Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org

docs/12_PERFORMANCE_WORKBOOK.md

@@ -167,4 +167,4 @@ _Plot generated weekly by `scripts/update‑trend.py`; shows last 12 weeks P95 p
 | 2025‑07‑14 | Added Δ‑SBOM & Policy Eval phases; updated targets & current results.   |
 | 2025‑07‑12 | First public workbook (SBOM‑first, image‑unpack, feed merge).           |
 
----
+---

docs/events/orchestrator-scanner-events.md

@@ -120,4 +120,4 @@ Keys are ASCII lowercase; components should be trimmed and validated before conc
 
 ---
 
-**Imposed rule reminder:** work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+**Imposed rule reminder:** work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.

docs/implplan/SPRINTS.md

@@ -1054,8 +1054,7 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
 | Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-001 | Draft schemas for all attestation payload types. |
 | Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-002 | Generate models/validators from schemas. |
 | Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-001 | Scaffold attestor service skeleton. |
-| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-002 | Implement attestation store + storage integration. |
+| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-002 | Implement attestation store + storage integration. |
-| Sprint 72 | Attestor Console Phase 1 – Foundations | src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md | DONE | KMS Guild | KMS-72-001 | Implement KMS interface + file driver. |
 | Sprint 72 | Attestor Console Phase 1 – Foundations | src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md | DONE | KMS Guild | KMS-72-001 | Implement KMS interface + file driver. |
 | Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-001 | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. |
 | Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-002 | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. |

docs/ingestion/aggregation-only-contract.md

@@ -178,4 +178,4 @@ Consumers should map these codes to CLI exit codes and structured log events so
 
 ---
 
-*Last updated: 2025-10-27 (Sprint 19).*
+*Last updated: 2025-10-27 (Sprint 19).*

docs/modules/authority/operations/backup-restore.md

@@ -94,4 +94,4 @@
 - [ ] `PluginRegistrationSummary` logs expected providers on startup.
 - [ ] Revocation manifest export (`dotnet run --project src/Authority/StellaOps.Authority`) succeeds.
 - [ ] Monitoring dashboards show metrics resuming (see OPS5 deliverables).
-
+

docs/modules/cli/guides/cli-reference.md

@@ -313,4 +313,4 @@ Additional notes:
 | `StellaOps:Authority:OperatorTicket` | Change/incident ticket reference paired with orchestrator control actions. | CLI flag `--Authority:OperatorTicket=...` or env `STELLAOPS_ORCH_TICKET`. |
 
 > Tokens requesting `orch:operate` will fail with `invalid_request` unless both values are present. Choose concise strings (≤256 chars for reason, ≤128 chars for ticket) and avoid sensitive data.
-
+

docs/modules/platform/architecture-overview.md

@@ -165,4 +165,4 @@ sequenceDiagram
 
 ---
 
-*Last updated: 2025-10-26 (Sprint 19).*
+*Last updated: 2025-10-26 (Sprint 19).*

docs/modules/telemetry/operations/collector.md

@@ -110,4 +110,4 @@ Distribute the bundle alongside certificates generated by your PKI. For air-gapp
 - `deploy/telemetry/README.md` – source configuration and local workflow.
 - `ops/devops/telemetry/smoke_otel_collector.py` – OTLP smoke test.
 - `docs/observability/observability.md` – metrics/traces/logs taxonomy.
-- `docs/13_RELEASE_ENGINEERING_PLAYBOOK.md` – release checklist for telemetry assets.
+- `docs/13_RELEASE_ENGINEERING_PLAYBOOK.md` – release checklist for telemetry assets.

docs/notifications/overview.md

@@ -73,4 +73,4 @@ Action: coordinate with the Notifications Service Guild when `NOTIFY-SVC-39-001.
 
 ---
 
-> **Imposed rule reminder:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+> **Imposed rule reminder:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.

docs/observability/observability.md

@@ -139,4 +139,4 @@ Update `docs/assets/dashboards/` with screenshots when Grafana capture pipeline
 
 ---
 
-*Last updated: 2025-10-26 (Sprint 19).* 
+*Last updated: 2025-10-26 (Sprint 19).* 

docs/security/authority-scopes.md

@@ -258,4 +258,4 @@ clients:
 
 ---
 
-*Last updated: 2025-10-27 (Sprint 19).* 
+*Last updated: 2025-10-27 (Sprint 19).* 

src/Authority/StellaOps.Api.OpenApi/authority/openapi.yaml

@@ -686,4 +686,4 @@ paths:
                         crv: P-384
                         x: hjdKc0r8jvVHJ7S9mP0y0mU9bqN7v5PxS21SwclTzfc
                         y: yk6J3pz4TUpymN4mG-6th3dYvJ5N1lQvDK0PLuFv3Pg
-                        status: retiring
+                        status: retiring

