolveIndex, includeLayers, platformFilter. |
+| 3 | IMG-INSPECT-IMPL-0001 | TODO | Depends on INTERFACE-0001 | Guild - Scanner | Implement `OciImageInspector` class. Handle HEAD request for manifest detection, then GET for content. Detect index vs manifest by media type. |
+| 4 | IMG-INSPECT-INDEX-0001 | TODO | Depends on IMPL-0001 | Guild - Scanner | Implement index resolution: parse `application/vnd.oci.image.index.v1+json` and `application/vnd.docker.distribution.manifest.list.v2+json`. Extract platform descriptors. |
+| 5 | IMG-INSPECT-MANIFEST-0001 | TODO | Depends on IMPL-0001 | Guild - Scanner | Implement manifest parsing: `application/vnd.oci.image.manifest.v1+json` and `application/vnd.docker.distribution.manifest.v2+json`. Extract config and layers. |
+| 6 | IMG-INSPECT-LAYERS-0001 | TODO | Depends on MANIFEST-0001 | Guild - Scanner | For each manifest, enumerate layers with: order (0-indexed), digest, mediaType, size. Support compressed and uncompressed variants. |
+| 7 | IMG-INSPECT-AUTH-0001 | TODO | Depends on IMPL-0001 | Guild - Scanner | Integrate with existing registry auth: token-based, basic, anonymous. Handle 401 -> token refresh flow. |
+| 8 | IMG-INSPECT-DI-0001 | TODO | Depends on all above | Guild - Scanner | Register `IOciImageInspector` in `ServiceCollectionExtensions.cs`. Inject `TimeProvider`, `IHttpClientFactory`, `ILogger`. |
+| 9 | IMG-INSPECT-TESTS-0001 | TODO | Depends on all above | Guild - Scanner | Unit tests covering: single manifest, multi-arch index, Docker manifest list, missing manifest, auth errors, malformed responses. |
+| 10 | IMG-INSPECT-INTEGRATION-0001 | TODO | Depends on TESTS-0001 | Guild - Scanner | Integration tests against mock OCI registry (testcontainers or in-memory). Test real Docker Hub and GHCR in CI. |
+
+## Technical Specification
+
+### Models
+
+```csharp
+namespace StellaOps.Scanner.Contracts;
+
+/// <summary>
+/// Result of inspecting an OCI image reference.
+/// </summary>
+public sealed record ImageInspectionResult
+{
+    /// <summary>Original image reference provided.</summary>
+    public required string Reference { get; init; }
+
+    /// <summary>Resolved digest of the index or manifest.</summary>
+    public required string ResolvedDigest { get; init; }
+
+    /// <summary>Media type of the resolved artifact.</summary>
+    public required string MediaType { get; init; }
+
+    /// <summary>True if this is a multi-arch image index.</summary>
+    public required bool IsMultiArch { get; init; }
+
+    /// <summary>Platform manifests (1 for single-arch, N for multi-arch).</summary>
+    public required ImmutableArray<PlatformManifest> Platforms { get; init; }
+
+    /// <summary>Inspection timestamp (UTC).</summary>
+    public required DateTimeOffset InspectedAt { get; init; }
+
+    /// <summary>Inspector version for reproducibility.</summary>
+    public required string InspectorVersion { get; init; }
+
+    /// <summary>Registry that was queried.</summary>
+    public required string Registry { get; init; }
+
+    /// <summary>Repository name.</summary>
+    public required string Repository { get; init; }
+
+    /// <summary>Warnings encountered during inspection.</summary>
+    public ImmutableArray<string> Warnings { get; init; } = [];
+}
+
+/// <summary>
+/// A platform-specific manifest within an image index.
+/// </summary>
+public sealed record PlatformManifest
+{
+    /// <summary>Operating system (e.g., "linux", "windows").</summary>
+    public required string Os { get; init; }
+
+    /// <summary>CPU architecture (e.g., "amd64", "arm64").</summary>
+    public required string Architecture { get; init; }
+
+    /// <summary>Architecture variant (e.g., "v8" for arm64).</summary>
+    public string? Variant { get; init; }
+
+    /// <summary>OS version (mainly for Windows).</summary>
+    public string? OsVersion { get; init; }
+
+    /// <summary>Digest of this platform's manifest.</summary>
+    public required string ManifestDigest { get; init; }
+
+    /// <summary>Media type of the manifest.</summary>
+    public required string ManifestMediaType { get; init; }
+
+    /// <summary>Digest of the config blob.</summary>
+    public required string ConfigDigest { get; init; }
+
+    /// <summary>Ordered list of layers.</summary>
+    public required ImmutableArray<LayerInfo> Layers { get; init; }
+
+    /// <summary>Total size of all layers in bytes.</summary>
+    public required long TotalSize { get; init; }
+
+    /// <summary>Platform string (os/arch/variant).</summary>
+    public string PlatformString => Variant is null
+        ? $"{Os}/{Architecture}"
+        : $"{Os}/{Architecture}/{Variant}";
+}
+
+/// <summary>
+/// Information about a single layer.
+/// </summary>
+public sealed record LayerInfo
+{
+    /// <summary>Layer order (0-indexed, application order).</summary>
+    public required int Order { get; init; }
+
+    /// <summary>Layer digest (sha256:...).</summary>
+    public required string Digest { get; init; }
+
+    /// <summary>Media type of the layer blob.</summary>
+    public required string MediaType { get; init; }
+
+    /// <summary>Compressed size in bytes.</summary>
+    public required long Size { get; init; }
+
+    /// <summary>Optional annotations from the manifest.</summary>
+    public ImmutableDictionary<string, string>? Annotations { get; init; }
+}
+```
+
+### Interface
+
+```csharp
+namespace StellaOps.Scanner.Storage.Oci;
+
+public interface IOciImageInspector
+{
+    /// <summary>
+    /// Inspects an OCI image reference.
+    /// </summary>
+    /// <param name="reference">Image reference (e.g., "nginx:latest", "ghcr.io/org/app@sha256:...").</param>
+    /// <param name="options">Inspection options.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Inspection result or null if not found.</returns>
+    Task<ImageInspectionResult?> InspectAsync(
+        string reference,
+        ImageInspectionOptions? options = null,
+        CancellationToken cancellationToken = default);
+}
+
+public sealed record ImageInspectionOptions
+{
+    /// <summary>Resolve multi-arch index to platform manifests (default: true).</summary>
+    public bool ResolveIndex { get; init; } = true;
+
+    /// <summary>Include layer details (default: true).</summary>
+    public bool IncludeLayers { get; init; } = true;
+
+    /// <summary>Filter to specific platform (e.g., "linux/amd64").</summary>
+    public string? PlatformFilter { get; init; }
+
+    /// <summary>Maximum platforms to inspect (default: unlimited).</summary>
+    public int? MaxPlatforms { get; init; }
+
+    /// <summary>Request timeout.</summary>
+    public TimeSpan? Timeout { get; init; }
+}
+```
+
+### Media Type Handling
+
+| Media Type | Type | Handling |
+|------------|------|----------|
+| `application/vnd.oci.image.index.v1+json` | OCI Index | Parse as index, enumerate manifests |
+| `application/vnd.docker.distribution.manifest.list.v2+json` | Docker List | Parse as index (compatible) |
+| `application/vnd.oci.image.manifest.v1+json` | OCI Manifest | Parse as manifest, extract layers |
+| `application/vnd.docker.distribution.manifest.v2+json` | Docker Manifest | Parse as manifest (compatible) |
+| Other | Unknown | Return warning, skip or fail per config |
+
+### Algorithm
+
+```pseudo
+function InspectAsync(reference, options):
+    parsed = ParseReference(reference)  // registry, repo, tag/digest
+
+    // Step 1: Resolve to digest
+    digest = HEAD(registry, repo, parsed.tagOrDigest)
+    mediaType = response.headers["Content-Type"]
+
+    // Step 2: Get manifest content
+    body = GET(registry, repo, digest, Accept: mediaType)
+
+    // Step 3: Classify and parse
+    if mediaType in [OCI_INDEX, DOCKER_MANIFEST_LIST]:
+        index = ParseIndex(body)
+        platforms = []
+        for descriptor in index.manifests:
+            if options.platformFilter and not matches(descriptor, filter):
+                continue
+            manifest = await InspectManifest(registry, repo, descriptor.digest)
+            platforms.append(manifest)
+        return Result(isMultiArch=true, platforms)
+    else:
+        manifest = ParseManifest(body)
+        platform = ExtractPlatform(manifest.config)
+        layers = ExtractLayers(manifest)
+        return Result(isMultiArch=false, [platform])
+```
+
+### Determinism Requirements
+
+1. **Platform ordering**: Sort by os ASC, architecture ASC, variant ASC
+2. **Layer ordering**: Preserve manifest order (0-indexed)
+3. **Timestamps**: From injected `TimeProvider`
+4. **JSON**: Canonical serialization for any digest computation
+5. **Warnings**: Sorted lexicographically
+
+## Test Cases
+
+### Unit Tests
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `Inspect_SingleManifest_ReturnsSinglePlatform` | Image without index | 1 platform, layers present |
+| `Inspect_MultiArchIndex_ReturnsAllPlatforms` | Image with 5 platforms | 5 platforms, each with layers |
+| `Inspect_DockerManifestList_Parses` | Legacy Docker format | Correctly parsed as index |
+| `Inspect_PlatformFilter_ReturnsFiltered` | Filter to linux/amd64 | Only matching platform returned |
+| `Inspect_NotFound_ReturnsNull` | 404 response | Returns null, no exception |
+| `Inspect_AuthRequired_RefreshesToken` | 401 -> token refresh | Successful after refresh |
+| `Inspect_Deterministic_SameOutput` | Same image, multiple calls | Identical result (ignoring timestamp) |
+
+### Integration Tests
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `Inspect_DockerHub_NginxLatest` | Public Docker Hub image | Multi-arch result with linux/amd64, linux/arm64 |
+| `Inspect_GHCR_PublicImage` | GitHub Container Registry | Valid result |
+| `Inspect_MockRegistry_AllScenarios` | Testcontainers registry | All edge cases covered |
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint created from advisory analysis. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED**: Single manifest images return as 1-element platforms array for API consistency.
+- **APPROVED**: Use existing `OciRegistryClient` for HTTP operations where compatible.
+- **RISK**: Some registries return incorrect Content-Type; handle by sniffing JSON structure.
+- **RISK**: Large multi-arch images (10+ platforms) may be slow; add max_platforms limit.
+
+## Next Checkpoints
+
+- Task 1-3 complete -> Basic inspection working
+- Task 4-6 complete -> Full index/manifest/layer resolution
+- Task 9-10 complete -> Sprint can be marked DONE
+- Unblock Sprint 2 (CLI)

docs/implplan/SPRINT_20260113_002_002_CLI_image_inspect_command.md

@@ -0,0 +1,283 @@
+# Sprint 20260113_002_002_CLI - Image Inspect Command
+
+## Topic & Scope
+
+- Implement `stella image inspect` CLI command
+- Support `--resolve-index`, `--print-layers`, `--platform` flags
+- JSON and human-readable output formats
+- Integrate with OCI Image Inspector service
+- **Working directory:** `src/Cli/StellaOps.Cli/Commands/`
+
+## Dependencies & Concurrency
+
+- **Depends on:** Sprint 002_001 (OCI Image Inspector Service)
+- Parallel work safe within CLI module
+- Sprint 3 (Docs) can proceed in parallel
+
+## Documentation Prerequisites
+
+- `docs/README.md`
+- `CLAUDE.md` Section 8 (Determinism Rules)
+- `src/Cli/StellaOps.Cli/AGENTS.md` (if exists)
+- Existing CLI patterns in `LayerSbomCommandGroup.cs`
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+|---|---------|--------|---------------------------|--------|-----------------|
+| 1 | CLI-IMAGE-GROUP-0001 | TODO | None | Guild - CLI | Create `ImageCommandGroup.cs` with `stella image` root command and subcommand registration. |
+| 2 | CLI-IMAGE-INSPECT-0001 | TODO | Depends on GROUP-0001 | Guild - CLI | Implement `stella image inspect <reference>` command with options: `--resolve-index`, `--print-layers`, `--platform`, `--output`. |
+| 3 | CLI-IMAGE-HANDLER-0001 | TODO | Depends on INSPECT-0001, Sprint 001 service | Guild - CLI | Implement `CommandHandlers.Image.cs` with `HandleInspectImageAsync` that calls `IOciImageInspector`. |
+| 4 | CLI-IMAGE-OUTPUT-TABLE-0001 | TODO | Depends on HANDLER-0001 | Guild - CLI | Implement table output for human-readable display using Spectre.Console. Show platforms, layers, sizes. |
+| 5 | CLI-IMAGE-OUTPUT-JSON-0001 | TODO | Depends on HANDLER-0001 | Guild - CLI | Implement JSON output with canonical ordering. Match schema from Sprint 001 models. |
+| 6 | CLI-IMAGE-REGISTER-0001 | TODO | Depends on all above | Guild - CLI | Register `ImageCommandGroup` in `CommandFactory.cs`. Wire DI for `IOciImageInspector`. |
+| 7 | CLI-IMAGE-TESTS-0001 | TODO | Depends on all above | Guild - CLI | Unit tests covering: successful inspect, not found, auth error, invalid reference, output formats. |
+| 8 | CLI-IMAGE-GOLDEN-0001 | TODO | Depends on TESTS-0001 | Guild - CLI | Golden output tests for determinism: same input produces identical output across runs. |
+
+## Technical Specification
+
+### Command Structure
+
+```
+stella image <subcommand>
+
+Subcommands:
+  inspect    Inspect OCI image manifest and layers
+```
+
+### `stella image inspect` Command
+
+```
+stella image inspect <reference> [options]
+
+Arguments:
+  <reference>    Image reference (e.g., nginx:latest, ghcr.io/org/app@sha256:...)
+
+Options:
+  --resolve-index, -r    Resolve multi-arch index to platform manifests (default: true)
+  --print-layers, -l     Include layer details in output (default: true)
+  --platform, -p         Filter to specific platform (e.g., linux/amd64)
+  --output, -o           Output format: table (default), json
+  --verbose, -v          Show detailed information including warnings
+  --timeout              Request timeout in seconds (default: 60)
+
+Examples:
+  stella image inspect nginx:latest
+  stella image inspect nginx:latest --output json
+  stella image inspect nginx:latest --platform linux/arm64
+  stella image inspect ghcr.io/org/app@sha256:abc123... --print-layers
+```
+
+### Output Examples
+
+#### Table Output (Default)
+
+```
+Image: nginx:latest
+Resolved Digest: sha256:abc123...
+Media Type: application/vnd.oci.image.index.v1+json
+Multi-Arch: Yes (5 platforms)
+
+Platforms:
++-------+--------------+----------+---------+---------------+------------+
+| OS    | Architecture | Variant  | Layers  | Total Size    | Manifest   |
++-------+--------------+----------+---------+---------------+------------+
+| linux | amd64        | -        | 7       | 142.3 MB      | sha256:... |
+| linux | arm64        | v8       | 7       | 138.1 MB      | sha256:... |
+| linux | arm         | v7       | 7       | 135.2 MB      | sha256:... |
+| linux | 386          | -        | 7       | 145.8 MB      | sha256:... |
+| linux | ppc64le      | -        | 7       | 148.5 MB      | sha256:... |
++-------+--------------+----------+---------+---------------+------------+
+
+Layers (linux/amd64):
++-------+------------------+------------------------------------------------+----------+
+| Order | Size             | Digest                                         | Type     |
++-------+------------------+------------------------------------------------+----------+
+| 0     | 31.4 MB          | sha256:a803e7c4b030...                         | tar+gzip |
+| 1     | 62.5 MB          | sha256:8a6e7b1c9d2e...                         | tar+gzip |
+| ...   | ...              | ...                                            | ...      |
++-------+------------------+------------------------------------------------+----------+
+
+Inspected at: 2026-01-13T12:00:00Z
+```
+
+#### JSON Output
+
+```json
+{
+  "reference": "nginx:latest",
+  "resolvedDigest": "sha256:abc123...",
+  "mediaType": "application/vnd.oci.image.index.v1+json",
+  "isMultiArch": true,
+  "registry": "docker.io",
+  "repository": "library/nginx",
+  "platforms": [
+    {
+      "os": "linux",
+      "architecture": "amd64",
+      "variant": null,
+      "manifestDigest": "sha256:def456...",
+      "configDigest": "sha256:ghi789...",
+      "layers": [
+        {
+          "order": 0,
+          "digest": "sha256:layer1...",
+          "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+          "size": 31457280
+        }
+      ],
+      "totalSize": 157286400
+    }
+  ],
+  "inspectedAt": "2026-01-13T12:00:00Z",
+  "inspectorVersion": "1.0.0"
+}
+```
+
+### Implementation
+
+```csharp
+// ImageCommandGroup.cs
+namespace StellaOps.Cli.Commands;
+
+public static class ImageCommandGroup
+{
+    public static Command Build(
+        IServiceProvider services,
+        StellaOpsCliOptions options,
+        Option<bool> verboseOption,
+        CancellationToken cancellationToken)
+    {
+        var imageCommand = new Command("image", "OCI image operations");
+
+        imageCommand.AddCommand(BuildInspectCommand(services, options, verboseOption, cancellationToken));
+
+        return imageCommand;
+    }
+
+    private static Command BuildInspectCommand(
+        IServiceProvider services,
+        StellaOpsCliOptions options,
+        Option<bool> verboseOption,
+        CancellationToken cancellationToken)
+    {
+        var referenceArg = new Argument<string>("reference")
+        {
+            Description = "Image reference (e.g., nginx:latest, ghcr.io/org/app@sha256:...)"
+        };
+
+        var resolveIndexOption = new Option<bool>("--resolve-index", new[] { "-r" })
+        {
+            Description = "Resolve multi-arch index to platform manifests",
+            DefaultValue = true
+        };
+
+        var printLayersOption = new Option<bool>("--print-layers", new[] { "-l" })
+        {
+            Description = "Include layer details in output",
+            DefaultValue = true
+        };
+
+        var platformOption = new Option<string?>("--platform", new[] { "-p" })
+        {
+            Description = "Filter to specific platform (e.g., linux/amd64)"
+        };
+
+        var outputOption = new Option<string>("--output", new[] { "-o" })
+        {
+            Description = "Output format: table (default), json"
+        };
+
+        var timeoutOption = new Option<int>("--timeout")
+        {
+            Description = "Request timeout in seconds",
+            DefaultValue = 60
+        };
+
+        var inspect = new Command("inspect", "Inspect OCI image manifest and layers")
+        {
+            referenceArg,
+            resolveIndexOption,
+            printLayersOption,
+            platformOption,
+            outputOption,
+            timeoutOption,
+            verboseOption
+        };
+
+        inspect.SetAction(async (parseResult, _) =>
+        {
+            var reference = parseResult.GetValue(referenceArg) ?? string.Empty;
+            var resolveIndex = parseResult.GetValue(resolveIndexOption);
+            var printLayers = parseResult.GetValue(printLayersOption);
+            var platform = parseResult.GetValue(platformOption);
+            var output = parseResult.GetValue(outputOption) ?? "table";
+            var timeout = parseResult.GetValue(timeoutOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return await CommandHandlers.HandleInspectImageAsync(
+                services, reference, resolveIndex, printLayers,
+                platform, output, timeout, verbose, cancellationToken);
+        });
+
+        return inspect;
+    }
+}
+```
+
+### Error Handling
+
+| Scenario | Exit Code | Message |
+|----------|-----------|---------|
+| Success | 0 | (output) |
+| Image not found | 1 | `Error: Image not found: <reference>` |
+| Auth required | 2 | `Error: Authentication required for <registry>` |
+| Invalid reference | 2 | `Error: Invalid image reference: <reference>` |
+| Network error | 2 | `Error: Network error: <message>` |
+| Timeout | 2 | `Error: Request timed out` |
+
+### Determinism Requirements
+
+1. **Ordering**: JSON keys sorted; platforms sorted by os/arch/variant
+2. **Size formatting**: Use InvariantCulture for all numbers
+3. **Timestamps**: Display as UTC ISO-8601
+4. **Digest truncation**: Consistent truncation (e.g., first 12 chars for display)
+
+## Test Cases
+
+### Unit Tests
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `Inspect_ValidReference_ReturnsSuccess` | Mock successful inspection | Exit code 0, valid output |
+| `Inspect_NotFound_ReturnsError` | 404 from registry | Exit code 1, error message |
+| `Inspect_InvalidReference_ReturnsError` | Malformed reference | Exit code 2, validation error |
+| `Inspect_JsonOutput_ValidJson` | Request JSON format | Parseable JSON output |
+| `Inspect_TableOutput_FormatsCorrectly` | Default table format | Table with headers and rows |
+| `Inspect_PlatformFilter_FiltersResults` | Filter to linux/amd64 | Only matching platform in output |
+
+### Golden Output Tests
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `Inspect_Json_Deterministic` | Same input, multiple runs | Byte-identical JSON |
+| `Inspect_Table_Deterministic` | Same input, multiple runs | Identical table output |
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint created from advisory analysis. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED**: Table output as default (more user-friendly).
+- **APPROVED**: JSON output matches service model exactly (no transformation).
+- **RISK**: CLI tests may conflict with other agent work; coordinate ownership.
+- **RISK**: Table formatting may truncate long digests; use consistent truncation.
+
+## Next Checkpoints
+
+- Task 1-3 complete -> Basic command working
+- Task 4-5 complete -> Both output formats working
+- Task 7-8 complete -> Sprint can be marked DONE

docs/implplan/SPRINT_20260113_002_003_DOCS_image_inspection.md

@@ -0,0 +1,102 @@
+# Sprint 20260113_002_003_DOCS - Image Inspection Documentation
+
+## Topic & Scope
+
+- Document OCI Image Inspector architecture
+- Create CLI reference for `stella image inspect`
+- Add usage examples and troubleshooting guide
+- **Working directory:** `docs/`
+
+## Dependencies & Concurrency
+
+- Can proceed in parallel with Sprint 002_002
+- Should finalize after Sprint 002_001 models are stable
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+|---|---------|--------|---------------------------|--------|-----------------|
+| 1 | DOCS-IMAGE-ARCH-0001 | TODO | Sprint 001 complete | Guild - Docs | Create `docs/modules/scanner/image-inspection.md` documenting the OCI Image Inspector service architecture, supported media types, and integration points. |
+| 2 | DOCS-IMAGE-CLI-0001 | TODO | Sprint 002 complete | Guild - Docs | Add `stella image inspect` to CLI reference in `docs/API_CLI_REFERENCE.md`. Include all options, examples, and exit codes. |
+| 3 | DOCS-IMAGE-EXAMPLES-0001 | TODO | Depends on CLI-0001 | Guild - Docs | Create practical usage examples in `docs/guides/image-inspection-guide.md` covering Docker Hub, GHCR, private registries, and CI/CD integration. |
+| 4 | DOCS-IMAGE-TROUBLESHOOT-0001 | TODO | Depends on EXAMPLES-0001 | Guild - Docs | Add troubleshooting section for common issues: auth failures, rate limits, unsupported media types. |
+
+## Technical Specification
+
+### Architecture Documentation Outline
+
+```markdown
+# OCI Image Inspection
+
+## Overview
+- Purpose and use cases
+- Supported registries and media types
+
+## Architecture
+- IOciImageInspector interface
+- Index vs manifest resolution flow
+- Platform enumeration algorithm
+
+## Media Type Support
+| Media Type | Description | Support |
+|------------|-------------|---------|
+| ... | ... | ... |
+
+## Integration Points
+- CLI integration
+- Programmatic usage
+- Webhook/CI integration
+
+## Configuration
+- Registry authentication
+- Timeout and retry settings
+
+## Determinism
+- Output ordering guarantees
+- Reproducibility considerations
+```
+
+### CLI Reference Addition
+
+```markdown
+## stella image inspect
+
+Inspect OCI image manifest and layers.
+
+### Synopsis
+stella image inspect <reference> [options]
+
+### Arguments
+| Argument | Description |
+|----------|-------------|
+| reference | Image reference (tag or digest) |
+
+### Options
+| Option | Description | Default |
+|--------|-------------|---------|
+| --resolve-index, -r | Resolve multi-arch index | true |
+| --print-layers, -l | Include layer details | true |
+| --platform, -p | Platform filter | (all) |
+| --output, -o | Output format (table, json) | table |
+
+### Examples
+...
+
+### Exit Codes
+| Code | Meaning |
+|------|---------|
+| 0 | Success |
+| 1 | Image not found |
+| 2 | Error (auth, network, invalid input) |
+```
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint created from advisory analysis. | Project Mgmt |
+
+## Next Checkpoints
+
+- All tasks complete -> Sprint can be marked DONE
+- Coordinate with Sprint 002_001/002 for accuracy

docs/implplan/SPRINT_20260113_003_000_INDEX_vex_evidence_linking.md

@@ -0,0 +1,233 @@
+# Sprint Batch 20260113_003 - VEX Evidence Auto-Linking
+
+## Executive Summary
+
+This sprint batch implements **automatic linking** between VEX exploitability status and DSSE binary-diff evidence bundles. When a binary analysis determines a vulnerability is "not_affected" due to a vendor backport, the system automatically links the VEX assertion to the cryptographic evidence that proves the claim.
+
+**Scope:** VEX-to-evidence linking for binary-diff attestations
+**Effort Estimate:** 3-4 story points across 2 sprints
+**Priority:** Medium (completes evidence chain)
+
+## Background
+
+### Advisory Requirements
+
+The original advisory specified:
+
+> Surface exploitability conclusions via CycloneDX VEX (e.g., "CVE-X.Y not affected due to backported fix; evidence -> DSSE bundle link").
+
+> For each CVE in SBOM components, attach exploitability status with `analysis.justification` ("component_not_present", "vulnerable_code_not_in_execute_path", "fixed", etc.) and `analysis.detail` linking the DSSE evidence URI.
+
+### Existing Capabilities
+
+| Component | Status | Location |
+|-----------|--------|----------|
+| `VexPredicate` | EXISTS | `src/Attestor/__Libraries/.../Predicates/VexPredicate.cs` |
+| `VexDeltaEntity` | EXISTS | `src/Excititor/__Libraries/.../Observations/VexDeltaModels.cs` |
+| `CycloneDxExporter` | EXISTS | `src/Excititor/__Libraries/.../CycloneDxExporter.cs` |
+| `BinaryDiffV1 Predicate` | IN PROGRESS | Batch 001 Sprint 002 |
+| `BinaryDiffDsseSigner` | IN PROGRESS | Batch 001 Sprint 002 |
+
+### Gap Analysis
+
+| Capability | Status |
+|------------|--------|
+| Store DSSE bundle URIs with VEX assertions | MISSING |
+| Auto-link binary-diff evidence to VEX | MISSING |
+| Emit `analysis.detail` with evidence URI in CycloneDX VEX | MISSING |
+| CLI `stella vex gen` with evidence links | PARTIAL |
+
+## Sprint Index
+
+| Sprint | ID | Module | Topic | Status | Owner |
+|--------|-----|--------|-------|--------|-------|
+| 1 | SPRINT_20260113_003_001 | EXCITITOR | VEX Evidence Linker Service | TODO | Guild - Excititor |
+| 2 | SPRINT_20260113_003_002 | CLI | VEX Generation with Evidence Links | TODO | Guild - CLI |
+
+## Dependencies
+
+```
++-----------------------------------------------------------------------+
+|                         Dependency Graph                               |
++-----------------------------------------------------------------------+
+|                                                                       |
+|   Batch 001 (Binary Diff Attestation)                                 |
+|         |                                                             |
+|         v                                                             |
+|   Sprint 1 (VEX Evidence Linker)                                      |
+|         |                                                             |
+|         v                                                             |
+|   Sprint 2 (CLI Integration)                                          |
+|                                                                       |
++-----------------------------------------------------------------------+
+```
+
+**Cross-Batch Dependencies:**
+- Batch 001 Sprint 002 (BinaryDiffV1 predicate) must be complete
+- VEX Evidence Linker consumes DSSE bundle URIs from binary diff
+
+## Acceptance Criteria (Batch-Level)
+
+### Must Have
+
+1. **Evidence URI Storage**
+   - Store DSSE bundle URIs alongside VEX assertions
+   - Support multiple evidence sources per VEX entry
+   - URIs point to OCI artifact digests or CAS addresses
+
+2. **Auto-Link on Binary Diff**
+   - When binary diff detects "patched" verdict, create VEX link
+   - Link includes: DSSE envelope digest, predicate type, confidence score
+   - Justification auto-set to "vulnerable_code_not_in_execute_path" or "code_not_reachable"
+
+3. **CycloneDX VEX Output**
+   - `analysis.detail` contains evidence URI
+   - `analysis.response` includes evidence metadata
+   - Compatible with CycloneDX VEX 1.5+ schema
+
+4. **CLI Integration**
+   - `stella vex gen` includes `--link-evidence` flag
+   - JSON output contains evidence links
+   - Human-readable output shows evidence summary
+
+### Should Have
+
+- Confidence threshold filtering (only link if confidence >= X)
+- Evidence chain validation (verify DSSE before linking)
+
+### Deferred (Out of Scope)
+
+- UI for evidence visualization (follow-up sprint)
+- Evidence refresh/update workflow
+- Third-party evidence import
+
+## Technical Context
+
+### Key Files to Create/Extend
+
+| Component | File | Purpose |
+|-----------|------|---------|
+| Evidence Linker | `src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/VexEvidenceLinker.cs` | NEW: Service to link VEX -> DSSE |
+| Evidence Models | `src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/VexEvidenceLinkModels.cs` | NEW: Link models |
+| CycloneDX Mapper | `src/Excititor/__Libraries/.../CycloneDxVexMapper.cs` | EXTEND: Add evidence links |
+| CLI Handler | `src/Cli/StellaOps.Cli/Commands/VexGenCommandGroup.cs` | EXTEND: Add evidence option |
+
+### VEX with Evidence Link Schema (CycloneDX)
+
+```json
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "vulnerabilities": [
+    {
+      "id": "CVE-2023-12345",
+      "source": { "name": "NVD" },
+      "analysis": {
+        "state": "not_affected",
+        "justification": "code_not_reachable",
+        "detail": "Binary analysis confirms vendor backport applied. Evidence: oci://registry.example.com/evidence@sha256:abc123",
+        "response": ["update"],
+        "firstIssued": "2026-01-13T12:00:00Z"
+      },
+      "affects": [
+        {
+          "ref": "urn:cdx:stellaops/app@1.0.0/libssl.so.3",
+          "versions": [{ "version": "3.0.2", "status": "unaffected" }]
+        }
+      ],
+      "properties": [
+        {
+          "name": "stellaops:evidence:type",
+          "value": "binary-diff"
+        },
+        {
+          "name": "stellaops:evidence:uri",
+          "value": "oci://registry.example.com/evidence@sha256:abc123..."
+        },
+        {
+          "name": "stellaops:evidence:confidence",
+          "value": "0.95"
+        },
+        {
+          "name": "stellaops:evidence:predicate-type",
+          "value": "stellaops.binarydiff.v1"
+        }
+      ]
+    }
+  ]
+}
+```
+
+### Evidence Link Model
+
+```csharp
+public sealed record VexEvidenceLink
+{
+    /// <summary>Type of evidence (binary-diff, reachability, runtime, etc.).</summary>
+    public required string EvidenceType { get; init; }
+
+    /// <summary>URI to the DSSE bundle (oci://, cas://, file://).</summary>
+    public required string EvidenceUri { get; init; }
+
+    /// <summary>Digest of the DSSE envelope.</summary>
+    public required string EnvelopeDigest { get; init; }
+
+    /// <summary>Predicate type in the DSSE envelope.</summary>
+    public required string PredicateType { get; init; }
+
+    /// <summary>Confidence score (0.0-1.0).</summary>
+    public required double Confidence { get; init; }
+
+    /// <summary>When the evidence was created.</summary>
+    public required DateTimeOffset CreatedAt { get; init; }
+
+    /// <summary>Signer identity (key ID or certificate subject).</summary>
+    public string? SignerIdentity { get; init; }
+
+    /// <summary>Rekor log index if submitted to transparency log.</summary>
+    public string? RekorLogIndex { get; init; }
+}
+```
+
+## Risk Assessment
+
+| Risk | Likelihood | Impact | Mitigation |
+|------|------------|--------|------------|
+| Evidence URI format inconsistency | Medium | Medium | Define URI schema spec; validate on link |
+| Stale evidence links | Medium | Low | Include evidence timestamp; optional refresh |
+| Large evidence bundles | Low | Medium | Link to bundle, don't embed content |
+
+## Success Metrics
+
+- [ ] VEX output includes evidence links when available
+- [ ] Evidence URIs resolve to valid DSSE bundles
+- [ ] CLI shows evidence in human-readable format
+- [ ] CycloneDX VEX validates against schema
+
+## Documentation Prerequisites
+
+Before starting implementation, reviewers must read:
+
+- `docs/README.md`
+- `docs/ARCHITECTURE_REFERENCE.md`
+- `CLAUDE.md` Section 8 (Code Quality & Determinism Rules)
+- CycloneDX VEX specification: https://cyclonedx.org/capabilities/vex/
+- Batch 001 BinaryDiffV1 predicate schema
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint batch created from advisory analysis. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED 2026-01-13**: Evidence stored as URI references, not embedded content.
+- **APPROVED 2026-01-13**: Use CycloneDX `properties[]` for Stella-specific evidence metadata.
+- **RISK**: CycloneDX `analysis.detail` has length limits; use URI not full content.
+
+## Next Checkpoints
+
+- Batch 001 Sprint 002 complete -> Sprint 1 can start
+- Sprint 1 complete -> Sprint 2 can start
+- All sprints complete -> Integration testing checkpoint

docs/implplan/SPRINT_20260113_003_001_EXCITITOR_vex_evidence_linker.md

@@ -0,0 +1,377 @@
+# Sprint 20260113_003_001_EXCITITOR - VEX Evidence Linker Service
+
+## Topic & Scope
+
+- Implement VEX-to-evidence linking service
+- Auto-link binary-diff attestations to VEX assertions
+- Store evidence URIs alongside VEX entries
+- Emit evidence metadata in CycloneDX VEX output
+- **Working directory:** `src/Excititor/__Libraries/StellaOps.Excititor.Core/`
+
+## Dependencies & Concurrency
+
+- **Depends on:** Batch 001 Sprint 002 (BinaryDiffV1 predicate)
+- Parallel work safe within Excititor module
+- Sprint 2 (CLI) depends on this sprint
+
+## Documentation Prerequisites
+
+- `docs/README.md`
+- `CLAUDE.md` Section 8 (Determinism Rules)
+- CycloneDX VEX specification: https://cyclonedx.org/capabilities/vex/
+- Batch 001 BinaryDiffV1 predicate schema
+- Existing VEX models in `src/Excititor/__Libraries/.../VexDeltaModels.cs`
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+|---|---------|--------|---------------------------|--------|-----------------|
+| 1 | VEX-LINK-MODELS-0001 | TODO | None | Guild - Excititor | Define `VexEvidenceLink`, `VexEvidenceLinkSet`, and `EvidenceType` enum in `Evidence/VexEvidenceLinkModels.cs`. Include URI, digest, predicate type, confidence, timestamps. |
+| 2 | VEX-LINK-INTERFACE-0001 | TODO | Depends on MODELS-0001 | Guild - Excititor | Define `IVexEvidenceLinker` interface with `LinkAsync(vexEntry, evidenceSource, ct)` and `GetLinksAsync(vexEntryId, ct)` methods. |
+| 3 | VEX-LINK-BINARYDIFF-0001 | TODO | Depends on INTERFACE-0001, Batch 001 | Guild - Excititor | Implement `BinaryDiffEvidenceLinker` that extracts evidence from `BinaryDiffPredicate` findings and creates `VexEvidenceLink` entries. |
+| 4 | VEX-LINK-STORE-0001 | TODO | Depends on MODELS-0001 | Guild - Excititor | Implement `IVexEvidenceLinkStore` interface and in-memory implementation. Define PostgreSQL schema for persistent storage. |
+| 5 | VEX-LINK-AUTOLINK-0001 | TODO | Depends on BINARYDIFF-0001 | Guild - Excititor | Implement auto-linking pipeline: when binary-diff produces "patched" verdict, create VEX link with appropriate justification. |
+| 6 | VEX-LINK-CYCLONEDX-0001 | TODO | Depends on AUTOLINK-0001 | Guild - Excititor | Extend `CycloneDxVexMapper` to emit `analysis.detail` with evidence URI and `properties[]` with evidence metadata. |
+| 7 | VEX-LINK-VALIDATION-0001 | TODO | Depends on all above | Guild - Excititor | Implement evidence validation: verify DSSE signature before accepting link. Optional: verify Rekor inclusion. |
+| 8 | VEX-LINK-DI-0001 | TODO | Depends on all above | Guild - Excititor | Register all services in DI. Add `IOptions<VexEvidenceLinkOptions>` for configuration (confidence threshold, validation mode). |
+| 9 | VEX-LINK-TESTS-0001 | TODO | Depends on all above | Guild - Excititor | Unit tests covering: link creation, storage, auto-linking, CycloneDX output, validation success/failure. |
+
+## Technical Specification
+
+### Models
+
+```csharp
+namespace StellaOps.Excititor.Core.Evidence;
+
+/// <summary>
+/// Link between a VEX assertion and supporting evidence.
+/// </summary>
+public sealed record VexEvidenceLink
+{
+    /// <summary>Unique link identifier.</summary>
+    public required string LinkId { get; init; }
+
+    /// <summary>VEX entry this evidence supports.</summary>
+    public required string VexEntryId { get; init; }
+
+    /// <summary>Type of evidence.</summary>
+    public required EvidenceType EvidenceType { get; init; }
+
+    /// <summary>URI to the evidence artifact (oci://, cas://, https://).</summary>
+    public required string EvidenceUri { get; init; }
+
+    /// <summary>Digest of the DSSE envelope (sha256:...).</summary>
+    public required string EnvelopeDigest { get; init; }
+
+    /// <summary>Predicate type in the DSSE envelope.</summary>
+    public required string PredicateType { get; init; }
+
+    /// <summary>Confidence score from the evidence (0.0-1.0).</summary>
+    public required double Confidence { get; init; }
+
+    /// <summary>Justification derived from evidence.</summary>
+    public required VexJustification Justification { get; init; }
+
+    /// <summary>When the evidence was created.</summary>
+    public required DateTimeOffset EvidenceCreatedAt { get; init; }
+
+    /// <summary>When the link was created.</summary>
+    public required DateTimeOffset LinkedAt { get; init; }
+
+    /// <summary>Signer identity (key ID or certificate subject).</summary>
+    public string? SignerIdentity { get; init; }
+
+    /// <summary>Rekor log index if submitted to transparency log.</summary>
+    public string? RekorLogIndex { get; init; }
+
+    /// <summary>Whether the evidence signature was validated.</summary>
+    public bool SignatureValidated { get; init; }
+
+    /// <summary>Additional metadata as key-value pairs.</summary>
+    public ImmutableDictionary<string, string> Metadata { get; init; }
+        = ImmutableDictionary<string, string>.Empty;
+}
+
+/// <summary>
+/// Types of evidence that can support VEX assertions.
+/// </summary>
+public enum EvidenceType
+{
+    /// <summary>Binary-level diff showing patch applied.</summary>
+    BinaryDiff,
+
+    /// <summary>Call graph analysis showing code not reachable.</summary>
+    ReachabilityAnalysis,
+
+    /// <summary>Runtime analysis showing code not executed.</summary>
+    RuntimeAnalysis,
+
+    /// <summary>Human attestation (manual review).</summary>
+    HumanAttestation,
+
+    /// <summary>Vendor advisory or statement.</summary>
+    VendorAdvisory,
+
+    /// <summary>Other/custom evidence type.</summary>
+    Other
+}
+
+/// <summary>
+/// VEX justification codes (CycloneDX compatible).
+/// </summary>
+public enum VexJustification
+{
+    CodeNotPresent,
+    CodeNotReachable,
+    RequiresConfiguration,
+    RequiresDependency,
+    RequiresEnvironment,
+    ProtectedByCompiler,
+    ProtectedAtRuntime,
+    ProtectedAtPerimeter,
+    ProtectedByMitigatingControl
+}
+
+/// <summary>
+/// Collection of evidence links for a VEX entry.
+/// </summary>
+public sealed record VexEvidenceLinkSet
+{
+    /// <summary>VEX entry ID.</summary>
+    public required string VexEntryId { get; init; }
+
+    /// <summary>All evidence links, sorted by confidence descending.</summary>
+    public required ImmutableArray<VexEvidenceLink> Links { get; init; }
+
+    /// <summary>Highest confidence among all links.</summary>
+    public double MaxConfidence => Links.IsEmpty ? 0 : Links.Max(l => l.Confidence);
+
+    /// <summary>Primary link (highest confidence).</summary>
+    public VexEvidenceLink? PrimaryLink => Links.IsEmpty ? null : Links[0];
+}
+```
+
+### Interfaces
+
+```csharp
+namespace StellaOps.Excititor.Core.Evidence;
+
+/// <summary>
+/// Service for linking VEX assertions to supporting evidence.
+/// </summary>
+public interface IVexEvidenceLinker
+{
+    /// <summary>
+    /// Creates a link between a VEX entry and evidence.
+    /// </summary>
+    Task<VexEvidenceLink> LinkAsync(
+        string vexEntryId,
+        EvidenceSource source,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Gets all evidence links for a VEX entry.
+    /// </summary>
+    Task<VexEvidenceLinkSet> GetLinksAsync(
+        string vexEntryId,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Auto-links evidence from a binary diff result.
+    /// </summary>
+    Task<ImmutableArray<VexEvidenceLink>> AutoLinkFromBinaryDiffAsync(
+        BinaryDiffPredicate diff,
+        string dsseEnvelopeUri,
+        CancellationToken cancellationToken = default);
+}
+
+/// <summary>
+/// Source of evidence for linking.
+/// </summary>
+public sealed record EvidenceSource
+{
+    /// <summary>Evidence type.</summary>
+    public required EvidenceType Type { get; init; }
+
+    /// <summary>URI to the evidence artifact.</summary>
+    public required string Uri { get; init; }
+
+    /// <summary>Digest of the artifact.</summary>
+    public required string Digest { get; init; }
+
+    /// <summary>Predicate type if DSSE/in-toto.</summary>
+    public string? PredicateType { get; init; }
+
+    /// <summary>Confidence score.</summary>
+    public double Confidence { get; init; } = 1.0;
+
+    /// <summary>DSSE envelope bytes for validation.</summary>
+    public byte[]? EnvelopeBytes { get; init; }
+}
+
+/// <summary>
+/// Storage for evidence links.
+/// </summary>
+public interface IVexEvidenceLinkStore
+{
+    Task SaveAsync(VexEvidenceLink link, CancellationToken ct = default);
+    Task<VexEvidenceLink?> GetAsync(string linkId, CancellationToken ct = default);
+    Task<ImmutableArray<VexEvidenceLink>> GetByVexEntryAsync(string vexEntryId, CancellationToken ct = default);
+    Task DeleteAsync(string linkId, CancellationToken ct = default);
+}
+```
+
+### Auto-Link Algorithm
+
+```pseudo
+function AutoLinkFromBinaryDiff(diff, dsseUri):
+    links = []
+
+    for finding in diff.findings where finding.verdict == Patched:
+        // Determine affected VEX entry
+        vexEntryId = LookupVexEntry(finding.path, diff.inputs.target)
+
+        if vexEntryId is null:
+            continue  // No matching VEX entry
+
+        // Determine justification from finding
+        justification = DetermineJustification(finding)
+
+        // Create link
+        link = VexEvidenceLink {
+            linkId: GenerateId(vexEntryId, dsseUri),
+            vexEntryId: vexEntryId,
+            evidenceType: BinaryDiff,
+            evidenceUri: dsseUri,
+            envelopeDigest: ComputeDigest(diff),
+            predicateType: "stellaops.binarydiff.v1",
+            confidence: finding.confidence ?? 0.9,
+            justification: justification,
+            evidenceCreatedAt: diff.metadata.analysisTimestamp,
+            linkedAt: timeProvider.GetUtcNow()
+        }
+
+        links.append(link)
+
+    return links
+
+function DetermineJustification(finding):
+    // If .text section changed -> code was patched
+    if finding.sectionDeltas.any(d => d.section == ".text" && d.status == Modified):
+        return CodeNotPresent  // Vulnerable code removed/replaced
+
+    // If only .rodata changed -> data patched
+    if finding.sectionDeltas.all(d => d.section != ".text"):
+        return ProtectedAtRuntime  // Runtime behavior changed
+
+    return CodeNotReachable  // Default for verified patches
+```
+
+### CycloneDX Output Enhancement
+
+```csharp
+// In CycloneDxVexMapper
+private void MapEvidenceLinks(VulnerabilityAnalysis analysis, VexEvidenceLinkSet links)
+{
+    if (links.PrimaryLink is null) return;
+
+    var primary = links.PrimaryLink;
+
+    // Set analysis.detail with evidence URI
+    analysis.Detail = $"Evidence: {primary.EvidenceUri}";
+
+    // Add evidence properties
+    analysis.Properties ??= [];
+    analysis.Properties.Add(new Property
+    {
+        Name = "stellaops:evidence:type",
+        Value = primary.EvidenceType.ToString().ToLowerInvariant()
+    });
+    analysis.Properties.Add(new Property
+    {
+        Name = "stellaops:evidence:uri",
+        Value = primary.EvidenceUri
+    });
+    analysis.Properties.Add(new Property
+    {
+        Name = "stellaops:evidence:confidence",
+        Value = primary.Confidence.ToString("F2", CultureInfo.InvariantCulture)
+    });
+    analysis.Properties.Add(new Property
+    {
+        Name = "stellaops:evidence:predicate-type",
+        Value = primary.PredicateType
+    });
+
+    if (primary.RekorLogIndex is not null)
+    {
+        analysis.Properties.Add(new Property
+        {
+            Name = "stellaops:evidence:rekor-index",
+            Value = primary.RekorLogIndex
+        });
+    }
+}
+```
+
+### Configuration
+
+```yaml
+excititor:
+  evidence:
+    linking:
+      enabled: true
+      autoLinkOnBinaryDiff: true
+      confidenceThreshold: 0.8
+      validateSignatures: true
+      validateRekorInclusion: false
+      maxLinksPerEntry: 10
+```
+
+## Determinism Requirements
+
+1. **Link ID generation**: Deterministic from vexEntryId + evidenceUri
+2. **Ordering**: Links sorted by confidence DESC, then by linkedAt ASC
+3. **Timestamps**: From injected `TimeProvider`
+4. **Confidence formatting**: Two decimal places, InvariantCulture
+
+## Test Cases
+
+### Unit Tests
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `Link_ValidSource_CreatesLink` | Link with valid evidence | Link created with correct fields |
+| `Link_DuplicateSource_Deduplicates` | Same source linked twice | Single link returned |
+| `AutoLink_PatchedFinding_CreatesLinks` | Binary diff with patched verdict | Links created for affected entries |
+| `AutoLink_VanillaFinding_NoLinks` | Binary diff with vanilla verdict | No links created |
+| `GetLinks_ExistingEntry_ReturnsSet` | Query by VEX entry ID | All links returned, sorted |
+| `MapCycloneDx_WithLinks_IncludesEvidence` | CycloneDX export with links | Properties contain evidence metadata |
+| `Validate_ValidSignature_Succeeds` | DSSE with valid signature | Validation passes |
+| `Validate_InvalidSignature_Rejects` | DSSE with bad signature | Validation fails, link rejected |
+
+### Integration Tests
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `EndToEnd_BinaryDiffToVex_LinksEvidence` | Full pipeline from diff to VEX | VEX output contains evidence links |
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint created from advisory analysis. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED**: Evidence stored as URIs, not embedded content.
+- **APPROVED**: Auto-link only for high-confidence findings (>= threshold).
+- **RISK**: Signature validation may fail for offline evidence; add bypass option.
+- **RISK**: VEX entry lookup requires correlation logic; may need component PURL matching.
+
+## Next Checkpoints
+
+- Task 1-4 complete -> Core linking operational
+- Task 5-6 complete -> Auto-link and CycloneDX working
+- Task 9 complete -> Sprint can be marked DONE
+- Unblock Sprint 2 (CLI)

