docs: Archive Sprint 3500 (PoE), Sprint 7100 (Proof Moats), and additional sprints

Archive completed sprint documentation and deliverables: ## SPRINT_3500 - Proof of Exposure (PoE) Implementation (COMPLETE ✅) - Windows filesystem hash sanitization (colon → underscore) - Namespace conflict resolution (Subgraph → PoESubgraph) - Mock test improvements with It.IsAny<>() - Direct orchestrator unit tests - 8/8 PoE tests passing (100% success) - Archived to: docs/implplan/archived/2025-12-23-sprint-3500-poe/ ## SPRINT_7100.0001 - Proof-Driven Moats Core (COMPLETE ✅) - Four-tier backport detection system - 9 production modules (4,044 LOC) - Binary fingerprinting (TLSH + instruction hashing) - VEX integration with proof-carrying verdicts - 42+ unit tests passing (100% success) - Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/ ## SPRINT_7100.0002 - Proof Moats Storage Layer (COMPLETE ✅) - PostgreSQL repository implementations - Database migrations (4 evidence tables + audit) - Test data seed scripts (12 evidence records, 3 CVEs) - Integration tests with Testcontainers - <100ms proof generation performance - Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/ ## SPRINT_3000_0200 - Authority Admin & Branding (COMPLETE ✅) - Console admin RBAC UI components - Branding editor with tenant isolation - Authority backend endpoints - Archived to: docs/implplan/archived/ ## Additional Documentation - CLI command reference and compliance guides - Module architecture docs (26 modules documented) - Data schemas and contracts - Operations runbooks - Security risk models - Product roadmap All archived sprints achieved 100% completion of planned deliverables. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 15:02:38 +02:00
parent fda92af9bc
commit b444284be5
77 changed files with 7673 additions and 556 deletions
--- a/docs2/modules/advisory-ai.md
+++ b/docs2/modules/advisory-ai.md
@@ -0,0 +1,23 @@
+# Advisory AI
+
+## Purpose
+Evidence-grounded analysis with guardrails and offline outputs.
+
+## Inputs
+- SBOMs and evidence bundles
+
+## Outputs
+- Structured findings and guidance artifacts
+
+## Data and storage
+- PostgreSQL and artifact store
+
+## Key dependencies
+- Scanner outputs
+- Policy evidence
+
+## Notes and boundaries
+- Guardrails required for outputs
+
+## Related docs
+- docs/modules/advisory-ai/architecture.md
--- a/docs2/modules/attestor.md
+++ b/docs2/modules/attestor.md
@@ -0,0 +1,23 @@
+# Attestor
+
+## Purpose
+Log DSSE bundles to Rekor and provide verification.
+
+## Inputs
+- DSSE bundles from Signer or Scanner
+
+## Outputs
+- Rekor entries and inclusion proofs
+
+## Data and storage
+- PostgreSQL receipts and indexes
+
+## Key dependencies
+- Rekor (optional)
+- Authority
+
+## Notes and boundaries
+- Does not sign
+
+## Related docs
+- docs/modules/attestor/architecture.md
--- a/docs2/modules/authority.md
+++ b/docs2/modules/authority.md
@@ -0,0 +1,28 @@
+# Authority
+
+## Purpose
+Issue short-lived OpTok tokens with DPoP or mTLS sender constraints.
+
+## Inputs
+- Client credentials, device code, or auth code
+- Signing keys and JWKS configuration
+
+## Outputs
+- JWT access tokens with audience and scope claims
+- JWKS and optional introspection responses
+
+## Data and storage
+- PostgreSQL for clients, roles, tenants
+- Valkey for DPoP nonce and jti caches
+
+## Key dependencies
+- PostgreSQL
+- Valkey
+- Optional KMS or HSM
+
+## Notes and boundaries
+- Does not issue PoE
+- Tokens are operational and short-lived
+
+## Related docs
+- docs/modules/authority/architecture.md
--- a/docs2/modules/benchmark.md
+++ b/docs2/modules/benchmark.md
@@ -0,0 +1,22 @@
+# Benchmark
+
+## Purpose
+Benchmark harness and ground-truth corpus management.
