Add execution waves documentation and function-level evidence readiness memo

- Created `execution-waves.md` to outline the execution waves for sprints, detailing shared prerequisites, parallelism guidance, and specific sprints involved in each wave. - Added `function-level-evidence.md` to capture the requirements for stable function-level evidence in Stella Ops scanners, including goals, scope, advisory requirements, workstreams, schema/API touchpoints, and a handoff checklist for the next agent.
2025-11-09 23:06:33 +02:00
parent cef4cb2c5a
commit 9df52d84aa
15 changed files with 751 additions and 56 deletions
--- a/docs/implplan/SPRINT_110_ingestion_evidence.md
+++ b/docs/implplan/SPRINT_110_ingestion_evidence.md
@@ -2,6 +2,15 @@

 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).

+## Wave coordination
+
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 110.A AdvisoryAI | Advisory AI Guild · Docs Guild · SBOM Service Guild | Sprint 100.A – Attestor (closed 2025-11-09 per `docs/implplan/archived/SPRINT_100_identity_signing.md`) | DOING | WebService/Worker orchestration, guardrails, and docs are live; continue console/CLI coverage as endpoints land. |
+| 110.B Concelier | Concelier Core & WebService Guilds · Observability Guild · AirGap Guilds (Importer/Policy/Time) | Sprint 100.A – Attestor | DOING | Telemetry wiring started; mirror/air-gap tasks unlocked with AdvisoryAI evidence dependencies met. |
+| 110.C Excititor | Excititor WebService/Core Guilds · Observability Guild · Evidence Locker Guild | Sprint 100.A – Attestor | DOING | VEX justification enrichment and provenance metadata are underway; keep Link-Not-Merge blockers tracked. |
+| 110.D Mirror | Mirror Creator Guild · Exporter Guild · CLI Guild · AirGap Time Guild | Sprint 100.A – Attestor | TODO | Deterministic bundle assembler remains the gating task before DSSE/OCI work can proceed. |
+
 ## Status Snapshot (2025-11-04)

 - **Advisory AI** – 5 of 11 tasks are DONE (AIAI-31-001, AIAI-31-002, AIAI-31-003, AIAI-31-010, AIAI-31-011); orchestration pipeline (AIAI-31-004) and host wiring (AIAI-31-004A) remain TODO while downstream guardrails, CLI, and observability tracks (AIAI-31-004B/004C and AIAI-31-005 through AIAI-31-009) stay TODO pending cache/guardrail implementation and WebService/Worker hardening.
--- a/docs/implplan/SPRINT_140_runtime_signals.md
+++ b/docs/implplan/SPRINT_140_runtime_signals.md
@@ -4,4 +4,13 @@ Active items only. Completed/historic work now resides in docs/implplan/archived

 This file now only tracks the runtime & signals status snapshot. Active backlog lives in Sprint 141+ files.

+# Wave coordination
+
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 140.A Graph | Graph Indexer Guild · Observability Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner (phase I tracked under `docs/implplan/SPRINT_130_scanner_surface.md`) | TODO | Hold until Scanner surface work emits the analyzer artifacts required for clustering jobs. |
+| 140.B SbomService | SBOM Service Guild · Cartographer Guild · Observability Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner | TODO | Projection schema remains blocked on Concelier outputs; keep AirGap parity requirements in scope. |
+| 140.C Signals | Signals Guild · Authority Guild (for scopes) · Runtime Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner | DOING | API skeleton and callgraph ingestion are active; runtime facts endpoint still depends on the same shared prerequisites. |
+| 140.D Zastava | Zastava Observer/Webhook Guilds · Security Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner | TODO | Surface.FS integration waits on Scanner surface caches; prep sealed-mode env helpers meanwhile. |
+
 # Sprint 140 - Runtime & Signals
--- a/docs/implplan/SPRINT_150_scheduling_automation.md
+++ b/docs/implplan/SPRINT_150_scheduling_automation.md
@@ -4,4 +4,13 @@ Active items only. Completed/historic work now resides in docs/implplan/archived

 This file now only tracks the scheduling & automation status snapshot. Active backlog lives in Sprint 151+ files.

+# Wave coordination
+
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 150.A Orchestrator | Orchestrator Service Guild · AirGap Policy/Controller Guilds · Observability Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 140.A – Graph | TODO | Pending confirmation that Scanner surface artifacts are ready; keep job telemetry work prepped for fast start. |
+| 150.B PacksRegistry | Packs Registry Guild · Exporter Guild · Security Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 140.A – Graph | TODO | Blocked on Orchestrator tenancy scaffolding; specs are ready once 150.A flips to DOING. |
+| 150.C Scheduler | Scheduler WebService/Worker Guilds · Findings Ledger Guild · Observability Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 140.A – Graph | TODO | Impact index improvements need Graph overlays; hold until 140.A status improves. |
+| 150.D TaskRunner | Task Runner Guild · AirGap Guilds · Evidence Locker Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 140.A – Graph | TODO | Execution engine upgrades staged; start once Orchestrator/Scheduler telemetry baselines exist. |
+
 # Sprint 150 - Scheduling & Automation
--- a/docs/implplan/SPRINT_160_export_evidence.md
+++ b/docs/implplan/SPRINT_160_export_evidence.md
@@ -4,4 +4,12 @@ Active items only. Completed/historic work now resides in docs/implplan/archived

 This file now only tracks the export & evidence status snapshot. Active backlog lives in Sprint 161+ files.

+# Wave coordination
+
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 160.A EvidenceLocker | Evidence Locker Guild · Security Guild · Docs Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | TODO | Waiting for orchestrator capsule data and AdvisoryAI evidence bundles to stabilize before wiring ingestion APIs. |
+| 160.B ExportCenter | Exporter Service Guild · Mirror Creator Guild · DevOps Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | TODO | Profiles can begin once EvidenceLocker contracts are published; keep DSSE/attestation specs ready. |
+| 160.C TimelineIndexer | Timeline Indexer Guild · Evidence Locker Guild · Security Guild | Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator | TODO | Postgres/RLS scaffolding drafted; hold for event schemas from orchestrator/notifications. |
+
 # Sprint 160 - Export & Evidence
--- a/docs/implplan/SPRINT_170_notifications_telemetry.md
+++ b/docs/implplan/SPRINT_170_notifications_telemetry.md
@@ -4,4 +4,11 @@ Active items only. Completed/historic work now resides in docs/implplan/archived

 This file now only tracks the notifications & telemetry status snapshot. Active backlog lives in Sprint 171+ files.

+# Wave coordination
+
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 170.A Notifier | Notifications Service Guild · Attestor Service Guild · Observability Guild | Sprint 150.A – Orchestrator | TODO | Needs orchestrator job events/attest data; keep templates staged for when job attestations land. |
+| 170.B Telemetry | Telemetry Core Guild · Observability Guild · Security Guild | Sprint 150.A – Orchestrator | TODO | Library scaffolding is ready but should launch once orchestrator/Policy consumers can adopt shared helpers. |
+
 # Sprint 170 - Notifications & Telemetry
--- a/docs/implplan/SPRINT_200_experience_sdks.md
+++ b/docs/implplan/SPRINT_200_experience_sdks.md
@@ -3,3 +3,14 @@
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).

 This file now only tracks the Experience & SDKs status snapshot. Active backlog lives in Sprint 201 and later files.
+
+## Wave coordination
+
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 180.A CLI | DevEx/CLI Guild · Advisory AI Guild (for CLI verbs) · Evidence Locker Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator; Sprint 170.A – Notifier | TODO | Commands stay blocked on orchestrator + notifier scopes; finalize auth/output scaffolding so we can flip to DOING quickly. |
+| 180.B DevPortal | Developer Portal Guild · SDK Generator Guild · Platform Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator; Sprint 170.A – Notifier | TODO | Static site generator selection is pending; coordinate with CLI/SDK teams for shared examples. |
+| 180.C Graph Experiences (CLI/SDK) | Graph Guild · SDK Generator Guild · Policy Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator; Sprint 170.A – Notifier | TODO | Wait on Graph Indexer APIs from Sprint 141 before wiring SDK quickstarts. |
+| 180.D SDK | SDK Generator Guild · Service Guilds providing OpenAPI | Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator; Sprint 170.A – Notifier | TODO | Downstream of orchestrator/export OAS consolidation; keep templates updated. |
+| 180.E UI | UI Guild · Console Guild · Notifications Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator; Sprint 170.A – Notifier | TODO | Exception center & graph canvas rely on policy/graph APIs; hold until upstream signals stabilize. |
+| 180.F Web | BE-Base Platform Guild · Platform Events Guild · Notifications Guild | Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 150.A – Orchestrator; Sprint 170.A – Notifier | TODO | Gateway routing can start once AdvisoryAI/Export endpoints finalize; prepare guard helpers now. |
--- a/docs/implplan/SPRINT_300_documentation_process.md
+++ b/docs/implplan/SPRINT_300_documentation_process.md
@@ -3,3 +3,10 @@
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).

