feat: Document completed tasks for KMS, Cryptography, and Plugin Libraries

- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys.
- Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations.
- Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.

docs/technical/README.md

@@ -0,0 +1,17 @@
+# Technical Documentation Index
+
+> Use this hub when you need the full implementation detail: architecture blueprints, data contracts, developer guides, and operations playbooks. Each section below links to the canonical sources already living in `docs/**`.
+
+## Sections
+- [Strategy & Core Specs](strategy/README.md)
+- [Platform Architecture & Module Dossiers](architecture/README.md)
+  - [Component map](architecture/component-map.md)
+- [Interfaces, Contracts & Schemas](interfaces/README.md)
+- [Development Guides & Tooling](development/README.md)
+- [Operations, Deployment & Offline](operations/README.md)
+- [Observability, Notifications & Telemetry](observability/README.md)
+- [Security, Risk & Governance](security/README.md)
+- [Process, Coordination & Change Logs](process/README.md)
+
+---
+Need a doc that is missing here? Raise an entry in `docs/TASKS.md` so the index stays complete.

docs/technical/architecture/README.md

@@ -0,0 +1,44 @@
+# Platform Architecture & Module Dossiers
+
+Use this index to locate architecture narratives, boundaries, and implementation plans for every Stella Ops component.
+
+## Core Views
+- [../high-level-architecture.md](../../high-level-architecture.md) – 10-minute overview of the end-to-end flow.
+- [../07_HIGH_LEVEL_ARCHITECTURE.md](../../07_HIGH_LEVEL_ARCHITECTURE.md) – exhaustive reference (data flows, trust boundaries, operational traits).
+- [../40_ARCHITECTURE_OVERVIEW.md](../../40_ARCHITECTURE_OVERVIEW.md) – design principles applied across modules.
+- [../scanner-core-contracts.md](../../scanner-core-contracts.md) – canonical DTOs shared by Scanner services and consumers.
+- Legacy service dossier: [../11_AUTHORITY.md](../../11_AUTHORITY.md) – Authority overview before module split.
+- UI documentation set: [../../ui/](../../ui/) (navigation, policies, findings, runs, tours).
+- Component map: [component-map.md](component-map.md) – quick descriptions of every `src/` module and how they interact.
+
+## Module Catalogue
+Each module directory bundles an ownership charter (`AGENTS.md`), current work (`TASKS.md`), architecture dossier, and implementation plan. Operations guides live under `operations/` where applicable.
+
+| Module | Architecture | Implementation Plan | Operations / Extras |
+|--------|--------------|---------------------|---------------------|
+| Authority | [architecture.md](../../modules/authority/architecture.md) | [implementation_plan.md](../../modules/authority/implementation_plan.md) | [operations](../../modules/authority/operations/) |
+| Advisory AI | [architecture.md](../../modules/advisory-ai/architecture.md) | [implementation_plan.md](../../modules/advisory-ai/implementation_plan.md) | — |
+| Attestor | [architecture.md](../../modules/attestor/architecture.md) | [implementation_plan.md](../../modules/attestor/implementation_plan.md) | — |
+| CLI | [architecture.md](../../modules/cli/architecture.md) | [implementation_plan.md](../../modules/cli/implementation_plan.md) | [operations/release-and-packaging.md](../../modules/cli/operations/release-and-packaging.md) |
+| CI Recipes | [architecture.md](../../modules/ci/architecture.md) | [implementation_plan.md](../../modules/ci/implementation_plan.md) | [recipes.md](../../modules/ci/recipes.md) |
+| Concelier | [architecture.md](../../modules/concelier/architecture.md) | [implementation_plan.md](../../modules/concelier/implementation_plan.md) | [operations/](../../modules/concelier/operations/) |
+| DevOps / Release | [architecture.md](../../modules/devops/architecture.md) | [implementation_plan.md](../../modules/devops/implementation_plan.md) | [runbooks](../../modules/devops/runbooks/) |
+| Excititor | [architecture.md](../../modules/excititor/architecture.md) | [implementation_plan.md](../../modules/excititor/implementation_plan.md) | [mirrors.md](../../modules/excititor/mirrors.md) |
+| Export Center | [architecture.md](../../modules/export-center/architecture.md) | [implementation_plan.md](../../modules/export-center/implementation_plan.md) | [operations/runbook.md](../../modules/export-center/operations/runbook.md) |
+| Graph | [architecture.md](../../modules/graph/architecture.md) | [implementation_plan.md](../../modules/graph/implementation_plan.md) | — |
+| Notify | [architecture.md](../../modules/notify/architecture.md) | [implementation_plan.md](../../modules/notify/implementation_plan.md) | — |
+| Orchestrator | [architecture.md](../../modules/orchestrator/architecture.md) | [implementation_plan.md](../../modules/orchestrator/implementation_plan.md) | — |
+| Platform | [architecture-overview.md](../../modules/platform/architecture-overview.md) + [architecture.md](../../modules/platform/architecture.md) | [implementation_plan.md](../../modules/platform/implementation_plan.md) | — |
+| Policy Engine | [architecture.md](../../modules/policy/architecture.md) | [implementation_plan.md](../../modules/policy/implementation_plan.md) | — |
+| Registry Token Service | [architecture.md](../../modules/registry/architecture.md) | [implementation_plan.md](../../modules/registry/implementation_plan.md) | [operations/token-service.md](../../modules/registry/operations/token-service.md) |
+| Scanner | [architecture.md](../../modules/scanner/architecture.md) | [implementation_plan.md](../../modules/scanner/implementation_plan.md) | [operations/](../../modules/scanner/operations/) |
+| Scheduler | [architecture.md](../../modules/scheduler/architecture.md) | [implementation_plan.md](../../modules/scheduler/implementation_plan.md) | [operations/](../../modules/scheduler/operations/) |
+| Signer | [architecture.md](../../modules/signer/architecture.md) | [implementation_plan.md](../../modules/signer/implementation_plan.md) | — |
+| Telemetry Stack | [architecture.md](../../modules/telemetry/architecture.md) | [implementation_plan.md](../../modules/telemetry/implementation_plan.md) | [operations/collector.md](../../modules/telemetry/operations/collector.md), [operations/storage.md](../../modules/telemetry/operations/storage.md) |
+| UI / Console | [architecture.md](../../modules/ui/architecture.md), [console-architecture.md](../../modules/ui/console-architecture.md) | [implementation_plan.md](../../modules/ui/implementation_plan.md) | — |
+| Vuln Explorer | [architecture.md](../../modules/vuln-explorer/architecture.md) | [implementation_plan.md](../../modules/vuln-explorer/implementation_plan.md) | — |
+| VEX Lens | [architecture.md](../../modules/vex-lens/architecture.md) | [implementation_plan.md](../../modules/vex-lens/implementation_plan.md) | — |
+| Vexer | [architecture.md](../../modules/vexer/architecture.md) | [implementation_plan.md](../../modules/vexer/implementation_plan.md) | [scoring.md](../../modules/vexer/scoring.md) |
+| Zastava | [architecture.md](../../modules/zastava/architecture.md) | [implementation_plan.md](../../modules/zastava/implementation_plan.md) | — |
+
+> **Tip:** Every module directory also exposes `README.md`, `AGENTS.md`, and `TASKS.md` for roles, current backlog, and ownership responsibilities.