+
+## Inputs
+- Corpora, fixtures, and tooling
+
+## Outputs
+- Benchmark results and reports
+
+## Data and storage
+- Bench artifacts and fixtures
+
+## Key dependencies
+- Scanner and Policy
+
+## Notes and boundaries
+- Determinism and accuracy checks
+
+## Related docs
+- docs/modules/benchmark/architecture.md
--- a/docs2/modules/binaryindex.md
+++ b/docs2/modules/binaryindex.md
@@ -0,0 +1,22 @@
+# BinaryIndex
+
+## Purpose
+Binary identity mapping for patch-aware matching.
+
+## Inputs
+- Binary identifiers and metadata
+
+## Outputs
+- Binary to advisory mappings
+
+## Data and storage
+- PostgreSQL
+
+## Key dependencies
+- Scanner analyzers
+
+## Notes and boundaries
+- Complements patch and backport handling
+
+## Related docs
+- docs/modules/binaryindex/architecture.md
--- a/docs2/modules/ci.md
+++ b/docs2/modules/ci.md
@@ -0,0 +1,22 @@
+# CI Recipes
+
+## Purpose
+Deterministic CI pipeline templates and guardrails.
+
+## Inputs
+- Source code and build inputs
+
+## Outputs
+- Reproducible build and test flows
+
+## Data and storage
+- Pipeline templates
+
+## Key dependencies
+- Build tooling
+
+## Notes and boundaries
+- Offline-friendly pipelines
+
+## Related docs
+- docs/modules/ci/architecture.md
--- a/docs2/modules/cli.md
+++ b/docs2/modules/cli.md
@@ -0,0 +1,25 @@
+# CLI
+
+## Purpose
+Automation and verification for scanning, export, and replay.
+
+## Inputs
+- User commands and offline bundles
+
+## Outputs
+- API calls and local verification reports
+
+## Data and storage
+- Local cache and artifacts
+
+## Key dependencies
+- Authority
+- Scanner
+- Signer
+- Attestor
+
+## Notes and boundaries
+- CLI never signs directly
+
+## Related docs
+- docs/modules/cli/architecture.md
--- a/docs2/modules/concelier.md
+++ b/docs2/modules/concelier.md
@@ -0,0 +1,25 @@
+# Concelier
+
+## Purpose
+Ingest advisory feeds under the Aggregation-Only Contract (AOC).
+
+## Inputs
+- Vendor and ecosystem advisories
+
+## Outputs
+- Raw advisory facts and linksets
+- Deterministic exports
+
+## Data and storage
+- PostgreSQL vuln schema
+
+## Key dependencies
+- Authority
+- PostgreSQL
+
+## Notes and boundaries
+- No derived severity at ingest
+
+## Related docs
+- docs/modules/concelier/architecture.md
+- docs/ingestion/aggregation-only-contract.md
--- a/docs2/modules/devops.md
+++ b/docs2/modules/devops.md
@@ -0,0 +1,22 @@
+# DevOps and Release
+
+## Purpose
+Release trains, signing, and distribution workflows.
+
+## Inputs
+- Build outputs and manifests
+
+## Outputs
+- Signed images, SBOMs, and release bundles
+
+## Data and storage
+- Release manifests and artifact indexes
+
+## Key dependencies
+- Signer and Attestor
+
+## Notes and boundaries
+- Supports offline kit packaging
+
+## Related docs
+- docs/modules/devops/architecture.md
--- a/docs2/modules/excititor.md
+++ b/docs2/modules/excititor.md
@@ -0,0 +1,23 @@
+# Excititor
+
+## Purpose
+Ingest VEX statements under AOC and preserve conflicts.
+
+## Inputs
+- OpenVEX, CSAF VEX, CycloneDX VEX
+
+## Outputs
+- VEX observations and consensus views
+
+## Data and storage
+- PostgreSQL vex schema
+
+## Key dependencies
+- Authority
+- Issuer Directory
+
+## Notes and boundaries
+- No policy decisions at ingest
+
+## Related docs
+- docs/modules/excititor/architecture.md
--- a/docs2/modules/export-center.md
+++ b/docs2/modules/export-center.md
@@ -0,0 +1,23 @@
+# Export Center
+
+## Purpose
+Produce deterministic export bundles and offline layouts.
