diff --git a/docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md b/docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md
index 9f0a8ca6d..a3a5a3396 100644
--- a/docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md
+++ b/docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md
@@ -30,10 +30,10 @@
 | 3 | CONCELIER-POLICY-23-001 | DONE (2025-11-28) | Implemented migration `20251128_policy_lookup_indexes` with alias multikey, confidence, and severity indexes. Query patterns documented in migration XML docs. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Secondary indexes/materialized views (alias, provider severity, confidence) to keep policy lookups fast without cached verdicts; document query patterns. |
 | 4 | CONCELIER-POLICY-23-002 | DONE (2025-11-28) | Enhanced `AdvisoryLinksetUpdatedEvent` with `IdempotencyKey` (SHA256), `ConfidenceSummary` (tier/factors), and `TenantMetadata`. | Concelier Core Guild · Platform Events Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Ensure `advisory.linkset.updated` events carry idempotent IDs, confidence summaries, tenant metadata for safe policy replay. |
 | 5 | CONCELIER-RISK-66-001 | DONE (2025-11-28) | Created `VendorRiskSignal`, `VendorCvssScore`, `VendorKevStatus`, `VendorFixAvailability` models with provenance. Extractor parses OSV/NVD formats. | Concelier Core Guild · Risk Engine Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Surface vendor-provided CVSS/KEV/fix data exactly as published with provenance anchors via provider APIs. |
-| 6 | CONCELIER-RISK-66-002 | TODO | Upstream 66-001 DONE. Ready to emit fix-availability metadata. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit structured fix-availability metadata per observation/linkset (release version, advisory link, evidence timestamp) without guessing exploitability. |
-| 7 | CONCELIER-RISK-67-001 | TODO | Upstream 66-001 DONE. Ready to publish coverage/conflict metrics. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish per-source coverage/conflict metrics (counts, disagreements) so explainers cite which upstream statements exist; no weighting applied. |
+| 6 | CONCELIER-RISK-66-002 | DONE (2025-11-28) | Implemented `FixAvailabilityMetadata`, `FixRelease`, `FixAdvisoryLink` models + `IFixAvailabilityEmitter` interface + `FixAvailabilityEmitter` implementation in `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/`. DI registration via `AddConcelierRiskServices()`. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit structured fix-availability metadata per observation/linkset (release version, advisory link, evidence timestamp) without guessing exploitability. |
+| 7 | CONCELIER-RISK-67-001 | DONE (2025-11-28) | Implemented `SourceCoverageMetrics`, `SourceContribution`, `SourceConflict` models + `ISourceCoverageMetricsPublisher` interface + `SourceCoverageMetricsPublisher` implementation + `InMemorySourceCoverageMetricsStore` in `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/`. DI registration via `AddConcelierRiskServices()`. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish per-source coverage/conflict metrics (counts, disagreements) so explainers cite which upstream statements exist; no weighting applied. |
 | 8 | CONCELIER-RISK-68-001 | BLOCKED | Blocked on POLICY-RISK-68-001. | Concelier Core Guild · Policy Studio Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Wire advisory signal pickers into Policy Studio; validate selected fields are provenance-backed. |
-| 9 | CONCELIER-RISK-69-001 | BLOCKED | Blocked on 66-002. | Concelier Core Guild · Notifications Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit notifications on upstream advisory field changes (e.g., fix availability) with observation IDs + provenance; no severity inference. |
+| 9 | CONCELIER-RISK-69-001 | DONE (2025-11-28) | Implemented `AdvisoryFieldChangeNotification`, `AdvisoryFieldChange` models + `IAdvisoryFieldChangeEmitter` interface + `AdvisoryFieldChangeEmitter` implementation + `InMemoryAdvisoryFieldChangeNotificationPublisher` in `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/`. Detects fix availability, KEV status, severity changes with provenance. | Concelier Core Guild · Notifications Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit notifications on upstream advisory field changes (e.g., fix availability) with observation IDs + provenance; no severity inference. |
 | 10 | CONCELIER-SIG-26-001 | BLOCKED | Blocked on SIGNALS-24-002. | Concelier Core Guild · Signals Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Expose upstream-provided affected symbol/function lists via APIs for reachability scoring; maintain provenance, no exploitability inference. |
 | 11 | CONCELIER-STORE-AOC-19-005-DEV | BLOCKED (2025-11-04) | Waiting on staging dataset hash + rollback rehearsal using prep doc | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Execute raw-linkset backfill/rollback plan so Mongo reflects Link-Not-Merge data; rehearse rollback (dev/staging). |
 | 12 | CONCELIER-TEN-48-001 | DONE (2025-11-28) | Created Tenancy module with `TenantScope`, `TenantCapabilities`, `TenantCapabilitiesResponse`, `ITenantCapabilitiesProvider`, and `TenantScopeNormalizer` per AUTH-TEN-47-001. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Enforce tenant scoping through normalization/linking; expose capability endpoint advertising `merge=false`; ensure events include tenant IDs. |
@@ -42,6 +42,9 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-11-28 | Completed CONCELIER-RISK-69-001: implemented `AdvisoryFieldChangeNotification`, `AdvisoryFieldChange`, `AdvisoryFieldChangeProvenance` models + `IAdvisoryFieldChangeEmitter` interface + `AdvisoryFieldChangeEmitter` implementation + `IAdvisoryFieldChangeNotificationPublisher` interface + `InMemoryAdvisoryFieldChangeNotificationPublisher`. Detects changes in fix availability, KEV status, severity, CVSS score, and observation status with full provenance. DI registration via `AddConcelierRiskServices()`. Sprint 0115 RISK tasks now complete (66-001, 66-002, 67-001, 69-001 DONE; 68-001 BLOCKED on POLICY-RISK-68-001). | Implementer |
+| 2025-11-28 | Completed CONCELIER-RISK-66-002: implemented `FixAvailabilityMetadata`, `FixRelease`, `FixAdvisoryLink` models with provenance anchors + `IFixAvailabilityEmitter` interface + `FixAvailabilityEmitter` implementation for emitting structured fix-availability metadata per observation/linkset. DI registration via `AddConcelierRiskServices()`. Unblocked CONCELIER-RISK-69-001. | Implementer |
+| 2025-11-28 | Completed CONCELIER-RISK-67-001: implemented `SourceCoverageMetrics`, `SourceContribution`, `SourceCoverageDetail`, `SourceAgreementSummary`, `SourceConflict` models + `ISourceCoverageMetricsPublisher` interface + `SourceCoverageMetricsPublisher` implementation + `InMemorySourceCoverageMetricsStore` for per-source coverage/conflict metrics. No weighting applied; fact-only counts and disagreements. DI registration via `AddConcelierRiskServices()`. | Implementer |
 | 2025-11-28 | Completed CONCELIER-TEN-48-001: created Tenancy module with `TenantScope`, `TenantCapabilities`, `TenantCapabilitiesResponse`, `ITenantCapabilitiesProvider`, `LinkNotMergeTenantCapabilitiesProvider`, and `TenantScopeNormalizer`. Implements AUTH-TEN-47-001 contract with capabilities endpoint response and tenant ID normalization. Build green. | Implementer |
 | 2025-11-28 | Completed CONCELIER-RISK-66-001: created Risk module with `VendorRiskSignal`, `VendorCvssScore`, `VendorKevStatus`, `VendorFixAvailability` models + `IVendorRiskSignalProvider` interface + `VendorRiskSignalExtractor` for OSV/NVD parsing. All with provenance anchors. Build green. Tasks 6 and 7 now TODO. | Implementer |
 | 2025-11-28 | Unblocked CONCELIER-RISK-66-001 and CONCELIER-TEN-48-001 after POLICY chain completion. Tasks 5 and 12 moved to TODO. | Implementer |
diff --git a/docs/implplan/SPRINT_0190_0001_0001_cvss_v4_receipts.md b/docs/implplan/SPRINT_0190_0001_0001_cvss_v4_receipts.md
index 5179aa45e..bf2c1359f 100644
--- a/docs/implplan/SPRINT_0190_0001_0001_cvss_v4_receipts.md
+++ b/docs/implplan/SPRINT_0190_0001_0001_cvss_v4_receipts.md
@@ -24,9 +24,9 @@
 ## Delivery Tracker
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 1 | CVSS-MODEL-190-001 | TODO | None; foundational. | Policy Guild · Signals Guild (`src/Policy/StellaOps.Policy.Scoring`) | Design and implement CVSS v4.0 data model: `CvssScoreReceipt`, `BaseMetrics`, `ThreatMetrics`, `EnvironmentalMetrics`, `SupplementalMetrics`, `EvidenceItem`, `CvssPolicy`, `ReceiptHistoryEntry`. Include EF Core mappings and MongoDB schema. |
-| 2 | CVSS-ENGINE-190-002 | TODO | Depends on 190-001 for types. | Policy Guild (`src/Policy/StellaOps.Policy.Scoring/Engine`) | Implement `CvssV4Engine` with: `ParseVector()`, `ComputeBaseScore()`, `ComputeThreatAdjustedScore()`, `ComputeEnvironmentalAdjustedScore()`, `BuildVector()`. Follow FIRST spec v4.0 exactly for math/rounding. |
-| 3 | CVSS-TESTS-190-003 | TODO | Depends on 190-002. | Policy Guild · QA Guild (`src/Policy/__Tests/StellaOps.Policy.Scoring.Tests`) | Unit tests for CVSS v4.0 engine using official FIRST sample vectors; edge cases for missing threat/env; determinism tests (same input → same output). |
+| 1 | CVSS-MODEL-190-001 | DONE (2025-11-28) | None; foundational. | Policy Guild · Signals Guild (`src/Policy/StellaOps.Policy.Scoring`) | Design and implement CVSS v4.0 data model: `CvssScoreReceipt`, `BaseMetrics`, `ThreatMetrics`, `EnvironmentalMetrics`, `SupplementalMetrics`, `EvidenceItem`, `CvssPolicy`, `ReceiptHistoryEntry`. Include EF Core mappings and MongoDB schema. Evidence: Created `StellaOps.Policy.Scoring` project with `CvssMetrics.cs` (all CVSS v4.0 metric enums/records), `CvssScoreReceipt.cs` (receipt model with scores, evidence, history), `CvssPolicy.cs` (policy configuration), JSON schemas `cvss-policy-schema@1.json` and `cvss-receipt-schema@1.json`, and `AGENTS.md`. |
+| 2 | CVSS-ENGINE-190-002 | DONE (2025-11-28) | Depends on 190-001 for types. | Policy Guild (`src/Policy/StellaOps.Policy.Scoring/Engine`) | Implement `CvssV4Engine` with: `ParseVector()`, `ComputeBaseScore()`, `ComputeThreatAdjustedScore()`, `ComputeEnvironmentalAdjustedScore()`, `BuildVector()`. Follow FIRST spec v4.0 exactly for math/rounding. Evidence: `ICvssV4Engine.cs` interface, `CvssV4Engine.cs` implementation with MacroVector computation (EQ1-EQ6), threat/environmental modifiers, vector string building/parsing, `MacroVectorLookup.cs` with score tables. |
+| 3 | CVSS-TESTS-190-003 | DONE (2025-11-28) | Depends on 190-002. | Policy Guild · QA Guild (`src/Policy/__Tests/StellaOps.Policy.Scoring.Tests`) | Unit tests for CVSS v4.0 engine using official FIRST sample vectors; edge cases for missing threat/env; determinism tests (same input → same output). Evidence: Created `StellaOps.Policy.Scoring.Tests` project with `CvssV4EngineTests.cs` containing tests for base/threat/environmental/full scores, vector string building/parsing, severity thresholds, determinism, and FIRST sample vectors. |
 | 4 | CVSS-POLICY-190-004 | TODO | Depends on 190-002. | Policy Guild (`src/Policy/StellaOps.Policy.Scoring/Policies`) | Implement `CvssPolicy` loader and validator: JSON schema for policy files, policy versioning, hash computation for determinism tracking. |
 | 5 | CVSS-RECEIPT-190-005 | TODO | Depends on 190-002, 190-004. | Policy Guild (`src/Policy/StellaOps.Policy.Scoring/Receipts`) | Implement `ReceiptBuilder` service: `CreateReceipt(vulnId, input, policyId, userId)` that computes scores, builds vector, hashes inputs, and persists receipt with evidence links. |
 | 6 | CVSS-DSSE-190-006 | TODO | Depends on 190-005; uses Attestor primitives. | Policy Guild · Attestor Guild (`src/Policy/StellaOps.Policy.Scoring`, `src/Attestor/StellaOps.Attestor.Envelope`) | Attach DSSE attestations to score receipts: create `stella.ops/cvssReceipt@v1` predicate type, sign receipts, store envelope references. |
@@ -72,3 +72,7 @@
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
 | 2025-11-27 | Sprint created from product advisory `25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md`; 12 tasks defined across 4 waves. | Product Mgmt |
+| 2025-11-28 | CVSS-MODEL-190-001 DONE: Created `StellaOps.Policy.Scoring` project with complete CVSS v4.0 data model per FIRST spec. Includes `CvssMetrics.cs` (Base/Threat/Environmental/Supplemental metrics with all enum values), `CvssScoreReceipt.cs` (receipt with scores, evidence, history, DSSE refs), `CvssPolicy.cs` (policy configuration with overrides, thresholds, attestation requirements), JSON schemas for validation, and `AGENTS.md`. | Implementer |
+| 2025-11-28 | Started CVSS-ENGINE-190-002: Implementing scoring engine with MacroVector lookup tables per FIRST CVSS v4.0 specification. | Implementer |
+| 2025-11-28 | CVSS-ENGINE-190-002 DONE: Implemented `ICvssV4Engine` interface and `CvssV4Engine` class with full scoring logic. EQ1-EQ6 equivalence class computation, MacroVector lookup table with score interpolation, threat/environmental score modifiers, round-up per FIRST spec, vector string building/parsing with regex. Started CVSS-TESTS-190-003. | Implementer |
+| 2025-11-28 | CVSS-TESTS-190-003 DONE: Created test project `StellaOps.Policy.Scoring.Tests` with `CvssV4EngineTests.cs`. Comprehensive test suite covers: base/threat/environmental/full score computation, vector string building and parsing, severity thresholds (default and custom), determinism verification, FIRST sample vectors, roundtrip preservation. Wave 1 (Foundation) complete - all 4 tasks DONE. | Implementer |
diff --git a/docs/implplan/SPRINT_174_telemetry.md b/docs/implplan/SPRINT_174_telemetry.md
index beda9136a..0e72a63dc 100644
--- a/docs/implplan/SPRINT_174_telemetry.md
+++ b/docs/implplan/SPRINT_174_telemetry.md
@@ -11,16 +11,17 @@ TELEMETRY-OBS-50-001 | DONE (2025-11-19) | `StellaOps.Telemetry.Core` bootstrap
 TELEMETRY-OBS-50-002 | DONE (2025-11-27) | Implement context propagation middleware/adapters for HTTP, gRPC, background jobs, and CLI invocations, carrying `trace_id`, `tenant_id`, `actor`, and imposed-rule metadata. Provide test harness covering async resume scenarios. Dependencies: TELEMETRY-OBS-50-001. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core)
 TELEMETRY-OBS-51-001 | DONE (2025-11-27) | Ship metrics helpers for golden signals (histograms, counters, gauges) with exemplar support and cardinality guards. Provide Roslyn analyzer preventing unsanitised labels. Dependencies: TELEMETRY-OBS-50-002. Evidence: `GoldenSignalMetrics.cs` + `StellaOps.Telemetry.Analyzers` project with `MetricLabelAnalyzer` (TELEM001/002/003 diagnostics). | Telemetry Core Guild, Observability Guild (src/Telemetry/StellaOps.Telemetry.Core)
 TELEMETRY-OBS-51-002 | DONE (2025-11-27) | Implement redaction/scrubbing filters for secrets/PII enforced at logger sink, configurable per-tenant with TTL, including audit of overrides. Add determinism tests verifying stable field order and timestamp normalization. Dependencies: TELEMETRY-OBS-51-001. Evidence: `LogRedactor`, `LogRedactionOptions`, `RedactingLogProcessor`, `DeterministicLogFormatter` + test suites. | Telemetry Core Guild, Security Guild (src/Telemetry/StellaOps.Telemetry.Core)
-TELEMETRY-OBS-55-001 | TODO | Provide incident mode toggle API that adjusts sampling, enables extended retention tags, and records activation trail for services. Ensure toggle honored by all hosting templates and integrates with Config/FeatureFlag providers. Dependencies: TELEMETRY-OBS-51-002. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core)
-TELEMETRY-OBS-56-001 | TODO | Add sealed-mode telemetry helpers (drift metrics, seal/unseal spans, offline exporters) and ensure hosts can disable external exporters when sealed. Dependencies: TELEMETRY-OBS-55-001. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core)
+TELEMETRY-OBS-55-001 | DONE (2025-11-28) | Provide incident mode toggle API that adjusts sampling, enables extended retention tags, and records activation trail for services. Ensure toggle honored by all hosting templates and integrates with Config/FeatureFlag providers. Dependencies: TELEMETRY-OBS-51-002. Evidence: `IIncidentModeService`/`IncidentModeService` with full state management, TTL handling, events, persistence; `IncidentModeOptions` for configuration; `AddIncidentMode()` DI extension; comprehensive test suite in `IncidentModeServiceTests`. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core)
+TELEMETRY-OBS-56-001 | DONE (2025-11-28) | Add sealed-mode telemetry helpers (drift metrics, seal/unseal spans, offline exporters) and ensure hosts can disable external exporters when sealed. Dependencies: TELEMETRY-OBS-55-001. Evidence: `ISealedModeTelemetryService`/`SealedModeTelemetryService` with metrics counters (`sealEventsCounter`, `unsealEventsCounter`, `driftEventsCounter`, `blockedExportsCounter`), `SealedModeFileExporter` for offline export, `TelemetryExporterGuard` for blocking external exporters; `AddSealedModeTelemetry()` DI extension; test suite in `SealedModeTelemetryServiceTests`. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core)
 
-## Status notes (2025-11-19 UTC)
+## Status notes (2025-11-28 UTC)
 
 - **TELEMETRY-OBS-50-001** – DONE. Library merged with deterministic bootstrap helpers; sample host + test harness published in `docs/observability/telemetry-bootstrap.md`.
-- **TELEMETRY-OBS-50-002** – Awaiting adoption of published bootstrap before wiring propagation adapters; design still covers HTTP/gRPC/job/CLI interceptors plus tenant/actor propagation tests.
-- **TELEMETRY-OBS-51-001** – DONE. Golden signal metrics (`GoldenSignalMetrics.cs`) with exemplar support and cardinality guards already existed. Added Roslyn analyzer project (`StellaOps.Telemetry.Analyzers`) with `MetricLabelAnalyzer` enforcing TELEM001 (high-cardinality patterns), TELEM002 (invalid key format), TELEM003 (dynamic labels).
-- **TELEMETRY-OBS-51-002** – DONE. Implemented `ILogRedactor`/`LogRedactor` with pattern-based and field-name redaction. Per-tenant overrides with TTL and audit logging. `DeterministicLogFormatter` ensures stable field ordering and UTC timestamp normalization.
-- **TELEMETRY-OBS-55-001/56-001** – Incident/sealed-mode APIs remain blocked on CLI toggle contract (CLI-OBS-12-001) and Notify incident payload spec (NOTIFY-OBS-55-001); coordination with Notifier team continues.
+- **TELEMETRY-OBS-50-002** – DONE. Context propagation middleware for HTTP, gRPC, CLI, and background jobs; includes async resume test harness.
+- **TELEMETRY-OBS-51-001** – DONE. Golden signal metrics (`GoldenSignalMetrics.cs`) with exemplar support and cardinality guards. Roslyn analyzer project (`StellaOps.Telemetry.Analyzers`) with `MetricLabelAnalyzer` enforcing TELEM001/002/003 diagnostics.
+- **TELEMETRY-OBS-51-002** – DONE. `ILogRedactor`/`LogRedactor` with pattern-based and field-name redaction. Per-tenant overrides with TTL and audit logging. `DeterministicLogFormatter` ensures stable field ordering and UTC timestamp normalization.
+- **TELEMETRY-OBS-55-001** – DONE. Incident mode toggle API implemented with `IIncidentModeService`/`IncidentModeService` providing: sampling adjustment, extended retention tags, activation trail recording, state persistence, events, TTL management with extension support, CLI/API/config activation sources. DI registration via `AddIncidentMode()`. Full test suite.
+- **TELEMETRY-OBS-56-001** – DONE. Sealed-mode telemetry helpers implemented with `ISealedModeTelemetryService`/`SealedModeTelemetryService` providing: drift metrics counters, seal/unseal spans, offline file exporter (`SealedModeFileExporter`), external exporter blocking via `TelemetryExporterGuard`. DI registration via `AddSealedModeTelemetry()`. Full test suite.
 
 ## Milestones & dependencies
 
@@ -40,3 +41,5 @@ TELEMETRY-OBS-56-001 | TODO | Add sealed-mode telemetry helpers (drift metrics,
 | 2025-11-27 | Marked TELEMETRY-OBS-50-002 DONE; added gRPC interceptors, CLI context, and async resume test harness. | Implementer |
 | 2025-11-27 | Marked TELEMETRY-OBS-51-001 DONE; created `StellaOps.Telemetry.Analyzers` project with `MetricLabelAnalyzer` (TELEM001/002/003) and test suite. | Implementer |
 | 2025-11-27 | Marked TELEMETRY-OBS-51-002 DONE; implemented `LogRedactor`, `LogRedactionOptions`, `RedactingLogProcessor`, `DeterministicLogFormatter` with comprehensive test suites. | Implementer |
+| 2025-11-28 | Marked TELEMETRY-OBS-55-001 DONE; verified existing implementation of `IIncidentModeService`/`IncidentModeService` with state management, TTL handling, events, persistence, and comprehensive test suite. | Implementer |
+| 2025-11-28 | Marked TELEMETRY-OBS-56-001 DONE; verified existing implementation of `ISealedModeTelemetryService`/`SealedModeTelemetryService` with metrics, spans, offline exporter, and exporter guard. Sprint 174 Telemetry complete. | Implementer |
diff --git a/docs/implplan/SPRINT_202_cli_ii.md b/docs/implplan/SPRINT_202_cli_ii.md
index 764730fe2..4f932b2c6 100644
--- a/docs/implplan/SPRINT_202_cli_ii.md
+++ b/docs/implplan/SPRINT_202_cli_ii.md
@@ -7,20 +7,20 @@ Depends on: Sprint 180.A - Cli.I
 Summary: Experience & SDKs focus on Cli (phase II).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
-CLI-CORE-41-001 | TODO | Implement CLI core features: config precedence, profiles/contexts, auth flows, output renderer (json/yaml/table), error mapping, global flags, telemetry opt-in. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-EXC-25-001 | TODO | Implement `stella exceptions list | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-EXC-25-002 | TODO | Extend `stella policy simulate` with `--with-exception`/`--without-exception` flags to preview exception impact. Dependencies: CLI-EXC-25-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-CORE-41-001 | DONE (2025-11-28) | Implemented CLI core features: `OutputRenderer` (json/yaml/table), `CliProfile`/`CliProfileManager` (profiles/contexts), `CliError`/`CliErrorCodes` (error mapping), `GlobalOptions` (global flags with --profile, --output, --verbose, --quiet, --no-color, --dry-run). Config precedence already exists in `CliBootstrapper`. Auth flows already exist via `StellaOps.Auth.Client`. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-EXC-25-001 | DONE (2025-11-28) | Implemented `stella exceptions list/show/create/promote/revoke/import/export` commands for exception governance. Created `ExceptionModels.cs` with full models for exception instances, scopes, effects, evidence refs, lifecycle states (draft/staged/active/expired/revoked), and request/response types. Created `IExceptionClient.cs` interface and `ExceptionClient.cs` HTTP client with token caching for all CRUD operations plus import/export. Added command handlers with JSON/table output, status-colored rendering, verbose mode with evidence/approval details, and `ERR_EXC_*` error codes (exit code 16). | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-EXC-25-002 | DONE (2025-11-28) | Extended `stella policy simulate` with `--with-exception`/`--without-exception` flags to preview exception impact. Added repeatable options for exception IDs, validation to prevent overlapping IDs in both lists, verbose logging of exception preview mode, and OpenTelemetry tracing of exception counts. Updated `PolicySimulationInput` record with optional `WithExceptions`/`WithoutExceptions` fields. Dependencies: CLI-EXC-25-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
 CLI-EXPORT-35-001 | BLOCKED (2025-10-29) | Implement `stella export profiles | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
 CLI-EXPORT-36-001 | TODO | Add distribution commands (`stella export distribute`, `run download --resume` enhancements) and improved status polling with progress bars. Dependencies: CLI-EXPORT-35-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
 CLI-EXPORT-37-001 | TODO | Provide scheduling (`stella export schedule`), retention, and `export verify` commands performing signature/hash validation. Dependencies: CLI-EXPORT-36-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-FORENSICS-53-001 | TODO | Implement `stella forensic snapshot create --case` and `snapshot list/show` commands invoking evidence locker APIs, surfacing manifest digests, and storing local cache metadata. | DevEx/CLI Guild, Evidence Locker Guild (src/Cli/StellaOps.Cli)
-CLI-FORENSICS-54-001 | TODO | Provide `stella forensic verify <bundle>` command validating checksums, DSSE signatures, and timeline chain-of-custody. Support JSON/pretty output and exit codes for CI. Dependencies: CLI-FORENSICS-53-001. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli)
-CLI-FORENSICS-54-002 | TODO | Implement `stella forensic attest show <artifact>` listing attestation details (signer, timestamp, subjects) and verifying signatures. Dependencies: CLI-FORENSICS-54-001. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli)
-CLI-PROMO-70-001 | TODO | Add `stella promotion assemble` command that resolves image digests, hashes SBOM/VEX artifacts, fetches Rekor proofs from Attestor, and emits the `stella.ops/promotion@v1` JSON payload (see `docs/release/promotion-attestations.md`). | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli)
-CLI-DETER-70-003 | TODO | Provide `stella detscore run` that executes the determinism harness locally (fixed clock, seeded RNG, canonical hashes) and writes `determinism.json`, supporting CI/non-zero threshold exit codes (`docs/modules/scanner/determinism-score.md`). | DevEx/CLI Guild, Scanner Guild (src/Cli/StellaOps.Cli)
-CLI-LNM-22-001 | TODO | Implement `stella advisory obs get/linkset show/export` commands with JSON/OSV output, pagination, and conflict display; ensure `ERR_AGG_*` mapping. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-LNM-22-002 | TODO | Implement `stella vex obs get/linkset show` commands with product filters, status filters, and JSON output for CI usage. Dependencies: CLI-LNM-22-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-FORENSICS-53-001 | DONE (2025-11-28) | Implemented `stella forensic snapshot create --case` and `snapshot list/show` commands invoking evidence locker APIs. Created `ForensicSnapshotModels.cs` with full document/manifest/artifact models, `IForensicSnapshotClient.cs` interface, `ForensicSnapshotClient.cs` HTTP client with token caching, and command handlers in `CommandHandlers.cs` with JSON/table output. | DevEx/CLI Guild, Evidence Locker Guild (src/Cli/StellaOps.Cli)
+CLI-FORENSICS-54-001 | DONE (2025-11-28) | Implemented `stella forensic verify <bundle>` command validating checksums, DSSE signatures, and timeline chain-of-custody. Created `ForensicVerificationModels.cs` with verification result models, `IForensicVerifier.cs` interface, `ForensicVerifier.cs` with SHA256/384/512 checksum verification, RSA-PSS signature verification, and chain-of-custody timeline validation. Added `ERR_FORENSIC_*` error codes (exit code 12), JSON/pretty output, and verbose mode with detailed tables. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli)
+CLI-FORENSICS-54-002 | DONE (2025-11-28) | Implemented `stella forensic attest show <artifact>` listing attestation details (signer, timestamp, subjects) and verifying signatures. Created `AttestationModels.cs` with DSSE/in-toto models, `IAttestationReader.cs` interface, `AttestationReader.cs` with PAE encoding, RSA-PSS verification, predicate parsing (SLSA/VEX), and rich console output with subject/signature tables. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli)
+CLI-PROMO-70-001 | DONE (2025-11-28) | Implemented `stella promotion assemble` command that resolves image digests (via crane/cosign), hashes SBOM/VEX artifacts with format detection (CycloneDX/SPDX, OpenVEX/CSAF), and emits the `stella.ops/promotion@v1` JSON payload. Created `PromotionModels.cs` with full predicate/subject/material/metadata models, `IPromotionAssembler.cs` interface, `PromotionAssembler.cs` with image digest resolution, SHA256 file hashing, SBOM/VEX format detection, and JSON output. Command supports `--image`, `--sbom`, `--vex`, `--from/--to` environment, `--actor`, `--ticket`, `--notes`, `--skip-rekor`, and `--output` options. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli)
+CLI-DETER-70-003 | DONE (2025-11-28) | Implemented `stella detscore run` command that executes the determinism harness locally with fixed clock, seeded RNG, and canonical hashes. Created `DeterminismModels.cs` with manifest/request/result models per SCAN-DETER-186-010 schema, `IDeterminismHarness.cs` interface, `DeterminismHarness.cs` with Docker container execution, SHA256 artifact hashing, score calculation, and threshold verification. Command supports `--image`, `--scanner`, `--policy-bundle`, `--feeds-bundle`, `--runs`, `--fixed-clock`, `--rng-seed`, `--max-concurrency`, `--memory`, `--cpuset`, `--platform`, `--image-threshold`, `--overall-threshold`, `--output-dir`, `--release`, and `--json` options. Added `ERR_DETER_*` error codes (exit code 13). | DevEx/CLI Guild, Scanner Guild (src/Cli/StellaOps.Cli)
+CLI-LNM-22-001 | DONE (2025-11-28) | Implemented `stella advisory obs get/linkset show/export` commands with JSON/OSV output, pagination, conflict display, and `ERR_AGG_*` error code mapping. Added `AdvisoryLinksetModels.cs` with OSV format support, extended `IConcelierObservationsClient` with `GetLinksetAsync`/`GetObservationByIdAsync`, and added command handlers for all three subcommands. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-LNM-22-002 | DONE (2025-11-28) | Implemented `stella vex obs get/linkset show` commands with product/status/provider filters, pagination, and JSON output for CI usage. Created `VexObservationModels.cs` with query/response/linkset models, `IVexObservationsClient.cs` interface, `VexObservationsClient.cs` HTTP client with VexRead scope, and command handlers with rich table output, conflict detection, and aggregate summaries. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
 CLI-NOTIFY-38-001 | BLOCKED (2025-10-29) | Implement `stella notify rules | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
 CLI-NOTIFY-39-001 | BLOCKED (2025-10-29) | Add simulation (`stella notify simulate`) and digest commands with diff output and schedule triggering, including dry-run mode. Dependencies: CLI-NOTIFY-38-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
 CLI-NOTIFY-40-001 | TODO | Provide ack token redemption workflow, escalation management, localization previews, and channel health checks. Dependencies: CLI-NOTIFY-39-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-OBS-50-001 | TODO | Ensure CLI HTTP client propagates `traceparent` headers for all commands, prints correlation IDs on failure, and records trace IDs in verbose logs (scrubbed). | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-OBS-50-001 | DONE (2025-11-28) | Implemented `TraceparentHttpMessageHandler` that propagates W3C Trace Context headers for all HTTP requests, logs correlation IDs on failure, records trace IDs in verbose logs (scrubbed), and includes `AddTraceparentPropagation()` extension method for IHttpClientBuilder. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
diff --git a/docs/implplan/SPRINT_203_cli_iii.md b/docs/implplan/SPRINT_203_cli_iii.md
index db09e2609..5e1fc11f4 100644
--- a/docs/implplan/SPRINT_203_cli_iii.md
+++ b/docs/implplan/SPRINT_203_cli_iii.md
@@ -7,22 +7,22 @@ Depends on: Sprint 180.A - Cli.II
 Summary: Experience & SDKs focus on Cli (phase III).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
-CLI-OBS-51-001 | TODO | Implement `stella obs top` command streaming service health metrics, SLO status, and burn-rate alerts with TUI view and JSON output. Dependencies: CLI-OBS-50-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-OBS-52-001 | TODO | Add `stella obs trace <trace_id>` and `stella obs logs --from/--to` commands that correlate timeline events, logs, and evidence links with pagination + guardrails. Dependencies: CLI-OBS-51-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-OBS-55-001 | TODO | Add `stella obs incident-mode enable. Dependencies: CLI-OBS-52-001. | DevEx/CLI Guild, DevOps Guild (src/Cli/StellaOps.Cli)
-CLI-ORCH-32-001 | TODO | Implement `stella orch sources | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-ORCH-33-001 | TODO | Add action verbs (`sources test. Dependencies: CLI-ORCH-32-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-ORCH-34-001 | TODO | Provide backfill wizard (`--from/--to --dry-run`), quota management (`quotas get. Dependencies: CLI-ORCH-33-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-PACKS-42-001 | TODO | Implement Task Pack commands (`pack plan/run/push/pull/verify`) with schema validation, expression sandbox, plan/simulate engine, remote execution. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-PROMO-70-002 | TODO | Implement `stella promotion attest` / `promotion verify` commands that sign the promotion payload via Signer, retrieve DSSE bundles from Attestor, and perform offline verification against trusted checkpoints (`docs/release/promotion-attestations.md`). Dependencies: CLI-PROMO-70-001. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli)
-CLI-DETER-70-004 | TODO | Add `stella detscore report` to summarise published `determinism.json` files (overall score, per-image matrix) and integrate with release notes/air-gap kits (`docs/modules/scanner/determinism-score.md`). Dependencies: CLI-DETER-70-003. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-PACKS-43-001 | TODO | Deliver advanced pack features (approvals pause/resume, secret injection, localization, man pages, offline cache). Dependencies: CLI-PACKS-42-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-PARITY-41-001 | TODO | Deliver parity command groups (`policy`, `sbom`, `vuln`, `vex`, `advisory`, `export`, `orchestrator`) with `--explain`, deterministic outputs, and parity matrix entries. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-PARITY-41-002 | TODO | Implement `notify`, `aoc`, `auth` command groups, idempotency keys, shell completions, config docs, and parity matrix export tooling. Dependencies: CLI-PARITY-41-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-SBOM-60-001 | TODO | Ship `stella sbomer layer`/`compose` verbs that capture per-layer fragments, run canonicalization, verify fragment DSSE, and emit `_composition.json` + Merkle diagnostics (ref `docs/modules/scanner/deterministic-sbom-compose.md`). Dependencies: CLI-PARITY-41-001, SCANNER-SURFACE-04. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-SBOM-60-002 | TODO | Add `stella sbomer drift --explain` + `verify` commands that rerun composition locally, highlight which arrays/keys broke determinism, and integrate with Offline Kit bundles. Dependencies: CLI-SBOM-60-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-POLICY-20-001 | TODO | Add `stella policy new | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-POLICY-23-004 | TODO | Add `stella policy lint` command validating SPL files with compiler diagnostics; support JSON output. Dependencies: CLI-POLICY-20-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-OBS-51-001 | DONE (2025-11-28) | Implemented `stella obs top` command streaming service health metrics, SLO status, and burn-rate alerts. Features: (1) TUI table view with color-coded health status, availability, error budget, P95 latency, burn rate; (2) JSON and NDJSON output modes for CI; (3) Streaming mode with `--refresh` interval for live monitoring; (4) Active alerts display with severity and age; (5) Queue health details in verbose mode; (6) Offline mode guard per CLI guide. Created `ObservabilityModels.cs` with `ServiceHealthStatus`, `PlatformHealthSummary`, `BurnRateInfo`, `LatencyInfo`, `QueueHealth`, `ActiveAlert` models. Added `IObservabilityClient` interface and `ObservabilityClient` implementation. Extended `CliErrorCodes` with ERR_OBS_* codes (exit 14). Registered client in `Program.cs`. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-OBS-52-001 | DONE (2025-11-28) | Implemented `stella obs trace <trace_id>` and `stella obs logs --from/--to` commands. Features: (1) Trace command fetches distributed trace by ID with spans table, duration, status, evidence links (SBOM/VEX/attestation); (2) Logs command fetches logs for time window with service/level filters, full-text query, deterministic pagination with page-token; (3) Both support JSON/NDJSON/table output; (4) Offline mode guard with exit code 5; (5) 24-hour guardrail warning on large time windows; (6) Trace ID echoed on stderr in verbose mode for scripting. Extended `ObservabilityModels.cs` with `DistributedTrace`, `TraceSpan`, `SpanLog`, `EvidenceLink`, `LogEntry`, request/result types. Extended `IObservabilityClient` and `ObservabilityClient` with `GetTraceAsync`/`GetLogsAsync`. Added handlers to `CommandHandlers.cs`. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-OBS-55-001 | DONE (2025-11-28) | Implemented `stella obs incident-mode` command group with enable/disable/status subcommands. Features: (1) Enable subcommand activates incident mode with configurable TTL (default 30min) and retention extension (default 60 days); (2) Disable subcommand deactivates incident mode with optional reason; (3) Status subcommand displays current incident mode state with expiry countdown; (4) All subcommands support JSON output for scripting; (5) Offline mode guard per CLI guide; (6) Audit event ID returned for compliance tracking; (7) Rich console output with Spectre.Console panels showing actor, source, timestamps. Extended `ObservabilityModels.cs` with `IncidentModeState`, `IncidentModeEnableRequest`, `IncidentModeDisableRequest`, `IncidentModeResult` models. Extended `IObservabilityClient` and `ObservabilityClient` with `GetIncidentModeStatusAsync`/`EnableIncidentModeAsync`/`DisableIncidentModeAsync`. Added handlers to `CommandHandlers.cs`. | DevEx/CLI Guild, DevOps Guild (src/Cli/StellaOps.Cli)
+CLI-ORCH-32-001 | DONE (2025-11-28) | Implemented `stella orch sources list/show` commands for orchestrator source management. Created `OrchestratorModels.cs` with full models for sources (status, schedule, rate limits, metrics, last run), `IOrchestratorClient.cs` interface, `OrchestratorClient.cs` HTTP client with OrchRead scope. Added command handlers with JSON/table output, status-colored rendering, verbose mode with schedule/rate-limit/metrics/last-run details, and `ERR_ORCH_*` error codes (exit code 17). | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-ORCH-33-001 | DONE (2025-11-28) | Implemented `stella orch sources test/pause/resume` action verbs for orchestrator source management. Features: (1) `sources test` validates connectivity to a source with configurable timeout, returns connectivity status, response time, and diagnostics; (2) `sources pause` temporarily stops scheduled runs with optional reason and duration, returns operation result with audit event ID; (3) `sources resume` reactivates a paused source with optional reason, returns operation result with new status. All commands support JSON output for scripting, offline mode guard, and verbose mode for detailed diagnostics. Extended `OrchestratorModels.cs` with `SourceTestRequest`, `SourceTestResult`, `SourcePauseRequest`, `SourceResumeRequest`, `SourceOperationResult` models. Extended `IOrchestratorClient` and `OrchestratorClient` with `TestSourceAsync`/`PauseSourceAsync`/`ResumeSourceAsync`. Added handlers to `CommandHandlers.cs`. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-ORCH-34-001 | DONE (2025-11-28) | Implemented `stella orch backfill` and `stella orch quotas` command groups. Backfill features: (1) `backfill start` with --from/--to date range, --dry-run preview mode, --priority/--concurrency/--batch-size tuning, --resume checkpoint support, --filter expression, --force overwrite; (2) `backfill status` displays progress, processed/failed/skipped counts, estimated and actual duration; (3) `backfill list` with source/status filters and pagination; (4) `backfill cancel` with reason for audit log. Quota features: (1) `quotas get` displays usage vs limits with warning/exceeded status, formatted byte values for storage types; (2) `quotas set` configures limits with period (hourly/daily/weekly/monthly) and warning threshold; (3) `quotas reset` clears usage counter with audit reason. All commands support JSON output, verbose mode, and offline mode guard. Extended `OrchestratorModels.cs` with `BackfillRequest/Result`, `BackfillListRequest/Response`, `BackfillCancelRequest`, `OrchestratorQuota`, `QuotaGetRequest/Response`, `QuotaSetRequest`, `QuotaResetRequest`, `QuotaOperationResult` models. Extended `IOrchestratorClient` and `OrchestratorClient` with backfill and quota operations. Added handlers to `CommandHandlers.cs` with Spectre.Console rich output for backfill panels and quota tables. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-PACKS-42-001 | DONE (2025-11-28) | Implemented `stella pack` command group with plan/run/push/pull/verify subcommands. Features: (1) `pack plan` validates pack inputs, generates execution graph with step dependencies, reports approval gates and estimated duration; (2) `pack run` executes pack with --wait option for synchronous completion, --label for metadata, --plan-id to reuse existing plans; (3) `pack push` uploads pack to registry with optional signing via --sign/--key-id, --force to overwrite; (4) `pack pull` downloads pack from registry with signature verification by default; (5) `pack verify` validates pack signature, digest, schema, Rekor transparency, and certificate expiry. Created `PackModels.cs` with `TaskPackInfo`, `PackPlanRequest/Result`, `PackRunRequest/Result/Status`, `PackPushRequest/Result`, `PackPullRequest/Result`, `PackVerifyRequest/Result`, `PackStepStatus`, `PackArtifact`, `PackValidationError` models. Added `IPackClient` interface and `PackClient` implementation with HTTP client for registry/runner APIs. Extended `CliErrorCodes` with ERR_PACK_* codes (exit 15). Registered client in `Program.cs`. Added handlers to `CommandHandlers.cs` with Spectre.Console rich output for plan tables, run status, and verify panels. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-PROMO-70-002 | DONE (2025-11-28) | Implemented `stella promotion attest` and `promotion verify` commands. Attest signs promotion predicates via cosign/Signer API, produces DSSE bundles, and uploads to Rekor. Verify performs offline verification of DSSE signatures (ECDSA/RSA-PKCS1), material digest comparison (SBOM/VEX), and Rekor inclusion proof validation against trusted checkpoints. Extended `PromotionModels.cs` with request/result types for attest/verify, added DsseEnvelope/DsseSignature models, implemented `AttestAsync`/`VerifyAsync` in `PromotionAssembler.cs` with PAE encoding, certificate chain verification, and Merkle inclusion proof validation. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli)
+CLI-DETER-70-004 | DONE (2025-11-28) | Implemented `stella detscore report` command to summarise published `determinism.json` files. Features: (1) Aggregates multiple manifests into unified report with overall/per-image score matrix, (2) Supports markdown/JSON/CSV output formats, (3) Computes summary statistics (average, min/max scores, pass/fail counts), (4) Tracks non-deterministic artifacts across releases, (5) Integrates with release notes and air-gap kits via `--output` flag. Extended `DeterminismModels.cs` with `DeterminismReportRequest`, `DeterminismReport`, `DeterminismReportSummary`, `DeterminismReleaseEntry`, `DeterminismImageMatrixEntry`, and `DeterminismReportResult`. Added `GenerateReportAsync` to `IDeterminismHarness` interface and implemented in `DeterminismHarness.cs` with markdown table generation, CSV export, and JSON serialization. Added `detscore report` command to `CommandFactory.cs` and `HandleDetscoreReportAsync` handler to `CommandHandlers.cs` with Spectre.Console rich output. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-PACKS-43-001 | DONE (2025-11-28) | Implemented advanced pack features for `stella pack` command group. Features: (1) `pack runs list` lists pack runs with status/actor/pack-id filters, pagination, and deterministic ordering; (2) `pack runs show` displays detailed run status with step progress, artifacts, and timing; (3) `pack runs cancel` cancels running pack with reason for audit; (4) `pack runs pause` pauses run at approval gate with optional step targeting; (5) `pack runs resume` resumes paused run with approve/reject decision and optional comment; (6) `pack runs logs` retrieves run logs with step/level filters, --tail for last N lines, --since timestamp; (7) `pack secrets inject` injects secrets from vault/aws-ssm/azure-keyvault/k8s-secret providers with env-var or file path targeting per step; (8) `pack cache list` displays offline pack cache with size/age/source info; (9) `pack cache add` pre-fetches pack to local cache for offline execution; (10) `pack cache prune` cleans cache with --max-age/--max-size/--all options. Extended `PackModels.cs` with `PackRunListRequest/Response`, `PackCancelRequest`, `PackApprovalPauseRequest`, `PackApprovalResumeRequest`, `PackApprovalResult`, `PackLogsRequest`, `PackLogEntry`, `PackLogsResult`, `PackSecretInjectRequest/Result`, `PackArtifactDownloadRequest/Result`, `PackCacheEntry`, `PackCacheRequest/Result` models. Extended `IPackClient` and `PackClient` with 8 new operations. Added handlers to `CommandHandlers.cs` with Spectre.Console rich output for runs tables, log streaming, and cache management. Dependencies: CLI-PACKS-42-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-PARITY-41-001 | DONE (2025-11-28) | Implemented `stella sbom` command group with full SBOM explorer and parity matrix features. Commands: (1) `sbom list` lists SBOMs with filters for image-ref, digest, format (spdx/cyclonedx), creation date range, vulnerability presence, with pagination and determinism score display; (2) `sbom show` displays detailed SBOM info with --components, --vulnerabilities, --licenses, and --explain options for determinism factors and composition path debugging; (3) `sbom compare` compares two SBOMs showing component/vulnerability/license diffs with added/removed/modified change tracking; (4) `sbom export` exports SBOM in SPDX or CycloneDX format with --format-version, --signed attestation, --include-vex options, supports stdout or file output; (5) `sbom parity-matrix` displays CLI command coverage matrix with deterministic, --explain, and offline capability tracking. Created `SbomModels.cs` with comprehensive models for SBOM summary/detail, components, vulnerabilities, licenses, attestation, determinism factors, composition path, comparison, export, and parity matrix. Added `ISbomClient` interface and `SbomClient` implementation with HTTP client for SBOM APIs. Extended `CliError` with ERR_SBOM_* codes (exit 18). Registered client in `Program.cs`. Added handlers to `CommandHandlers.cs` with Spectre.Console rich output for SBOM tables, detail panels, comparison summaries, and parity matrix display. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-PARITY-41-002 | DONE (2025-11-28) | Implemented `notify` command group with comprehensive notification management capabilities. Commands: (1) `notify channels list` lists notification channels with type/enabled filters, pagination, failure rate display; (2) `notify channels show` displays detailed channel info with config, stats, health, and labels; (3) `notify channels test` sends test message to channel with latency and success reporting; (4) `notify rules list` lists routing rules with event-type/channel/enabled filters; (5) `notify deliveries list` lists deliveries with status/event-type/channel/date-range filters and pagination; (6) `notify deliveries show` displays detailed delivery info with attempt history; (7) `notify deliveries retry` retries failed delivery with idempotency key support; (8) `notify send` sends notification via rules or direct channel with event-type, subject, severity, metadata, and idempotency key. Created `NotifyModels.cs` with `NotifyChannelListRequest/Response`, `NotifyChannelSummary/Detail`, `NotifyChannelConfigInfo/Limits/Stats/Health`, `NotifyChannelTestRequest/Result`, `NotifyRuleListRequest/Response/Summary`, `NotifyDeliveryListRequest/Response`, `NotifyDeliverySummary/Detail/Attempt`, `NotifyRetryRequest/Result`, `NotifySendRequest/Result` models. Added `INotifyClient` interface and `NotifyClient` implementation with HTTP client supporting Idempotency-Key headers for mutation operations. Extended `CliError` with ERR_NOTIFY_* codes (exit 19). Registered client in `Program.cs`. Added handlers to `CommandHandlers.cs` with Spectre.Console rich output for channel tables, delivery status, health indicators, and attempt history. Note: `aoc` and `auth` commands already exist in the CLI. Dependencies: CLI-PARITY-41-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-SBOM-60-001 | DONE (2025-11-28) | Implemented `stella sbomer` command group for deterministic SBOM composition. Commands: (1) `sbomer layer list` lists layer fragments for a scan with DSSE signature status; (2) `sbomer layer show` displays fragment details with --components and --dsse options for components list and DSSE envelope/signature info; (3) `sbomer layer verify` verifies fragment DSSE signature and content hash with offline mode support; (4) `sbomer compose` composes SBOM from layer fragments with canonical ordering, emits _composition.json manifest and Merkle diagnostics, supports --verify for fragment verification before compose; (5) `sbomer composition show` displays composition manifest with fragment canonical order and properties; (6) `sbomer composition verify` verifies composition against manifest, recomputes Merkle root, and validates all fragment signatures with --recompose option; (7) `sbomer composition merkle` shows Merkle tree diagnostics with leaves and intermediate nodes. Created `SbomerModels.cs` with `SbomFragment`, `SbomFragmentComponent`, `DsseEnvelopeInfo`, `DsseSignatureInfo`, `MerkleProofInfo`, `CompositionManifest`, `CompositionFragmentEntry`, `MerkleDiagnostics`, `MerkleLeafInfo`, `MerkleNodeInfo`, request/response/result types. Added `ISbomerClient` interface and `SbomerClient` implementation. Extended `CliError` with ERR_SBOMER_* codes (exit 20). Registered client in `Program.cs`. Added handlers to `CommandHandlers.cs` with Spectre.Console rich output for layer tables, DSSE signatures, Merkle trees, and composition manifests. Dependencies: CLI-PARITY-41-001, SCANNER-SURFACE-04. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-SBOM-60-002 | DONE (2025-11-28) | Implemented `stella sbomer drift` command group with analyze and verify subcommands for drift detection and explanation. Commands: (1) `sbomer drift analyze` (alias: `diff`) compares current SBOM against baseline, detects component/ordering/timestamp/key/whitespace drifts, reports determinism-breaking changes with severity levels, supports `--explain` for detailed root cause analysis with remediation suggestions; (2) `sbomer drift verify` performs local recomposition from offline kit bundles, validates fragment DSSE signatures (`--validate-fragments`), checks Merkle proofs (`--check-merkle`), compares recomposed hash against stored hash, displays offline kit metadata. Extended `SbomerModels.cs` with `SbomerDriftRequest`, `SbomerDriftResult`, `DriftSummary`, `DriftDetail`, `DriftExplanation`, `SbomerDriftVerifyRequest`, `SbomerDriftVerifyResult`, `OfflineKitInfo` models. Extended `ISbomerClient` and `SbomerClient` with `AnalyzeDriftAsync`/`VerifyDriftAsync`. Added drift subcommands to `CommandFactory.cs` and handlers to `CommandHandlers.cs` with Spectre.Console rich output for drift tables, explanation panels, verification status, and offline kit info. Dependencies: CLI-SBOM-60-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-POLICY-20-001 | DONE (2025-11-28) | Implemented `stella policy new` command for scaffolding new policy files from templates. Features: (1) Creates policy DSL files with metadata, settings, and template-specific rules; (2) Six templates available: minimal (stub), baseline (severity normalization), vex-precedence (VEX handling), reachability (telemetry-aware), secret-leak (secret detection), full (comprehensive); (3) Options: --template/-t for template selection, --description/-d for metadata, --tag for tags, --shadow to enable shadow mode (default), --fixtures to create test fixtures directory, --git-init to initialize Git repository; (4) JSON output support for scripting. Created `PolicyWorkspaceModels.cs` with `PolicyNewRequest`, `PolicyNewResult`, `PolicyTemplate` enum. Added `policy new` command to `CommandFactory.cs` and `HandlePolicyNewAsync` handler to `CommandHandlers.cs` with Spectre.Console rich output and next-steps guidance. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-POLICY-23-004 | DONE (prior) | The `stella policy lint` command already exists, validating policy DSL files with compiler diagnostics and JSON output support. No additional implementation needed. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
 > 2025-11-06: CLI enforces `--version` as mandatory and adds scheduled activation timestamp normalization tests while keeping exit codes intact.
-CLI-POLICY-23-006 | TODO | Provide `stella policy history` and `stella policy explain` commands to pull run history and explanation trees. Dependencies: CLI-POLICY-23-005. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-POLICY-27-001 | TODO | Implement policy workspace commands (`stella policy init`, `edit`, `lint`, `compile`, `test`) with template selection, local cache, JSON output, and deterministic temp directories. Dependencies: CLI-POLICY-23-006. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-POLICY-23-006 | DONE (2025-11-28) | Implemented `stella policy history` and `stella policy explain` commands. History features: (1) Lists policy runs with run ID, version, status, start time, duration, SBOM count, findings generated/changed; (2) Filters: --tenant, --from/--to date range, --status; (3) Pagination with --limit and --cursor; (4) Color-coded status display. Explain features: (1) Shows policy decision tree for component+advisory tuple; (2) Displays subject info (PURL, component, advisory); (3) Shows decision outcome with status, severity, winning rule, rationale; (4) Rule evaluation trace with priority ordering, predicate evaluation details (verbose mode), action execution results, because clauses; (5) Color-coded matched/evaluated/skipped indicators. Extended `PolicyWorkspaceModels.cs` with `PolicyHistoryRequest`, `PolicyHistoryResponse`, `PolicyRunSummary`, `PolicyExplainRequest`, `PolicyExplainResult`, `PolicyExplainSubject`, `PolicyDecision`, `PolicyRuleTraceEntry`, `PolicyPredicateEvaluation`, `PolicyActionResult`, `PolicyInputContext`. Extended `IBackendOperationsClient` and `BackendOperationsClient` with `GetPolicyHistoryAsync`/`GetPolicyExplainAsync`. Added commands to `CommandFactory.cs` and handlers to `CommandHandlers.cs`. Dependencies: CLI-POLICY-23-005. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-POLICY-27-001 | DONE (2025-11-28) | Implemented policy workspace commands. Commands: (1) `stella policy init [path]` initializes a policy workspace directory with policy file, test fixtures, README, .gitignore, and optional Git init; (2) `stella policy compile <file>` compiles policy DSL to IR JSON with digest output, supports --no-ir for validation only, --no-digest, --optimize, --strict (warnings as errors). Init options: --name for policy name, --template for template selection, --no-git/--no-readme/--no-fixtures to skip components. Compile options: --output for IR path, format selection. Edit, lint, and test commands already existed. Created workspace models in `PolicyWorkspaceModels.cs`: `PolicyWorkspaceInitRequest`, `PolicyWorkspaceInitResult`, `PolicyCompileRequest`, `PolicyCompileResult`, `PolicyDiagnostic`. Added commands to `CommandFactory.cs` and handlers `HandlePolicyInitAsync`/`HandlePolicyCompileAsync` to `CommandHandlers.cs`. Dependencies: CLI-POLICY-23-006. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
diff --git a/docs/implplan/SPRINT_204_cli_iv.md b/docs/implplan/SPRINT_204_cli_iv.md
index d6cea45cc..c2be47791 100644
--- a/docs/implplan/SPRINT_204_cli_iv.md
+++ b/docs/implplan/SPRINT_204_cli_iv.md
@@ -7,18 +7,18 @@ Depends on: Sprint 180.A - Cli.III
 Summary: Experience & SDKs focus on Cli (phase IV).
 Task ID | State | Task description | Owners (Source)
 --- | --- | --- | ---
-CLI-POLICY-27-002 | TODO | Add submission/review workflow commands (`stella policy version bump`, `submit`, `review comment`, `approve`, `reject`) supporting reviewer assignment, changelog capture, and exit codes. Dependencies: CLI-POLICY-27-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-POLICY-27-003 | TODO | Implement `stella policy simulate` enhancements (quick vs batch, SBOM selectors, heatmap summary, manifest download) with `--json` and Markdown report output for CI. Dependencies: CLI-POLICY-27-002. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-POLICY-27-004 | TODO | Add lifecycle commands for publish/promote/rollback/sign (`stella policy publish --sign`, `promote --env`, `rollback`) with attestation verification and canary arguments. Dependencies: CLI-POLICY-27-003. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-POLICY-27-005 | TODO | Update CLI reference and samples for Policy Studio including JSON schemas, exit codes, and CI snippets. Dependencies: CLI-POLICY-27-004. | DevEx/CLI Guild, Docs Guild (src/Cli/StellaOps.Cli)
-CLI-POLICY-27-006 | TODO | Update CLI policy profiles/help text to request the new Policy Studio scope family, surface ProblemDetails guidance for `invalid_scope`, and adjust regression tests for scope failures. Dependencies: CLI-POLICY-27-005. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-RISK-66-001 | TODO | Implement `stella risk profile list | DevEx/CLI Guild, Policy Guild (src/Cli/StellaOps.Cli)
-CLI-RISK-66-002 | TODO | Ship `stella risk simulate` supporting SBOM/asset inputs, diff mode, and export to JSON/CSV. Dependencies: CLI-RISK-66-001. | DevEx/CLI Guild, Risk Engine Guild (src/Cli/StellaOps.Cli)
-CLI-RISK-67-001 | TODO | Provide `stella risk results` with filtering, severity thresholds, explainability fetch. Dependencies: CLI-RISK-66-002. | DevEx/CLI Guild, Findings Ledger Guild (src/Cli/StellaOps.Cli)
-CLI-RISK-68-001 | TODO | Add `stella risk bundle verify` and integrate with offline risk bundles. Dependencies: CLI-RISK-67-001. | DevEx/CLI Guild, Export Guild (src/Cli/StellaOps.Cli)
-CLI-SDK-62-001 | TODO | Replace bespoke HTTP clients with official SDK (TS/Go) for all CLI commands; ensure modular transport for air-gapped mode. | DevEx/CLI Guild, SDK Generator Guild (src/Cli/StellaOps.Cli)
-CLI-SDK-62-002 | TODO | Update CLI error handling to surface standardized API error envelope with `error.code` and `trace_id`. Dependencies: CLI-SDK-62-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-SDK-63-001 | TODO | Expose `stella api spec download` command retrieving aggregate OAS and verifying checksum/ETag. Dependencies: CLI-SDK-62-002. | DevEx/CLI Guild, API Governance Guild (src/Cli/StellaOps.Cli)
-CLI-SDK-64-001 | TODO | Add CLI subcommand `stella sdk update` to fetch latest SDK manifests/changelogs; integrate with Notifications for deprecations. Dependencies: CLI-SDK-63-001. | DevEx/CLI Guild, SDK Release Guild (src/Cli/StellaOps.Cli)
-CLI-SIG-26-001 | TODO | Implement `stella reachability upload-callgraph` and `stella reachability list/explain` commands with streaming upload, pagination, and exit codes. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
-CLI-SIG-26-002 | TODO | Extend `stella policy simulate` with reachability override flags (`--reachability-state`, `--reachability-score`). Dependencies: CLI-SIG-26-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
\ No newline at end of file
+CLI-POLICY-27-002 | DONE | Add submission/review workflow commands (`stella policy version bump`, `submit`, `review comment`, `approve`, `reject`) supporting reviewer assignment, changelog capture, and exit codes. Dependencies: CLI-POLICY-27-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-POLICY-27-003 | DONE | Implement `stella policy simulate` enhancements (quick vs batch, SBOM selectors, heatmap summary, manifest download) with `--json` and Markdown report output for CI. Dependencies: CLI-POLICY-27-002. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-POLICY-27-004 | DONE | Add lifecycle commands for publish/promote/rollback/sign (`stella policy publish --sign`, `promote --env`, `rollback`) with attestation verification and canary arguments. Dependencies: CLI-POLICY-27-003. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-POLICY-27-005 | DONE | Update CLI reference and samples for Policy Studio including JSON schemas, exit codes, and CI snippets. Dependencies: CLI-POLICY-27-004. | DevEx/CLI Guild, Docs Guild (src/Cli/StellaOps.Cli)
+CLI-POLICY-27-006 | DONE | Update CLI policy profiles/help text to request the new Policy Studio scope family, surface ProblemDetails guidance for `invalid_scope`, and adjust regression tests for scope failures. Dependencies: CLI-POLICY-27-005. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-RISK-66-001 | DONE | Implement `stella risk profile list` with category filtering, pagination, and JSON output. | DevEx/CLI Guild, Policy Guild (src/Cli/StellaOps.Cli)
+CLI-RISK-66-002 | DONE | Ship `stella risk simulate` supporting SBOM/asset inputs, diff mode, and export to JSON/CSV. Dependencies: CLI-RISK-66-001. | DevEx/CLI Guild, Risk Engine Guild (src/Cli/StellaOps.Cli)
+CLI-RISK-67-001 | DONE | Provide `stella risk results` with filtering, severity thresholds, explainability fetch. Dependencies: CLI-RISK-66-002. | DevEx/CLI Guild, Findings Ledger Guild (src/Cli/StellaOps.Cli)
+CLI-RISK-68-001 | DONE | Add `stella risk bundle verify` and integrate with offline risk bundles. Dependencies: CLI-RISK-67-001. | DevEx/CLI Guild, Export Guild (src/Cli/StellaOps.Cli)
+CLI-SDK-62-001 | DONE | Replace bespoke HTTP clients with official SDK (TS/Go) for all CLI commands; ensure modular transport for air-gapped mode. | DevEx/CLI Guild, SDK Generator Guild (src/Cli/StellaOps.Cli)
+CLI-SDK-62-002 | DONE | Update CLI error handling to surface standardized API error envelope with `error.code` and `trace_id`. Dependencies: CLI-SDK-62-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-SDK-63-001 | DONE | Expose `stella api spec download` command retrieving aggregate OAS and verifying checksum/ETag. Dependencies: CLI-SDK-62-002. | DevEx/CLI Guild, API Governance Guild (src/Cli/StellaOps.Cli)
+CLI-SDK-64-001 | DONE | Add CLI subcommand `stella sdk update` to fetch latest SDK manifests/changelogs; integrate with Notifications for deprecations. Dependencies: CLI-SDK-63-001. | DevEx/CLI Guild, SDK Release Guild (src/Cli/StellaOps.Cli)
+CLI-SIG-26-001 | DONE | Implement `stella reachability upload-callgraph` and `stella reachability list/explain` commands with streaming upload, pagination, and exit codes. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
+CLI-SIG-26-002 | DONE | Extend `stella policy simulate` with reachability override flags (`--reachability-state`, `--reachability-score`). Dependencies: CLI-SIG-26-001. | DevEx/CLI Guild (src/Cli/StellaOps.Cli)
\ No newline at end of file
diff --git a/docs/modules/cli/guides/commands/api.md b/docs/modules/cli/guides/commands/api.md
new file mode 100644
index 000000000..a11be3de5
--- /dev/null
+++ b/docs/modules/cli/guides/commands/api.md
@@ -0,0 +1,183 @@
+# stella api — Command Guide
+
+## Overview
+
+The `stella api` command group provides API management capabilities including specification download and listing.
+
+## Commands
+
+### List API Specifications (CLI-SDK-63-001)
+
+```bash
+# List available API specifications
+stella api spec list \
+  [--tenant <id>] \
+  [--json]
+```
+
+**Options:**
+| Flag | Description |
+|------|-------------|
+| `--tenant` / `-t` | Tenant context for the operation |
+| `--json` | Output in JSON format |
+
+**Output:**
+- Aggregate API specification details (version, OpenAPI version, ETag, SHA-256)
+- Service-level specifications with version and format information
+
+### Download API Specification (CLI-SDK-63-001)
+
+```bash
+# Download API specification
+stella api spec download \
+  --output <path> \
+  [--tenant <id>] \
+  [--service <name>] \
+  [--format openapi-json|openapi-yaml] \
+  [--overwrite] \
+  [--etag <etag>] \
+  [--checksum <checksum>] \
+  [--checksum-algorithm sha256|sha384|sha512] \
+  [--json]
+```
+
+**Options:**
+| Flag | Description |
+|------|-------------|
+| `--output` / `-o` | Output path for the downloaded spec (file or directory) (required) |
+| `--service` / `-s` | Service to download spec for (e.g., concelier, scanner, policy). Omit for aggregate spec |
+| `--format` / `-f` | Output format: `openapi-json` (default) or `openapi-yaml` |
+| `--overwrite` | Overwrite existing file if present |
+| `--etag` | Expected ETag for conditional download (If-None-Match) |
+| `--checksum` | Expected checksum for verification after download |
+| `--checksum-algorithm` | Checksum algorithm: `sha256` (default), `sha384`, `sha512` |
+
+**Output:**
+- Downloaded file path
+- File size
+- API version (extracted from spec)
+- ETag for future conditional downloads
+- Checksum with verification status
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | Success |
+| 1 | Error or download failure |
+| 130 | Operation cancelled by user |
+
+## JSON Schema: ApiSpecDownloadResult
+
+```json
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "properties": {
+    "success": { "type": "boolean" },
+    "path": { "type": "string" },
+    "sizeBytes": { "type": "integer" },
+    "fromCache": { "type": "boolean" },
+    "etag": { "type": "string" },
+    "checksum": { "type": "string" },
+    "checksumAlgorithm": { "type": "string" },
+    "checksumVerified": { "type": "boolean" },
+    "apiVersion": { "type": "string" },
+    "generatedAt": { "type": "string", "format": "date-time" },
+    "error": { "type": "string" },
+    "errorCode": { "type": "string" }
+  }
+}
+```
+
+## Examples
+
+### List available API specifications
+
+```bash
+# List all specs
+stella api spec list
+
+# List specs as JSON
+stella api spec list --json
+```
+
+### Download aggregate specification
+
+```bash
+# Download aggregate OpenAPI spec to current directory
+stella api spec download --output ./
+
+# Download with checksum verification
+stella api spec download \
+  --output ./stellaops-api.json \
+  --checksum abc123def456... \
+  --checksum-algorithm sha256
+```
+
+### Download service-specific specification
+
+```bash
+# Download Scanner API spec
+stella api spec download \
+  --output ./scanner-api.yaml \
+  --service scanner \
+  --format openapi-yaml
+```
+
+### Conditional download with ETag
+
+```bash
+# First download captures ETag
+stella api spec download --output ./api.json --json > download-result.json
+
+# Subsequent downloads use ETag for cache validation
+ETAG=$(jq -r '.etag' download-result.json)
+stella api spec download \
+  --output ./api.json \
+  --etag "$ETAG"
+```
+
+### CI/CD Integration
+
+```bash
+#!/bin/bash
+# Download and validate API spec in CI
+
+stella api spec download \
+  --output ./openapi.json \
+  --checksum "$EXPECTED_CHECKSUM" \
+  --json > result.json
+
+if [ "$(jq -r '.checksumVerified' result.json)" != "true" ]; then
+  echo "API spec checksum verification failed!"
+  exit 1
+fi
+
+# Generate client code from spec
+npx openapi-generator-cli generate \
+  -i ./openapi.json \
+  -g typescript-fetch \
+  -o ./generated-client
+```
+
+## Available Services
+
+| Service | Description |
+|---------|-------------|
+| `aggregate` | Combined specification from all services (default) |
+| `concelier` | Vulnerability advisory and VEX management |
+| `scanner` | Container scanning and SBOM generation |
+| `policy` | Policy engine and evaluation |
+| `authority` | Authentication and authorization |
+| `attestor` | Attestation generation and verification |
+| `notify` | Notification delivery |
+| `scheduler` | Job scheduling |
+
+## Best Practices
+
+1. **Use ETag for conditional downloads** to minimize bandwidth and improve CI performance
+2. **Verify checksums** when downloading specs for code generation in production pipelines
+3. **Download aggregate spec** for general client generation; service-specific specs for targeted APIs
+4. **Store ETags** in CI cache to enable incremental downloads
+5. **Use YAML format** for human readability; JSON for programmatic processing
diff --git a/docs/modules/cli/guides/commands/policy.md b/docs/modules/cli/guides/commands/policy.md
index 7f37d192c..df668bfc9 100644
--- a/docs/modules/cli/guides/commands/policy.md
+++ b/docs/modules/cli/guides/commands/policy.md
@@ -1,25 +1,332 @@
 # stella policy — Command Guide
 
+## Overview
+
+The `stella policy` command group provides comprehensive policy management capabilities for Policy Studio, including creation, simulation, workflow management, and lifecycle operations.
+
 ## Commands
-- `stella policy eval --input <bundle> --subject <sbom|vex|vuln> [--offline] [--output json|ndjson|table]`
-- `stella policy simulate --from <bundleA> --to <bundleB> [--budget <ms>] [--offline]`
-- `stella policy publish --input <bundle> --sign --attest`
 
-## Flags (common)
-- `--offline` / `STELLA_OFFLINE=1`: forbid network calls; use cached bundles only.
-- `--tenant <id>`: scope evaluation to tenant; RLS enforcement required on the server.
-- `--rationale`: include rationale IDs in responses.
-- `--output`: `json` (default), `ndjson`, or `table`.
+### Policy Creation & Scaffolding
 
-## Inputs/outputs
-- Inputs: policy bundles (signed), subject artifacts (SBOM/VEX/Vuln snapshots).
-- Outputs: deterministic JSON/NDJSON or tables; includes `correlationId`, `policyVersion`, `rationaleIds` when requested.
-- Exit codes follow `output-and-exit-codes.md`.
+```bash
+# Create a new policy from a template
+stella policy new <name> [--template <template>] [--output <path>] [--description <desc>] [--tags <tag1,tag2>] [--shadow-mode] [--create-fixtures] [--git-init]
+```
 
-## Determinism rules
-- Sort evaluation results by subject key; timestamps UTC ISO-8601.
-- No inferred verdicts beyond Policy Engine response.
+**Templates:** `basic`, `sbom-gate`, `vex-precedence`, `reachability`, `secret-detection`, `license-compliance`, `supply-chain`
 
-## Offline/air-gap notes
-- When `--offline`, evaluation must use locally cached bundles and subject artifacts; fail with exit code 5 if network would be needed.
-- Trust roots loaded from `STELLA_TRUST_ROOTS` when verifying signed bundles.
+### Policy Simulation (CLI-POLICY-27-003)
+
+```bash
+# Simulate policy changes with enhanced options
+stella policy simulate <policy-id> \
+  [--base <version>] \
+  [--candidate <version>] \
+  [--sbom <id1,id2,...>] \
+  [--env key=value] \
+  [--mode quick|batch] \
+  [--sbom-selector <pattern>] \
+  [--heatmap] \
+  [--manifest-download] \
+  [--reachability-state <id:state>] \
+  [--reachability-score <id:score>] \
+  [--with-exception <exc-id>] \
+  [--without-exception <exc-id>] \
+  [--explain] \
+  [--fail-on-diff] \
+  [--format json|table|markdown] \
+  [--output <path>]
+```
+
+**Options:**
+| Flag | Description |
+|------|-------------|
+| `--mode quick\|batch` | Simulation mode: `quick` samples SBOMs, `batch` evaluates all matching |
+| `--sbom-selector` | SBOM selector pattern (e.g., `registry:docker.io/*`, `tag:production`). Repeatable |
+| `--heatmap` | Include severity heatmap summary in output |
+| `--manifest-download` | Request manifest download URI for offline analysis |
+| `--reachability-state` | Override reachability state (format: `CVE-XXXX:reachable`). Repeatable |
+| `--reachability-score` | Override reachability score (format: `CVE-XXXX:0.85`). Repeatable |
+| `--format markdown` | Generate CI-friendly markdown report |
+
+### Policy Workflow (CLI-POLICY-27-002)
+
+```bash
+# Bump policy version
+stella policy version bump <policy-id> [--changelog <message>] [--major|--minor|--patch]
+
+# Submit policy for review
+stella policy submit <policy-id> [--version <ver>] [--reviewers <user1,user2>] [--changelog <message>]
+
+# Add review comment
+stella policy review comment <policy-id> [--version <ver>] --comment <text> [--line <num>] [--file <path>]
+
+# Approve policy review
+stella policy approve <policy-id> [--version <ver>] [--comment <text>]
+
+# Reject policy review
+stella policy reject <policy-id> [--version <ver>] --reason <text>
+
+# Get review status
+stella policy review status <policy-id> [--version <ver>]
+```
+
+### Policy Lifecycle (CLI-POLICY-27-004)
+
+```bash
+# Publish policy
+stella policy publish <policy-id> [--version <ver>] [--sign] [--attestation-type <type>] [--dry-run]
+
+# Promote policy to environment
+stella policy promote <policy-id> [--version <ver>] --env <environment> [--canary <percentage>] [--dry-run]
+
+# Rollback policy
+stella policy rollback <policy-id> [--to-version <ver>] [--reason <text>] [--force]
+
+# Sign policy
+stella policy sign <policy-id> [--version <ver>] [--key-id <key>] [--attestation-type <type>]
+
+# Verify policy signature
+stella policy verify-signature <policy-id> [--version <ver>] [--check-rekor]
+```
+
+### Policy History & Explain (CLI-POLICY-23-006)
+
+```bash
+# Get policy history
+stella policy history <policy-id> [--limit <num>] [--since <date>] [--until <date>]
+
+# Explain policy decision
+stella policy explain <policy-id> [--version <ver>] [--finding-id <id>] [--verbose]
+```
+
+### Policy Activation
+
+```bash
+# Activate an approved policy revision
+stella policy activate <policy-id> --version <ver> [--environment <env>] [--force] [--dry-run]
+```
+
+## Common Flags
+
+| Flag | Description |
+|------|-------------|
+| `--tenant` / `-t` | Tenant context for the operation |
+| `--json` | Output as JSON |
+| `--verbose` / `-v` | Enable verbose logging |
+| `--offline` | Forbid network calls; use cached bundles only |
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | Success |
+| 1 | General error |
+| 4 | Input validation error |
+| 5 | Network required but offline mode enabled |
+| 20 | Differences detected with `--fail-on-diff` |
+| 130 | Operation cancelled by user |
+
+## JSON Schemas
+
+### PolicySimulationResult
+
+```json
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "properties": {
+    "diff": {
+      "type": "object",
+      "properties": {
+        "schemaVersion": { "type": "string" },
+        "added": { "type": "integer" },
+        "removed": { "type": "integer" },
+        "unchanged": { "type": "integer" },
+        "bySeverity": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "object",
+            "properties": {
+              "up": { "type": "integer" },
+              "down": { "type": "integer" }
+            }
+          }
+        },
+        "ruleHits": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "ruleId": { "type": "string" },
+              "ruleName": { "type": "string" },
+              "up": { "type": "integer" },
+              "down": { "type": "integer" }
+            }
+          }
+        }
+      }
+    },
+    "explainUri": { "type": "string" },
+    "heatmap": {
+      "type": "object",
+      "properties": {
+        "buckets": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "severity": { "type": "string" },
+              "count": { "type": "integer" },
+              "percentage": { "type": "number" }
+            }
+          }
+        },
+        "total": { "type": "integer" }
+      }
+    },
+    "manifestDownloadUri": { "type": "string" },
+    "manifestDigest": { "type": "string" }
+  }
+}
+```
+
+### PolicyReviewSummary
+
+```json
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "properties": {
+    "policyId": { "type": "string" },
+    "version": { "type": "integer" },
+    "status": { "type": "string", "enum": ["pending", "approved", "rejected", "changes_requested"] },
+    "submittedBy": { "type": "string" },
+    "submittedAt": { "type": "string", "format": "date-time" },
+    "reviewers": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "userId": { "type": "string" },
+          "status": { "type": "string" },
+          "reviewedAt": { "type": "string", "format": "date-time" }
+        }
+      }
+    },
+    "comments": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "commentId": { "type": "string" },
+          "author": { "type": "string" },
+          "text": { "type": "string" },
+          "createdAt": { "type": "string", "format": "date-time" },
+          "line": { "type": "integer" },
+          "file": { "type": "string" }
+        }
+      }
+    }
+  }
+}
+```
+
+## CI/CD Integration Examples
+
+### GitHub Actions
+
+```yaml
+name: Policy Simulation
+on:
+  pull_request:
+    paths:
+      - 'policies/**'
+
+jobs:
+  simulate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Stella CLI
+        run: |
+          curl -sSL https://get.stellaops.io | bash
+
+      - name: Simulate Policy Changes
+        run: |
+          stella policy simulate P-7 \
+            --base $(git merge-base HEAD origin/main) \
+            --candidate HEAD \
+            --mode batch \
+            --heatmap \
+            --format markdown \
+            --output simulation-report.md \
+            --fail-on-diff
+
+      - name: Upload Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: policy-simulation-report
+          path: simulation-report.md
+```
+
+### GitLab CI
+
+```yaml
+policy-simulate:
+  stage: test
+  script:
+    - stella policy simulate P-7 --mode quick --heatmap --json > simulation.json
+    - |
+      if [ $(jq '.diff.added + .diff.removed' simulation.json) -gt 0 ]; then
+        echo "Policy changes detected"
+        stella policy simulate P-7 --format markdown --output report.md
+        exit 20
+      fi
+  artifacts:
+    paths:
+      - simulation.json
+      - report.md
+    when: always
+```
+
+### Azure DevOps
+
+```yaml
+- task: Bash@3
+  displayName: 'Policy Simulation'
+  inputs:
+    targetType: 'inline'
+    script: |
+      stella policy simulate P-7 \
+        --mode batch \
+        --sbom-selector "registry:$(ACR_REGISTRY)/*" \
+        --heatmap \
+        --json \
+        --output $(Build.ArtifactStagingDirectory)/simulation.json
+```
+
+## Determinism Rules
+
+- Sort evaluation results by subject key
+- Timestamps use UTC ISO-8601 format
+- No inferred verdicts beyond Policy Engine response
+- Hashes computed with SHA-256
+
+## Offline/Air-Gap Notes
+
+- When `--offline` is set, evaluation uses locally cached bundles and subject artifacts
+- Fails with exit code 5 if network would be needed
+- Trust roots loaded from `STELLA_TRUST_ROOTS` environment variable when verifying signed bundles
+- Signature verification can use local Rekor mirror via `STELLA_REKOR_MIRROR`
+
+## Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `STELLAOPS_BACKEND_URL` | Backend API URL |
+| `STELLA_OFFLINE` | Set to `1` to enable offline mode |
+| `STELLA_TRUST_ROOTS` | Path to trust roots for signature verification |
+| `STELLA_REKOR_MIRROR` | Local Rekor transparency log mirror URL |
+| `STELLAOPS_TENANT` | Default tenant context |
diff --git a/docs/modules/cli/guides/commands/reachability.md b/docs/modules/cli/guides/commands/reachability.md
new file mode 100644
index 000000000..92f290e5a
--- /dev/null
+++ b/docs/modules/cli/guides/commands/reachability.md
@@ -0,0 +1,265 @@
+# stella reachability — Command Guide
+
+## Overview
+
+The `stella reachability` command group provides reachability analysis capabilities for vulnerability exploitability assessment. It supports call graph upload, analysis listing, and detailed reachability explanations.
+
+## Commands
+
+### Upload Call Graph (CLI-SIG-26-001)
+
+```bash
+# Upload a call graph for reachability analysis
+stella reachability upload-callgraph \
+  --path <call-graph-file> \
+  [--tenant <id>] \
+  [--scan-id <id>] \
+  [--asset-id <id>] \
+  [--format auto|json|proto|dot] \
+  [--json]
+```
+
+**Options:**
+| Flag | Description |
+|------|-------------|
+| `--path` / `-p` | Path to the call graph file (required) |
+| `--scan-id` | Scan identifier to associate with the call graph |
+| `--asset-id` / `-a` | Asset identifier to associate with the call graph |
+| `--format` / `-f` | Call graph format: `auto` (default), `json`, `proto`, `dot` |
+
+**Required:** At least one of `--scan-id` or `--asset-id`.
+
+**Supported Call Graph Formats:**
+- JSON (native format)
+- Protocol Buffers (proto)
+- DOT/GraphViz format
+
+### List Reachability Analyses (CLI-SIG-26-001)
+
+```bash
+# List reachability analyses
+stella reachability list \
+  [--tenant <id>] \
+  [--scan-id <id>] \
+  [--asset-id <id>] \
+  [--status pending|processing|completed|failed] \
+  [--limit <num>] \
+  [--offset <num>] \
+  [--json]
+```
+
+**Options:**
+| Flag | Description |
+|------|-------------|
+| `--scan-id` | Filter by scan identifier |
+| `--asset-id` / `-a` | Filter by asset identifier |
+| `--status` | Filter by analysis status |
+| `--limit` / `-l` | Maximum number of results (default 100) |
+| `--offset` / `-o` | Pagination offset |
+
+**Output Columns:**
+- Analysis ID
+- Asset name/ID
+- Status (pending, processing, completed, failed)
+- Reachable count
+- Unreachable count
+- Unknown count
+- Created timestamp
+
+### Explain Reachability (CLI-SIG-26-001)
+
+```bash
+# Explain reachability for a vulnerability or package
+stella reachability explain \
+  --analysis-id <id> \
+  [--tenant <id>] \
+  [--vuln-id <cve-id>] \
+  [--purl <package-url>] \
+  [--call-paths] \
+  [--json]
+```
+
+**Options:**
+| Flag | Description |
+|------|-------------|
+| `--analysis-id` / `-i` | Analysis identifier (required) |
+| `--vuln-id` / `-v` | Vulnerability identifier to explain |
+| `--purl` | Package URL to explain |
+| `--call-paths` | Include detailed call paths in the explanation |
+
+**Required:** At least one of `--vuln-id` or `--purl`.
+
+**Output:**
+- Reachability state (reachable, unreachable, unknown)
+- Reachability score (0-1)
+- Confidence level
+- Reasoning explanation
+- Affected functions list
+- Call paths (when `--call-paths` is used)
+
+## Integration with Policy Simulation (CLI-SIG-26-002)
+
+Reachability overrides can be applied during policy simulation:
+
+```bash
+stella policy simulate P-7 \
+  --reachability-state "CVE-2024-1234:unreachable" \
+  --reachability-state "pkg:npm/lodash@4.17.0:reachable" \
+  --reachability-score "CVE-2024-5678:0.25"
+```
+
+**Override Format:**
+- State: `<identifier>:<state>` where state is `reachable`, `unreachable`, `unknown`, or `indeterminate`
+- Score: `<identifier>:<score>` where score is a decimal between 0 and 1
+
+**Identifier Types:**
+- Vulnerability ID: `CVE-XXXX-XXXX`, `GHSA-xxxx-xxxx-xxxx`
+- Package URL: `pkg:npm/package@version`, `pkg:maven/group/artifact@version`
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | Success |
+| 1 | Error or upload failure |
+| 4 | Input validation error |
+| 130 | Operation cancelled by user |
+
+## JSON Schema: ReachabilityExplainResult
+
+```json
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "properties": {
+    "analysisId": { "type": "string" },
+    "vulnerabilityId": { "type": "string" },
+    "packagePurl": { "type": "string" },
+    "reachabilityState": {
+      "type": "string",
+      "enum": ["reachable", "unreachable", "unknown", "indeterminate"]
+    },
+    "reachabilityScore": { "type": "number", "minimum": 0, "maximum": 1 },
+    "confidence": { "type": "string" },
+    "reasoning": { "type": "string" },
+    "callPaths": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "pathId": { "type": "string" },
+          "depth": { "type": "integer" },
+          "entryPoint": { "$ref": "#/$defs/function" },
+          "frames": { "type": "array", "items": { "$ref": "#/$defs/function" } },
+          "vulnerableFunction": { "$ref": "#/$defs/function" }
+        }
+      }
+    },
+    "affectedFunctions": {
+      "type": "array",
+      "items": { "$ref": "#/$defs/function" }
+    }
+  },
+  "$defs": {
+    "function": {
+      "type": "object",
+      "properties": {
+        "name": { "type": "string" },
+        "signature": { "type": "string" },
+        "className": { "type": "string" },
+        "packageName": { "type": "string" },
+        "filePath": { "type": "string" },
+        "lineNumber": { "type": "integer" }
+      }
+    }
+  }
+}
+```
+
+## Examples
+
+### Upload a call graph
+
+```bash
+# Upload call graph for a specific scan
+stella reachability upload-callgraph \
+  --path ./callgraph.json \
+  --scan-id scan-12345 \
+  --format json
+
+# Upload with auto-detection
+stella reachability upload-callgraph \
+  --path ./app-callgraph.dot \
+  --asset-id my-application
+```
+
+### List recent analyses
+
+```bash
+# List all completed analyses for an asset
+stella reachability list \
+  --asset-id my-application \
+  --status completed \
+  --json
+
+# List analyses with pagination
+stella reachability list \
+  --limit 20 \
+  --offset 40
+```
+
+### Explain vulnerability reachability
+
+```bash
+# Explain with call paths
+stella reachability explain \
+  --analysis-id RA-abc123 \
+  --vuln-id CVE-2024-1234 \
+  --call-paths
+
+# Explain package reachability
+stella reachability explain \
+  --analysis-id RA-abc123 \
+  --purl "pkg:npm/lodash@4.17.21" \
+  --json
+```
+
+### Policy simulation with reachability overrides
+
+```bash
+# Mark specific vulnerability as unreachable
+stella policy simulate P-7 \
+  --reachability-state "CVE-2024-1234:unreachable" \
+  --explain
+
+# Set low reachability score
+stella policy simulate P-7 \
+  --reachability-score "pkg:npm/axios@0.21.0:0.1"
+```
+
+## Reachability States
+
+| State | Description |
+|-------|-------------|
+| `reachable` | Vulnerable code is reachable from application entry points |
+| `unreachable` | Vulnerable code cannot be reached during execution |
+| `unknown` | Reachability cannot be determined with available information |
+| `indeterminate` | Analysis inconclusive due to dynamic dispatch or reflection |
+
+## Call Graph Generation
+
+Call graphs can be generated using various tools:
+
+- **Java:** [WALA](https://github.com/wala/WALA), [Soot](https://github.com/soot-oss/soot)
+- **JavaScript/Node.js:** [callgraph](https://www.npmjs.com/package/callgraph)
+- **Python:** [pycg](https://github.com/vitsalis/pycg)
+- **Go:** `go build -gcflags="-m"` + static analysis
+- **C/C++:** [LLVM](https://llvm.org/) call graph pass
+
+## Best Practices
+
+1. **Upload call graphs after each build** to maintain accurate reachability data
+2. **Use asset IDs** for long-lived applications to track reachability changes over time
+3. **Include call paths** when debugging unexpected reachability results
+4. **Apply reachability overrides** in policy simulation to model remediation scenarios
+5. **Monitor unreachable counts** as a metric for dependency hygiene
diff --git a/docs/modules/cli/guides/commands/risk.md b/docs/modules/cli/guides/commands/risk.md
new file mode 100644
index 000000000..93795564b
--- /dev/null
+++ b/docs/modules/cli/guides/commands/risk.md
@@ -0,0 +1,248 @@
+# stella risk — Command Guide
+
+## Overview
+
+The `stella risk` command group provides risk profile management, risk scoring simulation, and risk bundle verification capabilities.
+
+## Commands
+
+### Risk Profile Management (CLI-RISK-66-001)
+
+```bash
+# List risk profiles
+stella risk profile list \
+  [--tenant <id>] \
+  [--include-disabled] \
+  [--category <category>] \
+  [--limit <num>] \
+  [--offset <num>] \
+  [--json]
+```
+
+**Options:**
+| Flag | Description |
+|------|-------------|
+| `--include-disabled` | Include disabled profiles in listing |
+| `--category` | Filter by profile category |
+| `--limit` | Maximum number of results (default 100) |
+| `--offset` | Pagination offset |
+
+**Output Columns:**
+- Profile ID
+- Name
+- Category
+- Version
+- Rules count
+- Enabled status
+- Built-in indicator
+
+### Risk Simulation (CLI-RISK-66-002)
+
+```bash
+# Simulate risk scoring
+stella risk simulate \
+  [--tenant <id>] \
+  [--profile-id <id>] \
+  [--sbom-id <id>] \
+  [--sbom-path <path>] \
+  [--asset-id <id>] \
+  [--diff] \
+  [--baseline-profile-id <id>] \
+  [--json] \
+  [--csv] \
+  [--output <path>]
+```
+
+**Options:**
+| Flag | Description |
+|------|-------------|
+| `--profile-id` | Risk profile to use for simulation |
+| `--sbom-id` | SBOM identifier for risk evaluation |
+| `--sbom-path` | Local path to SBOM file |
+| `--asset-id` | Asset identifier for risk evaluation |
+| `--diff` | Enable diff mode to compare with baseline |
+| `--baseline-profile-id` | Baseline profile for diff comparison |
+
+**Required:** At least one of `--sbom-id`, `--sbom-path`, or `--asset-id`.
+
+**Output:**
+- Overall score and grade (A+ to F)
+- Findings summary by severity (critical, high, medium, low, info)
+- Component-level scores
+- Diff information when `--diff` is enabled
+
+### Risk Results (CLI-RISK-67-001)
+
+```bash
+# Get risk evaluation results
+stella risk results \
+  [--tenant <id>] \
+  [--asset-id <id>] \
+  [--sbom-id <id>] \
+  [--profile-id <id>] \
+  [--min-severity <severity>] \
+  [--max-score <score>] \
+  [--explain] \
+  [--limit <num>] \
+  [--offset <num>] \
+  [--json] \
+  [--csv]
+```
+
+**Options:**
+| Flag | Description |
+|------|-------------|
+| `--min-severity` | Minimum severity threshold (critical, high, medium, low, info) |
+| `--max-score` | Maximum score threshold (0-100) |
+| `--explain` | Include explainability information |
+
+**Output:**
+- Summary statistics (average, min, max score, asset count)
+- Results table with score, grade, severity, finding count
+- Explanation factors and recommendations when `--explain` is used
+
+### Risk Bundle Verification (CLI-RISK-68-001)
+
+```bash
+# Verify a risk bundle
+stella risk bundle verify \
+  [--tenant <id>] \
+  --bundle-path <path> \
+  [--signature-path <path>] \
+  [--check-rekor] \
+  [--json]
+```
+
+**Options:**
+| Flag | Description |
+|------|-------------|
+| `--bundle-path` | Path to the risk bundle file (required) |
+| `--signature-path` | Path to detached signature file |
+| `--check-rekor` | Verify transparency log entry in Sigstore Rekor |
+
+**Output:**
+- Bundle validation status (VALID/INVALID)
+- Bundle information (ID, version, profile count, rule count)
+- Signature verification status
+- Rekor transparency log verification status
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | Success (for verify: bundle is valid) |
+| 1 | Error or invalid bundle |
+| 4 | Input validation error |
+| 130 | Operation cancelled by user |
+
+## JSON Schema: RiskSimulateResult
+
+```json
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "properties": {
+    "success": { "type": "boolean" },
+    "profileId": { "type": "string" },
+    "profileName": { "type": "string" },
+    "overallScore": { "type": "number" },
+    "grade": { "type": "string" },
+    "findings": {
+      "type": "object",
+      "properties": {
+        "critical": { "type": "integer" },
+        "high": { "type": "integer" },
+        "medium": { "type": "integer" },
+        "low": { "type": "integer" },
+        "info": { "type": "integer" },
+        "total": { "type": "integer" }
+      }
+    },
+    "componentScores": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "componentId": { "type": "string" },
+          "componentName": { "type": "string" },
+          "score": { "type": "number" },
+          "grade": { "type": "string" },
+          "findingCount": { "type": "integer" }
+        }
+      }
+    },
+    "diff": {
+      "type": "object",
+      "properties": {
+        "baselineScore": { "type": "number" },
+        "candidateScore": { "type": "number" },
+        "delta": { "type": "number" },
+        "improved": { "type": "boolean" },
+        "findingsAdded": { "type": "integer" },
+        "findingsRemoved": { "type": "integer" }
+      }
+    },
+    "simulatedAt": { "type": "string", "format": "date-time" },
+    "errors": { "type": "array", "items": { "type": "string" } }
+  }
+}
+```
+
+## Examples
+
+### List all enabled risk profiles
+
+```bash
+stella risk profile list --json
+```
+
+### Simulate risk for a local SBOM
+
+```bash
+stella risk simulate \
+  --sbom-path ./my-sbom.json \
+  --profile-id RP-security-baseline \
+  --json
+```
+
+### Compare risk between profiles
+
+```bash
+stella risk simulate \
+  --asset-id my-app \
+  --profile-id RP-strict \
+  --diff \
+  --baseline-profile-id RP-permissive
+```
+
+### Get high-severity results with explanations
+
+```bash
+stella risk results \
+  --asset-id my-app \
+  --min-severity high \
+  --explain
+```
+
+### Verify a signed risk bundle
+
+```bash
+stella risk bundle verify \
+  --bundle-path ./risk-bundle.tar.gz \
+  --signature-path ./risk-bundle.sig \
+  --check-rekor
+```
+
+## Risk Grading Scale
+
+| Grade | Score Range | Description |
+|-------|-------------|-------------|
+| A+ | 95-100 | Excellent |
+| A | 90-94 | Very Good |
+| B+ | 85-89 | Good |
+| B | 80-84 | Above Average |
+| C+ | 75-79 | Average |
+| C | 70-74 | Below Average |
+| D+ | 65-69 | Poor |
+| D | 60-64 | Very Poor |
+| F | 0-59 | Failing |
diff --git a/docs/modules/cli/guides/commands/sdk.md b/docs/modules/cli/guides/commands/sdk.md
new file mode 100644
index 000000000..596345ad7
--- /dev/null
+++ b/docs/modules/cli/guides/commands/sdk.md
@@ -0,0 +1,249 @@
+# stella sdk — Command Guide
+
+## Overview
+
+The `stella sdk` command group provides SDK management capabilities including update checking, changelog viewing, and deprecation notices.
+
+## Commands
+
+### Check for SDK Updates (CLI-SDK-64-001)
+
+```bash
+# Check for SDK updates
+stella sdk update \
+  [--tenant <id>] \
+  [--language <lang>] \
+  [--check-only] \
+  [--changelog] \
+  [--deprecations] \
+  [--json]
+```
+
+**Options:**
+| Flag | Description |
+|------|-------------|
+| `--tenant` / `-t` | Tenant context for the operation |
+| `--language` / `-l` | SDK language filter (typescript, go, csharp, python, java). Omit for all |
+| `--check-only` | Only check for updates, don't download |
+| `--changelog` | Show changelog for available updates |
+| `--deprecations` | Show deprecation notices |
+| `--json` | Output in JSON format |
+
+**Output:**
+- Available SDK updates with version comparison
+- Changelog entries for each update (when `--changelog` is used)
+- Deprecation notices with migration guidance (when `--deprecations` is used)
+
+### List Installed SDKs (CLI-SDK-64-001)
+
+```bash
+# List installed SDK versions
+stella sdk list \
+  [--tenant <id>] \
+  [--language <lang>] \
+  [--json]
+```
+
+**Options:**
+| Flag | Description |
+|------|-------------|
+| `--tenant` / `-t` | Tenant context for the operation |
+| `--language` / `-l` | SDK language filter |
+| `--json` | Output in JSON format |
+
+**Output:**
+- Language/platform
+- Package name
+- Installed version
+- Latest available version
+- API version compatibility range
+- Update status
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | Success |
+| 1 | Error |
+| 130 | Operation cancelled by user |
+
+## JSON Schema: SdkUpdateResponse
+
+```json
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "properties": {
+    "success": { "type": "boolean" },
+    "updates": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "language": { "type": "string" },
+          "displayName": { "type": "string" },
+          "packageName": { "type": "string" },
+          "installedVersion": { "type": "string" },
+          "latestVersion": { "type": "string" },
+          "updateAvailable": { "type": "boolean" },
+          "minApiVersion": { "type": "string" },
+          "maxApiVersion": { "type": "string" },
+          "releaseDate": { "type": "string", "format": "date-time" },
+          "changelog": {
+            "type": "array",
+            "items": {
+              "type": "object",
+              "properties": {
+                "version": { "type": "string" },
+                "releaseDate": { "type": "string", "format": "date-time" },
+                "type": { "type": "string" },
+                "description": { "type": "string" },
+                "isBreaking": { "type": "boolean" },
+                "link": { "type": "string" }
+              }
+            }
+          },
+          "downloadUrl": { "type": "string" },
+          "registryUrl": { "type": "string" },
+          "docsUrl": { "type": "string" }
+        }
+      }
+    },
+    "deprecations": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "language": { "type": "string" },
+          "feature": { "type": "string" },
+          "message": { "type": "string" },
+          "deprecatedInVersion": { "type": "string" },
+          "removedInVersion": { "type": "string" },
+          "replacement": { "type": "string" },
+          "migrationGuide": { "type": "string" },
+          "severity": { "type": "string", "enum": ["info", "warning", "critical"] }
+        }
+      }
+    },
+    "checkedAt": { "type": "string", "format": "date-time" },
+    "error": { "type": "string" }
+  }
+}
+```
+
+## Examples
+
+### Check for all SDK updates
+
+```bash
+# Check all SDKs
+stella sdk update
+
+# Check with changelog
+stella sdk update --changelog
+
+# Check with deprecation notices
+stella sdk update --deprecations
+
+# Full check with all details
+stella sdk update --changelog --deprecations
+```
+
+### Check specific language SDK
+
+```bash
+# Check TypeScript SDK only
+stella sdk update --language typescript
+
+# Check Go SDK with changelog
+stella sdk update --language go --changelog
+```
+
+### List installed SDKs
+
+```bash
+# List all installed SDKs
+stella sdk list
+
+# List specific language
+stella sdk list --language python
+
+# Output as JSON for CI
+stella sdk list --json
+```
+
+### CI/CD Integration
+
+```bash
+#!/bin/bash
+# Check for SDK updates in CI and fail on breaking changes
+
+stella sdk update --changelog --json > sdk-updates.json
+
+# Check for breaking changes
+BREAKING=$(jq '[.updates[].changelog[]? | select(.isBreaking == true)] | length' sdk-updates.json)
+if [ "$BREAKING" -gt 0 ]; then
+  echo "WARNING: $BREAKING breaking changes detected in available SDK updates"
+  jq '.updates[].changelog[] | select(.isBreaking == true)' sdk-updates.json
+fi
+
+# Check for critical deprecations
+CRITICAL=$(jq '[.deprecations[] | select(.severity == "critical")] | length' sdk-updates.json)
+if [ "$CRITICAL" -gt 0 ]; then
+  echo "ERROR: $CRITICAL critical deprecations require immediate attention"
+  jq '.deprecations[] | select(.severity == "critical")' sdk-updates.json
+  exit 1
+fi
+```
+
+### Automated notification script
+
+```bash
+#!/bin/bash
+# Send Slack notification when SDK updates are available
+
+UPDATES=$(stella sdk update --json)
+UPDATE_COUNT=$(echo "$UPDATES" | jq '[.updates[] | select(.updateAvailable == true)] | length')
+
+if [ "$UPDATE_COUNT" -gt 0 ]; then
+  curl -X POST -H 'Content-type: application/json' \
+    --data "{\"text\": \"StellaOps SDK Updates Available: $UPDATE_COUNT updates\"}" \
+    "$SLACK_WEBHOOK_URL"
+fi
+```
+
+## Supported SDKs
+
+| Language | Package Name | Registry |
+|----------|-------------|----------|
+| TypeScript | `@stellaops/sdk` | npm |
+| Go | `github.com/stellaops/sdk-go` | Go modules |
+| C# | `StellaOps.Sdk` | NuGet |
+| Python | `stellaops-sdk` | PyPI |
+| Java | `com.stellaops:sdk` | Maven Central |
+
+## Changelog Entry Types
+
+| Type | Icon | Description |
+|------|------|-------------|
+| `feature` | + | New feature or capability |
+| `fix` | ~ | Bug fix |
+| `breaking` | ! | Breaking change (major version) |
+| `deprecation` | ? | Deprecation notice |
+
+## Deprecation Severity Levels
+
+| Severity | Description |
+|----------|-------------|
+| `info` | Informational notice, no immediate action required |
+| `warning` | Feature will be removed in future version, plan migration |
+| `critical` | Feature removed or will be removed imminently, immediate action required |
+
+## Best Practices
+
+1. **Check for updates regularly** in CI to stay informed about new SDK versions
+2. **Review changelogs** before upgrading to understand new features and breaking changes
+3. **Monitor deprecations** to plan migrations before features are removed
+4. **Use `--check-only`** in automated pipelines to avoid unintended downloads
+5. **Filter by language** when working on specific platform integrations
+6. **Integrate with notifications** to alert teams about available updates
diff --git a/src/Cli/StellaOps.Cli/Commands/CommandFactory.cs b/src/Cli/StellaOps.Cli/Commands/CommandFactory.cs
index 51ca2ce91..ddfc5d9ff 100644
--- a/src/Cli/StellaOps.Cli/Commands/CommandFactory.cs
+++ b/src/Cli/StellaOps.Cli/Commands/CommandFactory.cs
@@ -57,6 +57,21 @@ internal static class CommandFactory
         root.Add(BuildCryptoCommand(services, verboseOption, cancellationToken));
         root.Add(BuildAttestCommand(services, verboseOption, cancellationToken));
         root.Add(BuildRiskProfileCommand(verboseOption, cancellationToken));
+        root.Add(BuildAdvisoryCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildForensicCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildPromotionCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildDetscoreCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildObsCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildPackCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildExceptionsCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildOrchCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildSbomCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildNotifyCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildSbomerCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildRiskCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildReachabilityCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildApiCommand(services, verboseOption, cancellationToken));
+        root.Add(BuildSdkCommand(services, verboseOption, cancellationToken));
 
         var pluginLogger = loggerFactory.CreateLogger<CliCommandModuleLoader>();
         var pluginLoader = new CliCommandModuleLoader(services, options, pluginLogger);
@@ -1038,11 +1053,11 @@ internal static class CommandFactory
 
         var formatOption = new Option<string?>("--format")
         {
-            Description = "Output format: table or json."
+            Description = "Output format: table, json, or markdown."
         };
         var outputOption = new Option<string?>("--output")
         {
-            Description = "Write JSON output to the specified file."
+            Description = "Write output to the specified file."
         };
         var explainOption = new Option<bool>("--explain")
         {
@@ -1053,6 +1068,57 @@ internal static class CommandFactory
             Description = "Exit with code 20 when findings are added or removed."
         };
 