docs/technical/architecture/component-map.md

@@ -0,0 +1,77 @@
+# Platform Component Map
+
+Concise descriptions of every top-level component under `src/`, summarising the role documented across Stella Ops technical guides and how each module interacts with the rest of the platform. Use this as a quick orientation map before diving into the module-specific dossiers listed in [architecture/README.md](README.md).
+
+## Advisory & Evidence Services
+- **AdvisoryAI** — Experimental intelligence helpers that summarise and prioritise advisory data for humans. Ingests canonical observations from Concelier/Excititor, adds explainable insights, and feeds UI/CLI and Policy workflows. See `docs/modules/advisory-ai/architecture.md`.
+- **Concelier** — Canonical advisory ingestion engine enforcing the Aggregation-Only Contract (AOC). Produces immutable observations/linksets consumed by Policy Engine, Graph, Scheduler, and Export Center. Docs in `docs/modules/concelier/architecture.md` and `docs/ingestion/aggregation-only-contract.md`.
+- **Excititor** — VEX statement normaliser applying AOC guardrails. Supplies VEX observations to Policy Engine, VEX Lens, Scheduler, and UI. Reference `docs/modules/excititor/architecture.md` and `docs/vex/aggregation.md`.
+- **VexLens** — Provides focused exploration of VEX evidence, conflict analysis, and waiver insights for UI/CLI. Backed by Excititor and Policy Engine (`docs/modules/vex-lens/architecture.md`).
+- **EvidenceLocker** — Long-term store for signed evidence bundles (DSSE, SRM, policy waivers). Integrates with Attestor, Export Center, Policy, and replay tooling (`docs/forensics/evidence-locker.md`). 
+- **ExportCenter** — Packages reproducible evidence bundles and mirror artefacts for online/offline distribution. Pulls from Concelier, Excititor, Policy, Scanner, Attestor, and Registry (`docs/modules/export-center/architecture.md`). 
+- **Mirror** — Feed and artefact mirroring services supporting Offline Update Kits, registry mirrors, and air-gapped updates (`docs/modules/devops/architecture.md`, `docs/airgap/`). 
+
+## Scanning, SBOM & Risk
+- **Scanner** — Deterministic scanning with API + worker pair. Generates SBOM fragments, emits SRM/DSSE-ready reports, hands results to Signer/Attestor, and surfaces status to Scheduler/CLI/UI (`docs/modules/scanner/architecture.md`). 
+- **SbomService** — SBOM inventory store and delta cache leveraged by Scanner, Policy Engine, Cartographer, and Export Center (`docs/modules/scanner/architecture.md`, SBOM sections). 
+- **RiskEngine** — Consolidates Policy verdicts, runtime signals, and graph overlays into prioritised risk views (`docs/modules/policy/architecture.md`, `docs/modules/graph/architecture.md`). 
+- **Findings** — Materialises effective findings from Policy Engine outputs and evidence. Feeds UI, CLI, Notify, and Governance dashboards (`docs/modules/policy/architecture.md`, findings sections). 
+- **Cartographer** — Builds identity graphs from SBOM/advisory data for Graph Explorer and RiskEngine (`docs/modules/graph/architecture.md`). 
+- **Graph** — Graph API + indexer, exposing relationship queries to UI/CLI/Scheduler (`docs/modules/graph/architecture.md`). 
+- **VulnExplorer** — Explorer for vulnerabilities that combines Concelier data, graph overlays, and Policy results for UI/CLI consumption (`docs/modules/vuln-explorer/architecture.md`). 
+
+## Policy & Governance
+- **Policy** — Policy Engine core libraries and services executing lattice logic across SBOM, advisory, and VEX evidence. Emits explain traces, drives Findings, Notifier, and Export Center (`docs/modules/policy/architecture.md`). 
+- **Policy Studio / TaskRunner / PacksRegistry** — Authoring, automation, and reusable template services that orchestrate policy and operational workflows (`docs/task-packs/`, `docs/modules/cli/`, `docs/modules/ui/`). 
+- **Governance components** (Authority scopes, Policy governance, Console policy UI) are covered in `docs/security/policy-governance.md` and `docs/modules/ui/policies.md`.
+
+## Identity, Signing & Provenance
+- **Authority** — Identity provider issuing short-lived OpToks, enforcing scopes/tenancy, and powering every module’s authentication story (`docs/11_AUTHORITY.md`, `docs/modules/authority/architecture.md`). 
+- **Signer** — DSSE signing backend supporting keyless/keyful modes with Authority-managed trust roots (`docs/modules/signer/architecture.md`). 
+- **Attestor** — Manages proof bundles, optional Rekor mirror, and distribution to consumers (`docs/modules/attestor/architecture.md`). 
+- **Provenance** — Utilities and services for DSSE/SLSA provenance verification, consumed by Export Center, EvidenceLocker, and Replay (`docs/modules/export-center/provenance-and-signing.md`). 
+- **IssuerDirectory** — Directory of trust issuers/KMS bindings used by Authority, Signer, Attestor, Export Center, and AirGap cryptographic profiles (`docs/modules/authority/architecture.md`, trust sections). 