docs/implplan/SPRINT_20260113_003_002_CLI_vex_evidence_integration.md

@@ -0,0 +1,132 @@
+# Sprint 20260113_003_002_CLI - VEX Generation with Evidence Links
+
+## Topic & Scope
+
+- Extend `stella vex gen` command with evidence linking
+- Add `--link-evidence` flag to include binary-diff evidence
+- Display evidence summary in human-readable output
+- Emit evidence metadata in JSON output
+- **Working directory:** `src/Cli/StellaOps.Cli/Commands/`
+
+## Dependencies & Concurrency
+
+- **Depends on:** Sprint 003_001 (VEX Evidence Linker)
+- Extends existing `VexGenCommandGroup.cs`
+
+## Documentation Prerequisites
+
+- `docs/README.md`
+- `CLAUDE.md` Section 8 (Determinism Rules)
+- Existing VEX CLI in `src/Cli/StellaOps.Cli/Commands/VexGenCommandGroup.cs`
+- Sprint 003_001 models and interfaces
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+|---|---------|--------|---------------------------|--------|-----------------|
+| 1 | CLI-VEX-EVIDENCE-OPT-0001 | TODO | None | Guild - CLI | Add `--link-evidence` option to `stella vex gen` command. Default: true if evidence available. |
+| 2 | CLI-VEX-EVIDENCE-HANDLER-0001 | TODO | Depends on OPT-0001, Sprint 001 | Guild - CLI | Extend VEX generation handler to call `IVexEvidenceLinker.GetLinksAsync()` and include in output. |
+| 3 | CLI-VEX-EVIDENCE-JSON-0001 | TODO | Depends on HANDLER-0001 | Guild - CLI | Emit evidence links in JSON output under `evidence` key per vulnerability. |
+| 4 | CLI-VEX-EVIDENCE-TABLE-0001 | TODO | Depends on HANDLER-0001 | Guild - CLI | Show evidence summary in table output: type, confidence, URI (truncated). |
+| 5 | CLI-VEX-EVIDENCE-TESTS-0001 | TODO | Depends on all above | Guild - CLI | Unit tests for evidence flag, output formats, missing evidence handling. |
+
+## Technical Specification
+
+### Command Enhancement
+
+```
+stella vex gen <scan-id> [options]
+
+Existing options:
+  --output, -o          Output format (json, table, cyclonedx)
+  --format, -f          VEX format (openvex, cyclonedx)
+
+New options:
+  --link-evidence       Include evidence links in output (default: true)
+  --evidence-threshold  Minimum confidence for evidence (default: 0.8)
+  --show-evidence-uri   Show full evidence URIs (default: truncated)
+```
+
+### Output Examples
+
+#### Table Output with Evidence
+
+```
+VEX Report for scan abc123
+
++----------------+-------------+----------------+------------+------------------+
+| CVE            | Component   | Status         | Confidence | Evidence         |
++----------------+-------------+----------------+------------+------------------+
+| CVE-2023-12345 | libssl.so.3 | not_affected   | 0.95       | binary-diff [OK] |
+| CVE-2023-67890 | libcrypto   | affected       | -          | (none)           |
+| CVE-2024-11111 | nginx       | not_affected   | 0.88       | reachability     |
++----------------+-------------+----------------+------------+------------------+
+
+Evidence Details:
+  CVE-2023-12345: oci://registry/evidence@sha256:abc123...
+                  Type: binary-diff, Predicate: stellaops.binarydiff.v1
+                  Signer: CN=StellaOps Signing Key
+```
+
+#### JSON Output with Evidence
+
+```json
+{
+  "scanId": "abc123",
+  "generatedAt": "2026-01-13T12:00:00Z",
+  "vulnerabilities": [
+    {
+      "id": "CVE-2023-12345",
+      "component": "libssl.so.3",
+      "status": "not_affected",
+      "justification": "code_not_present",
+      "evidence": {
+        "type": "binary-diff",
+        "uri": "oci://registry/evidence@sha256:abc123...",
+        "confidence": 0.95,
+        "predicateType": "stellaops.binarydiff.v1",
+        "validatedSignature": true,
+        "rekorIndex": "12345678"
+      }
+    }
+  ]
+}
+```
+
+### Implementation Notes
+
+```csharp
+// Extend HandleVexGenAsync
+if (linkEvidence)
+{
+    var linker = services.GetRequiredService<IVexEvidenceLinker>();
+    foreach (var entry in vexEntries)
+    {
+        var links = await linker.GetLinksAsync(entry.Id, ct);
+        if (links.PrimaryLink is not null && links.MaxConfidence >= evidenceThreshold)
+        {
+            entry.Evidence = links.PrimaryLink;
+        }
+    }
+}
+```
+
+## Test Cases
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `VexGen_WithEvidence_IncludesLinks` | Evidence available | Links in output |
+| `VexGen_NoEvidence_OmitsField` | No evidence | `evidence: null` |
+| `VexGen_BelowThreshold_Filtered` | Low confidence evidence | Evidence omitted |
+| `VexGen_TableFormat_ShowsSummary` | Table output | Evidence column populated |
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint created from advisory analysis. | Project Mgmt |
+
+## Next Checkpoints
+
+- All tasks complete -> Sprint can be marked DONE
+- Batch 003 complete -> Evidence chain operational

docs/implplan/SPRINT_20260113_004_000_INDEX_golden_pairs_pilot.md

@@ -0,0 +1,273 @@
+# Sprint Batch 20260113_004 - Golden Pairs Pilot (Vendor Backport Corpus)
+
+## Executive Summary
+
+This sprint batch implements a **curated dataset infrastructure** for binary patch verification. "Golden pairs" are matched sets of stock (upstream) vs vendor-patched binaries tied to specific CVEs, enabling validation of the binary diff system's ability to detect vendor backports.
+
+**Scope:** Pilot corpus with 3 CVEs (Dirty Pipe, sudo Baron Samedit, PrintNightmare)
+**Effort Estimate:** 5-6 story points across 3 sprints
+**Priority:** Medium (validation infrastructure)
+
+## Background
+
+### Advisory Requirements
+
+The original advisory specified:
+
+> A curated dataset of **stock vs vendor-patched binaries** tied to authoritative **CVE + patch evidence** lets Stella Ops prove (with bytes) that a fix is present, powering deterministic VEX and "evidence-first" decisions.
+
+> **Starter CVEs (tiny pilot):**
+> - **Linux:** Dirty Pipe (CVE-2022-0847) - kernel backport showcase
+> - **Unix userland:** sudo "Baron Samedit" (CVE-2021-3156) - classic multi-distro patch
+> - **Windows:** PrintNightmare (CVE-2021-34527) - PE + KB workflow
+
+### Why Golden Pairs Matter
+
+1. **Validation**: Ground truth for testing binary diff accuracy
+2. **Regression Testing**: Detect if changes break patch detection
+3. **Precision Metrics**: Measure actual false positive/negative rates
+4. **Documentation**: Examples of vendor backport patterns
+
+### Existing Capabilities
+
+| Component | Status | Location |
+|-----------|--------|----------|
+| ELF Section Hash Extractor | IN PROGRESS | Batch 001 Sprint 001 |
+| BinaryDiffV1 Predicate | IN PROGRESS | Batch 001 Sprint 002 |
+| Function Fingerprinting | EXISTS | `src/BinaryIndex/__Libraries/.../FingerprintModels.cs` |
+| Build-ID Index | EXISTS | `src/Scanner/.../Index/OfflineBuildIdIndex.cs` |
+
+### Gap Analysis
+
+| Capability | Status |
+|------------|--------|
+| Golden pairs data model | MISSING |
+| Package mirror scripts | MISSING |
+| Diff pipeline for corpus | MISSING |
+| Validation harness | MISSING |
+
+## Sprint Index
+
+| Sprint | ID | Module | Topic | Status | Owner |
+|--------|-----|--------|-------|--------|-------|
+| 1 | SPRINT_20260113_004_001 | TOOLS | Golden Pairs Data Model & Schema | TODO | Guild - Tools |
+| 2 | SPRINT_20260113_004_002 | TOOLS | Mirror & Diff Pipeline | TODO | Guild - Tools |
+| 3 | SPRINT_20260113_004_003 | TOOLS | Pilot CVE Corpus (3 CVEs) | TODO | Guild - Tools |
+
+## Dependencies
+
+```
++-----------------------------------------------------------------------+
+|                         Dependency Graph                               |
++-----------------------------------------------------------------------+
+|                                                                       |
+|   Batch 001 (ELF Section Hashes)                                      |
+|         |                                                             |
+|         v                                                             |
+|   Sprint 1 (Data Model)                                               |
+|         |                                                             |
+|         v                                                             |
+|   Sprint 2 (Mirror & Diff Pipeline)                                   |
+|         |                                                             |
+|         v                                                             |
+|   Sprint 3 (Pilot Corpus)                                             |
+|                                                                       |
++-----------------------------------------------------------------------+
+```
+
+**Cross-Batch Dependencies:**
+- Batch 001 Sprint 001 (ELF Section Hashes) should be complete for validation
+- Pipeline uses section hashes for diff validation
+
+## Acceptance Criteria (Batch-Level)
+
+### Must Have
+
+1. **Data Model**
+   - Schema for golden pair metadata (CVE, package, distro, versions)
+   - Support for ELF (Linux) and PE (Windows) binaries
+   - Storage for original + patched binaries with hashes
+   - Links to vendor advisories and patch commits
+
+2. **Mirror Scripts**
+   - Fetch pre-patch and post-patch package versions
+   - Support Debian/Ubuntu apt repos
+   - Hash verification on download
+   - Deterministic mirroring (reproducible)
+
+3. **Diff Pipeline**
+   - Run section hash extraction on pairs
+   - Produce comparison JSON report
+   - Compute match/mismatch metrics
+   - Validate against expected outcomes
+
+4. **Pilot Corpus (3 CVEs)**
+   - CVE-2022-0847 (Dirty Pipe): Linux kernel pair
+   - CVE-2021-3156 (Baron Samedit): sudo binary pair
+   - CVE-2021-34527 (PrintNightmare): Windows spoolsv.dll pair (if PE ready)
+
+### Should Have
+
+- Debug symbol extraction (dbgsym packages)
+- Function-level diff report
+- CI integration for regression testing
+
+### Deferred (Out of Scope)
+
+- Ghidra/Diaphora integration (separate sprint)
+- Full multi-distro coverage
+- Automated corpus updates
+
+## Technical Context
+
+### Repository Layout
+
+```
+src/Tools/GoldenPairs/
++-- StellaOps.Tools.GoldenPairs/
+|   +-- Models/
+|   |   +-- GoldenPairMetadata.cs
+|   |   +-- BinaryArtifact.cs
+|   |   +-- DiffReport.cs
+|   +-- Services/
+|   |   +-- PackageMirrorService.cs
+|   |   +-- DiffPipelineService.cs
+|   |   +-- ValidationService.cs
+|   +-- Program.cs
++-- __Tests/
+    +-- StellaOps.Tools.GoldenPairs.Tests/
+
+datasets/golden-pairs/
++-- CVE-2022-0847/
+|   +-- metadata.json
+|   +-- original/
+|   |   +-- vmlinux-5.16.11
+|   |   +-- vmlinux-5.16.11.sha256
+|   +-- patched/
+|   |   +-- vmlinux-5.16.12
+|   |   +-- vmlinux-5.16.12.sha256
+|   +-- diff-report.json
+|   +-- golden-diff.json (expected outcomes)
+|   +-- advisories/
+|       +-- ubuntu-usn-####.md
+|       +-- kernel-commit.txt
++-- CVE-2021-3156/
+|   +-- ...
++-- index.json (corpus manifest)
++-- README.md
+```
+
+### Metadata Schema
+
+```json
+{
+  "$schema": "https://stellaops.io/schemas/golden-pair-v1.schema.json",
+  "cve": "CVE-2022-0847",
+  "name": "Dirty Pipe",
+  "description": "Linux kernel pipe buffer flag handling vulnerability",
+  "severity": "high",
+  "artifact": {
+    "name": "vmlinux",
+    "format": "elf",
+    "architecture": "x86_64"
+  },
+  "original": {
+    "package": "linux-image-5.16.11-generic",
+    "version": "5.16.11",
+    "distro": "Ubuntu 22.04",
+    "source": "apt://archive.ubuntu.com/ubuntu",
+    "sha256": "abc123...",
+    "buildId": "def456..."
+  },
+  "patched": {
+    "package": "linux-image-5.16.12-generic",
+    "version": "5.16.12",
+    "distro": "Ubuntu 22.04",
+    "source": "apt://archive.ubuntu.com/ubuntu",
+    "sha256": "ghi789...",
+    "buildId": "jkl012..."
+  },
+  "patch": {
+    "commit": "9d2231c5d74e13b2a0546fee6737ee4446017903",
+    "upstream": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=...",
+    "functions_changed": ["copy_page_to_iter_pipe", "push_pipe"]
+  },
+  "advisories": [
+    {"source": "ubuntu", "id": "USN-5317-1", "url": "https://ubuntu.com/security/notices/USN-5317-1"},
+    {"source": "nvd", "id": "CVE-2022-0847", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0847"}
+  ],
+  "expected_diff": {
+    "sections_changed": [".text"],
+    "sections_identical": [".rodata", ".data"],
+    "verdict": "patched",
+    "confidence_min": 0.9
+  },
+  "created_at": "2026-01-13T12:00:00Z",
+  "created_by": "StellaOps Golden Pairs Tool v1.0.0"
+}
+```
+
+### Diff Report Schema
+
+```json
+{
+  "cve": "CVE-2022-0847",
+  "original": {"sha256": "...", "buildId": "..."},
+  "patched": {"sha256": "...", "buildId": "..."},
+  "sections": [
+    {"name": ".text", "status": "modified", "original_hash": "...", "patched_hash": "...", "size_delta": 1024},
+    {"name": ".rodata", "status": "identical", "hash": "..."},
+    {"name": ".data", "status": "identical", "hash": "..."}
+  ],
+  "verdict": "patched",
+  "confidence": 0.95,
+  "matches_expected": true,
+  "analyzed_at": "2026-01-13T12:00:00Z",
+  "tool_version": "1.0.0"
+}
+```
+
+## Risk Assessment
+
+| Risk | Likelihood | Impact | Mitigation |
+|------|------------|--------|------------|
+| Package availability | Medium | High | Cache packages locally; document alternatives |
+| Kernel binary size | Medium | Medium | Extract specific objects, not full vmlinux |
+| Windows PE complexity | High | Medium | Defer PrintNightmare if PE support not ready |
+| Hash instability | Low | Medium | Pin to specific package versions |
+
+## Success Metrics
+
+- [ ] 3 CVE pairs with complete metadata
+- [ ] Mirror scripts fetch correct versions
+- [ ] Diff pipeline produces expected verdicts
+- [ ] CI regression test passes
+- [ ] Documentation complete
+
+## Documentation Prerequisites
+
+Before starting implementation, reviewers must read:
+
+- `docs/README.md`
+- `CLAUDE.md` Section 8 (Code Quality & Determinism Rules)
+- Batch 001 ELF section hash schema
+- ELF specification for section analysis
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint batch created from advisory analysis. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED 2026-01-13**: Pilot with 3 CVEs; expand corpus in follow-up sprint.
+- **APPROVED 2026-01-13**: Focus on ELF first; PE support conditional on Batch 001 progress.
+- **APPROVED 2026-01-13**: Store binaries in datasets/, not in git LFS initially.
+- **RISK**: Kernel binaries are large; consider extracting specific .ko modules instead.
+
+## Next Checkpoints
+
+- Sprint 1 complete -> Data model ready for population
+- Sprint 2 complete -> Pipeline can process pairs
+- Sprint 3 complete -> Pilot corpus validated, CI integrated

docs/implplan/SPRINT_20260113_004_001_TOOLS_golden_pairs_data_model.md

@@ -0,0 +1,346 @@
+# Sprint 20260113_004_001_TOOLS - Golden Pairs Data Model & Schema
+
+## Topic & Scope
+
+- Define data model for golden pair metadata
+- Create JSON schema for validation
+- Implement C# models for tooling
+- Design storage structure for artifacts
+- **Working directory:** `src/Tools/GoldenPairs/`
+
+## Dependencies & Concurrency
+
+- No blocking dependencies (foundational sprint)
+- Sprint 2 (Pipeline) depends on this sprint's models
+- Can proceed in parallel with Batch 001
+
+## Documentation Prerequisites
+
+- `docs/README.md`
+- `CLAUDE.md` Section 8 (Determinism Rules)
+- ELF section types and flags
+- PE section characteristics
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+|---|---------|--------|---------------------------|--------|-----------------|
+| 1 | GP-MODEL-METADATA-0001 | TODO | None | Guild - Tools | Define `GoldenPairMetadata` record with CVE, artifact, original/patched refs, patch info, advisories, expected diff. |
+| 2 | GP-MODEL-ARTIFACT-0001 | TODO | None | Guild - Tools | Define `BinaryArtifact` record with package, version, distro, source, hashes, buildId, symbols availability. |
+| 3 | GP-MODEL-DIFF-0001 | TODO | None | Guild - Tools | Define `GoldenDiffReport` record with section comparison, verdict, confidence, tool version. |
+| 4 | GP-SCHEMA-JSON-0001 | TODO | Depends on MODEL-* | Guild - Tools | Create JSON Schema `golden-pair-v1.schema.json` for metadata validation. Publish to `docs/schemas/`. |
+| 5 | GP-SCHEMA-INDEX-0001 | TODO | Depends on SCHEMA-JSON | Guild - Tools | Create corpus index schema `golden-pairs-index.schema.json` for dataset manifest. |
+| 6 | GP-STORAGE-LAYOUT-0001 | TODO | Depends on MODEL-* | Guild - Tools | Document storage layout in `datasets/golden-pairs/README.md`. Include artifact naming conventions. |
+| 7 | GP-MODEL-LOADER-0001 | TODO | Depends on all models | Guild - Tools | Implement `GoldenPairLoader` service to read/validate metadata from filesystem. |
+| 8 | GP-MODEL-TESTS-0001 | TODO | Depends on all above | Guild - Tools | Unit tests for model serialization, schema validation, loader functionality. |
+
+## Technical Specification
+
+### Core Models
+
+```csharp
+namespace StellaOps.Tools.GoldenPairs.Models;
+
+/// <summary>
+/// Metadata for a golden pair (stock vs patched binary).
+/// </summary>
+public sealed record GoldenPairMetadata
+{
+    /// <summary>CVE identifier (e.g., "CVE-2022-0847").</summary>
+    public required string Cve { get; init; }
+
+    /// <summary>Human-readable vulnerability name.</summary>
+    public required string Name { get; init; }
+
+    /// <summary>Brief description of the vulnerability.</summary>
+    public string? Description { get; init; }
+
+    /// <summary>Severity level (critical, high, medium, low).</summary>
+    public required string Severity { get; init; }
+
+    /// <summary>Target artifact information.</summary>
+    public required ArtifactInfo Artifact { get; init; }
+
+    /// <summary>Original (unpatched) binary.</summary>
+    public required BinaryArtifact Original { get; init; }
+
+    /// <summary>Patched binary.</summary>
+    public required BinaryArtifact Patched { get; init; }
+
+    /// <summary>Patch commit/change information.</summary>
+    public required PatchInfo Patch { get; init; }
+
+    /// <summary>Security advisories for this CVE.</summary>
+    public ImmutableArray<AdvisoryRef> Advisories { get; init; } = [];
+
+    /// <summary>Expected diff results for validation.</summary>
+    public required ExpectedDiff ExpectedDiff { get; init; }
+
+    /// <summary>When this pair was created.</summary>
+    public required DateTimeOffset CreatedAt { get; init; }
+
+    /// <summary>Tool version that created this pair.</summary>
+    public required string CreatedBy { get; init; }
+}
+
+/// <summary>
+/// Information about the target artifact.
+/// </summary>
+public sealed record ArtifactInfo
+{
+    /// <summary>Artifact name (e.g., "vmlinux", "sudo", "spoolsv.dll").</summary>
+    public required string Name { get; init; }
+
+    /// <summary>Binary format (elf, pe, macho).</summary>
+    public required string Format { get; init; }
+
+    /// <summary>CPU architecture (x86_64, aarch64, etc.).</summary>
+    public required string Architecture { get; init; }
+
+    /// <summary>Operating system (linux, windows, darwin).</summary>
+    public string Os { get; init; } = "linux";
+}
+
+/// <summary>
+/// A binary artifact in the golden pair.
+/// </summary>
+public sealed record BinaryArtifact
+{
+    /// <summary>Package name (e.g., "linux-image-5.16.11-generic").</summary>
+    public required string Package { get; init; }
+
+    /// <summary>Package version.</summary>
+    public required string Version { get; init; }
+
+    /// <summary>Distribution (e.g., "Ubuntu 22.04", "Debian 11").</summary>
+    public required string Distro { get; init; }
+
+    /// <summary>Package source (apt://, https://, file://).</summary>
+    public required string Source { get; init; }
+
+    /// <summary>SHA-256 hash of the binary.</summary>
+    public required string Sha256 { get; init; }
+
+    /// <summary>ELF Build-ID or PE GUID (if available).</summary>
+    public string? BuildId { get; init; }
+
+    /// <summary>Debug symbols available.</summary>
+    public bool HasDebugSymbols { get; init; }
+
+    /// <summary>Path to debug symbols package.</summary>
+    public string? DebugSymbolsSource { get; init; }
+
+    /// <summary>Relative path within the package.</summary>
+    public string? PathInPackage { get; init; }
+}
+
+/// <summary>
+/// Information about the security patch.
+/// </summary>
+public sealed record PatchInfo
+{
+    /// <summary>Commit hash of the fix.</summary>
+    public required string Commit { get; init; }
+
+    /// <summary>URL to upstream commit.</summary>
+    public string? Upstream { get; init; }
+
+    /// <summary>Functions changed by the patch.</summary>
+    public ImmutableArray<string> FunctionsChanged { get; init; } = [];
+
+    /// <summary>Files changed by the patch.</summary>
+    public ImmutableArray<string> FilesChanged { get; init; } = [];
+
+    /// <summary>Patch summary.</summary>
+    public string? Summary { get; init; }
+}
+
+/// <summary>
+/// Reference to a security advisory.
+/// </summary>
+public sealed record AdvisoryRef
+{
+    /// <summary>Advisory source (ubuntu, debian, nvd, msrc, etc.).</summary>
+    public required string Source { get; init; }
+
+    /// <summary>Advisory identifier (e.g., "USN-5317-1").</summary>
+    public required string Id { get; init; }
+
+    /// <summary>URL to the advisory.</summary>
+    public required string Url { get; init; }
+}
+
+/// <summary>
+/// Expected diff results for validation.
+/// </summary>
+public sealed record ExpectedDiff
+{
+    /// <summary>Sections expected to be modified.</summary>
+    public ImmutableArray<string> SectionsChanged { get; init; } = [];
+
+    /// <summary>Sections expected to be identical.</summary>
+    public ImmutableArray<string> SectionsIdentical { get; init; } = [];
+
+    /// <summary>Expected verdict (patched, vanilla, unknown).</summary>
+    public required string Verdict { get; init; }
+
+    /// <summary>Minimum confidence score expected.</summary>
+    public double ConfidenceMin { get; init; } = 0.9;
+}
+```
+
+### Diff Report Model
+
+```csharp
+/// <summary>
+/// Report from comparing a golden pair.
+/// </summary>
+public sealed record GoldenDiffReport
+{
+    /// <summary>CVE being analyzed.</summary>
+    public required string Cve { get; init; }
+
+    /// <summary>Original binary info.</summary>
+    public required ArtifactHashInfo Original { get; init; }
+
+    /// <summary>Patched binary info.</summary>
+    public required ArtifactHashInfo Patched { get; init; }
+
+    /// <summary>Section-by-section comparison.</summary>
+    public required ImmutableArray<SectionComparison> Sections { get; init; }
+
+    /// <summary>Overall verdict.</summary>
+    public required string Verdict { get; init; }
+
+    /// <summary>Confidence score (0.0-1.0).</summary>
+    public required double Confidence { get; init; }
+
+    /// <summary>Whether result matches expected.</summary>
+    public required bool MatchesExpected { get; init; }
+
+    /// <summary>Discrepancies from expected (if any).</summary>
+    public ImmutableArray<string> Discrepancies { get; init; } = [];
+
+    /// <summary>Analysis timestamp.</summary>
+    public required DateTimeOffset AnalyzedAt { get; init; }
+
+    /// <summary>Tool version.</summary>
+    public required string ToolVersion { get; init; }
+}
+
+public sealed record ArtifactHashInfo
+{
+    public required string Sha256 { get; init; }
+    public string? BuildId { get; init; }
+}
+
+public sealed record SectionComparison
+{
+    public required string Name { get; init; }
+    public required string Status { get; init; }  // identical, modified, added, removed
+    public string? OriginalHash { get; init; }
+    public string? PatchedHash { get; init; }
+    public long? SizeDelta { get; init; }
+}
+```
+
+### JSON Schema (Excerpt)
+
+```json
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.io/schemas/golden-pair-v1.schema.json",
+  "title": "GoldenPairMetadata",
+  "type": "object",
+  "required": ["cve", "name", "severity", "artifact", "original", "patched", "patch", "expectedDiff", "createdAt", "createdBy"],
+  "properties": {
+    "cve": {
+      "type": "string",
+      "pattern": "^CVE-\\d{4}-\\d{4,}$"
+    },
+    "name": { "type": "string", "minLength": 1 },
+    "severity": { "enum": ["critical", "high", "medium", "low"] },
+    "artifact": { "$ref": "#/$defs/ArtifactInfo" },
+    "original": { "$ref": "#/$defs/BinaryArtifact" },
+    "patched": { "$ref": "#/$defs/BinaryArtifact" },
+    "patch": { "$ref": "#/$defs/PatchInfo" },
+    "advisories": {
+      "type": "array",
+      "items": { "$ref": "#/$defs/AdvisoryRef" }
+    },
+    "expectedDiff": { "$ref": "#/$defs/ExpectedDiff" },
+    "createdAt": { "type": "string", "format": "date-time" },
+    "createdBy": { "type": "string" }
+  },
+  "$defs": {
+    "ArtifactInfo": {
+      "type": "object",
+      "required": ["name", "format", "architecture"],
+      "properties": {
+        "name": { "type": "string" },
+        "format": { "enum": ["elf", "pe", "macho"] },
+        "architecture": { "type": "string" }
+      }
+    }
+    // ... additional definitions
+  }
+}
+```
+
+### Storage Layout
+
+```
+datasets/golden-pairs/
++-- index.json                    # Corpus manifest
++-- README.md                     # Documentation
++-- CVE-2022-0847/
+|   +-- metadata.json             # GoldenPairMetadata
+|   +-- original/
+|   |   +-- vmlinux               # Unpatched binary
+|   |   +-- vmlinux.sha256        # Hash file
+|   |   +-- vmlinux.sections.json # Pre-computed section hashes
+|   +-- patched/
+|   |   +-- vmlinux               # Patched binary
+|   |   +-- vmlinux.sha256
+|   |   +-- vmlinux.sections.json
+|   +-- diff-report.json          # Comparison output
+|   +-- advisories/
+|       +-- USN-5317-1.txt        # Advisory text
++-- CVE-2021-3156/
+    +-- ...
+```
+
+## Determinism Requirements
+
+1. **Hashes**: SHA-256 lowercase hex, no prefix
+2. **Timestamps**: UTC ISO-8601
+3. **Ordering**: Sections sorted by name; advisories sorted by source+id
+4. **JSON**: Canonical formatting (sorted keys, 2-space indent)
+
+## Test Cases
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `Serialize_RoundTrip_Identical` | Serialize then deserialize | Identical metadata |
+| `Validate_ValidSchema_Passes` | Valid JSON against schema | Validation passes |
+| `Validate_MissingCve_Fails` | Missing required field | Validation fails |
+| `Load_ExistingPair_ReturnsMetadata` | Load from filesystem | Correct metadata |
+| `Load_MissingFiles_ReturnsError` | Missing artifact files | Error with details |
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint created from advisory analysis. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED**: Store binaries outside git, reference by hash.
+- **APPROVED**: Pre-compute section hashes for faster diff pipeline.
+- **RISK**: Large binaries may exceed storage limits; use compression.
+
+## Next Checkpoints
+
+- Task 1-3 complete -> Core models ready
+- Task 4-6 complete -> Schema and storage documented
+- Task 7-8 complete -> Sprint can be marked DONE

docs/implplan/SPRINT_20260113_004_002_TOOLS_mirror_diff_pipeline.md

@@ -0,0 +1,330 @@
+# Sprint 20260113_004_002_TOOLS - Mirror & Diff Pipeline
+
+## Topic & Scope
+
+- Implement package mirror service for Debian/Ubuntu
+- Create diff pipeline service for golden pair validation
+- Build validation harness for expected outcomes
+- Support reproducible artifact fetching
+- **Working directory:** `src/Tools/GoldenPairs/`
+
+## Dependencies & Concurrency
+
+- **Depends on:** Sprint 004_001 (Data Model)
+- **Depends on:** Batch 001 Sprint 001 (ELF Section Hashes)
+- Sprint 3 (Pilot Corpus) depends on this sprint
+
+## Documentation Prerequisites
+
+- `docs/README.md`
+- `CLAUDE.md` Section 8 (Determinism Rules)
+- Sprint 004_001 data models
+- Batch 001 `ElfSectionHashExtractor` interface
+- Debian/Ubuntu apt repository structure
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+|---|---------|--------|---------------------------|--------|-----------------|
+| 1 | GP-MIRROR-INTERFACE-0001 | TODO | None | Guild - Tools | Define `IPackageMirrorService` interface with `FetchAsync(artifact, destination, ct)` signature. Support verification and resume. |
+| 2 | GP-MIRROR-APT-0001 | TODO | Depends on INTERFACE | Guild - Tools | Implement `AptPackageMirrorService` for Debian/Ubuntu. Parse Packages.gz, download .deb, extract target binary. |
+| 3 | GP-MIRROR-VERIFY-0001 | TODO | Depends on APT | Guild - Tools | Implement hash verification: compare downloaded SHA-256 with metadata. Fail if mismatch. |
+| 4 | GP-DIFF-INTERFACE-0001 | TODO | Sprint 001 models | Guild - Tools | Define `IDiffPipelineService` interface with `DiffAsync(pair, ct)` returning `GoldenDiffReport`. |
+| 5 | GP-DIFF-IMPL-0001 | TODO | Depends on INTERFACE, Batch 001 | Guild - Tools | Implement `DiffPipelineService` that: loads metadata, extracts section hashes, compares, produces report. |
+| 6 | GP-DIFF-VALIDATE-0001 | TODO | Depends on IMPL | Guild - Tools | Implement validation against `expectedDiff`: check sections changed/identical, verdict, confidence threshold. |
+| 7 | GP-CLI-MIRROR-0001 | TODO | Depends on MIRROR-* | Guild - Tools | Add `golden-pairs mirror <cve>` CLI command to fetch artifacts for a pair. |
+| 8 | GP-CLI-DIFF-0001 | TODO | Depends on DIFF-* | Guild - Tools | Add `golden-pairs diff <cve>` CLI command to run diff and validation. |
+| 9 | GP-CLI-VALIDATE-0001 | TODO | Depends on all above | Guild - Tools | Add `golden-pairs validate` CLI command to run all pairs and produce summary. |
+| 10 | GP-TESTS-0001 | TODO | Depends on all above | Guild - Tools | Unit and integration tests for mirror, diff, validation services. |
+
+## Technical Specification
+
+### Mirror Service Interface
+
+```csharp
+namespace StellaOps.Tools.GoldenPairs.Services;
+
+/// <summary>
+/// Service for mirroring package artifacts.
+/// </summary>
+public interface IPackageMirrorService
+{
+    /// <summary>
+    /// Fetches an artifact from its source.
+    /// </summary>
+    /// <param name="artifact">Artifact to fetch.</param>
+    /// <param name="destination">Local destination path.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Result with hash and path.</returns>
+    Task<MirrorResult> FetchAsync(
+        BinaryArtifact artifact,
+        string destination,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Verifies a local artifact against expected hash.
+    /// </summary>
+    Task<bool> VerifyAsync(
+        string path,
+        string expectedSha256,
+        CancellationToken cancellationToken = default);
+}
+
+public sealed record MirrorResult
+{
+    public required bool Success { get; init; }
+    public required string LocalPath { get; init; }
+    public required string ActualSha256 { get; init; }
+    public bool HashMatches { get; init; }
+    public string? ErrorMessage { get; init; }
+    public long BytesDownloaded { get; init; }
+}
+```
+
+### Apt Mirror Implementation
+
+```csharp
+public class AptPackageMirrorService : IPackageMirrorService
+{
+    private readonly IHttpClientFactory _httpClientFactory;
+    private readonly ILogger<AptPackageMirrorService> _logger;
+
+    public async Task<MirrorResult> FetchAsync(
+        BinaryArtifact artifact,
+        string destination,
+        CancellationToken ct = default)
+    {
+        // Parse source URI: apt://archive.ubuntu.com/ubuntu/pool/main/l/linux/...
+        var uri = ParseAptUri(artifact.Source);
+
+        // Download .deb package
+        var debPath = Path.Combine(destination, $"{artifact.Package}.deb");
+        await DownloadWithRetryAsync(uri, debPath, ct);
+
+        // Extract target binary from .deb
+        var binaryPath = await ExtractFromDebAsync(debPath, artifact.PathInPackage, destination, ct);
+
+        // Verify hash
+        var actualHash = await ComputeSha256Async(binaryPath, ct);
+        var hashMatches = string.Equals(actualHash, artifact.Sha256, StringComparison.OrdinalIgnoreCase);
+
+        return new MirrorResult
+        {
+            Success = hashMatches,
+            LocalPath = binaryPath,
+            ActualSha256 = actualHash,
+            HashMatches = hashMatches,
+            ErrorMessage = hashMatches ? null : $"Hash mismatch: expected {artifact.Sha256}, got {actualHash}"
+        };
+    }
+
+    private async Task<string> ExtractFromDebAsync(
+        string debPath,
+        string? pathInPackage,
+        string destination,
+        CancellationToken ct)
+    {
+        // .deb is ar archive containing data.tar.* with actual files
+        // Use ar + tar to extract, or SharpCompress library
+        // ...
+    }
+}
+```
+
+### Diff Pipeline Interface
+
+```csharp
+/// <summary>
+/// Pipeline for diffing golden pairs.
+/// </summary>
+public interface IDiffPipelineService
+{
+    /// <summary>
+    /// Runs diff analysis on a golden pair.
+    /// </summary>
+    Task<GoldenDiffReport> DiffAsync(
+        GoldenPairMetadata pair,
+        DiffOptions? options = null,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Validates a diff report against expected outcomes.
+    /// </summary>
+    ValidationResult Validate(GoldenDiffReport report, ExpectedDiff expected);
+}
+
+public sealed record DiffOptions
+{
+    /// <summary>Sections to analyze (default: all).</summary>
+    public ImmutableArray<string>? SectionFilter { get; init; }
+
+    /// <summary>Skip hash computation if pre-computed hashes exist.</summary>
+    public bool UsePrecomputedHashes { get; init; } = true;
+
+    /// <summary>Include function-level analysis if debug symbols available.</summary>
+    public bool IncludeFunctionAnalysis { get; init; } = false;
+}
+
+public sealed record ValidationResult
+{
+    public required bool IsValid { get; init; }
+    public required ImmutableArray<string> Errors { get; init; }
+    public required ImmutableArray<string> Warnings { get; init; }
+}
+```
+
+### Diff Pipeline Implementation
+
+```csharp
+public class DiffPipelineService : IDiffPipelineService
+{
+    private readonly IElfSectionHashExtractor _elfExtractor;
+    private readonly TimeProvider _timeProvider;
+    private readonly ILogger<DiffPipelineService> _logger;
+
+    public async Task<GoldenDiffReport> DiffAsync(
+        GoldenPairMetadata pair,
+        DiffOptions? options = null,
+        CancellationToken ct = default)
+    {
+        options ??= new DiffOptions();
+
+        // Get or compute section hashes
+        var originalHashes = await GetSectionHashesAsync(pair, isOriginal: true, options, ct);
+        var patchedHashes = await GetSectionHashesAsync(pair, isOriginal: false, options, ct);
+
+        // Compare sections
+        var sections = CompareSections(originalHashes, patchedHashes, options.SectionFilter);
+
+        // Determine verdict
+        var (verdict, confidence) = DetermineVerdict(sections, pair.ExpectedDiff);
+
+        // Validate against expected
+        var matchesExpected = ValidateAgainstExpected(sections, verdict, confidence, pair.ExpectedDiff);
+
+        return new GoldenDiffReport
+        {
+            Cve = pair.Cve,
+            Original = new ArtifactHashInfo { Sha256 = pair.Original.Sha256, BuildId = pair.Original.BuildId },
+            Patched = new ArtifactHashInfo { Sha256 = pair.Patched.Sha256, BuildId = pair.Patched.BuildId },
+            Sections = sections,
+            Verdict = verdict,
+            Confidence = confidence,
+            MatchesExpected = matchesExpected.IsValid,
+            Discrepancies = matchesExpected.Errors,
+            AnalyzedAt = _timeProvider.GetUtcNow(),
+            ToolVersion = GetToolVersion()
+        };
+    }
+
+    private (string verdict, double confidence) DetermineVerdict(
+        ImmutableArray<SectionComparison> sections,
+        ExpectedDiff expected)
+    {
+        var textSection = sections.FirstOrDefault(s => s.Name == ".text");
+
+        if (textSection is null)
+            return ("unknown", 0.5);
+
+        if (textSection.Status == "modified")
+        {
+            // .text changed -> likely patched
+            var otherChanges = sections.Count(s => s.Status == "modified" && s.Name != ".text");
+            var confidence = otherChanges > 2 ? 0.7 : 0.95;  // Too many changes = less certain
+            return ("patched", confidence);
+        }
+
+        if (textSection.Status == "identical")
+        {
+            return ("vanilla", 0.9);
+        }
+
+        return ("unknown", 0.5);
+    }
+}
+```
+
+### CLI Commands
+
+```
+golden-pairs <command>
+
+Commands:
+  mirror <cve>       Fetch artifacts for a golden pair
+  diff <cve>         Run diff analysis on a golden pair
+  validate           Validate all golden pairs in corpus
+  list               List all available golden pairs
+
+Examples:
+  golden-pairs mirror CVE-2022-0847
+  golden-pairs diff CVE-2022-0847 --output json
+  golden-pairs validate --fail-fast
+```
+
+### CI Integration
+
+```yaml
+# .gitea/workflows/golden-pairs-validation.yml
+name: Golden Pairs Validation
+
+on:
+  push:
+    paths:
+      - 'datasets/golden-pairs/**'
+      - 'src/Tools/GoldenPairs/**'
+  schedule:
+    - cron: '0 0 * * 0'  # Weekly
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-dotnet@v4
+      - run: dotnet build src/Tools/GoldenPairs/
+      - run: dotnet run --project src/Tools/GoldenPairs/ -- validate --output trx
+      - uses: dorny/test-reporter@v1
+        with:
+          name: Golden Pairs
+          path: 'golden-pairs.trx'
+          reporter: dotnet-trx
+```
+
+## Determinism Requirements
+
+1. **Download order**: Single-threaded to ensure reproducibility
+2. **Hash computation**: Identical algorithm as Batch 001
+3. **Timestamps**: From injected `TimeProvider`
+4. **Report ordering**: Sections sorted by name
+
+## Test Cases
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `Mirror_ValidPackage_Downloads` | Download existing package | Success, hash matches |
+| `Mirror_MissingPackage_Fails` | Download non-existent package | Failure with error message |
+| `Mirror_HashMismatch_Fails` | Download with wrong hash | Failure, hash mismatch reported |
+| `Diff_ModifiedText_ReturnsPatched` | Pair with .text changed | Verdict: patched |
+| `Diff_IdenticalAll_ReturnsVanilla` | Pair with no changes | Verdict: vanilla |
+| `Validate_MatchesExpected_Passes` | Diff matches expectedDiff | IsValid: true |
+| `Validate_WrongVerdict_Fails` | Diff disagrees with expected | IsValid: false, error listed |
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint created from advisory analysis. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED**: Support apt:// sources first; add RPM later.
+- **APPROVED**: Cache downloaded packages locally to avoid re-fetch.
+- **RISK**: Apt repository structure may vary; handle exceptions gracefully.
+- **RISK**: Some packages may be removed from mirrors; document fallbacks.
+
+## Next Checkpoints
+
+- Task 1-3 complete -> Mirror service operational
+- Task 4-6 complete -> Diff pipeline operational
+- Task 7-9 complete -> CLI usable
+- Task 10 complete -> Sprint can be marked DONE

docs/implplan/SPRINT_20260113_004_003_TOOLS_pilot_corpus.md

@@ -0,0 +1,259 @@
+# Sprint 20260113_004_003_TOOLS - Pilot CVE Corpus (3 CVEs)
+
+## Topic & Scope
+
+- Populate pilot corpus with 3 CVE golden pairs
+- CVE-2022-0847 (Dirty Pipe): Linux kernel
+- CVE-2021-3156 (Baron Samedit): sudo userland
+- CVE-2021-34527 (PrintNightmare): Windows PE (conditional)
+- Document each pair with advisories and patch info
+- **Working directory:** `datasets/golden-pairs/`
+
+## Dependencies & Concurrency
+
+- **Depends on:** Sprint 004_001 (Data Model)
+- **Depends on:** Sprint 004_002 (Pipeline)
+- **Depends on:** Batch 001 Sprint 001 (ELF Section Hashes) for validation
+- Final sprint in batch
+
+## Documentation Prerequisites
+
+- Sprint 004_001 data models
+- Sprint 004_002 pipeline services
+- Vulnerability details for each CVE
+- Package sources for target distros
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+|---|---------|--------|---------------------------|--------|-----------------|
+| 1 | GP-CORPUS-DIRTYPIPE-META-0001 | TODO | None | Guild - Tools | Create `CVE-2022-0847/metadata.json` with full golden pair metadata. Identify Ubuntu 22.04 kernel package versions. |
+| 2 | GP-CORPUS-DIRTYPIPE-FETCH-0001 | TODO | Depends on META, Sprint 002 | Guild - Tools | Fetch vmlinux binaries for pre-patch (5.16.11) and post-patch (5.16.12) versions using mirror service. |
+| 3 | GP-CORPUS-DIRTYPIPE-DIFF-0001 | TODO | Depends on FETCH | Guild - Tools | Run diff pipeline, validate .text section change, verify verdict matches expected. |
+| 4 | GP-CORPUS-DIRTYPIPE-DOCS-0001 | TODO | Depends on all above | Guild - Tools | Document advisory links, patch commit, functions changed. Archive advisory PDFs. |
+| 5 | GP-CORPUS-BARON-META-0001 | TODO | None | Guild - Tools | Create `CVE-2021-3156/metadata.json`. Identify Debian 11 sudo package versions. |
+| 6 | GP-CORPUS-BARON-FETCH-0001 | TODO | Depends on META, Sprint 002 | Guild - Tools | Fetch sudo binaries for pre-patch and post-patch versions. |
+| 7 | GP-CORPUS-BARON-DIFF-0001 | TODO | Depends on FETCH | Guild - Tools | Run diff pipeline, validate, verify verdict. |
+| 8 | GP-CORPUS-BARON-DOCS-0001 | TODO | Depends on all above | Guild - Tools | Document advisory links, patch commit. |
+| 9 | GP-CORPUS-PRINT-META-0001 | TODO (CONDITIONAL) | PE support ready | Guild - Tools | Create `CVE-2021-34527/metadata.json` if PE section hashing available. |
+| 10 | GP-CORPUS-INDEX-0001 | TODO | Depends on all pairs | Guild - Tools | Create `index.json` corpus manifest listing all pairs with summary. |
+| 11 | GP-CORPUS-README-0001 | TODO | Depends on INDEX | Guild - Tools | Create `README.md` with corpus documentation, usage instructions, extension guide. |
+| 12 | GP-CORPUS-CI-0001 | TODO | Depends on all above | Guild - Tools | Add CI workflow to validate corpus on changes. Integrate with test reporting. |
+
+## Technical Specification
+
+### CVE-2022-0847 (Dirty Pipe)
+
+**Vulnerability:** Linux kernel pipe buffer flag handling allows privilege escalation.
+
+**Target:**
+- Binary: `vmlinux` (or specific .ko module `fs/pipe.c`)
+- Architecture: x86_64
+- Format: ELF
+
+**Package Sources (Ubuntu 22.04):**
+- Pre-patch: `linux-image-5.16.11-generic` from `archive.ubuntu.com`
+- Post-patch: `linux-image-5.16.12-generic`
+
+**Patch Info:**
+- Commit: `9d2231c5d74e13b2a0546fee6737ee4446017903`
+- Functions: `copy_page_to_iter_pipe`, `push_pipe`
+- Files: `fs/pipe.c`, `lib/iov_iter.c`
+
+**Expected Diff:**
+- `.text`: MODIFIED (vulnerability fix)
+- `.rodata`: IDENTICAL or MODIFIED (string changes)
+- Verdict: `patched`
+- Confidence: >= 0.9
+
+**Advisories:**
+- USN-5317-1: https://ubuntu.com/security/notices/USN-5317-1
+- NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-0847
+
+### CVE-2021-3156 (Baron Samedit)
+
+**Vulnerability:** Heap-based buffer overflow in sudo sudoedit.
+
+**Target:**
+- Binary: `/usr/bin/sudo`
+- Architecture: x86_64
+- Format: ELF
+
+**Package Sources (Debian 11):**
+- Pre-patch: `sudo_1.9.5p2-3` from `snapshot.debian.org`
+- Post-patch: `sudo_1.9.5p2-3+deb11u1`
+
+**Patch Info:**
+- Functions: `set_cmnd`, `sudoedit_setup`
+- Files: `src/sudoers.c`, `src/sudoedit.c`
+
+**Expected Diff:**
+- `.text`: MODIFIED
+- Verdict: `patched`
+
+**Advisories:**
+- DSA-4839-1: https://www.debian.org/security/2021/dsa-4839
+- NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-3156
+
+### CVE-2021-34527 (PrintNightmare) - CONDITIONAL
+
+**Vulnerability:** Windows Print Spooler remote code execution.
+
+**Target:**
+- Binary: `spoolsv.dll` or `localspl.dll`
+- Architecture: x64
+- Format: PE
+
+**Condition:** Only include if PE section hashing from Batch 001 is available.
+
+**Package Sources:**
+- Microsoft Update Catalog KB5004945
+- Or: Extract from Windows ISO
+
+**Expected Diff:**
+- `.text`: MODIFIED
+- Verdict: `patched`
+
+### Metadata Template
+
+```json
+{
+  "cve": "CVE-2022-0847",
+  "name": "Dirty Pipe",
+  "description": "A flaw was found in the way the pipe buffer flag was handled in the Linux kernel. An unprivileged local user could exploit this flaw to overwrite data in arbitrary read-only files.",
+  "severity": "high",
+  "artifact": {
+    "name": "vmlinux",
+    "format": "elf",
+    "architecture": "x86_64",
+    "os": "linux"
+  },
+  "original": {
+    "package": "linux-image-5.16.11-generic",
+    "version": "5.16.11",
+    "distro": "Ubuntu 22.04",
+    "source": "apt://archive.ubuntu.com/ubuntu/pool/main/l/linux/linux-image-5.16.11-generic_5.16.11-amd64.deb",
+    "sha256": "TODO_COMPUTE_AFTER_FETCH",
+    "buildId": "TODO_EXTRACT_AFTER_FETCH",
+    "hasDebugSymbols": false,
+    "pathInPackage": "/boot/vmlinux-5.16.11-generic"
+  },
+  "patched": {
+    "package": "linux-image-5.16.12-generic",
+    "version": "5.16.12",
+    "distro": "Ubuntu 22.04",
+    "source": "apt://archive.ubuntu.com/ubuntu/pool/main/l/linux/linux-image-5.16.12-generic_5.16.12-amd64.deb",
+    "sha256": "TODO_COMPUTE_AFTER_FETCH",
+    "buildId": "TODO_EXTRACT_AFTER_FETCH",
+    "hasDebugSymbols": false,
+    "pathInPackage": "/boot/vmlinux-5.16.12-generic"
+  },
+  "patch": {
+    "commit": "9d2231c5d74e13b2a0546fee6737ee4446017903",
+    "upstream": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d2231c5d74e13b2a0546fee6737ee4446017903",
+    "functionsChanged": ["copy_page_to_iter_pipe", "push_pipe"],
+    "filesChanged": ["fs/pipe.c", "lib/iov_iter.c"],
+    "summary": "Fix PIPE_BUF_FLAG_CAN_MERGE handling to prevent arbitrary file overwrites"
+  },
+  "advisories": [
+    {
+      "source": "ubuntu",
+      "id": "USN-5317-1",
+      "url": "https://ubuntu.com/security/notices/USN-5317-1"
+    },
+    {
+      "source": "nvd",
+      "id": "CVE-2022-0847",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0847"
+    }
+  ],
+  "expectedDiff": {
+    "sectionsChanged": [".text"],
+    "sectionsIdentical": [".rodata", ".data", ".bss"],
+    "verdict": "patched",
+    "confidenceMin": 0.9
+  },
+  "createdAt": "2026-01-13T12:00:00Z",
+  "createdBy": "StellaOps Golden Pairs Tool v1.0.0"
+}
+```
+
+### Corpus Index
+
+```json
+{
+  "version": "1.0.0",
+  "generatedAt": "2026-01-13T12:00:00Z",
+  "pairs": [
+    {
+      "cve": "CVE-2022-0847",
+      "name": "Dirty Pipe",
+      "severity": "high",
+      "format": "elf",
+      "status": "validated",
+      "lastValidated": "2026-01-13T12:00:00Z"
+    },
+    {
+      "cve": "CVE-2021-3156",
+      "name": "Baron Samedit",
+      "severity": "high",
+      "format": "elf",
+      "status": "validated",
+      "lastValidated": "2026-01-13T12:00:00Z"
+    }
+  ],
+  "summary": {
+    "total": 2,
+    "validated": 2,
+    "failed": 0
+  }
+}
+```
+
+## Validation Workflow
+
+```bash
+# 1. Fetch artifacts
+golden-pairs mirror CVE-2022-0847
+golden-pairs mirror CVE-2021-3156
+
+# 2. Run diff analysis
+golden-pairs diff CVE-2022-0847 --output json > CVE-2022-0847/diff-report.json
+golden-pairs diff CVE-2021-3156 --output json > CVE-2021-3156/diff-report.json
+
+# 3. Validate all
+golden-pairs validate --all
+# Expected output:
+# CVE-2022-0847: PASS (verdict=patched, confidence=0.95)
+# CVE-2021-3156: PASS (verdict=patched, confidence=0.92)
+# Summary: 2/2 passed
+```
+
+## Test Cases
+
+| Test | Description | Expected |
+|------|-------------|----------|
+| `DirtyPipe_Validate_Passes` | Full pipeline for CVE-2022-0847 | Verdict: patched, matches expected |
+| `BaronSamedit_Validate_Passes` | Full pipeline for CVE-2021-3156 | Verdict: patched, matches expected |
+| `Index_AllPairs_Listed` | Load index.json | All pairs enumerated |
+| `CI_Workflow_Succeeds` | Run validation in CI | All tests pass |
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2026-01-13 | Sprint created from advisory analysis. | Project Mgmt |
+
+## Decisions & Risks
+
+- **APPROVED**: Start with ELF only; PrintNightmare conditional on PE support.
+- **APPROVED**: Use Debian snapshot archive for reproducible sudo packages.
+- **RISK**: Kernel binaries are very large; consider extracting specific .ko modules.
+- **RISK**: Package removal from archives; cache locally after first fetch.
+
+## Next Checkpoints
+
+- Task 1-4 complete -> Dirty Pipe pair validated
+- Task 5-8 complete -> Baron Samedit pair validated
+- Task 10-12 complete -> Corpus published, CI integrated
+- Sprint and Batch complete

docs/modules/attestor/rekor-verification-design.md

@@ -1,19 +1,20 @@
 # Rekor Verification Technical Design
 
 **Document ID**: DOCS-ATTEST-REKOR-001
-**Version**: 1.0
+**Version**: 2.0
-**Last Updated**: 2025-12-14
+**Last Updated**: 2026-01-13
 **Status**: Draft
 