 This file now only tracks the documentation & process status snapshot. Active backlog lives in Sprint 301 and later files.
+
+## Wave coordination
+
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 200.A Docs Tasks.md ladder | Docs Guild · Ops Guild (for air-gap content) | Sprint 100.A – Attestor; Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 140.A – Graph; Sprint 150.A – Orchestrator; Sprint 160.A – EvidenceLocker; Sprint 170.A – Notifier; Sprint 180.A – CLI; Sprint 190.A – Ops Deployment | TODO | Tasks Md.I must flip to DOING first; each subsequent Md stage depends on the prior file, so keep sequencing strict. |
+| 200.B Module dossiers | Docs Guild · Respective Module Guilds (Authority, Concelier, etc.) | Same as above plus Ops Deployment evidence (Sprint 190.A) | TODO | Once Docs Tasks Md.I captures the updated process, we can move the per-module sprints (312‑335) to DOING in parallel; verify each module's AGENTS file before editing. |
--- a/docs/implplan/SPRINT_301_docs_tasks_md_i.md
+++ b/docs/implplan/SPRINT_301_docs_tasks_md_i.md
@@ -18,6 +18,6 @@ DOCS-AIRGAP-56-003 | TODO | Create `/docs/airgap/mirror-bundles.md` describing b
 DOCS-AIRGAP-56-004 | TODO | Publish `/docs/airgap/bootstrap.md` detailing Bootstrap Pack creation, validation, and install procedures. Dependencies: DOCS-AIRGAP-56-003. | Docs Guild, Deployment Guild (docs)
 DOCS-AIRGAP-57-001 | TODO | Write `/docs/airgap/staleness-and-time.md` explaining time anchors, drift policies, staleness budgets, and UI indicators. Dependencies: DOCS-AIRGAP-56-004. | Docs Guild, AirGap Time Guild (docs)
 DOCS-AIRGAP-57-002 | TODO | Publish `/docs/console/airgap.md` covering sealed badge, import wizard, staleness dashboards. Dependencies: DOCS-AIRGAP-57-001. | Docs Guild, Console Guild (docs)
-DOCS-SCANNER-DET-01 | TODO | Author `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates describing fragment DSSE, `_composition.json`, and offline verification (ties to Sprint 136 tasks). | Docs Guild, Scanner Guild (docs)
+DOCS-SCANNER-DET-01 | DOING (2025-11-09) | Author `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates describing fragment DSSE, `_composition.json`, and offline verification (ties to Sprint 136 tasks). Draft spec seeded in repo; remaining work covers guide updates + review. | Docs Guild, Scanner Guild (docs)
 DOCS-POLICY-DET-01 | TODO | Extend `docs/modules/policy/architecture.md` with determinism gate semantics, SPL examples, and provenance references for UI badge/policy blockers. | Docs Guild, Policy Guild (docs)
 DOCS-CLI-DET-01 | TODO | Document new `stella sbomer` verbs (`layer`, `compose`, `drift`, `verify`) with examples, exit codes, and Offline Kit instructions in `docs/cli/commands/sbomer.md`. Dependencies: CLI-SBOM-60-001/002. | Docs Guild, DevEx/CLI Guild (docs)
--- a/docs/implplan/SPRINT_400_runtime_facts_static_callgraph_union.md
+++ b/docs/implplan/SPRINT_400_runtime_facts_static_callgraph_union.md
@@ -15,7 +15,7 @@ SIGNALS-REACH-201-004 | DOING (2025-11-08) | Build the reachability scoring engi
 REPLAY-REACH-201-005 | DOING (2025-11-08) | Update `StellaOps.Replay.Core` manifest schema + bundle writer so replay packs capture reachability graphs, runtime traces, analyzer versions, and evidence hashes; document new CAS namespace. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`)
 DOCS-REACH-201-006 | TODO | Author the reachability doc set (`docs/signals/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operators’ workflow. | Docs Guild (`docs`)
 QA-REACH-201-007 | TODO | Integrate `reachbench-2025-expanded` fixture pack under `tests/reachability/`, add evaluator harness tests that validate reachable vs unreachable cases, and wire CI guidance for deterministic runs. | QA Guild (`tests/README.md`)
-SCAN-GAP-201-008 | TODO | Deliver binary/language Symbolizers that emit `richgraph-v1` payloads with canonical `SymbolID = {file:hash, section, addr, name, linkage}`, persist them to CAS via `StellaOps.Scanner.Reachability`, and document analyzer knobs. See `docs/reachability/REACHABILITY_GAP_TASKS.md#3`. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`)
-ZASTAVA-GAP-201-009 | TODO | Implement runtime NDJSON emission (`SymbolID`, hit counts, CAS URIs, entrypoint context) and ship operator runbook `docs/runbooks/reachability-runtime.md`, wiring `/signals/runtime-facts` once Sprint 401 endpoint lands. See `docs/reachability/REACHABILITY_GAP_TASKS.md#3`. | Zastava Observer Guild (`src/Zastava/StellaOps.Zastava.Observer`, `docs/modules/zastava/architecture.md`)
+GAP-SCAN-001 | TODO | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical `SymbolID = {file:hash, section, addr, name, linkage}` plus `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`)
+GAP-ZAS-002 | TODO | Stream runtime NDJSON batches carrying `{symbol_id, code_id, hit_count, loader_base}` plus CAS URIs, capture build-ids/entrypoints, and draft the operator runbook (`docs/runbooks/reachability-runtime.md`). Integrate with `/signals/runtime-facts` once Sprint 401 lands ingestion. | Zastava Observer Guild (`src/Zastava/StellaOps.Zastava.Observer`, `docs/modules/zastava/architecture.md`, `docs/reachability/function-level-evidence.md`)

 > 2025-11-07: reachbench starter + expanded packs staged under repo root; consuming guilds must relocate fixtures into `tests/reachability/fixtures/` as part of QA-REACH-201-007 before enabling CI.
--- a/docs/implplan/SPRINT_401_reachability_evidence_chain.md
+++ b/docs/implplan/SPRINT_401_reachability_evidence_chain.md
@@ -3,9 +3,16 @@
 _Window:_ November 11 – November 22, 2025  
 _Theme:_ Finish the provable reachability pipeline (graph CAS → replay → DSSE → policy/UI) so Sprint 402 can focus on polish.

