feat: Add tests for RichGraphPublisher and RichGraphWriter

- Implement unit tests for RichGraphPublisher to verify graph publishing to CAS.
- Implement unit tests for RichGraphWriter to ensure correct writing of canonical graphs and metadata.

feat: Implement AOC Guard validation logic

- Add AOC Guard validation logic to enforce document structure and field constraints.
- Introduce violation codes for various validation errors.
- Implement tests for AOC Guard to validate expected behavior.

feat: Create Console Status API client and service

- Implement ConsoleStatusClient for fetching console status and streaming run events.
- Create ConsoleStatusService to manage console status polling and event subscriptions.
- Add tests for ConsoleStatusClient to verify API interactions.

feat: Develop Console Status component

- Create ConsoleStatusComponent for displaying console status and run events.
- Implement UI for showing status metrics and handling user interactions.
- Add styles for console status display.

test: Add tests for Console Status store

- Implement tests for ConsoleStatusStore to verify event handling and state management.

docs/implplan/SPRINT_0153_0001_0003_orchestrator_iii.md

@@ -46,6 +46,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-01 | Full-suite `dotnet test` for Orchestrator solution aborted by host disk exhaustion (`No space left on device` / MSB5021). PackRun contract tests already pass; rerun full suite after freeing space (clean bin/obj, /tmp). | Implementer |
 | 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
 | 2025-11-07 | Still not started — Authority pack RBAC (AUTH-PACKS-43-001) remains blocked pending approvals/log-stream APIs. | Coordination |
 | 2025-11-17 | Coordinator approved interim token-scoped access for AUTH-PACKS-43-001; proceed with log-stream APIs using scoped tokens while full RBAC completes. | Coordination |
@@ -76,6 +77,7 @@
 
 
 ## Decisions & Risks
+- Full-suite test run currently blocked by disk exhaustion on host; free space (e.g., clean /tmp, bin/obj, caches) before rerunning to capture a clean green report.
 - Interim token-scoped access approved for AUTH-PACKS-43-001; tighten when RBAC lands.
 - Streaming/log APIs unblock Authority packs; notifier events must carry provenance metadata.
 - Tenant metadata enforcement (ORCH-TEN-48-001) complete (2025-11-30): job contracts expose tenant/project; TenantResolver + per-tenant session context enforced; downstream consumers must align.

docs/implplan/SPRINT_0164_0001_0001_exportcenter_iii.md

@@ -94,4 +94,5 @@
 | 2025-11-30 | Added KMS envelope-handling pattern doc and closed Action 2; encryption risk now covered. | Implementer |
 | 2025-11-30 | Added risk-bundle provider matrix/signing baseline doc and closed Action 3; Wave 3 still waits on Sprint 0163 outputs. | Implementer |
 | 2025-11-30 | Wired RiskBundle worker DI/options, added filesystem store + signer config, and enabled host service scaffold; RiskBundle tests passing. | Implementer |
+| 2025-11-30 | Added RiskBundles worker default configuration (providers/storage/signing) to appsettings, keeping task 69-001 progressing under DOING. | Implementer |
 | 2025-11-30 | Implemented risk-bundle builder/signing/object store scaffolding and unit tests; set RISK-BUNDLE-69-001 to DOING pending upstream provider artefacts; `dotnet test --filter RiskBundle` passing. | Implementer |

docs/implplan/SPRINT_0165_0001_0001_timelineindexer.md

@@ -59,6 +59,7 @@
 | EvidenceLocker digest schema pending. | Blocks digest table shape and evidence linkage (TIMELINE-OBS-53-001). | Track Action 2; keep tasks BLOCKED. | OPEN |
 | RLS review not scheduled. | Could delay production readiness of policies (TIMELINE-OBS-52-004). | Track Action 3; schedule with Security once draft ready. | OPEN |
 | Baseline docs may change (`docs/modules/orchestrator/event-envelope.md`, `docs/modules/evidence-locker/prep/2025-11-24-evidence-locker-contract.md`). | Schema drift could invalidate migrations. | Monitor upstream doc updates; re-run schema diff before coding resumes. | OPEN |
+| Workspace disk full prevents running `dotnet test`. | Tests for timeline ingestion/query remain unverified. | Free disk space, rerun timeline test suite. | OPEN |
 
 ### Risk table
 | Risk | Severity | Mitigation / Owner |
@@ -71,6 +72,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-01 | Testing blocked: runner reports “No space left on device”; timeline module tests not executed. | Implementer |
 | 2025-11-30 | Ran TimelineIndexer unit tests (TimelineIndexer.Tests) successfully after ingestion worker + query option fixes; still waiting on transport schema to wire NATS/Redis. | Implementer |
 | 2025-11-30 | Implemented TimelineIngestionWorker with subscriber abstraction, session dedupe, and metrics counters; awaiting NATS/Redis subject schema to wire real transports. | Implementer |
 | 2025-11-30 | Started TIMELINE-OBS-52-002: added ingestion service, Postgres store, and deterministic payload hashing; queue bindings pending schema alignment. | Implementer |

docs/implplan/SPRINT_0200_0001_0001_experience_sdks.md

@@ -0,0 +1,72 @@
+# Sprint 0200-0001-0001 · Experience & SDKs Snapshot
+
+## Topic & Scope
+- Snapshot of Experience & SDKs stream (waves 180.A–F); active backlog now lives in later sprints (201+).
+- Maintain visibility of wave readiness while upstream dependencies land.
+- **Working directory:** `docs/implplan` (coordination only).
+
+## Dependencies & Concurrency
+- Upstream gating sprints: 120.A (AirGap), 130.A (Scanner), 150.A (Orchestrator), 170.A (Notifier), 141 (Graph Indexer for 180.C).
+- All waves remain TODO until upstream APIs/contracts finalize; no concurrent execution planned.
+
+## Documentation Prerequisites
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/implplan/AGENTS.md
+
+## Delivery Tracker
+| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
+| --- | --- | --- | --- | --- | --- |
+| 1 | EXP-SNAPSHOT-200 | TODO | Keep wave readiness current; migrate active items to sprint 201+. | Project Mgmt · Experience Guild | Maintain Experience & SDKs status snapshot; no implementation tracked here. |
+
+## Wave Coordination
+| Wave | Guild owners | Shared prerequisites | Status | Notes |
+| --- | --- | --- | --- | --- |
+| 180.A CLI | DevEx/CLI Guild · Advisory AI Guild · Evidence Locker Guild | Sprint 120.A – AirGap; 130.A – Scanner; 150.A – Orchestrator; 170.A – Notifier | TODO | Commands blocked on orchestrator + notifier scopes; finalize auth/output scaffolding to flip to DOING. |
+| 180.B DevPortal | Developer Portal Guild · SDK Generator Guild · Platform Guild | Same as above | TODO | Static site generator selection pending; align examples with CLI/SDK teams. |
+| 180.C Graph Experiences (CLI/SDK) | Graph Guild · SDK Generator Guild · Policy Guild | Same as above + Sprint 141 Graph Indexer APIs | TODO | Wait on Graph Indexer APIs before wiring SDK quickstarts. |
+| 180.D SDK | SDK Generator Guild · Service Guilds providing OpenAPI | Same as above | TODO | Downstream of orchestrator/export OAS consolidation; keep templates updated. |
+| 180.E UI | UI Guild · Console Guild · Notifications Guild | Same as above | TODO | Exception center & graph canvas rely on policy/graph APIs; hold until upstream signals stabilize. |
+| 180.F Web | BE-Base Platform Guild · Platform Events Guild · Notifications Guild | Same as above | TODO | Gateway routing can start once AdvisoryAI/Export endpoints finalize; prepare guard helpers now. |
+
+## Wave Detail Snapshots
+| Wave | Entry criteria | Exit evidence | Notes |
+| --- | --- | --- | --- |
+| 180.A CLI | Orchestrator + Notifier scopes finalized; auth/output scaffolding approved. | CLI verbs implemented for new scopes; determinism tests passing; docs synced. | Track in Sprint 201+. |
+| 180.B DevPortal | Static site generator chosen; shared examples sourced; platform routing approved. | DevPortal sections published with examples; CI build green. | Track in Sprint 201+. |
+| 180.C Graph Exp | Graph Indexer APIs (Sprint 141) stable; policy contracts approved. | SDK/CLI quickstarts for graph queries published; regression tests passing. | Track in Sprint 201+. |
+| 180.D SDK | Consolidated OAS from services published; SDK templates refreshed. | SDKs generated with pinned versions and offline bundles; smoke tests pass. | Track in Sprint 201+. |
+| 180.E UI | Policy/graph APIs stable; notifier integration contract signed. | Exception center & graph canvas shipped behind feature flag; UX docs updated. | Track in Sprint 201+. |
+| 180.F Web | AdvisoryAI/Export endpoints finalized; gateway guard helpers ready. | Web gateway routing committed with guards; incident/webhook paths tested. | Track in Sprint 201+. |
+
+## Interlocks
+- Orchestrator + Notifier scopes for CLI verbs.
+- Graph Indexer API availability (Sprint 141) for 180.C.
+- OAS consolidation for SDK generation (180.D).
+- Platform routing/guards for Web/UI experiences (180.E/F).
+
+## Upcoming Checkpoints
+- 2025-12-07 · Review upstream sprint signals (141/150/170) and decide which waves move to Sprint 201.
+
+## Action Tracker
+| ID | Action | Owner | Due (UTC) | Status | Notes |
+| --- | --- | --- | --- | --- | --- |
+| AT-01 | Collect upstream readiness signals (141/150/170) and propose Sprint 201 wave starts. | Project Mgmt | 2025-12-07 | TODO | Source signals from sprint execution logs. |
+| AT-02 | Confirm static site generator choice for DevPortal wave. | DevPortal Guild | 2025-12-07 | TODO | Needed before moving wave 180.B to DOING. |
+
+## Decisions & Risks
+- Experience waves remain paused pending upstream API/contracts; track readiness rather than implementation here.
+
+| Risk | Impact | Mitigation | Owner | Status |
+| --- | --- | --- | --- | --- |
+| Upstream Orchestrator/Notifier scopes slip. | Delays CLI/Web experience delivery. | Pull scope signals weekly; shift to Sprint 201 once stable. | Project Mgmt | OPEN |
+| Graph Indexer APIs unstable. | SDK/CLI graph quickstarts would rework. | Gate 180.C until Sprint 141 publishes stable APIs. | Project Mgmt | OPEN |
+| DevPortal generator choice stalls content. | Docs/SDK examples miss deadlines. | AT-02 to choose generator; reuse CLI/SDK examples for consistency. | DevPortal Guild | OPEN |
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2025-11-30 | Normalized to docs/implplan template; added delivery tracker placeholder, wave details, interlocks, actions, risks. | Project Mgmt |
+| 2025-11-08 | Archived completed items to `docs/implplan/archived/tasks.md`; file now tracks status snapshot only. | Project Mgmt |
+| 2025-11-30 | Renamed from `SPRINT_200_experience_sdks.md` to `SPRINT_0200_0001_0001_experience_sdks.md`; added legacy redirect stub. | Project Mgmt |

docs/implplan/SPRINT_0202_0001_0001_cli_ii.md

@@ -23,8 +23,8 @@
 | 2 | CLI-EXC-25-001 | DONE (2025-11-28) | None | DevEx/CLI Guild | `stella exceptions` CRUD/import/export commands + HTTP client/models. |
 | 3 | CLI-EXC-25-002 | DONE (2025-11-28) | 25-001 | DevEx/CLI Guild | Policy simulate flags `--with-exception/--without-exception`. |
 | 4 | CLI-EXPORT-35-001 | BLOCKED (2025-10-29) | Await export profiles API/spec (task definition incomplete in legacy doc). | DevEx/CLI Guild | Implement `stella export profiles` (full description pending). |
-| 5 | CLI-EXPORT-36-001 | TODO | Depends on 35-001. | DevEx/CLI Guild | Distribution commands `stella export distribute`, `run download --resume`, progress bars. |
-| 6 | CLI-EXPORT-37-001 | TODO | Depends on 36-001. | DevEx/CLI Guild | Scheduling/retention + `export verify` (signature/hash validation). |
+| 5 | CLI-EXPORT-36-001 | BLOCKED (2025-11-30) | Depends on 35-001 (spec not published). | DevEx/CLI Guild | Distribution commands `stella export distribute`, `run download --resume`, progress bars. |
+| 6 | CLI-EXPORT-37-001 | BLOCKED (2025-11-30) | Depends on 36-001. | DevEx/CLI Guild | Scheduling/retention + `export verify` (signature/hash validation). |
 | 7 | CLI-FORENSICS-53-001 | DONE (2025-11-28) | None | DevEx/CLI · Evidence Locker Guild | Forensic snapshot create/list/show commands + models/clients. |
 | 8 | CLI-FORENSICS-54-001 | DONE (2025-11-28) | None | DevEx/CLI · Provenance Guild | `stella forensic verify` checksums/DSSE/timeline validation. |
 | 9 | CLI-FORENSICS-54-002 | DONE (2025-11-28) | None | DevEx/CLI · Provenance Guild | `stella forensic attest show` for DSSE/in-toto attestations. |
@@ -34,7 +34,7 @@
 | 13 | CLI-LNM-22-002 | DONE (2025-11-28) | None | DevEx/CLI Guild | VEX observations commands `vex obs get/linkset show`. |
 | 14 | CLI-NOTIFY-38-001 | BLOCKED (2025-10-29) | Await Notify rules API/contract. | DevEx/CLI Guild | Implement `stella notify rules ...` (spec pending). |
 | 15 | CLI-NOTIFY-39-001 | BLOCKED (2025-10-29) | Depends on 38-001. | DevEx/CLI Guild | `stella notify simulate`/digest/diff/schedule with dry-run. |
-| 16 | CLI-NOTIFY-40-001 | TODO | Depends on 39-001. | DevEx/CLI Guild | Ack token redemption, escalations, localization previews, channel health checks. |
+| 16 | CLI-NOTIFY-40-001 | BLOCKED (2025-11-30) | Depends on 39-001 (spec pending). | DevEx/CLI Guild | Ack token redemption, escalations, localization previews, channel health checks. |
 | 17 | CLI-OBS-50-001 | DONE (2025-11-28) | None | DevEx/CLI Guild | Traceparent propagation handler and logging. |
 
 ## Wave Coordination
@@ -57,7 +57,10 @@
 - Set once export/notify specs drop (target dates TBD from owning teams).
 
 ## Action Tracker
-- None; populate when export/notify contract dates are provided.
+| ID | Action | Owner | Due (UTC) | Status | Notes |
+| --- | --- | --- | --- | --- | --- |
+| AT-EXP-01 | Publish export profiles/distribution/scheduling API spec and CLI auth scopes. | Export Center Guild · DevOps Guild | 2025-12-05 | Open | Unblocks CLI-EXPORT-35-001/36-001/37-001. |
+| AT-NFY-01 | Provide Notify rules/simulate/digest contract and payload schema. | Notifier Guild | 2025-12-05 | Open | Unblocks CLI-NOTIFY-38-001/39-001/40-001. |
 
 ## Decisions & Risks
 - Blocked tasks lack published API/contract details (export profiles; notify rules/simulation). Cannot start without specs.
@@ -72,4 +75,6 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-30 | Set CLI-EXPORT-36-001/37-001 and CLI-NOTIFY-40-001 to BLOCKED pending upstream specs; added Action Tracker items AT-EXP-01 and AT-NFY-01. | Project Mgmt |
+| 2025-11-30 | Synced `docs/implplan/tasks-all.md` to reflect DONE and BLOCKED statuses and the canonical sprint filename `SPRINT_0202_0001_0001_cli_ii.md`. | Project Mgmt |
 | 2025-11-30 | Normalized sprint to standard template; renamed to `SPRINT_0202_0001_0001_cli_ii.md`; added waves/interlocks/risks; preserved statuses. | Project Mgmt |

docs/implplan/SPRINT_0208_0001_0001_sdk.md

@@ -28,10 +28,10 @@
 | 6 | SDKGEN-63-004 | BLOCKED (2025-11-26) | Awaiting frozen aggregate OAS digest to generate Java alpha; scaffolds/smokes ready with hash guard. | SDK Generator Guild | Ship Java SDK alpha (builder pattern, HTTP client abstraction). |
 | 7 | SDKGEN-64-001 | BLOCKED (2025-11-30) | Depends on 63-004; waiting for frozen aggregate OAS and Java alpha before mapping CLI surfaces. | SDK Generator Guild · CLI Guild | Switch CLI to consume TS or Go SDK; ensure parity once Wave B artifacts land. |
 | 8 | SDKGEN-64-002 | BLOCKED (2025-11-30) | Depends on 64-001; blocked until SDKGEN-64-001 completes. | SDK Generator Guild · Console Guild | Integrate SDKs into Console data providers where feasible. |
-| 9 | SDKREL-63-001 | TODO | Set up signing keys/provenance; stage CI pipelines across registries. | SDK Release Guild · `src/Sdk/StellaOps.Sdk.Release` | Configure CI pipelines for npm, PyPI, Maven Central staging, and Go proxies with signing and provenance attestations. |
-| 10 | SDKREL-63-002 | TODO | Requires 63-001; connect OAS diff feed. | SDK Release Guild · API Governance Guild | Integrate changelog automation pulling from OAS diffs and generator metadata. |
-| 11 | SDKREL-64-001 | TODO | Wait for 63-002; design Notifications Studio channel scopes. | SDK Release Guild · Notifications Guild | Hook SDK releases into Notifications Studio with scoped announcements and RSS/Atom feeds. |
-| 12 | SDKREL-64-002 | TODO | Requires 64-001; define offline bundle manifest. | SDK Release Guild · Export Center Guild | Add `devportal --offline` bundle job packaging docs, specs, SDK artifacts for air-gapped users. |
+| 9 | SDKREL-63-001 | BLOCKED (2025-11-30) | Awaiting signing key provisioning (Action #7); cannot stage CI signing/provenance. | SDK Release Guild · `src/Sdk/StellaOps.Sdk.Release` | Configure CI pipelines for npm, PyPI, Maven Central staging, and Go proxies with signing and provenance attestations. |
+| 10 | SDKREL-63-002 | BLOCKED (2025-11-30) | Blocked until 63-001 unblocks; needs CI signing path + OAS diff feed. | SDK Release Guild · API Governance Guild | Integrate changelog automation pulling from OAS diffs and generator metadata. |
+| 11 | SDKREL-64-001 | BLOCKED (2025-11-30) | Blocked until 63-001 unblocks; Notifications channels require signed release events. | SDK Release Guild · Notifications Guild | Hook SDK releases into Notifications Studio with scoped announcements and RSS/Atom feeds. |
+| 12 | SDKREL-64-002 | BLOCKED (2025-11-30) | Depends on SDKGEN-64-001 artifacts and signed releases; manifest format ready. | SDK Release Guild · Export Center Guild | Add `devportal --offline` bundle job packaging docs, specs, SDK artifacts for air-gapped users. |
 
 ## Wave Coordination
 - Single wave covering generator and release work; language tracks branch after SDKGEN-62-002.
@@ -44,12 +44,14 @@
 | C: Release & offline | 2025-12-08 → 2025-12-29 | SDKREL-63-001..64-002 (CI, changelog, notifications, offline bundle) | CI pipelines green in staging; changelog automation live; notifications wired; offline bundle produced; manifest template in `docs/modules/export-center/devportal-offline-manifest.md` adopted. | SDK Release Guild · Export Center Guild | Planned |
 
 ## Interlocks
-- API governance: APIG0101 outputs for stable schemas; required before Wave A exit.
-- Portal contracts: DEVL0101 (auth/session) inform shared post-processing; consume before Wave A design review.
-- Devportal/offline: SPRINT_0206_0001_0001_devportal must expose bundle manifest format for SDKREL-64-002.
-- CLI adoption: SPRINT_0201_0001_0001_cli_i aligns surfaces for SDKGEN-64-001; needs Wave B artifacts.
-- Console data providers: SPRINT_0209_0001_0001_ui_i depends on SDKGEN-64-002; needs parity matrix from Wave B.
-- Notifications/Export: Notifications Studio and Export Center pipelines must be live before Wave C release window (tasks 11–12).
+- API governance: APIG0101 outputs for stable schemas; required before Wave A exit.
+- Portal contracts: DEVL0101 (auth/session) inform shared post-processing; consume before Wave A design review.
+- Devportal/offline: SPRINT_0206_0001_0001_devportal must expose bundle manifest format for SDKREL-64-002.
+- CLI adoption: SPRINT_0201_0001_0001_cli_i aligns surfaces for SDKGEN-64-001; needs Wave B artifacts.
+- Console data providers: SPRINT_0209_0001_0001_ui_i depends on SDKGEN-64-002; needs parity matrix from Wave B.
+- Notifications/Export: Notifications Studio and Export Center pipelines must be live before Wave C release window (tasks 11–12).
+- Aggregate OAS freeze: APIG0101 must publish tagged snapshot + SHA (Action #6) to unblock SDKGEN-63-001..004 generation.
+- Signing keys: Sovereign crypto key provisioning for npm/PyPI/Maven/Go (Action #7) gates SDKREL-63-001 staging runs.
 
 ## Upcoming Checkpoints
 - 2025-12-05: TS alpha staging drop (SDKGEN-63-001) — verify packaging and typed errors (BLOCKED until aggregate OAS freeze).
@@ -58,13 +60,15 @@
 - 2025-12-22: Release automation demo (SDKREL-63/64) — staging publishes with signatures and offline bundle (BLOCKED until SDKREL-63-001/002 advance).
 