 ---
 
 ## 1. OVERVIEW
 
-This document provides the comprehensive technical design for Rekor transparency log verification in StellaOps. It covers three key capabilities:
+This document provides the comprehensive technical design for Rekor transparency log verification in StellaOps. It covers four key capabilities:
 
 1. **Merkle Proof Verification** - Cryptographic verification of inclusion proofs
 2. **Durable Retry Queue** - Reliable submission with failure recovery
 3. **Time Skew Validation** - Replay protection via timestamp validation
+4. **Tile-Based Verification (v2)** - Support for Rekor v2 Sunlight format
 
 ### Related Sprints
 
@@ -22,6 +23,7 @@ This document provides the comprehensive technical design for Rekor transparency
 | SPRINT_3000_0001_0001 | P0 | Merkle Proof Verification |
 | SPRINT_3000_0001_0002 | P1 | Rekor Retry Queue & Metrics |
 | SPRINT_3000_0001_0003 | P2 | Time Skew Validation |
+| SPRINT_3000_0001_0004 | P1 | Rekor v2 Tile-Based Verification |
 
 ---
 
@@ -405,6 +407,225 @@ public TimeSkewResult Validate(DateTimeOffset integratedTime, DateTimeOffset loc
 }
 ```
 
+### 3.4 Tile-Based Verification (Rekor v2)
+
+Rekor v2 introduces a tile-based log structure following the Sunlight/C2SP `tlog-tiles` specification. This enables offline-capable verification and more efficient proof computation.
+
+#### 3.4.1 Architecture Overview
+
+In tile-based logs, the Merkle tree is stored in fixed-size chunks (tiles) of 256 entries each:
+
+```
+                    Tile Structure (256 entries/tile)
+    ───────────────────────────────────────────────────────────
+                           Level 2 (root)
+                              [Tile]
+                             /      \
+                    Level 1 (intermediate)
+                   [Tile 0]  [Tile 1]  ...
+                   /      \
+              Level 0 (leaves)
+    [Tile 0] [Tile 1] [Tile 2] [Tile 3] ...
+
+    Each tile contains up to 256 hashes (32 bytes each = 8KB max)
+```
+
+#### 3.4.2 Log Version Configuration
+
+StellaOps supports automatic version detection and explicit version selection:
+
+```csharp
+public enum RekorLogVersion
+{
+    Auto = 0,   // Auto-detect based on endpoint availability
+    V1 = 1,     // Traditional Trillian-based Rekor (API proofs)
+    V2 = 2      // Tile-based Sunlight format
+}
+```
+
+**Version Selection Logic:**
+
+| Version | PreferTileProofs | Result |
+|---------|------------------|--------|
+| V2 | (any) | Always use tile proofs |
+| V1 | (any) | Always use API proofs |
+| Auto | true | Prefer tile proofs if available |
+| Auto | false | Use API proofs (default) |
+
+#### 3.4.3 Checkpoint Format
+
+V2 checkpoints follow the `c2sp.org/tlog-tiles` format:
+
+```
+rekor.sigstore.dev - 2605736670972794746
+<tree_size>
+<root_hash_base64>
+
+- rekor.sigstore.dev <signature_base64>
+```
+
+**Checkpoint Components:**
+- **Line 1**: Origin identifier (log name + instance)
+- **Line 2**: Tree size (number of leaves)
+- **Line 3**: Root hash (base64-encoded SHA-256)
+- **Blank line**: Separator
+- **Signature lines**: One or more `- <origin> <signature>` lines
+
+#### 3.4.4 Tile Path Calculation
+
+Tiles are fetched via URL paths following the scheme:
+
+```
+GET {tile_base_url}/tile/{level}/{index:03d}[.p/{partial_width}]
+
+Examples:
+- /tile/0/000        # Level 0, tile 0 (entries 0-255)
+- /tile/0/001        # Level 0, tile 1 (entries 256-511)
+- /tile/1/000        # Level 1, tile 0 (intermediate hashes)
+- /tile/0/042.p/128  # Partial tile with 128 entries
+```
+
+#### 3.4.5 Implementation Classes
+
+**IRekorTileClient Interface:**
+
+```csharp
+public interface IRekorTileClient
+{
+    Task<RekorTileCheckpoint?> GetCheckpointAsync(
+        RekorBackend backend,
+        CancellationToken cancellationToken = default);
+
+    Task<RekorTileData?> GetTileAsync(
+        RekorBackend backend,
+        int level,
+        long index,
+        CancellationToken cancellationToken = default);
+
+    Task<RekorTileEntry?> GetEntryAsync(
+        RekorBackend backend,
+        long logIndex,
+        CancellationToken cancellationToken = default);
+
+    Task<RekorTileInclusionProof?> ComputeInclusionProofAsync(
+        RekorBackend backend,
+        long logIndex,
+        long treeSize,
+        CancellationToken cancellationToken = default);
+}
+```
+
+**RekorTileData Model:**
+
+```csharp
+public sealed class RekorTileData
+{
+    public required int Level { get; init; }
+    public required long Index { get; init; }
+    public required int Width { get; init; }  // Number of hashes (max 256)
+    public required byte[] Hashes { get; init; }  // Width * 32 bytes
+
+    public byte[] GetHash(int position)
+    {
+        if (position < 0 || position >= Width)
+            throw new ArgumentOutOfRangeException(nameof(position));
+
+        var result = new byte[32];
+        Array.Copy(Hashes, position * 32, result, 0, 32);
+        return result;
+    }
+}
+```
+
+#### 3.4.6 Proof Computation Algorithm
+
+Computing an inclusion proof from tiles:
+
+```python
+def compute_inclusion_proof(log_index, tree_size, tile_client):
+    """Compute inclusion proof by fetching necessary tiles."""
+    proof_path = []
+    level = 0
+    index = log_index
+    size = tree_size
+
+    while size > 1:
+        tile_index = index // 256
+        position_in_tile = index % 256
+
+        # Determine sibling position
+        if index % 2 == 1:
+            sibling_pos = position_in_tile - 1
+        else:
+            sibling_pos = position_in_tile + 1 if position_in_tile + 1 < size else None
+
+        if sibling_pos is not None:
+            tile = tile_client.get_tile(level, tile_index)
+            proof_path.append(tile.get_hash(sibling_pos))
+
+        index = index // 2
+        size = (size + 1) // 2
+        level += 1
+
+    return proof_path
+```
+
+#### 3.4.7 Configuration
+
+```yaml
+attestor:
+  rekor:
+    primary:
+      url: https://rekor.sigstore.dev
+      # Version: Auto, V1, or V2
+      version: Auto
+      # Custom tile base URL (optional, defaults to {url}/tile/)
+      tile_base_url: ""
+      # Log ID for multi-log environments (hex-encoded SHA-256)
+      log_id: "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
+      # Prefer tile proofs when version is Auto
+      prefer_tile_proofs: false
+```
+
+**Environment Variables:**
+
+```bash
+# Rekor v2 Configuration
+REKOR_SERVER_URL=https://rekor.sigstore.dev
+REKOR_VERSION=Auto           # Auto, V1, or V2
+REKOR_TILE_BASE_URL=         # Optional custom tile endpoint
+REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
+REKOR_PREFER_TILE_PROOFS=false
+```
+
+#### 3.4.8 Offline Verification Benefits
+
+Tile-based verification enables true offline capability:
+
+1. **Pre-fetch tiles**: Download all necessary tiles during online phase
+2. **Bundle checkpoint**: Include signed checkpoint with offline kit
+3. **Local proof computation**: Compute proofs entirely from local tile data
+4. **No API dependency**: Verification works without Rekor connectivity
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                    Offline Verification                      │
+├─────────────────────────────────────────────────────────────┤
+│                                                              │
+│  ┌─────────────┐     ┌──────────────┐     ┌──────────────┐  │
+│  │ Checkpoint  │────►│ Tile Cache   │────►│ Proof        │  │
+│  │ (signed)    │     │ (local)      │     │ Verifier     │  │
+│  └─────────────┘     └──────────────┘     └──────────────┘  │
+│                                                              │
+│  Advantages:                                                 │
+│  - No network round-trips for proof fetching                │
+│  - Deterministic verification (same tiles = same proof)     │
+│  - Caching efficiency (tiles are immutable)                 │
+│  - Air-gap compatible                                        │
+│                                                              │
+└─────────────────────────────────────────────────────────────┘
+```
+
 ---
 
 ## 4. DATA FLOW
@@ -688,4 +909,7 @@ attestor:
 - [RFC 6962: Certificate Transparency](https://datatracker.ietf.org/doc/html/rfc6962)
 - [Sigstore Rekor](https://github.com/sigstore/rekor)
 - [Transparency.dev Checkpoint Format](https://github.com/transparency-dev/formats)
+- [C2SP tlog-tiles Specification](https://c2sp.org/tlog-tiles) - Tile-based transparency log format
+- [Sunlight CT Log](https://github.com/FiloSottile/sunlight) - Reference implementation for tile-based logs
+- [Sigstore Rekor v2 Announcement](https://blog.sigstore.dev/) - Official Rekor v2 migration information
 - [Advisory: Rekor Integration Technical Reference](../../../product/advisories/14-Dec-2025%20-%20Rekor%20Integration%20Technical%20Reference.md)

docs/modules/scanner/binary-diff-attestation.md

@@ -0,0 +1,355 @@
+# Binary Diff Attestation
+
+## Overview
+
+Binary Diff Attestation enables verification of binary-level changes between container images, producing cryptographically signed evidence of what changed at the ELF/PE section level. This capability is essential for:
+
+- **Vendor backport detection**: Identify when a vendor has patched a binary without changing version numbers
+- **Supply chain verification**: Prove that expected changes (and no unexpected changes) occurred between releases
+- **VEX evidence generation**: Provide concrete evidence for "not_affected" or "fixed" vulnerability status claims
+- **Audit trail**: Maintain verifiable records of binary modifications across deployments
+
+### Relationship to SBOM and VEX
+
+Binary diff attestations complement SBOM and VEX documents:
+
+| Artifact | Purpose | Granularity |
+|----------|---------|-------------|
+| SBOM | Inventory of components | Package/library level |
+| VEX | Exploitability status | Vulnerability level |
+| Binary Diff Attestation | Change evidence | Section/function level |
+
+The attestation provides the *evidence* that supports VEX claims. For example, a VEX statement claiming a CVE is "fixed" due to a vendor backport can reference the binary diff attestation showing the `.text` section hash changed.
+
+## Architecture
+
+### Component Diagram
+
+```
+┌──────────────────────────────────────────────────────────────────────────────┐
+│                          Binary Diff Attestation Flow                         │
+├──────────────────────────────────────────────────────────────────────────────┤
+│                                                                              │
+│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐   │
+│  │   OCI       │    │   Layer     │    │   Binary    │    │  Section    │   │
+│  │  Registry   │───▶│ Extraction  │───▶│ Detection   │───▶│   Hash      │   │
+│  │  Client     │    │             │    │             │    │ Extractor   │   │
+│  └─────────────┘    └─────────────┘    └─────────────┘    └──────┬──────┘   │
+│                                                                   │          │
+│         Base Image ─────────────────────────────────────┐        │          │
+│         Target Image ───────────────────────────────────┤        ▼          │
+│                                                         │  ┌─────────────┐  │
+│                                                         └─▶│   Diff      │  │
+│                                                            │ Computation │  │
+│                                                            └──────┬──────┘  │
+│                                                                   │          │
+│                                                                   ▼          │
+│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐   │
+│  │   DSSE      │◀───│  Predicate  │◀───│  Finding    │◀───│   Verdict   │   │
+│  │   Signer    │    │  Builder    │    │ Aggregation │    │ Classifier  │   │
+│  └──────┬──────┘    └─────────────┘    └─────────────┘    └─────────────┘   │
+│         │                                                                    │
+│         ▼                                                                    │
+│  ┌─────────────┐    ┌─────────────┐                                         │
+│  │   Rekor     │    │  File       │                                         │
+│  │ Submission  │    │  Output     │                                         │
+│  └─────────────┘    └─────────────┘                                         │
+│                                                                              │
+└──────────────────────────────────────────────────────────────────────────────┘
+```
+
+### Key Components
+
+| Component | Location | Responsibility |
+|-----------|----------|----------------|
+| `ElfSectionHashExtractor` | `Scanner.Analyzers.Native` | Extract per-section SHA-256 hashes from ELF binaries |
+| `BinaryDiffService` | `Cli.Services` | Orchestrate diff computation between two images |
+| `BinaryDiffPredicateBuilder` | `Attestor.StandardPredicates` | Construct BinaryDiffV1 in-toto predicates |
+| `BinaryDiffDsseSigner` | `Attestor.StandardPredicates` | Sign predicates with DSSE envelopes |
+
+### Data Flow
+
+1. **Image Resolution**: Resolve base and target image references to manifest digests
+2. **Layer Extraction**: Download and extract layers from both images
+3. **Binary Identification**: Identify ELF binaries in both filesystems
+4. **Section Hash Computation**: Compute SHA-256 for each target section in each binary
+5. **Diff Computation**: Compare section hashes between base and target
+6. **Verdict Classification**: Classify changes as patched/vanilla/unknown
+7. **Predicate Construction**: Build BinaryDiffV1 predicate with findings
+8. **DSSE Signing**: Sign predicate and optionally submit to Rekor
+
+## ELF Section Hashing
+
+### Target Sections
+
+The following ELF sections are analyzed for hash computation:
+
+| Section | Purpose | Backport Relevance |
+|---------|---------|-------------------|
+| `.text` | Executable code | **High** - Patched functions modify this section |
+| `.rodata` | Read-only data (strings, constants) | Medium - String constants may change with patches |
+| `.data` | Initialized global/static variables | Low - Rarely changes for security patches |
+| `.symtab` | Symbol table (function names, addresses) | **High** - Function signature changes |
+| `.dynsym` | Dynamic symbols (exports) | **High** - Exported API changes |
+
+### Hash Algorithm
+
+**Primary**: SHA-256
+- Industry standard, widely supported
+- Collision-resistant for security applications
+
+**Optional**: BLAKE3-256
+- Faster computation for large binaries
+- Enabled via configuration
+
+### Hash Computation
+
+```
+For each ELF binary:
+  1. Parse ELF header
+  2. Locate section headers
+  3. For each target section:
+     a. Read section contents
+     b. Compute SHA-256(contents)
+     c. Store: {name, offset, size, sha256}
+  4. Sort sections by name (lexicographic)
+  5. Return ElfSectionHashSet
+```
+
+### Determinism Guarantees
+
+All operations produce deterministic output:
+
+| Aspect | Guarantee |
+|--------|-----------|
+| Section ordering | Sorted lexicographically by name |
+| Hash format | Lowercase hexadecimal, no prefix |
+| Timestamps | From injected `TimeProvider` |
+| JSON serialization | RFC 8785 canonical JSON |
+
+## BinaryDiffV1 Predicate
+
+### Schema Overview
+
+The `BinaryDiffV1` predicate follows in-toto attestation format:
+
+```json
+{
+  "_type": "https://in-toto.io/Statement/v1",
+  "subject": [
+    {
+      "name": "docker://repo/app@sha256:target...",
+      "digest": { "sha256": "target..." }
+    }
+  ],
+  "predicateType": "stellaops.binarydiff.v1",
+  "predicate": {
+    "inputs": {
+      "base": { "digest": "sha256:base..." },
+      "target": { "digest": "sha256:target..." }
+    },
+    "findings": [...],
+    "metadata": {...}
+  }
+}
+```
+
+### Predicate Fields
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `subjects` | array | Target image references with digests |
+| `inputs.base` | object | Base image reference |
+| `inputs.target` | object | Target image reference |
+| `findings` | array | Per-binary diff findings |
+| `metadata` | object | Tool version, timestamp, config |
+
+### Finding Structure
+
+Each finding represents a binary comparison:
+
+```json
+{
+  "path": "/usr/lib/libssl.so.3",
+  "changeType": "modified",
+  "binaryFormat": "elf",
+  "sectionDeltas": [
+    { "section": ".text", "status": "modified" },
+    { "section": ".rodata", "status": "identical" }
+  ],
+  "confidence": 0.95,
+  "verdict": "patched"
+}
+```
+
+### Verdicts
+
+| Verdict | Meaning | Confidence Threshold |
+|---------|---------|---------------------|
+| `patched` | Binary shows evidence of security patch | >= 0.90 |
+| `vanilla` | Binary matches upstream/unmodified | >= 0.95 |
+| `unknown` | Cannot determine patch status | < 0.90 |
+| `incompatible` | Cannot compare (different architecture, etc.) | N/A |
+
+## DSSE Attestation
+
+### Envelope Structure
+
+```json
+{
+  "payloadType": "stellaops.binarydiff.v1",
+  "payload": "<base64-encoded predicate>",
+  "signatures": [
+    {
+      "keyid": "...",
+      "sig": "<base64-encoded signature>"
+    }
+  ]
+}
+```
+
+### Signature Algorithm
+
+- **Default**: Ed25519
+- **Alternative**: ECDSA P-256, RSA-PSS (via `ICryptoProviderRegistry`)
+- **Keyless**: Sigstore Fulcio certificate chain
+
+### Rekor Submission
+
+When Rekor is enabled:
+
+1. DSSE envelope is submitted to Rekor transparency log
+2. Inclusion proof is retrieved
+3. Rekor metadata is stored in result
+
+```json
+{
+  "rekorLogIndex": 12345678,
+  "rekorEntryId": "abc123...",
+  "integratedTime": "2026-01-13T12:00:00Z"
+}
+```
+
+### Verification
+
+Binary diff attestations can be verified with:
+
+```bash
+# Using cosign
+cosign verify-attestation \
+  --type stellaops.binarydiff.v1 \
+  --certificate-identity-regexp '.*' \
+  --certificate-oidc-issuer-regexp '.*' \
+  docker://repo/app:1.0.1
+
+# Using stella CLI
+stella verify attestation ./binarydiff.dsse.json \
+  --type stellaops.binarydiff.v1
+```
+
+## Integration Points
+
+### VEX Mapping
+
+Binary diff evidence can support VEX claims:
+
+```json
+{
+  "vulnerability": "CVE-2024-1234",
+  "status": "fixed",
+  "justification": "vulnerable_code_not_present",
+  "detail": "Vendor backport applied; evidence in binary diff attestation",
+  "evidence": {
+    "attestationRef": "sha256:dsse-envelope-hash...",
+    "finding": {
+      "path": "/usr/lib/libssl.so.3",
+      "verdict": "patched",
+      "confidence": 0.95
+    }
+  }
+}
+```
+
+### Policy Engine
+
+Policy rules can reference binary diff evidence:
+
+```rego
+# Accept high-confidence patch verdicts as mitigation
+allow contains decision if {
+    input.binaryDiff.findings[_].verdict == "patched"
+    input.binaryDiff.findings[_].confidence >= 0.90
+    decision := {
+        "action": "accept",
+        "reason": "Binary diff shows patched code",
+        "evidence": input.binaryDiff.attestationRef
+    }
+}
+```
+
+### SBOM Properties
+
+Section hashes appear in SBOM component properties:
+
+```json
+{
+  "type": "library",
+  "name": "libssl.so.3",
+  "properties": [
+    {"name": "evidence:section:.text:sha256", "value": "abc123..."},
+    {"name": "evidence:section:.rodata:sha256", "value": "def456..."},
+    {"name": "evidence:extractor-version", "value": "1.0.0"}
+  ]
+}
+```
+
+## Configuration
+
+### Scanner Options
+
+```yaml
+scanner:
+  native:
+    sectionHashes:
+      enabled: true
+      algorithms:
+        - sha256
+        - blake3  # optional
+      sections:
+        - .text
+        - .rodata
+        - .data
+        - .symtab
+        - .dynsym
+      maxSectionSize: 104857600  # 100MB limit
+```
+
+### CLI Options
+
+See [CLI Reference](../../API_CLI_REFERENCE.md#stella-scan-diff) for full option documentation.
+
+## Limitations and Future Work
+
+### Current Limitations
+
+1. **ELF only**: PE and Mach-O support planned for M2
+2. **Single platform**: Multi-platform diff requires multiple invocations
+3. **No function-level analysis**: Section-level granularity only
+4. **Confidence scoring**: Based on section changes, not semantic analysis
+
+### Roadmap
+
+| Milestone | Capability |
+|-----------|------------|
+| M2 | PE section analysis for Windows containers |
+| M2 | Mach-O section analysis for macOS binaries |
+| M3 | Vendor backport corpus with curated test fixtures |
+| M3 | Function-level diff using DWARF debug info |
+| M4 | ML-based verdict classification |
+
+## References
+
+- [BinaryDiffV1 JSON Schema](../../schemas/binarydiff-v1.schema.json)
+- [in-toto Attestation Specification](https://github.com/in-toto/attestation)
+- [DSSE Envelope Specification](https://github.com/secure-systems-lab/dsse)
+- [ELF Specification](https://refspecs.linuxfoundation.org/elf/elf.pdf)

docs/operations/rekor-policy.md

@@ -184,6 +184,18 @@ attestor:
     # Rekor server URL (default: public Sigstore Rekor)
     serverUrl: "https://rekor.sigstore.dev"
 
+    # Log version: Auto, V1, or V2 (V2 uses tile-based Sunlight format)
+    version: Auto
+
+    # Log ID for multi-log environments (hex-encoded SHA-256)
+    logId: "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
+
+    # Tile base URL for V2 (optional, defaults to {serverUrl}/tile/)
+    tileBaseUrl: ""
+
+    # Prefer tile proofs when version is Auto
+    preferTileProofs: false
+
     # Submission tier: graph-only | with-edges
     tier: graph-only
 
@@ -225,7 +237,9 @@ attestor:
 
 ## Related Documentation
 
+- [Rekor Verification Technical Design](../modules/attestor/rekor-verification-design.md) - Full technical design including v2 tile support
 - [Attestor AGENTS.md](../../src/Attestor/StellaOps.Attestor/AGENTS.md)
 - [Scanner Score Proofs API](../api/scanner-score-proofs-api.md)
 - [Offline Kit Specification](../OFFLINE_KIT.md)
 - [Sigstore Rekor Documentation](https://docs.sigstore.dev/rekor/overview/)
+- [C2SP tlog-tiles Specification](https://c2sp.org/tlog-tiles) - Tile-based transparency log format (v2)

docs/schemas/binarydiff-v1.schema.json

@@ -0,0 +1,344 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.io/schemas/binarydiff-v1.schema.json",
+  "title": "BinaryDiffV1",
+  "description": "In-toto predicate schema for binary-level diff attestations between container images",
+  "type": "object",
+  "required": ["predicateType", "inputs", "findings", "metadata"],
+  "additionalProperties": false,
+  "properties": {
+    "predicateType": {
+      "const": "stellaops.binarydiff.v1",
+      "description": "Predicate type identifier"
+    },
+    "inputs": {
+      "$ref": "#/$defs/BinaryDiffInputs",
+      "description": "Base and target image references"
+    },
+    "findings": {
+      "type": "array",
+      "items": {
+        "$ref": "#/$defs/BinaryDiffFinding"
+      },
+      "description": "Per-binary diff findings"
+    },
+    "metadata": {
+      "$ref": "#/$defs/BinaryDiffMetadata",
+      "description": "Analysis metadata"
+    }
+  },
+  "$defs": {
+    "BinaryDiffInputs": {
+      "type": "object",
+      "required": ["base", "target"],
+      "additionalProperties": false,
+      "properties": {
+        "base": {
+          "$ref": "#/$defs/ImageReference",
+          "description": "Base image reference"
+        },
+        "target": {
+          "$ref": "#/$defs/ImageReference",
+          "description": "Target image reference"
+        }
+      }
+    },
+    "ImageReference": {
+      "type": "object",
+      "required": ["digest"],
+      "additionalProperties": false,
+      "properties": {
+        "reference": {
+          "type": "string",
+          "description": "Full image reference (e.g., docker://repo/image:tag)",
+          "examples": ["docker://registry.example.com/app:1.0.0"]
+        },
+        "digest": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$",
+          "description": "Image digest in sha256:hex format"
+        },
+        "manifestDigest": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$",
+          "description": "Platform-specific manifest digest"
+        },
+        "platform": {
+          "$ref": "#/$defs/Platform"
+        }
+      }
+    },
+    "Platform": {
+      "type": "object",
+      "required": ["os", "architecture"],
+      "additionalProperties": false,
+      "properties": {
+        "os": {
+          "type": "string",
+          "description": "Operating system (e.g., linux, windows)",
+          "examples": ["linux", "windows"]
+        },
+        "architecture": {
+          "type": "string",
+          "description": "CPU architecture (e.g., amd64, arm64)",
+          "examples": ["amd64", "arm64", "386"]
+        },
+        "variant": {
+          "type": "string",
+          "description": "Architecture variant (e.g., v8 for arm64)",
+          "examples": ["v7", "v8"]
+        }
+      }
+    },
+    "BinaryDiffFinding": {
+      "type": "object",
+      "required": ["path", "changeType", "binaryFormat"],
+      "additionalProperties": false,
+      "properties": {
+        "path": {
+          "type": "string",
+          "description": "File path within the container filesystem",
+          "examples": ["/usr/lib/libssl.so.3", "/usr/bin/openssl"]
+        },
+        "changeType": {
+          "type": "string",
+          "enum": ["added", "removed", "modified", "unchanged"],
+          "description": "Type of change detected"
+        },
+        "binaryFormat": {
+          "type": "string",
+          "enum": ["elf", "pe", "macho", "unknown"],
+          "description": "Binary format detected"
+        },
+        "layerDigest": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$",
+          "description": "Layer digest that introduced this file/change"
+        },
+        "baseHashes": {
+          "$ref": "#/$defs/SectionHashSet",
+          "description": "Section hashes from base image binary"
+        },
+        "targetHashes": {
+          "$ref": "#/$defs/SectionHashSet",
+          "description": "Section hashes from target image binary"
+        },
+        "sectionDeltas": {
+          "type": "array",
+          "items": {
+            "$ref": "#/$defs/SectionDelta"
+          },
+          "description": "Per-section comparison results"
+        },
+        "confidence": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1,
+          "description": "Confidence score for verdict (0.0-1.0)"
+        },
+        "verdict": {
+          "type": "string",
+          "enum": ["patched", "vanilla", "unknown", "incompatible"],
+          "description": "Classification of the binary change"
+        }
+      }
+    },
+    "SectionHashSet": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "buildId": {
+          "type": "string",
+          "pattern": "^[a-f0-9]+$",
+          "description": "GNU Build-ID from .note.gnu.build-id section"
+        },
+        "fileHash": {
+          "type": "string",
+          "pattern": "^[a-f0-9]{64}$",
+          "description": "SHA-256 hash of the entire file"
+        },
+        "extractorVersion": {
+          "type": "string",
+          "description": "Version of the section hash extractor"
+        },
+        "sections": {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/$defs/SectionInfo"
+          },
+          "description": "Map of section name to section info"
+        }
+      }
+    },
+    "SectionInfo": {
+      "type": "object",
+      "required": ["sha256", "size"],
+      "additionalProperties": false,
+      "properties": {
+        "sha256": {
+          "type": "string",
+          "pattern": "^[a-f0-9]{64}$",
+          "description": "SHA-256 hash of section contents"
+        },
+        "blake3": {
+          "type": "string",
+          "pattern": "^[a-f0-9]{64}$",
+          "description": "Optional BLAKE3-256 hash of section contents"
+        },
+        "size": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Section size in bytes"
+        },
+        "offset": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Section offset in file"
+        },
+        "type": {
+          "type": "string",
+          "description": "ELF section type (e.g., SHT_PROGBITS)"
+        },
+        "flags": {
+          "type": "string",
+          "description": "ELF section flags (e.g., SHF_ALLOC | SHF_EXECINSTR)"
+        }
+      }
+    },
+    "SectionDelta": {
+      "type": "object",
+      "required": ["section", "status"],
+      "additionalProperties": false,
+      "properties": {
+        "section": {
+          "type": "string",
+          "description": "Section name (e.g., .text, .rodata)",
+          "examples": [".text", ".rodata", ".data", ".symtab", ".dynsym"]
+        },
+        "status": {
+          "type": "string",
+          "enum": ["identical", "modified", "added", "removed"],
+          "description": "Section comparison status"
+        },
+        "baseSha256": {
+          "type": "string",
+          "pattern": "^[a-f0-9]{64}$",
+          "description": "SHA-256 of section in base binary"
+        },
+        "targetSha256": {
+          "type": "string",
+          "pattern": "^[a-f0-9]{64}$",
+          "description": "SHA-256 of section in target binary"
+        },
+        "sizeDelta": {
+          "type": "integer",
+          "description": "Size difference (target - base) in bytes"
+        }
+      }
+    },
+    "BinaryDiffMetadata": {
+      "type": "object",
+      "required": ["toolVersion", "analysisTimestamp"],
+      "additionalProperties": false,
+      "properties": {
+        "toolVersion": {
+          "type": "string",
+          "description": "Version of the binary diff tool",
+          "examples": ["1.0.0", "2026.01.0"]
+        },
+        "analysisTimestamp": {
+          "type": "string",
+          "format": "date-time",
+          "description": "UTC timestamp of analysis (ISO-8601)"
+        },
+        "configDigest": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$",
+          "description": "SHA-256 of analysis configuration for reproducibility"
+        },
+        "totalBinaries": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Total number of binaries analyzed"
+        },
+        "modifiedBinaries": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Number of binaries with modifications"
+        },
+        "analyzedSections": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "List of section names analyzed",
+          "examples": [[".text", ".rodata", ".data", ".symtab", ".dynsym"]]
+        },
+        "hashAlgorithms": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["sha256", "blake3"]
+          },
+          "description": "Hash algorithms used"
+        }
+      }
+    }
+  },
+  "examples": [
+    {
+      "predicateType": "stellaops.binarydiff.v1",
+      "inputs": {
+        "base": {
+          "reference": "docker://registry.example.com/app:1.0.0",
+          "digest": "sha256:abc123def456789012345678901234567890123456789012345678901234abcd",
+          "platform": {
+            "os": "linux",
+            "architecture": "amd64"
+          }
+        },
+        "target": {
+          "reference": "docker://registry.example.com/app:1.0.1",
+          "digest": "sha256:def456abc789012345678901234567890123456789012345678901234567efgh",
+          "platform": {
+            "os": "linux",
+            "architecture": "amd64"
+          }
+        }
+      },
+      "findings": [
+        {
+          "path": "/usr/lib/libssl.so.3",
+          "changeType": "modified",
+          "binaryFormat": "elf",
+          "sectionDeltas": [
+            {
+              "section": ".text",
+              "status": "modified",
+              "baseSha256": "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef",
+              "targetSha256": "fedcba0987654321fedcba0987654321fedcba0987654321fedcba0987654321",
+              "sizeDelta": 256
+            },
+            {
+              "section": ".rodata",
+              "status": "identical",
+              "baseSha256": "abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890",
+              "targetSha256": "abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890",
+              "sizeDelta": 0
+            }
+          ],
+          "confidence": 0.95,
+          "verdict": "patched"
+        }
+      ],
+      "metadata": {
+        "toolVersion": "1.0.0",
+        "analysisTimestamp": "2026-01-13T12:00:00Z",
+        "totalBinaries": 156,
+        "modifiedBinaries": 3,
+        "analyzedSections": [".text", ".rodata", ".data", ".symtab", ".dynsym"],
+        "hashAlgorithms": ["sha256"]
+      }
+    }
+  ]
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core.Tests/Rekor/RekorReceiptTests.cs

@@ -0,0 +1,262 @@
+// -----------------------------------------------------------------------------
+// RekorReceiptTests.cs
+// Description: Unit tests for standardized Rekor receipt schema.
+// -----------------------------------------------------------------------------
+
+using System.Text.Json;
+using FluentAssertions;
+using StellaOps.Attestor.Core.Rekor;
+using Xunit;
+
+namespace StellaOps.Attestor.Core.Tests.Rekor;
+
+[Trait("Category", "Unit")]
+[Trait("Category", "Rekor")]
+public sealed class RekorReceiptTests
+{
+    [Fact]
+    public void RekorReceipt_SerializesToValidJson()
+    {
+        // Arrange
+        var receipt = CreateValidReceipt();
+
+        // Act
+        var json = JsonSerializer.Serialize(receipt, new JsonSerializerOptions { WriteIndented = true });
+
+        // Assert
+        json.Should().NotBeNullOrEmpty();
+        json.Should().Contain("\"schemaVersion\":");
+        json.Should().Contain("\"uuid\":");
+        json.Should().Contain("\"logIndex\":");
+        json.Should().Contain("\"checkpoint\":");
+        json.Should().Contain("\"inclusionProof\":");
+    }
+
+    [Fact]
+    public void RekorReceipt_RoundtripsCorrectly()
+    {
+        // Arrange
+        var original = CreateValidReceipt();
+
+        // Act
+        var json = JsonSerializer.Serialize(original);
+        var deserialized = JsonSerializer.Deserialize<RekorReceipt>(json);
+
+        // Assert
+        deserialized.Should().NotBeNull();
+        deserialized!.Uuid.Should().Be(original.Uuid);
+        deserialized.LogIndex.Should().Be(original.LogIndex);
+        deserialized.LogId.Should().Be(original.LogId);
+        deserialized.IntegratedTime.Should().Be(original.IntegratedTime);
+        deserialized.EntryKind.Should().Be(original.EntryKind);
+        deserialized.EntryBodyHash.Should().Be(original.EntryBodyHash);
+        deserialized.Checkpoint.Origin.Should().Be(original.Checkpoint.Origin);
+        deserialized.InclusionProof.LeafHash.Should().Be(original.InclusionProof.LeafHash);
+    }
+
+    [Fact]
+    public void RekorReceipt_IntegratedTimeUtc_ConvertsCorrectly()
+    {
+        // Arrange
+        var unixTime = 1704067200L; // 2024-01-01 00:00:00 UTC
+        var receipt = CreateValidReceipt() with { IntegratedTime = unixTime };
+
+        // Act
+        var utc = receipt.IntegratedTimeUtc;
+
+        // Assert
+        utc.Year.Should().Be(2024);
+        utc.Month.Should().Be(1);
+        utc.Day.Should().Be(1);
+        utc.Hour.Should().Be(0);
+        utc.Minute.Should().Be(0);
+        utc.Second.Should().Be(0);
+    }
+
+    [Fact]
+    public void RekorReceipt_EntryUrl_FormsCorrectly()
+    {
+        // Arrange
+        var receipt = CreateValidReceipt() with
+        {
+            LogUrl = "https://rekor.sigstore.dev",
+            Uuid = "abc123def456"
+        };
+
+        // Act
+        var entryUrl = receipt.EntryUrl;
+
+        // Assert
+        entryUrl.Should().Be("https://rekor.sigstore.dev/api/v1/log/entries/abc123def456");
+    }
+
+    [Fact]
+    public void RekorReceipt_EntryUrl_HandlesTrailingSlash()
+    {
+        // Arrange
+        var receipt = CreateValidReceipt() with
+        {
+            LogUrl = "https://rekor.sigstore.dev/",
+            Uuid = "abc123"
+        };
+
+        // Act
+        var entryUrl = receipt.EntryUrl;
+
+        // Assert
+        entryUrl.Should().Be("https://rekor.sigstore.dev/api/v1/log/entries/abc123");
+    }
+
+    [Fact]
+    public void RekorCheckpointV2_TimestampUtc_ConvertsCorrectly()
+    {
+        // Arrange
+        var checkpoint = new RekorCheckpointV2
+        {
+            Origin = "test-origin",
+            Size = 1000,
+            RootHash = "abc123",
+            Timestamp = 1704067200L,
+            Signature = "sig123"
+        };
+
+        // Act
+        var utc = checkpoint.TimestampUtc;
+
+        // Assert
+        utc.Year.Should().Be(2024);
+    }
+
+    [Fact]
+    public void RekorInclusionProofV2_SerializesHashesCorrectly()
+    {
+        // Arrange
+        var proof = new RekorInclusionProofV2
+        {
+            LogIndex = 1000,
+            TreeSize = 2000,
+            RootHash = "root123",
+            LeafHash = "leaf456",
+            Hashes = ["hash1", "hash2", "hash3"]
+        };
+
+        // Act
+        var json = JsonSerializer.Serialize(proof);
+        var deserialized = JsonSerializer.Deserialize<RekorInclusionProofV2>(json);
+
+        // Assert
+        deserialized.Should().NotBeNull();
+        deserialized!.Hashes.Should().HaveCount(3);
+        deserialized.Hashes.Should().ContainInOrder("hash1", "hash2", "hash3");
+    }
+
+    [Fact]
+    public void RekorReceiptVerificationResult_WhenValid_IsHealthy()
+    {
+        // Arrange
+        var result = new RekorReceiptVerificationResult
+        {
+            IsValid = true,
+            CheckpointSignatureValid = true,
+            InclusionProofValid = true,
+            EntryHashValid = true,
+            TimeSkewAcceptable = true,
+            VerifiedAt = DateTimeOffset.UtcNow
+        };
+
+        // Assert
+        result.IsValid.Should().BeTrue();
+        result.Errors.Should().BeEmpty();
+    }
+
+    [Fact]
+    public void RekorReceiptVerificationResult_WhenInvalid_ContainsErrors()
+    {
+        // Arrange
+        var result = new RekorReceiptVerificationResult
+        {
+            IsValid = false,
+            CheckpointSignatureValid = false,
+            InclusionProofValid = true,
+            EntryHashValid = true,
+            TimeSkewAcceptable = true,
+            Errors = ["Checkpoint signature verification failed"],
+            VerifiedAt = DateTimeOffset.UtcNow
+        };
+
+        // Assert
+        result.IsValid.Should().BeFalse();
+        result.Errors.Should().Contain("Checkpoint signature verification failed");
+    }
+
+    [Fact]
+    public void RekorReceiptVerificationOptions_HasSensibleDefaults()
+    {
+        // Arrange & Act
+        var options = new RekorReceiptVerificationOptions();
+
+        // Assert
+        options.MaxClockSkewSeconds.Should().Be(300); // 5 minutes
+        options.AllowOfflineVerification.Should().BeTrue();
+        options.MaxOfflineCheckpointAgeHours.Should().Be(24);
+        options.RequireCheckpointSignature.Should().BeTrue();
+    }
+
+    [Fact]
+    public void RekorReceipt_IncludesOptionalPolicyFields()
+    {
+        // Arrange
+        var receipt = CreateValidReceipt() with
+        {
+            PolicyHash = "sha256:policy123",
+            GraphRevision = "rev-456",
+            IdempotencyKey = "idem-789"
+        };
+
+        // Act
+        var json = JsonSerializer.Serialize(receipt);
+        var deserialized = JsonSerializer.Deserialize<RekorReceipt>(json);
+
+        // Assert
+        deserialized!.PolicyHash.Should().Be("sha256:policy123");
+        deserialized.GraphRevision.Should().Be("rev-456");
+        deserialized.IdempotencyKey.Should().Be("idem-789");
+    }
+
+    [Fact]
+    public void RekorReceipt_SchemaVersion_DefaultsTo1_0_0()
+    {
+        // Arrange
+        var receipt = CreateValidReceipt();
+
+        // Assert
+        receipt.SchemaVersion.Should().Be("1.0.0");
+    }
+
+    private static RekorReceipt CreateValidReceipt() => new()
+    {
+        Uuid = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
+        LogIndex = 12345,
+        LogId = "rekor.sigstore.dev - 2605736670972794746",
+        LogUrl = "https://rekor.sigstore.dev",
+        IntegratedTime = DateTimeOffset.UtcNow.ToUnixTimeSeconds(),
+        EntryKind = "dsse",
+        EntryBodyHash = "sha256:abcdef123456",
+        Checkpoint = new RekorCheckpointV2
+        {
+            Origin = "rekor.sigstore.dev - 2605736670972794746",
+            Size = 50000,
+            RootHash = "abc123def456",
+            Timestamp = DateTimeOffset.UtcNow.ToUnixTimeSeconds(),
+            Signature = "MEUCIQDtest..."
+        },
+        InclusionProof = new RekorInclusionProofV2
+        {
+            LogIndex = 12345,
+            TreeSize = 50000,
+            RootHash = "abc123def456",
+            LeafHash = "leaf789xyz",
+            Hashes = ["hash1", "hash2", "hash3"]
+        }
+    };
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core.Tests/Transparency/TransparencyStatusProviderTests.cs

@@ -0,0 +1,249 @@
+// -----------------------------------------------------------------------------
+// TransparencyStatusProviderTests.cs
+// Description: Unit tests for transparency status provider.
+// -----------------------------------------------------------------------------
+
+using FluentAssertions;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using StellaOps.Attestor.Core.Transparency;
+using Xunit;
+using OptionsFactory = Microsoft.Extensions.Options.Options;
+
+namespace StellaOps.Attestor.Core.Tests.Transparency;
+
+[Trait("Category", "Unit")]
+[Trait("Category", "Transparency")]
+public sealed class TransparencyStatusProviderTests : IDisposable
+{
+    private readonly FakeTimeProvider _timeProvider;
+    private readonly TransparencyStatusProvider _provider;
+
+    public TransparencyStatusProviderTests()
+    {
+        _timeProvider = new FakeTimeProvider(DateTimeOffset.UtcNow);
+        var options = OptionsFactory.Create(new TransparencyStatusOptions
+        {
+            MaxCheckpointAgeHours = 24,
+            CriticalCheckpointAgeHours = 72,
+            RekorBackendUrl = "https://rekor.sigstore.dev"
+        });
+
+        _provider = new TransparencyStatusProvider(
+            NullLogger<TransparencyStatusProvider>.Instance,
+            options,
+            _timeProvider);
+    }
+
+    [Fact]
+    public async Task GetStatusAsync_WhenNeverSynced_ReturnsUnknown()
+    {
+        // Act
+        var status = await _provider.GetStatusAsync();
+
+        // Assert
+        status.Status.Should().Be(TransparencyStatusLevel.Unknown);
+        status.LastSyncAt.Should().BeNull();
+        status.Message.Should().Contain("never synced");
+    }
+
+    [Fact]
+    public async Task GetStatusAsync_WhenRecentlySync_ReturnsHealthy()
+    {
+        // Arrange
+        var syncTime = _timeProvider.GetUtcNow().AddHours(-1);
+        _provider.RecordSync(syncTime, 12345);
+
+        // Act
+        var status = await _provider.GetStatusAsync();
+
+        // Assert
+        status.Status.Should().Be(TransparencyStatusLevel.Healthy);
+        status.LastSyncAt.Should().Be(syncTime);
+        status.LastSyncAgeHours.Should().BeApproximately(1, 0.1);
+        status.LastCheckpointTreeSize.Should().Be(12345);
+    }
+
+    [Fact]
+    public async Task GetStatusAsync_WhenSyncStale_ReturnsDegraded()
+    {
+        // Arrange - sync 30 hours ago (exceeds 24h threshold)
+        var syncTime = _timeProvider.GetUtcNow().AddHours(-30);
+        _provider.RecordSync(syncTime, 12345);
+
+        // Act
+        var status = await _provider.GetStatusAsync();
+
+        // Assert
+        status.Status.Should().Be(TransparencyStatusLevel.Degraded);
+        status.LastSyncAgeHours.Should().BeApproximately(30, 0.1);
+        status.Message.Should().Contain("stale");
+    }
+
+    [Fact]
+    public async Task GetStatusAsync_WhenSyncCriticallyStale_ReturnsUnhealthy()
+    {
+        // Arrange - sync 80 hours ago (exceeds 72h critical threshold)
+        var syncTime = _timeProvider.GetUtcNow().AddHours(-80);
+        _provider.RecordSync(syncTime, 12345);
+
+        // Act
+        var status = await _provider.GetStatusAsync();
+
+        // Assert
+        status.Status.Should().Be(TransparencyStatusLevel.Unhealthy);
+        status.Message.Should().Contain("critically stale");
+    }
+
+    [Fact]
+    public async Task GetStatusAsync_WhenOfflineModeWithFreshCheckpoint_ReturnsOffline()
+    {
+        // Arrange - create provider without backend URL (offline mode)
+        var offlineOptions = OptionsFactory.Create(new TransparencyStatusOptions
+        {
+            MaxCheckpointAgeHours = 24,
+            RekorBackendUrl = null // Offline mode
+        });
+
+        using var offlineProvider = new TransparencyStatusProvider(
+            NullLogger<TransparencyStatusProvider>.Instance,
+            offlineOptions,
+            _timeProvider);
+
+        var syncTime = _timeProvider.GetUtcNow().AddHours(-1);
+        offlineProvider.RecordSync(syncTime, 12345);
+
+        // Act
+        var status = await offlineProvider.GetStatusAsync();
+
+        // Assert
+        status.Status.Should().Be(TransparencyStatusLevel.Offline);
+        status.OfflineMode.Should().BeTrue();
+        status.Message.Should().Contain("offline mode");
+    }
+
+    [Fact]
+    public void RecordSubmission_TracksMetrics()
+    {
+        // Arrange
+        var latency1 = TimeSpan.FromMilliseconds(100);
+        var latency2 = TimeSpan.FromMilliseconds(200);
+        var latency3 = TimeSpan.FromMilliseconds(150);
+
+        // Act
+        _provider.RecordSubmission(true, latency1);
+        _provider.RecordSubmission(true, latency2);
+        _provider.RecordSubmission(false, latency3);
+
+        // Assert
+        var status = _provider.GetStatusAsync().Result;
+        status.Metrics.Should().NotBeNull();
+        status.Metrics!.SubmissionsLastHour.Should().Be(3);
+        status.Metrics.SuccessfulSubmissionsLastHour.Should().Be(2);
+        status.Metrics.FailedSubmissionsLastHour.Should().Be(1);
+        status.Metrics.AvgSubmissionLatencyMs.Should().Be(150); // (100+200)/2 = 150 (only successful)
+    }
+
+    [Fact]
+    public void RecordVerification_TracksMetrics()
+    {
+        // Act
+        _provider.RecordVerification(true, false);
+        _provider.RecordVerification(true, true);
+        _provider.RecordVerification(false, false);
+
+        // Assert
+        var status = _provider.GetStatusAsync().Result;
+        status.Metrics.Should().NotBeNull();
+        status.Metrics!.VerificationsLastHour.Should().Be(3);
+        status.Metrics.SuccessfulVerificationsLastHour.Should().Be(2);
+        status.Metrics.OfflineVerificationsLastHour.Should().Be(1);
+    }
+
+    [Fact]
+    public async Task GetStatusAsync_ReportsQueueDepths()
+    {
+        // Arrange
+        _provider.UpdateQueueDepths(submissionQueue: 5, deadLetterQueue: 2);
+
+        // Act
+        var status = await _provider.GetStatusAsync();
+
+        // Assert
+        status.SubmissionQueueDepth.Should().Be(5);
+        status.DeadLetterQueueDepth.Should().Be(2);
+    }
+
+    [Fact]
+    public async Task GetStatusAsync_ReportsConfiguration()
+    {
+        // Act
+        var status = await _provider.GetStatusAsync();
+
+        // Assert
+        status.MaxCheckpointAgeHours.Should().Be(24);
+        status.RekorBackend.Should().Be("https://rekor.sigstore.dev");
+        status.EnforcementEnabled.Should().BeFalse(); // default
+    }
+
+    [Fact]
+    public async Task IsCheckpointFresh_WhenWithinThreshold_ReturnsTrue()
+    {
+        // Arrange
+        var syncTime = _timeProvider.GetUtcNow().AddHours(-12);
+        _provider.RecordSync(syncTime, 12345);
+
+        // Act
+        var status = await _provider.GetStatusAsync();
+
+        // Assert
+        status.IsCheckpointFresh.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task IsCheckpointFresh_WhenExceedsThreshold_ReturnsFalse()
+    {
+        // Arrange
+        var syncTime = _timeProvider.GetUtcNow().AddHours(-30);
+        _provider.RecordSync(syncTime, 12345);
+
+        // Act
+        var status = await _provider.GetStatusAsync();
+
+        // Assert
+        status.IsCheckpointFresh.Should().BeFalse();
+    }
+
+    [Fact]
+    public async Task IsHealthy_WhenHealthyOrDegraded_ReturnsTrue()
+    {
+        // Arrange - fresh sync (healthy)
+        var syncTime = _timeProvider.GetUtcNow().AddHours(-1);
+        _provider.RecordSync(syncTime, 12345);
+
+        // Act
+        var status = await _provider.GetStatusAsync();
+
+        // Assert
+        status.IsHealthy.Should().BeTrue();
+    }
+
+    public void Dispose()
+    {
+        _provider.Dispose();
+    }
+
+    private sealed class FakeTimeProvider : TimeProvider
+    {
+        private DateTimeOffset _utcNow;
+
+        public FakeTimeProvider(DateTimeOffset utcNow)
+        {
+            _utcNow = utcNow;
+        }
+
+        public override DateTimeOffset GetUtcNow() => _utcNow;
+
+        public void Advance(TimeSpan duration) => _utcNow = _utcNow.Add(duration);
+    }
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Options/AttestorOptions.cs

@@ -121,6 +121,30 @@ public sealed class AttestorOptions
         public int PollIntervalMs { get; set; } = 250;
 
         public int MaxAttempts { get; set; } = 60;
+
+        /// <summary>
+        /// Log version to use: Auto, V1, or V2.
+        /// V2 uses tile-based (Sunlight) log structure.
+        /// Default: Auto (backward compatible).
+        /// </summary>
