Implement Exception Effect Registry and Evaluation Service

- Added IExceptionEffectRegistry interface and its implementation ExceptionEffectRegistry to manage exception effects based on type and reason.
- Created ExceptionAwareEvaluationService for evaluating policies with automatic exception loading from the repository.
- Developed unit tests for ExceptionAdapter and ExceptionEffectRegistry to ensure correct behavior and mappings of exceptions and effects.
- Enhanced exception loading logic to filter expired and non-active exceptions, and to respect maximum exceptions limit.
- Implemented caching mechanism in ExceptionAdapter to optimize repeated exception loading.

docs/implplan/SPRINT_3900_0002_0001_policy_engine_integration.md

@@ -0,0 +1,331 @@
+# Sprint 3900.0002.0001 · Exception Objects — Policy Engine Integration
+
+## Topic & Scope
+- Integrate Exception Objects with the Policy Engine evaluation pipeline.
+- Create adapter to convert persisted `ExceptionObject` entities into `PolicyEvaluationExceptions`.
+- Add exception loading during policy evaluation.
+- Ensure exceptions are applied during runtime evaluation with proper precedence.
+- **Working directory:** `src/Policy/StellaOps.Policy.Engine/` and `src/Policy/__Libraries/StellaOps.Policy.Exceptions/`
+
+## Dependencies & Concurrency
+- **Upstream**: Sprint 3900.0001.0001 (Schema & Model) — DONE
+- **Upstream**: Sprint 3900.0001.0002 (API & Workflow) — DONE
+- **Downstream**: Sprint 3900.0002.0002 (UI + Audit Pack Export)
+- **Safe to parallelize with**: Unrelated epics, UI development
+
+## Documentation Prerequisites
+- Sprint 3900.0001.0001 completion docs
+- Sprint 3900.0001.0002 completion docs
+- `docs/modules/policy/architecture.md`
+- `src/Policy/AGENTS.md`
+- Understanding of `PolicyEvaluationExceptions` and `PolicyEvaluationExceptionInstance` records
+
+---
+
+## Tasks
+
+### T1: Exception Adapter Service
+
+**Assignee**: Policy Team  
+**Story Points**: 5  
+**Status**: TODO
+
+**Description**:
+Create an adapter service that converts persisted `ExceptionObject` entities from the Exceptions library into `PolicyEvaluationExceptions` records used by the Policy Engine.
+
+**Implementation Path**: `src/Policy/StellaOps.Policy.Engine/Adapters/ExceptionAdapter.cs`
+
+**Acceptance Criteria**:
+- [ ] `IExceptionAdapter` interface with `Task<PolicyEvaluationExceptions> LoadExceptionsAsync(Guid tenantId, CancellationToken ct)`
+- [ ] `ExceptionAdapter` implementation that:
+  - [ ] Queries active exceptions from `IExceptionRepository`
+  - [ ] Filters to only `Active` status exceptions
+  - [ ] Filters to non-expired exceptions (expiresAt > now)
+  - [ ] Maps `ExceptionObject` → `PolicyEvaluationExceptionInstance`
+  - [ ] Maps `ExceptionType` + `ExceptionReason` → `PolicyExceptionEffect`
+  - [ ] Creates scope from `ExceptionScope` (purl patterns, vulnerability IDs, environments)
+- [ ] Caching layer with configurable TTL (default 60s)
+- [ ] Cache invalidation event handler for exception status changes
+
+**Type Mapping**:
+```csharp
+// From StellaOps.Policy.Exceptions.Models.ExceptionObject
+// To   StellaOps.Policy.Engine.Evaluation.PolicyEvaluationExceptionInstance
+
+// ExceptionScope → PolicyEvaluationExceptionScope
+// - purlPattern   → Tags (if component-based) or RuleNames (if policy-rule)
+// - vulnerabilityId → Sources (advisory source matching)
+// - environment   → Filter during loading
+```
+
+---
+
+### T2: Exception Effect Registry
+
+**Assignee**: Policy Team  
+**Story Points**: 3  
+**Status**: TODO  
+**Dependencies**: None
+
+**Description**:
+Create a registry for exception effects that maps `ExceptionType` and `ExceptionReason` combinations to `PolicyExceptionEffect` instances.
+
+**Implementation Path**: `src/Policy/StellaOps.Policy.Engine/Adapters/ExceptionEffectRegistry.cs`
+
+**Acceptance Criteria**:
+- [ ] `IExceptionEffectRegistry` interface
+- [ ] `ExceptionEffectRegistry` implementation with predefined effect mappings:
+
+| ExceptionType | ExceptionReason | Effect |
+|--------------|-----------------|--------|
+| `vulnerability` | `false_positive` | Suppress |
+| `vulnerability` | `wont_fix` | Suppress |
+| `vulnerability` | `vendor_pending` | Defer |
+| `vulnerability` | `compensating_control` | RequireControl |
+| `vulnerability` | `risk_accepted` | Suppress |
+| `vulnerability` | `not_affected` | Suppress |
+| `policy` | `exception_granted` | Suppress |
+| `policy` | `temporary_override` | Defer |
+| `unknown` | `pending_analysis` | Defer |
+| `component` | `deprecated_allowed` | Suppress |
+| `component` | `license_waiver` | Suppress |
+
+- [ ] Effect includes routing template for notifications
+- [ ] Effect includes max duration days for time-boxed exceptions
+- [ ] Registry can be extended via DI configuration
+
+---
+
+### T3: Evaluation Pipeline Integration
+
+**Assignee**: Policy Team  
+**Story Points**: 5  
+**Status**: TODO  
+**Dependencies**: T1, T2
+
+**Description**:
+Integrate the exception adapter into the `PolicyRuntimeEvaluationService` to load exceptions before evaluation.
+
+**Implementation Path**: `src/Policy/StellaOps.Policy.Engine/Services/PolicyRuntimeEvaluationService.cs`
+
+**Acceptance Criteria**:
+- [ ] Add `IExceptionAdapter` dependency to `PolicyRuntimeEvaluationService`
+- [ ] Load exceptions during `EvaluateAsync` before building evaluation context
+- [ ] Add tenant ID to `RuntimeEvaluationRequest` if not already present
+- [ ] Build `PolicyEvaluationExceptions` from adapter results
+- [ ] Existing `ApplyExceptions` logic handles the evaluation
+- [ ] Log exception application at Debug level
+- [ ] Emit telemetry counter for exceptions applied
+
+**Integration Point**:
+```csharp
+// In PolicyRuntimeEvaluationService.EvaluateAsync:
+// 1. Load compiled policy bundle (existing)
+// 2. Load active exceptions for tenant (NEW)
+// 3. Build evaluation context with exceptions (existing, now populated)
+// 4. Evaluate policy (existing)
+// 5. Apply exceptions (existing logic)
+```
+
+---
+
+### T4: Batch Evaluation Support
+
+**Assignee**: Policy Team  
+**Story Points**: 3  
+**Status**: TODO  
+**Dependencies**: T3
+
+**Description**:
+Optimize exception loading for batch evaluation scenarios where multiple findings are evaluated together.
+
+**Implementation Path**: `src/Policy/StellaOps.Policy.Engine/BatchEvaluation/BatchExceptionLoader.cs`
