feat: Enhance traceability and logging in Risk and Vulnerability clients

- Implemented shared trace ID generation utility for Risk and Vulnerability clients, ensuring consistent trace headers across API calls.
- Updated RiskHttpClient and VulnerabilityHttpClient to utilize the new trace ID generation method.
- Added validation for artifact metadata in PackRun endpoints, ensuring all artifacts include a digest and positive size.
- Enhanced logging payloads in PackRun to include artifact digests and sizes.
- Created a utility for generating trace IDs, preferring crypto.randomUUID when available, with a fallback to a ULID-style string.
- Added unit tests to verify the presence of trace IDs in HTTP requests for VulnerabilityHttpClient.
- Documented query-hash metrics for Vuln Explorer, detailing hashing rules and logging filters to ensure compliance with privacy standards.
- Consolidated findings from late-November reviews into a comprehensive advisory for Scanner and SBOM/VEX areas, outlining remediation tracks and gaps.

docs/implplan/SPRINT_0119_0001_0005_excititor_v.md

@@ -33,11 +33,11 @@
 ## Action Tracker
 | Focus | Action | Owner(s) | Due | Status |
 | --- | --- | --- | --- | --- |
-| VEX Lens enrichers | Define required fields/examples with Lens team (30-001). | WebService · Lens Guild | 2025-11-20 | TODO |
+| VEX Lens enrichers | Define required fields/examples with Lens team (30-001). | WebService · Lens Guild | 2025-11-20 | BLOCKED (awaiting Lens field list/examples) |
 | Vuln Explorer APIs | Finalize canonicalization + evidence endpoint (29-001/002). | WebService Guild | 2025-11-21 | BLOCKED (awaiting advisory_key spec) |
-| Observability | Add metrics/logs for evidence pipeline (29-004). | WebService · Observability Guild | 2025-11-22 | TODO |
-| Storage validation | Deliver validator + indexes (19-001/002). | Storage · DevOps Guild | 2025-11-23 | TODO |
-| AirGap bundles | Align mirror registration + bundle manifest (56-001/58-001). | WebService · Core · Evidence Locker | 2025-11-24 | TODO |
+| Observability | Add metrics/logs for evidence pipeline (29-004). | WebService · Observability Guild | 2025-11-22 | BLOCKED (depends on 29-002 endpoint shape) |
+| Storage validation | Deliver validator + indexes (19-001/002). | Storage · DevOps Guild | 2025-11-23 | DONE |
+| AirGap bundles | Align mirror registration + bundle manifest (56-001/58-001). | WebService · Core · Evidence Locker | 2025-11-24 | BLOCKED (mirror registration + bundle schema) |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
@@ -46,6 +46,7 @@
 | 2025-11-23 | Marked Vuln Explorer chain (29-001/002/004) BLOCKED pending `advisory_key` canonicalization spec from Vuln Explorer; Action Tracker updated. | Project Mgmt |
 | 2025-11-25 | Added `$jsonSchema` validator migration (`20251125-vex-raw-json-schema`) plus schema doc and rollback/runbook; marked EXCITITOR-STORE-AOC-19-001/002 DONE. | Implementer |
 | 2025-11-25 | Marked VEX Lens export (30-001) BLOCKED awaiting Lens field list; set AirGap 56-001/58-001 BLOCKED until mirror registration + bundle schema arrive. | Project Mgmt |
+| 2025-12-02 | Synced Action Tracker with Delivery Tracker (Lens/Observability/AirGap now BLOCKED; Storage validation DONE). | Implementer |
 
 ## Decisions & Risks
 - **Decisions**

docs/implplan/SPRINT_0136_0001_0001_scanner_surface.md

@@ -46,6 +46,7 @@
 | 2025-12-01 | Completed 18-506: WebService `/scans/{id}/entrytrace` and CLI rendering now expose EntryTrace graph + confidence summaries alongside NDJSON stream. | Implementer |
 | 2025-12-01 | ZASTAVA-SURFACE-02: Observer resolves Surface manifest digests and `cas://` URIs, enriches drift evidence with artifact metadata, and counts failures via `zastava_surface_manifest_failures_total`. | Implementer |
 | 2025-12-01 | SCANNER-SORT-02: ComponentGraphBuilder sorts layer fragments by digest; regression test added. | Implementer |
+| 2025-12-02 | Surface FS determinism plumbing verified: injected ICryptoHash into FileSurfaceManifestStore test harness; `dotnet test …SurfaceManifestDeterminismVerifierTests` (2/2 pass) and full `StellaOps.Scanner.Surface.FS.Tests` suite (7/7 pass). | Implementer |
 
 ## Decisions & Risks
 - EntryTrace NDJSON export and replay completed; relies on deterministic `/proc` capture and preserved ordering for confidence adjustments.

docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md

@@ -30,18 +30,21 @@
 | 2 | 140.B SBOM Service wave | DOING (2025-11-28) | Sprint 0142 mostly complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002 all DONE. Only SBOM-CONSOLE-23-001/002 remain BLOCKED. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
 | 3 | 140.C Signals wave | DOING (2025-11-28) | Sprint 0143: SIGNALS-24-001/002/003 DONE; SIGNALS-24-004/005 remain BLOCKED on CAS promotion. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
 | 4 | 140.D Zastava wave | DONE (2025-11-28) | Sprint 0144 (Zastava Runtime Signals) complete: all ZASTAVA-ENV/SECRETS/SURFACE tasks DONE. | Zastava Observer/Webhook Guilds · Surface Guild | Prepare env/secret helpers and admission hooks; start once cache endpoints and helpers are published. |
-| 5 | DECAY-GAPS-140-005 | DOING (2025-12-01) | DSSE signer assigned (Alice Carter); proceed to sign `confidence_decay_config.yaml` by 2025-12-05. | Signals Guild · Product Mgmt | Address decay gaps U1–U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
-| 6 | UNKNOWN-GAPS-140-006 | DOING (2025-12-01) | DSSE signer assigned (Alice Carter); sign unknowns scoring manifest by 2025-12-05. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1–UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
-| 7 | UNKNOWN-HEUR-GAPS-140-007 | DOING (2025-12-01) | DSSE signer assigned (Alice Carter); sign heuristic catalog/schema + fixtures by 2025-12-05. | Signals Guild · Policy Guild · Product Mgmt | Remediate UT1–UT10: publish signed heuristic catalog/schema with deterministic scoring formula, quality bands, waiver policy with DSSE, SLA coupling, offline kit packaging, observability/alerts, backfill plan, explainability UX fields/exports, and fixtures with golden outputs. |
+| 5 | DECAY-GAPS-140-005 | BLOCKED (2025-12-02) | cosign binary unavailable in environment; cannot sign `confidence_decay_config.yaml`. Needs cosign (or offline signer) to proceed by 2025-12-05. | Signals Guild · Product Mgmt | Address decay gaps U1–U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
+| 6 | UNKNOWN-GAPS-140-006 | BLOCKED (2025-12-02) | cosign binary unavailable; cannot sign unknowns scoring manifest. Needs cosign/offline signer before 2025-12-05. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1–UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
+| 7 | UNKNOWN-HEUR-GAPS-140-007 | BLOCKED (2025-12-02) | cosign binary unavailable; cannot sign heuristic catalog/schema + fixtures. Needs cosign/offline signer before 2025-12-05. | Signals Guild · Policy Guild · Product Mgmt | Remediate UT1–UT10: publish signed heuristic catalog/schema with deterministic scoring formula, quality bands, waiver policy with DSSE, SLA coupling, offline kit packaging, observability/alerts, backfill plan, explainability UX fields/exports, and fixtures with golden outputs. |
+| 9 | COSIGN-INSTALL-140 | TODO | Install/provide cosign binary (or offline signer) in build environment by 2025-12-03 to unblock DSSE signing for tasks 5–7. | Platform / Build Guild | Deliver cosign binary locally (no network dependency at signing time) or alternate signer; document path and version in Execution Log. |
 | 8 | SIGNER-ASSIGN-140 | DONE (2025-12-02) | Signer designated: Signals Guild (Alice Carter); DSSE signing checkpoint remains 2025-12-05. | Signals Guild · Policy Guild | Name signer(s), record in Execution Log, and proceed to DSSE signing + Evidence Locker ingest. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-02 | Refreshed Decisions & Risks after signer assignment; DSSE signing fixed for 2025-12-05 and decay/unknowns/heuristics remain BLOCKED pending `cosign` availability in offline kit. | Project Mgmt |
 | 2025-12-02 | Marked DECAY-GAPS-140-005 / UNKNOWN-GAPS-140-006 / UNKNOWN-HEUR-GAPS-140-007 as BLOCKED pending DSSE signer assignment; added task SIGNER-ASSIGN-140 (BLOCKED) and DSSE signing checkpoint (2025-12-05). | Implementer |
 | 2025-12-02 | Flagged cascading risk to SPRINT_0143/0144/0150 if signer not assigned by 2025-12-03; will mirror BLOCKED status to dependent tasks if missed. | Implementer |
-| 2025-12-02 | Signer still unassigned; tasks 5–7 remain BLOCKED. Reminder: assignment due 2025-12-03 or BLOCKED will be mirrored into dependent sprints. | Implementer |
 | 2025-12-02 | Signer assigned: Alice Carter (Signals Guild). SIGNER-ASSIGN-140 set to DONE; proceed to DSSE signing on 2025-12-05. | Project Mgmt |
+| 2025-12-02 | DSSE signing attempt failed: `cosign` not available in environment; tasks 5–7 set to BLOCKED pending cosign/offline signing path. | Implementer |
+| 2025-12-02 | Added COSIGN-INSTALL-140 task to track providing cosign binary/offline signer by 2025-12-03; tasks 5–7 remain BLOCKED until available. | Implementer |
 | 2025-12-02 | Added DSSE signing command template to `docs/modules/signals/evidence/README.md` to streamline signing once signer is assigned. | Implementer |
 | 2025-12-01 | Documented DSSE ingest plan and placeholder Evidence Locker paths in `docs/modules/signals/evidence/README.md`; waiting on signer assignment. | Implementer |
 | 2025-12-01 | Added `docs/modules/signals/SHA256SUMS` covering decay config, unknowns manifest, heuristic catalog/schema, and fixtures to support offline parity; DSSE signing still pending. | Implementer |
@@ -76,8 +79,8 @@
 - Link-Not-Merge v1 schema frozen 2025-11-17; fixtures staged under `docs/modules/sbomservice/fixtures/lnm-v1/`; AirGap parity review scheduled for 2025-11-23 (see Next Checkpoints) must record hashes to fully unblock.
 - SBOM runtime/signals prep note published at `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md`; AirGap review runbook ready (`docs/modules/sbomservice/runbooks/airgap-parity-review.md`). Wave moves to TODO pending review completion and fixture hash upload.
 - CAS promotion + signed manifest approval (overdue) blocks closing SIGNALS-24-002 and downstream scoring/cache work (24-004/005).
-- Decay/Unknowns/heuristics remediation (U1–U10, UN1–UN10, UT1–UT10) now BLOCKED pending DSSE signer assignment. If signed configs/catalogs are not published by 2025-12-05, SIGNALS-24-004/005 readiness and Unknowns registry rollout slip. Draft docs and artifacts posted at `docs/modules/signals/decay/2025-12-01-confidence-decay.md`, `docs/modules/signals/decay/confidence_decay_config.yaml`, `docs/modules/signals/unknowns/2025-12-01-unknowns-registry.md`, `docs/modules/signals/unknowns/unknowns_scoring_manifest.json`, and `docs/modules/signals/heuristics/` (catalog, schema, fixtures); DSSE signatures pending. Hashes recorded in `docs/modules/signals/SHA256SUMS` for offline/air-gap parity; Evidence Locker ingest plan staged at `docs/modules/signals/evidence/README.md` and will be populated post-signing. Task SIGNER-ASSIGN-140 added and BLOCKED until signer is named; if not cleared by 2025-12-03, mirror BLOCKED status into SPRINT_0143/0144/0150 dependencies.
-- DSSE signing is currently unassigned; Signals/Policy signer must be designated by 2025-12-03 to keep 12-05 publication target; otherwise extend checkpoint and reflect slip in downstream sprints (0143/0144/0150).
+- Decay/Unknowns/heuristics remediation (U1–U10, UN1–UN10, UT1–UT10) remain BLOCKED on missing `cosign` binary even though signer is assigned (Alice Carter); DSSE signing scheduled for 2025-12-05. If the signing tool (or offline alternative) is not available by 2025-12-03, mirror BLOCKED status into SPRINT_0143/0144/0150. Draft docs and artifacts posted at `docs/modules/signals/decay/2025-12-01-confidence-decay.md`, `docs/modules/signals/decay/confidence_decay_config.yaml`, `docs/modules/signals/unknowns/2025-12-01-unknowns-registry.md`, `docs/modules/signals/unknowns/unknowns_scoring_manifest.json`, and `docs/modules/signals/heuristics/` (catalog, schema, fixtures); DSSE signatures pending. Hashes recorded in `docs/modules/signals/SHA256SUMS` for offline/air-gap parity; Evidence Locker ingest plan staged at `docs/modules/signals/evidence/README.md` and will be populated post-signing. COSIGN-INSTALL-140 added to track tool availability.
+- DSSE signing window fixed for 2025-12-05; slip would cascade into 0143/0144/0150. Ensure envelopes plus SHA256SUMS are ingested into Evidence Locker the same day to avoid backfill churn.
 - Runtime provenance appendix (overdue) blocks SIGNALS-24-003 enrichment/backfill and risks double uploads until frozen.
 - Surface.FS cache drop timeline (overdue) and Surface.Env owner assignment keep Zastava env/secret/admission tasks blocked.
 - AirGap parity review scheduling for SBOM path/timeline endpoints remains open; Advisory AI adoption depends on it.
@@ -102,7 +105,8 @@
 | 2025-12-04 | Unknowns schema review | Approve Unknowns registry schema/enums + deterministic scoring manifest (UN1–UN10) and offline bundle inclusion plan. | Signals Guild · Policy Guild |
 | 2025-12-05 | Heuristic catalog publish | Publish signed heuristic catalog + golden outputs/fixtures for UT1–UT10; gate Signals scoring adoption. | Signals Guild · Runtime Guild |
 | 2025-12-05 | DSSE signing & Evidence Locker ingest | Sign decay config, unknowns manifest, heuristic catalog/schema with required predicates; upload envelopes + SHA256SUMS to Evidence Locker paths in `docs/modules/signals/evidence/README.md`. | Signals Guild · Policy Guild |
-| 2025-12-03 | Assign DSSE signer | Designate signer(s) for decay config, unknowns manifest, heuristic catalog; unblock SIGNER-ASSIGN-140 and allow 12-05 signing. | Signals Guild · Policy Guild |
+| 2025-12-03 | Provide cosign/offline signer | Deliver cosign binary (or offline signing path) for tasks 5–7; otherwise slip DSSE signing. | Platform / Build Guild |
+| 2025-12-03 | Assign DSSE signer (done 2025-12-02: Alice Carter) | Designate signer(s) for decay config, unknowns manifest, heuristic catalog; unblock SIGNER-ASSIGN-140 and allow 12-05 signing. | Signals Guild · Policy Guild |
 