+
+## Scheduling, Orchestration & Automation
+- **Scheduler** — Detects advisory/VEX deltas and orchestrates deterministic rescan runs toward Scanner and Policy Engine (`docs/modules/scheduler/architecture.md`). 
+- **Orchestrator** — Central coordination service dispatching jobs (scans, exports, policy runs) to modules, working closely with Scheduler, CLI, and UI (`docs/modules/orchestrator/architecture.md`). 
+- **TaskRunner** — Executes automation packs sourced from PacksRegistry, integrating with Orchestrator, CLI, Notify, and Authority (`docs/task-packs/runbook.md`). 
+- **Signals** — Ingests runtime posture signals and feeds Policy/Notifier workflows (`docs/modules/zastava/architecture.md`, signals sections). 
+- **TimelineIndexer** — Builds timelines of evidence/events for forensics and audit tooling (`docs/forensics/timeline.md`). 
+
+## Notification & UI
+- **Notifier** — New notifications studio with rule engine, digesting, and channel plug-ins (`docs/notifications/overview.md`). 
+- **Notify** — Legacy notification service referenced in backlog/cleanup docs; still handles existing deployments (`docs/modules/notify/architecture.md`). 
+- **UI** — Angular console surfacing scans, policy authoring, VEX evidence, runtime posture, and admin flows. Talks to Web gateway, Authority, Policy, Concelier, Scheduler, Notify, etc. (`docs/modules/ui/architecture.md`). 
+- **DevPortal** — Developer onboarding portal consuming Api definitions, CLI samples, and Authority auth flows (`docs/modules/devops/architecture.md`, dev portal sections). 
+
+## Runtime & Registry
+- **Registry** — Anonymous registry/token service hosting platform images and Offline Kit artefacts (`docs/modules/registry/architecture.md`). 
+- **Zastava** — Runtime observer/admission controller ensuring signed images, SBOM availability, and policy verdict enforcement in live clusters (`docs/modules/zastava/architecture.md`). 
+- **Signals** (shared above) plus runtime components integrate tightly with Zastava and Policy Engine. 
+- **Bench** — Performance benchmarking toolset validating platform SLAs (`docs/12_PERFORMANCE_WORKBOOK.md`). 
+
+## Offline, Telemetry & Infrastructure
+- **AirGap** — Bundles Offline Update Kits, enforces sealed-mode operations, and distributes trust roots/feeds (`docs/10_OFFLINE_KIT.md`, `docs/airgap/`). 
+- **Telemetry** — OpenTelemetry collector/storage deployment tooling, observability integrations, and offline metrics packages (`docs/modules/telemetry/architecture.md`, `docs/observability/`). 
+- **Mirror** and **ExportCenter** (above) complement AirGap by keeping offline mirrors in sync. 
+- **Tools** — Collection of utility programs (fixture generators, smoke tests, migration scripts) supporting all modules (`docs/dev/fixtures.md`, module-specific tooling sections). 
+
+## CLI, SDK, Web Gateway
+- **Cli** — Native command-line interface orchestrating scans, policy operations, offline workflows, and evidence replay (`docs/modules/cli/architecture.md`). 
+- **Sdk** — Shared SDK packages for third-party integration (C#, TS, etc.), wrapping Authority auth and API definitions (`docs/api/`). 
+- **Web** — API gateway/BFF exposing module APIs to UI/CLI and external clients, performing auth & route orchestration (`docs/modules/platform/architecture-overview.md`, gateway sections). 
+
+## Remaining Shared Libraries
+- **Api**, **Sdk**, **__Libraries** — Core shared contracts and helper libraries referenced throughout modules (configuration, messaging, federation). Each module dossier highlights its shared dependencies. 
+- **Aoc** library (mentioned above) is reused by ingestion components and verification tooling to enforce the Aggregation-Only Contract. 
+
+## How It All Connects
+High-level flows (see `docs/high-level-architecture.md` for diagrams):
+1. **Ingest** — Concelier and Excititor use AOC to ingest advisories/VEX; Scheduler observes deltas. 
+2. **Scan & Evaluate** — Scanner generates SBOM evidence and hands to Signer/Attestor; Policy Engine merges SBOM, advisory, VEX, runtime signals; RiskEngine prioritises. 
+3. **Store & Export** — EvidenceLocker and Export Center package results; Registry serves artefacts; AirGap bundles offline editions. 
+4. **Observe & Notify** — Telemetry captures metrics/traces/logs; Notifier/Notify deliver alerts; UI/CLI/Web expose operations; TimelineIndexer builds audit trails. 
+5. **Govern & Secure** — Authority, IssuerDirectory, Signer, and Attestor maintain trust; Policy governance and console experiences let teams manage waivers and approvals. 
+
+Refer back to module-specific documentation for APIs, configuration, schema details, and operational runbooks. This component map will stay updated alongside module architecture changes—log updates in `docs/updates/` whenever new modules are introduced or deprecated.