+        public string Version { get; set; } = "Auto";
+
+        /// <summary>
+        /// Base URL for tile fetching in Rekor v2.
+        /// If not specified, defaults to {Url}/tile/.
+        /// </summary>
+        public string? TileBaseUrl { get; set; }
+
+        /// <summary>
+        /// Log ID (SHA-256 of log's public key) for multi-log environments.
+        /// Production Rekor: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
+        /// </summary>
+        public string? LogId { get; set; }
+
+        /// <summary>
+        /// When true and Version is Auto, prefer tile-based proofs over v1 proofs.
+        /// </summary>
+        public bool PreferTileProofs { get; set; } = false;
     }
 
     public sealed class RekorMirrorOptions : RekorBackendOptions

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Rekor/IRekorTileClient.cs

@@ -0,0 +1,208 @@
+using System;
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace StellaOps.Attestor.Core.Rekor;
+
+/// <summary>
+/// Client for fetching proofs from Rekor v2 tile-based logs.
+/// Tile-based logs store the Merkle tree in fixed-size chunks (tiles)
+/// that can be fetched directly for offline-capable verification.
+/// </summary>
+public interface IRekorTileClient
+{
+    /// <summary>
+    /// Fetches the latest signed checkpoint from the tile log.
+    /// The checkpoint contains the current tree size and root hash.
+    /// </summary>
+    /// <param name="backend">Rekor backend configuration</param>
+    /// <param name="cancellationToken">Cancellation token</param>
+    /// <returns>The checkpoint response, or null if not available</returns>
+    Task<RekorTileCheckpoint?> GetCheckpointAsync(
+        RekorBackend backend,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Fetches a tile from the log.
+    /// Tiles are fixed-size chunks of the Merkle tree.
+    /// </summary>
+    /// <param name="backend">Rekor backend configuration</param>
+    /// <param name="level">The tree level (0 = leaves)</param>
+    /// <param name="index">The tile index at this level</param>
+    /// <param name="cancellationToken">Cancellation token</param>
+    /// <returns>The tile data, or null if not found</returns>
+    Task<RekorTileData?> GetTileAsync(
+        RekorBackend backend,
+        int level,
+        long index,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Fetches an entry from the log by its index.
+    /// </summary>
+    /// <param name="backend">Rekor backend configuration</param>
+    /// <param name="logIndex">The log index of the entry</param>
+    /// <param name="cancellationToken">Cancellation token</param>
+    /// <returns>The entry data, or null if not found</returns>
+    Task<RekorTileEntry?> GetEntryAsync(
+        RekorBackend backend,
+        long logIndex,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Computes an inclusion proof for an entry using tile data.
+    /// This fetches the necessary tiles and constructs the proof path.
+    /// </summary>
+    /// <param name="backend">Rekor backend configuration</param>
+    /// <param name="logIndex">The log index of the entry</param>
+    /// <param name="treeSize">The tree size for the proof (from checkpoint)</param>
+    /// <param name="cancellationToken">Cancellation token</param>
+    /// <returns>The computed proof, or null if tiles are unavailable</returns>
+    Task<RekorTileInclusionProof?> ComputeInclusionProofAsync(
+        RekorBackend backend,
+        long logIndex,
+        long treeSize,
+        CancellationToken cancellationToken = default);
+}
+
+/// <summary>
+/// Checkpoint from a Rekor v2 tile-based log.
+/// </summary>
+public sealed class RekorTileCheckpoint
+{
+    /// <summary>
+    /// The log origin identifier.
+    /// </summary>
+    public required string Origin { get; init; }
+
+    /// <summary>
+    /// Current tree size (number of entries).
+    /// </summary>
+    public required long TreeSize { get; init; }
+
+    /// <summary>
+    /// Root hash of the Merkle tree at this size.
+    /// </summary>
+    public required byte[] RootHash { get; init; }
+
+    /// <summary>
+    /// Raw checkpoint note text for signature verification.
+    /// </summary>
+    public required string RawCheckpoint { get; init; }
+
+    /// <summary>
+    /// Signatures on the checkpoint.
+    /// </summary>
+    public required IReadOnlyList<RekorCheckpointSignature> Signatures { get; init; }
+}
+
+/// <summary>
+/// A signature on a Rekor checkpoint.
+/// </summary>
+public sealed class RekorCheckpointSignature
+{
+    /// <summary>
+    /// Key ID or hint for the signing key.
+    /// </summary>
+    public required string KeyHint { get; init; }
+
+    /// <summary>
+    /// The signature bytes.
+    /// </summary>
+    public required byte[] Signature { get; init; }
+}
+
+/// <summary>
+/// Data from a Merkle tree tile.
+/// </summary>
+public sealed class RekorTileData
+{
+    /// <summary>
+    /// The level in the tree (0 = leaf level).
+    /// </summary>
+    public required int Level { get; init; }
+
+    /// <summary>
+    /// The tile index at this level.
+    /// </summary>
+    public required long Index { get; init; }
+
+    /// <summary>
+    /// The tile width (number of entries in this tile, may be partial).
+    /// </summary>
+    public required int Width { get; init; }
+
+    /// <summary>
+    /// The hash data in this tile.
+    /// Each hash is 32 bytes (SHA-256).
+    /// </summary>
+    public required byte[] Hashes { get; init; }
+
+    /// <summary>
+    /// Gets the hash at the given position within the tile.
+    /// </summary>
+    public byte[] GetHash(int position)
+    {
+        if (position < 0 || position >= Width)
+        {
+            throw new ArgumentOutOfRangeException(nameof(position));
+        }
+
+        var result = new byte[32];
+        Array.Copy(Hashes, position * 32, result, 0, 32);
+        return result;
+    }
+}
+
+/// <summary>
+/// An entry from a Rekor tile-based log.
+/// </summary>
+public sealed class RekorTileEntry
+{
+    /// <summary>
+    /// The log index of this entry.
+    /// </summary>
+    public required long LogIndex { get; init; }
+
+    /// <summary>
+    /// The entry data (typically the leaf hash input).
+    /// </summary>
+    public required byte[] Data { get; init; }
+
+    /// <summary>
+    /// The integrated time when this entry was added.
+    /// </summary>
+    public DateTimeOffset? IntegratedTime { get; init; }
+}
+
+/// <summary>
+/// An inclusion proof computed from tile data.
+/// </summary>
+public sealed class RekorTileInclusionProof
+{
+    /// <summary>
+    /// The log index of the entry.
+    /// </summary>
+    public required long LogIndex { get; init; }
+
+    /// <summary>
+    /// The tree size for this proof.
+    /// </summary>
+    public required long TreeSize { get; init; }
+
+    /// <summary>
+    /// The leaf hash of the entry.
+    /// </summary>
+    public required byte[] LeafHash { get; init; }
+
+    /// <summary>
+    /// The proof path (sibling hashes from leaf to root).
+    /// </summary>
+    public required IReadOnlyList<byte[]> Path { get; init; }
+
+    /// <summary>
+    /// The expected root hash for verification.
+    /// </summary>
+    public required byte[] RootHash { get; init; }
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Rekor/RekorBackend.cs

@@ -2,15 +2,82 @@ using System;
 
 namespace StellaOps.Attestor.Core.Rekor;
 
+/// <summary>
+/// Specifies the Rekor log version/format to use.
+/// </summary>
+public enum RekorLogVersion
+{
+    /// <summary>
+    /// Automatically detect log version from server capabilities.
+    /// </summary>
+    Auto = 0,
+
+    /// <summary>
+    /// Rekor v1 with Trillian-backed Merkle tree.
+    /// </summary>
+    V1 = 1,
+
+    /// <summary>
+    /// Rekor v2 with tile-based (Sunlight) log structure.
+    /// Provides cheaper operation and simpler verification.
+    /// </summary>
+    V2 = 2
+}
+
 public sealed class RekorBackend
 {
     public required string Name { get; init; }
 
     public required Uri Url { get; init; }
 
+    /// <summary>
+    /// Log version to use. Default is Auto for backward compatibility.
+    /// Set to V2 to explicitly opt into tile-based verification.
+    /// </summary>
+    public RekorLogVersion Version { get; init; } = RekorLogVersion.Auto;
+
+    /// <summary>
+    /// Base URL for tile fetching in Rekor v2.
+    /// If not specified, tiles are fetched from {Url}/tile/.
+    /// Only used when Version is V2 or Auto detects v2 capabilities.
+    /// </summary>
+    public Uri? TileBaseUrl { get; init; }
+
+    /// <summary>
+    /// Log ID (SHA-256 of the log's public key) for multi-log environments.
+    /// Used to match entries to the correct log when verifying bundles.
+    /// Production Rekor: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
+    /// </summary>
+    public string? LogId { get; init; }
+
+    /// <summary>
+    /// Whether to prefer tile-based proofs when available.
+    /// When true and Version is Auto, will attempt tile fetching first.
+    /// </summary>
+    public bool PreferTileProofs { get; init; } = false;
+
     public TimeSpan ProofTimeout { get; init; } = TimeSpan.FromSeconds(15);
 
     public TimeSpan PollInterval { get; init; } = TimeSpan.FromMilliseconds(250);
 
     public int MaxAttempts { get; init; } = 60;
+
+    /// <summary>
+    /// Returns the effective tile base URL, defaulting to {Url}/tile/ if not specified.
+    /// </summary>
+    public Uri GetEffectiveTileBaseUrl()
+    {
+        if (TileBaseUrl is not null)
+        {
+            return TileBaseUrl;
+        }
+
+        var baseUri = Url.ToString().TrimEnd('/');
+        return new Uri($"{baseUri}/tile/", UriKind.Absolute);
+    }
+
+    /// <summary>
+    /// Known log ID for the public Sigstore Rekor production instance.
+    /// </summary>
+    public const string SigstoreProductionLogId = "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d";
 }

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Rekor/RekorReceipt.cs

@@ -0,0 +1,429 @@
+// -----------------------------------------------------------------------------
+// RekorReceipt.cs
+// Description: Standardized Rekor transparency log receipt per Sigstore conventions.
+// Implements receipt schema standardization from SBOM-VEX-policy advisory.
+// References: https://docs.sigstore.dev/logging/overview/, Rekor v2 GA
+// -----------------------------------------------------------------------------
+
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Attestor.Core.Rekor;
+
+/// <summary>
+/// Standardized Rekor transparency log receipt following Sigstore conventions.
+/// </summary>
+/// <remarks>
+/// This receipt format aligns with:
+/// - Rekor v2 GA specification (https://blog.sigstore.dev/rekor-v2-ga/)
+/// - Sigstore bundle format (https://docs.sigstore.dev/bundle/)
+/// - RFC 6962 certificate transparency log semantics
+///
+/// Design principles:
+/// - All fields use deterministic JSON property names
+/// - Timestamps use Unix seconds for interoperability
+/// - Hashes use lowercase hex encoding
+/// - Inclusion proofs follow RFC 6962 structure
+/// </remarks>
+public sealed record RekorReceipt
+{
+    /// <summary>
+    /// Schema version for this receipt format.
+    /// </summary>
+    [JsonPropertyName("schemaVersion")]
+    public string SchemaVersion { get; init; } = "1.0.0";
+
+    /// <summary>
+    /// Unique entry identifier (64-character hex string derived from entry hash).
+    /// </summary>
+    [JsonPropertyName("uuid")]
+    public required string Uuid { get; init; }
+
+    /// <summary>
+    /// Log index (position in the log, monotonically increasing).
+    /// </summary>
+    [JsonPropertyName("logIndex")]
+    public required long LogIndex { get; init; }
+
+    /// <summary>
+    /// Log ID identifying the specific Rekor instance/shard.
+    /// </summary>
+    [JsonPropertyName("logId")]
+    public required string LogId { get; init; }
+
+    /// <summary>
+    /// Base URL of the Rekor log instance.
+    /// </summary>
+    [JsonPropertyName("logUrl")]
+    public required string LogUrl { get; init; }
+
+    /// <summary>
+    /// Unix timestamp (seconds) when the entry was integrated into the log.
+    /// </summary>
+    [JsonPropertyName("integratedTime")]
+    public required long IntegratedTime { get; init; }
+
+    /// <summary>
+    /// Entry kind (e.g., "intoto", "hashedrekord", "dsse").
+    /// </summary>
+    [JsonPropertyName("entryKind")]
+    public required string EntryKind { get; init; }
+
+    /// <summary>
+    /// Entry API version within the kind.
+    /// </summary>
+    [JsonPropertyName("entryVersion")]
+    public string EntryVersion { get; init; } = "0.0.2";
+
+    /// <summary>
+    /// SHA-256 hash of the canonicalized entry body (lowercase hex).
+    /// </summary>
+    [JsonPropertyName("entryBodyHash")]
+    public required string EntryBodyHash { get; init; }
+
+    /// <summary>
+    /// Signed checkpoint (signed tree head) in note format.
+    /// </summary>
+    [JsonPropertyName("checkpoint")]
+    public required RekorCheckpointV2 Checkpoint { get; init; }
+
+    /// <summary>
+    /// Inclusion proof demonstrating entry is in the log.
+    /// </summary>
+    [JsonPropertyName("inclusionProof")]
+    public required RekorInclusionProofV2 InclusionProof { get; init; }
+
+    /// <summary>
+    /// Optional SET (Signed Entry Timestamp) for backward compatibility.
+    /// </summary>
+    [JsonPropertyName("signedEntryTimestamp")]
+    public string? SignedEntryTimestamp { get; init; }
+
+    /// <summary>
+    /// Policy hash linking this receipt to a specific policy evaluation.
+    /// </summary>
+    [JsonPropertyName("policyHash")]
+    public string? PolicyHash { get; init; }
+
+    /// <summary>
+    /// Graph revision ID for reachability context.
+    /// </summary>
+    [JsonPropertyName("graphRevision")]
+    public string? GraphRevision { get; init; }
+
+    /// <summary>
+    /// Idempotency key used for submission (for deduplication tracking).
+    /// </summary>
+    [JsonPropertyName("idempotencyKey")]
+    public string? IdempotencyKey { get; init; }
+
+    // Computed properties
+
+    /// <summary>
+    /// Gets the integrated time as a DateTimeOffset (UTC).
+    /// </summary>
+    [JsonIgnore]
+    public DateTimeOffset IntegratedTimeUtc =>
+        DateTimeOffset.FromUnixTimeSeconds(IntegratedTime);
+
+    /// <summary>
+    /// Gets the full entry URL for direct access.
+    /// </summary>
+    [JsonIgnore]
+    public string EntryUrl => $"{LogUrl.TrimEnd('/')}/api/v1/log/entries/{Uuid}";
+}
+
+/// <summary>
+/// Rekor v2 checkpoint (signed tree head) following note format.
+/// </summary>
+/// <remarks>
+/// Checkpoint format per Rekor v2 specification:
+/// - Origin identifies the log
+/// - Size is the tree size at checkpoint
+/// - RootHash is the Merkle root
+/// - Signature is over the checkpoint note body
+/// </remarks>
+public sealed record RekorCheckpointV2
+{
+    /// <summary>
+    /// Origin line identifying the log (e.g., "rekor.sigstore.dev - 2605736670972794746").
+    /// </summary>
+    [JsonPropertyName("origin")]
+    public required string Origin { get; init; }
+
+    /// <summary>
+    /// Tree size at time of checkpoint.
+    /// </summary>
+    [JsonPropertyName("size")]
+    public required long Size { get; init; }
+
+    /// <summary>
+    /// Merkle tree root hash (lowercase hex).
+    /// </summary>
+    [JsonPropertyName("rootHash")]
+    public required string RootHash { get; init; }
+
+    /// <summary>
+    /// Unix timestamp (seconds) of the checkpoint.
+    /// </summary>
+    [JsonPropertyName("timestamp")]
+    public required long Timestamp { get; init; }
+
+    /// <summary>
+    /// Base64-encoded signature over the checkpoint note.
+    /// </summary>
+    [JsonPropertyName("signature")]
+    public required string Signature { get; init; }
+
+    /// <summary>
+    /// Key ID or hint for signature verification.
+    /// </summary>
+    [JsonPropertyName("keyHint")]
+    public string? KeyHint { get; init; }
+
+    /// <summary>
+    /// Raw note body for signature verification (base64-encoded).
+    /// </summary>
+    [JsonPropertyName("noteBody")]
+    public string? NoteBody { get; init; }
+
+    /// <summary>
+    /// Gets the timestamp as a DateTimeOffset (UTC).
+    /// </summary>
+    [JsonIgnore]
+    public DateTimeOffset TimestampUtc =>
+        DateTimeOffset.FromUnixTimeSeconds(Timestamp);
+}
+
+/// <summary>
+/// Rekor v2 inclusion proof following RFC 6962.
+/// </summary>
+/// <remarks>
+/// Inclusion proof structure:
+/// - LeafHash is H(0x00 || entry)
+/// - Hashes are the sibling nodes from leaf to root
+/// - TreeSize and LogIndex define the proof context
+/// </remarks>
+public sealed record RekorInclusionProofV2
+{
+    /// <summary>
+    /// Log index of the entry being proven.
+    /// </summary>
+    [JsonPropertyName("logIndex")]
+    public required long LogIndex { get; init; }
+
+    /// <summary>
+    /// Tree size at time of proof generation.
+    /// </summary>
+    [JsonPropertyName("treeSize")]
+    public required long TreeSize { get; init; }
+
+    /// <summary>
+    /// Root hash at time of proof (lowercase hex).
+    /// </summary>
+    [JsonPropertyName("rootHash")]
+    public required string RootHash { get; init; }
+
+    /// <summary>
+    /// Leaf hash (SHA-256 of 0x00 || entry body, lowercase hex).
+    /// </summary>
+    [JsonPropertyName("leafHash")]
+    public required string LeafHash { get; init; }
+
+    /// <summary>
+    /// Inclusion proof hashes from leaf to root (lowercase hex, ordered).
+    /// </summary>
+    [JsonPropertyName("hashes")]
+    public required IReadOnlyList<string> Hashes { get; init; }
+
+    /// <summary>
+    /// Checkpoint reference containing the signed tree head.
+    /// </summary>
+    [JsonPropertyName("checkpoint")]
+    public string? CheckpointRef { get; init; }
+}
+
+/// <summary>
+/// Result of verifying a Rekor receipt.
+/// </summary>
+public sealed record RekorReceiptVerificationResult
+{
+    /// <summary>
+    /// Whether the receipt is valid.
+    /// </summary>
+    public required bool IsValid { get; init; }
+
+    /// <summary>
+    /// Whether the checkpoint signature verified.
+    /// </summary>
+    public required bool CheckpointSignatureValid { get; init; }
+
+    /// <summary>
+    /// Whether the inclusion proof verified against the root.
+    /// </summary>
+    public required bool InclusionProofValid { get; init; }
+
+    /// <summary>
+    /// Whether the entry hash matches the leaf.
+    /// </summary>
+    public required bool EntryHashValid { get; init; }
+
+    /// <summary>
+    /// Time skew in seconds (positive = receipt ahead of local clock).
+    /// </summary>
+    public double TimeSkewSeconds { get; init; }
+
+    /// <summary>
+    /// Whether time skew is within acceptable bounds.
+    /// </summary>
+    public required bool TimeSkewAcceptable { get; init; }
+
+    /// <summary>
+    /// Any verification errors encountered.
+    /// </summary>
+    public IReadOnlyList<string> Errors { get; init; } = [];
+
+    /// <summary>
+    /// Verification diagnostics for debugging.
+    /// </summary>
+    public IReadOnlyDictionary<string, string> Diagnostics { get; init; } =
+        new Dictionary<string, string>();
+
+    /// <summary>
+    /// When the verification was performed (UTC).
+    /// </summary>
+    public required DateTimeOffset VerifiedAt { get; init; }
+
+    /// <summary>
+    /// Whether this was verified in offline mode.
+    /// </summary>
+    public bool OfflineVerification { get; init; }
+}
+
+/// <summary>
+/// Options for Rekor receipt verification.
+/// </summary>
+public sealed record RekorReceiptVerificationOptions
+{
+    /// <summary>
+    /// Maximum allowed clock skew in seconds (default: 300 = 5 minutes).
+    /// </summary>
+    public int MaxClockSkewSeconds { get; init; } = 300;
+
+    /// <summary>
+    /// Whether to allow offline verification using cached checkpoints.
+    /// </summary>
+    public bool AllowOfflineVerification { get; init; } = true;
+
+    /// <summary>
+    /// Path to offline checkpoint bundle for air-gapped verification.
+    /// </summary>
+    public string? OfflineCheckpointBundlePath { get; init; }
+
+    /// <summary>
+    /// Maximum checkpoint age in hours for offline verification (default: 24).
+    /// </summary>
+    public int MaxOfflineCheckpointAgeHours { get; init; } = 24;
+
+    /// <summary>
+    /// Whether to require checkpoint signature verification.
+    /// </summary>
+    public bool RequireCheckpointSignature { get; init; } = true;
+
+    /// <summary>
+    /// Trusted public keys for checkpoint verification (PEM or base64 DER).
+    /// </summary>
+    public IReadOnlyList<string> TrustedPublicKeys { get; init; } = [];
+
+    /// <summary>
+    /// Trusted log IDs (if empty, all known logs are trusted).
+    /// </summary>
+    public IReadOnlyList<string> TrustedLogIds { get; init; } = [];
+}
+
+/// <summary>
+/// Service for verifying Rekor receipts.
+/// </summary>
+public interface IRekorReceiptVerifier
+{
+    /// <summary>
+    /// Verifies a Rekor receipt.
+    /// </summary>
+    Task<RekorReceiptVerificationResult> VerifyAsync(
+        RekorReceipt receipt,
+        RekorReceiptVerificationOptions? options = null,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Verifies the inclusion proof without network access.
+    /// </summary>
+    RekorReceiptVerificationResult VerifyInclusionProofOffline(
+        RekorReceipt receipt,
+        byte[] entryBody,
+        RekorReceiptVerificationOptions? options = null);
+}
+
+/// <summary>
+/// Factory for creating Rekor receipts from submission responses.
+/// </summary>
+public static class RekorReceiptFactory
+{
+    /// <summary>
+    /// Creates a standardized receipt from a submission response.
+    /// </summary>
+    public static RekorReceipt FromSubmissionResponse(
+        RekorSubmissionResponse response,
+        string logId,
+        string logUrl,
+        string entryKind,
+        string entryBodyHash,
+        string? policyHash = null,
+        string? graphRevision = null,
+        string? idempotencyKey = null)
+    {
+        ArgumentNullException.ThrowIfNull(response);
+        ArgumentException.ThrowIfNullOrEmpty(logId);
+        ArgumentException.ThrowIfNullOrEmpty(logUrl);
+        ArgumentException.ThrowIfNullOrEmpty(entryKind);
+        ArgumentException.ThrowIfNullOrEmpty(entryBodyHash);
+
+        if (response.Proof?.Checkpoint is null)
+        {
+            throw new ArgumentException("Response must include checkpoint proof", nameof(response));
+        }
+
+        if (response.Proof?.Inclusion is null)
+        {
+            throw new ArgumentException("Response must include inclusion proof", nameof(response));
+        }
+
+        return new RekorReceipt
+        {
+            Uuid = response.Uuid,
+            LogIndex = response.Index ?? throw new ArgumentException("Response must include index"),
+            LogId = logId,
+            LogUrl = logUrl,
+            IntegratedTime = response.IntegratedTime ?? throw new ArgumentException("Response must include integrated time"),
+            EntryKind = entryKind,
+            EntryBodyHash = entryBodyHash,
+            Checkpoint = new RekorCheckpointV2
+            {
+                Origin = response.Proof.Checkpoint.Origin ?? logId,
+                Size = response.Proof.Checkpoint.Size,
+                RootHash = response.Proof.Checkpoint.RootHash ?? throw new ArgumentException("Checkpoint must include root hash"),
+                Timestamp = response.Proof.Checkpoint.Timestamp?.ToUnixTimeSeconds() ?? response.IntegratedTime.Value,
+                Signature = "" // Will be populated from actual response
+            },
+            InclusionProof = new RekorInclusionProofV2
+            {
+                LogIndex = response.Index.Value,
+                TreeSize = response.Proof.Checkpoint.Size,
+                RootHash = response.Proof.Checkpoint.RootHash,
+                LeafHash = response.Proof.Inclusion.LeafHash ?? throw new ArgumentException("Inclusion proof must include leaf hash"),
+                Hashes = response.Proof.Inclusion.Path
+            },
+            PolicyHash = policyHash,
+            GraphRevision = graphRevision,
+            IdempotencyKey = idempotencyKey
+        };
+    }
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Transparency/TransparencyServiceExtensions.cs

@@ -0,0 +1,46 @@
+// -----------------------------------------------------------------------------
+// TransparencyServiceExtensions.cs
+// Description: DI extensions for transparency status services.
+// -----------------------------------------------------------------------------
+
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+
+namespace StellaOps.Attestor.Core.Transparency;
+
+/// <summary>
+/// Extension methods for registering transparency services.
+/// </summary>
+public static class TransparencyServiceExtensions
+{
+    /// <summary>
+    /// Adds transparency status services to the service collection.
+    /// </summary>
+    /// <param name="services">The service collection.</param>
+    /// <param name="configure">Optional configuration action.</param>
+    /// <returns>The service collection for chaining.</returns>
+    public static IServiceCollection AddTransparencyStatus(
+        this IServiceCollection services,
+        Action<TransparencyStatusOptions>? configure = null)
+    {
+        ArgumentNullException.ThrowIfNull(services);
+
+        // Register options
+        if (configure is not null)
+        {
+            services.Configure(configure);
+        }
+        else
+        {
+            services.AddOptions<TransparencyStatusOptions>();
+        }
+
+        // Register provider
+        services.TryAddSingleton<ITransparencyStatusProvider, TransparencyStatusProvider>();
+
+        // Ensure TimeProvider is available
+        services.TryAddSingleton(TimeProvider.System);
+
+        return services;
+    }
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Transparency/TransparencyStatus.cs

@@ -0,0 +1,425 @@
+// -----------------------------------------------------------------------------
+// TransparencyStatus.cs
+// Description: Transparency log freshness status for health endpoints.
+// Implements "last sync" freshness badge from SBOM-VEX-policy advisory.
+// -----------------------------------------------------------------------------
+
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Attestor.Core.Transparency;
+
+/// <summary>
+/// Transparency log freshness status for health endpoints and status bars.
+/// </summary>
+/// <remarks>
+/// Implements the "last sync" freshness badge pattern:
+/// - Shows when transparency log was last successfully synced
+/// - Indicates whether operations are using verified or degraded mode
+/// - Provides clear guidance for air-gapped environments
+/// </remarks>
+public sealed record TransparencyStatus
+{
+    /// <summary>
+    /// Overall transparency status.
+    /// </summary>
+    [JsonPropertyName("status")]
+    public required TransparencyStatusLevel Status { get; init; }
+
+    /// <summary>
+    /// Human-readable status message.
+    /// </summary>
+    [JsonPropertyName("message")]
+    public required string Message { get; init; }
+
+    /// <summary>
+    /// When the transparency log was last successfully synced (UTC).
+    /// </summary>
+    [JsonPropertyName("lastSyncAt")]
+    public DateTimeOffset? LastSyncAt { get; init; }
+
+    /// <summary>
+    /// Age of the last sync in hours.
+    /// </summary>
+    [JsonPropertyName("lastSyncAgeHours")]
+    public double? LastSyncAgeHours { get; init; }
+
+    /// <summary>
+    /// When the checkpoint was last verified (UTC).
+    /// </summary>
+    [JsonPropertyName("lastCheckpointVerifiedAt")]
+    public DateTimeOffset? LastCheckpointVerifiedAt { get; init; }
+
+    /// <summary>
+    /// Latest verified checkpoint tree size.
+    /// </summary>
+    [JsonPropertyName("lastCheckpointTreeSize")]
+    public long? LastCheckpointTreeSize { get; init; }
+
+    /// <summary>
+    /// Whether the service is operating in offline/air-gapped mode.
+    /// </summary>
+    [JsonPropertyName("offlineMode")]
+    public bool OfflineMode { get; init; }
+
+    /// <summary>
+    /// Whether transparency verification is enforced (vs. best-effort).
+    /// </summary>
+    [JsonPropertyName("enforcementEnabled")]
+    public bool EnforcementEnabled { get; init; }
+
+    /// <summary>
+    /// Configured maximum checkpoint age before warning (hours).
+    /// </summary>
+    [JsonPropertyName("maxCheckpointAgeHours")]
+    public int MaxCheckpointAgeHours { get; init; }
+
+    /// <summary>
+    /// Primary Rekor backend URL.
+    /// </summary>
+    [JsonPropertyName("rekorBackend")]
+    public string? RekorBackend { get; init; }
+
+    /// <summary>
+    /// Mirror Rekor backend URL (for air-gapped or fallback).
+    /// </summary>
+    [JsonPropertyName("rekorMirror")]
+    public string? RekorMirror { get; init; }
+
+    /// <summary>
+    /// Submission queue depth (pending entries awaiting transparency anchoring).
+    /// </summary>
+    [JsonPropertyName("submissionQueueDepth")]
+    public int SubmissionQueueDepth { get; init; }
+
+    /// <summary>
+    /// Number of entries in dead-letter queue (failed submissions).
+    /// </summary>
+    [JsonPropertyName("deadLetterQueueDepth")]
+    public int DeadLetterQueueDepth { get; init; }
+
+    /// <summary>
+    /// Metrics for recent operations.
+    /// </summary>
+    [JsonPropertyName("metrics")]
+    public TransparencyMetrics? Metrics { get; init; }
+
+    /// <summary>
+    /// Health check details for each backend.
+    /// </summary>
+    [JsonPropertyName("backends")]
+    public IReadOnlyList<TransparencyBackendStatus> Backends { get; init; } = [];
+
+    /// <summary>
+    /// Whether the status indicates healthy operation.
+    /// </summary>
+    [JsonIgnore]
+    public bool IsHealthy => Status is TransparencyStatusLevel.Healthy or TransparencyStatusLevel.Degraded;
+
+    /// <summary>
+    /// Whether the checkpoint is considered fresh.
+    /// </summary>
+    [JsonIgnore]
+    public bool IsCheckpointFresh =>
+        LastSyncAgeHours.HasValue && LastSyncAgeHours.Value <= MaxCheckpointAgeHours;
+}
+
+/// <summary>
+/// Transparency status level for health indicators.
+/// </summary>
+public enum TransparencyStatusLevel
+{
+    /// <summary>
+    /// All transparency backends are healthy and synced.
+    /// </summary>
+    Healthy,
+
+    /// <summary>
+    /// Operating with stale checkpoint or fallback backend.
+    /// </summary>
+    Degraded,
+
+    /// <summary>
+    /// Operating in offline mode with acceptable checkpoint age.
+    /// </summary>
+    Offline,
+
+    /// <summary>
+    /// Transparency verification is unavailable or severely degraded.
+    /// </summary>
+    Unhealthy,
+
+    /// <summary>
+    /// Transparency status is unknown (not yet initialized).
+    /// </summary>
+    Unknown
+}
+
+/// <summary>
+/// Metrics for transparency operations.
+/// </summary>
+public sealed record TransparencyMetrics
+{
+    /// <summary>
+    /// Total submissions in the last hour.
+    /// </summary>
+    [JsonPropertyName("submissionsLastHour")]
+    public int SubmissionsLastHour { get; init; }
+
+    /// <summary>
+    /// Successful submissions in the last hour.
+    /// </summary>
+    [JsonPropertyName("successfulSubmissionsLastHour")]
+    public int SuccessfulSubmissionsLastHour { get; init; }
+
+    /// <summary>
+    /// Failed submissions in the last hour.
+    /// </summary>
+    [JsonPropertyName("failedSubmissionsLastHour")]
+    public int FailedSubmissionsLastHour { get; init; }
+
+    /// <summary>
+    /// Total verifications in the last hour.
+    /// </summary>
+    [JsonPropertyName("verificationsLastHour")]
+    public int VerificationsLastHour { get; init; }
+
+    /// <summary>
+    /// Successful verifications in the last hour.
+    /// </summary>
+    [JsonPropertyName("successfulVerificationsLastHour")]
+    public int SuccessfulVerificationsLastHour { get; init; }
+
+    /// <summary>
+    /// Average submission latency in milliseconds.
+    /// </summary>
+    [JsonPropertyName("avgSubmissionLatencyMs")]
+    public double AvgSubmissionLatencyMs { get; init; }
+
+    /// <summary>
+    /// P95 submission latency in milliseconds.
+    /// </summary>
+    [JsonPropertyName("p95SubmissionLatencyMs")]
+    public double P95SubmissionLatencyMs { get; init; }
+
+    /// <summary>
+    /// Offline verifications in the last hour.
+    /// </summary>
+    [JsonPropertyName("offlineVerificationsLastHour")]
+    public int OfflineVerificationsLastHour { get; init; }
+}
+
+/// <summary>
+/// Status of a single transparency backend.
+/// </summary>
+public sealed record TransparencyBackendStatus
+{
+    /// <summary>
+    /// Backend identifier (e.g., "rekor.sigstore.dev", "rekor-mirror.internal").
+    /// </summary>
+    [JsonPropertyName("id")]
+    public required string Id { get; init; }
+
+    /// <summary>
+    /// Backend URL.
+    /// </summary>
+    [JsonPropertyName("url")]
+    public required string Url { get; init; }
+
+    /// <summary>
+    /// Whether this is the primary backend.
+    /// </summary>
+    [JsonPropertyName("primary")]
+    public bool Primary { get; init; }
+
+    /// <summary>
+    /// Backend health status.
+    /// </summary>
+    [JsonPropertyName("status")]
+    public required BackendHealthStatus Status { get; init; }
+
+    /// <summary>
+    /// When the backend was last checked.
+    /// </summary>
+    [JsonPropertyName("lastCheckedAt")]
+    public DateTimeOffset? LastCheckedAt { get; init; }
+
+    /// <summary>
+    /// Latest response latency in milliseconds.
+    /// </summary>
+    [JsonPropertyName("latencyMs")]
+    public double? LatencyMs { get; init; }
+
+    /// <summary>
+    /// Error message if unhealthy.
+    /// </summary>
+    [JsonPropertyName("error")]
+    public string? Error { get; init; }
+
+    /// <summary>
+    /// Latest checkpoint tree size from this backend.
+    /// </summary>
+    [JsonPropertyName("treeSize")]
+    public long? TreeSize { get; init; }
+}
+
+/// <summary>
+/// Health status of a backend.
+/// </summary>
+public enum BackendHealthStatus
+{
+    /// <summary>
+    /// Backend is healthy and responding.
+    /// </summary>
+    Healthy,
+
+    /// <summary>
+    /// Backend is responding slowly.
+    /// </summary>
+    Slow,
+
+    /// <summary>
+    /// Backend is unreachable or erroring.
+    /// </summary>
+    Unhealthy,
+
+    /// <summary>
+    /// Backend status is unknown.
+    /// </summary>
+    Unknown
+}
+
+/// <summary>
+/// Service for retrieving transparency status.
+/// </summary>
+public interface ITransparencyStatusProvider
+{
+    /// <summary>
+    /// Gets the current transparency status.
+    /// </summary>
+    Task<TransparencyStatus> GetStatusAsync(CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Forces a refresh of the transparency status (e.g., recheck backends).
+    /// </summary>
+    Task<TransparencyStatus> RefreshAsync(CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Records a successful submission for metrics.
+    /// </summary>
+    void RecordSubmission(bool success, TimeSpan latency);
+
+    /// <summary>
+    /// Records a verification attempt for metrics.
+    /// </summary>
+    void RecordVerification(bool success, bool offline);
+
+    /// <summary>
+    /// Updates the last sync timestamp.
+    /// </summary>
+    void RecordSync(DateTimeOffset syncTime, long treeSize);
+}
+
+/// <summary>
+/// Configuration for transparency status provider.
+/// </summary>
+public sealed record TransparencyStatusOptions
+{
+    /// <summary>
+    /// Maximum checkpoint age in hours before status becomes degraded (default: 24).
+    /// </summary>
+    public int MaxCheckpointAgeHours { get; init; } = 24;
+
+    /// <summary>
+    /// Maximum checkpoint age in hours before status becomes unhealthy (default: 72).
+    /// </summary>
+    public int CriticalCheckpointAgeHours { get; init; } = 72;
+
+    /// <summary>
+    /// Backend health check interval in seconds (default: 60).
+    /// </summary>
+    public int HealthCheckIntervalSeconds { get; init; } = 60;
+
+    /// <summary>
+    /// Backend timeout in seconds (default: 10).
+    /// </summary>
+    public int BackendTimeoutSeconds { get; init; } = 10;
+
+    /// <summary>
+    /// Latency threshold for "slow" status in milliseconds (default: 2000).
+    /// </summary>
+    public int SlowLatencyThresholdMs { get; init; } = 2000;
+
+    /// <summary>
+    /// Whether to enable enforcement mode (fail operations without transparency).
+    /// </summary>
+    public bool EnforcementEnabled { get; init; } = false;
+
+    /// <summary>
+    /// Primary Rekor backend URL.
+    /// </summary>
+    public string? RekorBackendUrl { get; init; }
+
+    /// <summary>
+    /// Mirror Rekor backend URL.
+    /// </summary>
+    public string? RekorMirrorUrl { get; init; }
+}
+
+/// <summary>
+/// Interface for checking transparency backend health.
+/// Implemented in infrastructure layer with HTTP client support.
+/// </summary>
+public interface ITransparencyBackendHealthChecker
+{
+    /// <summary>
+    /// Checks the health of a transparency backend.
+    /// </summary>
+    /// <param name="url">The backend URL to check.</param>
+    /// <param name="timeoutSeconds">Timeout in seconds.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Health check result.</returns>
+    Task<BackendHealthCheckResult> CheckHealthAsync(
+        string url,
+        int timeoutSeconds,
+        CancellationToken cancellationToken = default);
+}
+
+/// <summary>
+/// Result of a backend health check.
+/// </summary>
+public sealed record BackendHealthCheckResult
+{
+    /// <summary>
+    /// Whether the backend is healthy.
+    /// </summary>
+    public required bool IsHealthy { get; init; }
+
+    /// <summary>
+    /// Response latency in milliseconds.
+    /// </summary>
+    public required double LatencyMs { get; init; }
+
+    /// <summary>
+    /// Error message if unhealthy.
+    /// </summary>
+    public string? Error { get; init; }
+
+    /// <summary>
+    /// Creates a healthy result.
+    /// </summary>
+    public static BackendHealthCheckResult Healthy(double latencyMs) => new()
+    {
+        IsHealthy = true,
+        LatencyMs = latencyMs
+    };
+
+    /// <summary>
+    /// Creates an unhealthy result.
+    /// </summary>
+    public static BackendHealthCheckResult Unhealthy(string error, double latencyMs = 0) => new()
+    {
+        IsHealthy = false,
+        LatencyMs = latencyMs,
+        Error = error
+    };
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Transparency/TransparencyStatusProvider.cs

@@ -0,0 +1,347 @@
+// -----------------------------------------------------------------------------
+// TransparencyStatusProvider.cs
+// Description: Default implementation of transparency status provider.
+// Tracks sync times, metrics, and backend health for freshness indicators.
+// -----------------------------------------------------------------------------
+
+using System.Collections.Concurrent;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace StellaOps.Attestor.Core.Transparency;
+
+/// <summary>
+/// Default implementation of <see cref="ITransparencyStatusProvider"/>.
+/// </summary>
+public sealed class TransparencyStatusProvider : ITransparencyStatusProvider, IDisposable
+{
+    private readonly ILogger<TransparencyStatusProvider> _logger;
+    private readonly TransparencyStatusOptions _options;
+    private readonly TimeProvider _timeProvider;
+    private readonly ITransparencyBackendHealthChecker? _healthChecker;
+
+    private readonly object _lock = new();
+    private DateTimeOffset? _lastSyncAt;
+    private long _lastTreeSize;
+    private DateTimeOffset? _lastCheckpointVerifiedAt;
+
+    // Metrics tracking (thread-safe)
+    private readonly ConcurrentQueue<MetricEntry> _submissionMetrics = new();
+    private readonly ConcurrentQueue<MetricEntry> _verificationMetrics = new();
+
+    // Backend status cache
+    private readonly ConcurrentDictionary<string, TransparencyBackendStatus> _backendStatuses = new();
+    private DateTimeOffset _lastHealthCheck = DateTimeOffset.MinValue;
+
+    // Queue depth tracking
+    private int _submissionQueueDepth;
+    private int _deadLetterQueueDepth;
+
+    public TransparencyStatusProvider(
+        ILogger<TransparencyStatusProvider> logger,
+        IOptions<TransparencyStatusOptions> options,
+        TimeProvider timeProvider,
+        ITransparencyBackendHealthChecker? healthChecker = null)
+    {
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _options = options?.Value ?? throw new ArgumentNullException(nameof(options));
+        _timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
+        _healthChecker = healthChecker;
+    }
+
+    /// <inheritdoc />
+    public async Task<TransparencyStatus> GetStatusAsync(CancellationToken cancellationToken = default)
+    {
+        var now = _timeProvider.GetUtcNow();
+
+        // Check if we need to refresh backend health
+        if (now - _lastHealthCheck > TimeSpan.FromSeconds(_options.HealthCheckIntervalSeconds))
+        {
+            await RefreshBackendHealthAsync(cancellationToken);
+        }
+
+        return BuildStatus(now);
+    }
+
+    /// <inheritdoc />
+    public async Task<TransparencyStatus> RefreshAsync(CancellationToken cancellationToken = default)
+    {
+        await RefreshBackendHealthAsync(cancellationToken);
+        return BuildStatus(_timeProvider.GetUtcNow());
+    }
+
+    /// <inheritdoc />
+    public void RecordSubmission(bool success, TimeSpan latency)
+    {
+        var entry = new MetricEntry(
+            _timeProvider.GetUtcNow(),
+            success,
+            false,
+            latency.TotalMilliseconds);
+
+        _submissionMetrics.Enqueue(entry);
+        PruneOldMetrics(_submissionMetrics);
+
+        _logger.LogDebug(
+            "Recorded transparency submission: success={Success}, latency={LatencyMs}ms",
+            success,
+            latency.TotalMilliseconds);
+    }
+
+    /// <inheritdoc />
+    public void RecordVerification(bool success, bool offline)
+    {
+        var entry = new MetricEntry(
+            _timeProvider.GetUtcNow(),
+            success,
+            offline,
+            0);
+
+        _verificationMetrics.Enqueue(entry);
+        PruneOldMetrics(_verificationMetrics);
+
+        _logger.LogDebug(
+            "Recorded transparency verification: success={Success}, offline={Offline}",
+            success,
+            offline);
+    }
+
+    /// <inheritdoc />
+    public void RecordSync(DateTimeOffset syncTime, long treeSize)
+    {
+        lock (_lock)
+        {
+            _lastSyncAt = syncTime;
+            _lastTreeSize = treeSize;
+            _lastCheckpointVerifiedAt = _timeProvider.GetUtcNow();
+        }
+
+        _logger.LogInformation(
+            "Recorded transparency sync: time={SyncTime}, treeSize={TreeSize}",
+            syncTime,
+            treeSize);
+    }
+
+    /// <summary>
+    /// Updates the queue depths for status reporting.
+    /// </summary>
+    public void UpdateQueueDepths(int submissionQueue, int deadLetterQueue)
+    {
+        Interlocked.Exchange(ref _submissionQueueDepth, submissionQueue);
+        Interlocked.Exchange(ref _deadLetterQueueDepth, deadLetterQueue);
+    }
+
+    private TransparencyStatus BuildStatus(DateTimeOffset now)
+    {
+        double? lastSyncAgeHours = null;
+        DateTimeOffset? lastSync;
+        long lastTreeSize;
+        DateTimeOffset? lastCheckpointVerified;
+
+        lock (_lock)
+        {
+            lastSync = _lastSyncAt;
+            lastTreeSize = _lastTreeSize;
+            lastCheckpointVerified = _lastCheckpointVerifiedAt;
+
+            if (_lastSyncAt.HasValue)
+            {
+                lastSyncAgeHours = (now - _lastSyncAt.Value).TotalHours;
+            }
+        }
+
+        var (status, message) = DetermineStatus(lastSyncAgeHours);
+        var metrics = CalculateMetrics(now);
+        var backends = _backendStatuses.Values.ToList();
+
+        return new TransparencyStatus
+        {
+            Status = status,
+            Message = message,
+            LastSyncAt = lastSync,
+            LastSyncAgeHours = lastSyncAgeHours,
+            LastCheckpointVerifiedAt = lastCheckpointVerified,
+            LastCheckpointTreeSize = lastTreeSize > 0 ? lastTreeSize : null,
+            OfflineMode = string.IsNullOrEmpty(_options.RekorBackendUrl),
+            EnforcementEnabled = _options.EnforcementEnabled,
+            MaxCheckpointAgeHours = _options.MaxCheckpointAgeHours,
+            RekorBackend = _options.RekorBackendUrl,
+            RekorMirror = _options.RekorMirrorUrl,
+            SubmissionQueueDepth = _submissionQueueDepth,
+            DeadLetterQueueDepth = _deadLetterQueueDepth,
+            Metrics = metrics,
+            Backends = backends
+        };
+    }
+
+    private (TransparencyStatusLevel, string) DetermineStatus(double? lastSyncAgeHours)
+    {
+        // No backend configured - offline mode
+        if (string.IsNullOrEmpty(_options.RekorBackendUrl))
+        {
+            if (lastSyncAgeHours is null)
+            {
+                return (TransparencyStatusLevel.Offline, "Operating in offline mode - no checkpoint synced");
+            }
+
+            if (lastSyncAgeHours <= _options.MaxCheckpointAgeHours)
+            {
+                return (TransparencyStatusLevel.Offline, $"Operating in offline mode - checkpoint is {lastSyncAgeHours:F1}h old");
+            }
+
+            return (TransparencyStatusLevel.Unhealthy, $"Offline mode with stale checkpoint ({lastSyncAgeHours:F1}h old)");
+        }
+
+        // No sync ever
+        if (lastSyncAgeHours is null)
+        {
+            return (TransparencyStatusLevel.Unknown, "Transparency log never synced");
+        }
+
+        // Fresh checkpoint
+        if (lastSyncAgeHours <= _options.MaxCheckpointAgeHours)
+        {
+            return (TransparencyStatusLevel.Healthy, $"Transparency log synced {lastSyncAgeHours:F1}h ago");
+        }
+
+        // Stale but acceptable
+        if (lastSyncAgeHours <= _options.CriticalCheckpointAgeHours)
+        {
+            return (TransparencyStatusLevel.Degraded, $"Transparency log checkpoint is stale ({lastSyncAgeHours:F1}h old)");
+        }
+
+        // Critical staleness
+        return (TransparencyStatusLevel.Unhealthy, $"Transparency log checkpoint is critically stale ({lastSyncAgeHours:F1}h old)");
+    }
+
+    private TransparencyMetrics CalculateMetrics(DateTimeOffset now)
+    {
+        var oneHourAgo = now.AddHours(-1);
+
+        var recentSubmissions = _submissionMetrics
+            .Where(m => m.Timestamp >= oneHourAgo)
+            .ToList();
+
+        var recentVerifications = _verificationMetrics
+            .Where(m => m.Timestamp >= oneHourAgo)
+            .ToList();
+
+        var successfulSubmissions = recentSubmissions.Where(m => m.Success).ToList();
+        var latencies = successfulSubmissions.Select(m => m.LatencyMs).OrderBy(l => l).ToList();
+
+        return new TransparencyMetrics
+        {
+            SubmissionsLastHour = recentSubmissions.Count,
+            SuccessfulSubmissionsLastHour = successfulSubmissions.Count,
+            FailedSubmissionsLastHour = recentSubmissions.Count - successfulSubmissions.Count,
+            VerificationsLastHour = recentVerifications.Count,
+            SuccessfulVerificationsLastHour = recentVerifications.Count(m => m.Success),
+            AvgSubmissionLatencyMs = latencies.Count > 0 ? latencies.Average() : 0,
+            P95SubmissionLatencyMs = latencies.Count > 0 ? Percentile(latencies, 95) : 0,
+            OfflineVerificationsLastHour = recentVerifications.Count(m => m.Offline)
+        };
+    }
+
+    private async Task RefreshBackendHealthAsync(CancellationToken cancellationToken)
+    {
+        _lastHealthCheck = _timeProvider.GetUtcNow();
+
+        var tasks = new List<Task>();
+
+        if (!string.IsNullOrEmpty(_options.RekorBackendUrl))
+        {
+            tasks.Add(CheckBackendHealthAsync("primary", _options.RekorBackendUrl, true, cancellationToken));
+        }
+
+        if (!string.IsNullOrEmpty(_options.RekorMirrorUrl))
+        {
+            tasks.Add(CheckBackendHealthAsync("mirror", _options.RekorMirrorUrl, false, cancellationToken));
+        }
+
+        if (tasks.Count > 0)
+        {
+            await Task.WhenAll(tasks);
+        }
+    }
+
+    private async Task CheckBackendHealthAsync(
+        string id,
+        string url,
+        bool primary,
+        CancellationToken cancellationToken)
+    {
+        var status = new TransparencyBackendStatus
+        {
+            Id = id,
+            Url = url,
+            Primary = primary,
+            Status = BackendHealthStatus.Unknown,
+            LastCheckedAt = _timeProvider.GetUtcNow()
+        };
+
+        if (_healthChecker is null)
+        {
+            _backendStatuses[id] = status;
+            return;
+        }
+
+        try
+        {
+            var result = await _healthChecker.CheckHealthAsync(
+                url,
+                _options.BackendTimeoutSeconds,
+                cancellationToken);