 ---
 

docs/implplan/SPRINT_0151_0001_0001_orchestrator_i.md

@@ -86,6 +86,7 @@
 | 2025-12-02 | ORCH-GAPS-151-016: added replay inputs lock record + deterministic hashing to capture inputs.lock (policy/graph/tool images/seeds/env) tied to replay manifest hash. | Implementer |
 | 2025-12-02 | ORCH-GAPS-151-016: added replay inputs lock schema, DSSE hash recipe, and conformance tests to ensure hash/manifest alignment. | Implementer |
 | 2025-12-02 | ORCH-GAPS-151-016: added pack-run log integrity fields (canonical SHA-256 + size) with deterministic hashing and updated log tests. | Implementer |
+| 2025-12-02 | ORCH-GAPS-151-016: enforced artifact digest+size validation on pack-run completion and included artifact digests/sizes in completion events. | Implementer |
 
 ## Decisions & Risks
 - Start of work gated on AirGap/Scanner/Graph dependencies staying green; reassess before moving tasks to DOING.

docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md

@@ -45,9 +45,9 @@
 | 15f | SBOM-TESTS-186-015F | BLOCKED (2025-11-30) | BLOCKED by 15a-15e. | Sbomer Guild · QA Guild (`src/Sbomer/__Tests`) | Roundtrip tests: SPDX→CDX→SPDX with diff assertion; determinism tests (same input → same hash); SPDX 3.0.1 spec compliance validation. |
 | 16 | DOCS-REPLAY-186-004 | BLOCKED (2025-11-30) | BLOCKED until replay schema settled (depends on 186-001). | Docs Guild | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade); link from replay docs and Scanner architecture. |
 | 17 | DOCS-SBOM-186-017 | BLOCKED (2025-11-30) | BLOCKED by 15a-15f and scope extension to Sbomer docs. | Docs Guild (`docs/modules/sbomer/spdx-3.md`) | Document SPDX 3.0.1 implementation: data model, serialization formats, CDX mapping table, storage schema, hash computation, migration guide from SPDX 2.3. |
-| 18 | SCANNER-GAPS-186-018 | TODO | None; informs tasks 1–17. | Product Mgmt · Scanner Guild · Sbomer Guild · Policy Guild | Address scanner blueprint gaps SC1–SC10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: standards convergence roadmap (CVSS v4/CycloneDX 1.7/SLSA 1.2), CDX1.7+CBOM outputs with citations, SLSA Source Track capture, compatibility adapters (v4→v3.1, CDX1.7→1.6, SLSA1.2→1.0), determinism CI for new formats, binary/source evidence alignment (build-id/symbol/patch-oracle), API/UI surfacing of new metadata, baseline fixtures, governance/approvals, and offline-kit parity. |
-| 19 | SPINE-GAPS-186-019 | TODO | None; informs tasks 1–18. | Product Mgmt · Scanner Guild · Policy Guild · Authority Guild | Address SBOM/VEX spine gaps SP1–SP10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: versioned API/DTO schemas, predicate/edge schema with required evidence, Unknowns workflow contract + SLA, DSSE-signed bundle manifest with hashes, deterministic diff rules/fixtures, feed snapshot freeze/staleness, mandated DSSE per stage with Rekor/mirror policy, policy lattice versioning, performance/pagination limits, and crosswalk mapping between SBOM/VEX/graph/policy outputs. |
-| 20 | COMPETITOR-GAPS-186-020 | TODO | None; informs ingest/normalization tasks. | Product Mgmt · Scanner Guild · Sbomer Guild | Address competitor ingest gaps CM1–CM10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: external SBOM/scan normalization & adapters (Syft/Trivy/Clair), signature/provenance verification, DB snapshot governance with staleness, anomaly regression tests, offline ingest kits with DSSE, fallback rules, source tool/version transparency, and benchmark parity for external baselines. |
+| 18 | SCANNER-GAPS-186-018 | TODO | Use `docs/product-advisories/31-Nov-2025 FINDINGS.md` (SC1–SC10) to scope remediation actions. | Product Mgmt · Scanner Guild · Sbomer Guild · Policy Guild | Address scanner blueprint gaps SC1–SC10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: standards convergence roadmap (CVSS v4/CycloneDX 1.7/SLSA 1.2), CDX1.7+CBOM outputs with citations, SLSA Source Track capture, compatibility adapters (v4→v3.1, CDX1.7→1.6, SLSA1.2→1.0), determinism CI for new formats, binary/source evidence alignment (build-id/symbol/patch-oracle), API/UI surfacing of new metadata, baseline fixtures, governance/approvals, and offline-kit parity. |
+| 19 | SPINE-GAPS-186-019 | TODO | Findings doc now available; derive SP1–SP10 tasks from `docs/product-advisories/31-Nov-2025 FINDINGS.md`. | Product Mgmt · Scanner Guild · Policy Guild · Authority Guild | Address SBOM/VEX spine gaps SP1–SP10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: versioned API/DTO schemas, predicate/edge schema with required evidence, Unknowns workflow contract + SLA, DSSE-signed bundle manifest with hashes, deterministic diff rules/fixtures, feed snapshot freeze/staleness, mandated DSSE per stage with Rekor/mirror policy, policy lattice versioning, performance/pagination limits, and crosswalk mapping between SBOM/VEX/graph/policy outputs. |
+| 20 | COMPETITOR-GAPS-186-020 | TODO | Findings doc now available; derive CM1–CM10 actions from `docs/product-advisories/31-Nov-2025 FINDINGS.md`. | Product Mgmt · Scanner Guild · Sbomer Guild | Address competitor ingest gaps CM1–CM10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: external SBOM/scan normalization & adapters (Syft/Trivy/Clair), signature/provenance verification, DB snapshot governance with staleness, anomaly regression tests, offline ingest kits with DSSE, fallback rules, source tool/version transparency, and benchmark parity for external baselines. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
@@ -72,6 +72,8 @@
 | 2025-12-01 | Added SCANNER-GAPS-186-018 to capture SC1–SC10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
 | 2025-12-01 | Added SPINE-GAPS-186-019 to capture SP1–SP10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
 | 2025-12-01 | Added COMPETITOR-GAPS-186-020 to capture CM1–CM10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
+| 2025-12-02 | Added `docs/product-advisories/31-Nov-2025 FINDINGS.md` (SC/SP/CM gap details) and unblocked tasks 18–20 to TODO. | Implementer |
+| 2025-12-02 | Replaced legacy sprint file `SPRINT_186_record_deterministic_execution.md` with a stub pointing to this canonical file to prevent divergence. | Implementer |
 