+## Wave coordination
+
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 401 Reachability Evidence Chain | Scanner Guild · Signals Guild · BE-Base Platform Guild · Policy Guild · UI/CLI Guilds · Docs Guild | Sprint 140 Runtime & Signals; Sprint 185 – Replay Core; Sprint 186 – Scanner Record Mode; Sprint 187 – Evidence Locker & CLI Integration | TODO | Foundation work (Sprint 400) is still in flight; advance only after Scanner record mode emits replay manifests and Evidence Locker APIs exist. |
+
 | Task ID | State | Task description | Owners (Source) |
 |---------|-------|------------------|-----------------|
 | GRAPH-CAS-401-001 | TODO | Finalize richgraph schema (`richgraph-v1`), emit canonical SymbolIDs, compute graph hash (BLAKE3), and store CAS manifests under `cas://reachability/graphs/{sha256}`. Update Scanner Worker adapters + fixtures. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`) |
+| GAP-SYM-007 | TODO | Extend reachability evidence schema/DTOs with demangled symbol hints, `symbol.source`, confidence, and optional `code_block_hash`; ensure Scanner SBOM/evidence writers and CLI serializers emit the new fields deterministically. | Scanner Worker Guild & Docs Guild (`src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) |
 | SIGNALS-RUNTIME-401-002 | TODO | Ship `/signals/runtime-facts` ingestion for NDJSON (and gzip) batches, dedupe hits, and link runtime evidence CAS URIs to callgraph nodes. Include retention + RBAC tests. | Signals Guild (`src/Signals/StellaOps.Signals`) |
 | SIGNALS-SCORING-401-003 | TODO | Extend `ReachabilityScoringService` to lattice states (`Unknown/NotPresent/Unreachable/Conditional/Reachable/Observed`), persist predicates + blocked edges, and expose `/graphs/{scanId}` CAS lookups. | Signals Guild (`src/Signals/StellaOps.Signals`) |
 | REPLAY-401-004 | TODO | Bump replay manifest to v2 (feeds, analyzers, policies), have `ReachabilityReplayWriter` enforce CAS registration + hash sorting, and add deterministic tests to `tests/reachability/StellaOps.Reachability.FixtureTests`. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) |
@@ -13,9 +20,10 @@ _Theme:_ Finish the provable reachability pipeline (graph CAS → replay → DSS
 | POLICY-VEX-401-006 | TODO | Policy Engine consumes reachability facts, emits OpenVEX with evidence references, updates SPL schema with `reachability.state/confidence` predicates, and produces API metrics. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) |
 | UI-CLI-401-007 | TODO | Implement CLI `stella graph explain` + UI explain drawer showing signed call-path, predicates, runtime hits, and DSSE pointers; include counterfactual controls. | UI & CLI Guilds (`src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`) |
 | QA-DOCS-401-008 | TODO | Wire `reachbench-2025-expanded` fixtures into CI, document CAS layouts + replay steps in `docs/reachability/DELIVERY_GUIDE.md`, and publish operator runbook for runtime ingestion. | QA & Docs Guilds (`docs`, `tests/README.md`) |
-| SIGNALS-GAP-401-009 | TODO | Track `/signals/runtime-facts` GA and lattice scoring thresholds (policy-driven `max_path_conf`) with CAS-backed runtime storage per `docs/reachability/REACHABILITY_GAP_TASKS.md#3`. Emit `signals.fact.updated` events + retention docs. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/reachability/REACHABILITY_GAP_TASKS.md`) |
-| REPLAY-GAP-401-010 | TODO | Enforce BLAKE3 hashing + CAS registration for graphs/traces before manifest writes and document schema v2 impacts. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md`) |
-| POLICY-GAP-401-011 | TODO | Implement policy thresholds + OpenVEX evidence references (graph hash, runtime facts) so `status=affected` only when confidence ≥ configured value. Update SPL + API docs. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`) |
-| EXPERIENCE-GAP-401-012 | TODO | Expose reachability evidence to CLI/UI (explain drawer, `--evidence=graph`, `--threshold`) and update Notify templates + API reference accordingly. | UI & CLI Guilds, Notify Guild (`src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md`) |
+| GAP-SIG-003 | TODO | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states (`Unknown/NotPresent/Unreachable/Conditional/Reachable/Observed`), and emit `signals.fact.updated` events. Document retention/RBAC. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md`) |
+| GAP-REP-004 | TODO | Enforce BLAKE3 hashing + CAS registration for graphs/traces before manifest writes, upgrade replay manifest v2 with analyzer versions/policy thresholds, and add deterministic tests. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md`) |
+| GAP-POL-005 | TODO | Ingest reachability facts into Policy Engine, expose `reachability.state/confidence` in SPL/API, and generate OpenVEX evidence blocks referencing graph hashes + runtime facts with policy thresholds. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`, `docs/reachability/function-level-evidence.md`) |
+| GAP-VEX-006 | TODO | Wire Policy/Excititor/UI/CLI surfaces so VEX emission and explain drawers show call paths, graph hashes, and runtime hits; add CLI `--evidence=graph`/`--threshold` plus Notify template updates. | Policy, Excititor, UI, CLI & Notify Guilds (`docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md`) |
+| GAP-DOC-008 | TODO | Publish the cross-module function-level evidence guide, update API/CLI references with the new `code_id` fields, and add OpenVEX/replay samples under `samples/reachability/**`. | Docs Guild (`docs/reachability/function-level-evidence.md`, `docs/09_API_CLI_REFERENCE.md`, `docs/api/policy.md`) |

 > Use `docs/reachability/DELIVERY_GUIDE.md` for architecture context, dependencies, and acceptance tests.
--- a/docs/implplan/SPRINT_500_ops_offline.md
+++ b/docs/implplan/SPRINT_500_ops_offline.md
@@ -3,3 +3,13 @@
 Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).