+        // CLI-EXC-25-002: Exception preview flags
+        var withExceptionOption = new Option<string[]>("--with-exception")
+        {
+            Description = "Include exception ID in simulation (repeatable). Shows what-if the exception were applied.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        withExceptionOption.AllowMultipleArgumentsPerToken = true;
+
+        var withoutExceptionOption = new Option<string[]>("--without-exception")
+        {
+            Description = "Exclude exception ID from simulation (repeatable). Shows what-if the exception were removed.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        withoutExceptionOption.AllowMultipleArgumentsPerToken = true;
+
+        // CLI-POLICY-27-003: Enhanced simulation options
+        var modeOption = new Option<string?>("--mode")
+        {
+            Description = "Simulation mode: quick (sample SBOMs) or batch (all matching SBOMs)."
+        };
+        var sbomSelectorOption = new Option<string[]>("--sbom-selector")
+        {
+            Description = "SBOM selector pattern (e.g. 'registry:docker.io/*', 'tag:production'). Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        sbomSelectorOption.AllowMultipleArgumentsPerToken = true;
+
+        var heatmapOption = new Option<bool>("--heatmap")
+        {
+            Description = "Include severity heatmap summary in output."
+        };
+        var manifestDownloadOption = new Option<bool>("--manifest-download")
+        {
+            Description = "Request manifest download URI for offline analysis."
+        };
+
+        // CLI-SIG-26-002: Reachability override options
+        var reachabilityStateOption = new Option<string[]>("--reachability-state")
+        {
+            Description = "Override reachability state for vuln/package (format: 'CVE-XXXX:reachable' or 'pkg:npm/lodash@4.17.0:unreachable'). Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        reachabilityStateOption.AllowMultipleArgumentsPerToken = true;
+
+        var reachabilityScoreOption = new Option<string[]>("--reachability-score")
+        {
+            Description = "Override reachability score for vuln/package (format: 'CVE-XXXX:0.85' or 'pkg:npm/lodash@4.17.0:0.5'). Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        reachabilityScoreOption.AllowMultipleArgumentsPerToken = true;
+
         simulate.Add(baseOption);
         simulate.Add(candidateOption);
         simulate.Add(sbomOption);
@@ -1061,6 +1127,14 @@ internal static class CommandFactory
         simulate.Add(outputOption);
         simulate.Add(explainOption);
         simulate.Add(failOnDiffOption);
+        simulate.Add(withExceptionOption);
+        simulate.Add(withoutExceptionOption);
+        simulate.Add(modeOption);
+        simulate.Add(sbomSelectorOption);
+        simulate.Add(heatmapOption);
+        simulate.Add(manifestDownloadOption);
+        simulate.Add(reachabilityStateOption);
+        simulate.Add(reachabilityScoreOption);
 
         simulate.SetAction((parseResult, _) =>
         {
@@ -1073,6 +1147,14 @@ internal static class CommandFactory
             var output = parseResult.GetValue(outputOption);
             var explain = parseResult.GetValue(explainOption);
             var failOnDiff = parseResult.GetValue(failOnDiffOption);
+            var withExceptions = parseResult.GetValue(withExceptionOption) ?? Array.Empty<string>();
+            var withoutExceptions = parseResult.GetValue(withoutExceptionOption) ?? Array.Empty<string>();
+            var mode = parseResult.GetValue(modeOption);
+            var sbomSelectors = parseResult.GetValue(sbomSelectorOption) ?? Array.Empty<string>();
+            var heatmap = parseResult.GetValue(heatmapOption);
+            var manifestDownload = parseResult.GetValue(manifestDownloadOption);
+            var reachabilityStates = parseResult.GetValue(reachabilityStateOption) ?? Array.Empty<string>();
+            var reachabilityScores = parseResult.GetValue(reachabilityScoreOption) ?? Array.Empty<string>();
             var verbose = parseResult.GetValue(verboseOption);
 
             return CommandHandlers.HandlePolicySimulateAsync(
@@ -1086,6 +1168,14 @@ internal static class CommandFactory
                 output,
                 explain,
                 failOnDiff,
+                withExceptions,
+                withoutExceptions,
+                mode,
+                sbomSelectors,
+                heatmap,
+                manifestDownload,
+                reachabilityStates,
+                reachabilityScores,
                 verbose,
                 cancellationToken);
         });
@@ -1294,6 +1384,1076 @@ internal static class CommandFactory
 
         policy.Add(test);
 
+        // CLI-POLICY-20-001: policy new - scaffold new policy from template
+        var newCmd = new Command("new", "Create a new policy file from a template.");
+        var newNameArgument = new Argument<string>("name")
+        {
+            Description = "Name for the new policy (e.g. 'my-org-policy')."
+        };
+        var newTemplateOption = new Option<string?>("--template", new[] { "-t" })
+        {
+            Description = "Template to use: minimal (default), baseline, vex-precedence, reachability, secret-leak, full."
+        };
+        var newOutputOption = new Option<string?>("--output", new[] { "-o" })
+        {
+            Description = "Output path for the policy file. Defaults to ./<name>.stella"
+        };
+        var newDescriptionOption = new Option<string?>("--description", new[] { "-d" })
+        {
+            Description = "Policy description for metadata block."
+        };
+        var newTagsOption = new Option<string[]>("--tag")
+        {
+            Description = "Policy tag for metadata block (repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        newTagsOption.AllowMultipleArgumentsPerToken = true;
+        var newShadowOption = new Option<bool>("--shadow")
+        {
+            Description = "Enable shadow mode in settings (default: true)."
+        };
+        newShadowOption.SetDefaultValue(true);
+        var newFixturesOption = new Option<bool>("--fixtures")
+        {
+            Description = "Create test fixtures directory alongside the policy file."
+        };
+        var newGitInitOption = new Option<bool>("--git-init")
+        {
+            Description = "Initialize a Git repository in the output directory."
+        };
+        var newFormatOption = new Option<string?>("--format", new[] { "-f" })
+        {
+            Description = "Output format: table (default), json."
+        };
+
+        newCmd.Add(newNameArgument);
+        newCmd.Add(newTemplateOption);
+        newCmd.Add(newOutputOption);
+        newCmd.Add(newDescriptionOption);
+        newCmd.Add(newTagsOption);
+        newCmd.Add(newShadowOption);
+        newCmd.Add(newFixturesOption);
+        newCmd.Add(newGitInitOption);
+        newCmd.Add(newFormatOption);
+        newCmd.Add(verboseOption);
+
+        newCmd.SetAction((parseResult, _) =>
+        {
+            var name = parseResult.GetValue(newNameArgument) ?? string.Empty;
+            var template = parseResult.GetValue(newTemplateOption);
+            var output = parseResult.GetValue(newOutputOption);
+            var description = parseResult.GetValue(newDescriptionOption);
+            var tags = parseResult.GetValue(newTagsOption) ?? Array.Empty<string>();
+            var shadow = parseResult.GetValue(newShadowOption);
+            var fixtures = parseResult.GetValue(newFixturesOption);
+            var gitInit = parseResult.GetValue(newGitInitOption);
+            var format = parseResult.GetValue(newFormatOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyNewAsync(
+                name,
+                template,
+                output,
+                description,
+                tags,
+                shadow,
+                fixtures,
+                gitInit,
+                format,
+                verbose,
+                cancellationToken);
+        });
+
+        policy.Add(newCmd);
+
+        // CLI-POLICY-23-006: policy history - view policy run history
+        var history = new Command("history", "View policy run history.");
+        var historyPolicyIdArgument = new Argument<string>("policy-id")
+        {
+            Description = "Policy identifier (e.g. P-7)."
+        };
+        var historyTenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Filter by tenant."
+        };
+        var historyFromOption = new Option<string?>("--from")
+        {
+            Description = "Filter runs from this timestamp (ISO-8601)."
+        };
+        var historyToOption = new Option<string?>("--to")
+        {
+            Description = "Filter runs to this timestamp (ISO-8601)."
+        };
+        var historyStatusOption = new Option<string?>("--status")
+        {
+            Description = "Filter by run status (completed, failed, running)."
+        };
+        var historyLimitOption = new Option<int?>("--limit", new[] { "-l" })
+        {
+            Description = "Maximum number of runs to return."
+        };
+        var historyCursorOption = new Option<string?>("--cursor")
+        {
+            Description = "Pagination cursor for next page."
+        };
+        var historyFormatOption = new Option<string?>("--format", new[] { "-f" })
+        {
+            Description = "Output format: table (default), json."
+        };
+
+        history.Add(historyPolicyIdArgument);
+        history.Add(historyTenantOption);
+        history.Add(historyFromOption);
+        history.Add(historyToOption);
+        history.Add(historyStatusOption);
+        history.Add(historyLimitOption);
+        history.Add(historyCursorOption);
+        history.Add(historyFormatOption);
+        history.Add(verboseOption);
+
+        history.SetAction((parseResult, _) =>
+        {
+            var policyId = parseResult.GetValue(historyPolicyIdArgument) ?? string.Empty;
+            var tenant = parseResult.GetValue(historyTenantOption);
+            var from = parseResult.GetValue(historyFromOption);
+            var to = parseResult.GetValue(historyToOption);
+            var status = parseResult.GetValue(historyStatusOption);
+            var limit = parseResult.GetValue(historyLimitOption);
+            var cursor = parseResult.GetValue(historyCursorOption);
+            var format = parseResult.GetValue(historyFormatOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyHistoryAsync(
+                services,
+                policyId,
+                tenant,
+                from,
+                to,
+                status,
+                limit,
+                cursor,
+                format,
+                verbose,
+                cancellationToken);
+        });
+
+        policy.Add(history);
+
+        // CLI-POLICY-23-006: policy explain - show explanation tree for a decision
+        var explain = new Command("explain", "Show explanation tree for a policy decision.");
+        var explainPolicyIdOption = new Option<string>("--policy", new[] { "-p" })
+        {
+            Description = "Policy identifier (e.g. P-7).",
+            Required = true
+        };
+        var explainRunIdOption = new Option<string?>("--run-id")
+        {
+            Description = "Specific run ID to explain from."
+        };
+        var explainFindingIdOption = new Option<string?>("--finding-id")
+        {
+            Description = "Finding ID to explain."
+        };
+        var explainSbomIdOption = new Option<string?>("--sbom-id")
+        {
+            Description = "SBOM ID for context."
+        };
+        var explainPurlOption = new Option<string?>("--purl")
+        {
+            Description = "Component PURL to explain."
+        };
+        var explainAdvisoryOption = new Option<string?>("--advisory")
+        {
+            Description = "Advisory ID to explain."
+        };
+        var explainTenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context."
+        };
+        var explainDepthOption = new Option<int?>("--depth")
+        {
+            Description = "Maximum depth of explanation tree."
+        };
+        var explainFormatOption = new Option<string?>("--format", new[] { "-f" })
+        {
+            Description = "Output format: table (default), json."
+        };
+
+        explain.Add(explainPolicyIdOption);
+        explain.Add(explainRunIdOption);
+        explain.Add(explainFindingIdOption);
+        explain.Add(explainSbomIdOption);
+        explain.Add(explainPurlOption);
+        explain.Add(explainAdvisoryOption);
+        explain.Add(explainTenantOption);
+        explain.Add(explainDepthOption);
+        explain.Add(explainFormatOption);
+        explain.Add(verboseOption);
+
+        explain.SetAction((parseResult, _) =>
+        {
+            var policyId = parseResult.GetValue(explainPolicyIdOption) ?? string.Empty;
+            var runId = parseResult.GetValue(explainRunIdOption);
+            var findingId = parseResult.GetValue(explainFindingIdOption);
+            var sbomId = parseResult.GetValue(explainSbomIdOption);
+            var purl = parseResult.GetValue(explainPurlOption);
+            var advisory = parseResult.GetValue(explainAdvisoryOption);
+            var tenant = parseResult.GetValue(explainTenantOption);
+            var depth = parseResult.GetValue(explainDepthOption);
+            var format = parseResult.GetValue(explainFormatOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyExplainTreeAsync(
+                services,
+                policyId,
+                runId,
+                findingId,
+                sbomId,
+                purl,
+                advisory,
+                tenant,
+                depth,
+                format,
+                verbose,
+                cancellationToken);
+        });
+
+        policy.Add(explain);
+
+        // CLI-POLICY-27-001: policy init - initialize policy workspace
+        var init = new Command("init", "Initialize a policy workspace directory.");
+        var initPathArgument = new Argument<string?>("path")
+        {
+            Description = "Directory path for the workspace (defaults to current directory).",
+            Arity = ArgumentArity.ZeroOrOne
+        };
+        var initNameOption = new Option<string?>("--name", new[] { "-n" })
+        {
+            Description = "Policy name (defaults to directory name)."
+        };
+        var initTemplateOption = new Option<string?>("--template", new[] { "-t" })
+        {
+            Description = "Template to use: minimal (default), baseline, vex-precedence, reachability, secret-leak, full."
+        };
+        var initNoGitOption = new Option<bool>("--no-git")
+        {
+            Description = "Skip Git repository initialization."
+        };
+        var initNoReadmeOption = new Option<bool>("--no-readme")
+        {
+            Description = "Skip README.md creation."
+        };
+        var initNoFixturesOption = new Option<bool>("--no-fixtures")
+        {
+            Description = "Skip test fixtures directory creation."
+        };
+        var initFormatOption = new Option<string?>("--format", new[] { "-f" })
+        {
+            Description = "Output format: table (default), json."
+        };
+
+        init.Add(initPathArgument);
+        init.Add(initNameOption);
+        init.Add(initTemplateOption);
+        init.Add(initNoGitOption);
+        init.Add(initNoReadmeOption);
+        init.Add(initNoFixturesOption);
+        init.Add(initFormatOption);
+        init.Add(verboseOption);
+
+        init.SetAction((parseResult, _) =>
+        {
+            var path = parseResult.GetValue(initPathArgument);
+            var name = parseResult.GetValue(initNameOption);
+            var template = parseResult.GetValue(initTemplateOption);
+            var noGit = parseResult.GetValue(initNoGitOption);
+            var noReadme = parseResult.GetValue(initNoReadmeOption);
+            var noFixtures = parseResult.GetValue(initNoFixturesOption);
+            var format = parseResult.GetValue(initFormatOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyInitAsync(
+                path,
+                name,
+                template,
+                noGit,
+                noReadme,
+                noFixtures,
+                format,
+                verbose,
+                cancellationToken);
+        });
+
+        policy.Add(init);
+
+        // CLI-POLICY-27-001: policy compile - compile DSL to IR
+        var compile = new Command("compile", "Compile a policy DSL file to IR.");
+        var compileFileArgument = new Argument<string>("file")
+        {
+            Description = "Path to the policy DSL file to compile."
+        };
+        var compileOutputOption = new Option<string?>("--output", new[] { "-o" })
+        {
+            Description = "Output path for the compiled IR file."
+        };
+        var compileNoIrOption = new Option<bool>("--no-ir")
+        {
+            Description = "Skip IR file generation (validation only)."
+        };
+        var compileNoDigestOption = new Option<bool>("--no-digest")
+        {
+            Description = "Skip SHA-256 digest output."
+        };
+        var compileOptimizeOption = new Option<bool>("--optimize")
+        {
+            Description = "Enable optimization passes on the IR."
+        };
+        var compileStrictOption = new Option<bool>("--strict")
+        {
+            Description = "Treat warnings as errors."
+        };
+        var compileFormatOption = new Option<string?>("--format", new[] { "-f" })
+        {
+            Description = "Output format: table (default), json."
+        };
+
+        compile.Add(compileFileArgument);
+        compile.Add(compileOutputOption);
+        compile.Add(compileNoIrOption);
+        compile.Add(compileNoDigestOption);
+        compile.Add(compileOptimizeOption);
+        compile.Add(compileStrictOption);
+        compile.Add(compileFormatOption);
+        compile.Add(verboseOption);
+
+        compile.SetAction((parseResult, _) =>
+        {
+            var file = parseResult.GetValue(compileFileArgument) ?? string.Empty;
+            var output = parseResult.GetValue(compileOutputOption);
+            var noIr = parseResult.GetValue(compileNoIrOption);
+            var noDigest = parseResult.GetValue(compileNoDigestOption);
+            var optimize = parseResult.GetValue(compileOptimizeOption);
+            var strict = parseResult.GetValue(compileStrictOption);
+            var format = parseResult.GetValue(compileFormatOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyCompileAsync(
+                file,
+                output,
+                noIr,
+                noDigest,
+                optimize,
+                strict,
+                format,
+                verbose,
+                cancellationToken);
+        });
+
+        policy.Add(compile);
+
+        // CLI-POLICY-27-002: policy version bump
+        var versionCmd = new Command("version", "Manage policy versions.");
+        var versionBump = new Command("bump", "Bump the policy version (patch, minor, major).");
+        var bumpPolicyIdArg = new Argument<string>("policy-id")
+        {
+            Description = "Policy identifier (e.g. P-7)."
+        };
+        var bumpTypeOption = new Option<string?>("--type", new[] { "-t" })
+        {
+            Description = "Bump type: patch (default), minor, major."
+        };
+        var bumpChangelogOption = new Option<string?>("--changelog", new[] { "-m" })
+        {
+            Description = "Changelog message for this version."
+        };
+        var bumpFileOption = new Option<string?>("--file", new[] { "-f" })
+        {
+            Description = "Path to policy DSL file to upload."
+        };
+        var bumpTenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context."
+        };
+        var bumpJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        versionBump.Add(bumpPolicyIdArg);
+        versionBump.Add(bumpTypeOption);
+        versionBump.Add(bumpChangelogOption);
+        versionBump.Add(bumpFileOption);
+        versionBump.Add(bumpTenantOption);
+        versionBump.Add(bumpJsonOption);
+        versionBump.Add(verboseOption);
+
+        versionBump.SetAction((parseResult, _) =>
+        {
+            var policyId = parseResult.GetValue(bumpPolicyIdArg) ?? string.Empty;
+            var bumpType = parseResult.GetValue(bumpTypeOption);
+            var changelog = parseResult.GetValue(bumpChangelogOption);
+            var filePath = parseResult.GetValue(bumpFileOption);
+            var tenant = parseResult.GetValue(bumpTenantOption);
+            var json = parseResult.GetValue(bumpJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyVersionBumpAsync(
+                services,
+                policyId,
+                bumpType,
+                changelog,
+                filePath,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        versionCmd.Add(versionBump);
+        policy.Add(versionCmd);
+
+        // CLI-POLICY-27-002: policy submit
+        var submit = new Command("submit", "Submit policy for review.");
+        var submitPolicyIdArg = new Argument<string>("policy-id")
+        {
+            Description = "Policy identifier (e.g. P-7)."
+        };
+        var submitVersionOption = new Option<int?>("--version", new[] { "-v" })
+        {
+            Description = "Specific version to submit (defaults to latest)."
+        };
+        var submitReviewersOption = new Option<string[]>("--reviewer", new[] { "-r" })
+        {
+            Description = "Reviewer username(s) (repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        submitReviewersOption.AllowMultipleArgumentsPerToken = true;
+        var submitMessageOption = new Option<string?>("--message", new[] { "-m" })
+        {
+            Description = "Submission message."
+        };
+        var submitUrgentOption = new Option<bool>("--urgent")
+        {
+            Description = "Mark submission as urgent."
+        };
+        var submitTenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context."
+        };
+        var submitJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        submit.Add(submitPolicyIdArg);
+        submit.Add(submitVersionOption);
+        submit.Add(submitReviewersOption);
+        submit.Add(submitMessageOption);
+        submit.Add(submitUrgentOption);
+        submit.Add(submitTenantOption);
+        submit.Add(submitJsonOption);
+        submit.Add(verboseOption);
+
+        submit.SetAction((parseResult, _) =>
+        {
+            var policyId = parseResult.GetValue(submitPolicyIdArg) ?? string.Empty;
+            var version = parseResult.GetValue(submitVersionOption);
+            var reviewers = parseResult.GetValue(submitReviewersOption) ?? Array.Empty<string>();
+            var message = parseResult.GetValue(submitMessageOption);
+            var urgent = parseResult.GetValue(submitUrgentOption);
+            var tenant = parseResult.GetValue(submitTenantOption);
+            var json = parseResult.GetValue(submitJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicySubmitAsync(
+                services,
+                policyId,
+                version,
+                reviewers,
+                message,
+                urgent,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        policy.Add(submit);
+
+        // CLI-POLICY-27-002: policy review command group
+        var review = new Command("review", "Manage policy reviews.");
+
+        // review status
+        var reviewStatus = new Command("status", "Get current review status.");
+        var reviewStatusPolicyIdArg = new Argument<string>("policy-id")
+        {
+            Description = "Policy identifier."
+        };
+        var reviewStatusIdOption = new Option<string?>("--review-id")
+        {
+            Description = "Specific review ID (defaults to latest)."
+        };
+        var reviewStatusTenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context."
+        };
+        var reviewStatusJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        reviewStatus.Add(reviewStatusPolicyIdArg);
+        reviewStatus.Add(reviewStatusIdOption);
+        reviewStatus.Add(reviewStatusTenantOption);
+        reviewStatus.Add(reviewStatusJsonOption);
+        reviewStatus.Add(verboseOption);
+
+        reviewStatus.SetAction((parseResult, _) =>
+        {
+            var policyId = parseResult.GetValue(reviewStatusPolicyIdArg) ?? string.Empty;
+            var reviewId = parseResult.GetValue(reviewStatusIdOption);
+            var tenant = parseResult.GetValue(reviewStatusTenantOption);
+            var json = parseResult.GetValue(reviewStatusJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyReviewStatusAsync(
+                services,
+                policyId,
+                reviewId,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        review.Add(reviewStatus);
+
+        // review comment
+        var reviewComment = new Command("comment", "Add a review comment.");
+        var commentPolicyIdArg = new Argument<string>("policy-id")
+        {
+            Description = "Policy identifier."
+        };
+        var commentReviewIdOption = new Option<string>("--review-id")
+        {
+            Description = "Review ID to comment on.",
+            Required = true
+        };
+        var commentTextOption = new Option<string>("--comment", new[] { "-c" })
+        {
+            Description = "Comment text.",
+            Required = true
+        };
+        var commentLineOption = new Option<int?>("--line")
+        {
+            Description = "Line number in the policy file."
+        };
+        var commentRuleOption = new Option<string?>("--rule")
+        {
+            Description = "Rule name reference."
+        };
+        var commentBlockingOption = new Option<bool>("--blocking")
+        {
+            Description = "Mark comment as blocking (must be addressed before approval)."
+        };
+        var commentTenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context."
+        };
+        var commentJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        reviewComment.Add(commentPolicyIdArg);
+        reviewComment.Add(commentReviewIdOption);
+        reviewComment.Add(commentTextOption);
+        reviewComment.Add(commentLineOption);
+        reviewComment.Add(commentRuleOption);
+        reviewComment.Add(commentBlockingOption);
+        reviewComment.Add(commentTenantOption);
+        reviewComment.Add(commentJsonOption);
+        reviewComment.Add(verboseOption);
+
+        reviewComment.SetAction((parseResult, _) =>
+        {
+            var policyId = parseResult.GetValue(commentPolicyIdArg) ?? string.Empty;
+            var reviewId = parseResult.GetValue(commentReviewIdOption) ?? string.Empty;
+            var comment = parseResult.GetValue(commentTextOption) ?? string.Empty;
+            var line = parseResult.GetValue(commentLineOption);
+            var rule = parseResult.GetValue(commentRuleOption);
+            var blocking = parseResult.GetValue(commentBlockingOption);
+            var tenant = parseResult.GetValue(commentTenantOption);
+            var json = parseResult.GetValue(commentJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyReviewCommentAsync(
+                services,
+                policyId,
+                reviewId,
+                comment,
+                line,
+                rule,
+                blocking,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        review.Add(reviewComment);
+
+        // review approve
+        var reviewApprove = new Command("approve", "Approve a policy review.");
+        var approvePolicyIdArg = new Argument<string>("policy-id")
+        {
+            Description = "Policy identifier."
+        };
+        var approveReviewIdOption = new Option<string>("--review-id")
+        {
+            Description = "Review ID to approve.",
+            Required = true
+        };
+        var approveCommentOption = new Option<string?>("--comment", new[] { "-c" })
+        {
+            Description = "Approval comment."
+        };
+        var approveTenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context."
+        };
+        var approveJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        reviewApprove.Add(approvePolicyIdArg);
+        reviewApprove.Add(approveReviewIdOption);
+        reviewApprove.Add(approveCommentOption);
+        reviewApprove.Add(approveTenantOption);
+        reviewApprove.Add(approveJsonOption);
+        reviewApprove.Add(verboseOption);
+
+        reviewApprove.SetAction((parseResult, _) =>
+        {
+            var policyId = parseResult.GetValue(approvePolicyIdArg) ?? string.Empty;
+            var reviewId = parseResult.GetValue(approveReviewIdOption) ?? string.Empty;
+            var comment = parseResult.GetValue(approveCommentOption);
+            var tenant = parseResult.GetValue(approveTenantOption);
+            var json = parseResult.GetValue(approveJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyReviewApproveAsync(
+                services,
+                policyId,
+                reviewId,
+                comment,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        review.Add(reviewApprove);
+
+        // review reject
+        var reviewReject = new Command("reject", "Reject a policy review.");
+        var rejectPolicyIdArg = new Argument<string>("policy-id")
+        {
+            Description = "Policy identifier."
+        };
+        var rejectReviewIdOption = new Option<string>("--review-id")
+        {
+            Description = "Review ID to reject.",
+            Required = true
+        };
+        var rejectReasonOption = new Option<string>("--reason", new[] { "-r" })
+        {
+            Description = "Rejection reason.",
+            Required = true
+        };
+        var rejectTenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context."
+        };
+        var rejectJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        reviewReject.Add(rejectPolicyIdArg);
+        reviewReject.Add(rejectReviewIdOption);
+        reviewReject.Add(rejectReasonOption);
+        reviewReject.Add(rejectTenantOption);
+        reviewReject.Add(rejectJsonOption);
+        reviewReject.Add(verboseOption);
+
+        reviewReject.SetAction((parseResult, _) =>
+        {
+            var policyId = parseResult.GetValue(rejectPolicyIdArg) ?? string.Empty;
+            var reviewId = parseResult.GetValue(rejectReviewIdOption) ?? string.Empty;
+            var reason = parseResult.GetValue(rejectReasonOption) ?? string.Empty;
+            var tenant = parseResult.GetValue(rejectTenantOption);
+            var json = parseResult.GetValue(rejectJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyReviewRejectAsync(
+                services,
+                policyId,
+                reviewId,
+                reason,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        review.Add(reviewReject);
+
+        policy.Add(review);
+
+        // CLI-POLICY-27-004: publish command
+        var publish = new Command("publish", "Publish an approved policy revision.");
+        var publishPolicyIdArg = new Argument<string>("policy-id")
+        {
+            Description = "Policy identifier."
+        };
+        var publishVersionOption = new Option<int>("--version")
+        {
+            Description = "Version to publish.",
+            Required = true
+        };
+        var publishSignOption = new Option<bool>("--sign")
+        {
+            Description = "Sign the policy during publish."
+        };
+        var publishAlgorithmOption = new Option<string?>("--algorithm")
+        {
+            Description = "Signature algorithm (e.g. ecdsa-sha256, ed25519)."
+        };
+        var publishKeyIdOption = new Option<string?>("--key-id")
+        {
+            Description = "Key identifier for signing."
+        };
+        var publishNoteOption = new Option<string?>("--note")
+        {
+            Description = "Publish note."
+        };
+        var publishTenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context."
+        };
+        var publishJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        publish.Add(publishPolicyIdArg);
+        publish.Add(publishVersionOption);
+        publish.Add(publishSignOption);
+        publish.Add(publishAlgorithmOption);
+        publish.Add(publishKeyIdOption);
+        publish.Add(publishNoteOption);
+        publish.Add(publishTenantOption);
+        publish.Add(publishJsonOption);
+        publish.Add(verboseOption);
+
+        publish.SetAction((parseResult, _) =>
+        {
+            var policyId = parseResult.GetValue(publishPolicyIdArg) ?? string.Empty;
+            var version = parseResult.GetValue(publishVersionOption);
+            var sign = parseResult.GetValue(publishSignOption);
+            var algorithm = parseResult.GetValue(publishAlgorithmOption);
+            var keyId = parseResult.GetValue(publishKeyIdOption);
+            var note = parseResult.GetValue(publishNoteOption);
+            var tenant = parseResult.GetValue(publishTenantOption);
+            var json = parseResult.GetValue(publishJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyPublishAsync(
+                services,
+                policyId,
+                version,
+                sign,
+                algorithm,
+                keyId,
+                note,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        policy.Add(publish);
+
+        // CLI-POLICY-27-004: promote command
+        var promote = new Command("promote", "Promote a policy to a target environment.");
+        var promotePolicyIdArg = new Argument<string>("policy-id")
+        {
+            Description = "Policy identifier."
+        };
+        var promoteVersionOption = new Option<int>("--version")
+        {
+            Description = "Version to promote.",
+            Required = true
+        };
+        var promoteEnvOption = new Option<string>("--env")
+        {
+            Description = "Target environment (e.g. staging, production).",
+            Required = true
+        };
+        var promoteCanaryOption = new Option<bool>("--canary")
+        {
+            Description = "Enable canary deployment."
+        };
+        var promoteCanaryPercentOption = new Option<int?>("--canary-percent")
+        {
+            Description = "Canary traffic percentage (1-99)."
+        };
+        var promoteNoteOption = new Option<string?>("--note")
+        {
+            Description = "Promotion note."
+        };
+        var promoteTenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context."
+        };
+        var promoteJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        promote.Add(promotePolicyIdArg);
+        promote.Add(promoteVersionOption);
+        promote.Add(promoteEnvOption);
+        promote.Add(promoteCanaryOption);
+        promote.Add(promoteCanaryPercentOption);
+        promote.Add(promoteNoteOption);
+        promote.Add(promoteTenantOption);
+        promote.Add(promoteJsonOption);
+        promote.Add(verboseOption);
+
+        promote.SetAction((parseResult, _) =>
+        {
+            var policyId = parseResult.GetValue(promotePolicyIdArg) ?? string.Empty;
+            var version = parseResult.GetValue(promoteVersionOption);
+            var env = parseResult.GetValue(promoteEnvOption) ?? string.Empty;
+            var canary = parseResult.GetValue(promoteCanaryOption);
+            var canaryPercent = parseResult.GetValue(promoteCanaryPercentOption);
+            var note = parseResult.GetValue(promoteNoteOption);
+            var tenant = parseResult.GetValue(promoteTenantOption);
+            var json = parseResult.GetValue(promoteJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyPromoteAsync(
+                services,
+                policyId,
+                version,
+                env,
+                canary,
+                canaryPercent,
+                note,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        policy.Add(promote);
+
+        // CLI-POLICY-27-004: rollback command
+        var rollback = new Command("rollback", "Rollback a policy to a previous version.");
+        var rollbackPolicyIdArg = new Argument<string>("policy-id")
+        {
+            Description = "Policy identifier."
+        };
+        var rollbackTargetVersionOption = new Option<int?>("--target-version")
+        {
+            Description = "Target version to rollback to. Defaults to previous version."
+        };
+        var rollbackEnvOption = new Option<string?>("--env")
+        {
+            Description = "Environment scope for rollback."
+        };
+        var rollbackReasonOption = new Option<string?>("--reason")
+        {
+            Description = "Reason for rollback."
+        };
+        var rollbackIncidentOption = new Option<string?>("--incident")
+        {
+            Description = "Associated incident ID."
+        };
+        var rollbackTenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context."
+        };
+        var rollbackJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        rollback.Add(rollbackPolicyIdArg);
+        rollback.Add(rollbackTargetVersionOption);
+        rollback.Add(rollbackEnvOption);
+        rollback.Add(rollbackReasonOption);
+        rollback.Add(rollbackIncidentOption);
+        rollback.Add(rollbackTenantOption);
+        rollback.Add(rollbackJsonOption);
+        rollback.Add(verboseOption);
+
+        rollback.SetAction((parseResult, _) =>
+        {
+            var policyId = parseResult.GetValue(rollbackPolicyIdArg) ?? string.Empty;
+            var targetVersion = parseResult.GetValue(rollbackTargetVersionOption);
+            var env = parseResult.GetValue(rollbackEnvOption);
+            var reason = parseResult.GetValue(rollbackReasonOption);
+            var incident = parseResult.GetValue(rollbackIncidentOption);
+            var tenant = parseResult.GetValue(rollbackTenantOption);
+            var json = parseResult.GetValue(rollbackJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyRollbackAsync(
+                services,
+                policyId,
+                targetVersion,
+                env,
+                reason,
+                incident,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        policy.Add(rollback);
+
+        // CLI-POLICY-27-004: sign command
+        var sign = new Command("sign", "Sign a policy revision.");
+        var signPolicyIdArg = new Argument<string>("policy-id")
+        {
+            Description = "Policy identifier."
+        };
+        var signVersionOption = new Option<int>("--version")
+        {
+            Description = "Version to sign.",
+            Required = true
+        };
+        var signKeyIdOption = new Option<string?>("--key-id")
+        {
+            Description = "Key identifier for signing."
+        };
+        var signAlgorithmOption = new Option<string?>("--algorithm")
+        {
+            Description = "Signature algorithm (e.g. ecdsa-sha256, ed25519)."
+        };
+        var signRekorOption = new Option<bool>("--rekor")
+        {
+            Description = "Upload signature to Sigstore Rekor transparency log."
+        };
+        var signTenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context."
+        };
+        var signJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        sign.Add(signPolicyIdArg);
+        sign.Add(signVersionOption);
+        sign.Add(signKeyIdOption);
+        sign.Add(signAlgorithmOption);
+        sign.Add(signRekorOption);
+        sign.Add(signTenantOption);
+        sign.Add(signJsonOption);
+        sign.Add(verboseOption);
+
+        sign.SetAction((parseResult, _) =>
+        {
+            var policyId = parseResult.GetValue(signPolicyIdArg) ?? string.Empty;
+            var version = parseResult.GetValue(signVersionOption);
+            var keyId = parseResult.GetValue(signKeyIdOption);
+            var algorithm = parseResult.GetValue(signAlgorithmOption);
+            var rekor = parseResult.GetValue(signRekorOption);
+            var tenant = parseResult.GetValue(signTenantOption);
+            var json = parseResult.GetValue(signJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicySignAsync(
+                services,
+                policyId,
+                version,
+                keyId,
+                algorithm,
+                rekor,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        policy.Add(sign);
+
+        // CLI-POLICY-27-004: verify-signature command
+        var verifySignature = new Command("verify-signature", "Verify a policy signature.");
+        var verifyPolicyIdArg = new Argument<string>("policy-id")
+        {
+            Description = "Policy identifier."
+        };
+        var verifyVersionOption = new Option<int>("--version")
+        {
+            Description = "Version to verify.",
+            Required = true
+        };
+        var verifySignatureIdOption = new Option<string?>("--signature-id")
+        {
+            Description = "Signature ID to verify. Defaults to latest."
+        };
+        var verifyCheckRekorOption = new Option<bool>("--check-rekor")
+        {
+            Description = "Verify against Sigstore Rekor transparency log."
+        };
+        var verifyTenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant context."
+        };
+        var verifyJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        verifySignature.Add(verifyPolicyIdArg);
+        verifySignature.Add(verifyVersionOption);
+        verifySignature.Add(verifySignatureIdOption);
+        verifySignature.Add(verifyCheckRekorOption);
+        verifySignature.Add(verifyTenantOption);
+        verifySignature.Add(verifyJsonOption);
+        verifySignature.Add(verboseOption);
+
+        verifySignature.SetAction((parseResult, _) =>
+        {
+            var policyId = parseResult.GetValue(verifyPolicyIdArg) ?? string.Empty;
+            var version = parseResult.GetValue(verifyVersionOption);
+            var signatureId = parseResult.GetValue(verifySignatureIdOption);
+            var checkRekor = parseResult.GetValue(verifyCheckRekorOption);
+            var tenant = parseResult.GetValue(verifyTenantOption);
+            var json = parseResult.GetValue(verifyJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePolicyVerifySignatureAsync(
+                services,
+                policyId,
+                version,
+                signatureId,
+                checkRekor,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        policy.Add(verifySignature);
+
         return policy;
     }
 
@@ -2799,6 +3959,168 @@ internal static class CommandFactory
 
         export.Add(verify);
         vex.Add(export);
+
+        // CLI-LNM-22-002: VEX observation commands
+        var obs = new Command("obs", "Query VEX observations (Link-Not-Merge architecture).");
+
+        // vex obs get
+        var obsGet = new Command("get", "Get VEX observations with filters.");
+        var obsGetTenantOption = new Option<string>("--tenant", new[] { "-t" })
+        {
+            Description = "Tenant identifier.",
+            Required = true
+        };
+        var obsGetVulnIdOption = new Option<string[]>("--vuln-id")
+        {
+            Description = "Filter by vulnerability IDs (repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var obsGetProductKeyOption = new Option<string[]>("--product-key")
+        {
+            Description = "Filter by product keys (repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var obsGetPurlOption = new Option<string[]>("--purl")
+        {
+            Description = "Filter by Package URLs (repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var obsGetCpeOption = new Option<string[]>("--cpe")
+        {
+            Description = "Filter by CPEs (repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var obsGetStatusOption = new Option<string[]>("--status")
+        {
+            Description = "Filter by status (affected, not_affected, fixed, under_investigation). Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var obsGetProviderOption = new Option<string[]>("--provider")
+        {
+            Description = "Filter by provider IDs (repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var obsGetLimitOption = new Option<int?>("--limit", "-l")
+        {
+            Description = "Maximum number of results (default 50)."
+        };
+        var obsGetCursorOption = new Option<string?>("--cursor")
+        {
+            Description = "Pagination cursor from previous response."
+        };
+        var obsGetJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON for CI integration."
+        };
+
+        obsGet.Add(obsGetTenantOption);
+        obsGet.Add(obsGetVulnIdOption);
+        obsGet.Add(obsGetProductKeyOption);
+        obsGet.Add(obsGetPurlOption);
+        obsGet.Add(obsGetCpeOption);
+        obsGet.Add(obsGetStatusOption);
+        obsGet.Add(obsGetProviderOption);
+        obsGet.Add(obsGetLimitOption);
+        obsGet.Add(obsGetCursorOption);
+        obsGet.Add(obsGetJsonOption);
+
+        obsGet.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(obsGetTenantOption) ?? string.Empty;
+            var vulnIds = parseResult.GetValue(obsGetVulnIdOption) ?? Array.Empty<string>();
+            var productKeys = parseResult.GetValue(obsGetProductKeyOption) ?? Array.Empty<string>();
+            var purls = parseResult.GetValue(obsGetPurlOption) ?? Array.Empty<string>();
+            var cpes = parseResult.GetValue(obsGetCpeOption) ?? Array.Empty<string>();
+            var statuses = parseResult.GetValue(obsGetStatusOption) ?? Array.Empty<string>();
+            var providers = parseResult.GetValue(obsGetProviderOption) ?? Array.Empty<string>();
+            var limit = parseResult.GetValue(obsGetLimitOption);
+            var cursor = parseResult.GetValue(obsGetCursorOption);
+            var emitJson = parseResult.GetValue(obsGetJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleVexObsGetAsync(
+                services,
+                tenant,
+                vulnIds,
+                productKeys,
+                purls,
+                cpes,
+                statuses,
+                providers,
+                limit,
+                cursor,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        obs.Add(obsGet);
+
+        // vex linkset show
+        var linkset = new Command("linkset", "Explore VEX observation linksets.");
+        var linksetShow = new Command("show", "Show linked observations for a vulnerability.");
+        var linksetShowVulnIdArg = new Argument<string>("vulnerability-id")
+        {
+            Description = "Vulnerability identifier (e.g., CVE-2024-1234)."
+        };
+        var linksetShowTenantOption = new Option<string>("--tenant", new[] { "-t" })
+        {
+            Description = "Tenant identifier.",
+            Required = true
+        };
+        var linksetShowProductKeyOption = new Option<string[]>("--product-key")
+        {
+            Description = "Filter by product keys (repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var linksetShowPurlOption = new Option<string[]>("--purl")
+        {
+            Description = "Filter by Package URLs (repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var linksetShowStatusOption = new Option<string[]>("--status")
+        {
+            Description = "Filter by status (repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var linksetShowJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON for CI integration."
+        };
+
+        linksetShow.Add(linksetShowVulnIdArg);
+        linksetShow.Add(linksetShowTenantOption);
+        linksetShow.Add(linksetShowProductKeyOption);
+        linksetShow.Add(linksetShowPurlOption);
+        linksetShow.Add(linksetShowStatusOption);
+        linksetShow.Add(linksetShowJsonOption);
+
+        linksetShow.SetAction((parseResult, _) =>
+        {
+            var vulnId = parseResult.GetValue(linksetShowVulnIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(linksetShowTenantOption) ?? string.Empty;
+            var productKeys = parseResult.GetValue(linksetShowProductKeyOption) ?? Array.Empty<string>();
+            var purls = parseResult.GetValue(linksetShowPurlOption) ?? Array.Empty<string>();
+            var statuses = parseResult.GetValue(linksetShowStatusOption) ?? Array.Empty<string>();
+            var emitJson = parseResult.GetValue(linksetShowJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleVexLinksetShowAsync(
+                services,
+                tenant,
+                vulnId,
+                productKeys,
+                purls,
+                statuses,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        linkset.Add(linksetShow);
+        obs.Add(linkset);
+        vex.Add(obs);
+
         return vex;
     }
 