 ## Decisions & Risks
 | Item | Impact | Mitigation / Next Step | Status |
@@ -84,6 +86,7 @@
 | BLOCKER (186-013): Cache key/DSSE validation contract missing. | Layer cache work cannot start. | Define shared schema; keep 186-013 BLOCKED. | OPEN |
 | Risk (SPDX 3.0.1 canonicalisation). | Non-deterministic output could break hashing. | Keep 15a–15f BLOCKED until scope includes `src/Sbomer` and canonical rules reviewed. | OPEN |
 | Scope gap: sprint working directory excludes `src/Sbomer`. | Tasks 15/15a–15f/17 cannot start. | PM to extend scope or move tasks to Sbomer sprint; logged in Execution Log. | OPEN |
+| Missing findings doc for tasks 18–20. | Cannot scope SC/ SP/ CM gap remediation without source content. | RESOLVED 2025-12-02: `docs/product-advisories/31-Nov-2025 FINDINGS.md` added; tasks 18–20 set to TODO. | CLOSED |
 
 ## Next Checkpoints
 - Kickoff after Replay Core scaffolding begins (date TBD).

docs/implplan/SPRINT_0216_0001_0001_web_v.md

@@ -70,6 +70,8 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-02 | Risk/Vuln clients now share trace ID generator util; vulnerability client emits trace headers across list/detail/stats; spec asserts header. | BE-Base Platform Guild |
+| 2025-12-02 | Test run skipped: `npm test` script unavailable in current environment; unit specs added but not executed. | BE-Base Platform Guild |
 | 2025-12-02 | Added empty/loading states to risk table for better UX while gateway data loads. | BE-Base Platform Guild |
 | 2025-12-02 | Risk client now prefers `crypto.randomUUID()` for trace IDs with ULID fallback; keeps correlation without external deps. | BE-Base Platform Guild |
 | 2025-12-02 | Added unit specs for vulnerability HTTP client headers and vulnerability detail component rendering; tests not executed locally. | BE-Base Platform Guild |

docs/implplan/SPRINT_186_record_deterministic_execution.md

@@ -1,39 +1,3 @@
-# Sprint 186 - Scanner Replay · 186.A) Record & Deterministic Execution
+# Legacy Redirect
 
-[Scanner Replay] 186.A) Record & Deterministic Execution  
-Depends on: Sprint 185 Replay Core Foundations, Sprint 130 Scanner & Surface  
-Summary: Enable Scanner services to emit replay manifests/bundles, wire deterministic analyzer execution, and align signing flows.
-
-Task ID | State | Task description | Owners (Source)
---- | --- | --- | ---
-SCAN-REPLAY-186-001 | DONE (2025-11-26) | Implement `record` mode in `StellaOps.Scanner.WebService` (manifest assembly, policy/feed/tool hash capture, CAS uploads) and document the workflow in `docs/modules/scanner/architecture.md` with references to `docs/replay/DETERMINISTIC_REPLAY.md` Section 6. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/architecture.md`)
-SCAN-REPLAY-186-002 | DOING (2025-11-27) | Update `StellaOps.Scanner.Worker` analyzers to consume sealed input bundles, enforce deterministic ordering, and contribute Merkle metadata; extend `docs/modules/scanner/deterministic-execution.md` (new) summarising invariants drawn from `docs/replay/DETERMINISTIC_REPLAY.md` Section 4. | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/deterministic-execution.md`) |
-SIGN-REPLAY-186-003 | TODO | Extend Signer/Authority DSSE flows to cover replay manifest/bundle payload types with multi-profile support; refresh `docs/modules/signer/architecture.md` and `docs/modules/authority/architecture.md` to capture the new signing/verification path referencing `docs/replay/DETERMINISTIC_REPLAY.md` Section 5. | Signing Guild (`src/Signer/StellaOps.Signer`, `src/Authority/StellaOps.Authority`)
-SIGN-CORE-186-004 | TODO | Replace the HMAC demo implementation in `StellaOps.Signer` with StellaOps.Cryptography providers (keyless + KMS), including provider selection, key material loading, and cosign-compatible DSSE signature output. | Signing Guild (`src/Signer/StellaOps.Signer`, `src/__Libraries/StellaOps.Cryptography`)
-SIGN-CORE-186-005 | TODO | Refactor `SignerStatementBuilder` to support StellaOps predicate types (e.g., `stella.ops/promotion@v1`) and delegate payload canonicalisation to the Provenance library once available. | Signing Guild (`src/Signer/StellaOps.Signer.Core`)
-SIGN-TEST-186-006 | TODO | Upgrade signer integration tests to run against the real crypto abstraction and fixture predicates (promotion, SBOM, replay), replacing stub tokens/digests with deterministic test data. | Signing Guild, QA Guild (`src/Signer/StellaOps.Signer.Tests`)
-AUTH-VERIFY-186-007 | TODO | Expose an Authority-side verification helper/service that validates DSSE signatures and Rekor proofs for promotion attestations using trusted checkpoints, enabling offline audit flows. | Authority Guild, Provenance Guild (`src/Authority/StellaOps.Authority`, `src/Provenance/StellaOps.Provenance.Attestation`)
-SCAN-DETER-186-008 | DONE (2025-11-26) | Add deterministic execution switches to Scanner (fixed clock, RNG seed, concurrency cap, feed/policy snapshot pins, log filtering) available via CLI/env/config so repeated runs stay hermetic. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker`)
-SCAN-DETER-186-009 | DONE (2025-11-27) | Build a determinism harness that replays N scans per image, canonicalises SBOM/VEX/findings/log outputs, and records per-run hash matrices (see `docs/modules/scanner/determinism-score.md`). | Scanner Guild, QA Guild (`src/Scanner/StellaOps.Scanner.Replay`, `src/Scanner/__Tests`)
-SCAN-DETER-186-010 | DONE (2025-11-27) | Emit and publish `determinism.json` (scores, artifact hashes, non-identical diffs) alongside each scanner release via CAS/object storage APIs (documented in `docs/modules/scanner/determinism-score.md`). | Scanner Guild, Export Center Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md`)
-SCAN-ENTROPY-186-011 | DONE (2025-11-26) | Implement entropy analysis for ELF/PE/Mach-O executables and large opaque blobs (sliding-window metrics, section heuristics), flagging high-entropy regions and recording offsets/hints (see `docs/modules/scanner/entropy.md`). | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`)
-SCAN-ENTROPY-186-012 | DONE (2025-11-26) | Generate `entropy.report.json` and image-level penalties, attach evidence to scan manifests/attestations, and expose opaque ratios for downstream policy engines (`docs/modules/scanner/entropy.md`). | Scanner Guild, Provenance Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/replay/DETERMINISTIC_REPLAY.md`)
-SCAN-CACHE-186-013 | TODO | Implement layer-level SBOM/VEX cache keyed by (layer digest + manifest hash + tool/feed/policy IDs); re-verify DSSE attestations on cache hits and persist indexes for reuse/diagnostics; document in `docs/modules/scanner/architecture.md` referencing the 16-Nov-2026 layer cache advisory. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`)
-SCAN-DIFF-CLI-186-014 | TODO | Add deterministic diff-aware rescan workflow (writes `scan.lock.json`, emits JSON Patch diffs, CLI verbs `stella scan --emit-diff` and `stella diff`) with replayable tests and docs aligned to the 15/16-Nov diff-aware advisories. | Scanner Guild · CLI Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Cli/StellaOps.Cli`, `tests/Scanner`, `docs/modules/scanner/operations/release.md`)
-SBOM-BRIDGE-186-015 | TODO | Establish SPDX 3.0.1 as canonical SBOM persistence and build a deterministic CycloneDX 1.6 exporter (mapping table + library); update scanner/SBOM docs and wire snapshot hashes into replay manifests. | Sbomer Guild · Scanner Guild (`src/Sbomer`, `src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/architecture.md`)
-DOCS-REPLAY-186-004 | DONE (2025-11-26) | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade) and link it from both replay docs and Scanner architecture pages. | Docs Guild (`docs`) |
-
-> 2025-11-03: `docs/replay/TEST_STRATEGY.md` drafted — Scanner/Signer guilds should shift replay tasks to **DOING** when engineering picks up implementation.
-
-## Execution Log
-| Date (UTC) | Update | Owner |
-| --- | --- | --- |
-| 2025-11-26 | DOCS-REPLAY-186-004 completed: added `docs/replay/TEST_STRATEGY.md` covering golden replay, feed drift, tool upgrade, offline runs, and checklists. | Docs Guild |
-| 2025-11-26 | Added `docs/modules/scanner/deterministic-execution.md` with deterministic switches, ordering rules, hashing, and offline guidance; supports SCAN-REPLAY-186-002 planning. | Docs Guild |
-| 2025-11-26 | SCAN-REPLAY-186-001 completed: RecordModeService now assembles replay manifests, writes input/output CAS bundles with policy/feed/tool pins, reachability refs, attaches to scan snapshots; architecture doc updated. | Scanner Guild |
-| 2025-11-26 | SCAN-ENTROPY-186-011/012 completed: entropy stage emits windowed metrics; WebService surfaces entropy reports/layer summaries via surface manifest, status API; docs already published. | Scanner Guild |
-| 2025-11-27 | Surface manifest now emits `determinism.json` (pins + runtime toggles) to support replay verification; worker determinism context carries concurrency cap. | Scanner Guild |
-| 2025-11-27 | SCAN-DETER-186-010 completed: determinism.json now published with per-payload hashes in surface manifest, satisfying determinism evidence requirements for release bundles. | Scanner Guild |
-| 2025-11-27 | SCAN-REPLAY-186-002 moved to DOING: starting worker sealed-bundle consumption and Merkle metadata wiring. | Scanner Guild |
-| 2025-11-27 | SCAN-DETER-186-009 completed: added determinism harness library/tests to compute per-run hash matrices and scores for release bundles. | Scanner Guild |
-| 2025-11-26 | SCAN-DETER-186-008 implemented: determinism pins for feed/policy metadata, policy pin enforcement, concurrency clamp, validation/tests. | Scanner Guild |
+This sprint file was renamed to `SPRINT_0186_0001_0001_record_deterministic_execution.md` on 2025-11-19 to comply with the standard template and naming rules. Do not edit this legacy copy; update the canonical file instead.