+
+## Inputs
+- Raw facts, policy outputs, SBOMs
+
+## Outputs
+- JSON exports, Trivy DB, mirror bundles
+
+## Data and storage
+- RustFS and PostgreSQL
+
+## Key dependencies
+- Signer
+- Attestor
+
+## Notes and boundaries
+- Exports are deterministic and content-addressed
+
+## Related docs
+- docs/modules/export-center/architecture.md
--- a/docs2/modules/gateway.md
+++ b/docs2/modules/gateway.md
@@ -0,0 +1,22 @@
+# Gateway
+
+## Purpose
+HTTP ingress and routing for service APIs.
+
+## Inputs
+- External requests with tokens
+
+## Outputs
+- Routed requests and responses
+
+## Data and storage
+- Routing configuration
+
+## Key dependencies
+- Authority
+
+## Notes and boundaries
+- Optional in some deployments
+
+## Related docs
+- docs/modules/gateway/architecture.md
--- a/docs2/modules/graph.md
+++ b/docs2/modules/graph.md
@@ -0,0 +1,22 @@
+# Graph Explorer
+
+## Purpose
+Graph indexing and exploration APIs.
+
+## Inputs
+- Graph snapshots and overlays
+
+## Outputs
+- Graph queries and exports
+
+## Data and storage
+- PostgreSQL and index artifacts
+
+## Key dependencies
+- Scanner and Policy outputs
+
+## Notes and boundaries
+- Supports offline export
+
+## Related docs
+- docs/modules/graph/architecture.md
--- a/docs2/modules/index.md
+++ b/docs2/modules/index.md
@@ -2,150 +2,38 @@

 ## Core services

-Authority
- Purpose: issue OpTok tokens with DPoP or mTLS sender constraints.
- Inputs: client credentials, device code, or auth code.
- Outputs: JWT access tokens with tenant, audience, and scope claims.
- Storage: PostgreSQL for client and tenant data, Valkey for DPoP nonce cache.
-
-Signer
- Purpose: produce DSSE envelopes and enforce Proof of Entitlement (PoE).
- Inputs: signing requests from trusted services and PoE proof.
- Outputs: DSSE bundles for SBOMs, reports, and exports.
- Storage: audit logs only; keys live in KMS or keyless providers.
-
-Attestor
- Purpose: log DSSE bundles to Rekor and provide verification APIs.
- Inputs: DSSE bundles from Signer or Scanner.
- Outputs: Rekor entries and proofs, verification results.
- Storage: PostgreSQL for receipts and indexes.
-
-Scanner (Web + Worker)
- Purpose: deterministic SBOM generation, inventory and usage views, diffs.
- Inputs: image digest or SBOM, analyzer manifests, policy snapshots.
- Outputs: SBOMs, diffs, reachability graphs, evidence bundles.
- Storage: RustFS for artifacts, PostgreSQL for metadata, Valkey for queues.
-
-Concelier
- Purpose: ingest and normalize advisory sources under AOC.
- Inputs: vendor and ecosystem advisory feeds.
- Outputs: raw advisory facts, linksets, deterministic exports.
- Storage: PostgreSQL (vuln schema).
-
-Excititor
- Purpose: ingest VEX statements under AOC and preserve conflicts.
- Inputs: OpenVEX, CSAF VEX, CycloneDX VEX.
- Outputs: normalized VEX observations and consensus views.
- Storage: PostgreSQL (vex schema).
-
-Policy Engine
- Purpose: deterministic policy evaluation with explain traces and unknowns.
- Inputs: SBOM inventory, advisory facts, VEX evidence, reachability.
- Outputs: verdicts, effective findings, decision traces, derived VEX.
- Storage: PostgreSQL (policy schema).
-
-Scheduler
- Purpose: impact selection and analysis-only re-evaluation.
- Inputs: advisory and VEX deltas, BOM index metadata.
- Outputs: rescan jobs and delta events.
- Storage: PostgreSQL (scheduler schema), Valkey for queues.