+
+**Acceptance Criteria**:
+- [ ] `IBatchExceptionLoader` interface
+- [ ] Load exceptions once per batch (same tenant)
+- [ ] Scope filtering per-finding within the batch
+- [ ] Memory-efficient: don't duplicate exception instances
+- [ ] Wire into `BatchEvaluationModels.RuntimeEvaluationExecutor`
+
+---
+
+### T5: Exception Application Audit Trail
+
+**Assignee**: Policy Team  
+**Story Points**: 3  
+**Status**: TODO  
+**Dependencies**: T3
+
+**Description**:
+Record exception application in the evaluation result and audit trail.
+
+**Implementation Path**: `src/Policy/StellaOps.Policy.Engine/Services/ExceptionApplicationRecorder.cs`
+
+**Acceptance Criteria**:
+- [ ] `IExceptionApplicationRecorder` interface
+- [ ] Record when an exception is applied to a finding:
+  - [ ] Exception ID
+  - [ ] Finding context (purl, vulnerability ID, etc.)
+  - [ ] Original status
+  - [ ] Applied status
+  - [ ] Timestamp
+- [ ] Store in `policy.exception_applications` table (new)
+- [ ] Expose via ledger export for compliance
+
+**Schema Addition**:
+```sql
+CREATE TABLE policy.exception_applications (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL REFERENCES tenants(id),
+    exception_id UUID NOT NULL REFERENCES policy.exceptions(id),
+    finding_id VARCHAR(512) NOT NULL,
+    original_status VARCHAR(64) NOT NULL,
+    applied_status VARCHAR(64) NOT NULL,
+    purl VARCHAR(1024),
+    vulnerability_id VARCHAR(64),
+    evaluation_run_id UUID,
+    applied_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT fk_tenant FOREIGN KEY (tenant_id) REFERENCES tenants(id) ON DELETE CASCADE
+);
+
+CREATE INDEX idx_exception_applications_tenant_exception 
+    ON policy.exception_applications(tenant_id, exception_id);
+CREATE INDEX idx_exception_applications_finding 
+    ON policy.exception_applications(tenant_id, finding_id);
+```
+
+---
+
+### T6: DI Registration and Configuration
+
+**Assignee**: Policy Team  
+**Story Points**: 2  
+**Status**: TODO  
+**Dependencies**: T1, T2
+
+**Description**:
+Register exception integration services in the DI container.
+
+**Implementation Path**: `src/Policy/StellaOps.Policy.Engine/DependencyInjection/PolicyEngineServiceCollectionExtensions.cs`
+
+**Acceptance Criteria**:
+- [ ] `AddPolicyExceptionIntegration()` extension method
+- [ ] Register `IExceptionAdapter` → `ExceptionAdapter`
+- [ ] Register `IExceptionEffectRegistry` → `ExceptionEffectRegistry`
+- [ ] Register `IBatchExceptionLoader` → `BatchExceptionLoader`
+- [ ] Register `IExceptionApplicationRecorder` → `ExceptionApplicationRecorder`
+- [ ] Configuration options for cache TTL
+- [ ] Configuration options for batch loading
+
+**Options Model**:
+```csharp
+public sealed class ExceptionIntegrationOptions
+{
+    public TimeSpan CacheTtl { get; set; } = TimeSpan.FromSeconds(60);
+    public int BatchSize { get; set; } = 1000;
+    public bool EnableAuditTrail { get; set; } = true;
+}
+```
+
+---
+
+### T7: Unit Tests
+
+**Assignee**: Policy Team  
+**Story Points**: 5  
+**Status**: TODO  
+**Dependencies**: T1-T6
+
+**Description**:
+Comprehensive unit tests for exception integration.
+
+**Implementation Path**: `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Adapters/`
+
+**Acceptance Criteria**:
+- [ ] `ExceptionAdapterTests`:
+  - [ ] Test mapping from `ExceptionObject` to `PolicyEvaluationExceptionInstance`
+  - [ ] Test filtering by status (only Active)
+  - [ ] Test filtering by expiry
+  - [ ] Test scope mapping
+  - [ ] Test caching behavior
+- [ ] `ExceptionEffectRegistryTests`:
+  - [ ] Test all effect mappings
+  - [ ] Test unknown type fallback
+- [ ] `PolicyEvaluatorExceptionIntegrationTests`:
+  - [ ] Test exception application during evaluation
+  - [ ] Test specificity ordering
+  - [ ] Test multiple matching exceptions
+  - [ ] Test no matching exception case
+- [ ] `BatchExceptionLoaderTests`:
+  - [ ] Test batch loading optimization
+  - [ ] Test tenant isolation
+
+---
+
+### T8: Integration Tests
+
+**Assignee**: Policy Team  
+**Story Points**: 3  
+**Status**: TODO  
+**Dependencies**: T7
+
+**Description**:
+Integration tests with PostgreSQL for exception loading.
+
+**Implementation Path**: `src/Policy/__Tests/StellaOps.Policy.Storage.Postgres.Tests/ExceptionIntegrationTests.cs`
+
+**Acceptance Criteria**:
+- [ ] Test full flow: Create exception → Activate → Evaluate finding → Exception applied
+- [ ] Test expired exception not applied
+- [ ] Test revoked exception not applied
+- [ ] Test tenant isolation
+- [ ] Test concurrent evaluation with cache
+
+---
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key Dependency | Owners | Task Definition |
+|---|---------|--------|----------------|--------|-----------------|
+| 1 | T1 | DONE | None | Policy Team | Exception Adapter Service |
+| 2 | T2 | DONE | None | Policy Team | Exception Effect Registry |
+| 3 | T3 | DONE | T1, T2 | Policy Team | Evaluation Pipeline Integration |
+| 4 | T4 | TODO | T3 | Policy Team | Batch Evaluation Support |
+| 5 | T5 | TODO | T3 | Policy Team | Exception Application Audit Trail |
+| 6 | T6 | DONE | T1, T2 | Policy Team | DI Registration and Configuration |
+| 7 | T7 | DOING | T1-T6 | Policy Team | Unit Tests |
+| 8 | T8 | TODO | T7 | Policy Team | Integration Tests |
+
+---
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2025-12-21 | Sprint created from Epic 3900 Batch 0002 planning. | Project Manager |
+
+---
+
+## Decisions & Risks
+
+### Open Decisions
+1. **Cache invalidation strategy**: Should we use event-driven invalidation or TTL-only?
+   - Current proposal: TTL with event-driven invalidation as optimization
+2. **Audit trail storage**: Separate table vs. extending existing ledger?
+   - Current proposal: New `policy.exception_applications` table for query efficiency
+
+### Risks
+1. **Performance**: Exception loading adds latency to evaluation
+   - Mitigation: Aggressive caching, batch loading
+2. **Cache coherence**: Stale exceptions might be applied
+   - Mitigation: Short TTL (60s), event-driven invalidation for critical changes
+
+---
+
+## Next Checkpoints
+
+| Date | Checkpoint | Accountable |
+|------|------------|-------------|
+| TBD | T1-T2 complete, T3 in progress | Policy Team |
+| TBD | All tasks DONE, ready for Sprint 3900.0002.0002 | Policy Team |