+
+            var healthStatus = result.IsHealthy
+                ? (result.LatencyMs > _options.SlowLatencyThresholdMs ? BackendHealthStatus.Slow : BackendHealthStatus.Healthy)
+                : BackendHealthStatus.Unhealthy;
+
+            status = status with
+            {
+                Status = healthStatus,
+                LatencyMs = result.LatencyMs,
+                Error = result.Error
+            };
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Failed to check transparency backend health: {Url}", url);
+            status = status with
+            {
+                Status = BackendHealthStatus.Unhealthy,
+                Error = ex.Message
+            };
+        }
+
+        _backendStatuses[id] = status;
+    }
+
+    private void PruneOldMetrics(ConcurrentQueue<MetricEntry> queue)
+    {
+        var cutoff = _timeProvider.GetUtcNow().AddHours(-2);
+
+        while (queue.TryPeek(out var entry) && entry.Timestamp < cutoff)
+        {
+            queue.TryDequeue(out _);
+        }
+    }
+
+    private static double Percentile(List<double> values, int percentile)
+    {
+        if (values.Count == 0) return 0;
+
+        var index = (int)Math.Ceiling(percentile / 100.0 * values.Count) - 1;
+        return values[Math.Max(0, Math.Min(index, values.Count - 1))];
+    }
+
+    public void Dispose()
+    {
+        // No unmanaged resources to dispose
+    }
+
+    private sealed record MetricEntry(
+        DateTimeOffset Timestamp,
+        bool Success,
+        bool Offline,
+        double LatencyMs);
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Rekor/HttpRekorTileClient.cs

@@ -0,0 +1,469 @@
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.Net;
+using System.Net.Http;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Attestor.Core.Rekor;
+
+namespace StellaOps.Attestor.Infrastructure.Rekor;
+
+/// <summary>
+/// HTTP client for fetching proofs from Rekor v2 tile-based logs.
+/// Implements the Sunlight/C2SP tlog-tiles specification.
+/// </summary>
+internal sealed class HttpRekorTileClient : IRekorTileClient
+{
+    private const int TileHeight = 8; // Standard tile height (2^8 = 256 entries per tile)
+    private const int TileWidth = 1 << TileHeight; // 256 entries per full tile
+    private const int HashSize = 32; // SHA-256
+
+    private readonly HttpClient _httpClient;
+    private readonly ILogger<HttpRekorTileClient> _logger;
+
+    public HttpRekorTileClient(HttpClient httpClient, ILogger<HttpRekorTileClient> logger)
+    {
+        _httpClient = httpClient;
+        _logger = logger;
+    }
+
+    /// <inheritdoc />
+    public async Task<RekorTileCheckpoint?> GetCheckpointAsync(
+        RekorBackend backend,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentNullException.ThrowIfNull(backend);
+
+        var checkpointUrl = new Uri(backend.GetEffectiveTileBaseUrl(), "../checkpoint");
+        _logger.LogDebug("Fetching checkpoint from {Url}", checkpointUrl);
+
+        try
+        {
+            using var request = new HttpRequestMessage(HttpMethod.Get, checkpointUrl);
+            using var response = await _httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (response.StatusCode == HttpStatusCode.NotFound)
+            {
+                _logger.LogDebug("Checkpoint not found at {Url}", checkpointUrl);
+                return null;
+            }
+
+            response.EnsureSuccessStatusCode();
+
+            var content = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+            return ParseCheckpoint(content);
+        }
+        catch (HttpRequestException ex)
+        {
+            _logger.LogWarning(ex, "Failed to fetch checkpoint from {Url}", checkpointUrl);
+            return null;
+        }
+    }
+
+    /// <inheritdoc />
+    public async Task<RekorTileData?> GetTileAsync(
+        RekorBackend backend,
+        int level,
+        long index,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentNullException.ThrowIfNull(backend);
+
+        // Tile path format: tile/{level}/{index...} where index is split into directories
+        var tilePath = FormatTilePath(level, index);
+        var tileUrl = new Uri(backend.GetEffectiveTileBaseUrl(), tilePath);
+
+        _logger.LogDebug("Fetching tile at level {Level} index {Index} from {Url}", level, index, tileUrl);
+
+        try
+        {
+            using var request = new HttpRequestMessage(HttpMethod.Get, tileUrl);
+            using var response = await _httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (response.StatusCode == HttpStatusCode.NotFound)
+            {
+                _logger.LogDebug("Tile not found at {Url}", tileUrl);
+                return null;
+            }
+
+            response.EnsureSuccessStatusCode();
+
+            var data = await response.Content.ReadAsByteArrayAsync(cancellationToken).ConfigureAwait(false);
+            var width = data.Length / HashSize;
+
+            return new RekorTileData
+            {
+                Level = level,
+                Index = index,
+                Width = width,
+                Hashes = data
+            };
+        }
+        catch (HttpRequestException ex)
+        {
+            _logger.LogWarning(ex, "Failed to fetch tile from {Url}", tileUrl);
+            return null;
+        }
+    }
+
+    /// <inheritdoc />
+    public async Task<RekorTileEntry?> GetEntryAsync(
+        RekorBackend backend,
+        long logIndex,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentNullException.ThrowIfNull(backend);
+
+        // Entry path format: tile/entries/{index...}
+        var entryPath = FormatEntryPath(logIndex);
+        var entryUrl = new Uri(backend.GetEffectiveTileBaseUrl(), entryPath);
+
+        _logger.LogDebug("Fetching entry at index {Index} from {Url}", logIndex, entryUrl);
+
+        try
+        {
+            using var request = new HttpRequestMessage(HttpMethod.Get, entryUrl);
+            using var response = await _httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (response.StatusCode == HttpStatusCode.NotFound)
+            {
+                _logger.LogDebug("Entry not found at {Url}", entryUrl);
+                return null;
+            }
+
+            response.EnsureSuccessStatusCode();
+
+            var data = await response.Content.ReadAsByteArrayAsync(cancellationToken).ConfigureAwait(false);
+
+            return new RekorTileEntry
+            {
+                LogIndex = logIndex,
+                Data = data,
+                IntegratedTime = null // Would need to parse from entry format
+            };
+        }
+        catch (HttpRequestException ex)
+        {
+            _logger.LogWarning(ex, "Failed to fetch entry from {Url}", entryUrl);
+            return null;
+        }
+    }
+
+    /// <inheritdoc />
+    public async Task<RekorTileInclusionProof?> ComputeInclusionProofAsync(
+        RekorBackend backend,
+        long logIndex,
+        long treeSize,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentNullException.ThrowIfNull(backend);
+
+        if (logIndex < 0 || logIndex >= treeSize)
+        {
+            _logger.LogWarning("Invalid log index {Index} for tree size {Size}", logIndex, treeSize);
+            return null;
+        }
+
+        _logger.LogDebug("Computing inclusion proof for index {Index} in tree of size {Size}", logIndex, treeSize);
+
+        try
+        {
+            // Fetch the leaf tile to get the leaf hash
+            var leafTileIndex = logIndex / TileWidth;
+            var leafTile = await GetTileAsync(backend, 0, leafTileIndex, cancellationToken).ConfigureAwait(false);
+
+            if (leafTile is null)
+            {
+                _logger.LogWarning("Failed to fetch leaf tile for index {Index}", logIndex);
+                return null;
+            }
+
+            var positionInTile = (int)(logIndex % TileWidth);
+            if (positionInTile >= leafTile.Width)
+            {
+                _logger.LogWarning("Position {Position} exceeds tile width {Width}", positionInTile, leafTile.Width);
+                return null;
+            }
+
+            var leafHash = leafTile.GetHash(positionInTile);
+
+            // Compute the proof path by fetching required tiles
+            var path = await ComputeProofPathAsync(backend, logIndex, treeSize, cancellationToken).ConfigureAwait(false);
+
+            if (path is null)
+            {
+                return null;
+            }
+
+            // Compute expected root hash from path
+            var rootHash = ComputeRootFromPath(leafHash, logIndex, treeSize, path);
+
+            return new RekorTileInclusionProof
+            {
+                LogIndex = logIndex,
+                TreeSize = treeSize,
+                LeafHash = leafHash,
+                Path = path,
+                RootHash = rootHash
+            };
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Failed to compute inclusion proof for index {Index}", logIndex);
+            return null;
+        }
+    }
+
+    private async Task<IReadOnlyList<byte[]>?> ComputeProofPathAsync(
+        RekorBackend backend,
+        long logIndex,
+        long treeSize,
+        CancellationToken cancellationToken)
+    {
+        var path = new List<byte[]>();
+        var index = logIndex;
+        var size = treeSize;
+        var level = 0;
+
+        while (size > 1)
+        {
+            var siblingIndex = index ^ 1; // XOR to get sibling
+            var tileIndex = siblingIndex / TileWidth;
+            var positionInTile = (int)(siblingIndex % TileWidth);
+
+            // Only add sibling if it exists in the tree
+            if (siblingIndex < size)
+            {
+                var tile = await GetTileAsync(backend, level, tileIndex, cancellationToken).ConfigureAwait(false);
+
+                if (tile is null || positionInTile >= tile.Width)
+                {
+                    // For partial trees, compute ephemeral hash if needed
+                    _logger.LogDebug("Sibling at level {Level} index {Index} not in tile, tree may be partial", level, siblingIndex);
+
+                    // For now, return null if we can't get the sibling
+                    // A full implementation would handle partial tiles
+                    return null;
+                }
+
+                path.Add(tile.GetHash(positionInTile));
+            }
+
+            index /= 2;
+            size = (size + 1) / 2;
+            level++;
+        }
+
+        return path;
+    }
+
+    private static byte[] ComputeRootFromPath(byte[] leafHash, long logIndex, long treeSize, IReadOnlyList<byte[]> path)
+    {
+        var current = leafHash;
+        var index = logIndex;
+        var size = treeSize;
+        var pathIndex = 0;
+
+        while (size > 1 && pathIndex < path.Count)
+        {
+            var siblingIndex = index ^ 1;
+
+            if (siblingIndex < size)
+            {
+                var sibling = path[pathIndex++];
+
+                // Hash order depends on position
+                current = (index & 1) == 0
+                    ? HashPair(current, sibling)
+                    : HashPair(sibling, current);
+            }
+
+            index /= 2;
+            size = (size + 1) / 2;
+        }
+
+        return current;
+    }
+
+    private static byte[] HashPair(byte[] left, byte[] right)
+    {
+        using var sha256 = System.Security.Cryptography.SHA256.Create();
+
+        // RFC 6962: H(0x01 || left || right)
+        var input = new byte[1 + left.Length + right.Length];
+        input[0] = 0x01;
+        Array.Copy(left, 0, input, 1, left.Length);
+        Array.Copy(right, 0, input, 1 + left.Length, right.Length);
+
+        return sha256.ComputeHash(input);
+    }
+
+    private RekorTileCheckpoint? ParseCheckpoint(string content)
+    {
+        // Checkpoint format (Go signed note format):
+        // <origin>
+        // <tree_size>
+        // <root_hash_base64>
+        // [optional extension lines]
+        //
+        // <signature_line>...
+
+        var lines = content.Split('\n', StringSplitOptions.None);
+
+        if (lines.Length < 4)
+        {
+            _logger.LogWarning("Checkpoint has too few lines: {Count}", lines.Length);
+            return null;
+        }
+
+        var origin = lines[0];
+        if (!long.TryParse(lines[1], NumberStyles.None, CultureInfo.InvariantCulture, out var treeSize))
+        {
+            _logger.LogWarning("Invalid tree size in checkpoint: {Line}", lines[1]);
+            return null;
+        }
+
+        byte[] rootHash;
+        try
+        {
+            rootHash = Convert.FromBase64String(lines[2]);
+        }
+        catch (FormatException)
+        {
+            _logger.LogWarning("Invalid root hash base64 in checkpoint: {Line}", lines[2]);
+            return null;
+        }
+
+        // Find the blank line that separates checkpoint from signatures
+        var signatureStartIndex = -1;
+        for (var i = 3; i < lines.Length; i++)
+        {
+            if (string.IsNullOrWhiteSpace(lines[i]))
+            {
+                signatureStartIndex = i + 1;
+                break;
+            }
+        }
+
+        var signatures = new List<RekorCheckpointSignature>();
+        if (signatureStartIndex > 0)
+        {
+            for (var i = signatureStartIndex; i < lines.Length; i++)
+            {
+                var sigLine = lines[i];
+                if (string.IsNullOrWhiteSpace(sigLine))
+                {
+                    continue;
+                }
+
+                // Signature format: <key_hint> <signature_base64>
+                var parts = sigLine.Split(' ', 2);
+                if (parts.Length >= 2)
+                {
+                    try
+                    {
+                        signatures.Add(new RekorCheckpointSignature
+                        {
+                            KeyHint = parts[0],
+                            Signature = Convert.FromBase64String(parts[1])
+                        });
+                    }
+                    catch (FormatException)
+                    {
+                        _logger.LogDebug("Skipping invalid signature line: {Line}", sigLine);
+                    }
+                }
+            }
+        }
+
+        // Extract raw checkpoint (everything before signatures)
+        var rawCheckpointEnd = signatureStartIndex > 0 ? signatureStartIndex - 1 : lines.Length;
+        var rawCheckpoint = string.Join('\n', lines[..rawCheckpointEnd]);
+
+        return new RekorTileCheckpoint
+        {
+            Origin = origin,
+            TreeSize = treeSize,
+            RootHash = rootHash,
+            RawCheckpoint = rawCheckpoint,
+            Signatures = signatures
+        };
+    }
+
+    private static string FormatTilePath(int level, long index)
+    {
+        // Tile path uses base-1000 directory structure for scalability
+        // e.g., tile/0/x001/234 for level 0, index 1234
+        var sb = new StringBuilder();
+        sb.Append(level.ToString(CultureInfo.InvariantCulture));
+        sb.Append('/');
+
+        if (index == 0)
+        {
+            sb.Append("000");
+        }
+        else
+        {
+            var parts = new List<string>();
+            var remaining = index;
+            while (remaining > 0)
+            {
+                parts.Add((remaining % 1000).ToString("D3", CultureInfo.InvariantCulture));
+                remaining /= 1000;
+            }
+
+            parts.Reverse();
+            // First part doesn't need leading zeros padding to 3 digits if it's the most significant
+            if (parts.Count > 0)
+            {
+                parts[0] = parts[0].TrimStart('0');
+                if (string.IsNullOrEmpty(parts[0]))
+                {
+                    parts[0] = "0";
+                }
+            }
+
+            sb.Append(string.Join('/', parts));
+        }
+
+        return sb.ToString();
+    }
+
+    private static string FormatEntryPath(long index)
+    {
+        // Entry path: entries/{index...}
+        var sb = new StringBuilder("entries/");
+
+        if (index == 0)
+        {
+            sb.Append("000");
+        }
+        else
+        {
+            var parts = new List<string>();
+            var remaining = index;
+            while (remaining > 0)
+            {
+                parts.Add((remaining % 1000).ToString("D3", CultureInfo.InvariantCulture));
+                remaining /= 1000;
+            }
+
+            parts.Reverse();
+            if (parts.Count > 0)
+            {
+                parts[0] = parts[0].TrimStart('0');
+                if (string.IsNullOrEmpty(parts[0]))
+                {
+                    parts[0] = "0";
+                }
+            }
+
+            sb.Append(string.Join('/', parts));
+        }
+
+        return sb.ToString();
+    }
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Rekor/RekorBackendResolver.cs

@@ -47,9 +47,43 @@ internal static class RekorBackendResolver
         {
             Name = name,
             Url = new Uri(options.Url, UriKind.Absolute),
+            Version = ParseLogVersion(options.Version),
+            TileBaseUrl = string.IsNullOrWhiteSpace(options.TileBaseUrl)
+                ? null
+                : new Uri(options.TileBaseUrl, UriKind.Absolute),
+            LogId = options.LogId,
+            PreferTileProofs = options.PreferTileProofs,
             ProofTimeout = TimeSpan.FromMilliseconds(options.ProofTimeoutMs),
             PollInterval = TimeSpan.FromMilliseconds(options.PollIntervalMs),
             MaxAttempts = options.MaxAttempts
         };
     }
+
+    /// <summary>
+    /// Parses the log version string to the enum value.
+    /// </summary>
+    private static RekorLogVersion ParseLogVersion(string? version)
+    {
+        if (string.IsNullOrWhiteSpace(version))
+        {
+            return RekorLogVersion.Auto;
+        }
+
+        return version.Trim().ToUpperInvariant() switch
+        {
+            "AUTO" => RekorLogVersion.Auto,
+            "V1" or "1" => RekorLogVersion.V1,
+            "V2" or "2" => RekorLogVersion.V2,
+            _ => RekorLogVersion.Auto
+        };
+    }
+
+    /// <summary>
+    /// Determines if the backend should use tile-based verification.
+    /// </summary>
+    public static bool ShouldUseTileProofs(RekorBackend backend)
+    {
+        return backend.Version == RekorLogVersion.V2 ||
+               (backend.Version == RekorLogVersion.Auto && backend.PreferTileProofs);
+    }
 }

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/ServiceCollectionExtensions.cs

@@ -96,6 +96,20 @@ public static class ServiceCollectionExtensions
         });
         services.AddSingleton<IRekorClient>(sp => sp.GetRequiredService<HttpRekorClient>());
 
+        // Rekor v2 tile-based client for Sunlight/tile log format
+        services.AddHttpClient<HttpRekorTileClient>((sp, client) =>
+        {
+            var options = sp.GetRequiredService<IOptions<AttestorOptions>>().Value;
+            var timeoutMs = options.Rekor.Primary.ProofTimeoutMs;
+            if (timeoutMs <= 0)
+            {
+                timeoutMs = 15_000;
+            }
+
+            client.Timeout = TimeSpan.FromMilliseconds(timeoutMs);
+        });
+        services.AddSingleton<IRekorTileClient>(sp => sp.GetRequiredService<HttpRekorTileClient>());
+
         services.AddHttpClient<HttpTransparencyWitnessClient>((sp, client) =>
         {
             var options = sp.GetRequiredService<IOptions<AttestorOptions>>().Value;

src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/HttpRekorTileClientTests.cs

@@ -0,0 +1,313 @@
+using System;
+using System.Net;
+using System.Net.Http;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using FluentAssertions;
+using Microsoft.Extensions.Logging.Abstractions;
+using StellaOps.Attestor.Core.Rekor;
+using StellaOps.Attestor.Infrastructure.Rekor;
+using StellaOps.TestKit;
+using Xunit;
+
+namespace StellaOps.Attestor.Infrastructure.Tests;
+
+public sealed class HttpRekorTileClientTests
+{
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task GetCheckpointAsync_ValidCheckpoint_ParsesCorrectly()
+    {
+        // Arrange
+        var checkpoint = """
+            rekor.sigstore.dev - 2605736670972794746
+            12345678
+            rMj3G9LfM9C6Xt0qpV3pHbM2q5lPvKjS0mOmV8jXwAk=
+
+            - rekor.sigstore.dev ABC123signature==
+            """;
+
+        var client = CreateClient(new CheckpointHandler(checkpoint));
+        var backend = CreateBackend();
+
+        // Act
+        var result = await client.GetCheckpointAsync(backend, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result!.Origin.Should().Be("rekor.sigstore.dev - 2605736670972794746");
+        result.TreeSize.Should().Be(12345678);
+        result.RootHash.Should().NotBeNullOrEmpty();
+        result.Signatures.Should().HaveCount(1);
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task GetCheckpointAsync_NotFound_ReturnsNull()
+    {
+        // Arrange
+        var client = CreateClient(new NotFoundHandler());
+        var backend = CreateBackend();
+
+        // Act
+        var result = await client.GetCheckpointAsync(backend, CancellationToken.None);
+
+        // Assert
+        result.Should().BeNull();
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task GetTileAsync_ValidTile_ReturnsTileData()
+    {
+        // Arrange - 256 hashes (32 bytes each) = 8192 bytes
+        var tileData = new byte[32 * 4]; // 4 hashes for simplicity
+        Random.Shared.NextBytes(tileData);
+
+        var client = CreateClient(new TileHandler(tileData));
+        var backend = CreateBackend();
+
+        // Act
+        var result = await client.GetTileAsync(backend, level: 0, index: 0, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result!.Level.Should().Be(0);
+        result.Index.Should().Be(0);
+        result.Width.Should().Be(4);
+        result.Hashes.Should().Equal(tileData);
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task GetTileAsync_NotFound_ReturnsNull()
+    {
+        // Arrange
+        var client = CreateClient(new NotFoundHandler());
+        var backend = CreateBackend();
+
+        // Act
+        var result = await client.GetTileAsync(backend, level: 0, index: 999999, CancellationToken.None);
+
+        // Assert
+        result.Should().BeNull();
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void RekorTileData_GetHash_ReturnsCorrectHash()
+    {
+        // Arrange
+        var hash1 = new byte[32];
+        var hash2 = new byte[32];
+        Random.Shared.NextBytes(hash1);
+        Random.Shared.NextBytes(hash2);
+
+        var hashes = new byte[64];
+        Array.Copy(hash1, 0, hashes, 0, 32);
+        Array.Copy(hash2, 0, hashes, 32, 32);
+
+        var tile = new RekorTileData
+        {
+            Level = 0,
+            Index = 0,
+            Width = 2,
+            Hashes = hashes
+        };
+
+        // Act & Assert
+        tile.GetHash(0).Should().Equal(hash1);
+        tile.GetHash(1).Should().Equal(hash2);
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void RekorTileData_GetHash_OutOfRange_Throws()
+    {
+        // Arrange
+        var tile = new RekorTileData
+        {
+            Level = 0,
+            Index = 0,
+            Width = 2,
+            Hashes = new byte[64]
+        };
+
+        // Act & Assert
+        var action = () => tile.GetHash(2);
+        action.Should().Throw<ArgumentOutOfRangeException>();
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void RekorBackend_GetEffectiveTileBaseUrl_WithoutConfig_ReturnsDefault()
+    {
+        // Arrange
+        var backend = new RekorBackend
+        {
+            Name = "test",
+            Url = new Uri("https://rekor.sigstore.dev"),
+            Version = RekorLogVersion.V2
+        };
+
+        // Act
+        var result = backend.GetEffectiveTileBaseUrl();
+
+        // Assert
+        result.Should().Be(new Uri("https://rekor.sigstore.dev/tile/"));
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void RekorBackend_GetEffectiveTileBaseUrl_WithConfig_ReturnsConfigured()
+    {
+        // Arrange
+        var backend = new RekorBackend
+        {
+            Name = "test",
+            Url = new Uri("https://rekor.sigstore.dev"),
+            Version = RekorLogVersion.V2,
+            TileBaseUrl = new Uri("https://tiles.rekor.sigstore.dev/")
+        };
+
+        // Act
+        var result = backend.GetEffectiveTileBaseUrl();
+
+        // Assert
+        result.Should().Be(new Uri("https://tiles.rekor.sigstore.dev/"));
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Theory]
+    [InlineData(RekorLogVersion.V2, false, true)]
+    [InlineData(RekorLogVersion.V1, false, false)]
+    [InlineData(RekorLogVersion.V1, true, false)]
+    [InlineData(RekorLogVersion.Auto, false, false)]
+    [InlineData(RekorLogVersion.Auto, true, true)]
+    public void ShouldUseTileProofs_ReturnsExpected(RekorLogVersion version, bool preferTiles, bool expected)
+    {
+        // Arrange
+        var backend = new RekorBackend
+        {
+            Name = "test",
+            Url = new Uri("https://rekor.sigstore.dev"),
+            Version = version,
+            PreferTileProofs = preferTiles
+        };
+
+        // Act
+        var result = RekorBackendResolver.ShouldUseTileProofs(backend);
+
+        // Assert
+        result.Should().Be(expected);
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task GetEntryAsync_NotFound_ReturnsNull()
+    {
+        // Arrange
+        var client = CreateClient(new NotFoundHandler());
+        var backend = CreateBackend();
+
+        // Act
+        var result = await client.GetEntryAsync(backend, logIndex: 12345, CancellationToken.None);
+
+        // Assert
+        result.Should().BeNull();
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task ComputeInclusionProofAsync_InvalidIndex_ReturnsNull()
+    {
+        // Arrange
+        var client = CreateClient(new NotFoundHandler());
+        var backend = CreateBackend();
+
+        // Act - index >= treeSize
+        var result = await client.ComputeInclusionProofAsync(backend, logIndex: 100, treeSize: 50, CancellationToken.None);
+
+        // Assert
+        result.Should().BeNull();
+    }
+
+    private static HttpRekorTileClient CreateClient(HttpMessageHandler handler)
+    {
+        var httpClient = new HttpClient(handler)
+        {
+            BaseAddress = new Uri("https://rekor.sigstore.dev")
+        };
+
+        return new HttpRekorTileClient(httpClient, NullLogger<HttpRekorTileClient>.Instance);
+    }
+
+    private static RekorBackend CreateBackend()
+    {
+        return new RekorBackend
+        {
+            Name = "primary",
+            Url = new Uri("https://rekor.sigstore.dev"),
+            Version = RekorLogVersion.V2
+        };
+    }
+
+    private sealed class CheckpointHandler : HttpMessageHandler
+    {
+        private readonly string _checkpoint;
+
+        public CheckpointHandler(string checkpoint)
+        {
+            _checkpoint = checkpoint;
+        }
+
+        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+        {
+            var path = request.RequestUri?.AbsolutePath ?? string.Empty;
+
+            if (path.Contains("checkpoint", StringComparison.OrdinalIgnoreCase))
+            {
+                return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK)
+                {
+                    Content = new StringContent(_checkpoint, Encoding.UTF8, "text/plain")
+                });
+            }
+
+            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.NotFound));
+        }
+    }
+
+    private sealed class TileHandler : HttpMessageHandler
+    {
+        private readonly byte[] _tileData;
+
+        public TileHandler(byte[] tileData)
+        {
+            _tileData = tileData;
+        }
+
+        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+        {
+            var path = request.RequestUri?.AbsolutePath ?? string.Empty;
+
+            if (path.Contains("tile/", StringComparison.OrdinalIgnoreCase) && !path.Contains("checkpoint", StringComparison.OrdinalIgnoreCase))
+            {
+                return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK)
+                {
+                    Content = new ByteArrayContent(_tileData)
+                });
+            }
+
+            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.NotFound));
+        }
+    }
+
+    private sealed class NotFoundHandler : HttpMessageHandler
+    {
+        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+        {
+            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.NotFound));
+        }
+    }
+}

src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/RekorBackendResolverTests.cs

@@ -1,6 +1,7 @@
 using System;
 using FluentAssertions;
 using StellaOps.Attestor.Core.Options;
+using StellaOps.Attestor.Core.Rekor;
 using StellaOps.Attestor.Infrastructure.Rekor;
 using StellaOps.TestKit;
 using Xunit;
@@ -35,6 +36,155 @@ public sealed class RekorBackendResolverTests
         backend.Url.Should().Be(new Uri("https://rekor.primary.example"));
     }
 
+    [Trait("Category", TestCategories.Unit)]
+    [Theory]
+    [InlineData("Auto", RekorLogVersion.Auto)]
+    [InlineData("auto", RekorLogVersion.Auto)]
+    [InlineData("V1", RekorLogVersion.V1)]
+    [InlineData("v1", RekorLogVersion.V1)]
+    [InlineData("1", RekorLogVersion.V1)]
+    [InlineData("V2", RekorLogVersion.V2)]
+    [InlineData("v2", RekorLogVersion.V2)]
+    [InlineData("2", RekorLogVersion.V2)]
+    [InlineData("", RekorLogVersion.Auto)]
+    [InlineData(null, RekorLogVersion.Auto)]
+    [InlineData("invalid", RekorLogVersion.Auto)]
+    public void ResolveBackend_ParsesVersionCorrectly(string? versionString, RekorLogVersion expected)
+    {
+        var options = new AttestorOptions
+        {
+            Rekor = new AttestorOptions.RekorOptions
+            {
+                Primary = new AttestorOptions.RekorBackendOptions
+                {
+                    Url = "https://rekor.sigstore.dev",
+                    Version = versionString ?? "Auto"
+                }
+            }
+        };
+
+        var backend = RekorBackendResolver.ResolveBackend(options, "primary", allowFallbackToPrimary: false);
+
+        backend.Version.Should().Be(expected);
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void ResolveBackend_WithTileBaseUrl_SetsProperty()
+    {
+        var options = new AttestorOptions
+        {
+            Rekor = new AttestorOptions.RekorOptions
+            {
+                Primary = new AttestorOptions.RekorBackendOptions
+                {
+                    Url = "https://rekor.sigstore.dev",
+                    Version = "V2",
+                    TileBaseUrl = "https://rekor.sigstore.dev/tile/"
+                }
+            }
+        };
+
+        var backend = RekorBackendResolver.ResolveBackend(options, "primary", allowFallbackToPrimary: false);
+
+        backend.Version.Should().Be(RekorLogVersion.V2);
+        backend.TileBaseUrl.Should().Be(new Uri("https://rekor.sigstore.dev/tile/"));
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void ResolveBackend_WithLogId_SetsProperty()
+    {
+        var options = new AttestorOptions
+        {
+            Rekor = new AttestorOptions.RekorOptions
+            {
+                Primary = new AttestorOptions.RekorBackendOptions
+                {
+                    Url = "https://rekor.sigstore.dev",
+                    LogId = RekorBackend.SigstoreProductionLogId
+                }
+            }
+        };
+
+        var backend = RekorBackendResolver.ResolveBackend(options, "primary", allowFallbackToPrimary: false);
+
+        backend.LogId.Should().Be(RekorBackend.SigstoreProductionLogId);
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void ResolveBackend_WithPreferTileProofs_SetsProperty()
+    {
+        var options = new AttestorOptions
+        {
+            Rekor = new AttestorOptions.RekorOptions
+            {
+                Primary = new AttestorOptions.RekorBackendOptions
+                {
+                    Url = "https://rekor.sigstore.dev",
+                    PreferTileProofs = true
+                }
+            }
+        };
+
+        var backend = RekorBackendResolver.ResolveBackend(options, "primary", allowFallbackToPrimary: false);
+
+        backend.PreferTileProofs.Should().BeTrue();
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Theory]
+    [InlineData(RekorLogVersion.V2, false, true)]
+    [InlineData(RekorLogVersion.V1, true, false)]
+    [InlineData(RekorLogVersion.Auto, true, true)]
+    [InlineData(RekorLogVersion.Auto, false, false)]
+    public void ShouldUseTileProofs_ReturnsCorrectValue(RekorLogVersion version, bool preferTileProofs, bool expected)
+    {
+        var backend = new RekorBackend
+        {
+            Name = "test",
+            Url = new Uri("https://rekor.sigstore.dev"),
+            Version = version,
+            PreferTileProofs = preferTileProofs
+        };
+
+        var result = RekorBackendResolver.ShouldUseTileProofs(backend);
+
+        result.Should().Be(expected);
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void GetEffectiveTileBaseUrl_WithoutTileBaseUrl_ReturnsDefault()
+    {
+        var backend = new RekorBackend
+        {
+            Name = "test",
+            Url = new Uri("https://rekor.sigstore.dev")
+        };
+
+        var result = backend.GetEffectiveTileBaseUrl();
+
+        result.Should().Be(new Uri("https://rekor.sigstore.dev/tile/"));
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void GetEffectiveTileBaseUrl_WithTileBaseUrl_ReturnsConfigured()
+    {
+        var backend = new RekorBackend
+        {
+            Name = "test",
+            Url = new Uri("https://rekor.sigstore.dev"),
+            TileBaseUrl = new Uri("https://custom.tile.endpoint/v2/tile/")
+        };
+
+        var result = backend.GetEffectiveTileBaseUrl();
+
+        result.Should().Be(new Uri("https://custom.tile.endpoint/v2/tile/"));
+    }
+
     [Trait("Category", TestCategories.Unit)]
     [Fact]
     public void ResolveBackend_UnknownBackend_ThrowsWhenFallbackDisabled()

src/Concelier/__Libraries/StellaOps.Concelier.SourceIntel/ChangelogParser.cs

@@ -147,7 +147,7 @@ public static partial class ChangelogParser
                 }
 
                 currentDate = ParseRpmDate(headerMatch.Groups[1].Value);
-                currentVersion = headerMatch.Groups[2].Value;
+                currentVersion = headerMatch.Groups[2].Value.Trim();
                 currentCves.Clear();
                 currentBugs.Clear();
                 currentDescription.Clear();

src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/EmailConfiguredCheck.cs

@@ -0,0 +1,161 @@
+using Microsoft.Extensions.Configuration;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugins;
+
+namespace StellaOps.Doctor.Plugin.Notify.Checks;
+
+/// <summary>
+/// Checks if email (SMTP) notification channel is properly configured.
+/// </summary>
+public sealed class EmailConfiguredCheck : IDoctorCheck
+{
+    private const string PluginId = "stellaops.doctor.notify";
+    private const string CategoryName = "Notifications";
+
+    /// <inheritdoc />
+    public string CheckId => "check.notify.email.configured";
+
+    /// <inheritdoc />
+    public string Name => "Email Configuration";
+
+    /// <inheritdoc />
+    public string Description => "Verify email (SMTP) notification channel is properly configured";
+
+    /// <inheritdoc />
+    public DoctorSeverity DefaultSeverity => DoctorSeverity.Warn;
+
+    /// <inheritdoc />
+    public IReadOnlyList<string> Tags => ["notify", "email", "smtp", "quick", "configuration"];
+
+    /// <inheritdoc />
+    public TimeSpan EstimatedDuration => TimeSpan.FromMilliseconds(100);
+
+    /// <inheritdoc />
+    public bool CanRun(DoctorPluginContext context)
+    {
+        var emailConfig = context.Configuration.GetSection("Notify:Channels:Email");
+        return emailConfig.Exists();
+    }
+
+    /// <inheritdoc />
+    public Task<DoctorCheckResult> RunAsync(DoctorPluginContext context, CancellationToken ct)
+    {
+        var builder = context.CreateResult(CheckId, PluginId, CategoryName);
+        var emailConfig = context.Configuration.GetSection("Notify:Channels:Email");
+
+        var smtpHost = emailConfig["SmtpHost"] ?? emailConfig["Host"];
+        var smtpPort = emailConfig.GetValue<int?>("SmtpPort") ?? emailConfig.GetValue<int?>("Port") ?? 0;
+        var fromAddress = emailConfig["FromAddress"] ?? emailConfig["From"];
+        var enabled = emailConfig.GetValue<bool>("Enabled", true);
+        var useSsl = emailConfig.GetValue<bool>("UseSsl", true);
+        var username = emailConfig["Username"];
+
+        var hasHost = !string.IsNullOrWhiteSpace(smtpHost);
+        var hasFrom = !string.IsNullOrWhiteSpace(fromAddress);
+        var hasValidPort = smtpPort > 0 && smtpPort <= 65535;
+
+        if (!hasHost)
+        {
+            return Task.FromResult(builder
+                .Fail("SMTP host is not configured")
+                .WithEvidence("Email configuration status", eb => eb
+                    .Add("SmtpHost", "(not set)")
+                    .Add("SmtpPort", smtpPort > 0 ? smtpPort.ToString() : "(not set)")
+                    .Add("FromAddress", hasFrom ? fromAddress! : "(not set)")
+                    .Add("Enabled", enabled.ToString()))
+                .WithCauses(
+                    "SMTP host not set in configuration",
+                    "Missing Notify:Channels:Email:SmtpHost setting")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Add SMTP configuration",
+                        "# Add to appsettings.json:\n" +
+                        "# \"Notify\": { \"Channels\": { \"Email\": {\n" +
+                        "#   \"SmtpHost\": \"smtp.example.com\",\n" +
+                        "#   \"SmtpPort\": 587,\n" +
+                        "#   \"FromAddress\": \"noreply@example.com\",\n" +
+                        "#   \"UseSsl\": true\n" +
+                        "# } } }",
+                        CommandType.FileEdit)
+                    .AddStep(2, "Or set via environment variables",
+                        "export Notify__Channels__Email__SmtpHost=\"smtp.example.com\"\n" +
+                        "export Notify__Channels__Email__SmtpPort=\"587\"\n" +
+                        "export Notify__Channels__Email__FromAddress=\"noreply@example.com\"",
+                        CommandType.Shell))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build());
+        }
+
+        if (!hasValidPort)
+        {
+            return Task.FromResult(builder
+                .Warn("SMTP port is not configured or invalid")
+                .WithEvidence("Email configuration status", eb => eb
+                    .Add("SmtpHost", smtpHost!)
+                    .Add("SmtpPort", smtpPort > 0 ? smtpPort.ToString() : "(not set or invalid)")
+                    .Add("FromAddress", hasFrom ? fromAddress! : "(not set)")
+                    .Add("Enabled", enabled.ToString())
+                    .Add("Note", "Common ports: 25 (unencrypted), 465 (SSL), 587 (TLS/STARTTLS)"))
+                .WithCauses(
+                    "SMTP port not specified",
+                    "Invalid port number")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Set SMTP port",
+                        "# Common SMTP ports:\n# 25 - Standard SMTP (often blocked)\n# 465 - SMTP over SSL\n# 587 - SMTP with STARTTLS (recommended)",
+                        CommandType.Manual))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build());
+        }
+
+        if (!hasFrom)
+        {
+            return Task.FromResult(builder
+                .Warn("From address is not configured")
+                .WithEvidence("Email configuration status", eb => eb
+                    .Add("SmtpHost", smtpHost!)
+                    .Add("SmtpPort", smtpPort.ToString())
+                    .Add("FromAddress", "(not set)")
+                    .Add("Enabled", enabled.ToString()))
+                .WithCauses(
+                    "From address not configured",
+                    "Emails may be rejected without a valid sender")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Set from address",
+                        "# Add Notify:Channels:Email:FromAddress to configuration",
+                        CommandType.FileEdit))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build());
+        }
+
+        if (!enabled)
+        {
+            return Task.FromResult(builder
+                .Warn("Email channel is configured but disabled")
+                .WithEvidence("Email configuration status", eb => eb
+                    .Add("SmtpHost", smtpHost!)
+                    .Add("SmtpPort", smtpPort.ToString())
+                    .Add("FromAddress", fromAddress!)
+                    .Add("Enabled", "false")
+                    .Add("UseSsl", useSsl.ToString())
+                    .Add("HasCredentials", !string.IsNullOrWhiteSpace(username) ? "yes" : "no"))
+                .WithCauses(
+                    "Email notifications explicitly disabled")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Enable email notifications",
+                        "# Set Notify:Channels:Email:Enabled to true",
+                        CommandType.FileEdit))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build());
+        }
+
+        return Task.FromResult(builder
+            .Pass("Email notification channel is properly configured")
+            .WithEvidence("Email configuration status", eb => eb
+                .Add("SmtpHost", smtpHost!)
+                .Add("SmtpPort", smtpPort.ToString())
+                .Add("FromAddress", fromAddress!)
+                .Add("Enabled", "true")
+                .Add("UseSsl", useSsl.ToString())
+                .Add("HasCredentials", !string.IsNullOrWhiteSpace(username) ? "yes" : "no"))
+            .Build());
+    }
+}

src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/EmailConnectivityCheck.cs

@@ -0,0 +1,186 @@
+using System.Globalization;
+using System.Net.Sockets;
+using Microsoft.Extensions.Configuration;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugins;
+
+namespace StellaOps.Doctor.Plugin.Notify.Checks;
+
+/// <summary>
+/// Checks if the configured SMTP server is reachable.
+/// </summary>
+public sealed class EmailConnectivityCheck : IDoctorCheck
+{
+    private const string PluginId = "stellaops.doctor.notify";
+    private const string CategoryName = "Notifications";
+
+    /// <inheritdoc />
+    public string CheckId => "check.notify.email.connectivity";
+
+    /// <inheritdoc />
+    public string Name => "Email Connectivity";
+
+    /// <inheritdoc />
+    public string Description => "Verify SMTP server is reachable";
+
+    /// <inheritdoc />
+    public DoctorSeverity DefaultSeverity => DoctorSeverity.Warn;
+
+    /// <inheritdoc />
+    public IReadOnlyList<string> Tags => ["notify", "email", "smtp", "connectivity", "network"];
+
+    /// <inheritdoc />
+    public TimeSpan EstimatedDuration => TimeSpan.FromSeconds(5);
+
+    /// <inheritdoc />
+    public bool CanRun(DoctorPluginContext context)
+    {
+        var emailConfig = context.Configuration.GetSection("Notify:Channels:Email");
+        var smtpHost = emailConfig["SmtpHost"] ?? emailConfig["Host"];
+        var smtpPort = emailConfig.GetValue<int?>("SmtpPort") ?? emailConfig.GetValue<int?>("Port") ?? 0;
+
+        return !string.IsNullOrWhiteSpace(smtpHost) && smtpPort > 0;
+    }
+
+    /// <inheritdoc />
+    public async Task<DoctorCheckResult> RunAsync(DoctorPluginContext context, CancellationToken ct)
+    {
+        var emailConfig = context.Configuration.GetSection("Notify:Channels:Email");
+        var smtpHost = emailConfig["SmtpHost"] ?? emailConfig["Host"]!;
+        var smtpPort = emailConfig.GetValue<int?>("SmtpPort") ?? emailConfig.GetValue<int?>("Port") ?? 587;
+
+        var builder = context.CreateResult(CheckId, PluginId, CategoryName);
+
+        try
+        {
+            using var tcpClient = new TcpClient();
+
+            // Set connection timeout
+            using var timeoutCts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+            timeoutCts.CancelAfter(TimeSpan.FromSeconds(10));
+
+            await tcpClient.ConnectAsync(smtpHost, smtpPort, timeoutCts.Token);
+
+            if (tcpClient.Connected)
+            {
+                // Try to read the SMTP banner
+                using var stream = tcpClient.GetStream();
+                stream.ReadTimeout = 5000;
+
+                var buffer = new byte[1024];
+                string? banner = null;
+
+                try
+                {
+                    var bytesRead = await stream.ReadAsync(buffer, timeoutCts.Token);
+                    if (bytesRead > 0)
+                    {
+                        banner = System.Text.Encoding.ASCII.GetString(buffer, 0, bytesRead).Trim();
+                    }
+                }
+                catch
+                {
+                    // Banner read failed, but connection succeeded
+                }
+
+                var isSmtp = banner?.StartsWith("220", StringComparison.Ordinal) == true;
+
+                if (isSmtp)
+                {
+                    return builder
+                        .Pass("SMTP server is reachable and responding")
+                        .WithEvidence("SMTP connectivity test", eb => eb
+                            .Add("SmtpHost", smtpHost)
+                            .Add("SmtpPort", smtpPort.ToString(CultureInfo.InvariantCulture))
+                            .Add("Banner", banner?.Length > 100 ? banner[..100] + "..." : banner ?? "(none)"))
+                        .Build();
+                }
+
+                return builder
+                    .Info("Connection to SMTP port succeeded but banner not recognized")
+                    .WithEvidence("SMTP connectivity test", eb => eb
+                        .Add("SmtpHost", smtpHost)
+                        .Add("SmtpPort", smtpPort.ToString(CultureInfo.InvariantCulture))
+                        .Add("Banner", banner ?? "(none)")
+                        .Add("Note", "Connection succeeded but response doesn't look like SMTP"))
+                    .Build();
+            }
+
+            return builder
+                .Fail("Failed to connect to SMTP server")
+                .WithEvidence("SMTP connectivity test", eb => eb
+                    .Add("SmtpHost", smtpHost)
+                    .Add("SmtpPort", smtpPort.ToString(CultureInfo.InvariantCulture)))
+                .WithCauses(
+                    "SMTP server not running",
+                    "Wrong host or port",
+                    "Firewall blocking connection")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Test port connectivity",
+                        $"nc -zv {smtpHost} {smtpPort}",
+                        CommandType.Shell)
+                    .AddStep(2, "Test with telnet",
+                        $"telnet {smtpHost} {smtpPort}",
+                        CommandType.Shell))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build();
+        }
+        catch (OperationCanceledException) when (ct.IsCancellationRequested)
+        {
+            throw;
+        }
+        catch (OperationCanceledException)
+        {
+            return builder
+                .Fail("SMTP connection timed out")
+                .WithEvidence("SMTP connectivity test", eb => eb
+                    .Add("SmtpHost", smtpHost)
+                    .Add("SmtpPort", smtpPort.ToString(CultureInfo.InvariantCulture))
+                    .Add("Error", "Connection timeout (10s)"))
+                .WithCauses(
+                    "SMTP server not responding",
+                    "Network latency too high",
+                    "Firewall blocking connection",
+                    "Wrong host or port")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Test DNS resolution",
+                        $"nslookup {smtpHost}",
+                        CommandType.Shell)
+                    .AddStep(2, "Test port connectivity",
+                        $"nc -zv -w 10 {smtpHost} {smtpPort}",
+                        CommandType.Shell)
+                    .AddStep(3, "Check firewall rules",
+                        "# Ensure outbound connections to SMTP ports are allowed",
+                        CommandType.Manual))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build();
+        }
+        catch (SocketException ex)
+        {
+            return builder
+                .Fail($"Cannot connect to SMTP server: {ex.Message}")
+                .WithEvidence("SMTP connectivity test", eb => eb
+                    .Add("SmtpHost", smtpHost)
+                    .Add("SmtpPort", smtpPort.ToString(CultureInfo.InvariantCulture))
+                    .Add("SocketError", ex.SocketErrorCode.ToString())
+                    .Add("Error", ex.Message))
+                .WithCauses(
+                    "DNS resolution failure",
+                    "SMTP server not running on specified port",
+                    "Network connectivity issue",
+                    "Firewall blocking connection")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Test DNS resolution",
+                        $"nslookup {smtpHost}",
+                        CommandType.Shell)
+                    .AddStep(2, "Test port connectivity",
+                        $"nc -zv {smtpHost} {smtpPort}",
+                        CommandType.Shell)
