up

docs/updates/2025-10-27-console-security-signoff.md

@@ -0,0 +1,48 @@
+# Console Security Checklist Sign-off — 2025-10-27
+
+## Summary
+
+- Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint 23 build.
+- No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required.
+- Result: **PASS** – console may progress with Sprint 23 release gating.
+
+## Authority client validation
+
+- Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`.
+- Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`.
+
+## CSP enforcement
+
+- Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` – CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present.
+- Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared.
+
+## Fresh-auth timer
+
+- Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5 minutes idle.
+- Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs.
+
+## DPoP binding test
+
+- Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`.
+- Confirmed logs contain `ui.security.anomaly` event with matching `traceId`.
+
+## Offline mode exercise
+
+- Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages.
+- Imported Offline Kit manifest; parity checks report `OK` status.
+
+## Evidence parity
+
+- Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run <id>`; SHA-256 digests match.
+- Verified Downloads workspace never caches bundle contents (only manifest metadata stored).
+
+## Monitoring & alerts
+
+- Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures.
+- PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps.
+
+## Sign-off
+
+- Reviewed by **Security Guild** (lead: `@sec-lfox`).  
+- Sign-off recorded in Sprint 23 tracker (`SPRINTS.md`, `DOCS-CONSOLE-23-018`).
+

docs/updates/2025-10-27-orch-operator-scope.md

@@ -0,0 +1,15 @@
+# 2025-10-27 — Orchestrator operator scope & audit metadata
+
+## Summary
+
+- Introduced the `orch:operate` scope and `Orch.Operator` role in Authority to unlock Orchestrator control actions while keeping read-only access under `Orch.Viewer`.
+- Authority now enforces `operator_reason` and `operator_ticket` parameters on `/token` requests that include `orch:operate`; missing values yield `invalid_request` and no token is issued.
+- Client credentials audit events capture both fields (`request.reason`, `request.ticket`), giving SecOps traceability for every control action.
+
+## Next steps
+
+| Team | Follow-up | Target |
+|------|-----------|--------|
+| Console Guild | Wire UI control panels to request `operator_reason`/`operator_ticket` when exchanging tokens for orchestrator actions. | Sprint 23 stand-up |
+| CLI Guild | Add flags to `stella orch` subcommands to pass reason/ticket metadata before enabling mutations. | Sprint 23 stand-up |
+| Orchestrator Service | Enforce presence of `X-Stella-Reason`/`X-Stella-Ticket` (or equivalent metadata) on mutate endpoints and align audit logging. | ORCH-SVC-33-001 implementation |

docs/updates/2025-10-27-policy-scope-migration.md

@@ -0,0 +1,15 @@
+# 2025-10-27 — Policy scope migration guidance
+
+## Summary
+
+- Updated Authority defaults (`etc/authority.yaml`) to register a `policy-cli` client using the fine-grained scope set introduced by AUTH-POLICY-23-001 (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`).
+- Added release/CI documentation call-outs instructing operators to reissue tokens that previously relied on `policy:write`/`policy:submit`/`policy:run` scopes.
+- Introduced a repo verification script so future config changes fail CI when policy clients regress to the legacy scope bundles.
+
+## Next steps
+
+| Team | Follow-up | Target |
+|------|-----------|--------|
+| Authority Core | Rotate long-lived policy CLI tokens in staging to confirm new scope set before freezing release 2025.10. | 2025-10-29 |
+| DevOps Guild | Update automation secrets (CI/CD, offline kit) to point at the regenerated `policy-cli` credentials. | Sprint 23 stand-up |
+| Docs Guild | Fold the broader scope matrix refresh into AUTH-POLICY-23-003 once the dual-approval workflow lands. | Blocked on AUTH-POLICY-23-002 |

docs/updates/2025-10-27-task-packs-docs.md

@@ -0,0 +1,15 @@
+# Docs Guild Update — Task Pack Docs (2025-10-27)
+
+- Added Task Pack core documentation set:
+  - `/docs/task-packs/spec.md`
+  - `/docs/task-packs/authoring-guide.md`
+  - `/docs/task-packs/registry.md`
+  - `/docs/task-packs/runbook.md`
+  - `/docs/security/pack-signing-and-rbac.md`
+  - `/docs/operations/cli-release-and-packaging.md`
+- Each doc includes imposed-rule reminder, compliance checklist, and cross-links to Task Runner, Packs Registry, CLI release tasks.
+- Created asset staging instructions at `docs/assets/ui/tours/README.md` (shared with CLI enablement).
+- Circulated spec + authoring guide links to Task Runner, Packs Registry, Authority, and DevOps guild channels for technical review (2025-10-27). Target follow-up review once CLI parity tasks (`CLI-PACKS-42-001`, `CLI-PACKS-43-001`) land; tentative sync held for 2025-11-03 (Docs Guild to confirm).
+- Sprint tracker `DOCS-PACKS-43-001` marked DOING→DONE; follow-up reviews scheduled with Task Runner and Security guilds.
+
+Artifacts: [Spec](../task-packs/spec.md), [Authoring guide](../task-packs/authoring-guide.md), [Registry](../task-packs/registry.md), [Runbook](../task-packs/runbook.md), [Signing/RBAC](../security/pack-signing-and-rbac.md), [CLI release runbook](../operations/cli-release-and-packaging.md).