 ## Action Tracker
-| # | Action | Owner | Due (UTC) | Status |
-| --- | --- | --- | --- | --- |
+| # | Action | Owner | Due (UTC) | Status |
+| --- | --- | --- | --- | --- |
 | 1 | Confirm registry signing keys and provenance workflow per language | SDK Release Guild | 2025-11-29 | BLOCKED (awaiting sovereign crypto key provisioning; overdue) |
-| 2 | Publish SDK language support matrix to CLI/UI guilds. Evidence: `docs/modules/sdk/language-support-matrix.md`. | SDK Generator Guild | 2025-12-03 | DONE (2025-11-26) |
-| 3 | Align CLI adoption scope with SPRINT_0201_0001_0001_cli_i and schedule SDK drop integration | SDK Generator Guild · CLI Guild | 2025-12-10 | Open |
-| 4 | Define devportal offline bundle manifest with Export Center per SPRINT_0206_0001_0001_devportal. Evidence: `docs/modules/export-center/devportal-offline-manifest.md`. | SDK Release Guild · Export Center Guild | 2025-12-12 | DONE (2025-11-26) |
-| 5 | Deliver parity matrix and SDK drop to UI data providers per SPRINT_0209_0001_0001_ui_i | SDK Generator Guild · UI Guild | 2025-12-16 | Open |
+| 2 | Publish SDK language support matrix to CLI/UI guilds. Evidence: `docs/modules/sdk/language-support-matrix.md`. | SDK Generator Guild | 2025-12-03 | DONE (2025-11-26) |
+| 3 | Align CLI adoption scope with SPRINT_0201_0001_0001_cli_i and schedule SDK drop integration | SDK Generator Guild · CLI Guild | 2025-12-10 | Open |
+| 4 | Define devportal offline bundle manifest with Export Center per SPRINT_0206_0001_0001_devportal. Evidence: `docs/modules/export-center/devportal-offline-manifest.md`. | SDK Release Guild · Export Center Guild | 2025-12-12 | DONE (2025-11-26) |
+| 5 | Deliver parity matrix and SDK drop to UI data providers per SPRINT_0209_0001_0001_ui_i | SDK Generator Guild · UI Guild | 2025-12-16 | Open |
+| 6 | Request tagged aggregate OpenAPI snapshot + SHA from APIG0101 to unblock Wave B generation | API Governance Guild · SDK Generator Guild | 2025-12-02 | Open |
+| 7 | Escalate sovereign crypto key provisioning for npm/PyPI/Maven/Go signing to unblock SDKREL-63-001 | SDK Release Guild · Platform Security | 2025-12-02 | Open |
 
 ## Decisions & Risks
 - Toolchain pinned (OpenAPI Generator 7.4.0, JDK 21) and recorded in repo (`TOOLCHAIN.md`, `toolchain.lock.yaml`); downstream tracks must honor lock file for determinism.
@@ -72,14 +76,16 @@
 - Release automation requires registry credentials and signing infra; keys still pending (Action Tracker #1 overdue). Mitigation: reuse sovereign crypto enablement (SPRINT_0514_0001_0001_sovereign_crypto_enablement.md) practices, escalate key provisioning by 2025-12-02, and block releases until keys are validated.
 - Offline bundle job (SDKREL-64-002) depends on Export Center artifacts; track alongside Export Center sprints; remains BLOCKED until SDKGEN-64-001 completes.
 - Shared postprocess helpers copy only when CI sets `STELLA_POSTPROCESS_ROOT` and `STELLA_POSTPROCESS_LANG`; ensure generation jobs export these to keep helpers present in artifacts.
+- Aggregate OAS freeze now on critical path for Wave B; request tagged snapshot with SHA (Action #6) by 2025-12-02 to unblock SDKGEN-63-001..004.
+- Sprint currently fully blocked: all Delivery Tracker items depend on Actions #6–#7 (OAS snapshot and signing keys). If unresolved by 2025-12-02, push Wave B and downstream checkpoints by ≥1 week.
 
 ### Risk Register
 | Risk | Impact | Mitigation | Owner | Status |
 | --- | --- | --- | --- | --- |
 | Upstream APIs change after generator pin | Rework across four SDKs | Freeze spec version before SDKGEN-63-x; gate via API governance sign-off | SDK Generator Guild | Open |
 | Aggregate OpenAPI freeze delayed | Wave B and downstream adoption blocked | Track APIG0101 schedule; request interim tagged snapshot with SHA; re-run hash guard once frozen | SDK Generator Guild | Open |
-| Registry signing not provisioned | Cannot ship to npm/PyPI/Maven/Go | Coordinate with sovereign crypto enablement; dry-run staging before prod | SDK Release Guild | Open |
-| Offline bundle inputs unavailable | Air-gapped delivery slips | Pull docs/specs from devportal cache; coordinate with Export Center | SDK Release Guild | Open |
+| Registry signing not provisioned | Cannot ship to npm/PyPI/Maven/Go | Coordinate with sovereign crypto enablement; dry-run staging before prod; Action #7 escalation due 2025-12-02 | SDK Release Guild | Open |
+| Offline bundle inputs unavailable | Air-gapped delivery slips | Pull docs/specs from devportal cache; coordinate with Export Center; tied to SDKREL-64-002 blocker | SDK Release Guild | Open |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
@@ -104,6 +110,9 @@
 | 2025-11-27 | Marked SDKGEN-63-001/002 BLOCKED pending frozen aggregate OAS digest; scaffolds and smokes remain ready. | SDK Generator Guild |
 | 2025-11-30 | Marked SDKGEN-64-001 and SDKGEN-64-002 BLOCKED pending Wave B (SDKGEN-63-004) OAS freeze/Java alpha; CLI/UI adoption cannot proceed without generated SDK artifacts. | Project Mgmt |
 | 2025-11-30 | Status audit: set SDKGEN-63-001..004 to BLOCKED per aggregate OAS freeze; flagged registry signing key action overdue; added OAS-freeze risk entry. | PM |
+| 2025-11-30 | Added Actions #6–#7 to chase aggregate OAS snapshot (APIG0101) and sovereign signing key provisioning by 2025-12-02. | PM |
+| 2025-11-30 | Set SDKREL-63-001..64-002 to BLOCKED pending signing keys and downstream artifacts; clarified blockers in Delivery Tracker. | PM |
+| 2025-12-01 | Sprint-wide pause: all Delivery Tracker items blocked on OAS snapshot + signing keys; Wave B checkpoints will slip if Actions #6–#7 miss 2025-12-02. | PM |
 | 2025-11-24 | Added fixture OpenAPI (`ts/fixtures/ping.yaml`) and smoke test (`ts/test_generate_ts.sh`) to validate TypeScript pipeline locally; skips if generator jar absent. | SDK Generator Guild |
 | 2025-11-24 | Vendored `tools/openapi-generator-cli-7.4.0.jar` and `tools/jdk-21.0.1.tar.gz` with SHA recorded in `toolchain.lock.yaml`; adjusted TS script to ensure helper copy post-run and verified generation against fixture. | SDK Generator Guild |
 | 2025-11-24 | Ran `ts/test_generate_ts.sh` with vendored JDK/JAR and fixture spec; smoke test passes (helpers present). | SDK Generator Guild |

docs/implplan/SPRINT_0212_0001_0001_web_i.md

@@ -25,11 +25,11 @@
 | 2 | WEB-AIAI-31-002 | BLOCKED (2025-11-22) | Blocked by WEB-AIAI-31-001; batching/streaming cannot start until gateway contract exists. | BE-Base Platform Guild | Streaming responses for CLI automation with job orchestration. |
 | 3 | WEB-AIAI-31-003 | BLOCKED (2025-11-22) | Blocked by WEB-AIAI-31-002; telemetry targets depend on routing/batching contract. | BE-Base Platform Guild; Observability Guild | Telemetry + audit for advisory AI, guardrail block visibility. |
 | 4 | WEB-AOC-19-002 | DONE (2025-11-30) | Depends on WEB-AOC-19-001; align DSSE/CMS helper APIs. | BE-Base Platform Guild | Ship `ProvenanceBuilder`, checksum utilities, signature verification helper with tests. |
-| 5 | WEB-AOC-19-003 | TODO | Depends on WEB-AOC-19-002; confirm Roslyn analyzer rules. | QA Guild; BE-Base Platform Guild | Analyzer to prevent forbidden key writes; shared guard-validation fixtures. |
+| 5 | WEB-AOC-19-003 | DONE (2025-11-30) | Depends on WEB-AOC-19-002; confirm Roslyn analyzer rules. | QA Guild; BE-Base Platform Guild | Analyzer to prevent forbidden key writes; shared guard-validation fixtures. |
 | 6 | WEB-CONSOLE-23-001 | DONE (2025-11-28) | `/console/dashboard` and `/console/filters` endpoints implemented with tenant-scoped aggregates. | BE-Base Platform Guild; Product Analytics Guild | Tenant-scoped aggregates for findings, VEX overrides, advisory deltas, run health, policy change log. |
 | 7 | CONSOLE-VULN-29-001 | BLOCKED (2025-11-19) | Blocked on WEB-CONSOLE-23-001 contract and Concelier graph schema freeze. | Console Guild; BE-Base Platform Guild | `/console/vuln/*` workspace endpoints with filters/reachability badges and DTOs once schemas stabilize. |
 | 8 | CONSOLE-VEX-30-001 | BLOCKED (2025-11-19) | Blocked on WEB-CONSOLE-23-001 and Excititor console contract (SSE payload validation). | Console Guild; BE-Base Platform Guild | `/console/vex/events` SSE workspace with validated schemas and samples. |
-| 9 | WEB-CONSOLE-23-002 | TODO | Depends on WEB-CONSOLE-23-001; design heartbeat/backoff + auth scopes. | BE-Base Platform Guild; Scheduler Guild | `/console/status` polling and `/console/runs/{id}/stream` SSE/WebSocket proxy with queue lag metrics. |
+| 9 | WEB-CONSOLE-23-002 | DOING (2025-12-01) | Implementing frontend polling + SSE proxy; unit tests added. Remaining: wire route + verify against contract once backend snapshot lands. | BE-Base Platform Guild; Scheduler Guild | `/console/status` polling and `/console/runs/{id}/stream` SSE/WebSocket proxy with queue lag metrics. |
 | 10 | WEB-CONSOLE-23-003 | TODO | Depends on WEB-CONSOLE-23-002; confirm bundle orchestration flow. | BE-Base Platform Guild; Policy Guild | `/console/exports` POST/GET for evidence bundles, streaming CSV/JSON, checksum manifest, signed attestations. |
 | 11 | WEB-CONSOLE-23-004 | TODO | Depends on WEB-CONSOLE-23-003; set caching and tie-break order. | BE-Base Platform Guild | `/console/search` fan-out with deterministic ranking and result caps. |
 | 12 | WEB-CONSOLE-23-005 | TODO | Depends on WEB-CONSOLE-23-004; populate manifest source from signed registry metadata. | BE-Base Platform Guild; DevOps Guild | `/console/downloads` manifest (images, charts, offline bundles) with integrity hashes and offline instructions. |
@@ -57,6 +57,7 @@
 - Concelier graph schema freeze outcome + published snapshot (owner: Console Guild; due: 2025-12-02; status: follow-up for missed 2025-11-25 review).
 - Excititor SSE payload validation and topic alignment session rebooked (owner: BE-Base Platform; due: 2025-12-04; status: rescheduled from 2025-11-27).
 - Advisory AI gateway policy/contract snapshot for `/advisory/ai/*` routes (owner: BE-Base Platform; due: 2025-12-05; status: new action to unblock WEB-AIAI-31-001/002/003).
+- Restore workspace disk/PTY availability so Web console implementation can proceed (owner: DevOps Guild; due: 2025-12-02; status: in progress 2025-12-01).
 
 ## Decisions & Risks
 | Risk | Impact | Mitigation | Owner | Status |
@@ -64,10 +65,12 @@
 | Console contract freeze slips past 2025-11-25 | Blocks CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001, delays console workspaces | Rescheduled review to 2025-12-03; publish schema snapshot to `docs/api/console/workspaces.md`; keep blockers logged | Console Guild | Open (rescheduled 2025-11-30) |
 | SSE topic alignment delayed | WEB-CONSOLE-23-002/003/004 latency and reliability uncertain | Rescheduled alignment with Scheduler/Signals to 2025-12-04; add heartbeat/backoff defaults; capture examples in samples directory | BE-Base Platform Guild | Open (rescheduled 2025-11-30) |
 | Advisory AI gateway contract missing | WEB-AIAI-31-001/002/003 cannot start without gateway location, RBAC/ABAC rules, and rate-limit policy spec | Request gateway contract snapshot + policy doc; replan once provided | BE-Base Platform Guild | Open |
+| Workspace storage exhausted (no PTY/commands) | WEB-CONSOLE-23-002 tests/builds blocked locally; implementation via patches only | Free disk/rotate logs; rerun after capacity restored | DevOps Guild | Open (2025-12-01) |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-01 | Started WEB-CONSOLE-23-002: added console status client (polling) + SSE run stream, store/service, and UI component; unit specs added. Commands/tests not executed locally due to PTY/disk constraint. | BE-Base Platform Guild |
 | 2025-11-07 | Enforced unknown-field detection, added shared `AocError` payload (HTTP + CLI), refreshed guard docs, and extended tests/endpoint helpers. | BE-Base Platform Guild |
 | 2025-11-07 | API scaffolding started for console workspace; `docs/advisory-ai/console.md` using placeholder responses while endpoints wire up. | Console Guild |
 | 2025-11-08 | Built filters + reachability badge wiring and `/console/vuln/search` DTOs; aligned Scheduler/Signals dependencies. | Console Guild |
@@ -83,3 +86,5 @@
 | 2025-11-28 | Completed WEB-CONSOLE-23-001: Implemented `/console/dashboard` and `/console/filters` endpoints in Authority module. Dashboard returns tenant-scoped aggregates (findings summary, VEX overrides, advisory deltas, run health, policy change log) with 30-day trend data. Filters endpoint returns deterministic filter categories with counts and cache-validation hash. Added 8 unit tests for dashboard/filters endpoints. Implementation in `src/Authority/StellaOps.Authority/StellaOps.Authority/Console/`. | Policy Guild |
 | 2025-11-30 | Rescheduled missed 2025-11-25/27 checkpoints to 2025-12-03/04, added follow-up actions (schema snapshot, SSE alignment, advisory AI gateway contract) and noted reschedule in risk statuses. | Planning |
 | 2025-11-30 | Completed WEB-AOC-19-002: added deterministic provenance builder, checksum utilities, and DSSE/CMS signature verification helpers with unit tests under `src/Web/StellaOps.Web/src/app/core/aoc`. Added Web TASKS board and marked task DONE. | BE-Base Platform Guild |
+| 2025-12-01 | WEB-CONSOLE-23-002 blocked: local workspace lacks free storage/PTY; cannot run commands/tests. Resume after DevOps clears space. | BE-Base Platform Guild |
+| 2025-11-30 | Completed WEB-AOC-19-003: implemented key write guard/analyzer with fixtures and unit tests in `src/Web/StellaOps.Web/src/app/core/aoc`. | BE-Base Platform Guild |

docs/implplan/SPRINT_0213_0001_0002_web_ii.md

@@ -23,7 +23,7 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | WEB-EXC-25-002 | TODO | Depends on WEB-EXC-25-001; align exception metadata schema for `/policy/*`. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Extend `/policy/effective` and `/policy/simulate` to include exception metadata and allow simulation overrides; audit logging + pagination limits preserved. |
+| 1 | WEB-EXC-25-002 | BLOCKED (2025-11-30) | Infra: dev host PTY exhaustion; shell access required to modify gateway code and tests. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Extend `/policy/effective` and `/policy/simulate` to include exception metadata and allow simulation overrides; audit logging + pagination limits preserved. |
 | 2 | WEB-EXC-25-003 | TODO | Wait for WEB-EXC-25-002 output and notification hook contracts. | BE-Base Platform Guild; Platform Events Guild (`src/Web/StellaOps.Web`) | Publish `exception.*` events, integrate notification hooks, enforce rate limits. |
 | 3 | WEB-EXPORT-35-001 | TODO | Need Export Center profile/run/download contracts confirmed. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Surface Export Center APIs with tenant scoping, streaming support, viewer/operator scope checks. |
 | 4 | WEB-EXPORT-36-001 | TODO | Depends on WEB-EXPORT-35-001 and storage signer inputs. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add distribution routes (OCI/object storage), manifest/provenance proxies, signed URL generation. |
@@ -34,9 +34,9 @@
 | 9 | WEB-GRAPH-21-003 | TODO | Start once WEB-GRAPH-21-002 unblocks. | BE-Base Platform Guild; QA Guild (`src/Web/StellaOps.Web`) | Map graph service errors to `ERR_Graph_*`, support GraphML/JSONL export streaming, document rate limits. |
 | 10 | WEB-GRAPH-21-004 | TODO | Requires WEB-GRAPH-21-003 outputs. | BE-Base Platform Guild; Policy Guild (`src/Web/StellaOps.Web`) | Overlay pass-through; maintain streaming budgets while gateway stays stateless. |
 | 11 | WEB-GRAPH-24-001 | TODO | WEB-GRAPH-21-004; cache/pagination strategy confirmation. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Gateway proxy refresh for Graph API + Policy overlays with RBAC, caching, pagination, ETags, streaming; zero business logic. |
-| 12 | WEB-GRAPH-24-001 (Graph endpoints) | TODO | Depends on WEB-GRAPH-24-001; clarify duplicate ID scope. | BE-Base Platform Guild; SBOM Service Guild (`src/Web/StellaOps.Web`) | `/graph/assets/*` endpoints (snapshots, adjacency, search) with pagination, ETags, tenant scoping as pure proxy. |
-| 13 | WEB-GRAPH-24-004 | TODO | Needs WEB-GRAPH-24-001 responses; overlay service AOC feed. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Embed AOC summaries from overlay services; gateway does not compute derived severity/hints. |
-| 14 | WEB-GRAPH-24-004 (Telemetry) | TODO | Depends on WEB-GRAPH-24-004; pick sampling strategy. | BE-Base Platform Guild; Observability Guild (`src/Web/StellaOps.Web`) | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling. |
+| 12 | WEB-GRAPH-24-002 | TODO | Depends on WEB-GRAPH-24-001. | BE-Base Platform Guild; SBOM Service Guild (`src/Web/StellaOps.Web`) | `/graph/assets/*` endpoints (snapshots, adjacency, search) with pagination, ETags, tenant scoping as pure proxy. |
+| 13 | WEB-GRAPH-24-003 | TODO | Needs WEB-GRAPH-24-002 responses; overlay service AOC feed. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Embed AOC summaries from overlay services; gateway does not compute derived severity/hints. |
+| 14 | WEB-GRAPH-24-004 | TODO | Depends on WEB-GRAPH-24-003; pick sampling strategy. | BE-Base Platform Guild; Observability Guild (`src/Web/StellaOps.Web`) | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling. |
 | 15 | WEB-LNM-21-001 | TODO | Need advisory service schema; confirm RBAC scopes. | BE-Base Platform Guild; Concelier WebService Guild (`src/Web/StellaOps.Web`) | Surface `/advisories/*` APIs via gateway with caching, pagination, RBAC enforcement (`advisory:read`). |
 | 16 | WEB-LNM-21-002 | TODO | Depends on WEB-LNM-21-001 contract. | BE-Base Platform Guild; Excititor WebService Guild (`src/Web/StellaOps.Web`) | Expose `/vex/*` read APIs with evidence routes/export handlers; map `ERR_AGG_*` codes. |
 
@@ -50,7 +50,6 @@
 - Graph overlay schema ratification required before tasks 6–12 can progress.
 - Export Center contract (profiles/runs/download/distribution) must freeze before tasks 3–5 advance.
 - Notification hooks/rate-limit policy needed for WEB-EXC-25-003; coordinate with Platform Events Guild.
-- Duplicate IDs in Graph chain (24-001, 24-004 variants) risk status drift; needs resolution.
 
 ## Upcoming Checkpoints
 - 2025-12-02 (UTC): Graph Platform review to ratify overlay/cache schema for WEB-GRAPH-SPEC-21-000.
@@ -60,15 +59,14 @@
 ## Action Tracker
 | Item | Owner | Due (UTC) | Status / Notes |
 | --- | --- | --- | --- |
+| Clear PTY exhaustion on dev host to restore shell access | DevOps Guild | 2025-11-30 | Blocked: `openpty: No space left on device` when starting shells; required before implementation proceeds. |
 | Publish ratified Graph overlay/cache schema snapshot to sprint attachments | Graph Platform Guild | 2025-12-02 | Open |
 | Confirm Export Center streaming/range limits and signed URL policy for gateway | Export Center Guild | 2025-12-03 | Open |
-| Clarify duplicate task IDs (WEB-GRAPH-24-001 variants and WEB-GRAPH-24-004 variants) and assign distinct IDs | Planning | 2025-12-01 | Open |
 
 ## Decisions & Risks
 | Risk | Impact | Mitigation | Owner | Status |
 | --- | --- | --- | --- | --- |
 | Graph overlay schema not ratified (WEB-GRAPH-SPEC-21-000) | Blocks tasks 6–12; prevents gateway proxy wiring | Schedule 2025-12-02 ratification; publish schema snapshot; keep tasks 7–12 BLOCKED until done | Graph Platform Guild | Open |
-| Duplicate task IDs in Graph chain (24-001, 24-004) | Tracking ambiguity; risk of parallel conflicting changes | Planning to assign distinct IDs and update sprint + tasks-all once clarified (Action Tracker item) | Planning | Open |
 | Export Center contract churn | Rework for tasks 3–5; risk of incompatible scopes/streaming limits | Freeze contract on 2025-12-03 checkpoint; capture signed URL + retention params in API doc | Export Center Guild | Open |
 | Notification/rate-limit policy gaps for exception events | Could block WEB-EXC-25-003 or cause unsafe fan-out | Align with Platform Events Guild on 2025-12-04; codify rate-limit + event schema in docs | BE-Base Platform Guild | Open |
 