 This file now only tracks the Ops & Offline status snapshot. Active backlog lives in Sprint 501 and later files.
+
+## Wave coordination
+
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 190.A Ops Deployment | Deployment Guild · DevEx Guild · Advisory AI Guild | Sprint 100.A – Attestor; Sprint 110.A – AdvisoryAI; Sprint 120.A – AirGap; Sprint 130.A – Scanner; Sprint 140.A – Graph; Sprint 150.A – Orchestrator; Sprint 160.A – EvidenceLocker; Sprint 170.A – Notifier; Sprint 180.A – CLI | TODO | Compose/Helm quickstarts can move to DOING once orchestrator + notifier deployments are validated in staging. |
+| 190.B Ops DevOps | DevOps Guild · Security Guild · Mirror Creator Guild | Same as above | TODO | Sealed-mode CI harness is partially in place (DEVOPS-AIRGAP-57-002 DOING); keep remaining egress/offline tasks gated on Ops Deployment readiness. |
+| 190.C Ops Offline Kit | Offline Kit Guild · Packs Registry Guild · Exporter Guild | Same as above | TODO | Needs artifacts from Ops Deployment & DevOps waves (mirror bundles, sealed-mode verification). |
+| 190.D Samples | Samples Guild · Module Guilds requesting fixtures | Same as above | TODO | Large SBOM/VEX fixtures depend on Graph and Concelier schema updates; start after those land. |
+| 190.E AirGap Controller | AirGap Controller Guild · DevOps Guild · Authority Guild | Same as above | TODO | Seal/unseal state machine should launch only after Attestor/Authority sealed-mode changes are confirmed in Ops Deployment. |
--- a/docs/implplan/execution-waves.md
+++ b/docs/implplan/execution-waves.md
@@ -0,0 +1,563 @@
+# Execution Waves
+
+_Generated on 2025-11-09 after scanning docs/implplan/SPRINT_*.md._
+
+Each wave groups sprints that declare the same leading dependency. Start waves only when their shared prerequisites are satisfied; if a prerequisite references another sprint, treat the wave as sequential until that sprint is DONE.
+
+## Wave 1 — Foundational / No explicit dependency
+
+- Shared prerequisite(s): None (explicit)
+- Parallelism guidance: No upstream sprint recorded; confirm module AGENTS and readiness gates before parallel execution.
+- Sprints:
+  - SPRINT_110_ingestion_evidence.md — Sprint 110 - Ingestion & Evidence
+  - SPRINT_130_scanner_surface.md — Sprint 130 - Scanner & Surface
+  - SPRINT_137_scanner_gap_design.md — Sprint 137 - Scanner & Surface
+  - SPRINT_138_scanner_ruby_parity.md — Sprint 138 - Scanner & Surface
+  - SPRINT_140_runtime_signals.md — Sprint 140 - Runtime & Signals
+  - SPRINT_150_scheduling_automation.md — Sprint 150 - Scheduling & Automation
+  - SPRINT_160_export_evidence.md — Sprint 160 - Export & Evidence
+  - SPRINT_170_notifications_telemetry.md — Sprint 170 - Notifications & Telemetry
+  - SPRINT_200_experience_sdks.md — Sprint 200 - Experience & SDKs
+  - SPRINT_300_documentation_process.md — Sprint 300 - Documentation & Process
+  - SPRINT_401_reachability_evidence_chain.md — Sprint 401 – Reachability Evidence Chain
+  - SPRINT_500_ops_offline.md — Sprint 500 - Ops & Offline
+
+## Wave 2 — Sprint 100.A - Attestor
+
+- Shared prerequisite(s): Sprint 100.A - Attestor
+- Parallelism guidance: Prerequisite Sprint 100.A (Attestor) closed on 2025-11-09; these sprints may run together once module blockers clear.
+- Sprints:
+  - SPRINT_111_advisoryai.md — Sprint 111 - Ingestion & Evidence · 110.A) AdvisoryAI
+  - SPRINT_112_concelier_i.md — Sprint 112 - Ingestion & Evidence · 110.B) Concelier.I
+  - SPRINT_119_excititor_i.md — Sprint 119 - Ingestion & Evidence · 110.C) Excititor.I
+  - SPRINT_125_mirror.md — Sprint 125 - Ingestion & Evidence · 110.D) Mirror
+
+## Wave 3 — Sprint 110.B - Concelier.I
+
+- Shared prerequisite(s): Sprint 110.B - Concelier.I
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_113_concelier_ii.md — Sprint 113 - Ingestion & Evidence · 110.B) Concelier.II
+
+## Wave 4 — Sprint 110.B - Concelier.II
+
+- Shared prerequisite(s): Sprint 110.B - Concelier.II
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_114_concelier_iii.md — Sprint 114 - Ingestion & Evidence · 110.B) Concelier.III
+
+## Wave 5 — Sprint 110.B - Concelier.III
+
+- Shared prerequisite(s): Sprint 110.B - Concelier.III
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_115_concelier_iv.md — Sprint 115 - Ingestion & Evidence · 110.B) Concelier.IV
+
+## Wave 6 — Sprint 110.B - Concelier.IV
+
+- Shared prerequisite(s): Sprint 110.B - Concelier.IV
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_116_concelier_v.md — Sprint 116 - Ingestion & Evidence · 110.B) Concelier.V
+
+## Wave 7 — Sprint 110.B - Concelier.V
+
+- Shared prerequisite(s): Sprint 110.B - Concelier.V
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_117_concelier_vi.md — Sprint 117 - Ingestion & Evidence · 110.B) Concelier.VI
+
+## Wave 8 — Sprint 110.C - Excititor.I
+
+- Shared prerequisite(s): Sprint 110.C - Excititor.I
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_120_excititor_ii.md — Sprint 120 - Ingestion & Evidence · 110.C) Excititor.II
+
+## Wave 9 — Sprint 110.A - AdvisoryAI (must land before this track).
+
+- Shared prerequisite(s): Sprint 110.A - AdvisoryAI (must land before this track).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_120_policy_reasoning.md — Sprint 120 - Policy & Reasoning
+  - SPRINT_123_policy_reasoning.md — Sprint 123 - Policy & Reasoning
+
+## Wave 10 — Sprint 110.C - Excititor.II
+
+- Shared prerequisite(s): Sprint 110.C - Excititor.II
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_121_excititor_iii.md — Sprint 121 - Ingestion & Evidence · 110.C) Excititor.III
+
+## Wave 11 — Sprint 120.B - Findings.I (must land before this track).
+
+- Shared prerequisite(s): Sprint 120.B - Findings.I (must land before this track).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_121_policy_reasoning.md — Sprint 121 - Policy & Reasoning
+
+## Wave 12 — Sprint 110.C - Excititor.III
+
+- Shared prerequisite(s): Sprint 110.C - Excititor.III
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_122_excititor_iv.md — Sprint 122 - Ingestion & Evidence · 110.C) Excititor.IV
+
+## Wave 13 — Sprint 120.B - Findings.II (must land before this track).
+
+- Shared prerequisite(s): Sprint 120.B - Findings.II (must land before this track).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_122_policy_reasoning.md — Sprint 122 - Policy & Reasoning
+
+## Wave 14 — Sprint 110.C - Excititor.IV
+
+- Shared prerequisite(s): Sprint 110.C - Excititor.IV
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_123_excititor_v.md — Sprint 123 - Ingestion & Evidence · 110.C) Excititor.V
+
+## Wave 15 — Sprint 110.C - Excititor.V
+
+- Shared prerequisite(s): Sprint 110.C - Excititor.V
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_124_excititor_vi.md — Sprint 124 - Ingestion & Evidence · 110.C) Excititor.VI
+
+## Wave 16 — Sprint 120.C - Policy.I (must land before this track).
+
+- Shared prerequisite(s): Sprint 120.C - Policy.I (must land before this track).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_124_policy_reasoning.md — Sprint 124 - Policy & Reasoning
+
+## Wave 17 — Sprint 120.C - Policy.II (must land before this track).
+
+- Shared prerequisite(s): Sprint 120.C - Policy.II (must land before this track).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_125_policy_reasoning.md — Sprint 125 - Policy & Reasoning
+
+## Wave 18 — Sprint 120.C - Policy.III (must land before this track).
+
+- Shared prerequisite(s): Sprint 120.C - Policy.III (must land before this track).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_126_policy_reasoning.md — Sprint 126 - Policy & Reasoning
+
+## Wave 19 — Sprint 120.C - Policy.IV (must land before this track).
+
+- Shared prerequisite(s): Sprint 120.C - Policy.IV (must land before this track).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_127_policy_reasoning.md — Sprint 127 - Policy & Reasoning
+
+## Wave 20 — Sprint 120.C - Policy.V (must land before this track).
+
+- Shared prerequisite(s): Sprint 120.C - Policy.V (must land before this track).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_128_policy_reasoning.md — Sprint 128 - Policy & Reasoning
+
+## Wave 21 — Sprint 120.C - Policy.VI (must land before this track).
+
+- Shared prerequisite(s): Sprint 120.C - Policy.VI (must land before this track).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_129_policy_reasoning.md — Sprint 129 - Policy & Reasoning
+
+## Wave 22 — Sprint 130 - 1. Scanner.I — Scanner & Surface focus on Scanner (phase I).
+
+- Shared prerequisite(s): Sprint 130 - 1. Scanner.I — Scanner & Surface focus on Scanner (phase I).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_131_scanner_surface.md — Sprint 131 - Scanner & Surface