@@ -3033,4 +4355,5374 @@ internal static class CommandFactory
         riskProfile.Add(schema);
         return riskProfile;
     }
+
+    // CLI-LNM-22-001: Advisory command group
+    private static Command BuildAdvisoryCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var advisory = new Command("advisory", "Explore advisory observations, linksets, and exports (Link-Not-Merge).");
+
+        // Common options
+        var tenantOption = new Option<string>("--tenant", "-t")
+        {
+            Description = "Tenant identifier.",
+            Required = true
+        };
+        var aliasOption = new Option<string[]>("--alias", "-a")
+        {
+            Description = "Filter by vulnerability alias (CVE, GHSA, etc.). Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var purlOption = new Option<string[]>("--purl")
+        {
+            Description = "Filter by Package URL. Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var cpeOption = new Option<string[]>("--cpe")
+        {
+            Description = "Filter by CPE value. Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var sourceOption = new Option<string[]>("--source", "-s")
+        {
+            Description = "Filter by source vendor (e.g., nvd, redhat, ubuntu). Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var severityOption = new Option<string?>("--severity")
+        {
+            Description = "Filter by severity (critical, high, medium, low)."
+        };
+        var kevOption = new Option<bool>("--kev-only")
+        {
+            Description = "Only show advisories listed in KEV (Known Exploited Vulnerabilities)."
+        };
+        var hasFixOption = new Option<bool?>("--has-fix")
+        {
+            Description = "Filter by fix availability (true/false)."
+        };
+        var limitOption = new Option<int?>("--limit", "-l")
+        {
+            Description = "Maximum number of results (default 200, max 500)."
+        };
+        var cursorOption = new Option<string?>("--cursor")
+        {
+            Description = "Pagination cursor from previous response."
+        };
+
+        // stella advisory obs get
+        var obsGet = new Command("obs", "Get raw advisory observations.");
+        var obsIdOption = new Option<string[]>("--observation-id", "-i")
+        {
+            Description = "Filter by observation identifier. Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var obsJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+        var obsOsvOption = new Option<bool>("--osv")
+        {
+            Description = "Output in OSV (Open Source Vulnerability) format."
+        };
+        var obsShowConflictsOption = new Option<bool>("--show-conflicts")
+        {
+            Description = "Include conflict information in output."
+        };
+
+        obsGet.Add(tenantOption);
+        obsGet.Add(obsIdOption);
+        obsGet.Add(aliasOption);
+        obsGet.Add(purlOption);
+        obsGet.Add(cpeOption);
+        obsGet.Add(sourceOption);
+        obsGet.Add(severityOption);
+        obsGet.Add(kevOption);
+        obsGet.Add(hasFixOption);
+        obsGet.Add(limitOption);
+        obsGet.Add(cursorOption);
+        obsGet.Add(obsJsonOption);
+        obsGet.Add(obsOsvOption);
+        obsGet.Add(obsShowConflictsOption);
+
+        obsGet.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption) ?? string.Empty;
+            var observationIds = parseResult.GetValue(obsIdOption) ?? Array.Empty<string>();
+            var aliases = parseResult.GetValue(aliasOption) ?? Array.Empty<string>();
+            var purls = parseResult.GetValue(purlOption) ?? Array.Empty<string>();
+            var cpes = parseResult.GetValue(cpeOption) ?? Array.Empty<string>();
+            var sources = parseResult.GetValue(sourceOption) ?? Array.Empty<string>();
+            var severity = parseResult.GetValue(severityOption);
+            var kevOnly = parseResult.GetValue(kevOption);
+            var hasFix = parseResult.GetValue(hasFixOption);
+            var limit = parseResult.GetValue(limitOption);
+            var cursor = parseResult.GetValue(cursorOption);
+            var emitJson = parseResult.GetValue(obsJsonOption);
+            var emitOsv = parseResult.GetValue(obsOsvOption);
+            var showConflicts = parseResult.GetValue(obsShowConflictsOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleAdvisoryObsGetAsync(
+                services,
+                tenant,
+                observationIds,
+                aliases,
+                purls,
+                cpes,
+                sources,
+                severity,
+                kevOnly,
+                hasFix,
+                limit,
+                cursor,
+                emitJson,
+                emitOsv,
+                showConflicts,
+                verbose,
+                cancellationToken);
+        });
+
+        advisory.Add(obsGet);
+
+        // stella advisory linkset show
+        var linksetShow = new Command("linkset", "Show aggregated linkset with conflict summary.");
+        var linksetJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        linksetShow.Add(tenantOption);
+        linksetShow.Add(aliasOption);
+        linksetShow.Add(purlOption);
+        linksetShow.Add(cpeOption);
+        linksetShow.Add(sourceOption);
+        linksetShow.Add(linksetJsonOption);
+
+        linksetShow.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption) ?? string.Empty;
+            var aliases = parseResult.GetValue(aliasOption) ?? Array.Empty<string>();
+            var purls = parseResult.GetValue(purlOption) ?? Array.Empty<string>();
+            var cpes = parseResult.GetValue(cpeOption) ?? Array.Empty<string>();
+            var sources = parseResult.GetValue(sourceOption) ?? Array.Empty<string>();
+            var emitJson = parseResult.GetValue(linksetJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleAdvisoryLinksetShowAsync(
+                services,
+                tenant,
+                aliases,
+                purls,
+                cpes,
+                sources,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        advisory.Add(linksetShow);
+
+        // stella advisory export
+        var export = new Command("export", "Export advisory observations to various formats.");
+        var exportFormatOption = new Option<string>("--format", "-f")
+        {
+            Description = "Export format (json, osv, ndjson, csv). Default: json."
+        };
+        var exportOutputOption = new Option<string?>("--output", "-o")
+        {
+            Description = "Output file path. If not specified, writes to stdout."
+        };
+        var exportSignedOption = new Option<bool>("--signed")
+        {
+            Description = "Request signed export (if supported by backend)."
+        };
+
+        export.Add(tenantOption);
+        export.Add(aliasOption);
+        export.Add(purlOption);
+        export.Add(cpeOption);
+        export.Add(sourceOption);
+        export.Add(severityOption);
+        export.Add(kevOption);
+        export.Add(hasFixOption);
+        export.Add(limitOption);
+        export.Add(exportFormatOption);
+        export.Add(exportOutputOption);
+        export.Add(exportSignedOption);
+
+        export.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption) ?? string.Empty;
+            var aliases = parseResult.GetValue(aliasOption) ?? Array.Empty<string>();
+            var purls = parseResult.GetValue(purlOption) ?? Array.Empty<string>();
+            var cpes = parseResult.GetValue(cpeOption) ?? Array.Empty<string>();
+            var sources = parseResult.GetValue(sourceOption) ?? Array.Empty<string>();
+            var severity = parseResult.GetValue(severityOption);
+            var kevOnly = parseResult.GetValue(kevOption);
+            var hasFix = parseResult.GetValue(hasFixOption);
+            var limit = parseResult.GetValue(limitOption);
+            var format = parseResult.GetValue(exportFormatOption) ?? "json";
+            var output = parseResult.GetValue(exportOutputOption);
+            var signed = parseResult.GetValue(exportSignedOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleAdvisoryExportAsync(
+                services,
+                tenant,
+                aliases,
+                purls,
+                cpes,
+                sources,
+                severity,
+                kevOnly,
+                hasFix,
+                limit,
+                format,
+                output,
+                signed,
+                verbose,
+                cancellationToken);
+        });
+
+        advisory.Add(export);
+
+        return advisory;
+    }
+
+    // CLI-FORENSICS-53-001: Forensic snapshot command group
+    private static Command BuildForensicCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var forensic = new Command("forensic", "Manage forensic snapshots and evidence locker operations.");
+
+        // Common options
+        var tenantOption = new Option<string>("--tenant", "-t")
+        {
+            Description = "Tenant identifier.",
+            Required = true
+        };
+
+        // stella forensic snapshot create --case
+        var snapshotCreate = new Command("snapshot", "Create a forensic snapshot for evidence preservation.");
+        var createCaseOption = new Option<string>("--case", "-c")
+        {
+            Description = "Case identifier to associate with the snapshot.",
+            Required = true
+        };
+        var createDescOption = new Option<string?>("--description", "-d")
+        {
+            Description = "Description of the snapshot purpose."
+        };
+        var createTagsOption = new Option<string[]>("--tag")
+        {
+            Description = "Tags to attach to the snapshot. Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var createSbomOption = new Option<string[]>("--sbom-id")
+        {
+            Description = "SBOM IDs to include in the snapshot scope. Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var createScanOption = new Option<string[]>("--scan-id")
+        {
+            Description = "Scan IDs to include in the snapshot scope. Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var createPolicyOption = new Option<string[]>("--policy-id")
+        {
+            Description = "Policy IDs to include in the snapshot scope. Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var createVulnOption = new Option<string[]>("--vuln-id")
+        {
+            Description = "Vulnerability IDs to include in the snapshot scope. Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var createRetentionOption = new Option<int?>("--retention-days")
+        {
+            Description = "Retention period in days (default: per tenant policy)."
+        };
+        var createJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        snapshotCreate.Add(tenantOption);
+        snapshotCreate.Add(createCaseOption);
+        snapshotCreate.Add(createDescOption);
+        snapshotCreate.Add(createTagsOption);
+        snapshotCreate.Add(createSbomOption);
+        snapshotCreate.Add(createScanOption);
+        snapshotCreate.Add(createPolicyOption);
+        snapshotCreate.Add(createVulnOption);
+        snapshotCreate.Add(createRetentionOption);
+        snapshotCreate.Add(createJsonOption);
+
+        snapshotCreate.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption) ?? string.Empty;
+            var caseId = parseResult.GetValue(createCaseOption) ?? string.Empty;
+            var description = parseResult.GetValue(createDescOption);
+            var tags = parseResult.GetValue(createTagsOption) ?? Array.Empty<string>();
+            var sbomIds = parseResult.GetValue(createSbomOption) ?? Array.Empty<string>();
+            var scanIds = parseResult.GetValue(createScanOption) ?? Array.Empty<string>();
+            var policyIds = parseResult.GetValue(createPolicyOption) ?? Array.Empty<string>();
+            var vulnIds = parseResult.GetValue(createVulnOption) ?? Array.Empty<string>();
+            var retentionDays = parseResult.GetValue(createRetentionOption);
+            var emitJson = parseResult.GetValue(createJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleForensicSnapshotCreateAsync(
+                services,
+                tenant,
+                caseId,
+                description,
+                tags,
+                sbomIds,
+                scanIds,
+                policyIds,
+                vulnIds,
+                retentionDays,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        forensic.Add(snapshotCreate);
+
+        // stella forensic list
+        var snapshotList = new Command("list", "List forensic snapshots.");
+        var listCaseOption = new Option<string?>("--case", "-c")
+        {
+            Description = "Filter by case identifier."
+        };
+        var listStatusOption = new Option<string?>("--status")
+        {
+            Description = "Filter by status (pending, creating, ready, failed, expired, archived)."
+        };
+        var listTagsOption = new Option<string[]>("--tag")
+        {
+            Description = "Filter by tags. Repeatable.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        var listLimitOption = new Option<int?>("--limit", "-l")
+        {
+            Description = "Maximum number of results (default 50)."
+        };
+        var listOffsetOption = new Option<int?>("--offset")
+        {
+            Description = "Number of results to skip for pagination."
+        };
+        var listJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        snapshotList.Add(tenantOption);
+        snapshotList.Add(listCaseOption);
+        snapshotList.Add(listStatusOption);
+        snapshotList.Add(listTagsOption);
+        snapshotList.Add(listLimitOption);
+        snapshotList.Add(listOffsetOption);
+        snapshotList.Add(listJsonOption);
+
+        snapshotList.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption) ?? string.Empty;
+            var caseId = parseResult.GetValue(listCaseOption);
+            var status = parseResult.GetValue(listStatusOption);
+            var tags = parseResult.GetValue(listTagsOption) ?? Array.Empty<string>();
+            var limit = parseResult.GetValue(listLimitOption);
+            var offset = parseResult.GetValue(listOffsetOption);
+            var emitJson = parseResult.GetValue(listJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleForensicSnapshotListAsync(
+                services,
+                tenant,
+                caseId,
+                status,
+                tags,
+                limit,
+                offset,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        forensic.Add(snapshotList);
+
+        // stella forensic show
+        var snapshotShow = new Command("show", "Show forensic snapshot details including manifest digests.");
+        var showSnapshotIdArg = new Argument<string>("snapshot-id")
+        {
+            Description = "Snapshot identifier to show."
+        };
+        var showJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+        var showManifestOption = new Option<bool>("--manifest")
+        {
+            Description = "Include full manifest with artifact digests."
+        };
+
+        snapshotShow.Add(showSnapshotIdArg);
+        snapshotShow.Add(tenantOption);
+        snapshotShow.Add(showJsonOption);
+        snapshotShow.Add(showManifestOption);
+
+        snapshotShow.SetAction((parseResult, _) =>
+        {
+            var snapshotId = parseResult.GetValue(showSnapshotIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption) ?? string.Empty;
+            var emitJson = parseResult.GetValue(showJsonOption);
+            var includeManifest = parseResult.GetValue(showManifestOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleForensicSnapshotShowAsync(
+                services,
+                tenant,
+                snapshotId,
+                emitJson,
+                includeManifest,
+                verbose,
+                cancellationToken);
+        });
+
+        forensic.Add(snapshotShow);
+
+        // CLI-FORENSICS-54-001: stella forensic verify <bundle>
+        var verifyCommand = new Command("verify", "Verify forensic bundle integrity, signatures, and chain-of-custody.");
+        var verifyBundleArg = new Argument<string>("bundle")
+        {
+            Description = "Path to forensic bundle directory or manifest file."
+        };
+        var verifyJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON for CI integration."
+        };
+        var verifyTrustRootOption = new Option<string?>("--trust-root", "-r")
+        {
+            Description = "Path to trust root JSON file containing public keys."
+        };
+        var verifySkipChecksumsOption = new Option<bool>("--skip-checksums")
+        {
+            Description = "Skip artifact checksum verification."
+        };
+        var verifySkipSignaturesOption = new Option<bool>("--skip-signatures")
+        {
+            Description = "Skip DSSE signature verification."
+        };
+        var verifySkipChainOption = new Option<bool>("--skip-chain")
+        {
+            Description = "Skip chain-of-custody verification."
+        };
+        var verifyStrictTimelineOption = new Option<bool>("--strict-timeline")
+        {
+            Description = "Enforce strict timeline continuity (fail on gaps > 24h)."
+        };
+
+        verifyCommand.Add(verifyBundleArg);
+        verifyCommand.Add(verifyJsonOption);
+        verifyCommand.Add(verifyTrustRootOption);
+        verifyCommand.Add(verifySkipChecksumsOption);
+        verifyCommand.Add(verifySkipSignaturesOption);
+        verifyCommand.Add(verifySkipChainOption);
+        verifyCommand.Add(verifyStrictTimelineOption);
+
+        verifyCommand.SetAction((parseResult, _) =>
+        {
+            var bundlePath = parseResult.GetValue(verifyBundleArg) ?? string.Empty;
+            var emitJson = parseResult.GetValue(verifyJsonOption);
+            var trustRootPath = parseResult.GetValue(verifyTrustRootOption);
+            var skipChecksums = parseResult.GetValue(verifySkipChecksumsOption);
+            var skipSignatures = parseResult.GetValue(verifySkipSignaturesOption);
+            var skipChain = parseResult.GetValue(verifySkipChainOption);
+            var strictTimeline = parseResult.GetValue(verifyStrictTimelineOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleForensicVerifyAsync(
+                services,
+                bundlePath,
+                emitJson,
+                trustRootPath,
+                !skipChecksums,
+                !skipSignatures,
+                !skipChain,
+                strictTimeline,
+                verbose,
+                cancellationToken);
+        });
+
+        forensic.Add(verifyCommand);
+
+        // CLI-FORENSICS-54-002: stella forensic attest show <artifact>
+        var attestCommand = new Command("attest", "Attestation operations for forensic artifacts.");
+
+        var attestShowCommand = new Command("show", "Show attestation details including signer, timestamp, and subjects.");
+        var attestArtifactArg = new Argument<string>("artifact")
+        {
+            Description = "Path to attestation file (DSSE envelope)."
+        };
+        var attestJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON for CI integration."
+        };
+        var attestTrustRootOption = new Option<string?>("--trust-root", "-r")
+        {
+            Description = "Path to trust root JSON file for signature verification."
+        };
+        var attestVerifyOption = new Option<bool>("--verify")
+        {
+            Description = "Verify signatures against trust roots."
+        };
+
+        attestShowCommand.Add(attestArtifactArg);
+        attestShowCommand.Add(attestJsonOption);
+        attestShowCommand.Add(attestTrustRootOption);
+        attestShowCommand.Add(attestVerifyOption);
+
+        attestShowCommand.SetAction((parseResult, _) =>
+        {
+            var artifactPath = parseResult.GetValue(attestArtifactArg) ?? string.Empty;
+            var emitJson = parseResult.GetValue(attestJsonOption);
+            var trustRootPath = parseResult.GetValue(attestTrustRootOption);
+            var verify = parseResult.GetValue(attestVerifyOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleForensicAttestShowAsync(
+                services,
+                artifactPath,
+                emitJson,
+                trustRootPath,
+                verify,
+                verbose,
+                cancellationToken);
+        });
+
+        attestCommand.Add(attestShowCommand);
+        forensic.Add(attestCommand);
+
+        return forensic;
+    }
+
+    // CLI-PROMO-70-001: Promotion commands
+    private static Command BuildPromotionCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var promotion = new Command("promotion", "Build and manage promotion attestations.");
+
+        // promotion assemble
+        var assemble = new Command("assemble", "Assemble promotion attestation resolving image digests, hashing SBOM/VEX, and emitting stella.ops/promotion@v1 JSON.");
+
+        var imageArg = new Argument<string>("image")
+        {
+            Description = "Container image reference (e.g., registry.example.com/app:v1.0)."
+        };
+        var sbomOption = new Option<string?>("--sbom", "-s")
+        {
+            Description = "Path to SBOM file (CycloneDX or SPDX)."
+        };
+        var vexOption = new Option<string?>("--vex", "-v")
+        {
+            Description = "Path to VEX file (OpenVEX or CSAF)."
+        };
+        var fromOption = new Option<string>("--from")
+        {
+            Description = "Source environment (default: staging)."
+        };
+        fromOption.SetDefaultValue("staging");
+        var toOption = new Option<string>("--to")
+        {
+            Description = "Target environment (default: prod)."
+        };
+        toOption.SetDefaultValue("prod");
+        var actorOption = new Option<string?>("--actor")
+        {
+            Description = "Actor performing the promotion (default: current user)."
+        };
+        var pipelineOption = new Option<string?>("--pipeline")
+        {
+            Description = "CI/CD pipeline URL."
+        };
+        var ticketOption = new Option<string?>("--ticket")
+        {
+            Description = "Issue tracker ticket reference (e.g., JIRA-1234)."
+        };
+        var notesOption = new Option<string?>("--notes")
+        {
+            Description = "Additional notes about the promotion."
+        };
+        var skipRekorOption = new Option<bool>("--skip-rekor")
+        {
+            Description = "Skip Rekor transparency log integration."
+        };
+        var outputOption = new Option<string?>("--output", "-o")
+        {
+            Description = "Output path for the attestation JSON file."
+        };
+        var jsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON for CI integration."
+        };
+        var tenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant identifier."
+        };
+
+        assemble.Add(imageArg);
+        assemble.Add(sbomOption);
+        assemble.Add(vexOption);
+        assemble.Add(fromOption);
+        assemble.Add(toOption);
+        assemble.Add(actorOption);
+        assemble.Add(pipelineOption);
+        assemble.Add(ticketOption);
+        assemble.Add(notesOption);
+        assemble.Add(skipRekorOption);
+        assemble.Add(outputOption);
+        assemble.Add(jsonOption);
+        assemble.Add(tenantOption);
+
+        assemble.SetAction((parseResult, _) =>
+        {
+            var image = parseResult.GetValue(imageArg) ?? string.Empty;
+            var sbom = parseResult.GetValue(sbomOption);
+            var vex = parseResult.GetValue(vexOption);
+            var from = parseResult.GetValue(fromOption) ?? "staging";
+            var to = parseResult.GetValue(toOption) ?? "prod";
+            var actor = parseResult.GetValue(actorOption);
+            var pipeline = parseResult.GetValue(pipelineOption);
+            var ticket = parseResult.GetValue(ticketOption);
+            var notes = parseResult.GetValue(notesOption);
+            var skipRekor = parseResult.GetValue(skipRekorOption);
+            var output = parseResult.GetValue(outputOption);
+            var emitJson = parseResult.GetValue(jsonOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePromotionAssembleAsync(
+                services,
+                image,
+                sbom,
+                vex,
+                from,
+                to,
+                actor,
+                pipeline,
+                ticket,
+                notes,
+                skipRekor,
+                output,
+                emitJson,
+                tenant,
+                verbose,
+                cancellationToken);
+        });
+
+        promotion.Add(assemble);
+
+        // CLI-PROMO-70-002: promotion attest
+        var attest = new Command("attest", "Sign a promotion predicate and produce a DSSE bundle via Signer or cosign.");
+
+        var attestPredicateArg = new Argument<string>("predicate")
+        {
+            Description = "Path to the promotion predicate JSON file (output of 'promotion assemble')."
+        };
+        var attestKeyOption = new Option<string?>("--key", "-k")
+        {
+            Description = "Signing key path or KMS key ID."
+        };
+        var attestKeylessOption = new Option<bool>("--keyless")
+        {
+            Description = "Use keyless signing (Fulcio-based)."
+        };
+        var attestNoRekorOption = new Option<bool>("--no-rekor")
+        {
+            Description = "Skip uploading to Rekor transparency log."
+        };
+        var attestOutputOption = new Option<string?>("--output", "-o")
+        {
+            Description = "Output path for the DSSE bundle."
+        };
+        var attestJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON for CI integration."
+        };
+        var attestTenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant identifier for Signer API."
+        };
+
+        attest.Add(attestPredicateArg);
+        attest.Add(attestKeyOption);
+        attest.Add(attestKeylessOption);
+        attest.Add(attestNoRekorOption);
+        attest.Add(attestOutputOption);
+        attest.Add(attestJsonOption);
+        attest.Add(attestTenantOption);
+
+        attest.SetAction((parseResult, _) =>
+        {
+            var predicatePath = parseResult.GetValue(attestPredicateArg) ?? string.Empty;
+            var keyId = parseResult.GetValue(attestKeyOption);
+            var useKeyless = parseResult.GetValue(attestKeylessOption);
+            var noRekor = parseResult.GetValue(attestNoRekorOption);
+            var output = parseResult.GetValue(attestOutputOption);
+            var emitJson = parseResult.GetValue(attestJsonOption);
+            var tenant = parseResult.GetValue(attestTenantOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePromotionAttestAsync(
+                services,
+                predicatePath,
+                keyId,
+                useKeyless,
+                !noRekor,
+                output,
+                emitJson,
+                tenant,
+                verbose,
+                cancellationToken);
+        });
+
+        promotion.Add(attest);
+
+        // CLI-PROMO-70-002: promotion verify
+        var verify = new Command("verify", "Verify a promotion attestation bundle offline against trusted checkpoints.");
+
+        var verifyBundleArg = new Argument<string>("bundle")
+        {
+            Description = "Path to the DSSE bundle file."
+        };
+        var verifySbomOption = new Option<string?>("--sbom")
+        {
+            Description = "Path to SBOM file for material verification."
+        };
+        var verifyVexOption = new Option<string?>("--vex")
+        {
+            Description = "Path to VEX file for material verification."
+        };
+        var verifyTrustRootOption = new Option<string?>("--trust-root")
+        {
+            Description = "Path to trusted certificate chain."
+        };
+        var verifyCheckpointOption = new Option<string?>("--checkpoint")
+        {
+            Description = "Path to Rekor checkpoint for verification."
+        };
+        var verifySkipSigOption = new Option<bool>("--skip-signature")
+        {
+            Description = "Skip signature verification."
+        };
+        var verifySkipRekorOption = new Option<bool>("--skip-rekor")
+        {
+            Description = "Skip Rekor inclusion proof verification."
+        };
+        var verifyJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON for CI integration."
+        };
+        var verifyTenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant identifier."
+        };
+
+        verify.Add(verifyBundleArg);
+        verify.Add(verifySbomOption);
+        verify.Add(verifyVexOption);
+        verify.Add(verifyTrustRootOption);
+        verify.Add(verifyCheckpointOption);
+        verify.Add(verifySkipSigOption);
+        verify.Add(verifySkipRekorOption);
+        verify.Add(verifyJsonOption);
+        verify.Add(verifyTenantOption);
+
+        verify.SetAction((parseResult, _) =>
+        {
+            var bundlePath = parseResult.GetValue(verifyBundleArg) ?? string.Empty;
+            var sbom = parseResult.GetValue(verifySbomOption);
+            var vex = parseResult.GetValue(verifyVexOption);
+            var trustRoot = parseResult.GetValue(verifyTrustRootOption);
+            var checkpoint = parseResult.GetValue(verifyCheckpointOption);
+            var skipSig = parseResult.GetValue(verifySkipSigOption);
+            var skipRekor = parseResult.GetValue(verifySkipRekorOption);
+            var emitJson = parseResult.GetValue(verifyJsonOption);
+            var tenant = parseResult.GetValue(verifyTenantOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePromotionVerifyAsync(
+                services,
+                bundlePath,
+                sbom,
+                vex,
+                trustRoot,
+                checkpoint,
+                skipSig,
+                skipRekor,
+                emitJson,
+                tenant,
+                verbose,
+                cancellationToken);
+        });
+
+        promotion.Add(verify);
+
+        return promotion;
+    }
+
+    // CLI-DETER-70-003: Determinism score commands
+    private static Command BuildDetscoreCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var detscore = new Command("detscore", "Scanner determinism scoring harness for reproducibility testing.");
+
+        // detscore run
+        var run = new Command("run", "Run determinism harness with frozen clock, seeded RNG, and canonical hashes. Exits non-zero if score falls below threshold.");
+
+        var imagesOption = new Option<string[]>("--image", "-i")
+        {
+            Description = "Image digests to test (can be specified multiple times).",
+            AllowMultipleArgumentsPerToken = true
+        };
+        imagesOption.IsRequired = true;
+
+        var scannerOption = new Option<string>("--scanner", "-s")
+        {
+            Description = "Scanner container image reference."
+        };
+        scannerOption.IsRequired = true;
+
+        var policyBundleOption = new Option<string?>("--policy-bundle")
+        {
+            Description = "Path to policy bundle tarball."
+        };
+
+        var feedsBundleOption = new Option<string?>("--feeds-bundle")
+        {
+            Description = "Path to feeds bundle tarball."
+        };
+
+        var runsOption = new Option<int>("--runs", "-n")
+        {
+            Description = "Number of runs per image (default: 10)."
+        };
+        runsOption.SetDefaultValue(10);
+
+        var fixedClockOption = new Option<DateTimeOffset?>("--fixed-clock")
+        {
+            Description = "Fixed clock timestamp for deterministic execution (default: current UTC)."
+        };
+
+        var rngSeedOption = new Option<int>("--rng-seed")
+        {
+            Description = "RNG seed for deterministic execution (default: 1337)."
+        };
+        rngSeedOption.SetDefaultValue(1337);
+
+        var maxConcurrencyOption = new Option<int>("--max-concurrency")
+        {
+            Description = "Maximum concurrency for scanner (default: 1 for determinism)."
+        };
+        maxConcurrencyOption.SetDefaultValue(1);
+
+        var memoryLimitOption = new Option<string>("--memory")
+        {
+            Description = "Memory limit for container (default: 2G)."
+        };
+        memoryLimitOption.SetDefaultValue("2G");
+
+        var cpuSetOption = new Option<string>("--cpuset")
+        {
+            Description = "CPU set for container (default: 0)."
+        };
+        cpuSetOption.SetDefaultValue("0");
+
+        var platformOption = new Option<string>("--platform")
+        {
+            Description = "Platform (default: linux/amd64)."
+        };
+        platformOption.SetDefaultValue("linux/amd64");
+
+        var imageThresholdOption = new Option<double>("--image-threshold")
+        {
+            Description = "Minimum threshold for individual image scores (default: 0.90)."
+        };
+        imageThresholdOption.SetDefaultValue(0.90);
+
+        var overallThresholdOption = new Option<double>("--overall-threshold")
+        {
+            Description = "Minimum threshold for overall score (default: 0.95)."
+        };
+        overallThresholdOption.SetDefaultValue(0.95);
+
+        var outputDirOption = new Option<string?>("--output-dir", "-o")
+        {
+            Description = "Output directory for determinism.json and run artifacts."
+        };
+
+        var releaseOption = new Option<string?>("--release")
+        {
+            Description = "Release version string for the manifest."
+        };
+
+        var jsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON for CI integration."
+        };
+
+        run.Add(imagesOption);
+        run.Add(scannerOption);
+        run.Add(policyBundleOption);
+        run.Add(feedsBundleOption);
+        run.Add(runsOption);
+        run.Add(fixedClockOption);
+        run.Add(rngSeedOption);
+        run.Add(maxConcurrencyOption);
+        run.Add(memoryLimitOption);
+        run.Add(cpuSetOption);
+        run.Add(platformOption);
+        run.Add(imageThresholdOption);
+        run.Add(overallThresholdOption);
+        run.Add(outputDirOption);
+        run.Add(releaseOption);
+        run.Add(jsonOption);
+        run.Add(verboseOption);
+
+        run.SetAction((parseResult, _) =>
+        {
+            var images = parseResult.GetValue(imagesOption) ?? Array.Empty<string>();
+            var scanner = parseResult.GetValue(scannerOption) ?? string.Empty;
+            var policyBundle = parseResult.GetValue(policyBundleOption);
+            var feedsBundle = parseResult.GetValue(feedsBundleOption);
+            var runs = parseResult.GetValue(runsOption);
+            var fixedClock = parseResult.GetValue(fixedClockOption);
+            var rngSeed = parseResult.GetValue(rngSeedOption);
+            var maxConcurrency = parseResult.GetValue(maxConcurrencyOption);
+            var memoryLimit = parseResult.GetValue(memoryLimitOption) ?? "2G";
+            var cpuSet = parseResult.GetValue(cpuSetOption) ?? "0";
+            var platform = parseResult.GetValue(platformOption) ?? "linux/amd64";
+            var imageThreshold = parseResult.GetValue(imageThresholdOption);
+            var overallThreshold = parseResult.GetValue(overallThresholdOption);
+            var outputDir = parseResult.GetValue(outputDirOption);
+            var release = parseResult.GetValue(releaseOption);
+            var emitJson = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleDetscoreRunAsync(
+                services,
+                images,
+                scanner,
+                policyBundle,
+                feedsBundle,
+                runs,
+                fixedClock,
+                rngSeed,
+                maxConcurrency,
+                memoryLimit,
+                cpuSet,
+                platform,
+                imageThreshold,
+                overallThreshold,
+                outputDir,
+                release,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        detscore.Add(run);
+
+        // CLI-DETER-70-004: detscore report
+        var report = new Command("report", "Generate determinism score report from published determinism.json manifests for release notes and air-gap kits.");
+
+        var manifestsArg = new Argument<string[]>("manifests")
+        {
+            Description = "Paths to determinism.json manifest files.",
+            Arity = ArgumentArity.OneOrMore
+        };
+
+        var formatOption = new Option<string>("--format", "-f")
+        {
+            Description = "Output format: markdown, json, csv (default: markdown)."
+        };
+        formatOption.SetDefaultValue("markdown");
+        formatOption.FromAmong("markdown", "json", "csv");
+
+        var outputOption = new Option<string?>("--output", "-o")
+        {
+            Description = "Output file path. If omitted, writes to stdout."
+        };
+
+        var detailsOption = new Option<bool>("--details")
+        {
+            Description = "Include per-image matrix and run details in output."
+        };
+
+        var titleOption = new Option<string?>("--title")
+        {
+            Description = "Title for the report."
+        };
+
+        var reportJsonOption = new Option<bool>("--json")
+        {
+            Description = "Equivalent to --format json for CI integration."
+        };
+
+        report.Add(manifestsArg);
+        report.Add(formatOption);
+        report.Add(outputOption);
+        report.Add(detailsOption);
+        report.Add(titleOption);
+        report.Add(reportJsonOption);
+        report.Add(verboseOption);
+
+        report.SetAction((parseResult, _) =>
+        {
+            var manifests = parseResult.GetValue(manifestsArg) ?? Array.Empty<string>();
+            var format = parseResult.GetValue(formatOption) ?? "markdown";
+            var output = parseResult.GetValue(outputOption);
+            var details = parseResult.GetValue(detailsOption);
+            var title = parseResult.GetValue(titleOption);
+            var json = parseResult.GetValue(reportJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            // --json is shorthand for --format json
+            if (json)
+            {
+                format = "json";
+            }
+
+            return CommandHandlers.HandleDetscoreReportAsync(
+                services,
+                manifests,
+                format,
+                output,
+                details,
+                title,
+                verbose,
+                cancellationToken);
+        });
+
+        detscore.Add(report);
+
+        return detscore;
+    }
+
+    // CLI-OBS-51-001: Observability commands
+    private static Command BuildObsCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var obs = new Command("obs", "Platform observability: service health, SLOs, burn-rate alerts, and metrics.");
+
+        // obs top
+        var top = new Command("top", "Stream service health metrics, SLO status, and burn-rate alerts (like 'top' for your platform).");
+
+        var servicesOption = new Option<string[]>("--service", "-s")
+        {
+            Description = "Filter by service name (repeatable).",
+            AllowMultipleArgumentsPerToken = true
+        };
+
+        var tenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Filter by tenant."
+        };
+
+        var refreshOption = new Option<int>("--refresh", "-r")
+        {
+            Description = "Refresh interval in seconds (0 = single fetch, default: 0)."
+        };
+        refreshOption.SetDefaultValue(0);
+
+        var includeQueuesOption = new Option<bool>("--queues")
+        {
+            Description = "Include queue health details (default: true)."
+        };
+        includeQueuesOption.SetDefaultValue(true);
+
+        var maxAlertsOption = new Option<int>("--max-alerts")
+        {
+            Description = "Maximum number of alerts to display (default: 20)."
+        };
+        maxAlertsOption.SetDefaultValue(20);
+
+        var outputOption = new Option<string>("--output", "-o")
+        {
+            Description = "Output format: table, json, ndjson (default: table)."
+        };
+        outputOption.SetDefaultValue("table");
+        outputOption.FromAmong("table", "json", "ndjson");
+
+        var jsonOption = new Option<bool>("--json")
+        {
+            Description = "Equivalent to --output json for CI integration."
+        };
+
+        var offlineOption = new Option<bool>("--offline")
+        {
+            Description = "Operate on cached data only; exit with code 5 if network access required."
+        };
+
+        top.Add(servicesOption);
+        top.Add(tenantOption);
+        top.Add(refreshOption);
+        top.Add(includeQueuesOption);
+        top.Add(maxAlertsOption);
+        top.Add(outputOption);
+        top.Add(jsonOption);
+        top.Add(offlineOption);
+        top.Add(verboseOption);
+
+        top.SetAction((parseResult, _) =>
+        {
+            var serviceNames = parseResult.GetValue(servicesOption) ?? Array.Empty<string>();
+            var tenant = parseResult.GetValue(tenantOption);
+            var refresh = parseResult.GetValue(refreshOption);
+            var includeQueues = parseResult.GetValue(includeQueuesOption);
+            var maxAlerts = parseResult.GetValue(maxAlertsOption);
+            var output = parseResult.GetValue(outputOption) ?? "table";
+            var json = parseResult.GetValue(jsonOption);
+            var offline = parseResult.GetValue(offlineOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            // --json is shorthand for --output json
+            if (json)
+            {
+                output = "json";
+            }
+
+            return CommandHandlers.HandleObsTopAsync(
+                services,
+                serviceNames,
+                tenant,
+                refresh,
+                includeQueues,
+                maxAlerts,
+                output,
+                offline,
+                verbose,
+                cancellationToken);
+        });
+
+        obs.Add(top);
+
+        // CLI-OBS-52-001: obs trace
+        var trace = new Command("trace", "Fetch a distributed trace by ID with correlated spans and evidence links.");
+
+        var traceIdArg = new Argument<string>("trace_id")
+        {
+            Description = "The trace ID to fetch."
+        };
+
+        var traceTenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Filter by tenant."
+        };
+
+        var includeEvidenceOption = new Option<bool>("--evidence")
+        {
+            Description = "Include evidence links (SBOM, VEX, attestations). Default: true."
+        };
+        includeEvidenceOption.SetDefaultValue(true);
+
+        var traceOutputOption = new Option<string>("--output", "-o")
+        {
+            Description = "Output format: table, json (default: table)."
+        };
+        traceOutputOption.SetDefaultValue("table");
+        traceOutputOption.FromAmong("table", "json");
+
+        var traceJsonOption = new Option<bool>("--json")
+        {
+            Description = "Equivalent to --output json."
+        };
+
+        var traceOfflineOption = new Option<bool>("--offline")
+        {
+            Description = "Operate on cached data only; exit with code 5 if network access required."
+        };
+
+        trace.Add(traceIdArg);
+        trace.Add(traceTenantOption);
+        trace.Add(includeEvidenceOption);
+        trace.Add(traceOutputOption);
+        trace.Add(traceJsonOption);
+        trace.Add(traceOfflineOption);
+        trace.Add(verboseOption);
+
+        trace.SetAction((parseResult, _) =>
+        {
+            var traceId = parseResult.GetValue(traceIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(traceTenantOption);
+            var includeEvidence = parseResult.GetValue(includeEvidenceOption);
+            var output = parseResult.GetValue(traceOutputOption) ?? "table";
+            var json = parseResult.GetValue(traceJsonOption);
+            var offline = parseResult.GetValue(traceOfflineOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            if (json)
+            {
+                output = "json";
+            }
+
+            return CommandHandlers.HandleObsTraceAsync(
+                services,
+                traceId,
+                tenant,
+                includeEvidence,
+                output,
+                offline,
+                verbose,
+                cancellationToken);
+        });
+
+        obs.Add(trace);
+
+        // CLI-OBS-52-001: obs logs
+        var logs = new Command("logs", "Fetch platform logs for a time window with pagination and filters.");
+
+        var fromOption = new Option<DateTimeOffset>("--from")
+        {
+            Description = "Start timestamp (ISO-8601). Required."
+        };
+        fromOption.IsRequired = true;
+
+        var toOption = new Option<DateTimeOffset>("--to")
+        {
+            Description = "End timestamp (ISO-8601). Required."
+        };
+        toOption.IsRequired = true;
+
+        var logsTenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Filter by tenant."
+        };
+
+        var logsServicesOption = new Option<string[]>("--service", "-s")
+        {
+            Description = "Filter by service name (repeatable).",
+            AllowMultipleArgumentsPerToken = true
+        };
+
+        var logsLevelsOption = new Option<string[]>("--level", "-l")
+        {
+            Description = "Filter by log level: debug, info, warn, error (repeatable).",
+            AllowMultipleArgumentsPerToken = true
+        };
+
+        var logsQueryOption = new Option<string?>("--query", "-q")
+        {
+            Description = "Full-text search query."
+        };
+
+        var logsPageSizeOption = new Option<int>("--page-size")
+        {
+            Description = "Number of logs per page (default: 100, max: 500)."
+        };
+        logsPageSizeOption.SetDefaultValue(100);
+
+        var logsPageTokenOption = new Option<string?>("--page-token")
+        {
+            Description = "Pagination token for fetching next page."
+        };
+
+        var logsOutputOption = new Option<string>("--output", "-o")
+        {
+            Description = "Output format: table, json, ndjson (default: table)."
+        };
+        logsOutputOption.SetDefaultValue("table");
+        logsOutputOption.FromAmong("table", "json", "ndjson");
+
+        var logsJsonOption = new Option<bool>("--json")
+        {
+            Description = "Equivalent to --output json."
+        };
+
+        var logsOfflineOption = new Option<bool>("--offline")
+        {
+            Description = "Operate on cached data only; exit with code 5 if network access required."
+        };
+
+        logs.Add(fromOption);
+        logs.Add(toOption);
+        logs.Add(logsTenantOption);
+        logs.Add(logsServicesOption);
+        logs.Add(logsLevelsOption);
+        logs.Add(logsQueryOption);
+        logs.Add(logsPageSizeOption);
+        logs.Add(logsPageTokenOption);
+        logs.Add(logsOutputOption);
+        logs.Add(logsJsonOption);
+        logs.Add(logsOfflineOption);
+        logs.Add(verboseOption);
+
+        logs.SetAction((parseResult, _) =>
+        {
+            var from = parseResult.GetValue(fromOption);
+            var to = parseResult.GetValue(toOption);
+            var tenant = parseResult.GetValue(logsTenantOption);
+            var serviceNames = parseResult.GetValue(logsServicesOption) ?? Array.Empty<string>();
+            var levels = parseResult.GetValue(logsLevelsOption) ?? Array.Empty<string>();
+            var query = parseResult.GetValue(logsQueryOption);
+            var pageSize = parseResult.GetValue(logsPageSizeOption);
+            var pageToken = parseResult.GetValue(logsPageTokenOption);
+            var output = parseResult.GetValue(logsOutputOption) ?? "table";
+            var json = parseResult.GetValue(logsJsonOption);
+            var offline = parseResult.GetValue(logsOfflineOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            if (json)
+            {
+                output = "json";
+            }
+
+            return CommandHandlers.HandleObsLogsAsync(
+                services,
+                from,
+                to,
+                tenant,
+                serviceNames,
+                levels,
+                query,
+                pageSize,
+                pageToken,
+                output,
+                offline,
+                verbose,
+                cancellationToken);
+        });
+
+        obs.Add(logs);
+
+        // CLI-OBS-55-001: obs incident-mode
+        var incidentMode = new Command("incident-mode", "Manage incident mode for enhanced forensic fidelity and retention.");
+
+        // incident-mode enable
+        var incidentEnable = new Command("enable", "Enable incident mode with extended retention and debug artefacts.");
+
+        var enableTenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant scope for incident mode."
+        };
+
+        var enableTtlOption = new Option<int>("--ttl")
+        {
+            Description = "Time-to-live in minutes (default: 30). Mode auto-expires after TTL."
+        };
+        enableTtlOption.SetDefaultValue(30);
+
+        var enableRetentionOption = new Option<int>("--retention-days")
+        {
+            Description = "Extended retention period in days (default: 60)."
+        };
+        enableRetentionOption.SetDefaultValue(60);
+
+        var enableReasonOption = new Option<string?>("--reason")
+        {
+            Description = "Reason for enabling incident mode (appears in audit log)."
+        };
+
+        var enableJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        incidentEnable.Add(enableTenantOption);
+        incidentEnable.Add(enableTtlOption);
+        incidentEnable.Add(enableRetentionOption);
+        incidentEnable.Add(enableReasonOption);
+        incidentEnable.Add(enableJsonOption);
+        incidentEnable.Add(verboseOption);
+
+        incidentEnable.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(enableTenantOption);
+            var ttl = parseResult.GetValue(enableTtlOption);
+            var retention = parseResult.GetValue(enableRetentionOption);
+            var reason = parseResult.GetValue(enableReasonOption);
+            var json = parseResult.GetValue(enableJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleObsIncidentModeEnableAsync(
+                services,
+                tenant,
+                ttl,
+                retention,
+                reason,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        incidentMode.Add(incidentEnable);
+
+        // incident-mode disable
+        var incidentDisable = new Command("disable", "Disable incident mode and return to normal operation.");
+
+        var disableTenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant scope for incident mode."
+        };
+
+        var disableReasonOption = new Option<string?>("--reason")
+        {
+            Description = "Reason for disabling incident mode (appears in audit log)."
+        };
+
+        var disableJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        incidentDisable.Add(disableTenantOption);
+        incidentDisable.Add(disableReasonOption);
+        incidentDisable.Add(disableJsonOption);
+        incidentDisable.Add(verboseOption);
+
+        incidentDisable.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(disableTenantOption);
+            var reason = parseResult.GetValue(disableReasonOption);
+            var json = parseResult.GetValue(disableJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleObsIncidentModeDisableAsync(
+                services,
+                tenant,
+                reason,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        incidentMode.Add(incidentDisable);
+
+        // incident-mode status
+        var incidentStatus = new Command("status", "Show current incident mode status.");
+
+        var statusTenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant scope for incident mode."
+        };
+
+        var statusJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        incidentStatus.Add(statusTenantOption);
+        incidentStatus.Add(statusJsonOption);
+        incidentStatus.Add(verboseOption);
+
+        incidentStatus.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(statusTenantOption);
+            var json = parseResult.GetValue(statusJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleObsIncidentModeStatusAsync(
+                services,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        incidentMode.Add(incidentStatus);
+
+        obs.Add(incidentMode);
+
+        return obs;
+    }
+
+    // CLI-PACKS-42-001: Task Pack commands
+    private static Command BuildPackCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var pack = new Command("pack", "Task Pack operations: plan, run, push, pull, verify.");
+
+        // Common options
+        var tenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant scope for the operation."
+        };
+
+        var jsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        var offlineOption = new Option<bool>("--offline")
+        {
+            Description = "Offline mode - only use local cache (fails if not available)."
+        };
+
+        // pack plan
+        var plan = new Command("plan", "Plan a pack execution and validate inputs.");
+
+        var planPackIdArg = new Argument<string>("pack-id")
+        {
+            Description = "Pack identifier (e.g., stellaops/scanner-audit)."
+        };
+
+        var planVersionOption = new Option<string?>("--version", "-v")
+        {
+            Description = "Pack version (defaults to latest)."
+        };
+
+        var planInputsOption = new Option<string?>("--inputs", "-i")
+        {
+            Description = "Path to JSON file containing input values."
+        };
+
+        var planDryRunOption = new Option<bool>("--dry-run")
+        {
+            Description = "Validate only, do not prepare for execution."
+        };
+
+        var planOutputOption = new Option<string?>("--output", "-o")
+        {
+            Description = "Write plan to file."
+        };
+
+        plan.Add(planPackIdArg);
+        plan.Add(planVersionOption);
+        plan.Add(planInputsOption);
+        plan.Add(planDryRunOption);
+        plan.Add(planOutputOption);
+        plan.Add(tenantOption);
+        plan.Add(jsonOption);
+        plan.Add(offlineOption);
+        plan.Add(verboseOption);
+
+        plan.SetAction((parseResult, _) =>
+        {
+            var packId = parseResult.GetValue(planPackIdArg) ?? string.Empty;
+            var version = parseResult.GetValue(planVersionOption);
+            var inputsPath = parseResult.GetValue(planInputsOption);
+            var dryRun = parseResult.GetValue(planDryRunOption);
+            var output = parseResult.GetValue(planOutputOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var offline = parseResult.GetValue(offlineOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackPlanAsync(
+                services,
+                packId,
+                version,
+                inputsPath,
+                dryRun,
+                output,
+                tenant,
+                json,
+                offline,
+                verbose,
+                cancellationToken);
+        });
+
+        pack.Add(plan);
+
+        // pack run
+        var run = new Command("run", "Execute a pack with the specified inputs.");
+
+        var runPackIdArg = new Argument<string>("pack-id")
+        {
+            Description = "Pack identifier (e.g., stellaops/scanner-audit)."
+        };
+
+        var runVersionOption = new Option<string?>("--version", "-v")
+        {
+            Description = "Pack version (defaults to latest)."
+        };
+
+        var runInputsOption = new Option<string?>("--inputs", "-i")
+        {
+            Description = "Path to JSON file containing input values."
+        };
+
+        var runPlanIdOption = new Option<string?>("--plan-id")
+        {
+            Description = "Use a previously created plan instead of inputs."
+        };
+
+        var runWaitOption = new Option<bool>("--wait", "-w")
+        {
+            Description = "Wait for pack execution to complete."
+        };
+
+        var runTimeoutOption = new Option<int>("--timeout")
+        {
+            Description = "Timeout in minutes when waiting for completion (default: 60)."
+        };
+        runTimeoutOption.SetDefaultValue(60);
+
+        var runLabelsOption = new Option<string[]>("--label", "-l")
+        {
+            Description = "Labels to attach to the run (key=value format, repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        runLabelsOption.AllowMultipleArgumentsPerToken = true;
+
+        var runOutputOption = new Option<string?>("--output", "-o")
+        {
+            Description = "Write run result to file."
+        };
+
+        run.Add(runPackIdArg);
+        run.Add(runVersionOption);
+        run.Add(runInputsOption);
+        run.Add(runPlanIdOption);
+        run.Add(runWaitOption);
+        run.Add(runTimeoutOption);
+        run.Add(runLabelsOption);
+        run.Add(runOutputOption);
+        run.Add(tenantOption);
+        run.Add(jsonOption);
+        run.Add(offlineOption);
+        run.Add(verboseOption);
+
+        run.SetAction((parseResult, _) =>
+        {
+            var packId = parseResult.GetValue(runPackIdArg) ?? string.Empty;
+            var version = parseResult.GetValue(runVersionOption);
+            var inputsPath = parseResult.GetValue(runInputsOption);
+            var planId = parseResult.GetValue(runPlanIdOption);
+            var wait = parseResult.GetValue(runWaitOption);
+            var timeout = parseResult.GetValue(runTimeoutOption);
+            var labels = parseResult.GetValue(runLabelsOption) ?? Array.Empty<string>();
+            var output = parseResult.GetValue(runOutputOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var offline = parseResult.GetValue(offlineOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackRunAsync(
+                services,
+                packId,
+                version,
+                inputsPath,
+                planId,
+                wait,
+                timeout,
+                labels,
+                output,
+                tenant,
+                json,
+                offline,
+                verbose,
+                cancellationToken);
+        });
+
+        pack.Add(run);
+
+        // pack push
+        var push = new Command("push", "Push a pack to the registry.");
+
+        var pushPathArg = new Argument<string>("path")
+        {
+            Description = "Path to pack file (.tar.gz) or directory."
+        };
+
+        var pushNameOption = new Option<string?>("--name", "-n")
+        {
+            Description = "Pack name (overrides manifest)."
+        };
+
+        var pushVersionOption = new Option<string?>("--version", "-v")
+        {
+            Description = "Pack version (overrides manifest)."
+        };
+
+        var pushSignOption = new Option<bool>("--sign")
+        {
+            Description = "Sign the pack before pushing."
+        };
+
+        var pushKeyIdOption = new Option<string?>("--key-id")
+        {
+            Description = "Key ID to use for signing."
+        };
+
+        var pushForceOption = new Option<bool>("--force", "-f")
+        {
+            Description = "Overwrite existing version."
+        };
+
+        push.Add(pushPathArg);
+        push.Add(pushNameOption);
+        push.Add(pushVersionOption);
+        push.Add(pushSignOption);
+        push.Add(pushKeyIdOption);
+        push.Add(pushForceOption);
+        push.Add(tenantOption);
+        push.Add(jsonOption);
+        push.Add(verboseOption);
+
+        push.SetAction((parseResult, _) =>
+        {
+            var path = parseResult.GetValue(pushPathArg) ?? string.Empty;
+            var name = parseResult.GetValue(pushNameOption);
+            var version = parseResult.GetValue(pushVersionOption);
+            var sign = parseResult.GetValue(pushSignOption);
+            var keyId = parseResult.GetValue(pushKeyIdOption);
+            var force = parseResult.GetValue(pushForceOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackPushAsync(
+                services,
+                path,
+                name,
+                version,
+                sign,
+                keyId,
+                force,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        pack.Add(push);
+
+        // pack pull
+        var pull = new Command("pull", "Pull a pack from the registry.");
+
+        var pullPackIdArg = new Argument<string>("pack-id")
+        {
+            Description = "Pack identifier (e.g., stellaops/scanner-audit)."
+        };
+
+        var pullVersionOption = new Option<string?>("--version", "-v")
+        {
+            Description = "Pack version (defaults to latest)."
+        };
+
+        var pullOutputOption = new Option<string?>("--output", "-o")
+        {
+            Description = "Output path for downloaded pack."
+        };
+
+        var pullNoVerifyOption = new Option<bool>("--no-verify")
+        {
+            Description = "Skip signature verification."
+        };
+
+        pull.Add(pullPackIdArg);
+        pull.Add(pullVersionOption);
+        pull.Add(pullOutputOption);
+        pull.Add(pullNoVerifyOption);
+        pull.Add(tenantOption);
+        pull.Add(jsonOption);
+        pull.Add(verboseOption);
+
+        pull.SetAction((parseResult, _) =>
+        {
+            var packId = parseResult.GetValue(pullPackIdArg) ?? string.Empty;
+            var version = parseResult.GetValue(pullVersionOption);
+            var output = parseResult.GetValue(pullOutputOption);
+            var noVerify = parseResult.GetValue(pullNoVerifyOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackPullAsync(
+                services,
+                packId,
+                version,
+                output,
+                noVerify,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        pack.Add(pull);
+
+        // pack verify
+        var verify = new Command("verify", "Verify a pack's signature, digest, and schema.");
+
+        var verifyPathOption = new Option<string?>("--path", "-p")
+        {
+            Description = "Path to local pack file to verify."
+        };
+
+        var verifyPackIdOption = new Option<string?>("--pack-id")
+        {
+            Description = "Pack ID to verify from registry."
+        };
+
+        var verifyVersionOption = new Option<string?>("--version", "-v")
+        {
+            Description = "Pack version to verify."
+        };
+
+        var verifyDigestOption = new Option<string?>("--digest")
+        {
+            Description = "Expected digest to verify against."
+        };
+
+        var verifyNoRekorOption = new Option<bool>("--no-rekor")
+        {
+            Description = "Skip Rekor transparency log verification."
+        };
+
+        var verifyNoExpiryOption = new Option<bool>("--no-expiry")
+        {
+            Description = "Skip certificate expiry check."
+        };
+
+        verify.Add(verifyPathOption);
+        verify.Add(verifyPackIdOption);
+        verify.Add(verifyVersionOption);
+        verify.Add(verifyDigestOption);
+        verify.Add(verifyNoRekorOption);
+        verify.Add(verifyNoExpiryOption);
+        verify.Add(tenantOption);
+        verify.Add(jsonOption);
+        verify.Add(verboseOption);
+
+        verify.SetAction((parseResult, _) =>
+        {
+            var path = parseResult.GetValue(verifyPathOption);
+            var packId = parseResult.GetValue(verifyPackIdOption);
+            var version = parseResult.GetValue(verifyVersionOption);
+            var digest = parseResult.GetValue(verifyDigestOption);
+            var noRekor = parseResult.GetValue(verifyNoRekorOption);
+            var noExpiry = parseResult.GetValue(verifyNoExpiryOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackVerifyAsync(
+                services,
+                path,
+                packId,
+                version,
+                digest,
+                noRekor,
+                noExpiry,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        pack.Add(verify);
+
+        // CLI-PACKS-43-001: Advanced pack features
+
+        // pack runs list
+        var runs = new Command("runs", "Manage pack runs.");
+
+        var runsList = new Command("list", "List pack runs.");
+
+        var runsListPackOption = new Option<string?>("--pack")
+        {
+            Description = "Filter by pack ID."
+        };
+
+        var runsListStatusOption = new Option<string?>("--status", "-s")
+        {
+            Description = "Filter by status: pending, running, succeeded, failed, cancelled, waiting_approval."
+        };
+
+        var runsListActorOption = new Option<string?>("--actor")
+        {
+            Description = "Filter by actor (who started the run)."
+        };
+
+        var runsListSinceOption = new Option<DateTimeOffset?>("--since")
+        {
+            Description = "Filter by start time (ISO-8601)."
+        };
+
+        var runsListUntilOption = new Option<DateTimeOffset?>("--until")
+        {
+            Description = "Filter by end time (ISO-8601)."
+        };
+
+        var runsListPageSizeOption = new Option<int>("--page-size")
+        {
+            Description = "Page size (default: 20)."
+        };
+        runsListPageSizeOption.SetDefaultValue(20);
+
+        var runsListPageTokenOption = new Option<string?>("--page-token")
+        {
+            Description = "Page token for pagination."
+        };
+
+        runsList.Add(runsListPackOption);
+        runsList.Add(runsListStatusOption);
+        runsList.Add(runsListActorOption);
+        runsList.Add(runsListSinceOption);
+        runsList.Add(runsListUntilOption);
+        runsList.Add(runsListPageSizeOption);
+        runsList.Add(runsListPageTokenOption);
+        runsList.Add(tenantOption);
+        runsList.Add(jsonOption);
+        runsList.Add(verboseOption);
+
+        runsList.SetAction((parseResult, _) =>
+        {
+            var packId = parseResult.GetValue(runsListPackOption);
+            var status = parseResult.GetValue(runsListStatusOption);
+            var actor = parseResult.GetValue(runsListActorOption);
+            var since = parseResult.GetValue(runsListSinceOption);
+            var until = parseResult.GetValue(runsListUntilOption);
+            var pageSize = parseResult.GetValue(runsListPageSizeOption);
+            var pageToken = parseResult.GetValue(runsListPageTokenOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackRunsListAsync(
+                services,
+                packId,
+                status,
+                actor,
+                since,
+                until,
+                pageSize,
+                pageToken,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        runs.Add(runsList);
+
+        // pack runs show
+        var runsShow = new Command("show", "Show details of a pack run.");
+
+        var runsShowIdArg = new Argument<string>("run-id")
+        {
+            Description = "Run ID to show."
+        };
+
+        runsShow.Add(runsShowIdArg);
+        runsShow.Add(tenantOption);
+        runsShow.Add(jsonOption);
+        runsShow.Add(verboseOption);
+
+        runsShow.SetAction((parseResult, _) =>
+        {
+            var runId = parseResult.GetValue(runsShowIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackRunsShowAsync(
+                services,
+                runId,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        runs.Add(runsShow);
+
+        // pack runs cancel
+        var runsCancel = new Command("cancel", "Cancel a running pack.");
+
+        var runsCancelIdArg = new Argument<string>("run-id")
+        {
+            Description = "Run ID to cancel."
+        };
+
+        var runsCancelReasonOption = new Option<string?>("--reason")
+        {
+            Description = "Reason for cancellation (appears in audit log)."
+        };
+
+        var runsCancelForceOption = new Option<bool>("--force")
+        {
+            Description = "Force cancel even if steps are running."
+        };
+
+        runsCancel.Add(runsCancelIdArg);
+        runsCancel.Add(runsCancelReasonOption);
+        runsCancel.Add(runsCancelForceOption);
+        runsCancel.Add(tenantOption);
+        runsCancel.Add(jsonOption);
+        runsCancel.Add(verboseOption);
+
+        runsCancel.SetAction((parseResult, _) =>
+        {
+            var runId = parseResult.GetValue(runsCancelIdArg) ?? string.Empty;
+            var reason = parseResult.GetValue(runsCancelReasonOption);
+            var force = parseResult.GetValue(runsCancelForceOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackRunsCancelAsync(
+                services,
+                runId,
+                reason,
+                force,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        runs.Add(runsCancel);
+
+        // pack runs pause
+        var runsPause = new Command("pause", "Pause a pack run for approval.");
+
+        var runsPauseIdArg = new Argument<string>("run-id")
+        {
+            Description = "Run ID to pause."
+        };
+
+        var runsPauseReasonOption = new Option<string?>("--reason")
+        {
+            Description = "Reason for pause (appears in audit log)."
+        };
+
+        var runsPauseStepOption = new Option<string?>("--step")
+        {
+            Description = "Specific step to pause at (next step if not specified)."
+        };
+
+        runsPause.Add(runsPauseIdArg);
+        runsPause.Add(runsPauseReasonOption);
+        runsPause.Add(runsPauseStepOption);
+        runsPause.Add(tenantOption);
+        runsPause.Add(jsonOption);
+        runsPause.Add(verboseOption);
+
+        runsPause.SetAction((parseResult, _) =>
+        {
+            var runId = parseResult.GetValue(runsPauseIdArg) ?? string.Empty;
+            var reason = parseResult.GetValue(runsPauseReasonOption);
+            var stepId = parseResult.GetValue(runsPauseStepOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackRunsPauseAsync(
+                services,
+                runId,
+                reason,
+                stepId,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        runs.Add(runsPause);
+
+        // pack runs resume
+        var runsResume = new Command("resume", "Resume a paused pack run.");
+
+        var runsResumeIdArg = new Argument<string>("run-id")
+        {
+            Description = "Run ID to resume."
+        };
+
+        var runsResumeApproveOption = new Option<bool>("--approve")
+        {
+            Description = "Approve the pending step (default: true)."
+        };
+        runsResumeApproveOption.SetDefaultValue(true);
+
+        var runsResumeReasonOption = new Option<string?>("--reason")
+        {
+            Description = "Reason for approval decision (appears in audit log)."
+        };
+
+        var runsResumeStepOption = new Option<string?>("--step")
+        {
+            Description = "Specific step to approve (current pending step if not specified)."
+        };
+
+        runsResume.Add(runsResumeIdArg);
+        runsResume.Add(runsResumeApproveOption);
+        runsResume.Add(runsResumeReasonOption);
+        runsResume.Add(runsResumeStepOption);
+        runsResume.Add(tenantOption);
+        runsResume.Add(jsonOption);
+        runsResume.Add(verboseOption);
+
+        runsResume.SetAction((parseResult, _) =>
+        {
+            var runId = parseResult.GetValue(runsResumeIdArg) ?? string.Empty;
+            var approve = parseResult.GetValue(runsResumeApproveOption);
+            var reason = parseResult.GetValue(runsResumeReasonOption);
+            var stepId = parseResult.GetValue(runsResumeStepOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackRunsResumeAsync(
+                services,
+                runId,
+                approve,
+                reason,
+                stepId,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        runs.Add(runsResume);
+
+        // pack runs logs
+        var runsLogs = new Command("logs", "Get logs for a pack run.");
+
+        var runsLogsIdArg = new Argument<string>("run-id")
+        {
+            Description = "Run ID to get logs for."
+        };
+
+        var runsLogsStepOption = new Option<string?>("--step")
+        {
+            Description = "Filter logs by step ID."
+        };
+
+        var runsLogsTailOption = new Option<int?>("--tail")
+        {
+            Description = "Show only the last N lines."
+        };
+
+        var runsLogsSinceOption = new Option<DateTimeOffset?>("--since")
+        {
+            Description = "Show logs since timestamp (ISO-8601)."
+        };
+
+        runsLogs.Add(runsLogsIdArg);
+        runsLogs.Add(runsLogsStepOption);
+        runsLogs.Add(runsLogsTailOption);
+        runsLogs.Add(runsLogsSinceOption);
+        runsLogs.Add(tenantOption);
+        runsLogs.Add(jsonOption);
+        runsLogs.Add(verboseOption);
+
+        runsLogs.SetAction((parseResult, _) =>
+        {
+            var runId = parseResult.GetValue(runsLogsIdArg) ?? string.Empty;
+            var stepId = parseResult.GetValue(runsLogsStepOption);
+            var tail = parseResult.GetValue(runsLogsTailOption);
+            var since = parseResult.GetValue(runsLogsSinceOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackRunsLogsAsync(
+                services,
+                runId,
+                stepId,
+                tail,
+                since,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        runs.Add(runsLogs);
+
+        pack.Add(runs);
+
+        // pack secrets inject
+        var secrets = new Command("secrets", "Secret injection for pack runs.");
+
+        var secretsInject = new Command("inject", "Inject a secret into a pack run.");
+
+        var secretsInjectRunIdArg = new Argument<string>("run-id")
+        {
+            Description = "Run ID to inject secret into."
+        };
+
+        var secretsInjectRefOption = new Option<string>("--secret-ref")
+        {
+            Description = "Secret reference (provider-specific path).",
+            IsRequired = true
+        };
+
+        var secretsInjectProviderOption = new Option<string>("--provider")
+        {
+            Description = "Secret provider: vault, aws-ssm, azure-keyvault, k8s-secret."
+        };
+        secretsInjectProviderOption.SetDefaultValue("vault");
+
+        var secretsInjectEnvVarOption = new Option<string?>("--env-var")
+        {
+            Description = "Target environment variable name."
+        };
+
+        var secretsInjectPathOption = new Option<string?>("--path")
+        {
+            Description = "Target file path within the run container."
+        };
+
+        var secretsInjectStepOption = new Option<string?>("--step")
+        {
+            Description = "Inject for specific step only."
+        };
+
+        secretsInject.Add(secretsInjectRunIdArg);
+        secretsInject.Add(secretsInjectRefOption);
+        secretsInject.Add(secretsInjectProviderOption);
+        secretsInject.Add(secretsInjectEnvVarOption);
+        secretsInject.Add(secretsInjectPathOption);
+        secretsInject.Add(secretsInjectStepOption);
+        secretsInject.Add(tenantOption);
+        secretsInject.Add(jsonOption);
+        secretsInject.Add(verboseOption);
+
+        secretsInject.SetAction((parseResult, _) =>
+        {
+            var runId = parseResult.GetValue(secretsInjectRunIdArg) ?? string.Empty;
+            var secretRef = parseResult.GetValue(secretsInjectRefOption) ?? string.Empty;
+            var provider = parseResult.GetValue(secretsInjectProviderOption) ?? "vault";
+            var envVar = parseResult.GetValue(secretsInjectEnvVarOption);
+            var path = parseResult.GetValue(secretsInjectPathOption);
+            var stepId = parseResult.GetValue(secretsInjectStepOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackSecretsInjectAsync(
+                services,
+                runId,
+                secretRef,
+                provider,
+                envVar,
+                path,
+                stepId,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        secrets.Add(secretsInject);
+
+        pack.Add(secrets);
+
+        // pack cache
+        var cache = new Command("cache", "Manage offline pack cache.");
+
+        // pack cache list
+        var cacheList = new Command("list", "List cached packs.");
+
+        var cacheDirOption = new Option<string?>("--cache-dir")
+        {
+            Description = "Cache directory path (uses default if not specified)."
+        };
+
+        cacheList.Add(cacheDirOption);
+        cacheList.Add(jsonOption);
+        cacheList.Add(verboseOption);
+
+        cacheList.SetAction((parseResult, _) =>
+        {
+            var cacheDir = parseResult.GetValue(cacheDirOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackCacheListAsync(
+                services,
+                cacheDir,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        cache.Add(cacheList);
+
+        // pack cache add
+        var cacheAdd = new Command("add", "Add a pack to the cache.");
+
+        var cacheAddPackIdArg = new Argument<string>("pack-id")
+        {
+            Description = "Pack ID to cache."
+        };
+
+        var cacheAddVersionOption = new Option<string?>("--version", "-v")
+        {
+            Description = "Pack version (defaults to latest)."
+        };
+
+        cacheAdd.Add(cacheAddPackIdArg);
+        cacheAdd.Add(cacheAddVersionOption);
+        cacheAdd.Add(cacheDirOption);
+        cacheAdd.Add(tenantOption);
+        cacheAdd.Add(jsonOption);
+        cacheAdd.Add(verboseOption);
+
+        cacheAdd.SetAction((parseResult, _) =>
+        {
+            var packId = parseResult.GetValue(cacheAddPackIdArg) ?? string.Empty;
+            var version = parseResult.GetValue(cacheAddVersionOption);
+            var cacheDir = parseResult.GetValue(cacheDirOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackCacheAddAsync(
+                services,
+                packId,
+                version,
+                cacheDir,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        cache.Add(cacheAdd);
+
+        // pack cache prune
+        var cachePrune = new Command("prune", "Remove old or unused packs from cache.");
+
+        var cachePruneMaxAgeOption = new Option<int?>("--max-age-days")
+        {
+            Description = "Remove packs older than N days."
+        };
+
+        var cachePruneMaxSizeOption = new Option<long?>("--max-size-mb")
+        {
+            Description = "Prune to keep cache under N megabytes."
+        };
+
+        var cachePruneDryRunOption = new Option<bool>("--dry-run")
+        {
+            Description = "Preview what would be removed without actually pruning."
+        };
+
+        cachePrune.Add(cachePruneMaxAgeOption);
+        cachePrune.Add(cachePruneMaxSizeOption);
+        cachePrune.Add(cachePruneDryRunOption);
+        cachePrune.Add(cacheDirOption);
+        cachePrune.Add(jsonOption);
+        cachePrune.Add(verboseOption);
+
+        cachePrune.SetAction((parseResult, _) =>
+        {
+            var maxAgeDays = parseResult.GetValue(cachePruneMaxAgeOption);
+            var maxSizeMb = parseResult.GetValue(cachePruneMaxSizeOption);
+            var dryRun = parseResult.GetValue(cachePruneDryRunOption);
+            var cacheDir = parseResult.GetValue(cacheDirOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandlePackCachePruneAsync(
+                services,
+                maxAgeDays,
+                maxSizeMb,
+                dryRun,
+                cacheDir,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        cache.Add(cachePrune);
+
+        pack.Add(cache);
+
+        return pack;
+    }
+
+    // CLI-EXC-25-001: Exception governance commands
+    private static Command BuildExceptionsCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var exceptions = new Command("exceptions", "Exception governance: list, show, create, promote, revoke, import, export.");
+
+        // Common options
+        var tenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant scope for the operation."
+        };
+
+        var jsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        // exceptions list
+        var list = new Command("list", "List exceptions with filters.");
+
+        var listVulnOption = new Option<string?>("--vuln")
+        {
+            Description = "Filter by vulnerability ID (CVE or alias)."
+        };
+
+        var listScopeTypeOption = new Option<string?>("--scope-type")
+        {
+            Description = "Filter by scope type: purl, image, component, tenant."
+        };
+
+        var listScopeValueOption = new Option<string?>("--scope-value")
+        {
+            Description = "Filter by scope value (e.g., purl string, image ref)."
+        };
+
+        var listStatusOption = new Option<string[]>("--status", "-s")
+        {
+            Description = "Filter by status (repeatable): draft, staged, active, expired, revoked.",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        listStatusOption.AllowMultipleArgumentsPerToken = true;
+
+        var listOwnerOption = new Option<string?>("--owner")
+        {
+            Description = "Filter by owner."
+        };
+
+        var listEffectOption = new Option<string?>("--effect")
+        {
+            Description = "Filter by effect type: suppress, defer, downgrade, requireControl."
+        };
+
+        var listExpiringOption = new Option<int?>("--expiring-within-days")
+        {
+            Description = "Show exceptions expiring within N days."
+        };
+
+        var listIncludeExpiredOption = new Option<bool>("--include-expired")
+        {
+            Description = "Include expired exceptions in results."
+        };
+
+        var listPageSizeOption = new Option<int>("--page-size")
+        {
+            Description = "Results per page (default: 50)."
+        };
+        listPageSizeOption.SetDefaultValue(50);
+
+        var listPageTokenOption = new Option<string?>("--page-token")
+        {
+            Description = "Pagination token for next page."
+        };
+
+        var listCsvOption = new Option<bool>("--csv")
+        {
+            Description = "Output as CSV."
+        };
+
+        list.Add(listVulnOption);
+        list.Add(listScopeTypeOption);
+        list.Add(listScopeValueOption);
+        list.Add(listStatusOption);
+        list.Add(listOwnerOption);
+        list.Add(listEffectOption);
+        list.Add(listExpiringOption);
+        list.Add(listIncludeExpiredOption);
+        list.Add(listPageSizeOption);
+        list.Add(listPageTokenOption);
+        list.Add(tenantOption);
+        list.Add(jsonOption);
+        list.Add(listCsvOption);
+        list.Add(verboseOption);
+
+        list.SetAction((parseResult, _) =>
+        {
+            var vuln = parseResult.GetValue(listVulnOption);
+            var scopeType = parseResult.GetValue(listScopeTypeOption);
+            var scopeValue = parseResult.GetValue(listScopeValueOption);
+            var statuses = parseResult.GetValue(listStatusOption) ?? Array.Empty<string>();
+            var owner = parseResult.GetValue(listOwnerOption);
+            var effect = parseResult.GetValue(listEffectOption);
+            var expiringDays = parseResult.GetValue(listExpiringOption);
+            var includeExpired = parseResult.GetValue(listIncludeExpiredOption);
+            var pageSize = parseResult.GetValue(listPageSizeOption);
+            var pageToken = parseResult.GetValue(listPageTokenOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var csv = parseResult.GetValue(listCsvOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleExceptionsListAsync(
+                services,
+                vuln,
+                scopeType,
+                scopeValue,
+                statuses,
+                owner,
+                effect,
+                expiringDays,
+                includeExpired,
+                pageSize,
+                pageToken,
+                tenant,
+                json,
+                csv,
+                verbose,
+                cancellationToken);
+        });
+
+        exceptions.Add(list);
+
+        // exceptions show
+        var show = new Command("show", "Show exception details.");
+
+        var showIdArg = new Argument<string>("exception-id")
+        {
+            Description = "Exception ID to show."
+        };
+
+        show.Add(showIdArg);
+        show.Add(tenantOption);
+        show.Add(jsonOption);
+        show.Add(verboseOption);
+
+        show.SetAction((parseResult, _) =>
+        {
+            var exceptionId = parseResult.GetValue(showIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleExceptionsShowAsync(
+                services,
+                exceptionId,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        exceptions.Add(show);
+
+        // exceptions create
+        var create = new Command("create", "Create a new exception.");
+
+        var createVulnOption = new Option<string>("--vuln")
+        {
+            Description = "Vulnerability ID (CVE or alias).",
+            Required = true
+        };
+
+        var createScopeTypeOption = new Option<string>("--scope-type")
+        {
+            Description = "Scope type: purl, image, component, tenant.",
+            Required = true
+        };
+
+        var createScopeValueOption = new Option<string>("--scope-value")
+        {
+            Description = "Scope value (e.g., purl string, image ref).",
+            Required = true
+        };
+
+        var createEffectOption = new Option<string>("--effect")
+        {
+            Description = "Effect ID to apply.",
+            Required = true
+        };
+
+        var createJustificationOption = new Option<string>("--justification")
+        {
+            Description = "Justification for the exception.",
+            Required = true
+        };
+
+        var createOwnerOption = new Option<string>("--owner")
+        {
+            Description = "Owner of the exception.",
+            Required = true
+        };
+
+        var createExpirationOption = new Option<string?>("--expiration")
+        {
+            Description = "Expiration date (ISO-8601) or relative (e.g., +30d, +90d)."
+        };
+
+        var createEvidenceOption = new Option<string[]>("--evidence")
+        {
+            Description = "Evidence reference (type:uri format, repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        createEvidenceOption.AllowMultipleArgumentsPerToken = true;
+
+        var createPolicyOption = new Option<string?>("--policy")
+        {
+            Description = "Policy binding (policy ID or version)."
+        };
+
+        var createStageOption = new Option<bool>("--stage")
+        {
+            Description = "Create as staged (skip draft status)."
+        };
+
+        create.Add(createVulnOption);
+        create.Add(createScopeTypeOption);
+        create.Add(createScopeValueOption);
+        create.Add(createEffectOption);
+        create.Add(createJustificationOption);
+        create.Add(createOwnerOption);
+        create.Add(createExpirationOption);
+        create.Add(createEvidenceOption);
+        create.Add(createPolicyOption);
+        create.Add(createStageOption);
+        create.Add(tenantOption);
+        create.Add(jsonOption);
+        create.Add(verboseOption);
+
+        create.SetAction((parseResult, _) =>
+        {
+            var vuln = parseResult.GetValue(createVulnOption) ?? string.Empty;
+            var scopeType = parseResult.GetValue(createScopeTypeOption) ?? string.Empty;
+            var scopeValue = parseResult.GetValue(createScopeValueOption) ?? string.Empty;
+            var effect = parseResult.GetValue(createEffectOption) ?? string.Empty;
+            var justification = parseResult.GetValue(createJustificationOption) ?? string.Empty;
+            var owner = parseResult.GetValue(createOwnerOption) ?? string.Empty;
+            var expiration = parseResult.GetValue(createExpirationOption);
+            var evidence = parseResult.GetValue(createEvidenceOption) ?? Array.Empty<string>();
+            var policy = parseResult.GetValue(createPolicyOption);
+            var stage = parseResult.GetValue(createStageOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleExceptionsCreateAsync(
+                services,
+                vuln,
+                scopeType,
+                scopeValue,
+                effect,
+                justification,
+                owner,
+                expiration,
+                evidence,
+                policy,
+                stage,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        exceptions.Add(create);
+
+        // exceptions promote
+        var promote = new Command("promote", "Promote exception to next lifecycle stage.");
+
+        var promoteIdArg = new Argument<string>("exception-id")
+        {
+            Description = "Exception ID to promote."
+        };
+
+        var promoteTargetOption = new Option<string?>("--target")
+        {
+            Description = "Target status: staged or active (defaults to next stage)."
+        };
+
+        var promoteCommentOption = new Option<string?>("--comment")
+        {
+            Description = "Comment for the promotion (appears in audit log)."
+        };
+
+        promote.Add(promoteIdArg);
+        promote.Add(promoteTargetOption);
+        promote.Add(promoteCommentOption);
+        promote.Add(tenantOption);
+        promote.Add(jsonOption);
+        promote.Add(verboseOption);
+
+        promote.SetAction((parseResult, _) =>
+        {
+            var exceptionId = parseResult.GetValue(promoteIdArg) ?? string.Empty;
+            var target = parseResult.GetValue(promoteTargetOption);
+            var comment = parseResult.GetValue(promoteCommentOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleExceptionsPromoteAsync(
+                services,
+                exceptionId,
+                target,
+                comment,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        exceptions.Add(promote);
+
+        // exceptions revoke
+        var revoke = new Command("revoke", "Revoke an active exception.");
+
+        var revokeIdArg = new Argument<string>("exception-id")
+        {
+            Description = "Exception ID to revoke."
+        };
+
+        var revokeReasonOption = new Option<string?>("--reason")
+        {
+            Description = "Reason for revocation (appears in audit log)."
+        };
+
+        revoke.Add(revokeIdArg);
+        revoke.Add(revokeReasonOption);
+        revoke.Add(tenantOption);
+        revoke.Add(jsonOption);
+        revoke.Add(verboseOption);
+
+        revoke.SetAction((parseResult, _) =>
+        {
+            var exceptionId = parseResult.GetValue(revokeIdArg) ?? string.Empty;
+            var reason = parseResult.GetValue(revokeReasonOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleExceptionsRevokeAsync(
+                services,
+                exceptionId,
+                reason,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        exceptions.Add(revoke);
+
+        // exceptions import
+        var import = new Command("import", "Import exceptions from NDJSON file.");
+
+        var importFileArg = new Argument<string>("file")
+        {
+            Description = "Path to NDJSON file containing exceptions."
+        };
+
+        var importStageOption = new Option<bool>("--stage")
+        {
+            Description = "Import as staged (default: true)."
+        };
+        importStageOption.SetDefaultValue(true);
+
+        var importSourceOption = new Option<string?>("--source")
+        {
+            Description = "Source label for imported exceptions."
+        };
+
+        import.Add(importFileArg);
+        import.Add(importStageOption);
+        import.Add(importSourceOption);
+        import.Add(tenantOption);
+        import.Add(jsonOption);
+        import.Add(verboseOption);
+
+        import.SetAction((parseResult, _) =>
+        {
+            var file = parseResult.GetValue(importFileArg) ?? string.Empty;
+            var stage = parseResult.GetValue(importStageOption);
+            var source = parseResult.GetValue(importSourceOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleExceptionsImportAsync(
+                services,
+                file,
+                stage,
+                source,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        exceptions.Add(import);
+
+        // exceptions export
+        var export = new Command("export", "Export exceptions to file.");
+
+        var exportOutputOption = new Option<string>("--output", "-o")
+        {
+            Description = "Output file path.",
+            Required = true
+        };
+
+        var exportStatusOption = new Option<string[]>("--status", "-s")
+        {
+            Description = "Filter by status (repeatable).",
+            Arity = ArgumentArity.ZeroOrMore
+        };
+        exportStatusOption.AllowMultipleArgumentsPerToken = true;
+
+        var exportFormatOption = new Option<string>("--format")
+        {
+            Description = "Output format: ndjson or json (default: ndjson)."
+        };
+        exportFormatOption.SetDefaultValue("ndjson");
+
+        var exportSignedOption = new Option<bool>("--signed")
+        {
+            Description = "Request signed export with attestation."
+        };
+
+        export.Add(exportOutputOption);
+        export.Add(exportStatusOption);
+        export.Add(exportFormatOption);
+        export.Add(exportSignedOption);
+        export.Add(tenantOption);
+        export.Add(verboseOption);
+
+        export.SetAction((parseResult, _) =>
+        {
+            var output = parseResult.GetValue(exportOutputOption) ?? string.Empty;
+            var statuses = parseResult.GetValue(exportStatusOption) ?? Array.Empty<string>();
+            var format = parseResult.GetValue(exportFormatOption) ?? "ndjson";
+            var signed = parseResult.GetValue(exportSignedOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleExceptionsExportAsync(
+                services,
+                output,
+                statuses,
+                format,
+                signed,
+                tenant,
+                verbose,
+                cancellationToken);
+        });
+
+        exceptions.Add(export);
+
+        return exceptions;
+    }
+
+    // CLI-ORCH-32-001: Orchestrator commands
+    private static Command BuildOrchCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var orch = new Command("orch", "Interact with Source & Job Orchestrator.");
+
+        // Common options
+        var tenantOption = new Option<string?>("--tenant")
+        {
+            Description = "Tenant ID to scope the operation."
+        };
+
+        var jsonOption = new Option<bool>("--json")
+        {
+            Description = "Output results as JSON."
+        };
+
+        // sources subcommand group
+        var sources = new Command("sources", "Manage orchestrator data sources.");
+
+        // sources list
+        var sourcesList = new Command("list", "List orchestrator sources.");
+
+        var typeOption = new Option<string?>("--type")
+        {
+            Description = "Filter by source type (advisory, vex, sbom, package, registry, custom)."
+        };
+
+        var statusOption = new Option<string?>("--status")
+        {
+            Description = "Filter by status (active, paused, disabled, throttled, error)."
+        };
+
+        var enabledOption = new Option<bool?>("--enabled")
+        {
+            Description = "Filter by enabled state."
+        };
+
+        var hostOption = new Option<string?>("--host")
+        {
+            Description = "Filter by host name."
+        };
+
+        var tagOption = new Option<string?>("--tag")
+        {
+            Description = "Filter by tag."
+        };
+
+        var pageSizeOption = new Option<int>("--page-size")
+        {
+            Description = "Number of results per page (default 50)."
+        };
+        pageSizeOption.SetDefaultValue(50);
+
+        var pageTokenOption = new Option<string?>("--page-token")
+        {
+            Description = "Page token for pagination."
+        };
+
+        sourcesList.Add(tenantOption);
+        sourcesList.Add(typeOption);
+        sourcesList.Add(statusOption);
+        sourcesList.Add(enabledOption);
+        sourcesList.Add(hostOption);
+        sourcesList.Add(tagOption);
+        sourcesList.Add(pageSizeOption);
+        sourcesList.Add(pageTokenOption);
+        sourcesList.Add(jsonOption);
+        sourcesList.Add(verboseOption);
+
+        sourcesList.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var type = parseResult.GetValue(typeOption);
+            var status = parseResult.GetValue(statusOption);
+            var enabled = parseResult.GetValue(enabledOption);
+            var host = parseResult.GetValue(hostOption);
+            var tag = parseResult.GetValue(tagOption);
+            var pageSize = parseResult.GetValue(pageSizeOption);
+            var pageToken = parseResult.GetValue(pageTokenOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOrchSourcesListAsync(
+                services,
+                tenant,
+                type,
+                status,
+                enabled,
+                host,
+                tag,
+                pageSize,
+                pageToken,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        sources.Add(sourcesList);
+
+        // sources show
+        var sourcesShow = new Command("show", "Show details for a specific source.");
+
+        var sourceIdArg = new Argument<string>("source-id")
+        {
+            Description = "Source ID to show."
+        };
+
+        sourcesShow.Add(sourceIdArg);
+        sourcesShow.Add(tenantOption);
+        sourcesShow.Add(jsonOption);
+        sourcesShow.Add(verboseOption);
+
+        sourcesShow.SetAction((parseResult, _) =>
+        {
+            var sourceId = parseResult.GetValue(sourceIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOrchSourcesShowAsync(
+                services,
+                sourceId,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        sources.Add(sourcesShow);
+
+        // CLI-ORCH-33-001: sources test
+        var sourcesTest = new Command("test", "Test connectivity to a source.");
+
+        var testSourceIdArg = new Argument<string>("source-id")
+        {
+            Description = "Source ID to test."
+        };
+
+        var testTimeoutOption = new Option<int>("--timeout")
+        {
+            Description = "Timeout in seconds (default 30)."
+        };
+        testTimeoutOption.SetDefaultValue(30);
+
+        sourcesTest.Add(testSourceIdArg);
+        sourcesTest.Add(tenantOption);
+        sourcesTest.Add(testTimeoutOption);
+        sourcesTest.Add(jsonOption);
+        sourcesTest.Add(verboseOption);
+
+        sourcesTest.SetAction((parseResult, _) =>
+        {
+            var sourceId = parseResult.GetValue(testSourceIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var timeout = parseResult.GetValue(testTimeoutOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOrchSourcesTestAsync(
+                services,
+                sourceId,
+                tenant,
+                timeout,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        sources.Add(sourcesTest);
+
+        // CLI-ORCH-33-001: sources pause
+        var sourcesPause = new Command("pause", "Pause a source (stops scheduled runs).");
+
+        var pauseSourceIdArg = new Argument<string>("source-id")
+        {
+            Description = "Source ID to pause."
+        };
+
+        var pauseReasonOption = new Option<string?>("--reason")
+        {
+            Description = "Reason for pausing (appears in audit log)."
+        };
+
+        var pauseDurationOption = new Option<int?>("--duration")
+        {
+            Description = "Duration in minutes before auto-resume (optional)."
+        };
+
+        sourcesPause.Add(pauseSourceIdArg);
+        sourcesPause.Add(tenantOption);
+        sourcesPause.Add(pauseReasonOption);
+        sourcesPause.Add(pauseDurationOption);
+        sourcesPause.Add(jsonOption);
+        sourcesPause.Add(verboseOption);
+
+        sourcesPause.SetAction((parseResult, _) =>
+        {
+            var sourceId = parseResult.GetValue(pauseSourceIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var reason = parseResult.GetValue(pauseReasonOption);
+            var duration = parseResult.GetValue(pauseDurationOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOrchSourcesPauseAsync(
+                services,
+                sourceId,
+                tenant,
+                reason,
+                duration,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        sources.Add(sourcesPause);
+
+        // CLI-ORCH-33-001: sources resume
+        var sourcesResume = new Command("resume", "Resume a paused source.");
+
+        var resumeSourceIdArg = new Argument<string>("source-id")
+        {
+            Description = "Source ID to resume."
+        };
+
+        var resumeReasonOption = new Option<string?>("--reason")
+        {
+            Description = "Reason for resuming (appears in audit log)."
+        };
+
+        sourcesResume.Add(resumeSourceIdArg);
+        sourcesResume.Add(tenantOption);
+        sourcesResume.Add(resumeReasonOption);
+        sourcesResume.Add(jsonOption);
+        sourcesResume.Add(verboseOption);
+
+        sourcesResume.SetAction((parseResult, _) =>
+        {
+            var sourceId = parseResult.GetValue(resumeSourceIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var reason = parseResult.GetValue(resumeReasonOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOrchSourcesResumeAsync(
+                services,
+                sourceId,
+                tenant,
+                reason,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        sources.Add(sourcesResume);
+
+        orch.Add(sources);
+
+        // CLI-ORCH-34-001: backfill command group
+        var backfill = new Command("backfill", "Manage backfill operations for data sources.");
+
+        // backfill start (wizard)
+        var backfillStart = new Command("start", "Start a backfill operation for a source.");
+
+        var backfillSourceIdArg = new Argument<string>("source-id")
+        {
+            Description = "Source ID to backfill."
+        };
+
+        var backfillFromOption = new Option<DateTimeOffset>("--from")
+        {
+            Description = "Start date/time for backfill (ISO 8601 format).",
+            IsRequired = true
+        };
+
+        var backfillToOption = new Option<DateTimeOffset>("--to")
+        {
+            Description = "End date/time for backfill (ISO 8601 format).",
+            IsRequired = true
+        };
+
+        var backfillDryRunOption = new Option<bool>("--dry-run")
+        {
+            Description = "Preview what would be backfilled without executing."
+        };
+
+        var backfillPriorityOption = new Option<int>("--priority")
+        {
+            Description = "Priority level 1-10 (default 5, higher = more resources)."
+        };
+        backfillPriorityOption.SetDefaultValue(5);
+
+        var backfillConcurrencyOption = new Option<int>("--concurrency")
+        {
+            Description = "Number of concurrent workers (default 1)."
+        };
+        backfillConcurrencyOption.SetDefaultValue(1);
+
+        var backfillBatchSizeOption = new Option<int>("--batch-size")
+        {
+            Description = "Items per batch (default 100)."
+        };
+        backfillBatchSizeOption.SetDefaultValue(100);
+
+        var backfillResumeOption = new Option<bool>("--resume")
+        {
+            Description = "Resume from last checkpoint if a previous backfill was interrupted."
+        };
+
+        var backfillFilterOption = new Option<string?>("--filter")
+        {
+            Description = "Filter expression to limit items (source-specific syntax)."
+        };
+
+        var backfillForceOption = new Option<bool>("--force")
+        {
+            Description = "Force backfill even if data already exists (overwrites)."
+        };
+
+        backfillStart.Add(backfillSourceIdArg);
+        backfillStart.Add(tenantOption);
+        backfillStart.Add(backfillFromOption);
+        backfillStart.Add(backfillToOption);
+        backfillStart.Add(backfillDryRunOption);
+        backfillStart.Add(backfillPriorityOption);
+        backfillStart.Add(backfillConcurrencyOption);
+        backfillStart.Add(backfillBatchSizeOption);
+        backfillStart.Add(backfillResumeOption);
+        backfillStart.Add(backfillFilterOption);
+        backfillStart.Add(backfillForceOption);
+        backfillStart.Add(jsonOption);
+        backfillStart.Add(verboseOption);
+
+        backfillStart.SetAction((parseResult, _) =>
+        {
+            var sourceId = parseResult.GetValue(backfillSourceIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var from = parseResult.GetValue(backfillFromOption);
+            var to = parseResult.GetValue(backfillToOption);
+            var dryRun = parseResult.GetValue(backfillDryRunOption);
+            var priority = parseResult.GetValue(backfillPriorityOption);
+            var concurrency = parseResult.GetValue(backfillConcurrencyOption);
+            var batchSize = parseResult.GetValue(backfillBatchSizeOption);
+            var resume = parseResult.GetValue(backfillResumeOption);
+            var filter = parseResult.GetValue(backfillFilterOption);
+            var force = parseResult.GetValue(backfillForceOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOrchBackfillStartAsync(
+                services,
+                sourceId,
+                tenant,
+                from,
+                to,
+                dryRun,
+                priority,
+                concurrency,
+                batchSize,
+                resume,
+                filter,
+                force,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        backfill.Add(backfillStart);
+
+        // backfill status
+        var backfillStatus = new Command("status", "Show status of a backfill operation.");
+
+        var backfillIdArg = new Argument<string>("backfill-id")
+        {
+            Description = "Backfill operation ID."
+        };
+
+        backfillStatus.Add(backfillIdArg);
+        backfillStatus.Add(tenantOption);
+        backfillStatus.Add(jsonOption);
+        backfillStatus.Add(verboseOption);
+
+        backfillStatus.SetAction((parseResult, _) =>
+        {
+            var backfillId = parseResult.GetValue(backfillIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOrchBackfillStatusAsync(
+                services,
+                backfillId,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        backfill.Add(backfillStatus);
+
+        // backfill list
+        var backfillList = new Command("list", "List backfill operations.");
+
+        var backfillSourceFilterOption = new Option<string?>("--source")
+        {
+            Description = "Filter by source ID."
+        };
+
+        var backfillStatusFilterOption = new Option<string?>("--status")
+        {
+            Description = "Filter by status (pending, running, completed, failed, cancelled)."
+        };
+
+        backfillList.Add(backfillSourceFilterOption);
+        backfillList.Add(backfillStatusFilterOption);
+        backfillList.Add(tenantOption);
+        backfillList.Add(pageSizeOption);
+        backfillList.Add(pageTokenOption);
+        backfillList.Add(jsonOption);
+        backfillList.Add(verboseOption);
+
+        backfillList.SetAction((parseResult, _) =>
+        {
+            var sourceId = parseResult.GetValue(backfillSourceFilterOption);
+            var status = parseResult.GetValue(backfillStatusFilterOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var pageSize = parseResult.GetValue(pageSizeOption);
+            var pageToken = parseResult.GetValue(pageTokenOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOrchBackfillListAsync(
+                services,
+                sourceId,
+                status,
+                tenant,
+                pageSize,
+                pageToken,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        backfill.Add(backfillList);
+
+        // backfill cancel
+        var backfillCancel = new Command("cancel", "Cancel a running backfill operation.");
+
+        var cancelBackfillIdArg = new Argument<string>("backfill-id")
+        {
+            Description = "Backfill operation ID to cancel."
+        };
+
+        var cancelReasonOption = new Option<string?>("--reason")
+        {
+            Description = "Reason for cancellation (appears in audit log)."
+        };
+
+        backfillCancel.Add(cancelBackfillIdArg);
+        backfillCancel.Add(tenantOption);
+        backfillCancel.Add(cancelReasonOption);
+        backfillCancel.Add(jsonOption);
+        backfillCancel.Add(verboseOption);
+
+        backfillCancel.SetAction((parseResult, _) =>
+        {
+            var backfillId = parseResult.GetValue(cancelBackfillIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var reason = parseResult.GetValue(cancelReasonOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOrchBackfillCancelAsync(
+                services,
+                backfillId,
+                tenant,
+                reason,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        backfill.Add(backfillCancel);
+
+        orch.Add(backfill);
+
+        // CLI-ORCH-34-001: quotas command group
+        var quotas = new Command("quotas", "Manage resource quotas.");
+
+        // quotas get
+        var quotasGet = new Command("get", "Get current quota usage.");
+
+        var quotaSourceOption = new Option<string?>("--source")
+        {
+            Description = "Filter by source ID."
+        };
+
+        var quotaResourceTypeOption = new Option<string?>("--resource-type")
+        {
+            Description = "Filter by resource type (api_calls, data_ingested_bytes, items_processed, backfills, concurrent_jobs, storage_bytes)."
+        };
+
+        quotasGet.Add(tenantOption);
+        quotasGet.Add(quotaSourceOption);
+        quotasGet.Add(quotaResourceTypeOption);
+        quotasGet.Add(jsonOption);
+        quotasGet.Add(verboseOption);
+
+        quotasGet.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var sourceId = parseResult.GetValue(quotaSourceOption);
+            var resourceType = parseResult.GetValue(quotaResourceTypeOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOrchQuotasGetAsync(
+                services,
+                tenant,
+                sourceId,
+                resourceType,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        quotas.Add(quotasGet);
+
+        // quotas set
+        var quotasSet = new Command("set", "Set a quota limit.");
+
+        var quotaSetTenantOption = new Option<string>("--tenant")
+        {
+            Description = "Tenant ID.",
+            IsRequired = true
+        };
+
+        var quotaSetResourceTypeOption = new Option<string>("--resource-type")
+        {
+            Description = "Resource type (api_calls, data_ingested_bytes, items_processed, backfills, concurrent_jobs, storage_bytes).",
+            IsRequired = true
+        };
+
+        var quotaSetLimitOption = new Option<long>("--limit")
+        {
+            Description = "Quota limit value.",
+            IsRequired = true
+        };
+
+        var quotaSetPeriodOption = new Option<string>("--period")
+        {
+            Description = "Quota period (hourly, daily, weekly, monthly). Default: monthly."
+        };
+        quotaSetPeriodOption.SetDefaultValue("monthly");
+
+        var quotaSetWarningThresholdOption = new Option<double>("--warning-threshold")
+        {
+            Description = "Warning threshold as percentage (0.0-1.0). Default: 0.8."
+        };
+        quotaSetWarningThresholdOption.SetDefaultValue(0.8);
+
+        quotasSet.Add(quotaSetTenantOption);
+        quotasSet.Add(quotaSourceOption);
+        quotasSet.Add(quotaSetResourceTypeOption);
+        quotasSet.Add(quotaSetLimitOption);
+        quotasSet.Add(quotaSetPeriodOption);
+        quotasSet.Add(quotaSetWarningThresholdOption);
+        quotasSet.Add(jsonOption);
+        quotasSet.Add(verboseOption);
+
+        quotasSet.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(quotaSetTenantOption) ?? string.Empty;
+            var sourceId = parseResult.GetValue(quotaSourceOption);
+            var resourceType = parseResult.GetValue(quotaSetResourceTypeOption) ?? string.Empty;
+            var limit = parseResult.GetValue(quotaSetLimitOption);
+            var period = parseResult.GetValue(quotaSetPeriodOption) ?? "monthly";
+            var warningThreshold = parseResult.GetValue(quotaSetWarningThresholdOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOrchQuotasSetAsync(
+                services,
+                tenant,
+                sourceId,
+                resourceType,
+                limit,
+                period,
+                warningThreshold,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        quotas.Add(quotasSet);
+
+        // quotas reset
+        var quotasReset = new Command("reset", "Reset a quota's usage counter.");
+
+        var quotaResetTenantOption = new Option<string>("--tenant")
+        {
+            Description = "Tenant ID.",
+            IsRequired = true
+        };
+
+        var quotaResetResourceTypeOption = new Option<string>("--resource-type")
+        {
+            Description = "Resource type to reset.",
+            IsRequired = true
+        };
+
+        var quotaResetReasonOption = new Option<string?>("--reason")
+        {
+            Description = "Reason for reset (appears in audit log)."
+        };
+
+        quotasReset.Add(quotaResetTenantOption);
+        quotasReset.Add(quotaSourceOption);
+        quotasReset.Add(quotaResetResourceTypeOption);
+        quotasReset.Add(quotaResetReasonOption);
+        quotasReset.Add(jsonOption);
+        quotasReset.Add(verboseOption);
+
+        quotasReset.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(quotaResetTenantOption) ?? string.Empty;
+            var sourceId = parseResult.GetValue(quotaSourceOption);
+            var resourceType = parseResult.GetValue(quotaResetResourceTypeOption) ?? string.Empty;
+            var reason = parseResult.GetValue(quotaResetReasonOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleOrchQuotasResetAsync(
+                services,
+                tenant,
+                sourceId,
+                resourceType,
+                reason,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        quotas.Add(quotasReset);
+
+        orch.Add(quotas);
+
+        return orch;
+    }
+
+    // CLI-PARITY-41-001: SBOM command group
+    private static Command BuildSbomCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var sbom = new Command("sbom", "Explore and manage Software Bill of Materials (SBOM) documents.");
+
+        // Common options
+        var tenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant identifier (overrides profile/environment)."
+        };
+        var jsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON for CI integration."
+        };
+
+        // sbom list
+        var list = new Command("list", "List SBOMs with filters and pagination.");
+
+        var listImageRefOption = new Option<string?>("--image")
+        {
+            Description = "Filter by image reference (e.g., myregistry.io/app:v1)."
+        };
+        var listDigestOption = new Option<string?>("--digest")
+        {
+            Description = "Filter by image digest (sha256:...)."
+        };
+        var listFormatOption = new Option<string?>("--format")
+        {
+            Description = "Filter by SBOM format (spdx, cyclonedx)."
+        };
+        var listCreatedAfterOption = new Option<DateTimeOffset?>("--created-after")
+        {
+            Description = "Filter by creation date (ISO 8601)."
+        };
+        var listCreatedBeforeOption = new Option<DateTimeOffset?>("--created-before")
+        {
+            Description = "Filter by creation date (ISO 8601)."
+        };
+        var listHasVulnsOption = new Option<bool?>("--has-vulnerabilities")
+        {
+            Description = "Filter by vulnerability presence."
+        };
+        var listLimitOption = new Option<int>("--limit")
+        {
+            Description = "Maximum results (default 50)."
+        };
+        listLimitOption.SetDefaultValue(50);
+        var listOffsetOption = new Option<int?>("--offset")
+        {
+            Description = "Skip N results for pagination."
+        };
+        var listCursorOption = new Option<string?>("--cursor")
+        {
+            Description = "Pagination cursor from previous response."
+        };
+
+        list.Add(tenantOption);
+        list.Add(listImageRefOption);
+        list.Add(listDigestOption);
+        list.Add(listFormatOption);
+        list.Add(listCreatedAfterOption);
+        list.Add(listCreatedBeforeOption);
+        list.Add(listHasVulnsOption);
+        list.Add(listLimitOption);
+        list.Add(listOffsetOption);
+        list.Add(listCursorOption);
+        list.Add(jsonOption);
+        list.Add(verboseOption);
+
+        list.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var imageRef = parseResult.GetValue(listImageRefOption);
+            var digest = parseResult.GetValue(listDigestOption);
+            var format = parseResult.GetValue(listFormatOption);
+            var createdAfter = parseResult.GetValue(listCreatedAfterOption);
+            var createdBefore = parseResult.GetValue(listCreatedBeforeOption);
+            var hasVulns = parseResult.GetValue(listHasVulnsOption);
+            var limit = parseResult.GetValue(listLimitOption);
+            var offset = parseResult.GetValue(listOffsetOption);
+            var cursor = parseResult.GetValue(listCursorOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomListAsync(
+                services,
+                tenant,
+                imageRef,
+                digest,
+                format,
+                createdAfter,
+                createdBefore,
+                hasVulns,
+                limit,
+                offset,
+                cursor,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        sbom.Add(list);
+
+        // sbom show
+        var show = new Command("show", "Display detailed SBOM information including components, vulnerabilities, and licenses.");
+
+        var showSbomIdArg = new Argument<string>("sbom-id")
+        {
+            Description = "SBOM identifier."
+        };
+        var showComponentsOption = new Option<bool>("--components")
+        {
+            Description = "Include component list."
+        };
+        var showVulnsOption = new Option<bool>("--vulnerabilities")
+        {
+            Description = "Include vulnerability list."
+        };
+        var showLicensesOption = new Option<bool>("--licenses")
+        {
+            Description = "Include license breakdown."
+        };
+        var showExplainOption = new Option<bool>("--explain")
+        {
+            Description = "Include determinism factors and composition path."
+        };
+
+        show.Add(showSbomIdArg);
+        show.Add(tenantOption);
+        show.Add(showComponentsOption);
+        show.Add(showVulnsOption);
+        show.Add(showLicensesOption);
+        show.Add(showExplainOption);
+        show.Add(jsonOption);
+        show.Add(verboseOption);
+
+        show.SetAction((parseResult, _) =>
+        {
+            var sbomId = parseResult.GetValue(showSbomIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var includeComponents = parseResult.GetValue(showComponentsOption);
+            var includeVulns = parseResult.GetValue(showVulnsOption);
+            var includeLicenses = parseResult.GetValue(showLicensesOption);
+            var explain = parseResult.GetValue(showExplainOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomShowAsync(
+                services,
+                sbomId,
+                tenant,
+                includeComponents,
+                includeVulns,
+                includeLicenses,
+                explain,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        sbom.Add(show);
+
+        // sbom compare
+        var compare = new Command("compare", "Compare two SBOMs to show component, vulnerability, and license differences.");
+
+        var compareBaseArg = new Argument<string>("base-sbom-id")
+        {
+            Description = "Base SBOM identifier (before)."
+        };
+        var compareTargetArg = new Argument<string>("target-sbom-id")
+        {
+            Description = "Target SBOM identifier (after)."
+        };
+        var compareUnchangedOption = new Option<bool>("--include-unchanged")
+        {
+            Description = "Include unchanged items in output."
+        };
+
+        compare.Add(compareBaseArg);
+        compare.Add(compareTargetArg);
+        compare.Add(tenantOption);
+        compare.Add(compareUnchangedOption);
+        compare.Add(jsonOption);
+        compare.Add(verboseOption);
+
+        compare.SetAction((parseResult, _) =>
+        {
+            var baseSbomId = parseResult.GetValue(compareBaseArg) ?? string.Empty;
+            var targetSbomId = parseResult.GetValue(compareTargetArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var includeUnchanged = parseResult.GetValue(compareUnchangedOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomCompareAsync(
+                services,
+                baseSbomId,
+                targetSbomId,
+                tenant,
+                includeUnchanged,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        sbom.Add(compare);
+
+        // sbom export
+        var export = new Command("export", "Export an SBOM in SPDX or CycloneDX format.");
+
+        var exportSbomIdArg = new Argument<string>("sbom-id")
+        {
+            Description = "SBOM identifier to export."
+        };
+        var exportFormatOption = new Option<string>("--format")
+        {
+            Description = "Export format (spdx, cyclonedx). Default: spdx."
+        };
+        exportFormatOption.SetDefaultValue("spdx");
+        var exportVersionOption = new Option<string?>("--format-version")
+        {
+            Description = "Format version (e.g., 3.0.1 for SPDX, 1.6 for CycloneDX)."
+        };
+        var exportOutputOption = new Option<string?>("--output", "-o")
+        {
+            Description = "Output file path. If not specified, writes to stdout."
+        };
+        var exportSignedOption = new Option<bool>("--signed")
+        {
+            Description = "Request signed export with attestation."
+        };
+        var exportVexOption = new Option<bool>("--include-vex")
+        {
+            Description = "Embed VEX information in the export."
+        };
+
+        export.Add(exportSbomIdArg);
+        export.Add(tenantOption);
+        export.Add(exportFormatOption);
+        export.Add(exportVersionOption);
+        export.Add(exportOutputOption);
+        export.Add(exportSignedOption);
+        export.Add(exportVexOption);
+        export.Add(verboseOption);
+
+        export.SetAction((parseResult, _) =>
+        {
+            var sbomId = parseResult.GetValue(exportSbomIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var format = parseResult.GetValue(exportFormatOption) ?? "spdx";
+            var formatVersion = parseResult.GetValue(exportVersionOption);
+            var output = parseResult.GetValue(exportOutputOption);
+            var signed = parseResult.GetValue(exportSignedOption);
+            var includeVex = parseResult.GetValue(exportVexOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomExportAsync(
+                services,
+                sbomId,
+                tenant,
+                format,
+                formatVersion,
+                output,
+                signed,
+                includeVex,
+                verbose,
+                cancellationToken);
+        });
+
+        sbom.Add(export);
+
+        // sbom parity-matrix
+        var parityMatrix = new Command("parity-matrix", "Show CLI command coverage and parity matrix.");
+
+        parityMatrix.Add(tenantOption);
+        parityMatrix.Add(jsonOption);
+        parityMatrix.Add(verboseOption);
+
+        parityMatrix.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomParityMatrixAsync(
+                services,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        sbom.Add(parityMatrix);
+
+        return sbom;
+    }
+
+    // CLI-PARITY-41-002: Notify command group
+    private static Command BuildNotifyCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var notify = new Command("notify", "Manage notification channels, rules, and deliveries.");
+
+        // Common options
+        var tenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant identifier."
+        };
+        var jsonOption = new Option<bool>("--json")
+        {
+            Description = "Output in JSON format."
+        };
+        var limitOption = new Option<int?>("--limit", "-l")
+        {
+            Description = "Maximum number of items to return."
+        };
+        var cursorOption = new Option<string?>("--cursor")
+        {
+            Description = "Pagination cursor for next page."
+        };
+
+        // notify channels
+        var channels = new Command("channels", "Manage notification channels.");
+
+        // notify channels list
+        var channelsList = new Command("list", "List notification channels.");
+
+        var channelTypeOption = new Option<string?>("--type")
+        {
+            Description = "Filter by channel type (Slack, Teams, Email, Webhook, PagerDuty, OpsGenie)."
+        };
+        var channelEnabledOption = new Option<bool?>("--enabled")
+        {
+            Description = "Filter by enabled status."
+        };
+
+        channelsList.Add(tenantOption);
+        channelsList.Add(channelTypeOption);
+        channelsList.Add(channelEnabledOption);
+        channelsList.Add(limitOption);
+        channelsList.Add(cursorOption);
+        channelsList.Add(jsonOption);
+        channelsList.Add(verboseOption);
+
+        channelsList.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var channelType = parseResult.GetValue(channelTypeOption);
+            var enabled = parseResult.GetValue(channelEnabledOption);
+            var limit = parseResult.GetValue(limitOption);
+            var cursor = parseResult.GetValue(cursorOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleNotifyChannelsListAsync(
+                services,
+                tenant,
+                channelType,
+                enabled,
+                limit,
+                cursor,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        channels.Add(channelsList);
+
+        // notify channels show
+        var channelsShow = new Command("show", "Show notification channel details.");
+
+        var channelIdArg = new Argument<string>("channel-id")
+        {
+            Description = "Channel identifier."
+        };
+
+        channelsShow.Add(channelIdArg);
+        channelsShow.Add(tenantOption);
+        channelsShow.Add(jsonOption);
+        channelsShow.Add(verboseOption);
+
+        channelsShow.SetAction((parseResult, _) =>
+        {
+            var channelId = parseResult.GetValue(channelIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleNotifyChannelsShowAsync(
+                services,
+                channelId,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        channels.Add(channelsShow);
+
+        // notify channels test
+        var channelsTest = new Command("test", "Test a notification channel by sending a test message.");
+
+        var testMessageOption = new Option<string?>("--message", "-m")
+        {
+            Description = "Custom test message."
+        };
+
+        channelsTest.Add(channelIdArg);
+        channelsTest.Add(tenantOption);
+        channelsTest.Add(testMessageOption);
+        channelsTest.Add(jsonOption);
+        channelsTest.Add(verboseOption);
+
+        channelsTest.SetAction((parseResult, _) =>
+        {
+            var channelId = parseResult.GetValue(channelIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var message = parseResult.GetValue(testMessageOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleNotifyChannelsTestAsync(
+                services,
+                channelId,
+                tenant,
+                message,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        channels.Add(channelsTest);
+
+        notify.Add(channels);
+
+        // notify rules
+        var rules = new Command("rules", "Manage notification routing rules.");
+
+        // notify rules list
+        var rulesList = new Command("list", "List notification rules.");
+
+        var ruleEnabledOption = new Option<bool?>("--enabled")
+        {
+            Description = "Filter by enabled status."
+        };
+        var ruleEventTypeOption = new Option<string?>("--event-type")
+        {
+            Description = "Filter by event type."
+        };
+        var ruleChannelIdOption = new Option<string?>("--channel-id")
+        {
+            Description = "Filter by channel ID."
+        };
+
+        rulesList.Add(tenantOption);
+        rulesList.Add(ruleEnabledOption);
+        rulesList.Add(ruleEventTypeOption);
+        rulesList.Add(ruleChannelIdOption);
+        rulesList.Add(limitOption);
+        rulesList.Add(jsonOption);
+        rulesList.Add(verboseOption);
+
+        rulesList.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var enabled = parseResult.GetValue(ruleEnabledOption);
+            var eventType = parseResult.GetValue(ruleEventTypeOption);
+            var channelId = parseResult.GetValue(ruleChannelIdOption);
+            var limit = parseResult.GetValue(limitOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleNotifyRulesListAsync(
+                services,
+                tenant,
+                enabled,
+                eventType,
+                channelId,
+                limit,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        rules.Add(rulesList);
+
+        notify.Add(rules);
+
+        // notify deliveries
+        var deliveries = new Command("deliveries", "View and manage notification deliveries.");
+
+        // notify deliveries list
+        var deliveriesList = new Command("list", "List notification deliveries.");
+
+        var deliveryStatusOption = new Option<string?>("--status")
+        {
+            Description = "Filter by status (Pending, Sent, Failed, Throttled, Digested, Dropped)."
+        };
+        var deliveryEventTypeOption = new Option<string?>("--event-type")
+        {
+            Description = "Filter by event type."
+        };
+        var deliveryChannelIdOption = new Option<string?>("--channel-id")
+        {
+            Description = "Filter by channel ID."
+        };
+        var deliverySinceOption = new Option<DateTimeOffset?>("--since")
+        {
+            Description = "Filter deliveries since this time (ISO 8601 format)."
+        };
+        var deliveryUntilOption = new Option<DateTimeOffset?>("--until")
+        {
+            Description = "Filter deliveries until this time (ISO 8601 format)."
+        };
+
+        deliveriesList.Add(tenantOption);
+        deliveriesList.Add(deliveryStatusOption);
+        deliveriesList.Add(deliveryEventTypeOption);
+        deliveriesList.Add(deliveryChannelIdOption);
+        deliveriesList.Add(deliverySinceOption);
+        deliveriesList.Add(deliveryUntilOption);
+        deliveriesList.Add(limitOption);
+        deliveriesList.Add(cursorOption);
+        deliveriesList.Add(jsonOption);
+        deliveriesList.Add(verboseOption);
+
+        deliveriesList.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var status = parseResult.GetValue(deliveryStatusOption);
+            var eventType = parseResult.GetValue(deliveryEventTypeOption);
+            var channelId = parseResult.GetValue(deliveryChannelIdOption);
+            var since = parseResult.GetValue(deliverySinceOption);
+            var until = parseResult.GetValue(deliveryUntilOption);
+            var limit = parseResult.GetValue(limitOption);
+            var cursor = parseResult.GetValue(cursorOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleNotifyDeliveriesListAsync(
+                services,
+                tenant,
+                status,
+                eventType,
+                channelId,
+                since,
+                until,
+                limit,
+                cursor,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        deliveries.Add(deliveriesList);
+
+        // notify deliveries show
+        var deliveriesShow = new Command("show", "Show notification delivery details.");
+
+        var deliveryIdArg = new Argument<string>("delivery-id")
+        {
+            Description = "Delivery identifier."
+        };
+
+        deliveriesShow.Add(deliveryIdArg);
+        deliveriesShow.Add(tenantOption);
+        deliveriesShow.Add(jsonOption);
+        deliveriesShow.Add(verboseOption);
+
+        deliveriesShow.SetAction((parseResult, _) =>
+        {
+            var deliveryId = parseResult.GetValue(deliveryIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleNotifyDeliveriesShowAsync(
+                services,
+                deliveryId,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        deliveries.Add(deliveriesShow);
+
+        // notify deliveries retry
+        var deliveriesRetry = new Command("retry", "Retry a failed notification delivery.");
+
+        var idempotencyKeyOption = new Option<string?>("--idempotency-key")
+        {
+            Description = "Idempotency key to ensure retry is processed exactly once."
+        };
+
+        deliveriesRetry.Add(deliveryIdArg);
+        deliveriesRetry.Add(tenantOption);
+        deliveriesRetry.Add(idempotencyKeyOption);
+        deliveriesRetry.Add(jsonOption);
+        deliveriesRetry.Add(verboseOption);
+
+        deliveriesRetry.SetAction((parseResult, _) =>
+        {
+            var deliveryId = parseResult.GetValue(deliveryIdArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var idempotencyKey = parseResult.GetValue(idempotencyKeyOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleNotifyDeliveriesRetryAsync(
+                services,
+                deliveryId,
+                tenant,
+                idempotencyKey,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        deliveries.Add(deliveriesRetry);
+
+        notify.Add(deliveries);
+
+        // notify send
+        var send = new Command("send", "Send a notification.");
+
+        var eventTypeArg = new Argument<string>("event-type")
+        {
+            Description = "Event type for the notification."
+        };
+        var bodyArg = new Argument<string>("body")
+        {
+            Description = "Notification body/message."
+        };
+        var sendChannelIdOption = new Option<string?>("--channel-id")
+        {
+            Description = "Target channel ID (if not using routing rules)."
+        };
+        var sendSubjectOption = new Option<string?>("--subject", "-s")
+        {
+            Description = "Notification subject."
+        };
+        var sendSeverityOption = new Option<string?>("--severity")
+        {
+            Description = "Severity level (info, warning, error, critical)."
+        };
+        var sendMetadataOption = new Option<string[]?>("--metadata", "-m")
+        {
+            Description = "Additional metadata as key=value pairs.",
+            AllowMultipleArgumentsPerToken = true
+        };
+        var sendIdempotencyKeyOption = new Option<string?>("--idempotency-key")
+        {
+            Description = "Idempotency key to ensure notification is sent exactly once."
+        };
+
+        send.Add(eventTypeArg);
+        send.Add(bodyArg);
+        send.Add(tenantOption);
+        send.Add(sendChannelIdOption);
+        send.Add(sendSubjectOption);
+        send.Add(sendSeverityOption);
+        send.Add(sendMetadataOption);
+        send.Add(sendIdempotencyKeyOption);
+        send.Add(jsonOption);
+        send.Add(verboseOption);
+
+        send.SetAction((parseResult, _) =>
+        {
+            var eventType = parseResult.GetValue(eventTypeArg) ?? string.Empty;
+            var body = parseResult.GetValue(bodyArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var channelId = parseResult.GetValue(sendChannelIdOption);
+            var subject = parseResult.GetValue(sendSubjectOption);
+            var severity = parseResult.GetValue(sendSeverityOption);
+            var metadata = parseResult.GetValue(sendMetadataOption);
+            var idempotencyKey = parseResult.GetValue(sendIdempotencyKeyOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleNotifySendAsync(
+                services,
+                eventType,
+                body,
+                tenant,
+                channelId,
+                subject,
+                severity,
+                metadata,
+                idempotencyKey,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        notify.Add(send);
+
+        return notify;
+    }
+
+    // CLI-SBOM-60-001: Sbomer command group for layer/compose operations
+    private static Command BuildSbomerCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var sbomer = new Command("sbomer", "SBOM composition: layer fragments, canonical merge, and Merkle verification.");
+
+        // Common options
+        var tenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant identifier."
+        };
+        var jsonOption = new Option<bool>("--json")
+        {
+            Description = "Output in JSON format."
+        };
+        var scanIdOption = new Option<string?>("--scan-id")
+        {
+            Description = "Scan identifier."
+        };
+        var imageRefOption = new Option<string?>("--image-ref")
+        {
+            Description = "Container image reference."
+        };
+        var digestOption = new Option<string?>("--digest")
+        {
+            Description = "Container image digest."
+        };
+        var offlineOption = new Option<bool>("--offline")
+        {
+            Description = "Run in offline mode using local files only."
+        };
+        var verifiersPathOption = new Option<string?>("--verifiers-path")
+        {
+            Description = "Path to verifiers.json for DSSE signature verification."
+        };
+
+        // sbomer layer
+        var layer = new Command("layer", "Manage SBOM layer fragments.");
+
+        // sbomer layer list
+        var layerList = new Command("list", "List layer fragments for a scan.");
+
+        var limitOption = new Option<int?>("--limit", "-l")
+        {
+            Description = "Maximum number of items to return."
+        };
+        var cursorOption = new Option<string?>("--cursor")
+        {
+            Description = "Pagination cursor for next page."
+        };
+
+        layerList.Add(tenantOption);
+        layerList.Add(scanIdOption);
+        layerList.Add(imageRefOption);
+        layerList.Add(digestOption);
+        layerList.Add(limitOption);
+        layerList.Add(cursorOption);
+        layerList.Add(jsonOption);
+        layerList.Add(verboseOption);
+
+        layerList.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var scanId = parseResult.GetValue(scanIdOption);
+            var imageRef = parseResult.GetValue(imageRefOption);
+            var digest = parseResult.GetValue(digestOption);
+            var limit = parseResult.GetValue(limitOption);
+            var cursor = parseResult.GetValue(cursorOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomerLayerListAsync(
+                services,
+                tenant,
+                scanId,
+                imageRef,
+                digest,
+                limit,
+                cursor,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        layer.Add(layerList);
+
+        // sbomer layer show
+        var layerShow = new Command("show", "Show layer fragment details.");
+
+        var layerDigestArg = new Argument<string>("layer-digest")
+        {
+            Description = "Layer digest (sha256:...)."
+        };
+        var includeComponentsOption = new Option<bool>("--components")
+        {
+            Description = "Include component list."
+        };
+        var includeDsseOption = new Option<bool>("--dsse")
+        {
+            Description = "Include DSSE envelope details."
+        };
+
+        layerShow.Add(layerDigestArg);
+        layerShow.Add(tenantOption);
+        layerShow.Add(scanIdOption);
+        layerShow.Add(includeComponentsOption);
+        layerShow.Add(includeDsseOption);
+        layerShow.Add(jsonOption);
+        layerShow.Add(verboseOption);
+
+        layerShow.SetAction((parseResult, _) =>
+        {
+            var layerDigest = parseResult.GetValue(layerDigestArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var scanId = parseResult.GetValue(scanIdOption);
+            var includeComponents = parseResult.GetValue(includeComponentsOption);
+            var includeDsse = parseResult.GetValue(includeDsseOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomerLayerShowAsync(
+                services,
+                layerDigest,
+                tenant,
+                scanId,
+                includeComponents,
+                includeDsse,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        layer.Add(layerShow);
+
+        // sbomer layer verify
+        var layerVerify = new Command("verify", "Verify layer fragment DSSE signature and content hash.");
+
+        layerVerify.Add(layerDigestArg);
+        layerVerify.Add(tenantOption);
+        layerVerify.Add(scanIdOption);
+        layerVerify.Add(verifiersPathOption);
+        layerVerify.Add(offlineOption);
+        layerVerify.Add(jsonOption);
+        layerVerify.Add(verboseOption);
+
+        layerVerify.SetAction((parseResult, _) =>
+        {
+            var layerDigest = parseResult.GetValue(layerDigestArg) ?? string.Empty;
+            var tenant = parseResult.GetValue(tenantOption);
+            var scanId = parseResult.GetValue(scanIdOption);
+            var verifiersPath = parseResult.GetValue(verifiersPathOption);
+            var offline = parseResult.GetValue(offlineOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomerLayerVerifyAsync(
+                services,
+                layerDigest,
+                tenant,
+                scanId,
+                verifiersPath,
+                offline,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        layer.Add(layerVerify);
+
+        sbomer.Add(layer);
+
+        // sbomer compose
+        var compose = new Command("compose", "Compose SBOM from layer fragments with canonical ordering.");
+
+        var outputPathOption = new Option<string?>("--output", "-o")
+        {
+            Description = "Output file path for composed SBOM."
+        };
+        var formatOption = new Option<string?>("--format")
+        {
+            Description = "Output format (cyclonedx, spdx). Default: cyclonedx."
+        };
+        var verifyFragmentsOption = new Option<bool>("--verify")
+        {
+            Description = "Verify all fragment DSSE signatures before composing."
+        };
+        var emitManifestOption = new Option<bool>("--emit-manifest")
+        {
+            Description = "Emit _composition.json manifest. Default: true."
+        };
+        emitManifestOption.SetDefaultValue(true);
+        var emitMerkleOption = new Option<bool>("--emit-merkle")
+        {
+            Description = "Emit Merkle diagnostics file."
+        };
+
+        compose.Add(tenantOption);
+        compose.Add(scanIdOption);
+        compose.Add(imageRefOption);
+        compose.Add(digestOption);
+        compose.Add(outputPathOption);
+        compose.Add(formatOption);
+        compose.Add(verifyFragmentsOption);
+        compose.Add(verifiersPathOption);
+        compose.Add(offlineOption);
+        compose.Add(emitManifestOption);
+        compose.Add(emitMerkleOption);
+        compose.Add(jsonOption);
+        compose.Add(verboseOption);
+
+        compose.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var scanId = parseResult.GetValue(scanIdOption);
+            var imageRef = parseResult.GetValue(imageRefOption);
+            var digest = parseResult.GetValue(digestOption);
+            var outputPath = parseResult.GetValue(outputPathOption);
+            var format = parseResult.GetValue(formatOption);
+            var verifyFragments = parseResult.GetValue(verifyFragmentsOption);
+            var verifiersPath = parseResult.GetValue(verifiersPathOption);
+            var offline = parseResult.GetValue(offlineOption);
+            var emitManifest = parseResult.GetValue(emitManifestOption);
+            var emitMerkle = parseResult.GetValue(emitMerkleOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomerComposeAsync(
+                services,
+                tenant,
+                scanId,
+                imageRef,
+                digest,
+                outputPath,
+                format,
+                verifyFragments,
+                verifiersPath,
+                offline,
+                emitManifest,
+                emitMerkle,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        sbomer.Add(compose);
+
+        // sbomer composition
+        var composition = new Command("composition", "View and verify composition manifests.");
+
+        // sbomer composition show
+        var compositionShow = new Command("show", "Show composition manifest details.");
+
+        var compositionPathOption = new Option<string?>("--path")
+        {
+            Description = "Path to local _composition.json file."
+        };
+
+        compositionShow.Add(tenantOption);
+        compositionShow.Add(scanIdOption);
+        compositionShow.Add(compositionPathOption);
+        compositionShow.Add(jsonOption);
+        compositionShow.Add(verboseOption);
+
+        compositionShow.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var scanId = parseResult.GetValue(scanIdOption);
+            var compositionPath = parseResult.GetValue(compositionPathOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomerCompositionShowAsync(
+                services,
+                tenant,
+                scanId,
+                compositionPath,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        composition.Add(compositionShow);
+
+        // sbomer composition verify
+        var compositionVerify = new Command("verify", "Verify composition against manifest and recompute Merkle root.");
+
+        var sbomPathOption = new Option<string?>("--sbom-path")
+        {
+            Description = "Path to composed SBOM file to verify."
+        };
+        var recomposeOption = new Option<bool>("--recompose")
+        {
+            Description = "Re-run composition locally and compare hashes."
+        };
+
+        compositionVerify.Add(tenantOption);
+        compositionVerify.Add(scanIdOption);
+        compositionVerify.Add(compositionPathOption);
+        compositionVerify.Add(sbomPathOption);
+        compositionVerify.Add(verifiersPathOption);
+        compositionVerify.Add(offlineOption);
+        compositionVerify.Add(recomposeOption);
+        compositionVerify.Add(jsonOption);
+        compositionVerify.Add(verboseOption);
+
+        compositionVerify.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var scanId = parseResult.GetValue(scanIdOption);
+            var compositionPath = parseResult.GetValue(compositionPathOption);
+            var sbomPath = parseResult.GetValue(sbomPathOption);
+            var verifiersPath = parseResult.GetValue(verifiersPathOption);
+            var offline = parseResult.GetValue(offlineOption);
+            var recompose = parseResult.GetValue(recomposeOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomerCompositionVerifyAsync(
+                services,
+                tenant,
+                scanId,
+                compositionPath,
+                sbomPath,
+                verifiersPath,
+                offline,
+                recompose,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        composition.Add(compositionVerify);
+
+        // sbomer composition merkle
+        var compositionMerkle = new Command("merkle", "Show Merkle tree diagnostics for a composition.");
+
+        compositionMerkle.Add(scanIdOption);
+        compositionMerkle.Add(tenantOption);
+        compositionMerkle.Add(jsonOption);
+        compositionMerkle.Add(verboseOption);
+
+        compositionMerkle.SetAction((parseResult, _) =>
+        {
+            var scanId = parseResult.GetValue(scanIdOption);
+            var tenant = parseResult.GetValue(tenantOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomerCompositionMerkleAsync(
+                services,
+                scanId ?? string.Empty,
+                tenant,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        composition.Add(compositionMerkle);
+
+        sbomer.Add(composition);
+
+        // CLI-SBOM-60-002: sbomer drift
+        var drift = new Command("drift", "Detect and explain determinism drift in SBOM composition.");
+
+        // sbomer drift (analyze)
+        var driftAnalyze = new Command("analyze", "Analyze drift between current SBOM and baseline, highlighting determinism breaks.")
+        {
+            Aliases = { "diff" }
+        };
+
+        var baselineScanIdOption = new Option<string?>("--baseline-scan-id")
+        {
+            Description = "Baseline scan ID to compare against."
+        };
+        var baselinePathOption = new Option<string?>("--baseline-path")
+        {
+            Description = "Path to baseline SBOM file."
+        };
+        var sbomPathOptionDrift = new Option<string?>("--sbom-path")
+        {
+            Description = "Path to current SBOM file."
+        };
+        var explainOption = new Option<bool>("--explain")
+        {
+            Description = "Provide detailed explanations for each drift, including root cause and remediation."
+        };
+        var offlineKitPathOption = new Option<string?>("--offline-kit")
+        {
+            Description = "Path to offline kit bundle for air-gapped verification."
+        };
+
+        driftAnalyze.Add(tenantOption);
+        driftAnalyze.Add(scanIdOption);
+        driftAnalyze.Add(baselineScanIdOption);
+        driftAnalyze.Add(sbomPathOptionDrift);
+        driftAnalyze.Add(baselinePathOption);
+        driftAnalyze.Add(compositionPathOption);
+        driftAnalyze.Add(explainOption);
+        driftAnalyze.Add(offlineOption);
+        driftAnalyze.Add(offlineKitPathOption);
+        driftAnalyze.Add(jsonOption);
+        driftAnalyze.Add(verboseOption);
+
+        driftAnalyze.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var scanId = parseResult.GetValue(scanIdOption);
+            var baselineScanId = parseResult.GetValue(baselineScanIdOption);
+            var sbomPath = parseResult.GetValue(sbomPathOptionDrift);
+            var baselinePath = parseResult.GetValue(baselinePathOption);
+            var compositionPath = parseResult.GetValue(compositionPathOption);
+            var explain = parseResult.GetValue(explainOption);
+            var offline = parseResult.GetValue(offlineOption);
+            var offlineKitPath = parseResult.GetValue(offlineKitPathOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomerDriftAnalyzeAsync(
+                services,
+                tenant,
+                scanId,
+                baselineScanId,
+                sbomPath,
+                baselinePath,
+                compositionPath,
+                explain,
+                offline,
+                offlineKitPath,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        drift.Add(driftAnalyze);
+
+        // sbomer drift verify
+        var driftVerify = new Command("verify", "Verify SBOM with local recomposition and drift detection from offline kit.");
+
+        var recomposeLocallyOption = new Option<bool>("--recompose")
+        {
+            Description = "Re-run composition locally and compare hashes."
+        };
+        var validateFragmentsOption = new Option<bool>("--validate-fragments")
+        {
+            Description = "Validate all fragment DSSE signatures."
+        };
+        validateFragmentsOption.SetDefaultValue(true);
+        var checkMerkleOption = new Option<bool>("--check-merkle")
+        {
+            Description = "Verify Merkle proofs for all fragments."
+        };
+        checkMerkleOption.SetDefaultValue(true);
+
+        driftVerify.Add(tenantOption);
+        driftVerify.Add(scanIdOption);
+        driftVerify.Add(sbomPathOptionDrift);
+        driftVerify.Add(compositionPathOption);
+        driftVerify.Add(verifiersPathOption);
+        driftVerify.Add(offlineKitPathOption);
+        driftVerify.Add(recomposeLocallyOption);
+        driftVerify.Add(validateFragmentsOption);
+        driftVerify.Add(checkMerkleOption);
+        driftVerify.Add(jsonOption);
+        driftVerify.Add(verboseOption);
+
+        driftVerify.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var scanId = parseResult.GetValue(scanIdOption);
+            var sbomPath = parseResult.GetValue(sbomPathOptionDrift);
+            var compositionPath = parseResult.GetValue(compositionPathOption);
+            var verifiersPath = parseResult.GetValue(verifiersPathOption);
+            var offlineKitPath = parseResult.GetValue(offlineKitPathOption);
+            var recomposeLocally = parseResult.GetValue(recomposeLocallyOption);
+            var validateFragments = parseResult.GetValue(validateFragmentsOption);
+            var checkMerkle = parseResult.GetValue(checkMerkleOption);
+            var json = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleSbomerDriftVerifyAsync(
+                services,
+                tenant,
+                scanId,
+                sbomPath,
+                compositionPath,
+                verifiersPath,
+                offlineKitPath,
+                recomposeLocally,
+                validateFragments,
+                checkMerkle,
+                json,
+                verbose,
+                cancellationToken);
+        });
+
+        drift.Add(driftVerify);
+
+        sbomer.Add(drift);
+
+        return sbomer;
+    }
+
+    // CLI-RISK-66-001 through CLI-RISK-68-001: Risk command group
+    private static Command BuildRiskCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var risk = new Command("risk", "Manage risk profiles, scoring, and bundle verification.");
+
+        // Common options
+        var tenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant identifier."
+        };
+        var jsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        // CLI-RISK-66-001: stella risk profile list
+        var profile = new Command("profile", "Manage risk profiles.");
+
+        var profileList = new Command("list", "List available risk profiles.");
+        var includeDisabledOption = new Option<bool>("--include-disabled")
+        {
+            Description = "Include disabled profiles in the listing."
+        };
+        var categoryOption = new Option<string?>("--category", "-c")
+        {
+            Description = "Filter by profile category."
+        };
+        var limitOption = new Option<int?>("--limit", "-l")
+        {
+            Description = "Maximum number of results (default 100)."
+        };
+        var offsetOption = new Option<int?>("--offset", "-o")
+        {
+            Description = "Pagination offset."
+        };
+
+        profileList.Add(tenantOption);
+        profileList.Add(includeDisabledOption);
+        profileList.Add(categoryOption);
+        profileList.Add(limitOption);
+        profileList.Add(offsetOption);
+        profileList.Add(jsonOption);
+        profileList.Add(verboseOption);
+
+        profileList.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var includeDisabled = parseResult.GetValue(includeDisabledOption);
+            var category = parseResult.GetValue(categoryOption);
+            var limit = parseResult.GetValue(limitOption);
+            var offset = parseResult.GetValue(offsetOption);
+            var emitJson = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleRiskProfileListAsync(
+                services,
+                tenant,
+                includeDisabled,
+                category,
+                limit,
+                offset,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        profile.Add(profileList);
+        risk.Add(profile);
+
+        // CLI-RISK-66-002: stella risk simulate
+        var simulate = new Command("simulate", "Simulate risk scoring against an SBOM or asset.");
+        var profileIdOption = new Option<string?>("--profile-id", "-p")
+        {
+            Description = "Risk profile identifier to use for simulation."
+        };
+        var sbomIdOption = new Option<string?>("--sbom-id")
+        {
+            Description = "SBOM identifier for risk evaluation."
+        };
+        var sbomPathOption = new Option<string?>("--sbom-path")
+        {
+            Description = "Local path to SBOM file for risk evaluation."
+        };
+        var assetIdOption = new Option<string?>("--asset-id", "-a")
+        {
+            Description = "Asset identifier for risk evaluation."
+        };
+        var diffModeOption = new Option<bool>("--diff")
+        {
+            Description = "Enable diff mode to compare with baseline."
+        };
+        var baselineProfileIdOption = new Option<string?>("--baseline-profile-id")
+        {
+            Description = "Baseline profile identifier for diff comparison."
+        };
+        var csvOption = new Option<bool>("--csv")
+        {
+            Description = "Output as CSV."
+        };
+        var outputOption = new Option<string?>("--output")
+        {
+            Description = "Write output to specified file path."
+        };
+
+        simulate.Add(tenantOption);
+        simulate.Add(profileIdOption);
+        simulate.Add(sbomIdOption);
+        simulate.Add(sbomPathOption);
+        simulate.Add(assetIdOption);
+        simulate.Add(diffModeOption);
+        simulate.Add(baselineProfileIdOption);
+        simulate.Add(jsonOption);
+        simulate.Add(csvOption);
+        simulate.Add(outputOption);
+        simulate.Add(verboseOption);
+
+        simulate.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var profileId = parseResult.GetValue(profileIdOption);
+            var sbomId = parseResult.GetValue(sbomIdOption);
+            var sbomPath = parseResult.GetValue(sbomPathOption);
+            var assetId = parseResult.GetValue(assetIdOption);
+            var diffMode = parseResult.GetValue(diffModeOption);
+            var baselineProfileId = parseResult.GetValue(baselineProfileIdOption);
+            var emitJson = parseResult.GetValue(jsonOption);
+            var emitCsv = parseResult.GetValue(csvOption);
+            var output = parseResult.GetValue(outputOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleRiskSimulateAsync(
+                services,
+                tenant,
+                profileId,
+                sbomId,
+                sbomPath,
+                assetId,
+                diffMode,
+                baselineProfileId,
+                emitJson,
+                emitCsv,
+                output,
+                verbose,
+                cancellationToken);
+        });
+
+        risk.Add(simulate);
+
+        // CLI-RISK-67-001: stella risk results
+        var results = new Command("results", "Get risk evaluation results.");
+        var resultsAssetIdOption = new Option<string?>("--asset-id", "-a")
+        {
+            Description = "Filter by asset identifier."
+        };
+        var resultsSbomIdOption = new Option<string?>("--sbom-id")
+        {
+            Description = "Filter by SBOM identifier."
+        };
+        var resultsProfileIdOption = new Option<string?>("--profile-id", "-p")
+        {
+            Description = "Filter by risk profile identifier."
+        };
+        var minSeverityOption = new Option<string?>("--min-severity")
+        {
+            Description = "Minimum severity threshold (critical, high, medium, low, info)."
+        };
+        var maxScoreOption = new Option<double?>("--max-score")
+        {
+            Description = "Maximum score threshold (0-100)."
+        };
+        var includeExplainOption = new Option<bool>("--explain")
+        {
+            Description = "Include explainability information in results."
+        };
+
+        results.Add(tenantOption);
+        results.Add(resultsAssetIdOption);
+        results.Add(resultsSbomIdOption);
+        results.Add(resultsProfileIdOption);
+        results.Add(minSeverityOption);
+        results.Add(maxScoreOption);
+        results.Add(includeExplainOption);
+        results.Add(limitOption);
+        results.Add(offsetOption);
+        results.Add(jsonOption);
+        results.Add(csvOption);
+        results.Add(verboseOption);
+
+        results.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var assetId = parseResult.GetValue(resultsAssetIdOption);
+            var sbomId = parseResult.GetValue(resultsSbomIdOption);
+            var profileId = parseResult.GetValue(resultsProfileIdOption);
+            var minSeverity = parseResult.GetValue(minSeverityOption);
+            var maxScore = parseResult.GetValue(maxScoreOption);
+            var includeExplain = parseResult.GetValue(includeExplainOption);
+            var limit = parseResult.GetValue(limitOption);
+            var offset = parseResult.GetValue(offsetOption);
+            var emitJson = parseResult.GetValue(jsonOption);
+            var emitCsv = parseResult.GetValue(csvOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleRiskResultsAsync(
+                services,
+                tenant,
+                assetId,
+                sbomId,
+                profileId,
+                minSeverity,
+                maxScore,
+                includeExplain,
+                limit,
+                offset,
+                emitJson,
+                emitCsv,
+                verbose,
+                cancellationToken);
+        });
+
+        risk.Add(results);
+
+        // CLI-RISK-68-001: stella risk bundle verify
+        var bundle = new Command("bundle", "Risk bundle operations.");
+        var bundleVerify = new Command("verify", "Verify a risk bundle for integrity and signatures.");
+        var bundlePathOption = new Option<string>("--bundle-path", "-b")
+        {
+            Description = "Path to the risk bundle file.",
+            Required = true
+        };
+        var signaturePathOption = new Option<string?>("--signature-path", "-s")
+        {
+            Description = "Path to detached signature file."
+        };
+        var checkRekorOption = new Option<bool>("--check-rekor")
+        {
+            Description = "Verify transparency log entry in Sigstore Rekor."
+        };
+
+        bundleVerify.Add(tenantOption);
+        bundleVerify.Add(bundlePathOption);
+        bundleVerify.Add(signaturePathOption);
+        bundleVerify.Add(checkRekorOption);
+        bundleVerify.Add(jsonOption);
+        bundleVerify.Add(verboseOption);
+
+        bundleVerify.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var bundlePath = parseResult.GetValue(bundlePathOption) ?? string.Empty;
+            var signaturePath = parseResult.GetValue(signaturePathOption);
+            var checkRekor = parseResult.GetValue(checkRekorOption);
+            var emitJson = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleRiskBundleVerifyAsync(
+                services,
+                tenant,
+                bundlePath,
+                signaturePath,
+                checkRekor,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        bundle.Add(bundleVerify);
+        risk.Add(bundle);
+
+        return risk;
+    }
+
+    // CLI-SIG-26-001: Reachability command group
+    private static Command BuildReachabilityCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var reachability = new Command("reachability", "Reachability analysis for vulnerability exploitability.");
+
+        // Common options
+        var tenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant identifier."
+        };
+        var jsonOption = new Option<bool>("--json")
+        {
+            Description = "Output as JSON."
+        };
+
+        // stella reachability upload-callgraph
+        var uploadCallGraph = new Command("upload-callgraph", "Upload a call graph for reachability analysis.");
+        var callGraphPathOption = new Option<string>("--path", "-p")
+        {
+            Description = "Path to the call graph file.",
+            Required = true
+        };
+        var scanIdOption = new Option<string?>("--scan-id")
+        {
+            Description = "Scan identifier to associate with the call graph."
+        };
+        var assetIdOption = new Option<string?>("--asset-id", "-a")
+        {
+            Description = "Asset identifier to associate with the call graph."
+        };
+        var formatOption = new Option<string?>("--format", "-f")
+        {
+            Description = "Call graph format (auto, json, proto, dot). Default: auto-detect."
+        };
+
+        uploadCallGraph.Add(tenantOption);
+        uploadCallGraph.Add(callGraphPathOption);
+        uploadCallGraph.Add(scanIdOption);
+        uploadCallGraph.Add(assetIdOption);
+        uploadCallGraph.Add(formatOption);
+        uploadCallGraph.Add(jsonOption);
+        uploadCallGraph.Add(verboseOption);
+
+        uploadCallGraph.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var callGraphPath = parseResult.GetValue(callGraphPathOption) ?? string.Empty;
+            var scanId = parseResult.GetValue(scanIdOption);
+            var assetId = parseResult.GetValue(assetIdOption);
+            var format = parseResult.GetValue(formatOption);
+            var emitJson = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleReachabilityUploadCallGraphAsync(
+                services,
+                tenant,
+                callGraphPath,
+                scanId,
+                assetId,
+                format,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        reachability.Add(uploadCallGraph);
+
+        // stella reachability list
+        var list = new Command("list", "List reachability analyses.");
+        var listScanIdOption = new Option<string?>("--scan-id")
+        {
+            Description = "Filter by scan identifier."
+        };
+        var listAssetIdOption = new Option<string?>("--asset-id", "-a")
+        {
+            Description = "Filter by asset identifier."
+        };
+        var statusOption = new Option<string?>("--status")
+        {
+            Description = "Filter by status (pending, processing, completed, failed)."
+        };
+        var limitOption = new Option<int?>("--limit", "-l")
+        {
+            Description = "Maximum number of results (default 100)."
+        };
+        var offsetOption = new Option<int?>("--offset", "-o")
+        {
+            Description = "Pagination offset."
+        };
+
+        list.Add(tenantOption);
+        list.Add(listScanIdOption);
+        list.Add(listAssetIdOption);
+        list.Add(statusOption);
+        list.Add(limitOption);
+        list.Add(offsetOption);
+        list.Add(jsonOption);
+        list.Add(verboseOption);
+
+        list.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var scanId = parseResult.GetValue(listScanIdOption);
+            var assetId = parseResult.GetValue(listAssetIdOption);
+            var status = parseResult.GetValue(statusOption);
+            var limit = parseResult.GetValue(limitOption);
+            var offset = parseResult.GetValue(offsetOption);
+            var emitJson = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleReachabilityListAsync(
+                services,
+                tenant,
+                scanId,
+                assetId,
+                status,
+                limit,
+                offset,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        reachability.Add(list);
+
+        // stella reachability explain
+        var explain = new Command("explain", "Explain reachability for a vulnerability or package.");
+        var analysisIdOption = new Option<string>("--analysis-id", "-i")
+        {
+            Description = "Analysis identifier.",
+            Required = true
+        };
+        var vulnerabilityIdOption = new Option<string?>("--vuln-id", "-v")
+        {
+            Description = "Vulnerability identifier to explain."
+        };
+        var packagePurlOption = new Option<string?>("--purl")
+        {
+            Description = "Package URL to explain."
+        };
+        var includeCallPathsOption = new Option<bool>("--call-paths")
+        {
+            Description = "Include detailed call paths in the explanation."
+        };
+
+        explain.Add(tenantOption);
+        explain.Add(analysisIdOption);
+        explain.Add(vulnerabilityIdOption);
+        explain.Add(packagePurlOption);
+        explain.Add(includeCallPathsOption);
+        explain.Add(jsonOption);
+        explain.Add(verboseOption);
+
+        explain.SetAction((parseResult, _) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var analysisId = parseResult.GetValue(analysisIdOption) ?? string.Empty;
+            var vulnerabilityId = parseResult.GetValue(vulnerabilityIdOption);
+            var packagePurl = parseResult.GetValue(packagePurlOption);
+            var includeCallPaths = parseResult.GetValue(includeCallPathsOption);
+            var emitJson = parseResult.GetValue(jsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            return CommandHandlers.HandleReachabilityExplainAsync(
+                services,
+                tenant,
+                analysisId,
+                vulnerabilityId,
+                packagePurl,
+                includeCallPaths,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        reachability.Add(explain);
+
+        return reachability;
+    }
+
+    // CLI-SDK-63-001: stella api command
+    private static Command BuildApiCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var api = new Command("api", "API management commands.");
+
+        // stella api spec
+        var spec = new Command("spec", "API specification operations.");
+
+        // stella api spec list
+        var list = new Command("list", "List available API specifications.");
+
+        var tenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant context for the operation."
+        };
+
+        var emitJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output in JSON format."
+        };
+
+        list.Add(tenantOption);
+        list.Add(emitJsonOption);
+        list.Add(verboseOption);
+
+        list.SetAction(async (parseResult, ct) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var emitJson = parseResult.GetValue(emitJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            await CommandHandlers.HandleApiSpecListAsync(
+                services,
+                tenant,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        spec.Add(list);
+
+        // stella api spec download
+        var download = new Command("download", "Download API specification.");
+
+        var outputOption = new Option<string>("--output", "-o")
+        {
+            Description = "Output path for the downloaded spec (file or directory).",
+            IsRequired = true
+        };
+
+        var serviceOption = new Option<string?>("--service", "-s")
+        {
+            Description = "Service to download spec for (e.g., concelier, scanner, policy). Omit for aggregate spec."
+        };
+
+        var formatOption = new Option<string>("--format", "-f")
+        {
+            Description = "Output format: openapi-json (default) or openapi-yaml."
+        };
+        formatOption.SetDefaultValue("openapi-json");
+
+        var overwriteOption = new Option<bool>("--overwrite")
+        {
+            Description = "Overwrite existing file if present."
+        };
+
+        var etagOption = new Option<string?>("--etag")
+        {
+            Description = "Expected ETag for conditional download (If-None-Match)."
+        };
+
+        var checksumOption = new Option<string?>("--checksum")
+        {
+            Description = "Expected checksum for verification after download."
+        };
+
+        var checksumAlgoOption = new Option<string>("--checksum-algorithm")
+        {
+            Description = "Checksum algorithm: sha256 (default), sha384, sha512."
+        };
+        checksumAlgoOption.SetDefaultValue("sha256");
+
+        download.Add(tenantOption);
+        download.Add(outputOption);
+        download.Add(serviceOption);
+        download.Add(formatOption);
+        download.Add(overwriteOption);
+        download.Add(etagOption);
+        download.Add(checksumOption);
+        download.Add(checksumAlgoOption);
+        download.Add(emitJsonOption);
+        download.Add(verboseOption);
+
+        download.SetAction(async (parseResult, ct) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var output = parseResult.GetValue(outputOption)!;
+            var service = parseResult.GetValue(serviceOption);
+            var format = parseResult.GetValue(formatOption)!;
+            var overwrite = parseResult.GetValue(overwriteOption);
+            var etag = parseResult.GetValue(etagOption);
+            var checksum = parseResult.GetValue(checksumOption);
+            var checksumAlgo = parseResult.GetValue(checksumAlgoOption)!;
+            var emitJson = parseResult.GetValue(emitJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            await CommandHandlers.HandleApiSpecDownloadAsync(
+                services,
+                tenant,
+                output,
+                service,
+                format,
+                overwrite,
+                etag,
+                checksum,
+                checksumAlgo,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        spec.Add(download);
+
+        api.Add(spec);
+        return api;
+    }
+
+    // CLI-SDK-64-001: stella sdk command
+    private static Command BuildSdkCommand(IServiceProvider services, Option<bool> verboseOption, CancellationToken cancellationToken)
+    {
+        var sdk = new Command("sdk", "SDK management commands.");
+
+        // stella sdk update
+        var update = new Command("update", "Check for SDK updates and fetch latest manifests/changelogs.");
+
+        var tenantOption = new Option<string?>("--tenant", "-t")
+        {
+            Description = "Tenant context for the operation."
+        };
+
+        var languageOption = new Option<string?>("--language", "-l")
+        {
+            Description = "SDK language filter (typescript, go, csharp, python, java). Omit for all."
+        };
+
+        var checkOnlyOption = new Option<bool>("--check-only")
+        {
+            Description = "Only check for updates, don't download."
+        };
+
+        var showChangelogOption = new Option<bool>("--changelog")
+        {
+            Description = "Show changelog for available updates."
+        };
+
+        var showDeprecationsOption = new Option<bool>("--deprecations")
+        {
+            Description = "Show deprecation notices."
+        };
+
+        var emitJsonOption = new Option<bool>("--json")
+        {
+            Description = "Output in JSON format."
+        };
+
+        update.Add(tenantOption);
+        update.Add(languageOption);
+        update.Add(checkOnlyOption);
+        update.Add(showChangelogOption);
+        update.Add(showDeprecationsOption);
+        update.Add(emitJsonOption);
+        update.Add(verboseOption);
+
+        update.SetAction(async (parseResult, ct) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var language = parseResult.GetValue(languageOption);
+            var checkOnly = parseResult.GetValue(checkOnlyOption);
+            var showChangelog = parseResult.GetValue(showChangelogOption);
+            var showDeprecations = parseResult.GetValue(showDeprecationsOption);
+            var emitJson = parseResult.GetValue(emitJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            await CommandHandlers.HandleSdkUpdateAsync(
+                services,
+                tenant,
+                language,
+                checkOnly,
+                showChangelog,
+                showDeprecations,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        sdk.Add(update);
+
+        // stella sdk list
+        var list = new Command("list", "List installed SDK versions.");
+
+        list.Add(tenantOption);
+        list.Add(languageOption);
+        list.Add(emitJsonOption);
+        list.Add(verboseOption);
+
+        list.SetAction(async (parseResult, ct) =>
+        {
+            var tenant = parseResult.GetValue(tenantOption);
+            var language = parseResult.GetValue(languageOption);
+            var emitJson = parseResult.GetValue(emitJsonOption);
+            var verbose = parseResult.GetValue(verboseOption);
+
+            await CommandHandlers.HandleSdkListAsync(
+                services,
+                tenant,
+                language,
+                emitJson,
+                verbose,
+                cancellationToken);
+        });
+
+        sdk.Add(list);
+
+        return sdk;
+    }
 }
diff --git a/src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs b/src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs
index 7e20d6411..da606a5c7 100644
--- a/src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs
+++ b/src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs
@@ -24,6 +24,7 @@ using Spectre.Console;
 using Spectre.Console.Rendering;
 using StellaOps.Auth.Client;
 using StellaOps.Cli.Configuration;
+using StellaOps.Cli.Output;
 using StellaOps.Cli.Prompts;
 using StellaOps.Cli.Services;
 using StellaOps.Cli.Services.Models;
@@ -3343,6 +3344,14 @@ internal static class CommandHandlers
         string? outputPath,
         bool explain,
         bool failOnDiff,
+        IReadOnlyList<string> withExceptions,
+        IReadOnlyList<string> withoutExceptions,
+        string? mode,
+        IReadOnlyList<string> sbomSelectors,
+        bool includeHeatmap,
+        bool manifestDownload,
+        IReadOnlyList<string> reachabilityStates,
+        IReadOnlyList<string> reachabilityScores,
         bool verbose,
         CancellationToken cancellationToken)
     {
@@ -3363,6 +3372,15 @@ internal static class CommandHandlers
         {
             activity?.SetTag("stellaops.cli.candidate_version", candidateVersion.Value);
         }
+        // CLI-EXC-25-002: Track exception preview usage
+        if (withExceptions.Count > 0)
+        {
+            activity?.SetTag("stellaops.cli.with_exceptions_count", withExceptions.Count);
+        }
+        if (withoutExceptions.Count > 0)
+        {
+            activity?.SetTag("stellaops.cli.without_exceptions_count", withoutExceptions.Count);
+        }
         using var duration = CliMetrics.MeasureCommandDuration("policy simulate");
 
         try
@@ -3376,12 +3394,85 @@ internal static class CommandHandlers
             var sbomSet = NormalizePolicySbomSet(sbomArguments);
             var environment = ParsePolicyEnvironment(environmentArguments);
 
+            // CLI-EXC-25-002: Normalize exception IDs and validate no overlap
+            var normalizedWithExceptions = withExceptions.Select(e => e.Trim()).Where(e => !string.IsNullOrEmpty(e)).ToList();
+            var normalizedWithoutExceptions = withoutExceptions.Select(e => e.Trim()).Where(e => !string.IsNullOrEmpty(e)).ToList();
+            var overlap = normalizedWithExceptions.Intersect(normalizedWithoutExceptions).ToList();
+            if (overlap.Count > 0)
+            {
+                throw new ArgumentException($"Exception IDs cannot appear in both --with-exception and --without-exception: {string.Join(", ", overlap)}");
+            }
+
+            if (verbose && (normalizedWithExceptions.Count > 0 || normalizedWithoutExceptions.Count > 0))
+            {
+                if (normalizedWithExceptions.Count > 0)
+                {
+                    logger.LogInformation("Simulating WITH exceptions: {Exceptions}", string.Join(", ", normalizedWithExceptions));
+                }
+                if (normalizedWithoutExceptions.Count > 0)
+                {
+                    logger.LogInformation("Simulating WITHOUT exceptions: {Exceptions}", string.Join(", ", normalizedWithoutExceptions));
+                }
+            }
+
+            // CLI-POLICY-27-003: Parse simulation mode
+            PolicySimulationMode? simulationMode = null;
+            if (!string.IsNullOrWhiteSpace(mode))
+            {
+                simulationMode = mode.Trim().ToLowerInvariant() switch
+                {
+                    "quick" => PolicySimulationMode.Quick,
+                    "batch" => PolicySimulationMode.Batch,
+                    _ => throw new ArgumentException($"Invalid mode '{mode}'. Use 'quick' or 'batch'.")
+                };
+                if (verbose)
+                {
+                    logger.LogInformation("Simulation mode: {Mode}", mode);
+                }
+            }
+
+            // CLI-POLICY-27-003: Normalize SBOM selectors
+            var normalizedSbomSelectors = sbomSelectors
+                .Select(s => s.Trim())
+                .Where(s => !string.IsNullOrEmpty(s))
+                .ToList();
+            if (verbose && normalizedSbomSelectors.Count > 0)
+            {
+                logger.LogInformation("SBOM selectors: {Selectors}", string.Join(", ", normalizedSbomSelectors));
+            }
+
+            // CLI-SIG-26-002: Parse reachability overrides
+            var reachabilityOverrides = ParseReachabilityOverrides(reachabilityStates, reachabilityScores);
+            if (verbose && reachabilityOverrides.Count > 0)
+            {
+                logger.LogInformation("Reachability overrides: {Count} items", reachabilityOverrides.Count);
+                foreach (var ro in reachabilityOverrides)
+                {
+                    var target = ro.VulnerabilityId ?? ro.PackagePurl ?? "unknown";
+                    if (!string.IsNullOrWhiteSpace(ro.State))
+                    {
+                        logger.LogDebug("  {Target}: state={State}", target, ro.State);
+                    }
+                    if (ro.Score.HasValue)
+                    {
+                        logger.LogDebug("  {Target}: score={Score}", target, ro.Score);
+                    }
+                }
+            }
+
             var input = new PolicySimulationInput(
                 baseVersion,
                 candidateVersion,
                 sbomSet,
                 environment,
-                explain);
+                explain,
+                normalizedWithExceptions.Count > 0 ? normalizedWithExceptions : null,
+                normalizedWithoutExceptions.Count > 0 ? normalizedWithoutExceptions : null,
+                simulationMode,
+                normalizedSbomSelectors.Count > 0 ? normalizedSbomSelectors : null,
+                includeHeatmap,
+                manifestDownload,
+                reachabilityOverrides.Count > 0 ? reachabilityOverrides : null);
 
             var result = await client.SimulatePolicyAsync(normalizedPolicyId, input, cancellationToken).ConfigureAwait(false);
 
@@ -3391,13 +3482,28 @@ internal static class CommandHandlers
             {
                 activity?.SetTag("stellaops.cli.severity_buckets", result.Diff.BySeverity.Count);
             }
+            if (result.Heatmap is not null)
+            {
+                activity?.SetTag("stellaops.cli.heatmap_present", true);
+            }
+            if (!string.IsNullOrWhiteSpace(result.ManifestDownloadUri))
+            {
+                activity?.SetTag("stellaops.cli.manifest_download_available", true);
+            }
 
             var outputFormat = DeterminePolicySimulationFormat(format, outputPath);
             var payload = BuildPolicySimulationPayload(normalizedPolicyId, baseVersion, candidateVersion, sbomSet, environment, result);
 
             if (!string.IsNullOrWhiteSpace(outputPath))
             {
-                await WriteSimulationOutputAsync(outputPath!, payload, cancellationToken).ConfigureAwait(false);
+                if (outputFormat == PolicySimulationOutputFormat.Markdown)
+                {
+                    await WriteMarkdownSimulationOutputAsync(outputPath!, normalizedPolicyId, result, cancellationToken).ConfigureAwait(false);
+                }
+                else
+                {
+                    await WriteSimulationOutputAsync(outputPath!, payload, cancellationToken).ConfigureAwait(false);
+                }
                 logger.LogInformation("Simulation results written to {Path}.", Path.GetFullPath(outputPath!));
             }
 
@@ -3420,6 +3526,16 @@ internal static class CommandHandlers
             {
                 activity?.SetTag("stellaops.cli.explain_uri", result.ExplainUri);
             }
+
+            // CLI-POLICY-27-003: Show manifest download info if available
+            if (!string.IsNullOrWhiteSpace(result.ManifestDownloadUri))
+            {
+                logger.LogInformation("Manifest download available at: {Uri}", result.ManifestDownloadUri);
+                if (!string.IsNullOrWhiteSpace(result.ManifestDigest))
+                {
+                    logger.LogInformation("Manifest digest: {Digest}", result.ManifestDigest);
+                }
+            }
         }
         catch (ArgumentException ex)
         {
@@ -4995,11 +5111,24 @@ internal static class CommandHandlers
             {
                 "table" => PolicySimulationOutputFormat.Table,
                 "json" => PolicySimulationOutputFormat.Json,
-                _ => throw new ArgumentException("Invalid format. Use 'table' or 'json'.")
+                "markdown" or "md" => PolicySimulationOutputFormat.Markdown,
+                _ => throw new ArgumentException("Invalid format. Use 'table', 'json', or 'markdown'.")
             };
         }
 