@@ -77,3 +75,5 @@
 | --- | --- | --- |
 | 2025-11-30 | Normalized sprint to standard template, expanded dependencies/checkpoints, and carried over all tasks from prior list. | Project Mgmt |
 | 2025-11-30 | Renamed file from `SPRINT_213_web_ii.md` to `SPRINT_0213_0001_0002_web_ii.md`; pending cross-references updated. | Project Mgmt |
+| 2025-11-30 | Resolved duplicate Graph task IDs: `WEB-GRAPH-24-002` (assets endpoints), `WEB-GRAPH-24-003` (AOC summaries), `WEB-GRAPH-24-004` (telemetry). Synced tasks-all entries accordingly. | Project Mgmt |
+| 2025-11-30 | Marked WEB-EXC-25-002 BLOCKED due to host PTY exhaustion (`openpty: No space left on device`); need shell access restored to continue implementation. | Implementer |

docs/implplan/SPRINT_0214_0001_0001_web_iii.md

@@ -21,32 +21,37 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | WEB-LNM-21-003 | TODO | WEB-LNM-21-002 | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Provide combined endpoint for Console to fetch policy result plus advisory/VEX evidence linksets for a component. |
-| 2 | WEB-NOTIFY-38-001 | TODO | Align notifier gateway routes and tenant scopes | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. |
-| 3 | WEB-NOTIFY-39-001 | TODO | WEB-NOTIFY-38-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. |
-| 4 | WEB-NOTIFY-40-001 | TODO | WEB-NOTIFY-39-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. |
-| 5 | WEB-OAS-61-001 | TODO | Finalize gateway spec metadata | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement `GET /.well-known/openapi` returning gateway spec with version metadata, cache headers, and signed ETag. |
-| 6 | WEB-OAS-61-002 | TODO | WEB-OAS-61-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Migrate gateway errors to standard envelope and update examples; ensure telemetry logs include `error.code`. |
-| 7 | WEB-OAS-62-001 | TODO | WEB-OAS-61-002 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Normalize endpoints to cursor pagination, expose `Idempotency-Key` support, and document rate-limit headers. |
-| 8 | WEB-OAS-63-001 | TODO | WEB-OAS-62-001 | BE-Base Platform Guild · API Governance Guild (`src/Web/StellaOps.Web`) | Add deprecation header middleware, Sunset link emission, and observability metrics for deprecated routes. |
-| 9 | WEB-OBS-50-001 | TODO | Integrate StellaOps.Telemetry.Core into gateway host | BE-Base Platform Guild · Observability Guild (`src/Web/StellaOps.Web`) | Replace ad-hoc logging; ensure routes emit trace/span IDs, tenant context, and scrubbed payload previews. |
-| 10 | WEB-OBS-51-001 | TODO | WEB-OBS-50-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement `/obs/health` and `/obs/slo` aggregations pulling Prometheus/collector metrics with burn-rate signals and exemplar links for Console widgets. |
-| 11 | WEB-OBS-52-001 | TODO | WEB-OBS-51-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Deliver `/obs/trace/:id` and `/obs/logs` proxy endpoints with guardrails (time window limits, tenant scoping) forwarding to timeline indexer + log store with signed URLs. |
-| 12 | WEB-OBS-54-001 | TODO | WEB-OBS-52-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide `/evidence/*` and `/attestations/*` pass-through endpoints, enforce `timeline:read`, `evidence:read`, `attest:read` scopes, append provenance headers, and surface verification summaries. |
-| 13 | WEB-OBS-55-001 | TODO | WEB-OBS-54-001 | BE-Base Platform Guild · Ops Guild (`src/Web/StellaOps.Web`) | Add `/obs/incident-mode` API (enable/disable/status) with audit trail, sampling override, retention bump preview, and CLI/Console hooks. |
-| 14 | WEB-OBS-56-001 | TODO | WEB-OBS-55-001 | BE-Base Platform Guild · AirGap Guild (`src/Web/StellaOps.Web`) | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. |
-| 15 | WEB-ORCH-32-001 | TODO | Confirm orchestrator read-only API contract | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose read-only orchestrator APIs (e.g., `/orchestrator/sources`) via gateway with tenant scoping, caching headers, and rate limits. |
+| 1 | WEB-LNM-21-003 | BLOCKED (2025-11-30) | Environment cannot spawn shells (openpty: “No space left on device”); cannot wire or test gateway. | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Provide combined endpoint for Console to fetch policy result plus advisory/VEX evidence linksets for a component. |
+| 2 | WEB-NOTIFY-38-001 | BLOCKED (2025-11-30) | Environment cannot spawn shells (openpty: “No space left on device”); regain shell capacity before wiring routes. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. |
+| 3 | WEB-NOTIFY-39-001 | BLOCKED (2025-11-30) | WEB-NOTIFY-38-001 + environment openpty failure. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. |
+| 4 | WEB-NOTIFY-40-001 | BLOCKED (2025-11-30) | WEB-NOTIFY-39-001 + environment openpty failure. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. |
+| 5 | WEB-OAS-61-001 | BLOCKED (2025-11-30) | Environment cannot spawn shells; cannot implement gateway spec endpoint. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement `GET /.well-known/openapi` returning gateway spec with version metadata, cache headers, and signed ETag. |
+| 6 | WEB-OAS-61-002 | BLOCKED (2025-11-30) | WEB-OAS-61-001 + environment openpty failure. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Migrate gateway errors to standard envelope and update examples; ensure telemetry logs include `error.code`. |
+| 7 | WEB-OAS-62-001 | BLOCKED (2025-11-30) | WEB-OAS-61-002 + environment openpty failure. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Normalize endpoints to cursor pagination, expose `Idempotency-Key` support, and document rate-limit headers. |
+| 8 | WEB-OAS-63-001 | BLOCKED (2025-11-30) | WEB-OAS-62-001 + environment openpty failure. | BE-Base Platform Guild · API Governance Guild (`src/Web/StellaOps.Web`) | Add deprecation header middleware, Sunset link emission, and observability metrics for deprecated routes. |
+| 9 | WEB-OBS-50-001 | BLOCKED (2025-11-30) | Environment cannot spawn shells; telemetry core integration cannot start. | BE-Base Platform Guild · Observability Guild (`src/Web/StellaOps.Web`) | Replace ad-hoc logging; ensure routes emit trace/span IDs, tenant context, and scrubbed payload previews. |
+| 10 | WEB-OBS-51-001 | BLOCKED (2025-11-30) | WEB-OBS-50-001 + environment openpty failure. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement `/obs/health` and `/obs/slo` aggregations pulling Prometheus/collector metrics with burn-rate signals and exemplar links for Console widgets. |
+| 11 | WEB-OBS-52-001 | BLOCKED (2025-11-30) | WEB-OBS-51-001 + environment openpty failure. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Deliver `/obs/trace/:id` and `/obs/logs` proxy endpoints with guardrails (time window limits, tenant scoping) forwarding to timeline indexer + log store with signed URLs. |
+| 12 | WEB-OBS-54-001 | BLOCKED (2025-11-30) | WEB-OBS-52-001 + environment openpty failure. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide `/evidence/*` and `/attestations/*` pass-through endpoints, enforce `timeline:read`, `evidence:read`, `attest:read` scopes, append provenance headers, and surface verification summaries. |
+| 13 | WEB-OBS-55-001 | BLOCKED (2025-11-30) | WEB-OBS-54-001 + environment openpty failure. | BE-Base Platform Guild · Ops Guild (`src/Web/StellaOps.Web`) | Add `/obs/incident-mode` API (enable/disable/status) with audit trail, sampling override, retention bump preview, and CLI/Console hooks. |
+| 14 | WEB-OBS-56-001 | BLOCKED (2025-11-30) | WEB-OBS-55-001 + environment openpty failure. | BE-Base Platform Guild · AirGap Guild (`src/Web/StellaOps.Web`) | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. |
+| 15 | WEB-ORCH-32-001 | BLOCKED (2025-11-30) | Environment cannot spawn shells; need orchestrator contracts + shell access to proxy/read-only routes. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose read-only orchestrator APIs (e.g., `/orchestrator/sources`) via gateway with tenant scoping, caching headers, and rate limits. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-30 | Normalized sprint to standard template and renamed from `SPRINT_214_web_iii.md`; preserved existing task list. | Project Mgmt |
+| 2025-11-30 | Unable to start WEB-NOTIFY-38-001: local shell cannot spawn (openpty “No space left on device”); routing work blocked until environment recovers. | Implementer |
+| 2025-11-30 | Marked all sprint tasks BLOCKED because local environment cannot spawn shells (openpty “No space left on device”); cannot run builds/tests or edit via CLI. | Implementer |
+| 2025-12-01 | Could not update `docs/implplan/tasks-all.md` references due to same PTY failure; needs shell access to complete renames. | Implementer |
 
 ## Decisions & Risks
 - Notify, OAS, and Observability tracks are strictly sequential; later tasks should not start until predecessors complete to avoid schema drift.
 - WEB-LNM-21-003 remains gated on WEB-LNM-21-002 delivering stable policy/VEX observation contracts.
 - WEB-ORCH-32-001 depends on orchestrator API clarity; block if contracts are not published to avoid misaligned caching/rate-limit behavior.
 - Ensure telemetry/error envelope updates are synchronized with downstream Console/CLI consumers to prevent breaking dashboards.
+- Local execution environment currently cannot spawn shells (openpty error “No space left on device”); gateway implementation work paused until shell capacity restored.
+- All sprint tasks are BLOCKED pending restoration of shell/PTY capacity; no code changes can be executed or validated in current state.
 
 ## Next Checkpoints
 - Schedule dependency sync once WEB-LNM-21-002 contract drops (target week of 2025-12-02).

docs/implplan/SPRINT_0215_0001_0001_web_iv.md

@@ -21,8 +21,8 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | WEB-ORCH-33-001 | TODO | WEB-ORCH-32-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add POST action routes (pause/resume/backfill) for orchestrator-run control, honoring RBAC and audit logging. |
-| 2 | WEB-ORCH-34-001 | TODO | WEB-ORCH-33-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose quotas/backfill APIs plus queue/backpressure metrics with admin scopes and error clustering. |
+| 1 | WEB-ORCH-33-001 | BLOCKED (2025-11-30) | Orchestrator gateway REST contract + RBAC/audit checklist missing | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add POST action routes (pause/resume/backfill) for orchestrator-run control, honoring RBAC and audit logging. |
+| 2 | WEB-ORCH-34-001 | BLOCKED (2025-11-30) | WEB-ORCH-33-001 (blocked) | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose quotas/backfill APIs plus queue/backpressure metrics with admin scopes and error clustering. |
 | 3 | WEB-POLICY-20-001 | BLOCKED (2025-11-25) | Await Policy Engine REST contract + tenant/RBAC spec | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI + tenant scoping. |
 | 4 | WEB-POLICY-20-002 | BLOCKED (2025-11-30) | WEB-POLICY-20-001 (blocked) | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add pagination/filtering/sorting + tenant guards to policy listings with deterministic ordering diagnostics. |
 | 5 | WEB-POLICY-20-003 | BLOCKED (2025-11-30) | WEB-POLICY-20-002 (blocked) | BE-Base Platform Guild · QA Guild (`src/Web/StellaOps.Web`) | Map engine errors to `ERR_POL_*` payloads with contract tests and correlation IDs. |
@@ -46,7 +46,7 @@
 ## Wave Detail Snapshots
 | Wave | Covered tasks | Current state | Exit criteria | Blockers |
 | --- | --- | --- | --- | --- |
-| 1 | WEB-ORCH-33-001, WEB-ORCH-34-001 | TODO | POST run-control routes plus quotas/backfill metrics deployed with RBAC + audit logging | WEB-ORCH-32-001 readiness |
+| 1 | WEB-ORCH-33-001, WEB-ORCH-34-001 | BLOCKED | POST run-control routes plus quotas/backfill metrics deployed with RBAC + audit logging | Orchestrator REST contract + audit/RBAC checklist |
 | 2 | WEB-POLICY-20-001…004 | BLOCKED | Policy CRUD/simulate endpoints with rate limits and error mapping published in OpenAPI | Policy Engine REST contract + tenant/RBAC spec; rate-limit design approval |
 | 3 | WEB-POLICY-23-001…004 | BLOCKED | Policy pack CRUD/activation/simulate/evaluate with streaming responses and explain history | WEB-POLICY-20-004 completion and approval workflow design |
 | 4 | WEB-POLICY-27-001…005 | BLOCKED | Registry proxy with reviews, publish/promote/rollback, and Studio observability dashboards | Wave 3 exit + shared registry schema/versioning plan |
@@ -56,6 +56,7 @@
 - Platform Reliability must approve adaptive rate-limit design for simulations before publishing retry headers and CLI docs.
 - Policy Registry schema/versioning alignment is needed to avoid rework in WEB-POLICY-27-001…005.
 - Security Guild audit/RBAC checklist must be applied to orchestrator control routes prior to release.
+- Orchestrator run-control REST contract and RBAC/audit acceptance checklist are required to proceed with WEB-ORCH-33-001/34-001.
 
 ## Upcoming Checkpoints
 - 2025-12-02 · Receive Policy Engine REST contract + tenant/RBAC spec (Policy Guild) to unblock WEB-POLICY-20-001…004.
@@ -70,6 +71,7 @@
 | 2 | Confirm adaptive rate-limit design for simulations | Platform Reliability Guild | 2025-12-03 | OPEN | Gates WEB-POLICY-20-004 retry headers and quotas. |
 | 3 | Publish RBAC/tenant alignment note for web gateway once contract lands | BE-Base Platform Guild | 2025-12-05 | PENDING | Follows Action #1; must precede policy pack work. |
 | 4 | Lock Policy Registry schema/versioning plan for Studio proxy | Policy Registry Guild | 2025-12-09 | OPEN | Required before WEB-POLICY-27-001 streaming proxy. |
+| 5 | Provide orchestrator run-control REST contract + audit/RBAC checklist | Platform Reliability Guild · Security Guild | 2025-12-03 | OPEN | Needed to unblock WEB-ORCH-33-001/34-001 routes and ensure operator metadata handling. |
 
 ## Decisions & Risks
 - Policy pack CRUD/activation (WEB-POLICY-23-001/002) remain BLOCKED until WEB-POLICY-20-004 rate-limit work lands.
@@ -83,10 +85,12 @@
 | R2 | Rate-limit design review delayed past 2025-12-03 | Simulation endpoints cannot expose quotas/headers; CLI docs drift | Track Action #2; freeze public docs until design approved; backfill metrics before enablement | Platform Reliability Guild | OPEN |
 | R3 | Registry schema/versioning diverges from web proxy | Rework for WEB-POLICY-27-001…005; potential outage on streaming downloads | Track Action #4; pin schema versions and add contract tests before merge | Policy Registry Guild | OPEN |
 | R4 | Orchestrator run-control released without audit/RBAC alignment | Post-release security gap and incomplete audit trail | Apply Security Guild checklist; add acceptance tests for RBAC + audit logging before Wave 1 exit | BE-Base Platform Guild | OPEN |
+| R5 | Missing orchestrator gateway REST contract for run-control/metrics | Blocks WEB-ORCH-33-001/34-001 and delays Wave 1 start | Track Action #5; obtain contract + header requirements; wire OperatorMetadata interceptor once contract is defined | Platform Reliability Guild | OPEN |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-30 | Marked WEB-ORCH-33-001/34-001 BLOCKED pending orchestrator REST contract + RBAC/audit checklist; no backend surface present in web workspace. | Implementer |
 | 2025-11-30 | Normalized to docs/implplan template (added waves, interlocks, action tracker); propagated BLOCKED statuses to downstream tasks and refreshed checkpoints. | Project Mgmt |
 | 2025-11-25 | Marked WEB-POLICY-20-001 BLOCKED: need Policy Engine REST contract + tenant/RBAC spec before wiring Angular/Web gateway endpoints. | Implementer |
 | 2025-11-19 | Normalized sprint to standard template and migrated content from `SPRINT_215_web_iv.md`. | Project Mgmt |

docs/implplan/SPRINT_0216_0001_0001_web_v.md

@@ -21,7 +21,7 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | WEB-RISK-66-001 | TODO | Baseline gateway routing contract | BE-Base Platform Guild; Policy Guild (`src/Web/StellaOps.Web`) | Expose risk profile/results endpoints through gateway with tenant scoping, pagination, and rate limiting. |
+| 1 | WEB-RISK-66-001 | BLOCKED (2025-12-01) | Workspace storage exhausted; command runner failing (`No space left on device`) | BE-Base Platform Guild; Policy Guild (`src/Web/StellaOps.Web`) | Expose risk profile/results endpoints through gateway with tenant scoping, pagination, and rate limiting. |
 | 2 | WEB-RISK-66-002 | TODO | WEB-RISK-66-001 | BE-Base Platform Guild; Risk Engine Guild (`src/Web/StellaOps.Web`) | Add signed URL handling for explanation blobs and enforce scope checks. |
 | 3 | WEB-RISK-67-001 | TODO | WEB-RISK-66-002 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide aggregated risk stats (`/risk/status`) for Console dashboards (counts per severity, last computation). |
 | 4 | WEB-RISK-68-001 | TODO | WEB-RISK-67-001; notifier bus schema | BE-Base Platform Guild; Notifications Guild (`src/Web/StellaOps.Web`) | Emit events on severity transitions via gateway to notifier bus with trace metadata. |
@@ -36,6 +36,9 @@
 | 13 | WEB-VULN-29-002 | TODO | WEB-VULN-29-001; Findings Ledger idempotency headers | BE-Base Platform Guild; Findings Ledger Guild (`src/Web/StellaOps.Web`) | Forward workflow actions to Findings Ledger with idempotency headers and correlation IDs; handle retries/backoff. |
 | 14 | WEB-VULN-29-003 | TODO | WEB-VULN-29-002; export/simulation orchestrator | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide simulation and export orchestration routes with SSE/progress headers, signed download links, and request budgeting. |
 | 15 | WEB-VULN-29-004 | TODO | WEB-VULN-29-003; observability dashboard specs | BE-Base Platform Guild; Observability Guild (`src/Web/StellaOps.Web`) | Emit gateway metrics/logs (latency, error rates, export duration), propagate query hashes for analytics dashboards. |
+| 16 | WEB-TEN-47-CONTRACT | DOING (2025-12-01) | 2025-12-02 tenant header/ABAC checkpoint | BE-Base Platform Guild (`docs/api/gateway/tenant-auth.md`) | Publish gateway routing + tenant header/ABAC contract (headers, scopes, samples, audit notes). |
+| 17 | WEB-VULN-29-LEDGER-DOC | DOING (2025-12-01) | 2025-12-04 Findings Ledger checkpoint | Findings Ledger Guild; BE-Base Platform Guild (`docs/api/gateway/findings-ledger-proxy.md`) | Capture idempotency + correlation header contract for Findings Ledger proxy and retries/backoff defaults. |
+| 18 | WEB-RISK-68-NOTIFY-DOC | DOING (2025-12-01) | 2025-12-06 Notifications schema checkpoint | Notifications Guild; BE-Base Platform Guild (`docs/api/gateway/notifications-severity.md`) | Document severity transition event schema (fields, trace metadata) for notifier bus integration. |
 
 ## Wave Coordination
 - Single wave (Web V gateway + tenant hardening). Keep task order per dependency chains above; no parallel merges that alter schema/telemetry without shared reviews.
@@ -54,9 +57,7 @@
 - 2025-12-06 (UTC) · Notifications event schema review for severity transitions (BE-Base Platform Guild · Notifications Guild).
 
 ## Action Tracker
-- Publish gateway routing/tenant header contract for WEB-TEN-47-001 (owner: BE-Base Platform Guild; due: 2025-12-02).
-- Deliver Findings Ledger contract note (idempotency + correlation headers) for WEB-VULN-29-002 (owner: Findings Ledger Guild; due: 2025-12-04).
-- Confirm notifier bus event schema for WEB-RISK-68-001 (owner: Notifications Guild; due: 2025-12-06).
+- Covered by Delivery Tracker rows 16–18 (contract docs for tenant headers/ABAC, Findings Ledger proxy, and notifier schema); keep due dates aligned with checkpoints.
 
 ## Decisions & Risks
 | Risk | Impact | Mitigation | Owner | Status |
@@ -64,8 +65,12 @@
 | Tenant header/ABAC contract slips | Blocks WEB-TEN-47-001/48-001/49-001 and delays RBAC enforcement across routes | Lock contract by 2025-12-02; record in `docs/api/gateway/tenant-auth.md`; add blocking status if slip persists | BE-Base Platform Guild | Open |
 | Findings Ledger idempotency headers unclear | WEB-VULN-29-002/003 cannot forward workflow actions safely | Obtain contract on 2025-12-04 checkpoint; add retries/backoff defaults once confirmed | Findings Ledger Guild | Open |
 | Notifications event schema not finalized | WEB-RISK-68-001 cannot emit severity transition events with trace metadata | Schema review on 2025-12-06; use placeholder event name only after review | Notifications Guild | Open |
+| Workspace storage exhaustion prevents command execution | Blocks code inspection and implementation for WEB-RISK-66-001 and subsequent tasks | Free space (e.g., clean `node_modules` caches) and re-run gateway scaffolding; retry once ≥2 GB available | Platform Ops | Open |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-01 | Blocked WEB-RISK-66-001: workspace reports `No space left on device` when starting gateway scaffolding; requires freeing disk (e.g., clean `node_modules`/tmp) before proceeding. | Implementer |
+| 2025-12-01 | Drafted contract docs for tenant auth/ABAC, Findings Ledger proxy, and notifier severity events; set tasks 16–18 to DOING. | Project Mgmt |
+| 2025-11-30 | Added contract/doc tasks (rows 16–18) for tenant headers/ABAC, Findings Ledger proxy headers, and notifier severity events; aligned Action Tracker with Delivery Tracker; no status changes to feature tracks. | Project Mgmt |
 | 2025-11-30 | Normalized sprint to standard template and renamed file from `SPRINT_216_web_v.md` to `SPRINT_0216_0001_0001_web_v.md`; no task status changes. | Project Mgmt |

docs/implplan/SPRINT_0400_0001_0001_reachability_runtime_static_union.md

@@ -27,7 +27,7 @@
 | 5 | REPLAY-REACH-201-005 | DONE (2025-11-26) | Schema v0.1 available; update replay manifest/bundle to include CAS namespace + hashes per spec. | BE-Base Platform Guild | Update `StellaOps.Replay.Core` manifest schema + bundle writer so replay packs capture reachability graphs, runtime traces, analyzer versions, and evidence hashes; document new CAS namespace. |
 | 6 | DOCS-REACH-201-006 | DONE (2025-11-26) | Requires outputs from 1–5 | Docs Guild | Author the reachability doc set (`docs/reachability/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operator workflows. |
 | 7 | QA-REACH-201-007 | DONE (2025-11-25) | Move fixtures + create evaluator harness | QA Guild | Integrate `reachbench-2025-expanded` fixture pack under `tests/reachability/fixtures/`, add evaluator harness tests that validate reachable vs unreachable cases, and wire CI guidance for deterministic runs. |
-| 8 | GAP-SCAN-001 | BLOCKED (2025-11-27) | Richgraph-v1 schema not final; Scanner workspace currently dirty, unsafe to land symbolizer changes. | Scanner Worker Guild | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical SymbolIDs and `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. |
+| 8 | GAP-SCAN-001 | DOING (2025-11-30) | Richgraph-v1 writer/publisher added; Node/.NET lifters emit code_id + purl; richgraph CAS publish wired into worker. Binary lifters still pending. | Scanner Worker Guild | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical SymbolIDs and `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. |
 | 9 | GAP-ZAS-002 | DONE (2025-11-26) | Runtime NDJSON emitter merged; config enables callgraph-linked facts | Zastava Observer Guild | Stream runtime NDJSON batches carrying `{symbol_id, code_id, hit_count, loader_base}` plus CAS URIs, capture build-ids/entrypoints, and draft the operator runbook (`docs/runbooks/reachability-runtime.md`). Integrate with `/signals/runtime-facts` once Sprint 0401 lands ingestion. |
 | 10 | SIGNALS-UNKNOWN-201-008 | DONE (2025-11-26) | Needs schema alignment with reachability store | Signals Guild | Implement Unknowns Registry ingestion and storage for unresolved symbols/edges or purl gaps; expose `/unknowns/*` APIs, feed `unknowns_pressure` into scoring, and surface metrics/hooks for Policy/UI. |
 | 11 | GRAPH-PURL-201-009 | BLOCKED (2025-11-27) | Depends on GAP-SCAN-001 and final richgraph-v1; pending stable symbolizer outputs. | Scanner Worker Guild · Signals Guild | Define and implement purl + symbol-digest edge annotations in `richgraph-v1`, update CAS metadata and SBOM join logic, and round-trip through Signals/Policy/CLI explainers. |
@@ -36,6 +36,7 @@
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-30 | Normalised Delivery Tracker numbering, removed duplicate GAP-ZAS-002 row, and aligned statuses with Execution Log. | Project Mgmt |
+| 2025-11-30 | Implemented richgraph writer/publisher (SHA-256 hashed) plus CAS publishing hook in Scanner worker; Node and .NET lifters now emit code_id/purl metadata; GAP-SCAN-001 moved to DOING. Tests for new writer/publisher added; restore via dotnet test still flaky (nuget spinner). | Scanner Worker |
 | 2025-11-26 | Validated runtime facts builder: `dotnet test src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/StellaOps.Zastava.Observer.Tests.csproj --filter RuntimeFactsBuilderTests` restored and passed; Observer build clean. | Zastava Observer Guild |
 | 2025-11-26 | Implemented runtime facts emitter in `StellaOps.Zastava.Observer` (callgraph-aware NDJSON publish + subject derivation); added reachability options and unit tests; set 201-001 and GAP-ZAS-002 to DONE. | Zastava Observer Guild |
 | 2025-11-26 | Drafted runtime sampler runbook updates (config knobs, sampler rules, CAS trace pointers) in `docs/runbooks/reachability-runtime.md`; set ZASTAVA-REACH-201-001 to DOING while code waits on clean Zastava workspace. | Zastava Observer Guild |
@@ -66,6 +67,8 @@
 - Unknowns Registry shipped (201-008): unknowns pressure applied to scoring; monitor schema adjustments from policy team for purl/digest merge (201-009) to avoid churn.
 - purl + symbol-digest edge schema (201-009) depends on `richgraph-v1` finalization; may require updates to SBOM resolver and CLI explain flows.
 - Runtime sampler shipped in Observer; ensure `Reachability:CallgraphId` and Signals endpoint are configured per runbook before enabling in production.
+- Richgraph writer currently uses SHA-256 graph hash (placeholder) until BLAKE3 dependency is approved; CAS publishes still deterministic but may need hash swap later.
+- dotnet test for new reachability writer/publisher intermittently stalls on NuGet restore spinner; rerun on CI once feeds are stable.
 