+
+## Wave 23 — Sprint 131 - 2. Scanner.II — Scanner & Surface focus on Scanner (phase II).
+
+- Shared prerequisite(s): Sprint 131 - 2. Scanner.II — Scanner & Surface focus on Scanner (phase II).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_132_scanner_surface.md — Sprint 132 - Scanner & Surface
+
+## Wave 24 — Sprint 132 - 3. Scanner.III — Scanner & Surface focus on Scanner (phase III).
+
+- Shared prerequisite(s): Sprint 132 - 3. Scanner.III — Scanner & Surface focus on Scanner (phase III).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_133_scanner_surface.md — Sprint 133 - Scanner & Surface
+
+## Wave 25 — Sprint 133 - 4. Scanner.IV — Scanner & Surface focus on Scanner (phase IV).
+
+- Shared prerequisite(s): Sprint 133 - 4. Scanner.IV — Scanner & Surface focus on Scanner (phase IV).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_134_scanner_surface.md — Sprint 134 - Scanner & Surface
+
+## Wave 26 — Sprint 134 - 5. Scanner.V — Scanner & Surface focus on Scanner (phase V).
+
+- Shared prerequisite(s): Sprint 134 - 5. Scanner.V — Scanner & Surface focus on Scanner (phase V).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_135_scanner_surface.md — Sprint 135 - Scanner & Surface
+
+## Wave 27 — Sprint 135 - 6. Scanner.VI — Scanner & Surface focus on Scanner (phase VI).
+
+- Shared prerequisite(s): Sprint 135 - 6. Scanner.VI — Scanner & Surface focus on Scanner (phase VI).
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_136_scanner_surface.md — Sprint 136 - Scanner & Surface
+
+## Wave 28 — Sprint 120.A - AirGap, Sprint 130.A - Scanner
+
+- Shared prerequisite(s): Sprint 120.A - AirGap, Sprint 130.A - Scanner
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_141_graph.md — Sprint 141 - Runtime & Signals · 140.A) Graph
+  - SPRINT_142_sbomservice.md — Sprint 142 - Runtime & Signals · 140.B) SbomService
+  - SPRINT_143_signals.md — Sprint 143 - Runtime & Signals · 140.C) Signals
+  - SPRINT_144_zastava.md — Sprint 144 - Runtime & Signals · 140.D) Zastava
+
+## Wave 29 — Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph
+
+- Shared prerequisite(s): Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_151_orchestrator_i.md — Sprint 151 - Scheduling & Automation · 150.A) Orchestrator.I
+  - SPRINT_154_packsregistry.md — Sprint 154 - Scheduling & Automation · 150.B) PacksRegistry
+  - SPRINT_155_scheduler_i.md — Sprint 155 - Scheduling & Automation · 150.C) Scheduler.I
+  - SPRINT_157_taskrunner_i.md — Sprint 157 - Scheduling & Automation · 150.D) TaskRunner.I
+
+## Wave 30 — Sprint 150.A - Orchestrator.I
+
+- Shared prerequisite(s): Sprint 150.A - Orchestrator.I
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_152_orchestrator_ii.md — Sprint 152 - Scheduling & Automation · 150.A) Orchestrator.II
+
+## Wave 31 — Sprint 150.A - Orchestrator.II
+
+- Shared prerequisite(s): Sprint 150.A - Orchestrator.II
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_153_orchestrator_iii.md — Sprint 153 - Scheduling & Automation · 150.A) Orchestrator.III
+
+## Wave 32 — Sprint 150.C - Scheduler.I
+
+- Shared prerequisite(s): Sprint 150.C - Scheduler.I
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_156_scheduler_ii.md — Sprint 156 - Scheduling & Automation · 150.C) Scheduler.II
+
+## Wave 33 — Sprint 150.D - TaskRunner.I
+
+- Shared prerequisite(s): Sprint 150.D - TaskRunner.I
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_158_taskrunner_ii.md — Sprint 158 - Scheduling & Automation · 150.D) TaskRunner.II
+
+## Wave 34 — Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator
+
+- Shared prerequisite(s): Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_161_evidencelocker.md — Sprint 161 - Export & Evidence · 160.A) EvidenceLocker
+  - SPRINT_162_exportcenter_i.md — Sprint 162 - Export & Evidence · 160.B) ExportCenter.I
+  - SPRINT_165_timelineindexer.md — Sprint 165 - Export & Evidence · 160.C) TimelineIndexer
+
+## Wave 35 — Sprint 160.B - ExportCenter.I
+
+- Shared prerequisite(s): Sprint 160.B - ExportCenter.I
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_163_exportcenter_ii.md — Sprint 163 - Export & Evidence · 160.B) ExportCenter.II
+
+## Wave 36 — Sprint 160.B - ExportCenter.II
+
+- Shared prerequisite(s): Sprint 160.B - ExportCenter.II
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_164_exportcenter_iii.md — Sprint 164 - Export & Evidence · 160.B) ExportCenter.III
+
+## Wave 37 — Sprint 150.A - Orchestrator
+
+- Shared prerequisite(s): Sprint 150.A - Orchestrator
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_171_notifier_i.md — Sprint 171 - Notifications & Telemetry · 170.A) Notifier.I
+  - SPRINT_174_telemetry.md — Sprint 174 - Notifications & Telemetry · 170.B) Telemetry
+
+## Wave 38 — Sprint 170.A - Notifier.I
+
+- Shared prerequisite(s): Sprint 170.A - Notifier.I
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_172_notifier_ii.md — Sprint 172 - Notifications & Telemetry · 170.A) Notifier.II
+
+## Wave 39 — Sprint 170.A - Notifier.II
+
+- Shared prerequisite(s): Sprint 170.A - Notifier.II
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_173_notifier_iii.md — Sprint 173 - Notifications & Telemetry · 170.A) Notifier.III
+
+## Wave 40 — Sprint 160 Export & Evidence
+
+- Shared prerequisite(s): Sprint 160 Export & Evidence
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_185_shared_replay_primitives.md — Sprint 185 - Replay Core · 185.A) Shared Replay Primitives
+
+## Wave 41 — Sprint 185 Replay Core Foundations, Sprint 130 Scanner & Surface
+
+- Shared prerequisite(s): Sprint 185 Replay Core Foundations, Sprint 130 Scanner & Surface
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_186_record_deterministic_execution.md — Sprint 186 - Scanner Replay · 186.A) Record & Deterministic Execution
+
+## Wave 42 — Sprint 186 Scanner Record Mode, Sprint 160 Export & Evidence, Sprint 180 Experience & SDKs
+
+- Shared prerequisite(s): Sprint 186 Scanner Record Mode, Sprint 160 Export & Evidence, Sprint 180 Experience & SDKs
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_187_evidence_locker_cli_integration.md — Sprint 187 - Replay Delivery · 187.A) Evidence Locker & CLI Integration
+
+## Wave 43 — Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier
+
+- Shared prerequisite(s): Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_201_cli_i.md — Sprint 201 - Experience & SDKs · 180.A) Cli.I
+  - SPRINT_206_devportal.md — Sprint 206 - Experience & SDKs · 180.B) DevPortal
+  - SPRINT_207_graph.md — Sprint 207 - Experience & SDKs · 180.C) Graph
+  - SPRINT_208_sdk.md — Sprint 208 - Experience & SDKs · 180.D) Sdk
+  - SPRINT_209_ui_i.md — Sprint 209 - Experience & SDKs · 180.E) UI.I
+  - SPRINT_212_web_i.md — Sprint 212 - Experience & SDKs · 180.F) Web.I
+
+## Wave 44 — Sprint 180.A - Cli.I
+
+- Shared prerequisite(s): Sprint 180.A - Cli.I
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_202_cli_ii.md — Sprint 202 - Experience & SDKs · 180.A) Cli.II
+
+## Wave 45 — Sprint 180.A - Cli.II
+
+- Shared prerequisite(s): Sprint 180.A - Cli.II
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_203_cli_iii.md — Sprint 203 - Experience & SDKs · 180.A) Cli.III
+
+## Wave 46 — Sprint 180.A - Cli.III
+
+- Shared prerequisite(s): Sprint 180.A - Cli.III
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_204_cli_iv.md — Sprint 204 - Experience & SDKs · 180.A) Cli.IV
+
+## Wave 47 — Sprint 180.A - Cli.IV
+
+- Shared prerequisite(s): Sprint 180.A - Cli.IV
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_205_cli_v.md — Sprint 205 - Experience & SDKs · 180.A) Cli.V
+
+## Wave 48 — Sprint 180.E - UI.I
+
+- Shared prerequisite(s): Sprint 180.E - UI.I
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_210_ui_ii.md — Sprint 210 - Experience & SDKs · 180.E) UI.II
+
+## Wave 49 — Sprint 180.E - UI.II
+
+- Shared prerequisite(s): Sprint 180.E - UI.II
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_211_ui_iii.md — Sprint 211 - Experience & SDKs · 180.E) UI.III
+
+## Wave 50 — Sprint 180.F - Web.I
+
+- Shared prerequisite(s): Sprint 180.F - Web.I
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_213_web_ii.md — Sprint 213 - Experience & SDKs · 180.F) Web.II
+
+## Wave 51 — Sprint 180.F - Web.II
+
+- Shared prerequisite(s): Sprint 180.F - Web.II
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_214_web_iii.md — Sprint 214 - Experience & SDKs · 180.F) Web.III
+
+## Wave 52 — Sprint 180.F - Web.III
+
+- Shared prerequisite(s): Sprint 180.F - Web.III
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_215_web_iv.md — Sprint 215 - Experience & SDKs · 180.F) Web.IV
+
+## Wave 53 — Sprint 180.F - Web.IV
+