docs/implplan/SPRINT_3900_0002_0002_ui_audit_export.md

@@ -0,0 +1,311 @@
+# Sprint 3900.0002.0002 · Exception Objects — UI & Audit Pack Export
+
+## Topic & Scope
+- Wire existing Exception UI components to the Exception API.
+- Complete the exception management dashboard.
+- Add audit pack export for exception decisions.
+- Create compliance report generation for exceptions.
+- **Working directory:** `src/Web/StellaOps.Web/` and `src/ExportCenter/`
+
+## Dependencies & Concurrency
+- **Upstream**: Sprint 3900.0001.0001 (Schema & Model) — DONE
+- **Upstream**: Sprint 3900.0001.0002 (API & Workflow) — DONE
+- **Upstream**: Sprint 3900.0002.0001 (Policy Engine Integration) — for full E2E testing
+- **Safe to parallelize with**: Sprint 3900.0002.0001 (most UI tasks don't require engine integration)
+
+## Documentation Prerequisites
+- Sprint 3900.0001.0002 completion docs (API spec)
+- `docs/modules/ui/architecture.md`
+- `src/Web/StellaOps.Web/src/app/core/api/exception.client.ts` — existing API client
+- `src/Web/StellaOps.Web/src/app/features/exceptions/` — existing components
+
+---
+
+## Tasks
+
+### T1: Exception Dashboard Page
+
+**Assignee**: UI Team  
+**Story Points**: 5  
+**Status**: TODO
+
+**Description**:
+Create the main exception management dashboard page that wires existing components together.
+
+**Implementation Path**: `src/Web/StellaOps.Web/src/app/features/exceptions/exception-dashboard.component.ts`
+
+**Acceptance Criteria**:
+- [ ] Route: `/exceptions`
+- [ ] Wire `ExceptionCenterComponent` with real API data
+- [ ] Integrate `ExceptionApiHttpClient` for CRUD operations
+- [ ] Handle loading, error, and empty states
+- [ ] Implement create exception flow with `ExceptionWizardComponent`
+- [ ] Implement exception detail view
+- [ ] Implement status transition with confirmation dialogs
+- [ ] Real-time updates via `ExceptionEventsClient` (SSE)
+
+---
+
+### T2: Exception Detail Panel
+
+**Assignee**: UI Team  
+**Story Points**: 3  
+**Status**: TODO
+
+**Description**:
+Create a detail panel/drawer for viewing and editing individual exceptions.
+
+**Implementation Path**: `src/Web/StellaOps.Web/src/app/features/exceptions/exception-detail.component.ts`
+
+**Acceptance Criteria**:
+- [ ] Display full exception details (scope, rationale, evidence refs)
+- [ ] Show exception history/audit trail
+- [ ] Edit rationale and metadata (if status allows)
+- [ ] Status transition buttons with role-based visibility
+- [ ] Extend expiry action
+- [ ] Evidence reference links (if applicable)
+- [ ] Related findings summary
+
+---
+
+### T3: Exception Approval Queue
+
+**Assignee**: UI Team  
+**Story Points**: 3  
+**Status**: TODO
+
+**Description**:
+Create a dedicated view for approvers to manage pending exception requests.
+
+**Implementation Path**: `src/Web/StellaOps.Web/src/app/features/exceptions/exception-approval-queue.component.ts`
+
+**Acceptance Criteria**:
+- [ ] Route: `/exceptions/approvals`
+- [ ] Filter to `proposed` status by default
+- [ ] Show requester, scope, rationale summary
+- [ ] Bulk approve/reject capability
+- [ ] Comment required for rejection
+- [ ] Show time since request (SLA indicator)
+- [ ] Role-based access (only approvers see this route)
+
+---
+
+### T4: Exception Inline Creation
+
+**Assignee**: UI Team  
+**Story Points**: 2  
+**Status**: TODO
+
+**Description**:
+Enhance `ExceptionDraftInlineComponent` to submit to the real API.
+
+**Implementation Path**: `src/Web/StellaOps.Web/src/app/features/exceptions/exception-draft-inline.component.ts`
+
+**Acceptance Criteria**:
+- [ ] Wire to `ExceptionApiHttpClient.createException()`
+- [ ] Pre-fill scope from finding context
+- [ ] Validate before submission
+- [ ] Show success/error feedback
+- [ ] Navigate to exception detail on success
+
+---
+
+### T5: Exception Badge Integration
+
+**Assignee**: UI Team  
+**Story Points**: 2  
+**Status**: TODO
+
+**Description**:
+Wire `ExceptionBadgeComponent` to show exception status on findings.
+
+**Implementation Path**: `src/Web/StellaOps.Web/src/app/shared/components/exception-badge.component.ts`
+
+**Acceptance Criteria**:
+- [ ] Input: finding context (purl, vulnerability ID)
+- [ ] Query API to check if exception applies
+- [ ] Show badge with exception status and tooltip
+- [ ] Click navigates to exception detail
+- [ ] Cache exception checks per session
+
+---
+
+### T6: Audit Pack Export — Exception Report
+
+**Assignee**: Export Team  
+**Story Points**: 5  
+**Status**: TODO
+
+**Description**:
+Create exception report generator for audit pack export.
+
+**Implementation Path**: `src/ExportCenter/__Libraries/StellaOps.ExportCenter.Reports/ExceptionReport/`
+
+**Acceptance Criteria**:
+- [ ] `IExceptionReportGenerator` interface
+- [ ] `ExceptionReportGenerator` implementation
+- [ ] Report includes:
+  - [ ] All active exceptions with full audit trail
+  - [ ] Exception application history (from `policy.exception_applications`)
+  - [ ] Approval chain for each exception
+  - [ ] Expiry timeline
+  - [ ] Scope details
+- [ ] PDF format with professional styling
+- [ ] JSON format for machine processing
+- [ ] NDJSON format for streaming
+
+**Report Structure**:
+```json
+{
+  "reportId": "uuid",
+  "generatedAt": "ISO8601",
+  "tenant": "tenant-id",
+  "reportPeriod": { "from": "ISO8601", "to": "ISO8601" },
+  "summary": {
+    "totalExceptions": 42,
+    "activeExceptions": 15,
+    "expiredExceptions": 20,
+    "revokedExceptions": 7,
+    "applicationsInPeriod": 1234
+  },
+  "exceptions": [
+    {
+      "id": "uuid",
+      "status": "active",
+      "type": "vulnerability",
+      "reason": "compensating_control",
+      "scope": { ... },
+      "timeline": [
+        { "event": "created", "at": "ISO8601", "by": "user" },
+        { "event": "approved", "at": "ISO8601", "by": "approver" },
+        { "event": "activated", "at": "ISO8601", "by": "system" }
+      ],
+      "applications": [
+        { "findingId": "...", "appliedAt": "ISO8601" }
+      ]
+    }
+  ]
+}
+```
+
+---
+
+### T7: Export Center Integration
+
+**Assignee**: Export Team  
+**Story Points**: 3  
+**Status**: TODO  
+**Dependencies**: T6
+
+**Description**:
+Register exception report in Export Center and add API endpoint.
+
+**Implementation Path**: `src/ExportCenter/StellaOps.ExportCenter.WebService/`
+
+**Acceptance Criteria**:
+- [ ] Register `ExceptionReportGenerator` in DI
+- [ ] Add `/api/v1/exports/exceptions` endpoint
+- [ ] Support query parameters: `from`, `to`, `format`, `includeApplications`
+- [ ] Async generation for large reports
+- [ ] Progress tracking for long-running exports
+- [ ] Download link with expiry
+
+---
+
+### T8: UI Unit Tests
+
+**Assignee**: UI Team  
+**Story Points**: 3  
+**Status**: TODO  
+**Dependencies**: T1-T5
+
+**Description**:
+Unit tests for exception UI components.
+
+**Implementation Path**: `src/Web/StellaOps.Web/src/app/features/exceptions/*.spec.ts`
+
+**Acceptance Criteria**:
+- [ ] `ExceptionDashboardComponent` tests:
+  - [ ] Loads exceptions on init
+  - [ ] Handles error states
+  - [ ] Creates exception via wizard
+- [ ] `ExceptionDetailComponent` tests:
+  - [ ] Displays exception data
+  - [ ] Handles status transitions
+- [ ] `ExceptionApprovalQueueComponent` tests:
+  - [ ] Filters to proposed status
+  - [ ] Approve/reject flow
+- [ ] Mock API client for isolation
+
+---
+
+### T9: E2E Tests
+
+**Assignee**: QA Team  
+**Story Points**: 5  
+**Status**: TODO  
+**Dependencies**: T1-T7, Sprint 3900.0002.0001
+
+**Description**:
+End-to-end tests for exception management flow.
+
+**Implementation Path**: `tests/e2e/exceptions/`
+
+**Acceptance Criteria**:
+- [ ] Create exception flow (UI → API → DB)
+- [ ] Approval workflow (submit → approve → activate)
+- [ ] Exception application during scan
+- [ ] Export report generation
+- [ ] Expiry handling
+- [ ] Role-based access control
+- [ ] Offline/air-gap scenario (if applicable)
+
+---
+
+## Delivery Tracker
+
+| # | Task ID | Status | Key Dependency | Owners | Task Definition |
+|---|---------|--------|----------------|--------|-----------------|
+| 1 | T1 | TODO | None | UI Team | Exception Dashboard Page |
+| 2 | T2 | TODO | None | UI Team | Exception Detail Panel |
+| 3 | T3 | TODO | None | UI Team | Exception Approval Queue |
+| 4 | T4 | TODO | None | UI Team | Exception Inline Creation |
+| 5 | T5 | TODO | None | UI Team | Exception Badge Integration |
+| 6 | T6 | TODO | None | Export Team | Audit Pack Export — Exception Report |
+| 7 | T7 | TODO | T6 | Export Team | Export Center Integration |
+| 8 | T8 | TODO | T1-T5 | UI Team | UI Unit Tests |
+| 9 | T9 | TODO | T1-T7, Sprint 0002.0001 | QA Team | E2E Tests |
+
+---
+
+## Execution Log
+
+| Date (UTC) | Update | Owner |
+|------------|--------|-------|
+| 2025-12-21 | Sprint created from Epic 3900 Batch 0002 planning. | Project Manager |
+
+---
+
+## Decisions & Risks
+
+### Open Decisions
+1. **Real-time updates**: SSE vs polling for exception status changes?
+   - Current proposal: SSE via `ExceptionEventsClient` (already implemented)
+2. **Report format priority**: Which formats to implement first?
+   - Current proposal: JSON (machine), PDF (compliance), NDJSON (streaming)
+
+### Risks
+1. **UI component integration**: Existing components may need refactoring
+   - Mitigation: Review components before wiring, plan refactoring if needed
+2. **Export performance**: Large exception sets may be slow
+   - Mitigation: Async generation, streaming for NDJSON
+
+---
+
+## Next Checkpoints
+
+| Date | Checkpoint | Accountable |
+|------|------------|-------------|
+| TBD | T1-T5 complete (UI wiring) | UI Team |
+| TBD | T6-T7 complete (Export) | Export Team |
+| TBD | All tasks DONE, Epic 3900 complete | Policy Team |