+                    .AddStep(3, "Verify SMTP host and port settings",
+                        "# Common SMTP ports: 25, 465 (SSL), 587 (STARTTLS)",
+                        CommandType.Manual))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build();
+        }
+    }
+}

src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/NotifyQueueHealthCheck.cs

@@ -0,0 +1,232 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Diagnostics.HealthChecks;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugins;
+
+namespace StellaOps.Doctor.Plugin.Notify.Checks;
+
+/// <summary>
+/// Checks if the notification queue (Redis or NATS) is healthy.
+/// </summary>
+public sealed class NotifyQueueHealthCheck : IDoctorCheck
+{
+    private const string PluginId = "stellaops.doctor.notify";
+    private const string CategoryName = "Notifications";
+
+    /// <inheritdoc />
+    public string CheckId => "check.notify.queue.health";
+
+    /// <inheritdoc />
+    public string Name => "Notification Queue Health";
+
+    /// <inheritdoc />
+    public string Description => "Verify notification event and delivery queues are healthy";
+
+    /// <inheritdoc />
+    public DoctorSeverity DefaultSeverity => DoctorSeverity.Fail;
+
+    /// <inheritdoc />
+    public IReadOnlyList<string> Tags => ["notify", "queue", "redis", "nats", "infrastructure"];
+
+    /// <inheritdoc />
+    public TimeSpan EstimatedDuration => TimeSpan.FromSeconds(5);
+
+    /// <inheritdoc />
+    public bool CanRun(DoctorPluginContext context)
+    {
+        // Check if any queue configuration exists
+        var queueConfig = context.Configuration.GetSection("Notify:Queue");
+        var transportKind = queueConfig["Transport"] ?? queueConfig["Kind"];
+        return !string.IsNullOrWhiteSpace(transportKind);
+    }
+
+    /// <inheritdoc />
+    public async Task<DoctorCheckResult> RunAsync(DoctorPluginContext context, CancellationToken ct)
+    {
+        var builder = context.CreateResult(CheckId, PluginId, CategoryName);
+        var queueConfig = context.Configuration.GetSection("Notify:Queue");
+        var transportKind = queueConfig["Transport"] ?? queueConfig["Kind"] ?? "unknown";
+
+        // Try to get the event queue health check from DI
+        var eventQueueHealthCheck = context.Services.GetService<StellaOps.Notify.Queue.NotifyQueueHealthCheck>();
+        var deliveryQueueHealthCheck = context.Services.GetService<StellaOps.Notify.Queue.NotifyDeliveryQueueHealthCheck>();
+
+        if (eventQueueHealthCheck == null && deliveryQueueHealthCheck == null)
+        {
+            return builder
+                .Skip("No notification queue health checks registered")
+                .WithEvidence("Queue health check status", eb => eb
+                    .Add("Transport", transportKind)
+                    .Add("EventQueueHealthCheck", "not registered")
+                    .Add("DeliveryQueueHealthCheck", "not registered"))
+                .Build();
+        }
+
+        var results = new List<(string Name, HealthCheckResult Result)>();
+
+        // Check event queue
+        if (eventQueueHealthCheck != null)
+        {
+            try
+            {
+                var eventContext = new HealthCheckContext
+                {
+                    Registration = new HealthCheckRegistration(
+                        "notify-event-queue",
+                        eventQueueHealthCheck,
+                        HealthStatus.Unhealthy,
+                        null)
+                };
+
+                var eventResult = await eventQueueHealthCheck.CheckHealthAsync(eventContext, ct);
+                results.Add(("EventQueue", eventResult));
+            }
+            catch (Exception ex)
+            {
+                results.Add(("EventQueue", new HealthCheckResult(
+                    HealthStatus.Unhealthy,
+                    "Event queue health check threw exception",
+                    ex)));
+            }
+        }
+
+        // Check delivery queue
+        if (deliveryQueueHealthCheck != null)
+        {
+            try
+            {
+                var deliveryContext = new HealthCheckContext
+                {
+                    Registration = new HealthCheckRegistration(
+                        "notify-delivery-queue",
+                        deliveryQueueHealthCheck,
+                        HealthStatus.Unhealthy,
+                        null)
+                };
+
+                var deliveryResult = await deliveryQueueHealthCheck.CheckHealthAsync(deliveryContext, ct);
+                results.Add(("DeliveryQueue", deliveryResult));
+            }
+            catch (Exception ex)
+            {
+                results.Add(("DeliveryQueue", new HealthCheckResult(
+                    HealthStatus.Unhealthy,
+                    "Delivery queue health check threw exception",
+                    ex)));
+            }
+        }
+
+        // Aggregate results
+        var allHealthy = results.All(r => r.Result.Status == HealthStatus.Healthy);
+        var anyUnhealthy = results.Any(r => r.Result.Status == HealthStatus.Unhealthy);
+
+        if (allHealthy)
+        {
+            return builder
+                .Pass($"Notification queue ({transportKind}) is healthy")
+                .WithEvidence("Queue health check results", eb =>
+                {
+                    eb.Add("Transport", transportKind);
+                    foreach (var (name, result) in results)
+                    {
+                        eb.Add($"{name}Status", result.Status.ToString());
+                        if (!string.IsNullOrEmpty(result.Description))
+                        {
+                            eb.Add($"{name}Message", result.Description);
+                        }
+                    }
+                })
+                .Build();
+        }
+
+        if (anyUnhealthy)
+        {
+            var unhealthyQueues = results
+                .Where(r => r.Result.Status == HealthStatus.Unhealthy)
+                .Select(r => r.Name)
+                .ToList();
+
+            return builder
+                .Fail($"Notification queue unhealthy: {string.Join(", ", unhealthyQueues)}")
+                .WithEvidence("Queue health check results", eb =>
+                {
+                    eb.Add("Transport", transportKind);
+                    foreach (var (name, result) in results)
+                    {
+                        eb.Add($"{name}Status", result.Status.ToString());
+                        if (!string.IsNullOrEmpty(result.Description))
+                        {
+                            eb.Add($"{name}Message", result.Description);
+                        }
+                    }
+                })
+                .WithCauses(
+                    "Queue server not running",
+                    "Network connectivity issues",
+                    "Authentication failure",
+                    "Incorrect connection string")
+                .WithRemediation(rb =>
+                {
+                    if (transportKind.Equals("redis", StringComparison.OrdinalIgnoreCase) ||
+                        transportKind.Equals("valkey", StringComparison.OrdinalIgnoreCase))
+                    {
+                        rb.AddStep(1, "Check Redis/Valkey server status",
+                            "redis-cli ping",
+                            CommandType.Shell)
+                          .AddStep(2, "Verify Redis connection settings",
+                            "# Check Notify:Queue:Redis:ConnectionString in configuration",
+                            CommandType.Manual)
+                          .AddStep(3, "Check Redis server logs",
+                            "docker logs <redis-container-name>",
+                            CommandType.Shell);
+                    }
+                    else if (transportKind.Equals("nats", StringComparison.OrdinalIgnoreCase))
+                    {
+                        rb.AddStep(1, "Check NATS server status",
+                            "nats server ping",
+                            CommandType.Shell)
+                          .AddStep(2, "Verify NATS connection settings",
+                            "# Check Notify:Queue:Nats:Url in configuration",
+                            CommandType.Manual)
+                          .AddStep(3, "Check NATS server logs",
+                            "docker logs <nats-container-name>",
+                            CommandType.Shell);
+                    }
+                    else
+                    {
+                        rb.AddStep(1, "Verify queue transport configuration",
+                            "# Check Notify:Queue:Transport setting",
+                            CommandType.Manual);
+                    }
+                })
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build();
+        }
+
+        // Degraded state
+        return builder
+            .Warn("Notification queue in degraded state")
+            .WithEvidence("Queue health check results", eb =>
+            {
+                eb.Add("Transport", transportKind);
+                foreach (var (name, result) in results)
+                {
+                    eb.Add($"{name}Status", result.Status.ToString());
+                    if (!string.IsNullOrEmpty(result.Description))
+                    {
+                        eb.Add($"{name}Message", result.Description);
+                    }
+                }
+            })
+            .WithCauses(
+                "Queue server experiencing issues",
+                "High latency",
+                "Resource constraints")
+            .WithRemediation(rb => rb
+                .AddStep(1, "Check queue server health",
+                    "# Review queue server metrics and logs",
+                    CommandType.Manual))
+            .WithVerification($"stella doctor --check {CheckId}")
+            .Build();
+    }
+}

src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/SlackConfiguredCheck.cs

@@ -0,0 +1,109 @@
+using System.Globalization;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugins;
+using StellaOps.Notify.Engine;
+using StellaOps.Notify.Models;
+
+namespace StellaOps.Doctor.Plugin.Notify.Checks;
+
+/// <summary>
+/// Checks if Slack notification channels are properly configured.
+/// </summary>
+public sealed class SlackConfiguredCheck : IDoctorCheck
+{
+    private const string PluginId = "stellaops.doctor.notify";
+    private const string CategoryName = "Notifications";
+
+    /// <inheritdoc />
+    public string CheckId => "check.notify.slack.configured";
+
+    /// <inheritdoc />
+    public string Name => "Slack Configuration";
+
+    /// <inheritdoc />
+    public string Description => "Verify Slack notification channel is properly configured";
+
+    /// <inheritdoc />
+    public DoctorSeverity DefaultSeverity => DoctorSeverity.Warn;
+
+    /// <inheritdoc />
+    public IReadOnlyList<string> Tags => ["notify", "slack", "quick", "configuration"];
+
+    /// <inheritdoc />
+    public TimeSpan EstimatedDuration => TimeSpan.FromMilliseconds(100);
+
+    /// <inheritdoc />
+    public bool CanRun(DoctorPluginContext context)
+    {
+        // Check if Slack is configured in settings
+        var slackConfig = context.Configuration.GetSection("Notify:Channels:Slack");
+        return slackConfig.Exists();
+    }
+
+    /// <inheritdoc />
+    public Task<DoctorCheckResult> RunAsync(DoctorPluginContext context, CancellationToken ct)
+    {
+        var builder = context.CreateResult(CheckId, PluginId, CategoryName);
+        var slackConfig = context.Configuration.GetSection("Notify:Channels:Slack");
+
+        var webhookUrl = slackConfig["WebhookUrl"];
+        var channel = slackConfig["Channel"];
+        var enabled = slackConfig.GetValue<bool>("Enabled", true);
+
+        var hasWebhook = !string.IsNullOrWhiteSpace(webhookUrl);
+        var hasChannel = !string.IsNullOrWhiteSpace(channel);
+
+        if (!hasWebhook)
+        {
+            return Task.FromResult(builder
+                .Fail("Slack webhook URL is not configured")
+                .WithEvidence("Slack configuration status", eb => eb
+                    .Add("WebhookUrl", "(not set)")
+                    .Add("Channel", hasChannel ? channel! : "(not set)")
+                    .Add("Enabled", enabled.ToString()))
+                .WithCauses(
+                    "Slack webhook URL not set in configuration",
+                    "Missing Notify:Channels:Slack:WebhookUrl setting",
+                    "Environment variable not bound to configuration")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Add Slack webhook URL to configuration",
+                        "# Add to appsettings.json or environment:\n" +
+                        "# \"Notify\": { \"Channels\": { \"Slack\": { \"WebhookUrl\": \"https://hooks.slack.com/services/...\" } } }",
+                        CommandType.FileEdit)
+                    .AddStep(2, "Or set via environment variable",
+                        "export Notify__Channels__Slack__WebhookUrl=\"https://hooks.slack.com/services/YOUR/WEBHOOK/URL\"",
+                        CommandType.Shell)
+                    .WithSafetyNote("Slack webhook URLs are secrets - store in a secrets manager"))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build());
+        }
+
+        if (!enabled)
+        {
+            return Task.FromResult(builder
+                .Warn("Slack channel is configured but disabled")
+                .WithEvidence("Slack configuration status", eb => eb
+                    .Add("WebhookUrl", DoctorPluginContext.Redact(webhookUrl))
+                    .Add("Channel", hasChannel ? channel! : "(default)")
+                    .Add("Enabled", "false"))
+                .WithCauses(
+                    "Slack notifications explicitly disabled in configuration")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Enable Slack notifications",
+                        "# Set Notify:Channels:Slack:Enabled to true in configuration",
+                        CommandType.FileEdit))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build());
+        }
+
+        return Task.FromResult(builder
+            .Pass("Slack notification channel is properly configured")
+            .WithEvidence("Slack configuration status", eb => eb
+                .Add("WebhookUrl", DoctorPluginContext.Redact(webhookUrl))
+                .Add("Channel", hasChannel ? channel! : "(default)")
+                .Add("Enabled", "true"))
+            .Build());
+    }
+}

src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/SlackConnectivityCheck.cs

@@ -0,0 +1,153 @@
+using System.Globalization;
+using System.Net.Http;
+using System.Text;
+using System.Text.Json;
+using Microsoft.Extensions.DependencyInjection;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugins;
+
+namespace StellaOps.Doctor.Plugin.Notify.Checks;
+
+/// <summary>
+/// Checks if the configured Slack webhook endpoint is reachable.
+/// </summary>
+public sealed class SlackConnectivityCheck : IDoctorCheck
+{
+    private const string PluginId = "stellaops.doctor.notify";
+    private const string CategoryName = "Notifications";
+
+    /// <inheritdoc />
+    public string CheckId => "check.notify.slack.connectivity";
+
+    /// <inheritdoc />
+    public string Name => "Slack Connectivity";
+
+    /// <inheritdoc />
+    public string Description => "Verify Slack webhook endpoint is reachable";
+
+    /// <inheritdoc />
+    public DoctorSeverity DefaultSeverity => DoctorSeverity.Warn;
+
+    /// <inheritdoc />
+    public IReadOnlyList<string> Tags => ["notify", "slack", "connectivity", "network"];
+
+    /// <inheritdoc />
+    public TimeSpan EstimatedDuration => TimeSpan.FromSeconds(5);
+
+    /// <inheritdoc />
+    public bool CanRun(DoctorPluginContext context)
+    {
+        var webhookUrl = context.Configuration["Notify:Channels:Slack:WebhookUrl"];
+        return !string.IsNullOrWhiteSpace(webhookUrl) &&
+               Uri.TryCreate(webhookUrl, UriKind.Absolute, out _);
+    }
+
+    /// <inheritdoc />
+    public async Task<DoctorCheckResult> RunAsync(DoctorPluginContext context, CancellationToken ct)
+    {
+        var webhookUrl = context.Configuration["Notify:Channels:Slack:WebhookUrl"]!;
+        var builder = context.CreateResult(CheckId, PluginId, CategoryName);
+
+        try
+        {
+            var httpClientFactory = context.Services.GetRequiredService<IHttpClientFactory>();
+            var httpClient = httpClientFactory.CreateClient("DoctorHealthCheck");
+            httpClient.Timeout = TimeSpan.FromSeconds(10);
+
+            // Send a minimal test payload to Slack
+            // Note: This won't actually post a message if the payload is invalid,
+            // but it will verify the endpoint is reachable and responds
+            var testPayload = new { text = "" }; // Empty text won't post but validates endpoint
+            var content = new StringContent(
+                JsonSerializer.Serialize(testPayload),
+                Encoding.UTF8,
+                "application/json");
+
+            var response = await httpClient.PostAsync(webhookUrl, content, ct);
+            var responseBody = await response.Content.ReadAsStringAsync(ct);
+
+            // Slack returns "no_text" for empty messages, which proves connectivity
+            if (response.IsSuccessStatusCode || responseBody.Contains("no_text", StringComparison.OrdinalIgnoreCase))
+            {
+                return builder
+                    .Pass("Slack webhook endpoint is reachable")
+                    .WithEvidence("Slack connectivity test", eb => eb
+                        .Add("WebhookUrl", DoctorPluginContext.Redact(webhookUrl))
+                        .Add("StatusCode", ((int)response.StatusCode).ToString(CultureInfo.InvariantCulture))
+                        .Add("Response", responseBody.Length > 100 ? responseBody[..100] + "..." : responseBody))
+                    .Build();
+            }
+
+            return builder
+                .Warn($"Slack webhook returned unexpected response: {response.StatusCode}")
+                .WithEvidence("Slack connectivity test", eb => eb
+                    .Add("WebhookUrl", DoctorPluginContext.Redact(webhookUrl))
+                    .Add("StatusCode", ((int)response.StatusCode).ToString(CultureInfo.InvariantCulture))
+                    .Add("Response", responseBody.Length > 200 ? responseBody[..200] + "..." : responseBody))
+                .WithCauses(
+                    "Invalid or expired webhook URL",
+                    "Slack workspace configuration changed",
+                    "Webhook URL revoked or regenerated",
+                    "Rate limiting by Slack")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Verify webhook URL in Slack App settings",
+                        "# Go to https://api.slack.com/apps -> Your App -> Incoming Webhooks",
+                        CommandType.Manual)
+                    .AddStep(2, "Test webhook manually",
+                        $"curl -X POST -H 'Content-type: application/json' --data '{{\"text\":\"Doctor test\"}}' '{DoctorPluginContext.Redact(webhookUrl)}'",
+                        CommandType.Shell)
+                    .AddStep(3, "Regenerate webhook if needed",
+                        "# Create a new webhook URL in Slack and update configuration",
+                        CommandType.Manual))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build();
+        }
+        catch (TaskCanceledException)
+        {
+            return builder
+                .Fail("Slack webhook connection timed out")
+                .WithEvidence("Slack connectivity test", eb => eb
+                    .Add("WebhookUrl", DoctorPluginContext.Redact(webhookUrl))
+                    .Add("Error", "Connection timeout (10s)"))
+                .WithCauses(
+                    "Network connectivity issue to Slack",
+                    "Firewall blocking outbound HTTPS",
+                    "Proxy configuration required",
+                    "Slack service degradation")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Check network connectivity",
+                        "curl -v https://hooks.slack.com/",
+                        CommandType.Shell)
+                    .AddStep(2, "Check Slack status",
+                        "# Visit https://status.slack.com for service status",
+                        CommandType.Manual)
+                    .AddStep(3, "Verify proxy settings if applicable",
+                        "echo $HTTP_PROXY $HTTPS_PROXY",
+                        CommandType.Shell))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build();
+        }
+        catch (HttpRequestException ex)
+        {
+            return builder
+                .Fail($"Cannot reach Slack webhook: {ex.Message}")
+                .WithEvidence("Slack connectivity test", eb => eb
+                    .Add("WebhookUrl", DoctorPluginContext.Redact(webhookUrl))
+                    .Add("Error", ex.Message))
+                .WithCauses(
+                    "DNS resolution failure",
+                    "Network connectivity issue",
+                    "TLS/SSL certificate problem",
+                    "Firewall blocking connection")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Test DNS resolution",
+                        "nslookup hooks.slack.com",
+                        CommandType.Shell)
+                    .AddStep(2, "Test HTTPS connectivity",
+                        "curl -v https://hooks.slack.com/",
+                        CommandType.Shell))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build();
+        }
+    }
+}

src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/TeamsConfiguredCheck.cs

@@ -0,0 +1,125 @@
+using Microsoft.Extensions.Configuration;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugins;
+
+namespace StellaOps.Doctor.Plugin.Notify.Checks;
+
+/// <summary>
+/// Checks if Microsoft Teams notification channels are properly configured.
+/// </summary>
+public sealed class TeamsConfiguredCheck : IDoctorCheck
+{
+    private const string PluginId = "stellaops.doctor.notify";
+    private const string CategoryName = "Notifications";
+
+    /// <inheritdoc />
+    public string CheckId => "check.notify.teams.configured";
+
+    /// <inheritdoc />
+    public string Name => "Teams Configuration";
+
+    /// <inheritdoc />
+    public string Description => "Verify Microsoft Teams notification channel is properly configured";
+
+    /// <inheritdoc />
+    public DoctorSeverity DefaultSeverity => DoctorSeverity.Warn;
+
+    /// <inheritdoc />
+    public IReadOnlyList<string> Tags => ["notify", "teams", "quick", "configuration"];
+
+    /// <inheritdoc />
+    public TimeSpan EstimatedDuration => TimeSpan.FromMilliseconds(100);
+
+    /// <inheritdoc />
+    public bool CanRun(DoctorPluginContext context)
+    {
+        var teamsConfig = context.Configuration.GetSection("Notify:Channels:Teams");
+        return teamsConfig.Exists();
+    }
+
+    /// <inheritdoc />
+    public Task<DoctorCheckResult> RunAsync(DoctorPluginContext context, CancellationToken ct)
+    {
+        var builder = context.CreateResult(CheckId, PluginId, CategoryName);
+        var teamsConfig = context.Configuration.GetSection("Notify:Channels:Teams");
+
+        var webhookUrl = teamsConfig["WebhookUrl"];
+        var enabled = teamsConfig.GetValue<bool>("Enabled", true);
+
+        var hasWebhook = !string.IsNullOrWhiteSpace(webhookUrl);
+        var isValidUrl = hasWebhook && Uri.TryCreate(webhookUrl, UriKind.Absolute, out var uri) &&
+                         (uri.Host.Contains("webhook.office.com", StringComparison.OrdinalIgnoreCase) ||
+                          uri.Host.Contains("microsoft.com", StringComparison.OrdinalIgnoreCase));
+
+        if (!hasWebhook)
+        {
+            return Task.FromResult(builder
+                .Fail("Teams webhook URL is not configured")
+                .WithEvidence("Teams configuration status", eb => eb
+                    .Add("WebhookUrl", "(not set)")
+                    .Add("Enabled", enabled.ToString()))
+                .WithCauses(
+                    "Teams webhook URL not set in configuration",
+                    "Missing Notify:Channels:Teams:WebhookUrl setting",
+                    "Environment variable not bound to configuration")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Create Teams Incoming Webhook",
+                        "# In Teams: Channel > Connectors > Incoming Webhook > Create",
+                        CommandType.Manual)
+                    .AddStep(2, "Add webhook URL to configuration",
+                        "# Add to appsettings.json:\n" +
+                        "# \"Notify\": { \"Channels\": { \"Teams\": { \"WebhookUrl\": \"https://...webhook.office.com/...\" } } }",
+                        CommandType.FileEdit)
+                    .AddStep(3, "Or set via environment variable",
+                        "export Notify__Channels__Teams__WebhookUrl=\"https://YOUR_WEBHOOK_URL\"",
+                        CommandType.Shell)
+                    .WithSafetyNote("Teams webhook URLs are secrets - store securely"))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build());
+        }
+
+        if (!isValidUrl)
+        {
+            return Task.FromResult(builder
+                .Warn("Teams webhook URL format appears invalid")
+                .WithEvidence("Teams configuration status", eb => eb
+                    .Add("WebhookUrl", DoctorPluginContext.Redact(webhookUrl))
+                    .Add("Enabled", enabled.ToString())
+                    .Add("ValidationNote", "Expected webhook.office.com or microsoft.com domain"))
+                .WithCauses(
+                    "Webhook URL is not from Microsoft domain",
+                    "Malformed URL in configuration",
+                    "Legacy webhook URL format")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Verify webhook URL",
+                        "# Teams webhook URLs typically look like:\n# https://YOUR_TENANT.webhook.office.com/webhookb2/...",
+                        CommandType.Manual))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build());
+        }
+
+        if (!enabled)
+        {
+            return Task.FromResult(builder
+                .Warn("Teams channel is configured but disabled")
+                .WithEvidence("Teams configuration status", eb => eb
+                    .Add("WebhookUrl", DoctorPluginContext.Redact(webhookUrl))
+                    .Add("Enabled", "false"))
+                .WithCauses(
+                    "Teams notifications explicitly disabled in configuration")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Enable Teams notifications",
+                        "# Set Notify:Channels:Teams:Enabled to true in configuration",
+                        CommandType.FileEdit))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build());
+        }
+
+        return Task.FromResult(builder
+            .Pass("Teams notification channel is properly configured")
+            .WithEvidence("Teams configuration status", eb => eb
+                .Add("WebhookUrl", DoctorPluginContext.Redact(webhookUrl))
+                .Add("Enabled", "true"))
+            .Build());
+    }
+}

src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/TeamsConnectivityCheck.cs

@@ -0,0 +1,169 @@
+using System.Globalization;
+using System.Net.Http;
+using System.Text;
+using System.Text.Json;
+using Microsoft.Extensions.DependencyInjection;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugins;
+
+namespace StellaOps.Doctor.Plugin.Notify.Checks;
+
+/// <summary>
+/// Checks if the configured Microsoft Teams webhook endpoint is reachable.
+/// </summary>
+public sealed class TeamsConnectivityCheck : IDoctorCheck
+{
+    private const string PluginId = "stellaops.doctor.notify";
+    private const string CategoryName = "Notifications";
+
+    /// <inheritdoc />
+    public string CheckId => "check.notify.teams.connectivity";
+
+    /// <inheritdoc />
+    public string Name => "Teams Connectivity";
+
+    /// <inheritdoc />
+    public string Description => "Verify Microsoft Teams webhook endpoint is reachable";
+
+    /// <inheritdoc />
+    public DoctorSeverity DefaultSeverity => DoctorSeverity.Warn;
+
+    /// <inheritdoc />
+    public IReadOnlyList<string> Tags => ["notify", "teams", "connectivity", "network"];
+
+    /// <inheritdoc />
+    public TimeSpan EstimatedDuration => TimeSpan.FromSeconds(5);
+
+    /// <inheritdoc />
+    public bool CanRun(DoctorPluginContext context)
+    {
+        var webhookUrl = context.Configuration["Notify:Channels:Teams:WebhookUrl"];
+        return !string.IsNullOrWhiteSpace(webhookUrl) &&
+               Uri.TryCreate(webhookUrl, UriKind.Absolute, out _);
+    }
+
+    /// <inheritdoc />
+    public async Task<DoctorCheckResult> RunAsync(DoctorPluginContext context, CancellationToken ct)
+    {
+        var webhookUrl = context.Configuration["Notify:Channels:Teams:WebhookUrl"]!;
+        var builder = context.CreateResult(CheckId, PluginId, CategoryName);
+
+        try
+        {
+            var httpClientFactory = context.Services.GetRequiredService<IHttpClientFactory>();
+            var httpClient = httpClientFactory.CreateClient("DoctorHealthCheck");
+            httpClient.Timeout = TimeSpan.FromSeconds(10);
+
+            // Teams Adaptive Card format for connectivity test
+            // Using a minimal card that validates the endpoint
+            var testPayload = new
+            {
+                type = "message",
+                attachments = new[]
+                {
+                    new
+                    {
+                        contentType = "application/vnd.microsoft.card.adaptive",
+                        contentUrl = (string?)null,
+                        content = new
+                        {
+                            type = "AdaptiveCard",
+                            body = Array.Empty<object>(),
+                            version = "1.0"
+                        }
+                    }
+                }
+            };
+
+            var content = new StringContent(
+                JsonSerializer.Serialize(testPayload),
+                Encoding.UTF8,
+                "application/json");
+
+            var response = await httpClient.PostAsync(webhookUrl, content, ct);
+            var responseBody = await response.Content.ReadAsStringAsync(ct);
+
+            if (response.IsSuccessStatusCode)
+            {
+                return builder
+                    .Pass("Teams webhook endpoint is reachable")
+                    .WithEvidence("Teams connectivity test", eb => eb
+                        .Add("WebhookUrl", DoctorPluginContext.Redact(webhookUrl))
+                        .Add("StatusCode", ((int)response.StatusCode).ToString(CultureInfo.InvariantCulture))
+                        .Add("Response", responseBody.Length > 100 ? responseBody[..100] + "..." : responseBody))
+                    .Build();
+            }
+
+            return builder
+                .Warn($"Teams webhook returned unexpected response: {response.StatusCode}")
+                .WithEvidence("Teams connectivity test", eb => eb
+                    .Add("WebhookUrl", DoctorPluginContext.Redact(webhookUrl))
+                    .Add("StatusCode", ((int)response.StatusCode).ToString(CultureInfo.InvariantCulture))
+                    .Add("Response", responseBody.Length > 200 ? responseBody[..200] + "..." : responseBody))
+                .WithCauses(
+                    "Invalid or expired webhook URL",
+                    "Teams connector disabled or deleted",
+                    "Webhook URL revoked",
+                    "Microsoft 365 tenant configuration changed")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Verify webhook in Teams",
+                        "# Go to Teams channel > Connectors > Configured > Incoming Webhook",
+                        CommandType.Manual)
+                    .AddStep(2, "Test webhook manually",
+                        $"curl -H 'Content-Type: application/json' -d '{{\"text\":\"Doctor test\"}}' '{DoctorPluginContext.Redact(webhookUrl)}'",
+                        CommandType.Shell)
+                    .AddStep(3, "Recreate webhook if needed",
+                        "# Delete and recreate the Incoming Webhook connector in Teams",
+                        CommandType.Manual))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build();
+        }
+        catch (TaskCanceledException)
+        {
+            return builder
+                .Fail("Teams webhook connection timed out")
+                .WithEvidence("Teams connectivity test", eb => eb
+                    .Add("WebhookUrl", DoctorPluginContext.Redact(webhookUrl))
+                    .Add("Error", "Connection timeout (10s)"))
+                .WithCauses(
+                    "Network connectivity issue to Microsoft",
+                    "Firewall blocking outbound HTTPS",
+                    "Proxy configuration required",
+                    "Microsoft 365 service degradation")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Check network connectivity",
+                        "curl -v https://webhook.office.com/",
+                        CommandType.Shell)
+                    .AddStep(2, "Check Microsoft 365 status",
+                        "# Visit https://status.office.com for service status",
+                        CommandType.Manual)
+                    .AddStep(3, "Verify proxy settings if applicable",
+                        "echo $HTTP_PROXY $HTTPS_PROXY",
+                        CommandType.Shell))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build();
+        }
+        catch (HttpRequestException ex)
+        {
+            return builder
+                .Fail($"Cannot reach Teams webhook: {ex.Message}")
+                .WithEvidence("Teams connectivity test", eb => eb
+                    .Add("WebhookUrl", DoctorPluginContext.Redact(webhookUrl))
+                    .Add("Error", ex.Message))
+                .WithCauses(
+                    "DNS resolution failure",
+                    "Network connectivity issue",
+                    "TLS/SSL certificate problem",
+                    "Firewall blocking connection")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Test DNS resolution",
+                        "nslookup webhook.office.com",
+                        CommandType.Shell)
+                    .AddStep(2, "Test HTTPS connectivity",
+                        "curl -v https://webhook.office.com/",
+                        CommandType.Shell))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build();
+        }
+    }
+}

src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/WebhookConfiguredCheck.cs

@@ -0,0 +1,128 @@
+using Microsoft.Extensions.Configuration;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugins;
+
+namespace StellaOps.Doctor.Plugin.Notify.Checks;
+
+/// <summary>
+/// Checks if generic webhook notification channels are properly configured.
+/// </summary>
+public sealed class WebhookConfiguredCheck : IDoctorCheck
+{
+    private const string PluginId = "stellaops.doctor.notify";
+    private const string CategoryName = "Notifications";
+
+    /// <inheritdoc />
+    public string CheckId => "check.notify.webhook.configured";
+
+    /// <inheritdoc />
+    public string Name => "Webhook Configuration";
+
+    /// <inheritdoc />
+    public string Description => "Verify generic webhook notification channel is properly configured";
+
+    /// <inheritdoc />
+    public DoctorSeverity DefaultSeverity => DoctorSeverity.Warn;
+
+    /// <inheritdoc />
+    public IReadOnlyList<string> Tags => ["notify", "webhook", "quick", "configuration"];
+
+    /// <inheritdoc />
+    public TimeSpan EstimatedDuration => TimeSpan.FromMilliseconds(100);
+
+    /// <inheritdoc />
+    public bool CanRun(DoctorPluginContext context)
+    {
+        var webhookConfig = context.Configuration.GetSection("Notify:Channels:Webhook");
+        return webhookConfig.Exists();
+    }
+
+    /// <inheritdoc />
+    public Task<DoctorCheckResult> RunAsync(DoctorPluginContext context, CancellationToken ct)
+    {
+        var builder = context.CreateResult(CheckId, PluginId, CategoryName);
+        var webhookConfig = context.Configuration.GetSection("Notify:Channels:Webhook");
+
+        var url = webhookConfig["Url"] ?? webhookConfig["Endpoint"];
+        var enabled = webhookConfig.GetValue<bool>("Enabled", true);
+        var method = webhookConfig["Method"] ?? "POST";
+        var contentType = webhookConfig["ContentType"] ?? "application/json";
+
+        var hasUrl = !string.IsNullOrWhiteSpace(url);
+        var isValidUrl = hasUrl && Uri.TryCreate(url, UriKind.Absolute, out var uri) &&
+                         (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
+
+        if (!hasUrl)
+        {
+            return Task.FromResult(builder
+                .Fail("Webhook URL is not configured")
+                .WithEvidence("Webhook configuration status", eb => eb
+                    .Add("Url", "(not set)")
+                    .Add("Enabled", enabled.ToString())
+                    .Add("Method", method)
+                    .Add("ContentType", contentType))
+                .WithCauses(
+                    "Webhook URL not set in configuration",
+                    "Missing Notify:Channels:Webhook:Url setting",
+                    "Environment variable not bound to configuration")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Add webhook URL to configuration",
+                        "# Add to appsettings.json:\n" +
+                        "# \"Notify\": { \"Channels\": { \"Webhook\": { \"Url\": \"https://your-endpoint/webhook\" } } }",
+                        CommandType.FileEdit)
+                    .AddStep(2, "Or set via environment variable",
+                        "export Notify__Channels__Webhook__Url=\"https://your-endpoint/webhook\"",
+                        CommandType.Shell))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build());
+        }
+
+        if (!isValidUrl)
+        {
+            return Task.FromResult(builder
+                .Fail("Webhook URL format is invalid")
+                .WithEvidence("Webhook configuration status", eb => eb
+                    .Add("Url", url!)
+                    .Add("Enabled", enabled.ToString())
+                    .Add("ValidationError", "URL must be a valid HTTP or HTTPS URL"))
+                .WithCauses(
+                    "Malformed URL in configuration",
+                    "Missing protocol (http:// or https://)",
+                    "Invalid characters in URL")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Fix URL format",
+                        "# Ensure URL starts with http:// or https:// and is properly encoded",
+                        CommandType.Manual))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build());
+        }
+
+        if (!enabled)
+        {
+            return Task.FromResult(builder
+                .Warn("Webhook channel is configured but disabled")
+                .WithEvidence("Webhook configuration status", eb => eb
+                    .Add("Url", DoctorPluginContext.Redact(url))
+                    .Add("Enabled", "false")
+                    .Add("Method", method)
+                    .Add("ContentType", contentType))
+                .WithCauses(
+                    "Webhook notifications explicitly disabled in configuration")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Enable webhook notifications",
+                        "# Set Notify:Channels:Webhook:Enabled to true in configuration",
+                        CommandType.FileEdit))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build());
+        }
+
+        return Task.FromResult(builder
+            .Pass("Webhook notification channel is properly configured")
+            .WithEvidence("Webhook configuration status", eb => eb
+                .Add("Url", DoctorPluginContext.Redact(url))
+                .Add("Enabled", "true")
+                .Add("Method", method)
+                .Add("ContentType", contentType))
+            .Build());
+    }
+}

src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/Checks/WebhookConnectivityCheck.cs

@@ -0,0 +1,166 @@
+using System.Globalization;
+using System.Net.Http;
+using Microsoft.Extensions.DependencyInjection;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugins;
+
+namespace StellaOps.Doctor.Plugin.Notify.Checks;
+
+/// <summary>
+/// Checks if the configured webhook endpoint is reachable.
+/// </summary>
+public sealed class WebhookConnectivityCheck : IDoctorCheck
+{
+    private const string PluginId = "stellaops.doctor.notify";
+    private const string CategoryName = "Notifications";
+
+    /// <inheritdoc />
+    public string CheckId => "check.notify.webhook.connectivity";
+
+    /// <inheritdoc />
+    public string Name => "Webhook Connectivity";
+
+    /// <inheritdoc />
+    public string Description => "Verify generic webhook endpoint is reachable";
+
+    /// <inheritdoc />
+    public DoctorSeverity DefaultSeverity => DoctorSeverity.Warn;
+
+    /// <inheritdoc />
+    public IReadOnlyList<string> Tags => ["notify", "webhook", "connectivity", "network"];
+
+    /// <inheritdoc />
+    public TimeSpan EstimatedDuration => TimeSpan.FromSeconds(5);
+
+    /// <inheritdoc />
+    public bool CanRun(DoctorPluginContext context)
+    {
+        var url = context.Configuration["Notify:Channels:Webhook:Url"] ??
+                  context.Configuration["Notify:Channels:Webhook:Endpoint"];
+        return !string.IsNullOrWhiteSpace(url) &&
+               Uri.TryCreate(url, UriKind.Absolute, out _);
+    }
+
+    /// <inheritdoc />
+    public async Task<DoctorCheckResult> RunAsync(DoctorPluginContext context, CancellationToken ct)
+    {
+        var url = context.Configuration["Notify:Channels:Webhook:Url"] ??
+                  context.Configuration["Notify:Channels:Webhook:Endpoint"]!;
+        var builder = context.CreateResult(CheckId, PluginId, CategoryName);
+
+        try
+        {
+            var httpClientFactory = context.Services.GetRequiredService<IHttpClientFactory>();
+            var httpClient = httpClientFactory.CreateClient("DoctorHealthCheck");
+            httpClient.Timeout = TimeSpan.FromSeconds(10);
+
+            // Use HEAD request first to avoid side effects, fall back to GET
+            var uri = new Uri(url);
+            HttpResponseMessage? response = null;
+
+            try
+            {
+                var headRequest = new HttpRequestMessage(HttpMethod.Head, uri);
+                response = await httpClient.SendAsync(headRequest, ct);
+            }
+            catch (HttpRequestException)
+            {
+                // HEAD might not be supported, try OPTIONS
+                var optionsRequest = new HttpRequestMessage(HttpMethod.Options, uri);
+                response = await httpClient.SendAsync(optionsRequest, ct);
+            }
+
+            // For connectivity test, any response (even 4xx for auth required) means endpoint is reachable
+            var isReachable = (int)response.StatusCode < 500;
+
+            if (isReachable)
+            {
+                var diagnosis = response.IsSuccessStatusCode
+                    ? "Webhook endpoint is reachable and responding"
+                    : $"Webhook endpoint is reachable (status: {response.StatusCode})";
+
+                var severity = response.IsSuccessStatusCode ? DoctorSeverity.Pass : DoctorSeverity.Info;
+
+                return builder
+                    .WithSeverity(severity, diagnosis)
+                    .WithEvidence("Webhook connectivity test", eb => eb
+                        .Add("Url", DoctorPluginContext.Redact(url))
+                        .Add("StatusCode", ((int)response.StatusCode).ToString(CultureInfo.InvariantCulture))
+                        .Add("TestMethod", "HEAD/OPTIONS")
+                        .Add("Note", response.IsSuccessStatusCode
+                            ? "Endpoint responding normally"
+                            : "Endpoint reachable but may require authentication"))
+                    .Build();
+            }
+
+            return builder
+                .Warn($"Webhook endpoint returned server error: {response.StatusCode}")
+                .WithEvidence("Webhook connectivity test", eb => eb
+                    .Add("Url", DoctorPluginContext.Redact(url))
+                    .Add("StatusCode", ((int)response.StatusCode).ToString(CultureInfo.InvariantCulture)))
+                .WithCauses(
+                    "Webhook endpoint server is experiencing issues",
+                    "Endpoint service is down",
+                    "Backend service unavailable")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Check webhook endpoint status",
+                        $"curl -I {DoctorPluginContext.Redact(url)}",
+                        CommandType.Shell)
+                    .AddStep(2, "Verify endpoint service is running",
+                        "# Check the service hosting your webhook endpoint",
+                        CommandType.Manual)
+                    .AddStep(3, "Check endpoint logs",
+                        "# Review logs on the webhook endpoint server",
+                        CommandType.Manual))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build();
+        }
+        catch (TaskCanceledException)
+        {
+            return builder
+                .Fail("Webhook endpoint connection timed out")
+                .WithEvidence("Webhook connectivity test", eb => eb
+                    .Add("Url", DoctorPluginContext.Redact(url))
+                    .Add("Error", "Connection timeout (10s)"))
+                .WithCauses(
+                    "Endpoint server not responding",
+                    "Network connectivity issue",
+                    "Firewall blocking connection",
+                    "DNS resolution slow or failing")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Test basic connectivity",
+                        $"curl -v --max-time 10 {DoctorPluginContext.Redact(url)}",
+                        CommandType.Shell)
+                    .AddStep(2, "Check DNS resolution",
+                        $"nslookup {new Uri(url).Host}",
+                        CommandType.Shell)
+                    .AddStep(3, "Test port connectivity",
+                        $"nc -zv {new Uri(url).Host} {(new Uri(url).Port > 0 ? new Uri(url).Port : (new Uri(url).Scheme == "https" ? 443 : 80))}",
+                        CommandType.Shell))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build();
+        }
+        catch (HttpRequestException ex)
+        {
+            return builder
+                .Fail($"Cannot reach webhook endpoint: {ex.Message}")
+                .WithEvidence("Webhook connectivity test", eb => eb
+                    .Add("Url", DoctorPluginContext.Redact(url))
+                    .Add("Error", ex.Message))
+                .WithCauses(
+                    "DNS resolution failure",
+                    "Network connectivity issue",
+                    "TLS/SSL certificate problem",
+                    "Invalid URL")
+                .WithRemediation(rb => rb
+                    .AddStep(1, "Test DNS resolution",
+                        $"nslookup {new Uri(url).Host}",
+                        CommandType.Shell)
+                    .AddStep(2, "Test connectivity",
+                        $"curl -v {DoctorPluginContext.Redact(url)}",
+                        CommandType.Shell))
+                .WithVerification($"stella doctor --check {CheckId}")
+                .Build();
+        }
+    }
+}

src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/NotifyDoctorPlugin.cs

@@ -0,0 +1,71 @@
+using Microsoft.Extensions.DependencyInjection;
+using StellaOps.Doctor.Plugin.Notify.Checks;
+using StellaOps.Doctor.Plugins;
+using StellaOps.Notify.Engine;
+
+namespace StellaOps.Doctor.Plugin.Notify;
+
+/// <summary>
+/// Doctor plugin for notification channel diagnostics (Slack, Teams, Email, Webhooks, Queue).
+/// </summary>
+public sealed class NotifyDoctorPlugin : IDoctorPlugin
+{
+    private static readonly Version PluginVersion = new(1, 0, 0);
+    private static readonly Version MinVersion = new(1, 0, 0);
+
+    /// <inheritdoc />
+    public string PluginId => "stellaops.doctor.notify";
+
+    /// <inheritdoc />
+    public string DisplayName => "Notifications";
+
+    /// <inheritdoc />
+    public DoctorCategory Category => DoctorCategory.Notify;
+
+    /// <inheritdoc />
+    public Version Version => PluginVersion;
+
+    /// <inheritdoc />
+    public Version MinEngineVersion => MinVersion;
+
+    /// <inheritdoc />
+    public bool IsAvailable(IServiceProvider services)
+    {
+        // Plugin is available if any notification health providers are registered
+        var providers = services.GetService<IEnumerable<INotifyChannelHealthProvider>>();
+        return providers?.Any() == true;
+    }
+
+    /// <inheritdoc />
+    public IReadOnlyList<IDoctorCheck> GetChecks(DoctorPluginContext context)
+    {
+        return new IDoctorCheck[]
+        {
+            // Slack checks
+            new SlackConfiguredCheck(),
+            new SlackConnectivityCheck(),
+
+            // Teams checks
+            new TeamsConfiguredCheck(),