+- Shared prerequisite(s): Sprint 180.F - Web.IV
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_216_web_v.md — Sprint 216 - Experience & SDKs · 180.F) Web.V
+
+## Wave 54 — Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
+
+- Shared prerequisite(s): Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
+- Parallelism guidance: Prerequisite Sprint 100.A (Attestor) closed on 2025-11-09; these sprints may run together once module blockers clear.
+- Sprints:
+  - SPRINT_301_docs_tasks_md_i.md — Sprint 301 - Documentation & Process · 200.A) Docs Tasks.Md.I
+  - SPRINT_312_docs_modules_advisory_ai.md — Sprint 312 - Documentation & Process · 200.B) Docs Modules Advisory Ai
+  - SPRINT_313_docs_modules_attestor.md — Sprint 313 - Documentation & Process · 200.C) Docs Modules Attestor
+  - SPRINT_314_docs_modules_authority.md — Sprint 314 - Documentation & Process · 200.D) Docs Modules Authority
+  - SPRINT_315_docs_modules_ci.md — Sprint 315 - Documentation & Process · 200.E) Docs Modules Ci
+  - SPRINT_316_docs_modules_cli.md — Sprint 316 - Documentation & Process · 200.F) Docs Modules Cli
+  - SPRINT_317_docs_modules_concelier.md — Sprint 317 - Documentation & Process · 200.G) Docs Modules Concelier
+  - SPRINT_318_docs_modules_devops.md — Sprint 318 - Documentation & Process · 200.H) Docs Modules Devops
+  - SPRINT_319_docs_modules_excititor.md — Sprint 319 - Documentation & Process · 200.I) Docs Modules Excititor
+  - SPRINT_320_docs_modules_export_center.md — Sprint 320 - Documentation & Process · 200.J) Docs Modules Export Center
+  - SPRINT_321_docs_modules_graph.md — Sprint 321 - Documentation & Process · 200.K) Docs Modules Graph
+  - SPRINT_322_docs_modules_notify.md — Sprint 322 - Documentation & Process · 200.L) Docs Modules Notify
+  - SPRINT_323_docs_modules_orchestrator.md — Sprint 323 - Documentation & Process · 200.M) Docs Modules Orchestrator
+  - SPRINT_324_docs_modules_platform.md — Sprint 324 - Documentation & Process · 200.N) Docs Modules Platform
+  - SPRINT_325_docs_modules_policy.md — Sprint 325 - Documentation & Process · 200.O) Docs Modules Policy
+  - SPRINT_326_docs_modules_registry.md — Sprint 326 - Documentation & Process · 200.P) Docs Modules Registry
+  - SPRINT_327_docs_modules_scanner.md — Sprint 327 - Documentation & Process · 200.Q) Docs Modules Scanner
+  - SPRINT_328_docs_modules_scheduler.md — Sprint 328 - Documentation & Process · 200.R) Docs Modules Scheduler
+  - SPRINT_329_docs_modules_signer.md — Sprint 329 - Documentation & Process · 200.S) Docs Modules Signer
+  - SPRINT_330_docs_modules_telemetry.md — Sprint 330 - Documentation & Process · 200.T) Docs Modules Telemetry
+  - SPRINT_331_docs_modules_ui.md — Sprint 331 - Documentation & Process · 200.U) Docs Modules Ui
+  - SPRINT_332_docs_modules_vex_lens.md — Sprint 332 - Documentation & Process · 200.V) Docs Modules Vex Lens
+  - SPRINT_333_docs_modules_excititor.md — Sprint 333 - Documentation & Process · 200.W) Docs Modules Excititor
+  - SPRINT_334_docs_modules_vuln_explorer.md — Sprint 334 - Documentation & Process · 200.X) Docs Modules Vuln Explorer
+  - SPRINT_335_docs_modules_zastava.md — Sprint 335 - Documentation & Process · 200.Y) Docs Modules Zastava
+
+## Wave 55 — Sprint 200.A - Docs Tasks.Md.I
+
+- Shared prerequisite(s): Sprint 200.A - Docs Tasks.Md.I
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_302_docs_tasks_md_ii.md — Sprint 302 - Documentation & Process · 200.A) Docs Tasks.Md.II
+
+## Wave 56 — Sprint 200.A - Docs Tasks.Md.II
+
+- Shared prerequisite(s): Sprint 200.A - Docs Tasks.Md.II
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_303_docs_tasks_md_iii.md — Sprint 303 - Documentation & Process · 200.A) Docs Tasks.Md.III
+
+## Wave 57 — Sprint 200.A - Docs Tasks.Md.III
+
+- Shared prerequisite(s): Sprint 200.A - Docs Tasks.Md.III
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_304_docs_tasks_md_iv.md — Sprint 304 - Documentation & Process · 200.A) Docs Tasks.Md.IV
+
+## Wave 58 — Sprint 200.A - Docs Tasks.Md.IV
+
+- Shared prerequisite(s): Sprint 200.A - Docs Tasks.Md.IV
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_305_docs_tasks_md_v.md — Sprint 305 - Documentation & Process · 200.A) Docs Tasks.Md.V
+
+## Wave 59 — Sprint 200.A - Docs Tasks.Md.V
+
+- Shared prerequisite(s): Sprint 200.A - Docs Tasks.Md.V
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_306_docs_tasks_md_vi.md — Sprint 306 - Documentation & Process · 200.A) Docs Tasks.Md.VI
+
+## Wave 60 — Sprint 200.A - Docs Tasks.Md.VI
+
+- Shared prerequisite(s): Sprint 200.A - Docs Tasks.Md.VI
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_307_docs_tasks_md_vii.md — Sprint 307 - Documentation & Process · 200.A) Docs Tasks.Md.VII
+
+## Wave 61 — Sprint 200.A - Docs Tasks.Md.VII
+
+- Shared prerequisite(s): Sprint 200.A - Docs Tasks.Md.VII
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_308_docs_tasks_md_viii.md — Sprint 308 - Documentation & Process · 200.A) Docs Tasks.Md.VIII
+
+## Wave 62 — Sprint 200.A - Docs Tasks.Md.VIII
+
+- Shared prerequisite(s): Sprint 200.A - Docs Tasks.Md.VIII
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_309_docs_tasks_md_ix.md — Sprint 309 - Documentation & Process · 200.A) Docs Tasks.Md.IX
+
+## Wave 63 — Sprint 200.A - Docs Tasks.Md.IX
+
+- Shared prerequisite(s): Sprint 200.A - Docs Tasks.Md.IX
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_310_docs_tasks_md_x.md — Sprint 310 - Documentation & Process · 200.A) Docs Tasks.Md.X
+
+## Wave 64 — Sprint 200.A - Docs Tasks.Md.X
+
+- Shared prerequisite(s): Sprint 200.A - Docs Tasks.Md.X
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_311_docs_tasks_md_xi.md — Sprint 311 - Documentation & Process · 200.A) Docs Tasks.Md.XI
+
+## Wave 65 — Sprint 140 Runtime Signals, Sprint 185 Replay Core, Sprint 186 Scanner Record Mode, Sprint 187 Evidence & CLI Replay
+
+- Shared prerequisite(s): Sprint 140 Runtime Signals, Sprint 185 Replay Core, Sprint 186 Scanner Record Mode, Sprint 187 Evidence & CLI Replay
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_400_runtime_facts_static_callgraph_union.md — Sprint 400 - Reachability Delivery · 201.A) Runtime facts + static callgraph union
+
+## Wave 66 — Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
+
+- Shared prerequisite(s): Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
+- Parallelism guidance: Prerequisite Sprint 100.A (Attestor) closed on 2025-11-09; these sprints may run together once module blockers clear.
+- Sprints:
+  - SPRINT_501_ops_deployment_i.md — Sprint 501 - Ops & Offline · 190.A) Ops Deployment.I
+  - SPRINT_503_ops_devops_i.md — Sprint 503 - Ops & Offline · 190.B) Ops Devops.I
+  - SPRINT_508_ops_offline_kit.md — Sprint 508 - Ops & Offline · 190.C) Ops Offline Kit
+  - SPRINT_509_samples.md — Sprint 509 - Ops & Offline · 190.D) Samples
+  - SPRINT_510_airgap.md — Sprint 510 - Ops & Offline · 190.E) AirGap
+  - SPRINT_511_api.md — Sprint 511 - Ops & Offline · 190.F) Api
+  - SPRINT_512_bench.md — Sprint 512 - Ops & Offline · 190.G) Bench
+  - SPRINT_513_provenance.md — Sprint 513 - Ops & Offline · 190.H) Provenance
+  - SPRINT_514_sovereign_crypto_enablement.md — Sprint 514 - Ops & Offline · 190.K) Sovereign Crypto Enablement
+
+## Wave 67 — Sprint 190.A - Ops Deployment.I
+
+- Shared prerequisite(s): Sprint 190.A - Ops Deployment.I
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_502_ops_deployment_ii.md — Sprint 502 - Ops & Offline · 190.A) Ops Deployment.II
+
+## Wave 68 — Sprint 190.B - Ops Devops.I
+
+- Shared prerequisite(s): Sprint 190.B - Ops Devops.I
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_504_ops_devops_ii.md — Sprint 504 - Ops & Offline · 190.B) Ops Devops.II
+
+## Wave 69 — Sprint 190.B - Ops Devops.II
+
+- Shared prerequisite(s): Sprint 190.B - Ops Devops.II
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_505_ops_devops_iii.md — Sprint 505 - Ops & Offline · 190.B) Ops Devops.III
+
+## Wave 70 — Sprint 190.B - Ops Devops.III
+
+- Shared prerequisite(s): Sprint 190.B - Ops Devops.III
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_506_ops_devops_iv.md — Sprint 506 - Ops & Offline · 190.B) Ops Devops.IV
+
+## Wave 71 — Sprint 190.B - Ops Devops.IV
+
+- Shared prerequisite(s): Sprint 190.B - Ops Devops.IV
+- Parallelism guidance: Sequential: wait until every referenced sprint is DONE before starting items in this wave.
+- Sprints:
+  - SPRINT_507_ops_devops_v.md — Sprint 507 - Ops & Offline · 190.B) Ops Devops.V
--- a/docs/reachability/DELIVERY_GUIDE.md
+++ b/docs/reachability/DELIVERY_GUIDE.md
@@ -103,6 +103,7 @@ Each sprint is two weeks; refer to `docs/implplan/SPRINT_401_reachability_eviden
 ## 7. Documentation & Runbooks