docs/implplan/archived/SPRINT_0140_0001_0001_runtime_signals.md

@@ -178,21 +178,21 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 
 | Task ID | State | Notes |
 | --- | --- | --- |
-| SBOM-AIAI-31-001 | TODO | Advisory AI path/timeline endpoints specced; awaiting projection schema finalization. |
-| SBOM-AIAI-31-002 | TODO | Metrics/dashboards tied to 31-001; blocked on the same schema availability. |
-| SBOM-CONSOLE-23-001 | TODO | Console catalog API draft complete; depends on Concelier/Cartographer payload definitions. |
-| SBOM-CONSOLE-23-002 | TODO | Global component lookup API needs 23-001 responses + cache hints before work can start. |
-| SBOM-ORCH-32-001 | TODO | Orchestrator registration is sequenced after projection schema because payload shapes map into job metadata. |
-| SBOM-ORCH-33-001 | TODO | Backpressure/telemetry features depend on 32-001 workers. |
-| SBOM-ORCH-34-001 | TODO | Backfill + watermark logic requires the orchestrator integration from 33-001. |
-| SBOM-SERVICE-21-001 | TODO | Link-Not-Merge v1 frozen (2025-11-17); proceed with projection schema + fixtures. |
-| SBOM-SERVICE-21-002 | TODO | Depends on 21-001 implementation; schema now frozen. |
-| SBOM-SERVICE-21-003 | TODO | Entry point/service node management follows 21-002; proceed with stub fixtures. |
-| SBOM-SERVICE-21-004 | TODO | Observability wiring to follow 21-003; unblock with mock feeds. |
-| SBOM-SERVICE-23-001 | TODO | Asset metadata extensions queued once 21-004 observability baseline exists. |
-| SBOM-SERVICE-23-002 | TODO | Asset update events depend on 23-001 schema. |
-| SBOM-VULN-29-001 | TODO | Inventory evidence feed deferred until projection schema + runtime align. |
-| SBOM-VULN-29-002 | TODO | Resolver feed requires 29-001 event payloads. |
+| SBOM-AIAI-31-001 | DONE (2025-12-05) | Advisory AI endpoints delivered (`/sbom/paths`, `/sbom/versions`) with deterministic paging; see Sprint 0142. |
+| SBOM-AIAI-31-002 | DONE (2025-12-05) | Metrics/dashboards delivered; see Sprint 0142. |
+| SBOM-CONSOLE-23-001 | DONE (2025-12-03) | Console SBOM catalog API delivered and tested; see Sprint 0142. |
+| SBOM-CONSOLE-23-002 | DONE (2025-12-03) | Component lookup API delivered and tested; see Sprint 0142. |
+| SBOM-ORCH-32-001 | DONE (2025-11-23) | Orchestrator registration endpoints delivered; see Sprint 0142. |
+| SBOM-ORCH-33-001 | DONE (2025-11-23) | Backpressure/telemetry controls delivered; see Sprint 0142. |
+| SBOM-ORCH-34-001 | DONE (2025-11-23) | Backfill + watermark logic delivered; see Sprint 0142. |
+| SBOM-SERVICE-21-001 | DONE (2025-12-05) | LNM v1 fixtures + projection schema/API delivered; see Sprint 0142. |
+| SBOM-SERVICE-21-002 | DONE (2025-12-05) | Projection version events + schema stabilization delivered; see Sprint 0142. |
+| SBOM-SERVICE-21-003 | DONE (2025-12-05) | Entrypoint/service-node management delivered; see Sprint 0142. |
+| SBOM-SERVICE-21-004 | DONE (2025-12-05) | Observability wiring delivered; see Sprint 0142. |
+| SBOM-SERVICE-23-001 | DONE (2025-12-05) | Asset metadata extensions delivered; see Sprint 0142. |
+| SBOM-SERVICE-23-002 | DONE (2025-12-05) | Asset update events delivered; see Sprint 0142. |
+| SBOM-VULN-29-001 | DONE (2025-11-23) | Inventory evidence feed delivered; see Sprint 0142. |
+| SBOM-VULN-29-002 | DONE (2025-11-24) | Resolver feed + NDJSON export delivered; see Sprint 0142. |
 