src/Concelier/StellaOps.Concelier.WebService/TASKS.md

@@ -1,94 +1,94 @@
-# TASKS — Epic 1: Aggregation-Only Contract
+# TASKS — Epic 1: Aggregation-Only Contract
-> **AOC Reminder:** service links and exposes raw data only—no precedence, severity, or hint computation inside Concelier APIs.
+> **AOC Reminder:** service links and exposes raw data only—no precedence, severity, or hint computation inside Concelier APIs.
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|---|---|---|---|---|
+|---|---|---|---|---|
-> Docs alignment (2025-10-26): Endpoint expectations + scope requirements detailed in `docs/ingestion/aggregation-only-contract.md` and `docs/security/authority-scopes.md`.
+> Docs alignment (2025-10-26): Endpoint expectations + scope requirements detailed in `docs/ingestion/aggregation-only-contract.md` and `docs/security/authority-scopes.md`.
-> 2025-10-28: Added coverage for pagination, tenancy enforcement, and ingestion/verification metrics; verified guard handling paths end-to-end.
+> 2025-10-28: Added coverage for pagination, tenancy enforcement, and ingestion/verification metrics; verified guard handling paths end-to-end.
-| CONCELIER-WEB-AOC-19-002 `AOC observability` | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-WEB-AOC-19-001 | Emit `ingestion_write_total`, `aoc_violation_total`, latency histograms, and tracing spans (`ingest.fetch/transform/write`, `aoc.guard`). Wire structured logging to include tenant, source vendor, upstream id, and content hash. |
+| CONCELIER-WEB-AOC-19-002 `AOC observability` | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-WEB-AOC-19-001 | Emit `ingestion_write_total`, `aoc_violation_total`, latency histograms, and tracing spans (`ingest.fetch/transform/write`, `aoc.guard`). Wire structured logging to include tenant, source vendor, upstream id, and content hash. |
-> Docs alignment (2025-10-26): Metrics/traces/log schema in `docs/observability/observability.md`.
+> Docs alignment (2025-10-26): Metrics/traces/log schema in `docs/observability/observability.md`.
-| CONCELIER-WEB-AOC-19-003 `Schema/guard unit tests` | TODO | QA Guild | CONCELIER-WEB-AOC-19-001 | Add unit tests covering schema validation failures, forbidden field rejections (`ERR_AOC_001/002/006/007`), idempotent upserts, and supersedes chains using deterministic fixtures. |
+| CONCELIER-WEB-AOC-19-003 `Schema/guard unit tests` | TODO | QA Guild | CONCELIER-WEB-AOC-19-001 | Add unit tests covering schema validation failures, forbidden field rejections (`ERR_AOC_001/002/006/007`), idempotent upserts, and supersedes chains using deterministic fixtures. |
-> Docs alignment (2025-10-26): Guard rules + error codes documented in AOC reference §5 and CLI guide.
+> Docs alignment (2025-10-26): Guard rules + error codes documented in AOC reference §5 and CLI guide.
-| CONCELIER-WEB-AOC-19-004 `End-to-end ingest verification` | TODO | Concelier WebService Guild, QA Guild | CONCELIER-WEB-AOC-19-003, CONCELIER-CORE-AOC-19-002 | Create integration tests ingesting large advisory batches (cold/warm) validating linkset enrichment, metrics emission, and reproducible outputs. Capture load-test scripts + doc notes for Offline Kit dry runs. |
+| CONCELIER-WEB-AOC-19-004 `End-to-end ingest verification` | TODO | Concelier WebService Guild, QA Guild | CONCELIER-WEB-AOC-19-003, CONCELIER-CORE-AOC-19-002 | Create integration tests ingesting large advisory batches (cold/warm) validating linkset enrichment, metrics emission, and reproducible outputs. Capture load-test scripts + doc notes for Offline Kit dry runs. |
-> Docs alignment (2025-10-26): Offline verification workflow referenced in `docs/deploy/containers.md` §5.
+> Docs alignment (2025-10-26): Offline verification workflow referenced in `docs/deploy/containers.md` §5.
-
+
-## Policy Engine v2
+## Policy Engine v2
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-POLICY-20-001 `Policy selection endpoints` | TODO | Concelier WebService Guild | WEB-POLICY-20-001, CONCELIER-CORE-AOC-19-004 | Add batch advisory lookup APIs (`/policy/select/advisories`, `/policy/select/vex`) optimized for PURL/ID lists with pagination, tenant scoping, and explain metadata. |
+| CONCELIER-POLICY-20-001 `Policy selection endpoints` | TODO | Concelier WebService Guild | WEB-POLICY-20-001, CONCELIER-CORE-AOC-19-004 | Add batch advisory lookup APIs (`/policy/select/advisories`, `/policy/select/vex`) optimized for PURL/ID lists with pagination, tenant scoping, and explain metadata. |
-
+
-## StellaOps Console (Sprint 23)
+## StellaOps Console (Sprint 23)
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
 |----|--------|----------|------------|-------|
 | CONCELIER-CONSOLE-23-001 `Advisory aggregation views` | TODO | Concelier WebService Guild, BE-Base Platform Guild | CONCELIER-LNM-21-201, CONCELIER-LNM-21-202 | Expose `/console/advisories` endpoints returning aggregation groups (per linkset) with source chips, provider-reported severity columns (no local consensus), and provenance metadata for Console list + dashboard cards. Support filters by source, ecosystem, published/modified window, tenant enforcement. |
-| CONCELIER-CONSOLE-23-002 `Dashboard deltas API` | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-001, CONCELIER-LNM-21-203 | Provide aggregated advisory delta counts (new, modified, conflicting) for Console dashboard + live status ticker; emit structured events for queue lag metrics. Ensure deterministic counts across repeated queries. |
+| CONCELIER-CONSOLE-23-002 `Dashboard deltas API` | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-001, CONCELIER-LNM-21-203 | Provide aggregated advisory delta counts (new, modified, conflicting) for Console dashboard + live status ticker; emit structured events for queue lag metrics. Ensure deterministic counts across repeated queries. |
-| CONCELIER-CONSOLE-23-003 `Search fan-out helpers` | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-001 | Deliver fast lookup endpoints for CVE/GHSA/purl search (linksets, observations) returning evidence fragments for Console global search; implement caching + scope guards. |
+| CONCELIER-CONSOLE-23-003 `Search fan-out helpers` | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-001 | Deliver fast lookup endpoints for CVE/GHSA/purl search (linksets, observations) returning evidence fragments for Console global search; implement caching + scope guards. |
-
+
-## Graph Explorer v1
+## Graph Explorer v1
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-
+
-## Link-Not-Merge v1
+## Link-Not-Merge v1
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-LNM-21-201 `Observation APIs` | TODO | Concelier WebService Guild, BE-Base Platform Guild | CONCELIER-LNM-21-001 | Add REST endpoints for advisory observations (`GET /advisories/observations`) with filters (alias, purl, source), pagination, and tenancy enforcement. |
+| CONCELIER-LNM-21-201 `Observation APIs` | TODO | Concelier WebService Guild, BE-Base Platform Guild | CONCELIER-LNM-21-001 | Add REST endpoints for advisory observations (`GET /advisories/observations`) with filters (alias, purl, source), pagination, and tenancy enforcement. |
-| CONCELIER-LNM-21-202 `Linkset APIs` | TODO | Concelier WebService Guild | CONCELIER-LNM-21-002, CONCELIER-LNM-21-003 | Implement linkset read/export endpoints (`/advisories/linksets/{id}`, `/advisories/by-purl/{purl}`, `/advisories/linksets/{id}/export`, `/evidence`) with correlation/conflict payloads and `ERR_AGG_*` mapping. |
+| CONCELIER-LNM-21-202 `Linkset APIs` | TODO | Concelier WebService Guild | CONCELIER-LNM-21-002, CONCELIER-LNM-21-003 | Implement linkset read/export endpoints (`/advisories/linksets/{id}`, `/advisories/by-purl/{purl}`, `/advisories/linksets/{id}/export`, `/evidence`) with correlation/conflict payloads and `ERR_AGG_*` mapping. |
-| CONCELIER-LNM-21-203 `Ingest events` | TODO | Concelier WebService Guild, Platform Events Guild | CONCELIER-LNM-21-005 | Publish NATS/Redis events for new observations/linksets and ensure idempotent consumer contracts; document event schemas. |
+| CONCELIER-LNM-21-203 `Ingest events` | TODO | Concelier WebService Guild, Platform Events Guild | CONCELIER-LNM-21-005 | Publish NATS/Redis events for new observations/linksets and ensure idempotent consumer contracts; document event schemas. |
-
+
-## Graph & Vuln Explorer v1
+## Graph & Vuln Explorer v1
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-GRAPH-24-101 `Advisory summary API` | TODO | Concelier WebService Guild | CONCELIER-GRAPH-24-001 | Expose `/advisories/summary` returning raw linkset/observation metadata for overlay services; no derived severity or fix hints. |
+| CONCELIER-GRAPH-24-101 `Advisory summary API` | TODO | Concelier WebService Guild | CONCELIER-GRAPH-24-001 | Expose `/advisories/summary` returning raw linkset/observation metadata for overlay services; no derived severity or fix hints. |
-| CONCELIER-GRAPH-28-102 `Evidence batch API` | TODO | Concelier WebService Guild | CONCELIER-LNM-21-201 | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. |
+| CONCELIER-GRAPH-28-102 `Evidence batch API` | TODO | Concelier WebService Guild | CONCELIER-LNM-21-201 | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. |
-
+
-## VEX Lens (Sprint 30)
+## VEX Lens (Sprint 30)
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-VEXLENS-30-001 `Advisory rationale bridges` | TODO | Concelier WebService Guild, VEX Lens Guild | CONCELIER-VULN-29-001, VEXLENS-30-005 | Guarantee advisory key consistency and cross-links for consensus rationale; Label: VEX-Lens. |
+| CONCELIER-VEXLENS-30-001 `Advisory rationale bridges` | TODO | Concelier WebService Guild, VEX Lens Guild | CONCELIER-VULN-29-001, VEXLENS-30-005 | Guarantee advisory key consistency and cross-links for consensus rationale; Label: VEX-Lens. |
-
+
-## Vulnerability Explorer (Sprint 29)
+## Vulnerability Explorer (Sprint 29)
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-VULN-29-001 `Advisory key canonicalization` | TODO | Concelier WebService Guild, Data Integrity Guild | CONCELIER-LNM-21-001 | Canonicalize (lossless) advisory identifiers (CVE/GHSA/vendor) into `advisory_key`, persist `links[]`, expose raw payload snapshots for Explorer evidence tabs; AOC-compliant: no merge, no derived fields, no suppression. Include migration/backfill scripts. |
+| CONCELIER-VULN-29-001 `Advisory key canonicalization` | TODO | Concelier WebService Guild, Data Integrity Guild | CONCELIER-LNM-21-001 | Canonicalize (lossless) advisory identifiers (CVE/GHSA/vendor) into `advisory_key`, persist `links[]`, expose raw payload snapshots for Explorer evidence tabs; AOC-compliant: no merge, no derived fields, no suppression. Include migration/backfill scripts. |
-| CONCELIER-VULN-29-002 `Evidence retrieval API` | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001, VULN-API-29-003 | Provide `/vuln/evidence/advisories/{advisory_key}` returning raw advisory docs with provenance, filtering by tenant and source. | 
+| CONCELIER-VULN-29-002 `Evidence retrieval API` | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001, VULN-API-29-003 | Provide `/vuln/evidence/advisories/{advisory_key}` returning raw advisory docs with provenance, filtering by tenant and source. | 
 | CONCELIER-VULN-29-004 `Observability enhancements` | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-VULN-29-001 | Instrument metrics/logs for observation + linkset pipelines (identifier collisions, withdrawn flags) and emit events consumed by Vuln Explorer resolver. |
-
+
-## Advisory AI (Sprint 31)
+## Advisory AI (Sprint 31)
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-AIAI-31-001 `Paragraph anchors` | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001 | Expose advisory chunk API returning paragraph anchors, section metadata, and token-safe text for Advisory AI retrieval. |
+| CONCELIER-AIAI-31-001 `Paragraph anchors` | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001 | Expose advisory chunk API returning paragraph anchors, section metadata, and token-safe text for Advisory AI retrieval. |
 | CONCELIER-AIAI-31-002 `Structured fields` | TODO | Concelier WebService Guild | CONCELIER-AIAI-31-001 | Ensure observation APIs expose upstream workaround/fix/CVSS fields with provenance; add caching for summary queries. |
-| CONCELIER-AIAI-31-003 `Advisory AI telemetry` | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-AIAI-31-001 | Emit metrics/logs for chunk requests, cache hits, and guardrail blocks triggered by advisory payloads. |
+| CONCELIER-AIAI-31-003 `Advisory AI telemetry` | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-AIAI-31-001 | Emit metrics/logs for chunk requests, cache hits, and guardrail blocks triggered by advisory payloads. |
-
+
-## Observability & Forensics (Epic 15)
+## Observability & Forensics (Epic 15)
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-WEB-OBS-50-001 `Telemetry adoption` | TODO | Concelier WebService Guild | TELEMETRY-OBS-50-001, CONCELIER-OBS-50-001 | Adopt telemetry core in web service host, ensure ingest + read endpoints emit trace/log fields (`tenant_id`, `route`, `decision_effect`), and add correlation IDs to responses. |
+| CONCELIER-WEB-OBS-50-001 `Telemetry adoption` | TODO | Concelier WebService Guild | TELEMETRY-OBS-50-001, CONCELIER-OBS-50-001 | Adopt telemetry core in web service host, ensure ingest + read endpoints emit trace/log fields (`tenant_id`, `route`, `decision_effect`), and add correlation IDs to responses. |
-| CONCELIER-WEB-OBS-51-001 `Observability APIs` | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-50-001, WEB-OBS-51-001 | Surface ingest health metrics, queue depth, and SLO status via `/obs/concelier/health` endpoint for Console widgets, with caching and tenant partitioning. |
+| CONCELIER-WEB-OBS-51-001 `Observability APIs` | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-50-001, WEB-OBS-51-001 | Surface ingest health metrics, queue depth, and SLO status via `/obs/concelier/health` endpoint for Console widgets, with caching and tenant partitioning. |
-| CONCELIER-WEB-OBS-52-001 `Timeline streaming` | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-50-001, TIMELINE-OBS-52-003 | Provide SSE stream `/obs/concelier/timeline` bridging to Timeline Indexer with paging tokens, guardrails, and audit logging. |
+| CONCELIER-WEB-OBS-52-001 `Timeline streaming` | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-50-001, TIMELINE-OBS-52-003 | Provide SSE stream `/obs/concelier/timeline` bridging to Timeline Indexer with paging tokens, guardrails, and audit logging. |
-| CONCELIER-WEB-OBS-53-001 `Evidence locker integration` | TODO | Concelier WebService Guild, Evidence Locker Guild | CONCELIER-OBS-53-001, EVID-OBS-53-003 | Add `/evidence/advisories/*` routes invoking evidence locker snapshots, verifying tenant scopes (`evidence:read`), and returning signed manifest metadata. |
+| CONCELIER-WEB-OBS-53-001 `Evidence locker integration` | TODO | Concelier WebService Guild, Evidence Locker Guild | CONCELIER-OBS-53-001, EVID-OBS-53-003 | Add `/evidence/advisories/*` routes invoking evidence locker snapshots, verifying tenant scopes (`evidence:read`), and returning signed manifest metadata. |
-| CONCELIER-WEB-OBS-54-001 `Attestation exposure` | TODO | Concelier WebService Guild | CONCELIER-OBS-54-001, PROV-OBS-54-001 | Provide `/attestations/advisories/*` read APIs surfacing DSSE status, verification summary, and provenance chain for Console/CLI. |
+| CONCELIER-WEB-OBS-54-001 `Attestation exposure` | TODO | Concelier WebService Guild | CONCELIER-OBS-54-001, PROV-OBS-54-001 | Provide `/attestations/advisories/*` read APIs surfacing DSSE status, verification summary, and provenance chain for Console/CLI. |
-| CONCELIER-WEB-OBS-55-001 `Incident mode toggles` | TODO | Concelier WebService Guild, DevOps Guild | CONCELIER-OBS-55-001, WEB-OBS-55-001 | Implement incident mode toggle endpoints, propagate to orchestrator/locker, and document cooldown/backoff semantics. |
+| CONCELIER-WEB-OBS-55-001 `Incident mode toggles` | TODO | Concelier WebService Guild, DevOps Guild | CONCELIER-OBS-55-001, WEB-OBS-55-001 | Implement incident mode toggle endpoints, propagate to orchestrator/locker, and document cooldown/backoff semantics. |
-
+
-## Air-Gapped Mode (Epic 16)
+## Air-Gapped Mode (Epic 16)
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-WEB-AIRGAP-56-001 `Mirror import APIs` | TODO | Concelier WebService Guild | AIRGAP-IMP-58-001, CONCELIER-AIRGAP-56-001 | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalog queries, and block external feed URLs in sealed mode. |
+| CONCELIER-WEB-AIRGAP-56-001 `Mirror import APIs` | TODO | Concelier WebService Guild | AIRGAP-IMP-58-001, CONCELIER-AIRGAP-56-001 | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalog queries, and block external feed URLs in sealed mode. |
-| CONCELIER-WEB-AIRGAP-56-002 `Airgap status surfaces` | TODO | Concelier WebService Guild | CONCELIER-AIRGAP-57-002, AIRGAP-CTL-56-002 | Add staleness metadata and bundle provenance to advisory APIs (`/advisories/observations`, `/advisories/linksets`). |
+| CONCELIER-WEB-AIRGAP-56-002 `Airgap status surfaces` | TODO | Concelier WebService Guild | CONCELIER-AIRGAP-57-002, AIRGAP-CTL-56-002 | Add staleness metadata and bundle provenance to advisory APIs (`/advisories/observations`, `/advisories/linksets`). |
-| CONCELIER-WEB-AIRGAP-57-001 `Error remediation` | TODO | Concelier WebService Guild, AirGap Policy Guild | AIRGAP-POL-56-001 | Map sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` responses with user guidance. |
+| CONCELIER-WEB-AIRGAP-57-001 `Error remediation` | TODO | Concelier WebService Guild, AirGap Policy Guild | AIRGAP-POL-56-001 | Map sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` responses with user guidance. |
-| CONCELIER-WEB-AIRGAP-58-001 `Import timeline emission` | TODO | Concelier WebService Guild, AirGap Importer Guild | CONCELIER-WEB-AIRGAP-56-001, TIMELINE-OBS-53-001 | Emit timeline events for bundle ingestion operations with bundle ID, scope, and actor metadata. |
+| CONCELIER-WEB-AIRGAP-58-001 `Import timeline emission` | TODO | Concelier WebService Guild, AirGap Importer Guild | CONCELIER-WEB-AIRGAP-56-001, TIMELINE-OBS-53-001 | Emit timeline events for bundle ingestion operations with bundle ID, scope, and actor metadata. |
-
+
-## SDKs & OpenAPI (Epic 17)
+## SDKs & OpenAPI (Epic 17)
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-WEB-OAS-61-001 `/.well-known/openapi` | TODO | Concelier WebService Guild | OAS-61-001 | Implement discovery endpoint emitting Concelier spec with version metadata and ETag. |
+| CONCELIER-WEB-OAS-61-001 `/.well-known/openapi` | TODO | Concelier WebService Guild | OAS-61-001 | Implement discovery endpoint emitting Concelier spec with version metadata and ETag. |
-| CONCELIER-WEB-OAS-61-002 `Error envelope migration` | TODO | Concelier WebService Guild | APIGOV-61-001 | Ensure all API responses use standardized error envelope; update controllers/tests. |
+| CONCELIER-WEB-OAS-61-002 `Error envelope migration` | TODO | Concelier WebService Guild | APIGOV-61-001 | Ensure all API responses use standardized error envelope; update controllers/tests. |
-| CONCELIER-WEB-OAS-62-001 `Examples expansion` | TODO | Concelier WebService Guild | CONCELIER-OAS-61-002 | Add curated examples for advisory observations/linksets/conflicts; integrate into dev portal. |
+| CONCELIER-WEB-OAS-62-001 `Examples expansion` | TODO | Concelier WebService Guild | CONCELIER-OAS-61-002 | Add curated examples for advisory observations/linksets/conflicts; integrate into dev portal. |
-| CONCELIER-WEB-OAS-63-001 `Deprecation headers` | TODO | Concelier WebService Guild, API Governance Guild | APIGOV-63-001 | Add Sunset/Deprecation headers for retiring endpoints and update documentation/notifications. |
+| CONCELIER-WEB-OAS-63-001 `Deprecation headers` | TODO | Concelier WebService Guild, API Governance Guild | APIGOV-63-001 | Add Sunset/Deprecation headers for retiring endpoints and update documentation/notifications. |