-
-Notify
- Purpose: route events to channels with rules and templates.
- Inputs: scan and scheduler events.
- Outputs: deliveries to Slack, Teams, email, webhooks.
- Storage: PostgreSQL (notify schema), Valkey for queues.
-
-Export Center
- Purpose: deterministic export bundles and offline mirror layouts.
- Inputs: raw facts, policy outputs, SBOMs and evidence bundles.
- Outputs: JSON exports, Trivy DB exports, mirror bundles, offline kits.
- Storage: RustFS and PostgreSQL.
-
-CLI
- Purpose: automation and verification for scanning, export, and replay.
- Inputs: user commands and offline bundles.
- Outputs: API calls, local verification reports.
-
-UI and Console
- Purpose: operator console for scans, policy, VEX, and notifications.
- Inputs: API responses, SSE streams.
- Outputs: operational workflows and audit views.
-
-Advisory AI
- Purpose: evidence-grounded analysis with guardrails.
- Inputs: SBOM and evidence bundles.
- Outputs: structured findings and guidance artifacts.
-
-Orchestrator
- Purpose: job DAGs and pack runs for automation.
- Inputs: job definitions and run requests.
- Outputs: run status, job artifacts.
- Storage: PostgreSQL (orchestrator schema).
-
-Registry Token Service
- Purpose: issue tokens for internal registry and scoped pulls.
- Inputs: client credentials.
- Outputs: short-lived registry tokens.
-
-Graph Explorer
- Purpose: graph indexing and exploration for evidence and relationships.
- Inputs: graph snapshots and overlays.
- Outputs: graph queries and exports.
-
-VEX Lens
- Purpose: reproducible consensus views over VEX statements.
- Inputs: normalized VEX observations and trust weights.
- Outputs: consensus status and evidence refs.
-
-Vulnerability Explorer
- Purpose: triage workflows and evidence ledger views.
- Inputs: effective findings and Decision Capsules.
- Outputs: triage actions and audit records.
-
-Telemetry Stack
- Purpose: metrics, logs, traces, and dashboards.
- Inputs: service telemetry and audit events.
- Outputs: dashboards and alerts.
-
-DevOps and Release
- Purpose: release trains, signing, and distribution workflows.
- Inputs: build artifacts and manifests.
- Outputs: signed releases and offline kit bundles.
-
-Platform
- Purpose: cross-cutting determinism, offline, and identity rules.
-
-CI Recipes
- Purpose: deterministic CI templates and guardrails.
-
-Zastava
- Purpose: runtime observer and optional admission enforcement.
- Inputs: runtime facts and policy verdicts.
- Outputs: runtime events and admission decisions.
+- [Authority](authority.md)
+- [Signer](signer.md)
+- [Attestor](attestor.md)
+- [Scanner](scanner.md)
+- [Concelier](concelier.md)
+- [Excititor](excititor.md)
+- [Policy Engine](policy.md)
+- [Scheduler](scheduler.md)
+- [Notify](notify.md)
+- [Export Center](export-center.md)
+- [CLI](cli.md)
+- [UI and Console](ui.md)
+- [Advisory AI](advisory-ai.md)
+- [Orchestrator](orchestrator.md)
+- [Registry Token Service](registry.md)
+- [Graph Explorer](graph.md)
+- [VEX Lens](vex-lens.md)
+- [Vulnerability Explorer](vuln-explorer.md)
+- [Telemetry Stack](telemetry.md)
+- [DevOps and Release](devops.md)
+- [Platform](platform.md)
+- [CI Recipes](ci.md)
+- [Zastava](zastava.md)

 ## Supporting and adjacent modules

-Issuer Directory
- Trust registry for VEX issuers and keys.
-
-VexHub
- Aggregation and distribution of VEX statements for downstream consumers.
-
-SBOM Service
- Deterministic SBOM projections and lineage ledger.
-
-Signals
- Reachability scoring, unknowns registry, and signal APIs.
-
-TaskRunner
- Deterministic task pack execution with approvals and evidence capture.
-
-BinaryIndex
- Binary identity mapping for patch-aware and backport-aware matching.