 ### 140.C Signals
 
@@ -208,12 +208,12 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
 
 | Task ID | State | Notes |
 | --- | --- | --- |
-| ZASTAVA-ENV-01 | TODO | Observer adoption of Surface.Env helpers paused while Surface.FS cache contract finalizes. |
-| ZASTAVA-ENV-02 | TODO | Webhook helper migration follows ENV-01 completion. |
-| ZASTAVA-SECRETS-01 | TODO | Surface.Secrets wiring for Observer pending published cache endpoints. |
-| ZASTAVA-SECRETS-02 | TODO | Webhook secret retrieval cascades from SECRETS-01 work. |
-| ZASTAVA-SURFACE-01 | TODO | Surface.FS client integration blocked on Scanner layer metadata; tests ready once packages mirror offline dependencies. |
-| ZASTAVA-SURFACE-02 | TODO | Admission enforcement requires SURFACE-01 so webhook responses can gate on cache freshness. |
+| ZASTAVA-ENV-01 | DONE (2025-11-18) | Observer adoption of Surface.Env helpers shipped; see Sprint 0144. |
+| ZASTAVA-ENV-02 | DONE (2025-11-18) | Webhook helper migration shipped; see Sprint 0144. |
+| ZASTAVA-SECRETS-01 | DONE (2025-11-18) | Observer Surface.Secrets wiring shipped; see Sprint 0144. |
+| ZASTAVA-SECRETS-02 | DONE (2025-11-18) | Webhook secret retrieval shipped; see Sprint 0144. |
+| ZASTAVA-SURFACE-01 | DONE (2025-11-18) | Surface.FS client integration shipped; see Sprint 0144. |
+| ZASTAVA-SURFACE-02 | DONE (2025-11-18) | Admission enforcement shipped; see Sprint 0144. |
 
 ## In-flight focus (DOING items)
 
@@ -290,9 +290,9 @@ Signals DOING cleared (24-002/003 DONE). SIGNALS-24-004/005 delivered with deter
 | --- | --- | --- | --- |
 | SIGNALS-24-002 CAS promotion + signed manifests | 2025-11-14 | BLOCKED | Waiting on Platform Storage approval; CAS checklist published (`docs/signals/cas-promotion-24-002.md`). |
 | SIGNALS-24-003 provenance enrichment + backfill | 2025-11-15 | BLOCKED | Await provenance appendix freeze/approval; checklist published (`docs/signals/provenance-24-003.md`). |
-| Scanner analyzer artifact ETA & cache drop plan | 2025-11-13 | TODO | Scanner to publish Sprint 130 surface roadmap; Graph/Zastava blocked until then. |
+| Scanner analyzer artifact ETA & cache drop plan | 2025-11-13 | OVERDUE | No in-repo publication located; Graph/Zastava shipped against mock bundle, but parity revalidation still needs real cache ETA + manifests. |
 | Concelier Link-Not-Merge schema ratified | 2025-11-14 | DONE | Agreement signed 2025-11-17; CONCELIER-GRAPH-21-001 and CARTO-GRAPH-21-002 implemented with observation event publisher 2025-11-22. AirGap review next. |
-| Surface.Env helper adoption checklist | 2025-11-15 | TODO | Zastava guild preparing sealed-mode test harness; depends on Surface guild office hours outcomes. |
+| Surface.Env helper adoption checklist | 2025-11-15 | DONE (2025-11-18) | Zastava Surface.Env/Secrets/FS adoption shipped in Sprint 0144; ownership recorded in `docs/modules/zastava/surface-env-owner-manifest.md`. |
 
 ## Decisions needed (before 2025-11-15, refreshed 2025-11-13)
 

docs/implplan/archived/SPRINT_0211_0001_0003_ui_iii.md

@@ -3,7 +3,7 @@
 ## Topic & Scope
 - Phase III UI uplift focusing on Policy Studio RBAC updates and reachability-first experiences across Vulnerability Explorer, Why drawer, SBOM Graph, and the new Reachability Center.
 - Surface reachability evidence (columns, badges, call paths, timelines, halos) and align Console policy workspace with scopes `policy:author/review/approve/operate/audit/simulate`.
-- Active items only; completed/historic work live in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
+- Active items only; completed/historic work tracked in `docs/implplan/archived/all-tasks.md` (compat pointer: `docs/implplan/archived/tasks.md`).
 - **Working directory:** `src/Web/StellaOps.Web`.
 - Continues UI stream after `SPRINT_0210_0001_0002_ui_ii.md` (UI II).
 
@@ -56,11 +56,11 @@
 ## Action Tracker
 | # | Action | Owner | Due | Status |
 | --- | --- | --- | --- | --- |
-| 1 | Confirm final Policy Studio scopes and RBAC copy with Policy Engine owners. | UI Guild + Policy Guild | 2025-12-03 | TODO |
+| 1 | Confirm final Policy Studio scopes and RBAC copy with Policy Engine owners. | UI Guild + Policy Guild | 2025-12-03 | DONE (2025-12-12) |
 | 2 | Deliver reachability evidence fixture (columns, call paths, overlays) for SIG-26 chain; bench schema + 10k/50k callgraph/runtime fixtures published, overlay/coverage slices still pending. | Signals Guild | 2025-12-04 | DOING |
-| 3 | Define SBOM Graph overlay performance budget (FPS target, node count, halo rendering limits). | UI Guild | 2025-12-05 | TODO |
+| 3 | Define SBOM Graph overlay performance budget (FPS target, node count, halo rendering limits) and record in `docs/modules/ui/architecture.md` §10. | UI Guild | 2025-12-05 | DONE (2025-12-21) |
 | 4 | Align UI III work to `src/Web/StellaOps.Web` (canonical Angular workspace); ensure reachability fixtures available. | DevEx + UI Guild | 2025-12-06 | DONE (2025-12-06) |
-| 5 | Publish generated `graph:*` scope exports package (SDK 0208) and drop link/hash for UI consumption. | SDK Generator Guild | 2025-12-08 | TODO |
+| 5 | Publish generated `graph:*` scope exports package (SDK 0208) and drop link/hash for UI consumption. | SDK Generator Guild | 2025-12-08 | BLOCKED (2025-12-21) |
 | 6 | Provide deterministic SIG-26 fixture bundle (columns/badges JSON, call-path/timeline NDJSON, overlay halos, coverage/missing-sensor datasets) with perf budget notes. | Signals Guild + Graph Platform Guild | 2025-12-09 | DOING |
 
 ## Decisions & Risks
@@ -87,3 +87,4 @@
 | 2025-12-06 | Added ordered unblock plan for SIG-26 chain (scope exports -> fixtures -> sequential tasks). | Project Mgmt |
 | 2025-12-12 | Synced SIG-26 upstream outputs: WEB-SIG-26-001..003 completed (SPRINT_0216_0001_0001_web_v) and BENCH-SIG-26-001/002 published schema + 10k/50k fixtures (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/*`). Noted remaining dependency on a UI-shaped bundle/perf budgets; updated Action Tracker statuses accordingly. | Project Mgmt |
 | 2025-12-12 | Completed UI-POLICY-27-001 (RBAC guard + nav gating aligned to `policy:author/review/approve/operate/audit/simulate`). Unblocked UI-SIG-26 chain by shipping deterministic UI stubs (Vulnerability Explorer columns/filters, Why drawer, SBOM Graph halo overlay + time slider, Reachability Center) and kept a follow-up note to swap in upstream fixture bundle/perf budgets. `ng test` and `playwright test` green locally. | Implementer |
+| 2025-12-21 | Action Tracker update: (1) treated `policy:*` scopes as stable (see `docs/11_AUTHORITY.md`), (3) added SBOM Graph overlay budgets to `docs/modules/ui/architecture.md`, (5) still BLOCKED pending a published/generated scopes export artifact; UI continues to use the stub `src/Web/StellaOps.Web/src/app/core/auth/scopes.ts`. | Project Mgmt |

docs/implplan/archived/SPRINT_0216_0001_0001_web_v.md

@@ -2,7 +2,7 @@
 
 ## Topic & Scope
 - Phase V gateway uplift: risk routing, signals reachability overlays, tenant scoping/ABAC, VEX consensus streaming, and vuln proxy/export telemetry.
-- Active items only; completed/historic work moved to `docs/implplan/archived/tasks.md` (last updated 2025-11-08).
+- Active items only; completed/historic work tracked in `docs/implplan/archived/all-tasks.md` (compat pointer: `docs/implplan/archived/tasks.md`).
 - Evidence: routed APIs with RBAC/ABAC, signed URL handling, reachability filters, notifier/ledger hooks, and gateway telemetry.
 - **Working directory:** `src/Web/StellaOps.Web`.
 