src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/TASKS.md

@@ -1,4 +1,4 @@
-# TASKS
+# TASKS
-| Task | Owner(s) | Depends on | Notes |
+| Task | Owner(s) | Depends on | Notes |
 |---|---|---|---|
 |FEEDCONN-CCCS-02-009 Version range provenance (Oct 2025)|BE-Conn-CCCS|CONCELIER-LNM-21-001|**TODO (due 2025-10-21)** – Map CCCS advisories into the new `advisory_observations.affected.versions[]` structure, preserving each upstream range with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys. Update mapper tests/fixtures for the Link-Not-Merge schema and verify linkset builders consume the ranges without relying on legacy merge counters.<br>2025-10-29: `docs/dev/normalized-rule-recipes.md` now documents helper snippets for building observation version entries—use them instead of merge-specific builders and refresh fixtures with `UPDATE_CCCS_FIXTURES=1`.|

src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/TASKS.md

@@ -1,4 +1,4 @@
-# TASKS
+# TASKS
-| Task | Owner(s) | Depends on | Notes |
+| Task | Owner(s) | Depends on | Notes |
 |---|---|---|---|
 |FEEDCONN-CERTBUND-02-010 Version range provenance|BE-Conn-CERTBUND|CONCELIER-LNM-21-001|**TODO (due 2025-10-22)** – Translate `product.Versions` phrases (e.g., `2023.1 bis 2024.2`, `alle`) into comparison helpers for `advisory_observations.affected.versions[]`, capturing provenance (`certbund:{advisoryId}:{vendor}`) and localisation notes. Update mapper/tests for the Link-Not-Merge schema and refresh documentation accordingly.|

src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md

@@ -1,4 +1,4 @@
-# TASKS
+# TASKS
-| Task | Owner(s) | Depends on | Notes |
+| Task | Owner(s) | Depends on | Notes |
 |---|---|---|---|
 |FEEDCONN-ICSCISA-02-012 Version range provenance|BE-Conn-ICS-CISA|CONCELIER-LNM-21-001|**TODO (due 2025-10-23)** – Promote existing firmware/semver data into `advisory_observations.affected.versions[]` entries with deterministic comparison keys and provenance identifiers (`ics-cisa:{advisoryId}:{product}`). Add regression coverage for mixed firmware strings and raise a Models ticket only when observation schema needs a new comparison helper.<br>2025-10-29: Follow `docs/dev/normalized-rule-recipes.md` §2 to build observation version entries and log failures without invoking the retired merge helpers.|

src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/TASKS.md

@@ -1,4 +1,4 @@
-# TASKS
+# TASKS
-| Task | Owner(s) | Depends on | Notes |
+| Task | Owner(s) | Depends on | Notes |
 |---|---|---|---|
 |FEEDCONN-KISA-02-008 Firmware range provenance|BE-Conn-KISA, Models|CONCELIER-LNM-21-001|**TODO (due 2025-10-24)** – Define comparison helpers for Hangul-labelled firmware ranges (`XFU 1.0.1.0084 ~ 2.0.1.0034`) and map them into `advisory_observations.affected.versions[]` with provenance tags. Coordinate with Models only if a new comparison scheme is required, then update localisation notes and fixtures for the Link-Not-Merge schema.|

src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md

@@ -1,4 +1,4 @@
-# TASKS
+# TASKS
-| Task | Owner(s) | Depends on | Notes |
+| Task | Owner(s) | Depends on | Notes |
 |---|---|---|---|
 |FEEDCONN-CISCO-02-009 SemVer range provenance|BE-Conn-Cisco|CONCELIER-LNM-21-001|**TODO (due 2025-10-21)** – Emit Cisco SemVer ranges into `advisory_observations.affected.versions[]` with provenance identifiers (`cisco:{productId}`) and deterministic comparison keys. Update mapper/tests for the Link-Not-Merge schema and replace legacy merge counter checks with observation/linkset validation.|