-
-Benchmark
- Benchmark harness and ground-truth corpus management.
-
-Gateway and Router (optional)
- Edge routing and transport abstraction for deployments that require a shared ingress.
+- [Issuer Directory](issuer-directory.md)
+- [VexHub](vexhub.md)
+- [SBOM Service](sbomservice.md)
+- [Signals](signals.md)
+- [TaskRunner](taskrunner.md)
+- [BinaryIndex](binaryindex.md)
+- [Benchmark](benchmark.md)
+- [Gateway](gateway.md)
+- [Router](router.md)
--- a/docs2/modules/issuer-directory.md
+++ b/docs2/modules/issuer-directory.md
@@ -0,0 +1,22 @@
+# Issuer Directory
+
+## Purpose
+Trust registry for VEX issuers and keys.
+
+## Inputs
+- Issuer metadata and key material
+
+## Outputs
+- Trust weights and issuer resolution
+
+## Data and storage
+- PostgreSQL
+
+## Key dependencies
+- Authority
+
+## Notes and boundaries
+- Consumed by VEX Lens and Excititor
+
+## Related docs
+- docs/modules/issuer-directory/architecture.md
--- a/docs2/modules/notify.md
+++ b/docs2/modules/notify.md
@@ -0,0 +1,24 @@
+# Notify
+
+## Purpose
+Route events to channels with rules and templates.
+
+## Inputs
+- Scanner and Scheduler events
+
+## Outputs
+- Deliveries to Slack, Teams, email, webhooks
+
+## Data and storage
+- PostgreSQL notify schema
+- Valkey queues
+
+## Key dependencies
+- Valkey
+- SMTP or chat APIs
+
+## Notes and boundaries
+- Does not make policy decisions
+
+## Related docs
+- docs/modules/notify/architecture.md
--- a/docs2/modules/orchestrator.md
+++ b/docs2/modules/orchestrator.md
@@ -0,0 +1,22 @@
+# Orchestrator
+
+## Purpose
+DAG workflows and pack runs for automation.
+
+## Inputs
+- Job definitions and run requests
+
+## Outputs
+- Run status and job artifacts
+
+## Data and storage
+- PostgreSQL orchestrator schema
+
+## Key dependencies
+- Scheduler and TaskRunner
+
+## Notes and boundaries
+- Focuses on job orchestration
+
+## Related docs
+- docs/modules/orchestrator/architecture.md
--- a/docs2/modules/platform.md
+++ b/docs2/modules/platform.md
@@ -0,0 +1,23 @@
+# Platform
+
+## Purpose
+Cross-cutting rules for determinism, identity, and offline posture.
+
+## Inputs
+- Module policies and shared contracts
+
+## Outputs
+- Shared constraints and guidance
+
+## Data and storage
+- Docs and shared libraries
+
+## Key dependencies
+- All modules
+
+## Notes and boundaries
+- Defines baseline invariants
+
+## Related docs
+- docs/modules/platform/architecture-overview.md
+- docs/modules/platform/architecture.md
--- a/docs2/modules/policy.md
+++ b/docs2/modules/policy.md
@@ -0,0 +1,27 @@
+# Policy Engine
+
+## Purpose
+Evaluate deterministic policy and produce verdicts with explain traces.
+
+## Inputs
+- SBOM inventory
+- Advisories
+- VEX evidence
+- Reachability
+
+## Outputs
+- Verdicts, effective findings, derived VEX
+
+## Data and storage
+- PostgreSQL policy schema
+
+## Key dependencies
+- Concelier
+- Excititor
+- Signals
+
+## Notes and boundaries
+- Only component that produces derived findings
+
+## Related docs
+- docs/modules/policy/architecture.md
--- a/docs2/modules/registry.md
+++ b/docs2/modules/registry.md
@@ -0,0 +1,22 @@
+# Registry Token Service
+
+## Purpose
+Issue short-lived registry access tokens.