@@ -60,11 +60,11 @@
 ## Action Tracker
 | # | Action | Owner | Due (UTC) | Status |
 | --- | --- | --- | --- | --- |
-| 1 | Provide stable npm install path (mirror or node_modules tarball) to clear `npm ci` hangs for risk/signals gateway tests. | Platform Ops | 2025-12-07 | TODO |
-| 2 | Publish Signals API contract + fixtures (callgraphs/facts, reachability scoring) for WEB-SIG-26-001..003. | Signals Guild | 2025-12-08 | TODO |
-| 3 | If any ABAC header mapping delta beyond v1.0 exists, publish update note + sample request. | BE-Base Platform Guild | 2025-12-08 | TODO |
-| 4 | Publish VEX consensus stream contract (RBAC/ABAC, caching, SSE payload) and sample to `docs/api/vex/consensus.md`. | VEX Lens Guild | 2025-12-09 | TODO |
-| 5 | Provide Findings Ledger idempotency header wiring example for gateway vuln workflow (forwarding). | Findings Ledger Guild | 2025-12-09 | TODO |
+| 1 | Provide stable npm install path (mirror or node_modules tarball) to clear `npm ci` hangs for risk/signals gateway tests. | Platform Ops | 2025-12-07 | DONE (2025-12-20) |
+| 2 | Publish Signals API contract + fixtures (callgraphs/facts, reachability scoring) for WEB-SIG-26-001..003. | Signals Guild | 2025-12-08 | DONE (2025-12-20) |
+| 3 | If any ABAC header mapping delta beyond v1.0 exists, publish update note + sample request. | BE-Base Platform Guild | 2025-12-08 | DONE (2025-12-20) |
+| 4 | Publish VEX consensus stream contract (RBAC/ABAC, caching, SSE payload) and sample to `docs/api/vex/consensus.md`. | VEX Lens Guild | 2025-12-09 | DONE (2025-12-20) |
+| 5 | Provide Findings Ledger idempotency header wiring example for gateway vuln workflow (forwarding). | Findings Ledger Guild | 2025-12-09 | DONE (2025-12-20) |
 
 ## Decisions & Risks
 | Risk | Impact | Mitigation | Owner | Status |
@@ -72,7 +72,7 @@
 | Tenant header/ABAC contract slips | Blocks WEB-TEN-47-001/48-001/49-001 and delays RBAC enforcement across routes | Contract published 2025-12-01 in `docs/api/gateway/tenant-auth.md`; enforce via Gateway:Auth flags | BE-Base Platform Guild | Mitigated |
 | Findings Ledger idempotency headers unclear | WEB-VULN-29-002/003 cannot forward workflow actions safely | Contract published 2025-12-01 in `docs/api/gateway/findings-ledger-proxy.md`; use TTL 24h + ETag/If-Match | Findings Ledger Guild | Mitigated |
 | Notifications event schema not finalized | WEB-RISK-68-001 cannot emit severity transition events with trace metadata | Event schema v1.0 published 2025-12-01 in `docs/api/gateway/notifications-severity.md`; rate limit + DLQ included | Notifications Guild | Mitigated |
-| Workspace storage exhaustion prevents command execution | Blocks code inspection and implementation for WEB-RISK-66-001 and subsequent tasks | Free space action completed; monitor disk and rerun gateway scaffolding | Platform Ops | Monitoring |
+| Workspace storage exhaustion prevents command execution | Blocks code inspection and implementation for WEB-RISK-66-001 and subsequent tasks | Free space action completed; monitor disk and rerun gateway scaffolding | Platform Ops | Mitigated (2025-12-20) |
 
 ### Unblock Plan (ordered)
 1) Stabilize npm install/test path (registry mirror or node_modules tarball) to clear `npm ci` hangs blocking WEB-RISK-66-001 chain.
@@ -85,6 +85,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-20 | Sprint closed: `src/Web/StellaOps.Web` unit tests now run and pass (`npm test`); updated WEB-RISK-66-001 task status and archived task ledger statuses; Action Tracker marked DONE. | Implementer |
 | 2025-12-11 | **Tenant chain complete:** Completed WEB-TEN-47-001..49-001. Implemented: TenantActivationService (JWT verification, scope matching, decision audit), TenantHttpInterceptor (tenant headers), TenantPersistenceService (DB session tenant_id, storage paths, audit metadata), AbacService (ABAC overlay with Policy Engine, caching), and AbacOverlayClient (audit decisions API, service token minting). | BE-Base Platform Guild |
 | 2025-12-02 | WEB-RISK-66-001: risk HTTP client/store now handle 429 rate-limit responses with retry-after hints and RateLimitError wiring; unit specs added (execution deferred—npm test not yet run). | BE-Base Platform Guild |
 | 2025-12-02 | WEB-RISK-66-001: added Playwright/Chromium auto-detection (ms-playwright cache + playwright-core browsers) to test runner; attempted npm ci to run specs but installs hung/spinner in this workspace, so tests remain not executed. | BE-Base Platform Guild |