src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md

@@ -1,111 +1,111 @@
-# TASKS — Epic 1: Aggregation-Only Contract
+# TASKS — Epic 1: Aggregation-Only Contract
-> **AOC Reminder:** ingestion aggregates and links only—no precedence, normalization, or severity computation. Derived data lives in Policy/overlay services.
+> **AOC Reminder:** ingestion aggregates and links only—no precedence, normalization, or severity computation. Derived data lives in Policy/overlay services.
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|---|---|---|---|---|
+|---|---|---|---|---|
-> Docs alignment (2025-10-26): Behaviour/spec captured in `docs/ingestion/aggregation-only-contract.md` and architecture overview §2.
+> Docs alignment (2025-10-26): Behaviour/spec captured in `docs/ingestion/aggregation-only-contract.md` and architecture overview §2.
-> Implementation (2025-10-29): Added `AdvisoryRawWriteGuard` + DI extensions wrapping `AocWriteGuard`, throwing domain-specific `ConcelierAocGuardException` with `ERR_AOC_00x` mappings. Unit tests cover valid/missing-tenant/signature cases.
+> Implementation (2025-10-29): Added `AdvisoryRawWriteGuard` + DI extensions wrapping `AocWriteGuard`, throwing domain-specific `ConcelierAocGuardException` with `ERR_AOC_00x` mappings. Unit tests cover valid/missing-tenant/signature cases.
-> Coordination (2025-10-27): Authority `dotnet test` run is currently blocked because `AdvisoryObservationQueryService.BuildAliasLookup` returns `ImmutableHashSet<string?>`; please normalise these lookups to `ImmutableHashSet<string>` (trim nulls) so downstream builds succeed.
+> Coordination (2025-10-27): Authority `dotnet test` run is currently blocked because `AdvisoryObservationQueryService.BuildAliasLookup` returns `ImmutableHashSet<string?>`; please normalise these lookups to `ImmutableHashSet<string>` (trim nulls) so downstream builds succeed.
-> 2025-10-31: Added advisory linkset mapper + DI registration, normalized PURL/CPE canonicalization, persisted `reconciled_from` pointers, and refreshed observation factory/tests for new raw linkset shape.
+> 2025-10-31: Added advisory linkset mapper + DI registration, normalized PURL/CPE canonicalization, persisted `reconciled_from` pointers, and refreshed observation factory/tests for new raw linkset shape.
-> Docs alignment (2025-10-26): Linkset expectations detailed in AOC reference §4 and policy-engine architecture §2.1.
+> Docs alignment (2025-10-26): Linkset expectations detailed in AOC reference §4 and policy-engine architecture §2.1.
-> 2025-10-28: Advisory raw ingestion now strips client-supplied supersedes hints, logs ignored pointers, and surfaces repository-supplied supersedes identifiers; service tests cover duplicate handling and append-only semantics.
+> 2025-10-28: Advisory raw ingestion now strips client-supplied supersedes hints, logs ignored pointers, and surfaces repository-supplied supersedes identifiers; service tests cover duplicate handling and append-only semantics.
 > Docs alignment (2025-10-26): Deployment guide + observability guide describe supersedes metrics; ensure implementation emits `aoc_violation_total` on failure.
 | CONCELIER-CORE-AOC-19-004 `Remove ingestion normalization` | DOING (2025-10-28) | Concelier Core Guild | CONCELIER-CORE-AOC-19-002, POLICY-AOC-19-003 | Strip normalization/dedup/severity logic from ingestion pipelines, delegate derived computations to Policy Engine, and update exporters/tests to consume raw documents only.<br>2025-10-29 19:05Z: Audit completed for `AdvisoryRawService`/Mongo repo to confirm alias order/dedup removal persists; identified remaining normalization in observation/linkset factory that will be revised to surface raw duplicates for Policy ingestion. Change sketch + regression matrix drafted under `docs/dev/aoc-normalization-removal-notes.md` (pending commit).<br>2025-10-31 20:45Z: Added raw linkset projection to observations/storage, exposing canonical+raw views, refreshed fixtures/tests, and documented behaviour in models/doc factory.<br>2025-10-31 21:10Z: Coordinated with Policy Engine (POLICY-ENGINE-20-003) on adoption timeline; backfill + consumer readiness tracked in `docs/dev/raw-linkset-backfill-plan.md`. |
-> Docs alignment (2025-10-26): Architecture overview emphasises policy-only derivation; coordinate with Policy Engine guild for rollout.
+> Docs alignment (2025-10-26): Architecture overview emphasises policy-only derivation; coordinate with Policy Engine guild for rollout.
-> 2025-10-29: `AdvisoryRawService` now preserves upstream alias/linkset ordering (trim-only) and updated AOC documentation reflects the behaviour; follow-up to ensure policy consumers handle duplicates remains open.
+> 2025-10-29: `AdvisoryRawService` now preserves upstream alias/linkset ordering (trim-only) and updated AOC documentation reflects the behaviour; follow-up to ensure policy consumers handle duplicates remains open.
-| CONCELIER-CORE-AOC-19-013 `Authority tenant scope smoke coverage` | TODO | Concelier Core Guild | AUTH-AOC-19-002 | Extend Concelier smoke/e2e fixtures to configure `requiredTenants` and assert cross-tenant rejection with updated Authority tokens. | Coordinate deliverable so Authority docs (`AUTH-AOC-19-003`) can close once tests are in place. |
+| CONCELIER-CORE-AOC-19-013 `Authority tenant scope smoke coverage` | TODO | Concelier Core Guild | AUTH-AOC-19-002 | Extend Concelier smoke/e2e fixtures to configure `requiredTenants` and assert cross-tenant rejection with updated Authority tokens. | Coordinate deliverable so Authority docs (`AUTH-AOC-19-003`) can close once tests are in place. |
-
+
-## Policy Engine v2
+## Policy Engine v2
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-POLICY-20-002 `Linkset enrichment for policy` | TODO | Concelier Core Guild, Policy Guild | CONCELIER-CORE-AOC-19-002, POLICY-ENGINE-20-001 | Strengthen linkset builders with vendor-specific equivalence tables, NEVRA/PURL normalization, and version range parsing to maximize policy join recall; update fixtures + docs. |
+| CONCELIER-POLICY-20-002 `Linkset enrichment for policy` | TODO | Concelier Core Guild, Policy Guild | CONCELIER-CORE-AOC-19-002, POLICY-ENGINE-20-001 | Strengthen linkset builders with vendor-specific equivalence tables, NEVRA/PURL normalization, and version range parsing to maximize policy join recall; update fixtures + docs. |
-> 2025-10-31: Base advisory linkset mapper landed under `CONCELIER-CORE-AOC-19-002`; policy enrichment work can now proceed with mapper outputs and observation schema fixtures.
+> 2025-10-31: Base advisory linkset mapper landed under `CONCELIER-CORE-AOC-19-002`; policy enrichment work can now proceed with mapper outputs and observation schema fixtures.
-
+
-## Graph Explorer v1
+## Graph Explorer v1
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-GRAPH-21-001 `SBOM projection enrichment` | BLOCKED (2025-10-27) | Concelier Core Guild, Cartographer Guild | CONCELIER-POLICY-20-002, CARTO-GRAPH-21-002 | Extend SBOM normalization to emit full relationship graph (depends_on/contains/provides), scope tags, entrypoint annotations, and component metadata required by Cartographer. |
+| CONCELIER-GRAPH-21-001 `SBOM projection enrichment` | BLOCKED (2025-10-27) | Concelier Core Guild, Cartographer Guild | CONCELIER-POLICY-20-002, CARTO-GRAPH-21-002 | Extend SBOM normalization to emit full relationship graph (depends_on/contains/provides), scope tags, entrypoint annotations, and component metadata required by Cartographer. |
-> 2025-10-27: Waiting on policy-driven linkset enrichment (`CONCELIER-POLICY-20-002`) and Cartographer API contract (`CARTO-GRAPH-21-002`) to define required relationship payloads. Without those schemas the projection changes cannot be implemented deterministically.
+> 2025-10-27: Waiting on policy-driven linkset enrichment (`CONCELIER-POLICY-20-002`) and Cartographer API contract (`CARTO-GRAPH-21-002`) to define required relationship payloads. Without those schemas the projection changes cannot be implemented deterministically.
-> 2025-10-29: Cross-guild handshake captured in `docs/dev/cartographer-graph-handshake.md`; begin drafting enrichment plan once Cartographer ships the inspector schema/query patterns.
+> 2025-10-29: Cross-guild handshake captured in `docs/dev/cartographer-graph-handshake.md`; begin drafting enrichment plan once Cartographer ships the inspector schema/query patterns.
-| CONCELIER-GRAPH-21-002 `Change events` | BLOCKED (2025-10-27) | Concelier Core Guild, Scheduler Guild | CONCELIER-GRAPH-21-001 | Publish change events (new SBOM version, relationship delta) for Cartographer build queue; ensure events include tenant/context metadata. |
+| CONCELIER-GRAPH-21-002 `Change events` | BLOCKED (2025-10-27) | Concelier Core Guild, Scheduler Guild | CONCELIER-GRAPH-21-001 | Publish change events (new SBOM version, relationship delta) for Cartographer build queue; ensure events include tenant/context metadata. |
-> 2025-10-27: Depends on `CONCELIER-GRAPH-21-001`; event schema hinges on finalized projection output and Cartographer webhook contract, both pending.
+> 2025-10-27: Depends on `CONCELIER-GRAPH-21-001`; event schema hinges on finalized projection output and Cartographer webhook contract, both pending.
-> 2025-10-29: Action item from handshake doc — prepare sample `sbom.relationship.changed` payload + replay notes once schema lands; coordinate with Scheduler for queue semantics.
+> 2025-10-29: Action item from handshake doc — prepare sample `sbom.relationship.changed` payload + replay notes once schema lands; coordinate with Scheduler for queue semantics.
-
+
-## Link-Not-Merge v1
+## Link-Not-Merge v1
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
 |----|--------|----------|------------|-------|
 | CONCELIER-LNM-21-001 `Advisory observation schema` | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-001 | Introduce immutable `advisory_observations` model with AOC metadata, raw payload pointers, structured per-source fields (version ranges, severity, CVSS), and tenancy guardrails; publish schema definition. `DOCS-LNM-22-001` blocked pending this deliverable. |
-| CONCELIER-LNM-21-002 `Linkset builder` | TODO | Concelier Core Guild, Data Science Guild | CONCELIER-LNM-21-001 | Implement correlation pipeline (alias graph, PURL overlap, CVSS vector equality, fuzzy title match) that produces `advisory_linksets` with confidence + conflict annotations. Docs note: unblock `DOCS-LNM-22-001` once builder lands. |
+| CONCELIER-LNM-21-002 `Linkset builder` | TODO | Concelier Core Guild, Data Science Guild | CONCELIER-LNM-21-001 | Implement correlation pipeline (alias graph, PURL overlap, CVSS vector equality, fuzzy title match) that produces `advisory_linksets` with confidence + conflict annotations. Docs note: unblock `DOCS-LNM-22-001` once builder lands. |
-| CONCELIER-LNM-21-003 `Conflict annotator` | TODO | Concelier Core Guild | CONCELIER-LNM-21-002 | Detect field disagreements (severity, CVSS, ranges, references) and record structured conflicts on linksets; surface to API/UI. Docs awaiting structured conflict payloads. |
+| CONCELIER-LNM-21-003 `Conflict annotator` | TODO | Concelier Core Guild | CONCELIER-LNM-21-002 | Detect field disagreements (severity, CVSS, ranges, references) and record structured conflicts on linksets; surface to API/UI. Docs awaiting structured conflict payloads. |
-| CONCELIER-LNM-21-004 `Merge code removal` | TODO | Concelier Core Guild | CONCELIER-LNM-21-002 | Excise existing merge/dedup logic, enforce immutability on observations, and add guards/tests to prevent future merges. |
+| CONCELIER-LNM-21-004 `Merge code removal` | TODO | Concelier Core Guild | CONCELIER-LNM-21-002 | Excise existing merge/dedup logic, enforce immutability on observations, and add guards/tests to prevent future merges. |
-| CONCELIER-LNM-21-005 `Event emission` | TODO | Concelier Core Guild, Platform Events Guild | CONCELIER-LNM-21-002 | Emit `advisory.linkset.updated` events with delta payloads for downstream Policy Engine/Cartographer consumers; ensure idempotent delivery. |
+| CONCELIER-LNM-21-005 `Event emission` | TODO | Concelier Core Guild, Platform Events Guild | CONCELIER-LNM-21-002 | Emit `advisory.linkset.updated` events with delta payloads for downstream Policy Engine/Cartographer consumers; ensure idempotent delivery. |
-
+
-## Policy Engine + Editor v1
+## Policy Engine + Editor v1
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
 |----|--------|----------|------------|-------|
 | CONCELIER-POLICY-23-001 `Evidence indexes` | TODO | Concelier Core Guild | CONCELIER-LNM-21-002 | Add secondary indexes/materialized views to accelerate policy lookups (alias, provider severity per observation, correlation confidence). Document query contracts for runtime. |
-| CONCELIER-POLICY-23-002 `Event guarantees` | TODO | Concelier Core Guild, Platform Events Guild | CONCELIER-LNM-21-005 | Ensure `advisory.linkset.updated` emits at-least-once with idempotent keys and include policy-relevant metadata (confidence, conflict summary). |
+| CONCELIER-POLICY-23-002 `Event guarantees` | TODO | Concelier Core Guild, Platform Events Guild | CONCELIER-LNM-21-005 | Ensure `advisory.linkset.updated` emits at-least-once with idempotent keys and include policy-relevant metadata (confidence, conflict summary). |