docs/technical/development/README.md

@@ -0,0 +1,33 @@
+# Development Guides & Tooling
+
+Resources for contributors building features, plug-ins, connectors, and tests.
+
+## Engineering Standards & Quality
+- [../18_CODING_STANDARDS.md](../../18_CODING_STANDARDS.md) – language guidelines, project layout, review expectations.
+- [../19_TEST_SUITE_OVERVIEW.md](../../19_TEST_SUITE_OVERVIEW.md) – unit, integration, golden, and determinism test strategy.
+- [../12_PERFORMANCE_WORKBOOK.md](../../12_PERFORMANCE_WORKBOOK.md) – benchmark targets and reference rigs.
+- [../cli-vs-ui-parity.md](../../cli-vs-ui-parity.md) – CLI vs Console feature parity tracking.
+- [../scanner-core-contracts.md](../../scanner-core-contracts.md) – DTO fixtures consumed by tests.
+
+## Plug-ins, Connectors & Extensions
+- [../10_PLUGIN_SDK_GUIDE.md](../../10_PLUGIN_SDK_GUIDE.md) – plug-in lifecycle, manifests, packaging.
+- [../10_CONCELIER_CLI_QUICKSTART.md](../../10_CONCELIER_CLI_QUICKSTART.md) – local Concelier + CLI workflow for advisory ingestion.
+- Developer guides under [../dev/](../../dev/):
+  - Connector playbooks (`30_EXCITITOR_CONNECTOR_GUIDE.md`, `30_VEXER_CONNECTOR_GUIDE.md`, `concelier-connector-research-20251011.md`, `kisa_connector_notes.md`).
+  - Authority and DPoP guidance (`31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`, `authority-dpop-mtls-plan.md`, `authority-plugin-di-coordination.md`, `authority-rate-limit-tuning-outline.md`, `32_AUTH_CLIENT_GUIDE.md`).
+  - Analyzer and cache configuration (`SCANNER_CACHE_CONFIGURATION.md`, `java-analyzer-observation-plan.md`, `EXCITITOR_STATEMENT_BACKFILL.md`).
+  - Normalisation & merge references (`aoc-normalization-removal-notes.md`, `merge_semver_playbook.md`, `normalized-rule-recipes.md`, `normalized_versions_rollout.md`).
+  - Operational templates and fixtures (`templates/`, `fixtures.md`).
+  - Mongo/Cartographer details (`mongo_indices.md`, `cartographer-graph-handshake.md`).
+
+## CLI, SDKs & Automation
+- [../09_API_CLI_REFERENCE.md](../../09_API_CLI_REFERENCE.md) – authoritative CLI commands and flags (use for scripting).
+- [../api/sdk-openapi-program.md](../../api/sdk-openapi-program.md) – guidance for downstream SDK generation.
+- [../policy/gateway.md](../../policy/gateway.md) & [../policy/dsl.md](../../policy/dsl.md) – foundations for automating policy programs.
+
+## Scaffolding & Examples
+- [../examples/policies/README.md](../../examples/policies/README.md) – sample policy bundles.
+- [../examples/ui-tours.md](../../examples/ui-tours.md) and [../assets/ui/tours/README.md](../../assets/ui/tours/README.md) – console tour authoring guides.
+- [../task-packs/](../../task-packs/) – reusable task templates for sprints.
+- [../faq/policy-faq.md](../../faq/policy-faq.md) – policy author FAQ.
+- [../faq/](../../faq/) – additional Q&A sets useful during development.

