feat: Add tests for RichGraphPublisher and RichGraphWriter

- Implement unit tests for RichGraphPublisher to verify graph publishing to CAS.
- Implement unit tests for RichGraphWriter to ensure correct writing of canonical graphs and metadata.

feat: Implement AOC Guard validation logic

- Add AOC Guard validation logic to enforce document structure and field constraints.
- Introduce violation codes for various validation errors.
- Implement tests for AOC Guard to validate expected behavior.

feat: Create Console Status API client and service

- Implement ConsoleStatusClient for fetching console status and streaming run events.
- Create ConsoleStatusService to manage console status polling and event subscriptions.
- Add tests for ConsoleStatusClient to verify API interactions.

feat: Develop Console Status component

- Create ConsoleStatusComponent for displaying console status and run events.
- Implement UI for showing status metrics and handling user interactions.
- Add styles for console status display.

test: Add tests for Console Status store

- Implement tests for ConsoleStatusStore to verify event handling and state management.

docs/api/gateway/findings-ledger-proxy.md

@@ -0,0 +1,33 @@
+# Findings Ledger Proxy Contract (Web V)
+
+## Status
+- Draft v0.1 (2025-12-01); to be validated at 2025-12-04 checkpoint with Findings Ledger Guild.
+
+## Scope
+- Gateway → Findings Ledger forwarding for vuln workflow actions (open/ack/close/export).
+- Idempotency and correlation headers; retry/backoff defaults for offline-safe behavior.
+
+## Required Headers
+- `X-Idempotency-Key`: deterministic hash of `tenant + route + body`; required on POST/PUT; 36–64 chars; ledger must treat as unique for 24h TTL.
+- `X-Correlation-Id`: UUID/ULID stable across gateway → ledger → notifier.
+- `X-Stella-Tenant` / `X-Stella-Project`: tenant/project scoping per tenant-auth contract.
+- `Authorization: Bearer <jwt>`: RS256/ES256 service token; `aud=stellaops-ledger`; scopes `ledger:write ledger:read`.
+- `Content-Type: application/json`.
+
+## Behavior
+- Delivery semantics: at-least-once from gateway; ledger must guarantee exactly-once per `X-Idempotency-Key`.
+- Retry/backoff (gateway):
+  - Base delay 500 ms; exponential factor 2; jitter ±20%; max 3 attempts; cap total wait ≤ 10 s.
+  - Offline kits: persist request NDJSON with headers; replay on next sync window.
+- Timeout: 5 s per attempt; fail with `ERR_LEDGER_TIMEOUT`.
+- Error mapping:
+  - 400 series → `ERR_LEDGER_BAD_REQUEST` (propagate `details`).
+  - 404 → `ERR_LEDGER_NOT_FOUND`.
+  - 409 → `ERR_LEDGER_CONFLICT` (idempotency violation).
+  - 429/503 → `ERR_LEDGER_RETRY`.
+  - All responses include `trace_id` and echo `X-Correlation-Id`.
+
+## Open Questions
+- Confirm ledger idempotency TTL (proposed 24h) and whether ETag is returned for optimistic concurrency.
+- Confirm expected payload schemas for each workflow action (open/ack/close/export).
+- Confirm whether ledger enforces ordering per `tenant_id`.

docs/api/gateway/notifications-severity.md

@@ -0,0 +1,55 @@
+# Notifications Severity Transition Events (Web V)
+
+## Status
+- Draft v0.1 (2025-12-01); to be confirmed at 2025-12-06 checkpoint with Notifications Guild.
+
+## Scope
+- Event schema for severity transitions emitted by Web gateway to notifier bus (WEB-RISK-68-001).
+- Traceability and audit linking for downstream consumers (Console, Observability).
+
+## Event Shape
+- `event_type`: `severity.transition.v1`
+- `tenant_id`: string (slug/UUID)
+- `project_id`: string | null
+- `finding_id`: string (hash/UUID)
+- `risk_id`: string | null
+- `from_severity`: enum [`none`, `info`, `low`, `medium`, `high`, `critical`]
+- `to_severity`: enum (same as above)
+- `transition_reason`: string (machine-friendly code)
+- `occurred_at`: string (UTC ISO-8601)
+- `trace_id`: string (ULID/UUID)
+- `correlation_id`: string (UUID/ULID)
+- `actor`: { `subject`: string, `type`: `user`|`service` }
+- `source`: `gateway`
+- `version`: `v1`
+
+## Delivery & QoS
+- Bus topic: `notifications.severity.transition.v1`.
+- At-least-once delivery; consumers must dedupe on `correlation_id + finding_id + to_severity`.
+- Ordering: best-effort per `tenant_id`; no cross-tenant ordering guarantee.
+- Retention: 7 days (proposed); DLQ on permanent failures with same schema plus `error`.
+
+## Sample Payload
+```json
+{
+  "event_type": "severity.transition.v1",
+  "tenant_id": "acme-tenant",
+  "project_id": "proj-ops",
+  "finding_id": "f-7e12d9",
+  "risk_id": "r-4421",
+  "from_severity": "medium",
+  "to_severity": "high",
+  "transition_reason": "exploit_seen",
+  "occurred_at": "2025-12-01T10:15:20Z",
+  "trace_id": "01HXYZABCD1234567890",
+  "correlation_id": "01HXYZABCD1234567890",
+  "actor": { "subject": "policy-svc", "type": "service" },
+  "source": "gateway",
+  "version": "v1"
+}
+```
+
+## Open Questions
+- Confirm retention period and DLQ topic naming.
+- Confirm whether VEX statement link/reference is required in payload.
+- Confirm if per-tenant rate limits apply to this topic.