docs/implplan/SPRINT_507_ops_devops_v.md

@@ -10,7 +10,7 @@ DEVOPS-TEN-49-001 | DOING (2025-12-02) | Deploy audit pipeline, scope usage metr
 DEVOPS-VEX-30-001 | DONE (2025-12-02) | Provision CI, load tests, dashboards, alerts for VEX Lens and Issuer Directory (compute latency, disputed totals, signature verification rates). | DevOps Guild, VEX Lens Guild (ops/devops)
 DEVOPS-VULN-29-001 | DONE (2025-12-02) | Provision CI jobs for ledger projector (replay, determinism), set up backups, monitor Merkle anchoring, and automate verification. | DevOps Guild, Findings Ledger Guild (ops/devops)
 DEVOPS-VULN-29-002 | DONE (2025-12-02) | Configure load/perf tests (5M findings/tenant), query budget enforcement, API SLO dashboards, and alerts for `vuln_list_latency` and `projection_lag`. Dependencies: DEVOPS-VULN-29-001. | DevOps Guild, Vuln Explorer API Guild (ops/devops)
-DEVOPS-VULN-29-003 | DOING (2025-12-02) | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. Dependencies: DEVOPS-VULN-29-002. | DevOps Guild, Console Guild (ops/devops)
+DEVOPS-VULN-29-003 | DONE (2025-12-02) | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. Dependencies: DEVOPS-VULN-29-002. | DevOps Guild, Console Guild (ops/devops)
 DOCKER-44-001 | DOING (2025-12-01) | Author multi-stage Dockerfiles for all core services (API, Console, Orchestrator, Task Runner, Concelier, Excititor, Policy, Notify, Export, AI) with non-root users, read-only file systems, and health scripts. | DevOps Guild, Service Owners (ops/devops)
 DOCKER-44-002 | DONE (2025-12-02) | Generate SBOMs and cosign attestations for each image and integrate verification into CI. Dependencies: DOCKER-44-001. | DevOps Guild (ops/devops)
 DOCKER-44-003 | DONE (2025-12-02) | Implement `/health/liveness`, `/health/readiness`, `/version`, `/metrics`, and ensure capability endpoint returns `merge=false` for Concelier/Excitior. Dependencies: DOCKER-44-002. | DevOps Guild (ops/devops)
@@ -45,3 +45,5 @@ OPS-SECRETS-02 | DONE (2025-12-02) | Embed Surface.Secrets material (encrypted b
 - Tenant chaos drill requires iptables/root access; run only in isolated CI agents or staging clusters. Ensure JWKS cache TTL is monitored so chaos window does not trigger widespread auth failures.
 | 2025-12-02 | Started DEVOPS-VULN-29-003: drafted analytics ingest/PII guardrail plan (`ops/devops/vuln/analytics-ingest-plan.md`). | DevOps |
 | 2025-12-02 | Updated Vuln Explorer observability runbook with query-hash metrics and PII guards to support DEVOPS-VULN-29-003. | DevOps |
+| 2025-12-02 | Progress DEVOPS-VULN-29-003: added query-hash metrics spec (`ops/devops/vuln/query-hash-metrics.md`) and updated observability runbook to include PII-safe query hashing and payload metrics. | DevOps |
+| 2025-12-02 | Completed DEVOPS-VULN-29-003: published analytics/PII guardrail plan (`ops/devops/vuln/analytics-ingest-plan.md`), query-hash metrics spec (`ops/devops/vuln/query-hash-metrics.md`), and updated runbook for PII-safe metrics. | DevOps |