-
+
-## Graph & Vuln Explorer v1
+## Graph & Vuln Explorer v1
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-> 2025-10-29: Filter-aware lookup path and /concelier/observations coverage landed; overlay services can consume raw advisory feeds deterministically.
+> 2025-10-29: Filter-aware lookup path and /concelier/observations coverage landed; overlay services can consume raw advisory feeds deterministically.
-
+
-## Reachability v1
+## Reachability v1
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-SIG-26-001 `Vulnerable symbol exposure` | TODO | Concelier Core Guild, Signals Guild | SIGNALS-24-002 | Expose advisory metadata (affected symbols/functions) via API to enrich reachability scoring; update fixtures. |
+| CONCELIER-SIG-26-001 `Vulnerable symbol exposure` | TODO | Concelier Core Guild, Signals Guild | SIGNALS-24-002 | Expose advisory metadata (affected symbols/functions) via API to enrich reachability scoring; update fixtures. |
-
+
-## Orchestrator Dashboard
+## Orchestrator Dashboard
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-ORCH-32-001 `Source registry integration` | TODO | Concelier Core Guild | ORCH-SVC-32-001, AUTH-ORCH-32-001 | Register Concelier data sources with orchestrator (metadata, schedules, rate policies) and wire provenance IDs/security scopes. |
+| CONCELIER-ORCH-32-001 `Source registry integration` | TODO | Concelier Core Guild | ORCH-SVC-32-001, AUTH-ORCH-32-001 | Register Concelier data sources with orchestrator (metadata, schedules, rate policies) and wire provenance IDs/security scopes. |
-| CONCELIER-ORCH-32-002 `Worker SDK adoption` | TODO | Concelier Core Guild | CONCELIER-ORCH-32-001, WORKER-GO-32-001, WORKER-PY-32-001 | Embed orchestrator worker SDK in ingestion loops, emit heartbeats/progress/artifact hashes, and enforce idempotency keys. |
+| CONCELIER-ORCH-32-002 `Worker SDK adoption` | TODO | Concelier Core Guild | CONCELIER-ORCH-32-001, WORKER-GO-32-001, WORKER-PY-32-001 | Embed orchestrator worker SDK in ingestion loops, emit heartbeats/progress/artifact hashes, and enforce idempotency keys. |
-| CONCELIER-ORCH-33-001 `Control hook compliance` | TODO | Concelier Core Guild | CONCELIER-ORCH-32-002, ORCH-SVC-33-001, ORCH-SVC-33-002 | Honor orchestrator throttle/pause/retry actions, surface structured error classes, and persist safe checkpoints for resume. |
+| CONCELIER-ORCH-33-001 `Control hook compliance` | TODO | Concelier Core Guild | CONCELIER-ORCH-32-002, ORCH-SVC-33-001, ORCH-SVC-33-002 | Honor orchestrator throttle/pause/retry actions, surface structured error classes, and persist safe checkpoints for resume. |
-| CONCELIER-ORCH-34-001 `Backfill + ledger linkage` | TODO | Concelier Core Guild | CONCELIER-ORCH-33-001, ORCH-SVC-33-003, ORCH-SVC-34-001 | Execute orchestrator-driven backfills, reuse artifact hashes to avoid duplicates, and link provenance to run ledger exports. |
+| CONCELIER-ORCH-34-001 `Backfill + ledger linkage` | TODO | Concelier Core Guild | CONCELIER-ORCH-33-001, ORCH-SVC-33-003, ORCH-SVC-34-001 | Execute orchestrator-driven backfills, reuse artifact hashes to avoid duplicates, and link provenance to run ledger exports. |
-
+
-## Authority-Backed Scopes & Tenancy (Epic 14)
+## Authority-Backed Scopes & Tenancy (Epic 14)
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-TEN-48-001 `Tenant-aware linking` | TODO | Concelier Core Guild | AUTH-TEN-47-001 | Ensure advisory normalization/linking runs per tenant with RLS enforcing isolation; emit capability endpoint reporting `merge=false`; update events with tenant context. |
+| CONCELIER-TEN-48-001 `Tenant-aware linking` | TODO | Concelier Core Guild | AUTH-TEN-47-001 | Ensure advisory normalization/linking runs per tenant with RLS enforcing isolation; emit capability endpoint reporting `merge=false`; update events with tenant context. |
-
+
-## Observability & Forensics (Epic 15)
+## Observability & Forensics (Epic 15)
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-OBS-50-001 `Telemetry adoption` | TODO | Concelier Core Guild, Observability Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002 | Replace ad-hoc logging with telemetry core across ingestion/linking pipelines; ensure spans/logs include tenant, source vendor, upstream id, content hash, and trace IDs. |
+| CONCELIER-OBS-50-001 `Telemetry adoption` | TODO | Concelier Core Guild, Observability Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002 | Replace ad-hoc logging with telemetry core across ingestion/linking pipelines; ensure spans/logs include tenant, source vendor, upstream id, content hash, and trace IDs. |
-| CONCELIER-OBS-51-001 `Metrics & SLOs` | TODO | Concelier Core Guild, DevOps Guild | CONCELIER-OBS-50-001, TELEMETRY-OBS-51-001 | Emit metrics for ingest latency (cold/warm), queue depth, aoc violation rate, and publish SLO burn-rate alerts (ingest P95 <30s cold / <5s warm). Ship dashboards + alert configs. |
+| CONCELIER-OBS-51-001 `Metrics & SLOs` | TODO | Concelier Core Guild, DevOps Guild | CONCELIER-OBS-50-001, TELEMETRY-OBS-51-001 | Emit metrics for ingest latency (cold/warm), queue depth, aoc violation rate, and publish SLO burn-rate alerts (ingest P95 <30s cold / <5s warm). Ship dashboards + alert configs. |
-| CONCELIER-OBS-52-001 `Timeline events` | TODO | Concelier Core Guild | CONCELIER-OBS-50-001, TIMELINE-OBS-52-002 | Emit `timeline_event` records for advisory ingest/normalization/linkset creation with provenance, trace IDs, conflict summaries, and evidence placeholders. |
+| CONCELIER-OBS-52-001 `Timeline events` | TODO | Concelier Core Guild | CONCELIER-OBS-50-001, TIMELINE-OBS-52-002 | Emit `timeline_event` records for advisory ingest/normalization/linkset creation with provenance, trace IDs, conflict summaries, and evidence placeholders. |
-| CONCELIER-OBS-53-001 `Evidence snapshots` | TODO | Concelier Core Guild, Evidence Locker Guild | CONCELIER-OBS-52-001, EVID-OBS-53-002 | Produce advisory evaluation bundle payloads (raw doc, linkset, normalization diff) for evidence locker; ensure Merkle manifests seeded with content hashes. |
+| CONCELIER-OBS-53-001 `Evidence snapshots` | TODO | Concelier Core Guild, Evidence Locker Guild | CONCELIER-OBS-52-001, EVID-OBS-53-002 | Produce advisory evaluation bundle payloads (raw doc, linkset, normalization diff) for evidence locker; ensure Merkle manifests seeded with content hashes. |
-| CONCELIER-OBS-54-001 `Attestation & verification` | TODO | Concelier Core Guild, Provenance Guild | CONCELIER-OBS-53-001, PROV-OBS-54-001 | Attach DSSE attestations for advisory processing batches, expose verification API to confirm bundle integrity, and link attestation IDs back to timeline + ledger. |
+| CONCELIER-OBS-54-001 `Attestation & verification` | TODO | Concelier Core Guild, Provenance Guild | CONCELIER-OBS-53-001, PROV-OBS-54-001 | Attach DSSE attestations for advisory processing batches, expose verification API to confirm bundle integrity, and link attestation IDs back to timeline + ledger. |
-| CONCELIER-OBS-55-001 `Incident mode hooks` | TODO | Concelier Core Guild, DevOps Guild | CONCELIER-OBS-51-001, DEVOPS-OBS-55-001 | Increase sampling, capture raw payload snapshots, and extend retention under incident mode; emit activation events + guardrails against PII leak. |
+| CONCELIER-OBS-55-001 `Incident mode hooks` | TODO | Concelier Core Guild, DevOps Guild | CONCELIER-OBS-51-001, DEVOPS-OBS-55-001 | Increase sampling, capture raw payload snapshots, and extend retention under incident mode; emit activation events + guardrails against PII leak. |
-
+
-## Air-Gapped Mode (Epic 16)
+## Air-Gapped Mode (Epic 16)
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Concelier Core Guild | AIRGAP-IMP-57-002, MIRROR-CRT-56-001 | Add mirror source adapters reading advisories from imported bundles, preserving source metadata and bundle IDs. Ensure ingestion remains append-only. |
+| CONCELIER-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Concelier Core Guild | AIRGAP-IMP-57-002, MIRROR-CRT-56-001 | Add mirror source adapters reading advisories from imported bundles, preserving source metadata and bundle IDs. Ensure ingestion remains append-only. |
-| CONCELIER-AIRGAP-56-002 `Bundle catalog linking` | TODO | Concelier Core Guild, AirGap Importer Guild | CONCELIER-AIRGAP-56-001, AIRGAP-IMP-57-001 | Persist `bundle_id`, `merkle_root`, and time anchor references on observations/linksets for provenance. |
+| CONCELIER-AIRGAP-56-002 `Bundle catalog linking` | TODO | Concelier Core Guild, AirGap Importer Guild | CONCELIER-AIRGAP-56-001, AIRGAP-IMP-57-001 | Persist `bundle_id`, `merkle_root`, and time anchor references on observations/linksets for provenance. |
-| CONCELIER-AIRGAP-57-001 `Sealed-mode source restrictions` | TODO | Concelier Core Guild, AirGap Policy Guild | CONCELIER-AIRGAP-56-001, AIRGAP-POL-56-001 | Enforce sealed-mode egress rules by disallowing non-mirror connectors and surfacing remediation errors. |
+| CONCELIER-AIRGAP-57-001 `Sealed-mode source restrictions` | TODO | Concelier Core Guild, AirGap Policy Guild | CONCELIER-AIRGAP-56-001, AIRGAP-POL-56-001 | Enforce sealed-mode egress rules by disallowing non-mirror connectors and surfacing remediation errors. |
-| CONCELIER-AIRGAP-57-002 `Staleness annotations` | TODO | Concelier Core Guild, AirGap Time Guild | CONCELIER-AIRGAP-56-002, AIRGAP-TIME-58-001 | Compute staleness metadata for advisories per bundle and expose via API for Console/CLI badges. |
+| CONCELIER-AIRGAP-57-002 `Staleness annotations` | TODO | Concelier Core Guild, AirGap Time Guild | CONCELIER-AIRGAP-56-002, AIRGAP-TIME-58-001 | Compute staleness metadata for advisories per bundle and expose via API for Console/CLI badges. |
-| CONCELIER-AIRGAP-58-001 `Portable advisory evidence` | TODO | Concelier Core Guild, Evidence Locker Guild | CONCELIER-OBS-53-001, EVID-OBS-54-001 | Package advisory evidence fragments into portable evidence bundles for cross-domain transfer. |
+| CONCELIER-AIRGAP-58-001 `Portable advisory evidence` | TODO | Concelier Core Guild, Evidence Locker Guild | CONCELIER-OBS-53-001, EVID-OBS-54-001 | Package advisory evidence fragments into portable evidence bundles for cross-domain transfer. |
-
+
-## SDKs & OpenAPI (Epic 17)
+## SDKs & OpenAPI (Epic 17)
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-OAS-61-001 `Spec coverage` | TODO | Concelier Core Guild, API Contracts Guild | OAS-61-001 | Update Concelier OAS with advisory observation/linkset endpoints, standard pagination, and source provenance fields. |
+| CONCELIER-OAS-61-001 `Spec coverage` | TODO | Concelier Core Guild, API Contracts Guild | OAS-61-001 | Update Concelier OAS with advisory observation/linkset endpoints, standard pagination, and source provenance fields. |
-| CONCELIER-OAS-61-002 `Examples library` | TODO | Concelier Core Guild | CONCELIER-OAS-61-001 | Provide rich examples for advisories, linksets, conflict annotations used by SDK + docs. |
+| CONCELIER-OAS-61-002 `Examples library` | TODO | Concelier Core Guild | CONCELIER-OAS-61-001 | Provide rich examples for advisories, linksets, conflict annotations used by SDK + docs. |
-| CONCELIER-OAS-62-001 `SDK smoke tests` | TODO | Concelier Core Guild, SDK Generator Guild | CONCELIER-OAS-61-001, SDKGEN-63-001 | Add SDK tests covering advisory search, pagination, and conflict handling; ensure source metadata surfaced. |
+| CONCELIER-OAS-62-001 `SDK smoke tests` | TODO | Concelier Core Guild, SDK Generator Guild | CONCELIER-OAS-61-001, SDKGEN-63-001 | Add SDK tests covering advisory search, pagination, and conflict handling; ensure source metadata surfaced. |
-| CONCELIER-OAS-63-001 `Deprecation headers` | TODO | Concelier Core Guild, API Governance Guild | APIGOV-63-001 | Implement deprecation header support and timeline events for retiring endpoints. |
+| CONCELIER-OAS-63-001 `Deprecation headers` | TODO | Concelier Core Guild, API Governance Guild | APIGOV-63-001 | Implement deprecation header support and timeline events for retiring endpoints. |
-
+
-## Risk Profiles (Epic 18)
+## Risk Profiles (Epic 18)
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-RISK-66-001 `CVSS/KEV providers` | TODO | Concelier Core Guild, Risk Engine Guild | RISK-ENGINE-67-001 | Expose CVSS, KEV, fix availability data via provider APIs with source metadata preserved. |
+| CONCELIER-RISK-66-001 `CVSS/KEV providers` | TODO | Concelier Core Guild, Risk Engine Guild | RISK-ENGINE-67-001 | Expose CVSS, KEV, fix availability data via provider APIs with source metadata preserved. |
 | CONCELIER-RISK-66-002 `Fix availability signals` | TODO | Concelier Core Guild | CONCELIER-RISK-66-001 | Provide structured fix availability and release metadata consumable by risk engine; document provenance. |
 | CONCELIER-RISK-67-001 `Source coverage metrics` | TODO | Concelier Core Guild | CONCELIER-RISK-66-001 | Add per-source coverage metrics for linked advisories (observation counts, conflicting statuses) without computing consensus scores; ensure explainability includes source digests. |
 | CONCELIER-RISK-68-001 `Policy Studio integration` | TODO | Concelier Core Guild, Policy Studio Guild | POLICY-RISK-68-001 | Surface advisory fields in Policy Studio profile editor (signal pickers, reducers). |