docs/technical/interfaces/README.md

@@ -0,0 +1,48 @@
+# Interfaces, Contracts & Schemas
+
+Specifications covering APIs, data contracts, event envelopes, and enforcement models.
+
+## External & Internal APIs
+- [../09_API_CLI_REFERENCE.md](../../09_API_CLI_REFERENCE.md) – canonical REST and CLI surface (scan, policy, auth, health).
+- [../api/policy.md](../../api/policy.md) – Policy Engine REST endpoints.
+- Module APIs: see relevant module architecture docs (e.g., [../../modules/export-center/api.md](../../modules/export-center/api.md)).
+
+## Policy & Decisioning
+- [../policy/overview.md](../../policy/overview.md) – Policy Engine fundamentals.
+- [../policy/dsl.md](../../policy/dsl.md) – `stella-dsl@1` grammar.
+- [../policy/lifecycle.md](../../policy/lifecycle.md) – creation, promotion, approval flows.
+- [../policy/runs.md](../../policy/runs.md) – execution orchestrations.
+- [../policy/exception-effects.md](../../policy/exception-effects.md) – waiver semantics.
+- [../policy/gateway.md](../../policy/gateway.md) – gateway service contract.
+- [../60_POLICY_TEMPLATES.md](../../60_POLICY_TEMPLATES.md) – YAML/Rego samples.
+
+## Data Schemas & Storage Contracts
+- [../11_DATA_SCHEMAS.md](../../11_DATA_SCHEMAS.md) – MongoDB/Redis/document shapes.
+- JSON schemas under [../schemas/](../../schemas/) – policy diff, explain trace, run request, run status, preview sample, report sample.
+- [../../modules/scanner/architecture.md](../../modules/scanner/architecture.md) – SBOM cache and scan job contracts.
+- [../../scanner-core-contracts.md](../../scanner-core-contracts.md) – shared scanner DTOs.
+
+## Events & Messaging
+- [../events/README.md](../../events/README.md) – event catalogue (`scanner.scan.completed@1`, `scheduler.rescan.delta@1`, etc.).
+- Payload schemas in [../events/*.json](../../events/) and samples in [../events/samples/](../../events/samples/).
+- [../observability/policy.md](../../observability/policy.md) and [../observability/ui-telemetry.md](../../observability/ui-telemetry.md) – telemetry event guidance.
+
+## Ingestion & Evidence Contracts
+- [../ingestion/aggregation-only-contract.md](../../ingestion/aggregation-only-contract.md) – Aggregation-Only Contract reference.
+- [../aoc/aoc-guardrails.md](../../aoc/aoc-guardrails.md) – guardrails checklist.
+- [../advisories/aggregation.md](../../advisories/aggregation.md) – advisory observation schema.
+- [../vex/aggregation.md](../../vex/aggregation.md) – VEX observation schema.
+- [../../modules/concelier/operations/connectors/](../../modules/concelier/operations/connectors/) – connector-specific payload notes.
+
+## Identity, Quota & Licence Enforcement
+- [../license-jwt-quota.md](../../license-jwt-quota.md) – offline quota token design.
+- [../30_QUOTA_ENFORCEMENT_FLOW1.md](../../30_QUOTA_ENFORCEMENT_FLOW1.md) – enforcement sequence diagram.
+- [../33_333_QUOTA_OVERVIEW.md](../../33_333_QUOTA_OVERVIEW.md) – free tier policy.
+- [../30_QUOTA_ENFORCEMENT_FLOW1.md](../../30_QUOTA_ENFORCEMENT_FLOW1.md) and [../33_333_QUOTA_OVERVIEW.md](../../33_333_QUOTA_OVERVIEW.md) – pair with [../29_LEGAL_FAQ_QUOTA.md](../../29_LEGAL_FAQ_QUOTA.md) for legal framing.
+- [../../modules/authority/architecture.md](../../modules/authority/architecture.md) – OpTok issuance & validation contracts.
+- [../../modules/registry/architecture.md](../../modules/registry/architecture.md) – token service scope and audit requirements.
+
+## Transparency & Attestation
+- [../../modules/attestor/architecture.md](../../modules/attestor/architecture.md) – DSSE/Rekor bundle contracts.
+- [../../modules/signer/architecture.md](../../modules/signer/architecture.md) – signing workflow contracts.
+- [../../modules/export-center/provenance-and-signing.md](../../modules/export-center/provenance-and-signing.md) – export bundle evidence artefacts.