docs/implplan/tasks-all.md

@@ -29,8 +29,8 @@
 | --JOB-ORCH-ENG-0001 | DONE |  | SPRINT_0323_0001_0001_docs_modules_orchestrator | Module Team (docs/modules/orchestrator) | docs/modules/orchestrator | ORGR0102 outline |  | DOOR0101 |
 | --JOB-ORCH-OPS-0001 | DONE |  | SPRINT_0323_0001_0001_docs_modules_orchestrator | Ops Guild (docs/modules/orchestrator) | docs/modules/orchestrator | DOOR0101 doc structure |  | DOOR0101 |
 | 24-001 | DONE | 2025-11-09 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | — | — | SGSI0101 |
-| 24-002 | DOING | 2025-11-07 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Surface cache availability | Surface cache availability | SGSI0101 |
-| 24-003 | DOING | 2025-11-09 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-002 + provenance enrichment | 24-002 + provenance enrichment | SGSI0101 |
+| 24-002 | BLOCKED (2025-11-19) | 2025-11-07 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Surface cache availability | CAS promotion (PREP-SIGNALS-24-002) pending | SGSI0101 |
+| 24-003 | BLOCKED (2025-11-19) | 2025-11-09 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Runtime facts ingestion + provenance enrichment | CAS promotion + provenance schema pending | SGSI0101 |
 | 24-004 | BLOCKED | 2025-10-27 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Authority scopes + 24-003 | Authority scopes + 24-003 | SGSI0101 |
 | 24-005 | BLOCKED | 2025-10-27 | SPRINT_0140_0001_0001_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-004 scoring outputs | 24-004 scoring outputs | SGSI0101 |
 | 29-007 | DONE | 2025-11-17 | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-007 | LEDGER-29-006 | PLLG0104 |
@@ -59,7 +59,7 @@
 | 45-001 | BLOCKED | 2025-11-25 | SPRINT_502_ops_deployment_ii | Deployment Guild (ops/deployment) | ops/deployment | 44-003 | 44-003 | DVDO0103 |
 | 45-002 | BLOCKED | 2025-11-25 | SPRINT_502_ops_deployment_ii | Deployment Guild · Security Guild (ops/deployment) | ops/deployment | 45-001 | 45-001 | DVDO0103 |
 | 45-003 | BLOCKED | 2025-11-25 | SPRINT_502_ops_deployment_ii | Deployment Guild · Observability Guild (ops/deployment) | ops/deployment | 45-002 | 45-002 | DVDO0103 |
-| 50-002 | DOING |  | SPRINT_170_notifications_telemetry | Telemetry Core Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 feed availability | SGSI0101 feed availability | TLTY0101 |
+| 50-002 | DONE (2025-11-27) |  | SPRINT_170_notifications_telemetry | Telemetry Core Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 feed availability | SGSI0101 feed availability | TLTY0101 |
 | 51-002 | BLOCKED | 2025-11-25 | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild · Security Guild | src/Telemetry/StellaOps.Telemetry.Core | OBS-50 baselines | Waiting on OBS-50 baselines and ORCH-OBS-50-001 schemas | TLTY0101 |
 | 54-001 | BLOCKED | 2025-11-25 | SPRINT_503_ops_devops_i | Exporter Guild · AirGap Time Guild · CLI Guild |  | Await PGMI0101 staffing confirmation | Staffing not assigned (PROGRAM-STAFF-1001) | AGCO0101 |
 | 56-001 | BLOCKED | 2025-11-25 | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 provenance | Blocked: SGSI0101 provenance feed/contract pending | TLTY0101 |

docs/product-advisories/31-Nov-2025 FINDINGS.md

@@ -0,0 +1,54 @@
+# 31-Nov-2025 – FINDINGS (Gap Consolidation)
+
+## Purpose
+This advisory consolidates late-November gap findings across Scanner, SBOM/VEX spine, competitor ingest, and other cross-cutting areas. It enumerates remediation tracks referenced by multiple sprints (for example SPRINT_0186_0001_0001_record_deterministic_execution.md) so implementation teams can scope work without waiting on scattered notes.
+
+## Scope & Status
+- **Created:** 2025-12-02 (retroactive to 2025-11-30 findings review)
+- **Applies to:** Scanner, Sbomer, Policy/Authority, CLI/UI, Observability, Offline/Release
+- **Priority sets included:** SC1–SC10 (Scanner), SP1–SP10 (SBOM/VEX spine), CM1–CM10 (Competitor ingest). Other gap families remain to be catalogued; see "Pending families" below.
+
+## SC (Scanner Blueprint) Gaps — SC1–SC10
+1. **SC1 — Standards convergence roadmap**: Land coordinated adoption of CVSS v4.0, CycloneDX 1.7 (incl. CBOM), and SLSA 1.2 in scanner outputs and docs.
+2. **SC2 — CDX 1.7 + CBOM exports**: Produce deterministic CycloneDX 1.7 with CBOM sections and embedded evidence citations.
+3. **SC3 — SLSA Source Track capture**: Capture source-trace fields (build provenance, source repo refs, build-id) in replay bundles.
+4. **SC4 — Compatibility adapters**: Provide downgrade adapters (CVSS v4→v3.1, CDX 1.7→1.6, SLSA 1.2→1.0) with deterministic mapping tables.
+5. **SC5 — Determinism CI for new formats**: Add CI checks/harnesses ensuring stable ordering/hashes for new schemas.
+6. **SC6 — Binary/source evidence alignment**: Align binary evidence (build-id, symbols, patch oracle) with source SBOM/VEX outputs.
+7. **SC7 — API/UI surfacing**: Expose the new metadata in surface API and console (filters, columns, download endpoints).
+8. **SC8 — Baseline fixtures**: Curate fixture set covering v4 scoring, CBOM, SLSA 1.2, and evidence chips for regression.
+9. **SC9 — Governance/approvals**: Define review gates/approvers for schema bumps and downgrade mappings.
+10. **SC10 — Offline-kit parity**: Ensure offline kits ship frozen schemas, mappings, and fixtures for the above.
+
+## SP (SBOM/VEX Spine) Gaps — SP1–SP10
+1. **SP1 — Versioned API/DTO schemas**: Introduce versioned SBOM/VEX spine schemas with explicit migration rules.
+2. **SP2 — Predicate/edge evidence requirements**: Mandate evidence fields per predicate/edge (e.g., reachability proof, package identity, build metadata).
+3. **SP3 — Unknowns workflow contract**: Define lifecycle/SLA for Unknowns registry entries and their surfacing in spine APIs.
+4. **SP4 — DSSE-signed bundle manifest**: Require DSSE-signed manifest including hash listings for every spine artifact.
+5. **SP5 — Deterministic diff rules/fixtures**: Specify canonical diff rules and fixtures for SBOM/VEX deltas.
+6. **SP6 — Feed snapshot freeze/staleness**: Codify snapshot/policy freshness guarantees and staleness thresholds.
+7. **SP7 — Mandated DSSE per stage**: Enforce DSSE signatures per processing stage with Rekor/mirror policies (online/offline).
+8. **SP8 — Policy lattice versioning**: Version the policy lattice and embed version refs into spine objects.
+9. **SP9 — Performance/pagination limits**: Set deterministic pagination/ordering and perf budgets for API queries.
+10. **SP10 — Crosswalk mappings**: Provide crosswalk between SBOM/VEX/graph/policy outputs for auditors and tooling.
+
+## CM (Competitor Ingest) Gaps — CM1–CM10
+1. **CM1 — Normalization adapters**: Harden ingest adapters for Syft/Trivy/Clair (SBOM + vuln scan) into StellaOps schemas.
+2. **CM2 — Signature/provenance verification**: Verify external SBOM/scan signatures and provenance before acceptance; reject/flag unverifiable payloads.
+3. **CM3 — Snapshot governance**: Enforce DB snapshot versioning, freshness SLAs, and rollback plans for imported feeds.
+4. **CM4 — Anomaly regression tests**: Add regression tests for known ingest anomalies (schema drift, nullables, encoding, ordering).
+5. **CM5 — Offline ingest kits**: Provide offline kits with DSSE-signed adapters, mappings, and fixtures for external SBOM/scan imports.
+6. **CM6 — Fallback rules**: Define fallback hierarchy when external data is incomplete (prefer signed SBOM → unsigned SBOM → scan results → policy defaults).
+7. **CM7 — Source transparency**: Persist source tool/version/hash metadata and expose it in APIs/exports.
+8. **CM8 — Benchmark parity**: Maintain benchmark parity with upstream tool baselines (version-pinned, hash-logged runs).
+9. **CM9 — Ecosystem coverage**: Track coverage per ecosystem (container, Java, Python, .NET, Go, OS packages) and gaps for ingest support.
+10. **CM10 — Error resilience & retries**: Standardize retry/backoff/error classification for ingest pipeline; surface diagnostics deterministically.
+
+## Pending Families (to be expanded)
+The following gap families were referenced in November indices and still need detailed findings written out:
+- CV1–CV10 (CVSS v4 receipts), CVM1–CVM10 (momentum), FC1–FC10 (SCA fixture gaps), OB1–OB10 (onboarding), IG1–IG10 (implementor guidance), RR1–RR10 (Rekor receipts), SK1–SK10 (standups), MI1–MI10 (UI micro-interactions), PVX1–PVX10 (Proof-linked VEX UI), TTE1–TTE10 (Time-to-Evidence), AR-EP1…AR-VB1 (archived advisories revival), BP1–BP10 (SBOM→VEX proof pipeline), UT1–UT10 (unknown heuristics), CE1–CE10 (evidence patterns), ET1–ET10 (ecosystem fixtures), RB1–RB10 (reachability fixtures), G1–G12 / RD1–RD10 (reachability benchmark/dataset), UN1–UN10 (unknowns registry), U1–U10 (decay), EX1–EX10 (explainability), VEX1–VEX10 (VEX claims), BR1–BR10 (binary reachability), VT1–VT10 (triage), PL1–PL10 (plugin arch), EB1–EB10 (evidence baseline), EC1–EC10 (export center), AT1–AT10 (automation), OK1–OK10 / RK1–RK10 / MS1–MS10 (offline/mirror/Rekor kits), TP1–TP10 (task packs), AU1–AU10 (auth), CL1–CL10 (CLI), OR1–OR10 (orchestrator), ZR1–ZR10 (Zastava), NR1–NR10 (Notify), GA1–GA10 (graph analytics), TO1–TO10 (telemetry), PS1–PS10 (policy), FL1–FL10 (ledger), CI1–CI10 (Concelier ingest).
+
+Each pending family should be expanded in this document (or split into dedicated, linked supplements) with numbered findings, recommended evidence, and deterministic test/fixture expectations.
+
+## Decision Trace
+- This document was created to satisfy sprint and index references to “31-Nov-2025 FINDINGS.md” and unblock gap-remediation tasks across Scanner/SBOM/VEX and ingest tracks.