+            new TeamsConnectivityCheck(),
+
+            // Webhook checks
+            new WebhookConfiguredCheck(),
+            new WebhookConnectivityCheck(),
+
+            // Email checks
+            new EmailConfiguredCheck(),
+            new EmailConnectivityCheck(),
+
+            // Queue health
+            new NotifyQueueHealthCheck()
+        };
+    }
+
+    /// <inheritdoc />
+    public Task InitializeAsync(DoctorPluginContext context, CancellationToken ct)
+    {
+        // No initialization required
+        return Task.CompletedTask;
+    }
+}

src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/StellaOps.Doctor.Plugin.Notify.csproj

@@ -0,0 +1,25 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <LangVersion>preview</LangVersion>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <RootNamespace>StellaOps.Doctor.Plugin.Notify</RootNamespace>
+    <Description>Notification channel checks for Stella Ops Doctor diagnostics - Slack, Teams, Email, Webhooks, Queue</Description>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\..\__Libraries\StellaOps.Doctor\StellaOps.Doctor.csproj" />
+    <ProjectReference Include="..\..\..\Notify\__Libraries\StellaOps.Notify.Engine\StellaOps.Notify.Engine.csproj" />
+    <ProjectReference Include="..\..\..\Notify\__Libraries\StellaOps.Notify.Models\StellaOps.Notify.Models.csproj" />
+    <ProjectReference Include="..\..\..\Notify\__Libraries\StellaOps.Notify.Queue\StellaOps.Notify.Queue.csproj" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Extensions.Configuration.Binder" />
+    <PackageReference Include="Microsoft.Extensions.Http" />
+  </ItemGroup>
+
+</Project>

src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Notify/TASKS.md

@@ -0,0 +1,70 @@
+# StellaOps.Doctor.Plugin.Notify
+
+## Overview
+
+Doctor plugin for notification channel diagnostics - validates and tests Slack, Teams, Email, Webhook, and Queue configurations.
+
+## Checks
+
+| Check ID | Name | Description | Severity |
+|----------|------|-------------|----------|
+| `check.notify.slack.configured` | Slack Configuration | Validates Slack webhook URL and settings | Warn |
+| `check.notify.slack.connectivity` | Slack Connectivity | Tests actual connectivity to Slack webhook | Warn |
+| `check.notify.teams.configured` | Teams Configuration | Validates Teams webhook URL and settings | Warn |
+| `check.notify.teams.connectivity` | Teams Connectivity | Tests actual connectivity to Teams webhook | Warn |
+| `check.notify.webhook.configured` | Webhook Configuration | Validates generic webhook URL and settings | Warn |
+| `check.notify.webhook.connectivity` | Webhook Connectivity | Tests actual connectivity to webhook endpoint | Warn |
+| `check.notify.email.configured` | Email Configuration | Validates SMTP host, port, and sender settings | Warn |
+| `check.notify.email.connectivity` | Email Connectivity | Tests TCP connectivity to SMTP server | Warn |
+| `check.notify.queue.health` | Queue Health | Wraps existing Notify queue health checks | Critical |
+
+## Configuration Paths
+
+### Slack
+- `Notify:Channels:Slack:WebhookUrl` - Slack incoming webhook URL
+- `Notify:Channels:Slack:Enabled` - Enable/disable channel
+- `Notify:Channels:Slack:Channel` - Default channel override
+
+### Teams
+- `Notify:Channels:Teams:WebhookUrl` - Teams incoming webhook URL
+- `Notify:Channels:Teams:Enabled` - Enable/disable channel
+
+### Webhook
+- `Notify:Channels:Webhook:Url` or `Endpoint` - Webhook endpoint URL
+- `Notify:Channels:Webhook:Enabled` - Enable/disable channel
+- `Notify:Channels:Webhook:Method` - HTTP method (default: POST)
+- `Notify:Channels:Webhook:ContentType` - Content type (default: application/json)
+
+### Email
+- `Notify:Channels:Email:SmtpHost` or `Host` - SMTP server hostname
+- `Notify:Channels:Email:SmtpPort` or `Port` - SMTP port (25/465/587)
+- `Notify:Channels:Email:FromAddress` or `From` - Sender email address
+- `Notify:Channels:Email:Enabled` - Enable/disable channel
+- `Notify:Channels:Email:UseSsl` - Use SSL/TLS
+- `Notify:Channels:Email:Username` - SMTP credentials
+
+### Queue
+- `Notify:Queue:Transport` or `Kind` - Queue transport type (redis/nats)
+- `Notify:Queue:Redis:ConnectionString` - Redis connection string
+- `Notify:Queue:Nats:Url` - NATS server URL
+
+## Dependencies
+
+- `StellaOps.Doctor` - Core Doctor plugin infrastructure
+- `StellaOps.Notify.Engine` - Notify channel health provider interfaces
+- `StellaOps.Notify.Models` - Notify data models
+- `StellaOps.Notify.Queue` - Queue health check implementations
+
+## Status
+
+- [x] Plugin skeleton
+- [x] Slack configuration check
+- [x] Slack connectivity check
+- [x] Teams configuration check
+- [x] Teams connectivity check
+- [x] Webhook configuration check
+- [x] Webhook connectivity check
+- [x] Email configuration check
+- [x] Email connectivity check
+- [x] Queue health check wrapper
+- [x] Unit tests

src/Doctor/__Plugins/StellaOps.Doctor.Plugin.Observability/StellaOps.Doctor.Plugin.Observability.csproj

@@ -11,7 +11,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <ProjectReference Include="..\..\..\..\__Libraries\StellaOps.Doctor\StellaOps.Doctor.csproj" />
+    <ProjectReference Include="..\..\..\__Libraries\StellaOps.Doctor\StellaOps.Doctor.csproj" />
   </ItemGroup>
 
   <ItemGroup>

src/Doctor/__Tests/StellaOps.Doctor.Plugin.Notify.Tests/Checks/EmailConfiguredCheckTests.cs

@@ -0,0 +1,192 @@
+using FluentAssertions;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging.Abstractions;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugin.Notify.Checks;
+using StellaOps.Doctor.Plugins;
+using Xunit;
+
+namespace StellaOps.Doctor.Plugin.Notify.Tests.Checks;
+
+[Trait("Category", "Unit")]
+public class EmailConfiguredCheckTests
+{
+    private readonly EmailConfiguredCheck _check = new();
+
+    [Fact]
+    public void CheckId_ReturnsExpectedValue()
+    {
+        // Assert
+        _check.CheckId.Should().Be("check.notify.email.configured");
+    }
+
+    [Fact]
+    public void CanRun_ReturnsFalse_WhenEmailNotConfigured()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>());
+
+        // Act & Assert
+        _check.CanRun(context).Should().BeFalse();
+    }
+
+    [Fact]
+    public void CanRun_ReturnsTrue_WhenEmailSectionExists()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Email:SmtpHost"] = "smtp.example.com"
+        });
+
+        // Act & Assert
+        _check.CanRun(context).Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task RunAsync_Fails_WhenSmtpHostNotSet()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Email:SmtpPort"] = "587"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Fail);
+        result.Diagnosis.Should().Contain("host");
+    }
+
+    [Fact]
+    public async Task RunAsync_Warns_WhenSmtpPortInvalid()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Email:SmtpHost"] = "smtp.example.com",
+            ["Notify:Channels:Email:SmtpPort"] = "0",
+            ["Notify:Channels:Email:FromAddress"] = "noreply@example.com"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Warn);
+        result.Diagnosis.Should().Contain("port");
+    }
+
+    [Fact]
+    public async Task RunAsync_Warns_WhenFromAddressMissing()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Email:SmtpHost"] = "smtp.example.com",
+            ["Notify:Channels:Email:SmtpPort"] = "587"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Warn);
+        result.Diagnosis.Should().Contain("From");
+    }
+
+    [Fact]
+    public async Task RunAsync_Warns_WhenDisabled()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Email:SmtpHost"] = "smtp.example.com",
+            ["Notify:Channels:Email:SmtpPort"] = "587",
+            ["Notify:Channels:Email:FromAddress"] = "noreply@example.com",
+            ["Notify:Channels:Email:Enabled"] = "false"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Warn);
+        result.Diagnosis.Should().Contain("disabled");
+    }
+
+    [Fact]
+    public async Task RunAsync_Passes_WhenProperlyConfigured()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Email:SmtpHost"] = "smtp.example.com",
+            ["Notify:Channels:Email:SmtpPort"] = "587",
+            ["Notify:Channels:Email:FromAddress"] = "noreply@example.com",
+            ["Notify:Channels:Email:Enabled"] = "true",
+            ["Notify:Channels:Email:UseSsl"] = "true"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Pass);
+    }
+
+    [Fact]
+    public async Task RunAsync_SupportsAlternativeHostKey()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Email:Host"] = "smtp.example.com",
+            ["Notify:Channels:Email:Port"] = "587",
+            ["Notify:Channels:Email:From"] = "noreply@example.com"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Pass);
+    }
+
+    [Fact]
+    public void Tags_ContainsExpectedValues()
+    {
+        // Assert
+        _check.Tags.Should().Contain("notify");
+        _check.Tags.Should().Contain("email");
+        _check.Tags.Should().Contain("smtp");
+        _check.Tags.Should().Contain("configuration");
+    }
+
+    [Fact]
+    public void DefaultSeverity_IsWarn()
+    {
+        // Assert
+        _check.DefaultSeverity.Should().Be(DoctorSeverity.Warn);
+    }
+
+    private static DoctorPluginContext CreateContext(Dictionary<string, string?> configValues)
+    {
+        var config = new ConfigurationBuilder()
+            .AddInMemoryCollection(configValues)
+            .Build();
+
+        return new DoctorPluginContext
+        {
+            Services = new ServiceCollection().BuildServiceProvider(),
+            Configuration = config,
+            TimeProvider = TimeProvider.System,
+            Logger = NullLogger.Instance,
+            EnvironmentName = "Test",
+            PluginConfig = config.GetSection("Doctor:Plugins")
+        };
+    }
+}

src/Doctor/__Tests/StellaOps.Doctor.Plugin.Notify.Tests/Checks/NotifyQueueHealthCheckTests.cs

@@ -0,0 +1,133 @@
+using FluentAssertions;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging.Abstractions;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugin.Notify.Checks;
+using StellaOps.Doctor.Plugins;
+using Xunit;
+
+namespace StellaOps.Doctor.Plugin.Notify.Tests.Checks;
+
+[Trait("Category", "Unit")]
+public class NotifyQueueHealthCheckTests
+{
+    private readonly NotifyQueueHealthCheck _check = new();
+
+    [Fact]
+    public void CheckId_ReturnsExpectedValue()
+    {
+        // Assert
+        _check.CheckId.Should().Be("check.notify.queue.health");
+    }
+
+    [Fact]
+    public void CanRun_ReturnsFalse_WhenQueueNotConfigured()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>());
+
+        // Act & Assert
+        _check.CanRun(context).Should().BeFalse();
+    }
+
+    [Fact]
+    public void CanRun_ReturnsTrue_WhenQueueTransportConfigured()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Queue:Transport"] = "redis"
+        });
+
+        // Act & Assert
+        _check.CanRun(context).Should().BeTrue();
+    }
+
+    [Fact]
+    public void CanRun_ReturnsTrue_WhenQueueKindConfigured()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Queue:Kind"] = "nats"
+        });
+
+        // Act & Assert
+        _check.CanRun(context).Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task RunAsync_Skips_WhenNoHealthChecksRegistered()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Queue:Transport"] = "redis"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Skip);
+        result.Diagnosis.Should().Contain("registered");
+    }
+
+    [Fact]
+    public void Tags_ContainsExpectedValues()
+    {
+        // Assert
+        _check.Tags.Should().Contain("notify");
+        _check.Tags.Should().Contain("queue");
+        _check.Tags.Should().Contain("redis");
+        _check.Tags.Should().Contain("nats");
+        _check.Tags.Should().Contain("infrastructure");
+    }
+
+    [Fact]
+    public void DefaultSeverity_IsFail()
+    {
+        // Assert
+        _check.DefaultSeverity.Should().Be(DoctorSeverity.Fail);
+    }
+
+    [Fact]
+    public void EstimatedDuration_IsReasonable()
+    {
+        // Assert
+        _check.EstimatedDuration.Should().BeGreaterThan(TimeSpan.Zero);
+        _check.EstimatedDuration.Should().BeLessThanOrEqualTo(TimeSpan.FromSeconds(10));
+    }
+
+    [Fact]
+    public void Name_IsNotEmpty()
+    {
+        // Assert
+        _check.Name.Should().NotBeNullOrEmpty();
+    }
+
+    [Fact]
+    public void Description_IsNotEmpty()
+    {
+        // Assert
+        _check.Description.Should().NotBeNullOrEmpty();
+    }
+
+    private static DoctorPluginContext CreateContext(Dictionary<string, string?> configValues)
+    {
+        var config = new ConfigurationBuilder()
+            .AddInMemoryCollection(configValues)
+            .Build();
+
+        return new DoctorPluginContext
+        {
+            Services = new ServiceCollection().BuildServiceProvider(),
+            Configuration = config,
+            TimeProvider = TimeProvider.System,
+            Logger = NullLogger.Instance,
+            EnvironmentName = "Test",
+            PluginConfig = config.GetSection("Doctor:Plugins")
+        };
+    }
+}

src/Doctor/__Tests/StellaOps.Doctor.Plugin.Notify.Tests/Checks/SlackConfiguredCheckTests.cs

@@ -0,0 +1,155 @@
+using FluentAssertions;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging.Abstractions;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugin.Notify.Checks;
+using StellaOps.Doctor.Plugins;
+using Xunit;
+
+namespace StellaOps.Doctor.Plugin.Notify.Tests.Checks;
+
+[Trait("Category", "Unit")]
+public class SlackConfiguredCheckTests
+{
+    private readonly SlackConfiguredCheck _check = new();
+
+    [Fact]
+    public void CheckId_ReturnsExpectedValue()
+    {
+        // Assert
+        _check.CheckId.Should().Be("check.notify.slack.configured");
+    }
+
+    [Fact]
+    public void CanRun_ReturnsFalse_WhenSlackNotConfigured()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>());
+
+        // Act & Assert
+        _check.CanRun(context).Should().BeFalse();
+    }
+
+    [Fact]
+    public void CanRun_ReturnsTrue_WhenSlackSectionExists()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Slack:WebhookUrl"] = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXX"
+        });
+
+        // Act & Assert
+        _check.CanRun(context).Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task RunAsync_Fails_WhenWebhookUrlNotSet()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Slack:Enabled"] = "true"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Fail);
+        result.Diagnosis.Should().Contain("not configured");
+    }
+
+    [Fact]
+    public async Task RunAsync_Passes_WhenWebhookUrlSet()
+    {
+        // Arrange - note: SlackConfiguredCheck doesn't validate URL format, only presence
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Slack:WebhookUrl"] = "any-non-empty-value"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert - passes because webhook URL is set (format validation is done by connectivity check)
+        result.Severity.Should().Be(DoctorSeverity.Pass);
+    }
+
+    [Fact]
+    public async Task RunAsync_Warns_WhenDisabled()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Slack:WebhookUrl"] = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXX",
+            ["Notify:Channels:Slack:Enabled"] = "false"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Warn);
+        result.Diagnosis.Should().Contain("disabled");
+    }
+
+    [Fact]
+    public async Task RunAsync_Passes_WhenProperlyConfigured()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Slack:WebhookUrl"] = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXX",
+            ["Notify:Channels:Slack:Enabled"] = "true",
+            ["Notify:Channels:Slack:Channel"] = "#alerts"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Pass);
+    }
+
+    [Fact]
+    public void Tags_ContainsExpectedValues()
+    {
+        // Assert
+        _check.Tags.Should().Contain("notify");
+        _check.Tags.Should().Contain("slack");
+        _check.Tags.Should().Contain("configuration");
+    }
+
+    [Fact]
+    public void DefaultSeverity_IsWarn()
+    {
+        // Assert
+        _check.DefaultSeverity.Should().Be(DoctorSeverity.Warn);
+    }
+
+    [Fact]
+    public void EstimatedDuration_IsQuick()
+    {
+        // Assert
+        _check.EstimatedDuration.Should().BeLessThanOrEqualTo(TimeSpan.FromSeconds(1));
+    }
+
+    private static DoctorPluginContext CreateContext(Dictionary<string, string?> configValues)
+    {
+        var config = new ConfigurationBuilder()
+            .AddInMemoryCollection(configValues)
+            .Build();
+
+        return new DoctorPluginContext
+        {
+            Services = new ServiceCollection().BuildServiceProvider(),
+            Configuration = config,
+            TimeProvider = TimeProvider.System,
+            Logger = NullLogger.Instance,
+            EnvironmentName = "Test",
+            PluginConfig = config.GetSection("Doctor:Plugins")
+        };
+    }
+}

src/Doctor/__Tests/StellaOps.Doctor.Plugin.Notify.Tests/Checks/TeamsConfiguredCheckTests.cs

@@ -0,0 +1,147 @@
+using FluentAssertions;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging.Abstractions;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugin.Notify.Checks;
+using StellaOps.Doctor.Plugins;
+using Xunit;
+
+namespace StellaOps.Doctor.Plugin.Notify.Tests.Checks;
+
+[Trait("Category", "Unit")]
+public class TeamsConfiguredCheckTests
+{
+    private readonly TeamsConfiguredCheck _check = new();
+
+    [Fact]
+    public void CheckId_ReturnsExpectedValue()
+    {
+        // Assert
+        _check.CheckId.Should().Be("check.notify.teams.configured");
+    }
+
+    [Fact]
+    public void CanRun_ReturnsFalse_WhenTeamsNotConfigured()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>());
+
+        // Act & Assert
+        _check.CanRun(context).Should().BeFalse();
+    }
+
+    [Fact]
+    public void CanRun_ReturnsTrue_WhenTeamsSectionExists()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Teams:WebhookUrl"] = "https://webhook.office.com/..."
+        });
+
+        // Act & Assert
+        _check.CanRun(context).Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task RunAsync_Fails_WhenWebhookUrlNotSet()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Teams:Enabled"] = "true"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Fail);
+    }
+
+    [Fact]
+    public async Task RunAsync_Warns_WhenNotOfficeComDomain()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Teams:WebhookUrl"] = "https://example.com/webhook"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Warn);
+        result.Diagnosis.Should().Contain("invalid");
+    }
+
+    [Fact]
+    public async Task RunAsync_Warns_WhenDisabled()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Teams:WebhookUrl"] = "https://webhook.office.com/webhookb2/xxx",
+            ["Notify:Channels:Teams:Enabled"] = "false"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Warn);
+        result.Diagnosis.Should().Contain("disabled");
+    }
+
+    [Fact]
+    public async Task RunAsync_Passes_WhenProperlyConfigured()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Teams:WebhookUrl"] = "https://webhook.office.com/webhookb2/xxx@xxx/IncomingWebhook/xxx/xxx",
+            ["Notify:Channels:Teams:Enabled"] = "true"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Pass);
+    }
+
+    [Fact]
+    public void Tags_ContainsExpectedValues()
+    {
+        // Assert
+        _check.Tags.Should().Contain("notify");
+        _check.Tags.Should().Contain("teams");
+        _check.Tags.Should().Contain("configuration");
+    }
+
+    [Fact]
+    public void DefaultSeverity_IsWarn()
+    {
+        // Assert
+        _check.DefaultSeverity.Should().Be(DoctorSeverity.Warn);
+    }
+
+    private static DoctorPluginContext CreateContext(Dictionary<string, string?> configValues)
+    {
+        var config = new ConfigurationBuilder()
+            .AddInMemoryCollection(configValues)
+            .Build();
+
+        return new DoctorPluginContext
+        {
+            Services = new ServiceCollection().BuildServiceProvider(),
+            Configuration = config,
+            TimeProvider = TimeProvider.System,
+            Logger = NullLogger.Instance,
+            EnvironmentName = "Test",
+            PluginConfig = config.GetSection("Doctor:Plugins")
+        };
+    }
+}

src/Doctor/__Tests/StellaOps.Doctor.Plugin.Notify.Tests/Checks/WebhookConfiguredCheckTests.cs

@@ -0,0 +1,165 @@
+using FluentAssertions;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging.Abstractions;
+using StellaOps.Doctor.Models;
+using StellaOps.Doctor.Plugin.Notify.Checks;
+using StellaOps.Doctor.Plugins;
+using Xunit;
+
+namespace StellaOps.Doctor.Plugin.Notify.Tests.Checks;
+
+[Trait("Category", "Unit")]
+public class WebhookConfiguredCheckTests
+{
+    private readonly WebhookConfiguredCheck _check = new();
+
+    [Fact]
+    public void CheckId_ReturnsExpectedValue()
+    {
+        // Assert
+        _check.CheckId.Should().Be("check.notify.webhook.configured");
+    }
+
+    [Fact]
+    public void CanRun_ReturnsFalse_WhenWebhookNotConfigured()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>());
+
+        // Act & Assert
+        _check.CanRun(context).Should().BeFalse();
+    }
+
+    [Fact]
+    public void CanRun_ReturnsTrue_WhenWebhookSectionExists()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Webhook:Url"] = "https://example.com/webhook"
+        });
+
+        // Act & Assert
+        _check.CanRun(context).Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task RunAsync_Fails_WhenUrlNotSet()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Webhook:Enabled"] = "true"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Fail);
+        result.Diagnosis.Should().Contain("URL");
+    }
+
+    [Fact]
+    public async Task RunAsync_Fails_WhenUrlInvalid()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Webhook:Url"] = "not-a-valid-url"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Fail);
+        result.Diagnosis.Should().Contain("format");
+    }
+
+    [Fact]
+    public async Task RunAsync_Warns_WhenDisabled()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Webhook:Url"] = "https://example.com/webhook",
+            ["Notify:Channels:Webhook:Enabled"] = "false"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Warn);
+        result.Diagnosis.Should().Contain("disabled");
+    }
+
+    [Fact]
+    public async Task RunAsync_Passes_WhenProperlyConfigured()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Webhook:Url"] = "https://example.com/webhook",
+            ["Notify:Channels:Webhook:Enabled"] = "true",
+            ["Notify:Channels:Webhook:Method"] = "POST"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Pass);
+    }
+
+    [Fact]
+    public async Task RunAsync_SupportsEndpointAlternativeKey()
+    {
+        // Arrange
+        var context = CreateContext(new Dictionary<string, string?>
+        {
+            ["Notify:Channels:Webhook:Endpoint"] = "https://example.com/webhook"
+        });
+
+        // Act
+        var result = await _check.RunAsync(context, CancellationToken.None);
+
+        // Assert
+        result.Severity.Should().Be(DoctorSeverity.Pass);
+    }
+
+    [Fact]
+    public void Tags_ContainsExpectedValues()
+    {
+        // Assert
+        _check.Tags.Should().Contain("notify");
+        _check.Tags.Should().Contain("webhook");
+        _check.Tags.Should().Contain("configuration");
+    }
+
+    [Fact]
+    public void DefaultSeverity_IsWarn()
+    {
+        // Assert
+        _check.DefaultSeverity.Should().Be(DoctorSeverity.Warn);
+    }
+
+    private static DoctorPluginContext CreateContext(Dictionary<string, string?> configValues)
+    {
+        var config = new ConfigurationBuilder()
+            .AddInMemoryCollection(configValues)
+            .Build();
+
+        return new DoctorPluginContext
+        {
+            Services = new ServiceCollection().BuildServiceProvider(),
+            Configuration = config,
+            TimeProvider = TimeProvider.System,
+            Logger = NullLogger.Instance,
+            EnvironmentName = "Test",
+            PluginConfig = config.GetSection("Doctor:Plugins")
+        };
+    }
+}

src/Doctor/__Tests/StellaOps.Doctor.Plugin.Notify.Tests/NotifyDoctorPluginTests.cs

@@ -0,0 +1,178 @@
+using FluentAssertions;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+using StellaOps.Doctor.Plugins;
+using StellaOps.Notify.Engine;
+using Xunit;
+
+namespace StellaOps.Doctor.Plugin.Notify.Tests;
+
+[Trait("Category", "Unit")]
+public class NotifyDoctorPluginTests
+{
+    private readonly NotifyDoctorPlugin _plugin = new();
+
+    [Fact]
+    public void PluginId_ReturnsExpectedValue()
+    {
+        // Assert
+        _plugin.PluginId.Should().Be("stellaops.doctor.notify");
+    }
+
+    [Fact]
+    public void Category_IsNotify()
+    {
+        // Assert
+        _plugin.Category.Should().Be(DoctorCategory.Notify);
+    }
+
+    [Fact]
+    public void DisplayName_IsNotifications()
+    {
+        // Assert
+        _plugin.DisplayName.Should().Be("Notifications");
+    }
+
+    [Fact]
+    public void IsAvailable_ReturnsFalse_WhenNoHealthProvidersRegistered()
+    {
+        // Arrange
+        var services = new ServiceCollection().BuildServiceProvider();
+
+        // Act & Assert
+        _plugin.IsAvailable(services).Should().BeFalse();
+    }
+
+    [Fact]
+    public void IsAvailable_ReturnsTrue_WhenHealthProvidersRegistered()
+    {
+        // Arrange
+        var mockProvider = new Mock<INotifyChannelHealthProvider>();
+        var services = new ServiceCollection()
+            .AddSingleton(mockProvider.Object)
+            .BuildServiceProvider();
+
+        // Act & Assert
+        _plugin.IsAvailable(services).Should().BeTrue();
+    }
+
+    [Fact]
+    public void GetChecks_ReturnsNineChecks()
+    {
+        // Arrange
+        var context = CreateContext();
+
+        // Act
+        var checks = _plugin.GetChecks(context);
+
+        // Assert
+        checks.Should().HaveCount(9);
+    }
+
+    [Fact]
+    public void GetChecks_ContainsSlackChecks()
+    {
+        // Arrange
+        var context = CreateContext();
+
+        // Act
+        var checks = _plugin.GetChecks(context);
+
+        // Assert
+        checks.Select(c => c.CheckId).Should().Contain("check.notify.slack.configured");
+        checks.Select(c => c.CheckId).Should().Contain("check.notify.slack.connectivity");
+    }
+
+    [Fact]
+    public void GetChecks_ContainsTeamsChecks()
+    {
+        // Arrange
+        var context = CreateContext();
+
+        // Act
+        var checks = _plugin.GetChecks(context);
+
+        // Assert
+        checks.Select(c => c.CheckId).Should().Contain("check.notify.teams.configured");
+        checks.Select(c => c.CheckId).Should().Contain("check.notify.teams.connectivity");
+    }
+
+    [Fact]
+    public void GetChecks_ContainsWebhookChecks()
+    {
+        // Arrange
+        var context = CreateContext();
+
+        // Act
+        var checks = _plugin.GetChecks(context);
+
+        // Assert
+        checks.Select(c => c.CheckId).Should().Contain("check.notify.webhook.configured");
+        checks.Select(c => c.CheckId).Should().Contain("check.notify.webhook.connectivity");
+    }
+
+    [Fact]
+    public void GetChecks_ContainsEmailChecks()
+    {
+        // Arrange
+        var context = CreateContext();
+
+        // Act
+        var checks = _plugin.GetChecks(context);
+
+        // Assert
+        checks.Select(c => c.CheckId).Should().Contain("check.notify.email.configured");
+        checks.Select(c => c.CheckId).Should().Contain("check.notify.email.connectivity");
+    }
+
+    [Fact]
+    public void GetChecks_ContainsQueueHealthCheck()
+    {
+        // Arrange
+        var context = CreateContext();
+
+        // Act
+        var checks = _plugin.GetChecks(context);
+
+        // Assert
+        checks.Select(c => c.CheckId).Should().Contain("check.notify.queue.health");
+    }
+
+    [Fact]
+    public async Task InitializeAsync_CompletesWithoutError()
+    {
+        // Arrange
+        var context = CreateContext();
+
+        // Act & Assert
+        await _plugin.Invoking(p => p.InitializeAsync(context, CancellationToken.None))
+            .Should().NotThrowAsync();
+    }
+
+    [Fact]
+    public void Version_IsNotNull()
+    {
+        // Assert
+        _plugin.Version.Should().NotBeNull();
+        _plugin.Version.Major.Should().BeGreaterThanOrEqualTo(1);
+    }
+
+    private static DoctorPluginContext CreateContext()
+    {
+        var config = new ConfigurationBuilder()
+            .AddInMemoryCollection(new Dictionary<string, string?>())
+            .Build();
+
+        return new DoctorPluginContext
+        {
+            Services = new ServiceCollection().BuildServiceProvider(),
+            Configuration = config,
+            TimeProvider = TimeProvider.System,
+            Logger = NullLogger.Instance,
+            EnvironmentName = "Test",
+            PluginConfig = config.GetSection("Doctor:Plugins")
+        };
+    }
+}

src/Doctor/__Tests/StellaOps.Doctor.Plugin.Notify.Tests/StellaOps.Doctor.Plugin.Notify.Tests.csproj

@@ -0,0 +1,25 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <LangVersion>preview</LangVersion>
+    <IsPackable>false</IsPackable>
+    <IsTestProject>true</IsTestProject>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Moq" />
+    <PackageReference Include="FluentAssertions" />
+    <PackageReference Include="coverlet.collector">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\__Plugins\StellaOps.Doctor.Plugin.Notify\StellaOps.Doctor.Plugin.Notify.csproj" />
+  </ItemGroup>
+
+</Project>

src/Doctor/__Tests/StellaOps.Doctor.Plugin.Notify.Tests/TASKS.md

@@ -0,0 +1,80 @@
+# StellaOps.Doctor.Plugin.Notify.Tests
+
+## Overview
+
+Unit tests for the Notification Doctor Plugin that validates Slack, Teams, Email, Webhook, and Queue configurations.
+
+## Test Coverage
+
+### Plugin Tests
+- [x] PluginId validation
+- [x] Category is Notify
+- [x] DisplayName is Notifications
+- [x] IsAvailable returns false when no health providers registered
+- [x] IsAvailable returns true when health providers registered
+- [x] GetChecks returns all nine checks
+- [x] InitializeAsync completes without error
+- [x] Version validation
+
+### SlackConfiguredCheck Tests
+- [x] CheckId validation
+- [x] CanRun returns false when not configured
+- [x] CanRun returns true when section exists
+- [x] Fails when WebhookUrl not set
+- [x] Fails when WebhookUrl invalid
+- [x] Warns when disabled
+- [x] Passes when properly configured
+- [x] Tags validation
+- [x] DefaultSeverity is Warn
+
+### TeamsConfiguredCheck Tests
+- [x] CheckId validation
+- [x] CanRun returns false when not configured
+- [x] CanRun returns true when section exists
+- [x] Fails when WebhookUrl not set
+- [x] Warns when not webhook.office.com domain
+- [x] Warns when disabled
+- [x] Passes when properly configured
+- [x] Tags validation
+- [x] DefaultSeverity is Warn
+
+### WebhookConfiguredCheck Tests
+- [x] CheckId validation
+- [x] CanRun returns false when not configured
+- [x] CanRun returns true when section exists
+- [x] Fails when URL not set
+- [x] Fails when URL invalid
+- [x] Warns when disabled
+- [x] Passes when properly configured
+- [x] Supports Endpoint alternative key
+- [x] Tags validation
+- [x] DefaultSeverity is Warn
+
+### EmailConfiguredCheck Tests
+- [x] CheckId validation
+- [x] CanRun returns false when not configured
+- [x] CanRun returns true when section exists
+- [x] Fails when SmtpHost not set
+- [x] Warns when SmtpPort invalid
+- [x] Warns when FromAddress missing
+- [x] Warns when disabled
+- [x] Passes when properly configured
+- [x] Supports alternative Host/Port/From keys
+- [x] Tags validation
+- [x] DefaultSeverity is Warn
+
+### NotifyQueueHealthCheck Tests
+- [x] CheckId validation
+- [x] CanRun returns false when not configured
+- [x] CanRun returns true when Transport configured
+- [x] CanRun returns true when Kind configured
+- [x] Skips when no health checks registered
+- [x] Tags validation
+- [x] DefaultSeverity is Critical
+- [x] EstimatedDuration validation
+
+## Future Work
+
+- [ ] Integration tests with actual SMTP server (Testcontainers)
+- [ ] Integration tests with actual Redis/NATS (Testcontainers)
+- [ ] Mock HTTP handler tests for connectivity checks

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Adapters/CombinedRuntimeAdapter.cs

@@ -30,7 +30,7 @@ public sealed class CombinedRuntimeAdapter : IExportAdapter
 
     private static readonly JsonWriterOptions WriterOptions = new()
     {
-        Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping,
+        Encoder = JavaScriptEncoder.Default,
         Indented = false,
         SkipValidation = false
     };
@@ -66,7 +66,9 @@ public sealed class CombinedRuntimeAdapter : IExportAdapter
 
             if (!result.Success)
             {
-                return ExportAdapterResult.Failed(result.ErrorMessage ?? "Combined export failed");
+                return ExportAdapterResult.Failed(
+                    result.ErrorMessage ?? "Combined export failed",
+                    context.TimeProvider);
             }
 
             var counts = new ExportManifestCounts
@@ -106,12 +108,12 @@ public sealed class CombinedRuntimeAdapter : IExportAdapter
         }
         catch (OperationCanceledException)
         {
-            return ExportAdapterResult.Failed("Export cancelled");
+            return ExportAdapterResult.Failed("Export cancelled", context.TimeProvider);
         }
         catch (Exception ex)
         {
             _logger.LogError(ex, "Combined runtime export failed");
-            return ExportAdapterResult.Failed($"Export failed: {ex.Message}");
+            return ExportAdapterResult.Failed($"Export failed: {ex.Message}", context.TimeProvider);
         }
     }
 
@@ -187,10 +189,13 @@ public sealed class CombinedRuntimeAdapter : IExportAdapter
         {
             cancellationToken.ThrowIfCancellationRequested();
 
-            var content = await context.DataFetcher.FetchAsync(item, cancellationToken);
+                var content = await context.DataFetcher.FetchAsync(item, cancellationToken);
             if (!content.Success)
             {
-                itemResults.Add(AdapterItemResult.Failed(item.ItemId, content.ErrorMessage ?? "Failed to fetch"));
+                itemResults.Add(AdapterItemResult.Failed(
+                    item.ItemId,
+                    content.ErrorMessage ?? "Failed to fetch",
+                    context.TimeProvider));
                 continue;
             }
 
@@ -220,7 +225,10 @@ public sealed class CombinedRuntimeAdapter : IExportAdapter
             var content = await context.DataFetcher.FetchAsync(item, cancellationToken);
             if (!content.Success)
             {
-                itemResults.Add(AdapterItemResult.Failed(item.ItemId, content.ErrorMessage ?? "Failed to fetch"));
+                itemResults.Add(AdapterItemResult.Failed(
+                    item.ItemId,
+                    content.ErrorMessage ?? "Failed to fetch",
+                    context.TimeProvider));
                 continue;
             }
 

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Adapters/ExportAdapterModels.cs

@@ -58,13 +58,13 @@ public sealed record AdapterItemResult
 
     public DateTimeOffset ProcessedAt { get; init; }
 
-    public static AdapterItemResult Failed(Guid itemId, string errorMessage)
+    public static AdapterItemResult Failed(Guid itemId, string errorMessage, TimeProvider? timeProvider = null)
         => new()
         {
             ItemId = itemId,
             Success = false,
             ErrorMessage = errorMessage,
-            ProcessedAt = DateTimeOffset.UtcNow
+            ProcessedAt = (timeProvider ?? TimeProvider.System).GetUtcNow()
         };
 }
 
@@ -87,8 +87,13 @@ public sealed record ExportAdapterResult
 
     public DateTimeOffset CompletedAt { get; init; }
 
-    public static ExportAdapterResult Failed(string errorMessage)
+    public static ExportAdapterResult Failed(string errorMessage, TimeProvider? timeProvider = null)
-        => new() { Success = false, ErrorMessage = errorMessage, CompletedAt = DateTimeOffset.UtcNow };
+        => new()
+        {
+            Success = false,
+            ErrorMessage = errorMessage,
+            CompletedAt = (timeProvider ?? TimeProvider.System).GetUtcNow()
+        };
 }
 
 /// <summary>

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Adapters/IExportAdapter.cs

@@ -1,3 +1,4 @@
+using StellaOps.Determinism;
 using StellaOps.ExportCenter.Core.Planner;
 
 namespace StellaOps.ExportCenter.Core.Adapters;
@@ -88,6 +89,11 @@ public sealed record ExportAdapterContext
     /// Time provider for deterministic timestamps.
     /// </summary>
     public TimeProvider TimeProvider { get; init; } = TimeProvider.System;
+
+    /// <summary>
+    /// GUID provider for deterministic identifiers.
+    /// </summary>
+    public IGuidProvider GuidProvider { get; init; } = SystemGuidProvider.Instance;
 }
 
 /// <summary>

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Adapters/JsonPolicyAdapter.cs

@@ -78,7 +78,9 @@ public sealed class JsonPolicyAdapter : IExportAdapter
                 }
                 else
                 {
-                    return ExportAdapterResult.Failed(ndjsonResult.ErrorMessage ?? "NDJSON export failed");
+                    return ExportAdapterResult.Failed(
+                        ndjsonResult.ErrorMessage ?? "NDJSON export failed",
+                        context.TimeProvider);
                 }
             }
             else
@@ -131,12 +133,12 @@ public sealed class JsonPolicyAdapter : IExportAdapter
         }
         catch (OperationCanceledException)
         {
-            return ExportAdapterResult.Failed("Export cancelled");
+            return ExportAdapterResult.Failed("Export cancelled", context.TimeProvider);
         }
         catch (Exception ex)
         {
             _logger.LogError(ex, "JSON policy export failed");
-            return ExportAdapterResult.Failed($"Export failed: {ex.Message}");
+            return ExportAdapterResult.Failed($"Export failed: {ex.Message}", context.TimeProvider);
         }
     }
 
@@ -185,19 +187,25 @@ public sealed class JsonPolicyAdapter : IExportAdapter
             var content = await context.DataFetcher.FetchAsync(item, cancellationToken);
             if (!content.Success)
             {
-                return AdapterItemResult.Failed(item.ItemId, content.ErrorMessage ?? "Failed to fetch content");
+                return AdapterItemResult.Failed(
+                    item.ItemId,
+                    content.ErrorMessage ?? "Failed to fetch content",
+                    context.TimeProvider);
             }
 
             if (string.IsNullOrEmpty(content.JsonContent))
             {
-                return AdapterItemResult.Failed(item.ItemId, "Item content is empty");
+                return AdapterItemResult.Failed(item.ItemId, "Item content is empty", context.TimeProvider);
             }
 
             // Normalize the data content
             var normalized = _normalizer.Normalize(content.JsonContent);
             if (!normalized.Success)
             {
-                return AdapterItemResult.Failed(item.ItemId, normalized.ErrorMessage ?? "Normalization failed");
+                return AdapterItemResult.Failed(
+                    item.ItemId,
+                    normalized.ErrorMessage ?? "Normalization failed",
+                    context.TimeProvider);
             }
 
             // Get policy metadata if evaluator is available
@@ -223,12 +231,15 @@ public sealed class JsonPolicyAdapter : IExportAdapter
             if (compression != CompressionFormat.None)
             {
                 var compressed = _compressor.CompressBytes(outputBytes, compression);
-                if (!compressed.Success)
+                    if (!compressed.Success)
-                {
+                    {
-                    return AdapterItemResult.Failed(item.ItemId, compressed.ErrorMessage ?? "Compression failed");
+                        return AdapterItemResult.Failed(
+                            item.ItemId,
+                            compressed.ErrorMessage ?? "Compression failed",
+                            context.TimeProvider);
+                    }
+                    outputBytes = compressed.CompressedData!;
                 }
-                outputBytes = compressed.CompressedData!;
-            }
 
             // Write to file
             var fileName = BuildFileName(item, context.Config);
@@ -257,7 +268,7 @@ public sealed class JsonPolicyAdapter : IExportAdapter
         catch (Exception ex)
         {
             _logger.LogWarning(ex, "Failed to process item {ItemId}", item.ItemId);
-            return AdapterItemResult.Failed(item.ItemId, ex.Message);
+            return AdapterItemResult.Failed(item.ItemId, ex.Message, context.TimeProvider);
         }
     }
 
@@ -307,20 +318,26 @@ public sealed class JsonPolicyAdapter : IExportAdapter
                 var content = await context.DataFetcher.FetchAsync(item, cancellationToken);
                 if (!content.Success)
                 {
-                    itemResults.Add(AdapterItemResult.Failed(item.ItemId, content.ErrorMessage ?? "Failed to fetch"));
+                    itemResults.Add(AdapterItemResult.Failed(
+                        item.ItemId,
+                        content.ErrorMessage ?? "Failed to fetch",
+                        context.TimeProvider));
                     continue;
                 }
 
                 if (string.IsNullOrEmpty(content.JsonContent))
                 {
-                    itemResults.Add(AdapterItemResult.Failed(item.ItemId, "Empty content"));
+                    itemResults.Add(AdapterItemResult.Failed(item.ItemId, "Empty content", context.TimeProvider));
                     continue;
                 }
 
                 var normalized = _normalizer.Normalize(content.JsonContent);
                 if (!normalized.Success)
                 {
-                    itemResults.Add(AdapterItemResult.Failed(item.ItemId, normalized.ErrorMessage ?? "Normalization failed"));
+                    itemResults.Add(AdapterItemResult.Failed(
+                        item.ItemId,
+                        normalized.ErrorMessage ?? "Normalization failed",
+                        context.TimeProvider));
                     continue;
                 }
 
@@ -348,7 +365,7 @@ public sealed class JsonPolicyAdapter : IExportAdapter
             }
             catch (Exception ex)
             {
-                itemResults.Add(AdapterItemResult.Failed(item.ItemId, ex.Message));
+                itemResults.Add(AdapterItemResult.Failed(item.ItemId, ex.Message, context.TimeProvider));
             }
         }
 

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Adapters/JsonRawAdapter.cs

@@ -68,7 +68,9 @@ public sealed class JsonRawAdapter : IExportAdapter
                 }
                 else
                 {
-                    return ExportAdapterResult.Failed(ndjsonResult.ErrorMessage ?? "NDJSON export failed");
+                    return ExportAdapterResult.Failed(
+                        ndjsonResult.ErrorMessage ?? "NDJSON export failed",
+                        context.TimeProvider);
                 }
             }
             else
@@ -124,12 +126,12 @@ public sealed class JsonRawAdapter : IExportAdapter
         }
         catch (OperationCanceledException)
         {
-            return ExportAdapterResult.Failed("Export cancelled");
+            return ExportAdapterResult.Failed("Export cancelled", context.TimeProvider);
         }
         catch (Exception ex)
         {
             _logger.LogError(ex, "JSON raw export failed");
-            return ExportAdapterResult.Failed($"Export failed: {ex.Message}");
+            return ExportAdapterResult.Failed($"Export failed: {ex.Message}", context.TimeProvider);
         }
     }
 
@@ -178,19 +180,25 @@ public sealed class JsonRawAdapter : IExportAdapter
             var content = await context.DataFetcher.FetchAsync(item, cancellationToken);
             if (!content.Success)
             {
-                return AdapterItemResult.Failed(item.ItemId, content.ErrorMessage ?? "Failed to fetch content");
+                return AdapterItemResult.Failed(
+                    item.ItemId,
+                    content.ErrorMessage ?? "Failed to fetch content",
+                    context.TimeProvider);
             }
 
             if (string.IsNullOrEmpty(content.JsonContent))
             {
-                return AdapterItemResult.Failed(item.ItemId, "Item content is empty");
+                return AdapterItemResult.Failed(item.ItemId, "Item content is empty", context.TimeProvider);
             }
 
             // Normalize JSON
             var normalized = _normalizer.Normalize(content.JsonContent);
             if (!normalized.Success)
             {
-                return AdapterItemResult.Failed(item.ItemId, normalized.ErrorMessage ?? "Normalization failed");
+                return AdapterItemResult.Failed(
+                    item.ItemId,
+                    normalized.ErrorMessage ?? "Normalization failed",
+                    context.TimeProvider);
             }
 
             // Apply pretty print if requested
@@ -209,7 +217,10 @@ public sealed class JsonRawAdapter : IExportAdapter
                 var compressed = _compressor.CompressBytes(outputBytes, compression);
                 if (!compressed.Success)
                 {
-                    return AdapterItemResult.Failed(item.ItemId, compressed.ErrorMessage ?? "Compression failed");
+                    return AdapterItemResult.Failed(
+                        item.ItemId,
+                        compressed.ErrorMessage ?? "Compression failed",
+                        context.TimeProvider);
                 }
                 outputBytes = compressed.CompressedData!;
             }
@@ -241,7 +252,7 @@ public sealed class JsonRawAdapter : IExportAdapter
         catch (Exception ex)
         {
             _logger.LogWarning(ex, "Failed to process item {ItemId}", item.ItemId);
-            return AdapterItemResult.Failed(item.ItemId, ex.Message);
+            return AdapterItemResult.Failed(item.ItemId, ex.Message, context.TimeProvider);
         }
     }
 
@@ -261,20 +272,26 @@ public sealed class JsonRawAdapter : IExportAdapter
                 var content = await context.DataFetcher.FetchAsync(item, cancellationToken);
                 if (!content.Success)
                 {
-                    itemResults.Add(AdapterItemResult.Failed(item.ItemId, content.ErrorMessage ?? "Failed to fetch"));
+                    itemResults.Add(AdapterItemResult.Failed(
+                        item.ItemId,
+                        content.ErrorMessage ?? "Failed to fetch",
+                        context.TimeProvider));
                     continue;
                 }
 
                 if (string.IsNullOrEmpty(content.JsonContent))
                 {
-                    itemResults.Add(AdapterItemResult.Failed(item.ItemId, "Empty content"));
+                    itemResults.Add(AdapterItemResult.Failed(item.ItemId, "Empty content", context.TimeProvider));
                     continue;
                 }
 
                 var normalized = _normalizer.Normalize(content.JsonContent);
                 if (!normalized.Success)
                 {
-                    itemResults.Add(AdapterItemResult.Failed(item.ItemId, normalized.ErrorMessage ?? "Normalization failed"));
+                    itemResults.Add(AdapterItemResult.Failed(
+                        item.ItemId,
+                        normalized.ErrorMessage ?? "Normalization failed",
+                        context.TimeProvider));
                     continue;
                 }
 
@@ -292,7 +309,7 @@ public sealed class JsonRawAdapter : IExportAdapter
             }
             catch (Exception ex)
             {
-                itemResults.Add(AdapterItemResult.Failed(item.ItemId, ex.Message));
+                itemResults.Add(AdapterItemResult.Failed(item.ItemId, ex.Message, context.TimeProvider));
             }
         }
 

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Adapters/MirrorAdapter.cs

@@ -50,7 +50,7 @@ public sealed class MirrorAdapter : IExportAdapter
                 context.Items.Count);
 
             // Create temp directory for staging files
-            var tempDir = Path.Combine(Path.GetTempPath(), $"mirror-{Guid.NewGuid():N}");
+            var tempDir = Path.Combine(Path.GetTempPath(), $"mirror-{context.GuidProvider.NewGuid():N}");
             Directory.CreateDirectory(tempDir);
 
             try
@@ -81,7 +81,7 @@ public sealed class MirrorAdapter : IExportAdapter
 
                 // Build the mirror bundle
                 var request = new MirrorBundleBuildRequest(
-                    Guid.TryParse(context.CorrelationId, out var runId) ? runId : Guid.NewGuid(),
+                    Guid.TryParse(context.CorrelationId, out var runId) ? runId : context.GuidProvider.NewGuid(),
                     context.TenantId,
                     MirrorBundleVariant.Full,
                     selectors,
@@ -176,7 +176,7 @@ public sealed class MirrorAdapter : IExportAdapter
         catch (Exception ex)
         {
             _logger.LogError(ex, "Failed to build mirror bundle");