 ## Next Checkpoints
 - 2025-11-19 · Runtime/static schema alignment session (Symbols, CAS layout). Owner: Signals Guild.

docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md

@@ -37,29 +37,29 @@
 | 2 | GAP-SYM-007 | BLOCKED (2025-11-27) | Waiting on GRAPH-CAS-401-001 schema/hash decisions. | Scanner Worker Guild · Docs Guild (`src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md`) | Extend evidence schema with demangled hints, `symbol.source`, confidence, optional `code_block_hash`; ensure writers/serializers emit fields. |
 | 3 | SCAN-REACH-401-009 | BLOCKED (2025-11-27) | Needs symbolizer adapters from tasks 1/4; add golden fixtures. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) | Ship .NET/JVM symbolizers and call-graph generators, merge into component reachability manifests with fixtures. |
 | 4 | SCANNER-NATIVE-401-015 | BLOCKED (2025-11-27) | Stand up native readers/demanglers; awaiting Symbols Server contract. | Scanner Worker Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native`, `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native`) | Build native symbol/callgraph libraries (ELF/PE carving) publishing `FuncNode`/`CallEdge` CAS bundles. |
-| 5 | SYMS-SERVER-401-011 | TODO | Blocked on DSSE predicate catalog + storage layout confirmation. | Symbols Guild (`src/Symbols/StellaOps.Symbols.Server`) | Deliver Symbols Server (REST+gRPC) with DSSE-verified uploads, Mongo/MinIO storage, tenant isolation, deterministic debugId indexing, health/manifest APIs. |
-| 6 | SYMS-CLIENT-401-012 | TODO | Depends on server readiness; integrate with Scanner Symbolizer. | Symbols Guild (`src/Symbols/StellaOps.Symbols.Client`, `src/Scanner/StellaOps.Scanner.Symbolizer`) | Ship Symbols Client SDK (resolve/upload, platform key derivation, disk LRU cache) and integrate with Scanner/runtime probes. |
-| 7 | SYMS-INGEST-401-013 | TODO | Follow SYMBOL_MANIFEST spec final; document pipelines. | Symbols Guild · DevOps Guild (`src/Symbols/StellaOps.Symbols.Ingestor.Cli`, `docs/specs/SYMBOL_MANIFEST_v1.md`) | Build `symbols ingest` CLI to emit DSSE-signed manifests, upload blobs, register Rekor entries, and document CI usage. |
-| 8 | SIGNALS-RUNTIME-401-002 | TODO | Wait for Signals ingestion contract from upstream runtime work. | Signals Guild (`src/Signals/StellaOps.Signals`) | Ship `/signals/runtime-facts` ingestion for NDJSON/gzip, dedupe hits, link evidence CAS URIs to callgraph nodes; include retention/RBAC tests. |
-| 9 | RUNTIME-PROBE-401-010 | TODO | Depends on probe collectors; align with ingestion endpoint. | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | Implement lightweight runtime probes (EventPipe/JFR) emitting CAS traces feeding Signals ingestion. |
-| 10 | SIGNALS-SCORING-401-003 | TODO | Needs runtime hit feeds from 8/9; confirm scoring weights. | Signals Guild (`src/Signals/StellaOps.Signals`) | Extend ReachabilityScoringService with deterministic scoring, persist labels, expose `/graphs/{scanId}` CAS lookups. |
+| 5 | SYMS-SERVER-401-011 | BLOCKED (2025-11-30) | Await richgraph schema/hash + storage layout confirmation; Wave 0401 blocked. | Symbols Guild (`src/Symbols/StellaOps.Symbols.Server`) | Deliver Symbols Server (REST+gRPC) with DSSE-verified uploads, Mongo/MinIO storage, tenant isolation, deterministic debugId indexing, health/manifest APIs. |
+| 6 | SYMS-CLIENT-401-012 | BLOCKED (2025-11-30) | Blocked on 5 (server readiness) and schema/hash alignment (2025-12-02). | Symbols Guild (`src/Symbols/StellaOps.Symbols.Client`, `src/Scanner/StellaOps.Scanner.Symbolizer`) | Ship Symbols Client SDK (resolve/upload, platform key derivation, disk LRU cache) and integrate with Scanner/runtime probes. |
+| 7 | SYMS-INGEST-401-013 | BLOCKED (2025-11-30) | Hold for SYMBOL_MANIFEST + graph schema freeze (2025-12-02 checkpoint). | Symbols Guild · DevOps Guild (`src/Symbols/StellaOps.Symbols.Ingestor.Cli`, `docs/specs/SYMBOL_MANIFEST_v1.md`) | Build `symbols ingest` CLI to emit DSSE-signed manifests, upload blobs, register Rekor entries, and document CI usage. |
+| 8 | SIGNALS-RUNTIME-401-002 | BLOCKED (2025-11-30) | Waiting on Signals ingestion contract and graph schema freeze (tasks 1/19). | Signals Guild (`src/Signals/StellaOps.Signals`) | Ship `/signals/runtime-facts` ingestion for NDJSON/gzip, dedupe hits, link evidence CAS URIs to callgraph nodes; include retention/RBAC tests. |
+| 9 | RUNTIME-PROBE-401-010 | BLOCKED (2025-11-30) | Blocked on runtime probe collectors + ingestion endpoint readiness. | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | Implement lightweight runtime probes (EventPipe/JFR) emitting CAS traces feeding Signals ingestion. |
+| 10 | SIGNALS-SCORING-401-003 | BLOCKED (2025-11-30) | Needs runtime hit feeds from 8/9; hold until ingestion/probes unblocked. | Signals Guild (`src/Signals/StellaOps.Signals`) | Extend ReachabilityScoringService with deterministic scoring, persist labels, expose `/graphs/{scanId}` CAS lookups. |
 | 11 | REPLAY-401-004 | BLOCKED | Requires CAS registration policy from GAP-REP-004. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) | Bump replay manifest to v2, enforce CAS registration + hash sorting in ReachabilityReplayWriter, add deterministic tests. |
 | 12 | AUTH-REACH-401-005 | DONE (2025-11-27) | Predicate types exist; DSSE signer service added. | Authority & Signer Guilds (`src/Authority/StellaOps.Authority`, `src/Signer/StellaOps.Signer`) | Introduce DSSE predicate types for SBOM/Graph/VEX/Replay, plumb signing, mirror statements to Rekor (incl. PQ variants). |
-| 13 | POLICY-VEX-401-006 | TODO | Needs reachability facts from Signals and thresholds confirmation. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | Consume reachability facts, bucket scores, emit OpenVEX with call-path proofs, update SPL schema with reachability predicates and suppression gates. |
-| 14 | POLICY-VEX-401-010 | TODO | Depends on 13 and DSSE path; follow bench playbook. | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Implement VexDecisionEmitter to serialize per-finding OpenVEX, attach evidence hashes, request DSSE signatures, capture Rekor metadata. |
-| 15 | UI-CLI-401-007 | TODO | Requires graph CAS outputs + policy evidence; sync CLI/UI. | UI & CLI Guilds (`src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`) | Implement CLI `stella graph explain` and UI explain drawer with signed call-path, predicates, runtime hits, DSSE pointers, counterfactual controls. |
+| 13 | POLICY-VEX-401-006 | BLOCKED (2025-11-30) | Waiting on Signals reachability facts (tasks 8/10) and schema alignment (1/19). | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | Consume reachability facts, bucket scores, emit OpenVEX with call-path proofs, update SPL schema with reachability predicates and suppression gates. |
+| 14 | POLICY-VEX-401-010 | BLOCKED (2025-11-30) | Blocked on 13 and DSSE path readiness; follow bench playbook once schema frozen. | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Implement VexDecisionEmitter to serialize per-finding OpenVEX, attach evidence hashes, request DSSE signatures, capture Rekor metadata. |
+| 15 | UI-CLI-401-007 | BLOCKED (2025-11-30) | Requires graph CAS outputs + policy evidence (1/13/14) post schema/hash checkpoint. | UI & CLI Guilds (`src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`) | Implement CLI `stella graph explain` and UI explain drawer with signed call-path, predicates, runtime hits, DSSE pointers, counterfactual controls. |
 | 16 | QA-DOCS-401-008 | TODO | Needs reachbench fixtures (QA-CORPUS-401-031) and docs readiness. | QA & Docs Guilds (`docs`, `tests/README.md`) | Wire reachbench fixtures into CI, document CAS layouts + replay steps, publish operator runbook for runtime ingestion. |
-| 17 | GAP-SIG-003 | TODO | Depends on Signals runtime ingestion (8) completion. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md`) | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states, emit update events, document retention/RBAC. |
-| 18 | SIG-STORE-401-016 | TODO | Needs schema from graph tasks; align indexes. | Signals Guild · BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | Introduce shared reachability store collections/indexes and repository APIs for canonical function data. |
-| 19 | GAP-REP-004 | TODO | Requires BLAKE3 hashing agreement; tie to replay manifest v2. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md`) | Enforce BLAKE3 hashing + CAS registration for graphs/traces, upgrade replay manifest v2, add deterministic tests. |
-| 20 | GAP-POL-005 | TODO | Consumes reach facts from Signals; update SPL schema. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`, `docs/reachability/function-level-evidence.md`) | Ingest reachability facts into Policy Engine, expose `reachability.state/confidence`, enforce auto-suppress rules, generate OpenVEX evidence blocks. |
-| 21 | GAP-VEX-006 | TODO | Follows GAP-POL-005 plus UI/CLI surfaces. | Policy, Excititor, UI, CLI & Notify Guilds (`docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md`) | Wire VEX emission/explain drawers to show call paths, graph hashes, runtime hits; add CLI flags and Notify templates. |
-| 22 | GAP-DOC-008 | TODO | After evidence schema stabilises; publish samples. | Docs Guild (`docs/reachability/function-level-evidence.md`, `docs/09_API_CLI_REFERENCE.md`, `docs/api/policy.md`) | Publish cross-module function-level evidence guide, update API/CLI references with `code_id`, add OpenVEX/replay samples. |
-| 23 | CLI-VEX-401-011 | TODO | Needs Policy/Signer APIs from 13–14. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Add `stella decision export|verify|compare`, integrate with Policy/Signer APIs, ship local verifier wrappers for bench artifacts. |
+| 17 | GAP-SIG-003 | BLOCKED (2025-11-30) | Blocked on Signals runtime ingestion (8) and schema/hash checkpoint (2025-12-02). | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md`) | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states, emit update events, document retention/RBAC. |
+| 18 | SIG-STORE-401-016 | BLOCKED (2025-11-30) | Needs graph schema from tasks 1/19; hold until alignment meeting. | Signals Guild · BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | Introduce shared reachability store collections/indexes and repository APIs for canonical function data. |
+| 19 | GAP-REP-004 | BLOCKED (2025-11-30) | Requires BLAKE3 hashing agreement; waiting on 2025-12-02 schema/hash alignment. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md`) | Enforce BLAKE3 hashing + CAS registration for graphs/traces, upgrade replay manifest v2, add deterministic tests. |
+| 20 | GAP-POL-005 | BLOCKED (2025-11-30) | Consumes reach facts from Signals; waiting on 8/10/17 plus schema freeze. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`, `docs/reachability/function-level-evidence.md`) | Ingest reachability facts into Policy Engine, expose `reachability.state/confidence`, enforce auto-suppress rules, generate OpenVEX evidence blocks. |
+| 21 | GAP-VEX-006 | BLOCKED (2025-11-30) | Follows 20 plus UI/CLI surfaces; hold until reach facts + schema ready. | Policy, Excititor, UI, CLI & Notify Guilds (`docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md`) | Wire VEX emission/explain drawers to show call paths, graph hashes, runtime hits; add CLI flags and Notify templates. |
+| 22 | GAP-DOC-008 | BLOCKED (2025-11-30) | After evidence schema stabilises; hold until 2025-12-02 schema/hash alignment. | Docs Guild (`docs/reachability/function-level-evidence.md`, `docs/09_API_CLI_REFERENCE.md`, `docs/api/policy.md`) | Publish cross-module function-level evidence guide, update API/CLI references with `code_id`, add OpenVEX/replay samples. |
+| 23 | CLI-VEX-401-011 | BLOCKED (2025-11-30) | Needs Policy outputs from 13/14 and schema/hash checkpoint. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Add `stella decision export|verify|compare`, integrate with Policy/Signer APIs, ship local verifier wrappers for bench artifacts. |
 | 24 | SIGN-VEX-401-018 | DONE (2025-11-26) | Predicate types added with tests. | Signing Guild (`src/Signer/StellaOps.Signer`, `docs/modules/signer/architecture.md`) | Extend Signer predicate catalog with `stella.ops/vexDecision@v1`, enforce payload policy, plumb DSSE/Rekor integration. |
-| 25 | BENCH-AUTO-401-019 | TODO | Depends on data sets and baseline scanner setup. | Benchmarks Guild (`docs/benchmarks/vex-evidence-playbook.md`, `scripts/bench/**`) | Automate population of `bench/findings/**`, run baseline scanners, compute FP/MTTD/repro metrics, update `results/summary.csv`. |
-| 26 | DOCS-VEX-401-012 | TODO | Align with GAP-DOC-008 and bench playbook. | Docs Guild (`docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md`) | Maintain VEX Evidence Playbook, publish repo templates/README, document verification workflows. |
-| 27 | SYMS-BUNDLE-401-014 | TODO | Depends on SYMBOL_MANIFEST spec and ingest pipeline. | Symbols Guild · Ops Guild (`src/Symbols/StellaOps.Symbols.Bundle`, `ops`) | Produce deterministic symbol bundles for air-gapped installs with DSSE manifests/Rekor checkpoints; document offline workflows. |
+| 25 | BENCH-AUTO-401-019 | BLOCKED (2025-11-30) | Hold until dataset schema/feed hashes published (tasks 1/55/58). | Benchmarks Guild (`docs/benchmarks/vex-evidence-playbook.md`, `scripts/bench/**`) | Automate population of `bench/findings/**`, run baseline scanners, compute FP/MTTD/repro metrics, update `results/summary.csv`. |
+| 26 | DOCS-VEX-401-012 | BLOCKED (2025-11-30) | Align with GAP-DOC-008 and bench playbook; hold until schema/hash freeze. | Docs Guild (`docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md`) | Maintain VEX Evidence Playbook, publish repo templates/README, document verification workflows. |
+| 27 | SYMS-BUNDLE-401-014 | BLOCKED (2025-11-30) | Depends on SYMBOL_MANIFEST spec and ingest pipeline; wait for 2025-12-02 schema/hash checkpoint. | Symbols Guild · Ops Guild (`src/Symbols/StellaOps.Symbols.Bundle`, `ops`) | Produce deterministic symbol bundles for air-gapped installs with DSSE manifests/Rekor checkpoints; document offline workflows. |
 | 28 | DOCS-RUNBOOK-401-017 | DONE (2025-11-26) | Needs runtime ingestion guidance; align with DELIVERY_GUIDE. | Docs Guild · Ops Guild (`docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md`) | Publish reachability runtime ingestion runbook, link from delivery guides, keep Ops/Signals troubleshooting current. |
 | 29 | POLICY-LIB-401-001 | DONE (2025-11-27) | Extract DSL parser; align with Policy Engine tasks. | Policy Guild (`src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md`) | Extract policy DSL parser/compiler into `StellaOps.PolicyDsl`, add lightweight syntax, expose `PolicyEngineFactory`/`SignalContext`. |
 | 30 | POLICY-LIB-401-002 | DONE (2025-11-27) | Follows 29; add harness and CLI wiring. | Policy Guild · CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | Ship unit-test harness + sample DSL, wire `stella policy lint/simulate` to shared library. |
@@ -69,36 +69,36 @@
 | 34 | DSSE-LIB-401-020 | DONE (2025-11-27) | Transitive dependency exposes Envelope types; extensions added. | Attestor Guild · Platform Guild (`src/Attestor/StellaOps.Attestation`, `src/Attestor/StellaOps.Attestor.Envelope`) | Package `StellaOps.Attestor.Envelope` primitives into reusable `StellaOps.Attestation` library with InToto/DSSE helpers. |
 | 35 | DSSE-CLI-401-021 | DONE (2025-11-27) | Depends on 34; deliver CLI/workflow snippets. | CLI Guild · DevOps Guild (`src/Cli/StellaOps.Cli`, `scripts/ci/attest-*`, `docs/modules/attestor/architecture.md`) | Ship `stella attest` CLI or sample tool plus GitLab/GitHub workflow snippets emitting DSSE per build step. |
 | 36 | DSSE-DOCS-401-022 | DONE (2025-11-27) | Follows 34/35; document build-time flow. | Docs Guild · Attestor Guild (`docs/ci/dsse-build-flow.md`, `docs/modules/attestor/architecture.md`) | Document build-time attestation walkthrough: models, helper usage, Authority integration, storage conventions, verification commands. |
-| 37 | REACH-LATTICE-401-023 | TODO | Align Scanner + Policy schemas; tie to evidence joins. | Scanner Guild · Policy Guild (`docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService`) | Define reachability lattice model and ensure joins write to event graph schema. |
-| 38 | UNCERTAINTY-SCHEMA-401-024 | TODO | Schema changes rely on Signals ingestion work. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/uncertainty/README.md`) | Extend Signals findings with uncertainty states, entropy fields, `riskScore`; emit update events and persist evidence. |
-| 39 | UNCERTAINTY-SCORER-401-025 | TODO | Scorer depends on 38 outputs. | Signals Guild (`src/Signals/StellaOps.Signals.Application`, `docs/uncertainty/README.md`) | Implement entropy-aware risk scorer and wire into finding writes. |
-| 40 | UNCERTAINTY-POLICY-401-026 | TODO | Guidance depends on 38/39. | Policy Guild · Concelier Guild (`docs/policy/dsl.md`, `docs/uncertainty/README.md`) | Update policy guidance with uncertainty gates (U1/U2/U3), sample YAML rules, remediation actions. |
-| 41 | UNCERTAINTY-UI-401-027 | TODO | UI/CLI depends on 38/39 outputs. | UI Guild · CLI Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/uncertainty/README.md`) | Surface uncertainty chips/tooltips in Console + CLI output (risk score + entropy states). |
+| 37 | REACH-LATTICE-401-023 | BLOCKED (2025-11-30) | Align Scanner + Policy schemas; waiting on 2025-12-02 schema/hash decisions. | Scanner Guild · Policy Guild (`docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService`) | Define reachability lattice model and ensure joins write to event graph schema. |
+| 38 | UNCERTAINTY-SCHEMA-401-024 | BLOCKED (2025-11-30) | Schema changes rely on Signals ingestion work and graph schema freeze. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/uncertainty/README.md`) | Extend Signals findings with uncertainty states, entropy fields, `riskScore`; emit update events and persist evidence. |
+| 39 | UNCERTAINTY-SCORER-401-025 | BLOCKED (2025-11-30) | Depends on 38 outputs; hold until schema freeze. | Signals Guild (`src/Signals/StellaOps.Signals.Application`, `docs/uncertainty/README.md`) | Implement entropy-aware risk scorer and wire into finding writes. |
+| 40 | UNCERTAINTY-POLICY-401-026 | BLOCKED (2025-11-30) | Guidance depends on 38/39; wait for schema decisions. | Policy Guild · Concelier Guild (`docs/policy/dsl.md`, `docs/uncertainty/README.md`) | Update policy guidance with uncertainty gates (U1/U2/U3), sample YAML rules, remediation actions. |
+| 41 | UNCERTAINTY-UI-401-027 | BLOCKED (2025-11-30) | UI/CLI depends on 38/39 outputs; hold pending schema alignment. | UI Guild · CLI Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/uncertainty/README.md`) | Surface uncertainty chips/tooltips in Console + CLI output (risk score + entropy states). |
 | 42 | PROV-INLINE-401-028 | DONE | Completed inline DSSE hooks per docs. | Authority Guild · Feedser Guild (`docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo`) | Extend event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event. |
 | 43 | PROV-BACKFILL-INPUTS-401-029A | DONE | Inventory/map drafted 2025-11-18. | Evidence Locker Guild · Platform Guild (`docs/provenance/inline-dsse.md`) | Attestation inventory and subject→Rekor map drafted. |
 | 44 | PROV-BACKFILL-401-029 | DONE (2025-11-27) | Use inventory+map; depends on 42/43 readiness. | Platform Guild (`docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh`) | Resolve historical events and backfill provenance. |
 | 45 | PROV-INDEX-401-030 | DONE (2025-11-27) | Blocked until 44 defines data model. | Platform Guild · Ops Guild (`docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js`) | Deploy provenance indexes and expose compliance/replay queries. |
-| 46 | QA-CORPUS-401-031 | TODO | Needs reachbench corpus creation; align with QA harness. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) | Build/publish multi-runtime reachability corpus with ground truths and traces; wire fixtures into CI. |
-| 47 | UI-VEX-401-032 | TODO | Depends on policy/CLI evidence chain (13–15,21). | UI Guild · CLI Guild · Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) | Add UI/CLI “Explain/Verify” surfaces on VEX decisions with call paths, runtime hits, attestation verify button. |
-| 48 | POLICY-GATE-401-033 | TODO | Gate depends on Signals/Scanner reach evidence. | Policy Guild · Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable`; fallback to under review on low confidence; update docs/tests. |
-| 49 | GRAPH-PURL-401-034 | TODO | Needs graph schema from 1 and signals store alignment. | Scanner Worker Guild · Signals Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Signals/StellaOps.Signals`, `docs/reachability/purl-resolved-edges.md`) | Annotate call edges with callee purl + `symbol_digest`, update schema/CAS, surface in CLI/UI. |
-| 50 | SCANNER-BUILDID-401-035 | TODO | Depends on scanner symbol work and fixtures. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Capture `.note.gnu.build-id` for ELF targets, thread into `SymbolID`/`code_id`, SBOM exports, runtime facts; add fixtures. |
-| 51 | SCANNER-INITROOT-401-036 | TODO | Requires graph writer updates from 1. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Model init sections as synthetic graph roots (phase=load) including `DT_NEEDED` deps; persist in evidence. |
-| 52 | QA-PORACLE-401-037 | TODO | Depends on reachability graph fixtures; add CI harness. | QA Guild · Scanner Worker Guild (`tests/reachability`, `docs/reachability/patch-oracles.md`) | Add patch-oracle fixtures and harness comparing graphs vs oracle, fail CI when expected functions/edges missing. |
-| 53 | GRAPH-HYBRID-401-053 | TODO | Await graph schema (task 1) final hash; align with Attestor. | Scanner Worker Guild · Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`, `docs/reachability/hybrid-attestation.md`) | Implement mandatory graph-level DSSE for `richgraph-v1` with deterministic ordering → BLAKE3 graph hash → DSSE envelope → Rekor submit; expose CAS paths `cas://reachability/graphs/{hash}` and `.../{hash}.dsse`; add golden verification fixture. |
-| 54 | EDGE-BUNDLE-401-054 | TODO | Depends on 53 and init/root handling (51). | Scanner Worker Guild · Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`) | Emit optional edge-bundle DSSE envelopes (≤512 edges) for runtime hits, init-array/TLS roots, contested/third-party edges; include `bundle_reason`, per-edge `reason`, `revoked?` flag; canonical sort before hashing; Rekor publish capped/configurable; CAS path `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. |
-| 55 | SIG-POL-HYBRID-401-055 | TODO | Needs edge-bundle schema from 54 and Unknowns rules. | Signals Guild · Policy Guild (`src/Signals/StellaOps.Signals`, `src/Policy/StellaOps.Policy.Engine`, `docs/reachability/evidence-schema.md`) | Ingest edge-bundle DSSEs, attach to `graph_hash`, enforce quarantine (`revoked=true`) before scoring, surface presence in APIs/CLI/UI explainers, and add regression tests for graph-only vs graph+bundle paths. |
-| 56 | DOCS-HYBRID-401-056 | TODO | Dependent on 53–55 delivery; interim draft exists. | Docs Guild (`docs/reachability/hybrid-attestation.md`, `docs/modules/scanner/architecture.md`, `docs/modules/policy/architecture.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`) | Finalize hybrid attestation documentation and release notes; publish verification runbook (graph-only vs graph+edge-bundle), Rekor guidance, and offline replay steps; link from sprint Decisions & Risks. |
+| 46 | QA-CORPUS-401-031 | BLOCKED (2025-11-30) | Hold until schema/feed hashes freeze (tasks 1/55/58) post 2025-12-02 checkpoint. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) | Build/publish multi-runtime reachability corpus with ground truths and traces; wire fixtures into CI. |
+| 47 | UI-VEX-401-032 | BLOCKED (2025-11-30) | Depends on policy/CLI evidence chain (13–15,21) and schema/hash alignment. | UI Guild · CLI Guild · Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) | Add UI/CLI “Explain/Verify” surfaces on VEX decisions with call paths, runtime hits, attestation verify button. |
+| 48 | POLICY-GATE-401-033 | BLOCKED (2025-11-30) | Gate depends on Signals/Scanner reach evidence; wait for 2025-12-02 schema/hash decisions. | Policy Guild · Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable`; fallback to under review on low confidence; update docs/tests. |
+| 49 | GRAPH-PURL-401-034 | BLOCKED (2025-11-30) | Needs graph schema from 1 and signals store alignment; hold for 2025-12-02 checkpoint. | Scanner Worker Guild · Signals Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Signals/StellaOps.Signals`, `docs/reachability/purl-resolved-edges.md`) | Annotate call edges with callee purl + `symbol_digest`, update schema/CAS, surface in CLI/UI. |
+| 50 | SCANNER-BUILDID-401-035 | BLOCKED (2025-11-30) | Depends on scanner symbol work and fixtures; blocked until schema/symbol server decisions. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Capture `.note.gnu.build-id` for ELF targets, thread into `SymbolID`/`code_id`, SBOM exports, runtime facts; add fixtures. |
+| 51 | SCANNER-INITROOT-401-036 | BLOCKED (2025-11-30) | Requires graph writer updates from 1; wait for schema/hash alignment. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Model init sections as synthetic graph roots (phase=load) including `DT_NEEDED` deps; persist in evidence. |
+| 52 | QA-PORACLE-401-037 | BLOCKED (2025-11-30) | Depends on reachability graph fixtures; wait for tasks 1/53 schema freeze. | QA Guild · Scanner Worker Guild (`tests/reachability`, `docs/reachability/patch-oracles.md`) | Add patch-oracle fixtures and harness comparing graphs vs oracle, fail CI when expected functions/edges missing. |
+| 53 | GRAPH-HYBRID-401-053 | BLOCKED (2025-11-30) | Await graph schema (task 1) final hash; alignment meeting 2025-12-02. | Scanner Worker Guild · Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`, `docs/reachability/hybrid-attestation.md`) | Implement mandatory graph-level DSSE for `richgraph-v1` with deterministic ordering → BLAKE3 graph hash → DSSE envelope → Rekor submit; expose CAS paths `cas://reachability/graphs/{hash}` and `.../{hash}.dsse`; add golden verification fixture. |
+| 54 | EDGE-BUNDLE-401-054 | BLOCKED (2025-11-30) | Depends on 53 + init/root handling (51); waiting on schema/hash alignment. | Scanner Worker Guild · Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`) | Emit optional edge-bundle DSSE envelopes (≤512 edges) for runtime hits, init-array/TLS roots, contested/third-party edges; include `bundle_reason`, per-edge `reason`, `revoked?` flag; canonical sort before hashing; Rekor publish capped/configurable; CAS path `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. |
+| 55 | SIG-POL-HYBRID-401-055 | BLOCKED (2025-11-30) | Needs edge-bundle schema from 54 and Unknowns rules; wait for 2025-12-02 checkpoint. | Signals Guild · Policy Guild (`src/Signals/StellaOps.Signals`, `src/Policy/StellaOps.Policy.Engine`, `docs/reachability/evidence-schema.md`) | Ingest edge-bundle DSSEs, attach to `graph_hash`, enforce quarantine (`revoked=true`) before scoring, surface presence in APIs/CLI/UI explainers, and add regression tests for graph-only vs graph+bundle paths. |
+| 56 | DOCS-HYBRID-401-056 | BLOCKED (2025-11-30) | Dependent on 53–55 delivery; hold until schema/hash alignment completes. | Docs Guild (`docs/reachability/hybrid-attestation.md`, `docs/modules/scanner/architecture.md`, `docs/modules/policy/architecture.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`) | Finalize hybrid attestation documentation and release notes; publish verification runbook (graph-only vs graph+edge-bundle), Rekor guidance, and offline replay steps; link from sprint Decisions & Risks. |
 | 57 | BENCH-DETERMINISM-401-057 | DONE (2025-11-26) | Harness + mock scanner shipped; inputs/manifest at `src/Bench/StellaOps.Bench/Determinism/results`. | Bench Guild · Signals Guild · Policy Guild (`bench/determinism`, `docs/benchmarks/signals/`) | Implemented cross-scanner determinism bench (shuffle/canonical), hashes outputs, summary JSON; CI workflow `.gitea/workflows/bench-determinism.yml` runs `scripts/bench/determinism-run.sh`; manifests generated. |
-| 58 | DATASET-REACH-PUB-401-058 | TODO | Needs schema alignment from tasks 1/17/55. | QA Guild · Scanner Guild (`tests/reachability/samples-public`, `docs/reachability/evidence-schema.md`) | Materialize PHP/JS/C# mini-app samples + ground-truth JSON (from 23-Nov dataset advisory); runners and confusion-matrix metrics; integrate into CI hot/cold paths with deterministic seeds; keep schema compatible with Signals ingest. |
-| 59 | NATIVE-CALLGRAPH-INGEST-401-059 | TODO | Depends on 1 and native symbolizer readiness. | Scanner Guild (`src/Scanner/StellaOps.Scanner.CallGraph.Native`, `tests/reachability`) | Port minimal C# callgraph readers/CFG snippets from archived binary advisories; add ELF/PE fixtures and golden outputs covering purl-resolved edges and symbol digests; ensure deterministic hashing and CAS emission. |
-| 60 | CORPUS-MERGE-401-060 | TODO | After 58 schema settled; tie to QA-CORPUS-401-031. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/corpus-plan.md`) | Merge archived multi-runtime corpus (Go/.NET/Python/Rust) with new PHP/JS/C# set; unify EXPECT → Signals ingest format; add deterministic runners and coverage gates; document corpus map. |
+| 58 | DATASET-REACH-PUB-401-058 | BLOCKED (2025-11-30) | Needs schema alignment from tasks 1/17/55; wait for 2025-12-02 freeze. | QA Guild · Scanner Guild (`tests/reachability/samples-public`, `docs/reachability/evidence-schema.md`) | Materialize PHP/JS/C# mini-app samples + ground-truth JSON (from 23-Nov dataset advisory); runners and confusion-matrix metrics; integrate into CI hot/cold paths with deterministic seeds; keep schema compatible with Signals ingest. |
+| 59 | NATIVE-CALLGRAPH-INGEST-401-059 | BLOCKED (2025-11-30) | Depends on task 1 graph schema + native symbolizer readiness; hold until 2025-12-02 checkpoint. | Scanner Guild (`src/Scanner/StellaOps.Scanner.CallGraph.Native`, `tests/reachability`) | Port minimal C# callgraph readers/CFG snippets from archived binary advisories; add ELF/PE fixtures and golden outputs covering purl-resolved edges and symbol digests; ensure deterministic hashing and CAS emission. |
+| 60 | CORPUS-MERGE-401-060 | BLOCKED (2025-11-30) | After 58 schema settled; blocked until dataset freeze post 2025-12-02 checkpoint. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/corpus-plan.md`) | Merge archived multi-runtime corpus (Go/.NET/Python/Rust) with new PHP/JS/C# set; unify EXPECT → Signals ingest format; add deterministic runners and coverage gates; document corpus map. |
 | 61 | DOCS-BENCH-401-061 | DONE (2025-11-26) | Blocks on outputs from 57–60. | Docs Guild (`docs/benchmarks/signals/bench-determinism.md`, `docs/reachability/corpus-plan.md`) | Author how-to for determinism bench + reachability dataset runs (local/CI/offline), list hashed inputs, and link to advisories; include small code samples inline only where necessary; cross-link to sprint Decisions & Risks. |
 