-        if (!string.IsNullOrWhiteSpace(outputPath) || Console.IsOutputRedirected)
+        // CLI-POLICY-27-003: Infer format from output file extension
+        if (!string.IsNullOrWhiteSpace(outputPath))
+        {
+            var extension = Path.GetExtension(outputPath).ToLowerInvariant();
+            return extension switch
+            {
+                ".md" or ".markdown" => PolicySimulationOutputFormat.Markdown,
+                ".json" => PolicySimulationOutputFormat.Json,
+                _ => PolicySimulationOutputFormat.Json
+            };
+        }
+
+        if (Console.IsOutputRedirected)
         {
             return PolicySimulationOutputFormat.Json;
         }
@@ -5038,12 +5167,25 @@ internal static class CommandHandlers
             return;
         }
 
+        // CLI-POLICY-27-003: Handle markdown console output
+        if (format == PolicySimulationOutputFormat.Markdown)
+        {
+            RenderPolicySimulationMarkdown(result);
+            return;
+        }
+
         logger.LogInformation(
             "Policy diff summary — Added: {Added}, Removed: {Removed}, Unchanged: {Unchanged}.",
             result.Diff.Added,
             result.Diff.Removed,
             result.Diff.Unchanged);
 
+        // CLI-POLICY-27-003: Render heatmap summary if present
+        if (result.Heatmap is not null)
+        {
+            RenderPolicySimulationHeatmap(result.Heatmap);
+        }
+
         if (result.Diff.BySeverity.Count > 0)
         {
             if (AnsiConsole.Profile.Capabilities.Interactive)
@@ -5098,6 +5240,109 @@ internal static class CommandHandlers
         }
     }
 
+    // CLI-POLICY-27-003: Render heatmap severity visualization
+    private static void RenderPolicySimulationHeatmap(PolicySimulationHeatmap heatmap)
+    {
+        if (!AnsiConsole.Profile.Capabilities.Interactive)
+        {
+            Console.WriteLine($"Heatmap: Critical={heatmap.Critical}, High={heatmap.High}, Medium={heatmap.Medium}, Low={heatmap.Low}, Info={heatmap.Info}");
+            return;
+        }
+
+        var grid = new Grid();
+        grid.AddColumn(new GridColumn().NoWrap());
+        grid.AddColumn(new GridColumn().NoWrap());
+        grid.AddColumn(new GridColumn().NoWrap());
+        grid.AddColumn(new GridColumn().NoWrap());
+        grid.AddColumn(new GridColumn().NoWrap());
+
+        grid.AddRow(
+            new Markup($"[bold red]Critical: {heatmap.Critical}[/]"),
+            new Markup($"[bold orange1]High: {heatmap.High}[/]"),
+            new Markup($"[bold yellow]Medium: {heatmap.Medium}[/]"),
+            new Markup($"[bold blue]Low: {heatmap.Low}[/]"),
+            new Markup($"[bold grey]Info: {heatmap.Info}[/]"));
+
+        var panel = new Panel(grid)
+            .Header("[bold]Severity Heatmap[/]")
+            .Border(BoxBorder.Rounded);
+
+        AnsiConsole.Write(panel);
+    }
+
+    // CLI-POLICY-27-003: Render markdown output to console
+    private static void RenderPolicySimulationMarkdown(PolicySimulationResult result)
+    {
+        Console.WriteLine("# Policy Simulation Report");
+        Console.WriteLine();
+        Console.WriteLine("## Summary");
+        Console.WriteLine();
+        Console.WriteLine("| Metric | Count |");
+        Console.WriteLine("|--------|-------|");
+        Console.WriteLine($"| Added | {result.Diff.Added} |");
+        Console.WriteLine($"| Removed | {result.Diff.Removed} |");
+        Console.WriteLine($"| Unchanged | {result.Diff.Unchanged} |");
+        Console.WriteLine();
+
+        if (result.Heatmap is not null)
+        {
+            Console.WriteLine("## Severity Heatmap");
+            Console.WriteLine();
+            Console.WriteLine("| Severity | Count |");
+            Console.WriteLine("|----------|-------|");
+            Console.WriteLine($"| Critical | {result.Heatmap.Critical} |");
+            Console.WriteLine($"| High | {result.Heatmap.High} |");
+            Console.WriteLine($"| Medium | {result.Heatmap.Medium} |");
+            Console.WriteLine($"| Low | {result.Heatmap.Low} |");
+            Console.WriteLine($"| Info | {result.Heatmap.Info} |");
+            Console.WriteLine();
+        }
+
+        if (result.Diff.BySeverity.Count > 0)
+        {
+            Console.WriteLine("## Changes by Severity");
+            Console.WriteLine();
+            Console.WriteLine("| Severity | Up | Down |");
+            Console.WriteLine("|----------|-----|------|");
+            foreach (var entry in result.Diff.BySeverity.OrderBy(kvp => kvp.Key, StringComparer.Ordinal))
+            {
+                Console.WriteLine($"| {entry.Key} | {entry.Value.Up ?? 0} | {entry.Value.Down ?? 0} |");
+            }
+            Console.WriteLine();
+        }
+
+        if (result.Diff.RuleHits.Count > 0)
+        {
+            Console.WriteLine("## Rule Impacts");
+            Console.WriteLine();
+            Console.WriteLine("| Rule | Up | Down |");
+            Console.WriteLine("|------|-----|------|");
+            foreach (var hit in result.Diff.RuleHits)
+            {
+                var ruleName = string.IsNullOrWhiteSpace(hit.RuleName) ? hit.RuleId : $"{hit.RuleName} ({hit.RuleId})";
+                Console.WriteLine($"| {ruleName} | {hit.Up ?? 0} | {hit.Down ?? 0} |");
+            }
+            Console.WriteLine();
+        }
+
+        if (!string.IsNullOrWhiteSpace(result.ExplainUri))
+        {
+            Console.WriteLine("## Resources");
+            Console.WriteLine();
+            Console.WriteLine($"- [Explain Trace]({result.ExplainUri})");
+        }
+
+        if (!string.IsNullOrWhiteSpace(result.ManifestDownloadUri))
+        {
+            if (string.IsNullOrWhiteSpace(result.ExplainUri))
+            {
+                Console.WriteLine("## Resources");
+                Console.WriteLine();
+            }
+            Console.WriteLine($"- [Manifest Download]({result.ManifestDownloadUri})");
+        }
+    }
+
     private static IReadOnlyList<string> NormalizePolicySbomSet(IReadOnlyList<string> arguments)
     {
         if (arguments is null || arguments.Count == 0)
@@ -5201,9 +5446,214 @@ internal static class CommandHandlers
         return value;
     }
 
+    // CLI-SIG-26-002: Parse reachability overrides from CLI arguments
+    private static IReadOnlyList<ReachabilityOverride> ParseReachabilityOverrides(
+        IReadOnlyList<string> stateOverrides,
+        IReadOnlyList<string> scoreOverrides)
+    {
+        var overrides = new Dictionary<string, ReachabilityOverride>(StringComparer.OrdinalIgnoreCase);
+
+        // Parse state overrides (format: "CVE-XXXX:reachable" or "pkg:npm/lodash@4.17.0:unreachable")
+        foreach (var raw in stateOverrides)
+        {
+            if (string.IsNullOrWhiteSpace(raw))
+                continue;
+
+            var (target, value) = ParseOverrideValue(raw, "state");
+            if (string.IsNullOrWhiteSpace(target) || string.IsNullOrWhiteSpace(value))
+                continue;
+
+            var state = value.ToLowerInvariant() switch
+            {
+                "reachable" => "reachable",
+                "unreachable" => "unreachable",
+                "unknown" => "unknown",
+                "indeterminate" => "indeterminate",
+                _ => throw new ArgumentException($"Invalid reachability state '{value}'. Use 'reachable', 'unreachable', 'unknown', or 'indeterminate'.")
+            };
+
+            if (!overrides.TryGetValue(target, out var existing))
+            {
+                existing = CreateReachabilityOverride(target);
+            }
+
+            overrides[target] = existing with { State = state };
+        }
+
+        // Parse score overrides (format: "CVE-XXXX:0.85" or "pkg:npm/lodash@4.17.0:0.5")
+        foreach (var raw in scoreOverrides)
+        {
+            if (string.IsNullOrWhiteSpace(raw))
+                continue;
+
+            var (target, value) = ParseOverrideValue(raw, "score");
+            if (string.IsNullOrWhiteSpace(target) || string.IsNullOrWhiteSpace(value))
+                continue;
+
+            if (!double.TryParse(value, NumberStyles.Float, CultureInfo.InvariantCulture, out var score))
+            {
+                throw new ArgumentException($"Invalid reachability score '{value}'. Expected a decimal number between 0 and 1.");
+            }
+
+            if (score < 0 || score > 1)
+            {
+                throw new ArgumentException($"Reachability score '{score}' out of range. Expected a value between 0 and 1.");
+            }
+
+            if (!overrides.TryGetValue(target, out var existing))
+            {
+                existing = CreateReachabilityOverride(target);
+            }
+
+            overrides[target] = existing with { Score = score };
+        }
+
+        return overrides.Values.ToList();
+    }
+
+    private static (string Target, string Value) ParseOverrideValue(string raw, string overrideType)
+    {
+        var trimmed = raw.Trim();
+
+        // Handle PURL format which contains colons (pkg:type/name@version)
+        int separatorIndex;
+        if (trimmed.StartsWith("pkg:", StringComparison.OrdinalIgnoreCase))
+        {
+            // Find the last colon which separates the value
+            separatorIndex = trimmed.LastIndexOf(':');
+            if (separatorIndex <= 4) // "pkg:" is 4 chars
+            {
+                throw new ArgumentException($"Invalid {overrideType} override format '{raw}'. Expected 'pkg:type/name@version:{overrideType}'.");
+            }
+        }
+        else
+        {
+            // CVE or other identifier format
+            separatorIndex = trimmed.LastIndexOf(':');
+        }
+
+        if (separatorIndex < 0 || separatorIndex == trimmed.Length - 1)
+        {
+            throw new ArgumentException($"Invalid {overrideType} override format '{raw}'. Expected 'identifier:{overrideType}'.");
+        }
+
+        var target = trimmed[..separatorIndex].Trim();
+        var value = trimmed[(separatorIndex + 1)..].Trim();
+
+        return (target, value);
+    }
+
+    private static ReachabilityOverride CreateReachabilityOverride(string target)
+    {
+        // Determine if target is a vulnerability ID or package PURL
+        if (target.StartsWith("pkg:", StringComparison.OrdinalIgnoreCase))
+        {
+            return new ReachabilityOverride { PackagePurl = target, State = string.Empty };
+        }
+        else
+        {
+            return new ReachabilityOverride { VulnerabilityId = target, State = string.Empty };
+        }
+    }
+
     private static Task WriteSimulationOutputAsync(string outputPath, object payload, CancellationToken cancellationToken)
         => WriteJsonPayloadAsync(outputPath, payload, cancellationToken);
 
+    // CLI-POLICY-27-003: Write markdown report for CI integration
+    private static async Task WriteMarkdownSimulationOutputAsync(
+        string outputPath,
+        string policyId,
+        PolicySimulationResult result,
+        CancellationToken cancellationToken)
+    {
+        var fullPath = Path.GetFullPath(outputPath);
+        var directory = Path.GetDirectoryName(fullPath);
+        if (!string.IsNullOrWhiteSpace(directory))
+        {
+            Directory.CreateDirectory(directory);
+        }
+
+        var sb = new StringBuilder();
+        sb.AppendLine("# Policy Simulation Report");
+        sb.AppendLine();
+        sb.AppendLine($"**Policy:** `{policyId}`  ");
+        sb.AppendLine($"**Generated:** {DateTimeOffset.UtcNow:yyyy-MM-dd HH:mm:ss} UTC");
+        sb.AppendLine();
+
+        sb.AppendLine("## Summary");
+        sb.AppendLine();
+        sb.AppendLine("| Metric | Count |");
+        sb.AppendLine("|--------|-------|");
+        sb.AppendLine($"| Added | {result.Diff.Added} |");
+        sb.AppendLine($"| Removed | {result.Diff.Removed} |");
+        sb.AppendLine($"| Unchanged | {result.Diff.Unchanged} |");
+        sb.AppendLine();
+
+        if (result.Heatmap is not null)
+        {
+            sb.AppendLine("## Severity Heatmap");
+            sb.AppendLine();
+            sb.AppendLine("| Severity | Count |");
+            sb.AppendLine("|----------|-------|");
+            sb.AppendLine($"| Critical | {result.Heatmap.Critical} |");
+            sb.AppendLine($"| High | {result.Heatmap.High} |");
+            sb.AppendLine($"| Medium | {result.Heatmap.Medium} |");
+            sb.AppendLine($"| Low | {result.Heatmap.Low} |");
+            sb.AppendLine($"| Info | {result.Heatmap.Info} |");
+            sb.AppendLine();
+        }
+
+        if (result.Diff.BySeverity.Count > 0)
+        {
+            sb.AppendLine("## Changes by Severity");
+            sb.AppendLine();
+            sb.AppendLine("| Severity | Up | Down |");
+            sb.AppendLine("|----------|-----|------|");
+            foreach (var entry in result.Diff.BySeverity.OrderBy(kvp => kvp.Key, StringComparer.Ordinal))
+            {
+                sb.AppendLine($"| {entry.Key} | {entry.Value.Up ?? 0} | {entry.Value.Down ?? 0} |");
+            }
+            sb.AppendLine();
+        }
+
+        if (result.Diff.RuleHits.Count > 0)
+        {
+            sb.AppendLine("## Rule Impacts");
+            sb.AppendLine();
+            sb.AppendLine("| Rule | Up | Down |");
+            sb.AppendLine("|------|-----|------|");
+            foreach (var hit in result.Diff.RuleHits)
+            {
+                var ruleName = string.IsNullOrWhiteSpace(hit.RuleName) ? hit.RuleId : $"{hit.RuleName} ({hit.RuleId})";
+                sb.AppendLine($"| {ruleName} | {hit.Up ?? 0} | {hit.Down ?? 0} |");
+            }
+            sb.AppendLine();
+        }
+
+        if (!string.IsNullOrWhiteSpace(result.ExplainUri))
+        {
+            sb.AppendLine("## Additional Resources");
+            sb.AppendLine();
+            sb.AppendLine($"- [Explain Trace]({result.ExplainUri})");
+        }
+
+        if (!string.IsNullOrWhiteSpace(result.ManifestDownloadUri))
+        {
+            if (string.IsNullOrWhiteSpace(result.ExplainUri))
+            {
+                sb.AppendLine("## Additional Resources");
+                sb.AppendLine();
+            }
+            sb.AppendLine($"- [Manifest Download]({result.ManifestDownloadUri})");
+            if (!string.IsNullOrWhiteSpace(result.ManifestDigest))
+            {
+                sb.AppendLine($"  - Digest: `{result.ManifestDigest}`");
+            }
+        }
+
+        await File.WriteAllTextAsync(fullPath, sb.ToString(), cancellationToken).ConfigureAwait(false);
+    }
+
     private static async Task WriteJsonPayloadAsync(string outputPath, object payload, CancellationToken cancellationToken)
     {
         var fullPath = Path.GetFullPath(outputPath);
@@ -5915,7 +6365,8 @@ internal static class CommandHandlers
     private enum PolicySimulationOutputFormat
     {
         Table,
-        Json
+        Json,
+        Markdown
     }
 
     private enum PolicyFindingsOutputFormat
@@ -9590,6 +10041,1877 @@ internal static class CommandHandlers
 
     private sealed record RiskProfileValidationIssue(string Path, string Error, string Message);
 
+    // CLI-POLICY-20-001: policy new handler
+
+    public static async Task<int> HandlePolicyNewAsync(
+        string name,
+        string? templateName,
+        string? outputPath,
+        string? description,
+        string[] tags,
+        bool shadowMode,
+        bool createFixtures,
+        bool gitInit,
+        string? format,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        const int ExitSuccess = 0;
+        const int ExitInputError = 4;
+
+        if (string.IsNullOrWhiteSpace(name))
+        {
+            AnsiConsole.MarkupLine("[red]Error:[/] Policy name is required.");
+            return ExitInputError;
+        }
+
+        // Sanitize name for file
+        var safeName = string.Join("_", name.Split(Path.GetInvalidFileNameChars()));
+        var template = ParsePolicyTemplate(templateName);
+        var finalPath = outputPath ?? $"./{safeName}.stella";
+        finalPath = Path.GetFullPath(finalPath);
+
+        if (File.Exists(finalPath))
+        {
+            AnsiConsole.MarkupLine($"[red]Error:[/] File already exists: {Markup.Escape(finalPath)}");
+            return ExitInputError;
+        }
+
+        // Generate policy content
+        var policyContent = GeneratePolicyFromTemplate(name, template, description, tags, shadowMode);
+
+        // Write the policy file
+        var directory = Path.GetDirectoryName(finalPath);
+        if (!string.IsNullOrEmpty(directory) && !Directory.Exists(directory))
+        {
+            Directory.CreateDirectory(directory);
+        }
+
+        await File.WriteAllTextAsync(finalPath, policyContent, cancellationToken).ConfigureAwait(false);
+
+        string? fixturesDir = null;
+        if (createFixtures)
+        {
+            fixturesDir = Path.Combine(directory ?? ".", "tests", "policy", safeName, "cases");
+            Directory.CreateDirectory(fixturesDir);
+
+            // Create a sample fixture
+            var sampleFixture = GenerateSampleFixture(safeName);
+            var fixturePath = Path.Combine(fixturesDir, "sample_test.json");
+            await File.WriteAllTextAsync(fixturePath, sampleFixture, cancellationToken).ConfigureAwait(false);
+        }
+
+        if (gitInit && !string.IsNullOrEmpty(directory))
+        {
+            var gitDir = Path.Combine(directory, ".git");
+            if (!Directory.Exists(gitDir))
+            {
+                await RunGitCommandAsync(directory, "init", cancellationToken).ConfigureAwait(false);
+                if (verbose)
+                {
+                    AnsiConsole.MarkupLine("[grey]Initialized Git repository[/]");
+                }
+            }
+        }
+
+        // Build result
+        var result = new PolicyNewResult
+        {
+            Success = true,
+            PolicyPath = finalPath,
+            FixturesPath = fixturesDir,
+            Template = template.ToString(),
+            SyntaxVersion = "stella-dsl@1"
+        };
+
+        // Output
+        var outputFormat = string.Equals(format, "json", StringComparison.OrdinalIgnoreCase) ? "json" : "table";
+
+        if (outputFormat == "json")
+        {
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+        }
+        else
+        {
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Policy Created[/]", "[green]Success[/]")
+                .AddRow("[bold]Path[/]", Markup.Escape(finalPath))
+                .AddRow("[bold]Template[/]", Markup.Escape(template.ToString()))
+                .AddRow("[bold]Syntax[/]", "stella-dsl@1")
+                .AddRow("[bold]Shadow Mode[/]", shadowMode ? "[yellow]Enabled[/]" : "[dim]Disabled[/]");
+
+            if (!string.IsNullOrEmpty(fixturesDir))
+            {
+                grid.AddRow("[bold]Fixtures[/]", Markup.Escape(fixturesDir));
+            }
+
+            AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("New Policy") });
+
+            AnsiConsole.WriteLine();
+            AnsiConsole.MarkupLine("[grey]Next steps:[/]");
+            AnsiConsole.MarkupLine($"  1. Edit policy: [cyan]stella policy edit {Markup.Escape(finalPath)}[/]");
+            AnsiConsole.MarkupLine($"  2. Validate: [cyan]stella policy lint {Markup.Escape(finalPath)}[/]");
+            if (createFixtures)
+            {
+                AnsiConsole.MarkupLine($"  3. Run tests: [cyan]stella policy test {Markup.Escape(finalPath)}[/]");
+            }
+        }
+
+        return ExitSuccess;
+    }
+
+    private static PolicyTemplate ParsePolicyTemplate(string? name)
+    {
+        if (string.IsNullOrWhiteSpace(name))
+            return PolicyTemplate.Minimal;
+
+        return name.ToLowerInvariant() switch
+        {
+            "minimal" => PolicyTemplate.Minimal,
+            "baseline" => PolicyTemplate.Baseline,
+            "vex-precedence" or "vex" => PolicyTemplate.VexPrecedence,
+            "reachability" => PolicyTemplate.Reachability,
+            "secret-leak" or "secrets" => PolicyTemplate.SecretLeak,
+            "full" => PolicyTemplate.Full,
+            _ => PolicyTemplate.Minimal
+        };
+    }
+
+    private static string GeneratePolicyFromTemplate(string name, PolicyTemplate template, string? description, string[] tags, bool shadowMode)
+    {
+        var sb = new StringBuilder();
+        var desc = description ?? $"Policy for {name}";
+        var tagList = tags.Length > 0 ? string.Join(", ", tags.Select(t => $"\"{t}\"")) : "\"custom\"";
+
+        sb.AppendLine($"policy \"{name}\" syntax \"stella-dsl@1\" {{");
+        sb.AppendLine("  metadata {");
+        sb.AppendLine($"    description = \"{desc}\"");
+        sb.AppendLine($"    tags = [{tagList}]");
+        sb.AppendLine("  }");
+        sb.AppendLine();
+
+        if (shadowMode)
+        {
+            sb.AppendLine("  settings {");
+            sb.AppendLine("    shadow = true;");
+            sb.AppendLine("  }");
+            sb.AppendLine();
+        }
+
+        switch (template)
+        {
+            case PolicyTemplate.Baseline:
+                sb.AppendLine("  profile severity {");
+                sb.AppendLine("    map vendor_weight {");
+                sb.AppendLine("      source \"GHSA\" => +0.5;");
+                sb.AppendLine("      source \"OSV\"  => +0.0;");
+                sb.AppendLine("    }");
+                sb.AppendLine("  }");
+                sb.AppendLine();
+                sb.AppendLine("  rule advisory_normalization {");
+                sb.AppendLine("    when advisory.source in [\"GHSA\", \"OSV\"]");
+                sb.AppendLine("    then severity := normalize_cvss(advisory)");
+                sb.AppendLine("    because \"Align vendor severity to CVSS baseline\";");
+                sb.AppendLine("  }");
+                break;
+
+            case PolicyTemplate.VexPrecedence:
+                sb.AppendLine("  rule vex_strong_claim priority 5 {");
+                sb.AppendLine("    when vex.any(status == \"not_affected\")");
+                sb.AppendLine("         and vex.justification in [\"component_not_present\", \"vulnerable_code_not_present\"]");
+                sb.AppendLine("    then status := vex.status");
+                sb.AppendLine("         annotate winning_statement := vex.latest().statementId");
+                sb.AppendLine("    because \"Strong VEX justification\";");
+                sb.AppendLine("  }");
+                sb.AppendLine();
+                sb.AppendLine("  rule vex_fixed priority 10 {");
+                sb.AppendLine("    when vex.any(status == \"fixed\")");
+                sb.AppendLine("    then status := \"fixed\"");
+                sb.AppendLine("    because \"Vendor confirms fix available\";");
+                sb.AppendLine("  }");
+                break;
+
+            case PolicyTemplate.Reachability:
+                sb.AppendLine("  rule reachability_gate priority 20 {");
+                sb.AppendLine("    when exists(telemetry.reachability)");
+                sb.AppendLine("         and telemetry.reachability.state == \"reachable\"");
+                sb.AppendLine("         and telemetry.reachability.score >= 0.6");
+                sb.AppendLine("    then status := \"affected\"");
+                sb.AppendLine("    because \"Runtime/graph evidence shows reachable code path\";");
+                sb.AppendLine("  }");
+                sb.AppendLine();
+                sb.AppendLine("  rule unreachable_downgrade priority 25 {");
+                sb.AppendLine("    when exists(telemetry.reachability)");
+                sb.AppendLine("         and telemetry.reachability.state == \"unreachable\"");
+                sb.AppendLine("    then severity := severity - 1.0");
+                sb.AppendLine("         annotate reason := \"Unreachable code path\"");
+                sb.AppendLine("    because \"Reduce severity for unreachable vulnerabilities\";");
+                sb.AppendLine("  }");
+                break;
+
+            case PolicyTemplate.SecretLeak:
+                sb.AppendLine("  rule secret_detection priority 1 {");
+                sb.AppendLine("    when secret.hasFinding()");
+                sb.AppendLine("    then status := \"affected\"");
+                sb.AppendLine("         escalate to severity_band(\"critical\")");
+                sb.AppendLine("    because \"Secret leak detected in codebase\";");
+                sb.AppendLine("  }");
+                sb.AppendLine();
+                sb.AppendLine("  rule secret_allowlist priority 2 {");
+                sb.AppendLine("    when secret.hasFinding()");
+                sb.AppendLine("         and secret.path.allowlist([\"**/test/**\", \"**/fixtures/**\"])");
+                sb.AppendLine("    then ignore until \"2099-12-31T23:59:59Z\"");
+                sb.AppendLine("    because \"Test fixtures may contain example secrets\";");
+                sb.AppendLine("  }");
+                break;
+
+            case PolicyTemplate.Full:
+                sb.AppendLine("  profile severity {");
+                sb.AppendLine("    map vendor_weight {");
+                sb.AppendLine("      source \"GHSA\" => +0.5;");
+                sb.AppendLine("      source \"OSV\"  => +0.0;");
+                sb.AppendLine("      source \"VendorX\" => -0.2;");
+                sb.AppendLine("    }");
+                sb.AppendLine("    env exposure_adjustments {");
+                sb.AppendLine("      if env.runtime == \"serverless\" then -0.5;");
+                sb.AppendLine("      if env.exposure == \"internal-only\" then -1.0;");
+                sb.AppendLine("    }");
+                sb.AppendLine("  }");
+                sb.AppendLine();
+                sb.AppendLine("  rule vex_precedence priority 10 {");
+                sb.AppendLine("    when vex.any(status in [\"not_affected\", \"fixed\"])");
+                sb.AppendLine("         and vex.justification in [\"component_not_present\", \"vulnerable_code_not_present\"]");
+                sb.AppendLine("    then status := vex.status");
+                sb.AppendLine("    because \"Strong vendor justification prevails\";");
+                sb.AppendLine("  }");
+                sb.AppendLine();
+                sb.AppendLine("  rule reachability_gate priority 20 {");
+                sb.AppendLine("    when exists(telemetry.reachability)");
+                sb.AppendLine("         and telemetry.reachability.state == \"reachable\"");
+                sb.AppendLine("         and telemetry.reachability.score >= 0.6");
+                sb.AppendLine("    then status := \"affected\"");
+                sb.AppendLine("    because \"Runtime/graph evidence shows reachable code path\";");
+                sb.AppendLine("  }");
+                sb.AppendLine();
+                sb.AppendLine("  rule trust_penalty priority 30 {");
+                sb.AppendLine("    when signals.trust_score < 0.4 or signals.entropy_penalty > 0.2");
+                sb.AppendLine("    then severity := severity_band(\"critical\")");
+                sb.AppendLine("    because \"Low trust score or high entropy\";");
+                sb.AppendLine("  }");
+                break;
+
+            case PolicyTemplate.Minimal:
+            default:
+                sb.AppendLine("  // Add your rules here");
+                sb.AppendLine("  // Example:");
+                sb.AppendLine("  // rule example_rule priority 10 {");
+                sb.AppendLine("  //   when advisory.severity >= \"High\"");
+                sb.AppendLine("  //   then status := \"affected\"");
+                sb.AppendLine("  //   because \"High severity findings require attention\";");
+                sb.AppendLine("  // }");
+                break;
+        }
+
+        sb.AppendLine("}");
+        return sb.ToString();
+    }
+
+    private static string GenerateSampleFixture(string policyName)
+    {
+        return JsonSerializer.Serialize(new
+        {
+            description = $"Sample test case for {policyName}",
+            expected_outcome = "pass",
+            input = new
+            {
+                sbom = new { purl = "pkg:npm/lodash@4.17.21", name = "lodash", version = "4.17.21" },
+                advisory = new { id = "GHSA-test-1234", source = "GHSA", severity = "High" },
+                vex = Array.Empty<object>(),
+                env = new { runtime = "nodejs", exposure = "internet" }
+            },
+            expected_findings = new[]
+            {
+                new { status = "affected", severity = "High" }
+            }
+        }, new JsonSerializerOptions { WriteIndented = true });
+    }
+
+    // CLI-POLICY-23-006: policy history handler
+
+    public static async Task<int> HandlePolicyHistoryAsync(
+        IServiceProvider services,
+        string policyId,
+        string? tenant,
+        string? from,
+        string? to,
+        string? status,
+        int? limit,
+        string? cursor,
+        string? format,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!OfflineModeGuard.IsNetworkAllowed(options, "policy history"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<IBackendOperationsClient>();
+
+        try
+        {
+            DateTimeOffset? fromDate = null;
+            DateTimeOffset? toDate = null;
+
+            if (!string.IsNullOrWhiteSpace(from) && DateTimeOffset.TryParse(from, out var parsedFrom))
+            {
+                fromDate = parsedFrom;
+            }
+            if (!string.IsNullOrWhiteSpace(to) && DateTimeOffset.TryParse(to, out var parsedTo))
+            {
+                toDate = parsedTo;
+            }
+
+            var request = new PolicyHistoryRequest
+            {
+                PolicyId = policyId,
+                Tenant = tenant,
+                From = fromDate,
+                To = toDate,
+                Status = status,
+                Limit = limit,
+                Cursor = cursor
+            };
+
+            var response = await client.GetPolicyHistoryAsync(request, cancellationToken).ConfigureAwait(false);
+
+            var outputFormat = string.Equals(format, "json", StringComparison.OrdinalIgnoreCase) ? "json" : "table";
+
+            if (outputFormat == "json")
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(response, JsonOptions));
+                return 0;
+            }
+
+            if (response.Items.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[yellow]No policy runs found matching the criteria.[/]");
+                return 0;
+            }
+
+            var table = new Table();
+            table.AddColumn("Run ID");
+            table.AddColumn("Version");
+            table.AddColumn("Status");
+            table.AddColumn("Started");
+            table.AddColumn("Duration");
+            table.AddColumn("SBOMs");
+            table.AddColumn("Findings");
+            table.AddColumn("Changed");
+
+            foreach (var run in response.Items)
+            {
+                var statusColor = run.Status.ToLowerInvariant() switch
+                {
+                    "completed" => "green",
+                    "failed" => "red",
+                    "running" => "yellow",
+                    _ => "dim"
+                };
+
+                var durationStr = run.Duration.HasValue
+                    ? $"{run.Duration.Value.TotalSeconds:F1}s"
+                    : "-";
+
+                table.AddRow(
+                    Markup.Escape(run.RunId.Length > 12 ? run.RunId[..12] + "..." : run.RunId),
+                    $"v{run.PolicyVersion}",
+                    $"[{statusColor}]{Markup.Escape(run.Status)}[/]",
+                    run.StartedAt.ToString("yyyy-MM-dd HH:mm"),
+                    durationStr,
+                    run.SbomCount.ToString(),
+                    run.FindingsGenerated.ToString(),
+                    run.FindingsChanged > 0 ? $"[yellow]{run.FindingsChanged}[/]" : "0");
+            }
+
+            AnsiConsole.Write(new Panel(table) { Header = new PanelHeader($"Policy Runs: {policyId}") });
+
+            if (response.HasMore && !string.IsNullOrWhiteSpace(response.NextCursor))
+            {
+                AnsiConsole.MarkupLine($"[grey]More results available. Use --cursor {Markup.Escape(response.NextCursor)}[/]");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    // CLI-POLICY-23-006: policy explain tree handler
+
+    public static async Task<int> HandlePolicyExplainTreeAsync(
+        IServiceProvider services,
+        string policyId,
+        string? runId,
+        string? findingId,
+        string? sbomId,
+        string? purl,
+        string? advisory,
+        string? tenant,
+        int? depth,
+        string? format,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!OfflineModeGuard.IsNetworkAllowed(options, "policy explain"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<IBackendOperationsClient>();
+
+        try
+        {
+            var request = new PolicyExplainRequest
+            {
+                PolicyId = policyId,
+                RunId = runId,
+                FindingId = findingId,
+                SbomId = sbomId,
+                ComponentPurl = purl,
+                AdvisoryId = advisory,
+                Tenant = tenant,
+                Depth = depth
+            };
+
+            var result = await client.GetPolicyExplainAsync(request, cancellationToken).ConfigureAwait(false);
+
+            var outputFormat = string.Equals(format, "json", StringComparison.OrdinalIgnoreCase) ? "json" : "table";
+
+            if (outputFormat == "json")
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return 0;
+            }
+
+            if (result.Errors is { Count: > 0 })
+            {
+                foreach (var err in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(err)}[/]");
+                }
+                return 1;
+            }
+
+            // Header panel
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Policy[/]", $"{Markup.Escape(result.PolicyId)} v{result.PolicyVersion}")
+                .AddRow("[bold]Timestamp[/]", result.Timestamp.ToString("yyyy-MM-dd HH:mm:ss"));
+
+            if (!string.IsNullOrWhiteSpace(result.RunId))
+            {
+                grid.AddRow("[bold]Run ID[/]", Markup.Escape(result.RunId));
+            }
+
+            AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("Policy Explain") });
+
+            // Subject
+            if (result.Subject != null)
+            {
+                var subjectGrid = new Grid()
+                    .AddColumn()
+                    .AddColumn();
+
+                if (!string.IsNullOrWhiteSpace(result.Subject.ComponentPurl))
+                    subjectGrid.AddRow("[bold]PURL[/]", Markup.Escape(result.Subject.ComponentPurl));
+                if (!string.IsNullOrWhiteSpace(result.Subject.ComponentName))
+                    subjectGrid.AddRow("[bold]Component[/]", $"{Markup.Escape(result.Subject.ComponentName)}@{Markup.Escape(result.Subject.ComponentVersion ?? "?")}");
+                if (!string.IsNullOrWhiteSpace(result.Subject.AdvisoryId))
+                    subjectGrid.AddRow("[bold]Advisory[/]", $"{Markup.Escape(result.Subject.AdvisoryId)} ({Markup.Escape(result.Subject.AdvisorySource ?? "unknown")})");
+
+                AnsiConsole.Write(new Panel(subjectGrid) { Header = new PanelHeader("Subject") });
+            }
+
+            // Decision
+            if (result.Decision != null)
+            {
+                var decisionColor = result.Decision.Status.ToLowerInvariant() switch
+                {
+                    "affected" => "red",
+                    "not_affected" or "fixed" => "green",
+                    "under_investigation" => "yellow",
+                    _ => "dim"
+                };
+
+                var decisionGrid = new Grid()
+                    .AddColumn()
+                    .AddColumn()
+                    .AddRow("[bold]Status[/]", $"[{decisionColor}]{Markup.Escape(result.Decision.Status)}[/]");
+
+                if (!string.IsNullOrWhiteSpace(result.Decision.Severity))
+                {
+                    decisionGrid.AddRow("[bold]Severity[/]", Markup.Escape(result.Decision.Severity));
+                }
+                if (!string.IsNullOrWhiteSpace(result.Decision.WinningRule))
+                {
+                    decisionGrid.AddRow("[bold]Winning Rule[/]", Markup.Escape(result.Decision.WinningRule));
+                }
+                if (!string.IsNullOrWhiteSpace(result.Decision.Rationale))
+                {
+                    decisionGrid.AddRow("[bold]Rationale[/]", $"[italic]{Markup.Escape(result.Decision.Rationale)}[/]");
+                }
+
+                AnsiConsole.Write(new Panel(decisionGrid) { Header = new PanelHeader("Decision") });
+            }
+
+            // Rule trace
+            if (result.RuleTrace is { Count: > 0 })
+            {
+                AnsiConsole.MarkupLine("\n[bold blue]Rule Evaluation Trace[/]");
+                AnsiConsole.WriteLine();
+
+                foreach (var entry in result.RuleTrace.OrderBy(e => e.Priority))
+                {
+                    var icon = entry.Matched ? "[green]✓[/]" : (entry.Evaluated ? "[red]✗[/]" : "[dim]○[/]");
+                    var ruleColor = entry.Matched ? "green" : (entry.Evaluated ? "dim" : "grey");
+
+                    AnsiConsole.MarkupLine($"{icon} [{ruleColor}]Rule: {Markup.Escape(entry.RuleName)}[/] (priority {entry.Priority})");
+
+                    if (entry.Predicates is { Count: > 0 } && verbose)
+                    {
+                        foreach (var pred in entry.Predicates)
+                        {
+                            var predIcon = pred.Result ? "[green]✓[/]" : "[red]✗[/]";
+                            AnsiConsole.MarkupLine($"    {predIcon} {Markup.Escape(pred.Expression)}");
+                            if (!string.IsNullOrWhiteSpace(pred.LeftValue) || !string.IsNullOrWhiteSpace(pred.RightValue))
+                            {
+                                AnsiConsole.MarkupLine($"       [grey]left={Markup.Escape(pred.LeftValue ?? "null")} right={Markup.Escape(pred.RightValue ?? "null")}[/]");
+                            }
+                        }
+                    }
+
+                    if (entry.Matched && entry.Actions is { Count: > 0 })
+                    {
+                        foreach (var action in entry.Actions.Where(a => a.Executed))
+                        {
+                            AnsiConsole.MarkupLine($"    [cyan]→ {Markup.Escape(action.Action)}: {Markup.Escape(action.Target ?? "")} = {Markup.Escape(action.Value ?? "")}[/]");
+                        }
+                    }
+
+                    if (!string.IsNullOrWhiteSpace(entry.Because) && entry.Matched)
+                    {
+                        AnsiConsole.MarkupLine($"    [italic grey]because: {Markup.Escape(entry.Because)}[/]");
+                    }
+
+                    if (!string.IsNullOrWhiteSpace(entry.SkippedReason))
+                    {
+                        AnsiConsole.MarkupLine($"    [dim]skipped: {Markup.Escape(entry.SkippedReason)}[/]");
+                    }
+                }
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    // CLI-POLICY-27-001: policy init handler
+
+    public static async Task<int> HandlePolicyInitAsync(
+        string? path,
+        string? name,
+        string? templateName,
+        bool noGit,
+        bool noReadme,
+        bool noFixtures,
+        string? format,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        const int ExitSuccess = 0;
+        const int ExitInputError = 4;
+
+        var workspacePath = Path.GetFullPath(path ?? ".");
+        var policyName = name ?? Path.GetFileName(workspacePath);
+
+        if (string.IsNullOrWhiteSpace(policyName))
+        {
+            policyName = "my-policy";
+        }
+
+        // Create workspace directory
+        Directory.CreateDirectory(workspacePath);
+
+        var template = ParsePolicyTemplate(templateName);
+        var policyPath = Path.Combine(workspacePath, $"{policyName}.stella");
+        string? fixturesPath = null;
+        var gitInitialized = false;
+        var warnings = new List<string>();
+
+        // Create policy file
+        if (!File.Exists(policyPath))
+        {
+            var policyContent = GeneratePolicyFromTemplate(policyName, template, null, Array.Empty<string>(), true);
+            await File.WriteAllTextAsync(policyPath, policyContent, cancellationToken).ConfigureAwait(false);
+        }
+        else
+        {
+            warnings.Add($"Policy file already exists: {policyPath}");
+        }
+
+        // Create fixtures directory
+        if (!noFixtures)
+        {
+            fixturesPath = Path.Combine(workspacePath, "tests", "policy", policyName, "cases");
+            Directory.CreateDirectory(fixturesPath);
+
+            var sampleFixturePath = Path.Combine(fixturesPath, "sample_test.json");
+            if (!File.Exists(sampleFixturePath))
+            {
+                var sampleFixture = GenerateSampleFixture(policyName);
+                await File.WriteAllTextAsync(sampleFixturePath, sampleFixture, cancellationToken).ConfigureAwait(false);
+            }
+        }
+
+        // Create README
+        if (!noReadme)
+        {
+            var readmePath = Path.Combine(workspacePath, "README.md");
+            if (!File.Exists(readmePath))
+            {
+                var readme = GeneratePolicyReadme(policyName);
+                await File.WriteAllTextAsync(readmePath, readme, cancellationToken).ConfigureAwait(false);
+            }
+        }
+
+        // Initialize Git
+        if (!noGit)
+        {
+            var gitDir = Path.Combine(workspacePath, ".git");
+            if (!Directory.Exists(gitDir))
+            {
+                var (exitCode, _) = await RunGitCommandAsync(workspacePath, "init", cancellationToken).ConfigureAwait(false);
+                gitInitialized = exitCode == 0;
+
+                if (gitInitialized)
+                {
+                    // Create .gitignore
+                    var gitignorePath = Path.Combine(workspacePath, ".gitignore");
+                    if (!File.Exists(gitignorePath))
+                    {
+                        await File.WriteAllTextAsync(gitignorePath, "*.ir.json\n.stella-cache/\n", cancellationToken).ConfigureAwait(false);
+                    }
+                }
+            }
+            else
+            {
+                gitInitialized = true;
+            }
+        }
+
+        var result = new PolicyWorkspaceInitResult
+        {
+            Success = true,
+            WorkspacePath = workspacePath,
+            PolicyPath = policyPath,
+            FixturesPath = fixturesPath,
+            GitInitialized = gitInitialized,
+            Warnings = warnings.Count > 0 ? warnings : null
+        };
+
+        var outputFormat = string.Equals(format, "json", StringComparison.OrdinalIgnoreCase) ? "json" : "table";
+
+        if (outputFormat == "json")
+        {
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+        }
+        else
+        {
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Workspace[/]", Markup.Escape(workspacePath))
+                .AddRow("[bold]Policy[/]", Markup.Escape(policyPath))
+                .AddRow("[bold]Template[/]", Markup.Escape(template.ToString()))
+                .AddRow("[bold]Git[/]", gitInitialized ? "[green]Initialized[/]" : "[dim]Skipped[/]");
+
+            if (!string.IsNullOrEmpty(fixturesPath))
+            {
+                grid.AddRow("[bold]Fixtures[/]", Markup.Escape(fixturesPath));
+            }
+
+            AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("Policy Workspace Initialized") });
+
+            foreach (var warning in warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+            }
+
+            AnsiConsole.WriteLine();
+            AnsiConsole.MarkupLine("[grey]Quick start:[/]");
+            AnsiConsole.MarkupLine($"  cd {Markup.Escape(workspacePath)}");
+            AnsiConsole.MarkupLine($"  stella policy edit {policyName}.stella");
+            AnsiConsole.MarkupLine($"  stella policy lint {policyName}.stella");
+            AnsiConsole.MarkupLine($"  stella policy test {policyName}.stella");
+        }
+
+        return ExitSuccess;
+    }
+
+    private static string GeneratePolicyReadme(string policyName)
+    {
+        return $@"# {policyName}
+
+This is a StellaOps policy workspace.
+
+## Files
+
+- `{policyName}.stella` - Policy DSL file
+- `tests/policy/{policyName}/cases/` - Test fixtures
+
+## Commands
+
+```bash
+# Edit the policy
+stella policy edit {policyName}.stella
+
+# Validate syntax
+stella policy lint {policyName}.stella
+
+# Compile to IR
+stella policy compile {policyName}.stella
+
+# Run tests
+stella policy test {policyName}.stella
+```
+
+## Workflow
+
+1. Edit the policy with shadow mode enabled
+2. Run `stella policy lint` to validate syntax
+3. Add test fixtures in `tests/policy/{policyName}/cases/`
+4. Run `stella policy test` to verify behavior
+5. Disable shadow mode and promote to production
+";
+    }
+
+    // CLI-POLICY-27-001: policy compile handler
+
+    public static async Task<int> HandlePolicyCompileAsync(
+        string filePath,
+        string? outputPath,
+        bool noIr,
+        bool noDigest,
+        bool optimize,
+        bool strict,
+        string? format,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        const int ExitSuccess = 0;
+        const int ExitCompileError = 1;
+        const int ExitInputError = 4;
+
+        if (string.IsNullOrWhiteSpace(filePath))
+        {
+            AnsiConsole.MarkupLine("[red]Error:[/] Policy file path is required.");
+            return ExitInputError;
+        }
+
+        var fullPath = Path.GetFullPath(filePath);
+        if (!File.Exists(fullPath))
+        {
+            AnsiConsole.MarkupLine($"[red]Error:[/] Policy file not found: {Markup.Escape(fullPath)}");
+            return ExitInputError;
+        }
+
+        var source = await File.ReadAllTextAsync(fullPath, cancellationToken).ConfigureAwait(false);
+        var compiler = new PolicyDsl.PolicyCompiler();
+        var compileResult = compiler.Compile(source);
+
+        var errors = new List<PolicyDiagnostic>();
+        var warnings = new List<PolicyDiagnostic>();
+
+        foreach (var diag in compileResult.Diagnostics)
+        {
+            var diagnostic = new PolicyDiagnostic
+            {
+                Code = diag.Code,
+                Message = diag.Message,
+                Severity = diag.Severity.ToString().ToLowerInvariant(),
+                Line = diag.Line,
+                Column = diag.Column,
+                Span = diag.Span,
+                Suggestion = diag.Suggestion
+            };
+
+            if (diag.Severity == PolicyDsl.DiagnosticSeverity.Error)
+            {
+                errors.Add(diagnostic);
+            }
+            else
+            {
+                warnings.Add(diagnostic);
+            }
+        }
+
+        // In strict mode, treat warnings as errors
+        if (strict && warnings.Count > 0)
+        {
+            errors.AddRange(warnings);
+            warnings.Clear();
+        }
+
+        string? irPath = null;
+        string? digest = null;
+
+        if (compileResult.Success && !noIr)
+        {
+            irPath = outputPath ?? Path.ChangeExtension(fullPath, ".stella.ir.json");
+            var ir = JsonSerializer.Serialize(compileResult.Document, new JsonSerializerOptions { WriteIndented = true });
+            await File.WriteAllTextAsync(irPath, ir, cancellationToken).ConfigureAwait(false);
+        }
+
+        if (compileResult.Success && !noDigest)
+        {
+            digest = compileResult.Checksum;
+        }
+
+        var result = new PolicyCompileResult
+        {
+            Success = compileResult.Success && errors.Count == 0,
+            InputPath = fullPath,
+            IrPath = irPath,
+            Digest = digest,
+            SyntaxVersion = compileResult.Document?.SyntaxVersion,
+            PolicyName = compileResult.Document?.Name,
+            RuleCount = compileResult.Document?.Rules.Length ?? 0,
+            ProfileCount = compileResult.Document?.Profiles.Length ?? 0,
+            Errors = errors.Count > 0 ? errors : null,
+            Warnings = warnings.Count > 0 ? warnings : null
+        };
+
+        var outputFormat = string.Equals(format, "json", StringComparison.OrdinalIgnoreCase) ? "json" : "table";
+
+        if (outputFormat == "json")
+        {
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+        }
+        else
+        {
+            if (result.Success)
+            {
+                var grid = new Grid()
+                    .AddColumn()
+                    .AddColumn()
+                    .AddRow("[bold]Status[/]", "[green]Compiled[/]")
+                    .AddRow("[bold]Policy[/]", Markup.Escape(result.PolicyName ?? "-"))
+                    .AddRow("[bold]Syntax[/]", Markup.Escape(result.SyntaxVersion ?? "-"))
+                    .AddRow("[bold]Rules[/]", result.RuleCount.ToString())
+                    .AddRow("[bold]Profiles[/]", result.ProfileCount.ToString());
+
+                if (!string.IsNullOrEmpty(digest))
+                {
+                    grid.AddRow("[bold]Digest[/]", Markup.Escape(digest.Length > 32 ? digest[..32] + "..." : digest));
+                }
+
+                if (!string.IsNullOrEmpty(irPath))
+                {
+                    grid.AddRow("[bold]IR Output[/]", Markup.Escape(irPath));
+                }
+
+                AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("Compilation Result") });
+            }
+            else
+            {
+                AnsiConsole.MarkupLine("[red]Compilation Failed[/]\n");
+            }
+
+            foreach (var err in errors)
+            {
+                var location = err.Line.HasValue ? $":{err.Line}" : "";
+                if (err.Column.HasValue) location += $":{err.Column}";
+                AnsiConsole.MarkupLine($"[red]error[{Markup.Escape(err.Code)}]{location}: {Markup.Escape(err.Message)}[/]");
+                if (!string.IsNullOrWhiteSpace(err.Suggestion))
+                {
+                    AnsiConsole.MarkupLine($"  [cyan]suggestion: {Markup.Escape(err.Suggestion)}[/]");
+                }
+            }
+
+            foreach (var warn in warnings)
+            {
+                var location = warn.Line.HasValue ? $":{warn.Line}" : "";
+                if (warn.Column.HasValue) location += $":{warn.Column}";
+                AnsiConsole.MarkupLine($"[yellow]warning[{Markup.Escape(warn.Code)}]{location}: {Markup.Escape(warn.Message)}[/]");
+                if (!string.IsNullOrWhiteSpace(warn.Suggestion))
+                {
+                    AnsiConsole.MarkupLine($"  [cyan]suggestion: {Markup.Escape(warn.Suggestion)}[/]");
+                }
+            }
+        }
+
+        return result.Success ? ExitSuccess : ExitCompileError;
+    }
+
+    // CLI-POLICY-27-002: Policy workflow handlers
+
+    public static async Task<int> HandlePolicyVersionBumpAsync(
+        IServiceProvider services,
+        string policyId,
+        string? bumpType,
+        string? changelog,
+        string? filePath,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!OfflineModeGuard.IsNetworkAllowed(options, "policy version bump"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<IBackendOperationsClient>();
+
+        try
+        {
+            var bump = bumpType?.ToLowerInvariant() switch
+            {
+                "major" => PolicyBumpType.Major,
+                "minor" => PolicyBumpType.Minor,
+                _ => PolicyBumpType.Patch
+            };
+
+            var request = new PolicyVersionBumpRequest
+            {
+                PolicyId = policyId,
+                BumpType = bump,
+                Changelog = changelog,
+                FilePath = filePath,
+                Tenant = tenant
+            };
+
+            var result = await client.BumpPolicyVersionAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Success ? 0 : 1;
+            }
+
+            if (!result.Success)
+            {
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(error)}[/]");
+                    }
+                }
+                return 1;
+            }
+
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Policy[/]", Markup.Escape(result.PolicyId))
+                .AddRow("[bold]Previous Version[/]", $"v{result.PreviousVersion}")
+                .AddRow("[bold]New Version[/]", $"[green]v{result.NewVersion}[/]");
+
+            if (!string.IsNullOrWhiteSpace(result.Changelog))
+            {
+                grid.AddRow("[bold]Changelog[/]", Markup.Escape(result.Changelog));
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.Digest))
+            {
+                var digestShort = result.Digest.Length > 16 ? result.Digest[..16] + "..." : result.Digest;
+                grid.AddRow("[bold]Digest[/]", Markup.Escape(digestShort));
+            }
+
+            AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("Version Bumped") });
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    public static async Task<int> HandlePolicySubmitAsync(
+        IServiceProvider services,
+        string policyId,
+        int? version,
+        string[] reviewers,
+        string? message,
+        bool urgent,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!OfflineModeGuard.IsNetworkAllowed(options, "policy submit"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<IBackendOperationsClient>();
+
+        try
+        {
+            var request = new PolicySubmitRequest
+            {
+                PolicyId = policyId,
+                Version = version,
+                Reviewers = reviewers.Length > 0 ? reviewers : null,
+                Message = message,
+                Urgent = urgent,
+                Tenant = tenant
+            };
+
+            var result = await client.SubmitPolicyForReviewAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Success ? 0 : 1;
+            }
+
+            if (!result.Success)
+            {
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(error)}[/]");
+                    }
+                }
+                return 1;
+            }
+
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Policy[/]", Markup.Escape(result.PolicyId))
+                .AddRow("[bold]Version[/]", $"v{result.Version}")
+                .AddRow("[bold]Review ID[/]", Markup.Escape(result.ReviewId))
+                .AddRow("[bold]State[/]", $"[yellow]{Markup.Escape(result.State)}[/]")
+                .AddRow("[bold]Submitted At[/]", result.SubmittedAt.ToString("yyyy-MM-dd HH:mm:ss"))
+                .AddRow("[bold]Submitted By[/]", Markup.Escape(result.SubmittedBy ?? "unknown"));
+
+            if (result.Reviewers is { Count: > 0 })
+            {
+                grid.AddRow("[bold]Reviewers[/]", Markup.Escape(string.Join(", ", result.Reviewers)));
+            }
+
+            AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("Policy Submitted for Review") });
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    public static async Task<int> HandlePolicyReviewStatusAsync(
+        IServiceProvider services,
+        string policyId,
+        string? reviewId,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!OfflineModeGuard.IsNetworkAllowed(options, "policy review status"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<IBackendOperationsClient>();
+
+        try
+        {
+            var request = new PolicyReviewStatusRequest
+            {
+                PolicyId = policyId,
+                ReviewId = reviewId,
+                Tenant = tenant
+            };
+
+            var result = await client.GetPolicyReviewStatusAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (result == null)
+            {
+                AnsiConsole.MarkupLine("[yellow]No review found for this policy.[/]");
+                return 0;
+            }
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return 0;
+            }
+
+            var stateColor = result.State.ToLowerInvariant() switch
+            {
+                "approved" => "green",
+                "rejected" => "red",
+                "submitted" or "inreview" => "yellow",
+                _ => "dim"
+            };
+
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Review ID[/]", Markup.Escape(result.ReviewId))
+                .AddRow("[bold]Policy[/]", $"{Markup.Escape(result.PolicyId)} v{result.Version}")
+                .AddRow("[bold]State[/]", $"[{stateColor}]{Markup.Escape(result.State)}[/]")
+                .AddRow("[bold]Submitted At[/]", result.SubmittedAt.ToString("yyyy-MM-dd HH:mm:ss"))
+                .AddRow("[bold]Submitted By[/]", Markup.Escape(result.SubmittedBy ?? "unknown"));
+
+            if (result.Reviewers is { Count: > 0 })
+            {
+                grid.AddRow("[bold]Reviewers[/]", Markup.Escape(string.Join(", ", result.Reviewers)));
+            }
+
+            grid.AddRow("[bold]Blocking Comments[/]", result.BlockingComments > 0 ? $"[red]{result.BlockingComments}[/]" : "0");
+            grid.AddRow("[bold]Resolved Comments[/]", result.ResolvedComments.ToString());
+
+            AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("Review Status") });
+
+            // Show approvals
+            if (result.Approvals is { Count: > 0 })
+            {
+                AnsiConsole.MarkupLine("\n[bold green]Approvals[/]");
+                foreach (var approval in result.Approvals)
+                {
+                    AnsiConsole.MarkupLine($"  [green]✓[/] {Markup.Escape(approval.Approver)} at {approval.ApprovedAt:yyyy-MM-dd HH:mm}");
+                    if (!string.IsNullOrWhiteSpace(approval.Comment))
+                    {
+                        AnsiConsole.MarkupLine($"    [grey]{Markup.Escape(approval.Comment)}[/]");
+                    }
+                }
+            }
+
+            // Show comments (verbose mode)
+            if (verbose && result.Comments is { Count: > 0 })
+            {
+                AnsiConsole.MarkupLine("\n[bold]Comments[/]");
+                foreach (var comment in result.Comments)
+                {
+                    var icon = comment.Blocking ? "[red]![/]" : "[dim]○[/]";
+                    var resolved = comment.Resolved ? " [green](resolved)[/]" : "";
+                    AnsiConsole.MarkupLine($"  {icon} {Markup.Escape(comment.Author)} at {comment.CreatedAt:yyyy-MM-dd HH:mm}{resolved}");
+                    if (comment.Line.HasValue)
+                    {
+                        AnsiConsole.MarkupLine($"    [dim]Line {comment.Line}[/]");
+                    }
+                    AnsiConsole.MarkupLine($"    {Markup.Escape(comment.Comment)}");
+                }
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    public static async Task<int> HandlePolicyReviewCommentAsync(
+        IServiceProvider services,
+        string policyId,
+        string reviewId,
+        string comment,
+        int? line,
+        string? ruleName,
+        bool blocking,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!OfflineModeGuard.IsNetworkAllowed(options, "policy review comment"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<IBackendOperationsClient>();
+
+        try
+        {
+            var request = new PolicyReviewCommentRequest
+            {
+                PolicyId = policyId,
+                ReviewId = reviewId,
+                Comment = comment,
+                Line = line,
+                RuleName = ruleName,
+                Blocking = blocking,
+                Tenant = tenant
+            };
+
+            var result = await client.AddPolicyReviewCommentAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Success ? 0 : 1;
+            }
+
+            if (!result.Success)
+            {
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(error)}[/]");
+                    }
+                }
+                return 1;
+            }
+
+            var blockingStr = blocking ? "[red]blocking[/]" : "[dim]non-blocking[/]";
+            AnsiConsole.MarkupLine($"[green]Comment added[/] ({blockingStr})");
+            AnsiConsole.MarkupLine($"  Comment ID: {Markup.Escape(result.CommentId)}");
+            AnsiConsole.MarkupLine($"  Author: {Markup.Escape(result.Author ?? "unknown")}");
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    public static async Task<int> HandlePolicyReviewApproveAsync(
+        IServiceProvider services,
+        string policyId,
+        string reviewId,
+        string? comment,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!OfflineModeGuard.IsNetworkAllowed(options, "policy review approve"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<IBackendOperationsClient>();
+
+        try
+        {
+            var request = new PolicyApproveRequest
+            {
+                PolicyId = policyId,
+                ReviewId = reviewId,
+                Comment = comment,
+                Tenant = tenant
+            };
+
+            var result = await client.ApprovePolicyReviewAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Success ? 0 : 1;
+            }
+
+            if (!result.Success)
+            {
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(error)}[/]");
+                    }
+                }
+                return 1;
+            }
+
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Policy[/]", $"{Markup.Escape(result.PolicyId)} v{result.Version}")
+                .AddRow("[bold]Review ID[/]", Markup.Escape(result.ReviewId))
+                .AddRow("[bold]State[/]", $"[green]{Markup.Escape(result.State)}[/]")
+                .AddRow("[bold]Approved At[/]", result.ApprovedAt.ToString("yyyy-MM-dd HH:mm:ss"))
+                .AddRow("[bold]Approved By[/]", Markup.Escape(result.ApprovedBy ?? "unknown"))
+                .AddRow("[bold]Approvals[/]", $"{result.CurrentApprovals}/{result.RequiredApprovals}");
+
+            AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("[green]Policy Approved[/]") });
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    public static async Task<int> HandlePolicyReviewRejectAsync(
+        IServiceProvider services,
+        string policyId,
+        string reviewId,
+        string reason,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!OfflineModeGuard.IsNetworkAllowed(options, "policy review reject"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<IBackendOperationsClient>();
+
+        try
+        {
+            var request = new PolicyRejectRequest
+            {
+                PolicyId = policyId,
+                ReviewId = reviewId,
+                Reason = reason,
+                Tenant = tenant
+            };
+
+            var result = await client.RejectPolicyReviewAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Success ? 0 : 1;
+            }
+
+            if (!result.Success)
+            {
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(error)}[/]");
+                    }
+                }
+                return 1;
+            }
+
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Policy[/]", $"{Markup.Escape(result.PolicyId)} v{result.Version}")
+                .AddRow("[bold]Review ID[/]", Markup.Escape(result.ReviewId))
+                .AddRow("[bold]State[/]", $"[red]{Markup.Escape(result.State)}[/]")
+                .AddRow("[bold]Rejected At[/]", result.RejectedAt.ToString("yyyy-MM-dd HH:mm:ss"))
+                .AddRow("[bold]Rejected By[/]", Markup.Escape(result.RejectedBy ?? "unknown"))
+                .AddRow("[bold]Reason[/]", Markup.Escape(result.Reason ?? reason));
+
+            AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("[red]Policy Rejected[/]") });
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    // CLI-POLICY-27-004: Policy lifecycle handlers
+
+    public static async Task<int> HandlePolicyPublishAsync(
+        IServiceProvider services,
+        string policyId,
+        int version,
+        bool sign,
+        string? algorithm,
+        string? keyId,
+        string? note,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!OfflineModeGuard.IsNetworkAllowed(options, "policy publish"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<IBackendOperationsClient>();
+
+        try
+        {
+            var request = new PolicyPublishRequest
+            {
+                PolicyId = policyId,
+                Version = version,
+                Sign = sign,
+                SignatureAlgorithm = algorithm,
+                KeyId = keyId,
+                Note = note,
+                Tenant = tenant
+            };
+
+            var result = await client.PublishPolicyAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Success ? 0 : 1;
+            }
+
+            if (!result.Success)
+            {
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(error)}[/]");
+                    }
+                }
+                return 1;
+            }
+
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Policy[/]", $"{Markup.Escape(result.PolicyId)} v{result.Version}")
+                .AddRow("[bold]Published At[/]", result.PublishedAt.ToString("yyyy-MM-dd HH:mm:ss"));
+
+            if (!string.IsNullOrWhiteSpace(result.SignatureId))
+            {
+                grid.AddRow("[bold]Signature ID[/]", Markup.Escape(result.SignatureId));
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.RekorLogIndex))
+            {
+                grid.AddRow("[bold]Rekor Log Index[/]", Markup.Escape(result.RekorLogIndex));
+            }
+
+            AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("[green]Policy Published[/]") });
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    public static async Task<int> HandlePolicyPromoteAsync(
+        IServiceProvider services,
+        string policyId,
+        int version,
+        string targetEnvironment,
+        bool canary,
+        int? canaryPercent,
+        string? note,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!OfflineModeGuard.IsNetworkAllowed(options, "policy promote"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<IBackendOperationsClient>();
+
+        try
+        {
+            var request = new PolicyPromoteRequest
+            {
+                PolicyId = policyId,
+                Version = version,
+                TargetEnvironment = targetEnvironment,
+                Canary = canary,
+                CanaryPercentage = canaryPercent,
+                Note = note,
+                Tenant = tenant
+            };
+
+            var result = await client.PromotePolicyAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Success ? 0 : 1;
+            }
+
+            if (!result.Success)
+            {
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(error)}[/]");
+                    }
+                }
+                return 1;
+            }
+
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Policy[/]", $"{Markup.Escape(result.PolicyId)} v{result.Version}")
+                .AddRow("[bold]Target Environment[/]", Markup.Escape(result.TargetEnvironment))
+                .AddRow("[bold]Promoted At[/]", result.PromotedAt.ToString("yyyy-MM-dd HH:mm:ss"));
+
+            if (result.PreviousVersion.HasValue)
+            {
+                grid.AddRow("[bold]Previous Version[/]", $"v{result.PreviousVersion}");
+            }
+
+            if (result.CanaryActive)
+            {
+                grid.AddRow("[bold]Canary[/]", $"[yellow]Active ({result.CanaryPercentage}%)[/]");
+            }
+
+            AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("[green]Policy Promoted[/]") });
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    public static async Task<int> HandlePolicyRollbackAsync(
+        IServiceProvider services,
+        string policyId,
+        int? targetVersion,
+        string? environment,
+        string? reason,
+        string? incidentId,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!OfflineModeGuard.IsNetworkAllowed(options, "policy rollback"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<IBackendOperationsClient>();
+
+        try
+        {
+            var request = new PolicyRollbackRequest
+            {
+                PolicyId = policyId,
+                TargetVersion = targetVersion,
+                Environment = environment,
+                Reason = reason,
+                IncidentId = incidentId,
+                Tenant = tenant
+            };
+
+            var result = await client.RollbackPolicyAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Success ? 0 : 1;
+            }
+
+            if (!result.Success)
+            {
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(error)}[/]");
+                    }
+                }
+                return 1;
+            }
+
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Policy[/]", Markup.Escape(result.PolicyId))
+                .AddRow("[bold]Rolled Back From[/]", $"v{result.PreviousVersion}")
+                .AddRow("[bold]Rolled Back To[/]", $"v{result.RolledBackToVersion}")
+                .AddRow("[bold]Rolled Back At[/]", result.RolledBackAt.ToString("yyyy-MM-dd HH:mm:ss"));
+
+            if (!string.IsNullOrWhiteSpace(result.Environment))
+            {
+                grid.AddRow("[bold]Environment[/]", Markup.Escape(result.Environment));
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.IncidentId))
+            {
+                grid.AddRow("[bold]Incident ID[/]", Markup.Escape(result.IncidentId));
+            }
+
+            AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("[yellow]Policy Rolled Back[/]") });
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    public static async Task<int> HandlePolicySignAsync(
+        IServiceProvider services,
+        string policyId,
+        int version,
+        string? keyId,
+        string? algorithm,
+        bool rekorUpload,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!OfflineModeGuard.IsNetworkAllowed(options, "policy sign"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<IBackendOperationsClient>();
+
+        try
+        {
+            var request = new PolicySignRequest
+            {
+                PolicyId = policyId,
+                Version = version,
+                KeyId = keyId,
+                SignatureAlgorithm = algorithm,
+                RekorUpload = rekorUpload,
+                Tenant = tenant
+            };
+
+            var result = await client.SignPolicyAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Success ? 0 : 1;
+            }
+
+            if (!result.Success)
+            {
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(error)}[/]");
+                    }
+                }
+                return 1;
+            }
+
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Policy[/]", $"{Markup.Escape(result.PolicyId)} v{result.Version}")
+                .AddRow("[bold]Signature ID[/]", Markup.Escape(result.SignatureId))
+                .AddRow("[bold]Algorithm[/]", Markup.Escape(result.SignatureAlgorithm))
+                .AddRow("[bold]Signed At[/]", result.SignedAt.ToString("yyyy-MM-dd HH:mm:ss"));
+
+            if (!string.IsNullOrWhiteSpace(result.KeyId))
+            {
+                grid.AddRow("[bold]Key ID[/]", Markup.Escape(result.KeyId));
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.RekorLogIndex))
+            {
+                grid.AddRow("[bold]Rekor Log Index[/]", Markup.Escape(result.RekorLogIndex));
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.RekorEntryUuid))
+            {
+                grid.AddRow("[bold]Rekor Entry UUID[/]", Markup.Escape(result.RekorEntryUuid));
+            }
+
+            AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("[green]Policy Signed[/]") });
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    public static async Task<int> HandlePolicyVerifySignatureAsync(
+        IServiceProvider services,
+        string policyId,
+        int version,
+        string? signatureId,
+        bool checkRekor,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!OfflineModeGuard.IsNetworkAllowed(options, "policy verify-signature"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<IBackendOperationsClient>();
+
+        try
+        {
+            var request = new PolicyVerifySignatureRequest
+            {
+                PolicyId = policyId,
+                Version = version,
+                SignatureId = signatureId,
+                CheckRekor = checkRekor,
+                Tenant = tenant
+            };
+
+            var result = await client.VerifyPolicySignatureAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Valid ? 0 : 1;
+            }
+
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Policy[/]", $"{Markup.Escape(result.PolicyId)} v{result.Version}")
+                .AddRow("[bold]Signature ID[/]", Markup.Escape(result.SignatureId))
+                .AddRow("[bold]Algorithm[/]", Markup.Escape(result.SignatureAlgorithm))
+                .AddRow("[bold]Signed At[/]", result.SignedAt.ToString("yyyy-MM-dd HH:mm:ss"))
+                .AddRow("[bold]Valid[/]", result.Valid ? "[green]Yes[/]" : "[red]No[/]");
+
+            if (!string.IsNullOrWhiteSpace(result.SignedBy))
+            {
+                grid.AddRow("[bold]Signed By[/]", Markup.Escape(result.SignedBy));
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.KeyId))
+            {
+                grid.AddRow("[bold]Key ID[/]", Markup.Escape(result.KeyId));
+            }
+
+            if (result.RekorVerified.HasValue)
+            {
+                grid.AddRow("[bold]Rekor Verified[/]", result.RekorVerified.Value ? "[green]Yes[/]" : "[red]No[/]");
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.RekorLogIndex))
+            {
+                grid.AddRow("[bold]Rekor Log Index[/]", Markup.Escape(result.RekorLogIndex));
+            }
+
+            if (result.Warnings is { Count: > 0 })
+            {
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+                }
+            }
+
+            if (result.Errors is { Count: > 0 })
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(error)}[/]");
+                }
+            }
+
+            var headerColor = result.Valid ? "green" : "red";
+            var headerText = result.Valid ? "Signature Valid" : "Signature Invalid";
+            AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader($"[{headerColor}]{headerText}[/]") });
+
+            return result.Valid ? 0 : 1;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
     #endregion
 
     #region VEX Consensus (CLI-VEX-30-001)
@@ -10554,6 +12876,353 @@ internal static class CommandHandlers
         }
     }
 
+    // CLI-LNM-22-002: Handle vex obs get command
+    public static async Task HandleVexObsGetAsync(
+        IServiceProvider services,
+        string tenant,
+        string[] vulnIds,
+        string[] productKeys,
+        string[] purls,
+        string[] cpes,
+        string[] statuses,
+        string[] providers,
+        int? limit,
+        string? cursor,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IVexObservationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("vex-obs");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.vex.obs.get", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "vex obs get");
+        activity?.SetTag("stellaops.cli.tenant", tenant);
+        using var duration = CliMetrics.MeasureCommandDuration("vex obs get");
+
+        try
+        {
+            tenant = tenant?.Trim().ToLowerInvariant() ?? string.Empty;
+            if (string.IsNullOrWhiteSpace(tenant))
+            {
+                throw new InvalidOperationException("Tenant must be provided.");
+            }
+
+            var query = new VexObservationQuery
+            {
+                Tenant = tenant,
+                VulnerabilityIds = vulnIds,
+                ProductKeys = productKeys,
+                Purls = purls,
+                Cpes = cpes,
+                Statuses = statuses,
+                ProviderIds = providers,
+                Limit = limit,
+                Cursor = cursor
+            };
+
+            var response = await client.GetObservationsAsync(query, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(response, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+                Environment.ExitCode = 0;
+                return;
+            }
+
+            RenderVexObservations(response, verbose);
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to fetch VEX observations.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static void RenderVexObservations(VexObservationResponse response, bool verbose)
+        {
+            if (response.Observations.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[yellow]No VEX observations found matching the query.[/]");
+                return;
+            }
+
+            AnsiConsole.MarkupLine($"[bold]VEX Observations[/] ({response.Observations.Count} result(s))");
+            AnsiConsole.MarkupLine("");
+
+            var table = new Table()
+                .Border(TableBorder.Rounded);
+
+            table.AddColumn("Obs ID");
+            table.AddColumn("Vuln ID");
+            table.AddColumn("Product");
+            table.AddColumn("Status");
+            table.AddColumn("Provider");
+            table.AddColumn("Last Seen");
+
+            foreach (var obs in response.Observations)
+            {
+                var obsId = obs.ObservationId.Length > 12 ? obs.ObservationId[..12] + "..." : obs.ObservationId;
+                var productName = obs.Product?.Name ?? obs.Product?.Key ?? "(unknown)";
+                if (productName.Length > 25) productName = productName[..22] + "...";
+                var statusMarkup = GetVexStatusMarkup(obs.Status);
+
+                table.AddRow(
+                    Markup.Escape(obsId),
+                    $"[cyan]{Markup.Escape(obs.VulnerabilityId)}[/]",
+                    Markup.Escape(productName),
+                    statusMarkup,
+                    Markup.Escape(obs.ProviderId),
+                    obs.LastSeen.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture));
+            }
+
+            AnsiConsole.Write(table);
+
+            if (response.HasMore && !string.IsNullOrWhiteSpace(response.NextCursor))
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine($"[grey]More results available. Use --cursor \"{Markup.Escape(response.NextCursor)}\" to continue.[/]");
+            }
+
+            if (verbose && response.Aggregate is { } agg)
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine("[bold]Aggregate:[/]");
+                AnsiConsole.MarkupLine($"  [grey]Vulnerabilities:[/] {agg.VulnerabilityIds.Count}");
+                AnsiConsole.MarkupLine($"  [grey]Products:[/] {agg.ProductKeys.Count}");
+                AnsiConsole.MarkupLine($"  [grey]Providers:[/] {string.Join(", ", agg.ProviderIds)}");
+                if (agg.StatusCounts.Count > 0)
+                {
+                    AnsiConsole.MarkupLine($"  [grey]Status Counts:[/]");
+                    foreach (var (status, count) in agg.StatusCounts)
+                    {
+                        AnsiConsole.MarkupLine($"    {GetVexStatusMarkup(status)}: {count}");
+                    }
+                }
+            }
+        }
+    }
+
+    // CLI-LNM-22-002: Handle vex linkset show command
+    public static async Task HandleVexLinksetShowAsync(
+        IServiceProvider services,
+        string tenant,
+        string vulnId,
+        string[] productKeys,
+        string[] purls,
+        string[] statuses,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IVexObservationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("vex-linkset");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.vex.linkset.show", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "vex linkset show");
+        activity?.SetTag("stellaops.cli.tenant", tenant);
+        activity?.SetTag("stellaops.cli.vuln_id", vulnId);
+        using var duration = CliMetrics.MeasureCommandDuration("vex linkset show");
+
+        try
+        {
+            tenant = tenant?.Trim().ToLowerInvariant() ?? string.Empty;
+            if (string.IsNullOrWhiteSpace(tenant))
+            {
+                throw new InvalidOperationException("Tenant must be provided.");
+            }
+
+            if (string.IsNullOrWhiteSpace(vulnId))
+            {
+                throw new InvalidOperationException("Vulnerability ID must be provided.");
+            }
+
+            var query = new VexLinksetQuery
+            {
+                Tenant = tenant,
+                VulnerabilityId = vulnId.Trim(),
+                ProductKeys = productKeys,
+                Purls = purls,
+                Statuses = statuses
+            };
+
+            var response = await client.GetLinksetAsync(query, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(response, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+                Environment.ExitCode = response.Conflicts.Count > 0 ? 9 : 0;
+                return;
+            }
+
+            RenderVexLinkset(response, verbose);
+            Environment.ExitCode = response.Conflicts.Count > 0 ? 9 : 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to fetch VEX linkset.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static void RenderVexLinkset(VexLinksetResponse response, bool verbose)
+        {
+            AnsiConsole.MarkupLine($"[bold]VEX Linkset for[/] [cyan]{Markup.Escape(response.VulnerabilityId)}[/]");
+            AnsiConsole.MarkupLine("");
+
+            // Summary
+            if (response.Summary is { } summary)
+            {
+                var grid = new Grid();
+                grid.AddColumn();
+                grid.AddColumn();
+
+                grid.AddRow("[grey]Total Observations:[/]", summary.TotalObservations.ToString(CultureInfo.InvariantCulture));
+                grid.AddRow("[grey]Providers:[/]", string.Join(", ", summary.Providers));
+                grid.AddRow("[grey]Products:[/]", summary.Products.Count.ToString(CultureInfo.InvariantCulture));
+                grid.AddRow("[grey]Has Conflicts:[/]", summary.HasConflicts ? "[red]YES[/]" : "[green]NO[/]");
+
+                if (summary.StatusCounts.Count > 0)
+                {
+                    var statusStr = string.Join(", ", summary.StatusCounts.Select(kv => $"{kv.Key}:{kv.Value}"));
+                    grid.AddRow("[grey]Status Distribution:[/]", statusStr);
+                }
+
+                var panel = new Panel(grid)
+                {
+                    Border = BoxBorder.Rounded,
+                    Header = new PanelHeader("[bold]Summary[/]")
+                };
+
+                AnsiConsole.Write(panel);
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Observations
+            if (response.Observations.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold]Linked Observations:[/]");
+
+                var table = new Table()
+                    .Border(TableBorder.Rounded);
+
+                table.AddColumn("Product");
+                table.AddColumn("Status");
+                table.AddColumn("Provider");
+                table.AddColumn("Justification");
+                table.AddColumn("Last Seen");
+
+                foreach (var obs in response.Observations)
+                {
+                    var productName = obs.Product?.Name ?? obs.Product?.Key ?? "(unknown)";
+                    if (productName.Length > 30) productName = productName[..27] + "...";
+                    var justification = obs.Justification ?? "-";
+                    if (justification.Length > 20) justification = justification[..17] + "...";
+
+                    table.AddRow(
+                        Markup.Escape(productName),
+                        GetVexStatusMarkup(obs.Status),
+                        Markup.Escape(obs.ProviderId),
+                        Markup.Escape(justification),
+                        obs.LastSeen.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture));
+                }
+
+                AnsiConsole.Write(table);
+                AnsiConsole.MarkupLine("");
+            }
+            else
+            {
+                AnsiConsole.MarkupLine("[yellow]No observations found for this vulnerability.[/]");
+                return;
+            }
+
+            // Conflicts
+            if (response.Conflicts.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold red]Conflicts Detected:[/]");
+
+                var conflictTable = new Table()
+                    .Border(TableBorder.Simple);
+
+                conflictTable.AddColumn("Product");
+                conflictTable.AddColumn("Conflicting Statuses");
+                conflictTable.AddColumn("Description");
+
+                foreach (var conflict in response.Conflicts)
+                {
+                    conflictTable.AddRow(
+                        Markup.Escape(conflict.ProductKey),
+                        string.Join(", ", conflict.ConflictingStatuses.Select(s => GetVexStatusMarkup(s))),
+                        Markup.Escape(conflict.Description));
+                }
+
+                AnsiConsole.Write(conflictTable);
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine("[yellow]Conflicts indicate multiple providers disagree on the status.[/]");
+            }
+
+            // Verbose: show observation details
+            if (verbose && response.Observations.Count > 0)
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine("[bold]Observation Details:[/]");
+                foreach (var obs in response.Observations)
+                {
+                    AnsiConsole.MarkupLine($"  [grey]{Markup.Escape(obs.ObservationId)}[/]");
+                    if (!string.IsNullOrWhiteSpace(obs.Detail))
+                    {
+                        var detail = obs.Detail.Length > 80 ? obs.Detail[..77] + "..." : obs.Detail;
+                        AnsiConsole.MarkupLine($"    [grey]Detail:[/] {Markup.Escape(detail)}");
+                    }
+                    if (obs.Document is { } doc)
+                    {
+                        AnsiConsole.MarkupLine($"    [grey]Format:[/] {Markup.Escape(doc.Format)}");
+                        AnsiConsole.MarkupLine($"    [grey]Digest:[/] {Markup.Escape(doc.Digest[..Math.Min(16, doc.Digest.Length)])}...");
+                    }
+                }
+            }
+        }
+    }
+
+    private static string GetVexStatusMarkup(string status)
+    {
+        return status?.ToLowerInvariant() switch
+        {
+            "affected" => "[red]affected[/]",
+            "not_affected" => "[green]not_affected[/]",
+            "fixed" => "[blue]fixed[/]",
+            "under_investigation" => "[yellow]under_investigation[/]",
+            _ => Markup.Escape(status ?? "(unknown)")
+        };
+    }
+
     #endregion
 
     #region Vulnerability Explorer (CLI-VULN-29-001)
@@ -11672,4 +14341,11300 @@ internal static class CommandHandlers
     }
 