src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md

@@ -1,14 +1,14 @@
-# TASKS
+# TASKS
-| Task | Owner(s) | Depends on | Notes |
+| Task | Owner(s) | Depends on | Notes |
 |---|---|---|---|
 |Link-Not-Merge version provenance coordination|BE-Merge|CONCELIER-LNM-21-001|**DOING** – Coordinate remaining connectors (`Acsc`, `Cccs`, `CertBund`, `CertCc`, `Cve`, `Ghsa`, `Ics.Cisa`, `Kisa`, `Ru.Bdu`, `Ru.Nkcki`, `Vndr.Apple`, `Vndr.Cisco`, `Vndr.Msrc`) so they emit `advisory_observations.affected.versions[]` entries with provenance tags and deterministic comparison keys. Track rollout status in `docs/dev/normalized-rule-recipes.md` (now updated for Link-Not-Merge) and retire the legacy merge counters as coverage transitions to linkset validation metrics.<br>2025-10-29: Added new guidance in the doc for recording observation version metadata and logging gaps via `LinksetVersionCoverage` warnings to replace prior `concelier.merge.normalized_rules*` alerts.|
 |FEEDMERGE-COORD-02-901 Connector deadline check-ins|BE-Merge|FEEDMERGE-COORD-02-900|**TODO (due 2025-10-21)** – Confirm Cccs/Cisco version-provenance updates land, capture `LinksetVersionCoverage` dashboard snapshots (expect zero missing-range warnings), and update coordination docs with the results.<br>2025-10-29: Observation metrics now surface `version_entries_total`/`missing_version_entries_total`; include screenshots for both when closing this task.|
 |FEEDMERGE-COORD-02-902 ICS-CISA version comparison support|BE-Merge, Models|FEEDMERGE-COORD-02-900|**TODO (due 2025-10-23)** – Review ICS-CISA sample advisories, validate reuse of existing comparison helpers, and pre-stage Models ticket template only if a new firmware comparator is required. Document the outcome and observation coverage logs in coordination docs + tracker files.<br>2025-10-29: `docs/dev/normalized-rule-recipes.md` (§2–§3) now covers observation entries; attach decision summary + log sample when handing off to Models.|
 |FEEDMERGE-COORD-02-903 KISA firmware scheme review|BE-Merge, Models|FEEDMERGE-COORD-02-900|**TODO (due 2025-10-24)** – Pair with KISA team on proposed firmware comparison helper (`kisa.build` or variant), ensure observation mapper alignment, and open Models ticket only if a new comparator is required. Log the final helper signature and observation coverage metrics in coordination docs + tracker files.|
-
+
-## Link-Not-Merge v1 Transition
+## Link-Not-Merge v1 Transition
-| Task | Owner(s) | Depends on | Notes |
+| Task | Owner(s) | Depends on | Notes |
-|---|---|---|---|
+|---|---|---|---|
-|MERGE-LNM-21-001 Migration plan authoring|BE-Merge, Architecture Guild|CONCELIER-LNM-21-101|Draft `no-merge` migration playbook, documenting backfill strategy, feature flag rollout, and rollback steps for legacy merge pipeline deprecation.|
+|MERGE-LNM-21-001 Migration plan authoring|BE-Merge, Architecture Guild|CONCELIER-LNM-21-101|Draft `no-merge` migration playbook, documenting backfill strategy, feature flag rollout, and rollback steps for legacy merge pipeline deprecation.|
-|MERGE-LNM-21-002 Merge service deprecation|BE-Merge|MERGE-LNM-21-001|Refactor or retire `AdvisoryMergeService` and related pipelines, ensuring callers transition to observation/linkset APIs; add compile-time analyzer preventing merge service usage.|
+|MERGE-LNM-21-002 Merge service deprecation|BE-Merge|MERGE-LNM-21-001|Refactor or retire `AdvisoryMergeService` and related pipelines, ensuring callers transition to observation/linkset APIs; add compile-time analyzer preventing merge service usage.|
-|MERGE-LNM-21-003 Determinism/test updates|QA Guild, BE-Merge|MERGE-LNM-21-002|Replace merge determinism suites with observation/linkset regression tests verifying no data mutation and conflicts remain visible.|
+|MERGE-LNM-21-003 Determinism/test updates|QA Guild, BE-Merge|MERGE-LNM-21-002|Replace merge determinism suites with observation/linkset regression tests verifying no data mutation and conflicts remain visible.|

src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md

@@ -1,27 +1,26 @@
-# TASKS — Epic 1: Aggregation-Only Contract
+# TASKS — Epic 1: Aggregation-Only Contract
-> **AOC Reminder:** storage enforces append-only raw documents; no precedence/severity/normalization in ingestion collections.
+> **AOC Reminder:** storage enforces append-only raw documents; no precedence/severity/normalization in ingestion collections.
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|---|---|---|---|---|
+|---|---|---|---|---|
-> 2025-10-28: Added configurable validator migration (`20251028_advisory_raw_validator`), bootstrapper collection registration, storage options toggle, and Mongo migration tests covering schema + enforcement levels.
+> 2025-10-28: Added configurable validator migration (`20251028_advisory_raw_validator`), bootstrapper collection registration, storage options toggle, and Mongo migration tests covering schema + enforcement levels.
-> Docs alignment (2025-10-26): Validator expectations + deployment steps documented in `docs/deploy/containers.md` §1.
+> Docs alignment (2025-10-26): Validator expectations + deployment steps documented in `docs/deploy/containers.md` §1.
-> 2025-10-28: Added `20251028_advisory_raw_idempotency_index` migration that detects duplicate raw advisories before creating the unique compound index, wired into DI, and extended migration tests to cover index shape + duplicate handling with supporting package updates.
+> 2025-10-28: Added `20251028_advisory_raw_idempotency_index` migration that detects duplicate raw advisories before creating the unique compound index, wired into DI, and extended migration tests to cover index shape + duplicate handling with supporting package updates.
-> Docs alignment (2025-10-26): Idempotency contract + supersedes metrics in `docs/ingestion/aggregation-only-contract.md` §7 and observability guide.
+> Docs alignment (2025-10-26): Idempotency contract + supersedes metrics in `docs/ingestion/aggregation-only-contract.md` §7 and observability guide.
-> 2025-10-28: Added supersedes backfill migration (`20251028_advisory_supersedes_backfill`) that renames `advisory` to a read-only view, snapshots data into `_backup_20251028`, and walks raw revisions to populate deterministic supersedes chains with integration coverage and operator scripts.
+> 2025-10-28: Added supersedes backfill migration (`20251028_advisory_supersedes_backfill`) that renames `advisory` to a read-only view, snapshots data into `_backup_20251028`, and walks raw revisions to populate deterministic supersedes chains with integration coverage and operator scripts.
-> Docs alignment (2025-10-26): Rollback guidance added to `docs/deploy/containers.md` §6.
+> Docs alignment (2025-10-26): Rollback guidance added to `docs/deploy/containers.md` §6.
-> 2025-10-28: Documented duplicate audit + migration workflow in `docs/deploy/containers.md`, Offline Kit guide, and `MIGRATIONS.md`; published `ops/devops/scripts/check-advisory-raw-duplicates.js` for staging/offline clusters.
+> 2025-10-28: Documented duplicate audit + migration workflow in `docs/deploy/containers.md`, Offline Kit guide, and `MIGRATIONS.md`; published `ops/devops/scripts/check-advisory-raw-duplicates.js` for staging/offline clusters.
-> Docs alignment (2025-10-26): Offline kit requirements documented in `docs/deploy/containers.md` §5.
+> Docs alignment (2025-10-26): Offline kit requirements documented in `docs/deploy/containers.md` §5.
-| CONCELIER-STORE-AOC-19-005 `Raw linkset backfill` | TODO (2025-11-04) | Concelier Storage Guild, DevOps Guild | CONCELIER-CORE-AOC-19-004 | Plan and execute advisory_observations `rawLinkset` backfill (online + Offline Kit bundles), supply migration scripts + rehearse rollback. Follow the coordination plan in `docs/dev/raw-linkset-backfill-plan.md`. |
+| CONCELIER-STORE-AOC-19-005 `Raw linkset backfill` | TODO (2025-11-04) | Concelier Storage Guild, DevOps Guild | CONCELIER-CORE-AOC-19-004 | Plan and execute advisory_observations `rawLinkset` backfill (online + Offline Kit bundles), supply migration scripts + rehearse rollback. Follow the coordination plan in `docs/dev/raw-linkset-backfill-plan.md`. |
-
+
-## Policy Engine v2
+## Policy Engine v2
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-POLICY-20-003 `Selection cursors` | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-002, POLICY-ENGINE-20-003 | Add advisory/vex selection cursors (per policy run) with change stream checkpoints, indexes, and offline migration scripts to support incremental evaluations. |
+| CONCELIER-POLICY-20-003 `Selection cursors` | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-002, POLICY-ENGINE-20-003 | Add advisory/vex selection cursors (per policy run) with change stream checkpoints, indexes, and offline migration scripts to support incremental evaluations. |
-
+
-## Link-Not-Merge v1
+## Link-Not-Merge v1
-
+
-| ID | Status | Owner(s) | Depends on | Notes |
+| ID | Status | Owner(s) | Depends on | Notes |
-|----|--------|----------|------------|-------|
+|----|--------|----------|------------|-------|
-| CONCELIER-LNM-21-101 `Observations collections` | TODO | Concelier Storage Guild | CONCELIER-LNM-21-001 | Provision `advisory_observations` and `advisory_linksets` collections with hashed shard keys, TTL for ingest metadata, and required indexes (`aliases`, `purls`, `observation_ids`). |
+| CONCELIER-LNM-21-101 `Observations collections` | TODO | Concelier Storage Guild | CONCELIER-LNM-21-001 | Provision `advisory_observations` and `advisory_linksets` collections with hashed shard keys, TTL for ingest metadata, and required indexes (`aliases`, `purls`, `observation_ids`). |
-| CONCELIER-LNM-21-102 `Migration tooling` | TODO | Concelier Storage Guild, DevOps Guild | CONCELIER-LNM-21-101 | Backfill legacy merged advisories into observation/linkset collections, create tombstones for merged docs, and supply rollback scripts. |
+| CONCELIER-LNM-21-102 `Migration tooling` | TODO | Concelier Storage Guild, DevOps Guild | CONCELIER-LNM-21-101 | Backfill legacy merged advisories into observation/linkset collections, create tombstones for merged docs, and supply rollback scripts. |
-| CONCELIER-LNM-21-103 `Blob/store wiring` | TODO | Concelier Storage Guild | CONCELIER-LNM-21-101 | Store large raw payloads in object storage with pointers from observations; update bootstrapper/offline kit to seed sample blobs. |