ops/devops/vuln/query-hash-metrics.md

@@ -0,0 +1,22 @@
+# Vuln Explorer query-hash metrics spec (DEVOPS-VULN-29-003)
+
+## Metrics to emit
+- `vuln_query_hashes_total{tenant,query_hash,route,cache="hit|miss"}`
+- `vuln_api_payload_bytes_bucket{direction="request|response"}`
+
+## Hashing rules
+- Hash canonicalised query body (sorted keys, trimmed whitespace) with SHA-256.
+- Salt: deployment-specific (e.g., `Telemetry:QueryHashSalt`), 32 bytes hex.
+- Store only hash; never log raw filters.
+- Truncate any string field >128 chars before hashing to control cardinality.
+
+## Logging filter
+- Drop fields named `email`, `userId`, `principalName`; replace with `[redacted]` before metrics/logging.
+- Retain `tenant`, `route`, `status`, `durationMs`, `query_hash`.
+
+## Prometheus exemplar tags (optional)
+- Add `trace_id` as exemplar if traces enabled; do not add request bodies.
+
+## Acceptance checks
+- Unit test: hashed query string changes when salt changes; raw query not present in logs.
+- Prometheus snapshot test: scrape and assert presence of `vuln_query_hashes_total` and payload histograms.

src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/PackRunContracts.cs

@@ -284,6 +284,8 @@ public sealed record LogEntryResponse(
     string Level,
     string Source,
     string Message,
+    string Digest,
+    long SizeBytes,
     DateTimeOffset Timestamp,
     string? Data)
 {
@@ -293,6 +295,8 @@ public sealed record LogEntryResponse(
         log.Level.ToString().ToLowerInvariant(),
         log.Source,
         log.Message,
+        log.Digest,
+        log.SizeBytes,
         log.Timestamp,
         log.Data);
 }

src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/PackRunEndpoints.cs

@@ -535,6 +535,15 @@ public static class PackRunEndpoints
         var artifactIds = new List<Guid>();
         if (request.Artifacts is { Count: > 0 })
         {
+            if (request.Artifacts.Any(a => string.IsNullOrWhiteSpace(a.Digest) || a.SizeBytes is null or <= 0))
+            {
+                return Results.BadRequest(new PackRunErrorResponse(
+                    "invalid_artifact",
+                    "All artifacts must include digest and positive sizeBytes.",
+                    packRunId,
+                    null));
+            }
+
             var artifacts = request.Artifacts.Select(a => new Artifact(
                 ArtifactId: Guid.NewGuid(),
                 TenantId: tenantId,
@@ -616,7 +625,9 @@ public static class PackRunEndpoints
                 packVersion = packRun.PackVersion,
                 exitCode = request.ExitCode,
                 durationMs,
-                artifactCount = artifactIds.Count
+                artifactCount = artifactIds.Count,
+                artifactDigests = request.Artifacts?.Select(a => a.Digest).ToArray() ?? Array.Empty<string>(),
+                artifactSizes = request.Artifacts?.Select(a => a.SizeBytes ?? 0).ToArray() ?? Array.Empty<long>()
             }));
         await eventPublisher.PublishAsync(envelope, cancellationToken);
 

src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Streaming/PackRunStreamCoordinator.cs

@@ -282,6 +282,8 @@ internal sealed record PackRunLogPayload(
     string Level,
     string Source,
     string Message,
+    string Digest,
+    long SizeBytes,
     DateTimeOffset Timestamp,
     string? Data)
 {
@@ -290,6 +292,8 @@ internal sealed record PackRunLogPayload(
         log.Level.ToString().ToLowerInvariant(),
         log.Source,
         log.Message,
+        log.Digest,
+        log.SizeBytes,
         log.Timestamp,
         log.Data);
 }

src/Scanner/__Tests/StellaOps.Scanner.Surface.FS.Tests/FileSurfaceManifestStoreTests.cs

@@ -2,9 +2,12 @@ using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
+using System.Security.Cryptography;
+using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
+using StellaOps.Cryptography;
 using StellaOps.Scanner.Surface.FS;
 using Xunit;
 
@@ -34,7 +37,8 @@ public sealed class FileSurfaceManifestStoreTests : IAsyncDisposable
         _store = new FileSurfaceManifestStore(
             cacheOptions,
             manifestOptions,
-            NullLogger<FileSurfaceManifestStore>.Instance);
+            NullLogger<FileSurfaceManifestStore>.Instance,
+            new TestCryptoHash());
     }
 
     [Fact]
@@ -201,6 +205,31 @@ public sealed class FileSurfaceManifestStoreTests : IAsyncDisposable
             $"{hex}.json");
     }
 