     #endregion
+
+    #region CLI-LNM-22-001: Advisory commands
+
+    // CLI-LNM-22-001: Handle advisory obs get
+    public static async Task HandleAdvisoryObsGetAsync(
+        IServiceProvider services,
+        string tenant,
+        IReadOnlyList<string> observationIds,
+        IReadOnlyList<string> aliases,
+        IReadOnlyList<string> purls,
+        IReadOnlyList<string> cpes,
+        IReadOnlyList<string> sources,
+        string? severity,
+        bool kevOnly,
+        bool? hasFix,
+        int? limit,
+        string? cursor,
+        bool emitJson,
+        bool emitOsv,
+        bool showConflicts,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IConcelierObservationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("advisory-obs");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.advisory.obs.get", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "advisory obs");
+        activity?.SetTag("stellaops.cli.tenant", tenant);
+        using var duration = CliMetrics.MeasureCommandDuration("advisory obs");
+
+        try
+        {
+            tenant = tenant?.Trim().ToLowerInvariant() ?? string.Empty;
+            if (string.IsNullOrWhiteSpace(tenant))
+            {
+                throw new InvalidOperationException("Tenant must be provided.");
+            }
+
+            var query = new AdvisoryLinksetQuery(
+                tenant,
+                NormalizeSet(observationIds, toLower: false),
+                NormalizeSet(aliases, toLower: true),
+                NormalizeSet(purls, toLower: false),
+                NormalizeSet(cpes, toLower: false),
+                NormalizeSet(sources, toLower: true),
+                severity,
+                kevOnly ? true : null,
+                hasFix,
+                limit,
+                cursor);
+
+            var response = await client.GetLinksetAsync(query, cancellationToken).ConfigureAwait(false);
+
+            if (response.Observations.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[yellow]No observations matched the provided filters.[/]");
+                Environment.ExitCode = 0;
+                return;
+            }
+
+            if (emitOsv)
+            {
+                var osvRecords = ConvertToOsv(response, tenant);
+                var osvJson = JsonSerializer.Serialize(osvRecords, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(osvJson);
+                Environment.ExitCode = 0;
+                return;
+            }
+
+            if (emitJson)
+            {
+                var jsonOutput = showConflicts
+                    ? JsonSerializer.Serialize(response, new JsonSerializerOptions { WriteIndented = true })
+                    : JsonSerializer.Serialize(new { response.Observations, response.Linkset, response.NextCursor, response.HasMore }, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(jsonOutput);
+                Environment.ExitCode = 0;
+                return;
+            }
+
+            RenderAdvisoryObservationTable(response);
+
+            if (showConflicts && response.Conflicts.Count > 0)
+            {
+                RenderConflictsTable(response.Conflicts);
+            }
+
+            if (response.HasMore && !string.IsNullOrWhiteSpace(response.NextCursor))
+            {
+                var escapedCursor = Markup.Escape(response.NextCursor);
+                AnsiConsole.MarkupLine($"[yellow]More observations available. Continue with[/] [cyan]--cursor[/] [grey]{escapedCursor}[/]");
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to fetch advisory observations.");
+            Environment.ExitCode = 9; // ERR_AGG_* exit code
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static IReadOnlyList<string> NormalizeSet(IReadOnlyList<string> values, bool toLower)
+        {
+            if (values is null || values.Count == 0)
+            {
+                return Array.Empty<string>();
+            }
+
+            var set = new HashSet<string>(StringComparer.Ordinal);
+            foreach (var raw in values)
+            {
+                if (string.IsNullOrWhiteSpace(raw))
+                {
+                    continue;
+                }
+
+                var normalized = raw.Trim();
+                if (toLower)
+                {
+                    normalized = normalized.ToLowerInvariant();
+                }
+
+                set.Add(normalized);
+            }
+
+            return set.Count == 0 ? Array.Empty<string>() : set.ToArray();
+        }
+
+        static void RenderAdvisoryObservationTable(AdvisoryLinksetResponse response)
+        {
+            var observations = response.Observations;
+
+            var table = new Table()
+                .Centered()
+                .Border(TableBorder.Rounded);
+
+            table.AddColumn("Observation");
+            table.AddColumn("Source");
+            table.AddColumn("Aliases");
+            table.AddColumn("Severity");
+            table.AddColumn("KEV");
+            table.AddColumn("Fix");
+            table.AddColumn("Created (UTC)");
+
+            foreach (var obs in observations)
+            {
+                var sourceVendor = obs.Source?.Vendor ?? "(unknown)";
+                var aliasesText = FormatList(obs.Linkset?.Aliases);
+                var severityText = obs.Severity?.Level ?? "(n/a)";
+                var kevText = obs.Kev?.Listed == true ? "[red]YES[/]" : "[grey]no[/]";
+                var fixText = obs.Fix?.Available == true ? "[green]available[/]" : "[grey]none[/]";
+
+                table.AddRow(
+                    Markup.Escape(obs.ObservationId),
+                    Markup.Escape(sourceVendor),
+                    Markup.Escape(aliasesText),
+                    Markup.Escape(severityText),
+                    new Markup(kevText),
+                    new Markup(fixText),
+                    obs.CreatedAt.ToUniversalTime().ToString("u", CultureInfo.InvariantCulture));
+            }
+
+            AnsiConsole.Write(table);
+
+            var linkset = response.Linkset;
+            var conflictCount = response.Conflicts?.Count ?? 0;
+
+            var summary = new StringBuilder();
+            summary.Append($"[green]{observations.Count}[/] observation(s). ");
+            summary.Append($"Aliases: [green]{linkset?.Aliases?.Count ?? 0}[/], ");
+            summary.Append($"PURLs: [green]{linkset?.Purls?.Count ?? 0}[/], ");
+            summary.Append($"CPEs: [green]{linkset?.Cpes?.Count ?? 0}[/]");
+
+            if (conflictCount > 0)
+            {
+                summary.Append($", [yellow]{conflictCount} conflict(s)[/]");
+            }
+
+            AnsiConsole.MarkupLine(summary.ToString());
+        }
+
+        static void RenderConflictsTable(IReadOnlyList<AdvisoryLinksetConflict> conflicts)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[bold yellow]Conflicts Detected:[/]");
+
+            var table = new Table()
+                .Centered()
+                .Border(TableBorder.Rounded);
+
+            table.AddColumn("Type");
+            table.AddColumn("Field");
+            table.AddColumn("Sources");
+            table.AddColumn("Resolution");
+
+            foreach (var conflict in conflicts)
+            {
+                var sourcesSummary = conflict.Sources.Count > 0
+                    ? string.Join(", ", conflict.Sources.Select(s => $"{s.Source}={s.Value}"))
+                    : "(none)";
+
+                table.AddRow(
+                    Markup.Escape(conflict.Type),
+                    Markup.Escape(conflict.Field),
+                    Markup.Escape(sourcesSummary.Length > 50 ? sourcesSummary[..47] + "..." : sourcesSummary),
+                    Markup.Escape(conflict.Resolution ?? "(none)"));
+            }
+
+            AnsiConsole.Write(table);
+        }
+
+        static string FormatList(IReadOnlyList<string>? values)
+        {
+            if (values is null || values.Count == 0)
+            {
+                return "(none)";
+            }
+
+            const int MaxItems = 3;
+            if (values.Count <= MaxItems)
+            {
+                return string.Join(", ", values);
+            }
+
+            var preview = values.Take(MaxItems);
+            return $"{string.Join(", ", preview)} (+{values.Count - MaxItems})";
+        }
+
+        static IReadOnlyList<OsvVulnerability> ConvertToOsv(AdvisoryLinksetResponse response, string tenant)
+        {
+            // Group observations by primary alias (CVE)
+            var groupedByAlias = new Dictionary<string, List<AdvisoryLinksetObservation>>(StringComparer.OrdinalIgnoreCase);
+
+            foreach (var obs in response.Observations)
+            {
+                var primaryAlias = obs.Linkset?.Aliases?.FirstOrDefault(a =>
+                    a.StartsWith("CVE-", StringComparison.OrdinalIgnoreCase)) ?? obs.ObservationId;
+
+                if (!groupedByAlias.TryGetValue(primaryAlias, out var list))
+                {
+                    list = new List<AdvisoryLinksetObservation>();
+                    groupedByAlias[primaryAlias] = list;
+                }
+                list.Add(obs);
+            }
+
+            var results = new List<OsvVulnerability>();
+
+            foreach (var kvp in groupedByAlias)
+            {
+                var primaryId = kvp.Key;
+                var observations = kvp.Value;
+                var representative = observations[0];
+
+                var allAliases = observations
+                    .SelectMany(o => o.Linkset?.Aliases ?? Array.Empty<string>())
+                    .Where(a => !string.Equals(a, primaryId, StringComparison.OrdinalIgnoreCase))
+                    .Distinct(StringComparer.OrdinalIgnoreCase)
+                    .ToList();
+
+                var allPurls = observations
+                    .SelectMany(o => o.Linkset?.Purls ?? Array.Empty<string>())
+                    .Distinct(StringComparer.OrdinalIgnoreCase)
+                    .ToList();
+
+                var allSources = observations
+                    .Select(o => o.Source?.Vendor)
+                    .Where(v => !string.IsNullOrWhiteSpace(v))
+                    .Distinct(StringComparer.OrdinalIgnoreCase)
+                    .ToList();
+
+                var severity = representative.Severity;
+                var severities = new List<OsvSeverity>();
+                if (severity?.CvssV3 is { } cvss3)
+                {
+                    severities.Add(new OsvSeverity
+                    {
+                        Type = "CVSS_V3",
+                        Score = cvss3.Vector ?? $"{cvss3.Score:F1}"
+                    });
+                }
+
+                var affected = new List<OsvAffected>();
+                foreach (var purl in allPurls)
+                {
+                    var (ecosystem, name) = ParsePurl(purl);
+                    affected.Add(new OsvAffected
+                    {
+                        Package = new OsvPackage
+                        {
+                            Ecosystem = ecosystem,
+                            Name = name,
+                            Purl = purl
+                        }
+                    });
+                }
+
+                var references = observations
+                    .SelectMany(o => o.Linkset?.References ?? Array.Empty<AdvisoryObservationReference>())
+                    .Select(r => new OsvReference { Type = r.Type, Url = r.Url })
+                    .DistinctBy(r => r.Url)
+                    .ToList();
+
+                var kevInfo = representative.Kev;
+
+                var osv = new OsvVulnerability
+                {
+                    Id = primaryId,
+                    Modified = (representative.UpdatedAt ?? representative.CreatedAt).ToString("O", CultureInfo.InvariantCulture),
+                    Published = representative.CreatedAt.ToString("O", CultureInfo.InvariantCulture),
+                    Aliases = allAliases,
+                    Severity = severities,
+                    Affected = affected,
+                    References = references,
+                    DatabaseSpecific = new OsvDatabaseSpecific
+                    {
+                        Source = "stellaops",
+                        Kev = kevInfo is not null ? new OsvKevInfo
+                        {
+                            Listed = kevInfo.Listed,
+                            AddedDate = kevInfo.AddedDate?.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture),
+                            DueDate = kevInfo.DueDate?.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture),
+                            Ransomware = kevInfo.KnownRansomwareCampaignUse
+                        } : null,
+                        StellaOps = new OsvStellaOpsInfo
+                        {
+                            ObservationIds = observations.Select(o => o.ObservationId).ToList(),
+                            Tenant = tenant,
+                            Sources = allSources!,
+                            HasConflicts = response.Conflicts?.Count > 0
+                        }
+                    }
+                };
+
+                results.Add(osv);
+            }
+
+            return results;
+        }
+
+        static (string ecosystem, string name) ParsePurl(string purl)
+        {
+            // Parse pkg:ecosystem/name@version format
+            if (!purl.StartsWith("pkg:", StringComparison.OrdinalIgnoreCase))
+            {
+                return ("unknown", purl);
+            }
+
+            var withoutPrefix = purl[4..];
+            var slashIndex = withoutPrefix.IndexOf('/');
+            if (slashIndex < 0)
+            {
+                return ("unknown", withoutPrefix);
+            }
+
+            var ecosystem = withoutPrefix[..slashIndex];
+            var rest = withoutPrefix[(slashIndex + 1)..];
+
+            var atIndex = rest.IndexOf('@');
+            var name = atIndex >= 0 ? rest[..atIndex] : rest;
+
+            return (ecosystem, name);
+        }
+    }
+
+    // CLI-LNM-22-001: Handle advisory linkset show
+    public static async Task HandleAdvisoryLinksetShowAsync(
+        IServiceProvider services,
+        string tenant,
+        IReadOnlyList<string> aliases,
+        IReadOnlyList<string> purls,
+        IReadOnlyList<string> cpes,
+        IReadOnlyList<string> sources,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IConcelierObservationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("advisory-linkset");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.advisory.linkset.show", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "advisory linkset");
+        activity?.SetTag("stellaops.cli.tenant", tenant);
+        using var duration = CliMetrics.MeasureCommandDuration("advisory linkset");
+
+        try
+        {
+            tenant = tenant?.Trim().ToLowerInvariant() ?? string.Empty;
+            if (string.IsNullOrWhiteSpace(tenant))
+            {
+                throw new InvalidOperationException("Tenant must be provided.");
+            }
+
+            var query = new AdvisoryLinksetQuery(
+                tenant,
+                Array.Empty<string>(),
+                NormalizeSet(aliases, toLower: true),
+                NormalizeSet(purls, toLower: false),
+                NormalizeSet(cpes, toLower: false),
+                NormalizeSet(sources, toLower: true),
+                Severity: null,
+                KevOnly: null,
+                HasFix: null,
+                Limit: null,
+                Cursor: null);
+
+            var response = await client.GetLinksetAsync(query, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var jsonOutput = JsonSerializer.Serialize(new
+                {
+                    response.Linkset,
+                    response.Conflicts,
+                    TotalObservations = response.Observations.Count
+                }, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(jsonOutput);
+                Environment.ExitCode = 0;
+                return;
+            }
+
+            RenderLinksetSummary(response);
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to fetch advisory linkset.");
+            Environment.ExitCode = 9;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static IReadOnlyList<string> NormalizeSet(IReadOnlyList<string> values, bool toLower)
+        {
+            if (values is null || values.Count == 0)
+            {
+                return Array.Empty<string>();
+            }
+
+            var set = new HashSet<string>(StringComparer.Ordinal);
+            foreach (var raw in values)
+            {
+                if (string.IsNullOrWhiteSpace(raw))
+                {
+                    continue;
+                }
+
+                var normalized = raw.Trim();
+                if (toLower)
+                {
+                    normalized = normalized.ToLowerInvariant();
+                }
+
+                set.Add(normalized);
+            }
+
+            return set.Count == 0 ? Array.Empty<string>() : set.ToArray();
+        }
+
+        static void RenderLinksetSummary(AdvisoryLinksetResponse response)
+        {
+            var linkset = response.Linkset;
+
+            var grid = new Grid();
+            grid.AddColumn();
+            grid.AddColumn();
+
+            grid.AddRow("[bold]Linkset Summary[/]", "");
+            grid.AddRow("[grey]Total Observations:[/]", $"[green]{response.Observations.Count}[/]");
+            grid.AddRow("[grey]Aliases:[/]", $"{linkset.Aliases.Count}");
+            grid.AddRow("[grey]PURLs:[/]", $"{linkset.Purls.Count}");
+            grid.AddRow("[grey]CPEs:[/]", $"{linkset.Cpes.Count}");
+            grid.AddRow("[grey]References:[/]", $"{linkset.References.Count}");
+
+            if (linkset.SourceCoverage is { } coverage)
+            {
+                grid.AddRow("[grey]Source Coverage:[/]", $"{coverage.CoveragePercent:F1}% ({coverage.TotalSources} sources)");
+            }
+
+            if (linkset.ConflictSummary is { } conflicts && conflicts.HasConflicts)
+            {
+                grid.AddRow("[yellow]Conflicts:[/]", $"[yellow]{conflicts.TotalConflicts} total[/]");
+                if (conflicts.SeverityConflicts > 0)
+                    grid.AddRow("", $"  Severity: {conflicts.SeverityConflicts}");
+                if (conflicts.KevConflicts > 0)
+                    grid.AddRow("", $"  KEV: {conflicts.KevConflicts}");
+                if (conflicts.FixConflicts > 0)
+                    grid.AddRow("", $"  Fix: {conflicts.FixConflicts}");
+            }
+            else
+            {
+                grid.AddRow("[grey]Conflicts:[/]", "[green]None[/]");
+            }
+
+            var panel = new Panel(grid)
+            {
+                Border = BoxBorder.Rounded,
+                Header = new PanelHeader("[bold]Advisory Linkset[/]")
+            };
+
+            AnsiConsole.Write(panel);
+
+            // Show aliases
+            if (linkset.Aliases.Count > 0)
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine("[bold]Aliases:[/]");
+                foreach (var alias in linkset.Aliases.Take(20))
+                {
+                    AnsiConsole.MarkupLine($"  [cyan]{Markup.Escape(alias)}[/]");
+                }
+                if (linkset.Aliases.Count > 20)
+                {
+                    AnsiConsole.MarkupLine($"  [grey]... and {linkset.Aliases.Count - 20} more[/]");
+                }
+            }
+
+            // Show PURLs
+            if (linkset.Purls.Count > 0)
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine("[bold]Package URLs:[/]");
+                foreach (var purl in linkset.Purls.Take(10))
+                {
+                    AnsiConsole.MarkupLine($"  [blue]{Markup.Escape(purl)}[/]");
+                }
+                if (linkset.Purls.Count > 10)
+                {
+                    AnsiConsole.MarkupLine($"  [grey]... and {linkset.Purls.Count - 10} more[/]");
+                }
+            }
+        }
+    }
+
+    // CLI-LNM-22-001: Handle advisory export
+    public static async Task HandleAdvisoryExportAsync(
+        IServiceProvider services,
+        string tenant,
+        IReadOnlyList<string> aliases,
+        IReadOnlyList<string> purls,
+        IReadOnlyList<string> cpes,
+        IReadOnlyList<string> sources,
+        string? severity,
+        bool kevOnly,
+        bool? hasFix,
+        int? limit,
+        string format,
+        string? outputPath,
+        bool signed,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IConcelierObservationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("advisory-export");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.advisory.export", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "advisory export");
+        activity?.SetTag("stellaops.cli.tenant", tenant);
+        activity?.SetTag("stellaops.cli.format", format);
+        using var duration = CliMetrics.MeasureCommandDuration("advisory export");
+
+        try
+        {
+            tenant = tenant?.Trim().ToLowerInvariant() ?? string.Empty;
+            if (string.IsNullOrWhiteSpace(tenant))
+            {
+                throw new InvalidOperationException("Tenant must be provided.");
+            }
+
+            var exportFormat = format?.ToLowerInvariant() switch
+            {
+                "osv" => AdvisoryExportFormat.Osv,
+                "ndjson" => AdvisoryExportFormat.Ndjson,
+                "csv" => AdvisoryExportFormat.Csv,
+                _ => AdvisoryExportFormat.Json
+            };
+
+            var query = new AdvisoryLinksetQuery(
+                tenant,
+                Array.Empty<string>(),
+                NormalizeSet(aliases, toLower: true),
+                NormalizeSet(purls, toLower: false),
+                NormalizeSet(cpes, toLower: false),
+                NormalizeSet(sources, toLower: true),
+                severity,
+                kevOnly ? true : null,
+                hasFix,
+                limit ?? 500,
+                Cursor: null);
+
+            var response = await client.GetLinksetAsync(query, cancellationToken).ConfigureAwait(false);
+
+            if (response.Observations.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[yellow]No observations matched the provided filters. Nothing to export.[/]");
+                Environment.ExitCode = 0;
+                return;
+            }
+
+            var output = exportFormat switch
+            {
+                AdvisoryExportFormat.Osv => GenerateOsvExport(response, tenant),
+                AdvisoryExportFormat.Ndjson => GenerateNdjsonExport(response),
+                AdvisoryExportFormat.Csv => GenerateCsvExport(response),
+                _ => GenerateJsonExport(response)
+            };
+
+            if (!string.IsNullOrWhiteSpace(outputPath))
+            {
+                var fullPath = Path.GetFullPath(outputPath);
+                await File.WriteAllTextAsync(fullPath, output, cancellationToken).ConfigureAwait(false);
+                logger.LogInformation("Exported {Count} observations to {Path} ({Format})", response.Observations.Count, fullPath, format);
+                AnsiConsole.MarkupLine($"[green]Exported[/] {response.Observations.Count} observations to [cyan]{Markup.Escape(fullPath)}[/]");
+            }
+            else
+            {
+                Console.WriteLine(output);
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to export advisory observations.");
+            Environment.ExitCode = 9;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static IReadOnlyList<string> NormalizeSet(IReadOnlyList<string> values, bool toLower)
+        {
+            if (values is null || values.Count == 0)
+            {
+                return Array.Empty<string>();
+            }
+
+            var set = new HashSet<string>(StringComparer.Ordinal);
+            foreach (var raw in values)
+            {
+                if (string.IsNullOrWhiteSpace(raw))
+                {
+                    continue;
+                }
+
+                var normalized = raw.Trim();
+                if (toLower)
+                {
+                    normalized = normalized.ToLowerInvariant();
+                }
+
+                set.Add(normalized);
+            }
+
+            return set.Count == 0 ? Array.Empty<string>() : set.ToArray();
+        }
+
+        static string GenerateJsonExport(AdvisoryLinksetResponse response)
+        {
+            return JsonSerializer.Serialize(new
+            {
+                exportedAt = DateTimeOffset.UtcNow.ToString("O", CultureInfo.InvariantCulture),
+                count = response.Observations.Count,
+                observations = response.Observations,
+                linkset = response.Linkset,
+                conflicts = response.Conflicts
+            }, new JsonSerializerOptions { WriteIndented = true });
+        }
+
+        static string GenerateOsvExport(AdvisoryLinksetResponse response, string tenant)
+        {
+            var osvRecords = ConvertToOsvInternal(response, tenant);
+            return JsonSerializer.Serialize(osvRecords, new JsonSerializerOptions { WriteIndented = true });
+        }
+
+        static string GenerateNdjsonExport(AdvisoryLinksetResponse response)
+        {
+            var sb = new StringBuilder();
+            foreach (var obs in response.Observations)
+            {
+                sb.AppendLine(JsonSerializer.Serialize(obs));
+            }
+            return sb.ToString();
+        }
+
+        static string GenerateCsvExport(AdvisoryLinksetResponse response)
+        {
+            var sb = new StringBuilder();
+            sb.AppendLine("observation_id,tenant,source,upstream_id,aliases,severity,kev,has_fix,created_at");
+
+            foreach (var obs in response.Observations)
+            {
+                var aliases = obs.Linkset?.Aliases is { Count: > 0 } a ? string.Join(";", a) : "";
+                var severity = obs.Severity?.Level ?? "";
+                var kev = obs.Kev?.Listed == true ? "true" : "false";
+                var hasFix = obs.Fix?.Available == true ? "true" : "false";
+
+                sb.AppendLine($"\"{obs.ObservationId}\",\"{obs.Tenant}\",\"{obs.Source?.Vendor}\",\"{obs.Upstream?.UpstreamId}\",\"{aliases}\",\"{severity}\",{kev},{hasFix},{obs.CreatedAt:O}");
+            }
+
+            return sb.ToString();
+        }
+
+        static IReadOnlyList<OsvVulnerability> ConvertToOsvInternal(AdvisoryLinksetResponse response, string tenant)
+        {
+            var groupedByAlias = new Dictionary<string, List<AdvisoryLinksetObservation>>(StringComparer.OrdinalIgnoreCase);
+
+            foreach (var obs in response.Observations)
+            {
+                var primaryAlias = obs.Linkset?.Aliases?.FirstOrDefault(a =>
+                    a.StartsWith("CVE-", StringComparison.OrdinalIgnoreCase)) ?? obs.ObservationId;
+
+                if (!groupedByAlias.TryGetValue(primaryAlias, out var list))
+                {
+                    list = new List<AdvisoryLinksetObservation>();
+                    groupedByAlias[primaryAlias] = list;
+                }
+                list.Add(obs);
+            }
+
+            var results = new List<OsvVulnerability>();
+
+            foreach (var kvp in groupedByAlias)
+            {
+                var primaryId = kvp.Key;
+                var observations = kvp.Value;
+                var representative = observations[0];
+
+                var allAliases = observations
+                    .SelectMany(o => o.Linkset?.Aliases ?? Array.Empty<string>())
+                    .Where(a => !string.Equals(a, primaryId, StringComparison.OrdinalIgnoreCase))
+                    .Distinct(StringComparer.OrdinalIgnoreCase)
+                    .ToList();
+
+                var osv = new OsvVulnerability
+                {
+                    Id = primaryId,
+                    Modified = (representative.UpdatedAt ?? representative.CreatedAt).ToString("O", CultureInfo.InvariantCulture),
+                    Published = representative.CreatedAt.ToString("O", CultureInfo.InvariantCulture),
+                    Aliases = allAliases,
+                    DatabaseSpecific = new OsvDatabaseSpecific
+                    {
+                        Source = "stellaops",
+                        StellaOps = new OsvStellaOpsInfo
+                        {
+                            ObservationIds = observations.Select(o => o.ObservationId).ToList(),
+                            Tenant = tenant,
+                            HasConflicts = response.Conflicts?.Count > 0
+                        }
+                    }
+                };
+
+                results.Add(osv);
+            }
+
+            return results;
+        }
+    }
+
+    #endregion
+
+    #region CLI-FORENSICS-53-001: Forensic snapshot commands
+
+    // CLI-FORENSICS-53-001: Handle forensic snapshot create
+    public static async Task HandleForensicSnapshotCreateAsync(
+        IServiceProvider services,
+        string tenant,
+        string caseId,
+        string? description,
+        IReadOnlyList<string> tags,
+        IReadOnlyList<string> sbomIds,
+        IReadOnlyList<string> scanIds,
+        IReadOnlyList<string> policyIds,
+        IReadOnlyList<string> vulnIds,
+        int? retentionDays,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IForensicSnapshotClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("forensic-snapshot");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.forensic.snapshot.create", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "forensic snapshot create");
+        activity?.SetTag("stellaops.cli.tenant", tenant);
+        activity?.SetTag("stellaops.cli.case_id", caseId);
+        using var duration = CliMetrics.MeasureCommandDuration("forensic snapshot create");
+
+        try
+        {
+            tenant = tenant?.Trim().ToLowerInvariant() ?? string.Empty;
+            if (string.IsNullOrWhiteSpace(tenant))
+            {
+                throw new InvalidOperationException("Tenant must be provided.");
+            }
+
+            if (string.IsNullOrWhiteSpace(caseId))
+            {
+                throw new InvalidOperationException("Case ID must be provided.");
+            }
+
+            var snapshotScope = new ForensicSnapshotScope(
+                SbomIds: sbomIds.Count > 0 ? sbomIds : null,
+                ScanIds: scanIds.Count > 0 ? scanIds : null,
+                PolicyIds: policyIds.Count > 0 ? policyIds : null,
+                VulnerabilityIds: vulnIds.Count > 0 ? vulnIds : null);
+
+            var request = new ForensicSnapshotCreateRequest(
+                caseId,
+                description,
+                tags.Count > 0 ? tags : null,
+                snapshotScope,
+                retentionDays);
+
+            logger.LogDebug("Creating forensic snapshot for case {CaseId} in tenant {Tenant}", caseId, tenant);
+
+            var snapshot = await client.CreateSnapshotAsync(tenant, request, cancellationToken).ConfigureAwait(false);
+
+            activity?.SetTag("stellaops.cli.snapshot_id", snapshot.SnapshotId);
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(snapshot, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+                Environment.ExitCode = 0;
+                return;
+            }
+
+            RenderSnapshotCreated(snapshot);
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to create forensic snapshot.");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static void RenderSnapshotCreated(ForensicSnapshotDocument snapshot)
+        {
+            var grid = new Grid();
+            grid.AddColumn();
+            grid.AddColumn();
+
+            grid.AddRow("[bold green]Forensic Snapshot Created[/]", "");
+            grid.AddRow("[grey]Snapshot ID:[/]", $"[cyan]{Markup.Escape(snapshot.SnapshotId)}[/]");
+            grid.AddRow("[grey]Case ID:[/]", Markup.Escape(snapshot.CaseId));
+            grid.AddRow("[grey]Status:[/]", GetStatusMarkup(snapshot.Status));
+            grid.AddRow("[grey]Created At:[/]", snapshot.CreatedAt.ToString("u", CultureInfo.InvariantCulture));
+
+            if (snapshot.Manifest is { } manifest)
+            {
+                grid.AddRow("[grey]Manifest Digest:[/]", $"[yellow]{manifest.DigestAlgorithm}:{Markup.Escape(manifest.Digest)}[/]");
+            }
+
+            if (snapshot.ExpiresAt.HasValue)
+            {
+                grid.AddRow("[grey]Expires At:[/]", snapshot.ExpiresAt.Value.ToString("u", CultureInfo.InvariantCulture));
+            }
+
+            var panel = new Panel(grid)
+            {
+                Border = BoxBorder.Rounded
+            };
+
+            AnsiConsole.Write(panel);
+        }
+    }
+
+    // CLI-FORENSICS-53-001: Handle forensic snapshot list
+    public static async Task HandleForensicSnapshotListAsync(
+        IServiceProvider services,
+        string tenant,
+        string? caseId,
+        string? status,
+        IReadOnlyList<string> tags,
+        int? limit,
+        int? offset,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IForensicSnapshotClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("forensic-snapshot");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.forensic.snapshot.list", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "forensic list");
+        activity?.SetTag("stellaops.cli.tenant", tenant);
+        using var duration = CliMetrics.MeasureCommandDuration("forensic list");
+
+        try
+        {
+            tenant = tenant?.Trim().ToLowerInvariant() ?? string.Empty;
+            if (string.IsNullOrWhiteSpace(tenant))
+            {
+                throw new InvalidOperationException("Tenant must be provided.");
+            }
+
+            var query = new ForensicSnapshotListQuery(
+                tenant,
+                caseId,
+                status,
+                tags.Count > 0 ? tags : null,
+                CreatedAfter: null,
+                CreatedBefore: null,
+                limit,
+                offset);
+
+            var response = await client.ListSnapshotsAsync(query, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(response, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+                Environment.ExitCode = 0;
+                return;
+            }
+
+            if (response.Snapshots.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[yellow]No forensic snapshots found matching the criteria.[/]");
+                Environment.ExitCode = 0;
+                return;
+            }
+
+            RenderSnapshotTable(response);
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to list forensic snapshots.");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static void RenderSnapshotTable(ForensicSnapshotListResponse response)
+        {
+            var table = new Table()
+                .Centered()
+                .Border(TableBorder.Rounded);
+
+            table.AddColumn("Snapshot ID");
+            table.AddColumn("Case");
+            table.AddColumn("Status");
+            table.AddColumn("Artifacts");
+            table.AddColumn("Size");
+            table.AddColumn("Created (UTC)");
+
+            foreach (var snapshot in response.Snapshots)
+            {
+                var statusMarkup = GetStatusMarkup(snapshot.Status);
+                var artifactCount = snapshot.ArtifactCount?.ToString(CultureInfo.InvariantCulture) ?? "-";
+                var size = FormatSize(snapshot.SizeBytes);
+
+                table.AddRow(
+                    Markup.Escape(snapshot.SnapshotId.Length > 20 ? snapshot.SnapshotId[..17] + "..." : snapshot.SnapshotId),
+                    Markup.Escape(snapshot.CaseId),
+                    new Markup(statusMarkup),
+                    artifactCount,
+                    size,
+                    snapshot.CreatedAt.ToUniversalTime().ToString("u", CultureInfo.InvariantCulture));
+            }
+
+            AnsiConsole.Write(table);
+            AnsiConsole.MarkupLine($"[green]{response.Snapshots.Count}[/] of [green]{response.Total}[/] snapshot(s).");
+
+            if (response.HasMore)
+            {
+                AnsiConsole.MarkupLine("[yellow]More snapshots available. Use --limit and --offset to paginate.[/]");
+            }
+        }
+    }
+
+    // CLI-FORENSICS-53-001: Handle forensic snapshot show
+    public static async Task HandleForensicSnapshotShowAsync(
+        IServiceProvider services,
+        string tenant,
+        string snapshotId,
+        bool emitJson,
+        bool includeManifest,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IForensicSnapshotClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("forensic-snapshot");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.forensic.snapshot.show", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "forensic show");
+        activity?.SetTag("stellaops.cli.tenant", tenant);
+        activity?.SetTag("stellaops.cli.snapshot_id", snapshotId);
+        using var duration = CliMetrics.MeasureCommandDuration("forensic show");
+
+        try
+        {
+            tenant = tenant?.Trim().ToLowerInvariant() ?? string.Empty;
+            if (string.IsNullOrWhiteSpace(tenant))
+            {
+                throw new InvalidOperationException("Tenant must be provided.");
+            }
+
+            if (string.IsNullOrWhiteSpace(snapshotId))
+            {
+                throw new InvalidOperationException("Snapshot ID must be provided.");
+            }
+
+            var snapshot = await client.GetSnapshotAsync(tenant, snapshotId, cancellationToken).ConfigureAwait(false);
+
+            if (snapshot is null)
+            {
+                AnsiConsole.MarkupLine($"[red]Forensic snapshot not found:[/] {Markup.Escape(snapshotId)}");
+                Environment.ExitCode = 4; // NOT_FOUND
+                return;
+            }
+
+            ForensicSnapshotManifest? manifest = null;
+            if (includeManifest)
+            {
+                manifest = await client.GetSnapshotManifestAsync(tenant, snapshotId, cancellationToken).ConfigureAwait(false);
+            }
+
+            if (emitJson)
+            {
+                var output = includeManifest
+                    ? new { snapshot, manifest }
+                    : (object)snapshot;
+                var json = JsonSerializer.Serialize(output, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+                Environment.ExitCode = 0;
+                return;
+            }
+
+            RenderSnapshotDetails(snapshot, manifest);
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to show forensic snapshot.");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static void RenderSnapshotDetails(ForensicSnapshotDocument snapshot, ForensicSnapshotManifest? manifest)
+        {
+            var grid = new Grid();
+            grid.AddColumn();
+            grid.AddColumn();
+
+            grid.AddRow("[bold]Forensic Snapshot Details[/]", "");
+            grid.AddRow("[grey]Snapshot ID:[/]", $"[cyan]{Markup.Escape(snapshot.SnapshotId)}[/]");
+            grid.AddRow("[grey]Case ID:[/]", Markup.Escape(snapshot.CaseId));
+            grid.AddRow("[grey]Tenant:[/]", Markup.Escape(snapshot.Tenant));
+            grid.AddRow("[grey]Status:[/]", GetStatusMarkup(snapshot.Status));
+
+            if (!string.IsNullOrWhiteSpace(snapshot.Description))
+            {
+                grid.AddRow("[grey]Description:[/]", Markup.Escape(snapshot.Description));
+            }
+
+            grid.AddRow("[grey]Created At:[/]", snapshot.CreatedAt.ToString("u", CultureInfo.InvariantCulture));
+
+            if (snapshot.CompletedAt.HasValue)
+            {
+                grid.AddRow("[grey]Completed At:[/]", snapshot.CompletedAt.Value.ToString("u", CultureInfo.InvariantCulture));
+            }
+
+            if (snapshot.ExpiresAt.HasValue)
+            {
+                grid.AddRow("[grey]Expires At:[/]", snapshot.ExpiresAt.Value.ToString("u", CultureInfo.InvariantCulture));
+            }
+
+            if (!string.IsNullOrWhiteSpace(snapshot.CreatedBy))
+            {
+                grid.AddRow("[grey]Created By:[/]", Markup.Escape(snapshot.CreatedBy));
+            }
+
+            if (snapshot.ArtifactCount.HasValue)
+            {
+                grid.AddRow("[grey]Artifact Count:[/]", snapshot.ArtifactCount.Value.ToString(CultureInfo.InvariantCulture));
+            }
+
+            if (snapshot.SizeBytes.HasValue)
+            {
+                grid.AddRow("[grey]Size:[/]", FormatSize(snapshot.SizeBytes));
+            }
+
+            if (snapshot.Tags.Count > 0)
+            {
+                grid.AddRow("[grey]Tags:[/]", string.Join(", ", snapshot.Tags.Select(t => $"[blue]{Markup.Escape(t)}[/]")));
+            }
+
+            var panel = new Panel(grid)
+            {
+                Border = BoxBorder.Rounded,
+                Header = new PanelHeader("[bold]Snapshot[/]")
+            };
+
+            AnsiConsole.Write(panel);
+
+            // Manifest details
+            var snapshotManifest = manifest ?? snapshot.Manifest;
+            if (snapshotManifest is not null)
+            {
+                RenderManifestDetails(snapshotManifest, manifest is not null);
+            }
+        }
+
+        static void RenderManifestDetails(ForensicSnapshotManifest manifest, bool includeArtifacts)
+        {
+            AnsiConsole.MarkupLine("");
+
+            var grid = new Grid();
+            grid.AddColumn();
+            grid.AddColumn();
+
+            grid.AddRow("[bold]Manifest[/]", "");
+            grid.AddRow("[grey]Manifest ID:[/]", Markup.Escape(manifest.ManifestId));
+            grid.AddRow("[grey]Version:[/]", Markup.Escape(manifest.Version));
+            grid.AddRow("[grey]Digest:[/]", $"[yellow]{manifest.DigestAlgorithm}:{Markup.Escape(manifest.Digest)}[/]");
+
+            if (manifest.Signature is { } sig)
+            {
+                grid.AddRow("[grey]Signed:[/]", "[green]YES[/]");
+                grid.AddRow("[grey]Algorithm:[/]", Markup.Escape(sig.Algorithm));
+                if (!string.IsNullOrWhiteSpace(sig.KeyId))
+                {
+                    grid.AddRow("[grey]Key ID:[/]", Markup.Escape(sig.KeyId));
+                }
+                if (sig.SignedAt.HasValue)
+                {
+                    grid.AddRow("[grey]Signed At:[/]", sig.SignedAt.Value.ToString("u", CultureInfo.InvariantCulture));
+                }
+            }
+            else
+            {
+                grid.AddRow("[grey]Signed:[/]", "[grey]NO[/]");
+            }
+
+            var panel = new Panel(grid)
+            {
+                Border = BoxBorder.Rounded
+            };
+
+            AnsiConsole.Write(panel);
+
+            // Artifacts table
+            if (includeArtifacts && manifest.Artifacts.Count > 0)
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine("[bold]Artifacts:[/]");
+
+                var table = new Table()
+                    .Border(TableBorder.Rounded);
+
+                table.AddColumn("Type");
+                table.AddColumn("Path");
+                table.AddColumn("Digest");
+                table.AddColumn("Size");
+
+                foreach (var artifact in manifest.Artifacts)
+                {
+                    var path = artifact.Path.Length > 30 ? "..." + artifact.Path[^27..] : artifact.Path;
+                    var digest = artifact.Digest.Length > 16 ? artifact.Digest[..16] + "..." : artifact.Digest;
+
+                    table.AddRow(
+                        Markup.Escape(artifact.Type),
+                        Markup.Escape(path),
+                        $"[grey]{artifact.DigestAlgorithm}:[/]{Markup.Escape(digest)}",
+                        FormatSize(artifact.SizeBytes));
+                }
+
+                AnsiConsole.Write(table);
+            }
+
+            // Chain of custody
+            if (manifest.Metadata?.ChainOfCustody is { Count: > 0 } chain)
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine("[bold]Chain of Custody:[/]");
+
+                var table = new Table()
+                    .Border(TableBorder.Simple);
+
+                table.AddColumn("Timestamp");
+                table.AddColumn("Action");
+                table.AddColumn("Actor");
+                table.AddColumn("Notes");
+
+                foreach (var entry in chain)
+                {
+                    table.AddRow(
+                        entry.Timestamp.ToString("u", CultureInfo.InvariantCulture),
+                        Markup.Escape(entry.Action),
+                        Markup.Escape(entry.Actor),
+                        Markup.Escape(entry.Notes ?? "-"));
+                }
+
+                AnsiConsole.Write(table);
+            }
+        }
+    }
+
+    private static string GetStatusMarkup(string status)
+    {
+        return status?.ToLowerInvariant() switch
+        {
+            "ready" => "[green]ready[/]",
+            "pending" => "[yellow]pending[/]",
+            "creating" => "[blue]creating[/]",
+            "failed" => "[red]failed[/]",
+            "expired" => "[grey]expired[/]",
+            "archived" => "[grey]archived[/]",
+            _ => Markup.Escape(status ?? "(unknown)")
+        };
+    }
+
+    private static string FormatSize(long? bytes)
+    {
+        if (!bytes.HasValue || bytes.Value == 0)
+        {
+            return "-";
+        }
+
+        var size = bytes.Value;
+        string[] suffixes = ["B", "KB", "MB", "GB", "TB"];
+        var index = 0;
+        var value = (double)size;
+
+        while (value >= 1024 && index < suffixes.Length - 1)
+        {
+            value /= 1024;
+            index++;
+        }
+
+        return $"{value:F1} {suffixes[index]}";
+    }
+
+    // CLI-FORENSICS-54-001: Handle forensic verify command
+    public static async Task HandleForensicVerifyAsync(
+        IServiceProvider services,
+        string bundlePath,
+        bool emitJson,
+        string? trustRootPath,
+        bool verifyChecksums,
+        bool verifySignatures,
+        bool verifyChain,
+        bool strictTimeline,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var verifier = scope.ServiceProvider.GetRequiredService<IForensicVerifier>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("forensic-verify");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.forensic.verify", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "forensic verify");
+        activity?.SetTag("stellaops.cli.bundle_path", bundlePath);
+        using var duration = CliMetrics.MeasureCommandDuration("forensic verify");
+
+        try
+        {
+            if (string.IsNullOrWhiteSpace(bundlePath))
+            {
+                throw new InvalidOperationException("Bundle path must be provided.");
+            }
+
+            var options = new ForensicVerificationOptions
+            {
+                VerifyChecksums = verifyChecksums,
+                VerifySignatures = verifySignatures,
+                VerifyChainOfCustody = verifyChain,
+                StrictTimeline = strictTimeline,
+                TrustRootPath = trustRootPath
+            };
+
+            var result = await verifier.VerifyBundleAsync(bundlePath, options, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+                Environment.ExitCode = result.IsValid ? 0 : 12; // Exit code 12 for forensic verification errors
+                return;
+            }
+
+            RenderVerificationResult(result, verbose);
+            Environment.ExitCode = result.IsValid ? 0 : 12;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to verify forensic bundle.");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static void RenderVerificationResult(ForensicVerificationResult result, bool verbose)
+        {
+            var statusIcon = result.IsValid ? "[green]PASS[/]" : "[red]FAIL[/]";
+            AnsiConsole.MarkupLine($"\n[bold]Forensic Bundle Verification: {statusIcon}[/]");
+            AnsiConsole.MarkupLine($"[grey]Bundle:[/] {Markup.Escape(result.BundlePath)}");
+            AnsiConsole.MarkupLine($"[grey]Verified At:[/] {result.VerifiedAt:u}");
+            AnsiConsole.MarkupLine("");
+
+            // Manifest verification
+            if (result.ManifestVerification is { } manifest)
+            {
+                var manifestStatus = manifest.IsValid ? "[green]PASS[/]" : "[red]FAIL[/]";
+                AnsiConsole.MarkupLine($"[bold]Manifest Verification:[/] {manifestStatus}");
+                AnsiConsole.MarkupLine($"  [grey]ID:[/] {Markup.Escape(manifest.ManifestId)}");
+                AnsiConsole.MarkupLine($"  [grey]Version:[/] {Markup.Escape(manifest.Version)}");
+                AnsiConsole.MarkupLine($"  [grey]Digest ({manifest.DigestAlgorithm}):[/] {Markup.Escape(manifest.Digest)}");
+                if (!manifest.IsValid)
+                {
+                    AnsiConsole.MarkupLine($"  [grey]Computed:[/] [red]{Markup.Escape(manifest.ComputedDigest)}[/]");
+                }
+                AnsiConsole.MarkupLine($"  [grey]Artifacts:[/] {manifest.ArtifactCount}");
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Checksum verification
+            if (result.ChecksumVerification is { } checksums)
+            {
+                var checksumStatus = checksums.IsValid ? "[green]PASS[/]" : "[red]FAIL[/]";
+                AnsiConsole.MarkupLine($"[bold]Checksum Verification:[/] {checksumStatus}");
+                AnsiConsole.MarkupLine($"  [grey]Total:[/] {checksums.TotalArtifacts}");
+                AnsiConsole.MarkupLine($"  [grey]Verified:[/] [green]{checksums.VerifiedArtifacts}[/]");
+                if (checksums.FailedArtifacts.Count > 0)
+                {
+                    AnsiConsole.MarkupLine($"  [grey]Failed:[/] [red]{checksums.FailedArtifacts.Count}[/]");
+                    if (verbose)
+                    {
+                        foreach (var failure in checksums.FailedArtifacts)
+                        {
+                            AnsiConsole.MarkupLine($"    [red]- {Markup.Escape(failure.ArtifactId)}:[/] {Markup.Escape(failure.Reason)}");
+                        }
+                    }
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Signature verification
+            if (result.SignatureVerification is { } signatures)
+            {
+                var sigStatus = signatures.IsValid ? "[green]PASS[/]" : "[red]FAIL[/]";
+                AnsiConsole.MarkupLine($"[bold]Signature Verification:[/] {sigStatus}");
+                AnsiConsole.MarkupLine($"  [grey]Signatures:[/] {signatures.SignatureCount}");
+                AnsiConsole.MarkupLine($"  [grey]Verified:[/] [green]{signatures.VerifiedSignatures}[/]");
+                if (verbose && signatures.Signatures.Count > 0)
+                {
+                    foreach (var sig in signatures.Signatures)
+                    {
+                        var sigIcon = sig.IsTrusted ? "[green]TRUSTED[/]" :
+                                      sig.IsValid ? "[yellow]VALID (UNTRUSTED)[/]" :
+                                      "[red]INVALID[/]";
+                        AnsiConsole.MarkupLine($"    - Key: {Markup.Escape(sig.KeyId)} {sigIcon}");
+                        if (!string.IsNullOrWhiteSpace(sig.Reason))
+                        {
+                            AnsiConsole.MarkupLine($"      [grey]{Markup.Escape(sig.Reason)}[/]");
+                        }
+                    }
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Chain of custody verification
+            if (result.ChainOfCustodyVerification is { } chain)
+            {
+                var chainStatus = chain.IsValid ? "[green]PASS[/]" : "[red]FAIL[/]";
+                AnsiConsole.MarkupLine($"[bold]Chain of Custody Verification:[/] {chainStatus}");
+                AnsiConsole.MarkupLine($"  [grey]Entries:[/] {chain.EntryCount}");
+                AnsiConsole.MarkupLine($"  [grey]Timeline:[/] {(chain.TimelineValid ? "[green]VALID[/]" : "[red]INVALID[/]")}");
+                AnsiConsole.MarkupLine($"  [grey]Signatures:[/] {(chain.SignaturesValid ? "[green]VALID[/]" : "[red]INVALID[/]")}");
+                if (chain.Gaps.Count > 0)
+                {
+                    AnsiConsole.MarkupLine($"  [grey]Gaps:[/] [yellow]{chain.Gaps.Count}[/]");
+                    if (verbose)
+                    {
+                        foreach (var gap in chain.Gaps)
+                        {
+                            AnsiConsole.MarkupLine($"    [yellow]- {Markup.Escape(gap.Description)}[/]");
+                        }
+                    }
+                }
+                if (verbose && chain.Entries.Count > 0)
+                {
+                    AnsiConsole.MarkupLine("");
+                    var table = new Table()
+                        .Border(TableBorder.Simple);
+
+                    table.AddColumn("#");
+                    table.AddColumn("Timestamp");
+                    table.AddColumn("Action");
+                    table.AddColumn("Actor");
+                    table.AddColumn("Sig");
+
+                    foreach (var entry in chain.Entries)
+                    {
+                        var sigStatus = entry.SignatureValid switch
+                        {
+                            true => "[green]OK[/]",
+                            false => "[red]BAD[/]",
+                            null => "[grey]-[/]"
+                        };
+                        table.AddRow(
+                            entry.Index.ToString(CultureInfo.InvariantCulture),
+                            entry.Timestamp.ToString("u", CultureInfo.InvariantCulture),
+                            Markup.Escape(entry.Action),
+                            Markup.Escape(entry.Actor),
+                            sigStatus);
+                    }
+
+                    AnsiConsole.Write(table);
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Errors
+            if (result.Errors.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold red]Errors:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]- [{Markup.Escape(error.Code)}][/] {Markup.Escape(error.Message)}");
+                    if (!string.IsNullOrWhiteSpace(error.Detail))
+                    {
+                        AnsiConsole.MarkupLine($"    [grey]{Markup.Escape(error.Detail)}[/]");
+                    }
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Warnings
+            if (result.Warnings.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold yellow]Warnings:[/]");
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"  [yellow]- {Markup.Escape(warning)}[/]");
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Summary
+            AnsiConsole.MarkupLine(result.IsValid
+                ? "[bold green]All verification checks passed.[/]"
+                : "[bold red]Verification failed. See errors above.[/]");
+        }
+    }
+
+    // CLI-FORENSICS-54-002: Handle forensic attest show command
+    public static async Task HandleForensicAttestShowAsync(
+        IServiceProvider services,
+        string artifactPath,
+        bool emitJson,
+        string? trustRootPath,
+        bool verify,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var reader = scope.ServiceProvider.GetRequiredService<IAttestationReader>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("forensic-attest");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.forensic.attest.show", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "forensic attest show");
+        activity?.SetTag("stellaops.cli.artifact_path", artifactPath);
+        using var duration = CliMetrics.MeasureCommandDuration("forensic attest show");
+
+        try
+        {
+            if (string.IsNullOrWhiteSpace(artifactPath))
+            {
+                throw new InvalidOperationException("Artifact path must be provided.");
+            }
+
+            var options = new AttestationShowOptions
+            {
+                VerifySignatures = verify,
+                TrustRootPath = trustRootPath
+            };
+
+            var result = await reader.ReadAttestationAsync(artifactPath, options, cancellationToken)
+                .ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+                Environment.ExitCode = (result.VerificationResult?.IsValid ?? true) ? 0 : 12;
+                return;
+            }
+
+            RenderAttestationResult(result, verbose);
+            Environment.ExitCode = (result.VerificationResult?.IsValid ?? true) ? 0 : 12;
+        }
+        catch (FileNotFoundException ex)
+        {
+            logger.LogError("Attestation file not found: {Path}", ex.FileName);
+            AnsiConsole.MarkupLine($"[red]Attestation file not found:[/] {Markup.Escape(ex.FileName ?? artifactPath)}");
+            Environment.ExitCode = 4;
+        }
+        catch (InvalidDataException ex)
+        {
+            logger.LogError(ex, "Invalid attestation format.");
+            AnsiConsole.MarkupLine($"[red]Invalid attestation format:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to read attestation.");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static void RenderAttestationResult(AttestationShowResult result, bool verbose)
+        {
+            AnsiConsole.MarkupLine($"\n[bold]Attestation Details[/]");
+            AnsiConsole.MarkupLine($"[grey]File:[/] {Markup.Escape(result.FilePath)}");
+            AnsiConsole.MarkupLine("");
+
+            // Basic info
+            var grid = new Grid();
+            grid.AddColumn();
+            grid.AddColumn();
+
+            grid.AddRow("[grey]Payload Type:[/]", Markup.Escape(result.PayloadType));
+            grid.AddRow("[grey]Statement Type:[/]", Markup.Escape(result.StatementType));
+            grid.AddRow("[grey]Predicate Type:[/]", $"[cyan]{Markup.Escape(result.PredicateType)}[/]");
+
+            var panel = new Panel(grid)
+            {
+                Border = BoxBorder.Rounded,
+                Header = new PanelHeader("[bold]Statement[/]")
+            };
+
+            AnsiConsole.Write(panel);
+            AnsiConsole.MarkupLine("");
+
+            // Subjects
+            if (result.Subjects.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold]Subjects:[/]");
+                var table = new Table()
+                    .Border(TableBorder.Rounded);
+
+                table.AddColumn("Name");
+                table.AddColumn("Algorithm");
+                table.AddColumn("Digest");
+
+                foreach (var subject in result.Subjects)
+                {
+                    var digest = subject.DigestValue.Length > 24
+                        ? subject.DigestValue[..24] + "..."
+                        : subject.DigestValue;
+                    table.AddRow(
+                        Markup.Escape(subject.Name),
+                        Markup.Escape(subject.DigestAlgorithm),
+                        $"[grey]{Markup.Escape(digest)}[/]");
+                }
+
+                AnsiConsole.Write(table);
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Signatures
+            if (result.Signatures.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold]Signatures:[/]");
+                var table = new Table()
+                    .Border(TableBorder.Rounded);
+
+                table.AddColumn("Key ID");
+                table.AddColumn("Algorithm");
+                table.AddColumn("Valid");
+                table.AddColumn("Trusted");
+
+                foreach (var sig in result.Signatures)
+                {
+                    var keyId = sig.KeyId.Length > 20 ? sig.KeyId[..20] + "..." : sig.KeyId;
+                    var validStatus = sig.IsValid switch
+                    {
+                        true => "[green]YES[/]",
+                        false => "[red]NO[/]",
+                        null => "[grey]-[/]"
+                    };
+                    var trustedStatus = sig.IsTrusted switch
+                    {
+                        true => "[green]YES[/]",
+                        false => "[red]NO[/]",
+                        null => "[grey]-[/]"
+                    };
+
+                    table.AddRow(
+                        Markup.Escape(keyId),
+                        Markup.Escape(sig.Algorithm),
+                        validStatus,
+                        trustedStatus);
+                }
+
+                AnsiConsole.Write(table);
+
+                if (verbose)
+                {
+                    foreach (var sig in result.Signatures.Where(s => !string.IsNullOrWhiteSpace(s.Reason)))
+                    {
+                        AnsiConsole.MarkupLine($"  [grey]{Markup.Escape(sig.KeyId)}:[/] {Markup.Escape(sig.Reason!)}");
+                    }
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Predicate summary
+            if (result.PredicateSummary is { } pred)
+            {
+                AnsiConsole.MarkupLine("[bold]Predicate Summary:[/]");
+                var predGrid = new Grid();
+                predGrid.AddColumn();
+                predGrid.AddColumn();
+
+                if (!string.IsNullOrWhiteSpace(pred.BuildType))
+                {
+                    predGrid.AddRow("[grey]Build Type:[/]", Markup.Escape(pred.BuildType));
+                }
+
+                if (!string.IsNullOrWhiteSpace(pred.Builder))
+                {
+                    predGrid.AddRow("[grey]Builder:[/]", Markup.Escape(pred.Builder));
+                }
+
+                if (pred.Timestamp.HasValue)
+                {
+                    predGrid.AddRow("[grey]Timestamp:[/]", pred.Timestamp.Value.ToString("u", CultureInfo.InvariantCulture));
+                }
+
+                if (!string.IsNullOrWhiteSpace(pred.InvocationId))
+                {
+                    predGrid.AddRow("[grey]Invocation ID:[/]", Markup.Escape(pred.InvocationId));
+                }
+
+                var predPanel = new Panel(predGrid)
+                {
+                    Border = BoxBorder.Rounded
+                };
+
+                AnsiConsole.Write(predPanel);
+
+                // Materials
+                if (verbose && pred.Materials is { Count: > 0 })
+                {
+                    AnsiConsole.MarkupLine("");
+                    AnsiConsole.MarkupLine("[bold]Materials:[/]");
+                    foreach (var mat in pred.Materials)
+                    {
+                        var uri = mat.Uri.Length > 60 ? "..." + mat.Uri[^57..] : mat.Uri;
+                        AnsiConsole.MarkupLine($"  [grey]- {Markup.Escape(uri)}[/]");
+                        if (mat.Digest is { Count: > 0 })
+                        {
+                            foreach (var (algo, digest) in mat.Digest)
+                            {
+                                var d = digest.Length > 16 ? digest[..16] + "..." : digest;
+                                AnsiConsole.MarkupLine($"    [grey]{algo}:[/] {d}");
+                            }
+                        }
+                    }
+                }
+
+                // Metadata
+                if (verbose && pred.Metadata is { Count: > 0 })
+                {
+                    AnsiConsole.MarkupLine("");
+                    AnsiConsole.MarkupLine("[bold]Metadata:[/]");
+                    foreach (var (key, value) in pred.Metadata)
+                    {
+                        AnsiConsole.MarkupLine($"  [grey]{Markup.Escape(key)}:[/] {Markup.Escape(value)}");
+                    }
+                }
+
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Verification result
+            if (result.VerificationResult is { } vr)
+            {
+                var vrStatus = vr.IsValid ? "[green]PASS[/]" : "[red]FAIL[/]";
+                AnsiConsole.MarkupLine($"[bold]Verification:[/] {vrStatus}");
+                AnsiConsole.MarkupLine($"  [grey]Signatures:[/] {vr.SignatureCount}");
+                AnsiConsole.MarkupLine($"  [grey]Valid:[/] [green]{vr.ValidSignatures}[/]");
+                AnsiConsole.MarkupLine($"  [grey]Trusted:[/] [green]{vr.TrustedSignatures}[/]");
+
+                if (vr.Errors.Count > 0)
+                {
+                    AnsiConsole.MarkupLine("");
+                    AnsiConsole.MarkupLine("[bold red]Errors:[/]");
+                    foreach (var error in vr.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"  [red]- {Markup.Escape(error)}[/]");
+                    }
+                }
+            }
+        }
+    }
+
+    #endregion
+
+    #region Promotion (CLI-PROMO-70-001)
+
+    // CLI-PROMO-70-001: Handle promotion assemble command
+    public static async Task HandlePromotionAssembleAsync(
+        IServiceProvider services,
+        string image,
+        string? sbomPath,
+        string? vexPath,
+        string fromEnvironment,
+        string toEnvironment,
+        string? actor,
+        string? pipeline,
+        string? ticket,
+        string? notes,
+        bool skipRekor,
+        string? outputPath,
+        bool emitJson,
+        string? tenant,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var assembler = scope.ServiceProvider.GetRequiredService<IPromotionAssembler>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("promotion-assemble");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.promotion.assemble", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "promotion assemble");
+        activity?.SetTag("stellaops.cli.image", image);
+        using var duration = CliMetrics.MeasureCommandDuration("promotion assemble");
+
+        try
+        {
+            if (string.IsNullOrWhiteSpace(image))
+            {
+                throw new InvalidOperationException("Image reference must be provided.");
+            }
+
+            var request = new PromotionAssembleRequest
+            {
+                Tenant = tenant ?? string.Empty,
+                Image = image,
+                SbomPath = sbomPath,
+                VexPath = vexPath,
+                FromEnvironment = fromEnvironment,
+                ToEnvironment = toEnvironment,
+                Actor = actor,
+                Pipeline = pipeline,
+                Ticket = ticket,
+                Notes = notes,
+                SkipRekor = skipRekor,
+                OutputPath = outputPath
+            };
+
+            var result = await assembler.AssembleAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+                Environment.ExitCode = result.Success ? 0 : 1;
+                return;
+            }
+
+            RenderPromotionResult(result, verbose);
+            Environment.ExitCode = result.Success ? 0 : 1;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to assemble promotion attestation.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static void RenderPromotionResult(PromotionAssembleResult result, bool verbose)
+        {
+            var statusIcon = result.Success ? "[green]SUCCESS[/]" : "[red]FAILED[/]";
+            AnsiConsole.MarkupLine($"\n[bold]Promotion Attestation Assembly: {statusIcon}[/]");
+            AnsiConsole.MarkupLine("");
+
+            // Basic info
+            var grid = new Grid();
+            grid.AddColumn();
+            grid.AddColumn();
+
+            grid.AddRow("[grey]Image Digest:[/]", $"sha256:{Markup.Escape(result.ImageDigest)}");
+
+            if (result.Predicate is { } pred)
+            {
+                grid.AddRow("[grey]From:[/]", Markup.Escape(pred.Promotion.From));
+                grid.AddRow("[grey]To:[/]", Markup.Escape(pred.Promotion.To));
+                grid.AddRow("[grey]Actor:[/]", Markup.Escape(pred.Promotion.Actor ?? "(not specified)"));
+                grid.AddRow("[grey]Timestamp:[/]", pred.Promotion.Timestamp.ToString("u", CultureInfo.InvariantCulture));
+
+                if (!string.IsNullOrWhiteSpace(pred.Promotion.Pipeline))
+                {
+                    grid.AddRow("[grey]Pipeline:[/]", Markup.Escape(pred.Promotion.Pipeline));
+                }
+
+                if (!string.IsNullOrWhiteSpace(pred.Promotion.Ticket))
+                {
+                    grid.AddRow("[grey]Ticket:[/]", Markup.Escape(pred.Promotion.Ticket));
+                }
+            }
+
+            var panel = new Panel(grid)
+            {
+                Border = BoxBorder.Rounded,
+                Header = new PanelHeader("[bold]Promotion Details[/]")
+            };
+
+            AnsiConsole.Write(panel);
+            AnsiConsole.MarkupLine("");
+
+            // Materials
+            if (result.Materials.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold]Materials:[/]");
+                var table = new Table()
+                    .Border(TableBorder.Rounded);
+
+                table.AddColumn("Role");
+                table.AddColumn("Format");
+                table.AddColumn("Digest");
+
+                foreach (var mat in result.Materials)
+                {
+                    var digest = mat.Digest.Length > 16 ? mat.Digest[..16] + "..." : mat.Digest;
+                    table.AddRow(
+                        Markup.Escape(mat.Role),
+                        Markup.Escape(mat.Format ?? "unknown"),
+                        $"[grey]{Markup.Escape(digest)}[/]");
+                }
+
+                AnsiConsole.Write(table);
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Rekor
+            if (result.RekorEntry is { } rekor)
+            {
+                AnsiConsole.MarkupLine("[bold]Rekor Entry:[/]");
+                AnsiConsole.MarkupLine($"  [grey]UUID:[/] {Markup.Escape(rekor.Uuid)}");
+                AnsiConsole.MarkupLine($"  [grey]Log Index:[/] {rekor.LogIndex}");
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Output path
+            if (!string.IsNullOrWhiteSpace(result.OutputPath))
+            {
+                AnsiConsole.MarkupLine($"[bold]Output:[/] {Markup.Escape(result.OutputPath)}");
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Warnings
+            if (result.Warnings.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold yellow]Warnings:[/]");
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"  [yellow]- {Markup.Escape(warning)}[/]");
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Errors
+            if (result.Errors.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold red]Errors:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]- {Markup.Escape(error)}[/]");
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Summary
+            if (result.Success)
+            {
+                AnsiConsole.MarkupLine("[green]Promotion attestation assembled successfully.[/]");
+                AnsiConsole.MarkupLine("[grey]Use 'stella promotion attest' to sign and submit to Signer.[/]");
+            }
+            else
+            {
+                AnsiConsole.MarkupLine("[red]Promotion attestation assembly failed. See errors above.[/]");
+            }
+        }
+    }
+
+    // CLI-PROMO-70-002: Handle promotion attest command
+    public static async Task HandlePromotionAttestAsync(
+        IServiceProvider services,
+        string predicatePath,
+        string? keyId,
+        bool useKeyless,
+        bool uploadToRekor,
+        string? outputPath,
+        bool emitJson,
+        string? tenant,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var assembler = scope.ServiceProvider.GetRequiredService<IPromotionAssembler>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("promotion-attest");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.promotion.attest", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "promotion attest");
+        using var duration = CliMetrics.MeasureCommandDuration("promotion attest");
+
+        try
+        {
+            if (string.IsNullOrWhiteSpace(predicatePath))
+            {
+                AnsiConsole.MarkupLine("[red]Error:[/] Predicate file path is required.");
+                Environment.ExitCode = 1;
+                return;
+            }
+
+            var request = new PromotionAttestRequest
+            {
+                Tenant = tenant ?? string.Empty,
+                PredicatePath = predicatePath,
+                KeyId = keyId,
+                UseKeyless = useKeyless,
+                OutputPath = outputPath,
+                UploadToRekor = uploadToRekor
+            };
+
+            var result = await assembler.AttestAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+                Environment.ExitCode = result.Success ? 0 : 1;
+                return;
+            }
+
+            RenderAttestResult(result, verbose);
+            Environment.ExitCode = result.Success ? 0 : 1;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to attest promotion.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static void RenderAttestResult(PromotionAttestResult result, bool verbose)
+        {
+            var statusIcon = result.Success ? "[green]SUCCESS[/]" : "[red]FAILED[/]";
+            AnsiConsole.MarkupLine($"\n[bold]Promotion Attestation: {statusIcon}[/]");
+            AnsiConsole.MarkupLine("");
+
+            if (result.Success)
+            {
+                var grid = new Grid();
+                grid.AddColumn();
+                grid.AddColumn();
+
+                if (!string.IsNullOrWhiteSpace(result.SignerKeyId))
+                {
+                    grid.AddRow("[grey]Key ID:[/]", Markup.Escape(result.SignerKeyId));
+                }
+
+                if (result.SignedAt.HasValue)
+                {
+                    grid.AddRow("[grey]Signed At:[/]", result.SignedAt.Value.ToString("u", CultureInfo.InvariantCulture));
+                }
+
+                if (!string.IsNullOrWhiteSpace(result.AuditId))
+                {
+                    grid.AddRow("[grey]Audit ID:[/]", Markup.Escape(result.AuditId));
+                }
+
+                if (result.RekorEntry is { } rekor)
+                {
+                    grid.AddRow("[grey]Rekor UUID:[/]", Markup.Escape(rekor.Uuid));
+                    grid.AddRow("[grey]Rekor Index:[/]", rekor.LogIndex.ToString());
+                }
+
+                var panel = new Panel(grid)
+                {
+                    Border = BoxBorder.Rounded,
+                    Header = new PanelHeader("[bold]Attestation Details[/]")
+                };
+
+                AnsiConsole.Write(panel);
+                AnsiConsole.MarkupLine("");
+
+                if (!string.IsNullOrWhiteSpace(result.BundlePath))
+                {
+                    AnsiConsole.MarkupLine($"[bold]Bundle:[/] {Markup.Escape(result.BundlePath)}");
+                    AnsiConsole.MarkupLine("");
+                }
+
+                AnsiConsole.MarkupLine("[green]Attestation signed successfully.[/]");
+                AnsiConsole.MarkupLine("[grey]Use 'stella promotion verify' to verify the bundle.[/]");
+            }
+
+            // Warnings
+            if (result.Warnings.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold yellow]Warnings:[/]");
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"  [yellow]- {Markup.Escape(warning)}[/]");
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Errors
+            if (result.Errors.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold red]Errors:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]- {Markup.Escape(error)}[/]");
+                }
+                AnsiConsole.MarkupLine("");
+            }
+        }
+    }
+
+    // CLI-PROMO-70-002: Handle promotion verify command
+    public static async Task HandlePromotionVerifyAsync(
+        IServiceProvider services,
+        string bundlePath,
+        string? sbomPath,
+        string? vexPath,
+        string? trustRootPath,
+        string? checkpointPath,
+        bool skipSignature,
+        bool skipRekor,
+        bool emitJson,
+        string? tenant,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var assembler = scope.ServiceProvider.GetRequiredService<IPromotionAssembler>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("promotion-verify");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.promotion.verify", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "promotion verify");
+        using var duration = CliMetrics.MeasureCommandDuration("promotion verify");
+
+        try
+        {
+            if (string.IsNullOrWhiteSpace(bundlePath))
+            {
+                AnsiConsole.MarkupLine("[red]Error:[/] Bundle file path is required.");
+                Environment.ExitCode = 1;
+                return;
+            }
+
+            var request = new PromotionVerifyRequest
+            {
+                Tenant = tenant ?? string.Empty,
+                BundlePath = bundlePath,
+                SbomPath = sbomPath,
+                VexPath = vexPath,
+                TrustRootPath = trustRootPath,
+                CheckpointPath = checkpointPath,
+                SkipSignatureVerification = skipSignature,
+                SkipRekorVerification = skipRekor
+            };
+
+            var result = await assembler.VerifyAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+                Environment.ExitCode = result.Verified ? 0 : 1;
+                return;
+            }
+
+            RenderVerifyResult(result, verbose);
+            Environment.ExitCode = result.Verified ? 0 : 1;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to verify promotion attestation.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static void RenderVerifyResult(PromotionVerifyResult result, bool verbose)
+        {
+            var statusIcon = result.Verified ? "[green]VERIFIED[/]" : "[red]FAILED[/]";
+            AnsiConsole.MarkupLine($"\n[bold]Promotion Verification: {statusIcon}[/]");
+            AnsiConsole.MarkupLine("");
+
+            // Signature verification
+            if (result.SignatureVerification is { } sigV)
+            {
+                var sigStatus = sigV.Verified ? "[green]PASS[/]" : "[red]FAIL[/]";
+                AnsiConsole.MarkupLine($"[bold]Signature:[/] {sigStatus}");
+
+                if (verbose)
+                {
+                    var sigGrid = new Grid();
+                    sigGrid.AddColumn();
+                    sigGrid.AddColumn();
+
+                    if (!string.IsNullOrWhiteSpace(sigV.KeyId))
+                    {
+                        sigGrid.AddRow("[grey]Key ID:[/]", Markup.Escape(sigV.KeyId));
+                    }
+                    if (!string.IsNullOrWhiteSpace(sigV.Algorithm))
+                    {
+                        sigGrid.AddRow("[grey]Algorithm:[/]", Markup.Escape(sigV.Algorithm));
+                    }
+                    if (!string.IsNullOrWhiteSpace(sigV.CertSubject))
+                    {
+                        sigGrid.AddRow("[grey]Subject:[/]", Markup.Escape(sigV.CertSubject));
+                    }
+                    if (!string.IsNullOrWhiteSpace(sigV.CertIssuer))
+                    {
+                        sigGrid.AddRow("[grey]Issuer:[/]", Markup.Escape(sigV.CertIssuer));
+                    }
+                    if (sigV.ValidFrom.HasValue)
+                    {
+                        sigGrid.AddRow("[grey]Valid From:[/]", sigV.ValidFrom.Value.ToString("u", CultureInfo.InvariantCulture));
+                    }
+                    if (sigV.ValidTo.HasValue)
+                    {
+                        sigGrid.AddRow("[grey]Valid To:[/]", sigV.ValidTo.Value.ToString("u", CultureInfo.InvariantCulture));
+                    }
+
+                    AnsiConsole.Write(sigGrid);
+                }
+
+                if (!sigV.Verified && !string.IsNullOrWhiteSpace(sigV.Error))
+                {
+                    AnsiConsole.MarkupLine($"  [red]{Markup.Escape(sigV.Error)}[/]");
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Material verification
+            if (result.MaterialVerification is { } matV)
+            {
+                var matStatus = matV.Verified ? "[green]PASS[/]" : "[red]FAIL[/]";
+                AnsiConsole.MarkupLine($"[bold]Materials:[/] {matStatus}");
+
+                if (matV.Materials.Count > 0)
+                {
+                    var table = new Table()
+                        .Border(TableBorder.Rounded);
+
+                    table.AddColumn("Role");
+                    table.AddColumn("Status");
+                    table.AddColumn("Digest");
+
+                    foreach (var mat in matV.Materials)
+                    {
+                        var status = mat.Verified ? "[green]PASS[/]" : "[red]FAIL[/]";
+                        var digest = mat.ExpectedDigest.Length > 16 ? mat.ExpectedDigest[..16] + "..." : mat.ExpectedDigest;
+                        table.AddRow(
+                            Markup.Escape(mat.Role),
+                            status,
+                            $"[grey]{Markup.Escape(digest)}[/]");
+                    }
+
+                    AnsiConsole.Write(table);
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Rekor verification
+            if (result.RekorVerification is { } rekorV)
+            {
+                var rekorStatus = rekorV.Verified ? "[green]PASS[/]" : "[red]FAIL[/]";
+                AnsiConsole.MarkupLine($"[bold]Rekor:[/] {rekorStatus}");
+
+                if (verbose)
+                {
+                    var rekorGrid = new Grid();
+                    rekorGrid.AddColumn();
+                    rekorGrid.AddColumn();
+
+                    if (!string.IsNullOrWhiteSpace(rekorV.Uuid))
+                    {
+                        rekorGrid.AddRow("[grey]UUID:[/]", Markup.Escape(rekorV.Uuid));
+                    }
+                    if (rekorV.LogIndex.HasValue)
+                    {
+                        rekorGrid.AddRow("[grey]Log Index:[/]", rekorV.LogIndex.Value.ToString());
+                    }
+                    rekorGrid.AddRow("[grey]Inclusion Proof:[/]", rekorV.InclusionProofVerified ? "[green]PASS[/]" : "[red]FAIL[/]");
+                    rekorGrid.AddRow("[grey]Checkpoint:[/]", rekorV.CheckpointVerified ? "[green]PASS[/]" : "[red]FAIL[/]");
+
+                    AnsiConsole.Write(rekorGrid);
+                }
+
+                if (!rekorV.Verified && !string.IsNullOrWhiteSpace(rekorV.Error))
+                {
+                    AnsiConsole.MarkupLine($"  [red]{Markup.Escape(rekorV.Error)}[/]");
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Predicate summary
+            if (verbose && result.Predicate is { } pred)
+            {
+                AnsiConsole.MarkupLine("[bold]Predicate Summary:[/]");
+                var predGrid = new Grid();
+                predGrid.AddColumn();
+                predGrid.AddColumn();
+
+                predGrid.AddRow("[grey]Type:[/]", Markup.Escape(pred.Type));
+                predGrid.AddRow("[grey]From:[/]", Markup.Escape(pred.Promotion.From));
+                predGrid.AddRow("[grey]To:[/]", Markup.Escape(pred.Promotion.To));
+                predGrid.AddRow("[grey]Actor:[/]", Markup.Escape(pred.Promotion.Actor ?? "(not specified)"));
+                predGrid.AddRow("[grey]Timestamp:[/]", pred.Promotion.Timestamp.ToString("u", CultureInfo.InvariantCulture));
+
+                AnsiConsole.Write(predGrid);
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Warnings
+            if (result.Warnings.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold yellow]Warnings:[/]");
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"  [yellow]- {Markup.Escape(warning)}[/]");
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Errors
+            if (result.Errors.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold red]Errors:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]- {Markup.Escape(error)}[/]");
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Summary
+            if (result.Verified)
+            {
+                AnsiConsole.MarkupLine("[green]Promotion attestation verified successfully.[/]");
+            }
+            else
+            {
+                AnsiConsole.MarkupLine("[red]Promotion attestation verification failed. See details above.[/]");
+            }
+        }
+    }
+
+    // CLI-DETER-70-003: Handle detscore run command
+    public static async Task HandleDetscoreRunAsync(
+        IServiceProvider services,
+        string[] images,
+        string scanner,
+        string? policyBundle,
+        string? feedsBundle,
+        int runs,
+        DateTimeOffset? fixedClock,
+        int rngSeed,
+        int maxConcurrency,
+        string memoryLimit,
+        string cpuSet,
+        string platform,
+        double imageThreshold,
+        double overallThreshold,
+        string? outputDir,
+        string? release,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var harness = scope.ServiceProvider.GetRequiredService<IDeterminismHarness>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("detscore-run");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.detscore.run", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "detscore run");
+        activity?.SetTag("stellaops.cli.images", images.Length);
+        activity?.SetTag("stellaops.cli.runs", runs);
+        using var duration = CliMetrics.MeasureCommandDuration("detscore run");
+
+        try
+        {
+            if (images.Length == 0)
+            {
+                var error = new CliError(
+                    CliErrorCodes.DeterminismNoImages,
+                    "At least one image must be provided for determinism testing.");
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error.Message)}");
+                Environment.ExitCode = error.ExitCode;
+                return;
+            }
+
+            if (string.IsNullOrWhiteSpace(scanner))
+            {
+                var error = new CliError(
+                    CliErrorCodes.DeterminismScannerMissing,
+                    "Scanner image reference must be provided.");
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error.Message)}");
+                Environment.ExitCode = error.ExitCode;
+                return;
+            }
+
+            var request = new DeterminismRunRequest
+            {
+                Images = images,
+                Scanner = scanner,
+                PolicyBundle = policyBundle,
+                FeedsBundle = feedsBundle,
+                Runs = runs,
+                FixedClock = fixedClock,
+                RngSeed = rngSeed,
+                MaxConcurrency = maxConcurrency,
+                MemoryLimit = memoryLimit,
+                CpuSet = cpuSet,
+                Platform = platform,
+                ImageThreshold = imageThreshold,
+                OverallThreshold = overallThreshold,
+                OutputDir = outputDir,
+                Release = release
+            };
+
+            if (!emitJson)
+            {
+                AnsiConsole.MarkupLine("[bold]Starting Determinism Harness[/]");
+                AnsiConsole.MarkupLine($"  [grey]Images:[/] {images.Length}");
+                AnsiConsole.MarkupLine($"  [grey]Scanner:[/] {Markup.Escape(scanner)}");
+                AnsiConsole.MarkupLine($"  [grey]Runs per image:[/] {runs}");
+                AnsiConsole.MarkupLine($"  [grey]Thresholds:[/] image >= {imageThreshold:P0}, overall >= {overallThreshold:P0}");
+                AnsiConsole.MarkupLine("");
+            }
+
+            var result = await harness.RunAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+                Environment.ExitCode = result.PassedThreshold ? 0 : 13;
+                return;
+            }
+
+            RenderDetscoreResult(result, verbose);
+
+            if (!result.PassedThreshold)
+            {
+                var error = new CliError(
+                    CliErrorCodes.DeterminismThresholdFailed,
+                    $"Determinism score {result.Manifest?.OverallScore:P0} below threshold {overallThreshold:P0}");
+                Environment.ExitCode = error.ExitCode;
+            }
+            else
+            {
+                Environment.ExitCode = 0;
+            }
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to run determinism harness.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            var error = new CliError(CliErrorCodes.DeterminismRunFailed, ex.Message);
+            Environment.ExitCode = error.ExitCode;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static void RenderDetscoreResult(DeterminismRunResult result, bool verbose)
+        {
+            var manifest = result.Manifest;
+            if (manifest == null)
+            {
+                AnsiConsole.MarkupLine("[red]No determinism manifest generated.[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]  - {Markup.Escape(error)}[/]");
+                }
+                return;
+            }
+
+            var statusIcon = result.PassedThreshold ? "[green]PASSED[/]" : "[red]FAILED[/]";
+            AnsiConsole.MarkupLine($"\n[bold]Determinism Score: {statusIcon}[/]");
+            AnsiConsole.MarkupLine("");
+
+            // Summary info
+            var grid = new Grid();
+            grid.AddColumn();
+            grid.AddColumn();
+
+            grid.AddRow("[grey]Release:[/]", Markup.Escape(manifest.Release));
+            grid.AddRow("[grey]Platform:[/]", Markup.Escape(manifest.Platform));
+            grid.AddRow("[grey]Overall Score:[/]", GetScoreMarkup(manifest.OverallScore, manifest.Thresholds.OverallMin));
+            grid.AddRow("[grey]Generated:[/]", manifest.GeneratedAt.ToString("u", CultureInfo.InvariantCulture));
+            grid.AddRow("[grey]Duration:[/]", $"{result.DurationMs / 1000.0:F1}s");
+
+            if (!string.IsNullOrWhiteSpace(manifest.ScannerSha))
+            {
+                var sha = manifest.ScannerSha.Length > 16 ? manifest.ScannerSha[..16] + "..." : manifest.ScannerSha;
+                grid.AddRow("[grey]Scanner SHA:[/]", $"[grey]{Markup.Escape(sha)}[/]");
+            }
+
+            var panel = new Panel(grid)
+            {
+                Border = BoxBorder.Rounded,
+                Header = new PanelHeader("[bold]Determinism Summary[/]")
+            };
+
+            AnsiConsole.Write(panel);
+            AnsiConsole.MarkupLine("");
+
+            // Per-image results
+            AnsiConsole.MarkupLine("[bold]Per-Image Results:[/]");
+            var table = new Table()
+                .Border(TableBorder.Rounded);
+
+            table.AddColumn("Image");
+            table.AddColumn("Runs");
+            table.AddColumn("Identical");
+            table.AddColumn("Score");
+            table.AddColumn("Status");
+
+            foreach (var img in manifest.Images)
+            {
+                var digest = img.Digest.Length > 24 ? img.Digest[..24] + "..." : img.Digest;
+                var status = img.Score >= manifest.Thresholds.ImageMin
+                    ? "[green]PASS[/]"
+                    : "[red]FAIL[/]";
+                var scoreColor = img.Score >= manifest.Thresholds.ImageMin ? "green" : "red";
+
+                table.AddRow(
+                    $"[grey]{Markup.Escape(digest)}[/]",
+                    img.Runs.ToString(),
+                    img.Identical.ToString(),
+                    $"[{scoreColor}]{img.Score:P0}[/{scoreColor}]",
+                    status);
+
+                if (verbose && img.NonDeterministic.Count > 0)
+                {
+                    table.AddRow(
+                        "",
+                        "[yellow]Non-det:[/]",
+                        $"[yellow]{string.Join(", ", img.NonDeterministic)}[/]",
+                        "",
+                        "");
+                }
+            }
+
+            AnsiConsole.Write(table);
+            AnsiConsole.MarkupLine("");
+
+            // Execution details
+            if (verbose && manifest.Execution is { } exec)
+            {
+                AnsiConsole.MarkupLine("[bold]Execution Parameters:[/]");
+                var execGrid = new Grid();
+                execGrid.AddColumn();
+                execGrid.AddColumn();
+
+                if (exec.FixedClock.HasValue)
+                {
+                    execGrid.AddRow("[grey]Fixed Clock:[/]", exec.FixedClock.Value.ToString("u", CultureInfo.InvariantCulture));
+                }
+                execGrid.AddRow("[grey]RNG Seed:[/]", exec.RngSeed.ToString());
+                execGrid.AddRow("[grey]Max Concurrency:[/]", exec.MaxConcurrency.ToString());
+                execGrid.AddRow("[grey]Memory Limit:[/]", exec.MemoryLimit);
+                execGrid.AddRow("[grey]CPU Set:[/]", exec.CpuSet);
+                execGrid.AddRow("[grey]Network Mode:[/]", exec.NetworkMode);
+
+                AnsiConsole.Write(execGrid);
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Output path
+            if (!string.IsNullOrWhiteSpace(result.OutputPath))
+            {
+                AnsiConsole.MarkupLine($"[bold]Output:[/] {Markup.Escape(result.OutputPath)}");
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Warnings
+            if (result.Warnings.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold yellow]Warnings:[/]");
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"  [yellow]- {Markup.Escape(warning)}[/]");
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Errors
+            if (result.Errors.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold red]Errors:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]- {Markup.Escape(error)}[/]");
+                }
+                AnsiConsole.MarkupLine("");
+            }
+
+            // Summary
+            if (result.PassedThreshold)
+            {
+                AnsiConsole.MarkupLine($"[green]Determinism score {manifest.OverallScore:P0} meets threshold {manifest.Thresholds.OverallMin:P0}[/]");
+            }
+            else
+            {
+                AnsiConsole.MarkupLine($"[red]Determinism score {manifest.OverallScore:P0} below threshold {manifest.Thresholds.OverallMin:P0}[/]");
+                if (result.FailedImages.Count > 0)
+                {
+                    AnsiConsole.MarkupLine($"[red]Failed images: {string.Join(", ", result.FailedImages.Select(i => i.Length > 16 ? i[..16] + "..." : i))}[/]");
+                }
+            }
+        }
+
+        static string GetScoreMarkup(double score, double threshold)
+        {
+            var color = score >= threshold ? "green" : "red";
+            return $"[{color}]{score:P0}[/{color}]";
+        }
+    }
+
+    // CLI-DETER-70-004: Handle detscore report command
+    public static async Task HandleDetscoreReportAsync(
+        IServiceProvider services,
+        string[] manifestPaths,
+        string format,
+        string? outputPath,
+        bool includeDetails,
+        string? title,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var harness = scope.ServiceProvider.GetRequiredService<IDeterminismHarness>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("detscore-report");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.detscore.report", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "detscore report");
+        activity?.SetTag("stellaops.cli.manifests", manifestPaths.Length);
+        activity?.SetTag("stellaops.cli.format", format);
+        using var duration = CliMetrics.MeasureCommandDuration("detscore report");
+
+        try
+        {
+            if (manifestPaths.Length == 0)
+            {
+                var error = new CliError(
+                    CliErrorCodes.DeterminismManifestInvalid,
+                    "At least one determinism.json manifest path must be provided.");
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error.Message)}");
+                Environment.ExitCode = error.ExitCode;
+                return;
+            }
+
+            // Verify all files exist
+            var missingFiles = manifestPaths.Where(p => !File.Exists(p)).ToList();
+            if (missingFiles.Count > 0)
+            {
+                var error = new CliError(
+                    CliErrorCodes.DeterminismManifestInvalid,
+                    $"Manifest files not found: {string.Join(", ", missingFiles)}");
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error.Message)}");
+                Environment.ExitCode = error.ExitCode;
+                return;
+            }
+
+            var request = new DeterminismReportRequest
+            {
+                ManifestPaths = manifestPaths,
+                Format = format,
+                OutputPath = outputPath,
+                IncludeDetails = includeDetails,
+                Title = title
+            };
+
+            if (format != "json" && string.IsNullOrEmpty(outputPath))
+            {
+                AnsiConsole.MarkupLine("[bold]Generating Determinism Report[/]");
+                AnsiConsole.MarkupLine($"  [grey]Manifests:[/] {manifestPaths.Length}");
+                AnsiConsole.MarkupLine($"  [grey]Format:[/] {format}");
+                AnsiConsole.MarkupLine("");
+            }
+
+            var result = await harness.GenerateReportAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+                }
+                Environment.ExitCode = 13;
+                return;
+            }
+
+            // If output path specified, file was already written by harness
+            if (!string.IsNullOrWhiteSpace(result.OutputPath))
+            {
+                if (format != "json")
+                {
+                    AnsiConsole.MarkupLine($"[green]Report written to:[/] {Markup.Escape(result.OutputPath)}");
+                    RenderDetscoreReportSummary(result.Report!, verbose);
+                }
+                else
+                {
+                    // For JSON format to file, also output JSON to stdout for piping
+                    var json = JsonSerializer.Serialize(result.Report, new JsonSerializerOptions { WriteIndented = true });
+                    Console.WriteLine(json);
+                }
+            }
+            else
+            {
+                // No output path - content was written to stdout by harness for markdown/csv
+                // For JSON, we output the structured result
+                if (format == "json")
+                {
+                    var json = JsonSerializer.Serialize(result.Report, new JsonSerializerOptions { WriteIndented = true });
+                    Console.WriteLine(json);
+                }
+            }
+
+            // Show warnings
+            if (result.Warnings.Count > 0 && format != "json")
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine("[bold yellow]Warnings:[/]");
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"  [yellow]- {Markup.Escape(warning)}[/]");
+                }
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to generate determinism report.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 13;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+
+        static void RenderDetscoreReportSummary(DeterminismReport report, bool verbose)
+        {
+            AnsiConsole.MarkupLine("");
+            var summary = report.Summary;
+
+            var grid = new Grid();
+            grid.AddColumn();
+            grid.AddColumn();
+
+            grid.AddRow("[grey]Total Releases:[/]", summary.TotalReleases.ToString());
+            grid.AddRow("[grey]Total Images:[/]", summary.TotalImages.ToString());
+            grid.AddRow("[grey]Average Score:[/]", $"{summary.AverageScore:P1}");
+            grid.AddRow("[grey]Score Range:[/]", $"{summary.MinScore:P1} - {summary.MaxScore:P1}");
+            grid.AddRow("[grey]Passed:[/]", $"[green]{summary.PassedCount}[/]");
+            grid.AddRow("[grey]Failed:[/]", summary.FailedCount > 0 ? $"[red]{summary.FailedCount}[/]" : "0");
+
+            var panel = new Panel(grid)
+            {
+                Border = BoxBorder.Rounded,
+                Header = new PanelHeader($"[bold]{Markup.Escape(report.Title)}[/]")
+            };
+
+            AnsiConsole.Write(panel);
+
+            if (summary.NonDeterministicArtifacts.Count > 0)
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine("[bold yellow]Non-Deterministic Artifacts:[/]");
+                foreach (var artifact in summary.NonDeterministicArtifacts.Take(10))
+                {
+                    AnsiConsole.MarkupLine($"  [yellow]- {Markup.Escape(artifact)}[/]");
+                }
+                if (summary.NonDeterministicArtifacts.Count > 10)
+                {
+                    AnsiConsole.MarkupLine($"  [grey]... and {summary.NonDeterministicArtifacts.Count - 10} more[/]");
+                }
+            }
+
+            if (verbose && report.Releases.Count > 0)
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine("[bold]Releases:[/]");
+
+                var table = new Table()
+                    .Border(TableBorder.Rounded);
+
+                table.AddColumn("Release");
+                table.AddColumn("Platform");
+                table.AddColumn("Score");
+                table.AddColumn("Images");
+                table.AddColumn("Status");
+
+                foreach (var release in report.Releases)
+                {
+                    var status = release.Passed ? "[green]PASS[/]" : "[red]FAIL[/]";
+                    var scoreColor = release.Passed ? "green" : "red";
+
+                    table.AddRow(
+                        Markup.Escape(release.Release),
+                        Markup.Escape(release.Platform),
+                        $"[{scoreColor}]{release.OverallScore:P1}[/{scoreColor}]",
+                        release.ImageCount.ToString(),
+                        status);
+                }
+
+                AnsiConsole.Write(table);
+            }
+        }
+    }
+
+    // CLI-OBS-51-001: Handle obs top command
+    public static async Task HandleObsTopAsync(
+        IServiceProvider services,
+        string[] serviceNames,
+        string? tenant,
+        int refreshInterval,
+        bool includeQueues,
+        int maxAlerts,
+        string outputFormat,
+        bool offline,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IObservabilityClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("obs-top");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.obs.top", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "obs top");
+        activity?.SetTag("stellaops.cli.refresh", refreshInterval);
+        using var duration = CliMetrics.MeasureCommandDuration("obs top");
+
+        try
+        {
+            // Offline mode check
+            if (offline)
+            {
+                var error = new CliError(
+                    CliErrorCodes.ObsOfflineViolation,
+                    "Offline mode specified but obs top requires network access to fetch metrics.");
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error.Message)}");
+                Environment.ExitCode = 5; // Per CLI guide: offline violation = 5
+                return;
+            }
+
+            var request = new ObsTopRequest
+            {
+                Services = serviceNames,
+                Tenant = tenant,
+                IncludeQueues = includeQueues,
+                RefreshInterval = refreshInterval,
+                MaxAlerts = maxAlerts
+            };
+
+            // Single fetch or streaming mode
+            if (refreshInterval <= 0)
+            {
+                await FetchAndRenderObsTop(client, request, outputFormat, verbose, cancellationToken).ConfigureAwait(false);
+            }
+            else
+            {
+                // Streaming mode with live updates
+                await StreamObsTop(client, request, outputFormat, verbose, refreshInterval, cancellationToken).ConfigureAwait(false);
+            }
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to fetch observability data.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 14;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    private static async Task FetchAndRenderObsTop(
+        IObservabilityClient client,
+        ObsTopRequest request,
+        string outputFormat,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var result = await client.GetHealthSummaryAsync(request, cancellationToken).ConfigureAwait(false);
+
+        if (!result.Success)
+        {
+            foreach (var error in result.Errors)
+            {
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+            }
+            Environment.ExitCode = 14;
+            return;
+        }
+
+        var summary = result.Summary!;
+
+        switch (outputFormat)
+        {
+            case "json":
+                var json = JsonSerializer.Serialize(summary, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+                break;
+
+            case "ndjson":
+                // Output each service as a separate NDJSON line
+                foreach (var service in summary.Services)
+                {
+                    var line = JsonSerializer.Serialize(service);
+                    Console.WriteLine(line);
+                }
+                break;
+
+            default: // table
+                RenderObsTopTable(summary, verbose);
+                break;
+        }
+
+        Environment.ExitCode = 0;
+    }
+
+    private static async Task StreamObsTop(
+        IObservabilityClient client,
+        ObsTopRequest request,
+        string outputFormat,
+        bool verbose,
+        int intervalSeconds,
+        CancellationToken cancellationToken)
+    {
+        var isFirstRender = true;
+
+        while (!cancellationToken.IsCancellationRequested)
+        {
+            var result = await client.GetHealthSummaryAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+                }
+                await Task.Delay(TimeSpan.FromSeconds(intervalSeconds), cancellationToken).ConfigureAwait(false);
+                continue;
+            }
+
+            var summary = result.Summary!;
+
+            if (outputFormat == "json" || outputFormat == "ndjson")
+            {
+                // For JSON streaming, output each fetch as a line
+                var json = JsonSerializer.Serialize(summary);
+                Console.WriteLine(json);
+            }
+            else
+            {
+                // Clear screen and render table
+                if (!isFirstRender)
+                {
+                    AnsiConsole.Clear();
+                }
+                isFirstRender = false;
+
+                RenderObsTopTable(summary, verbose);
+                AnsiConsole.MarkupLine($"\n[grey]Refreshing every {intervalSeconds}s. Press Ctrl+C to stop.[/]");
+            }
+
+            await Task.Delay(TimeSpan.FromSeconds(intervalSeconds), cancellationToken).ConfigureAwait(false);
+        }
+
+        Environment.ExitCode = 0;
+    }
+
+    private static void RenderObsTopTable(PlatformHealthSummary summary, bool verbose)
+    {
+        // Overall status header
+        var statusColor = summary.OverallStatus switch
+        {
+            "healthy" => "green",
+            "degraded" => "yellow",
+            "unhealthy" => "red",
+            _ => "grey"
+        };
+
+        AnsiConsole.MarkupLine($"[bold]Platform Health: [{statusColor}]{summary.OverallStatus.ToUpperInvariant()}[/{statusColor}][/]");
+        AnsiConsole.MarkupLine($"[grey]Updated: {summary.Timestamp.ToString("u", CultureInfo.InvariantCulture)}[/]");
+        AnsiConsole.MarkupLine($"[grey]Error Budget: {summary.GlobalErrorBudget:P1} remaining[/]");
+        AnsiConsole.MarkupLine("");
+
+        // Services table
+        if (summary.Services.Count > 0)
+        {
+            AnsiConsole.MarkupLine("[bold]Services:[/]");
+
+            var table = new Table()
+                .Border(TableBorder.Rounded);
+
+            table.AddColumn("Service");
+            table.AddColumn("Status");
+            table.AddColumn("Availability");
+            table.AddColumn("SLO Target");
+            table.AddColumn("Error Budget");
+            table.AddColumn("P95 Latency");
+            table.AddColumn("Burn Rate");
+
+            foreach (var service in summary.Services)
+            {
+                var svcStatusColor = service.Status switch
+                {
+                    "healthy" => "green",
+                    "degraded" => "yellow",
+                    "unhealthy" => "red",
+                    _ => "grey"
+                };
+
+                var availColor = service.Availability >= service.SloTarget ? "green" : "red";
+                var budgetColor = service.ErrorBudgetRemaining >= 0.5 ? "green" :
+                                  service.ErrorBudgetRemaining >= 0.2 ? "yellow" : "red";
+
+                var latency = service.Latency is not null
+                    ? $"{service.Latency.P95Ms:F0}ms"
+                    : "-";
+                var latencyColor = service.Latency is { Breaching: true } ? "red" : "green";
+
+                var burnRate = service.BurnRate is not null
+                    ? $"{service.BurnRate.Current:F1}x"
+                    : "-";
+                var burnColor = service.BurnRate?.AlertLevel switch
+                {
+                    "critical" => "red",
+                    "warning" => "yellow",
+                    _ => "green"
+                };
+
+                table.AddRow(
+                    Markup.Escape(service.Service),
+                    $"[{svcStatusColor}]{service.Status.ToUpperInvariant()}[/{svcStatusColor}]",
+                    $"[{availColor}]{service.Availability:P2}[/{availColor}]",
+                    $"{service.SloTarget:P2}",
+                    $"[{budgetColor}]{service.ErrorBudgetRemaining:P1}[/{budgetColor}]",
+                    $"[{latencyColor}]{latency}[/{latencyColor}]",
+                    $"[{burnColor}]{burnRate}[/{burnColor}]");
+            }
+
+            AnsiConsole.Write(table);
+            AnsiConsole.MarkupLine("");
+        }
+
+        // Active alerts
+        if (summary.ActiveAlerts.Count > 0)
+        {
+            AnsiConsole.MarkupLine("[bold]Active Alerts:[/]");
+
+            var alertTable = new Table()
+                .Border(TableBorder.Rounded);
+
+            alertTable.AddColumn("Severity");
+            alertTable.AddColumn("Service");
+            alertTable.AddColumn("Type");
+            alertTable.AddColumn("Message");
+            alertTable.AddColumn("Started");
+
+            foreach (var alert in summary.ActiveAlerts)
+            {
+                var severityColor = alert.Severity == "critical" ? "red" : "yellow";
+                var age = DateTimeOffset.UtcNow - alert.StartedAt;
+                var ageStr = age.TotalHours >= 1
+                    ? $"{age.TotalHours:F0}h ago"
+                    : $"{age.TotalMinutes:F0}m ago";
+
+                alertTable.AddRow(
+                    $"[{severityColor}]{alert.Severity.ToUpperInvariant()}[/{severityColor}]",
+                    Markup.Escape(alert.Service),
+                    Markup.Escape(alert.Type),
+                    Markup.Escape(alert.Message.Length > 50 ? alert.Message[..47] + "..." : alert.Message),
+                    ageStr);
+            }
+
+            AnsiConsole.Write(alertTable);
+            AnsiConsole.MarkupLine("");
+        }
+
+        // Queue health (verbose mode or if alerting)
+        if (verbose)
+        {
+            var allQueues = summary.Services
+                .SelectMany(s => s.Queues.Select(q => (Service: s.Service, Queue: q)))
+                .ToList();
+
+            if (allQueues.Count > 0)
+            {
+                AnsiConsole.MarkupLine("[bold]Queue Health:[/]");
+
+                var queueTable = new Table()
+                    .Border(TableBorder.Rounded);
+
+                queueTable.AddColumn("Service");
+                queueTable.AddColumn("Queue");
+                queueTable.AddColumn("Depth");
+                queueTable.AddColumn("Oldest");
+                queueTable.AddColumn("Throughput");
+                queueTable.AddColumn("Success");
+
+                foreach (var (svc, queue) in allQueues)
+                {
+                    var depthColor = queue.Alerting ? "red" :
+                                     queue.Depth > queue.DepthThreshold * 0.8 ? "yellow" : "green";
+
+                    queueTable.AddRow(
+                        Markup.Escape(svc),
+                        Markup.Escape(queue.Name),
+                        $"[{depthColor}]{queue.Depth}[/{depthColor}]",
+                        queue.OldestMessageAge.TotalMinutes > 0 ? $"{queue.OldestMessageAge.TotalMinutes:F0}m" : "-",
+                        $"{queue.Throughput:F1}/s",
+                        $"{queue.SuccessRate:P1}");
+                }
+
+                AnsiConsole.Write(queueTable);
+            }
+        }
+    }
+
+    // CLI-OBS-52-001: Handle obs trace command
+    public static async Task HandleObsTraceAsync(
+        IServiceProvider services,
+        string traceId,
+        string? tenant,
+        bool includeEvidence,
+        string outputFormat,
+        bool offline,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IObservabilityClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("obs-trace");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.obs.trace", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "obs trace");
+        activity?.SetTag("stellaops.cli.traceId", traceId);
+        using var duration = CliMetrics.MeasureCommandDuration("obs trace");
+
+        try
+        {
+            if (offline)
+            {
+                var error = new CliError(
+                    CliErrorCodes.ObsOfflineViolation,
+                    "Offline mode specified but obs trace requires network access.");
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error.Message)}");
+                Environment.ExitCode = 5;
+                return;
+            }
+
+            if (string.IsNullOrWhiteSpace(traceId))
+            {
+                AnsiConsole.MarkupLine("[red]Error:[/] Trace ID is required.");
+                Environment.ExitCode = 1;
+                return;
+            }
+
+            // Echo trace ID on stderr for scripting
+            if (verbose)
+            {
+                Console.Error.WriteLine($"trace_id={traceId}");
+            }
+
+            var request = new ObsTraceRequest
+            {
+                TraceId = traceId,
+                Tenant = tenant,
+                IncludeEvidence = includeEvidence
+            };
+
+            var result = await client.GetTraceAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+                }
+                Environment.ExitCode = result.Errors.Any(e => e.Contains("not found")) ? 4 : 14;
+                return;
+            }
+
+            var trace = result.Trace!;
+
+            if (outputFormat == "json")
+            {
+                var json = JsonSerializer.Serialize(trace, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+            }
+            else
+            {
+                RenderTrace(trace, verbose);
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to fetch trace.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 14;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    private static void RenderTrace(DistributedTrace trace, bool verbose)
+    {
+        var statusColor = trace.Status == "error" ? "red" : "green";
+
+        AnsiConsole.MarkupLine($"[bold]Trace: {Markup.Escape(trace.TraceId)}[/]");
+        AnsiConsole.MarkupLine($"[grey]Status:[/] [{statusColor}]{trace.Status.ToUpperInvariant()}[/{statusColor}]");
+        AnsiConsole.MarkupLine($"[grey]Duration:[/] {trace.Duration.TotalMilliseconds:F0}ms");
+        AnsiConsole.MarkupLine($"[grey]Started:[/] {trace.StartTime.ToString("u", CultureInfo.InvariantCulture)}");
+        AnsiConsole.MarkupLine($"[grey]Services:[/] {string.Join(", ", trace.Services)}");
+        AnsiConsole.MarkupLine("");
+
+        // Spans table
+        if (trace.Spans.Count > 0)
+        {
+            AnsiConsole.MarkupLine("[bold]Spans:[/]");
+
+            var table = new Table()
+                .Border(TableBorder.Rounded);
+
+            table.AddColumn("Service");
+            table.AddColumn("Operation");
+            table.AddColumn("Duration");
+            table.AddColumn("Status");
+
+            foreach (var span in trace.Spans.OrderBy(s => s.StartTime))
+            {
+                var spanStatusColor = span.Status == "error" ? "red" : "green";
+
+                table.AddRow(
+                    Markup.Escape(span.ServiceName),
+                    Markup.Escape(span.OperationName.Length > 40 ? span.OperationName[..37] + "..." : span.OperationName),
+                    $"{span.Duration.TotalMilliseconds:F0}ms",
+                    $"[{spanStatusColor}]{span.Status}[/{spanStatusColor}]");
+            }
+
+            AnsiConsole.Write(table);
+            AnsiConsole.MarkupLine("");
+        }
+
+        // Evidence links
+        if (trace.EvidenceLinks.Count > 0)
+        {
+            AnsiConsole.MarkupLine("[bold]Evidence Links:[/]");
+
+            var evidenceTable = new Table()
+                .Border(TableBorder.Rounded);
+
+            evidenceTable.AddColumn("Type");
+            evidenceTable.AddColumn("URI");
+            evidenceTable.AddColumn("Timestamp");
+
+            foreach (var link in trace.EvidenceLinks)
+            {
+                var uri = link.Uri.Length > 50 ? link.Uri[..47] + "..." : link.Uri;
+                evidenceTable.AddRow(
+                    Markup.Escape(link.Type),
+                    $"[link]{Markup.Escape(uri)}[/]",
+                    link.Timestamp.ToString("u", CultureInfo.InvariantCulture));
+            }
+
+            AnsiConsole.Write(evidenceTable);
+        }
+    }
+
+    // CLI-OBS-52-001: Handle obs logs command
+    public static async Task HandleObsLogsAsync(
+        IServiceProvider services,
+        DateTimeOffset from,
+        DateTimeOffset to,
+        string? tenant,
+        string[] serviceNames,
+        string[] levels,
+        string? query,
+        int pageSize,
+        string? pageToken,
+        string outputFormat,
+        bool offline,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IObservabilityClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("obs-logs");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.obs.logs", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "obs logs");
+        using var duration = CliMetrics.MeasureCommandDuration("obs logs");
+
+        try
+        {
+            if (offline)
+            {
+                var error = new CliError(
+                    CliErrorCodes.ObsOfflineViolation,
+                    "Offline mode specified but obs logs requires network access.");
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error.Message)}");
+                Environment.ExitCode = 5;
+                return;
+            }
+
+            // Validate time window (max 24h as guardrail)
+            var timeSpan = to - from;
+            if (timeSpan > TimeSpan.FromHours(24))
+            {
+                AnsiConsole.MarkupLine("[yellow]Warning:[/] Time window exceeds 24 hours. Results may be truncated.");
+            }
+
+            // Clamp page size
+            pageSize = Math.Clamp(pageSize, 1, 500);
+
+            var request = new ObsLogsRequest
+            {
+                From = from,
+                To = to,
+                Tenant = tenant,
+                Services = serviceNames,
+                Levels = levels,
+                Query = query,
+                PageSize = pageSize,
+                PageToken = pageToken
+            };
+
+            var result = await client.GetLogsAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+                }
+                Environment.ExitCode = 14;
+                return;
+            }
+
+            switch (outputFormat)
+            {
+                case "json":
+                    var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                    Console.WriteLine(json);
+                    break;
+
+                case "ndjson":
+                    foreach (var log in result.Logs)
+                    {
+                        var line = JsonSerializer.Serialize(log);
+                        Console.WriteLine(line);
+                    }
+                    break;
+
+                default: // table
+                    RenderLogs(result, verbose);
+                    break;
+            }
+
+            // Show pagination token if available
+            if (!string.IsNullOrWhiteSpace(result.NextPageToken) && outputFormat == "table")
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine($"[grey]Next page: --page-token {Markup.Escape(result.NextPageToken)}[/]");
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to fetch logs.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 14;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    private static void RenderLogs(ObsLogsResult result, bool verbose)
+    {
+        if (result.Logs.Count == 0)
+        {
+            AnsiConsole.MarkupLine("[grey]No logs found for the specified time window.[/]");
+            return;
+        }
+
+        if (result.TotalCount.HasValue)
+        {
+            AnsiConsole.MarkupLine($"[grey]Showing {result.Logs.Count} of {result.TotalCount} logs[/]");
+        }
+        else
+        {
+            AnsiConsole.MarkupLine($"[grey]Showing {result.Logs.Count} logs[/]");
+        }
+        AnsiConsole.MarkupLine("");
+
+        var table = new Table()
+            .Border(TableBorder.Rounded);
+
+        table.AddColumn("Timestamp");
+        table.AddColumn("Level");
+        table.AddColumn("Service");
+        table.AddColumn("Message");
+
+        if (verbose)
+        {
+            table.AddColumn("Trace ID");
+        }
+
+        foreach (var log in result.Logs)
+        {
+            var levelColor = log.Level switch
+            {
+                "error" => "red",
+                "warn" => "yellow",
+                "debug" => "grey",
+                _ => "white"
+            };
+
+            var message = log.Message.Length > 60 ? log.Message[..57] + "..." : log.Message;
+
+            if (verbose)
+            {
+                var traceId = log.TraceId ?? "-";
+                traceId = traceId.Length > 16 ? traceId[..16] + "..." : traceId;
+
+                table.AddRow(
+                    log.Timestamp.ToString("HH:mm:ss.fff"),
+                    $"[{levelColor}]{log.Level.ToUpperInvariant()}[/{levelColor}]",
+                    Markup.Escape(log.Service),
+                    Markup.Escape(message),
+                    $"[grey]{Markup.Escape(traceId)}[/]");
+            }
+            else
+            {
+                table.AddRow(
+                    log.Timestamp.ToString("HH:mm:ss.fff"),
+                    $"[{levelColor}]{log.Level.ToUpperInvariant()}[/{levelColor}]",
+                    Markup.Escape(log.Service),
+                    Markup.Escape(message));
+            }
+        }
+
+        AnsiConsole.Write(table);
+    }
+
+    // CLI-OBS-55-001: Handle obs incident-mode enable command
+    public static async Task HandleObsIncidentModeEnableAsync(
+        IServiceProvider services,
+        string? tenant,
+        int ttlMinutes,
+        int retentionDays,
+        string? reason,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IObservabilityClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("obs-incident-mode");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.obs.incident-mode.enable", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "obs incident-mode enable");
+        using var duration = CliMetrics.MeasureCommandDuration("obs incident-mode enable");
+
+        try
+        {
+            var request = new IncidentModeEnableRequest
+            {
+                Tenant = tenant,
+                TtlMinutes = ttlMinutes,
+                RetentionExtensionDays = retentionDays,
+                Reason = reason
+            };
+
+            if (!emitJson)
+            {
+                AnsiConsole.MarkupLine("[bold yellow]Enabling incident mode...[/]");
+            }
+
+            var result = await client.EnableIncidentModeAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+                }
+                Environment.ExitCode = 14;
+                return;
+            }
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+            }
+            else
+            {
+                RenderIncidentModeState(result.State!, "ENABLED", verbose);
+
+                if (!string.IsNullOrWhiteSpace(result.AuditEventId))
+                {
+                    AnsiConsole.MarkupLine($"\n[grey]Audit event: {Markup.Escape(result.AuditEventId)}[/]");
+                }
+
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"[yellow]Warning:[/] {Markup.Escape(warning)}");
+                }
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to enable incident mode.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 14;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    // CLI-OBS-55-001: Handle obs incident-mode disable command
+    public static async Task HandleObsIncidentModeDisableAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? reason,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IObservabilityClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("obs-incident-mode");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.obs.incident-mode.disable", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "obs incident-mode disable");
+        using var duration = CliMetrics.MeasureCommandDuration("obs incident-mode disable");
+
+        try
+        {
+            var request = new IncidentModeDisableRequest
+            {
+                Tenant = tenant,
+                Reason = reason
+            };
+
+            if (!emitJson)
+            {
+                AnsiConsole.MarkupLine("[bold]Disabling incident mode...[/]");
+            }
+
+            var result = await client.DisableIncidentModeAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+                }
+                Environment.ExitCode = 14;
+                return;
+            }
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+            }
+            else
+            {
+                AnsiConsole.MarkupLine("[green]Incident mode disabled.[/]");
+
+                if (result.PreviousState is { } prev)
+                {
+                    AnsiConsole.MarkupLine($"[grey]Was enabled since: {prev.SetAt?.ToString("u", CultureInfo.InvariantCulture) ?? "unknown"}[/]");
+                }
+
+                if (!string.IsNullOrWhiteSpace(result.AuditEventId))
+                {
+                    AnsiConsole.MarkupLine($"[grey]Audit event: {Markup.Escape(result.AuditEventId)}[/]");
+                }
+
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"[yellow]Warning:[/] {Markup.Escape(warning)}");
+                }
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to disable incident mode.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 14;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    // CLI-OBS-55-001: Handle obs incident-mode status command
+    public static async Task HandleObsIncidentModeStatusAsync(
+        IServiceProvider services,
+        string? tenant,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IObservabilityClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("obs-incident-mode");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.obs.incident-mode.status", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "obs incident-mode status");
+        using var duration = CliMetrics.MeasureCommandDuration("obs incident-mode status");
+
+        try
+        {
+            var result = await client.GetIncidentModeStatusAsync(tenant, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+                }
+                Environment.ExitCode = 14;
+                return;
+            }
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result.State, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+            }
+            else
+            {
+                var state = result.State!;
+                var statusLabel = state.Enabled ? "ENABLED" : "DISABLED";
+                RenderIncidentModeState(state, statusLabel, verbose);
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to get incident mode status.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 14;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    private static void RenderIncidentModeState(IncidentModeState state, string statusLabel, bool verbose)
+    {
+        var statusColor = state.Enabled ? "yellow" : "green";
+
+        AnsiConsole.MarkupLine($"[bold]Incident Mode: [{statusColor}]{statusLabel}[/{statusColor}][/]");
+        AnsiConsole.MarkupLine("");
+
+        var grid = new Grid();
+        grid.AddColumn();
+        grid.AddColumn();
+
+        if (!string.IsNullOrWhiteSpace(state.Tenant))
+        {
+            grid.AddRow("[grey]Tenant:[/]", Markup.Escape(state.Tenant));
+        }
+
+        if (state.SetAt.HasValue)
+        {
+            grid.AddRow("[grey]Enabled at:[/]", state.SetAt.Value.ToString("u", CultureInfo.InvariantCulture));
+        }
+
+        if (state.ExpiresAt.HasValue)
+        {
+            var remaining = state.ExpiresAt.Value - DateTimeOffset.UtcNow;
+            var expiresStr = remaining.TotalMinutes > 0
+                ? $"{state.ExpiresAt.Value:u} ({remaining.TotalMinutes:F0}m remaining)"
+                : $"{state.ExpiresAt.Value:u} (expired)";
+            grid.AddRow("[grey]Expires at:[/]", expiresStr);
+        }
+
+        if (state.Enabled)
+        {
+            grid.AddRow("[grey]Retention extension:[/]", $"{state.RetentionExtensionDays} days");
+        }
+
+        if (!string.IsNullOrWhiteSpace(state.Actor) && verbose)
+        {
+            grid.AddRow("[grey]Actor:[/]", Markup.Escape(state.Actor));
+        }
+
+        if (!string.IsNullOrWhiteSpace(state.Source) && verbose)
+        {
+            grid.AddRow("[grey]Source:[/]", Markup.Escape(state.Source));
+        }
+
+        var panel = new Panel(grid)
+        {
+            Border = BoxBorder.Rounded,
+            Header = new PanelHeader("[bold]Incident Mode Status[/]")
+        };
+
+        AnsiConsole.Write(panel);
+
+        if (state.Enabled)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[yellow]Effects while enabled:[/]");
+            AnsiConsole.MarkupLine("  - Extended retention for forensic bundles");
+            AnsiConsole.MarkupLine("  - Debug artefacts captured in evidence locker");
+            AnsiConsole.MarkupLine("  - 100% sampling rate for telemetry");
+            AnsiConsole.MarkupLine("  - `incident=true` tag on all logs/metrics/traces");
+        }
+    }
+
+    #endregion
+
+    #region Pack Commands (CLI-PACKS-42-001)
+
+    public static async Task HandlePackPlanAsync(
+        IServiceProvider services,
+        string packId,
+        string? version,
+        string? inputsPath,
+        bool dryRun,
+        string? outputPath,
+        string? tenant,
+        bool emitJson,
+        bool offline,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IPackClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("pack-plan");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.pack.plan", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "pack plan");
+        activity?.SetTag("stellaops.cli.pack_id", packId);
+        using var duration = CliMetrics.MeasureCommandDuration("pack plan");
+
+        try
+        {
+            if (offline)
+            {
+                AnsiConsole.MarkupLine("[red]Error:[/] Pack plan requires network access.");
+                Environment.ExitCode = 15;
+                return;
+            }
+
+            if (string.IsNullOrWhiteSpace(packId))
+            {
+                AnsiConsole.MarkupLine("[red]Error:[/] Pack ID is required.");
+                Environment.ExitCode = 15;
+                return;
+            }
+
+            // Load inputs if provided
+            Dictionary<string, object>? inputs = null;
+            if (!string.IsNullOrWhiteSpace(inputsPath))
+            {
+                var inputsFullPath = Path.GetFullPath(inputsPath);
+                if (!File.Exists(inputsFullPath))
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] Inputs file not found: {Markup.Escape(inputsFullPath)}");
+                    Environment.ExitCode = 15;
+                    return;
+                }
+
+                var inputsJson = await File.ReadAllTextAsync(inputsFullPath, cancellationToken).ConfigureAwait(false);
+                inputs = JsonSerializer.Deserialize<Dictionary<string, object>>(inputsJson);
+            }
+
+            var request = new PackPlanRequest
+            {
+                PackId = packId,
+                Version = version,
+                Inputs = inputs,
+                Tenant = tenant,
+                DryRun = dryRun,
+                ValidateOnly = dryRun
+            };
+
+            var result = await client.PlanAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+                }
+                foreach (var ve in result.ValidationErrors)
+                {
+                    var pathInfo = !string.IsNullOrWhiteSpace(ve.Path) ? $" at {ve.Path}" : "";
+                    AnsiConsole.MarkupLine($"[red]{Markup.Escape(ve.Code)}:[/] {Markup.Escape(ve.Message)}{pathInfo}");
+                }
+                Environment.ExitCode = 15;
+                return;
+            }
+
+            // Write output if path specified
+            if (!string.IsNullOrWhiteSpace(outputPath))
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                await File.WriteAllTextAsync(Path.GetFullPath(outputPath), json, cancellationToken).ConfigureAwait(false);
+                logger.LogInformation("Plan written to {Path}.", Path.GetFullPath(outputPath));
+            }
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+            }
+            else
+            {
+                RenderPackPlan(result, verbose);
+            }
+
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning:[/] {Markup.Escape(warning)}");
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to plan pack.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 15;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    public static async Task HandlePackRunAsync(
+        IServiceProvider services,
+        string packId,
+        string? version,
+        string? inputsPath,
+        string? planId,
+        bool wait,
+        int timeoutMinutes,
+        string[] labels,
+        string? outputPath,
+        string? tenant,
+        bool emitJson,
+        bool offline,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IPackClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("pack-run");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.pack.run", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "pack run");
+        activity?.SetTag("stellaops.cli.pack_id", packId);
+        using var duration = CliMetrics.MeasureCommandDuration("pack run");
+
+        try
+        {
+            if (offline)
+            {
+                AnsiConsole.MarkupLine("[red]Error:[/] Pack run requires network access.");
+                Environment.ExitCode = 15;
+                return;
+            }
+
+            if (string.IsNullOrWhiteSpace(packId))
+            {
+                AnsiConsole.MarkupLine("[red]Error:[/] Pack ID is required.");
+                Environment.ExitCode = 15;
+                return;
+            }
+
+            // Load inputs if provided
+            Dictionary<string, object>? inputs = null;
+            if (!string.IsNullOrWhiteSpace(inputsPath))
+            {
+                var inputsFullPath = Path.GetFullPath(inputsPath);
+                if (!File.Exists(inputsFullPath))
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] Inputs file not found: {Markup.Escape(inputsFullPath)}");
+                    Environment.ExitCode = 15;
+                    return;
+                }
+
+                var inputsJson = await File.ReadAllTextAsync(inputsFullPath, cancellationToken).ConfigureAwait(false);
+                inputs = JsonSerializer.Deserialize<Dictionary<string, object>>(inputsJson);
+            }
+
+            // Parse labels
+            var labelsDict = new Dictionary<string, string>();
+            foreach (var label in labels)
+            {
+                var parts = label.Split('=', 2);
+                if (parts.Length == 2)
+                {
+                    labelsDict[parts[0]] = parts[1];
+                }
+            }
+
+            var request = new PackRunRequest
+            {
+                PackId = packId,
+                Version = version,
+                PlanId = planId,
+                Inputs = inputs,
+                Tenant = tenant,
+                Labels = labelsDict.Count > 0 ? labelsDict : null,
+                WaitForCompletion = wait,
+                TimeoutMinutes = timeoutMinutes
+            };
+
+            var result = await client.RunAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+                }
+                Environment.ExitCode = 15;
+                return;
+            }
+
+            // Write output if path specified
+            if (!string.IsNullOrWhiteSpace(outputPath))
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                await File.WriteAllTextAsync(Path.GetFullPath(outputPath), json, cancellationToken).ConfigureAwait(false);
+                logger.LogInformation("Run result written to {Path}.", Path.GetFullPath(outputPath));
+            }
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+            }
+            else
+            {
+                RenderPackRunStatus(result.Run!, verbose);
+            }
+
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning:[/] {Markup.Escape(warning)}");
+            }
+
+            // Set exit code based on run status
+            var exitCode = result.Run?.Status switch
+            {
+                "succeeded" => 0,
+                "failed" => 15,
+                "waiting_approval" => 0, // Pending approval is not an error
+                _ => 0
+            };
+            Environment.ExitCode = exitCode;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to run pack.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 15;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    public static async Task HandlePackPushAsync(
+        IServiceProvider services,
+        string path,
+        string? name,
+        string? version,
+        bool sign,
+        string? keyId,
+        bool force,
+        string? tenant,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IPackClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("pack-push");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.pack.push", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "pack push");
+        using var duration = CliMetrics.MeasureCommandDuration("pack push");
+
+        try
+        {
+            if (string.IsNullOrWhiteSpace(path))
+            {
+                AnsiConsole.MarkupLine("[red]Error:[/] Pack path is required.");
+                Environment.ExitCode = 15;
+                return;
+            }
+
+            var request = new PackPushRequest
+            {
+                PackPath = path,
+                Name = name,
+                Version = version,
+                Tenant = tenant,
+                Sign = sign,
+                KeyId = keyId,
+                Force = force
+            };
+
+            var result = await client.PushAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+                }
+                Environment.ExitCode = 15;
+                return;
+            }
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+            }
+            else
+            {
+                AnsiConsole.MarkupLine("[green]Pack pushed successfully.[/]");
+                if (result.Pack is not null)
+                {
+                    AnsiConsole.MarkupLine($"  Pack: {Markup.Escape(result.Pack.Id)}");
+                    AnsiConsole.MarkupLine($"  Version: {Markup.Escape(result.Pack.Version)}");
+                }
+                if (!string.IsNullOrWhiteSpace(result.Digest))
+                {
+                    AnsiConsole.MarkupLine($"  Digest: {Markup.Escape(result.Digest)}");
+                }
+                if (!string.IsNullOrWhiteSpace(result.RekorLogId))
+                {
+                    AnsiConsole.MarkupLine($"  Rekor Log ID: {Markup.Escape(result.RekorLogId)}");
+                }
+            }
+
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning:[/] {Markup.Escape(warning)}");
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to push pack.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 15;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    public static async Task HandlePackPullAsync(
+        IServiceProvider services,
+        string packId,
+        string? version,
+        string? outputPath,
+        bool noVerify,
+        string? tenant,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IPackClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("pack-pull");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.pack.pull", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "pack pull");
+        activity?.SetTag("stellaops.cli.pack_id", packId);
+        using var duration = CliMetrics.MeasureCommandDuration("pack pull");
+
+        try
+        {
+            if (string.IsNullOrWhiteSpace(packId))
+            {
+                AnsiConsole.MarkupLine("[red]Error:[/] Pack ID is required.");
+                Environment.ExitCode = 15;
+                return;
+            }
+
+            var request = new PackPullRequest
+            {
+                PackId = packId,
+                Version = version,
+                OutputPath = outputPath,
+                Tenant = tenant,
+                Verify = !noVerify
+            };
+
+            var result = await client.PullAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+                }
+                Environment.ExitCode = 15;
+                return;
+            }
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+            }
+            else
+            {
+                AnsiConsole.MarkupLine("[green]Pack pulled successfully.[/]");
+                AnsiConsole.MarkupLine($"  Output: {Markup.Escape(result.OutputPath ?? "unknown")}");
+                if (result.Verified)
+                {
+                    AnsiConsole.MarkupLine("  [green]Signature verified[/]");
+                }
+                else if (!noVerify)
+                {
+                    AnsiConsole.MarkupLine("  [yellow]Signature not verified[/]");
+                }
+            }
+
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning:[/] {Markup.Escape(warning)}");
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to pull pack.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 15;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    public static async Task HandlePackVerifyAsync(
+        IServiceProvider services,
+        string? path,
+        string? packId,
+        string? version,
+        string? digest,
+        bool noRekor,
+        bool noExpiry,
+        string? tenant,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IPackClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("pack-verify");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.pack.verify", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "pack verify");
+        using var duration = CliMetrics.MeasureCommandDuration("pack verify");
+
+        try
+        {
+            if (string.IsNullOrWhiteSpace(path) && string.IsNullOrWhiteSpace(packId))
+            {
+                AnsiConsole.MarkupLine("[red]Error:[/] Either --path or --pack-id is required.");
+                Environment.ExitCode = 15;
+                return;
+            }
+
+            var request = new PackVerifyRequest
+            {
+                PackPath = path,
+                PackId = packId,
+                Version = version,
+                Digest = digest,
+                Tenant = tenant,
+                CheckRekor = !noRekor,
+                CheckExpiry = !noExpiry
+            };
+
+            var result = await client.VerifyAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+                }
+                foreach (var ve in result.ValidationErrors)
+                {
+                    var pathInfo = !string.IsNullOrWhiteSpace(ve.Path) ? $" at {ve.Path}" : "";
+                    AnsiConsole.MarkupLine($"[red]{Markup.Escape(ve.Code)}:[/] {Markup.Escape(ve.Message)}{pathInfo}");
+                }
+                Environment.ExitCode = 15;
+                return;
+            }
+
+            if (emitJson)
+            {
+                var json = JsonSerializer.Serialize(result, new JsonSerializerOptions { WriteIndented = true });
+                Console.WriteLine(json);
+            }
+            else
+            {
+                RenderPackVerifyResult(result, verbose);
+            }
+
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning:[/] {Markup.Escape(warning)}");
+            }
+
+            var allValid = result.SignatureValid && result.DigestMatch && result.SchemaValid
+                && (result.RekorVerified ?? true) && (result.CertificateValid ?? true);
+            Environment.ExitCode = allValid ? 0 : 15;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to verify pack.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 15;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    private static void RenderPackPlan(PackPlanResult result, bool verbose)
+    {
+        AnsiConsole.MarkupLine("[bold]Pack Execution Plan[/]");
+        AnsiConsole.MarkupLine("");
+
+        if (!string.IsNullOrWhiteSpace(result.PlanHash))
+        {
+            AnsiConsole.MarkupLine($"[grey]Plan Hash:[/] {Markup.Escape(result.PlanHash)}");
+        }
+        if (!string.IsNullOrWhiteSpace(result.PlanId))
+        {
+            AnsiConsole.MarkupLine($"[grey]Plan ID:[/] {Markup.Escape(result.PlanId)}");
+        }
+        if (result.EstimatedDuration.HasValue)
+        {
+            AnsiConsole.MarkupLine($"[grey]Estimated Duration:[/] {result.EstimatedDuration.Value.TotalMinutes:F1} minutes");
+        }
+        AnsiConsole.MarkupLine("");
+
+        if (result.Steps.Count > 0)
+        {
+            var table = new Table();
+            table.AddColumn("Step");
+            table.AddColumn("Action");
+            table.AddColumn("Depends On");
+            if (verbose)
+            {
+                table.AddColumn("Condition");
+            }
+
+            foreach (var step in result.Steps)
+            {
+                var dependsOn = step.DependsOn.Count > 0 ? string.Join(", ", step.DependsOn) : "-";
+                var row = new List<string>
+                {
+                    Markup.Escape(step.Name),
+                    Markup.Escape(step.Action),
+                    Markup.Escape(dependsOn)
+                };
+
+                if (verbose)
+                {
+                    row.Add(Markup.Escape(step.Condition ?? "-"));
+                }
+
+                table.AddRow(row.ToArray());
+            }
+
+            AnsiConsole.Write(table);
+        }
+
+        if (result.RequiresApproval)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[yellow]This plan requires approval before execution.[/]");
+            if (result.ApprovalGates.Count > 0)
+            {
+                AnsiConsole.MarkupLine($"  Approval gates: {string.Join(", ", result.ApprovalGates)}");
+            }
+        }
+    }
+
+    private static void RenderPackRunStatus(PackRunStatus status, bool verbose)
+    {
+        var statusColor = status.Status switch
+        {
+            "succeeded" => "green",
+            "failed" => "red",
+            "running" => "blue",
+            "waiting_approval" => "yellow",
+            "cancelled" => "grey",
+            _ => "white"
+        };
+
+        AnsiConsole.MarkupLine($"[bold]Pack Run: [{statusColor}]{status.Status.ToUpperInvariant()}[/{statusColor}][/]");
+        AnsiConsole.MarkupLine("");
+
+        AnsiConsole.MarkupLine($"[grey]Run ID:[/] {Markup.Escape(status.RunId)}");
+        AnsiConsole.MarkupLine($"[grey]Pack:[/] {Markup.Escape(status.PackId)} v{Markup.Escape(status.Version)}");
+
+        if (status.StartedAt.HasValue)
+        {
+            AnsiConsole.MarkupLine($"[grey]Started:[/] {status.StartedAt.Value:u}");
+        }
+        if (status.Duration.HasValue)
+        {
+            AnsiConsole.MarkupLine($"[grey]Duration:[/] {status.Duration.Value.TotalSeconds:F1}s");
+        }
+        if (!string.IsNullOrWhiteSpace(status.Actor) && verbose)
+        {
+            AnsiConsole.MarkupLine($"[grey]Actor:[/] {Markup.Escape(status.Actor)}");
+        }
+        if (!string.IsNullOrWhiteSpace(status.AuditEventId) && verbose)
+        {
+            AnsiConsole.MarkupLine($"[grey]Audit Event:[/] {Markup.Escape(status.AuditEventId)}");
+        }
+
+        if (!string.IsNullOrWhiteSpace(status.Error))
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(status.Error)}");
+        }
+
+        if (status.StepStatuses.Count > 0 && verbose)
+        {
+            AnsiConsole.MarkupLine("");
+            var table = new Table();
+            table.AddColumn("Step");
+            table.AddColumn("Status");
+            table.AddColumn("Duration");
+
+            foreach (var step in status.StepStatuses)
+            {
+                var stepColor = step.Status switch
+                {
+                    "succeeded" => "green",
+                    "failed" => "red",
+                    "running" => "blue",
+                    "skipped" => "grey",
+                    _ => "white"
+                };
+
+                var durationStr = step.Duration.HasValue ? $"{step.Duration.Value.TotalSeconds:F1}s" : "-";
+                table.AddRow(
+                    Markup.Escape(step.Name),
+                    $"[{stepColor}]{Markup.Escape(step.Status)}[/{stepColor}]",
+                    durationStr);
+            }
+
+            AnsiConsole.Write(table);
+        }
+
+        if (status.Artifacts.Count > 0)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[bold]Artifacts:[/]");
+            foreach (var artifact in status.Artifacts)
+            {
+                AnsiConsole.MarkupLine($"  - {Markup.Escape(artifact.Name)} ({Markup.Escape(artifact.Type)})");
+            }
+        }
+    }
+
+    private static void RenderPackVerifyResult(PackVerifyResult result, bool verbose)
+    {
+        AnsiConsole.MarkupLine("[bold]Pack Verification Result[/]");
+        AnsiConsole.MarkupLine("");
+
+        var grid = new Grid();
+        grid.AddColumn();
+        grid.AddColumn();
+
+        grid.AddRow("[grey]Signature:[/]", result.SignatureValid ? "[green]Valid[/]" : "[red]Invalid[/]");
+        grid.AddRow("[grey]Digest Match:[/]", result.DigestMatch ? "[green]Yes[/]" : "[red]No[/]");
+        grid.AddRow("[grey]Schema:[/]", result.SchemaValid ? "[green]Valid[/]" : "[red]Invalid[/]");
+
+        if (result.RekorVerified.HasValue)
+        {
+            grid.AddRow("[grey]Rekor Verified:[/]", result.RekorVerified.Value ? "[green]Yes[/]" : "[red]No[/]");
+        }
+
+        if (result.CertificateValid.HasValue)
+        {
+            grid.AddRow("[grey]Certificate:[/]", result.CertificateValid.Value ? "[green]Valid[/]" : "[red]Invalid[/]");
+        }
+
+        if (result.CertificateExpiry.HasValue && verbose)
+        {
+            var remaining = result.CertificateExpiry.Value - DateTimeOffset.UtcNow;
+            var expiryColor = remaining.TotalDays > 30 ? "green" : remaining.TotalDays > 7 ? "yellow" : "red";
+            grid.AddRow("[grey]Cert Expires:[/]", $"[{expiryColor}]{result.CertificateExpiry.Value:u}[/{expiryColor}]");
+        }
+
+        var panel = new Panel(grid)
+        {
+            Border = BoxBorder.Rounded,
+            Header = new PanelHeader("[bold]Verification Summary[/]")
+        };
+
+        AnsiConsole.Write(panel);
+
+        if (result.Pack is not null && verbose)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine($"[grey]Pack:[/] {Markup.Escape(result.Pack.Id)} v{Markup.Escape(result.Pack.Version)}");
+            if (!string.IsNullOrWhiteSpace(result.Pack.Author))
+            {
+                AnsiConsole.MarkupLine($"[grey]Author:[/] {Markup.Escape(result.Pack.Author)}");
+            }
+        }
+    }
+
+    // CLI-PACKS-43-001: Advanced pack features handlers
+
+    internal static async Task<int> HandlePackRunsListAsync(
+        IServiceProvider services,
+        string? packId,
+        string? status,
+        string? actor,
+        DateTimeOffset? since,
+        DateTimeOffset? until,
+        int pageSize,
+        string? pageToken,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IPackClient>();
+
+        var request = new PackRunListRequest
+        {
+            PackId = packId,
+            Status = status,
+            Actor = actor,
+            Since = since,
+            Until = until,
+            PageSize = pageSize,
+            PageToken = pageToken,
+            Tenant = tenant
+        };
+
+        var result = await client.ListRunsAsync(request, cancellationToken);
+
+        if (json)
+        {
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+            return 0;
+        }
+
+        if (result.Runs.Count == 0)
+        {
+            AnsiConsole.MarkupLine("[grey]No pack runs found.[/]");
+            return 0;
+        }
+
+        var table = new Table();
+        table.AddColumn("Run ID");
+        table.AddColumn("Pack");
+        table.AddColumn("Status");
+        table.AddColumn("Started");
+        table.AddColumn("Duration");
+        if (verbose)
+        {
+            table.AddColumn("Actor");
+        }
+
+        foreach (var run in result.Runs)
+        {
+            var statusColor = GetPackRunStatusColor(run.Status);
+            var duration = run.Duration.HasValue ? $"{run.Duration.Value.TotalSeconds:F0}s" : "-";
+
+            var row = new List<string>
+            {
+                Markup.Escape(run.RunId),
+                $"{Markup.Escape(run.PackId)}:{Markup.Escape(run.Version)}",
+                statusColor,
+                run.StartedAt?.ToString("u") ?? "-",
+                duration
+            };
+
+            if (verbose)
+            {
+                row.Add(Markup.Escape(run.Actor ?? "-"));
+            }
+
+            table.AddRow(row.ToArray());
+        }
+
+        AnsiConsole.Write(table);
+
+        if (result.TotalCount.HasValue)
+        {
+            AnsiConsole.MarkupLine($"[grey]Showing {result.Runs.Count} of {result.TotalCount} runs[/]");
+        }
+
+        if (!string.IsNullOrWhiteSpace(result.NextPageToken))
+        {
+            AnsiConsole.MarkupLine($"[grey]More results available. Use --page-token {Markup.Escape(result.NextPageToken)}[/]");
+        }
+
+        return 0;
+    }
+
+    internal static async Task<int> HandlePackRunsShowAsync(
+        IServiceProvider services,
+        string runId,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IPackClient>();
+
+        var result = await client.GetRunStatusAsync(runId, tenant, cancellationToken);
+
+        if (result is null)
+        {
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(new { error = "Run not found" }, JsonOutputOptions));
+            }
+            else
+            {
+                AnsiConsole.MarkupLine($"[red]Run '{Markup.Escape(runId)}' not found.[/]");
+            }
+            return 15;
+        }
+
+        if (json)
+        {
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+            return 0;
+        }
+
+        RenderPackRunStatus(result, verbose);
+        return 0;
+    }
+
+    internal static async Task<int> HandlePackRunsCancelAsync(
+        IServiceProvider services,
+        string runId,
+        string? reason,
+        bool force,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IPackClient>();
+
+        var request = new PackCancelRequest
+        {
+            RunId = runId,
+            Tenant = tenant,
+            Reason = reason,
+            Force = force
+        };
+
+        var result = await client.CancelRunAsync(request, cancellationToken);
+
+        if (json)
+        {
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+            return result.Success ? 0 : 15;
+        }
+
+        if (!result.Success)
+        {
+            AnsiConsole.MarkupLine("[red]Failed to cancel run:[/]");
+            foreach (var error in result.Errors)
+            {
+                AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+            }
+            return 15;
+        }
+
+        AnsiConsole.MarkupLine($"[green]Run '{Markup.Escape(runId)}' cancelled successfully.[/]");
+
+        if (!string.IsNullOrWhiteSpace(result.AuditEventId) && verbose)
+        {
+            AnsiConsole.MarkupLine($"[grey]Audit Event:[/] {Markup.Escape(result.AuditEventId)}");
+        }
+
+        return 0;
+    }
+
+    internal static async Task<int> HandlePackRunsPauseAsync(
+        IServiceProvider services,
+        string runId,
+        string? reason,
+        string? stepId,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IPackClient>();
+
+        var request = new PackApprovalPauseRequest
+        {
+            RunId = runId,
+            Tenant = tenant,
+            Reason = reason,
+            StepId = stepId
+        };
+
+        var result = await client.PauseForApprovalAsync(request, cancellationToken);
+
+        if (json)
+        {
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+            return result.Success ? 0 : 15;
+        }
+
+        if (!result.Success)
+        {
+            AnsiConsole.MarkupLine("[red]Failed to pause run:[/]");
+            foreach (var error in result.Errors)
+            {
+                AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+            }
+            return 15;
+        }
+
+        AnsiConsole.MarkupLine($"[yellow]Run '{Markup.Escape(runId)}' paused for approval.[/]");
+
+        if (result.Run is not null)
+        {
+            AnsiConsole.MarkupLine($"[grey]Status:[/] {GetPackRunStatusColor(result.Run.Status)}");
+            if (!string.IsNullOrWhiteSpace(result.Run.CurrentStep))
+            {
+                AnsiConsole.MarkupLine($"[grey]Paused at step:[/] {Markup.Escape(result.Run.CurrentStep)}");
+            }
+        }
+
+        if (!string.IsNullOrWhiteSpace(result.AuditEventId) && verbose)
+        {
+            AnsiConsole.MarkupLine($"[grey]Audit Event:[/] {Markup.Escape(result.AuditEventId)}");
+        }
+
+        AnsiConsole.MarkupLine("");
+        AnsiConsole.MarkupLine($"[grey]Resume with:[/] stella pack runs resume {Markup.Escape(runId)}");
+
+        return 0;
+    }
+
+    internal static async Task<int> HandlePackRunsResumeAsync(
+        IServiceProvider services,
+        string runId,
+        bool approve,
+        string? reason,
+        string? stepId,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IPackClient>();
+
+        var request = new PackApprovalResumeRequest
+        {
+            RunId = runId,
+            Tenant = tenant,
+            Approved = approve,
+            Reason = reason,
+            StepId = stepId
+        };
+
+        var result = await client.ResumeWithApprovalAsync(request, cancellationToken);
+
+        if (json)
+        {
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+            return result.Success ? 0 : 15;
+        }
+
+        if (!result.Success)
+        {
+            AnsiConsole.MarkupLine("[red]Failed to resume run:[/]");
+            foreach (var error in result.Errors)
+            {
+                AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+            }
+            return 15;
+        }
+
+        if (approve)
+        {
+            AnsiConsole.MarkupLine($"[green]Run '{Markup.Escape(runId)}' approved and resumed.[/]");
+        }
+        else
+        {
+            AnsiConsole.MarkupLine($"[yellow]Run '{Markup.Escape(runId)}' rejected.[/]");
+        }
+
+        if (result.Run is not null)
+        {
+            AnsiConsole.MarkupLine($"[grey]Status:[/] {GetPackRunStatusColor(result.Run.Status)}");
+        }
+
+        if (!string.IsNullOrWhiteSpace(result.AuditEventId) && verbose)
+        {
+            AnsiConsole.MarkupLine($"[grey]Audit Event:[/] {Markup.Escape(result.AuditEventId)}");
+        }
+
+        return 0;
+    }
+
+    internal static async Task<int> HandlePackRunsLogsAsync(
+        IServiceProvider services,
+        string runId,
+        string? stepId,
+        int? tail,
+        DateTimeOffset? since,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IPackClient>();
+
+        var request = new PackLogsRequest
+        {
+            RunId = runId,
+            Tenant = tenant,
+            StepId = stepId,
+            Tail = tail,
+            Since = since
+        };
+
+        var result = await client.GetLogsAsync(request, cancellationToken);
+
+        if (json)
+        {
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+            return result.Success ? 0 : 15;
+        }
+
+        if (!result.Success)
+        {
+            AnsiConsole.MarkupLine("[red]Failed to get logs:[/]");
+            foreach (var error in result.Errors)
+            {
+                AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+            }
+            return 15;
+        }
+
+        if (result.Logs.Count == 0)
+        {
+            AnsiConsole.MarkupLine("[grey]No logs found.[/]");
+            return 0;
+        }
+
+        foreach (var log in result.Logs)
+        {
+            var levelColor = log.Level.ToLowerInvariant() switch
+            {
+                "error" => "red",
+                "warn" => "yellow",
+                "debug" => "grey",
+                _ => "white"
+            };
+
+            var stepInfo = verbose && !string.IsNullOrWhiteSpace(log.StepId) ? $"[{Markup.Escape(log.StepId)}] " : "";
+            var timestamp = verbose ? $"[grey]{log.Timestamp:HH:mm:ss}[/] " : "";
+
+            AnsiConsole.MarkupLine($"{timestamp}{stepInfo}[{levelColor}]{Markup.Escape(log.Message)}[/{levelColor}]");
+        }
+
+        return 0;
+    }
+
+    internal static async Task<int> HandlePackSecretsInjectAsync(
+        IServiceProvider services,
+        string runId,
+        string secretRef,
+        string provider,
+        string? envVar,
+        string? path,
+        string? stepId,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IPackClient>();
+
+        var request = new PackSecretInjectRequest
+        {
+            RunId = runId,
+            Tenant = tenant,
+            SecretRef = secretRef,
+            SecretProvider = provider,
+            TargetEnvVar = envVar,
+            TargetPath = path,
+            StepId = stepId
+        };
+
+        var result = await client.InjectSecretAsync(request, cancellationToken);
+
+        if (json)
+        {
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+            return result.Success ? 0 : 15;
+        }
+
+        if (!result.Success)
+        {
+            AnsiConsole.MarkupLine("[red]Failed to inject secret:[/]");
+            foreach (var error in result.Errors)
+            {
+                AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+            }
+            return 15;
+        }
+
+        AnsiConsole.MarkupLine($"[green]Secret injected successfully.[/]");
+        AnsiConsole.MarkupLine($"[grey]Secret Ref:[/] {Markup.Escape(secretRef)}");
+        AnsiConsole.MarkupLine($"[grey]Provider:[/] {Markup.Escape(provider)}");
+
+        if (!string.IsNullOrWhiteSpace(envVar))
+        {
+            AnsiConsole.MarkupLine($"[grey]Environment Variable:[/] {Markup.Escape(envVar)}");
+        }
+        if (!string.IsNullOrWhiteSpace(path))
+        {
+            AnsiConsole.MarkupLine($"[grey]File Path:[/] {Markup.Escape(path)}");
+        }
+
+        if (!string.IsNullOrWhiteSpace(result.AuditEventId) && verbose)
+        {
+            AnsiConsole.MarkupLine($"[grey]Audit Event:[/] {Markup.Escape(result.AuditEventId)}");
+        }
+
+        return 0;
+    }
+
+    internal static async Task<int> HandlePackCacheListAsync(
+        IServiceProvider services,
+        string? cacheDir,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IPackClient>();
+
+        var request = new PackCacheRequest
+        {
+            Action = "list",
+            CacheDir = cacheDir
+        };
+
+        var result = await client.ManageCacheAsync(request, cancellationToken);
+
+        if (json)
+        {
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+            return result.Success ? 0 : 15;
+        }
+
+        if (!result.Success)
+        {
+            AnsiConsole.MarkupLine("[red]Failed to list cache:[/]");
+            foreach (var error in result.Errors)
+            {
+                AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+            }
+            return 15;
+        }
+
+        if (result.Entries.Count == 0)
+        {
+            AnsiConsole.MarkupLine("[grey]Cache is empty.[/]");
+            return 0;
+        }
+
+        var table = new Table();
+        table.AddColumn("Pack");
+        table.AddColumn("Version");
+        table.AddColumn("Size");
+        table.AddColumn("Cached At");
+        if (verbose)
+        {
+            table.AddColumn("Digest");
+            table.AddColumn("Verified");
+        }
+
+        foreach (var entry in result.Entries)
+        {
+            var row = new List<string>
+            {
+                Markup.Escape(entry.PackId),
+                Markup.Escape(entry.Version),
+                FormatBytes(entry.Size),
+                entry.CachedAt.ToString("u")
+            };
+
+            if (verbose)
+            {
+                row.Add(Markup.Escape(entry.Digest.Length > 12 ? entry.Digest[..12] + "..." : entry.Digest));
+                row.Add(entry.Verified ? "[green]Yes[/]" : "[yellow]No[/]");
+            }
+
+            table.AddRow(row.ToArray());
+        }
+
+        AnsiConsole.Write(table);
+        AnsiConsole.MarkupLine($"[grey]Total cache size:[/] {FormatBytes(result.TotalSize)}");
+
+        return 0;
+    }
+
+    internal static async Task<int> HandlePackCacheAddAsync(
+        IServiceProvider services,
+        string packId,
+        string? version,
+        string? cacheDir,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IPackClient>();
+
+        var request = new PackCacheRequest
+        {
+            Action = "add",
+            PackId = packId,
+            Version = version,
+            CacheDir = cacheDir
+        };
+
+        var result = await client.ManageCacheAsync(request, cancellationToken);
+
+        if (json)
+        {
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+            return result.Success ? 0 : 15;
+        }
+
+        if (!result.Success)
+        {
+            AnsiConsole.MarkupLine("[red]Failed to add to cache:[/]");
+            foreach (var error in result.Errors)
+            {
+                AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+            }
+            return 15;
+        }
+
+        AnsiConsole.MarkupLine($"[green]Pack added to cache.[/]");
+        AnsiConsole.MarkupLine($"[grey]Pack:[/] {Markup.Escape(packId)}");
+        if (!string.IsNullOrWhiteSpace(version))
+        {
+            AnsiConsole.MarkupLine($"[grey]Version:[/] {Markup.Escape(version)}");
+        }
+
+        return 0;
+    }
+
+    internal static async Task<int> HandlePackCachePruneAsync(
+        IServiceProvider services,
+        int? maxAgeDays,
+        long? maxSizeMb,
+        bool dryRun,
+        string? cacheDir,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IPackClient>();
+
+        var request = new PackCacheRequest
+        {
+            Action = dryRun ? "prune_preview" : "prune",
+            CacheDir = cacheDir,
+            MaxAge = maxAgeDays.HasValue ? TimeSpan.FromDays(maxAgeDays.Value) : null,
+            MaxSize = maxSizeMb.HasValue ? maxSizeMb.Value * 1024 * 1024 : null
+        };
+
+        var result = await client.ManageCacheAsync(request, cancellationToken);
+
+        if (json)
+        {
+            AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+            return result.Success ? 0 : 15;
+        }
+
+        if (!result.Success)
+        {
+            AnsiConsole.MarkupLine("[red]Failed to prune cache:[/]");
+            foreach (var error in result.Errors)
+            {
+                AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+            }
+            return 15;
+        }
+
+        if (dryRun)
+        {
+            AnsiConsole.MarkupLine("[yellow]DRY RUN - No changes made[/]");
+        }
+
+        if (result.PrunedCount == 0)
+        {
+            AnsiConsole.MarkupLine("[grey]No packs to prune.[/]");
+        }
+        else
+        {
+            AnsiConsole.MarkupLine($"[green]{(dryRun ? "Would prune" : "Pruned")} {result.PrunedCount} pack(s).[/]");
+            AnsiConsole.MarkupLine($"[grey]Space {(dryRun ? "to be " : "")}freed:[/] {FormatBytes(result.PrunedSize)}");
+        }
+
+        AnsiConsole.MarkupLine($"[grey]Cache size {(dryRun ? "after prune" : "now")}:[/] {FormatBytes(result.TotalSize)}");
+
+        return 0;
+    }
+
+    private static string GetPackRunStatusColor(string status)
+    {
+        return status.ToLowerInvariant() switch
+        {
+            "pending" => "[yellow]pending[/]",
+            "running" => "[blue]running[/]",
+            "succeeded" => "[green]succeeded[/]",
+            "failed" => "[red]failed[/]",
+            "cancelled" => "[grey]cancelled[/]",
+            "waiting_approval" => "[yellow]waiting_approval[/]",
+            _ => Markup.Escape(status)
+        };
+    }
+
+    #endregion
+
+    #region Exceptions Commands (CLI-EXC-25-001)
+
+    /// <summary>
+    /// Handles 'stella exceptions list' command.
+    /// </summary>
+    internal static async Task<int> HandleExceptionsListAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? vuln,
+        string? scopeType,
+        string? scopeValue,
+        string[]? status,
+        string? owner,
+        string? effectType,
+        DateTimeOffset? expiringBefore,
+        bool includeExpired,
+        int pageSize,
+        string? pageToken,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IExceptionClient>();
+
+        var request = new ExceptionListRequest
+        {
+            Tenant = tenant,
+            Vuln = vuln,
+            ScopeType = scopeType,
+            ScopeValue = scopeValue,
+            Statuses = status?.Length > 0 ? status : null,
+            Owner = owner,
+            EffectType = effectType,
+            ExpiringBefore = expiringBefore,
+            IncludeExpired = includeExpired,
+            PageSize = pageSize,
+            PageToken = pageToken
+        };
+
+        try
+        {
+            var response = await client.ListAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(response, JsonOutputOptions));
+                return 0;
+            }
+
+            if (response.Exceptions.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[yellow]No exceptions found matching criteria.[/]");
+                return 0;
+            }
+
+            RenderExceptionList(response, verbose);
+
+            if (!string.IsNullOrWhiteSpace(response.NextPageToken))
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine($"[grey]Next page token: {Markup.Escape(response.NextPageToken)}[/]");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error listing exceptions: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella exceptions show' command.
+    /// </summary>
+    internal static async Task<int> HandleExceptionsShowAsync(
+        IServiceProvider services,
+        string exceptionId,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IExceptionClient>();
+
+        try
+        {
+            var exception = await client.GetAsync(exceptionId, tenant, cancellationToken);
+
+            if (exception is null)
+            {
+                var error = new CliError(CliErrorCodes.ExcNotFound, $"Exception '{exceptionId}' not found.");
+                AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Message)}[/]");
+                return error.ExitCode;
+            }
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(exception, JsonOutputOptions));
+                return 0;
+            }
+
+            RenderExceptionDetail(exception, verbose);
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error fetching exception: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella exceptions create' command.
+    /// </summary>
+    internal static async Task<int> HandleExceptionsCreateAsync(
+        IServiceProvider services,
+        string tenant,
+        string vuln,
+        string scopeType,
+        string scopeValue,
+        string effectId,
+        string justification,
+        string owner,
+        DateTimeOffset? expiration,
+        string[]? evidence,
+        string? policyBinding,
+        bool stage,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IExceptionClient>();
+
+        var evidenceRefs = evidence?.Select(e =>
+        {
+            // Format: type:uri[:digest]
+            var parts = e.Split(':', 3);
+            return new ExceptionEvidenceRef
+            {
+                Type = parts.Length > 0 ? parts[0] : "ticket",
+                Uri = parts.Length > 1 ? parts[1] : e,
+                Digest = parts.Length > 2 ? parts[2] : null
+            };
+        }).ToList();
+
+        var request = new ExceptionCreateRequest
+        {
+            Tenant = tenant,
+            Vuln = vuln,
+            Scope = new ExceptionScope
+            {
+                Type = scopeType,
+                Value = scopeValue
+            },
+            EffectId = effectId,
+            Justification = justification,
+            Owner = owner,
+            Expiration = expiration,
+            EvidenceRefs = evidenceRefs,
+            PolicyBinding = policyBinding,
+            Stage = stage
+        };
+
+        try
+        {
+            var result = await client.CreateAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return result.Success ? 0 : 16;
+            }
+
+            if (!result.Success)
+            {
+                AnsiConsole.MarkupLine("[red]Failed to create exception:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+                }
+                return 16;
+            }
+
+            AnsiConsole.MarkupLine("[green]Exception created successfully.[/]");
+            if (result.Exception is not null)
+            {
+                AnsiConsole.MarkupLine($"[grey]ID:[/] {Markup.Escape(result.Exception.Id)}");
+                AnsiConsole.MarkupLine($"[grey]Status:[/] {GetStatusColor(result.Exception.Status)}");
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.AuditEventId) && verbose)
+            {
+                AnsiConsole.MarkupLine($"[grey]Audit Event:[/] {Markup.Escape(result.AuditEventId)}");
+            }
+
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error creating exception: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella exceptions promote' command.
+    /// </summary>
+    internal static async Task<int> HandleExceptionsPromoteAsync(
+        IServiceProvider services,
+        string exceptionId,
+        string? tenant,
+        string targetStatus,
+        string? comment,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IExceptionClient>();
+
+        var request = new ExceptionPromoteRequest
+        {
+            ExceptionId = exceptionId,
+            Tenant = tenant,
+            TargetStatus = targetStatus,
+            Comment = comment
+        };
+
+        try
+        {
+            var result = await client.PromoteAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return result.Success ? 0 : 16;
+            }
+
+            if (!result.Success)
+            {
+                AnsiConsole.MarkupLine("[red]Failed to promote exception:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+                }
+                return 16;
+            }
+
+            AnsiConsole.MarkupLine("[green]Exception promoted successfully.[/]");
+            if (result.Exception is not null)
+            {
+                AnsiConsole.MarkupLine($"[grey]ID:[/] {Markup.Escape(result.Exception.Id)}");
+                AnsiConsole.MarkupLine($"[grey]New Status:[/] {GetStatusColor(result.Exception.Status)}");
+            }
+
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error promoting exception: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella exceptions revoke' command.
+    /// </summary>
+    internal static async Task<int> HandleExceptionsRevokeAsync(
+        IServiceProvider services,
+        string exceptionId,
+        string? tenant,
+        string? reason,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IExceptionClient>();
+
+        var request = new ExceptionRevokeRequest
+        {
+            ExceptionId = exceptionId,
+            Tenant = tenant,
+            Reason = reason
+        };
+
+        try
+        {
+            var result = await client.RevokeAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return result.Success ? 0 : 16;
+            }
+
+            if (!result.Success)
+            {
+                AnsiConsole.MarkupLine("[red]Failed to revoke exception:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+                }
+                return 16;
+            }
+
+            AnsiConsole.MarkupLine("[green]Exception revoked successfully.[/]");
+            if (result.Exception is not null)
+            {
+                AnsiConsole.MarkupLine($"[grey]ID:[/] {Markup.Escape(result.Exception.Id)}");
+                AnsiConsole.MarkupLine($"[grey]Status:[/] {GetStatusColor(result.Exception.Status)}");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error revoking exception: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella exceptions import' command.
+    /// </summary>
+    internal static async Task<int> HandleExceptionsImportAsync(
+        IServiceProvider services,
+        string tenant,
+        string file,
+        bool stage,
+        string? source,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IExceptionClient>();
+
+        if (!File.Exists(file))
+        {
+            var error = new CliError(CliErrorCodes.ExcImportFailed, $"File not found: {file}");
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+
+        var request = new ExceptionImportRequest
+        {
+            Tenant = tenant,
+            Stage = stage,
+            Source = source
+        };
+
+        try
+        {
+            await using var stream = File.OpenRead(file);
+            var result = await client.ImportAsync(request, stream, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return result.Success ? 0 : 16;
+            }
+
+            if (!result.Success)
+            {
+                AnsiConsole.MarkupLine("[red]Import failed:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]Line {error.Line}: {Markup.Escape(error.Message)}[/]");
+                    if (!string.IsNullOrWhiteSpace(error.Field))
+                    {
+                        AnsiConsole.MarkupLine($"    [grey]Field: {Markup.Escape(error.Field)}[/]");
+                    }
+                }
+                return 16;
+            }
+
+            AnsiConsole.MarkupLine("[green]Import completed successfully.[/]");
+            AnsiConsole.MarkupLine($"[grey]Imported:[/] {result.Imported}");
+            AnsiConsole.MarkupLine($"[grey]Skipped:[/] {result.Skipped}");
+
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error importing exceptions: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella exceptions export' command.
+    /// </summary>
+    internal static async Task<int> HandleExceptionsExportAsync(
+        IServiceProvider services,
+        string? tenant,
+        string[]? status,
+        string format,
+        string output,
+        bool includeManifest,
+        bool signed,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IExceptionClient>();
+
+        var request = new ExceptionExportRequest
+        {
+            Tenant = tenant,
+            Statuses = status?.Length > 0 ? status : null,
+            Format = format,
+            IncludeManifest = includeManifest,
+            Signed = signed
+        };
+
+        try
+        {
+            var (content, manifest) = await client.ExportAsync(request, cancellationToken);
+
+            // Write content to output file
+            await using (var fileStream = File.Create(output))
+            {
+                await content.CopyToAsync(fileStream, cancellationToken);
+            }
+
+            if (json && manifest is not null)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(manifest, JsonOutputOptions));
+                return 0;
+            }
+
+            AnsiConsole.MarkupLine("[green]Export completed successfully.[/]");
+            AnsiConsole.MarkupLine($"[grey]Output:[/] {Markup.Escape(output)}");
+
+            if (manifest is not null)
+            {
+                AnsiConsole.MarkupLine($"[grey]Count:[/] {manifest.Count}");
+                AnsiConsole.MarkupLine($"[grey]SHA256:[/] {Markup.Escape(manifest.Sha256)}");
+
+                if (verbose)
+                {
+                    AnsiConsole.MarkupLine($"[grey]Generated:[/] {manifest.GeneratedAt:u}");
+                    if (!string.IsNullOrWhiteSpace(manifest.SignatureUri))
+                    {
+                        AnsiConsole.MarkupLine($"[grey]Signature:[/] {Markup.Escape(manifest.SignatureUri)}");
+                    }
+                }
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error exporting exceptions: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    private static void RenderExceptionList(ExceptionListResponse response, bool verbose)
+    {
+        var table = new Table();
+        table.Border = TableBorder.Rounded;
+
+        table.AddColumn("ID");
+        table.AddColumn("Vuln");
+        table.AddColumn("Scope");
+        table.AddColumn("Effect");
+        table.AddColumn("Status");
+        table.AddColumn("Owner");
+        table.AddColumn("Expires");
+
+        foreach (var exc in response.Exceptions)
+        {
+            var scopeText = $"{exc.Scope.Type}:{Truncate(exc.Scope.Value, 30)}";
+            var effectText = exc.Effect?.EffectType ?? exc.EffectId;
+            var expiresText = exc.Expiration?.ToString("yyyy-MM-dd") ?? "-";
+
+            table.AddRow(
+                Markup.Escape(Truncate(exc.Id, 12)),
+                Markup.Escape(exc.Vuln),
+                Markup.Escape(scopeText),
+                Markup.Escape(effectText),
+                GetStatusColor(exc.Status),
+                Markup.Escape(Truncate(exc.Owner, 20)),
+                expiresText
+            );
+        }
+
+        AnsiConsole.Write(table);
+
+        if (response.TotalCount.HasValue)
+        {
+            AnsiConsole.MarkupLine($"[grey]Total: {response.TotalCount} exceptions[/]");
+        }
+    }
+
+    private static void RenderExceptionDetail(ExceptionInstance exc, bool verbose)
+    {
+        var panel = new Panel(new Grid()
+            .AddColumn()
+            .AddColumn()
+            .AddRow("[grey]ID:[/]", Markup.Escape(exc.Id))
+            .AddRow("[grey]Tenant:[/]", Markup.Escape(exc.Tenant))
+            .AddRow("[grey]Vulnerability:[/]", Markup.Escape(exc.Vuln))
+            .AddRow("[grey]Status:[/]", GetStatusColor(exc.Status))
+            .AddRow("[grey]Owner:[/]", Markup.Escape(exc.Owner))
+            .AddRow("[grey]Effect:[/]", Markup.Escape(exc.Effect?.EffectType ?? exc.EffectId))
+            .AddRow("[grey]Created:[/]", exc.CreatedAt.ToString("u"))
+            .AddRow("[grey]Updated:[/]", exc.UpdatedAt.ToString("u"))
+            .AddRow("[grey]Expires:[/]", exc.Expiration?.ToString("u") ?? "[grey]Never[/]"))
+        {
+            Border = BoxBorder.Rounded,
+            Header = new PanelHeader("[bold]Exception Details[/]")
+        };
+
+        AnsiConsole.Write(panel);
+
+        // Scope
+        AnsiConsole.MarkupLine("");
+        AnsiConsole.MarkupLine("[bold]Scope[/]");
+        AnsiConsole.MarkupLine($"  [grey]Type:[/] {Markup.Escape(exc.Scope.Type)}");
+        AnsiConsole.MarkupLine($"  [grey]Value:[/] {Markup.Escape(exc.Scope.Value)}");
+
+        if (exc.Scope.RuleNames?.Count > 0)
+        {
+            AnsiConsole.MarkupLine($"  [grey]Rules:[/] {string.Join(", ", exc.Scope.RuleNames.Select(Markup.Escape))}");
+        }
+
+        if (exc.Scope.Severities?.Count > 0)
+        {
+            AnsiConsole.MarkupLine($"  [grey]Severities:[/] {string.Join(", ", exc.Scope.Severities.Select(Markup.Escape))}");
+        }
+
+        // Justification
+        AnsiConsole.MarkupLine("");
+        AnsiConsole.MarkupLine("[bold]Justification[/]");
+        AnsiConsole.MarkupLine($"  {Markup.Escape(exc.Justification)}");
+
+        // Evidence
+        if (exc.EvidenceRefs.Count > 0)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[bold]Evidence[/]");
+            foreach (var ev in exc.EvidenceRefs)
+            {
+                AnsiConsole.MarkupLine($"  • [{Markup.Escape(ev.Type)}] {Markup.Escape(ev.Uri)}");
+                if (!string.IsNullOrWhiteSpace(ev.Digest) && verbose)
+                {
+                    AnsiConsole.MarkupLine($"    [grey]Digest: {Markup.Escape(ev.Digest)}[/]");
+                }
+            }
+        }
+
+        // Approval info
+        if (!string.IsNullOrWhiteSpace(exc.ApprovedBy) && verbose)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[bold]Approval[/]");
+            AnsiConsole.MarkupLine($"  [grey]Approved By:[/] {Markup.Escape(exc.ApprovedBy)}");
+            if (exc.ApprovedAt.HasValue)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Approved At:[/] {exc.ApprovedAt.Value:u}");
+            }
+        }
+
+        // Effect details
+        if (exc.Effect is not null && verbose)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[bold]Effect Details[/]");
+            AnsiConsole.MarkupLine($"  [grey]ID:[/] {Markup.Escape(exc.Effect.Id)}");
+            AnsiConsole.MarkupLine($"  [grey]Type:[/] {Markup.Escape(exc.Effect.EffectType)}");
+            if (!string.IsNullOrWhiteSpace(exc.Effect.Name))
+            {
+                AnsiConsole.MarkupLine($"  [grey]Name:[/] {Markup.Escape(exc.Effect.Name)}");
+            }
+            if (!string.IsNullOrWhiteSpace(exc.Effect.DowngradeSeverity))
+            {
+                AnsiConsole.MarkupLine($"  [grey]Downgrade To:[/] {Markup.Escape(exc.Effect.DowngradeSeverity)}");
+            }
+            if (exc.Effect.MaxDurationDays.HasValue)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Max Duration:[/] {exc.Effect.MaxDurationDays} days");
+            }
+        }
+
+        // Metadata
+        if (exc.Metadata?.Count > 0 && verbose)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[bold]Metadata[/]");
+            foreach (var kvp in exc.Metadata)
+            {
+                AnsiConsole.MarkupLine($"  [grey]{Markup.Escape(kvp.Key)}:[/] {Markup.Escape(kvp.Value)}");
+            }
+        }
+    }
+
+    private static string GetStatusColor(string status)
+    {
+        return status.ToLowerInvariant() switch
+        {
+            "draft" => "[grey]draft[/]",
+            "staged" => "[blue]staged[/]",
+            "active" => "[green]active[/]",
+            "expired" => "[yellow]expired[/]",
+            "revoked" => "[red]revoked[/]",
+            _ => Markup.Escape(status)
+        };
+    }
+
+    private static string Truncate(string value, int maxLength)
+    {
+        if (string.IsNullOrEmpty(value) || value.Length <= maxLength)
+            return value;
+        return value[..(maxLength - 3)] + "...";
+    }
+
+    #endregion
+
+    #region Orchestrator Commands (CLI-ORCH-32-001)
+
+    /// <summary>
+    /// Handles 'stella orch sources list' command.
+    /// </summary>
+    internal static async Task<int> HandleOrchSourcesListAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? type,
+        string? status,
+        bool? enabled,
+        string? host,
+        string? tag,
+        int pageSize,
+        string? pageToken,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IOrchestratorClient>();
+
+        var request = new SourceListRequest
+        {
+            Tenant = tenant,
+            Type = type,
+            Status = status,
+            Enabled = enabled,
+            Host = host,
+            Tag = tag,
+            PageSize = pageSize,
+            PageToken = pageToken
+        };
+
+        try
+        {
+            var response = await client.ListSourcesAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(response, JsonOutputOptions));
+                return 0;
+            }
+
+            if (response.Sources.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[yellow]No sources found matching criteria.[/]");
+                return 0;
+            }
+
+            RenderSourceList(response, verbose);
+
+            if (!string.IsNullOrWhiteSpace(response.NextPageToken))
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine($"[grey]Next page token: {Markup.Escape(response.NextPageToken)}[/]");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error listing sources: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella orch sources show' command.
+    /// </summary>
+    internal static async Task<int> HandleOrchSourcesShowAsync(
+        IServiceProvider services,
+        string sourceId,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IOrchestratorClient>();
+
+        try
+        {
+            var source = await client.GetSourceAsync(sourceId, tenant, cancellationToken);
+
+            if (source is null)
+            {
+                var error = new CliError(CliErrorCodes.OrchSourceNotFound, $"Source '{sourceId}' not found.");
+                AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Message)}[/]");
+                return error.ExitCode;
+            }
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(source, JsonOutputOptions));
+                return 0;
+            }
+
+            RenderSourceDetail(source, verbose);
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error fetching source: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    private static void RenderSourceList(SourceListResponse response, bool verbose)
+    {
+        var table = new Table();
+        table.Border = TableBorder.Rounded;
+
+        table.AddColumn("ID");
+        table.AddColumn("Name");
+        table.AddColumn("Type");
+        table.AddColumn("Host");
+        table.AddColumn("Status");
+        table.AddColumn("Last Run");
+        if (verbose)
+        {
+            table.AddColumn("Priority");
+            table.AddColumn("Success Rate");
+        }
+
+        foreach (var src in response.Sources)
+        {
+            var lastRunText = src.LastRun?.CompletedAt?.ToString("yyyy-MM-dd HH:mm") ?? "-";
+            var statusMarkup = GetSourceStatusColor(src.Status);
+
+            if (verbose)
+            {
+                var successRate = src.Metrics is not null && src.Metrics.TotalRuns > 0
+                    ? $"{(double)src.Metrics.SuccessfulRuns / src.Metrics.TotalRuns * 100:F1}%"
+                    : "-";
+
+                table.AddRow(
+                    Markup.Escape(TruncateText(src.Id, 12)),
+                    Markup.Escape(TruncateText(src.Name, 20)),
+                    Markup.Escape(src.Type),
+                    Markup.Escape(TruncateText(src.Host, 25)),
+                    statusMarkup,
+                    lastRunText,
+                    src.Priority.ToString(),
+                    successRate
+                );
+            }
+            else
+            {
+                table.AddRow(
+                    Markup.Escape(TruncateText(src.Id, 12)),
+                    Markup.Escape(TruncateText(src.Name, 20)),
+                    Markup.Escape(src.Type),
+                    Markup.Escape(TruncateText(src.Host, 25)),
+                    statusMarkup,
+                    lastRunText
+                );
+            }
+        }
+
+        AnsiConsole.Write(table);
+
+        if (response.TotalCount.HasValue)
+        {
+            AnsiConsole.MarkupLine($"[grey]Total: {response.TotalCount} sources[/]");
+        }
+    }
+
+    private static void RenderSourceDetail(OrchestratorSource src, bool verbose)
+    {
+        var panel = new Panel(new Grid()
+            .AddColumn()
+            .AddColumn()
+            .AddRow("[grey]ID:[/]", Markup.Escape(src.Id))
+            .AddRow("[grey]Name:[/]", Markup.Escape(src.Name))
+            .AddRow("[grey]Tenant:[/]", Markup.Escape(src.Tenant))
+            .AddRow("[grey]Type:[/]", Markup.Escape(src.Type))
+            .AddRow("[grey]Host:[/]", Markup.Escape(src.Host))
+            .AddRow("[grey]Status:[/]", GetSourceStatusColor(src.Status))
+            .AddRow("[grey]Enabled:[/]", src.Enabled ? "[green]Yes[/]" : "[red]No[/]")
+            .AddRow("[grey]Priority:[/]", src.Priority.ToString())
+            .AddRow("[grey]Created:[/]", src.CreatedAt.ToString("u"))
+            .AddRow("[grey]Updated:[/]", src.UpdatedAt.ToString("u")))
+        {
+            Border = BoxBorder.Rounded,
+            Header = new PanelHeader("[bold]Source Details[/]")
+        };
+
+        AnsiConsole.Write(panel);
+
+        // Pause info
+        if (!string.IsNullOrWhiteSpace(src.PausedBy) || src.PausedAt.HasValue)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[bold yellow]Pause Info[/]");
+            if (src.PausedAt.HasValue)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Paused At:[/] {src.PausedAt.Value:u}");
+            }
+            if (!string.IsNullOrWhiteSpace(src.PausedBy))
+            {
+                AnsiConsole.MarkupLine($"  [grey]Paused By:[/] {Markup.Escape(src.PausedBy)}");
+            }
+            if (!string.IsNullOrWhiteSpace(src.PauseReason))
+            {
+                AnsiConsole.MarkupLine($"  [grey]Reason:[/] {Markup.Escape(src.PauseReason)}");
+            }
+        }
+
+        // Schedule
+        if (src.Schedule is not null)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[bold]Schedule[/]");
+            if (!string.IsNullOrWhiteSpace(src.Schedule.Cron))
+            {
+                AnsiConsole.MarkupLine($"  [grey]Cron:[/] {Markup.Escape(src.Schedule.Cron)}");
+            }
+            if (src.Schedule.IntervalMinutes.HasValue)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Interval:[/] {src.Schedule.IntervalMinutes} minutes");
+            }
+            if (src.Schedule.NextRunAt.HasValue)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Next Run:[/] {src.Schedule.NextRunAt.Value:u}");
+            }
+            AnsiConsole.MarkupLine($"  [grey]Timezone:[/] {Markup.Escape(src.Schedule.Timezone)}");
+        }
+
+        // Rate limit
+        if (src.RateLimit is not null)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[bold]Rate Limit[/]");
+            AnsiConsole.MarkupLine($"  [grey]Max/min:[/] {src.RateLimit.MaxRequestsPerMinute}");
+            if (src.RateLimit.MaxRequestsPerHour.HasValue)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Max/hour:[/] {src.RateLimit.MaxRequestsPerHour}");
+            }
+            AnsiConsole.MarkupLine($"  [grey]Burst:[/] {src.RateLimit.BurstSize}");
+            if (src.RateLimit.CurrentTokens.HasValue && verbose)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Current Tokens:[/] {src.RateLimit.CurrentTokens:F2}");
+            }
+            if (src.RateLimit.ThrottledUntil.HasValue)
+            {
+                var remaining = src.RateLimit.ThrottledUntil.Value - DateTimeOffset.UtcNow;
+                var throttleColor = remaining.TotalMinutes > 5 ? "red" : "yellow";
+                AnsiConsole.MarkupLine($"  [grey]Throttled Until:[/] [{throttleColor}]{src.RateLimit.ThrottledUntil.Value:u}[/{throttleColor}]");
+            }
+        }
+
+        // Last run
+        if (src.LastRun is not null && verbose)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[bold]Last Run[/]");
+            if (!string.IsNullOrWhiteSpace(src.LastRun.RunId))
+            {
+                AnsiConsole.MarkupLine($"  [grey]Run ID:[/] {Markup.Escape(src.LastRun.RunId)}");
+            }
+            if (src.LastRun.StartedAt.HasValue)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Started:[/] {src.LastRun.StartedAt.Value:u}");
+            }
+            if (src.LastRun.CompletedAt.HasValue)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Completed:[/] {src.LastRun.CompletedAt.Value:u}");
+            }
+            if (!string.IsNullOrWhiteSpace(src.LastRun.Status))
+            {
+                var runStatusColor = src.LastRun.Status.ToLowerInvariant() switch
+                {
+                    "succeeded" or "success" => "green",
+                    "failed" or "error" => "red",
+                    "running" => "blue",
+                    _ => "grey"
+                };
+                AnsiConsole.MarkupLine($"  [grey]Status:[/] [{runStatusColor}]{Markup.Escape(src.LastRun.Status)}[/{runStatusColor}]");
+            }
+            if (src.LastRun.ItemsProcessed.HasValue)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Items Processed:[/] {src.LastRun.ItemsProcessed}");
+            }
+            if (src.LastRun.ItemsFailed.HasValue && src.LastRun.ItemsFailed > 0)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Items Failed:[/] [red]{src.LastRun.ItemsFailed}[/]");
+            }
+            if (src.LastRun.DurationMs.HasValue)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Duration:[/] {src.LastRun.DurationMs}ms");
+            }
+            if (!string.IsNullOrWhiteSpace(src.LastRun.ErrorMessage))
+            {
+                AnsiConsole.MarkupLine($"  [grey]Error:[/] [red]{Markup.Escape(src.LastRun.ErrorMessage)}[/]");
+            }
+        }
+
+        // Metrics
+        if (src.Metrics is not null && verbose)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[bold]Metrics[/]");
+            AnsiConsole.MarkupLine($"  [grey]Total Runs:[/] {src.Metrics.TotalRuns}");
+            AnsiConsole.MarkupLine($"  [grey]Successful:[/] [green]{src.Metrics.SuccessfulRuns}[/]");
+            AnsiConsole.MarkupLine($"  [grey]Failed:[/] [red]{src.Metrics.FailedRuns}[/]");
+            if (src.Metrics.TotalRuns > 0)
+            {
+                var successRate = (double)src.Metrics.SuccessfulRuns / src.Metrics.TotalRuns * 100;
+                var rateColor = successRate >= 95 ? "green" : successRate >= 80 ? "yellow" : "red";
+                AnsiConsole.MarkupLine($"  [grey]Success Rate:[/] [{rateColor}]{successRate:F1}%[/{rateColor}]");
+            }
+            if (src.Metrics.AverageDurationMs.HasValue)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Avg Duration:[/] {src.Metrics.AverageDurationMs:F0}ms");
+            }
+            if (src.Metrics.UptimePercent.HasValue)
+            {
+                var uptimeColor = src.Metrics.UptimePercent >= 99 ? "green" : src.Metrics.UptimePercent >= 95 ? "yellow" : "red";
+                AnsiConsole.MarkupLine($"  [grey]Uptime:[/] [{uptimeColor}]{src.Metrics.UptimePercent:F2}%[/{uptimeColor}]");
+            }
+        }
+
+        // Tags
+        if (src.Tags.Count > 0)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[bold]Tags[/]");
+            AnsiConsole.MarkupLine($"  {string.Join(", ", src.Tags.Select(t => $"[blue]{Markup.Escape(t)}[/]"))}");
+        }
+
+        // Metadata
+        if (src.Metadata?.Count > 0 && verbose)
+        {
+            AnsiConsole.MarkupLine("");
+            AnsiConsole.MarkupLine("[bold]Metadata[/]");
+            foreach (var kvp in src.Metadata)
+            {
+                AnsiConsole.MarkupLine($"  [grey]{Markup.Escape(kvp.Key)}:[/] {Markup.Escape(kvp.Value)}");
+            }
+        }
+    }
+
+    private static string GetSourceStatusColor(string status)
+    {
+        return status.ToLowerInvariant() switch
+        {
+            "active" => "[green]active[/]",
+            "paused" => "[yellow]paused[/]",
+            "disabled" => "[grey]disabled[/]",
+            "throttled" => "[orange1]throttled[/]",
+            "error" => "[red]error[/]",
+            _ => Markup.Escape(status)
+        };
+    }
+
+    private static string TruncateText(string value, int maxLength)
+    {
+        if (string.IsNullOrEmpty(value) || value.Length <= maxLength)
+            return value;
+        return value[..(maxLength - 3)] + "...";
+    }
+
+    /// <summary>
+    /// Handles 'stella orch sources test' command.
+    /// CLI-ORCH-33-001
+    /// </summary>
+    internal static async Task<int> HandleOrchSourcesTestAsync(
+        IServiceProvider services,
+        string sourceId,
+        string? tenant,
+        int timeout,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IOrchestratorClient>();
+
+        var request = new SourceTestRequest
+        {
+            SourceId = sourceId,
+            Tenant = tenant,
+            TimeoutSeconds = timeout
+        };
+
+        try
+        {
+            AnsiConsole.MarkupLine($"[grey]Testing source '{Markup.Escape(sourceId)}'...[/]");
+
+            var result = await client.TestSourceAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return result.Success && result.Reachable ? 0 : 17;
+            }
+
+            if (!result.Success || !result.Reachable)
+            {
+                AnsiConsole.MarkupLine($"[red]Test failed for source '{Markup.Escape(sourceId)}'[/]");
+                if (!string.IsNullOrWhiteSpace(result.ErrorMessage))
+                {
+                    AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(result.ErrorMessage)}[/]");
+                }
+                return 17;
+            }
+
+            var panel = new Panel(new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[grey]Source ID:[/]", Markup.Escape(result.SourceId))
+                .AddRow("[grey]Reachable:[/]", "[green]Yes[/]")
+                .AddRow("[grey]Latency:[/]", result.LatencyMs.HasValue ? $"{result.LatencyMs}ms" : "-")
+                .AddRow("[grey]Status Code:[/]", result.StatusCode.HasValue ? result.StatusCode.ToString()! : "-")
+                .AddRow("[grey]Tested At:[/]", result.TestedAt.ToString("u")))
+            {
+                Border = BoxBorder.Rounded,
+                Header = new PanelHeader("[bold green]Connection Test Passed[/]")
+            };
+
+            AnsiConsole.Write(panel);
+
+            if (verbose)
+            {
+                if (result.TlsValid.HasValue)
+                {
+                    AnsiConsole.MarkupLine("");
+                    AnsiConsole.MarkupLine("[bold]TLS Information[/]");
+                    AnsiConsole.MarkupLine($"  [grey]Valid:[/] {(result.TlsValid.Value ? "[green]Yes[/]" : "[red]No[/]")}");
+                    if (result.TlsExpiry.HasValue)
+                    {
+                        var remaining = result.TlsExpiry.Value - DateTimeOffset.UtcNow;
+                        var expiryColor = remaining.TotalDays > 30 ? "green" : remaining.TotalDays > 7 ? "yellow" : "red";
+                        AnsiConsole.MarkupLine($"  [grey]Expires:[/] [{expiryColor}]{result.TlsExpiry.Value:u}[/{expiryColor}] ({remaining.TotalDays:F0} days)");
+                    }
+                }
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error testing source: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella orch sources pause' command.
+    /// CLI-ORCH-33-001
+    /// </summary>
+    internal static async Task<int> HandleOrchSourcesPauseAsync(
+        IServiceProvider services,
+        string sourceId,
+        string? tenant,
+        string? reason,
+        int? durationMinutes,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IOrchestratorClient>();
+
+        var request = new SourcePauseRequest
+        {
+            SourceId = sourceId,
+            Tenant = tenant,
+            Reason = reason,
+            DurationMinutes = durationMinutes
+        };
+
+        try
+        {
+            var result = await client.PauseSourceAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return result.Success ? 0 : 17;
+            }
+
+            if (!result.Success)
+            {
+                AnsiConsole.MarkupLine("[red]Failed to pause source:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+                }
+                return 17;
+            }
+
+            AnsiConsole.MarkupLine($"[green]Source '{Markup.Escape(sourceId)}' paused successfully.[/]");
+
+            if (result.Source is not null)
+            {
+                AnsiConsole.MarkupLine($"[grey]Status:[/] {GetSourceStatusColor(result.Source.Status)}");
+                if (result.Source.PausedAt.HasValue)
+                {
+                    AnsiConsole.MarkupLine($"[grey]Paused At:[/] {result.Source.PausedAt.Value:u}");
+                }
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.AuditEventId) && verbose)
+            {
+                AnsiConsole.MarkupLine($"[grey]Audit Event:[/] {Markup.Escape(result.AuditEventId)}");
+            }
+
+            if (durationMinutes.HasValue)
+            {
+                var resumeAt = DateTimeOffset.UtcNow.AddMinutes(durationMinutes.Value);
+                AnsiConsole.MarkupLine($"[grey]Auto-resume at:[/] {resumeAt:u}");
+            }
+
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error pausing source: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella orch sources resume' command.
+    /// CLI-ORCH-33-001
+    /// </summary>
+    internal static async Task<int> HandleOrchSourcesResumeAsync(
+        IServiceProvider services,
+        string sourceId,
+        string? tenant,
+        string? reason,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IOrchestratorClient>();
+
+        var request = new SourceResumeRequest
+        {
+            SourceId = sourceId,
+            Tenant = tenant,
+            Reason = reason
+        };
+
+        try
+        {
+            var result = await client.ResumeSourceAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return result.Success ? 0 : 17;
+            }
+
+            if (!result.Success)
+            {
+                AnsiConsole.MarkupLine("[red]Failed to resume source:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+                }
+                return 17;
+            }
+
+            AnsiConsole.MarkupLine($"[green]Source '{Markup.Escape(sourceId)}' resumed successfully.[/]");
+
+            if (result.Source is not null)
+            {
+                AnsiConsole.MarkupLine($"[grey]Status:[/] {GetSourceStatusColor(result.Source.Status)}");
+                if (result.Source.Schedule?.NextRunAt.HasValue == true)
+                {
+                    AnsiConsole.MarkupLine($"[grey]Next Run:[/] {result.Source.Schedule.NextRunAt.Value:u}");
+                }
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.AuditEventId) && verbose)
+            {
+                AnsiConsole.MarkupLine($"[grey]Audit Event:[/] {Markup.Escape(result.AuditEventId)}");
+            }
+
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error resuming source: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    // CLI-ORCH-34-001: Backfill handlers
+
+    /// <summary>
+    /// Handles 'stella orch backfill start' command.
+    /// CLI-ORCH-34-001
+    /// </summary>
+    internal static async Task<int> HandleOrchBackfillStartAsync(
+        IServiceProvider services,
+        string sourceId,
+        string? tenant,
+        DateTimeOffset from,
+        DateTimeOffset to,
+        bool dryRun,
+        int priority,
+        int concurrency,
+        int batchSize,
+        bool resume,
+        string? filter,
+        bool force,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IOrchestratorClient>();
+
+        var request = new BackfillRequest
+        {
+            SourceId = sourceId,
+            Tenant = tenant,
+            From = from,
+            To = to,
+            DryRun = dryRun,
+            Priority = priority,
+            Concurrency = concurrency,
+            BatchSize = batchSize,
+            Resume = resume,
+            Filter = filter,
+            Force = force
+        };
+
+        try
+        {
+            var result = await client.StartBackfillAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return result.Success ? 0 : 17;
+            }
+
+            if (!result.Success)
+            {
+                AnsiConsole.MarkupLine("[red]Failed to start backfill:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+                }
+                return 17;
+            }
+
+            if (dryRun)
+            {
+                AnsiConsole.MarkupLine("[yellow]DRY RUN - No changes will be made[/]");
+                AnsiConsole.MarkupLine("");
+            }
+
+            var panel = new Panel(new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[grey]Backfill ID:[/]", Markup.Escape(result.BackfillId ?? "-"))
+                .AddRow("[grey]Source:[/]", Markup.Escape(sourceId))
+                .AddRow("[grey]Status:[/]", GetBackfillStatusColor(result.Status))
+                .AddRow("[grey]Period:[/]", $"{from:u} → {to:u}")
+                .AddRow("[grey]Estimated Items:[/]", result.EstimatedItems?.ToString("N0") ?? "Unknown")
+                .AddRow("[grey]Estimated Duration:[/]", FormatDuration(result.EstimatedDurationMs)))
+            {
+                Header = new PanelHeader(dryRun ? "[yellow]Backfill Preview[/]" : "[green]Backfill Started[/]"),
+                Border = BoxBorder.Rounded
+            };
+
+            AnsiConsole.Write(panel);
+
+            if (verbose)
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine($"[grey]Priority:[/] {priority}");
+                AnsiConsole.MarkupLine($"[grey]Concurrency:[/] {concurrency}");
+                AnsiConsole.MarkupLine($"[grey]Batch Size:[/] {batchSize}");
+                if (!string.IsNullOrWhiteSpace(filter))
+                {
+                    AnsiConsole.MarkupLine($"[grey]Filter:[/] {Markup.Escape(filter)}");
+                }
+                if (force)
+                {
+                    AnsiConsole.MarkupLine("[yellow]Force mode: Existing data will be overwritten[/]");
+                }
+                if (!string.IsNullOrWhiteSpace(result.AuditEventId))
+                {
+                    AnsiConsole.MarkupLine($"[grey]Audit Event:[/] {Markup.Escape(result.AuditEventId)}");
+                }
+            }
+
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+            }
+
+            if (!dryRun && !string.IsNullOrWhiteSpace(result.BackfillId))
+            {
+                AnsiConsole.MarkupLine("");
+                AnsiConsole.MarkupLine($"[grey]Monitor progress with:[/] stella orch backfill status {Markup.Escape(result.BackfillId)}");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error starting backfill: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella orch backfill status' command.
+    /// CLI-ORCH-34-001
+    /// </summary>
+    internal static async Task<int> HandleOrchBackfillStatusAsync(
+        IServiceProvider services,
+        string backfillId,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IOrchestratorClient>();
+
+        try
+        {
+            var result = await client.GetBackfillAsync(backfillId, tenant, cancellationToken);
+
+            if (result is null)
+            {
+                if (json)
+                {
+                    AnsiConsole.WriteLine(JsonSerializer.Serialize(new { error = "Backfill not found" }, JsonOutputOptions));
+                }
+                else
+                {
+                    AnsiConsole.MarkupLine($"[red]Backfill '{Markup.Escape(backfillId)}' not found.[/]");
+                }
+                return 17;
+            }
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return 0;
+            }
+
+            var progressPercent = result.EstimatedItems.HasValue && result.EstimatedItems > 0
+                ? (double)result.ProcessedItems / result.EstimatedItems.Value * 100
+                : 0;
+
+            var panel = new Panel(new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[grey]Backfill ID:[/]", Markup.Escape(result.BackfillId ?? backfillId))
+                .AddRow("[grey]Source:[/]", Markup.Escape(result.SourceId))
+                .AddRow("[grey]Status:[/]", GetBackfillStatusColor(result.Status))
+                .AddRow("[grey]Period:[/]", $"{result.From:u} → {result.To:u}")
+                .AddRow("[grey]Progress:[/]", $"{result.ProcessedItems:N0} / {(result.EstimatedItems?.ToString("N0") ?? "?")} ({progressPercent:F1}%)")
+                .AddRow("[grey]Failed:[/]", result.FailedItems > 0 ? $"[red]{result.FailedItems:N0}[/]" : "0")
+                .AddRow("[grey]Skipped:[/]", result.SkippedItems > 0 ? $"[yellow]{result.SkippedItems:N0}[/]" : "0"))
+            {
+                Header = new PanelHeader("[blue]Backfill Status[/]"),
+                Border = BoxBorder.Rounded
+            };
+
+            AnsiConsole.Write(panel);
+
+            if (verbose)
+            {
+                AnsiConsole.MarkupLine("");
+                if (result.StartedAt.HasValue)
+                {
+                    AnsiConsole.MarkupLine($"[grey]Started:[/] {result.StartedAt.Value:u}");
+                }
+                if (result.CompletedAt.HasValue)
+                {
+                    AnsiConsole.MarkupLine($"[grey]Completed:[/] {result.CompletedAt.Value:u}");
+                }
+                if (result.ActualDurationMs.HasValue)
+                {
+                    AnsiConsole.MarkupLine($"[grey]Duration:[/] {FormatDuration(result.ActualDurationMs)}");
+                }
+                else if (result.StartedAt.HasValue)
+                {
+                    var elapsed = DateTimeOffset.UtcNow - result.StartedAt.Value;
+                    AnsiConsole.MarkupLine($"[grey]Elapsed:[/] {FormatDuration((long)elapsed.TotalMilliseconds)}");
+                }
+                if (!string.IsNullOrWhiteSpace(result.AuditEventId))
+                {
+                    AnsiConsole.MarkupLine($"[grey]Audit Event:[/] {Markup.Escape(result.AuditEventId)}");
+                }
+            }
+
+            foreach (var error in result.Errors)
+            {
+                AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(error)}[/]");
+            }
+
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error getting backfill status: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella orch backfill list' command.
+    /// CLI-ORCH-34-001
+    /// </summary>
+    internal static async Task<int> HandleOrchBackfillListAsync(
+        IServiceProvider services,
+        string? sourceId,
+        string? status,
+        string? tenant,
+        int pageSize,
+        string? pageToken,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IOrchestratorClient>();
+
+        var request = new BackfillListRequest
+        {
+            SourceId = sourceId,
+            Status = status,
+            Tenant = tenant,
+            PageSize = pageSize,
+            PageToken = pageToken
+        };
+
+        try
+        {
+            var result = await client.ListBackfillsAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return 0;
+            }
+
+            if (result.Backfills.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[grey]No backfill operations found.[/]");
+                return 0;
+            }
+
+            var table = new Table();
+            table.AddColumn("ID");
+            table.AddColumn("Source");
+            table.AddColumn("Status");
+            table.AddColumn("Period");
+            table.AddColumn("Progress");
+            table.AddColumn("Started");
+
+            foreach (var backfill in result.Backfills)
+            {
+                var progressStr = backfill.EstimatedItems.HasValue && backfill.EstimatedItems > 0
+                    ? $"{(double)backfill.ProcessedItems / backfill.EstimatedItems.Value * 100:F0}%"
+                    : $"{backfill.ProcessedItems:N0}";
+
+                table.AddRow(
+                    Markup.Escape(backfill.BackfillId ?? "-"),
+                    Markup.Escape(backfill.SourceId),
+                    GetBackfillStatusColor(backfill.Status),
+                    $"{backfill.From:yyyy-MM-dd} → {backfill.To:yyyy-MM-dd}",
+                    progressStr,
+                    backfill.StartedAt?.ToString("u") ?? "-"
+                );
+            }
+
+            AnsiConsole.Write(table);
+
+            if (result.TotalCount.HasValue)
+            {
+                AnsiConsole.MarkupLine($"[grey]Showing {result.Backfills.Count} of {result.TotalCount} backfills[/]");
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.NextPageToken))
+            {
+                AnsiConsole.MarkupLine($"[grey]More results available. Use --page-token {Markup.Escape(result.NextPageToken)}[/]");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error listing backfills: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella orch backfill cancel' command.
+    /// CLI-ORCH-34-001
+    /// </summary>
+    internal static async Task<int> HandleOrchBackfillCancelAsync(
+        IServiceProvider services,
+        string backfillId,
+        string? tenant,
+        string? reason,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IOrchestratorClient>();
+
+        var request = new BackfillCancelRequest
+        {
+            BackfillId = backfillId,
+            Tenant = tenant,
+            Reason = reason
+        };
+
+        try
+        {
+            var result = await client.CancelBackfillAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return result.Success ? 0 : 17;
+            }
+
+            if (!result.Success)
+            {
+                AnsiConsole.MarkupLine("[red]Failed to cancel backfill:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+                }
+                return 17;
+            }
+
+            AnsiConsole.MarkupLine($"[green]Backfill '{Markup.Escape(backfillId)}' cancelled successfully.[/]");
+
+            if (!string.IsNullOrWhiteSpace(result.AuditEventId) && verbose)
+            {
+                AnsiConsole.MarkupLine($"[grey]Audit Event:[/] {Markup.Escape(result.AuditEventId)}");
+            }
+
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error cancelling backfill: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    // CLI-ORCH-34-001: Quota handlers
+
+    /// <summary>
+    /// Handles 'stella orch quotas get' command.
+    /// CLI-ORCH-34-001
+    /// </summary>
+    internal static async Task<int> HandleOrchQuotasGetAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? sourceId,
+        string? resourceType,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IOrchestratorClient>();
+
+        var request = new QuotaGetRequest
+        {
+            Tenant = tenant,
+            SourceId = sourceId,
+            ResourceType = resourceType
+        };
+
+        try
+        {
+            var result = await client.GetQuotasAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return 0;
+            }
+
+            if (result.Quotas.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[grey]No quotas configured.[/]");
+                return 0;
+            }
+
+            var table = new Table();
+            table.AddColumn("Tenant");
+            table.AddColumn("Resource");
+            table.AddColumn("Used");
+            table.AddColumn("Limit");
+            table.AddColumn("Remaining");
+            table.AddColumn("Period");
+            table.AddColumn("Status");
+
+            foreach (var quota in result.Quotas)
+            {
+                var usagePercent = quota.Limit > 0 ? (double)quota.Used / quota.Limit * 100 : 0;
+                var statusColor = quota.IsExceeded ? "[red]EXCEEDED[/]"
+                    : quota.IsWarning ? "[yellow]WARNING[/]"
+                    : "[green]OK[/]";
+
+                var usedFormatted = FormatQuotaValue(quota.Used, quota.ResourceType);
+                var limitFormatted = FormatQuotaValue(quota.Limit, quota.ResourceType);
+                var remainingFormatted = FormatQuotaValue(quota.Remaining, quota.ResourceType);