 ## Wave Coordination
 | Wave | Guild owners | Shared prerequisites | Status | Notes |
 | --- | --- | --- | --- | --- |
-| 0401 Reachability Evidence Chain | Scanner Guild · Signals Guild · BE-Base Platform Guild · Policy Guild · UI/CLI Guilds · Docs Guild | Sprint 0140 Runtime & Signals; Sprint 0185 Replay Core; Sprint 0186 Scanner Record Mode; Sprint 0187 Evidence Locker & CLI Integration | TODO | Foundation work (Sprint 0400) in flight; advance after Scanner record mode emits replay manifests and Evidence Locker APIs exist. |
+| 0401 Reachability Evidence Chain | Scanner Guild · Signals Guild · BE-Base Platform Guild · Policy Guild · UI/CLI Guilds · Docs Guild | Sprint 0140 Runtime & Signals; Sprint 0185 Replay Core; Sprint 0186 Scanner Record Mode; Sprint 0187 Evidence Locker & CLI Integration | BLOCKED (2025-11-30) | Foundation work (Sprint 0400) and richgraph schema decisions outstanding; unblock after record mode emits replay manifests and Evidence Locker APIs exist. |
 
 ## Wave Detail Snapshots
 - Single wave covering end-to-end reachability evidence; proceed once Sprint 0400 + upstream runtime/replay prerequisites land.
@@ -139,6 +139,9 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-01 | Extended BLOCKED status to tasks 19, 22, 26–27, 37–41, 48–51 pending 2025-12-02 schema/hash alignment and upstream Signals readiness. | Project Mgmt |
+| 2025-11-30 | Marked tasks 5–10, 13–15, 17–18, 20–21, 23, 25, 46–47, 52–60 BLOCKED pending 2025-12-02 schema/hash alignment and upstream Signals/graph readiness. | Project Mgmt |
+| 2025-11-30 | Marked Wave 0401 as BLOCKED pending Sprint 0400 readiness and richgraph schema decisions. | Project Mgmt |
 | 2025-11-30 | Added R7 for elapsed sprint window, scheduled 2025-12-02 schema/hash alignment checkpoint, and logged Action Tracker item 3; no task status changes. | Project Mgmt |
 | 2025-11-27 | Marked GRAPH-CAS-401-001, GAP-SYM-007, SCAN-REACH-401-009, and SCANNER-NATIVE-401-015 BLOCKED pending richgraph schema + Symbols Server contracts. | Project Mgmt |
 | 2025-11-27 | Completed AUTH-REACH-401-005: added `StellaOps.Attestation` reference to Authority project; created `AuthoritySignerAdapter` to wrap ICryptoSigner as IAuthoritySigner; created `IAuthorityDsseStatementSigner` interface and `AuthorityDsseStatementSigner` service for signing In-toto statements with Authority's signing keys; service reuses existing DsseHelper.WrapAsync for DSSE envelope creation; fixed null-reference issue in DsseHelper.cs. Rekor mirroring leverages existing Attestor `IRekorClient` infrastructure. | Authority Guild |

docs/implplan/SPRINT_0513_0001_0001_public_reachability_benchmark.md

@@ -32,10 +32,10 @@
 | 4 | BENCH-CASES-PY-513-004 | DONE (2025-11-30) | Depends on 513-002. | Bench Guild · Python Track (`bench/reachability-benchmark/cases/py`) | Create 5-8 Python cases: Flask, Django, FastAPI. Include requirements.txt pinned, pytest oracles, coverage.py output. Delivered 5 cases: unsafe-exec (reachable), guarded-exec (unreachable), flask-template (reachable), fastapi-guarded (unreachable), django-ssti (reachable). |
 | 5 | BENCH-CASES-JAVA-513-005 | BLOCKED (2025-11-30) | Depends on 513-002. | Bench Guild · Java Track (`bench/reachability-benchmark/cases/java`) | Create 5-8 Java cases: Spring Boot, Micronaut. Include pom.xml locked, JUnit oracles, JaCoCo coverage. Progress: 2/5 seeded (`spring-deserialize` reachable, `spring-guarded` unreachable); build/test blocked by missing JDK (`javac` not available in runner). |
 | 6 | BENCH-CASES-C-513-006 | TODO | Depends on 513-002. | Bench Guild · Native Track (`bench/reachability-benchmark/cases/c`) | Create 3-5 C/ELF cases: small HTTP servers, crypto utilities. Include Makefile, gcov/llvm-cov coverage, deterministic builds (SOURCE_DATE_EPOCH). |
-| 7 | BENCH-BUILD-513-007 | DOING | Depends on 513-003 through 513-006. | Bench Guild · DevOps Guild | Implement `build_all.py` and `validate_builds.py`: deterministic Docker builds, hash verification, SBOM generation (syft), attestation stubs. Progress: added scripts (hash check, deterministic ordering) + README; added deterministic SBOM/attestation stubs; real syft/signing still pending. |
+| 7 | BENCH-BUILD-513-007 | DOING | Depends on 513-003 through 513-006. | Bench Guild · DevOps Guild | Implement `build_all.py` and `validate_builds.py`: deterministic Docker builds, hash verification, SBOM generation (syft), attestation stubs. Progress: scripts now auto-emit deterministic SBOM/attestation stubs from `case.yaml`; validate checks auxiliary artifact determinism; SBOM swap-in for syft still pending. |
 | 8 | BENCH-SCORER-513-008 | DONE (2025-11-30) | Depends on 513-002. | Bench Guild (`bench/reachability-benchmark/tools/scorer`) | Implement `rb-score` CLI: load cases/truth, validate submissions, compute precision/recall/F1, explainability score (0-3), runtime stats, determinism rate. |
 | 9 | BENCH-EXPLAIN-513-009 | DONE (2025-11-30) | Depends on 513-008. | Bench Guild | Implement explainability scoring rules: 0=no context, 1=path with ≥2 nodes, 2=entry+≥3 nodes, 3=guards/constraints included. Unit tests for each level. |
-| 10 | BENCH-BASELINE-SEMGREP-513-010 | TODO | Depends on 513-008 and cases. | Bench Guild | Semgrep baseline runner: `baselines/semgrep/run_case.sh`, rule config, output normalization to submission format. |
+| 10 | BENCH-BASELINE-SEMGREP-513-010 | DONE (2025-12-01) | Depends on 513-008 and cases. | Bench Guild | Semgrep baseline runner: added `baselines/semgrep/run_case.sh`, `run_all.sh`, rules, and `normalize.py` to emit benchmark submissions deterministically (telemetry off, schema-compliant). |
 | 11 | BENCH-BASELINE-CODEQL-513-011 | TODO | Depends on 513-008 and cases. | Bench Guild | CodeQL baseline runner: database creation, reachability queries, output normalization. Document CodeQL license requirements. |
 | 12 | BENCH-BASELINE-STELLA-513-012 | TODO | Depends on 513-008 and Sprint 0401 reachability. | Bench Guild · Scanner Guild | Stella Ops baseline runner: invoke `stella scan` with reachability, normalize output, demonstrate determinism advantage. |
 | 13 | BENCH-CI-513-013 | TODO | Depends on 513-007, 513-008. | Bench Guild · DevOps Guild | GitHub Actions workflow: lint, test scorer, build cases, run smoke baselines, upload artifacts. |
@@ -48,16 +48,16 @@
 | Wave | Guild owners | Shared prerequisites | Status | Notes |
 | --- | --- | --- | --- | --- |
 | W1 Foundation | Bench Guild · DevOps Guild | None | DONE (2025-11-29) | Tasks 1-2 shipped: repo + schemas. |
-| W2 Dataset | Bench Guild (per language track) | W1 complete | DOING | JS/PY cases DONE; Java BLOCKED (JDK); C TODO; builds DOING (SBOM stubs pending). |
+| W2 Dataset | Bench Guild (per language track) | W1 complete | DOING | JS/PY cases DONE; Java BLOCKED (JDK); C TODO; builds DOING (SBOM stubs automated; syft swap pending). |
 | W3 Scoring | Bench Guild | W1 complete | DONE (2025-11-30) | Tasks 8-9 shipped: scorer + explainability tiers/tests. |
 | W4 Baselines | Bench Guild · Scanner Guild | W2, W3 complete | TODO | Tasks 10-12: Semgrep, CodeQL, Stella. |
 | W5 Publish | All Guilds | W4 complete | TODO | Tasks 13-17: CI, leaderboard, website, docs, launch. |
 
 ## Wave Detail Snapshots
 - **W1 Foundation (DONE 2025-11-29):** Repo skeleton, licensing, schemas, validators landed; prerequisites satisfied for downstream tracks.
-- **W2 Dataset (DOING):** JS/PY tracks complete; Java blocked on JDK>=17 in runner/CI; C track not started; build pipeline scripts exist but need SBOM/attestation stubs.
+- **W2 Dataset (DOING):** JS/PY tracks complete; Java blocked on JDK>=17 in runner/CI; C track not started; build pipeline scripts now emit deterministic SBOM/attestation stubs; syft/real attestations still pending.
 - **W3 Scoring (DONE 2025-11-30):** `rb-score` CLI, explainability tiers, and tests complete; ready to support baselines.
-- **W4 Baselines (TODO):** Semgrep, CodeQL, and Stella runners not started; waiting on dataset/build stability and Sprint 0401 reachability for Stella.
+- **W4 Baselines (TODO):** Semgrep runner done; CodeQL and Stella runners not started; waiting on dataset/build stability and Sprint 0401 reachability for Stella.
 - **W5 Publish (TODO):** CI, leaderboard, website, docs, and launch materials pending completion of baselines and build hardening.
 
 ## Interlocks
@@ -107,3 +107,5 @@
 | 2025-11-30 | BENCH-BUILD-513-007 DOING: added `tools/build/build_all.py` and `tools/build/validate_builds.py` for deterministic builds and hash checks; SBOM/attestation stubs still pending. | Implementer |
 | 2025-11-30 | Normalised sprint doc to template: updated wave statuses to reflect task reality and added Wave Detail Snapshots. | PM |
 | 2025-11-30 | BENCH-BUILD-513-007: build_all/validate_builds run; all JS/PY cases deterministic, Java cases fail due to missing `javac` (same blocker as task 5). | Implementer |
+| 2025-12-01 | BENCH-BUILD-513-007: build tools now auto-write deterministic SBOM/attestation stubs from `case.yaml`; validate checks auxiliary artifact determinism; README updated. | Implementer |
+| 2025-12-01 | BENCH-BASELINE-SEMGREP-513-010 DONE: added semgrep baseline runner (run_case/run_all, rules, normalize) with deterministic outputs and schema-compliant submission. | Implementer |

docs/implplan/SPRINT_187_evidence_locker_cli_integration.md

@@ -44,6 +44,14 @@
 | 3 | Align CLI command surface with replay API/manifest sample; note offline behaviors. | DevEx/CLI Guild | 2025-12-05 | OPEN |
 | 4 | Add validation harness outline with DSSE/Rekor/SBOM/policy checks tied to replay bundle sample. | QA Guild | 2025-12-05 | OPEN |
 
+## Upcoming Checkpoints
+| Date (UTC) | Session / Owner | Target outcome | Fallback / Escalation |
+| --- | --- | --- | --- |
+| 2025-12-02 | Scanner → EvidenceLocker schema handoff (0186 → 0161) | Deliver replay manifest/bundle sample + field list to unblock tasks 1–3. | Escalate to Replay Core (0185) leads; keep tasks BLOCKED if sample absent. |
+| 2025-12-03 | EvidenceLocker replay API review | Freeze endpoints/payloads and publish draft; unblock Actions 2–3. | If schema still unstable, log slip and extend due dates in Action Tracker. |
+| 2025-12-04 | CLI/Attestor alignment call | Confirm CLI verbs and anchoring flow based on frozen schema; set go/no-go for validation harness scope. | If schema not frozen, reschedule and keep tasks BLOCKED. |
+| 2025-12-05 | Validation harness scoping review | Finalize validation checks and script layout for VALIDATE-BUNDLE-187-005. | Defer harness start until schema + CLI verbs are fixed. |
+
 ## Decisions & Risks
 | Risk / Decision | Impact | Mitigation / Next Step | Status |
 | --- | --- | --- | --- |
@@ -55,6 +63,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-30 | Reconfirmed dependencies remain unmet (Scanner replay payload, EvidenceLocker schema, orchestrator capsules); tasks stay BLOCKED. | Implementer |
+| 2025-11-30 | Added checkpoint schedule to drive schema/API delivery and validation scope decisions; tasks remain BLOCKED. | Project Mgmt |
 | 2025-11-30 | Normalized sprint to standard template; set all tasks to BLOCKED pending Scanner/EvidenceLocker schema and crypto readiness; added interlocks/actions/risks. | Implementer |
 | 2025-11-03 | `/docs/runbooks/replay_ops.md` created — teams may start ops rehearsal once schemas land. | Ops Guild |
-

docs/implplan/SPRINT_200_experience_sdks.md

@@ -1,71 +1,5 @@
-# Sprint 0200-0001-0001 · Experience & SDKs Snapshot
+# Redirect Notice · Sprint 200
 
-## Topic & Scope
-- Snapshot of Experience & SDKs stream (waves 180.A–F); active backlog now lives in later sprints (201+).
-- Maintain visibility of wave readiness while upstream dependencies land.
-- **Working directory:** `docs/implplan` (coordination only).
+This sprint was normalized and renamed to `docs/implplan/SPRINT_0200_0001_0001_experience_sdks.md` (2025-11-30).
 