+
+## Inputs
+- Client credentials and scope
+
+## Outputs
+- Scoped registry tokens
+
+## Data and storage
+- PostgreSQL or in-memory cache
+
+## Key dependencies
+- Authority
+
+## Notes and boundaries
+- Tokens are short-lived
+
+## Related docs
+- docs/modules/registry/architecture.md
--- a/docs2/modules/router.md
+++ b/docs2/modules/router.md
@@ -0,0 +1,22 @@
+# Router
+
+## Purpose
+Transport abstraction for routing to service instances.
+
+## Inputs
+- Service registrations and frames
+
+## Outputs
+- Routed frames and responses
+
+## Data and storage
+- Routing state and endpoint descriptors
+
+## Key dependencies
+- Gateway
+
+## Notes and boundaries
+- Optional in some deployments
+
+## Related docs
+- docs/modules/router/architecture.md
--- a/docs2/modules/sbomservice.md
+++ b/docs2/modules/sbomservice.md
@@ -0,0 +1,22 @@
+# SBOM Service
+
+## Purpose
+Serve deterministic SBOM projections and lineage.
+
+## Inputs
+- SBOMs from Scanner or uploads
+
+## Outputs
+- SBOM projections and lineage ledger
+
+## Data and storage
+- PostgreSQL and RustFS
+
+## Key dependencies
+- Scanner
+
+## Notes and boundaries
+- Append-only SBOM versions
+
+## Related docs
+- docs/modules/sbomservice/architecture.md
--- a/docs2/modules/scanner.md
+++ b/docs2/modules/scanner.md
@@ -0,0 +1,29 @@
+# Scanner
+
+## Purpose
+Generate deterministic SBOMs, diffs, and reachability evidence.
+
+## Inputs
+- Image digest or SBOM
+- Analyzer manifests and config
+
+## Outputs
+- SBOM inventory and usage views
+- Diffs and reports
+- Reachability graphs
+
+## Data and storage
+- RustFS for artifacts
+- PostgreSQL for metadata
+- Valkey for queues
+
+## Key dependencies
+- RustFS
+- PostgreSQL
+- Valkey
+
+## Notes and boundaries
+- Does not decide pass or fail
+
+## Related docs
+- docs/modules/scanner/architecture.md
--- a/docs2/modules/scheduler.md
+++ b/docs2/modules/scheduler.md
@@ -0,0 +1,26 @@
+# Scheduler
+
+## Purpose
+Select impacted images and trigger analysis-only re-evaluation.
+
+## Inputs
+- Advisory and VEX deltas
+- BOM index metadata
+
+## Outputs
+- Re-evaluation jobs and delta events
+
+## Data and storage
+- PostgreSQL scheduler schema
+- Valkey queues
+
+## Key dependencies
+- Scanner WebService
+- Concelier
+- Excititor
+
+## Notes and boundaries
+- Does not rescan by default
+
+## Related docs
+- docs/modules/scheduler/architecture.md
--- a/docs2/modules/signals.md
+++ b/docs2/modules/signals.md
@@ -0,0 +1,23 @@
+# Signals
+
+## Purpose
+Reachability scoring, unknowns registry, and signal APIs.
+
+## Inputs
+- Call graphs and runtime facts
+
+## Outputs
+- Reachability facts and unknowns records
+
+## Data and storage
+- PostgreSQL and artifact store
+
+## Key dependencies
+- Scanner and Zastava
+
+## Notes and boundaries
+- Deterministic scoring with unknowns pressure
+
+## Related docs
+- docs/modules/signals/evidence/README.md
+- docs/modules/signals/unknowns/2025-12-01-unknowns-registry.md
--- a/docs2/modules/signer.md
+++ b/docs2/modules/signer.md
@@ -0,0 +1,25 @@
+# Signer
+
+## Purpose
+Produce DSSE envelopes and enforce Proof of Entitlement (PoE).
+
+## Inputs
+- Signing requests from trusted services
+- OpTok and PoE
+
+## Outputs
+- DSSE bundles for SBOMs, reports, and exports
+
+## Data and storage
+- Audit logs only
+
+## Key dependencies
+- Authority
+- OCI registry referrers
+- KMS or Fulcio
+
+## Notes and boundaries
+- Does not write to Rekor
+
+## Related docs
+- docs/modules/signer/architecture.md
--- a/docs2/modules/taskrunner.md
+++ b/docs2/modules/taskrunner.md
@@ -0,0 +1,22 @@
+# TaskRunner
+
+## Purpose
+Execute task packs deterministically with approvals and evidence.