+
+                table.AddRow(
+                    Markup.Escape(quota.Tenant),
+                    Markup.Escape(quota.ResourceType),
+                    $"{usedFormatted} ({usagePercent:F1}%)",
+                    limitFormatted,
+                    remainingFormatted,
+                    Markup.Escape(quota.Period),
+                    statusColor
+                );
+            }
+
+            AnsiConsole.Write(table);
+
+            if (verbose)
+            {
+                AnsiConsole.MarkupLine("");
+                foreach (var quota in result.Quotas.Where(q => q.IsWarning || q.IsExceeded))
+                {
+                    if (quota.IsExceeded)
+                    {
+                        AnsiConsole.MarkupLine($"[red]EXCEEDED:[/] {Markup.Escape(quota.ResourceType)} - Resets at {quota.ResetAt:u}");
+                    }
+                    else if (quota.IsWarning)
+                    {
+                        AnsiConsole.MarkupLine($"[yellow]WARNING:[/] {Markup.Escape(quota.ResourceType)} at {(double)quota.Used / quota.Limit * 100:F1}% of limit");
+                    }
+                }
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error getting quotas: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella orch quotas set' command.
+    /// CLI-ORCH-34-001
+    /// </summary>
+    internal static async Task<int> HandleOrchQuotasSetAsync(
+        IServiceProvider services,
+        string tenant,
+        string? sourceId,
+        string resourceType,
+        long limit,
+        string period,
+        double warningThreshold,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IOrchestratorClient>();
+
+        var request = new QuotaSetRequest
+        {
+            Tenant = tenant,
+            SourceId = sourceId,
+            ResourceType = resourceType,
+            Limit = limit,
+            Period = period,
+            WarningThreshold = warningThreshold
+        };
+
+        try
+        {
+            var result = await client.SetQuotaAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return result.Success ? 0 : 17;
+            }
+
+            if (!result.Success)
+            {
+                AnsiConsole.MarkupLine("[red]Failed to set quota:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+                }
+                return 17;
+            }
+
+            AnsiConsole.MarkupLine($"[green]Quota set successfully.[/]");
+
+            if (result.Quota is not null)
+            {
+                AnsiConsole.MarkupLine($"[grey]Tenant:[/] {Markup.Escape(result.Quota.Tenant)}");
+                AnsiConsole.MarkupLine($"[grey]Resource:[/] {Markup.Escape(result.Quota.ResourceType)}");
+                AnsiConsole.MarkupLine($"[grey]Limit:[/] {FormatQuotaValue(result.Quota.Limit, result.Quota.ResourceType)}");
+                AnsiConsole.MarkupLine($"[grey]Period:[/] {Markup.Escape(result.Quota.Period)}");
+                AnsiConsole.MarkupLine($"[grey]Warning Threshold:[/] {result.Quota.WarningThreshold * 100:F0}%");
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.AuditEventId) && verbose)
+            {
+                AnsiConsole.MarkupLine($"[grey]Audit Event:[/] {Markup.Escape(result.AuditEventId)}");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error setting quota: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    /// <summary>
+    /// Handles 'stella orch quotas reset' command.
+    /// CLI-ORCH-34-001
+    /// </summary>
+    internal static async Task<int> HandleOrchQuotasResetAsync(
+        IServiceProvider services,
+        string tenant,
+        string? sourceId,
+        string resourceType,
+        string? reason,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<IOrchestratorClient>();
+
+        var request = new QuotaResetRequest
+        {
+            Tenant = tenant,
+            SourceId = sourceId,
+            ResourceType = resourceType,
+            Reason = reason
+        };
+
+        try
+        {
+            var result = await client.ResetQuotaAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return result.Success ? 0 : 17;
+            }
+
+            if (!result.Success)
+            {
+                AnsiConsole.MarkupLine("[red]Failed to reset quota:[/]");
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+                }
+                return 17;
+            }
+
+            AnsiConsole.MarkupLine($"[green]Quota usage reset successfully.[/]");
+
+            if (result.Quota is not null)
+            {
+                AnsiConsole.MarkupLine($"[grey]Tenant:[/] {Markup.Escape(result.Quota.Tenant)}");
+                AnsiConsole.MarkupLine($"[grey]Resource:[/] {Markup.Escape(result.Quota.ResourceType)}");
+                AnsiConsole.MarkupLine($"[grey]New Usage:[/] {FormatQuotaValue(result.Quota.Used, result.Quota.ResourceType)}");
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.AuditEventId) && verbose)
+            {
+                AnsiConsole.MarkupLine($"[grey]Audit Event:[/] {Markup.Escape(result.AuditEventId)}");
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error resetting quota: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    private static string GetBackfillStatusColor(string status)
+    {
+        return status.ToLowerInvariant() switch
+        {
+            "pending" => "[yellow]pending[/]",
+            "running" => "[blue]running[/]",
+            "completed" => "[green]completed[/]",
+            "failed" => "[red]failed[/]",
+            "cancelled" => "[grey]cancelled[/]",
+            "dry_run" => "[cyan]dry_run[/]",
+            _ => Markup.Escape(status)
+        };
+    }
+
+    private static string FormatDuration(long? milliseconds)
+    {
+        if (!milliseconds.HasValue)
+            return "Unknown";
+
+        var ts = TimeSpan.FromMilliseconds(milliseconds.Value);
+        if (ts.TotalDays >= 1)
+            return $"{ts.TotalDays:F1} days";
+        if (ts.TotalHours >= 1)
+            return $"{ts.TotalHours:F1} hours";
+        if (ts.TotalMinutes >= 1)
+            return $"{ts.TotalMinutes:F1} minutes";
+        return $"{ts.TotalSeconds:F1} seconds";
+    }
+
+    private static string FormatQuotaValue(long value, string resourceType)
+    {
+        return resourceType.ToLowerInvariant() switch
+        {
+            "data_ingested_bytes" or "storage_bytes" => FormatBytes(value),
+            _ => value.ToString("N0")
+        };
+    }
+
+    private static string FormatBytes(long bytes)
+    {
+        string[] sizes = { "B", "KB", "MB", "GB", "TB" };
+        double len = bytes;
+        int order = 0;
+        while (len >= 1024 && order < sizes.Length - 1)
+        {
+            order++;
+            len = len / 1024;
+        }
+        return $"{len:F1} {sizes[order]}";
+    }
+
+    #endregion
+
+    #region CLI-PARITY-41-001: SBOM Commands
+
+    internal static async Task<int> HandleSbomListAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? imageRef,
+        string? digest,
+        string? format,
+        DateTimeOffset? createdAfter,
+        DateTimeOffset? createdBefore,
+        bool? hasVulnerabilities,
+        int limit,
+        int? offset,
+        string? cursor,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<ISbomClient>();
+
+        var request = new SbomListRequest
+        {
+            Tenant = tenant,
+            ImageRef = imageRef,
+            Digest = digest,
+            Format = format,
+            CreatedAfter = createdAfter,
+            CreatedBefore = createdBefore,
+            HasVulnerabilities = hasVulnerabilities,
+            Limit = limit,
+            Offset = offset,
+            Cursor = cursor
+        };
+
+        try
+        {
+            var response = await client.ListAsync(request, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(response, JsonOutputOptions));
+                return 0;
+            }
+
+            if (response.Items.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[yellow]No SBOMs found matching the criteria.[/]");
+                return 0;
+            }
+
+            var table = new Table()
+                .Border(TableBorder.Rounded)
+                .AddColumn("SBOM ID")
+                .AddColumn("Image")
+                .AddColumn("Format")
+                .AddColumn("Components")
+                .AddColumn("Vulns")
+                .AddColumn("Det. Score")
+                .AddColumn("Created");
+
+            foreach (var sbom in response.Items)
+            {
+                var detScore = sbom.DeterminismScore.HasValue
+                    ? $"{sbom.DeterminismScore.Value:P0}"
+                    : "-";
+                var detColor = sbom.DeterminismScore switch
+                {
+                    >= 0.95 => "green",
+                    >= 0.80 => "yellow",
+                    _ => "red"
+                };
+
+                table.AddRow(
+                    Markup.Escape(sbom.SbomId),
+                    Markup.Escape(sbom.ImageRef ?? "-"),
+                    Markup.Escape(sbom.Format),
+                    sbom.ComponentCount.ToString(),
+                    GetVulnCountMarkup(sbom.VulnerabilityCount),
+                    $"[{detColor}]{detScore}[/]",
+                    sbom.CreatedAt.ToString("yyyy-MM-dd HH:mm"));
+            }
+
+            AnsiConsole.Write(table);
+
+            if (verbose)
+            {
+                AnsiConsole.MarkupLine($"[grey]Total: {response.Total} | Showing: {response.Items.Count} | Has more: {response.HasMore}[/]");
+                if (!string.IsNullOrWhiteSpace(response.NextCursor))
+                {
+                    AnsiConsole.MarkupLine($"[grey]Next cursor: {Markup.Escape(response.NextCursor)}[/]");
+                }
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error listing SBOMs: {Markup.Escape(error.Message)}[/]");
+            return 18;
+        }
+    }
+
+    internal static async Task<int> HandleSbomShowAsync(
+        IServiceProvider services,
+        string sbomId,
+        string? tenant,
+        bool includeComponents,
+        bool includeVulnerabilities,
+        bool includeLicenses,
+        bool explain,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<ISbomClient>();
+
+        try
+        {
+            var sbom = await client.GetAsync(
+                sbomId,
+                tenant,
+                includeComponents,
+                includeVulnerabilities,
+                includeLicenses,
+                explain,
+                cancellationToken);
+
+            if (sbom is null)
+            {
+                AnsiConsole.MarkupLine($"[red]SBOM '{Markup.Escape(sbomId)}' not found.[/]");
+                return 18;
+            }
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(sbom, JsonOutputOptions));
+                return 0;
+            }
+
+            // Header panel
+            var headerGrid = new Grid()
+                .AddColumn()
+                .AddColumn();
+
+            headerGrid.AddRow("[grey]SBOM ID:[/]", Markup.Escape(sbom.SbomId));
+            if (!string.IsNullOrWhiteSpace(sbom.ImageRef))
+                headerGrid.AddRow("[grey]Image:[/]", Markup.Escape(sbom.ImageRef));
+            if (!string.IsNullOrWhiteSpace(sbom.Digest))
+                headerGrid.AddRow("[grey]Digest:[/]", Markup.Escape(sbom.Digest));
+            headerGrid.AddRow("[grey]Format:[/]", $"{Markup.Escape(sbom.Format)} {Markup.Escape(sbom.FormatVersion ?? "")}");
+            headerGrid.AddRow("[grey]Created:[/]", sbom.CreatedAt.ToString("yyyy-MM-dd HH:mm:ss") + " UTC");
+            headerGrid.AddRow("[grey]Components:[/]", sbom.ComponentCount.ToString());
+            headerGrid.AddRow("[grey]Vulnerabilities:[/]", GetVulnCountMarkup(sbom.VulnerabilityCount));
+            headerGrid.AddRow("[grey]Licenses:[/]", sbom.LicensesDetected.ToString());
+
+            if (sbom.DeterminismScore.HasValue)
+            {
+                var detColor = sbom.DeterminismScore.Value switch
+                {
+                    >= 0.95 => "green",
+                    >= 0.80 => "yellow",
+                    _ => "red"
+                };
+                headerGrid.AddRow("[grey]Determinism:[/]", $"[{detColor}]{sbom.DeterminismScore.Value:P1}[/]");
+            }
+
+            AnsiConsole.Write(new Panel(headerGrid).Header("SBOM Details").Border(BoxBorder.Rounded));
+
+            // Attestation info
+            if (sbom.Attestation is not null)
+            {
+                var attGrid = new Grid()
+                    .AddColumn()
+                    .AddColumn();
+
+                attGrid.AddRow("[grey]Signed:[/]", sbom.Attestation.Signed ? "[green]Yes[/]" : "[yellow]No[/]");
+                if (!string.IsNullOrWhiteSpace(sbom.Attestation.SignatureAlgorithm))
+                    attGrid.AddRow("[grey]Algorithm:[/]", Markup.Escape(sbom.Attestation.SignatureAlgorithm));
+                if (sbom.Attestation.SignedAt.HasValue)
+                    attGrid.AddRow("[grey]Signed At:[/]", sbom.Attestation.SignedAt.Value.ToString("yyyy-MM-dd HH:mm:ss") + " UTC");
+                if (sbom.Attestation.RekorLogIndex.HasValue)
+                    attGrid.AddRow("[grey]Rekor Index:[/]", sbom.Attestation.RekorLogIndex.Value.ToString());
+                if (!string.IsNullOrWhiteSpace(sbom.Attestation.CertificateSubject))
+                    attGrid.AddRow("[grey]Cert Subject:[/]", Markup.Escape(sbom.Attestation.CertificateSubject));
+
+                AnsiConsole.Write(new Panel(attGrid).Header("Attestation").Border(BoxBorder.Rounded));
+            }
+
+            // Components table
+            if (includeComponents && sbom.Components is { Count: > 0 })
+            {
+                var compTable = new Table()
+                    .Border(TableBorder.Simple)
+                    .AddColumn("Name")
+                    .AddColumn("Version")
+                    .AddColumn("Type")
+                    .AddColumn("Licenses");
+
+                foreach (var comp in sbom.Components.Take(verbose ? 100 : 25))
+                {
+                    compTable.AddRow(
+                        Markup.Escape(comp.Name),
+                        Markup.Escape(comp.Version ?? "-"),
+                        Markup.Escape(comp.Type ?? "-"),
+                        Markup.Escape(string.Join(", ", comp.Licenses ?? [])));
+                }
+
+                if (sbom.Components.Count > (verbose ? 100 : 25))
+                {
+                    compTable.AddRow($"[grey]... and {sbom.Components.Count - (verbose ? 100 : 25)} more[/]", "", "", "");
+                }
+
+                AnsiConsole.Write(new Panel(compTable).Header($"Components ({sbom.Components.Count})").Border(BoxBorder.Rounded));
+            }
+
+            // Vulnerabilities table
+            if (includeVulnerabilities && sbom.Vulnerabilities is { Count: > 0 })
+            {
+                var vulnTable = new Table()
+                    .Border(TableBorder.Simple)
+                    .AddColumn("CVE")
+                    .AddColumn("Severity")
+                    .AddColumn("Score")
+                    .AddColumn("Component")
+                    .AddColumn("VEX Status");
+
+                foreach (var vuln in sbom.Vulnerabilities.Take(verbose ? 50 : 20))
+                {
+                    vulnTable.AddRow(
+                        Markup.Escape(vuln.VulnerabilityId),
+                        GetSeverityMarkup(vuln.Severity),
+                        vuln.Score?.ToString("F1") ?? "-",
+                        Markup.Escape(vuln.AffectedComponent ?? "-"),
+                        GetVexStatusMarkup(vuln.VexStatus));
+                }
+
+                if (sbom.Vulnerabilities.Count > (verbose ? 50 : 20))
+                {
+                    vulnTable.AddRow($"[grey]... and {sbom.Vulnerabilities.Count - (verbose ? 50 : 20)} more[/]", "", "", "", "");
+                }
+
+                AnsiConsole.Write(new Panel(vulnTable).Header($"Vulnerabilities ({sbom.Vulnerabilities.Count})").Border(BoxBorder.Rounded));
+            }
+
+            // Licenses table
+            if (includeLicenses && sbom.Licenses is { Count: > 0 })
+            {
+                var licTable = new Table()
+                    .Border(TableBorder.Simple)
+                    .AddColumn("License")
+                    .AddColumn("ID")
+                    .AddColumn("Components");
+
+                foreach (var lic in sbom.Licenses.OrderByDescending(l => l.ComponentCount).Take(20))
+                {
+                    licTable.AddRow(
+                        Markup.Escape(lic.Name),
+                        Markup.Escape(lic.Id ?? "-"),
+                        lic.ComponentCount.ToString());
+                }
+
+                AnsiConsole.Write(new Panel(licTable).Header($"Licenses ({sbom.Licenses.Count} unique)").Border(BoxBorder.Rounded));
+            }
+
+            // Explain panel
+            if (explain && sbom.Explain is not null)
+            {
+                if (sbom.Explain.DeterminismFactors is { Count: > 0 })
+                {
+                    var factorTable = new Table()
+                        .Border(TableBorder.Simple)
+                        .AddColumn("Factor")
+                        .AddColumn("Impact")
+                        .AddColumn("Score")
+                        .AddColumn("Details");
+
+                    foreach (var factor in sbom.Explain.DeterminismFactors)
+                    {
+                        var impactColor = factor.Impact.ToLowerInvariant() switch
+                        {
+                            "positive" => "green",
+                            "negative" => "red",
+                            _ => "yellow"
+                        };
+
+                        factorTable.AddRow(
+                            Markup.Escape(factor.Factor),
+                            $"[{impactColor}]{Markup.Escape(factor.Impact)}[/]",
+                            $"{factor.Score:F2}",
+                            Markup.Escape(factor.Details ?? "-"));
+                    }
+
+                    AnsiConsole.Write(new Panel(factorTable).Header("Determinism Factors").Border(BoxBorder.Rounded));
+                }
+
+                if (sbom.Explain.CompositionPath is { Count: > 0 })
+                {
+                    var pathTable = new Table()
+                        .Border(TableBorder.Simple)
+                        .AddColumn("Step")
+                        .AddColumn("Operation")
+                        .AddColumn("Input")
+                        .AddColumn("Digest");
+
+                    foreach (var step in sbom.Explain.CompositionPath)
+                    {
+                        pathTable.AddRow(
+                            step.Step.ToString(),
+                            Markup.Escape(step.Operation),
+                            Markup.Escape(step.Input ?? "-"),
+                            Markup.Escape(step.Digest?[..16] ?? "-"));
+                    }
+
+                    AnsiConsole.Write(new Panel(pathTable).Header("Composition Path").Border(BoxBorder.Rounded));
+                }
+
+                if (sbom.Explain.Warnings is { Count: > 0 })
+                {
+                    AnsiConsole.MarkupLine("[yellow]Warnings:[/]");
+                    foreach (var warning in sbom.Explain.Warnings)
+                    {
+                        AnsiConsole.MarkupLine($"  [yellow]• {Markup.Escape(warning)}[/]");
+                    }
+                }
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error getting SBOM: {Markup.Escape(error.Message)}[/]");
+            return 18;
+        }
+    }
+
+    internal static async Task<int> HandleSbomCompareAsync(
+        IServiceProvider services,
+        string baseSbomId,
+        string targetSbomId,
+        string? tenant,
+        bool includeUnchanged,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<ISbomClient>();
+
+        var request = new SbomCompareRequest
+        {
+            Tenant = tenant,
+            BaseSbomId = baseSbomId,
+            TargetSbomId = targetSbomId,
+            IncludeUnchanged = includeUnchanged
+        };
+
+        try
+        {
+            var result = await client.CompareAsync(request, cancellationToken);
+
+            if (result is null)
+            {
+                AnsiConsole.MarkupLine("[red]Failed to compare SBOMs. One or both SBOMs may not exist.[/]");
+                return 18;
+            }
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOutputOptions));
+                return 0;
+            }
+
+            // Summary panel
+            var summaryGrid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddColumn();
+
+            summaryGrid.AddRow("[grey]Base SBOM:[/]", Markup.Escape(result.BaseSbomId), "");
+            summaryGrid.AddRow("[grey]Target SBOM:[/]", Markup.Escape(result.TargetSbomId), "");
+            summaryGrid.AddRow("", "", "");
+            summaryGrid.AddRow("[grey]Components:[/]",
+                $"[green]+{result.Summary.ComponentsAdded}[/]",
+                $"[red]-{result.Summary.ComponentsRemoved}[/]");
+            summaryGrid.AddRow("[grey]Modified:[/]", $"[yellow]~{result.Summary.ComponentsModified}[/]",
+                includeUnchanged ? $"[grey]={result.Summary.ComponentsUnchanged}[/]" : "");
+            summaryGrid.AddRow("[grey]Vulnerabilities:[/]",
+                $"[red]+{result.Summary.VulnerabilitiesAdded}[/]",
+                $"[green]-{result.Summary.VulnerabilitiesRemoved}[/]");
+            summaryGrid.AddRow("[grey]Licenses:[/]",
+                $"[blue]+{result.Summary.LicensesAdded}[/]",
+                $"[blue]-{result.Summary.LicensesRemoved}[/]");
+
+            AnsiConsole.Write(new Panel(summaryGrid).Header("Comparison Summary").Border(BoxBorder.Rounded));
+
+            // Component changes
+            if (result.ComponentChanges is { Count: > 0 })
+            {
+                var compTable = new Table()
+                    .Border(TableBorder.Simple)
+                    .AddColumn("Change")
+                    .AddColumn("Component")
+                    .AddColumn("Base Version")
+                    .AddColumn("Target Version");
+
+                foreach (var change in result.ComponentChanges.Take(verbose ? 100 : 30))
+                {
+                    var changeColor = change.ChangeType.ToLowerInvariant() switch
+                    {
+                        "added" => "green",
+                        "removed" => "red",
+                        "modified" => "yellow",
+                        _ => "grey"
+                    };
+
+                    compTable.AddRow(
+                        $"[{changeColor}]{Markup.Escape(change.ChangeType)}[/]",
+                        Markup.Escape(change.ComponentName),
+                        Markup.Escape(change.BaseVersion ?? "-"),
+                        Markup.Escape(change.TargetVersion ?? "-"));
+                }
+
+                if (result.ComponentChanges.Count > (verbose ? 100 : 30))
+                {
+                    compTable.AddRow($"[grey]... and {result.ComponentChanges.Count - (verbose ? 100 : 30)} more[/]", "", "", "");
+                }
+
+                AnsiConsole.Write(new Panel(compTable).Header($"Component Changes ({result.ComponentChanges.Count})").Border(BoxBorder.Rounded));
+            }
+
+            // Vulnerability changes
+            if (result.VulnerabilityChanges is { Count: > 0 })
+            {
+                var vulnTable = new Table()
+                    .Border(TableBorder.Simple)
+                    .AddColumn("Change")
+                    .AddColumn("CVE")
+                    .AddColumn("Severity")
+                    .AddColumn("Component")
+                    .AddColumn("Reason");
+
+                foreach (var change in result.VulnerabilityChanges.Take(verbose ? 50 : 20))
+                {
+                    var changeColor = change.ChangeType.ToLowerInvariant() switch
+                    {
+                        "added" => "red",
+                        "removed" => "green",
+                        _ => "yellow"
+                    };
+
+                    vulnTable.AddRow(
+                        $"[{changeColor}]{Markup.Escape(change.ChangeType)}[/]",
+                        Markup.Escape(change.VulnerabilityId),
+                        GetSeverityMarkup(change.Severity),
+                        Markup.Escape(change.AffectedComponent ?? "-"),
+                        Markup.Escape(change.Reason ?? "-"));
+                }
+
+                if (result.VulnerabilityChanges.Count > (verbose ? 50 : 20))
+                {
+                    vulnTable.AddRow($"[grey]... and {result.VulnerabilityChanges.Count - (verbose ? 50 : 20)} more[/]", "", "", "", "");
+                }
+
+                AnsiConsole.Write(new Panel(vulnTable).Header($"Vulnerability Changes ({result.VulnerabilityChanges.Count})").Border(BoxBorder.Rounded));
+            }
+
+            // License changes
+            if (result.LicenseChanges is { Count: > 0 })
+            {
+                var licTable = new Table()
+                    .Border(TableBorder.Simple)
+                    .AddColumn("Change")
+                    .AddColumn("License")
+                    .AddColumn("Components");
+
+                foreach (var change in result.LicenseChanges)
+                {
+                    var changeColor = change.ChangeType.ToLowerInvariant() switch
+                    {
+                        "added" => "blue",
+                        "removed" => "grey",
+                        _ => "yellow"
+                    };
+
+                    licTable.AddRow(
+                        $"[{changeColor}]{Markup.Escape(change.ChangeType)}[/]",
+                        Markup.Escape(change.LicenseName),
+                        change.ComponentCount.ToString());
+                }
+
+                AnsiConsole.Write(new Panel(licTable).Header($"License Changes ({result.LicenseChanges.Count})").Border(BoxBorder.Rounded));
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error comparing SBOMs: {Markup.Escape(error.Message)}[/]");
+            return 18;
+        }
+    }
+
+    internal static async Task<int> HandleSbomExportAsync(
+        IServiceProvider services,
+        string sbomId,
+        string? tenant,
+        string format,
+        string? formatVersion,
+        string? output,
+        bool signed,
+        bool includeVex,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<ISbomClient>();
+
+        var request = new SbomExportRequest
+        {
+            Tenant = tenant,
+            SbomId = sbomId,
+            Format = format,
+            FormatVersion = formatVersion,
+            Signed = signed,
+            IncludeVex = includeVex
+        };
+
+        try
+        {
+            var (contentStream, result) = await client.ExportAsync(request, cancellationToken);
+
+            if (result is null || !result.Success)
+            {
+                AnsiConsole.MarkupLine("[red]Failed to export SBOM:[/]");
+                if (result?.Errors is not null)
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"  [red]• {Markup.Escape(error)}[/]");
+                    }
+                }
+                return 18;
+            }
+
+            if (!string.IsNullOrWhiteSpace(output))
+            {
+                // Write to file
+                await using var fileStream = File.Create(output);
+                await contentStream.CopyToAsync(fileStream, cancellationToken);
+
+                AnsiConsole.MarkupLine($"[green]SBOM exported successfully to: {Markup.Escape(output)}[/]");
+
+                if (verbose)
+                {
+                    AnsiConsole.MarkupLine($"[grey]Format:[/] {Markup.Escape(result.Format)}");
+                    if (result.Signed)
+                    {
+                        AnsiConsole.MarkupLine($"[grey]Signed:[/] [green]Yes[/]");
+                        if (!string.IsNullOrWhiteSpace(result.SignatureKeyId))
+                            AnsiConsole.MarkupLine($"[grey]Key ID:[/] {Markup.Escape(result.SignatureKeyId)}");
+                    }
+                    if (!string.IsNullOrWhiteSpace(result.Digest))
+                        AnsiConsole.MarkupLine($"[grey]Digest:[/] {Markup.Escape(result.DigestAlgorithm ?? "sha256")}:{Markup.Escape(result.Digest)}");
+                }
+            }
+            else
+            {
+                // Write to stdout
+                using var reader = new StreamReader(contentStream);
+                var content = await reader.ReadToEndAsync(cancellationToken);
+                Console.Write(content);
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error exporting SBOM: {Markup.Escape(error.Message)}[/]");
+            return 18;
+        }
+    }
+
+    internal static async Task<int> HandleSbomParityMatrixAsync(
+        IServiceProvider services,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        var client = services.GetRequiredService<ISbomClient>();
+
+        try
+        {
+            var response = await client.GetParityMatrixAsync(tenant, cancellationToken);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(response, JsonOutputOptions));
+                return 0;
+            }
+
+            // Summary panel
+            var summaryGrid = new Grid()
+                .AddColumn()
+                .AddColumn();
+
+            summaryGrid.AddRow("[grey]Total Commands:[/]", response.Summary.TotalCommands.ToString());
+            summaryGrid.AddRow("[grey]Full Parity:[/]", $"[green]{response.Summary.FullParity}[/]");
+            summaryGrid.AddRow("[grey]Partial Parity:[/]", $"[yellow]{response.Summary.PartialParity}[/]");
+            summaryGrid.AddRow("[grey]No Parity:[/]", $"[red]{response.Summary.NoParity}[/]");
+            summaryGrid.AddRow("[grey]Deterministic:[/]", response.Summary.DeterministicCommands.ToString());
+            summaryGrid.AddRow("[grey]--explain Support:[/]", response.Summary.ExplainEnabledCommands.ToString());
+            summaryGrid.AddRow("[grey]Offline Capable:[/]", response.Summary.OfflineCapableCommands.ToString());
+            if (!string.IsNullOrWhiteSpace(response.CliVersion))
+                summaryGrid.AddRow("[grey]CLI Version:[/]", Markup.Escape(response.CliVersion));
+            summaryGrid.AddRow("[grey]Generated:[/]", response.GeneratedAt.ToString("yyyy-MM-dd HH:mm:ss") + " UTC");
+
+            AnsiConsole.Write(new Panel(summaryGrid).Header("CLI Parity Matrix Summary").Border(BoxBorder.Rounded));
+
+            // Commands table
+            if (response.Entries.Count > 0)
+            {
+                var table = new Table()
+                    .Border(TableBorder.Rounded)
+                    .AddColumn("Command Group")
+                    .AddColumn("Command")
+                    .AddColumn("CLI Support")
+                    .AddColumn("Det.")
+                    .AddColumn("Explain")
+                    .AddColumn("Offline");
+
+                foreach (var entry in response.Entries.OrderBy(e => e.CommandGroup).ThenBy(e => e.Command))
+                {
+                    var supportColor = entry.CliSupport.ToLowerInvariant() switch
+                    {
+                        "full" => "green",
+                        "partial" => "yellow",
+                        "none" => "red",
+                        _ => "grey"
+                    };
+
+                    table.AddRow(
+                        Markup.Escape(entry.CommandGroup),
+                        Markup.Escape(entry.Command),
+                        $"[{supportColor}]{Markup.Escape(entry.CliSupport)}[/]",
+                        entry.Deterministic ? "[green]✓[/]" : "[grey]-[/]",
+                        entry.ExplainSupport ? "[green]✓[/]" : "[grey]-[/]",
+                        entry.OfflineSupport ? "[green]✓[/]" : "[grey]-[/]");
+                }
+
+                AnsiConsole.Write(table);
+
+                if (verbose)
+                {
+                    // Show notes for entries with notes
+                    var entriesWithNotes = response.Entries.Where(e => !string.IsNullOrWhiteSpace(e.Notes)).ToList();
+                    if (entriesWithNotes.Count > 0)
+                    {
+                        AnsiConsole.WriteLine();
+                        AnsiConsole.MarkupLine("[grey]Notes:[/]");
+                        foreach (var entry in entriesWithNotes)
+                        {
+                            AnsiConsole.MarkupLine($"  [grey]{Markup.Escape(entry.CommandGroup)} {Markup.Escape(entry.Command)}:[/] {Markup.Escape(entry.Notes!)}");
+                        }
+                    }
+                }
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromException(ex);
+            AnsiConsole.MarkupLine($"[red]Error getting parity matrix: {Markup.Escape(error.Message)}[/]");
+            return 18;
+        }
+    }
+
+    private static string GetVulnCountMarkup(int count)
+    {
+        return count switch
+        {
+            0 => "[green]0[/]",
+            <= 5 => $"[yellow]{count}[/]",
+            _ => $"[red]{count}[/]"
+        };
+    }
+
+    private static string GetSeverityMarkup(string? severity)
+    {
+        if (string.IsNullOrWhiteSpace(severity))
+            return "[grey]-[/]";
+
+        return severity.ToLowerInvariant() switch
+        {
+            "critical" => "[red]CRITICAL[/]",
+            "high" => "[red]HIGH[/]",
+            "medium" => "[yellow]MEDIUM[/]",
+            "low" => "[blue]LOW[/]",
+            "none" or "informational" => "[grey]NONE[/]",
+            _ => Markup.Escape(severity)
+        };
+    }
+
+    private static string GetVexStatusMarkup(string? status)
+    {
+        if (string.IsNullOrWhiteSpace(status))
+            return "[grey]-[/]";
+
+        return status.ToLowerInvariant() switch
+        {
+            "affected" => "[red]affected[/]",
+            "not_affected" => "[green]not_affected[/]",
+            "fixed" => "[green]fixed[/]",
+            "under_investigation" => "[yellow]investigating[/]",
+            _ => Markup.Escape(status)
+        };
+    }
+
+    #endregion
+
+    #region Notify Handlers (CLI-PARITY-41-002)
+
+    internal static async Task<int> HandleNotifyChannelsListAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? channelType,
+        bool? enabled,
+        int? limit,
+        string? cursor,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<INotifyClient>();
+
+        try
+        {
+            var request = new NotifyChannelListRequest
+            {
+                Tenant = tenant,
+                Type = channelType,
+                Enabled = enabled,
+                Limit = limit,
+                Cursor = cursor
+            };
+
+            var response = await client.ListChannelsAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(response, JsonOptions));
+                return 0;
+            }
+
+            if (response.Items.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[yellow]No notification channels found.[/]");
+                return 0;
+            }
+
+            var table = new Table();
+            table.AddColumn("Channel ID");
+            table.AddColumn("Name");
+            table.AddColumn("Type");
+            table.AddColumn("Enabled");
+            table.AddColumn("Deliveries");
+            table.AddColumn("Failure Rate");
+            table.AddColumn("Updated");
+
+            foreach (var channel in response.Items)
+            {
+                var enabledMarkup = channel.Enabled ? "[green]Yes[/]" : "[grey]No[/]";
+                var failureRateMarkup = GetFailureRateMarkup(channel.FailureRate);
+
+                table.AddRow(
+                    Markup.Escape(channel.ChannelId),
+                    Markup.Escape(channel.DisplayName ?? channel.Name),
+                    GetChannelTypeMarkup(channel.Type),
+                    enabledMarkup,
+                    channel.DeliveryCount.ToString(),
+                    failureRateMarkup,
+                    channel.UpdatedAt.ToString("yyyy-MM-dd HH:mm:ss"));
+            }
+
+            AnsiConsole.Write(table);
+
+            if (response.HasMore && !string.IsNullOrWhiteSpace(response.NextCursor))
+            {
+                AnsiConsole.MarkupLine($"[grey]More results available. Use --cursor {Markup.Escape(response.NextCursor)}[/]");
+            }
+
+            AnsiConsole.MarkupLine($"[grey]Total: {response.Total}[/]");
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleNotifyChannelsShowAsync(
+        IServiceProvider services,
+        string channelId,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<INotifyClient>();
+
+        try
+        {
+            var channel = await client.GetChannelAsync(channelId, tenant, cancellationToken).ConfigureAwait(false);
+
+            if (channel == null)
+            {
+                AnsiConsole.MarkupLine($"[red]Channel not found: {Markup.Escape(channelId)}[/]");
+                return CliError.FromHttpStatus(404).ExitCode;
+            }
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(channel, JsonOptions));
+                return 0;
+            }
+
+            var panel = new Panel(new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Channel ID[/]", Markup.Escape(channel.ChannelId))
+                .AddRow("[bold]Name[/]", Markup.Escape(channel.DisplayName ?? channel.Name))
+                .AddRow("[bold]Type[/]", GetChannelTypeMarkup(channel.Type))
+                .AddRow("[bold]Enabled[/]", channel.Enabled ? "[green]Yes[/]" : "[grey]No[/]")
+                .AddRow("[bold]Tenant[/]", Markup.Escape(channel.TenantId))
+                .AddRow("[bold]Description[/]", Markup.Escape(channel.Description ?? "-"))
+                .AddRow("[bold]Created[/]", channel.CreatedAt.ToString("yyyy-MM-dd HH:mm:ss"))
+                .AddRow("[bold]Updated[/]", channel.UpdatedAt.ToString("yyyy-MM-dd HH:mm:ss"))
+                .AddRow("[bold]Created By[/]", Markup.Escape(channel.CreatedBy ?? "-"))
+                .AddRow("[bold]Updated By[/]", Markup.Escape(channel.UpdatedBy ?? "-")));
+            panel.Header = new PanelHeader("Channel Details");
+            AnsiConsole.Write(panel);
+
+            // Configuration
+            if (channel.Config != null)
+            {
+                var configGrid = new Grid()
+                    .AddColumn()
+                    .AddColumn()
+                    .AddRow("[bold]Secret Ref[/]", Markup.Escape(channel.Config.SecretRef))
+                    .AddRow("[bold]Target[/]", Markup.Escape(channel.Config.Target ?? "-"))
+                    .AddRow("[bold]Endpoint[/]", Markup.Escape(channel.Config.Endpoint ?? "-"));
+
+                if (channel.Config.Limits != null)
+                {
+                    configGrid.AddRow("[bold]Concurrency[/]", channel.Config.Limits.Concurrency?.ToString() ?? "-");
+                    configGrid.AddRow("[bold]Requests/Min[/]", channel.Config.Limits.RequestsPerMinute?.ToString() ?? "-");
+                    configGrid.AddRow("[bold]Timeout (s)[/]", channel.Config.Limits.TimeoutSeconds?.ToString() ?? "-");
+                    configGrid.AddRow("[bold]Max Batch Size[/]", channel.Config.Limits.MaxBatchSize?.ToString() ?? "-");
+                }
+
+                var configPanel = new Panel(configGrid) { Header = new PanelHeader("Configuration") };
+                AnsiConsole.Write(configPanel);
+            }
+
+            // Statistics
+            if (channel.Stats != null)
+            {
+                var statsGrid = new Grid()
+                    .AddColumn()
+                    .AddColumn()
+                    .AddRow("[bold]Total Deliveries[/]", channel.Stats.TotalDeliveries.ToString())
+                    .AddRow("[bold]Successful[/]", $"[green]{channel.Stats.SuccessfulDeliveries}[/]")
+                    .AddRow("[bold]Failed[/]", channel.Stats.FailedDeliveries > 0 ? $"[red]{channel.Stats.FailedDeliveries}[/]" : "0")
+                    .AddRow("[bold]Throttled[/]", channel.Stats.ThrottledDeliveries > 0 ? $"[yellow]{channel.Stats.ThrottledDeliveries}[/]" : "0")
+                    .AddRow("[bold]Last Delivery[/]", channel.Stats.LastDeliveryAt?.ToString("yyyy-MM-dd HH:mm:ss") ?? "-")
+                    .AddRow("[bold]Avg Latency[/]", channel.Stats.AvgLatencyMs.HasValue ? $"{channel.Stats.AvgLatencyMs:F1} ms" : "-");
+
+                var statsPanel = new Panel(statsGrid) { Header = new PanelHeader("Statistics") };
+                AnsiConsole.Write(statsPanel);
+            }
+
+            // Health
+            if (channel.Health != null)
+            {
+                var healthMarkup = channel.Health.Status.ToLowerInvariant() switch
+                {
+                    "healthy" => "[green]HEALTHY[/]",
+                    "degraded" => "[yellow]DEGRADED[/]",
+                    "unhealthy" => "[red]UNHEALTHY[/]",
+                    _ => Markup.Escape(channel.Health.Status)
+                };
+
+                var healthGrid = new Grid()
+                    .AddColumn()
+                    .AddColumn()
+                    .AddRow("[bold]Status[/]", healthMarkup)
+                    .AddRow("[bold]Last Check[/]", channel.Health.LastCheckAt?.ToString("yyyy-MM-dd HH:mm:ss") ?? "-")
+                    .AddRow("[bold]Consecutive Failures[/]", channel.Health.ConsecutiveFailures > 0 ? $"[red]{channel.Health.ConsecutiveFailures}[/]" : "0");
+
+                if (!string.IsNullOrWhiteSpace(channel.Health.ErrorMessage))
+                {
+                    healthGrid.AddRow("[bold]Error[/]", $"[red]{Markup.Escape(channel.Health.ErrorMessage)}[/]");
+                }
+
+                var healthPanel = new Panel(healthGrid) { Header = new PanelHeader("Health") };
+                AnsiConsole.Write(healthPanel);
+            }
+
+            // Labels
+            if (channel.Labels is { Count: > 0 })
+            {
+                var labelsTable = new Table();
+                labelsTable.AddColumn("Key");
+                labelsTable.AddColumn("Value");
+                foreach (var label in channel.Labels)
+                {
+                    labelsTable.AddRow(Markup.Escape(label.Key), Markup.Escape(label.Value));
+                }
+                AnsiConsole.Write(new Panel(labelsTable) { Header = new PanelHeader("Labels") });
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleNotifyChannelsTestAsync(
+        IServiceProvider services,
+        string channelId,
+        string? tenant,
+        string? message,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<INotifyClient>();
+
+        try
+        {
+            var request = new NotifyChannelTestRequest
+            {
+                ChannelId = channelId,
+                Tenant = tenant,
+                Message = message
+            };
+
+            var result = await client.TestChannelAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Success ? 0 : 1;
+            }
+
+            if (result.Success)
+            {
+                AnsiConsole.MarkupLine($"[green]Test successful for channel {Markup.Escape(channelId)}[/]");
+                if (result.LatencyMs.HasValue)
+                {
+                    AnsiConsole.MarkupLine($"[grey]Latency: {result.LatencyMs} ms[/]");
+                }
+                if (!string.IsNullOrWhiteSpace(result.DeliveryId))
+                {
+                    AnsiConsole.MarkupLine($"[grey]Delivery ID: {Markup.Escape(result.DeliveryId)}[/]");
+                }
+                return 0;
+            }
+            else
+            {
+                AnsiConsole.MarkupLine($"[red]Test failed for channel {Markup.Escape(channelId)}[/]");
+                if (!string.IsNullOrWhiteSpace(result.ErrorMessage))
+                {
+                    AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(result.ErrorMessage)}[/]");
+                }
+                if (result.ResponseCode.HasValue)
+                {
+                    AnsiConsole.MarkupLine($"[grey]Response code: {result.ResponseCode}[/]");
+                }
+                return 1;
+            }
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleNotifyRulesListAsync(
+        IServiceProvider services,
+        string? tenant,
+        bool? enabled,
+        string? eventType,
+        string? channelId,
+        int? limit,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<INotifyClient>();
+
+        try
+        {
+            var request = new NotifyRuleListRequest
+            {
+                Tenant = tenant,
+                Enabled = enabled,
+                EventType = eventType,
+                ChannelId = channelId,
+                Limit = limit
+            };
+
+            var response = await client.ListRulesAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(response, JsonOptions));
+                return 0;
+            }
+
+            if (response.Items.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[yellow]No notification rules found.[/]");
+                return 0;
+            }
+
+            var table = new Table();
+            table.AddColumn("Rule ID");
+            table.AddColumn("Name");
+            table.AddColumn("Enabled");
+            table.AddColumn("Priority");
+            table.AddColumn("Event Types");
+            table.AddColumn("Channels");
+            table.AddColumn("Matches");
+
+            foreach (var rule in response.Items)
+            {
+                var enabledMarkup = rule.Enabled ? "[green]Yes[/]" : "[grey]No[/]";
+                var eventTypes = rule.EventTypes.Count > 0 ? string.Join(", ", rule.EventTypes.Take(3)) : "-";
+                if (rule.EventTypes.Count > 3)
+                {
+                    eventTypes += $" (+{rule.EventTypes.Count - 3})";
+                }
+                var channelCount = rule.ChannelIds.Count.ToString();
+
+                table.AddRow(
+                    Markup.Escape(rule.RuleId),
+                    Markup.Escape(rule.Name),
+                    enabledMarkup,
+                    rule.Priority.ToString(),
+                    Markup.Escape(eventTypes),
+                    channelCount,
+                    rule.MatchCount.ToString());
+            }
+
+            AnsiConsole.Write(table);
+
+            if (response.HasMore)
+            {
+                AnsiConsole.MarkupLine("[grey]More results available.[/]");
+            }
+
+            AnsiConsole.MarkupLine($"[grey]Total: {response.Total}[/]");
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleNotifyDeliveriesListAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? status,
+        string? eventType,
+        string? channelId,
+        DateTimeOffset? since,
+        DateTimeOffset? until,
+        int? limit,
+        string? cursor,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<INotifyClient>();
+
+        try
+        {
+            var request = new NotifyDeliveryListRequest
+            {
+                Tenant = tenant,
+                Status = status,
+                EventType = eventType,
+                ChannelId = channelId,
+                Since = since,
+                Until = until,
+                Limit = limit,
+                Cursor = cursor
+            };
+
+            var response = await client.ListDeliveriesAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(response, JsonOptions));
+                return 0;
+            }
+
+            if (response.Items.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[yellow]No notification deliveries found.[/]");
+                return 0;
+            }
+
+            var table = new Table();
+            table.AddColumn("Delivery ID");
+            table.AddColumn("Channel");
+            table.AddColumn("Type");
+            table.AddColumn("Event");
+            table.AddColumn("Status");
+            table.AddColumn("Attempts");
+            table.AddColumn("Latency");
+            table.AddColumn("Created");
+
+            foreach (var delivery in response.Items)
+            {
+                var statusMarkup = GetDeliveryStatusMarkup(delivery.Status);
+                var latency = delivery.LatencyMs.HasValue ? $"{delivery.LatencyMs} ms" : "-";
+
+                table.AddRow(
+                    Markup.Escape(delivery.DeliveryId),
+                    Markup.Escape(delivery.ChannelName ?? delivery.ChannelId),
+                    GetChannelTypeMarkup(delivery.ChannelType),
+                    Markup.Escape(delivery.EventType),
+                    statusMarkup,
+                    delivery.AttemptCount.ToString(),
+                    latency,
+                    delivery.CreatedAt.ToString("yyyy-MM-dd HH:mm:ss"));
+            }
+
+            AnsiConsole.Write(table);
+
+            if (response.HasMore && !string.IsNullOrWhiteSpace(response.NextCursor))
+            {
+                AnsiConsole.MarkupLine($"[grey]More results available. Use --cursor {Markup.Escape(response.NextCursor)}[/]");
+            }
+
+            AnsiConsole.MarkupLine($"[grey]Total: {response.Total}[/]");
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleNotifyDeliveriesShowAsync(
+        IServiceProvider services,
+        string deliveryId,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<INotifyClient>();
+
+        try
+        {
+            var delivery = await client.GetDeliveryAsync(deliveryId, tenant, cancellationToken).ConfigureAwait(false);
+
+            if (delivery == null)
+            {
+                AnsiConsole.MarkupLine($"[red]Delivery not found: {Markup.Escape(deliveryId)}[/]");
+                return CliError.FromHttpStatus(404).ExitCode;
+            }
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(delivery, JsonOptions));
+                return 0;
+            }
+
+            var panel = new Panel(new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Delivery ID[/]", Markup.Escape(delivery.DeliveryId))
+                .AddRow("[bold]Channel[/]", Markup.Escape(delivery.ChannelName ?? delivery.ChannelId))
+                .AddRow("[bold]Channel Type[/]", GetChannelTypeMarkup(delivery.ChannelType))
+                .AddRow("[bold]Event Type[/]", Markup.Escape(delivery.EventType))
+                .AddRow("[bold]Status[/]", GetDeliveryStatusMarkup(delivery.Status))
+                .AddRow("[bold]Subject[/]", Markup.Escape(delivery.Subject ?? "-"))
+                .AddRow("[bold]Tenant[/]", Markup.Escape(delivery.TenantId))
+                .AddRow("[bold]Rule ID[/]", Markup.Escape(delivery.RuleId ?? "-"))
+                .AddRow("[bold]Event ID[/]", Markup.Escape(delivery.EventId ?? "-"))
+                .AddRow("[bold]Created[/]", delivery.CreatedAt.ToString("yyyy-MM-dd HH:mm:ss"))
+                .AddRow("[bold]Sent[/]", delivery.SentAt?.ToString("yyyy-MM-dd HH:mm:ss") ?? "-")
+                .AddRow("[bold]Failed[/]", delivery.FailedAt?.ToString("yyyy-MM-dd HH:mm:ss") ?? "-")
+                .AddRow("[bold]Idempotency Key[/]", Markup.Escape(delivery.IdempotencyKey ?? "-")));
+            panel.Header = new PanelHeader("Delivery Details");
+            AnsiConsole.Write(panel);
+
+            if (!string.IsNullOrWhiteSpace(delivery.ErrorMessage))
+            {
+                AnsiConsole.Write(new Panel($"[red]{Markup.Escape(delivery.ErrorMessage)}[/]") { Header = new PanelHeader("Error") });
+            }
+
+            // Attempts
+            if (delivery.Attempts is { Count: > 0 })
+            {
+                var attemptsTable = new Table();
+                attemptsTable.AddColumn("#");
+                attemptsTable.AddColumn("Status");
+                attemptsTable.AddColumn("Attempted");
+                attemptsTable.AddColumn("Latency");
+                attemptsTable.AddColumn("Response");
+                attemptsTable.AddColumn("Error");
+
+                foreach (var attempt in delivery.Attempts)
+                {
+                    var attemptStatusMarkup = GetDeliveryStatusMarkup(attempt.Status);
+                    var latency = attempt.LatencyMs.HasValue ? $"{attempt.LatencyMs} ms" : "-";
+                    var responseCode = attempt.ResponseCode?.ToString() ?? "-";
+                    var errorMsg = attempt.ErrorMessage ?? "-";
+                    if (errorMsg.Length > 50)
+                    {
+                        errorMsg = errorMsg[..47] + "...";
+                    }
+
+                    attemptsTable.AddRow(
+                        attempt.AttemptNumber.ToString(),
+                        attemptStatusMarkup,
+                        attempt.AttemptedAt.ToString("yyyy-MM-dd HH:mm:ss"),
+                        latency,
+                        responseCode,
+                        Markup.Escape(errorMsg));
+                }
+
+                AnsiConsole.Write(new Panel(attemptsTable) { Header = new PanelHeader($"Attempts ({delivery.AttemptCount})") });
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleNotifyDeliveriesRetryAsync(
+        IServiceProvider services,
+        string deliveryId,
+        string? tenant,
+        string? idempotencyKey,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<INotifyClient>();
+
+        try
+        {
+            var request = new NotifyRetryRequest
+            {
+                DeliveryId = deliveryId,
+                Tenant = tenant,
+                IdempotencyKey = idempotencyKey
+            };
+
+            var result = await client.RetryDeliveryAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Success ? 0 : 1;
+            }
+
+            if (result.Success)
+            {
+                AnsiConsole.MarkupLine($"[green]Retry queued for delivery {Markup.Escape(deliveryId)}[/]");
+                if (!string.IsNullOrWhiteSpace(result.NewStatus))
+                {
+                    AnsiConsole.MarkupLine($"[grey]New status: {GetDeliveryStatusMarkup(result.NewStatus)}[/]");
+                }
+                if (!string.IsNullOrWhiteSpace(result.AuditEventId))
+                {
+                    AnsiConsole.MarkupLine($"[grey]Audit event: {Markup.Escape(result.AuditEventId)}[/]");
+                }
+                return 0;
+            }
+            else
+            {
+                AnsiConsole.MarkupLine($"[red]Retry failed for delivery {Markup.Escape(deliveryId)}[/]");
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]  - {Markup.Escape(error)}[/]");
+                    }
+                }
+                return 1;
+            }
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleNotifySendAsync(
+        IServiceProvider services,
+        string eventType,
+        string body,
+        string? tenant,
+        string? channelId,
+        string? subject,
+        string? severity,
+        string[]? metadata,
+        string? idempotencyKey,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<INotifyClient>();
+
+        try
+        {
+            // Parse metadata key=value pairs
+            Dictionary<string, string>? metadataDict = null;
+            if (metadata is { Length: > 0 })
+            {
+                metadataDict = new Dictionary<string, string>();
+                foreach (var item in metadata)
+                {
+                    var parts = item.Split('=', 2);
+                    if (parts.Length == 2)
+                    {
+                        metadataDict[parts[0]] = parts[1];
+                    }
+                }
+            }
+
+            var request = new NotifySendRequest
+            {
+                EventType = eventType,
+                Body = body,
+                Tenant = tenant,
+                ChannelId = channelId,
+                Subject = subject,
+                Severity = severity,
+                Metadata = metadataDict,
+                IdempotencyKey = idempotencyKey
+            };
+
+            var result = await client.SendAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Success ? 0 : 1;
+            }
+
+            if (result.Success)
+            {
+                AnsiConsole.MarkupLine($"[green]Notification sent successfully[/]");
+                if (!string.IsNullOrWhiteSpace(result.EventId))
+                {
+                    AnsiConsole.MarkupLine($"[grey]Event ID: {Markup.Escape(result.EventId)}[/]");
+                }
+                AnsiConsole.MarkupLine($"[grey]Channels matched: {result.ChannelsMatched}[/]");
+                if (result.DeliveryIds is { Count: > 0 })
+                {
+                    AnsiConsole.MarkupLine($"[grey]Deliveries: {string.Join(", ", result.DeliveryIds.Take(5))}[/]");
+                    if (result.DeliveryIds.Count > 5)
+                    {
+                        AnsiConsole.MarkupLine($"[grey]  (+{result.DeliveryIds.Count - 5} more)[/]");
+                    }
+                }
+                if (!string.IsNullOrWhiteSpace(result.IdempotencyKey))
+                {
+                    AnsiConsole.MarkupLine($"[grey]Idempotency key: {Markup.Escape(result.IdempotencyKey)}[/]");
+                }
+                return 0;
+            }
+            else
+            {
+                AnsiConsole.MarkupLine("[red]Failed to send notification[/]");
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]  - {Markup.Escape(error)}[/]");
+                    }
+                }
+                return 1;
+            }
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    private static string GetChannelTypeMarkup(string type)
+    {
+        return type.ToLowerInvariant() switch
+        {
+            "slack" => "[bold purple]Slack[/]",
+            "teams" => "[bold blue]Teams[/]",
+            "email" => "[bold cyan]Email[/]",
+            "webhook" => "[bold yellow]Webhook[/]",
+            "pagerduty" => "[bold green]PagerDuty[/]",
+            "opsgenie" => "[bold orange1]OpsGenie[/]",
+            "cli" => "[bold grey]CLI[/]",
+            "inappinbox" or "inapp" => "[bold grey]InApp[/]",
+            _ => Markup.Escape(type)
+        };
+    }
+
+    private static string GetDeliveryStatusMarkup(string status)
+    {
+        return status.ToLowerInvariant() switch
+        {
+            "pending" => "[yellow]Pending[/]",
+            "sent" => "[green]Sent[/]",
+            "failed" => "[red]Failed[/]",
+            "throttled" => "[orange1]Throttled[/]",
+            "digested" => "[blue]Digested[/]",
+            "dropped" => "[grey]Dropped[/]",
+            _ => Markup.Escape(status)
+        };
+    }
+
+    private static string GetFailureRateMarkup(double? rate)
+    {
+        if (!rate.HasValue)
+            return "[grey]-[/]";
+
+        return rate.Value switch
+        {
+            0 => "[green]0%[/]",
+            < 0.1 => $"[green]{rate.Value:P1}[/]",
+            < 0.25 => $"[yellow]{rate.Value:P1}[/]",
+            _ => $"[red]{rate.Value:P1}[/]"
+        };
+    }
+
+    #endregion
+
+    #region Sbomer Handlers (CLI-SBOM-60-001)
+
+    internal static async Task<int> HandleSbomerLayerListAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? scanId,
+        string? imageRef,
+        string? digest,
+        int? limit,
+        string? cursor,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<ISbomerClient>();
+
+        try
+        {
+            var request = new SbomerLayerListRequest
+            {
+                Tenant = tenant,
+                ScanId = scanId,
+                ImageRef = imageRef,
+                Digest = digest,
+                Limit = limit,
+                Cursor = cursor
+            };
+
+            var response = await client.ListLayersAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(response, JsonOptions));
+                return 0;
+            }
+
+            if (response.Items.Count == 0)
+            {
+                AnsiConsole.MarkupLine("[yellow]No layer fragments found.[/]");
+                return 0;
+            }
+
+            if (!string.IsNullOrWhiteSpace(response.ImageRef))
+            {
+                AnsiConsole.MarkupLine($"[grey]Image: {Markup.Escape(response.ImageRef)}[/]");
+            }
+            if (!string.IsNullOrWhiteSpace(response.ScanId))
+            {
+                AnsiConsole.MarkupLine($"[grey]Scan ID: {Markup.Escape(response.ScanId)}[/]");
+            }
+
+            var table = new Table();
+            table.AddColumn("Layer Digest");
+            table.AddColumn("Fragment SHA256");
+            table.AddColumn("Components");
+            table.AddColumn("Format");
+            table.AddColumn("DSSE");
+            table.AddColumn("Created");
+
+            foreach (var fragment in response.Items)
+            {
+                var layerDigestShort = fragment.LayerDigest.Length > 20
+                    ? fragment.LayerDigest[..20] + "..."
+                    : fragment.LayerDigest;
+                var fragmentHashShort = fragment.FragmentSha256.Length > 16
+                    ? fragment.FragmentSha256[..16] + "..."
+                    : fragment.FragmentSha256;
+                var dsseStatus = fragment.SignatureValid switch
+                {
+                    true => "[green]Valid[/]",
+                    false => "[red]Invalid[/]",
+                    null => string.IsNullOrWhiteSpace(fragment.DsseEnvelopeSha256) ? "[grey]-[/]" : "[yellow]?[/]"
+                };
+
+                table.AddRow(
+                    Markup.Escape(layerDigestShort),
+                    Markup.Escape(fragmentHashShort),
+                    fragment.ComponentCount.ToString(),
+                    Markup.Escape(fragment.Format),
+                    dsseStatus,
+                    fragment.CreatedAt.ToString("yyyy-MM-dd HH:mm:ss"));
+            }
+
+            AnsiConsole.Write(table);
+
+            if (response.HasMore && !string.IsNullOrWhiteSpace(response.NextCursor))
+            {
+                AnsiConsole.MarkupLine($"[grey]More results available. Use --cursor {Markup.Escape(response.NextCursor)}[/]");
+            }
+
+            AnsiConsole.MarkupLine($"[grey]Total: {response.Total}[/]");
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleSbomerLayerShowAsync(
+        IServiceProvider services,
+        string layerDigest,
+        string? tenant,
+        string? scanId,
+        bool includeComponents,
+        bool includeDsse,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<ISbomerClient>();
+
+        try
+        {
+            var request = new SbomerLayerShowRequest
+            {
+                LayerDigest = layerDigest,
+                Tenant = tenant,
+                ScanId = scanId,
+                IncludeComponents = includeComponents,
+                IncludeDsse = includeDsse
+            };
+
+            var detail = await client.GetLayerAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (detail == null)
+            {
+                AnsiConsole.MarkupLine($"[red]Layer fragment not found: {Markup.Escape(layerDigest)}[/]");
+                return CliError.FromHttpStatus(404).ExitCode;
+            }
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(detail, JsonOptions));
+                return 0;
+            }
+
+            var fragment = detail.Fragment;
+            var panel = new Panel(new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Layer Digest[/]", Markup.Escape(fragment.LayerDigest))
+                .AddRow("[bold]Fragment SHA256[/]", Markup.Escape(fragment.FragmentSha256))
+                .AddRow("[bold]Components[/]", fragment.ComponentCount.ToString())
+                .AddRow("[bold]Format[/]", Markup.Escape(fragment.Format))
+                .AddRow("[bold]Created[/]", fragment.CreatedAt.ToString("yyyy-MM-dd HH:mm:ss"))
+                .AddRow("[bold]Signature Algorithm[/]", Markup.Escape(fragment.SignatureAlgorithm ?? "-"))
+                .AddRow("[bold]Signature Valid[/]", fragment.SignatureValid switch
+                {
+                    true => "[green]Yes[/]",
+                    false => "[red]No[/]",
+                    null => "[grey]-[/]"
+                }));
+            panel.Header = new PanelHeader("Layer Fragment");
+            AnsiConsole.Write(panel);
+
+            // DSSE Envelope
+            if (includeDsse && detail.DsseEnvelope != null)
+            {
+                var dsseGrid = new Grid()
+                    .AddColumn()
+                    .AddColumn()
+                    .AddRow("[bold]Payload Type[/]", Markup.Escape(detail.DsseEnvelope.PayloadType))
+                    .AddRow("[bold]Payload SHA256[/]", Markup.Escape(detail.DsseEnvelope.PayloadSha256))
+                    .AddRow("[bold]Envelope SHA256[/]", Markup.Escape(detail.DsseEnvelope.EnvelopeSha256));
+
+                var dssePanel = new Panel(dsseGrid) { Header = new PanelHeader("DSSE Envelope") };
+                AnsiConsole.Write(dssePanel);
+
+                if (detail.DsseEnvelope.Signatures.Count > 0)
+                {
+                    var sigTable = new Table();
+                    sigTable.AddColumn("Key ID");
+                    sigTable.AddColumn("Algorithm");
+                    sigTable.AddColumn("Valid");
+                    sigTable.AddColumn("Certificate Subject");
+                    sigTable.AddColumn("Expiry");
+
+                    foreach (var sig in detail.DsseEnvelope.Signatures)
+                    {
+                        var validMarkup = sig.Valid switch
+                        {
+                            true => "[green]Yes[/]",
+                            false => "[red]No[/]",
+                            null => "[grey]-[/]"
+                        };
+
+                        sigTable.AddRow(
+                            Markup.Escape(sig.KeyId ?? "-"),
+                            Markup.Escape(sig.Algorithm),
+                            validMarkup,
+                            Markup.Escape(sig.CertificateSubject ?? "-"),
+                            sig.CertificateExpiry?.ToString("yyyy-MM-dd") ?? "-");
+                    }
+
+                    AnsiConsole.Write(new Panel(sigTable) { Header = new PanelHeader("Signatures") });
+                }
+            }
+
+            // Merkle Proof
+            if (detail.MerkleProof != null)
+            {
+                var merkleGrid = new Grid()
+                    .AddColumn()
+                    .AddColumn()
+                    .AddRow("[bold]Leaf Hash[/]", Markup.Escape(detail.MerkleProof.LeafHash))
+                    .AddRow("[bold]Root Hash[/]", Markup.Escape(detail.MerkleProof.RootHash))
+                    .AddRow("[bold]Leaf Index[/]", detail.MerkleProof.LeafIndex.ToString())
+                    .AddRow("[bold]Tree Size[/]", detail.MerkleProof.TreeSize.ToString())
+                    .AddRow("[bold]Valid[/]", detail.MerkleProof.Valid switch
+                    {
+                        true => "[green]Yes[/]",
+                        false => "[red]No[/]",
+                        null => "[grey]-[/]"
+                    });
+
+                AnsiConsole.Write(new Panel(merkleGrid) { Header = new PanelHeader("Merkle Proof") });
+            }
+
+            // Components
+            if (includeComponents && fragment.Components is { Count: > 0 })
+            {
+                var compTable = new Table();
+                compTable.AddColumn("PURL / Name");
+                compTable.AddColumn("Version");
+                compTable.AddColumn("Type");
+
+                foreach (var comp in fragment.Components.Take(50))
+                {
+                    compTable.AddRow(
+                        Markup.Escape(comp.Purl ?? comp.Name),
+                        Markup.Escape(comp.Version ?? "-"),
+                        Markup.Escape(comp.Type ?? "-"));
+                }
+
+                AnsiConsole.Write(new Panel(compTable) { Header = new PanelHeader($"Components ({fragment.Components.Count})") });
+
+                if (fragment.Components.Count > 50)
+                {
+                    AnsiConsole.MarkupLine($"[grey]  (+{fragment.Components.Count - 50} more components)[/]");
+                }
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleSbomerLayerVerifyAsync(
+        IServiceProvider services,
+        string layerDigest,
+        string? tenant,
+        string? scanId,
+        string? verifiersPath,
+        bool offline,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<ISbomerClient>();
+
+        try
+        {
+            var request = new SbomerLayerVerifyRequest
+            {
+                LayerDigest = layerDigest,
+                Tenant = tenant,
+                ScanId = scanId,
+                VerifiersPath = verifiersPath,
+                Offline = offline
+            };
+
+            var result = await client.VerifyLayerAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Valid ? 0 : 20;
+            }
+
+            if (result.Valid)
+            {
+                AnsiConsole.MarkupLine($"[green]Layer fragment verification PASSED[/]");
+                AnsiConsole.MarkupLine($"[grey]Layer: {Markup.Escape(result.LayerDigest)}[/]");
+                AnsiConsole.MarkupLine($"[grey]DSSE Valid: {(result.DsseValid ? "[green]Yes[/]" : "[red]No[/]")}[/]");
+                AnsiConsole.MarkupLine($"[grey]Content Hash Match: {(result.ContentHashMatch ? "[green]Yes[/]" : "[red]No[/]")}[/]");
+                if (result.MerkleProofValid.HasValue)
+                {
+                    AnsiConsole.MarkupLine($"[grey]Merkle Proof Valid: {(result.MerkleProofValid.Value ? "[green]Yes[/]" : "[red]No[/]")}[/]");
+                }
+                if (!string.IsNullOrWhiteSpace(result.SignatureAlgorithm))
+                {
+                    AnsiConsole.MarkupLine($"[grey]Signature Algorithm: {Markup.Escape(result.SignatureAlgorithm)}[/]");
+                }
+            }
+            else
+            {
+                AnsiConsole.MarkupLine($"[red]Layer fragment verification FAILED[/]");
+                AnsiConsole.MarkupLine($"[grey]Layer: {Markup.Escape(result.LayerDigest)}[/]");
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]  - {Markup.Escape(error)}[/]");
+                    }
+                }
+            }
+
+            if (result.Warnings is { Count: > 0 })
+            {
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+                }
+            }
+
+            return result.Valid ? 0 : 20;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleSbomerComposeAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? scanId,
+        string? imageRef,
+        string? digest,
+        string? outputPath,
+        string? format,
+        bool verifyFragments,
+        string? verifiersPath,
+        bool offline,
+        bool emitManifest,
+        bool emitMerkle,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<ISbomerClient>();
+
+        try
+        {
+            var request = new SbomerComposeRequest
+            {
+                Tenant = tenant,
+                ScanId = scanId,
+                ImageRef = imageRef,
+                Digest = digest,
+                OutputPath = outputPath,
+                Format = format,
+                VerifyFragments = verifyFragments,
+                VerifiersPath = verifiersPath,
+                Offline = offline,
+                EmitCompositionManifest = emitManifest,
+                EmitMerkleDiagnostics = emitMerkle
+            };
+
+            var result = await client.ComposeAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Success ? 0 : 20;
+            }
+
+            if (result.Success)
+            {
+                AnsiConsole.MarkupLine("[green]SBOM composition successful[/]");
+
+                var grid = new Grid()
+                    .AddColumn()
+                    .AddColumn()
+                    .AddRow("[bold]Scan ID[/]", Markup.Escape(result.ScanId))
+                    .AddRow("[bold]Fragments[/]", result.FragmentCount.ToString())
+                    .AddRow("[bold]Total Components[/]", result.TotalComponents.ToString())
+                    .AddRow("[bold]Deterministic[/]", result.Deterministic ? "[green]Yes[/]" : "[yellow]No[/]");
+
+                if (!string.IsNullOrWhiteSpace(result.ComposedSha256))
+                    grid.AddRow("[bold]Composed SHA256[/]", Markup.Escape(result.ComposedSha256));
+                if (!string.IsNullOrWhiteSpace(result.MerkleRoot))
+                    grid.AddRow("[bold]Merkle Root[/]", Markup.Escape(result.MerkleRoot));
+                if (!string.IsNullOrWhiteSpace(result.OutputPath))
+                    grid.AddRow("[bold]Output[/]", Markup.Escape(result.OutputPath));
+                if (!string.IsNullOrWhiteSpace(result.CompositionManifestPath))
+                    grid.AddRow("[bold]Manifest[/]", Markup.Escape(result.CompositionManifestPath));
+                if (!string.IsNullOrWhiteSpace(result.MerkleDiagnosticsPath))
+                    grid.AddRow("[bold]Merkle Diagnostics[/]", Markup.Escape(result.MerkleDiagnosticsPath));
+                if (result.Duration.HasValue)
+                    grid.AddRow("[bold]Duration[/]", $"{result.Duration.Value.TotalSeconds:F2}s");
+
+                AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("Composition Result") });
+
+                if (result.FragmentVerifications is { Count: > 0 })
+                {
+                    var failedVerifications = result.FragmentVerifications.Where(v => !v.Valid).ToList();
+                    if (failedVerifications.Count > 0)
+                    {
+                        AnsiConsole.MarkupLine($"[yellow]{failedVerifications.Count} fragment(s) failed verification[/]");
+                    }
+                }
+            }
+            else
+            {
+                AnsiConsole.MarkupLine("[red]SBOM composition failed[/]");
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]  - {Markup.Escape(error)}[/]");
+                    }
+                }
+            }
+
+            if (result.Warnings is { Count: > 0 })
+            {
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+                }
+            }
+
+            return result.Success ? 0 : 20;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleSbomerCompositionShowAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? scanId,
+        string? compositionPath,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<ISbomerClient>();
+
+        try
+        {
+            var request = new SbomerCompositionShowRequest
+            {
+                Tenant = tenant,
+                ScanId = scanId,
+                CompositionPath = compositionPath
+            };
+
+            var manifest = await client.GetCompositionManifestAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (manifest == null)
+            {
+                AnsiConsole.MarkupLine("[red]Composition manifest not found[/]");
+                return CliError.FromHttpStatus(404).ExitCode;
+            }
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(manifest, JsonOptions));
+                return 0;
+            }
+
+            var panel = new Panel(new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Version[/]", Markup.Escape(manifest.Version))
+                .AddRow("[bold]Scan ID[/]", Markup.Escape(manifest.ScanId))
+                .AddRow("[bold]Image[/]", Markup.Escape(manifest.ImageRef ?? "-"))
+                .AddRow("[bold]Digest[/]", Markup.Escape(manifest.Digest ?? "-"))
+                .AddRow("[bold]Merkle Root[/]", Markup.Escape(manifest.MerkleRoot))
+                .AddRow("[bold]Composed SHA256[/]", Markup.Escape(manifest.ComposedSha256))
+                .AddRow("[bold]Created[/]", manifest.CreatedAt.ToString("yyyy-MM-dd HH:mm:ss"))
+                .AddRow("[bold]Fragments[/]", manifest.Fragments.Count.ToString()));
+            panel.Header = new PanelHeader("Composition Manifest");
+            AnsiConsole.Write(panel);
+
+            // Fragments table
+            if (manifest.Fragments.Count > 0)
+            {
+                var fragTable = new Table();
+                fragTable.AddColumn("#");
+                fragTable.AddColumn("Layer Digest");
+                fragTable.AddColumn("Fragment SHA256");
+                fragTable.AddColumn("Components");
+                fragTable.AddColumn("DSSE");
+
+                foreach (var frag in manifest.Fragments.OrderBy(f => f.Order))
+                {
+                    var layerShort = frag.LayerDigest.Length > 20 ? frag.LayerDigest[..20] + "..." : frag.LayerDigest;
+                    var fragShort = frag.FragmentSha256.Length > 16 ? frag.FragmentSha256[..16] + "..." : frag.FragmentSha256;
+                    var dsseMarkup = string.IsNullOrWhiteSpace(frag.DsseEnvelopeSha256) ? "[grey]-[/]" : "[green]Yes[/]";
+
+                    fragTable.AddRow(
+                        frag.Order.ToString(),
+                        Markup.Escape(layerShort),
+                        Markup.Escape(fragShort),
+                        frag.ComponentCount.ToString(),
+                        dsseMarkup);
+                }
+
+                AnsiConsole.Write(new Panel(fragTable) { Header = new PanelHeader("Fragments (Canonical Order)") });
+            }
+
+            // Properties
+            if (manifest.Properties is { Count: > 0 })
+            {
+                var propTable = new Table();
+                propTable.AddColumn("Property");
+                propTable.AddColumn("Value");
+
+                foreach (var prop in manifest.Properties)
+                {
+                    propTable.AddRow(Markup.Escape(prop.Key), Markup.Escape(prop.Value));
+                }
+
+                AnsiConsole.Write(new Panel(propTable) { Header = new PanelHeader("Properties") });
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleSbomerCompositionVerifyAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? scanId,
+        string? compositionPath,
+        string? sbomPath,
+        string? verifiersPath,
+        bool offline,
+        bool recompose,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<ISbomerClient>();
+
+        try
+        {
+            var request = new SbomerCompositionVerifyRequest
+            {
+                Tenant = tenant,
+                ScanId = scanId,
+                CompositionPath = compositionPath,
+                SbomPath = sbomPath,
+                VerifiersPath = verifiersPath,
+                Offline = offline,
+                Recompose = recompose
+            };
+
+            var result = await client.VerifyCompositionAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Valid ? 0 : 20;
+            }
+
+            if (result.Valid)
+            {
+                AnsiConsole.MarkupLine("[green]Composition verification PASSED[/]");
+
+                var grid = new Grid()
+                    .AddColumn()
+                    .AddColumn()
+                    .AddRow("[bold]Scan ID[/]", Markup.Escape(result.ScanId))
+                    .AddRow("[bold]Merkle Root Match[/]", result.MerkleRootMatch ? "[green]Yes[/]" : "[red]No[/]")
+                    .AddRow("[bold]Composed Hash Match[/]", result.ComposedHashMatch ? "[green]Yes[/]" : "[red]No[/]")
+                    .AddRow("[bold]All Fragments Valid[/]", result.AllFragmentsValid ? "[green]Yes[/]" : "[red]No[/]")
+                    .AddRow("[bold]Fragment Count[/]", result.FragmentCount.ToString())
+                    .AddRow("[bold]Deterministic[/]", result.Deterministic ? "[green]Yes[/]" : "[yellow]No[/]");
+
+                if (!string.IsNullOrWhiteSpace(result.RecomposedHash))
+                    grid.AddRow("[bold]Recomposed Hash[/]", Markup.Escape(result.RecomposedHash));
+                if (!string.IsNullOrWhiteSpace(result.ExpectedHash))
+                    grid.AddRow("[bold]Expected Hash[/]", Markup.Escape(result.ExpectedHash));
+
+                AnsiConsole.Write(new Panel(grid) { Header = new PanelHeader("Verification Result") });
+            }
+            else
+            {
+                AnsiConsole.MarkupLine("[red]Composition verification FAILED[/]");
+                AnsiConsole.MarkupLine($"[grey]Scan ID: {Markup.Escape(result.ScanId)}[/]");
+
+                if (result.Errors is { Count: > 0 })
+                {
+                    foreach (var error in result.Errors)
+                    {
+                        AnsiConsole.MarkupLine($"[red]  - {Markup.Escape(error)}[/]");
+                    }
+                }
+            }
+
+            if (result.Warnings is { Count: > 0 })
+            {
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+                }
+            }
+
+            return result.Valid ? 0 : 20;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleSbomerCompositionMerkleAsync(
+        IServiceProvider services,
+        string scanId,
+        string? tenant,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<ISbomerClient>();
+
+        try
+        {
+            var diagnostics = await client.GetMerkleDiagnosticsAsync(scanId, tenant, cancellationToken).ConfigureAwait(false);
+
+            if (diagnostics == null)
+            {
+                AnsiConsole.MarkupLine("[red]Merkle diagnostics not found[/]");
+                return CliError.FromHttpStatus(404).ExitCode;
+            }
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(diagnostics, JsonOptions));
+                return 0;
+            }
+
+            var panel = new Panel(new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Scan ID[/]", Markup.Escape(diagnostics.ScanId))
+                .AddRow("[bold]Root Hash[/]", Markup.Escape(diagnostics.RootHash))
+                .AddRow("[bold]Tree Size[/]", diagnostics.TreeSize.ToString())
+                .AddRow("[bold]Valid[/]", diagnostics.Valid ? "[green]Yes[/]" : "[red]No[/]")
+                .AddRow("[bold]Created[/]", diagnostics.CreatedAt.ToString("yyyy-MM-dd HH:mm:ss")));
+            panel.Header = new PanelHeader("Merkle Tree Diagnostics");
+            AnsiConsole.Write(panel);
+
+            // Leaves
+            if (diagnostics.Leaves.Count > 0)
+            {
+                var leafTable = new Table();
+                leafTable.AddColumn("Index");
+                leafTable.AddColumn("Layer Digest");
+                leafTable.AddColumn("Leaf Hash");
+                leafTable.AddColumn("Fragment SHA256");
+
+                foreach (var leaf in diagnostics.Leaves.OrderBy(l => l.Index))
+                {
+                    var layerShort = leaf.LayerDigest.Length > 20 ? leaf.LayerDigest[..20] + "..." : leaf.LayerDigest;
+                    var leafHashShort = leaf.Hash.Length > 16 ? leaf.Hash[..16] + "..." : leaf.Hash;
+                    var fragHashShort = leaf.FragmentSha256.Length > 16 ? leaf.FragmentSha256[..16] + "..." : leaf.FragmentSha256;
+
+                    leafTable.AddRow(
+                        leaf.Index.ToString(),
+                        Markup.Escape(layerShort),
+                        Markup.Escape(leafHashShort),
+                        Markup.Escape(fragHashShort));
+                }
+
+                AnsiConsole.Write(new Panel(leafTable) { Header = new PanelHeader("Merkle Leaves") });
+            }
+
+            // Intermediate nodes (verbose only)
+            if (verbose && diagnostics.IntermediateNodes is { Count: > 0 })
+            {
+                var nodeTable = new Table();
+                nodeTable.AddColumn("Level");
+                nodeTable.AddColumn("Index");
+                nodeTable.AddColumn("Hash");
+                nodeTable.AddColumn("Left Child");
+                nodeTable.AddColumn("Right Child");
+
+                foreach (var node in diagnostics.IntermediateNodes.OrderBy(n => n.Level).ThenBy(n => n.Index))
+                {
+                    var hashShort = node.Hash.Length > 16 ? node.Hash[..16] + "..." : node.Hash;
+                    var leftShort = (node.LeftChild?.Length > 12 ? node.LeftChild[..12] + "..." : node.LeftChild) ?? "-";
+                    var rightShort = (node.RightChild?.Length > 12 ? node.RightChild[..12] + "..." : node.RightChild) ?? "-";
+
+                    nodeTable.AddRow(
+                        node.Level.ToString(),
+                        node.Index.ToString(),
+                        Markup.Escape(hashShort),
+                        Markup.Escape(leftShort),
+                        Markup.Escape(rightShort));
+                }
+
+                AnsiConsole.Write(new Panel(nodeTable) { Header = new PanelHeader("Intermediate Nodes") });
+            }
+
+            return 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    // CLI-SBOM-60-002: Drift detection handlers
+
+    internal static async Task<int> HandleSbomerDriftAnalyzeAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? scanId,
+        string? baselineScanId,
+        string? sbomPath,
+        string? baselinePath,
+        string? compositionPath,
+        bool explain,
+        bool offline,
+        string? offlineKitPath,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var options = services.GetRequiredService<StellaOpsCliOptions>();
+
+        if (!offline && !OfflineModeGuard.IsNetworkAllowed(options, "sbomer drift analyze"))
+        {
+            return CliError.FromCode(CliError.OfflineMode).ExitCode;
+        }
+
+        var client = services.GetRequiredService<ISbomerClient>();
+
+        try
+        {
+            var request = new SbomerDriftRequest
+            {
+                Tenant = tenant,
+                ScanId = scanId,
+                BaselineScanId = baselineScanId,
+                SbomPath = sbomPath,
+                BaselinePath = baselinePath,
+                CompositionPath = compositionPath,
+                Explain = explain,
+                Offline = offline,
+                OfflineKitPath = offlineKitPath
+            };
+
+            var result = await client.AnalyzeDriftAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.HasDrift && !result.Deterministic ? 1 : 0;
+            }
+
+            // Summary panel
+            var statusColor = result.HasDrift ? (result.Deterministic ? "yellow" : "red") : "green";
+            var statusText = result.HasDrift ? (result.Deterministic ? "Drift Detected (Deterministic)" : "Drift Detected (Non-Deterministic)") : "No Drift";
+
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Status[/]", $"[{statusColor}]{Markup.Escape(statusText)}[/]")
+                .AddRow("[bold]Scan ID[/]", Markup.Escape(result.ScanId))
+                .AddRow("[bold]Baseline Scan ID[/]", Markup.Escape(result.BaselineScanId ?? "N/A"))
+                .AddRow("[bold]Current Hash[/]", Markup.Escape(result.CurrentHash ?? "N/A"))
+                .AddRow("[bold]Baseline Hash[/]", Markup.Escape(result.BaselineHash ?? "N/A"));
+
+            var panel = new Panel(grid) { Header = new PanelHeader("Drift Analysis") };
+            AnsiConsole.Write(panel);
+
+            // Summary statistics
+            if (result.Summary != null)
+            {
+                var summaryGrid = new Grid()
+                    .AddColumn()
+                    .AddColumn()
+                    .AddRow("[bold]Components Added[/]", result.Summary.ComponentsAdded.ToString())
+                    .AddRow("[bold]Components Removed[/]", result.Summary.ComponentsRemoved.ToString())
+                    .AddRow("[bold]Components Modified[/]", result.Summary.ComponentsModified.ToString())
+                    .AddRow("[bold]Array Ordering Drifts[/]", result.Summary.ArrayOrderingDrifts.ToString())
+                    .AddRow("[bold]Timestamp Drifts[/]", result.Summary.TimestampDrifts.ToString())
+                    .AddRow("[bold]Key Ordering Drifts[/]", result.Summary.KeyOrderingDrifts.ToString())
+                    .AddRow("[bold]Whitespace Drifts[/]", result.Summary.WhitespaceDrifts.ToString())
+                    .AddRow("[bold]Total Drifts[/]", $"[bold]{result.Summary.TotalDrifts}[/]");
+
+                AnsiConsole.Write(new Panel(summaryGrid) { Header = new PanelHeader("Summary") });
+            }
+
+            // Drift details table
+            if (result.Details is { Count: > 0 })
+            {
+                var table = new Table();
+                table.AddColumn("Path");
+                table.AddColumn("Type");
+                table.AddColumn("Severity");
+                table.AddColumn("Breaks Determinism");
+                table.AddColumn("Description");
+
+                foreach (var detail in result.Details.Take(50)) // Limit to 50 for display
+                {
+                    var severityColor = detail.Severity switch
+                    {
+                        "error" => "red",
+                        "warning" => "yellow",
+                        _ => "dim"
+                    };
+                    var pathShort = detail.Path.Length > 40 ? "..." + detail.Path[^37..] : detail.Path;
+                    var descShort = detail.Description.Length > 50 ? detail.Description[..47] + "..." : detail.Description;
+
+                    table.AddRow(
+                        Markup.Escape(pathShort),
+                        Markup.Escape(detail.Type),
+                        $"[{severityColor}]{Markup.Escape(detail.Severity)}[/]",
+                        detail.BreaksDeterminism ? "[red]Yes[/]" : "[green]No[/]",
+                        Markup.Escape(descShort));
+                }
+
+                if (result.Details.Count > 50)
+                {
+                    AnsiConsole.MarkupLine($"[dim]Showing 50 of {result.Details.Count} drifts. Use --json for full list.[/]");
+                }
+
+                AnsiConsole.Write(new Panel(table) { Header = new PanelHeader("Drift Details") });
+            }
+
+            // Explanations (when --explain is used)
+            if (explain && result.Explanations is { Count: > 0 })
+            {
+                AnsiConsole.MarkupLine("\n[bold blue]Drift Explanations[/]");
+                AnsiConsole.WriteLine();
+
+                foreach (var explanation in result.Explanations)
+                {
+                    var expGrid = new Grid()
+                        .AddColumn()
+                        .AddColumn()
+                        .AddRow("[bold]Path[/]", Markup.Escape(explanation.Path))
+                        .AddRow("[bold]Reason[/]", Markup.Escape(explanation.Reason));
+
+                    if (!string.IsNullOrWhiteSpace(explanation.ExpectedBehavior))
+                        expGrid.AddRow("[bold]Expected[/]", Markup.Escape(explanation.ExpectedBehavior));
+                    if (!string.IsNullOrWhiteSpace(explanation.ActualBehavior))
+                        expGrid.AddRow("[bold]Actual[/]", Markup.Escape(explanation.ActualBehavior));
+                    if (!string.IsNullOrWhiteSpace(explanation.RootCause))
+                        expGrid.AddRow("[bold]Root Cause[/]", Markup.Escape(explanation.RootCause));
+                    if (!string.IsNullOrWhiteSpace(explanation.Remediation))
+                        expGrid.AddRow("[bold cyan]Remediation[/]", $"[cyan]{Markup.Escape(explanation.Remediation)}[/]");
+                    if (!string.IsNullOrWhiteSpace(explanation.DocumentationUrl))
+                        expGrid.AddRow("[bold]Documentation[/]", $"[link]{Markup.Escape(explanation.DocumentationUrl)}[/]");
+
+                    if (explanation.AffectedLayers is { Count: > 0 })
+                    {
+                        var layersList = string.Join(", ", explanation.AffectedLayers.Select(l => l.Length > 20 ? l[..17] + "..." : l));
+                        expGrid.AddRow("[bold]Affected Layers[/]", Markup.Escape(layersList));
+                    }
+
+                    AnsiConsole.Write(new Panel(expGrid) { Header = new PanelHeader($"Explanation: {(explanation.Path.Length > 30 ? "..." + explanation.Path[^27..] : explanation.Path)}") });
+                    AnsiConsole.WriteLine();
+                }
+            }
+
+            // Errors and warnings
+            if (result.Errors is { Count: > 0 })
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(error)}[/]");
+                }
+            }
+
+            if (verbose && result.Warnings is { Count: > 0 })
+            {
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+                }
+            }
+
+            // Return non-zero if non-deterministic drift detected
+            return result.HasDrift && !result.Deterministic ? 1 : 0;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    internal static async Task<int> HandleSbomerDriftVerifyAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? scanId,
+        string? sbomPath,
+        string? compositionPath,
+        string? verifiersPath,
+        string? offlineKitPath,
+        bool recomposeLocally,
+        bool validateFragments,
+        bool checkMerkle,
+        bool json,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        SetVerbosity(services, verbose);
+        var client = services.GetRequiredService<ISbomerClient>();
+
+        try
+        {
+            var request = new SbomerDriftVerifyRequest
+            {
+                Tenant = tenant,
+                ScanId = scanId,
+                SbomPath = sbomPath,
+                CompositionPath = compositionPath,
+                VerifiersPath = verifiersPath,
+                OfflineKitPath = offlineKitPath,
+                RecomposeLocally = recomposeLocally,
+                ValidateFragments = validateFragments,
+                CheckMerkleProofs = checkMerkle
+            };
+
+            var result = await client.VerifyDriftAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (json)
+            {
+                AnsiConsole.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
+                return result.Valid ? 0 : 1;
+            }
+
+            // Main status panel
+            var statusColor = result.Valid ? "green" : "red";
+            var statusText = result.Valid ? "Verified" : "Verification Failed";
+
+            var grid = new Grid()
+                .AddColumn()
+                .AddColumn()
+                .AddRow("[bold]Status[/]", $"[{statusColor}]{Markup.Escape(statusText)}[/]")
+                .AddRow("[bold]Scan ID[/]", Markup.Escape(result.ScanId))
+                .AddRow("[bold]Deterministic[/]", result.Deterministic ? "[green]Yes[/]" : "[red]No[/]")
+                .AddRow("[bold]Composition Valid[/]", result.CompositionValid ? "[green]Yes[/]" : "[red]No[/]")
+                .AddRow("[bold]Fragments Valid[/]", result.FragmentsValid ? "[green]Yes[/]" : "[red]No[/]")
+                .AddRow("[bold]Merkle Proofs Valid[/]", result.MerkleProofsValid ? "[green]Yes[/]" : "[red]No[/]");
+
+            if (result.RecomposedHashMatch.HasValue)
+            {
+                grid.AddRow("[bold]Recomposed Hash Match[/]", result.RecomposedHashMatch.Value ? "[green]Yes[/]" : "[red]No[/]");
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.CurrentHash))
+            {
+                var hashShort = result.CurrentHash.Length > 32 ? result.CurrentHash[..32] + "..." : result.CurrentHash;
+                grid.AddRow("[bold]Current Hash[/]", Markup.Escape(hashShort));
+            }
+
+            if (!string.IsNullOrWhiteSpace(result.RecomposedHash))
+            {
+                var hashShort = result.RecomposedHash.Length > 32 ? result.RecomposedHash[..32] + "..." : result.RecomposedHash;
+                grid.AddRow("[bold]Recomposed Hash[/]", Markup.Escape(hashShort));
+            }
+
+            var panel = new Panel(grid) { Header = new PanelHeader("Drift Verification") };
+            AnsiConsole.Write(panel);
+
+            // Offline kit info
+            if (result.OfflineKitInfo != null)
+            {
+                var kitGrid = new Grid()
+                    .AddColumn()
+                    .AddColumn()
+                    .AddRow("[bold]Path[/]", Markup.Escape(result.OfflineKitInfo.Path))
+                    .AddRow("[bold]Version[/]", Markup.Escape(result.OfflineKitInfo.Version ?? "N/A"))
+                    .AddRow("[bold]Created[/]", result.OfflineKitInfo.CreatedAt?.ToString("yyyy-MM-dd HH:mm:ss") ?? "N/A")
+                    .AddRow("[bold]Fragment Count[/]", result.OfflineKitInfo.FragmentCount.ToString())
+                    .AddRow("[bold]Verifiers Present[/]", result.OfflineKitInfo.VerifiersPresent ? "[green]Yes[/]" : "[yellow]No[/]")
+                    .AddRow("[bold]Composition Manifest[/]", result.OfflineKitInfo.CompositionManifestPresent ? "[green]Yes[/]" : "[yellow]No[/]");
+
+                AnsiConsole.Write(new Panel(kitGrid) { Header = new PanelHeader("Offline Kit") });
+            }
+
+            // Fragment verifications (verbose mode)
+            if (verbose && result.FragmentVerifications is { Count: > 0 })
+            {
+                var fragTable = new Table();
+                fragTable.AddColumn("Layer Digest");
+                fragTable.AddColumn("Valid");
+                fragTable.AddColumn("DSSE");
+                fragTable.AddColumn("Content Hash");
+                fragTable.AddColumn("Merkle");
+                fragTable.AddColumn("Algorithm");
+
+                foreach (var frag in result.FragmentVerifications)
+                {
+                    var layerShort = frag.LayerDigest.Length > 20 ? frag.LayerDigest[..17] + "..." : frag.LayerDigest;
+
+                    fragTable.AddRow(
+                        Markup.Escape(layerShort),
+                        frag.Valid ? "[green]Yes[/]" : "[red]No[/]",
+                        frag.DsseValid ? "[green]Yes[/]" : "[red]No[/]",
+                        frag.ContentHashMatch ? "[green]Yes[/]" : "[red]No[/]",
+                        frag.MerkleProofValid.HasValue ? (frag.MerkleProofValid.Value ? "[green]Yes[/]" : "[red]No[/]") : "[dim]N/A[/]",
+                        Markup.Escape(frag.SignatureAlgorithm ?? "N/A"));
+                }
+
+                AnsiConsole.Write(new Panel(fragTable) { Header = new PanelHeader("Fragment Verifications") });
+            }
+
+            // Drift result if present
+            if (result.DriftResult != null && result.DriftResult.HasDrift)
+            {
+                var driftColor = result.DriftResult.Deterministic ? "yellow" : "red";
+                var driftStatus = result.DriftResult.Deterministic ? "Deterministic Drift" : "Non-Deterministic Drift";
+
+                var driftGrid = new Grid()
+                    .AddColumn()
+                    .AddColumn()
+                    .AddRow("[bold]Status[/]", $"[{driftColor}]{Markup.Escape(driftStatus)}[/]");
+
+                if (result.DriftResult.Summary != null)
+                {
+                    driftGrid.AddRow("[bold]Total Drifts[/]", result.DriftResult.Summary.TotalDrifts.ToString());
+                    driftGrid.AddRow("[bold]Components Changed[/]", $"+{result.DriftResult.Summary.ComponentsAdded}/-{result.DriftResult.Summary.ComponentsRemoved}/~{result.DriftResult.Summary.ComponentsModified}");
+                }
+
+                AnsiConsole.Write(new Panel(driftGrid) { Header = new PanelHeader("Drift Summary") });
+            }
+
+            // Errors and warnings
+            if (result.Errors is { Count: > 0 })
+            {
+                foreach (var error in result.Errors)
+                {
+                    AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(error)}[/]");
+                }
+            }
+
+            if (verbose && result.Warnings is { Count: > 0 })
+            {
+                foreach (var warning in result.Warnings)
+                {
+                    AnsiConsole.MarkupLine($"[yellow]Warning: {Markup.Escape(warning)}[/]");
+                }
+            }
+
+            return result.Valid ? 0 : 1;
+        }
+        catch (HttpRequestException ex)
+        {
+            var error = CliError.FromHttpStatus((int)(ex.StatusCode ?? System.Net.HttpStatusCode.InternalServerError), ex.Message);
+            AnsiConsole.MarkupLine($"[red]{Markup.Escape(error.Code)}: {Markup.Escape(error.Message)}[/]");
+            return error.ExitCode;
+        }
+    }
+
+    #endregion
+
+    #region Risk Commands (CLI-RISK-66-001 through CLI-RISK-68-001)
+
+    // CLI-RISK-66-001: Risk profile list
+    public static async Task HandleRiskProfileListAsync(
+        IServiceProvider services,
+        string? tenant,
+        bool includeDisabled,
+        string? category,
+        int? limit,
+        int? offset,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IBackendOperationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("risk-profile-list");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.risk.profile.list", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "risk profile list");
+        using var duration = CliMetrics.MeasureCommandDuration("risk profile list");
+
+        try
+        {
+            var effectiveTenant = TenantProfileStore.GetEffectiveTenant(tenant);
+            if (!string.IsNullOrWhiteSpace(effectiveTenant))
+            {
+                activity?.SetTag("stellaops.cli.tenant", effectiveTenant);
+            }
+
+            logger.LogDebug("Listing risk profiles: includeDisabled={IncludeDisabled}, category={Category}",
+                includeDisabled, category);
+
+            var request = new RiskProfileListRequest
+            {
+                IncludeDisabled = includeDisabled,
+                Category = category,
+                Limit = limit,
+                Offset = offset,
+                Tenant = effectiveTenant
+            };
+
+            var response = await client.ListRiskProfilesAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var jsonOptions = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
+                var json = JsonSerializer.Serialize(response, jsonOptions);
+                AnsiConsole.WriteLine(json);
+            }
+            else
+            {
+                RenderRiskProfileListTable(response);
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to list risk profiles.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    private static void RenderRiskProfileListTable(RiskProfileListResponse response)
+    {
+        var table = new Table();
+        table.AddColumn(new TableColumn("[bold]Profile ID[/]").LeftAligned());
+        table.AddColumn(new TableColumn("[bold]Name[/]").LeftAligned());
+        table.AddColumn(new TableColumn("[bold]Category[/]").Centered());
+        table.AddColumn(new TableColumn("[bold]Version[/]").RightAligned());
+        table.AddColumn(new TableColumn("[bold]Rules[/]").RightAligned());
+        table.AddColumn(new TableColumn("[bold]Enabled[/]").Centered());
+        table.AddColumn(new TableColumn("[bold]Built-In[/]").Centered());
+
+        foreach (var profile in response.Profiles)
+        {
+            var enabledStatus = profile.Enabled ? "[green]Yes[/]" : "[grey]No[/]";
+            var builtInStatus = profile.BuiltIn ? "[cyan]Yes[/]" : "-";
+
+            table.AddRow(
+                Markup.Escape(profile.ProfileId),
+                Markup.Escape(profile.Name),
+                Markup.Escape(profile.Category),
+                profile.Version.ToString(),
+                profile.RuleCount.ToString(),
+                enabledStatus,
+                builtInStatus);
+        }
+
+        AnsiConsole.Write(table);
+        AnsiConsole.WriteLine();
+        AnsiConsole.MarkupLine($"[grey]Total:[/] {response.Total} | [grey]Showing:[/] {response.Profiles.Count} (offset {response.Offset})");
+    }
+
+    // CLI-RISK-66-002: Risk simulate
+    public static async Task HandleRiskSimulateAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? profileId,
+        string? sbomId,
+        string? sbomPath,
+        string? assetId,
+        bool diffMode,
+        string? baselineProfileId,
+        bool emitJson,
+        bool emitCsv,
+        string? outputPath,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IBackendOperationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("risk-simulate");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.risk.simulate", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "risk simulate");
+        using var duration = CliMetrics.MeasureCommandDuration("risk simulate");
+
+        try
+        {
+            var effectiveTenant = TenantProfileStore.GetEffectiveTenant(tenant);
+            if (!string.IsNullOrWhiteSpace(effectiveTenant))
+            {
+                activity?.SetTag("stellaops.cli.tenant", effectiveTenant);
+            }
+
+            // Validate input: at least one of sbomId, sbomPath, or assetId required
+            if (string.IsNullOrWhiteSpace(sbomId) && string.IsNullOrWhiteSpace(sbomPath) && string.IsNullOrWhiteSpace(assetId))
+            {
+                AnsiConsole.MarkupLine("[red]Error:[/] At least one of --sbom-id, --sbom-path, or --asset-id is required.");
+                Environment.ExitCode = 4;
+                return;
+            }
+
+            logger.LogDebug("Simulating risk: profileId={ProfileId}, sbomId={SbomId}, sbomPath={SbomPath}, assetId={AssetId}, diffMode={DiffMode}",
+                profileId, sbomId, sbomPath, assetId, diffMode);
+
+            var request = new RiskSimulateRequest
+            {
+                ProfileId = profileId,
+                SbomId = sbomId,
+                SbomPath = sbomPath,
+                AssetId = assetId,
+                DiffMode = diffMode,
+                BaselineProfileId = baselineProfileId,
+                Tenant = effectiveTenant
+            };
+
+            var result = await client.SimulateRiskAsync(request, cancellationToken).ConfigureAwait(false);
+
+            string output;
+            if (emitJson)
+            {
+                var jsonOptions = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
+                output = JsonSerializer.Serialize(result, jsonOptions);
+            }
+            else if (emitCsv)
+            {
+                output = RenderRiskSimulateCsv(result);
+            }
+            else
+            {
+                RenderRiskSimulateTable(result);
+                output = string.Empty;
+            }
+
+            if (!string.IsNullOrWhiteSpace(outputPath) && !string.IsNullOrEmpty(output))
+            {
+                await File.WriteAllTextAsync(outputPath, output, cancellationToken).ConfigureAwait(false);
+                AnsiConsole.MarkupLine($"Output written to [cyan]{Markup.Escape(outputPath)}[/]");
+            }
+            else if (!string.IsNullOrEmpty(output))
+            {
+                AnsiConsole.WriteLine(output);
+            }
+
+            Environment.ExitCode = result.Success ? 0 : 1;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to simulate risk.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    private static void RenderRiskSimulateTable(RiskSimulateResult result)
+    {
+        // Header panel
+        var gradeColor = GetRiskGradeColor(result.Grade);
+        var headerPanel = new Panel(new Markup($"[bold]{Markup.Escape(result.ProfileName)}[/] (ID: {Markup.Escape(result.ProfileId)})"))
+        {
+            Header = new PanelHeader("[bold]Risk Simulation[/]"),
+            Border = BoxBorder.Rounded
+        };
+        AnsiConsole.Write(headerPanel);
+        AnsiConsole.WriteLine();
+
+        // Score summary
+        AnsiConsole.MarkupLine($"[bold]Overall Score:[/] [{gradeColor}]{result.OverallScore:F1}[/] ([{gradeColor}]{Markup.Escape(result.Grade)}[/])");
+        AnsiConsole.MarkupLine($"[bold]Simulated At:[/] {result.SimulatedAt:yyyy-MM-dd HH:mm:ss}");
+        AnsiConsole.WriteLine();
+
+        // Findings summary
+        var findingsGrid = new Grid();
+        findingsGrid.AddColumn();
+        findingsGrid.AddColumn();
+        findingsGrid.AddColumn();
+        findingsGrid.AddColumn();
+        findingsGrid.AddColumn();
+        findingsGrid.AddColumn();
+        findingsGrid.AddRow(
+            "[bold]Critical[/]",
+            "[bold]High[/]",
+            "[bold]Medium[/]",
+            "[bold]Low[/]",
+            "[bold]Info[/]",
+            "[bold]Total[/]");
+        findingsGrid.AddRow(
+            $"[red]{result.Findings.Critical}[/]",
+            $"[#FFA500]{result.Findings.High}[/]",
+            $"[yellow]{result.Findings.Medium}[/]",
+            $"[blue]{result.Findings.Low}[/]",
+            $"[grey]{result.Findings.Info}[/]",
+            $"[bold]{result.Findings.Total}[/]");
+        AnsiConsole.Write(new Panel(findingsGrid) { Header = new PanelHeader("[bold]Findings Summary[/]"), Border = BoxBorder.Rounded });
+        AnsiConsole.WriteLine();
+
+        // Diff information if available
+        if (result.Diff is not null)
+        {
+            var diffColor = result.Diff.Improved ? "green" : "red";
+            var diffSymbol = result.Diff.Improved ? "-" : "+";
+            AnsiConsole.MarkupLine($"[bold]Diff Mode:[/] [{diffColor}]{diffSymbol}{Math.Abs(result.Diff.Delta):F1}[/] (Baseline: {result.Diff.BaselineScore:F1} -> Candidate: {result.Diff.CandidateScore:F1})");
+            AnsiConsole.MarkupLine($"[grey]Findings Added:[/] {result.Diff.FindingsAdded} | [grey]Findings Removed:[/] {result.Diff.FindingsRemoved}");
+            AnsiConsole.WriteLine();
+        }
+
+        // Component scores
+        if (result.ComponentScores.Count > 0)
+        {
+            var componentTable = new Table();
+            componentTable.AddColumn(new TableColumn("[bold]Component[/]").LeftAligned());
+            componentTable.AddColumn(new TableColumn("[bold]Score[/]").RightAligned());
+            componentTable.AddColumn(new TableColumn("[bold]Grade[/]").Centered());
+            componentTable.AddColumn(new TableColumn("[bold]Findings[/]").RightAligned());
+
+            foreach (var component in result.ComponentScores)
+            {
+                var componentGradeColor = GetRiskGradeColor(component.Grade);
+                componentTable.AddRow(
+                    Markup.Escape(component.ComponentName),
+                    $"{component.Score:F1}",
+                    $"[{componentGradeColor}]{Markup.Escape(component.Grade)}[/]",
+                    component.FindingCount.ToString());
+            }
+
+            AnsiConsole.Write(componentTable);
+        }
+
+        // Errors
+        if (result.Errors.Count > 0)
+        {
+            AnsiConsole.WriteLine();
+            foreach (var error in result.Errors)
+            {
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+            }
+        }
+    }
+
+    private static string RenderRiskSimulateCsv(RiskSimulateResult result)
+    {
+        var sb = new System.Text.StringBuilder();
+        sb.AppendLine("ComponentId,ComponentName,Score,Grade,FindingCount");
+        foreach (var component in result.ComponentScores)
+        {
+            sb.AppendLine($"\"{component.ComponentId}\",\"{component.ComponentName}\",{component.Score:F2},{component.Grade},{component.FindingCount}");
+        }
+        return sb.ToString();
+    }
+
+    private static string GetRiskGradeColor(string grade) => grade.ToUpperInvariant() switch
+    {
+        "A" or "A+" => "green",
+        "B" or "B+" => "cyan",
+        "C" or "C+" => "yellow",
+        "D" or "D+" => "#FFA500",
+        "F" => "red",
+        _ => "grey"
+    };
+
+    // CLI-RISK-67-001: Risk results
+    public static async Task HandleRiskResultsAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? assetId,
+        string? sbomId,
+        string? profileId,
+        string? minSeverity,
+        double? maxScore,
+        bool includeExplain,
+        int? limit,
+        int? offset,
+        bool emitJson,
+        bool emitCsv,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IBackendOperationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("risk-results");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.risk.results", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "risk results");
+        using var duration = CliMetrics.MeasureCommandDuration("risk results");
+
+        try
+        {
+            var effectiveTenant = TenantProfileStore.GetEffectiveTenant(tenant);
+            if (!string.IsNullOrWhiteSpace(effectiveTenant))
+            {
+                activity?.SetTag("stellaops.cli.tenant", effectiveTenant);
+            }
+
+            logger.LogDebug("Getting risk results: assetId={AssetId}, sbomId={SbomId}, profileId={ProfileId}, minSeverity={MinSeverity}",
+                assetId, sbomId, profileId, minSeverity);
+
+            var request = new RiskResultsRequest
+            {
+                AssetId = assetId,
+                SbomId = sbomId,
+                ProfileId = profileId,
+                MinSeverity = minSeverity,
+                MaxScore = maxScore,
+                IncludeExplain = includeExplain,
+                Limit = limit,
+                Offset = offset,
+                Tenant = effectiveTenant
+            };
+
+            var response = await client.GetRiskResultsAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var jsonOptions = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
+                var json = JsonSerializer.Serialize(response, jsonOptions);
+                AnsiConsole.WriteLine(json);
+            }
+            else if (emitCsv)
+            {
+                RenderRiskResultsCsv(response);
+            }
+            else
+            {
+                RenderRiskResultsTable(response, includeExplain);
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to get risk results.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    private static void RenderRiskResultsTable(RiskResultsResponse response, bool includeExplain)
+    {
+        // Summary panel
+        var summaryGrid = new Grid();
+        summaryGrid.AddColumn();
+        summaryGrid.AddColumn();
+        summaryGrid.AddColumn();
+        summaryGrid.AddColumn();
+        summaryGrid.AddRow(
+            $"[bold]Average Score:[/] {response.Summary.AverageScore:F1}",
+            $"[bold]Min:[/] {response.Summary.MinScore:F1}",
+            $"[bold]Max:[/] {response.Summary.MaxScore:F1}",
+            $"[bold]Assets:[/] {response.Summary.AssetCount}");
+        AnsiConsole.Write(new Panel(summaryGrid) { Header = new PanelHeader("[bold]Summary[/]"), Border = BoxBorder.Rounded });
+        AnsiConsole.WriteLine();
+
+        // Results table
+        var table = new Table();
+        table.AddColumn(new TableColumn("[bold]Result ID[/]").LeftAligned());
+        table.AddColumn(new TableColumn("[bold]Asset[/]").LeftAligned());
+        table.AddColumn(new TableColumn("[bold]Profile[/]").LeftAligned());
+        table.AddColumn(new TableColumn("[bold]Score[/]").RightAligned());
+        table.AddColumn(new TableColumn("[bold]Grade[/]").Centered());
+        table.AddColumn(new TableColumn("[bold]Severity[/]").Centered());
+        table.AddColumn(new TableColumn("[bold]Findings[/]").RightAligned());
+        table.AddColumn(new TableColumn("[bold]Evaluated[/]").RightAligned());
+
+        foreach (var result in response.Results)
+        {
+            var gradeColor = GetRiskGradeColor(result.Grade);
+            var severityColor = GetSeverityColor(result.Severity);
+
+            table.AddRow(
+                Markup.Escape(TruncateId(result.ResultId)),
+                Markup.Escape(result.AssetName ?? result.AssetId),
+                Markup.Escape(result.ProfileName ?? result.ProfileId),
+                $"{result.Score:F1}",
+                $"[{gradeColor}]{Markup.Escape(result.Grade)}[/]",
+                $"[{severityColor}]{Markup.Escape(result.Severity.ToUpperInvariant())}[/]",
+                result.FindingCount.ToString(),
+                result.EvaluatedAt.ToString("yyyy-MM-dd"));
+        }
+
+        AnsiConsole.Write(table);
+        AnsiConsole.WriteLine();
+        AnsiConsole.MarkupLine($"[grey]Total:[/] {response.Total} | [grey]Showing:[/] {response.Results.Count} (offset {response.Offset})");
+
+        // Explanations if requested
+        if (includeExplain)
+        {
+            foreach (var result in response.Results.Where(r => r.Explain != null))
+            {
+                AnsiConsole.WriteLine();
+                AnsiConsole.MarkupLine($"[bold]Explanation for {Markup.Escape(TruncateId(result.ResultId))}:[/]");
+
+                if (result.Explain!.Factors.Count > 0)
+                {
+                    var factorTable = new Table();
+                    factorTable.AddColumn("Factor");
+                    factorTable.AddColumn("Weight");
+                    factorTable.AddColumn("Contribution");
+                    foreach (var factor in result.Explain.Factors)
+                    {
+                        factorTable.AddRow(
+                            Markup.Escape(factor.Name),
+                            $"{factor.Weight:F2}",
+                            $"{factor.Contribution:F2}");
+                    }
+                    AnsiConsole.Write(factorTable);
+                }
+
+                if (result.Explain.Recommendations.Count > 0)
+                {
+                    AnsiConsole.MarkupLine("[bold]Recommendations:[/]");
+                    foreach (var rec in result.Explain.Recommendations)
+                    {
+                        AnsiConsole.MarkupLine($"  - {Markup.Escape(rec)}");
+                    }
+                }
+            }
+        }
+    }
+
+    private static void RenderRiskResultsCsv(RiskResultsResponse response)
+    {
+        Console.WriteLine("ResultId,AssetId,AssetName,ProfileId,ProfileName,Score,Grade,Severity,FindingCount,EvaluatedAt");
+        foreach (var result in response.Results)
+        {
+            Console.WriteLine($"\"{result.ResultId}\",\"{result.AssetId}\",\"{result.AssetName ?? ""}\",\"{result.ProfileId}\",\"{result.ProfileName ?? ""}\",{result.Score:F2},{result.Grade},{result.Severity},{result.FindingCount},{result.EvaluatedAt:O}");
+        }
+    }
+
+    private static string TruncateId(string id) => id.Length > 12 ? id[..12] + "..." : id;
+
+    // CLI-RISK-68-001: Risk bundle verify
+    public static async Task HandleRiskBundleVerifyAsync(
+        IServiceProvider services,
+        string? tenant,
+        string bundlePath,
+        string? signaturePath,
+        bool checkRekor,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IBackendOperationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("risk-bundle-verify");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.risk.bundle.verify", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "risk bundle verify");
+        using var duration = CliMetrics.MeasureCommandDuration("risk bundle verify");
+
+        try
+        {
+            var effectiveTenant = TenantProfileStore.GetEffectiveTenant(tenant);
+            if (!string.IsNullOrWhiteSpace(effectiveTenant))
+            {
+                activity?.SetTag("stellaops.cli.tenant", effectiveTenant);
+            }
+
+            // Validate bundle path exists
+            if (!File.Exists(bundlePath))
+            {
+                AnsiConsole.MarkupLine($"[red]Error:[/] Bundle file not found: {Markup.Escape(bundlePath)}");
+                Environment.ExitCode = 4;
+                return;
+            }
+
+            // Validate signature path if provided
+            if (!string.IsNullOrWhiteSpace(signaturePath) && !File.Exists(signaturePath))
+            {
+                AnsiConsole.MarkupLine($"[red]Error:[/] Signature file not found: {Markup.Escape(signaturePath)}");
+                Environment.ExitCode = 4;
+                return;
+            }
+
+            logger.LogDebug("Verifying risk bundle: bundlePath={BundlePath}, signaturePath={SignaturePath}, checkRekor={CheckRekor}",
+                bundlePath, signaturePath, checkRekor);
+
+            var request = new RiskBundleVerifyRequest
+            {
+                BundlePath = bundlePath,
+                SignaturePath = signaturePath,
+                CheckRekor = checkRekor,
+                Tenant = effectiveTenant
+            };
+
+            var result = await client.VerifyRiskBundleAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var jsonOptions = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
+                var json = JsonSerializer.Serialize(result, jsonOptions);
+                AnsiConsole.WriteLine(json);
+            }
+            else
+            {
+                RenderRiskBundleVerifyResult(result, verbose);
+            }
+
+            Environment.ExitCode = result.Valid ? 0 : 1;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to verify risk bundle.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    private static void RenderRiskBundleVerifyResult(RiskBundleVerifyResult result, bool verbose)
+    {
+        // Validation status
+        var validStatus = result.Valid ? "[green]VALID[/]" : "[red]INVALID[/]";
+        AnsiConsole.MarkupLine($"[bold]Bundle Status:[/] {validStatus}");
+        AnsiConsole.WriteLine();
+
+        // Bundle info
+        var infoGrid = new Grid();
+        infoGrid.AddColumn();
+        infoGrid.AddColumn();
+        infoGrid.AddRow("[bold]Bundle ID:[/]", Markup.Escape(result.BundleId));
+        infoGrid.AddRow("[bold]Version:[/]", Markup.Escape(result.BundleVersion));
+        infoGrid.AddRow("[bold]Profiles:[/]", result.ProfileCount.ToString());
+        infoGrid.AddRow("[bold]Rules:[/]", result.RuleCount.ToString());
+        AnsiConsole.Write(new Panel(infoGrid) { Header = new PanelHeader("[bold]Bundle Information[/]"), Border = BoxBorder.Rounded });
+        AnsiConsole.WriteLine();
+
+        // Signature info
+        if (result.SignatureValid.HasValue)
+        {
+            var sigStatus = result.SignatureValid.Value ? "[green]Valid[/]" : "[red]Invalid[/]";
+            AnsiConsole.MarkupLine($"[bold]Signature:[/] {sigStatus}");
+            if (result.SignedBy is not null)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Signed By:[/] {Markup.Escape(result.SignedBy)}");
+            }
+            if (result.SignedAt.HasValue)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Signed At:[/] {result.SignedAt:yyyy-MM-dd HH:mm:ss}");
+            }
+        }
+
+        // Rekor info
+        if (result.RekorVerified.HasValue)
+        {
+            var rekorStatus = result.RekorVerified.Value ? "[green]Verified[/]" : "[yellow]Not Found[/]";
+            AnsiConsole.MarkupLine($"[bold]Rekor Transparency:[/] {rekorStatus}");
+            if (result.RekorLogIndex is not null)
+            {
+                AnsiConsole.MarkupLine($"  [grey]Log Index:[/] {Markup.Escape(result.RekorLogIndex)}");
+            }
+        }
+
+        // Errors
+        if (result.Errors.Count > 0)
+        {
+            AnsiConsole.WriteLine();
+            foreach (var error in result.Errors)
+            {
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+            }
+        }
+
+        // Warnings (verbose only)
+        if (verbose && result.Warnings.Count > 0)
+        {
+            AnsiConsole.WriteLine();
+            foreach (var warning in result.Warnings)
+            {
+                AnsiConsole.MarkupLine($"[yellow]Warning:[/] {Markup.Escape(warning)}");
+            }
+        }
+    }
+
+    #endregion
+
+    #region Reachability Commands (CLI-SIG-26-001)
+
+    // CLI-SIG-26-001: Reachability upload-callgraph
+    public static async Task HandleReachabilityUploadCallGraphAsync(
+        IServiceProvider services,
+        string? tenant,
+        string callGraphPath,
+        string? scanId,
+        string? assetId,
+        string? format,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IBackendOperationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("reachability-upload");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.reachability.upload-callgraph", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "reachability upload-callgraph");
+        using var duration = CliMetrics.MeasureCommandDuration("reachability upload-callgraph");
+
+        try
+        {
+            var effectiveTenant = TenantProfileStore.GetEffectiveTenant(tenant);
+            if (!string.IsNullOrWhiteSpace(effectiveTenant))
+            {
+                activity?.SetTag("stellaops.cli.tenant", effectiveTenant);
+            }
+
+            // Validate call graph path exists
+            if (!File.Exists(callGraphPath))
+            {
+                AnsiConsole.MarkupLine($"[red]Error:[/] Call graph file not found: {Markup.Escape(callGraphPath)}");
+                Environment.ExitCode = 4;
+                return;
+            }
+
+            // Validate at least one of scanId or assetId
+            if (string.IsNullOrWhiteSpace(scanId) && string.IsNullOrWhiteSpace(assetId))
+            {
+                AnsiConsole.MarkupLine("[red]Error:[/] At least one of --scan-id or --asset-id is required.");
+                Environment.ExitCode = 4;
+                return;
+            }
+
+            logger.LogDebug("Uploading call graph: path={Path}, scanId={ScanId}, assetId={AssetId}, format={Format}",
+                callGraphPath, scanId, assetId, format);
+
+            var request = new ReachabilityUploadCallGraphRequest
+            {
+                ScanId = scanId,
+                AssetId = assetId,
+                CallGraphPath = callGraphPath,
+                Format = format,
+                Tenant = effectiveTenant
+            };
+
+            await using var fileStream = File.OpenRead(callGraphPath);
+
+            var result = await AnsiConsole.Progress()
+                .AutoClear(false)
+                .Columns(new TaskDescriptionColumn(), new ProgressBarColumn(), new SpinnerColumn())
+                .StartAsync(async ctx =>
+                {
+                    var task = ctx.AddTask("[cyan]Uploading call graph...[/]", maxValue: 100);
+                    task.IsIndeterminate = true;
+
+                    var uploadResult = await client.UploadCallGraphAsync(request, fileStream, cancellationToken).ConfigureAwait(false);
+
+                    task.Value = 100;
+                    task.StopTask();
+
+                    return uploadResult;
+                }).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var jsonOptions = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
+                var json = JsonSerializer.Serialize(result, jsonOptions);
+                AnsiConsole.WriteLine(json);
+            }
+            else
+            {
+                RenderReachabilityUploadResult(result);
+            }
+
+            Environment.ExitCode = result.Success ? 0 : 1;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to upload call graph.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    private static void RenderReachabilityUploadResult(ReachabilityUploadCallGraphResult result)
+    {
+        var statusColor = result.Success ? "green" : "red";
+        AnsiConsole.MarkupLine($"[bold]Upload Status:[/] [{statusColor}]{(result.Success ? "SUCCESS" : "FAILED")}[/]");
+        AnsiConsole.WriteLine();
+
+        var infoGrid = new Grid();
+        infoGrid.AddColumn();
+        infoGrid.AddColumn();
+        infoGrid.AddRow("[bold]Call Graph ID:[/]", Markup.Escape(result.CallGraphId));
+        infoGrid.AddRow("[bold]Entries Processed:[/]", result.EntriesProcessed.ToString());
+        infoGrid.AddRow("[bold]Errors:[/]", result.ErrorsCount.ToString());
+        infoGrid.AddRow("[bold]Uploaded At:[/]", result.UploadedAt.ToString("yyyy-MM-dd HH:mm:ss"));
+        AnsiConsole.Write(new Panel(infoGrid) { Header = new PanelHeader("[bold]Upload Details[/]"), Border = BoxBorder.Rounded });
+
+        if (result.Errors.Count > 0)
+        {
+            AnsiConsole.WriteLine();
+            foreach (var error in result.Errors)
+            {
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error)}");
+            }
+        }
+    }
+
+    // CLI-SIG-26-001: Reachability list
+    public static async Task HandleReachabilityListAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? scanId,
+        string? assetId,
+        string? status,
+        int? limit,
+        int? offset,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IBackendOperationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("reachability-list");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.reachability.list", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "reachability list");
+        using var duration = CliMetrics.MeasureCommandDuration("reachability list");
+
+        try
+        {
+            var effectiveTenant = TenantProfileStore.GetEffectiveTenant(tenant);
+            if (!string.IsNullOrWhiteSpace(effectiveTenant))
+            {
+                activity?.SetTag("stellaops.cli.tenant", effectiveTenant);
+            }
+
+            logger.LogDebug("Listing reachability analyses: scanId={ScanId}, assetId={AssetId}, status={Status}",
+                scanId, assetId, status);
+
+            var request = new ReachabilityListRequest
+            {
+                ScanId = scanId,
+                AssetId = assetId,
+                Status = status,
+                Limit = limit,
+                Offset = offset,
+                Tenant = effectiveTenant
+            };
+
+            var response = await client.ListReachabilityAnalysesAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var jsonOptions = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
+                var json = JsonSerializer.Serialize(response, jsonOptions);
+                AnsiConsole.WriteLine(json);
+            }
+            else
+            {
+                RenderReachabilityListTable(response);
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to list reachability analyses.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    private static void RenderReachabilityListTable(ReachabilityListResponse response)
+    {
+        var table = new Table();
+        table.AddColumn(new TableColumn("[bold]Analysis ID[/]").LeftAligned());
+        table.AddColumn(new TableColumn("[bold]Asset[/]").LeftAligned());
+        table.AddColumn(new TableColumn("[bold]Status[/]").Centered());
+        table.AddColumn(new TableColumn("[bold]Reachable[/]").RightAligned());
+        table.AddColumn(new TableColumn("[bold]Unreachable[/]").RightAligned());
+        table.AddColumn(new TableColumn("[bold]Unknown[/]").RightAligned());
+        table.AddColumn(new TableColumn("[bold]Created[/]").RightAligned());
+
+        foreach (var analysis in response.Analyses)
+        {
+            var statusColor = GetReachabilityStatusColor(analysis.Status);
+
+            table.AddRow(
+                Markup.Escape(TruncateId(analysis.AnalysisId)),
+                Markup.Escape(analysis.AssetName ?? analysis.AssetId ?? analysis.ScanId ?? "-"),
+                $"[{statusColor}]{Markup.Escape(analysis.Status)}[/]",
+                analysis.ReachableCount.ToString(),
+                analysis.UnreachableCount.ToString(),
+                analysis.UnknownCount.ToString(),
+                analysis.CreatedAt.ToString("yyyy-MM-dd HH:mm"));
+        }
+
+        AnsiConsole.Write(table);
+        AnsiConsole.WriteLine();
+        AnsiConsole.MarkupLine($"[grey]Total:[/] {response.Total} | [grey]Showing:[/] {response.Analyses.Count} (offset {response.Offset})");
+    }
+
+    private static string GetReachabilityStatusColor(string status) => status.ToLowerInvariant() switch
+    {
+        "completed" => "green",
+        "processing" => "cyan",
+        "pending" => "yellow",
+        "failed" => "red",
+        _ => "grey"
+    };
+
+    // CLI-SIG-26-001: Reachability explain
+    public static async Task HandleReachabilityExplainAsync(
+        IServiceProvider services,
+        string? tenant,
+        string analysisId,
+        string? vulnerabilityId,
+        string? packagePurl,
+        bool includeCallPaths,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IBackendOperationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("reachability-explain");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.reachability.explain", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "reachability explain");
+        using var duration = CliMetrics.MeasureCommandDuration("reachability explain");
+
+        try
+        {
+            var effectiveTenant = TenantProfileStore.GetEffectiveTenant(tenant);
+            if (!string.IsNullOrWhiteSpace(effectiveTenant))
+            {
+                activity?.SetTag("stellaops.cli.tenant", effectiveTenant);
+            }
+
+            // Validate at least one of vulnerabilityId or packagePurl
+            if (string.IsNullOrWhiteSpace(vulnerabilityId) && string.IsNullOrWhiteSpace(packagePurl))
+            {
+                AnsiConsole.MarkupLine("[red]Error:[/] At least one of --vuln-id or --purl is required.");
+                Environment.ExitCode = 4;
+                return;
+            }
+
+            logger.LogDebug("Explaining reachability: analysisId={AnalysisId}, vulnId={VulnId}, purl={Purl}",
+                analysisId, vulnerabilityId, packagePurl);
+
+            var request = new ReachabilityExplainRequest
+            {
+                AnalysisId = analysisId,
+                VulnerabilityId = vulnerabilityId,
+                PackagePurl = packagePurl,
+                IncludeCallPaths = includeCallPaths,
+                Tenant = effectiveTenant
+            };
+
+            var result = await client.ExplainReachabilityAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (emitJson)
+            {
+                var jsonOptions = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
+                var json = JsonSerializer.Serialize(result, jsonOptions);
+                AnsiConsole.WriteLine(json);
+            }
+            else
+            {
+                RenderReachabilityExplainResult(result, includeCallPaths);
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to explain reachability.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    private static void RenderReachabilityExplainResult(ReachabilityExplainResult result, bool includeCallPaths)
+    {
+        // State header
+        var stateColor = GetReachabilityStateColor(result.ReachabilityState);
+        AnsiConsole.MarkupLine($"[bold]Reachability State:[/] [{stateColor}]{Markup.Escape(result.ReachabilityState.ToUpperInvariant())}[/]");
+
+        if (result.ReachabilityScore.HasValue)
+        {
+            AnsiConsole.MarkupLine($"[bold]Reachability Score:[/] {result.ReachabilityScore:F2}");
+        }
+
+        AnsiConsole.MarkupLine($"[bold]Confidence:[/] {Markup.Escape(result.Confidence)}");
+        AnsiConsole.WriteLine();
+
+        // Target info
+        var infoGrid = new Grid();
+        infoGrid.AddColumn();
+        infoGrid.AddColumn();
+        infoGrid.AddRow("[bold]Analysis ID:[/]", Markup.Escape(result.AnalysisId));
+        if (!string.IsNullOrWhiteSpace(result.VulnerabilityId))
+        {
+            infoGrid.AddRow("[bold]Vulnerability:[/]", Markup.Escape(result.VulnerabilityId));
+        }
+        if (!string.IsNullOrWhiteSpace(result.PackagePurl))
+        {
+            infoGrid.AddRow("[bold]Package:[/]", Markup.Escape(result.PackagePurl));
+        }
+        AnsiConsole.Write(new Panel(infoGrid) { Border = BoxBorder.Rounded });
+        AnsiConsole.WriteLine();
+
+        // Reasoning
+        if (!string.IsNullOrWhiteSpace(result.Reasoning))
+        {
+            AnsiConsole.MarkupLine("[bold]Reasoning:[/]");
+            AnsiConsole.MarkupLine($"  {Markup.Escape(result.Reasoning)}");
+            AnsiConsole.WriteLine();
+        }
+
+        // Affected functions
+        if (result.AffectedFunctions.Count > 0)
+        {
+            AnsiConsole.MarkupLine("[bold]Affected Functions:[/]");
+            foreach (var func in result.AffectedFunctions)
+            {
+                var location = !string.IsNullOrWhiteSpace(func.FilePath) && func.LineNumber.HasValue
+                    ? $"{func.FilePath}:{func.LineNumber}"
+                    : func.FilePath ?? "";
+
+                AnsiConsole.MarkupLine($"  - [cyan]{Markup.Escape(func.Name)}[/]");
+                if (!string.IsNullOrWhiteSpace(func.ClassName))
+                {
+                    AnsiConsole.MarkupLine($"      Class: {Markup.Escape(func.ClassName)}");
+                }
+                if (!string.IsNullOrWhiteSpace(location))
+                {
+                    AnsiConsole.MarkupLine($"      Location: [grey]{Markup.Escape(location)}[/]");
+                }
+            }
+            AnsiConsole.WriteLine();
+        }
+
+        // Call paths
+        if (includeCallPaths && result.CallPaths.Count > 0)
+        {
+            AnsiConsole.MarkupLine($"[bold]Call Paths ({result.CallPaths.Count}):[/]");
+            AnsiConsole.WriteLine();
+
+            foreach (var path in result.CallPaths)
+            {
+                AnsiConsole.MarkupLine($"[bold]Path {Markup.Escape(path.PathId)}[/] (depth {path.Depth}):");
+
+                // Entry point
+                AnsiConsole.MarkupLine($"  [green]Entry:[/] {Markup.Escape(path.EntryPoint.Name)}");
+
+                // Intermediate frames
+                foreach (var frame in path.Frames)
+                {
+                    AnsiConsole.MarkupLine($"    -> {Markup.Escape(frame.Name)}");
+                }
+
+                // Vulnerable function
+                AnsiConsole.MarkupLine($"  [red]Vulnerable:[/] {Markup.Escape(path.VulnerableFunction.Name)}");
+                AnsiConsole.WriteLine();
+            }
+        }
+    }
+
+    private static string GetReachabilityStateColor(string state) => state.ToLowerInvariant() switch
+    {
+        "reachable" => "red",
+        "unreachable" => "green",
+        "unknown" or "indeterminate" => "yellow",
+        _ => "grey"
+    };
+
+    #endregion
+
+    #region API Spec Commands (CLI-SDK-63-001)
+
+    public static async Task HandleApiSpecListAsync(
+        IServiceProvider services,
+        string? tenant,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IBackendOperationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("api-spec-list");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.api.spec.list", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "api spec list");
+        using var duration = CliMetrics.MeasureCommandDuration("api spec list");
+
+        try
+        {
+            var effectiveTenant = TenantProfileStore.GetEffectiveTenant(tenant);
+            if (!string.IsNullOrWhiteSpace(effectiveTenant))
+            {
+                activity?.SetTag("stellaops.cli.tenant", effectiveTenant);
+            }
+
+            logger.LogDebug("Listing API specs for tenant: {Tenant}", effectiveTenant ?? "(default)");
+
+            var result = await client.ListApiSpecsAsync(effectiveTenant, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(result.Error ?? "Unknown error")}");
+                Environment.ExitCode = 1;
+                return;
+            }
+
+            if (emitJson)
+            {
+                var jsonOptions = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
+                var json = JsonSerializer.Serialize(result, jsonOptions);
+                AnsiConsole.WriteLine(json);
+            }
+            else
+            {
+                // Render aggregate spec
+                if (result.Aggregate is not null)
+                {
+                    AnsiConsole.MarkupLine("[bold]Aggregate API Specification:[/]");
+                    var grid = new Grid();
+                    grid.AddColumn();
+                    grid.AddColumn();
+                    grid.AddRow("[bold]Version:[/]", Markup.Escape(result.Aggregate.Version));
+                    if (!string.IsNullOrWhiteSpace(result.Aggregate.OpenApiVersion))
+                    {
+                        grid.AddRow("[bold]OpenAPI:[/]", Markup.Escape(result.Aggregate.OpenApiVersion));
+                    }
+                    if (!string.IsNullOrWhiteSpace(result.Aggregate.ETag))
+                    {
+                        grid.AddRow("[bold]ETag:[/]", Markup.Escape(result.Aggregate.ETag));
+                    }
+                    if (!string.IsNullOrWhiteSpace(result.Aggregate.Sha256))
+                    {
+                        grid.AddRow("[bold]SHA-256:[/]", Markup.Escape(result.Aggregate.Sha256));
+                    }
+                    if (result.Aggregate.LastModified.HasValue)
+                    {
+                        grid.AddRow("[bold]Last Modified:[/]", result.Aggregate.LastModified.Value.ToString("yyyy-MM-dd HH:mm:ss UTC"));
+                    }
+                    AnsiConsole.Write(new Panel(grid) { Border = BoxBorder.Rounded });
+                    AnsiConsole.WriteLine();
+                }
+
+                // Render service specs
+                if (result.Specs.Count > 0)
+                {
+                    AnsiConsole.MarkupLine("[bold]Service API Specifications:[/]");
+                    var table = new Table { Border = TableBorder.Rounded };
+                    table.AddColumn("Service");
+                    table.AddColumn("Version");
+                    table.AddColumn("OpenAPI");
+                    table.AddColumn("Formats");
+                    table.AddColumn("ETag");
+
+                    foreach (var spec in result.Specs.OrderBy(s => s.Service))
+                    {
+                        var formats = spec.Formats.Count > 0 ? string.Join(", ", spec.Formats) : "-";
+                        table.AddRow(
+                            Markup.Escape(spec.Service),
+                            Markup.Escape(spec.Version),
+                            Markup.Escape(spec.OpenApiVersion ?? "-"),
+                            Markup.Escape(formats),
+                            Markup.Escape(spec.ETag ?? "-")
+                        );
+                    }
+
+                    AnsiConsole.Write(table);
+                }
+                else
+                {
+                    AnsiConsole.MarkupLine("[yellow]No service specifications found.[/]");
+                }
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to list API specs.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    public static async Task HandleApiSpecDownloadAsync(
+        IServiceProvider services,
+        string? tenant,
+        string outputPath,
+        string? service,
+        string format,
+        bool overwrite,
+        string? etag,
+        string? checksum,
+        string checksumAlgorithm,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IBackendOperationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("api-spec-download");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.api.spec.download", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "api spec download");
+        using var duration = CliMetrics.MeasureCommandDuration("api spec download");
+
+        try
+        {
+            var effectiveTenant = TenantProfileStore.GetEffectiveTenant(tenant);
+            if (!string.IsNullOrWhiteSpace(effectiveTenant))
+            {
+                activity?.SetTag("stellaops.cli.tenant", effectiveTenant);
+            }
+
+            logger.LogDebug("Downloading API spec: service={Service}, format={Format}, output={Output}",
+                service ?? "aggregate", format, outputPath);
+
+            var request = new ApiSpecDownloadRequest
+            {
+                Tenant = effectiveTenant,
+                OutputPath = outputPath,
+                Service = service,
+                Format = format,
+                Overwrite = overwrite,
+                ExpectedETag = etag,
+                ExpectedChecksum = checksum,
+                ChecksumAlgorithm = checksumAlgorithm
+            };
+
+            var result = await client.DownloadApiSpecAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                if (emitJson)
+                {
+                    var jsonOptions = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
+                    var json = JsonSerializer.Serialize(result, jsonOptions);
+                    AnsiConsole.WriteLine(json);
+                }
+                else
+                {
+                    AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(result.Error ?? "Unknown error")}");
+                    if (!string.IsNullOrWhiteSpace(result.ErrorCode))
+                    {
+                        AnsiConsole.MarkupLine($"[red]Error Code:[/] {Markup.Escape(result.ErrorCode)}");
+                    }
+                }
+                Environment.ExitCode = 1;
+                return;
+            }
+
+            if (emitJson)
+            {
+                var jsonOptions = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
+                var json = JsonSerializer.Serialize(result, jsonOptions);
+                AnsiConsole.WriteLine(json);
+            }
+            else
+            {
+                var statusText = result.FromCache ? "[yellow]Using cached file[/]" : "[green]Downloaded[/]";
+                AnsiConsole.MarkupLine($"{statusText}");
+                AnsiConsole.WriteLine();
+
+                var grid = new Grid();
+                grid.AddColumn();
+                grid.AddColumn();
+                grid.AddRow("[bold]Path:[/]", Markup.Escape(result.Path ?? "-"));
+                grid.AddRow("[bold]Size:[/]", $"{result.SizeBytes:N0} bytes");
+                if (!string.IsNullOrWhiteSpace(result.ApiVersion))
+                {
+                    grid.AddRow("[bold]API Version:[/]", Markup.Escape(result.ApiVersion));
+                }
+                if (!string.IsNullOrWhiteSpace(result.ETag))
+                {
+                    grid.AddRow("[bold]ETag:[/]", Markup.Escape(result.ETag));
+                }
+                if (!string.IsNullOrWhiteSpace(result.Checksum))
+                {
+                    grid.AddRow($"[bold]{result.ChecksumAlgorithm?.ToUpperInvariant() ?? "Checksum"}:[/]", Markup.Escape(result.Checksum));
+                }
+                if (result.ChecksumVerified.HasValue)
+                {
+                    var verifyStatus = result.ChecksumVerified.Value ? "[green]Verified[/]" : "[red]Mismatch[/]";
+                    grid.AddRow("[bold]Checksum Verified:[/]", verifyStatus);
+                }
+
+                AnsiConsole.Write(new Panel(grid) { Border = BoxBorder.Rounded, Header = new PanelHeader("API Specification") });
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to download API spec.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    #endregion
+
+    #region SDK Commands (CLI-SDK-64-001)
+
+    public static async Task HandleSdkUpdateAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? language,
+        bool checkOnly,
+        bool showChangelog,
+        bool showDeprecations,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IBackendOperationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("sdk-update");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.sdk.update", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "sdk update");
+        using var duration = CliMetrics.MeasureCommandDuration("sdk update");
+
+        try
+        {
+            var effectiveTenant = TenantProfileStore.GetEffectiveTenant(tenant);
+            if (!string.IsNullOrWhiteSpace(effectiveTenant))
+            {
+                activity?.SetTag("stellaops.cli.tenant", effectiveTenant);
+            }
+
+            logger.LogDebug("Checking SDK updates: language={Language}, checkOnly={CheckOnly}", language ?? "all", checkOnly);
+
+            var request = new SdkUpdateRequest
+            {
+                Tenant = effectiveTenant,
+                Language = language,
+                CheckOnly = checkOnly,
+                IncludeChangelog = showChangelog,
+                IncludeDeprecations = showDeprecations
+            };
+
+            var result = await client.CheckSdkUpdatesAsync(request, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(result.Error ?? "Unknown error")}");
+                Environment.ExitCode = 1;
+                return;
+            }
+
+            if (emitJson)
+            {
+                var jsonOptions = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
+                var json = JsonSerializer.Serialize(result, jsonOptions);
+                AnsiConsole.WriteLine(json);
+            }
+            else
+            {
+                // Show update summary
+                var updatesAvailable = result.Updates.Where(u => u.UpdateAvailable).ToList();
+                if (updatesAvailable.Count > 0)
+                {
+                    AnsiConsole.MarkupLine($"[bold cyan]SDK Updates Available ({updatesAvailable.Count}):[/]");
+                    AnsiConsole.WriteLine();
+
+                    var table = new Table { Border = TableBorder.Rounded };
+                    table.AddColumn("SDK");
+                    table.AddColumn("Current");
+                    table.AddColumn("Latest");
+                    table.AddColumn("Package");
+                    table.AddColumn("Released");
+
+                    foreach (var update in updatesAvailable)
+                    {
+                        var current = update.InstalledVersion ?? "[grey]Not installed[/]";
+                        var released = update.ReleaseDate?.ToString("yyyy-MM-dd") ?? "-";
+                        table.AddRow(
+                            Markup.Escape(update.DisplayName ?? update.Language),
+                            update.InstalledVersion is not null ? Markup.Escape(update.InstalledVersion) : "[grey]Not installed[/]",
+                            $"[green]{Markup.Escape(update.LatestVersion)}[/]",
+                            Markup.Escape(update.PackageName),
+                            released
+                        );
+                    }
+
+                    AnsiConsole.Write(table);
+                    AnsiConsole.WriteLine();
+
+                    // Show changelog if requested
+                    if (showChangelog)
+                    {
+                        foreach (var update in updatesAvailable.Where(u => u.Changelog?.Count > 0))
+                        {
+                            AnsiConsole.MarkupLine($"[bold]Changelog for {Markup.Escape(update.DisplayName ?? update.Language)}:[/]");
+                            foreach (var entry in update.Changelog!.Take(5))
+                            {
+                                var typeIcon = entry.Type?.ToLowerInvariant() switch
+                                {
+                                    "feature" => "[green]+[/]",
+                                    "fix" => "[yellow]~[/]",
+                                    "breaking" => "[red]![/]",
+                                    "deprecation" => "[yellow]?[/]",
+                                    _ => " "
+                                };
+                                var breakingMark = entry.IsBreaking ? " [red](BREAKING)[/]" : "";
+                                AnsiConsole.MarkupLine($"  {typeIcon} [{(entry.IsBreaking ? "red" : "white")}]{Markup.Escape(entry.Version)}[/]: {Markup.Escape(entry.Description)}{breakingMark}");
+                            }
+                            AnsiConsole.WriteLine();
+                        }
+                    }
+                }
+                else
+                {
+                    AnsiConsole.MarkupLine("[green]All SDKs are up to date.[/]");
+                }
+
+                // Show deprecations if requested
+                if (showDeprecations && result.Deprecations.Count > 0)
+                {
+                    AnsiConsole.WriteLine();
+                    AnsiConsole.MarkupLine($"[bold yellow]Deprecation Notices ({result.Deprecations.Count}):[/]");
+
+                    foreach (var deprecation in result.Deprecations)
+                    {
+                        var severityColor = deprecation.Severity.ToLowerInvariant() switch
+                        {
+                            "critical" => "red",
+                            "warning" => "yellow",
+                            _ => "grey"
+                        };
+                        AnsiConsole.MarkupLine($"  [{severityColor}][{deprecation.Severity.ToUpperInvariant()}][/] {Markup.Escape(deprecation.Language)}: {Markup.Escape(deprecation.Feature)}");
+                        AnsiConsole.MarkupLine($"    {Markup.Escape(deprecation.Message)}");
+                        if (!string.IsNullOrWhiteSpace(deprecation.Replacement))
+                        {
+                            AnsiConsole.MarkupLine($"    [green]Replacement:[/] {Markup.Escape(deprecation.Replacement)}");
+                        }
+                        if (!string.IsNullOrWhiteSpace(deprecation.RemovedInVersion))
+                        {
+                            AnsiConsole.MarkupLine($"    [yellow]Removed in:[/] {Markup.Escape(deprecation.RemovedInVersion)}");
+                        }
+                    }
+                }
+
+                AnsiConsole.WriteLine();
+                AnsiConsole.MarkupLine($"[grey]Checked at: {result.CheckedAt:yyyy-MM-dd HH:mm:ss UTC}[/]");
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to check SDK updates.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    public static async Task HandleSdkListAsync(
+        IServiceProvider services,
+        string? tenant,
+        string? language,
+        bool emitJson,
+        bool verbose,
+        CancellationToken cancellationToken)
+    {
+        await using var scope = services.CreateAsyncScope();
+        var client = scope.ServiceProvider.GetRequiredService<IBackendOperationsClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILoggerFactory>().CreateLogger("sdk-list");
+        var verbosity = scope.ServiceProvider.GetRequiredService<VerbosityState>();
+        var previousLevel = verbosity.MinimumLevel;
+        verbosity.MinimumLevel = verbose ? LogLevel.Debug : LogLevel.Information;
+        using var activity = CliActivitySource.Instance.StartActivity("cli.sdk.list", ActivityKind.Client);
+        activity?.SetTag("stellaops.cli.command", "sdk list");
+        using var duration = CliMetrics.MeasureCommandDuration("sdk list");
+
+        try
+        {
+            var effectiveTenant = TenantProfileStore.GetEffectiveTenant(tenant);
+            if (!string.IsNullOrWhiteSpace(effectiveTenant))
+            {
+                activity?.SetTag("stellaops.cli.tenant", effectiveTenant);
+            }
+
+            logger.LogDebug("Listing installed SDKs: language={Language}", language ?? "all");
+
+            var result = await client.ListInstalledSdksAsync(language, effectiveTenant, cancellationToken).ConfigureAwait(false);
+
+            if (!result.Success)
+            {
+                AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(result.Error ?? "Unknown error")}");
+                Environment.ExitCode = 1;
+                return;
+            }
+
+            if (emitJson)
+            {
+                var jsonOptions = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
+                var json = JsonSerializer.Serialize(result, jsonOptions);
+                AnsiConsole.WriteLine(json);
+            }
+            else
+            {
+                if (result.Sdks.Count == 0)
+                {
+                    AnsiConsole.MarkupLine("[yellow]No SDKs found.[/]");
+                }
+                else
+                {
+                    AnsiConsole.MarkupLine($"[bold]Installed SDKs ({result.Sdks.Count}):[/]");
+                    AnsiConsole.WriteLine();
+
+                    var table = new Table { Border = TableBorder.Rounded };
+                    table.AddColumn("Language");
+                    table.AddColumn("Package");
+                    table.AddColumn("Installed");
+                    table.AddColumn("Latest");
+                    table.AddColumn("API Support");
+                    table.AddColumn("Status");
+
+                    foreach (var sdk in result.Sdks.OrderBy(s => s.Language))
+                    {
+                        var apiSupport = sdk.MinApiVersion is not null && sdk.MaxApiVersion is not null
+                            ? $"{sdk.MinApiVersion} - {sdk.MaxApiVersion}"
+                            : "-";
+                        var status = sdk.UpdateAvailable
+                            ? "[yellow]Update available[/]"
+                            : "[green]Up to date[/]";
+
+                        table.AddRow(
+                            Markup.Escape(sdk.DisplayName ?? sdk.Language),
+                            Markup.Escape(sdk.PackageName),
+                            Markup.Escape(sdk.InstalledVersion ?? "-"),
+                            Markup.Escape(sdk.LatestVersion),
+                            Markup.Escape(apiSupport),
+                            status
+                        );
+                    }
+
+                    AnsiConsole.Write(table);
+                }
+            }
+
+            Environment.ExitCode = 0;
+        }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            logger.LogWarning("Operation cancelled by user.");
+            Environment.ExitCode = 130;
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to list SDKs.");
+            AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(ex.Message)}");
+            Environment.ExitCode = 1;
+        }
+        finally
+        {
+            verbosity.MinimumLevel = previousLevel;
+        }
+    }
+
+    #endregion
 }
diff --git a/src/Cli/StellaOps.Cli/Configuration/CliProfile.cs b/src/Cli/StellaOps.Cli/Configuration/CliProfile.cs
new file mode 100644
index 000000000..d60c4aeec
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Configuration/CliProfile.cs
@@ -0,0 +1,444 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace StellaOps.Cli.Configuration;
+
+/// <summary>
+/// CLI profile for storing named configurations.
+/// Per CLI-CORE-41-001, supports profiles/contexts for multi-environment workflows.
+/// </summary>
+public sealed class CliProfile
+{
+    /// <summary>
+    /// Profile name (e.g., "prod", "staging", "dev").
+    /// </summary>
+    public required string Name { get; init; }
+
+    /// <summary>
+    /// Optional description.
+    /// </summary>
+    public string? Description { get; init; }
+
+    /// <summary>
+    /// Backend URL for this profile.
+    /// </summary>
+    public string? BackendUrl { get; init; }
+
+    /// <summary>
+    /// Concelier URL for this profile.
+    /// </summary>
+    public string? ConcelierUrl { get; init; }
+
+    /// <summary>
+    /// Authority URL for this profile.
+    /// </summary>
+    public string? AuthorityUrl { get; init; }
+
+    /// <summary>
+    /// Client ID for this profile.
+    /// </summary>
+    public string? ClientId { get; init; }
+
+    /// <summary>
+    /// Default scope for this profile.
+    /// </summary>
+    public string? DefaultScope { get; init; }
+
+    /// <summary>
+    /// Policy Studio scopes for this profile.
+    /// CLI-POLICY-27-006: Supports the Policy Studio scope family.
+    /// </summary>
+    public PolicyStudioScopes? PolicyScopes { get; init; }
+
+    /// <summary>
+    /// Tenant ID for this profile.
+    /// </summary>
+    public string? TenantId { get; init; }
+
+    /// <summary>
+    /// Whether this is an air-gapped/offline profile.
+    /// </summary>
+    public bool IsOffline { get; init; }
+
+    /// <summary>
+    /// Offline kit directory for this profile.
+    /// </summary>
+    public string? OfflineKitDirectory { get; init; }
+
+    /// <summary>
+    /// Default output format for this profile.
+    /// </summary>
+    public string? DefaultOutputFormat { get; init; }
+
+    /// <summary>
+    /// Additional profile-specific settings.
+    /// </summary>
+    public Dictionary<string, string> Settings { get; init; } = new();
+
+    /// <summary>
+    /// Timestamp when profile was created.
+    /// </summary>
+    public DateTimeOffset CreatedAt { get; init; } = DateTimeOffset.UtcNow;
+
+    /// <summary>
+    /// Timestamp when profile was last modified.
+    /// </summary>
+    public DateTimeOffset ModifiedAt { get; init; } = DateTimeOffset.UtcNow;
+}
+
+/// <summary>
+/// Profile store configuration.
+/// </summary>
+public sealed class CliProfileStore
+{
+    /// <summary>
+    /// Current active profile name.
+    /// </summary>
+    public string? CurrentProfile { get; set; }
+
+    /// <summary>
+    /// All stored profiles.
+    /// </summary>
+    public Dictionary<string, CliProfile> Profiles { get; init; } = new(StringComparer.OrdinalIgnoreCase);
+
+    /// <summary>
+    /// Default telemetry opt-in status.
+    /// </summary>
+    public bool? TelemetryEnabled { get; set; }
+}
+
+/// <summary>
+/// Manages CLI profiles persistence.
+/// </summary>
+public sealed class CliProfileManager
+{
+    private static readonly JsonSerializerOptions JsonOptions = new()
+    {
+        WriteIndented = true,
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+        DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
+    };
+
+    private readonly string _profilesFilePath;
+    private CliProfileStore? _store;
+
+    public CliProfileManager(string? profilesDirectory = null)
+    {
+        var directory = profilesDirectory ?? GetDefaultProfilesDirectory();
+        _profilesFilePath = Path.Combine(directory, "profiles.json");
+    }
+
+    /// <summary>
+    /// Gets the current profile store.
+    /// </summary>
+    public async Task<CliProfileStore> GetStoreAsync(CancellationToken cancellationToken = default)
+    {
+        if (_store is not null)
+            return _store;
+
+        _store = await LoadStoreAsync(cancellationToken).ConfigureAwait(false);
+        return _store;
+    }
+
+    /// <summary>
+    /// Gets the currently active profile.
+    /// </summary>
+    public async Task<CliProfile?> GetCurrentProfileAsync(CancellationToken cancellationToken = default)
+    {
+        var store = await GetStoreAsync(cancellationToken).ConfigureAwait(false);
+
+        if (string.IsNullOrWhiteSpace(store.CurrentProfile))
+            return null;
+
+        store.Profiles.TryGetValue(store.CurrentProfile, out var profile);
+        return profile;
+    }
+
+    /// <summary>
+    /// Gets a profile by name.
+    /// </summary>
+    public async Task<CliProfile?> GetProfileAsync(string name, CancellationToken cancellationToken = default)
+    {
+        var store = await GetStoreAsync(cancellationToken).ConfigureAwait(false);
+        store.Profiles.TryGetValue(name, out var profile);
+        return profile;
+    }
+
+    /// <summary>
+    /// Lists all profile names.
+    /// </summary>
+    public async Task<IReadOnlyList<string>> ListProfilesAsync(CancellationToken cancellationToken = default)
+    {
+        var store = await GetStoreAsync(cancellationToken).ConfigureAwait(false);
+        return store.Profiles.Keys.ToList();
+    }
+
+    /// <summary>
+    /// Sets a profile as the current active profile.
+    /// </summary>
+    public async Task SetCurrentProfileAsync(string name, CancellationToken cancellationToken = default)
+    {
+        var store = await GetStoreAsync(cancellationToken).ConfigureAwait(false);
+
+        if (!store.Profiles.ContainsKey(name))
+            throw new InvalidOperationException($"Profile '{name}' does not exist.");
+
+        store.CurrentProfile = name;
+        await SaveStoreAsync(store, cancellationToken).ConfigureAwait(false);
+    }
+
+    /// <summary>
+    /// Saves or updates a profile.
+    /// </summary>
+    public async Task SaveProfileAsync(CliProfile profile, CancellationToken cancellationToken = default)
+    {
+        var store = await GetStoreAsync(cancellationToken).ConfigureAwait(false);
+        store.Profiles[profile.Name] = profile with { ModifiedAt = DateTimeOffset.UtcNow };
+        await SaveStoreAsync(store, cancellationToken).ConfigureAwait(false);
+    }
+
+    /// <summary>
+    /// Removes a profile.
+    /// </summary>
+    public async Task<bool> RemoveProfileAsync(string name, CancellationToken cancellationToken = default)
+    {
+        var store = await GetStoreAsync(cancellationToken).ConfigureAwait(false);
+
+        if (!store.Profiles.Remove(name))
+            return false;
+
+        if (string.Equals(store.CurrentProfile, name, StringComparison.OrdinalIgnoreCase))
+            store.CurrentProfile = null;
+
+        await SaveStoreAsync(store, cancellationToken).ConfigureAwait(false);
+        return true;
+    }
+
+    /// <summary>
+    /// Sets or clears the telemetry opt-in status.
+    /// </summary>
+    public async Task SetTelemetryEnabledAsync(bool? enabled, CancellationToken cancellationToken = default)
+    {
+        var store = await GetStoreAsync(cancellationToken).ConfigureAwait(false);
+        store.TelemetryEnabled = enabled;
+        await SaveStoreAsync(store, cancellationToken).ConfigureAwait(false);
+    }
+
+    /// <summary>
+    /// Gets the telemetry opt-in status.
+    /// </summary>
+    public async Task<bool?> GetTelemetryEnabledAsync(CancellationToken cancellationToken = default)
+    {
+        var store = await GetStoreAsync(cancellationToken).ConfigureAwait(false);
+        return store.TelemetryEnabled;
+    }
+
+    private async Task<CliProfileStore> LoadStoreAsync(CancellationToken cancellationToken)
+    {
+        if (!File.Exists(_profilesFilePath))
+            return new CliProfileStore();
+
+        try
+        {
+            await using var stream = File.OpenRead(_profilesFilePath);
+            var store = await JsonSerializer.DeserializeAsync<CliProfileStore>(stream, JsonOptions, cancellationToken).ConfigureAwait(false);
+            return store ?? new CliProfileStore();
+        }
+        catch (JsonException)
+        {
+            return new CliProfileStore();
+        }
+    }
+
+    private async Task SaveStoreAsync(CliProfileStore store, CancellationToken cancellationToken)
+    {
+        var directory = Path.GetDirectoryName(_profilesFilePath);
+        if (!string.IsNullOrWhiteSpace(directory) && !Directory.Exists(directory))
+            Directory.CreateDirectory(directory);
+
+        await using var stream = File.Create(_profilesFilePath);
+        await JsonSerializer.SerializeAsync(stream, store, JsonOptions, cancellationToken).ConfigureAwait(false);
+        _store = store;
+    }
+
+    private static string GetDefaultProfilesDirectory()
+    {
+        var home = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
+        if (string.IsNullOrWhiteSpace(home))
+            home = AppContext.BaseDirectory;
+
+        return Path.Combine(home, ".stellaops");
+    }
+}
+
+/// <summary>
+/// Policy Studio scope configuration.
+/// CLI-POLICY-27-006: Defines the Policy Studio scope family for CLI operations.
+/// </summary>
+public sealed class PolicyStudioScopes
+{
+    /// <summary>
+    /// Base scope for Policy Studio operations.
+    /// Required for all policy commands.
+    /// </summary>
+    public const string PolicyRead = "stella.policy:read";
+
+    /// <summary>
+    /// Scope for policy write operations (create, update, delete).
+    /// </summary>
+    public const string PolicyWrite = "stella.policy:write";
+
+    /// <summary>
+    /// Scope for policy simulation operations.
+    /// </summary>
+    public const string PolicySimulate = "stella.policy:simulate";
+
+    /// <summary>
+    /// Scope for policy workflow operations (submit, review, approve, reject).
+    /// </summary>
+    public const string PolicyWorkflow = "stella.policy:workflow";
+
+    /// <summary>
+    /// Scope for policy publish/promote operations.
+    /// </summary>
+    public const string PolicyPublish = "stella.policy:publish";
+
+    /// <summary>
+    /// Scope for policy signing operations.
+    /// </summary>
+    public const string PolicySign = "stella.policy:sign";
+
+    /// <summary>
+    /// Scope for risk profile operations.
+    /// </summary>
+    public const string RiskRead = "stella.risk:read";
+
+    /// <summary>
+    /// Scope for risk simulation operations.
+    /// </summary>
+    public const string RiskSimulate = "stella.risk:simulate";
+
+    /// <summary>
+    /// Scope for reachability operations.
+    /// </summary>
+    public const string ReachabilityRead = "stella.reachability:read";
+
+    /// <summary>
+    /// Scope for reachability upload operations.
+    /// </summary>
+    public const string ReachabilityUpload = "stella.reachability:upload";
+
+    /// <summary>
+    /// Whether policy read operations are enabled.
+    /// </summary>
+    public bool EnablePolicyRead { get; init; } = true;
+
+    /// <summary>
+    /// Whether policy write operations are enabled.
+    /// </summary>
+    public bool EnablePolicyWrite { get; init; }
+
+    /// <summary>
+    /// Whether policy simulation is enabled.
+    /// </summary>
+    public bool EnablePolicySimulate { get; init; } = true;
+
+    /// <summary>
+    /// Whether policy workflow operations are enabled.
+    /// </summary>
+    public bool EnablePolicyWorkflow { get; init; }
+
+    /// <summary>
+    /// Whether policy publish operations are enabled.
+    /// </summary>
+    public bool EnablePolicyPublish { get; init; }
+
+    /// <summary>
+    /// Whether policy signing is enabled.
+    /// </summary>
+    public bool EnablePolicySign { get; init; }
+
+    /// <summary>
+    /// Whether risk operations are enabled.
+    /// </summary>
+    public bool EnableRisk { get; init; } = true;
+
+    /// <summary>
+    /// Whether reachability operations are enabled.
+    /// </summary>
+    public bool EnableReachability { get; init; } = true;
+
+    /// <summary>
+    /// Builds the scope string for token requests.
+    /// </summary>
+    public string BuildScopeString()
+    {
+        var scopes = new List<string>();
+
+        if (EnablePolicyRead)
+            scopes.Add(PolicyRead);
+        if (EnablePolicyWrite)
+            scopes.Add(PolicyWrite);
+        if (EnablePolicySimulate)
+            scopes.Add(PolicySimulate);
+        if (EnablePolicyWorkflow)
+            scopes.Add(PolicyWorkflow);
+        if (EnablePolicyPublish)
+            scopes.Add(PolicyPublish);
+        if (EnablePolicySign)
+            scopes.Add(PolicySign);
+        if (EnableRisk)
+        {
+            scopes.Add(RiskRead);
+            scopes.Add(RiskSimulate);
+        }
+        if (EnableReachability)
+        {
+            scopes.Add(ReachabilityRead);
+            scopes.Add(ReachabilityUpload);
+        }
+
+        return string.Join(" ", scopes);
+    }
+
+    /// <summary>
+    /// Gets guidance message for invalid_scope errors.
+    /// </summary>
+    public static string GetInvalidScopeGuidance(string? requiredScope)
+    {
+        var guidance = new System.Text.StringBuilder();
+        guidance.AppendLine("The requested operation requires additional OAuth scopes.");
+        guidance.AppendLine();
+
+        if (!string.IsNullOrWhiteSpace(requiredScope))
+        {
+            guidance.AppendLine($"Required scope: {requiredScope}");
+            guidance.AppendLine();
+        }
+
+        guidance.AppendLine("To resolve this issue:");
+        guidance.AppendLine("  1. Check your CLI profile configuration: stella profile show");
+        guidance.AppendLine("  2. Update your profile with required scopes: stella profile edit <name>");
+        guidance.AppendLine("  3. Request additional scopes from your administrator");
+        guidance.AppendLine("  4. Re-authenticate with the updated scopes: stella auth login");
+        guidance.AppendLine();
+        guidance.AppendLine("Available Policy Studio scopes:");
+        guidance.AppendLine($"  - {PolicyRead} (read policies)");
+        guidance.AppendLine($"  - {PolicyWrite} (create/update policies)");
+        guidance.AppendLine($"  - {PolicySimulate} (simulate policy changes)");
+        guidance.AppendLine($"  - {PolicyWorkflow} (submit/review/approve policies)");
+        guidance.AppendLine($"  - {PolicyPublish} (publish/promote policies)");
+        guidance.AppendLine($"  - {PolicySign} (sign policies)");
+        guidance.AppendLine($"  - {RiskRead} (read risk profiles)");
+        guidance.AppendLine($"  - {RiskSimulate} (simulate risk scoring)");
+        guidance.AppendLine($"  - {ReachabilityRead} (read reachability analyses)");
+        guidance.AppendLine($"  - {ReachabilityUpload} (upload call graphs)");
+
+        return guidance.ToString();
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Configuration/GlobalOptions.cs b/src/Cli/StellaOps.Cli/Configuration/GlobalOptions.cs
new file mode 100644
index 000000000..29ab2cbd4
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Configuration/GlobalOptions.cs
@@ -0,0 +1,140 @@
+using System.CommandLine;
+using StellaOps.Cli.Output;
+
+namespace StellaOps.Cli.Configuration;
+
+/// <summary>
+/// Global command-line options available to all commands.
+/// Per CLI-CORE-41-001, provides global flags for profile, output, verbosity, and telemetry.
+/// </summary>
+public sealed class GlobalOptions
+{
+    /// <summary>
+    /// Profile name to use for this invocation.
+    /// </summary>
+    public string? Profile { get; set; }
+
+    /// <summary>
+    /// Output format (json, yaml, table).
+    /// </summary>
+    public OutputFormat OutputFormat { get; set; } = OutputFormat.Table;
+
+    /// <summary>
+    /// Verbose output (debug level logging).
+    /// </summary>
+    public bool Verbose { get; set; }
+
+    /// <summary>
+    /// Quiet mode (errors only).
+    /// </summary>
+    public bool Quiet { get; set; }
+
+    /// <summary>
+    /// Disable colored output.
+    /// </summary>
+    public bool NoColor { get; set; }
+
+    /// <summary>
+    /// Override backend URL for this invocation.
+    /// </summary>
+    public string? BackendUrl { get; set; }
+
+    /// <summary>
+    /// Override tenant ID for this invocation.
+    /// </summary>
+    public string? TenantId { get; set; }
+
+    /// <summary>
+    /// Dry run mode - show what would happen without executing.
+    /// </summary>
+    public bool DryRun { get; set; }
+
+    /// <summary>
+    /// Creates System.CommandLine options for global flags.
+    /// </summary>
+    public static IEnumerable<Option> CreateGlobalOptions()
+    {
+        yield return new Option<string?>(
+            aliases: ["--profile", "-p"],
+            description: "Profile name to use for this invocation");
+
+        yield return new Option<OutputFormat>(
+            aliases: ["--output", "-o"],
+            getDefaultValue: () => OutputFormat.Table,
+            description: "Output format (table, json, yaml)");
+
+        yield return new Option<bool>(
+            aliases: ["--verbose", "-v"],
+            description: "Enable verbose output");
+
+        yield return new Option<bool>(
+            aliases: ["--quiet", "-q"],
+            description: "Quiet mode - suppress non-error output");
+
+        yield return new Option<bool>(
+            name: "--no-color",
+            description: "Disable colored output");
+
+        yield return new Option<string?>(
+            name: "--backend-url",
+            description: "Override backend URL for this invocation");
+
+        yield return new Option<string?>(
+            name: "--tenant-id",
+            description: "Override tenant ID for this invocation");
+
+        yield return new Option<bool>(
+            name: "--dry-run",
+            description: "Show what would happen without executing");
+    }
+
+    /// <summary>
+    /// Parses global options from invocation context.
+    /// </summary>
+    public static GlobalOptions FromInvocationContext(System.CommandLine.Invocation.InvocationContext context)
+    {
+        var options = new GlobalOptions();
+
+        var profileOption = context.ParseResult.RootCommandResult.Command.Options
+            .FirstOrDefault(o => o.HasAlias("--profile"));
+        if (profileOption is not null)
+            options.Profile = context.ParseResult.GetValueForOption(profileOption) as string;
+
+        var outputOption = context.ParseResult.RootCommandResult.Command.Options
+            .FirstOrDefault(o => o.HasAlias("--output"));
+        if (outputOption is not null && context.ParseResult.GetValueForOption(outputOption) is OutputFormat format)
+            options.OutputFormat = format;
+
+        var verboseOption = context.ParseResult.RootCommandResult.Command.Options
+            .FirstOrDefault(o => o.HasAlias("--verbose"));
+        if (verboseOption is not null && context.ParseResult.GetValueForOption(verboseOption) is bool verbose)
+            options.Verbose = verbose;
+
+        var quietOption = context.ParseResult.RootCommandResult.Command.Options
+            .FirstOrDefault(o => o.HasAlias("--quiet"));
+        if (quietOption is not null && context.ParseResult.GetValueForOption(quietOption) is bool quiet)
+            options.Quiet = quiet;
+
+        var noColorOption = context.ParseResult.RootCommandResult.Command.Options
+            .FirstOrDefault(o => o.HasAlias("--no-color"));
+        if (noColorOption is not null && context.ParseResult.GetValueForOption(noColorOption) is bool noColor)
+            options.NoColor = noColor;
+
+        var backendOption = context.ParseResult.RootCommandResult.Command.Options
+            .FirstOrDefault(o => o.HasAlias("--backend-url"));
+        if (backendOption is not null)
+            options.BackendUrl = context.ParseResult.GetValueForOption(backendOption) as string;
+
+        var tenantOption = context.ParseResult.RootCommandResult.Command.Options
+            .FirstOrDefault(o => o.HasAlias("--tenant-id"));
+        if (tenantOption is not null)
+            options.TenantId = context.ParseResult.GetValueForOption(tenantOption) as string;
+
+        var dryRunOption = context.ParseResult.RootCommandResult.Command.Options
+            .FirstOrDefault(o => o.HasAlias("--dry-run"));
+        if (dryRunOption is not null && context.ParseResult.GetValueForOption(dryRunOption) is bool dryRun)
+            options.DryRun = dryRun;
+
+        return options;
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Output/CliError.cs b/src/Cli/StellaOps.Cli/Output/CliError.cs
new file mode 100644
index 000000000..1cdafdb4b
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Output/CliError.cs
@@ -0,0 +1,353 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using StellaOps.Cli.Services.Models.Transport;
+
+namespace StellaOps.Cli.Output;
+
+/// <summary>
+/// Structured CLI error with code, message, and optional details.
+/// Per CLI-CORE-41-001, provides error mapping for standardized API error envelopes.
+/// CLI-SDK-62-002: Enhanced to surface error.code and trace_id from API responses.
+/// </summary>
+public sealed record CliError(
+    string Code,
+    string Message,
+    string? TraceId = null,
+    string? Detail = null,
+    IReadOnlyDictionary<string, string>? Metadata = null,
+    string? RequestId = null,
+    string? HelpUrl = null,
+    int? RetryAfter = null,
+    string? Target = null)
+{
+    /// <summary>
+    /// Exit code to use when this error occurs.
+    /// </summary>
+    public int ExitCode => GetExitCode(Code);
+
+    /// <summary>
+    /// Maps error code prefixes to exit codes.
+    /// </summary>
+    private static int GetExitCode(string code)
+    {
+        if (string.IsNullOrWhiteSpace(code))
+            return 1;
+
+        // Authentication/authorization errors
+        if (code.StartsWith("AUTH_", StringComparison.OrdinalIgnoreCase) ||
+            code.StartsWith("ERR_AUTH_", StringComparison.OrdinalIgnoreCase))
+            return 2;
+
+        // Invalid scope errors
+        if (code.Contains("SCOPE", StringComparison.OrdinalIgnoreCase))
+            return 3;
+
+        // Not found errors
+        if (code.StartsWith("NOT_FOUND", StringComparison.OrdinalIgnoreCase) ||
+            code.StartsWith("ERR_NOT_FOUND", StringComparison.OrdinalIgnoreCase))
+            return 4;
+
+        // Validation errors
+        if (code.StartsWith("VALIDATION_", StringComparison.OrdinalIgnoreCase) ||
+            code.StartsWith("ERR_VALIDATION_", StringComparison.OrdinalIgnoreCase))
+            return 5;
+
+        // Rate limit errors
+        if (code.StartsWith("RATE_LIMIT", StringComparison.OrdinalIgnoreCase) ||
+            code.StartsWith("ERR_RATE_LIMIT", StringComparison.OrdinalIgnoreCase))
+            return 6;
+
+        // Air-gap errors
+        if (code.StartsWith("AIRGAP_", StringComparison.OrdinalIgnoreCase) ||
+            code.StartsWith("ERR_AIRGAP_", StringComparison.OrdinalIgnoreCase))
+            return 7;
+
+        // AOC errors
+        if (code.StartsWith("ERR_AOC_", StringComparison.OrdinalIgnoreCase))
+            return 8;
+
+        // Aggregation errors
+        if (code.StartsWith("ERR_AGG_", StringComparison.OrdinalIgnoreCase))
+            return 9;
+
+        // Forensic verification errors
+        if (code.StartsWith("ERR_FORENSIC_", StringComparison.OrdinalIgnoreCase))
+            return 12;
+
+        // Determinism errors
+        if (code.StartsWith("ERR_DETER_", StringComparison.OrdinalIgnoreCase))
+            return 13;
+
+        // Observability errors
+        if (code.StartsWith("ERR_OBS_", StringComparison.OrdinalIgnoreCase))
+            return 14;
+
+        // Pack errors
+        if (code.StartsWith("ERR_PACK_", StringComparison.OrdinalIgnoreCase))
+            return 15;
+
+        // Exception governance errors
+        if (code.StartsWith("ERR_EXC_", StringComparison.OrdinalIgnoreCase))
+            return 16;
+
+        // Orchestrator errors
+        if (code.StartsWith("ERR_ORCH_", StringComparison.OrdinalIgnoreCase))
+            return 17;
+
+        // SBOM errors
+        if (code.StartsWith("ERR_SBOM_", StringComparison.OrdinalIgnoreCase))
+            return 18;
+
+        // Notify errors
+        if (code.StartsWith("ERR_NOTIFY_", StringComparison.OrdinalIgnoreCase))
+            return 19;
+
+        // Sbomer errors
+        if (code.StartsWith("ERR_SBOMER_", StringComparison.OrdinalIgnoreCase))
+            return 20;
+
+        // Network/connectivity errors
+        if (code.StartsWith("NETWORK_", StringComparison.OrdinalIgnoreCase) ||
+            code.StartsWith("ERR_NETWORK_", StringComparison.OrdinalIgnoreCase) ||
+            code.StartsWith("CONNECTION_", StringComparison.OrdinalIgnoreCase))
+            return 10;
+
+        // Timeout errors
+        if (code.Contains("TIMEOUT", StringComparison.OrdinalIgnoreCase))
+            return 11;
+
+        // Generic errors
+        return 1;
+    }
+
+    /// <summary>
+    /// Creates an error from an exception.
+    /// </summary>
+    public static CliError FromException(Exception ex, string? traceId = null)
+    {
+        var code = ex switch
+        {
+            UnauthorizedAccessException => "ERR_AUTH_UNAUTHORIZED",
+            TimeoutException => "ERR_TIMEOUT",
+            OperationCanceledException => "ERR_CANCELLED",
+            InvalidOperationException => "ERR_INVALID_OPERATION",
+            ArgumentException => "ERR_VALIDATION_ARGUMENT",
+            _ => "ERR_UNKNOWN"
+        };
+
+        return new CliError(code, ex.Message, traceId, ex.InnerException?.Message);
+    }
+
+    /// <summary>
+    /// Creates an error from an HTTP status code.
+    /// </summary>
+    public static CliError FromHttpStatus(int statusCode, string? message = null, string? traceId = null)
+    {
+        var (code, defaultMessage) = statusCode switch
+        {
+            400 => ("ERR_VALIDATION_BAD_REQUEST", "Bad request"),
+            401 => ("ERR_AUTH_UNAUTHORIZED", "Unauthorized"),
+            403 => ("ERR_AUTH_FORBIDDEN", "Forbidden"),
+            404 => ("ERR_NOT_FOUND", "Resource not found"),
+            409 => ("ERR_CONFLICT", "Resource conflict"),
+            422 => ("ERR_VALIDATION_UNPROCESSABLE", "Unprocessable entity"),
+            429 => ("ERR_RATE_LIMIT", "Rate limit exceeded"),
+            500 => ("ERR_SERVER_INTERNAL", "Internal server error"),
+            502 => ("ERR_SERVER_BAD_GATEWAY", "Bad gateway"),
+            503 => ("ERR_SERVER_UNAVAILABLE", "Service unavailable"),
+            504 => ("ERR_SERVER_TIMEOUT", "Gateway timeout"),
+            _ => ($"ERR_HTTP_{statusCode}", $"HTTP error {statusCode}")
+        };
+
+        return new CliError(code, message ?? defaultMessage, traceId);
+    }
+
+    /// <summary>
+    /// Creates an error from a parsed API error.
+    /// CLI-SDK-62-002: Surfaces standardized API error envelope fields.
+    /// </summary>
+    public static CliError FromParsedApiError(ParsedApiError error)
+    {
+        ArgumentNullException.ThrowIfNull(error);
+
+        Dictionary<string, string>? metadata = null;
+        if (error.Metadata is not null && error.Metadata.Count > 0)
+        {
+            metadata = error.Metadata
+                .Where(kvp => kvp.Value is not null)
+                .ToDictionary(kvp => kvp.Key, kvp => kvp.Value?.ToString() ?? "");
+        }
+
+        return new CliError(
+            Code: error.Code,
+            Message: error.Message,
+            TraceId: error.TraceId,
+            Detail: error.Detail,
+            Metadata: metadata,
+            RequestId: error.RequestId,
+            HelpUrl: error.HelpUrl,
+            RetryAfter: error.RetryAfter,
+            Target: error.Target);
+    }
+
+    /// <summary>
+    /// Creates an error from an API error envelope.
+    /// CLI-SDK-62-002: Direct conversion from envelope format.
+    /// </summary>
+    public static CliError FromApiErrorEnvelope(ApiErrorEnvelope envelope, int httpStatus)
+    {
+        ArgumentNullException.ThrowIfNull(envelope);
+
+        var errorDetail = envelope.Error;
+        var code = errorDetail?.Code ?? $"ERR_HTTP_{httpStatus}";
+        var message = errorDetail?.Message ?? $"HTTP error {httpStatus}";
+
+        Dictionary<string, string>? metadata = null;
+        if (errorDetail?.Metadata is not null && errorDetail.Metadata.Count > 0)
+        {
+            metadata = errorDetail.Metadata
+                .Where(kvp => kvp.Value is not null)
+                .ToDictionary(kvp => kvp.Key, kvp => kvp.Value?.ToString() ?? "");
+        }
+
+        return new CliError(
+            Code: code,
+            Message: message,
+            TraceId: envelope.TraceId,
+            Detail: errorDetail?.Detail,
+            Metadata: metadata,
+            RequestId: envelope.RequestId,
+            HelpUrl: errorDetail?.HelpUrl,
+            RetryAfter: errorDetail?.RetryAfter,
+            Target: errorDetail?.Target);
+    }
+}
+
+/// <summary>
+/// Well-known CLI error codes.
+/// </summary>
+public static class CliErrorCodes
+{
+    public const string Unauthorized = "ERR_AUTH_UNAUTHORIZED";
+    public const string Forbidden = "ERR_AUTH_FORBIDDEN";
+    public const string InvalidScope = "ERR_AUTH_INVALID_SCOPE";
+    public const string NotFound = "ERR_NOT_FOUND";
+    public const string ValidationFailed = "ERR_VALIDATION_FAILED";
+    public const string RateLimited = "ERR_RATE_LIMIT";
+    public const string AirGapBlocked = "ERR_AIRGAP_EGRESS_BLOCKED";
+    public const string AocViolation = "ERR_AOC_001";
+    public const string NetworkError = "ERR_NETWORK_FAILED";
+    public const string Timeout = "ERR_TIMEOUT";
+    public const string Cancelled = "ERR_CANCELLED";
+    public const string ConfigurationMissing = "ERR_CONFIG_MISSING";
+    public const string ProfileNotFound = "ERR_PROFILE_NOT_FOUND";
+
+    // CLI-LNM-22-001: Aggregation error codes (exit code 9)
+    public const string AggNoObservations = "ERR_AGG_NO_OBSERVATIONS";
+    public const string AggConflictDetected = "ERR_AGG_CONFLICT_DETECTED";
+    public const string AggLinksetEmpty = "ERR_AGG_LINKSET_EMPTY";
+    public const string AggSourceMissing = "ERR_AGG_SOURCE_MISSING";
+    public const string AggExportFailed = "ERR_AGG_EXPORT_FAILED";
+
+    // CLI-FORENSICS-54-001: Forensic verification error codes (exit code 12)
+    public const string ForensicBundleNotFound = "ERR_FORENSIC_BUNDLE_NOT_FOUND";
+    public const string ForensicBundleInvalid = "ERR_FORENSIC_BUNDLE_INVALID";
+    public const string ForensicChecksumMismatch = "ERR_FORENSIC_CHECKSUM_MISMATCH";
+    public const string ForensicSignatureInvalid = "ERR_FORENSIC_SIGNATURE_INVALID";
+    public const string ForensicSignatureUntrusted = "ERR_FORENSIC_SIGNATURE_UNTRUSTED";
+    public const string ForensicChainOfCustodyBroken = "ERR_FORENSIC_CHAIN_BROKEN";
+    public const string ForensicTimelineInvalid = "ERR_FORENSIC_TIMELINE_INVALID";
+    public const string ForensicTrustRootMissing = "ERR_FORENSIC_TRUST_ROOT_MISSING";
+
+    // CLI-DETER-70-003: Determinism error codes (exit code 13)
+    public const string DeterminismDockerUnavailable = "ERR_DETER_DOCKER_UNAVAILABLE";
+    public const string DeterminismNoImages = "ERR_DETER_NO_IMAGES";
+    public const string DeterminismScannerMissing = "ERR_DETER_SCANNER_MISSING";
+    public const string DeterminismThresholdFailed = "ERR_DETER_THRESHOLD_FAILED";
+    public const string DeterminismRunFailed = "ERR_DETER_RUN_FAILED";
+    public const string DeterminismManifestInvalid = "ERR_DETER_MANIFEST_INVALID";
+
+    // CLI-OBS-51-001: Observability error codes (exit code 14)
+    public const string ObsConnectionFailed = "ERR_OBS_CONNECTION_FAILED";
+    public const string ObsServiceUnavailable = "ERR_OBS_SERVICE_UNAVAILABLE";
+    public const string ObsNoData = "ERR_OBS_NO_DATA";
+    public const string ObsInvalidFilter = "ERR_OBS_INVALID_FILTER";
+    public const string ObsOfflineViolation = "ERR_OBS_OFFLINE_VIOLATION";
+
+    // CLI-PACKS-42-001: Pack error codes (exit code 15)
+    public const string PackNotFound = "ERR_PACK_NOT_FOUND";
+    public const string PackValidationFailed = "ERR_PACK_VALIDATION_FAILED";
+    public const string PackPlanFailed = "ERR_PACK_PLAN_FAILED";
+    public const string PackRunFailed = "ERR_PACK_RUN_FAILED";
+    public const string PackPushFailed = "ERR_PACK_PUSH_FAILED";
+    public const string PackPullFailed = "ERR_PACK_PULL_FAILED";
+    public const string PackVerifyFailed = "ERR_PACK_VERIFY_FAILED";
+    public const string PackSignatureInvalid = "ERR_PACK_SIGNATURE_INVALID";
+    public const string PackApprovalRequired = "ERR_PACK_APPROVAL_REQUIRED";
+    public const string PackOfflineViolation = "ERR_PACK_OFFLINE_VIOLATION";
+
+    // CLI-EXC-25-001: Exception governance error codes (exit code 16)
+    public const string ExcNotFound = "ERR_EXC_NOT_FOUND";
+    public const string ExcValidationFailed = "ERR_EXC_VALIDATION_FAILED";
+    public const string ExcCreateFailed = "ERR_EXC_CREATE_FAILED";
+    public const string ExcPromoteFailed = "ERR_EXC_PROMOTE_FAILED";
+    public const string ExcRevokeFailed = "ERR_EXC_REVOKE_FAILED";
+    public const string ExcImportFailed = "ERR_EXC_IMPORT_FAILED";
+    public const string ExcExportFailed = "ERR_EXC_EXPORT_FAILED";
+    public const string ExcApprovalRequired = "ERR_EXC_APPROVAL_REQUIRED";
+    public const string ExcExpired = "ERR_EXC_EXPIRED";
+    public const string ExcConflict = "ERR_EXC_CONFLICT";
+
+    // CLI-ORCH-32-001: Orchestrator error codes (exit code 17)
+    public const string OrchSourceNotFound = "ERR_ORCH_SOURCE_NOT_FOUND";
+    public const string OrchSourcePaused = "ERR_ORCH_SOURCE_PAUSED";
+    public const string OrchSourceThrottled = "ERR_ORCH_SOURCE_THROTTLED";
+    public const string OrchTestFailed = "ERR_ORCH_TEST_FAILED";
+    public const string OrchQuotaExceeded = "ERR_ORCH_QUOTA_EXCEEDED";
+    public const string OrchConnectionFailed = "ERR_ORCH_CONNECTION_FAILED";
+
+    // CLI-PARITY-41-001: SBOM error codes (exit code 18)
+    public const string SbomNotFound = "ERR_SBOM_NOT_FOUND";
+    public const string SbomConnectionFailed = "ERR_SBOM_CONNECTION_FAILED";
+    public const string SbomExportFailed = "ERR_SBOM_EXPORT_FAILED";
+    public const string SbomCompareFailed = "ERR_SBOM_COMPARE_FAILED";
+    public const string SbomInvalidFormat = "ERR_SBOM_INVALID_FORMAT";
+    public const string SbomOfflineViolation = "ERR_SBOM_OFFLINE_VIOLATION";
+
+    // CLI-PARITY-41-002: Notify error codes (exit code 19)
+    public const string NotifyChannelNotFound = "ERR_NOTIFY_CHANNEL_NOT_FOUND";
+    public const string NotifyDeliveryNotFound = "ERR_NOTIFY_DELIVERY_NOT_FOUND";
+    public const string NotifyConnectionFailed = "ERR_NOTIFY_CONNECTION_FAILED";
+    public const string NotifySendFailed = "ERR_NOTIFY_SEND_FAILED";
+    public const string NotifyTestFailed = "ERR_NOTIFY_TEST_FAILED";
+    public const string NotifyRetryFailed = "ERR_NOTIFY_RETRY_FAILED";
+    public const string NotifyOfflineViolation = "ERR_NOTIFY_OFFLINE_VIOLATION";
+
+    // CLI-SBOM-60-001: Sbomer error codes (exit code 20)
+    public const string SbomerLayerNotFound = "ERR_SBOMER_LAYER_NOT_FOUND";
+    public const string SbomerCompositionNotFound = "ERR_SBOMER_COMPOSITION_NOT_FOUND";
+    public const string SbomerDsseInvalid = "ERR_SBOMER_DSSE_INVALID";
+    public const string SbomerContentHashMismatch = "ERR_SBOMER_CONTENT_HASH_MISMATCH";
+    public const string SbomerMerkleProofInvalid = "ERR_SBOMER_MERKLE_PROOF_INVALID";
+    public const string SbomerComposeFailed = "ERR_SBOMER_COMPOSE_FAILED";
+    public const string SbomerVerifyFailed = "ERR_SBOMER_VERIFY_FAILED";
+    public const string SbomerNonDeterministic = "ERR_SBOMER_NON_DETERMINISTIC";
+    public const string SbomerOfflineViolation = "ERR_SBOMER_OFFLINE_VIOLATION";
+
+    // CLI-POLICY-27-006: Policy Studio scope error codes (exit code 3)
+    public const string PolicyStudioScopeRequired = "ERR_SCOPE_POLICY_STUDIO_REQUIRED";
+    public const string PolicyStudioScopeInvalid = "ERR_SCOPE_POLICY_STUDIO_INVALID";
+    public const string PolicyStudioScopeWorkflowRequired = "ERR_SCOPE_POLICY_WORKFLOW_REQUIRED";
+    public const string PolicyStudioScopePublishRequired = "ERR_SCOPE_POLICY_PUBLISH_REQUIRED";
+    public const string PolicyStudioScopeSignRequired = "ERR_SCOPE_POLICY_SIGN_REQUIRED";
+
+    // CLI-RISK-66-001: Risk scope error codes (exit code 3)
+    public const string RiskScopeRequired = "ERR_SCOPE_RISK_REQUIRED";
+    public const string RiskScopeProfileRequired = "ERR_SCOPE_RISK_PROFILE_REQUIRED";
+    public const string RiskScopeSimulateRequired = "ERR_SCOPE_RISK_SIMULATE_REQUIRED";
+
+    // CLI-SIG-26-001: Reachability scope error codes (exit code 3)
+    public const string ReachabilityScopeRequired = "ERR_SCOPE_REACHABILITY_REQUIRED";
+    public const string ReachabilityScopeUploadRequired = "ERR_SCOPE_REACHABILITY_UPLOAD_REQUIRED";
+}
diff --git a/src/Cli/StellaOps.Cli/Output/CliErrorRenderer.cs b/src/Cli/StellaOps.Cli/Output/CliErrorRenderer.cs
new file mode 100644
index 000000000..d66c879a3
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Output/CliErrorRenderer.cs
@@ -0,0 +1,211 @@
+using System.Text.Json;
+using Spectre.Console;
+
+namespace StellaOps.Cli.Output;
+
+/// <summary>
+/// Helper for rendering CLI errors consistently.
+/// CLI-SDK-62-002: Provides standardized error output with error.code and trace_id.
+/// </summary>
+internal static class CliErrorRenderer
+{
+    private static readonly JsonSerializerOptions JsonOptions = new()
+    {
+        WriteIndented = true,
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase
+    };
+
+    /// <summary>
+    /// Renders an error to the console.
+    /// </summary>
+    public static void Render(CliError error, bool verbose = false, bool asJson = false)
+    {
+        if (asJson)
+        {
+            RenderJson(error);
+        }
+        else
+        {
+            RenderConsole(error, verbose);
+        }
+    }
+
+    /// <summary>
+    /// Renders an error as JSON.
+    /// </summary>
+    public static void RenderJson(CliError error)
+    {
+        var output = new
+        {
+            error = new
+            {
+                code = error.Code,
+                message = error.Message,
+                detail = error.Detail,
+                target = error.Target,
+                help_url = error.HelpUrl,
+                retry_after = error.RetryAfter,
+                metadata = error.Metadata
+            },
+            trace_id = error.TraceId,
+            request_id = error.RequestId,
+            exit_code = error.ExitCode
+        };
+
+        var json = JsonSerializer.Serialize(output, JsonOptions);
+        AnsiConsole.WriteLine(json);
+    }
+
+    /// <summary>
+    /// Renders an error to the console with formatting.
+    /// </summary>
+    public static void RenderConsole(CliError error, bool verbose = false)
+    {
+        // Main error message
+        AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(error.Message)}");
+
+        // Error code
+        AnsiConsole.MarkupLine($"[grey]Code:[/] {Markup.Escape(error.Code)}");
+
+        // Detail (if present)
+        if (!string.IsNullOrWhiteSpace(error.Detail))
+        {
+            AnsiConsole.MarkupLine($"[grey]Detail:[/] {Markup.Escape(error.Detail)}");
+        }
+
+        // Target (if present)
+        if (!string.IsNullOrWhiteSpace(error.Target))
+        {
+            AnsiConsole.MarkupLine($"[grey]Target:[/] {Markup.Escape(error.Target)}");
+        }
+
+        // Help URL (if present)
+        if (!string.IsNullOrWhiteSpace(error.HelpUrl))
+        {
+            AnsiConsole.MarkupLine($"[grey]Help:[/] [link]{Markup.Escape(error.HelpUrl)}[/]");
+        }
+
+        // Retry-after (if present)
+        if (error.RetryAfter.HasValue)
+        {
+            AnsiConsole.MarkupLine($"[yellow]Retry after:[/] {error.RetryAfter} seconds");
+        }
+
+        // Trace/Request IDs (shown in verbose mode or always for debugging)
+        if (verbose || !string.IsNullOrWhiteSpace(error.TraceId))
+        {
+            AnsiConsole.WriteLine();
+            if (!string.IsNullOrWhiteSpace(error.TraceId))
+            {
+                AnsiConsole.MarkupLine($"[grey]Trace ID:[/] {Markup.Escape(error.TraceId)}");
+            }
+            if (!string.IsNullOrWhiteSpace(error.RequestId))
+            {
+                AnsiConsole.MarkupLine($"[grey]Request ID:[/] {Markup.Escape(error.RequestId)}");
+            }
+        }
+
+        // Metadata (shown in verbose mode)
+        if (verbose && error.Metadata is not null && error.Metadata.Count > 0)
+        {
+            AnsiConsole.WriteLine();
+            AnsiConsole.MarkupLine("[grey]Metadata:[/]");
+            foreach (var (key, value) in error.Metadata)
+            {
+                AnsiConsole.MarkupLine($"  [grey]{Markup.Escape(key)}:[/] {Markup.Escape(value)}");
+            }
+        }
+    }
+
+    /// <summary>
+    /// Renders a simple error message.
+    /// </summary>
+    public static void RenderSimple(string message, string? code = null)
+    {
+        AnsiConsole.MarkupLine($"[red]Error:[/] {Markup.Escape(message)}");
+        if (!string.IsNullOrWhiteSpace(code))
+        {
+            AnsiConsole.MarkupLine($"[grey]Code:[/] {Markup.Escape(code)}");
+        }
+    }
+
+    /// <summary>
+    /// Renders a warning message.
+    /// </summary>
+    public static void RenderWarning(string message)
+    {
+        AnsiConsole.MarkupLine($"[yellow]Warning:[/] {Markup.Escape(message)}");
+    }
+
+    /// <summary>
+    /// Renders scope guidance for invalid_scope errors.
+    /// </summary>
+    public static void RenderScopeGuidance(CliError error)
+    {
+        if (!error.Code.Contains("SCOPE", StringComparison.OrdinalIgnoreCase))
+            return;
+
+        AnsiConsole.WriteLine();
+        AnsiConsole.MarkupLine("[yellow]The requested operation requires additional OAuth scopes.[/]");
+        AnsiConsole.WriteLine();
+        AnsiConsole.MarkupLine("To resolve this issue:");
+        AnsiConsole.MarkupLine("  1. Check your CLI profile configuration: [cyan]stella profile show[/]");
+        AnsiConsole.MarkupLine("  2. Update your profile with required scopes: [cyan]stella profile edit <name>[/]");
+        AnsiConsole.MarkupLine("  3. Request additional scopes from your administrator");
+        AnsiConsole.MarkupLine("  4. Re-authenticate with the updated scopes: [cyan]stella auth login[/]");
+    }
+
+    /// <summary>
+    /// Renders rate limit guidance.
+    /// </summary>
+    public static void RenderRateLimitGuidance(CliError error)
+    {
+        if (!error.Code.Contains("RATE_LIMIT", StringComparison.OrdinalIgnoreCase))
+            return;
+
+        AnsiConsole.WriteLine();
+        AnsiConsole.MarkupLine("[yellow]Rate limit exceeded.[/]");
+
+        if (error.RetryAfter.HasValue)
+        {
+            AnsiConsole.MarkupLine($"Please wait [cyan]{error.RetryAfter}[/] seconds before retrying.");
+        }
+        else
+        {
+            AnsiConsole.MarkupLine("Please wait before retrying your request.");
+        }
+    }
+
+    /// <summary>
+    /// Renders authentication guidance.
+    /// </summary>
+    public static void RenderAuthGuidance(CliError error)
+    {
+        if (!error.Code.StartsWith("ERR_AUTH_", StringComparison.OrdinalIgnoreCase))
+            return;
+
+        AnsiConsole.WriteLine();
+
+        if (error.Code == CliErrorCodes.Unauthorized)
+        {
+            AnsiConsole.MarkupLine("[yellow]Authentication required.[/]");
+            AnsiConsole.MarkupLine("Please authenticate using: [cyan]stella auth login[/]");
+        }
+        else if (error.Code == CliErrorCodes.Forbidden)
+        {
+            AnsiConsole.MarkupLine("[yellow]Access denied.[/]");
+            AnsiConsole.MarkupLine("You do not have permission to perform this operation.");
+            AnsiConsole.MarkupLine("Contact your administrator to request access.");
+        }
+    }
+
+    /// <summary>
+    /// Renders contextual guidance based on error code.
+    /// </summary>
+    public static void RenderGuidance(CliError error)
+    {
+        RenderScopeGuidance(error);
+        RenderRateLimitGuidance(error);
+        RenderAuthGuidance(error);
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Output/IOutputRenderer.cs b/src/Cli/StellaOps.Cli/Output/IOutputRenderer.cs
new file mode 100644
index 000000000..cf93b8551
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Output/IOutputRenderer.cs
@@ -0,0 +1,98 @@
+using System.Collections.Generic;
+using System.IO;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace StellaOps.Cli.Output;
+
+/// <summary>
+/// Interface for rendering CLI output in multiple formats.
+/// Per CLI-CORE-41-001, supports json/yaml/table rendering.
+/// </summary>
+public interface IOutputRenderer
+{
+    /// <summary>
+    /// Gets the current output format.
+    /// </summary>
+    OutputFormat Format { get; }
+
+    /// <summary>
+    /// Renders a single object to the output stream.
+    /// </summary>
+    /// <typeparam name="T">Type of the object to render.</typeparam>
+    /// <param name="value">The value to render.</param>
+    /// <param name="writer">The text writer to output to.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    Task RenderAsync<T>(T value, TextWriter writer, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Renders a collection as a table or list.
+    /// </summary>
+    /// <typeparam name="T">Type of items in the collection.</typeparam>
+    /// <param name="items">The items to render.</param>
+    /// <param name="writer">The text writer to output to.</param>
+    /// <param name="columns">Optional column definitions for table format.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    Task RenderTableAsync<T>(
+        IEnumerable<T> items,
+        TextWriter writer,
+        IReadOnlyList<ColumnDefinition<T>>? columns = null,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Renders a success message.
+    /// </summary>
+    Task RenderSuccessAsync(string message, TextWriter writer, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Renders an error message.
+    /// </summary>
+    Task RenderErrorAsync(string message, TextWriter writer, string? errorCode = null, string? traceId = null, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Renders a warning message.
+    /// </summary>
+    Task RenderWarningAsync(string message, TextWriter writer, CancellationToken cancellationToken = default);
+}
+
+/// <summary>
+/// Column definition for table rendering.
+/// </summary>
+/// <typeparam name="T">Type of the row item.</typeparam>
+public sealed class ColumnDefinition<T>
+{
+    /// <summary>
+    /// Column header text.
+    /// </summary>
+    public required string Header { get; init; }
+
+    /// <summary>
+    /// Function to extract the column value from an item.
+    /// </summary>
+    public required Func<T, string?> ValueSelector { get; init; }
+
+    /// <summary>
+    /// Optional minimum width for the column.
+    /// </summary>
+    public int? MinWidth { get; init; }
+
+    /// <summary>
+    /// Optional maximum width for the column (truncates with ellipsis).
+    /// </summary>
+    public int? MaxWidth { get; init; }
+
+    /// <summary>
+    /// Alignment for the column content.
+    /// </summary>
+    public ColumnAlignment Alignment { get; init; } = ColumnAlignment.Left;
+}
+
+/// <summary>
+/// Column alignment for table rendering.
+/// </summary>
+public enum ColumnAlignment
+{
+    Left,
+    Right,
+    Center
+}
diff --git a/src/Cli/StellaOps.Cli/Output/OutputFormat.cs b/src/Cli/StellaOps.Cli/Output/OutputFormat.cs
new file mode 100644
index 000000000..40276a317
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Output/OutputFormat.cs
@@ -0,0 +1,17 @@
+namespace StellaOps.Cli.Output;
+
+/// <summary>
+/// Output format for CLI commands.
+/// Per CLI-CORE-41-001, supports json/yaml/table formats.
+/// </summary>
+public enum OutputFormat
+{
+    /// <summary>Human-readable table format (default).</summary>
+    Table,
+
+    /// <summary>JSON format for automation/scripting.</summary>
+    Json,
+
+    /// <summary>YAML format for configuration/scripting.</summary>
+    Yaml
+}
diff --git a/src/Cli/StellaOps.Cli/Output/OutputRenderer.cs b/src/Cli/StellaOps.Cli/Output/OutputRenderer.cs
new file mode 100644
index 000000000..060bcafb0
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Output/OutputRenderer.cs
@@ -0,0 +1,396 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Text;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace StellaOps.Cli.Output;
+
+/// <summary>
+/// Default implementation of <see cref="IOutputRenderer"/>.
+/// Per CLI-CORE-41-001, renders output in json/yaml/table formats.
+/// </summary>
+public sealed class OutputRenderer : IOutputRenderer
+{
+    private static readonly JsonSerializerOptions JsonOptions = new()
+    {
+        WriteIndented = true,
+        PropertyNamingPolicy = JsonNamingPolicy.SnakeCaseLower,
+        DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
+        Converters = { new JsonStringEnumConverter(JsonNamingPolicy.SnakeCaseLower) }
+    };
+
+    public OutputFormat Format { get; }
+
+    public OutputRenderer(OutputFormat format = OutputFormat.Table)
+    {
+        Format = format;
+    }
+
+    /// <inheritdoc />
+    public async Task RenderAsync<T>(T value, TextWriter writer, CancellationToken cancellationToken = default)
+    {
+        cancellationToken.ThrowIfCancellationRequested();
+
+        var output = Format switch
+        {
+            OutputFormat.Json => RenderJson(value),
+            OutputFormat.Yaml => RenderYaml(value),
+            OutputFormat.Table => RenderObject(value),
+            _ => RenderObject(value)
+        };
+
+        await writer.WriteLineAsync(output.AsMemory(), cancellationToken).ConfigureAwait(false);
+    }
+
+    /// <inheritdoc />
+    public async Task RenderTableAsync<T>(
+        IEnumerable<T> items,
+        TextWriter writer,
+        IReadOnlyList<ColumnDefinition<T>>? columns = null,
+        CancellationToken cancellationToken = default)
+    {
+        cancellationToken.ThrowIfCancellationRequested();
+
+        var itemList = items.ToList();
+
+        if (Format == OutputFormat.Json)
+        {
+            var json = RenderJson(itemList);
+            await writer.WriteLineAsync(json.AsMemory(), cancellationToken).ConfigureAwait(false);
+            return;
+        }
+
+        if (Format == OutputFormat.Yaml)
+        {
+            var yaml = RenderYaml(itemList);
+            await writer.WriteLineAsync(yaml.AsMemory(), cancellationToken).ConfigureAwait(false);
+            return;
+        }
+
+        // Table format
+        if (itemList.Count == 0)
+        {
+            await writer.WriteLineAsync("(no results)".AsMemory(), cancellationToken).ConfigureAwait(false);
+            return;
+        }
+
+        var effectiveColumns = columns ?? InferColumns<T>();
+        var table = BuildTable(itemList, effectiveColumns);
+        await writer.WriteLineAsync(table.AsMemory(), cancellationToken).ConfigureAwait(false);
+    }
+
+    /// <inheritdoc />
+    public async Task RenderSuccessAsync(string message, TextWriter writer, CancellationToken cancellationToken = default)
+    {
+        cancellationToken.ThrowIfCancellationRequested();
+
+        if (Format == OutputFormat.Json)
+        {
+            var obj = new { status = "success", message };
+            await writer.WriteLineAsync(RenderJson(obj).AsMemory(), cancellationToken).ConfigureAwait(false);
+            return;
+        }
+
+        if (Format == OutputFormat.Yaml)
+        {
+            await writer.WriteLineAsync($"status: success\nmessage: {EscapeYamlString(message)}".AsMemory(), cancellationToken).ConfigureAwait(false);
+            return;
+        }
+
+        await writer.WriteLineAsync($"✓ {message}".AsMemory(), cancellationToken).ConfigureAwait(false);
+    }
+
+    /// <inheritdoc />
+    public async Task RenderErrorAsync(string message, TextWriter writer, string? errorCode = null, string? traceId = null, CancellationToken cancellationToken = default)
+    {
+        cancellationToken.ThrowIfCancellationRequested();
+
+        if (Format == OutputFormat.Json)
+        {
+            var obj = new { status = "error", error_code = errorCode, message, trace_id = traceId };
+            await writer.WriteLineAsync(RenderJson(obj).AsMemory(), cancellationToken).ConfigureAwait(false);
+            return;
+        }
+
+        if (Format == OutputFormat.Yaml)
+        {
+            var sb = new StringBuilder();
+            sb.AppendLine("status: error");
+            if (!string.IsNullOrWhiteSpace(errorCode))
+                sb.AppendLine($"error_code: {errorCode}");
+            sb.AppendLine($"message: {EscapeYamlString(message)}");
+            if (!string.IsNullOrWhiteSpace(traceId))
+                sb.AppendLine($"trace_id: {traceId}");
+            await writer.WriteLineAsync(sb.ToString().AsMemory(), cancellationToken).ConfigureAwait(false);
+            return;
+        }
+
+        var output = new StringBuilder();
+        output.Append("✗ ");
+        if (!string.IsNullOrWhiteSpace(errorCode))
+            output.Append($"[{errorCode}] ");
+        output.Append(message);
+        if (!string.IsNullOrWhiteSpace(traceId))
+            output.Append($" (trace: {traceId})");
+
+        await writer.WriteLineAsync(output.ToString().AsMemory(), cancellationToken).ConfigureAwait(false);
+    }
+
+    /// <inheritdoc />
+    public async Task RenderWarningAsync(string message, TextWriter writer, CancellationToken cancellationToken = default)
+    {
+        cancellationToken.ThrowIfCancellationRequested();
+
+        if (Format == OutputFormat.Json)
+        {
+            var obj = new { status = "warning", message };
+            await writer.WriteLineAsync(RenderJson(obj).AsMemory(), cancellationToken).ConfigureAwait(false);
+            return;
+        }
+
+        if (Format == OutputFormat.Yaml)
+        {
+            await writer.WriteLineAsync($"status: warning\nmessage: {EscapeYamlString(message)}".AsMemory(), cancellationToken).ConfigureAwait(false);
+            return;
+        }
+
+        await writer.WriteLineAsync($"⚠ {message}".AsMemory(), cancellationToken).ConfigureAwait(false);
+    }
+
+    private static string RenderJson<T>(T value)
+    {
+        return JsonSerializer.Serialize(value, JsonOptions);
+    }
+
+    private static string RenderYaml<T>(T value)
+    {
+        // Simple YAML rendering via JSON conversion for now
+        // A full YAML library would be used in production
+        var json = JsonSerializer.Serialize(value, JsonOptions);
+        using var doc = JsonDocument.Parse(json);
+        return ConvertJsonElementToYaml(doc.RootElement, 0);
+    }
+
+    private static string ConvertJsonElementToYaml(JsonElement element, int indent)
+    {
+        var indentStr = new string(' ', indent * 2);
+        var sb = new StringBuilder();
+
+        switch (element.ValueKind)
+        {
+            case JsonValueKind.Object:
+                foreach (var prop in element.EnumerateObject())
+                {
+                    if (prop.Value.ValueKind == JsonValueKind.Object || prop.Value.ValueKind == JsonValueKind.Array)
+                    {
+                        sb.AppendLine($"{indentStr}{prop.Name}:");
+                        sb.Append(ConvertJsonElementToYaml(prop.Value, indent + 1));
+                    }
+                    else
+                    {
+                        sb.AppendLine($"{indentStr}{prop.Name}: {FormatYamlValue(prop.Value)}");
+                    }
+                }
+                break;
+
+            case JsonValueKind.Array:
+                foreach (var item in element.EnumerateArray())
+                {
+                    if (item.ValueKind == JsonValueKind.Object || item.ValueKind == JsonValueKind.Array)
+                    {
+                        sb.AppendLine($"{indentStr}-");
+                        sb.Append(ConvertJsonElementToYaml(item, indent + 1));
+                    }
+                    else
+                    {
+                        sb.AppendLine($"{indentStr}- {FormatYamlValue(item)}");
+                    }
+                }
+                break;
+
+            default:
+                sb.AppendLine($"{indentStr}{FormatYamlValue(element)}");
+                break;
+        }
+
+        return sb.ToString();
+    }
+
+    private static string FormatYamlValue(JsonElement element)
+    {
+        return element.ValueKind switch
+        {
+            JsonValueKind.String => EscapeYamlString(element.GetString() ?? ""),
+            JsonValueKind.Number => element.GetRawText(),
+            JsonValueKind.True => "true",
+            JsonValueKind.False => "false",
+            JsonValueKind.Null => "null",
+            _ => element.GetRawText()
+        };
+    }
+
+    private static string EscapeYamlString(string value)
+    {
+        if (string.IsNullOrEmpty(value))
+            return "\"\"";
+
+        if (value.Contains('\n') || value.Contains(':') || value.Contains('#') ||
+            value.StartsWith(' ') || value.EndsWith(' ') ||
+            value.StartsWith('"') || value.StartsWith('\''))
+        {
+            return $"\"{value.Replace("\\", "\\\\").Replace("\"", "\\\"")}\"";
+        }
+
+        return value;
+    }
+
+    private static string RenderObject<T>(T value)
+    {
+        if (value is null)
+            return "(null)";
+
+        var type = typeof(T);
+        var properties = type.GetProperties()
+            .Where(p => p.CanRead)
+            .ToList();
+
+        if (properties.Count == 0)
+            return value.ToString() ?? "(empty)";
+
+        var sb = new StringBuilder();
+        var maxNameLength = properties.Max(p => p.Name.Length);
+
+        foreach (var prop in properties)
+        {
+            var propValue = prop.GetValue(value);
+            var displayValue = propValue?.ToString() ?? "(null)";
+            sb.AppendLine($"{prop.Name.PadRight(maxNameLength)} : {displayValue}");
+        }
+
+        return sb.ToString().TrimEnd();
+    }
+
+    private static IReadOnlyList<ColumnDefinition<T>> InferColumns<T>()
+    {
+        var properties = typeof(T).GetProperties()
+            .Where(p => p.CanRead && IsSimpleType(p.PropertyType))
+            .Take(8) // Limit to 8 columns for readability
+            .ToList();
+
+        return properties.Select(p => new ColumnDefinition<T>
+        {
+            Header = ToHeaderCase(p.Name),
+            ValueSelector = item => p.GetValue(item)?.ToString()
+        }).ToList();
+    }
+
+    private static bool IsSimpleType(Type type)
+    {
+        var underlying = Nullable.GetUnderlyingType(type) ?? type;
+        return underlying.IsPrimitive ||
+               underlying == typeof(string) ||
+               underlying == typeof(DateTime) ||
+               underlying == typeof(DateTimeOffset) ||
+               underlying == typeof(Guid) ||
+               underlying == typeof(decimal) ||
+               underlying.IsEnum;
+    }
+
+    private static string ToHeaderCase(string name)
+    {
+        if (string.IsNullOrEmpty(name))
+            return name;
+
+        var sb = new StringBuilder();
+        for (var i = 0; i < name.Length; i++)
+        {
+            var c = name[i];
+            if (i > 0 && char.IsUpper(c))
+            {
+                sb.Append(' ');
+            }
+            sb.Append(i == 0 ? char.ToUpperInvariant(c) : c);
+        }
+        return sb.ToString();
+    }
+
+    private static string BuildTable<T>(IReadOnlyList<T> items, IReadOnlyList<ColumnDefinition<T>> columns)
+    {
+        if (columns.Count == 0 || items.Count == 0)
+            return "(no data)";
+
+        // Calculate column widths
+        var widths = new int[columns.Count];
+        for (var i = 0; i < columns.Count; i++)
+        {
+            widths[i] = columns[i].Header.Length;
+            if (columns[i].MinWidth.HasValue)
+                widths[i] = Math.Max(widths[i], columns[i].MinWidth.Value);
+        }
+
+        // Get all values and update widths
+        var rows = new List<string[]>();
+        foreach (var item in items)
+        {
+            var row = new string[columns.Count];
+            for (var i = 0; i < columns.Count; i++)
+            {
+                var value = columns[i].ValueSelector(item) ?? "";
+                if (columns[i].MaxWidth.HasValue && value.Length > columns[i].MaxWidth.Value)
+                {
+                    value = value[..(columns[i].MaxWidth.Value - 3)] + "...";
+                }
+                row[i] = value;
+                widths[i] = Math.Max(widths[i], value.Length);
+            }
+            rows.Add(row);
+        }
+
+        // Build output
+        var sb = new StringBuilder();
+
+        // Header
+        for (var i = 0; i < columns.Count; i++)
+        {
+            if (i > 0) sb.Append("  ");
+            sb.Append(PadColumn(columns[i].Header.ToUpperInvariant(), widths[i], columns[i].Alignment));
+        }
+        sb.AppendLine();
+
+        // Separator
+        for (var i = 0; i < columns.Count; i++)
+        {
+            if (i > 0) sb.Append("  ");
+            sb.Append(new string('-', widths[i]));
+        }
+        sb.AppendLine();
+
+        // Rows
+        foreach (var row in rows)
+        {
+            for (var i = 0; i < columns.Count; i++)
+            {
+                if (i > 0) sb.Append("  ");
+                sb.Append(PadColumn(row[i], widths[i], columns[i].Alignment));
+            }
+            sb.AppendLine();
+        }
+
+        return sb.ToString().TrimEnd();
+    }
+
+    private static string PadColumn(string value, int width, ColumnAlignment alignment)
+    {
+        return alignment switch
+        {
+            ColumnAlignment.Right => value.PadLeft(width),
+            ColumnAlignment.Center => value.PadLeft((width + value.Length) / 2).PadRight(width),
+            _ => value.PadRight(width)
+        };
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Program.cs b/src/Cli/StellaOps.Cli/Program.cs
index e3a6f07f3..bc5364079 100644
--- a/src/Cli/StellaOps.Cli/Program.cs
+++ b/src/Cli/StellaOps.Cli/Program.cs
@@ -137,6 +137,85 @@ internal static class Program
         services.AddSingleton<IScannerExecutor, ScannerExecutor>();
         services.AddSingleton<IScannerInstaller, ScannerInstaller>();
 