-## Dependencies & Concurrency
-- Upstream gating sprints: 120.A (AirGap), 130.A (Scanner), 150.A (Orchestrator), 170.A (Notifier), 141 (Graph Indexer for 180.C).
-- All waves remain TODO until upstream APIs/contracts finalize; no concurrent execution planned.
-
-## Documentation Prerequisites
-- docs/README.md
-- docs/07_HIGH_LEVEL_ARCHITECTURE.md
-- docs/modules/platform/architecture-overview.md
-- docs/implplan/AGENTS.md
-
-## Delivery Tracker
-| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
-| --- | --- | --- | --- | --- | --- |
-| 1 | EXP-SNAPSHOT-200 | TODO | Keep wave readiness current; migrate active items to sprint 201+. | Project Mgmt · Experience Guild | Maintain Experience & SDKs status snapshot; no implementation tracked here. |
-
-## Wave Coordination
-| Wave | Guild owners | Shared prerequisites | Status | Notes |
-| --- | --- | --- | --- | --- |
-| 180.A CLI | DevEx/CLI Guild · Advisory AI Guild · Evidence Locker Guild | Sprint 120.A – AirGap; 130.A – Scanner; 150.A – Orchestrator; 170.A – Notifier | TODO | Commands blocked on orchestrator + notifier scopes; finalize auth/output scaffolding to flip to DOING. |
-| 180.B DevPortal | Developer Portal Guild · SDK Generator Guild · Platform Guild | Same as above | TODO | Static site generator selection pending; align examples with CLI/SDK teams. |
-| 180.C Graph Experiences (CLI/SDK) | Graph Guild · SDK Generator Guild · Policy Guild | Same as above + Sprint 141 Graph Indexer APIs | TODO | Wait on Graph Indexer APIs before wiring SDK quickstarts. |
-| 180.D SDK | SDK Generator Guild · Service Guilds providing OpenAPI | Same as above | TODO | Downstream of orchestrator/export OAS consolidation; keep templates updated. |
-| 180.E UI | UI Guild · Console Guild · Notifications Guild | Same as above | TODO | Exception center & graph canvas rely on policy/graph APIs; hold until upstream signals stabilize. |
-| 180.F Web | BE-Base Platform Guild · Platform Events Guild · Notifications Guild | Same as above | TODO | Gateway routing can start once AdvisoryAI/Export endpoints finalize; prepare guard helpers now. |
-
-## Wave Detail Snapshots
-| Wave | Entry criteria | Exit evidence | Notes |
-| --- | --- | --- | --- |
-| 180.A CLI | Orchestrator + Notifier scopes finalized; auth/output scaffolding approved. | CLI verbs implemented for new scopes; determinism tests passing; docs synced. | Track in Sprint 201+. |
-| 180.B DevPortal | Static site generator chosen; shared examples sourced; platform routing approved. | DevPortal sections published with examples; CI build green. | Track in Sprint 201+. |
-| 180.C Graph Exp | Graph Indexer APIs (Sprint 141) stable; policy contracts approved. | SDK/CLI quickstarts for graph queries published; regression tests passing. | Track in Sprint 201+. |
-| 180.D SDK | Consolidated OAS from services published; SDK templates refreshed. | SDKs generated with pinned versions and offline bundles; smoke tests pass. | Track in Sprint 201+. |
-| 180.E UI | Policy/graph APIs stable; notifier integration contract signed. | Exception center & graph canvas shipped behind feature flag; UX docs updated. | Track in Sprint 201+. |
-| 180.F Web | AdvisoryAI/Export endpoints finalized; gateway guard helpers ready. | Web gateway routing committed with guards; incident/webhook paths tested. | Track in Sprint 201+. |
-
-## Interlocks
-- Orchestrator + Notifier scopes for CLI verbs.
-- Graph Indexer API availability (Sprint 141) for 180.C.
-- OAS consolidation for SDK generation (180.D).
-- Platform routing/guards for Web/UI experiences (180.E/F).
-
-## Upcoming Checkpoints
-- 2025-12-07 · Review upstream sprint signals (141/150/170) and decide which waves move to Sprint 201.
-
-## Action Tracker
-| ID | Action | Owner | Due (UTC) | Status | Notes |
-| --- | --- | --- | --- | --- | --- |
-| AT-01 | Collect upstream readiness signals (141/150/170) and propose Sprint 201 wave starts. | Project Mgmt | 2025-12-07 | TODO | Source signals from sprint execution logs. |
-| AT-02 | Confirm static site generator choice for DevPortal wave. | DevPortal Guild | 2025-12-07 | TODO | Needed before moving wave 180.B to DOING. |
-
-## Decisions & Risks
-- Experience waves remain paused pending upstream API/contracts; track readiness rather than implementation here.
-
-| Risk | Impact | Mitigation | Owner | Status |
-| --- | --- | --- | --- | --- |
-| Upstream Orchestrator/Notifier scopes slip. | Delays CLI/Web experience delivery. | Pull scope signals weekly; shift to Sprint 201 once stable. | Project Mgmt | OPEN |
-| Graph Indexer APIs unstable. | SDK/CLI graph quickstarts would rework. | Gate 180.C until Sprint 141 publishes stable APIs. | Project Mgmt | OPEN |
-| DevPortal generator choice stalls content. | Docs/SDK examples miss deadlines. | AT-02 to choose generator; reuse CLI/SDK examples for consistency. | DevPortal Guild | OPEN |
-
-## Execution Log
-| Date (UTC) | Update | Owner |
-| --- | --- | --- |
-| 2025-11-30 | Normalized to docs/implplan template; added delivery tracker placeholder, wave details, interlocks, actions, risks. | Project Mgmt |
-| 2025-11-08 | Archived completed items to `docs/implplan/archived/tasks.md`; file now tracks status snapshot only. | Project Mgmt |
+Please edit the canonical file only. This legacy filename is retained to prevent divergent updates.

docs/implplan/SPRINT_3401_0001_0001_postgres_authority.md

@@ -39,27 +39,27 @@
 | 16 | PG-T1.6.2 | DONE | Completed 2025-11-29 | Authority Guild | Implement `IAuditRepository` |
 | 17 | PG-T1.7 | DONE | Completed 2025-11-29 | Authority Guild | Add configuration switch in `ServiceCollectionExtensions` |
 | 18 | PG-T1.8.1 | DONE | Completed 2025-11-29 | Authority Guild | Write integration tests for all repositories |
-| 19 | PG-T1.8.2 | TODO | Depends on PG-T1.8.1; blocked pending AGENTS for working dir | Authority Guild | Write determinism tests for token generation |
-| 20 | PG-T1.9 | TODO | Depends on PG-T1.8; blocked pending AGENTS for working dir | Authority Guild | Optional: Implement dual-write wrapper for Tier A verification |
-| 21 | PG-T1.10 | TODO | Depends on PG-T1.8; blocked pending AGENTS for working dir | Authority Guild | Run backfill from MongoDB to PostgreSQL |
-| 22 | PG-T1.11 | TODO | Depends on PG-T1.10; blocked pending AGENTS for working dir | Authority Guild | Verify data integrity: row counts, checksums |
-| 23 | PG-T1.12 | TODO | Depends on PG-T1.11; blocked pending AGENTS for working dir | Authority Guild | Switch Authority to PostgreSQL-only |
+| 19 | PG-T1.8.2 | DONE | Completed 2025-12-01 | Authority Guild | Write determinism tests for token generation |
+| 20 | PG-T1.9 | TODO | Depends on PG-T1.8 | Authority Guild | Optional: Implement dual-write wrapper for Tier A verification |
+| 21 | PG-T1.10 | TODO | Depends on PG-T1.8 | Authority Guild | Run backfill from MongoDB to PostgreSQL |
+| 22 | PG-T1.11 | TODO | Depends on PG-T1.10 | Authority Guild | Verify data integrity: row counts, checksums |
+| 23 | PG-T1.12 | TODO | Depends on PG-T1.11 | Authority Guild | Switch Authority to PostgreSQL-only |
 
 ## Wave Coordination
 - Single-wave sprint (Phase 1). Downstream phases 2–4 proceed independently once Phase 0 foundations verified.
 
 ## Wave Detail Snapshots
-- **Phase 1 (current):** Storage project, schema, repositories, and integration tests completed; determinism tests and cutover steps remain.
+- **Phase 1 (current):** Storage project, schema, repositories, integration + determinism tests completed; dual-write, backfill, and cutover steps remain.
 
 ## Interlocks
 - Alignment with Scheduler (Phase 2) for shared tenant/user references before cutover.
 - Requires Phase 0 foundations artifacts for migrations and shared abstractions.
-- AGENTS file missing for `src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres`; implementers should not start new work until created.
+- AGENTS charter published 2025-11-30 for `src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres`; implementers may proceed with Phase 1 tasks.
 
 ## Action Tracker
 | Item | Status | Owner | Next step |
 | --- | --- | --- | --- |
-| Create AGENTS.md for `src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres` | TODO | Authority PM | Draft minimal charter (roles, prerequisites, test rules) so remaining tasks can move to DOING |
+| Create AGENTS.md for `src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres` | DONE | Codex | Published AGENTS charter (see working directory); link sprint and unblock PG-T1.8.2+ |
 | Plan dual-write verification harness for Tier A data | TODO | Authority Guild | Define wrapper and metrics for PG-T1.9; capture in docs/db/tasks/PHASE_1_AUTHORITY.md |
 
 ## Decisions & Risks
@@ -72,8 +72,7 @@
 | Risk | Impact | Mitigation |
 | --- | --- | --- |
 | Audit log growth without partitioning | Large tables degrade query latency | Add time-based partitioning before production cutover (post Phase 1 hardening) |
-| Missing AGENTS for working directory | Implementers cannot start PG-T1.8.2+ per charter rules | Create AGENTS.md (see Action Tracker) and link from sprint once published |
-| Cutover without determinism tests | Token issuance non-deterministic across dual-write | Complete PG-T1.8.2 determinism tests before PG-T1.9–PG-T1.12 |
+| Dual-write wrapper not defined | Tier A verification may slip schedule | Define wrapper/metrics in PG-T1.9; capture in docs/db/tasks/PHASE_1_AUTHORITY.md |
 
 ## Exit Criteria
 - [ ] All 12+ repository interfaces implemented
@@ -93,6 +92,8 @@
 | 2025-11-29 | ServiceCollectionExtensions updated with all repository registrations (PG-T1.7) | Claude |
 | 2025-11-29 | Integration tests created for all repositories (PG-T1.8.1) | Claude |
 | 2025-11-30 | Normalised sprint to docs/implplan template; added interlocks/action tracker; flagged missing AGENTS for working dir | Codex |
+| 2025-11-30 | Created AGENTS charter for storage working dir; unblocked PG-T1.8.2+ | Codex |
+| 2025-12-01 | Added deterministic ordering tests for token and refresh repositories (PG-T1.8.2) | Codex |
 
 ---
 *Reference: docs/db/tasks/PHASE_1_AUTHORITY.md*

docs/implplan/SPRINT_3402_0001_0001_postgres_scheduler.md

@@ -52,6 +52,7 @@
 | 2025-11-29 | Integration tests created for Trigger, DistributedLock, Worker repositories (PG-T2.8.1) | Claude |
 | 2025-11-30 | Added deterministic due-trigger ordering and determinism + concurrency test coverage (PG-T2.8.2, PG-T2.8.3) | StellaOps Agent |
 | 2025-11-30 | Postgres integration test run failed locally: Docker daemon unavailable (Testcontainers) | StellaOps Agent |
+| 2025-12-01 | Added local Postgres 17 docker-compose + usage doc (`docs/db/local-postgres.md`) | StellaOps Agent |
 
 ## Decisions & Risks
 - PostgreSQL advisory locks replace MongoDB distributed locks.
@@ -60,7 +61,7 @@
 - Job payload stored as JSONB for flexibility.
 - Risk: advisory lock key collision; use tenant-scoped hash values.
 - Due trigger retrieval is now ordered by `next_fire_at`, `tenant_id`, then `id` to keep scheduling deterministic under ties.
-- Risk: Local test runs require Docker for Testcontainers; ensure Docker daemon is available before CI/local execution.
+- Risk: Local test runs require Docker for Testcontainers; ensure Docker daemon is available before CI/local execution. Fallback local Postgres compose provided.
 
 ## Exit Criteria
 - [ ] All repository interfaces implemented

docs/implplan/SPRINT_3403_0001_0001_postgres_notify.md

@@ -48,9 +48,9 @@
 | 23 | PG-T3.8.3 | DONE | Completed 2025-11-29 | Notify Guild | Implement `IAuditRepository` |
 | 24 | PG-T3.9 | DONE | Completed 2025-11-29 | Notify Guild | Add configuration switch in `ServiceCollectionExtensions` |
 | 25 | PG-T3.10.1 | DONE | Completed 2025-11-29 | Notify Guild | Write integration tests for all repositories |
-| 26 | PG-T3.10.2 | TODO | Depends on PG-T3.10.1 | Notify Guild | Test notification delivery flow end-to-end |
-| 27 | PG-T3.10.3 | TODO | Depends on PG-T3.10.1 | Notify Guild | Test escalation handling |
-| 28 | PG-T3.10.4 | TODO | Depends on PG-T3.10.1 | Notify Guild | Test digest aggregation |
+| 26 | PG-T3.10.2 | BLOCKED | Await PG-T3.10.1 verified evidence | Notify Guild | Test notification delivery flow end-to-end |
+| 27 | PG-T3.10.3 | BLOCKED | Await PG-T3.10.1 verified evidence | Notify Guild | Test escalation handling |
+| 28 | PG-T3.10.4 | BLOCKED | Await PG-T3.10.1 verified evidence | Notify Guild | Test digest aggregation |
 | 29 | PG-T3.11 | TODO | Depends on PG-T3.10.x verification | Notify Guild | Switch Notify to PostgreSQL-only |
 
 ## Wave Coordination
@@ -77,6 +77,7 @@ Risks:
 | Escalation state churn can create hot partitions | Elevated write contention and vacuum churn | Index on tenant + escalation key; monitor autovacuum settings and add partial indexes if needed | Notify Guild | Open |
 | Digest aggregation queries may be complex/heavy | Slow digest generation or stale digests | Evaluate materialized views with refresh-on-commit for high-volume tenants; add explain plans in PG-T3.10.4 | Notify Guild | Open |
 | Cutover depends on successful PG-T3.10.x end-to-end tests | PostgreSQL-only switch (PG-T3.11) blocked | Run end-to-end suites immediately after PG-T3.10.1 evidence; keep Mongo fallback toggles until PG-T3.11 sign-off | Notify Guild | Open |
+| Test rig resource limits (PTY exhaustion) during PG-T3.10.1 rerun | Blocks evidence capture; delays PG-T3.10.x | Retry on fresh shell; trim parallel execs; consider running headless logger instead of TTY; clear duplicate PackageReference warnings before rerun | Notify Guild | Open |
 
 ## Exit Criteria
 - [ ] All 15 repository interfaces implemented
@@ -93,7 +94,9 @@ Risks:
 | # | Action | Owner | Status | Notes |
 | --- | --- | --- | --- | --- |
 | 1 | Add AGENTS.md for `StellaOps.Notify.Storage.Postgres` working directory | Planning | DONE | Added 2025-11-30 and linked in Documentation Prerequisites |
-| 2 | Capture PG-T3.10.1 evidence in repo tests report | Notify Guild | TODO | Needed before starting PG-T3.10.2–PG-T3.10.4 |
+| 2 | Capture PG-T3.10.1 evidence in repo tests report | Notify Guild | BLOCKED | Restore/build stalled (duplicate PackageReference warnings) and host PTY quota hit; re-run needed once environment stable |
+| 3 | Resolve duplicate PackageReference items in `StellaOps.Notify.Storage.Postgres.Tests.csproj` | Notify Guild | TODO | Clean references before next test run to avoid NU1504 noise |
+| 4 | Run PG-T3.10.x end-to-end suites (delivery, escalation, digest) | Notify Guild | BLOCKED | Pending PG-T3.10.1 evidence |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
@@ -104,6 +107,8 @@ Risks:
 | 2025-11-29 | Integration tests created for Channel, Delivery, Rule, Template, Inbox, Digest, NotifyAudit repositories (PG-T3.10.1) | Claude |
 | 2025-11-30 | Normalised sprint to docs/implplan template; added coordination/interlock/action sections | Planning |
 | 2025-11-30 | Added AGENTS.md for Postgres storage working directory and linked in prerequisites | Planning |
+| 2025-11-30 | Attempted PG-T3.10.1 re-run; build stalled on restore (duplicate PackageReference warnings) and host PTY limit; evidence not captured | Notify Guild |
+| 2025-11-30 | PG-T3.10.1 rerun blocked by repeated PTY allocation failures (“No space left on device”) while invoking `dotnet test`; requires environment cleanup and csproj dedupe | Notify Guild |
 
 ---
 *Reference: docs/db/tasks/PHASE_3_NOTIFY.md*

docs/implplan/SPRINT_3405_0001_0001_postgres_vulnerabilities.md

@@ -23,26 +23,26 @@
 ### Sprint 5a: Schema & Repositories
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | PG-T5a.1 | TODO | Depends on PG-T0.7 | Concelier Guild | Create `StellaOps.Concelier.Storage.Postgres` project structure |
-| 2 | PG-T5a.2.1 | TODO | Depends on PG-T5a.1 | Concelier Guild | Create schema migration for `vuln` schema |
-| 3 | PG-T5a.2.2 | TODO | Depends on PG-T5a.2.1 | Concelier Guild | Create `sources`, `feed_snapshots` tables |
-| 4 | PG-T5a.2.3 | TODO | Depends on PG-T5a.2.1 | Concelier Guild | Create `advisories`, `advisory_snapshots` tables |
-| 5 | PG-T5a.2.4 | TODO | Depends on PG-T5a.2.1 | Concelier Guild | Create `advisory_aliases`, `advisory_cvss` tables |
-| 6 | PG-T5a.2.5 | TODO | Depends on PG-T5a.2.1 | Concelier Guild | Create `advisory_affected` with PURL matching indexes |
-| 7 | PG-T5a.2.6 | TODO | Depends on PG-T5a.2.1 | Concelier Guild | Create `advisory_references`, `advisory_credits`, `advisory_weaknesses` tables |
-| 8 | PG-T5a.2.7 | TODO | Depends on PG-T5a.2.1 | Concelier Guild | Create `kev_flags`, `source_states`, `merge_events` tables |
-| 9 | PG-T5a.2.8 | TODO | Depends on PG-T5a.2.1 | Concelier Guild | Add full-text search index on advisories |
-| 10 | PG-T5a.3 | TODO | Depends on PG-T5a.2 | Concelier Guild | Implement `ConcelierDataSource` class |
-| 11 | PG-T5a.4.1 | TODO | Depends on PG-T5a.3 | Concelier Guild | Implement `ISourceRepository` |
-| 12 | PG-T5a.4.2 | TODO | Depends on PG-T5a.3 | Concelier Guild | Implement `IAdvisoryRepository.GetByKeyAsync` |
-| 13 | PG-T5a.4.3 | TODO | Depends on PG-T5a.3 | Concelier Guild | Implement `IAdvisoryRepository.GetByAliasAsync` (CVE lookup) |
-| 14 | PG-T5a.4.4 | TODO | Depends on PG-T5a.3 | Concelier Guild | Implement `IAdvisoryRepository.SearchAsync` with full-text search |
-| 15 | PG-T5a.4.5 | TODO | Depends on PG-T5a.3 | Concelier Guild | Implement `IAdvisoryRepository.UpsertAsync` with all child tables |
-| 16 | PG-T5a.4.6 | TODO | Depends on PG-T5a.3 | Concelier Guild | Implement `IAdvisoryRepository.GetAffectingPackageAsync` (PURL match) |
-| 17 | PG-T5a.4.7 | TODO | Depends on PG-T5a.3 | Concelier Guild | Implement `IAdvisoryRepository.GetAffectingPackageNameAsync` |
-| 18 | PG-T5a.5.1 | TODO | Depends on PG-T5a.3 | Concelier Guild | Implement child table repositories (Alias, CVSS, Affected) |
-| 19 | PG-T5a.5.2 | TODO | Depends on PG-T5a.3 | Concelier Guild | Implement child table repositories (Reference, Credit, Weakness) |
-| 20 | PG-T5a.5.3 | TODO | Depends on PG-T5a.3 | Concelier Guild | Implement KEV and SourceState repositories |
+| 1 | PG-T5a.1 | DONE | Depends on PG-T0.7 | Concelier Guild | Create `StellaOps.Concelier.Storage.Postgres` project structure |
+| 2 | PG-T5a.2.1 | DONE | Depends on PG-T5a.1 | Concelier Guild | Create schema migration for `vuln` schema |
+| 3 | PG-T5a.2.2 | DONE | Depends on PG-T5a.2.1 | Concelier Guild | Create `sources`, `feed_snapshots` tables |
+| 4 | PG-T5a.2.3 | DONE | Depends on PG-T5a.2.1 | Concelier Guild | Create `advisories`, `advisory_snapshots` tables |
+| 5 | PG-T5a.2.4 | DONE | Depends on PG-T5a.2.1 | Concelier Guild | Create `advisory_aliases`, `advisory_cvss` tables |
+| 6 | PG-T5a.2.5 | DONE | Depends on PG-T5a.2.1 | Concelier Guild | Create `advisory_affected` with PURL matching indexes |
+| 7 | PG-T5a.2.6 | DONE | Depends on PG-T5a.2.1 | Concelier Guild | Create `advisory_references`, `advisory_credits`, `advisory_weaknesses` tables |
+| 8 | PG-T5a.2.7 | DONE | Depends on PG-T5a.2.1 | Concelier Guild | Create `kev_flags`, `source_states`, `merge_events` tables |
+| 9 | PG-T5a.2.8 | DONE | Depends on PG-T5a.2.1 | Concelier Guild | Add full-text search index on advisories |
+| 10 | PG-T5a.3 | DONE | Depends on PG-T5a.2 | Concelier Guild | Implement `ConcelierDataSource` class |
+| 11 | PG-T5a.4.1 | DONE | Depends on PG-T5a.3 | Concelier Guild | Implement `ISourceRepository` |
+| 12 | PG-T5a.4.2 | DONE | Depends on PG-T5a.3 | Concelier Guild | Implement `IAdvisoryRepository.GetByKeyAsync` |
+| 13 | PG-T5a.4.3 | DONE | Depends on PG-T5a.3 | Concelier Guild | Implement `IAdvisoryRepository.GetByAliasAsync` (CVE lookup) |
+| 14 | PG-T5a.4.4 | DONE | Depends on PG-T5a.3 | Concelier Guild | Implement `IAdvisoryRepository.SearchAsync` with full-text search |
+| 15 | PG-T5a.4.5 | DONE | Depends on PG-T5a.3 | Concelier Guild | Implement `IAdvisoryRepository.UpsertAsync` with all child tables |
+| 16 | PG-T5a.4.6 | DONE | Depends on PG-T5a.3 | Concelier Guild | Implement `IAdvisoryRepository.GetAffectingPackageAsync` (PURL match) |
+| 17 | PG-T5a.4.7 | DONE | Depends on PG-T5a.3 | Concelier Guild | Implement `IAdvisoryRepository.GetAffectingPackageNameAsync` |
+| 18 | PG-T5a.5.1 | DONE | Depends on PG-T5a.3 | Concelier Guild | Implement child table repositories (Alias, CVSS, Affected) |
+| 19 | PG-T5a.5.2 | DONE | Depends on PG-T5a.3 | Concelier Guild | Implement child table repositories (Reference, Credit, Weakness) |
+| 20 | PG-T5a.5.3 | DONE | Depends on PG-T5a.3 | Concelier Guild | Implement KEV and SourceState repositories |
 | 21 | PG-T5a.6 | TODO | Depends on PG-T5a.5 | Concelier Guild | Write integration tests for all repositories |
 
 ### Sprint 5b: Conversion & Verification
@@ -69,7 +69,7 @@
 - Dual-import mode (PG-T5b.3.1) and parity checks (PG-T5b.4.x) gate the Excititor hand-off.
 