+    private sealed class TestCryptoHash : ICryptoHash
+    {
+        public byte[] ComputeHash(ReadOnlySpan<byte> data, string? algorithmId = null)
+            => SHA256.HashData(data);
+
+        public string ComputeHashHex(ReadOnlySpan<byte> data, string? algorithmId = null)
+            => Convert.ToHexString(ComputeHash(data, algorithmId)).ToLowerInvariant();
+
+        public string ComputeHashBase64(ReadOnlySpan<byte> data, string? algorithmId = null)
+            => Convert.ToBase64String(ComputeHash(data, algorithmId));
+
+        public async ValueTask<byte[]> ComputeHashAsync(Stream stream, string? algorithmId = null, CancellationToken cancellationToken = default)
+        {
+            await using var buffer = new MemoryStream();
+            await stream.CopyToAsync(buffer, cancellationToken).ConfigureAwait(false);
+            return SHA256.HashData(buffer.ToArray());
+        }
+
+        public async ValueTask<string> ComputeHashHexAsync(Stream stream, string? algorithmId = null, CancellationToken cancellationToken = default)
+        {
+            var hash = await ComputeHashAsync(stream, algorithmId, cancellationToken).ConfigureAwait(false);
+            return Convert.ToHexString(hash).ToLowerInvariant();
+        }
+    }
+
     public async ValueTask DisposeAsync()
     {
         await Task.Run(() =>

src/Web/StellaOps.Web/TASKS.md

@@ -5,7 +5,7 @@
 | WEB-AOC-19-002 | DONE (2025-11-30) | Added provenance builder, checksum utilities, and DSSE/CMS signature verification helpers with unit tests. |
 | WEB-AOC-19-003 | DONE (2025-11-30) | Added client-side guard validator (forbidden/derived/unknown fields, provenance/signature checks) with unit fixtures. |
 | WEB-CONSOLE-23-002 | DOING (2025-12-01) | Console status polling + SSE run stream client/store/UI added; tests pending once env fixed. |
-| WEB-RISK-66-001 | DOING (2025-12-02) | Added risk gateway HTTP client (trace-id headers), store, `/risk` dashboard with filters, empty state, vuln link, auth guard; added `/vulnerabilities/:vulnId` detail + specs; risk/vuln providers switch via quickstart; awaiting gateway endpoints/test harness. |
+| WEB-RISK-66-001 | DOING (2025-12-02) | Added risk + vuln gateway HTTP clients (shared trace util), store, `/risk` dashboard with filters/empty state/vuln link, auth guard; added `/vulnerabilities/:vulnId` detail + specs; providers switch via quickstart; awaiting gateway endpoints/test harness. |
 | WEB-EXC-25-001 | TODO | Exceptions workflow CRUD pending policy scopes. |
 | WEB-TEN-47-CONTRACT | DONE (2025-12-01) | Gateway tenant auth/ABAC contract doc v1.0 published (`docs/api/gateway/tenant-auth.md`). |
 | WEB-VULN-29-LEDGER-DOC | DONE (2025-12-01) | Findings Ledger proxy contract doc v1.0 with idempotency + retries (`docs/api/gateway/findings-ledger-proxy.md`). |

src/Web/StellaOps.Web/src/app/core/api/risk-http.client.ts

@@ -5,6 +5,7 @@ import { Observable, map } from 'rxjs';
 import { AuthSessionStore } from '../auth/auth-session.store';
 import { RiskApi } from './risk.client';
 import { RiskQueryOptions, RiskResultPage, RiskStats } from './risk.models';
+import { generateTraceId } from './trace.util';
 
 export const RISK_API_BASE_URL = new InjectionToken<string>('RISK_API_BASE_URL');
 
@@ -18,7 +19,7 @@ export class RiskHttpClient implements RiskApi {
 
   list(options: RiskQueryOptions): Observable<RiskResultPage> {
     const tenant = this.resolveTenant(options.tenantId);
-    const traceId = options.traceId ?? crypto.randomUUID?.() ?? this.generateTraceId();
+    const traceId = options.traceId ?? generateTraceId();
     const headers = this.buildHeaders(tenant, options.projectId, traceId);
 
     let params = new HttpParams();
@@ -40,7 +41,7 @@ export class RiskHttpClient implements RiskApi {
 
   stats(options: Pick<RiskQueryOptions, 'tenantId' | 'projectId' | 'traceId'>): Observable<RiskStats> {
     const tenant = this.resolveTenant(options.tenantId);
-    const traceId = options.traceId ?? crypto.randomUUID?.() ?? this.generateTraceId();
+    const traceId = options.traceId ?? generateTraceId();
     const headers = this.buildHeaders(tenant, options.projectId, traceId);
 
     return this.http
@@ -60,13 +61,6 @@ export class RiskHttpClient implements RiskApi {
     return headers;
   }
 
-  private generateTraceId(): string {
-    // Lightweight ULID-like generator (time + random) for trace correlation.
-    const time = Date.now().toString(36);
-    const rand = crypto.getRandomValues(new Uint32Array(1))[0].toString(36).padStart(6, '0');
-    return `${time}-${rand}`;
-  }
-
   private resolveTenant(tenantId?: string): string {
     const tenant = (tenantId && tenantId.trim()) || this.authSession.getActiveTenantId();
     if (!tenant) {

src/Web/StellaOps.Web/src/app/core/api/trace.util.ts

@@ -0,0 +1,13 @@
+/**
+ * Generate a correlation/trace identifier.
+ * Prefers crypto.randomUUID when available; falls back to a lightweight ULID-style string.
+ */
+export function generateTraceId(): string {
+  if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {
+    return crypto.randomUUID();
+  }
+
+  const time = Date.now().toString(36);
+  const rand = crypto.getRandomValues(new Uint32Array(1))[0].toString(36).padStart(6, '0');
+  return `${time}-${rand}`;
+}

src/Web/StellaOps.Web/src/app/core/api/vulnerability-http.client.spec.ts

@@ -40,6 +40,7 @@ describe('VulnerabilityHttpClient', () => {
 
     const req = httpMock.expectOne('https://api.example.local/vuln?page=1&pageSize=5');
     expect(req.request.headers.get('X-Stella-Tenant')).toBe('tenant-dev');
+    expect(req.request.headers.has('X-Stella-Trace-Id')).toBeTrue();
     req.flush(stub);
   });
 

src/Web/StellaOps.Web/src/app/core/api/vulnerability-http.client.ts

@@ -9,6 +9,7 @@ import {
   Vulnerability,
   VulnerabilityStats,
 } from './vulnerability.models';
+import { generateTraceId } from './trace.util';
 import { VulnerabilityApi } from './vulnerability.client';
 
 export const VULNERABILITY_API_BASE_URL = new InjectionToken<string>('VULNERABILITY_API_BASE_URL');
@@ -23,7 +24,8 @@ export class VulnerabilityHttpClient implements VulnerabilityApi {
 
   listVulnerabilities(options?: VulnerabilitiesQueryOptions): Observable<VulnerabilitiesResponse> {
     const tenant = this.resolveTenant(options?.tenantId);
-    const headers = this.buildHeaders(tenant, options?.projectId, options?.traceId);
+    const traceId = options?.traceId ?? generateTraceId();
+    const headers = this.buildHeaders(tenant, options?.projectId, traceId);
 
     let params = new HttpParams();
     if (options?.page) params = params.set('page', options.page);
@@ -39,13 +41,15 @@ export class VulnerabilityHttpClient implements VulnerabilityApi {
 
   getVulnerability(vulnId: string): Observable<Vulnerability> {
     const tenant = this.resolveTenant();
-    const headers = this.buildHeaders(tenant, undefined, undefined);
+    const traceId = generateTraceId();
+    const headers = this.buildHeaders(tenant, undefined, traceId);
     return this.http.get<Vulnerability>(`${this.baseUrl}/vuln/${encodeURIComponent(vulnId)}`, { headers });
   }
 
   getStats(): Observable<VulnerabilityStats> {
     const tenant = this.resolveTenant();
-    const headers = this.buildHeaders(tenant, undefined, undefined);
+    const traceId = generateTraceId();
+    const headers = this.buildHeaders(tenant, undefined, traceId);
     return this.http.get<VulnerabilityStats>(`${this.baseUrl}/vuln/status`, { headers });
   }
 
@@ -63,4 +67,5 @@ export class VulnerabilityHttpClient implements VulnerabilityApi {
     }
     return tenant;
   }
+
 }