docs/api/gateway/tenant-auth.md

@@ -0,0 +1,41 @@
+# Gateway Tenant Auth & ABAC Contract (Web V)
+
+## Status
+- Draft v0.1 (2025-12-01); to be confirmed at 2025-12-02 checkpoint with Policy Guild.
+
+## Scope
+- Gateway header/claim contract for tenant activation and scope validation across Web V endpoints.
+- ABAC overlay hooks with Policy Engine (attributes, evaluation order, failure modes).
+- Audit emission requirements for auth decisions (RBAC + ABAC).
+
+## Header & Claim Inputs
+- `Authorization: Bearer <jwt>` — RS256/ES256, optionally DPoP-bound; claims: `iss`, `sub`, `aud`, `exp`, `iat`, `nbf`, `jti`, optional `scp` (scopes) and `ten` (tenant).
+- `X-Stella-Tenant` — required, tenant slug or UUID; must match `ten` claim when present.
+- `X-Stella-Project` — optional project/workspace slug; required for project-scoped routes.
+- `X-Stella-Scopes` — optional override for service tokens; space-delimited (`policy:run notifier:emit`).
+- `X-Stella-Trace-Id` — propagated trace ID for audit linking; if absent, gateway generates ULID-based trace ID.
+- `X-Request-Id` — optional client request ID; echoed for idempotency diagnostics.
+
+## Processing Rules
+- Validate JWT signature against offline bundle trust roots; enforce `aud` ∈ {`stellaops-web`, `stellaops-gateway`} and `exp/nbf`.
+- Resolve tenant: prefer `X-Stella-Tenant`; fallback to `ten` claim when header missing; mismatch → `ERR_TENANT_MISMATCH`.
+- Scope evaluation:
+  - Base scopes from JWT `scp` or `X-Stella-Scopes`.
+  - Enforce required scopes per route; deny with `ERR_SCOPE_MISMATCH` on missing scope.
+- ABAC overlay:
+  - Attribute sources: JWT claims (`sub`, `roles`, `org`), headers (`X-Stella-Tenant`, `X-Stella-Project`), request path/query/body attributes per route contract.
+  - Evaluation order: RBAC allow → ABAC evaluate → deny overrides → allow.
+  - Failure → `ERR_ABAC_DENY` with `reason` and `trace_id`.
+- Determinism: reject requests lacking tenant header; no fallback to anonymous; enforce stable error codes.
+
+## Outputs
+- On success: downstream context includes `tenant_id`, `project_id`, `subject`, `scopes`, `abac_result`, `trace_id`, `request_id`.
+- On failure: structured envelope with `error.code`, `error.message`, `trace_id`, `request_id`; HTTP 401 for token errors, 403 for scope/ABAC denials, 400 for tenant mismatch/missing.
+
+## Audit & Telemetry
+- Emit DSSE-wrapped audit record: `{ tenant_id, project_id, subject, scopes, decision, reason_code, trace_id, request_id, route, ts_utc }`.
+- Counters: `gateway.auth.success`, `gateway.auth.denied`, `gateway.auth.abac_denied`, `gateway.auth.tenant_missing`, labeled by route and tenant.
+
+## Open Questions
+- Confirm whether DPoP binding is mandatory for Web gateway tokens.
+- Confirm canonical scope names for service tokens and whether `X-Stella-Scopes` should be allowed in prod.