 - Place developer-facing updates here (`docs/reachability`).
+- [Function-level evidence guide](function-level-evidence.md) captures the Nov 2025 advisory scope, task references, and schema expectations; keep it in lockstep with sprint status.
 - Operator runbooks (`docs/runbooks/reachability-runtime.md`) – TODO reference to be added when runtime pipeline lands.
 - Update module dossiers (Scanner, Signals, Replay, Authority, Policy, UI) once each guild lands work.

--- a/docs/reachability/REACHABILITY_GAP_TASKS.md
+++ b/docs/reachability/REACHABILITY_GAP_TASKS.md
@@ -1,49 +0,0 @@
-# Reachability Evidence – Gap Analysis & Task References
-
-_Last updated: 2025-11-09 (Business Analysis role)._  
-_Scope:_ outline the missing functionality required to make binary-level reachability evidence first-class across Scanner, Signals, Policy, Replay, and VEX emission.
-
-## 1. Source Materials
-
-| Area | Reference |
-|------|-----------|
-| Architecture vision | `docs/reachability/DELIVERY_GUIDE.md`, `docs/modules/platform/architecture-overview.md:145` |
-| Active sprints | `docs/implplan/SPRINT_400_runtime_facts_static_callgraph_union.md`, `docs/implplan/SPRINT_401_reachability_evidence_chain.md` |
-| Current implementations | `src/Signals/StellaOps.Signals/Program.cs:214-287`, `src/Signals/StellaOps.Signals/Services/CallgraphIngestionService.cs`, `src/Signals/StellaOps.Signals/Services/ReachabilityScoringService.cs`, `src/Scanner/__Libraries/StellaOps.Scanner.Reachability`, `tests/reachability/*` |
-
-Use this document to break down outstanding work into actionable tasks and to keep documentation links synchronized.
-
-## 2. Current Snapshot (11 Nov 2025)
-
-1. **Callgraph ingestion exists** – Signals exposes `/signals/callgraphs` and stores graphs + CAS metadata (`Program.cs`, `CallgraphIngestionService`).
-2. **Reachability recompute API exists but is simplistic** – BFS scoring with static confidences, no lattice states, no CAS evidence linking.
-3. **Runtime ingestion is a stub** – `/signals/runtime-facts` returns HTTP 501.
-4. **Scanner Worker doesn’t emit canonical SymbolIDs/graphs** – `StellaOps.Scanner.Reachability` library exists, yet Worker binaries do not reference it.
-5. **Replay manifests record reachability via helpers** – `ReachabilityReplayWriter` can add graph/trace refs, but manifests don’t enforce CAS registration/hashing.
-6. **Policy/UI still consume coarse `reachability:*` tags** – no OpenVEX evidence blocks or graph hashes attached to statements/events.
-
-## 3. Gap Breakdown & Tasks
-
-Canonical sprint tracking for these tasks now lives in `docs/implplan/SPRINT_400_runtime_facts_static_callgraph_union.md` and `docs/implplan/SPRINT_401_reachability_evidence_chain.md`. Use the table below as a consolidated reference when planning cross-guild work.
-
-| Task ID | Module / Doc anchor | Description | Dependencies | Deliverables |
-|---------|--------------------|-------------|--------------|--------------|
-| GAP-SCAN-001 | `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md` | Implement binary/language Symbolizers that emit `richgraph-v1` payloads with canonical `SymbolID = {file:hash, section, addr, name, linkage}`. Persist graphs to CAS and register them via `ReachabilityGraphBuilder`. | Sprint 400 `SCAN-REACH-201-002` | Analyzer services + config docs updated, sample graph fixtures, regression tests under `tests/reachability/StellaOps.ScannerSignals.IntegrationTests`. |
-| GAP-ZAS-002 | `src/Zastava/StellaOps.Zastava.Observer`, `docs/modules/zastava/architecture.md` | Stream runtime NDJSON batches with `SymbolID`, hit counts, CAS URIs to `/signals/runtime-facts`. Capture build-ids + entrypoint context per sprint spec. | Sprint 400 `ZASTAVA-REACH-201-001` | Observer implementation, operator runbook `docs/runbooks/reachability-runtime.md`, fixture updates. |
-| GAP-SIG-003 | `src/Signals/StellaOps.Signals/Program.cs`, `ReachabilityScoringService.cs`, `docs/reachability/DELIVERY_GUIDE.md#5.2` | Finish `/signals/runtime-facts`, introduce CAS-backed runtime storage, extend scoring to lattice states (`Unknown/NotPresent/Unreachable/Conditional/Reachable/Observed`) with per-path confidence accumulation. Emit `signals.fact.updated` events. | Sprint 401 `SIGNALS-RUNTIME-401-002`, `SIGNALS-SCORING-401-003` | API schema, Mongo indices, deterministic scoring tests (`tests/reachability/StellaOps.Signals.Reachability.Tests`). |
-| GAP-REP-004 | `src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md` | Enforce CAS registration + BLAKE3 hashing for graphs/traces before manifest writes. Upgrade manifest schema v2 to include analyzer versions + policy thresholds. | Sprint 400 `REPLAY-REACH-201-005`, Sprint 401 `REPLAY-401-004` | Updated schema docs, fixture pack coverage (`tests/reachability/StellaOps.Replay.Core.Tests`). |
-| GAP-POL-005 | `src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md` | Ingest Signals reachability facts, expose `reachability.state/confidence` in SPL, and generate OpenVEX evidence blocks referencing graph hashes + runtime facts. Implement policy threshold (e.g., affected if `max_path_conf ≥ 0.6`). | Sprint 401 `POLICY-VEX-401-006` | Updated policy schemas (`policy-scoring-schema@1.json`), OpenVEX templates, backend tests.
-| GAP-VEX-006 | `docs/modules/excititor/architecture.md`, `docs/modules/ui/architecture.md`, `docs/implplan/SPRINT_401_reachability_evidence_chain.md` | Wire VEX emission/UI surfaces: CLI/UI explain drawer with call-path visualization, DSSE evidence attachments, `--threshold` and `--evidence=graph` flags. | Sprint 401 `UI-CLI-401-007` | CLI documentation, UI walkthrough, Notify templates referencing reachability evidence. |
-
-## 4. Documentation Actions
-
-1. **Module dossiers** – Once each GAP task lands, update the matching module architecture doc to reflect binary reachability specifics (symbol schema, APIs, thresholds).
-2. **Runbooks** – Create `docs/runbooks/reachability-runtime.md` for operators (Zastava deployment, retention, troubleshooting) and extend `docs/runbooks/replay_ops.md` with reachability CAS sections.
-3. **API references** – Add `/signals/runtime-facts` and explain reachability fields to `docs/09_API_CLI_REFERENCE.md` and `docs/api/policy.md`.
-4. **Sample payloads** – Under `samples/`, add OpenVEX examples that include `facts.type = stella.reachability` with `graph_hash`, entrypoints, and analyzer versions.
-
-## 5. Next Steps for Business Analysis
-
- Socialize this gap list with module owners; confirm task ownership aligns with the sprint trackers.
- Link this document from `docs/reachability/DELIVERY_GUIDE.md` so engineers can reference the gap tasks quickly.
- Revisit after Sprint 401 midpoint to mark completed tasks and add any newly discovered blockers.
--- a/docs/reachability/function-level-evidence.md
+++ b/docs/reachability/function-level-evidence.md
@@ -0,0 +1,102 @@
+# Function-Level Evidence Readiness (Nov 2025 Advisory)
+
+_Last updated: 2025-11-09. Owner: Business Analysis Guild._
+