docs/technical/observability/README.md

@@ -0,0 +1,29 @@
+# Observability, Notifications & Telemetry
+
+Guides for capturing metrics, logs, traces, and delivering notifications.
+
+## Observability Stack
+- [../observability/observability.md](../../observability/observability.md) – AOC observability overview.
+- [../observability/policy.md](../../observability/policy.md) – policy-specific telemetry guidance.
+- [../observability/ui-telemetry.md](../../observability/ui-telemetry.md) – UI instrumentation and SSE tracing.
+- Telemetry module docs: [../../modules/telemetry/architecture.md](../../modules/telemetry/architecture.md), [../../modules/telemetry/implementation_plan.md](../../modules/telemetry/implementation_plan.md), [../../modules/telemetry/operations/collector.md](../../modules/telemetry/operations/collector.md), [../../modules/telemetry/operations/storage.md](../../modules/telemetry/operations/storage.md).
+- Authority / Scanner dashboards: see respective module `operations/*.json` and Grafana runbooks.
+
+## Events & Streaming
+- [../events/README.md](../../events/README.md) – canonical event definitions.
+- Payload schemas (JSON): [../events/scanner.scan.completed@1.json](../../events/scanner.scan.completed@1.json), [../events/scanner.report.ready@1.json](../../events/scanner.report.ready@1.json), [../events/scheduler.rescan.delta@1.json](../../events/scheduler.rescan.delta@1.json), [../events/attestor.logged@1.json](../../events/attestor.logged@1.json), etc.
+- [../events/samples/](../../events/samples/) – sample payloads with validation workflow.
+- [../../modules/export-center/provenance-and-signing.md](../../modules/export-center/provenance-and-signing.md) – provenance event integration.
+
+## Notifications Studio
+- [../notifications/overview.md](../../notifications/overview.md) – architecture and channels.
+- [../notifications/rules.md](../../notifications/rules.md) – rule authoring.
+- [../notifications/templates.md](../../notifications/templates.md) – template management.
+- [../notifications/digests.md](../../notifications/digests.md) – digest scheduling.
+- [../../modules/notify/architecture.md](../../modules/notify/architecture.md) & [../../modules/notify/implementation_plan.md](../../modules/notify/implementation_plan.md) – implementation detail.
+
+## Metrics & Dashboards
+- Scanner analyzers dashboard: [../../modules/scanner/operations/analyzers-grafana-dashboard.json](../../modules/scanner/operations/analyzers-grafana-dashboard.json).
+- Scheduler worker dashboards & alert rules: [../../modules/scheduler/operations/worker-grafana-dashboard.json](../../modules/scheduler/operations/worker-grafana-dashboard.json), [../../modules/scheduler/operations/worker-prometheus-rules.yaml](../../modules/scheduler/operations/worker-prometheus-rules.yaml).
+- Authority monitoring: [../../modules/authority/operations/monitoring.md](../../modules/authority/operations/monitoring.md).
+- DevOps observability tasks: see [../../modules/devops/architecture.md](../../modules/devops/architecture.md) and runbooks.

docs/technical/operations/README.md

@@ -0,0 +1,47 @@
+# Operations, Deployment & Offline
+
+Deployment, runtime operations, and air-gap playbooks for running Stella Ops in production.
+
+## Install & Upgrade
+- [../21_INSTALL_GUIDE.md](../../21_INSTALL_GUIDE.md) – canonical install guide (Docker, air-gap considerations).
+- [../install/docker.md](../../install/docker.md) – Docker install recipes.
+- [../deploy/containers.md](../../deploy/containers.md) – container deployment guidance for AOC environments.
+- [../deploy/console.md](../../deploy/console.md) – console deployment specifics.
+- [../13_RELEASE_ENGINEERING_PLAYBOOK.md](../../13_RELEASE_ENGINEERING_PLAYBOOK.md) – release automation, signing, reproducibility.
+- [../artifacts/bom-index/README.md](../../artifacts/bom-index/README.md) – BOM index artifact layout for Offline Kit exports.
+
+## Offline & Sovereign Operations
+- [../quickstart.md](../../quickstart.md) – 5-minute path to first scan (useful for smoke testing installs).
+- [../10_OFFLINE_KIT.md](../../10_OFFLINE_KIT.md) & [../24_OFFLINE_KIT.md](../../24_OFFLINE_KIT.md) – bundle contents, import/export workflow.
+- [../airgap/airgap-mode.md](../../airgap/airgap-mode.md) – configuration for sealed environments.
+- [../license-jwt-quota.md](../../license-jwt-quota.md) – offline quota token lifecycle.
+- [../10_CONCELIER_CLI_QUICKSTART.md](../../10_CONCELIER_CLI_QUICKSTART.md) – workstation ingest/export workflow (operators).
+
+## Hardening & Governance
+- [../17_SECURITY_HARDENING_GUIDE.md](../../17_SECURITY_HARDENING_GUIDE.md) – platform hardening checklist.
+- [../accessibility.md](../../accessibility.md) – accessibility checklist for console deployments.
+- [../security/console-security.md](../../security/console-security.md) – console-specific controls.
+- [../security/authority-scopes.md](../../security/authority-scopes.md) – Authority scope model.
+- [../security/rate-limits.md](../../security/rate-limits.md) – throttling policy reference.
+- [../security/policy-governance.md](../../security/policy-governance.md) – policy governance guardrails.
+- [../security/audit-events.md](../../security/audit-events.md) – audit event catalogue.
+- [../security/revocation-bundle.md](../../security/revocation-bundle.md) & [../security/revocation-bundle-example.json](../../security/revocation-bundle-example.json) – revocation workflow.
+- [../security/password-hashing.md](../../security/password-hashing.md) – credential storage details.
+
+## Module Runbooks & Ops Guides
+- Module operations directories under [../../modules/](../../modules/) (Authority backups/monitoring, Concelier connectors, Scanner analyzers, Scheduler worker dashboards, Export Center runbook, DevOps launch readiness, Telemetry collector/storage, etc.).
+- [../runtime/SCANNER_RUNTIME_READINESS.md](../../runtime/SCANNER_RUNTIME_READINESS.md) – runtime readiness checklist.
+- Notifications Studio operations: see [../notifications/architecture.md](../../notifications/architecture.md), [../notifications/overview.md](../../notifications/overview.md), [../notifications/rules.md](../../notifications/rules.md), [../notifications/templates.md](../../notifications/templates.md), [../notifications/digests.md](../../notifications/digests.md).
+- Additional notification flows: [../notifications/pack-approvals-integration.md](../../notifications/pack-approvals-integration.md).
+- Observability operations: [../observability/observability.md](../../observability/observability.md), [../observability/ui-telemetry.md](../../observability/ui-telemetry.md).
+
+## DevOps & Release Automation
+- [../devops/policy-schema-export.md](../../devops/policy-schema-export.md) – policy schema export automation.
+- [../modules/devops/runbooks/launch-readiness.md](../../modules/devops/runbooks/launch-readiness.md), [../modules/devops/runbooks/launch-cutover.md](../../modules/devops/runbooks/launch-cutover.md), [../modules/devops/runbooks/deployment-upgrade.md](../../modules/devops/runbooks/deployment-upgrade.md), [../modules/devops/runbooks/nuget-preview-bootstrap.md](../../modules/devops/runbooks/nuget-preview-bootstrap.md).
+- [../modules/registry/operations/token-service.md](../../modules/registry/operations/token-service.md) – registry token runbook.
+- [../modules/concelier/operations/mirror.md](../../modules/concelier/operations/mirror.md) – mirror operations.
+- [../modules/concelier/operations/connectors/](../../modules/concelier/operations/connectors/) – connector-specific procedures (ACSC, CCCS, CERT-Bund, etc.).
+- [../modules/authority/operations/](../../modules/authority/operations/) – key rotation, monitoring, backup/restore.
+- [../modules/scanner/operations/](../../modules/scanner/operations/) – analyzer management, entrypoint guides, RustFS migration.
+- [../modules/scheduler/operations/](../../modules/scheduler/operations/) – worker dashboards, Prometheus rules.
+- [../modules/telemetry/operations/](../../modules/telemetry/operations/) – collector/storage deployment.