 ## Wave Detail Snapshots
-- **Wave 5a focus:** project creation, schema migrations, repositories, and integration tests; all tasks currently `TODO`.
+- **Wave 5a focus:** project creation, schema migrations, repositories, and integration tests; all tasks except PG-T5a.6 are DONE.
 - **Wave 5b focus:** converter, importer rewrites, parity runs, and performance tuning; blocked until Wave 5a completes integration tests.
 
 ## Interlocks
@@ -93,7 +93,7 @@
 ## Action Tracker
 | # | Action | Owner | Due | Status | Notes |
 | --- | --- | --- | --- | --- | --- |
-| 1 | Confirm Sprint 3400 (Phase 0) completion and evidence link | Planning | TBD | TODO | Required before PG-T5a.1 starts |
+| 1 | Confirm Sprint 3400 (Phase 0) completion and evidence link | Planning | 2025-11-30 | DONE | PG-T0.7 marked DONE in `docs/implplan/SPRINT_3400_0001_0001_postgres_foundations.md`; dependency unblocked |
 | 2 | Assign owners and dates for parity verification checkpoints | Concelier Guild | TBD | TODO | Populate Upcoming Checkpoints with dates |
 
 ## Decisions & Risks
@@ -111,6 +111,8 @@
 | --- | --- | --- |
 | 2025-11-28 | Sprint file created | Planning |
 | 2025-11-30 | Normalised to docs/implplan template; added coordination, interlocks, risk table, and action tracker | Planning |
+| 2025-11-30 | Confirmed upstream dependency PG-T0.7 DONE (Sprint 3400 Phase 0); action tracker updated | Planning |
+| 2025-12-01 | Implemented Concelier PostgreSQL repositories, child tables, and advisory lookup methods; Wave 5a tasks 10-20 marked DONE | Concelier Guild |
 
 ---
 *Reference: docs/db/tasks/PHASE_5_VULNERABILITIES.md*

docs/implplan/SPRINT_3406_0001_0001_postgres_vex_graph.md

@@ -16,6 +16,8 @@
 - docs/db/README.md
 - docs/db/SPECIFICATION.md (Section 5.3 - VEX Schema)
 - docs/db/RULES.md
+- docs/modules/excititor/architecture.md
+- docs/modules/platform/architecture-overview.md
 - src/Excititor/AGENTS.md
 
 ## Wave Coordination
@@ -42,7 +44,7 @@
 ### Sprint 6a: Core Schema & Repositories
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | PG-T6a.1 | TODO | Depends on PG-T5b.6 | Excititor Guild | Create `StellaOps.Excititor.Storage.Postgres` project structure |
+| 1 | PG-T6a.1 | BLOCKED | Depends on PG-T5b.6 (Sprint 3405 still TODO) | Excititor Guild | Create `StellaOps.Excititor.Storage.Postgres` project structure |
 | 2 | PG-T6a.2.1 | TODO | Depends on PG-T6a.1 | Excititor Guild | Create schema migration for `vex` schema |
 | 3 | PG-T6a.2.2 | TODO | Depends on PG-T6a.2.1 | Excititor Guild | Create `projects`, `graph_revisions` tables |
 | 4 | PG-T6a.2.3 | TODO | Depends on PG-T6a.2.1 | Excititor Guild | Create `graph_nodes`, `graph_edges` tables (BIGSERIAL) |
@@ -96,7 +98,7 @@
 ## Action Tracker
 | # | Item | Status | Owner | Notes |
 | --- | --- | --- | --- | --- |
-| 1 | Confirm Sprints 3400 and 3405 are marked DONE before Wave 6a starts | TODO | Planning | Blocker gate for PG-T6a.1 |
+| 1 | Confirm Sprints 3400 and 3405 are marked DONE before Wave 6a starts | BLOCKED | Planning | Sprint 3405 tasks still TODO; gate remains closed |
 | 2 | Lock agreed revision_id algorithm in docs/db/SPECIFICATION.md addendum | TODO | Excititor Guild | Needed before tasks PG-T6b.4.1-4.4 |
 | 3 | Coordinate COPY settings (work_mem, statement_timeout) with DB ops | TODO | Excititor Guild | Required ahead of PG-T6b.2/PG-T6b.3 |
 
@@ -112,10 +114,13 @@
 | Revision_id instability | High: breaks reproducibility and cutover confidence | Document algorithm; deterministic ordering; 5x stability tests (PG-T6b.4.1-4.4) | Open |
 | COPY misconfiguration | Medium: bulk inserts fail or throttle | Pre-negotiate COPY settings with DB ops; reuse infra defaults from Sprint 3400 | Open |
 | Dual-run divergence | High: Mongo vs Postgres results mismatch | Use comparison tasks PG-T6c.3.1-3.5; capture deltas and block cutover until resolved | Open |
+| Upstream Sprint 3405 incomplete | High: Wave 6a cannot start | Keep PG-T6a.1 BLOCKED until PG-T5b.6 marked DONE; mirror status in Action Tracker | Open |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-30 | Marked PG-T6a.1 BLOCKED pending Sprint 3405 PG-T5b.6 completion; Action Tracker updated | Planning |
+| 2025-11-30 | Added module/platform docs to prerequisites | Planning |
 | 2025-11-30 | Normalised sprint to docs/implplan template (waves/interlocks/action tracker) | Planning |
 | 2025-11-28 | Sprint file created | Planning |
 

docs/implplan/SPRINT_503_ops_devops_i.md

@@ -70,6 +70,9 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
 | 2025-11-24 | Added DEVOPS-SCANNER-JAVA-21-011-REL (moved from SPRINT_0131_0001_0001_scanner_surface.md) to keep DevOps release packaging in ops track. | Project Mgmt |
 | 2025-11-24 | Added DEVOPS-SPANSINK-31-003 (Excititor span sink for 31-003 traces) moved from SPRINT_0119_0001_0001_excititor_i per ops-only directive. | Project Mgmt |
 | 2025-11-24 | Imported Concelier feed ops items FEED-REMEDIATION-1001 and FEEDCONN-ICSCISA/KISA from Sprint 110; keeping feed remediation in ops track. | Project Mgmt |
+| 2025-12-01 | Completed DEVOPS-AIRGAP-58-001: added syslog/SMTP compose stack (`ops/devops/airgap/compose-syslog-smtp.yaml`) and health script (`health_syslog_smtp.sh`); documented in airgap README for sealed environments. | DevOps |
+| 2025-12-01 | Completed DEVOPS-AIRGAP-58-002: added sealed-mode observability compose (Prometheus/Grafana/Tempo/Loki) with offline configs and `health_observability.sh`; updated airgap README. | DevOps |
+| 2025-12-01 | Marked DEVOPS-SPANSINK-31-003 to DOING; span sink/Signals pipeline setup underway. | DevOps |
 | 2025-11-30 | Completed DEVOPS-AIRGAP-58-001: added syslog/SMTP compose stack (`ops/devops/airgap/compose-syslog-smtp.yaml`) and health script (`health_syslog_smtp.sh`); documented in airgap README for sealed environments. | DevOps |
 | 2025-11-30 | DEVOPS-AIAI-31-001 DONE: added Advisory AI CI harness (`ops/devops/advisoryai-ci-runner/run-advisoryai-ci.sh`) producing binlog/TRX/summary; warmed local NuGet cache for offline runs; docs in runner README. | DevOps |
 