+This memo captures the outstanding work required to make Stella Ops scanners emit stable, function-level evidence that matches the November 2025 advisory. It does **not** implement any code; instead it enumerates requirements, links them to sprint tasks, and spells out the schema/API updates that the next agent must land.
+
+---
+
+## 1. Goal & Scope
+
+**Goal.** Anchor every vulnerability finding to an immutable `{artifact_digest, code_id}` tuple plus optional symbol hints so replayers can prove reachability against stripped binaries.
+
+**Scope.** Scanner analyzers, runtime ingestion, Signals scoring, Replay manifests, Policy/VEX emission, CLI/UI explainers, and documentation/runbooks needed to operationalise the advisory.
+
+Out of scope: implementing disassemblers or symbol servers; those will be handled inside the module-specific backlog tasks referenced below.
+
+---
+
+## 2. Advisory Requirements vs. System Gaps
+
+| Requirement | Current gap | Task references | Notes |
+|-------------|-------------|-----------------|-------|
+| Immutable code identity (`code_id` = `{format, build_id, start, length}` + optional `code_block_hash`) | Callgraph nodes are opaque strings with no address metadata. | Sprint 401 `GRAPH-CAS-401-001`, `GAP-SCAN-001`, `GAP-SYM-007` | `code_id` should live alongside existing `SymbolID` helpers so analyzers can emit it without duplicating logic. |
+| Symbol hints (demangled name, source, confidence) | No schema fields for symbol metadata; demangling is ad-hoc per analyzer. | `GAP-SYM-007` | Require deterministic casing + `symbol.source ∈ {DWARF,PDB,SYM,none}`. |
+| Runtime facts mapped to code anchors | `/signals/runtime-facts` is a stub; Zastava streams only Build-IDs. | Sprint 400 `ZASTAVA-REACH-201-001`, Sprint 401 `SIGNALS-RUNTIME-401-002`, `GAP-ZAS-002`, `GAP-SIG-003` | Need NDJSON schema documenting `code_id`, `symbol.sid`, `hit_count`, `loader_base`. |
+| Replay/DSSE coverage | Replay manifests don’t enforce hash/CAS registration for graphs/traces. | Sprint 400 `REPLAY-REACH-201-005`, Sprint 401 `REPLAY-401-004`, `GAP-REP-004` | Extend manifest v2 with analyzer versions + BLAKE3 digests; add DSSE predicate types. |
+| Policy/VEX/UI explainability | Policy uses coarse `reachability:*` tags; UI/CLI cannot show call paths or evidence hashes. | Sprint 401 `POLICY-VEX-401-006`, `UI-CLI-401-007`, `GAP-POL-005`, `GAP-VEX-006`, `EXPERIENCE-GAP-401-012` | Evidence blocks must cite `code_id`, graph hash, runtime CAS URI, analyzer version. |
+| Operator documentation & samples | No guide shows how to replay `{build_id,start,len}` across CLI/API. | Sprint 401 `QA-DOCS-401-008`, `GAP-DOC-008` | Produce samples under `samples/reachability/**` plus CLI walkthroughs. |
+
+---
+
+## 3. Workstreams & Expectations
+
+### 3.1 Scanner Symbolization (GAP-SCAN-001 / GAP-SYM-007)
+
+* Define `SymbolID` helpers that glue together `{artifact_digest, file`, optional `section`, `addr`, `length`, `code_block_hash`}.
+* Update analyzer contracts so every analyzer returns both `symbol_id` and `code_id`, with demangled names stored under the new `symbol` block.
+* Persist the data into `richgraph-v1` payloads and attach CAS URIs via `StellaOps.Scanner.Reachability`.
+* Deliver fixtures in `tests/reachability/StellaOps.ScannerSignals.IntegrationTests` that prove determinism (same hash when analyzer flags reorder).
+
+### 3.2 Runtime + Signals (GAP-ZAS-002 / GAP-SIG-003)
+
+* Extend Zastava Observer NDJSON schema to emit: `symbol_id`, `code_id`, `hit_count`, `observed_at`, `loader_base`, `process.buildId`.
+* Implement `/signals/runtime-facts` ingestion (gzip + NDJSON) with CAS-backed storage under `cas://reachability/runtime/{sha256}`.
+* Update `ReachabilityScoringService` to lattice states and include runtime evidence references plus CAS URIs in `ReachabilityFactDocument.Metadata`.
+
+### 3.3 Replay & Evidence (GAP-REP-004)
+
+* Enforce CAS registration + BLAKE3 hashing before manifest writes (graphs and traces).
+* Teach `ReachabilityReplayWriter` to require analyzer name/version, graph kind, `code_id` coverage summary.
+* Update `docs/replay/DETERMINISTIC_REPLAY.md` once schema v2 is finalized.
+
+### 3.4 Policy, VEX, CLI/UI (GAP-POL-005 / GAP-VEX-006)
+
+* Policy Engine: ingest new reachability facts, expose `reachability.state`, `max_path_conf`, and `evidence.graph_hash` via SPL + API.
+* CLI/UI: add `stella graph explain` and explain drawer showing call path (`SymbolID` list), code anchors, runtime hits, DSSE references.
+* Notify templates: include short evidence summary (first hop + truncated `code_id`).
+
+### 3.5 Documentation & Samples (GAP-DOC-008)
+
+* Publish schema diffs in `docs/data/evidence-schema.md` (new file) covering SBOM evidence nodes, runtime NDJSON, and API responses.
+* Write CLI/API walkthroughs in `docs/09_API_CLI_REFERENCE.md` and `docs/api/policy.md` showing how to request reachability evidence and verify DSSE chains.
+* Produce OpenVEX + replay samples under `samples/reachability/` showing `facts.type = "stella.reachability"` with `graph_hash` and `code_id` arrays.
+
+---
+
+## 4. Schema & API Touchpoints
+
+The next implementation pass must cover the following documents/files (create them if missing):
+
+1. `docs/data/evidence-schema.md` – authoritative schema for `{code_id, symbol, tool}` blocks.
+2. `docs/runbooks/reachability-runtime.md` – operator steps for staging runtime ingestion bundles, retention, and troubleshooting.
+3. `docs/runbooks/replay_ops.md` – add section detailing replay verification using the new graph/runtime CAS entries.
+
+API contracts to amend:
+
+- `POST /signals/callgraphs` response should include `graphHash` (BLAKE3) once `GRAPH-CAS-401-001` lands.
+- `POST /signals/runtime-facts` request body schema (NDJSON) with `symbol_id`, `code_id`, `hit_count`, `loader_base`.
+- `GET /policy/findings` payload must surface `reachability.evidence[]` objects.
+
+---
+
+## 5. Test & Fixture Expectations
+
+- **Reachbench fixtures**: update golden cases with `code_id` + `symbol` metadata. Ensure both reachable/unreachable variants still pass once graphs contain the richer IDs.
+- **Signals unit tests**: add deterministic tests for lattice scoring + runtime evidence linking (`tests/reachability/StellaOps.Signals.Reachability.Tests`).
+- **Replay tests**: extend `tests/reachability/StellaOps.Replay.Core.Tests` to assert manifest v2 serialization and hash enforcement.
+
+All fixtures must remain deterministic: sort nodes/edges, normalise casing, and freeze timestamps in test data.
+
+---
+
+## 6. Handoff Checklist for the Next Agent
+
+1. Confirm sprint entries (`SPRINT_400` and `SPRINT_401`) remain in sync when moving `GAP-*` tasks to DOING/DONE.
+2. Start with `GAP-SYM-007` (schema/helper implementation) because downstream work depends on the new `code_id` payload shape.
+3. Once schema PR merges, coordinate with Signals + Policy guilds to align on CAS naming and DSSE predicates before wiring APIs.
+4. Update the docs listed in §4 as each component lands; keep this file current with statuses and links to PRs/ADRs.
+5. Before shipping, run the reachbench fixtures end-to-end and capture hashes for inclusion in replay docs.
+
+Keep this document updated as tasks change state; it is the authoritative hand-off note for the advisory.
+