docs/technical/process/README.md

@@ -0,0 +1,25 @@
+# Process, Coordination & Change Logs
+
+Use these artefacts to understand team ownership, active workstreams, and historical updates.
+
+## Ownership & Roles
+- [../AGENTS.md](../../AGENTS.md) – global agent/role definitions.
+- Module ownership: each directory under [../modules/](../../modules/) includes `AGENTS.md`, `TASKS.md`, and `README.md` describing responsibilities.
+
+## Work Tracking
+- [../TASKS.md](../../TASKS.md) – Docs Guild task board.
+- Sprint plans and historical boards: [../implplan/SPRINTS.md](../../implplan/SPRINTS.md), [../implplan/SPRINTS_PRIOR_20251028.md](../../implplan/SPRINTS_PRIOR_20251028.md), [../implplan/SPRINTS_PRIOR_20251027.md](../../implplan/SPRINTS_PRIOR_20251027.md), [../implplan/SPRINTS_PRIOR_20251025.md](../../implplan/SPRINTS_PRIOR_20251025.md), [../implplan/SPRINTS_PRIOR_20251021.md](../../implplan/SPRINTS_PRIOR_20251021.md), [../implplan/SPRINTS_PRIOR_20251019.md](../../implplan/SPRINTS_PRIOR_20251019.md).
+- Execution plan: [../implplan/EXECPLAN.md](../../implplan/EXECPLAN.md).
+- Backlog hygiene and consolidation notes: [../backlog/](../../backlog/).
+- Task packs and reusable templates: [../task-packs/](../../task-packs/).
+
+## Communication & Updates
+- Architecture decision records: [../adr/index.md](../../adr/index.md) (template in [../adr/0000-template.md](../../adr/0000-template.md)).
+- RFCs in flight: [../rfcs/authority-plugin-ldap.md](../../rfcs/authority-plugin-ldap.md).
+- Release notes & updates: [../updates/](../../updates/).
+- Frequently asked questions: [../faq/](../../faq/).
+- Examples and golden data: [../examples/](../../examples/), [../events/samples/](../../events/samples/).
+
+## Supporting References
+- Risk & governance: [../risk/risk-profiles.md](../../risk/risk-profiles.md), [../security/policy-governance.md](../../security/policy-governance.md).
+- Observability/process integration: [../events/orchestrator-scanner-events.md](../../events/orchestrator-scanner-events.md), [../events/README.md](../../events/README.md).