+
+## Inputs
+- Task pack definitions and run requests
+
+## Outputs
+- Run status, artifacts, DSSE bundles
+
+## Data and storage
+- PostgreSQL and artifact store
+
+## Key dependencies
+- Signer and Attestor
+
+## Notes and boundaries
+- Supports sealed mode
+
+## Related docs
+- docs/modules/taskrunner/architecture.md
--- a/docs2/modules/telemetry.md
+++ b/docs2/modules/telemetry.md
@@ -0,0 +1,22 @@
+# Telemetry Stack
+
+## Purpose
+Metrics, logs, traces, dashboards, and alerts.
+
+## Inputs
+- Service telemetry and audit logs
+
+## Outputs
+- Dashboards and alert rules
+
+## Data and storage
+- Telemetry store and dashboards
+
+## Key dependencies
+- All services
+
+## Notes and boundaries
+- Offline bundle support
+
+## Related docs
+- docs/modules/telemetry/architecture.md
--- a/docs2/modules/ui.md
+++ b/docs2/modules/ui.md
@@ -0,0 +1,22 @@
+# UI and Console
+
+## Purpose
+Operator console for scans, policy, VEX, and notifications.
+
+## Inputs
+- API responses and event streams
+
+## Outputs
+- Workflow actions and audit views
+
+## Data and storage
+- Browser storage for preferences
+
+## Key dependencies
+- Backend APIs
+
+## Notes and boundaries
+- Offline-friendly, no external CDN
+
+## Related docs
+- docs/modules/ui/architecture.md
--- a/docs2/modules/vex-lens.md
+++ b/docs2/modules/vex-lens.md
@@ -0,0 +1,23 @@
+# VEX Lens
+
+## Purpose
+Compute reproducible consensus views over VEX statements.
+
+## Inputs
+- VEX observations and trust weights
+
+## Outputs
+- Consensus status and evidence refs
+
+## Data and storage
+- PostgreSQL
+
+## Key dependencies
+- Excititor and Issuer Directory
+
+## Notes and boundaries
+- Preserves conflicts and provenance
+
+## Related docs
+- docs/modules/vex-lens/architecture.md
+- docs/modules/vexlens/architecture.md
--- a/docs2/modules/vexhub.md
+++ b/docs2/modules/vexhub.md
@@ -0,0 +1,22 @@
+# VexHub
+
+## Purpose
+Aggregate and distribute VEX statements.
+
+## Inputs
+- Upstream VEX sources
+
+## Outputs
+- Normalized VEX feeds
+
+## Data and storage
+- PostgreSQL
+
+## Key dependencies
+- Excititor
+
+## Notes and boundaries
+- Feeds VEX Lens and Policy
+
+## Related docs
+- docs/modules/vexhub/architecture.md
--- a/docs2/modules/vuln-explorer.md
+++ b/docs2/modules/vuln-explorer.md
@@ -0,0 +1,22 @@
+# Vulnerability Explorer
+
+## Purpose
+Triage workflows and evidence ledger views.
+
+## Inputs
+- Effective findings and Decision Capsules
+
+## Outputs
+- Triage actions and audit records
+
+## Data and storage
+- PostgreSQL
+
+## Key dependencies
+- Policy Engine and evidence bundles
+
+## Notes and boundaries
+- Triage is evidence-linked
+
+## Related docs
+- docs/modules/vuln-explorer/architecture.md
--- a/docs2/modules/zastava.md
+++ b/docs2/modules/zastava.md
@@ -0,0 +1,22 @@
+# Zastava
+
+## Purpose
+Runtime observer and optional admission enforcement.
+
+## Inputs
+- Runtime facts, policy verdicts
+
+## Outputs
+- Runtime events and admission decisions
+
+## Data and storage
+- Local cache and event stream
+
+## Key dependencies
+- Scanner WebService and Policy
+
+## Notes and boundaries
+- Does not compute SBOMs
+
+## Related docs
+- docs/modules/zastava/architecture.md