docs/implplan/archived/all-tasks.md

@@ -642,9 +642,9 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
 | docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | UI-SIG-26-002 | TODO | Enhance Why drawer with call path/timeline. | UI Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | UI-SIG-26-003 | TODO | Add reachability overlay/time slider to SBOM Graph. | UI Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | UI-SIG-26-004 | TODO | Build Reachability Center + missing sensor view. | UI Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | WEB-SIG-26-001 | TODO | Expose signals proxy endpoints with pagination and RBAC. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | WEB-SIG-26-002 | TODO | Join reachability data into policy/vuln responses. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | WEB-SIG-26-003 | TODO | Support reachability overrides in simulate APIs. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | WEB-SIG-26-001 | DONE (2025-12-11) | Expose signals proxy endpoints with pagination and RBAC. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | WEB-SIG-26-002 | DONE (2025-12-11) | Join reachability data into policy/vuln responses. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | WEB-SIG-26-003 | DONE (2025-12-11) | Support reachability overrides in simulate APIs. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-001 | BLOCKED (2025-10-27) | Publish `/docs/policy/studio-overview.md` with lifecycle + roles. | Docs & Policy Guilds | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-002 | BLOCKED (2025-10-27) | Write `/docs/policy/authoring.md` with templates/snippets/lint rules. | Docs & Console Guilds | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-003 | BLOCKED (2025-10-27) | Document `/docs/policy/versioning-and-publishing.md`. | Docs & Policy Registry Guilds | Path: docs | 2025-10-19 |
@@ -815,10 +815,10 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
 | docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-009 | TODO | Instrument API telemetry (latency, workflow counts, exports). | Vuln Explorer API & Observability Guilds | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-010 | TODO | Deliver unit/integration/perf/determinism tests for Vuln Explorer API. | Vuln Explorer API & QA Guilds | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-011 | TODO | Ship deployment/offline manifests, health checks, scaling docs. | Vuln Explorer API & DevOps Guilds | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | WEB-VULN-29-001 | TODO | Route `/vuln/*` APIs with tenant RBAC, ABAC, anti-forgery enforcement. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | WEB-VULN-29-002 | TODO | Proxy workflow calls to Findings Ledger with correlation IDs + retries. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | WEB-VULN-29-003 | TODO | Expose simulation/export orchestration with SSE/progress + signed links. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | WEB-VULN-29-004 | TODO | Aggregate Vuln Explorer telemetry (latency, errors, exports). | BE-Base Platform & Observability Guilds | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | WEB-VULN-29-001 | DONE (2025-12-11) | Route `/vuln/*` APIs with tenant RBAC, ABAC, anti-forgery enforcement. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | WEB-VULN-29-002 | DONE (2025-12-11) | Proxy workflow calls to Findings Ledger with correlation IDs + retries. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | WEB-VULN-29-003 | DONE (2025-12-11) | Expose simulation/export orchestration with SSE/progress + signed links. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | WEB-VULN-29-004 | DONE (2025-12-11) | Aggregate Vuln Explorer telemetry (latency, errors, exports). | BE-Base Platform & Observability Guilds | Path: src/Web/StellaOps.Web | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | DOCS-VEX-30-001 | TODO | Publish `/docs/vex/consensus-overview.md`. | Docs Guild | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | DOCS-VEX-30-002 | TODO | Write `/docs/vex/consensus-algorithm.md`. | Docs Guild | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | DOCS-VEX-30-003 | TODO | Document `/docs/vex/issuer-directory.md`. | Docs Guild | Path: docs | 2025-10-19 |
@@ -850,7 +850,7 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
 | docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-009 | TODO | Instrument metrics/logs/traces; publish dashboards/alerts. | VEX Lens & Observability Guilds | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-010 | TODO | Build unit/property/integration/load tests and determinism harness. | VEX Lens & QA Guilds | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-011 | TODO | Provide deployment manifests, scaling guides, offline seeds, runbooks. | VEX Lens & DevOps Guilds | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | WEB-VEX-30-007 | TODO | Route `/vex/consensus` APIs via gateway with RBAC/ABAC, caching, and telemetry (proxy-only). | BE-Base Platform Guild, VEX Lens Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | WEB-VEX-30-007 | DONE (2025-12-11) | Route `/vex/consensus` APIs via gateway with RBAC/ABAC, caching, and telemetry (proxy-only). | BE-Base Platform Guild, VEX Lens Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | DOCS-AIAI-31-001 | TODO | Publish Advisory AI overview doc. | Docs Guild | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | DOCS-AIAI-31-002 | TODO | Publish architecture doc for Advisory AI. | Docs Guild | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | DOCS-AIAI-31-003..009 | TODO | Complete API/Console/CLI/Policy/Security/SBOM/Runbook docs. | Docs Guild | Path: docs | 2025-10-19 |
@@ -1090,7 +1090,7 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
 | docs/implplan/archived/updates/tasks.md | Sprint 47 — Authority-Backed Scopes & Tenancy Phase 1 | DEVOPS-TEN-47-001 | TODO | Integrate JWKS caching, signature verification tests, and auth regression suite into CI. | DevOps Guild | Path: ops/devops | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 47 — Authority-Backed Scopes & Tenancy Phase 1 | AUTH-TEN-47-001 | TODO | Implement unified JWT/ODIC config, scope grammar, tenant/project claims, and JWKS caching in Authority. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 47 — Authority-Backed Scopes & Tenancy Phase 1 | CLI-TEN-47-001 | TODO | Ship `stella login`, `whoami`, `tenants list`, and tenant flag persistence with secure token storage. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 47 — Authority-Backed Scopes & Tenancy Phase 1 | WEB-TEN-47-001 | TODO | Add auth middleware (token verification, tenant activation, scope checks) and structured 403 responses. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 47 — Authority-Backed Scopes & Tenancy Phase 1 | WEB-TEN-47-001 | DONE (2025-12-11) | Add auth middleware (token verification, tenant activation, scope checks) and structured 403 responses. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | DOCS-TEN-48-001 | TODO | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md` (imposed rule). | Docs Guild | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | DEVOPS-TEN-48-001 | TODO | Write integration tests for RLS enforcement, tenant audit stream, and object store prefix checks. | DevOps Guild | Path: ops/devops | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | CONCELIER-TEN-48-001 | TODO | Ensure advisory linkers operate per tenant with RLS, enforce aggregation-only capability endpoint. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 |
@@ -1101,12 +1101,12 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
 | docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | ORCH-TEN-48-001 | TODO | Stamp jobs with tenant/project, set DB session context, and reject jobs without context. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | POLICY-TEN-48-001 | TODO | Add `tenant_id`/`project_id` to policy data, enable Postgres RLS, and expose rationale IDs with tenant context. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | TASKRUN-TEN-48-001 | TODO | Propagate tenant/project to all steps, enforce object store prefix, and validate before execution. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | WEB-TEN-48-001 | TODO | Enforce tenant context through persistence (DB GUC, object store prefix), add request annotations, and emit audit events. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | WEB-TEN-48-001 | DONE (2025-12-11) | Enforce tenant context through persistence (DB GUC, object store prefix), add request annotations, and emit audit events. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 49 — Authority-Backed Scopes & Tenancy Phase 3 | DOCS-TEN-49-001 | TODO | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, `/docs/install/configuration-reference.md` updates (imposed rule). | Docs Guild | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 49 — Authority-Backed Scopes & Tenancy Phase 3 | DEVOPS-TEN-49-001 | TODO | Implement audit log pipeline, monitor scope usage, chaos tests for JWKS outage, and tenant load/perf tests. | DevOps Guild | Path: ops/devops | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 49 — Authority-Backed Scopes & Tenancy Phase 3 | AUTH-TEN-49-001 | TODO | Implement service accounts, delegation tokens (`act` chain), per-tenant quotas, and audit log streaming. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 49 — Authority-Backed Scopes & Tenancy Phase 3 | CLI-TEN-49-001 | TODO | Add service account token minting, delegation, and `--impersonate` banner/controls. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 49 — Authority-Backed Scopes & Tenancy Phase 3 | WEB-TEN-49-001 | TODO | Integrate ABAC policy overlay (optional), expose audit API, and support service token minting endpoints. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 49 — Authority-Backed Scopes & Tenancy Phase 3 | WEB-TEN-49-001 | DONE (2025-12-11) | Integrate ABAC policy overlay (optional), expose audit API, and support service token minting endpoints. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | DOCS-INSTALL-50-001 | TODO | Add `/docs/install/telemetry-stack.md` for collector deployment and offline packaging. | Docs Guild | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | DOCS-OBS-50-001 | BLOCKED (2025-10-26) | Author `/docs/observability/overview.md` with imposed rule banner and architecture context. | Docs Guild | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | DOCS-OBS-50-002 | TODO | Document telemetry standards (fields, scrubbing, sampling) under `/docs/observability/telemetry-standards.md`. | Docs Guild | Path: docs | 2025-10-19 |
@@ -1404,8 +1404,8 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
 | docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | POLICY-RISK-66-004 | BLOCKED (2025-11-26) | Blocked by 66-003; Policy libraries need config shape. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | RISK-ENGINE-66-001 | DONE (2025-11-25) | Deterministic risk queue/worker/registry scaffolded. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | RISK-ENGINE-66-002 | DONE (2025-11-25) | Transforms/clamping/gating implemented. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | WEB-RISK-66-001 | TODO | Expose risk API routing in gateway. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | WEB-RISK-66-002 | TODO | Handle explainability downloads. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | WEB-RISK-66-001 | DONE (2025-12-11) | Expose risk API routing in gateway. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | WEB-RISK-66-002 | DONE (2025-12-11) | Handle explainability downloads. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | DOCS-RISK-67-001 | TODO | Publish explainability doc. | Docs Guild | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | DOCS-RISK-67-002 | TODO | Publish risk API doc. | Docs Guild | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | DOCS-RISK-67-003 | TODO | Publish console risk UI doc. | Docs Guild | Path: docs | 2025-10-19 |
@@ -1423,7 +1423,7 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
 | docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | RISK-ENGINE-67-001 | DONE (2025-11-25) | Integrated CVSS/KEV providers. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | RISK-ENGINE-67-002 | DONE (2025-11-25) | Added VEX gate provider. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | RISK-ENGINE-67-003 | DONE (2025-11-25) | Fix availability/criticality/exposure providers added. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | WEB-RISK-67-001 | TODO | Provide risk status endpoint. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | WEB-RISK-67-001 | DONE (2025-12-11) | Provide risk status endpoint. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | DOCS-RISK-68-001 | TODO | Publish risk bundle doc. | Docs Guild | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | DOCS-RISK-68-002 | TODO | Update AOC invariants doc. | Docs Guild | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | CLI-RISK-68-001 | TODO | Add risk bundle verification command. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 |
@@ -1434,7 +1434,7 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
 | docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | POLICY-RISK-68-002 | BLOCKED (2025-11-26) | Blocked until overrides/export signing rules are agreed. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | RISK-ENGINE-68-001 | DONE (2025-11-25) | Persist scoring results & explanations. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | RISK-ENGINE-68-002 | DONE (2025-11-25) | Expose jobs/results/explanations APIs. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 |
-| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | WEB-RISK-68-001 | TODO | Emit severity transition events via gateway. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
+| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | WEB-RISK-68-001 | DONE (2025-12-11) | Emit severity transition events via gateway. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 69 — Risk Profiles Phase 4 – Simulation & Reporting | DOCS-RISK-67-001..004 | TODO | (Carry) ensure docs updated from simulation release. | Docs Guild | Path: docs | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 69 — Risk Profiles Phase 4 – Simulation & Reporting | RISK-BUNDLE-69-001 | TODO | Build risk bundle. | Risk Bundle Export Guild | Path: src/ExportCenter/StellaOps.ExportCenter.RiskBundles | 2025-10-19 |
 | docs/implplan/archived/updates/tasks.md | Sprint 69 — Risk Profiles Phase 4 – Simulation & Reporting | RISK-BUNDLE-69-002 | TODO | Integrate bundle into pipelines. | Risk Bundle Export Guild | Path: src/ExportCenter/StellaOps.ExportCenter.RiskBundles | 2025-10-19 |
@@ -1593,5 +1593,7 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
 | docs/implplan/archived/updates/2025-11-07-concelier-advisory-chunks.md | Update note | 2025-11-07 – Concelier advisory chunks API | INFO | **Subject:** Paragraph-anchored advisory chunks land for Advisory AI |  |  | 2025-11-07 |
 | docs/implplan/archived/updates/2025-11-09-authority-ldap-plugin.md | Update note | 2025-11-09 — Authority LDAP Plug-in Readiness (PLG7.IMPL-005) | INFO | - Added a dedicated LDAP quick-reference section to the Authority plug-in developer guide covering mutual TLS requirements, DN→role regex mappings, Mongo-backed claim caching, and the client-provisioning audit mirror. |  |  | 2025-11-09 |
 | docs/implplan/archived/updates/2025-11-12-notify-attestation-templates.md | Update note | 2025-11-12 – Notifications Attestation Template Suite | INFO | - Introduced the canonical `tmpl-attest-*` template family covering verification failures, expiring attestations, key rotations, and transparency anomalies. |  |  | 2025-11-12 |
-| docs/implplan/archived/SPRINT_0203_0001_0003_cli_iii.md | Sprint 0203 CLI III | ALL | DONE (2025-12-10) | DevEx/CLI Guild | src/Cli/StellaOps.Cli | 2025-12-10 |
-| docs/implplan/archived/SPRINT_0186_0001_0001_record_deterministic_execution.md | Sprint 0186 Record & Deterministic Execution | ALL | DONE (2025-12-10) | Scanner/Signer/Authority Guilds | src/Scanner; src/Signer; src/Authority | 2025-12-10 |
+| docs/implplan/archived/SPRINT_0203_0001_0003_cli_iii.md | Sprint 0203 CLI III | ALL | DONE (2025-12-10) | All tasks. | DevEx/CLI Guild | src/Cli/StellaOps.Cli | 2025-12-10 |
+| docs/implplan/archived/SPRINT_0186_0001_0001_record_deterministic_execution.md | Sprint 0186 Record & Deterministic Execution | ALL | DONE (2025-12-10) | All tasks. | Scanner/Signer/Authority Guilds | src/Scanner; src/Signer; src/Authority | 2025-12-10 |
+| docs/implplan/archived/SPRINT_0406_0001_0001_scanner_node_detection_gaps.md | Sprint 0406 Scanner Node Detection Gaps | ALL | DONE (2025-12-13) | Close Node analyzer detection gaps with deterministic fixtures/docs/bench. | Node Analyzer Guild + QA Guild | Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`; Docs: `docs/modules/scanner/analyzers-node.md` | 2025-12-21 |
+| docs/implplan/archived/SPRINT_0411_0001_0001_semantic_entrypoint_engine.md | Sprint 0411 Semantic Entrypoint Engine | ALL | DONE (2025-12-20) | Semantic entrypoint schema + language adapters + capability/threat/boundary inference, integrated into EntryTrace with tests, docs, and CLI semantic output. | Scanner Guild; QA Guild; Docs Guild; CLI Guild | src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic | 2025-12-21 |

docs/implplan/archived/tasks.md

@@ -0,0 +1,7 @@
+# Archived Tasks (Ledger)
+
+This file is kept for backward compatibility: many archived sprints reference `docs/implplan/archived/tasks.md` as the location for completed/historic work.
+
+- Consolidated ledger: `docs/implplan/archived/all-tasks.md`
+- Legacy migration log: `docs/implplan/archived/updates/tasks.md`
+

docs/modules/ui/architecture.md

@@ -241,8 +241,11 @@ export interface NotifyDelivery {
 
 ---
 
-## 10) Performance budgets
-
+## 10) Performance budgets
+
+* **SBOM Graph overlays**: maintain >= 45 FPS pan/zoom/hover up to ~2,500 nodes / 10,000 edges (baseline laptop); degrade via LOD + sampling above this.
+* **Reachability halo limits**: cap visible halos to <= 2,000 at once; beyond this, aggregate (counts/heat) and require zoom-in or filtering to expand.
+
 * **TTI** ≤ 1.5 s on 4G/slow CPU (first visit), ≤ 0.6 s repeat (HTTP/2, cached).
 * **JS** initial < 300 KB gz (lazy routes).
 * **SBOM list**: render 10k rows in < 70 ms with virtualization; filter in < 150 ms.