docs/technical/security/README.md

@@ -0,0 +1,35 @@
+# Security, Risk & Governance
+
+Authoritative sources for threat models, governance, compliance, and security operations.
+
+## Policies & Governance
+- [../13_SECURITY_POLICY.md](../../13_SECURITY_POLICY.md) – responsible disclosure, support windows.
+- [../11_GOVERNANCE.md](../../11_GOVERNANCE.md) – project governance charter.
+- [../12_CODE_OF_CONDUCT.md](../../12_CODE_OF_CONDUCT.md) – community expectations.
+- [../17_SECURITY_HARDENING_GUIDE.md](../../17_SECURITY_HARDENING_GUIDE.md) – deployment hardening steps.
+- [../security/policy-governance.md](../../security/policy-governance.md) – policy governance specifics.
+- [../29_LEGAL_FAQ_QUOTA.md](../../29_LEGAL_FAQ_QUOTA.md) – legal interpretation of quota.
+- [../33_333_QUOTA_OVERVIEW.md](../../33_333_QUOTA_OVERVIEW.md) – quota policy reference.
+- [../risk/risk-profiles.md](../../risk/risk-profiles.md) – organisational risk personas.
+
+## Threat Models & Security Architecture
+- [../security/authority-threat-model.md](../../security/authority-threat-model.md) – Authority service threat analysis.
+- [../security/authority-scopes.md](../../security/authority-scopes.md) – scope model.
+- [../security/console-security.md](../../security/console-security.md) – Console posture guidance.
+- [../security/pack-signing-and-rbac.md](../../security/pack-signing-and-rbac.md) – pack signing, RBAC guardrails.
+- [../security/policy-governance.md](../../security/policy-governance.md) – policy governance controls.
+- [../security/rate-limits.md](../../security/rate-limits.md) – rate limiting behaviour.
+- [../security/password-hashing.md](../../security/password-hashing.md) – credential storage.
+
+## Audit, Revocation & Compliance
+- [../security/audit-events.md](../../security/audit-events.md) – audit event taxonomy.
+- [../security/revocation-bundle.md](../../security/revocation-bundle.md) & [../security/revocation-bundle-example.json](../../security/revocation-bundle-example.json) – revocation process.
+- [../license-jwt-quota.md](../../license-jwt-quota.md) – licence/quota enforcement controls.
+- [../30_QUOTA_ENFORCEMENT_FLOW1.md](../../30_QUOTA_ENFORCEMENT_FLOW1.md) – quota enforcement sequence.
+- [../10_OFFLINE_KIT.md](../../10_OFFLINE_KIT.md) & [../24_OFFLINE_KIT.md](../../24_OFFLINE_KIT.md) – tamper-evident offline artefacts.
+- [../security/](../../security/) – browse for additional deep dives (audit, scopes, rate limits).
+
+## Supporting Material
+- Module operations security notes: [../../modules/authority/operations/key-rotation.md](../../modules/authority/operations/key-rotation.md), [../../modules/concelier/operations/authority-audit-runbook.md](../../modules/concelier/operations/authority-audit-runbook.md), [../../modules/zastava/README.md](../../modules/zastava/README.md) (runtime enforcement).
+- [../observability/policy.md](../../observability/policy.md) – security-relevant telemetry for policy.
+- [../updates/2025-10-27-console-security-signoff.md](../../updates/2025-10-27-console-security-signoff.md) & [../updates/2025-10-31-console-security-refresh.md](../../updates/2025-10-31-console-security-refresh.md) – recent security sign-offs.

docs/technical/strategy/README.md

@@ -0,0 +1,22 @@
+# Strategy & Core Specifications
+
+Foundational references that describe Stella Ops’ goals, scope, and differentiators.
+
+- [../03_VISION.md](../../03_VISION.md) – north-star, KPIs, quarterly themes.
+- [../04_FEATURE_MATRIX.md](../../04_FEATURE_MATRIX.md) – capability matrix by tier (free, community, commercial).
+- [../05_SYSTEM_REQUIREMENTS_SPEC.md](../../05_SYSTEM_REQUIREMENTS_SPEC.md) – functional and non-functional requirements for the `v0.1.0-alpha` release (quota, scanning, policy, SLAs).
+- [../40_ARCHITECTURE_OVERVIEW.md](../../40_ARCHITECTURE_OVERVIEW.md) – guiding principles and platform-level design rationale.
+- [../moat.md](../../moat.md) – differentiating workstreams (deterministic replay, lattice policy, sovereign crypto readiness, attestation graph).
+- [../05_ROADMAP.md](../../05_ROADMAP.md) – legacy pointer to the public web roadmap (kept for historical links).
+- [../33_333_QUOTA_OVERVIEW.md](../../33_333_QUOTA_OVERVIEW.md) – free tier policy framing.
+- [../29_LEGAL_FAQ_QUOTA.md](../../29_LEGAL_FAQ_QUOTA.md) – legal interpretation of quota enforcement under AGPL-3.0.
+- [../13_SECURITY_POLICY.md](../../13_SECURITY_POLICY.md) – responsible disclosure support window and release line commitments.
+- [../14_GLOSSARY_OF_TERMS.md](../../14_GLOSSARY_OF_TERMS.md) – canonical vocabulary used across documentation.
+- [../15_UI_GUIDE.md](../../15_UI_GUIDE.md) – UX overview for stakeholders evaluating the console.
+- [../23_FAQ_MATRIX.md](../../23_FAQ_MATRIX.md) – stakeholder FAQ.
+
+## Related Concepts
+- [../33_333_QUOTA_OVERVIEW.md](../../33_333_QUOTA_OVERVIEW.md) and [../30_QUOTA_ENFORCEMENT_FLOW1.md](../../30_QUOTA_ENFORCEMENT_FLOW1.md) align business policy with enforcement diagrams.
+- [../license-jwt-quota.md](../../license-jwt-quota.md) – offline licensing narrative for quota tokens.
+- [../moat.md](../../moat.md) – includes procurement-grade trust statement blueprint.
+- [../10_OFFLINE_KIT.md](../../10_OFFLINE_KIT.md) & [../24_OFFLINE_KIT.md](../../24_OFFLINE_KIT.md) – strategic offline story (also referenced in Operations).