src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md

@@ -1,6 +1,6 @@
-# StellaOps Mirror VEX Connector Task Board (Sprint 7)
+# StellaOps Mirror VEX Connector Task Board (Sprint 7)
-
+
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
 |----|--------|----------|------------|-------------|---------------|
 | EXCITITOR-CONN-STELLA-07-002 | TODO | Excititor Connectors – Stella | EXCITITOR-CONN-STELLA-07-001 | Parse mirror bundles into raw `VexClaim` batches, preserving original provider metadata and mirror provenance without applying consensus or weighting. | Normalizer emits deterministic VexClaims with full provenance (no policy metadata), fixtures assert parity with source exports. |
 | EXCITITOR-CONN-STELLA-07-003 | TODO | Excititor Connectors – Stella | EXCITITOR-CONN-STELLA-07-002 | Implement incremental cursor handling per-export digest for raw claim replays, support resume, and document configuration for downstream Excititor mirrors. | Connector resumes from last export digest, handles delta/export rotation, docs show configuration; integration test covers resume + raw ingest parity. |

src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md

@@ -1,7 +1,6 @@
-If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
+If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
-# TASKS
+# TASKS
-| Task | Owner(s) | Depends on | Notes |
+| Task | Owner(s) | Depends on | Notes |
-|---|---|---|---|
+|---|---|---|---|
-|EXCITITOR-ATTEST-01-003 – Verification suite & observability|Team Excititor Attestation|EXCITITOR-ATTEST-01-002|DOING (2025-10-22) – Continuing implementation: build `IVexAttestationVerifier`, wire metrics/logging, and add regression tests. Draft plan in `EXCITITOR-ATTEST-01-003-plan.md` (2025-10-19) guides scope; updating with worknotes as progress lands.<br>2025-10-31: Verifier now tolerates duplicate source providers from AOC raw projections, downgrades offline Rekor verification to a degraded result, and enforces trusted signer registry checks with detailed diagnostics/tests.|
+|EXCITITOR-ATTEST-01-003 – Verification suite & observability|Team Excititor Attestation|EXCITITOR-ATTEST-01-002|DOING (2025-10-22) – Continuing implementation: build `IVexAttestationVerifier`, wire metrics/logging, and add regression tests. Draft plan in `EXCITITOR-ATTEST-01-003-plan.md` (2025-10-19) guides scope; updating with worknotes as progress lands.<br>2025-10-31: Verifier now tolerates duplicate source providers from AOC raw projections, downgrades offline Rekor verification to a degraded result, and enforces trusted signer registry checks with detailed diagnostics/tests.|
-
+
-> Remark (2025-10-22): Added verifier implementation + metrics/tests; next steps include wiring into WebService/Worker flows and expanding negative-path coverage.

src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Verification/VexAttestationVerifier.cs

@@ -183,8 +183,7 @@ internal sealed class VexAttestationVerifier : IVexAttestationVerifier
         catch (Exception ex)
         {
             diagnostics["error"] = ex.GetType().Name;
-            diagnostics["error.message"] = ex.Message;
+            diagnostics["error.message"] = ex.Message;            resultLabel = "error";
-            resultLabel = "error";
             _logger.LogError(ex, "Unexpected exception verifying attestation for export {ExportId}", request.Attestation.ExportId);
             return BuildResult(false);
         }

src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md

@@ -1,5 +1,5 @@
-If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
+If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
-# TASKS
+# TASKS
-| Task | Owner(s) | Depends on | Notes |
+| Task | Owner(s) | Depends on | Notes |
 |---|---|---|---|
 |EXCITITOR-CONN-ORACLE-01-003 – Trust provenance enrichment|Team Excititor Connectors – Oracle|EXCITITOR-CONN-ORACLE-01-002, EXCITITOR-POLICY-01-001|TODO – Emit Oracle signing metadata (PGP/cosign fingerprint list, issuer trust tier) into raw provenance so downstream services can evaluate trust. Connector must not apply consensus weighting during ingestion.|

src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md

@@ -1,5 +1,5 @@
-If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
+If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
-# TASKS
+# TASKS
-| Task | Owner(s) | Depends on | Notes |
+| Task | Owner(s) | Depends on | Notes |
 |---|---|---|---|
 |EXCITITOR-CONN-SUSE-01-003 – Trust metadata provenance|Team Excititor Connectors – SUSE|EXCITITOR-CONN-SUSE-01-002, EXCITITOR-POLICY-01-001|TODO – Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion.|

src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md

@@ -1,6 +1,6 @@
-If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
+If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
-# TASKS
+# TASKS
-| Task | Owner(s) | Depends on | Notes |
+| Task | Owner(s) | Depends on | Notes |
 |---|---|---|---|
 |EXCITITOR-CONN-UBUNTU-01-003 – Trust provenance enrichment|Team Excititor Connectors – Ubuntu|EXCITITOR-CONN-UBUNTU-01-002, EXCITITOR-POLICY-01-001|TODO – Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting.|
-> Remark (2025-10-29, EXCITITOR-CONN-UBUNTU-01-002): Offline + network regression pass validated resume tokens, dedupe skips, checksum enforcement, and ETag handling before closing the task.
+> Remark (2025-10-29, EXCITITOR-CONN-UBUNTU-01-002): Offline + network regression pass validated resume tokens, dedupe skips, checksum enforcement, and ETag handling before closing the task.

src/Scanner/docs/events/samples/scanner.event.report.ready@1.sample.json

@@ -1,101 +1,101 @@
-{
+{
-  "eventId": "6d2d1b77-f3c3-4f70-8a9d-6f2d0c8801ab",
+    "eventId": "6d2d1b77-f3c3-4f70-8a9d-6f2d0c8801ab",
-  "kind": "scanner.event.report.ready",
+    "kind": "scanner.event.report.ready",
-  "version": 1,
+    "version": 1,
-  "tenant": "tenant-alpha",
+    "tenant": "tenant-alpha",
-  "occurredAt": "2025-10-19T12:34:56Z",
+    "occurredAt": "2025-10-19T12:34:56Z",
-  "recordedAt": "2025-10-19T12:34:57Z",
+    "recordedAt": "2025-10-19T12:34:57Z",
-  "source": "scanner.webservice",
+    "source": "scanner.webservice",
-  "idempotencyKey": "scanner.event.report.ready:tenant-alpha:report-abc",
+    "idempotencyKey": "scanner.event.report.ready:tenant-alpha:report-abc",
-  "correlationId": "report-abc",
+    "correlationId": "report-abc",
-  "traceId": "0af7651916cd43dd8448eb211c80319c",
+    "traceId": "0af7651916cd43dd8448eb211c80319c",
-  "spanId": "b7ad6b7169203331",
+    "spanId": "b7ad6b7169203331",
-  "scope": {
+    "scope": {
-    "namespace": "acme/edge",
+        "namespace": "acme/edge",
-    "repo": "api",
+        "repo": "api",
-    "digest": "sha256:feedface"
+        "digest": "sha256:feedface"
-  },
-  "attributes": {
-    "reportId": "report-abc",
-    "policyRevisionId": "rev-42",
-    "policyDigest": "digest-123",
-    "verdict": "blocked"
-  },
-  "payload": {
-    "reportId": "report-abc",
-    "scanId": "report-abc",
-    "imageDigest": "sha256:feedface",
-    "generatedAt": "2025-10-19T12:34:56Z",
-    "verdict": "fail",
-    "summary": {
-      "total": 1,
-      "blocked": 1,
-      "warned": 0,
-      "ignored": 0,
-      "quieted": 0
-    },
-    "delta": {
-      "newCritical": 1,
-      "kev": [
-        "CVE-2024-9999"
-      ]
-    },
-    "quietedFindingCount": 0,
-    "policy": {
-      "digest": "digest-123",
-      "revisionId": "rev-42"
-    },
-  "links": {
-    "report": {
-      "ui": "https://scanner.example/ui/reports/report-abc",
-      "api": "https://scanner.example/api/v1/reports/report-abc"
     },
-    "policy": {
+    "attributes": {
-      "ui": "https://scanner.example/ui/policy/revisions/rev-42",
+        "reportId": "report-abc",
-      "api": "https://scanner.example/api/v1/policy/revisions/rev-42"
+        "policyRevisionId": "rev-42",
+        "policyDigest": "digest-123",
+        "verdict": "blocked"
     },
-    "attestation": {
+    "payload": {
-      "ui": "https://scanner.example/ui/attestations/report-abc",
+        "reportId": "report-abc",
-      "api": "https://scanner.example/api/v1/reports/report-abc/attestation"
+        "scanId": "report-abc",
+        "imageDigest": "sha256:feedface",
+        "generatedAt": "2025-10-19T12:34:56Z",
+        "verdict": "fail",
+        "summary": {
+            "total": 1,
+            "blocked": 1,
+            "warned": 0,
+            "ignored": 0,
+            "quieted": 0
+        },
+        "delta": {
+            "newCritical": 1,
+            "kev": [
+                "CVE-2024-9999"
+            ]
+        },
+        "quietedFindingCount": 0,
+        "policy": {
+            "digest": "digest-123",
+            "revisionId": "rev-42"
+        },
+        "links": {
+            "report": {
+                "ui": "https://scanner.example/ui/reports/report-abc",
+                "api": "https://scanner.example/api/v1/reports/report-abc"
+            },
+            "policy": {
+                "ui": "https://scanner.example/ui/policy/revisions/rev-42",
+                "api": "https://scanner.example/api/v1/policy/revisions/rev-42"
+            },
+            "attestation": {
+                "ui": "https://scanner.example/ui/attestations/report-abc",
+                "api": "https://scanner.example/api/v1/reports/report-abc/attestation"
+            }
+        },
+        "dsse": {
+            "payloadType": "application/vnd.stellaops.report+json",
+            "payload": "eyJyZXBvcnRJZCI6InJlcG9ydC1hYmMiLCJpbWFnZURpZ2VzdCI6InNoYTI1NjpmZWVkZmFjZSIsImdlbmVyYXRlZEF0IjoiMjAyNS0xMC0xOVQxMjozNDo1NiswMDowMCIsInZlcmRpY3QiOiJibG9ja2VkIiwicG9saWN5Ijp7InJldmlzaW9uSWQiOiJyZXYtNDIiLCJkaWdlc3QiOiJkaWdlc3QtMTIzIn0sInN1bW1hcnkiOnsidG90YWwiOjEsImJsb2NrZWQiOjEsIndhcm5lZCI6MCwiaWdub3JlZCI6MCwicXVpZXRlZCI6MH0sInZlcmRpY3RzIjpbeyJmaW5kaW5nSWQiOiJmaW5kaW5nLTEiLCJzdGF0dXMiOiJCbG9ja2VkIiwic2NvcmUiOjQ3LjUsInNvdXJjZVRydXN0IjoiTlZEIiwicmVhY2hhYmlsaXR5IjoicnVudGltZSJ9XSwiaXNzdWVzIjpbXX0=",
+            "signatures": [
+                {
+                    "keyId": "test-key",
+                    "algorithm": "hs256",
+                    "signature": "signature-value"
+                }
+            ]
+        },
+        "report": {
+            "reportId": "report-abc",
+            "generatedAt": "2025-10-19T12:34:56Z",
+            "imageDigest": "sha256:feedface",
+            "policy": {
+                "digest": "digest-123",
+                "revisionId": "rev-42"
+            },
+            "summary": {
+                "total": 1,
+                "blocked": 1,
+                "warned": 0,
+                "ignored": 0,
+                "quieted": 0
+            },
+            "verdict": "blocked",
+            "verdicts": [
+                {
+                    "findingId": "finding-1",
+                    "status": "Blocked",
+                    "score": 47.5,
+                    "sourceTrust": "NVD",
+                    "reachability": "runtime"
+                }
+            ],
+            "issues": []
+        }
     }
-  },
+}
-    "dsse": {
-      "payloadType": "application/vnd.stellaops.report+json",
-      "payload": "eyJyZXBvcnRJZCI6InJlcG9ydC1hYmMiLCJpbWFnZURpZ2VzdCI6InNoYTI1NjpmZWVkZmFjZSIsImdlbmVyYXRlZEF0IjoiMjAyNS0xMC0xOVQxMjozNDo1NiswMDowMCIsInZlcmRpY3QiOiJibG9ja2VkIiwicG9saWN5Ijp7InJldmlzaW9uSWQiOiJyZXYtNDIiLCJkaWdlc3QiOiJkaWdlc3QtMTIzIn0sInN1bW1hcnkiOnsidG90YWwiOjEsImJsb2NrZWQiOjEsIndhcm5lZCI6MCwiaWdub3JlZCI6MCwicXVpZXRlZCI6MH0sInZlcmRpY3RzIjpbeyJmaW5kaW5nSWQiOiJmaW5kaW5nLTEiLCJzdGF0dXMiOiJCbG9ja2VkIiwic2NvcmUiOjQ3LjUsInNvdXJjZVRydXN0IjoiTlZEIiwicmVhY2hhYmlsaXR5IjoicnVudGltZSJ9XSwiaXNzdWVzIjpbXX0=",
-      "signatures": [
-        {
-          "keyId": "test-key",
-          "algorithm": "hs256",
-          "signature": "signature-value"
-        }
-      ]
-    },
-    "report": {
-      "reportId": "report-abc",
-      "generatedAt": "2025-10-19T12:34:56Z",
-      "imageDigest": "sha256:feedface",
-      "policy": {
-        "digest": "digest-123",
-        "revisionId": "rev-42"
-      },
-      "summary": {
-        "total": 1,
-        "blocked": 1,
-        "warned": 0,
-        "ignored": 0,
-        "quieted": 0
-      },
-      "verdict": "blocked",
-      "verdicts": [
-        {
-          "findingId": "finding-1",
-          "status": "Blocked",
-          "score": 47.5,
-          "sourceTrust": "NVD",
-          "reachability": "runtime"
-        }
-      ],
-      "issues": []
-    }
-  }
-}