docs/implplan/tasks-all.md

@@ -315,25 +315,25 @@
 | CLI-ATTEST-75-002 | TODO |  | SPRINT_0201_0001_0001_cli_i | CLI Attestor Guild | src/Cli/StellaOps.Cli | Add support for building/verifying attestation bundles in CLI. Dependencies: CLI-ATTEST-75-001. | Wait for ATEL0102 outputs | CLCI0109 |
 | CLI-CORE-41-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement CLI core features: config precedence, profiles/contexts, auth flows, output renderer (json/yaml/table), error mapping, global flags, telemetry opt-in. | — | CLCI0103 |
 | CLI-DET-01 | TODO |  | SPRINT_301_docs_tasks_md_i | Docs Guild · DevEx/CLI Guild |  | CLI-SBOM-60-001; CLI-SBOM-60-002 | CLI-SBOM-60-001; CLI-SBOM-60-002 | CLCI0103 |
-| CLI-DETER-70-003 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild, Scanner Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide `stella detscore run` that executes the determinism harness locally (fixed clock, seeded RNG, canonical hashes) and writes `determinism.json`, supporting CI/non-zero threshold exit codes (`docs/modules/scanner/determinism-score.md`). | — | CLCI0103 |
+| CLI-DETER-70-003 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild, Scanner Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide `stella detscore run` that executes the determinism harness locally (fixed clock, seeded RNG, canonical hashes) and writes `determinism.json`, supporting CI/non-zero threshold exit codes (`docs/modules/scanner/determinism-score.md`). | — | CLCI0103 |
 | CLI-DETER-70-004 | TODO |  | SPRINT_203_cli_iii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Add `stella detscore report` to summarise published `determinism.json` files (overall score, per-image matrix) and integrate with release notes/air-gap kits (`docs/modules/scanner/determinism-score.md`). Dependencies: CLI-DETER-70-003. | — | CLCI0103 |
 | CLI-DOCS-0001 | TODO |  | SPRINT_316_docs_modules_cli | Docs Guild (docs/modules/cli) | docs/modules/cli | See ./AGENTS.md | — | CLCI0103 |
 | CLI-EDITOR-401-004 | TODO |  | SPRINT_0401_0001_0001_reachability_evidence_chain | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/policy/lifecycle.md`) | `src/Cli/StellaOps.Cli`, `docs/policy/lifecycle.md` | Enhance `stella policy` CLI verbs (edit/lint/simulate) to edit Git-backed `.dsl` files, run local coverage tests, and commit SemVer metadata. | — | CLCI0103 |
 | CLI-ENG-0001 | TODO |  | SPRINT_316_docs_modules_cli | Module Team (docs/modules/cli) | docs/modules/cli | Update status via ./AGENTS.md workflow | — | CLCI0103 |
-| CLI-EXC-25-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella exceptions list | — | CLCI0103 |
-| CLI-EXC-25-002 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Extend `stella policy simulate` with `--with-exception`/`--without-exception` flags to preview exception impact. Dependencies: CLI-EXC-25-001. | — | CLCI0103 |
-| CLI-EXPORT-35-001 | BLOCKED | 2025-10-29 | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella export profiles | CLCI0103 | CLCI0104 |
-| CLI-EXPORT-36-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Add distribution commands (`stella export distribute`, `run download --resume` enhancements) and improved status polling with progress bars. Dependencies: CLI-EXPORT-35-001. | — | CLCI0104 |
-| CLI-EXPORT-37-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide scheduling (`stella export schedule`), retention, and `export verify` commands performing signature/hash validation. Dependencies: CLI-EXPORT-36-001. | — | CLCI0104 |
-| CLI-FORENSICS-53-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild, Evidence Locker Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella forensic snapshot create --case` and `snapshot list/show` commands invoking evidence locker APIs, surfacing manifest digests, and storing local cache metadata. | — | CLCI0104 |
-| CLI-FORENSICS-54-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide `stella forensic verify <bundle>` command validating checksums, DSSE signatures, and timeline chain-of-custody. Support JSON/pretty output and exit codes for CI. Dependencies: CLI-FORENSICS-53-001. | — | CLCI0104 |
-| CLI-FORENSICS-54-002 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella forensic attest show <artifact>` listing attestation details (signer, timestamp, subjects) and verifying signatures. Dependencies: CLI-FORENSICS-54-001. | — | CLCI0104 |
-| CLI-LNM-22-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella advisory obs get/linkset show/export` commands with JSON/OSV output, pagination, and conflict display; ensure `ERR_AGG_*` mapping. | — | CLCI0103 |
-| CLI-LNM-22-002 | TODO |  | SPRINT_202_cli_ii | CLI Guild · Concelier Guild | src/Cli/StellaOps.Cli | Implement `stella vex obs get/linkset show` commands with product filters, status filters, and JSON output for CI usage. Dependencies: CLI-LNM-22-001. | Needs CCLN0102 API contract | CLCI0109 |
-| CLI-NOTIFY-38-001 | BLOCKED | 2025-10-29 | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella notify rules | CLCI0103 | CLCI0104 |
-| CLI-NOTIFY-39-001 | BLOCKED | 2025-10-29 | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Add simulation (`stella notify simulate`) and digest commands with diff output and schedule triggering, including dry-run mode. Dependencies: CLI-NOTIFY-38-001. | CLCI0103 | CLCI0104 |
-| CLI-NOTIFY-40-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide ack token redemption workflow, escalation management, localization previews, and channel health checks. Dependencies: CLI-NOTIFY-39-001. | — | CLCI0104 |
-| CLI-OBS-50-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Ensure CLI HTTP client propagates `traceparent` headers for all commands, prints correlation IDs on failure, and records trace IDs in verbose logs (scrubbed). | — | CLCI0104 |
+| CLI-EXC-25-001 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella exceptions list | — | CLCI0103 |
+| CLI-EXC-25-002 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Extend `stella policy simulate` with `--with-exception`/`--without-exception` flags to preview exception impact. Dependencies: CLI-EXC-25-001. | — | CLCI0103 |
+| CLI-EXPORT-35-001 | BLOCKED | 2025-10-29 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella export profiles | CLCI0103 | CLCI0104 |
+| CLI-EXPORT-36-001 | BLOCKED | 2025-11-30 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Add distribution commands (`stella export distribute`, `run download --resume` enhancements) and improved status polling with progress bars. Dependencies: CLI-EXPORT-35-001. | — | CLCI0104 |
+| CLI-EXPORT-37-001 | BLOCKED | 2025-11-30 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide scheduling (`stella export schedule`), retention, and `export verify` commands performing signature/hash validation. Dependencies: CLI-EXPORT-36-001. | — | CLCI0104 |
+| CLI-FORENSICS-53-001 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild, Evidence Locker Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella forensic snapshot create --case` and `snapshot list/show` commands invoking evidence locker APIs, surfacing manifest digests, and storing local cache metadata. | — | CLCI0104 |
+| CLI-FORENSICS-54-001 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide `stella forensic verify <bundle>` command validating checksums, DSSE signatures, and timeline chain-of-custody. Support JSON/pretty output and exit codes for CI. Dependencies: CLI-FORENSICS-53-001. | — | CLCI0104 |
+| CLI-FORENSICS-54-002 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella forensic attest show <artifact>` listing attestation details (signer, timestamp, subjects) and verifying signatures. Dependencies: CLI-FORENSICS-54-001. | — | CLCI0104 |
+| CLI-LNM-22-001 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella advisory obs get/linkset show/export` commands with JSON/OSV output, pagination, and conflict display; ensure `ERR_AGG_*` mapping. | — | CLCI0103 |
+| CLI-LNM-22-002 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | CLI Guild · Concelier Guild | src/Cli/StellaOps.Cli | Implement `stella vex obs get/linkset show` commands with product filters, status filters, and JSON output for CI usage. Dependencies: CLI-LNM-22-001. | Needs CCLN0102 API contract | CLCI0109 |
+| CLI-NOTIFY-38-001 | BLOCKED | 2025-10-29 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella notify rules | CLCI0103 | CLCI0104 |
+| CLI-NOTIFY-39-001 | BLOCKED | 2025-10-29 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Add simulation (`stella notify simulate`) and digest commands with diff output and schedule triggering, including dry-run mode. Dependencies: CLI-NOTIFY-38-001. | CLCI0103 | CLCI0104 |
+| CLI-NOTIFY-40-001 | BLOCKED | 2025-11-30 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide ack token redemption workflow, escalation management, localization previews, and channel health checks. Dependencies: CLI-NOTIFY-39-001. | — | CLCI0104 |
+| CLI-OBS-50-001 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Ensure CLI HTTP client propagates `traceparent` headers for all commands, prints correlation IDs on failure, and records trace IDs in verbose logs (scrubbed). | — | CLCI0104 |
 | CLI-OBS-51-001 | TODO |  | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella obs top` command streaming service health metrics, SLO status, and burn-rate alerts with TUI view and JSON output. Dependencies: CLI-OBS-50-001. | — | CLCI0105 |
 | CLI-OBS-52-001 | TODO |  | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Add `stella obs trace <trace_id>` and `stella obs logs --from/--to` commands that correlate timeline events, logs, and evidence links with pagination + guardrails. Dependencies: CLI-OBS-51-001. | — | CLCI0105 |
 | CLI-OBS-55-001 | TODO |  | SPRINT_203_cli_iii | DevEx/CLI Guild · DevOps Guild | src/Cli/StellaOps.Cli | Add `stella obs incident-mode enable. Dependencies: CLI-OBS-52-001. | — | CLCI0105 |
@@ -1199,8 +1199,8 @@
 | MIRROR-CRT-58-002 | TODO |  | SPRINT_0506_ops_devops_iv | Mirror Creator Guild · CLI Guild · Exporter Guild |  | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | ATMI0101 |
 | MTLS-11-002 | DONE | 2025-11-08 | SPRINT_100_identity_signing | Authority Core & Security Guild | src/Authority/StellaOps.Authority | Refresh grants enforce original client cert, tokens persist `x5t#S256` metadata, docs updated. | AUTH-DPOP-11-001 | AUIN0102 |
 | NATIVE-401-015 | TODO |  | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Worker Guild | `src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native`, `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native` | Bootstrap Symbols.Native + CallGraph.Native scaffolding and coverage fixtures. | Needs replay requirements from DORR0101 | SCNA0101 |
-| NOTIFY-38-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Route approval/rule APIs through Web gateway with tenant scopes. | Wait for NOTY0103 approval payload schema | NOWB0101 |
-| NOTIFY-39-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Surface digest/simulation/quiet-hour controls in Web tier. | Needs correlation outputs from NOTY0105 | NOWB0101 |
+| NOTIFY-38-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Route approval/rule APIs through Web gateway with tenant scopes. | Wait for NOTY0103 approval payload schema | NOWB0101 |
+| NOTIFY-39-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Surface digest/simulation/quiet-hour controls in Web tier. | Needs correlation outputs from NOTY0105 | NOWB0101 |
 | NOTIFY-40-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement escalations + ack workflows, localization previews, and channel health checks. | NOTIFY-39-001 | NOWC0101 |
 | NOTIFY-AIRGAP-56-002 | DONE |  | SPRINT_170_notifications_telemetry | Notifications Service Guild · DevOps Guild | src/Notify/StellaOps.Notify | Ship AirGap-ready notifier bundles (Helm overlays, secrets templates, rollout guide). | MIRROR-CRT-56-001 | NOIA0101 |
 | NOTIFY-ATTEST-74-001 | DOING |  | SPRINT_170_notifications_telemetry | Notifications Service Guild · Attestor Service Guild | src/Notify/StellaOps.Notify | Create attestor-driven notification templates + schema docs; publish in `/docs/notifications/templates.md`. | ATEL0101 | NOIA0101 |
@@ -2101,6 +2101,7 @@
 | WEB-AIRGAP-57-001 | TODO |  | SPRINT_116_concelier_v | Concelier WebService Guild, AirGap Policy Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService |  |  |  |
 | WEB-AIRGAP-58-001 | TODO |  | SPRINT_116_concelier_v | Concelier WebService Guild, AirGap Importer Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService |  |  |  |
 | WEB-AOC-19-002 | DONE (2025-11-30) |  | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Ship `ProvenanceBuilder`, checksum utilities, and signature verification helper integrated with guard logging. Cover DSSE/CMS formats with unit tests. Dependencies: WEB-AOC-19-001. |  |  |
+| WEB-AOC-19-003 | DONE (2025-11-30) |  | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild; QA Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Analyzer/guard validation: block forbidden keys, unknown fields, missing provenance/signatures; add frontend fixtures/tests. Depends on WEB-AOC-19-002. |  |  |
 | WEB-AOC-19-003 | TODO |  | SPRINT_116_concelier_v | QA Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService |  |  |  |
 | WEB-AOC-19-004 | TODO |  | SPRINT_116_concelier_v | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService |  |  |  |
 | WEB-AOC-19-005 | TODO | 2025-11-08 | SPRINT_116_concelier_v | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService |  |  |  |
@@ -2115,7 +2116,7 @@
 | WEB-CONTAINERS-45-001 | DONE | 2025-11-19 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Ensure readiness endpoints reflect DB/queue readiness, add feature flag toggles via config map, and document NetworkPolicy ports. Dependencies: WEB-CONTAINERS-44-001. |  |  |
 | WEB-CONTAINERS-46-001 | DONE | 2025-11-19 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide offline-friendly asset serving (no CDN), allow overriding object store endpoints via env, and document fallback behavior. Dependencies: WEB-CONTAINERS-45-001. |  |  |
 | WEB-EXC-25-001 | TODO |  | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement `/exceptions` API (create, propose, approve, revoke, list, history) with validation, pagination, and audit logging. |  |  |
-| WEB-EXC-25-002 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Extend `/policy/effective` and `/policy/simulate` responses to include exception metadata and accept overrides for simulations. Dependencies: WEB-EXC-25-001. |  |  |
+| WEB-EXC-25-002 | BLOCKED | 2025-11-30 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Extend `/policy/effective` and `/policy/simulate` responses to include exception metadata and accept overrides for simulations. Dependencies: WEB-EXC-25-001. |  |  |
 | WEB-EXC-25-003 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Platform Events Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Publish `exception.*` events, integrate with notification hooks, enforce rate limits. Dependencies: WEB-EXC-25-002. |  |  |
 | WEB-EXPORT-35-001 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Surface Export Center APIs (profiles/runs/download) through gateway with tenant scoping, streaming support, and viewer/operator scope checks. |  |  |
 | WEB-EXPORT-36-001 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add distribution routes (OCI/object storage), manifest/provenance proxies, and signed URL generation. Dependencies: WEB-EXPORT-35-001. |  |  |
@@ -2125,25 +2126,27 @@
 | WEB-GRAPH-21-003 | BLOCKED | 2025-10-27 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, QA Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Map graph service errors to `ERR_Graph_*`, support GraphML/JSONL export streaming, and document rate limits. Dependencies: WEB-GRAPH-21-002. |  |  |
 | WEB-GRAPH-21-004 | BLOCKED | 2025-10-27 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Proxy Policy Engine overlay responses for graph endpoints while keeping gateway stateless; maintain streaming budgets and latency SLOs. Dependencies: WEB-GRAPH-21-003. |  |  |
 | WEB-GRAPH-24-001 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Gateway proxy for Graph API and Policy overlays with RBAC, caching, pagination, ETags, and streaming; zero business logic. Dependencies: WEB-GRAPH-21-004. |  |  |
-| WEB-GRAPH-24-004 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Embed AOC summaries sourced from overlay services; ensure gateway does not compute derived severity or hints. Dependencies: WEB-GRAPH-24-001. |  |  |
+| WEB-GRAPH-24-002 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild; SBOM Service Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | `/graph/assets/*` endpoints (snapshots, adjacency, search) with pagination, ETags, and tenant scoping as pure proxy. Dependencies: WEB-GRAPH-24-001. |  |  |
+| WEB-GRAPH-24-003 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Embed AOC summaries from overlay services; gateway does not compute derived severity or hints. Dependencies: WEB-GRAPH-24-002. |  |  |
+| WEB-GRAPH-24-004 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild; Observability Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling strategy. Dependencies: WEB-GRAPH-24-003. |  |  |
 | WEB-LNM-21-001 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Concelier WebService Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Surface new `/advisories/*` APIs through gateway with caching, pagination, and RBAC enforcement (`advisory:read`). |  |  |
 | WEB-LNM-21-002 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Excititor WebService Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/vex/*` read APIs with evidence routes and export handlers; map `ERR_AGG_*` codes. Dependencies: WEB-LNM-21-001. |  |  |
-| WEB-LNM-21-003 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide combined endpoint for Console to fetch policy result + source evidence (advisory + VEX linksets) for a component. Dependencies: WEB-LNM-21-002. |  |  |
-| WEB-NOTIFY-38-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. | Depends on #1 for signed ack spec | NOWB0101 |
-| WEB-NOTIFY-39-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. Dependencies: WEB-NOTIFY-38-001. | WEB-NOTIFY-38-001 | NOWB0101 |
-| WEB-NOTIFY-40-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. Dependencies: WEB-NOTIFY-39-001. |  |  |
+| WEB-LNM-21-003 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide combined endpoint for Console to fetch policy result + source evidence (advisory + VEX linksets) for a component. Dependencies: WEB-LNM-21-002. |  |  |
+| WEB-NOTIFY-38-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. | Depends on #1 for signed ack spec | NOWB0101 |
+| WEB-NOTIFY-39-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. Dependencies: WEB-NOTIFY-38-001. | WEB-NOTIFY-38-001 | NOWB0101 |
+| WEB-NOTIFY-40-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. Dependencies: WEB-NOTIFY-39-001. |  |  |
 | WEB-OAS-61-001 | TODO |  | SPRINT_124_excititor_vi | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService) | src/Excititor/StellaOps.Excititor.WebService |  |  |  |
 | WEB-OAS-61-002 | TODO |  | SPRINT_116_concelier_v | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService |  |  |  |
 | WEB-OAS-62-001 | TODO |  | SPRINT_116_concelier_v | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService |  |  |  |
 | WEB-OAS-63-001 | TODO |  | SPRINT_116_concelier_v | Concelier WebService Guild, API Governance Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService |  |  |  |
-| WEB-OBS-50-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Integrate `StellaOps.Telemetry.Core` into gateway host, replace ad-hoc logging, ensure all routes emit trace/span IDs, tenant context, and scrubbed payload previews. |  |  |
+| WEB-OBS-50-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Integrate `StellaOps.Telemetry.Core` into gateway host, replace ad-hoc logging, ensure all routes emit trace/span IDs, tenant context, and scrubbed payload previews. |  |  |
 | WEB-OBS-51-001 | TODO |  | SPRINT_116_concelier_v | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Paired with #1 for shared middleware | Paired with #1 for shared middleware | CNOB0102 |
 | WEB-OBS-52-001 | TODO |  | SPRINT_116_concelier_v | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Dependent on CLI/VEX readiness (035_CLCI0105) for payload format | Dependent on CLI/VEX readiness (035_CLCI0105) for payload format | CNOB0102 |
 | WEB-OBS-53-001 | TODO |  | SPRINT_117_concelier_vi | Concelier WebService Guild · Evidence Locker Guild | src/Concelier/StellaOps.Concelier.WebService | Needs Evidence Locker API spec from 002_ATEL0101 | Needs Evidence Locker API spec from 002_ATEL0101 | CNOB0102 |
 | WEB-OBS-54-001 | TODO |  | SPRINT_117_concelier_vi | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Relies on shared exporter (1039_EXPORT-OBS-54-001) | Relies on shared exporter (1039_EXPORT-OBS-54-001) | CNOB0102 |
 | WEB-OBS-55-001 | TODO |  | SPRINT_117_concelier_vi | Concelier WebService Guild · DevOps Guild | src/Concelier/StellaOps.Concelier.WebService | Wait for DevOps alert profiles (045_DVDO0103) | Wait for DevOps alert profiles (045_DVDO0103) | CNOB0102 |
-| WEB-OBS-56-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild, AirGap Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. Dependencies: WEB-OBS-55-001. |  |  |
-| WEB-ORCH-32-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/orchestrator/sources |  |  |
+| WEB-OBS-56-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, AirGap Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. Dependencies: WEB-OBS-55-001. |  |  |
+| WEB-ORCH-32-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/orchestrator/sources |  |  |
 | WEB-ORCH-33-001 | TODO |  | SPRINT_215_web_iv | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add POST action routes (`pause. Dependencies: WEB-ORCH-32-001. |  |  |
 | WEB-ORCH-34-001 | TODO |  | SPRINT_215_web_iv | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Surface quotas/backfill APIs, queue/backpressure metrics, and error clustering routes with admin scope enforcement and audit logging. Dependencies: WEB-ORCH-33-001. |  |  |
 | WEB-POLICY-20-001 | TODO |  | SPRINT_215_web_iv | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI, tenant scoping, and service identity enforcement. |  |  |
@@ -2530,20 +2533,21 @@
 | CLI-DOCS-0001 | TODO |  | SPRINT_316_docs_modules_cli | Docs Guild (docs/modules/cli) | docs/modules/cli | See ./AGENTS.md | — | CLCI0103 |
 | CLI-EDITOR-401-004 | TODO |  | SPRINT_0401_0001_0001_reachability_evidence_chain | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/policy/lifecycle.md`) | `src/Cli/StellaOps.Cli`, `docs/policy/lifecycle.md` | Enhance `stella policy` CLI verbs (edit/lint/simulate) to edit Git-backed `.dsl` files, run local coverage tests, and commit SemVer metadata. | — | CLCI0103 |
 | CLI-ENG-0001 | TODO |  | SPRINT_316_docs_modules_cli | Module Team (docs/modules/cli) | docs/modules/cli | Update status via ./AGENTS.md workflow | — | CLCI0103 |
-| CLI-EXC-25-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella exceptions list | — | CLCI0103 |
-| CLI-EXC-25-002 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Extend `stella policy simulate` with `--with-exception`/`--without-exception` flags to preview exception impact. Dependencies: CLI-EXC-25-001. | — | CLCI0103 |
-| CLI-EXPORT-35-001 | BLOCKED | 2025-10-29 | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella export profiles | CLCI0103 | CLCI0104 |
-| CLI-EXPORT-36-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Add distribution commands (`stella export distribute`, `run download --resume` enhancements) and improved status polling with progress bars. Dependencies: CLI-EXPORT-35-001. | — | CLCI0104 |
-| CLI-EXPORT-37-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide scheduling (`stella export schedule`), retention, and `export verify` commands performing signature/hash validation. Dependencies: CLI-EXPORT-36-001. | — | CLCI0104 |
-| CLI-FORENSICS-53-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild, Evidence Locker Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella forensic snapshot create --case` and `snapshot list/show` commands invoking evidence locker APIs, surfacing manifest digests, and storing local cache metadata. | — | CLCI0104 |
-| CLI-FORENSICS-54-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide `stella forensic verify <bundle>` command validating checksums, DSSE signatures, and timeline chain-of-custody. Support JSON/pretty output and exit codes for CI. Dependencies: CLI-FORENSICS-53-001. | — | CLCI0104 |
-| CLI-FORENSICS-54-002 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella forensic attest show <artifact>` listing attestation details (signer, timestamp, subjects) and verifying signatures. Dependencies: CLI-FORENSICS-54-001. | — | CLCI0104 |
-| CLI-LNM-22-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella advisory obs get/linkset show/export` commands with JSON/OSV output, pagination, and conflict display; ensure `ERR_AGG_*` mapping. | — | CLCI0103 |
-| CLI-LNM-22-002 | TODO |  | SPRINT_202_cli_ii | CLI Guild · Concelier Guild | src/Cli/StellaOps.Cli | Implement `stella vex obs get/linkset show` commands with product filters, status filters, and JSON output for CI usage. Dependencies: CLI-LNM-22-001. | Needs CCLN0102 API contract | CLCI0109 |
-| CLI-NOTIFY-38-001 | BLOCKED | 2025-10-29 | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella notify rules | CLCI0103 | CLCI0104 |
-| CLI-NOTIFY-39-001 | BLOCKED | 2025-10-29 | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Add simulation (`stella notify simulate`) and digest commands with diff output and schedule triggering, including dry-run mode. Dependencies: CLI-NOTIFY-38-001. | CLCI0103 | CLCI0104 |
-| CLI-NOTIFY-40-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide ack token redemption workflow, escalation management, localization previews, and channel health checks. Dependencies: CLI-NOTIFY-39-001. | — | CLCI0104 |
-| CLI-OBS-50-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Ensure CLI HTTP client propagates `traceparent` headers for all commands, prints correlation IDs on failure, and records trace IDs in verbose logs (scrubbed). | — | CLCI0104 |
+| CLI-DETER-70-003 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild, Scanner Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide `stella detscore run` that executes the determinism harness locally (fixed clock, seeded RNG, canonical hashes) and writes `determinism.json`, supporting CI/non-zero threshold exit codes (`docs/modules/scanner/determinism-score.md`). | — | CLCI0103 |
+| CLI-EXC-25-001 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella exceptions list | — | CLCI0103 |
+| CLI-EXC-25-002 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Extend `stella policy simulate` with `--with-exception`/`--without-exception` flags to preview exception impact. Dependencies: CLI-EXC-25-001. | — | CLCI0103 |
+| CLI-EXPORT-35-001 | BLOCKED | 2025-10-29 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella export profiles | CLCI0103 | CLCI0104 |
+| CLI-EXPORT-36-001 | BLOCKED | 2025-11-30 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Add distribution commands (`stella export distribute`, `run download --resume` enhancements) and improved status polling with progress bars. Dependencies: CLI-EXPORT-35-001. | — | CLCI0104 |
+| CLI-EXPORT-37-001 | BLOCKED | 2025-11-30 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide scheduling (`stella export schedule`), retention, and `export verify` commands performing signature/hash validation. Dependencies: CLI-EXPORT-36-001. | — | CLCI0104 |
+| CLI-FORENSICS-53-001 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild, Evidence Locker Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella forensic snapshot create --case` and `snapshot list/show` commands invoking evidence locker APIs, surfacing manifest digests, and storing local cache metadata. | — | CLCI0104 |
+| CLI-FORENSICS-54-001 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide `stella forensic verify <bundle>` command validating checksums, DSSE signatures, and timeline chain-of-custody. Support JSON/pretty output and exit codes for CI. Dependencies: CLI-FORENSICS-53-001. | — | CLCI0104 |
+| CLI-FORENSICS-54-002 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella forensic attest show <artifact>` listing attestation details (signer, timestamp, subjects) and verifying signatures. Dependencies: CLI-FORENSICS-54-001. | — | CLCI0104 |
+| CLI-LNM-22-001 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella advisory obs get/linkset show/export` commands with JSON/OSV output, pagination, and conflict display; ensure `ERR_AGG_*` mapping. | — | CLCI0103 |
+| CLI-LNM-22-002 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | CLI Guild · Concelier Guild | src/Cli/StellaOps.Cli | Implement `stella vex obs get/linkset show` commands with product filters, status filters, and JSON output for CI usage. Dependencies: CLI-LNM-22-001. | Needs CCLN0102 API contract | CLCI0109 |
+| CLI-NOTIFY-38-001 | BLOCKED | 2025-10-29 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella notify rules | CLCI0103 | CLCI0104 |
+| CLI-NOTIFY-39-001 | BLOCKED | 2025-10-29 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Add simulation (`stella notify simulate`) and digest commands with diff output and schedule triggering, including dry-run mode. Dependencies: CLI-NOTIFY-38-001. | CLCI0103 | CLCI0104 |
+| CLI-NOTIFY-40-001 | BLOCKED | 2025-11-30 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide ack token redemption workflow, escalation management, localization previews, and channel health checks. Dependencies: CLI-NOTIFY-39-001. | — | CLCI0104 |
+| CLI-OBS-50-001 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Ensure CLI HTTP client propagates `traceparent` headers for all commands, prints correlation IDs on failure, and records trace IDs in verbose logs (scrubbed). | — | CLCI0104 |
 | CLI-OBS-51-001 | TODO |  | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement `stella obs top` command streaming service health metrics, SLO status, and burn-rate alerts with TUI view and JSON output. Dependencies: CLI-OBS-50-001. | — | CLCI0105 |
 | CLI-OBS-52-001 | TODO |  | SPRINT_203_cli_iii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Add `stella obs trace <trace_id>` and `stella obs logs --from/--to` commands that correlate timeline events, logs, and evidence links with pagination + guardrails. Dependencies: CLI-OBS-51-001. | — | CLCI0105 |
 | CLI-OBS-55-001 | TODO |  | SPRINT_203_cli_iii | DevEx/CLI Guild · DevOps Guild | src/Cli/StellaOps.Cli | Add `stella obs incident-mode enable. Dependencies: CLI-OBS-52-001. | — | CLCI0105 |
@@ -3413,8 +3417,8 @@
 | MIRROR-CRT-58-002 | TODO |  | SPRINT_0506_ops_devops_iv | Mirror Creator Guild · CLI Guild · Exporter Guild |  | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | ATMI0101 |
 | MTLS-11-002 | DONE | 2025-11-08 | SPRINT_100_identity_signing | Authority Core & Security Guild | src/Authority/StellaOps.Authority | Refresh grants enforce original client cert, tokens persist `x5t#S256` metadata, docs updated. | AUTH-DPOP-11-001 | AUIN0102 |
 | NATIVE-401-015 | TODO |  | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Worker Guild | `src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native`, `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native` | Bootstrap Symbols.Native + CallGraph.Native scaffolding and coverage fixtures. | Needs replay requirements from DORR0101 | SCNA0101 |
-| NOTIFY-38-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Route approval/rule APIs through Web gateway with tenant scopes. | Wait for NOTY0103 approval payload schema | NOWB0101 |
-| NOTIFY-39-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Surface digest/simulation/quiet-hour controls in Web tier. | Needs correlation outputs from NOTY0105 | NOWB0101 |
+| NOTIFY-38-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Route approval/rule APIs through Web gateway with tenant scopes. | Wait for NOTY0103 approval payload schema | NOWB0101 |
+| NOTIFY-39-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Surface digest/simulation/quiet-hour controls in Web tier. | Needs correlation outputs from NOTY0105 | NOWB0101 |
 | NOTIFY-40-001 | TODO |  | SPRINT_202_cli_ii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement escalations + ack workflows, localization previews, and channel health checks. | NOTIFY-39-001 | NOWC0101 |
 | NOTIFY-AIRGAP-56-002 | DONE |  | SPRINT_170_notifications_telemetry | Notifications Service Guild · DevOps Guild | src/Notify/StellaOps.Notify | Ship AirGap-ready notifier bundles (Helm overlays, secrets templates, rollout guide). | MIRROR-CRT-56-001 | NOIA0101 |
 | NOTIFY-ATTEST-74-001 | DOING |  | SPRINT_170_notifications_telemetry | Notifications Service Guild · Attestor Service Guild | src/Notify/StellaOps.Notify | Create attestor-driven notification templates + schema docs; publish in `/docs/notifications/templates.md`. | ATEL0101 | NOIA0101 |
@@ -4305,7 +4309,7 @@
 | WEB-CONTAINERS-45-001 | DONE | 2025-11-19 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Ensure readiness endpoints reflect DB/queue readiness, add feature flag toggles via config map, and document NetworkPolicy ports. Dependencies: WEB-CONTAINERS-44-001. |  |  |
 | WEB-CONTAINERS-46-001 | DONE | 2025-11-19 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide offline-friendly asset serving (no CDN), allow overriding object store endpoints via env, and document fallback behavior. Dependencies: WEB-CONTAINERS-45-001. |  |  |
 | WEB-EXC-25-001 | TODO |  | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement `/exceptions` API (create, propose, approve, revoke, list, history) with validation, pagination, and audit logging. |  |  |
-| WEB-EXC-25-002 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Extend `/policy/effective` and `/policy/simulate` responses to include exception metadata and accept overrides for simulations. Dependencies: WEB-EXC-25-001. |  |  |
+| WEB-EXC-25-002 | BLOCKED | 2025-11-30 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Extend `/policy/effective` and `/policy/simulate` responses to include exception metadata and accept overrides for simulations. Dependencies: WEB-EXC-25-001. |  |  |
 | WEB-EXC-25-003 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Platform Events Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Publish `exception.*` events, integrate with notification hooks, enforce rate limits. Dependencies: WEB-EXC-25-002. |  |  |
 | WEB-EXPORT-35-001 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Surface Export Center APIs (profiles/runs/download) through gateway with tenant scoping, streaming support, and viewer/operator scope checks. |  |  |
 | WEB-EXPORT-36-001 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add distribution routes (OCI/object storage), manifest/provenance proxies, and signed URL generation. Dependencies: WEB-EXPORT-35-001. |  |  |
@@ -4315,25 +4319,27 @@
 | WEB-GRAPH-21-003 | BLOCKED | 2025-10-27 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, QA Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Map graph service errors to `ERR_Graph_*`, support GraphML/JSONL export streaming, and document rate limits. Dependencies: WEB-GRAPH-21-002. |  |  |
 | WEB-GRAPH-21-004 | BLOCKED | 2025-10-27 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Proxy Policy Engine overlay responses for graph endpoints while keeping gateway stateless; maintain streaming budgets and latency SLOs. Dependencies: WEB-GRAPH-21-003. |  |  |
 | WEB-GRAPH-24-001 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Gateway proxy for Graph API and Policy overlays with RBAC, caching, pagination, ETags, and streaming; zero business logic. Dependencies: WEB-GRAPH-21-004. |  |  |
-| WEB-GRAPH-24-004 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Embed AOC summaries sourced from overlay services; ensure gateway does not compute derived severity or hints. Dependencies: WEB-GRAPH-24-001. |  |  |
+| WEB-GRAPH-24-002 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild; SBOM Service Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | `/graph/assets/*` endpoints (snapshots, adjacency, search) with pagination, ETags, and tenant scoping as pure proxy. Dependencies: WEB-GRAPH-24-001. |  |  |
+| WEB-GRAPH-24-003 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Embed AOC summaries from overlay services; gateway does not compute derived severity or hints. Dependencies: WEB-GRAPH-24-002. |  |  |
+| WEB-GRAPH-24-004 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild; Observability Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling strategy. Dependencies: WEB-GRAPH-24-003. |  |  |
 | WEB-LNM-21-001 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Concelier WebService Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Surface new `/advisories/*` APIs through gateway with caching, pagination, and RBAC enforcement (`advisory:read`). |  |  |
 | WEB-LNM-21-002 | TODO |  | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Excititor WebService Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/vex/*` read APIs with evidence routes and export handlers; map `ERR_AGG_*` codes. Dependencies: WEB-LNM-21-001. |  |  |
-| WEB-LNM-21-003 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide combined endpoint for Console to fetch policy result + source evidence (advisory + VEX linksets) for a component. Dependencies: WEB-LNM-21-002. |  |  |
-| WEB-NOTIFY-38-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. | Depends on #1 for signed ack spec | NOWB0101 |
-| WEB-NOTIFY-39-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. Dependencies: WEB-NOTIFY-38-001. | WEB-NOTIFY-38-001 | NOWB0101 |
-| WEB-NOTIFY-40-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. Dependencies: WEB-NOTIFY-39-001. |  |  |
+| WEB-LNM-21-003 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide combined endpoint for Console to fetch policy result + source evidence (advisory + VEX linksets) for a component. Dependencies: WEB-LNM-21-002. |  |  |
+| WEB-NOTIFY-38-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. | Depends on #1 for signed ack spec | NOWB0101 |
+| WEB-NOTIFY-39-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. Dependencies: WEB-NOTIFY-38-001. | WEB-NOTIFY-38-001 | NOWB0101 |
+| WEB-NOTIFY-40-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. Dependencies: WEB-NOTIFY-39-001. |  |  |
 | WEB-OAS-61-001 | TODO |  | SPRINT_124_excititor_vi | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService) | src/Excititor/StellaOps.Excititor.WebService |  |  |  |
 | WEB-OAS-61-002 | TODO |  | SPRINT_116_concelier_v | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService |  |  |  |
 | WEB-OAS-62-001 | TODO |  | SPRINT_116_concelier_v | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService |  |  |  |
 | WEB-OAS-63-001 | TODO |  | SPRINT_116_concelier_v | Concelier WebService Guild, API Governance Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService |  |  |  |
-| WEB-OBS-50-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Integrate `StellaOps.Telemetry.Core` into gateway host, replace ad-hoc logging, ensure all routes emit trace/span IDs, tenant context, and scrubbed payload previews. |  |  |
+| WEB-OBS-50-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Integrate `StellaOps.Telemetry.Core` into gateway host, replace ad-hoc logging, ensure all routes emit trace/span IDs, tenant context, and scrubbed payload previews. |  |  |
 | WEB-OBS-51-001 | TODO |  | SPRINT_116_concelier_v | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Paired with #1 for shared middleware | Paired with #1 for shared middleware | CNOB0102 |
 | WEB-OBS-52-001 | TODO |  | SPRINT_116_concelier_v | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Dependent on CLI/VEX readiness (035_CLCI0105) for payload format | Dependent on CLI/VEX readiness (035_CLCI0105) for payload format | CNOB0102 |
 | WEB-OBS-53-001 | TODO |  | SPRINT_117_concelier_vi | Concelier WebService Guild · Evidence Locker Guild | src/Concelier/StellaOps.Concelier.WebService | Needs Evidence Locker API spec from 002_ATEL0101 | Needs Evidence Locker API spec from 002_ATEL0101 | CNOB0102 |
 | WEB-OBS-54-001 | TODO |  | SPRINT_117_concelier_vi | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Relies on shared exporter (1039_EXPORT-OBS-54-001) | Relies on shared exporter (1039_EXPORT-OBS-54-001) | CNOB0102 |
 | WEB-OBS-55-001 | TODO |  | SPRINT_117_concelier_vi | Concelier WebService Guild · DevOps Guild | src/Concelier/StellaOps.Concelier.WebService | Wait for DevOps alert profiles (045_DVDO0103) | Wait for DevOps alert profiles (045_DVDO0103) | CNOB0102 |
-| WEB-OBS-56-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild, AirGap Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. Dependencies: WEB-OBS-55-001. |  |  |
-| WEB-ORCH-32-001 | TODO |  | SPRINT_214_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/orchestrator/sources |  |  |
+| WEB-OBS-56-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, AirGap Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. Dependencies: WEB-OBS-55-001. |  |  |
+| WEB-ORCH-32-001 | TODO |  | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/orchestrator/sources |  |  |
 | WEB-ORCH-33-001 | TODO |  | SPRINT_215_web_iv | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add POST action routes (`pause. Dependencies: WEB-ORCH-32-001. |  |  |
 | WEB-ORCH-34-001 | TODO |  | SPRINT_215_web_iv | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Surface quotas/backfill APIs, queue/backpressure metrics, and error clustering routes with admin scope enforcement and audit logging. Dependencies: WEB-ORCH-33-001. |  |  |
 | WEB-POLICY-20-001 | TODO |  | SPRINT_215_web_iv | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI, tenant scoping, and service identity enforcement. |  |  |