docs/updates/2025-10-29-export-center-provenance.md

@@ -0,0 +1,9 @@
+# 2025-10-29 – Export Center provenance/signing doc
+
+## Summary
+- Authored `docs/export-center/provenance-and-signing.md`, covering manifest/provenance artefacts, cosign/SLSA signing pipeline, verification workflows (CLI/CI/offline), and compliance checklist.
+- Cross-linked the new guide from the docs index (`docs/README.md`) and referenced outstanding CLI automation (`CLI-EXPORT-37-001`) to keep verification guidance aligned with upcoming tooling.
+
+## Follow-ups
+- [ ] Revisit once `CLI-EXPORT-37-001` lands to confirm command names/flags and update the verification section if necessary.
+- [ ] Sync with DevOps (`DEVOPS-EXPORT-37-001`) after dashboards/alerts ship to embed direct links in the failure handling section.

docs/updates/2025-10-29-notify-docs.md

@@ -0,0 +1,10 @@
+# 2025-10-29 – Notifications Studio docs sync prep
+
+## Summary
+- Published Notifications Studio overview (`notifications/overview.md`) and architecture dossier (`notifications/architecture.md`), complementing the rules/templates/digests deep dives landed earlier in Sprint 39.
+- Captured action items to validate connector metadata, quiet-hours semantics, and simulation endpoints once `NOTIFY-SVC-39-001..004` merge.
+- Alerted Notifications Service Guild that documentation handoff is pending those feature drops; ready to iterate as soon as the implementation surfaces schemas.
+
+## Follow-ups
+- [ ] Review merged notifier correlation/quiet-hours work (`NOTIFY-SVC-39-001..004`) and refresh overview + architecture docs with any new persistence/API details.
+- [ ] Coordinate with DevOps dashboards work (`DEVOPS-NOTIFY-39-002`) to document alert references once metrics names are finalised.

docs/updates/2025-10-29-scheduler-policy-doc-refresh.md

@@ -0,0 +1,21 @@
+# 2025-10-29 — Scheduler/Policy Guild Doc Refresh
+
+## Summary
+- Extended `SCHED-MODELS-20-001` with environment metadata guidance, lifecycle semantics, and diff payload breakdown for Policy Engine runs.
+- Confirmed `StellaOps.Scheduler.Models.Tests` to keep sample fixtures in sync with the documentation.
+- Ready for distribution to Scheduler (Models/Worker/WebService) and Policy Engine guilds; link this update when posting to internal channels.
+
+## Suggested announcement
+> **Channel(s):** `#scheduler-guild`, `#policy-engine`  
+> **Message:**  
+> ```
+> Policy Engine run DTO docs just picked up a refresh (environment metadata, lifecycle+retry table, diff payload notes).  
+> • Doc: src/StellaOps.Scheduler.Models/docs/SCHED-MODELS-20-001-POLICY-RUNS.md  
+> • Samples: samples/api/scheduler/policy-*.json  
+> • Tests: dotnet test src/StellaOps.Scheduler.Models.Tests  
+> Please review for orchestration + API consumer work; ping back if other fields need coverage.  
+> ```
+
+## Follow-up
+- [ ] Confirm both guilds acknowledge the documentation update.
+- [ ] Fold any feedback into Sprint 21 scheduler schema backlog if additional DTO changes are requested.

docs/updates/2025-10-31-console-security-refresh.md

@@ -0,0 +1,12 @@
+# 2025-10-31 — Console Security Docs Refresh
+
+## Summary
+- Documented the new Authority `/console` endpoints (`/tenants`, `/profile`, `/token/introspect`) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour.
+- Reduced the default Authority access-token lifetime to 120 seconds to match OpTok guidance and updated tests accordingly.
+- Updated Console security guidance to cover the newly issued `orch:read` scope and clarified session inactivity expectations.
+- Annotated `authority.yaml.sample` and the Authority ops runbook so operators forward `X-Stella-Tenant` and understand fresh-auth prompts.
+
+## Impact
+- Console release notes now reference the dedicated `/console` endpoints and their audit identifiers.
+- Security Guild can rely on the updated compliance checklist when executing Sprint 23 sign-off.
+- Deployment teams have explicit configuration reminders for tenants and orchestrator dashboard access.