+        // CLI-FORENSICS-53-001: Forensic snapshot client
+        services.AddHttpClient<IForensicSnapshotClient, ForensicSnapshotClient>(client =>
+        {
+            client.Timeout = TimeSpan.FromMinutes(5);
+            if (!string.IsNullOrWhiteSpace(options.BackendUrl) &&
+                Uri.TryCreate(options.BackendUrl, UriKind.Absolute, out var backendUri))
+            {
+                client.BaseAddress = backendUri;
+            }
+        }).AddEgressPolicyGuard("stellaops-cli", "forensic-api");
+
+        // CLI-FORENSICS-54-001: Forensic verifier (local only, no HTTP)
+        services.AddSingleton<IForensicVerifier, ForensicVerifier>();
+
+        // CLI-FORENSICS-54-002: Attestation reader (local only, no HTTP)
+        services.AddSingleton<IAttestationReader, AttestationReader>();
+
+        // CLI-LNM-22-002: VEX observations client
+        services.AddHttpClient<IVexObservationsClient, VexObservationsClient>(client =>
+        {
+            client.Timeout = TimeSpan.FromMinutes(2);
+            if (!string.IsNullOrWhiteSpace(options.BackendUrl) &&
+                Uri.TryCreate(options.BackendUrl, UriKind.Absolute, out var backendUri))
+            {
+                client.BaseAddress = backendUri;
+            }
+        }).AddEgressPolicyGuard("stellaops-cli", "vex-api");
+
+        // CLI-PROMO-70-001: Promotion assembler (local, may call crane/cosign)
+        services.AddHttpClient<IPromotionAssembler, PromotionAssembler>(client =>
+        {
+            client.Timeout = TimeSpan.FromMinutes(5);
+        });
+
+        // CLI-DETER-70-003: Determinism harness (local only, executes docker)
+        services.AddSingleton<IDeterminismHarness, DeterminismHarness>();
+
+        // CLI-OBS-51-001: Observability client for health metrics
+        services.AddHttpClient<IObservabilityClient, ObservabilityClient>(client =>
+        {
+            client.Timeout = TimeSpan.FromSeconds(30);
+        }).AddEgressPolicyGuard("stellaops-cli", "observability-api");
+
+        // CLI-PACKS-42-001: Pack client for Task Pack operations
+        services.AddHttpClient<IPackClient, PackClient>(client =>
+        {
+            client.Timeout = TimeSpan.FromMinutes(10); // Pack operations may take longer
+        }).AddEgressPolicyGuard("stellaops-cli", "packs-api");
+
+        // CLI-EXC-25-001: Exception client for exception governance operations
+        services.AddHttpClient<IExceptionClient, ExceptionClient>(client =>
+        {
+            client.Timeout = TimeSpan.FromSeconds(60);
+        }).AddEgressPolicyGuard("stellaops-cli", "exceptions-api");
+
+        // CLI-ORCH-32-001: Orchestrator client for source/job management
+        services.AddHttpClient<IOrchestratorClient, OrchestratorClient>(client =>
+        {
+            client.Timeout = TimeSpan.FromSeconds(60);
+        }).AddEgressPolicyGuard("stellaops-cli", "orchestrator-api");
+
+        // CLI-PARITY-41-001: SBOM client for SBOM explorer
+        services.AddHttpClient<ISbomClient, SbomClient>(client =>
+        {
+            client.Timeout = TimeSpan.FromSeconds(60);
+        }).AddEgressPolicyGuard("stellaops-cli", "sbom-api");
+
+        // CLI-PARITY-41-002: Notify client for notification management
+        services.AddHttpClient<INotifyClient, NotifyClient>(client =>
+        {
+            client.Timeout = TimeSpan.FromSeconds(60);
+        }).AddEgressPolicyGuard("stellaops-cli", "notify-api");
+
+        // CLI-SBOM-60-001: Sbomer client for layer/compose operations
+        services.AddHttpClient<ISbomerClient, SbomerClient>(client =>
+        {
+            client.Timeout = TimeSpan.FromMinutes(5); // Composition may take longer
+        }).AddEgressPolicyGuard("stellaops-cli", "sbomer-api");
+
         await using var serviceProvider = services.BuildServiceProvider();
         var loggerFactory = serviceProvider.GetRequiredService<ILoggerFactory>();
         var startupLogger = loggerFactory.CreateLogger("StellaOps.Cli.Startup");
diff --git a/src/Cli/StellaOps.Cli/Services/AttestationReader.cs b/src/Cli/StellaOps.Cli/Services/AttestationReader.cs
new file mode 100644
index 000000000..646b16109
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/AttestationReader.cs
@@ -0,0 +1,385 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Cli.Output;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Reader for attestation files (DSSE envelopes with in-toto statements).
+/// Per CLI-FORENSICS-54-002.
+/// </summary>
+internal sealed class AttestationReader : IAttestationReader
+{
+    private const string PaePrefix = "DSSEv1";
+    private const string InTotoStatementType = "https://in-toto.io/Statement/v0.1";
+    private const string InTotoStatementV1Type = "https://in-toto.io/Statement/v1";
+
+    private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
+    {
+        PropertyNameCaseInsensitive = true
+    };
+
+    private readonly ILogger<AttestationReader> _logger;
+    private readonly IForensicVerifier _verifier;
+
+    public AttestationReader(ILogger<AttestationReader> logger, IForensicVerifier verifier)
+    {
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _verifier = verifier ?? throw new ArgumentNullException(nameof(verifier));
+    }
+
+    public async Task<AttestationShowResult> ReadAttestationAsync(
+        string filePath,
+        AttestationShowOptions options,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(filePath);
+        ArgumentNullException.ThrowIfNull(options);
+
+        _logger.LogDebug("Reading attestation from {FilePath}", filePath);
+
+        if (!File.Exists(filePath))
+        {
+            throw new FileNotFoundException($"Attestation file not found: {filePath}", filePath);
+        }
+
+        var json = await File.ReadAllTextAsync(filePath, cancellationToken).ConfigureAwait(false);
+
+        AttestationEnvelope envelope;
+        try
+        {
+            envelope = JsonSerializer.Deserialize<AttestationEnvelope>(json, SerializerOptions)
+                ?? throw new InvalidDataException("Invalid attestation JSON");
+        }
+        catch (JsonException ex)
+        {
+            _logger.LogError(ex, "Failed to parse attestation envelope from {FilePath}", filePath);
+            throw new InvalidDataException($"Failed to parse attestation envelope: {ex.Message}", ex);
+        }
+
+        // Decode payload
+        byte[] payloadBytes;
+        try
+        {
+            payloadBytes = Convert.FromBase64String(envelope.Payload);
+        }
+        catch (FormatException ex)
+        {
+            throw new InvalidDataException($"Invalid base64 payload: {ex.Message}", ex);
+        }
+
+        var payloadJson = Encoding.UTF8.GetString(payloadBytes);
+        InTotoStatement statement;
+        try
+        {
+            statement = JsonSerializer.Deserialize<InTotoStatement>(payloadJson, SerializerOptions)
+                ?? throw new InvalidDataException("Invalid in-toto statement JSON");
+        }
+        catch (JsonException ex)
+        {
+            _logger.LogError(ex, "Failed to parse in-toto statement from payload");
+            throw new InvalidDataException($"Failed to parse in-toto statement: {ex.Message}", ex);
+        }
+
+        // Extract subjects
+        var subjects = statement.Subject
+            .Select(s => new AttestationSubjectInfo
+            {
+                Name = s.Name,
+                DigestAlgorithm = s.Digest.Keys.FirstOrDefault() ?? "unknown",
+                DigestValue = s.Digest.Values.FirstOrDefault() ?? string.Empty
+            })
+            .ToList();
+
+        // Extract signatures
+        var signatures = new List<AttestationSignatureInfo>();
+        var trustRoots = options.TrustRoots.ToList();
+
+        if (!string.IsNullOrWhiteSpace(options.TrustRootPath))
+        {
+            var loadedRoots = await _verifier.LoadTrustRootsAsync(options.TrustRootPath, cancellationToken)
+                .ConfigureAwait(false);
+            trustRoots.AddRange(loadedRoots);
+        }
+
+        foreach (var sig in envelope.Signatures)
+        {
+            var sigInfo = new AttestationSignatureInfo
+            {
+                KeyId = sig.KeyId ?? "(no key id)",
+                Algorithm = "unknown" // Would need certificate parsing for actual algorithm
+            };
+
+            if (options.VerifySignatures && trustRoots.Count > 0)
+            {
+                var matchingRoot = trustRoots.FirstOrDefault(tr =>
+                    string.Equals(tr.KeyId, sig.KeyId, StringComparison.OrdinalIgnoreCase));
+
+                if (matchingRoot is not null)
+                {
+                    var isValid = VerifySignature(envelope, sig, matchingRoot);
+                    var now = DateTimeOffset.UtcNow;
+                    var timeValid = (!matchingRoot.NotBefore.HasValue || now >= matchingRoot.NotBefore.Value) &&
+                                    (!matchingRoot.NotAfter.HasValue || now <= matchingRoot.NotAfter.Value);
+
+                    sigInfo = sigInfo with
+                    {
+                        Algorithm = matchingRoot.Algorithm,
+                        IsValid = isValid,
+                        IsTrusted = isValid && timeValid,
+                        SignerInfo = new AttestationSignerInfo
+                        {
+                            Fingerprint = matchingRoot.Fingerprint,
+                            NotBefore = matchingRoot.NotBefore,
+                            NotAfter = matchingRoot.NotAfter
+                        },
+                        Reason = !isValid ? "Signature verification failed" :
+                                 !timeValid ? "Key outside validity period" : null
+                    };
+                }
+                else
+                {
+                    sigInfo = sigInfo with
+                    {
+                        IsValid = null,
+                        IsTrusted = false,
+                        Reason = "No matching trust root found"
+                    };
+                }
+            }
+
+            signatures.Add(sigInfo);
+        }
+
+        // Extract predicate summary
+        var predicateSummary = ExtractPredicateSummary(statement);
+
+        // Build verification result
+        AttestationVerificationResult? verificationResult = null;
+        if (options.VerifySignatures)
+        {
+            var validCount = signatures.Count(s => s.IsValid == true);
+            var trustedCount = signatures.Count(s => s.IsTrusted == true);
+            var errors = signatures
+                .Where(s => !string.IsNullOrWhiteSpace(s.Reason))
+                .Select(s => $"{s.KeyId}: {s.Reason}")
+                .ToList();
+
+            verificationResult = new AttestationVerificationResult
+            {
+                IsValid = validCount > 0,
+                SignatureCount = signatures.Count,
+                ValidSignatures = validCount,
+                TrustedSignatures = trustedCount,
+                Errors = errors
+            };
+        }
+
+        return new AttestationShowResult
+        {
+            FilePath = filePath,
+            PayloadType = envelope.PayloadType,
+            StatementType = statement.Type,
+            PredicateType = statement.PredicateType,
+            Subjects = subjects,
+            Signatures = signatures,
+            PredicateSummary = predicateSummary,
+            VerificationResult = verificationResult
+        };
+    }
+
+    private static bool VerifySignature(
+        AttestationEnvelope envelope,
+        AttestationSignature sig,
+        ForensicTrustRoot trustRoot)
+    {
+        try
+        {
+            var payloadBytes = Convert.FromBase64String(envelope.Payload);
+            var pae = BuildPreAuthEncoding(envelope.PayloadType, payloadBytes);
+            var signatureBytes = Convert.FromBase64String(sig.Signature);
+            var publicKeyBytes = Convert.FromBase64String(trustRoot.PublicKey);
+
+            using var rsa = RSA.Create();
+            rsa.ImportSubjectPublicKeyInfo(publicKeyBytes, out _);
+
+            return rsa.VerifyData(pae, signatureBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
+        }
+        catch (Exception)
+        {
+            return false;
+        }
+    }
+
+    private static byte[] BuildPreAuthEncoding(string payloadType, byte[] payload)
+    {
+        // DSSE PAE format: "DSSEv1" + len(payloadType) + payloadType + len(payload) + payload
+        var payloadTypeBytes = Encoding.UTF8.GetBytes(payloadType);
+
+        using var ms = new MemoryStream();
+        using var writer = new BinaryWriter(ms);
+
+        // Write "DSSEv1" prefix length and value
+        writer.Write((long)PaePrefix.Length);
+        writer.Write(Encoding.UTF8.GetBytes(PaePrefix));
+
+        // Write payload type length and value
+        writer.Write((long)payloadTypeBytes.Length);
+        writer.Write(payloadTypeBytes);
+
+        // Write payload length and value
+        writer.Write((long)payload.Length);
+        writer.Write(payload);
+
+        return ms.ToArray();
+    }
+
+    private static AttestationPredicateSummary? ExtractPredicateSummary(InTotoStatement statement)
+    {
+        if (statement.Predicate is null)
+        {
+            return null;
+        }
+
+        var summary = new AttestationPredicateSummary
+        {
+            Type = statement.PredicateType
+        };
+
+        // Try to extract common fields from predicate
+        if (statement.Predicate is JsonElement element)
+        {
+            var metadata = new Dictionary<string, string>();
+            var materials = new List<AttestationMaterial>();
+
+            // Extract buildType (SLSA)
+            if (element.TryGetProperty("buildType", out var buildTypeProp) &&
+                buildTypeProp.ValueKind == JsonValueKind.String)
+            {
+                summary = summary with { BuildType = buildTypeProp.GetString() };
+            }
+
+            // Extract builder (SLSA)
+            if (element.TryGetProperty("builder", out var builderProp))
+            {
+                if (builderProp.TryGetProperty("id", out var builderIdProp) &&
+                    builderIdProp.ValueKind == JsonValueKind.String)
+                {
+                    summary = summary with { Builder = builderIdProp.GetString() };
+                }
+            }
+
+            // Extract invocation ID (SLSA)
+            if (element.TryGetProperty("invocation", out var invocationProp))
+            {
+                if (invocationProp.TryGetProperty("configSource", out var configSourceProp) &&
+                    configSourceProp.TryGetProperty("digest", out var digestProp))
+                {
+                    foreach (var d in digestProp.EnumerateObject())
+                    {
+                        metadata[$"invocation.digest.{d.Name}"] = d.Value.GetString() ?? string.Empty;
+                    }
+                }
+            }
+
+            // Extract materials
+            if (element.TryGetProperty("materials", out var materialsProp) &&
+                materialsProp.ValueKind == JsonValueKind.Array)
+            {
+                foreach (var material in materialsProp.EnumerateArray())
+                {
+                    var uri = string.Empty;
+                    var digest = new Dictionary<string, string>();
+
+                    if (material.TryGetProperty("uri", out var uriProp) &&
+                        uriProp.ValueKind == JsonValueKind.String)
+                    {
+                        uri = uriProp.GetString() ?? string.Empty;
+                    }
+
+                    if (material.TryGetProperty("digest", out var matDigestProp))
+                    {
+                        foreach (var d in matDigestProp.EnumerateObject())
+                        {
+                            digest[d.Name] = d.Value.GetString() ?? string.Empty;
+                        }
+                    }
+
+                    materials.Add(new AttestationMaterial { Uri = uri, Digest = digest });
+                }
+
+                summary = summary with { Materials = materials };
+            }
+
+            // Extract timestamp
+            if (element.TryGetProperty("metadata", out var metaProp))
+            {
+                if (metaProp.TryGetProperty("buildStartedOn", out var startedProp) &&
+                    startedProp.ValueKind == JsonValueKind.String &&
+                    DateTimeOffset.TryParse(startedProp.GetString(), out var started))
+                {
+                    summary = summary with { Timestamp = started };
+                }
+                else if (metaProp.TryGetProperty("buildFinishedOn", out var finishedProp) &&
+                         finishedProp.ValueKind == JsonValueKind.String &&
+                         DateTimeOffset.TryParse(finishedProp.GetString(), out var finished))
+                {
+                    summary = summary with { Timestamp = finished };
+                }
+
+                if (metaProp.TryGetProperty("invocationId", out var invIdProp) &&
+                    invIdProp.ValueKind == JsonValueKind.String)
+                {
+                    summary = summary with { InvocationId = invIdProp.GetString() };
+                }
+            }
+
+            // Extract VEX-specific fields
+            if (statement.PredicateType.Contains("vex", StringComparison.OrdinalIgnoreCase))
+            {
+                if (element.TryGetProperty("author", out var authorProp) &&
+                    authorProp.ValueKind == JsonValueKind.String)
+                {
+                    metadata["author"] = authorProp.GetString() ?? string.Empty;
+                }
+
+                if (element.TryGetProperty("timestamp", out var tsProp) &&
+                    tsProp.ValueKind == JsonValueKind.String)
+                {
+                    if (DateTimeOffset.TryParse(tsProp.GetString(), out var ts))
+                    {
+                        summary = summary with { Timestamp = ts };
+                    }
+                }
+
+                if (element.TryGetProperty("version", out var versionProp))
+                {
+                    if (versionProp.ValueKind == JsonValueKind.String)
+                    {
+                        metadata["version"] = versionProp.GetString() ?? string.Empty;
+                    }
+                    else if (versionProp.ValueKind == JsonValueKind.Number)
+                    {
+                        metadata["version"] = versionProp.GetInt32().ToString();
+                    }
+                }
+            }
+
+            if (metadata.Count > 0)
+            {
+                summary = summary with { Metadata = metadata };
+            }
+        }
+
+        return summary;
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs b/src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs
index 4699be130..4f12aca07 100644
--- a/src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs
+++ b/src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs
@@ -605,6 +605,32 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
             }
         }
 