src/Scanner/docs/events/samples/scanner.event.scan.completed@1.sample.json

@@ -1,107 +1,107 @@
-{
+{
-  "eventId": "08a6de24-4a94-4d14-8432-9d14f36f6da3",
+    "eventId": "08a6de24-4a94-4d14-8432-9d14f36f6da3",
-  "kind": "scanner.event.scan.completed",
+    "kind": "scanner.event.scan.completed",
-  "version": 1,
+    "version": 1,
-  "tenant": "tenant-alpha",
+    "tenant": "tenant-alpha",
-  "occurredAt": "2025-10-19T12:34:56Z",
+    "occurredAt": "2025-10-19T12:34:56Z",
-  "recordedAt": "2025-10-19T12:34:57Z",
+    "recordedAt": "2025-10-19T12:34:57Z",
-  "source": "scanner.webservice",
+    "source": "scanner.webservice",
-  "idempotencyKey": "scanner.event.scan.completed:tenant-alpha:report-abc",
+    "idempotencyKey": "scanner.event.scan.completed:tenant-alpha:report-abc",
-  "correlationId": "report-abc",
+    "correlationId": "report-abc",
-  "traceId": "4bf92f3577b34da6a3ce929d0e0e4736",
+    "traceId": "4bf92f3577b34da6a3ce929d0e0e4736",
-  "scope": {
+    "scope": {
-    "namespace": "acme/edge",
+        "namespace": "acme/edge",
-    "repo": "api",
+        "repo": "api",
-    "digest": "sha256:feedface"
+        "digest": "sha256:feedface"
-  },
-  "attributes": {
-    "reportId": "report-abc",
-    "policyRevisionId": "rev-42",
-    "policyDigest": "digest-123",
-    "verdict": "blocked"
-  },
-  "payload": {
-    "reportId": "report-abc",
-    "scanId": "report-abc",
-    "imageDigest": "sha256:feedface",
-    "verdict": "fail",
-    "summary": {
-      "total": 1,
-      "blocked": 1,
-      "warned": 0,
-      "ignored": 0,
-      "quieted": 0
-    },
-    "delta": {
-      "newCritical": 1,
-      "kev": [
-        "CVE-2024-9999"
-      ]
-    },
-    "policy": {
-      "digest": "digest-123",
-      "revisionId": "rev-42"
-    },
-    "findings": [
-      {
-        "id": "finding-1",
-        "severity": "Critical",
-        "cve": "CVE-2024-9999",
-        "purl": "pkg:docker/acme/edge-api@sha256-feedface",
-        "reachability": "runtime"
-      }
-    ],
-    "links": {
-      "report": {
-        "ui": "https://scanner.example/ui/reports/report-abc",
-        "api": "https://scanner.example/api/v1/reports/report-abc"
-      },
-      "policy": {
-        "ui": "https://scanner.example/ui/policy/revisions/rev-42",
-        "api": "https://scanner.example/api/v1/policy/revisions/rev-42"
-      },
-      "attestation": {
-        "ui": "https://scanner.example/ui/attestations/report-abc",
-        "api": "https://scanner.example/api/v1/reports/report-abc/attestation"
-      }
     },
-    "dsse": {
+    "attributes": {
-      "payloadType": "application/vnd.stellaops.report+json",
+        "reportId": "report-abc",
-      "payload": "eyJyZXBvcnRJZCI6InJlcG9ydC1hYmMiLCJpbWFnZURpZ2VzdCI6InNoYTI1NjpmZWVkZmFjZSIsImdlbmVyYXRlZEF0IjoiMjAyNS0xMC0xOVQxMjozNDo1NiswMDowMCIsInZlcmRpY3QiOiJibG9ja2VkIiwicG9saWN5Ijp7InJldmlzaW9uSWQiOiJyZXYtNDIiLCJkaWdlc3QiOiJkaWdlc3QtMTIzIn0sInN1bW1hcnkiOnsidG90YWwiOjEsImJsb2NrZWQiOjEsIndhcm5lZCI6MCwiaWdub3JlZCI6MCwicXVpZXRlZCI6MH0sInZlcmRpY3RzIjpbeyJmaW5kaW5nSWQiOiJmaW5kaW5nLTEiLCJzdGF0dXMiOiJCbG9ja2VkIiwic2NvcmUiOjQ3LjUsInNvdXJjZVRydXN0IjoiTlZEIiwicmVhY2hhYmlsaXR5IjoicnVudGltZSJ9XSwiaXNzdWVzIjpbXX0=",
+        "policyRevisionId": "rev-42",
-      "signatures": [
+        "policyDigest": "digest-123",
-        {
+        "verdict": "blocked"
-          "keyId": "test-key",
+    },
-          "algorithm": "hs256",
+    "payload": {
-          "signature": "signature-value"
+        "reportId": "report-abc",
-        }
+        "scanId": "report-abc",
-      ]
+        "imageDigest": "sha256:feedface",
-    },
+        "verdict": "fail",
-    "report": {
+        "summary": {
-      "reportId": "report-abc",
+            "total": 1,
-      "generatedAt": "2025-10-19T12:34:56Z",
+            "blocked": 1,
-      "imageDigest": "sha256:feedface",
+            "warned": 0,
-      "policy": {
+            "ignored": 0,
-        "digest": "digest-123",
+            "quieted": 0
-        "revisionId": "rev-42"
+        },
-      },
+        "delta": {
-      "summary": {
+            "newCritical": 1,
-        "total": 1,
+            "kev": [
-        "blocked": 1,
+                "CVE-2024-9999"
-        "warned": 0,
+            ]
-        "ignored": 0,
+        },
-        "quieted": 0
+        "policy": {
-      },
+            "digest": "digest-123",
-      "verdict": "blocked",
+            "revisionId": "rev-42"
-      "verdicts": [
+        },
-        {
+        "findings": [
-          "findingId": "finding-1",
+            {
-          "status": "Blocked",
+                "id": "finding-1",
-          "score": 47.5,
+                "severity": "Critical",
-          "sourceTrust": "NVD",
+                "cve": "CVE-2024-9999",
-          "reachability": "runtime"
+                "purl": "pkg:docker/acme/edge-api@sha256-feedface",
-        }
+                "reachability": "runtime"
-      ],
+            }
-      "issues": []
+        ],
-    }
+        "links": {
-  }
+            "report": {
-}
+                "ui": "https://scanner.example/ui/reports/report-abc",
+                "api": "https://scanner.example/api/v1/reports/report-abc"
+            },
+            "policy": {
+                "ui": "https://scanner.example/ui/policy/revisions/rev-42",
+                "api": "https://scanner.example/api/v1/policy/revisions/rev-42"
+            },
+            "attestation": {
+                "ui": "https://scanner.example/ui/attestations/report-abc",
+                "api": "https://scanner.example/api/v1/reports/report-abc/attestation"
+            }
+        },
+        "dsse": {
+            "payloadType": "application/vnd.stellaops.report+json",
+            "payload": "eyJyZXBvcnRJZCI6InJlcG9ydC1hYmMiLCJpbWFnZURpZ2VzdCI6InNoYTI1NjpmZWVkZmFjZSIsImdlbmVyYXRlZEF0IjoiMjAyNS0xMC0xOVQxMjozNDo1NiswMDowMCIsInZlcmRpY3QiOiJibG9ja2VkIiwicG9saWN5Ijp7InJldmlzaW9uSWQiOiJyZXYtNDIiLCJkaWdlc3QiOiJkaWdlc3QtMTIzIn0sInN1bW1hcnkiOnsidG90YWwiOjEsImJsb2NrZWQiOjEsIndhcm5lZCI6MCwiaWdub3JlZCI6MCwicXVpZXRlZCI6MH0sInZlcmRpY3RzIjpbeyJmaW5kaW5nSWQiOiJmaW5kaW5nLTEiLCJzdGF0dXMiOiJCbG9ja2VkIiwic2NvcmUiOjQ3LjUsInNvdXJjZVRydXN0IjoiTlZEIiwicmVhY2hhYmlsaXR5IjoicnVudGltZSJ9XSwiaXNzdWVzIjpbXX0=",
+            "signatures": [
+                {
+                    "keyId": "test-key",
+                    "algorithm": "hs256",
+                    "signature": "signature-value"
+                }
+            ]
+        },
+        "report": {
+            "reportId": "report-abc",
+            "generatedAt": "2025-10-19T12:34:56Z",
+            "imageDigest": "sha256:feedface",
+            "policy": {
+                "digest": "digest-123",
+                "revisionId": "rev-42"
+            },
+            "summary": {
+                "total": 1,
+                "blocked": 1,
+                "warned": 0,
+                "ignored": 0,
+                "quieted": 0
+            },
+            "verdict": "blocked",
+            "verdicts": [
+                {
+                    "findingId": "finding-1",
+                    "status": "Blocked",
+                    "score": 47.5,
+                    "sourceTrust": "NVD",
+                    "reachability": "runtime"
+                }
+            ],
+            "issues": []
+        }
+    }
+}