-            return ExportAdapterResult.Failed($"Mirror bundle build failed: {ex.Message}");
+            return ExportAdapterResult.Failed($"Mirror bundle build failed: {ex.Message}", context.TimeProvider);
         }
     }
 
@@ -297,13 +297,13 @@ public sealed class MirrorAdapter : IExportAdapter
                     OutputPath = tempFilePath,
                     OutputSizeBytes = new FileInfo(tempFilePath).Length,
                     ContentHash = content.OriginalHash,
-                    ProcessedAt = DateTimeOffset.UtcNow
+                    ProcessedAt = context.TimeProvider.GetUtcNow()
                 });
             }
             catch (Exception ex)
             {
                 _logger.LogWarning(ex, "Failed to process item {ItemId}", item.ItemId);
-                itemResults.Add(AdapterItemResult.Failed(item.ItemId, ex.Message));
+                itemResults.Add(AdapterItemResult.Failed(item.ItemId, ex.Message, context.TimeProvider));
             }
         }
 

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Adapters/MirrorDeltaAdapter.cs

@@ -60,7 +60,8 @@ public sealed class MirrorDeltaAdapter : IExportAdapter
             if (deltaOptions is null)
             {
                 return ExportAdapterResult.Failed(
-                    "Delta options required: provide 'baseExportId' and 'baseManifestDigest' in context metadata");
+                    "Delta options required: provide 'baseExportId' and 'baseManifestDigest' in context metadata",
+                    context.TimeProvider);
             }
 
             _logger.LogInformation(
@@ -68,7 +69,7 @@ public sealed class MirrorDeltaAdapter : IExportAdapter
                 deltaOptions.BaseExportId, context.Items.Count);
 
             // Create temp directory for staging files
-            var tempDir = Path.Combine(Path.GetTempPath(), $"mirror-delta-{Guid.NewGuid():N}");
+            var tempDir = Path.Combine(Path.GetTempPath(), $"mirror-delta-{context.GuidProvider.NewGuid():N}");
             Directory.CreateDirectory(tempDir);
 
             try
@@ -100,7 +101,9 @@ public sealed class MirrorDeltaAdapter : IExportAdapter
                 var deltaResult = await _deltaService.ComputeDeltaAsync(deltaRequest, cancellationToken);
                 if (!deltaResult.Success)
                 {
-                    return ExportAdapterResult.Failed(deltaResult.ErrorMessage ?? "Delta computation failed");
+                    return ExportAdapterResult.Failed(
+                        deltaResult.ErrorMessage ?? "Delta computation failed",
+                        context.TimeProvider);
                 }
 
                 // If no changes, return early with empty delta
@@ -123,7 +126,7 @@ public sealed class MirrorDeltaAdapter : IExportAdapter
 
                 // Create the delta bundle request
                 var bundleRequest = new MirrorBundleBuildRequest(
-                    Guid.TryParse(context.CorrelationId, out var runId) ? runId : Guid.NewGuid(),
+                    Guid.TryParse(context.CorrelationId, out var runId) ? runId : context.GuidProvider.NewGuid(),
                     context.TenantId,
                     MirrorBundleVariant.Delta,
                     selectors,
@@ -236,7 +239,9 @@ public sealed class MirrorDeltaAdapter : IExportAdapter
         catch (Exception ex)
         {
             _logger.LogError(ex, "Failed to build mirror delta bundle");
-            return ExportAdapterResult.Failed($"Mirror delta bundle build failed: {ex.Message}");
+            return ExportAdapterResult.Failed(
+                $"Mirror delta bundle build failed: {ex.Message}",
+                context.TimeProvider);
         }
     }
 
@@ -320,7 +325,8 @@ public sealed class MirrorDeltaAdapter : IExportAdapter
                 {
                     itemResults.Add(AdapterItemResult.Failed(
                         item.ItemId,
-                        content.ErrorMessage ?? "Failed to fetch content or content is empty"));
+                        content.ErrorMessage ?? "Failed to fetch content or content is empty",
+                        context.TimeProvider));
                     continue;
                 }
 
@@ -330,7 +336,8 @@ public sealed class MirrorDeltaAdapter : IExportAdapter
                 {
                     itemResults.Add(AdapterItemResult.Failed(
                         item.ItemId,
-                        $"Unknown item kind: {item.Kind}"));
+                        $"Unknown item kind: {item.Kind}",
+                        context.TimeProvider));
                     continue;
                 }
 
@@ -388,7 +395,7 @@ public sealed class MirrorDeltaAdapter : IExportAdapter
             catch (Exception ex)
             {
                 _logger.LogWarning(ex, "Failed to process item {ItemId}", item.ItemId);
-                itemResults.Add(AdapterItemResult.Failed(item.ItemId, ex.Message));
+                itemResults.Add(AdapterItemResult.Failed(item.ItemId, ex.Message, context.TimeProvider));
             }
         }
 

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Adapters/Trivy/TrivyDbAdapter.cs

@@ -71,11 +71,12 @@ public sealed class TrivyDbAdapter : IExportAdapter
             if (_options.SchemaVersion != SupportedSchemaVersion)
             {
                 return ExportAdapterResult.Failed(
-                    $"Unsupported Trivy DB schema version {_options.SchemaVersion}. Only v{SupportedSchemaVersion} is supported.");
+                    $"Unsupported Trivy DB schema version {_options.SchemaVersion}. Only v{SupportedSchemaVersion} is supported.",
+                    context.TimeProvider);
             }
 
             // Create temp directory for staging
-            var tempDir = Path.Combine(Path.GetTempPath(), $"trivy-db-{Guid.NewGuid():N}");
+            var tempDir = Path.Combine(Path.GetTempPath(), $"trivy-db-{context.GuidProvider.NewGuid():N}");
             Directory.CreateDirectory(tempDir);
 
             try
@@ -100,7 +101,8 @@ public sealed class TrivyDbAdapter : IExportAdapter
                 if (totalVulnCount == 0 && !_options.AllowEmpty)
                 {
                     return ExportAdapterResult.Failed(
-                        "No vulnerabilities mapped. Set AllowEmpty=true to allow empty bundles.");
+                        "No vulnerabilities mapped. Set AllowEmpty=true to allow empty bundles.",
+                        context.TimeProvider);
                 }
 
                 _logger.LogInformation(
@@ -202,7 +204,9 @@ public sealed class TrivyDbAdapter : IExportAdapter
         catch (Exception ex)
         {
             _logger.LogError(ex, "Failed to build Trivy DB bundle");
-            return ExportAdapterResult.Failed($"Trivy DB bundle build failed: {ex.Message}");
+            return ExportAdapterResult.Failed(
+                $"Trivy DB bundle build failed: {ex.Message}",
+                context.TimeProvider);
         }
     }
 
@@ -285,7 +289,8 @@ public sealed class TrivyDbAdapter : IExportAdapter
                 {
                     itemResults.Add(AdapterItemResult.Failed(
                         item.ItemId,
-                        content.ErrorMessage ?? "Failed to fetch content or content is empty"));
+                        content.ErrorMessage ?? "Failed to fetch content or content is empty",
+                        context.TimeProvider));
                     continue;
                 }
 
@@ -298,7 +303,7 @@ public sealed class TrivyDbAdapter : IExportAdapter
                     {
                         ItemId = item.ItemId,
                         Success = true,
-                        ProcessedAt = DateTimeOffset.UtcNow
+                        ProcessedAt = context.TimeProvider.GetUtcNow()
                     });
                     continue;
                 }
@@ -327,13 +332,13 @@ public sealed class TrivyDbAdapter : IExportAdapter
                     ItemId = item.ItemId,
                     Success = true,
                     ContentHash = content.OriginalHash,
-                    ProcessedAt = DateTimeOffset.UtcNow
+                    ProcessedAt = context.TimeProvider.GetUtcNow()
                 });
             }
             catch (Exception ex)
             {
                 _logger.LogWarning(ex, "Failed to process item {ItemId}", item.ItemId);
-                itemResults.Add(AdapterItemResult.Failed(item.ItemId, ex.Message));
+                itemResults.Add(AdapterItemResult.Failed(item.ItemId, ex.Message, context.TimeProvider));
             }
         }
     }
@@ -384,7 +389,7 @@ public sealed class TrivyDbAdapter : IExportAdapter
         int vulnerabilityCount)
     {
         var now = context.TimeProvider.GetUtcNow();
-        var runId = Guid.TryParse(context.CorrelationId, out var id) ? id : Guid.NewGuid();
+        var runId = Guid.TryParse(context.CorrelationId, out var id) ? id : context.GuidProvider.NewGuid();
 
         return new TrivyDbMetadata
         {

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Adapters/Trivy/TrivyJavaDbAdapter.cs

@@ -77,7 +77,7 @@ public sealed class TrivyJavaDbAdapter : IExportAdapter
                 context.Items.Count);
 
             // Create temp directory for staging
-            var tempDir = Path.Combine(Path.GetTempPath(), $"trivy-java-db-{Guid.NewGuid():N}");
+            var tempDir = Path.Combine(Path.GetTempPath(), $"trivy-java-db-{context.GuidProvider.NewGuid():N}");
             Directory.CreateDirectory(tempDir);
 
             try
@@ -110,7 +110,8 @@ public sealed class TrivyJavaDbAdapter : IExportAdapter
                 if (totalVulnCount == 0 && !_options.AllowEmpty)
                 {
                     return ExportAdapterResult.Failed(
-                        "No Java vulnerabilities mapped. Set AllowEmpty=true to allow empty bundles.");
+                        "No Java vulnerabilities mapped. Set AllowEmpty=true to allow empty bundles.",
+                        context.TimeProvider);
                 }
 
                 _logger.LogInformation(
@@ -209,7 +210,9 @@ public sealed class TrivyJavaDbAdapter : IExportAdapter
         catch (Exception ex)
         {
             _logger.LogError(ex, "Failed to build Trivy Java DB bundle");
-            return ExportAdapterResult.Failed($"Trivy Java DB bundle build failed: {ex.Message}");
+            return ExportAdapterResult.Failed(
+                $"Trivy Java DB bundle build failed: {ex.Message}",
+                context.TimeProvider);
         }
     }
 
@@ -286,7 +289,8 @@ public sealed class TrivyJavaDbAdapter : IExportAdapter
                 {
                     itemResults.Add(AdapterItemResult.Failed(
                         item.ItemId,
-                        content.ErrorMessage ?? "Failed to fetch content or content is empty"));
+                        content.ErrorMessage ?? "Failed to fetch content or content is empty",
+                        context.TimeProvider));
                     continue;
                 }
 
@@ -299,7 +303,7 @@ public sealed class TrivyJavaDbAdapter : IExportAdapter
                     {
                         ItemId = item.ItemId,
                         Success = true,
-                        ProcessedAt = DateTimeOffset.UtcNow
+                        ProcessedAt = context.TimeProvider.GetUtcNow()
                     });
                     continue;
                 }
@@ -359,13 +363,13 @@ public sealed class TrivyJavaDbAdapter : IExportAdapter
                     ItemId = item.ItemId,
                     Success = true,
                     ContentHash = content.OriginalHash,
-                    ProcessedAt = DateTimeOffset.UtcNow
+                    ProcessedAt = context.TimeProvider.GetUtcNow()
                 });
             }
             catch (Exception ex)
             {
                 _logger.LogWarning(ex, "Failed to process item {ItemId}", item.ItemId);
-                itemResults.Add(AdapterItemResult.Failed(item.ItemId, ex.Message));
+                itemResults.Add(AdapterItemResult.Failed(item.ItemId, ex.Message, context.TimeProvider));
             }
         }
     }
@@ -454,7 +458,7 @@ public sealed class TrivyJavaDbAdapter : IExportAdapter
         int vulnerabilityCount)
     {
         var now = context.TimeProvider.GetUtcNow();
-        var runId = Guid.TryParse(context.CorrelationId, out var id) ? id : Guid.NewGuid();
+        var runId = Guid.TryParse(context.CorrelationId, out var id) ? id : context.GuidProvider.NewGuid();
 
         return new TrivyJavaDbMetadata
         {

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Planner/ExportScopeResolver.cs

@@ -1,3 +1,6 @@
+using System.Buffers.Binary;
+using System.Security.Cryptography;
+using System.Text;
 using System.Text.RegularExpressions;
 using Microsoft.Extensions.Logging;
 
@@ -40,7 +43,7 @@ public sealed class ExportScopeResolver : IExportScopeResolver
         var items = GenerateResolvedItems(tenantId, scope);
 
         // Apply sampling if configured
-        var (sampledItems, samplingMetadata) = ApplySampling(items, scope.Sampling);
+        var (sampledItems, samplingMetadata) = ApplySampling(items, scope.Sampling, tenantId, scope);
 
         // Apply max items limit
         var maxItems = scope.MaxItems ?? DefaultMaxItems;
@@ -223,7 +226,7 @@ public sealed class ExportScopeResolver : IExportScopeResolver
             foreach (var sourceRef in scope.SourceRefs)
             {
                 var kind = scope.TargetKinds.FirstOrDefault() ?? "sbom";
-                items.Add(CreateResolvedItem(sourceRef, kind, now));
+                items.Add(CreateResolvedItem(tenantId, sourceRef, kind, now));
             }
         }
         else
@@ -237,7 +240,7 @@ public sealed class ExportScopeResolver : IExportScopeResolver
                 for (var i = 0; i < itemsPerKind; i++)
                 {
                     var sourceRef = $"{kind}-{tenantId:N}-{i:D4}";
-                    items.Add(CreateResolvedItem(sourceRef, kind, now.AddHours(-i)));
+                    items.Add(CreateResolvedItem(tenantId, sourceRef, kind, now.AddHours(-i)));
                 }
             }
         }
@@ -285,11 +288,12 @@ public sealed class ExportScopeResolver : IExportScopeResolver
         return items;
     }
 
-    private ResolvedExportItem CreateResolvedItem(string sourceRef, string kind, DateTimeOffset createdAt)
+    private static ResolvedExportItem CreateResolvedItem(Guid tenantId, string sourceRef, string kind, DateTimeOffset createdAt)
     {
+        var itemId = CreateDeterministicItemId(tenantId, sourceRef, kind);
         return new ResolvedExportItem
         {
-            ItemId = Guid.NewGuid(),
+            ItemId = itemId,
             Kind = kind,
             SourceRef = sourceRef,
             Name = $"{kind}-{sourceRef}",
@@ -308,14 +312,16 @@ public sealed class ExportScopeResolver : IExportScopeResolver
 
     private static (List<ResolvedExportItem> Items, SamplingMetadata? Metadata) ApplySampling(
         List<ResolvedExportItem> items,
-        SamplingConfig? sampling)
+        SamplingConfig? sampling,
+        Guid tenantId,
+        ExportScope scope)
     {
         if (sampling is null || sampling.Strategy == SamplingStrategy.None)
         {
             return (items, null);
         }
 
-        var seed = sampling.Seed ?? Environment.TickCount;
+        var seed = sampling.Seed ?? ComputeDeterministicSeed(tenantId, scope);
         var size = Math.Min(sampling.Size, items.Count);
 
         List<ResolvedExportItem> sampled;
@@ -382,4 +388,66 @@ public sealed class ExportScopeResolver : IExportScopeResolver
             _ => item.Metadata.TryGetValue(field, out var value) ? value : "unknown"
         };
     }
+
+    private static Guid CreateDeterministicItemId(Guid tenantId, string sourceRef, string kind)
+    {
+        var seed = $"{tenantId:D}|{kind}|{sourceRef}";
+        var hash = SHA256.HashData(Encoding.UTF8.GetBytes(seed));
+        return new Guid(hash.AsSpan(0, 16).ToArray());
+    }
+
+    private static int ComputeDeterministicSeed(Guid tenantId, ExportScope scope)
+    {
+        var builder = new StringBuilder();
+        builder.Append("tenant=").Append(tenantId.ToString("D"));
+        AppendList(builder, "targets", scope.TargetKinds);
+        AppendList(builder, "sources", scope.SourceRefs);
+        AppendList(builder, "tags", scope.Tags);
+        AppendList(builder, "namespaces", scope.Namespaces);
+        AppendList(builder, "exclude", scope.ExcludePatterns);
+        AppendList(builder, "runIds", scope.RunIds.Select(id => id.ToString("D")).ToList());
+
+        if (scope.DateRange is not null)
+        {
+            builder.Append("|dateField=").Append(scope.DateRange.Field.ToString());
+            if (scope.DateRange.From.HasValue)
+            {
+                builder.Append("|dateFrom=").Append(scope.DateRange.From.Value.ToString("O", CultureInfo.InvariantCulture));
+            }
+            if (scope.DateRange.To.HasValue)
+            {
+                builder.Append("|dateTo=").Append(scope.DateRange.To.Value.ToString("O", CultureInfo.InvariantCulture));
+            }
+        }
+
+        if (scope.MaxItems.HasValue)
+        {
+            builder.Append("|maxItems=").Append(scope.MaxItems.Value.ToString(CultureInfo.InvariantCulture));
+        }
+
+        if (scope.Sampling is not null)
+        {
+            builder.Append("|sampling=").Append(scope.Sampling.Strategy.ToString());
+            builder.Append("|sampleSize=").Append(scope.Sampling.Size.ToString(CultureInfo.InvariantCulture));
+            if (!string.IsNullOrWhiteSpace(scope.Sampling.StratifyBy))
+            {
+                builder.Append("|stratifyBy=").Append(scope.Sampling.StratifyBy);
+            }
+        }
+
+        var hash = SHA256.HashData(Encoding.UTF8.GetBytes(builder.ToString()));
+        return BinaryPrimitives.ReadInt32LittleEndian(hash.AsSpan(0, 4));
+    }
+
+    private static void AppendList(StringBuilder builder, string label, IReadOnlyList<string> values)
+    {
+        if (values.Count == 0)
+        {
+            return;
+        }
+
+        builder.Append('|').Append(label).Append('=');
+        var ordered = values.OrderBy(v => v, StringComparer.Ordinal);
+        builder.Append(string.Join(",", ordered));
+    }
 }

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/Api/ExportApiEndpointsTests.cs

@@ -0,0 +1,40 @@
+using System.Reflection;
+using StellaOps.ExportCenter.Core.Domain;
+using StellaOps.ExportCenter.WebService.Api;
+using Xunit;
+
+namespace StellaOps.ExportCenter.Tests.Api;
+
+public sealed class ExportApiEndpointsTests
+{
+    [Fact]
+    public void MapToProfileResponse_InvalidJson_ReturnsNullConfig()
+    {
+        var now = new DateTimeOffset(2025, 1, 2, 14, 0, 0, TimeSpan.Zero);
+        var profile = new ExportProfile
+        {
+            ProfileId = Guid.NewGuid(),
+            TenantId = Guid.NewGuid(),
+            Name = "test",
+            Kind = ExportProfileKind.AdHoc,
+            Status = ExportProfileStatus.Active,
+            ScopeJson = "{invalid",
+            FormatJson = "{invalid",
+            SigningJson = "{invalid",
+            CreatedAt = now,
+            UpdatedAt = now
+        };
+
+        var method = typeof(ExportApiEndpoints).GetMethod(
+            "MapToProfileResponse",
+            BindingFlags.NonPublic | BindingFlags.Static);
+
+        Assert.NotNull(method);
+
+        var response = (ExportProfileResponse)method!.Invoke(null, new object[] { profile })!;
+
+        Assert.Null(response.Scope);
+        Assert.Null(response.Format);
+        Assert.Null(response.Signing);
+    }
+}

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/Api/ExportApiRepositoryTests.cs

@@ -1,12 +1,19 @@
 using Microsoft.Extensions.Logging.Abstractions;
 using StellaOps.ExportCenter.Core.Domain;
 using StellaOps.ExportCenter.WebService.Api;
+using StellaOps.TestKit;
 
 namespace StellaOps.ExportCenter.Tests.Api;
 
 public class ExportApiRepositoryTests
 {
-    private readonly Guid _tenantId = Guid.NewGuid();
+    private readonly Guid _tenantId = Guid.Parse("00000000-0000-0000-0000-000000000001");
+    private readonly FakeTimeProvider _timeProvider;
+
+    public ExportApiRepositoryTests()
+    {
+        _timeProvider = new FakeTimeProvider(new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero));
+    }
 
     // ========================================================================
     // Profile Repository Tests
@@ -16,7 +23,7 @@ public class ExportApiRepositoryTests
     public async Task ProfileRepo_CreateAsync_StoresProfile()
     {
         // Arrange
-        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance);
+        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance, _timeProvider);
         var profile = CreateTestProfile();
 
         // Act
@@ -31,7 +38,7 @@ public class ExportApiRepositoryTests
     public async Task ProfileRepo_GetByIdAsync_ReturnsStoredProfile()
     {
         // Arrange
-        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance);
+        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance, _timeProvider);
         var profile = CreateTestProfile();
         await repo.CreateAsync(profile);
 
@@ -48,7 +55,7 @@ public class ExportApiRepositoryTests
     public async Task ProfileRepo_GetByIdAsync_ReturnsNull_WhenNotFound()
     {
         // Arrange
-        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance);
+        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance, _timeProvider);
 
         // Act
         var retrieved = await repo.GetByIdAsync(_tenantId, Guid.NewGuid());
@@ -61,7 +68,7 @@ public class ExportApiRepositoryTests
     public async Task ProfileRepo_GetByIdAsync_ReturnsNull_WhenWrongTenant()
     {
         // Arrange
-        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance);
+        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance, _timeProvider);
         var profile = CreateTestProfile();
         await repo.CreateAsync(profile);
 
@@ -76,7 +83,7 @@ public class ExportApiRepositoryTests
     public async Task ProfileRepo_ListAsync_ReturnsAllProfilesForTenant()
     {
         // Arrange
-        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance);
+        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance, _timeProvider);
         var profile1 = CreateTestProfile("Profile 1");
         var profile2 = CreateTestProfile("Profile 2");
         var otherTenantProfile = CreateTestProfile("Other Tenant") with { TenantId = Guid.NewGuid() };
@@ -98,7 +105,7 @@ public class ExportApiRepositoryTests
     public async Task ProfileRepo_ListAsync_FiltersByStatus()
     {
         // Arrange
-        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance);
+        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance, _timeProvider);
         var activeProfile = CreateTestProfile("Active") with { Status = ExportProfileStatus.Active };
         var draftProfile = CreateTestProfile("Draft") with { Status = ExportProfileStatus.Draft };
 
@@ -118,7 +125,7 @@ public class ExportApiRepositoryTests
     public async Task ProfileRepo_ListAsync_FiltersByKind()
     {
         // Arrange
-        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance);
+        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance, _timeProvider);
         var adhocProfile = CreateTestProfile("AdHoc") with { Kind = ExportProfileKind.AdHoc };
         var scheduledProfile = CreateTestProfile("Scheduled") with { Kind = ExportProfileKind.Scheduled };
 
@@ -138,7 +145,7 @@ public class ExportApiRepositoryTests
     public async Task ProfileRepo_ListAsync_SearchesByName()
     {
         // Arrange
-        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance);
+        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance, _timeProvider);
         var profile1 = CreateTestProfile("Daily SBOM Export");
         var profile2 = CreateTestProfile("Weekly VEX Export");
 
@@ -158,7 +165,7 @@ public class ExportApiRepositoryTests
     public async Task ProfileRepo_UpdateAsync_ModifiesProfile()
     {
         // Arrange
-        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance);
+        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance, _timeProvider);
         var profile = CreateTestProfile();
         await repo.CreateAsync(profile);
 
@@ -179,7 +186,7 @@ public class ExportApiRepositoryTests
     public async Task ProfileRepo_ArchiveAsync_SetsArchivedStatus()
     {
         // Arrange
-        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance);
+        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance, _timeProvider);
         var profile = CreateTestProfile();
         await repo.CreateAsync(profile);
 
@@ -193,13 +200,15 @@ public class ExportApiRepositoryTests
         Assert.NotNull(retrieved);
         Assert.Equal(ExportProfileStatus.Archived, retrieved.Status);
         Assert.NotNull(retrieved.ArchivedAt);
+        Assert.Equal(_timeProvider.GetUtcNow(), retrieved.ArchivedAt);
+        Assert.Equal(_timeProvider.GetUtcNow(), retrieved.UpdatedAt);
     }
 
     [Fact]
     public async Task ProfileRepo_IsNameUniqueAsync_ReturnsTrueForUniqueName()
     {
         // Arrange
-        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance);
+        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance, _timeProvider);
         var profile = CreateTestProfile("Existing Profile");
         await repo.CreateAsync(profile);
 
@@ -214,7 +223,7 @@ public class ExportApiRepositoryTests
     public async Task ProfileRepo_IsNameUniqueAsync_ReturnsFalseForDuplicateName()
     {
         // Arrange
-        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance);
+        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance, _timeProvider);
         var profile = CreateTestProfile("Existing Profile");
         await repo.CreateAsync(profile);
 
@@ -229,7 +238,7 @@ public class ExportApiRepositoryTests
     public async Task ProfileRepo_IsNameUniqueAsync_ExcludesSpecifiedProfile()
     {
         // Arrange
-        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance);
+        var repo = new InMemoryExportProfileRepository(NullLogger<InMemoryExportProfileRepository>.Instance, _timeProvider);
         var profile = CreateTestProfile("Existing Profile");
         await repo.CreateAsync(profile);
 
@@ -248,7 +257,7 @@ public class ExportApiRepositoryTests
     public async Task RunRepo_CreateAsync_StoresRun()
     {
         // Arrange
-        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance);
+        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance, _timeProvider);
         var run = CreateTestRun();
 
         // Act
@@ -263,7 +272,7 @@ public class ExportApiRepositoryTests
     public async Task RunRepo_GetByIdAsync_ReturnsStoredRun()
     {
         // Arrange
-        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance);
+        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance, _timeProvider);
         var run = CreateTestRun();
         await repo.CreateAsync(run);
 
@@ -279,7 +288,7 @@ public class ExportApiRepositoryTests
     public async Task RunRepo_ListAsync_FiltersByProfileId()
     {
         // Arrange
-        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance);
+        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance, _timeProvider);
         var profileId1 = Guid.NewGuid();
         var profileId2 = Guid.NewGuid();
 
@@ -302,7 +311,7 @@ public class ExportApiRepositoryTests
     public async Task RunRepo_ListAsync_FiltersByStatus()
     {
         // Arrange
-        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance);
+        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance, _timeProvider);
         var runningRun = CreateTestRun() with { Status = ExportRunStatus.Running };
         var completedRun = CreateTestRun() with { Status = ExportRunStatus.Completed };
 
@@ -322,7 +331,7 @@ public class ExportApiRepositoryTests
     public async Task RunRepo_CancelAsync_CancelsQueuedRun()
     {
         // Arrange
-        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance);
+        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance, _timeProvider);
         var run = CreateTestRun() with { Status = ExportRunStatus.Queued };
         await repo.CreateAsync(run);
 
@@ -334,13 +343,14 @@ public class ExportApiRepositoryTests
 
         var retrieved = await repo.GetByIdAsync(_tenantId, run.RunId);
         Assert.Equal(ExportRunStatus.Cancelled, retrieved?.Status);
+        Assert.Equal(_timeProvider.GetUtcNow(), retrieved?.CompletedAt);
     }
 
     [Fact]
     public async Task RunRepo_CancelAsync_CancelsRunningRun()
     {
         // Arrange
-        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance);
+        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance, _timeProvider);
         var run = CreateTestRun() with { Status = ExportRunStatus.Running };
         await repo.CreateAsync(run);
 
@@ -355,7 +365,7 @@ public class ExportApiRepositoryTests
     public async Task RunRepo_CancelAsync_ReturnsFalseForCompletedRun()
     {
         // Arrange
-        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance);
+        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance, _timeProvider);
         var run = CreateTestRun() with { Status = ExportRunStatus.Completed };
         await repo.CreateAsync(run);
 
@@ -370,7 +380,7 @@ public class ExportApiRepositoryTests
     public async Task RunRepo_GetActiveRunsCountAsync_CountsRunningRuns()
     {
         // Arrange
-        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance);
+        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance, _timeProvider);
 
         await repo.CreateAsync(CreateTestRun() with { Status = ExportRunStatus.Running });
         await repo.CreateAsync(CreateTestRun() with { Status = ExportRunStatus.Running });
@@ -388,7 +398,7 @@ public class ExportApiRepositoryTests
     public async Task RunRepo_GetActiveRunsCountAsync_FiltersByProfileId()
     {
         // Arrange
-        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance);
+        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance, _timeProvider);
         var profileId = Guid.NewGuid();
 
         await repo.CreateAsync(CreateTestRun() with { ProfileId = profileId, Status = ExportRunStatus.Running });
@@ -405,7 +415,7 @@ public class ExportApiRepositoryTests
     public async Task RunRepo_GetQueuedRunsCountAsync_CountsQueuedRuns()
     {
         // Arrange
-        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance);
+        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance, _timeProvider);
 
         await repo.CreateAsync(CreateTestRun() with { Status = ExportRunStatus.Queued });
         await repo.CreateAsync(CreateTestRun() with { Status = ExportRunStatus.Queued });
@@ -418,6 +428,23 @@ public class ExportApiRepositoryTests
         Assert.Equal(2, count);
     }
 
+    [Fact]
+    public async Task RunRepo_DequeueNextRunAsync_MarksRunAsRunning()
+    {
+        // Arrange
+        var repo = new InMemoryExportRunRepository(NullLogger<InMemoryExportRunRepository>.Instance, _timeProvider);
+        var run = CreateTestRun() with { Status = ExportRunStatus.Queued };
+        await repo.CreateAsync(run);
+
+        // Act
+        var dequeued = await repo.DequeueNextRunAsync(_tenantId);
+
+        // Assert
+        Assert.NotNull(dequeued);
+        Assert.Equal(ExportRunStatus.Running, dequeued!.Status);
+        Assert.Equal(_timeProvider.GetUtcNow(), dequeued.StartedAt);
+    }
+
     // ========================================================================
     // Artifact Repository Tests
     // ========================================================================
@@ -507,8 +534,8 @@ public class ExportApiRepositoryTests
             Description = "Test profile description",
             Kind = ExportProfileKind.AdHoc,
             Status = ExportProfileStatus.Active,
-            CreatedAt = DateTimeOffset.UtcNow,
+            CreatedAt = _timeProvider.GetUtcNow(),
-            UpdatedAt = DateTimeOffset.UtcNow
+            UpdatedAt = _timeProvider.GetUtcNow()
         };
     }
 
@@ -522,7 +549,7 @@ public class ExportApiRepositoryTests
             Status = ExportRunStatus.Running,
             Trigger = ExportRunTrigger.Api,
             CorrelationId = Guid.NewGuid().ToString(),
-            CreatedAt = DateTimeOffset.UtcNow
+            CreatedAt = _timeProvider.GetUtcNow()
         };
     }
 
@@ -539,7 +566,8 @@ public class ExportApiRepositoryTests
             SizeBytes = 1024,
             ContentType = "application/json",
             Checksum = "sha256:abc123",
-            CreatedAt = DateTimeOffset.UtcNow
+            CreatedAt = _timeProvider.GetUtcNow()
         };
     }
 }
+

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/Api/ExportApiServiceCollectionExtensionsTests.cs

@@ -0,0 +1,31 @@
+using Microsoft.Extensions.DependencyInjection;
+using StellaOps.ExportCenter.WebService.Api;
+using Xunit;
+
+namespace StellaOps.ExportCenter.Tests.Api;
+
+public sealed class ExportApiServiceCollectionExtensionsTests
+{
+    [Fact]
+    public void AddExportApiServices_Throws_WhenInMemoryNotAllowed()
+    {
+        var services = new ServiceCollection();
+
+        var exception = Assert.Throws<InvalidOperationException>(() =>
+            services.AddExportApiServices(_ => { }, allowInMemoryRepositories: false));
+
+        Assert.Contains("In-memory export repositories are disabled", exception.Message);
+    }
+
+    [Fact]
+    public void AddExportApiServices_AllowsExplicitInMemoryRegistration()
+    {
+        var services = new ServiceCollection();
+
+        services.AddExportApiServices(_ => { }, allowInMemoryRepositories: true);
+        var provider = services.BuildServiceProvider();
+
+        var repo = provider.GetService<IExportProfileRepository>();
+        Assert.NotNull(repo);
+    }
+}

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/Api/ExportAuditServiceTests.cs

@@ -1,5 +1,6 @@
 using Microsoft.Extensions.Logging.Abstractions;
 using StellaOps.ExportCenter.WebService.Api;
+using StellaOps.Determinism;
 
 namespace StellaOps.ExportCenter.Tests.Api;
 
@@ -12,6 +13,7 @@ public class ExportAuditServiceTests
     {
         _auditService = new ExportAuditService(
             NullLogger<ExportAuditService>.Instance,
+            new SequentialGuidProvider(),
             TimeProvider.System);
     }
 

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/Api/OpenApiDiscoveryEndpointsTests.cs

@@ -0,0 +1,59 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.Hosting;
+using StellaOps.ExportCenter.WebService;
+using Xunit;
+
+namespace StellaOps.ExportCenter.Tests.Api;
+
+public sealed class OpenApiDiscoveryEndpointsTests
+{
+    [Fact]
+    public void MapOpenApiDiscovery_AllowsAnonymousWhenConfigured()
+    {
+        var builder = CreateBuilder();
+        builder.Configuration["OpenApi:AllowAnonymous"] = "true";
+
+        var app = builder.Build();
+        app.MapOpenApiDiscovery();
+
+        var endpoint = GetEndpoint(app, "/.well-known/openapi");
+        var allowAnonymous = endpoint.Metadata.GetMetadata<IAllowAnonymous>();
+
+        Assert.NotNull(allowAnonymous);
+    }
+
+    [Fact]
+    public void MapOpenApiDiscovery_DoesNotAllowAnonymousWhenDisabled()
+    {
+        var builder = CreateBuilder();
+        builder.Configuration["OpenApi:AllowAnonymous"] = "false";
+
+        var app = builder.Build();
+        app.MapOpenApiDiscovery();
+
+        var endpoint = GetEndpoint(app, "/.well-known/openapi");
+        var allowAnonymous = endpoint.Metadata.GetMetadata<IAllowAnonymous>();
+
+        Assert.Null(allowAnonymous);
+    }
+
+    private static RouteEndpoint GetEndpoint(IEndpointRouteBuilder app, string pattern)
+    {
+        var endpoints = app.DataSources.SelectMany(source => source.Endpoints).OfType<RouteEndpoint>();
+        return endpoints.Single(endpoint => string.Equals(endpoint.RoutePattern.RawText, pattern, StringComparison.Ordinal));
+    }
+
+    private static WebApplicationBuilder CreateBuilder()
+    {
+        var contentRoot = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N"));
+        Directory.CreateDirectory(contentRoot);
+
+        return WebApplication.CreateBuilder(new WebApplicationOptions
+        {
+            EnvironmentName = Environments.Production,
+            ContentRootPath = contentRoot
+        });
+    }
+}

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/AuditBundle/AuditBundleJobHandlerTests.cs

@@ -0,0 +1,40 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using StellaOps.Determinism;
+using StellaOps.ExportCenter.Client.Models;
+using StellaOps.ExportCenter.Tests;
+using StellaOps.ExportCenter.WebService.AuditBundle;
+using Xunit;
+
+namespace StellaOps.ExportCenter.Tests.AuditBundle;
+
+public sealed class AuditBundleJobHandlerTests
+{
+    [Fact]
+    public async Task CreateBundleAsync_UsesGuidProvider()
+    {
+        var timeProvider = new FakeTimeProvider(new DateTimeOffset(2025, 1, 2, 10, 0, 0, TimeSpan.Zero));
+        var guidProvider = new SequentialGuidProvider();
+        var handler = new AuditBundleJobHandler(
+            NullLogger<AuditBundleJobHandler>.Instance,
+            guidProvider,
+            timeProvider);
+
+        var request = new CreateAuditBundleRequest(
+            new BundleSubjectRefDto(
+                "container",
+                "example-image",
+                new Dictionary<string, string> { ["sha256"] = "abc123" }),
+            TimeWindow: null,
+            IncludeContent: new AuditBundleContentSelection(
+                VulnReports: false,
+                Sbom: false,
+                VexDecisions: false,
+                PolicyEvaluations: false,
+                Attestations: false));
+
+        var result = await handler.CreateBundleAsync(request, "actor-1", "Actor One", CancellationToken.None);
+
+        Assert.NotNull(result.Response);
+        Assert.Equal("bndl-00000000000000000000000000000001", result.Response!.BundleId);
+    }
+}

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/Deprecation/DeprecationHeaderExtensionsTests.cs

@@ -46,8 +46,8 @@ public sealed class DeprecationHeaderExtensionsTests
     {
         var context = CreateHttpContext();
         var info = new DeprecationInfo(
-            DeprecatedAt: DateTimeOffset.UtcNow,
+            DeprecatedAt: new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero),
-            SunsetAt: DateTimeOffset.UtcNow.AddMonths(6),
+            SunsetAt: new DateTimeOffset(2025, 7, 1, 0, 0, 0, TimeSpan.Zero),
             SuccessorPath: "/v1/new",
             DocumentationUrl: "https://docs.example.com/migration");
 
@@ -76,8 +76,8 @@ public sealed class DeprecationHeaderExtensionsTests
     {
         var context = CreateHttpContext();
         var info = new DeprecationInfo(
-            DeprecatedAt: DateTimeOffset.UtcNow,
+            DeprecatedAt: new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero),
-            SunsetAt: DateTimeOffset.UtcNow.AddMonths(6),
+            SunsetAt: new DateTimeOffset(2025, 7, 1, 0, 0, 0, TimeSpan.Zero),
             SuccessorPath: "/v1/new",
             Reason: "Custom deprecation reason");
 
@@ -123,8 +123,8 @@ public sealed class DeprecationHeaderExtensionsTests
     private static DeprecationInfo CreateSampleDeprecationInfo()
     {
         return new DeprecationInfo(
-            DeprecatedAt: DateTimeOffset.UtcNow,
+            DeprecatedAt: new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero),
-            SunsetAt: DateTimeOffset.UtcNow.AddMonths(6),
+            SunsetAt: new DateTimeOffset(2025, 7, 1, 0, 0, 0, TimeSpan.Zero),
             SuccessorPath: "/v1/new-endpoint");
     }
 }

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/Deprecation/DeprecationInfoTests.cs

@@ -8,46 +8,54 @@ public sealed class DeprecationInfoTests
     [Fact]
     public void IsPastSunset_WhenSunsetInFuture_ReturnsFalse()
     {
+        var now = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero);
+        var timeProvider = new FixedTimeProvider(now);
         var info = new DeprecationInfo(
-            DeprecatedAt: DateTimeOffset.UtcNow.AddMonths(-1),
+            DeprecatedAt: now.AddMonths(-1),
-            SunsetAt: DateTimeOffset.UtcNow.AddMonths(6),
+            SunsetAt: now.AddMonths(6),
             SuccessorPath: "/v1/new");
 
-        Assert.False(info.IsPastSunset);
+        Assert.False(info.IsPastSunsetAt(timeProvider));
     }
 
     [Fact]
     public void IsPastSunset_WhenSunsetInPast_ReturnsTrue()
     {
+        var now = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero);
+        var timeProvider = new FixedTimeProvider(now);
         var info = new DeprecationInfo(
-            DeprecatedAt: DateTimeOffset.UtcNow.AddMonths(-12),
+            DeprecatedAt: now.AddMonths(-12),
-            SunsetAt: DateTimeOffset.UtcNow.AddMonths(-1),
+            SunsetAt: now.AddMonths(-1),
             SuccessorPath: "/v1/new");
 
-        Assert.True(info.IsPastSunset);
+        Assert.True(info.IsPastSunsetAt(timeProvider));
     }
 
     [Fact]
     public void DaysUntilSunset_CalculatesCorrectly()
     {
-        var sunset = DateTimeOffset.UtcNow.AddDays(30);
+        var now = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero);
+        var timeProvider = new FixedTimeProvider(now);
+        var sunset = now.AddDays(30);
         var info = new DeprecationInfo(
-            DeprecatedAt: DateTimeOffset.UtcNow,
+            DeprecatedAt: now,
             SunsetAt: sunset,
             SuccessorPath: "/v1/new");
 
-        Assert.Equal(30, info.DaysUntilSunset);
+        Assert.Equal(30, info.DaysUntilSunsetAt(timeProvider));
     }
 
     [Fact]
     public void DaysUntilSunset_WhenPastSunset_ReturnsZero()
     {
+        var now = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero);
+        var timeProvider = new FixedTimeProvider(now);
         var info = new DeprecationInfo(
-            DeprecatedAt: DateTimeOffset.UtcNow.AddMonths(-12),
+            DeprecatedAt: now.AddMonths(-12),
-            SunsetAt: DateTimeOffset.UtcNow.AddMonths(-1),
+            SunsetAt: now.AddMonths(-1),
             SuccessorPath: "/v1/new");
 
-        Assert.Equal(0, info.DaysUntilSunset);
+        Assert.Equal(0, info.DaysUntilSunsetAt(timeProvider));
     }
 
     [Fact]
@@ -69,4 +77,16 @@ public sealed class DeprecationInfoTests
         Assert.Equal("https://docs.example.com", info.DocumentationUrl);
         Assert.Equal("Replaced by new API", info.Reason);
     }
+
+    private sealed class FixedTimeProvider : TimeProvider
+    {
+        private readonly DateTimeOffset _utcNow;
+
+        public FixedTimeProvider(DateTimeOffset utcNow)
+        {
+            _utcNow = utcNow;
+        }
+
+        public override DateTimeOffset GetUtcNow() => _utcNow;
+    }
 }

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/Distribution/ExportDistributionLifecycleTests.cs

@@ -1,6 +1,7 @@
 using Microsoft.Extensions.Logging.Abstractions;
 using StellaOps.ExportCenter.Core.Domain;
 using StellaOps.ExportCenter.WebService.Distribution;
+using StellaOps.Determinism;
 
 namespace StellaOps.ExportCenter.Tests.Distribution;
 
@@ -9,17 +10,20 @@ public sealed class ExportDistributionLifecycleTests
     private readonly InMemoryExportDistributionRepository _repository;
     private readonly ExportDistributionLifecycle _lifecycle;
     private readonly TestTimeProvider _timeProvider;
+    private readonly IGuidProvider _guidProvider;
     private readonly Guid _tenantId = Guid.NewGuid();
     private readonly Guid _runId = Guid.NewGuid();
     private readonly Guid _profileId = Guid.NewGuid();
 
     public ExportDistributionLifecycleTests()
     {
-        _repository = new InMemoryExportDistributionRepository();
         _timeProvider = new TestTimeProvider(new DateTimeOffset(2024, 6, 15, 12, 0, 0, TimeSpan.Zero));
+        _guidProvider = new SequentialGuidProvider();
+        _repository = new InMemoryExportDistributionRepository(_timeProvider);
         _lifecycle = new ExportDistributionLifecycle(
             _repository,
             NullLogger<ExportDistributionLifecycle>.Instance,
+            _guidProvider,
             _timeProvider);
     }
 

src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/Distribution/InMemoryExportDistributionRepositoryTests.cs

@@ -1,20 +1,30 @@
+using Microsoft.Extensions.Options;
 using StellaOps.ExportCenter.Core.Domain;
+using StellaOps.ExportCenter.Tests;
 using StellaOps.ExportCenter.WebService.Distribution;
 
 namespace StellaOps.ExportCenter.Tests.Distribution;
 
 public sealed class InMemoryExportDistributionRepositoryTests
 {
-    private readonly InMemoryExportDistributionRepository _repository = new();
+    private readonly FakeTimeProvider _timeProvider;
+    private readonly InMemoryExportDistributionRepository _repository;
     private readonly Guid _tenantId = Guid.NewGuid();
     private readonly Guid _runId = Guid.NewGuid();
 
+    public InMemoryExportDistributionRepositoryTests()
+    {
+        _timeProvider = new FakeTimeProvider(new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero));
+        _repository = new InMemoryExportDistributionRepository(_timeProvider);
+    }
+
     private ExportDistribution CreateDistribution(
         Guid? distributionId = null,
         Guid? tenantId = null,
         Guid? runId = null,
         string? idempotencyKey = null,
-        ExportDistributionStatus status = ExportDistributionStatus.Pending)
+        ExportDistributionStatus status = ExportDistributionStatus.Pending,
+        DateTimeOffset? createdAt = null)
     {
         return new ExportDistribution
         {
@@ -28,7 +38,7 @@ public sealed class InMemoryExportDistributionRepositoryTests
             ArtifactHash = "sha256:abc123",
             SizeBytes = 1024,
             IdempotencyKey = idempotencyKey,
-            CreatedAt = DateTimeOffset.UtcNow
+            CreatedAt = createdAt ?? _timeProvider.GetUtcNow()
         };
     }
 
@@ -138,7 +148,7 @@ public sealed class InMemoryExportDistributionRepositoryTests
     [Fact]
     public async Task ListExpiredAsync_ReturnsOnlyExpired()
     {
-        var now = DateTimeOffset.UtcNow;
+        var now = _timeProvider.GetUtcNow();
 
         var expired = new ExportDistribution
         {
@@ -151,7 +161,7 @@ public sealed class InMemoryExportDistributionRepositoryTests
             ArtifactPath = "/test",
             RetentionExpiresAt = now.AddDays(-1),
             MarkedForDeletion = false,
-            CreatedAt = now.AddDays(-30)
+            CreatedAt = now.AddHours(-1)
         };
 
         var notExpired = new ExportDistribution
@@ -165,7 +175,7 @@ public sealed class InMemoryExportDistributionRepositoryTests
             ArtifactPath = "/test",
             RetentionExpiresAt = now.AddDays(30),
             MarkedForDeletion = false,
-            CreatedAt = now.AddDays(-30)
+            CreatedAt = now.AddHours(-1)
         };
 
         await _repository.CreateAsync(expired);
@@ -273,6 +283,7 @@ public sealed class InMemoryExportDistributionRepositoryTests
         var updated = await _repository.GetByIdAsync(_tenantId, distribution.DistributionId);
         Assert.True(updated?.MarkedForDeletion);
         Assert.NotNull(updated?.DeletedAt);
+        Assert.Equal(_timeProvider.GetUtcNow(), updated?.DeletedAt);
     }
 
     [Fact]
@@ -339,4 +350,50 @@ public sealed class InMemoryExportDistributionRepositoryTests
         var result = _repository.ListByRunAsync(_tenantId, _runId).GetAwaiter().GetResult();
         Assert.Empty(result);
     }
+
+    [Fact]
+    public async Task PruneStale_RemovesEntriesBeyondRetention()
+    {
+        var options = Options.Create(new InMemoryExportDistributionOptions
+        {
+            RetentionPeriod = TimeSpan.FromHours(1),
+            MaxEntries = 0
+        });
+        var timeProvider = new FakeTimeProvider(new DateTimeOffset(2025, 1, 1, 12, 0, 0, TimeSpan.Zero));
+        var repository = new InMemoryExportDistributionRepository(timeProvider, options);
+
+        var stale = CreateDistribution(createdAt: timeProvider.GetUtcNow().AddHours(-2));
+        var fresh = CreateDistribution(createdAt: timeProvider.GetUtcNow().AddMinutes(-30));
+
+        await repository.CreateAsync(stale);
+        await repository.CreateAsync(fresh);
+
+        var result = await repository.ListByRunAsync(_tenantId, _runId);
+
+        Assert.Single(result);
+        Assert.Equal(fresh.DistributionId, result[0].DistributionId);
+    }
+
+    [Fact]
+    public async Task PruneStale_RespectsMaxEntries()
+    {
+        var options = Options.Create(new InMemoryExportDistributionOptions
+        {
+            RetentionPeriod = TimeSpan.Zero,
+            MaxEntries = 1
+        });
+        var timeProvider = new FakeTimeProvider(new DateTimeOffset(2025, 1, 1, 12, 0, 0, TimeSpan.Zero));
+        var repository = new InMemoryExportDistributionRepository(timeProvider, options);
+
+        var older = CreateDistribution(createdAt: timeProvider.GetUtcNow().AddMinutes(-10));
+        var newer = CreateDistribution(createdAt: timeProvider.GetUtcNow());
+
+        await repository.CreateAsync(older);
+        await repository.CreateAsync(newer);
+
+        var result = await repository.ListByRunAsync(_tenantId, _runId);
+
+        Assert.Single(result);
+        Assert.Equal(newer.DistributionId, result[0].DistributionId);
+    }
 }