+        // CLI-POLICY-27-003: Enhanced simulation options
+        if (input.Mode.HasValue)
+        {
+            requestDocument.Mode = input.Mode.Value switch
+            {
+                PolicySimulationMode.Quick => "quick",
+                PolicySimulationMode.Batch => "batch",
+                _ => null
+            };
+        }
+
+        if (input.SbomSelectors is not null && input.SbomSelectors.Count > 0)
+        {
+            requestDocument.SbomSelectors = input.SbomSelectors;
+        }
+
+        if (input.IncludeHeatmap)
+        {
+            requestDocument.IncludeHeatmap = true;
+        }
+
+        if (input.IncludeManifest)
+        {
+            requestDocument.IncludeManifest = true;
+        }
+
         var encodedPolicyId = Uri.EscapeDataString(policyId);
         using var request = CreateRequest(HttpMethod.Post, $"api/policy/policies/{encodedPolicyId}/simulate");
         await AuthorizeRequestAsync(request, cancellationToken).ConfigureAwait(false);
@@ -2556,9 +2582,35 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
             severityView,
             ruleHitsView);
 
+        // CLI-POLICY-27-003: Map heatmap if present
+        PolicySimulationHeatmap? heatmap = null;
+        if (document.Heatmap is not null)
+        {
+            var buckets = document.Heatmap.Buckets is null
+                ? new List<PolicySimulationHeatmapBucket>()
+                : document.Heatmap.Buckets
+                    .Where(b => b is not null)
+                    .Select(b => new PolicySimulationHeatmapBucket(
+                        b!.Label ?? string.Empty,
+                        b.Count ?? 0,
+                        string.IsNullOrWhiteSpace(b.Color) ? null : b.Color))
+                    .ToList();
+
+            heatmap = new PolicySimulationHeatmap(
+                document.Heatmap.Critical ?? 0,
+                document.Heatmap.High ?? 0,
+                document.Heatmap.Medium ?? 0,
+                document.Heatmap.Low ?? 0,
+                document.Heatmap.Info ?? 0,
+                buckets.AsReadOnly());
+        }
+
         return new PolicySimulationResult(
             diff,
-            string.IsNullOrWhiteSpace(document.ExplainUri) ? null : document.ExplainUri);
+            string.IsNullOrWhiteSpace(document.ExplainUri) ? null : document.ExplainUri,
+            heatmap,
+            string.IsNullOrWhiteSpace(document.ManifestDownloadUri) ? null : document.ManifestDownloadUri,
+            string.IsNullOrWhiteSpace(document.ManifestDigest) ? null : document.ManifestDigest);
     }
 
     private static TaskRunnerSimulationResult MapTaskRunnerSimulation(TaskRunnerSimulationResponseDocument document)
@@ -2649,7 +2701,17 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
         return message;
     }
 
-    private async Task<(string Message, ProblemDocument? Problem)> CreateFailureDetailsAsync(HttpResponseMessage response, CancellationToken cancellationToken)
+    private async Task<(string Message, string? ErrorCode)> CreateFailureDetailsAsync(HttpResponseMessage response, CancellationToken cancellationToken)
+    {
+        var parsed = await ParseApiErrorAsync(response, cancellationToken).ConfigureAwait(false);
+        return (parsed.Message, parsed.Code);
+    }
+
+    /// <summary>
+    /// Parses API error response supporting both standardized envelope and ProblemDetails.
+    /// CLI-SDK-62-002: Enhanced error parsing for standardized API error envelope.
+    /// </summary>
+    private async Task<ParsedApiError> ParseApiErrorAsync(HttpResponseMessage response, CancellationToken cancellationToken)
     {
         var statusCode = (int)response.StatusCode;
         var builder = new StringBuilder();
@@ -2658,7 +2720,21 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
         builder.Append(' ');
         builder.Append(response.ReasonPhrase ?? "Unknown");
 
+        // Extract trace/request IDs from headers
+        var traceId = ExtractHeaderValue(response.Headers, "X-Trace-Id")
+            ?? ExtractHeaderValue(response.Headers, "traceparent");
+        var requestId = ExtractHeaderValue(response.Headers, "X-Request-Id")
+            ?? ExtractHeaderValue(response.Headers, "x-request-id");
+
         ProblemDocument? problem = null;
+        ApiErrorEnvelope? envelope = null;
+        string? errorCode = null;
+        string? errorDetail = null;
+        string? target = null;
+        string? helpUrl = null;
+        int? retryAfter = null;
+        Dictionary<string, object?>? metadata = null;
+        IReadOnlyList<ApiErrorDetail>? innerErrors = null;
 
         if (response.Content is not null && response.Content.Headers.ContentLength is > 0)
         {
@@ -2668,35 +2744,173 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
                 raw = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
                 if (!string.IsNullOrWhiteSpace(raw))
                 {
-                    problem = JsonSerializer.Deserialize<ProblemDocument>(raw, SerializerOptions);
-                }
-            }
-            catch (JsonException)
-            {
-                problem = null;
-            }
+                    // Try to parse as standardized error envelope first
+                    try
+                    {
+                        envelope = JsonSerializer.Deserialize<ApiErrorEnvelope>(raw, SerializerOptions);
+                        if (envelope?.Error is not null)
+                        {
+                            errorCode = envelope.Error.Code;
+                            if (!string.IsNullOrWhiteSpace(envelope.Error.Message))
+                            {
+                                builder.Clear().Append(envelope.Error.Message);
+                            }
+                            errorDetail = envelope.Error.Detail;
+                            target = envelope.Error.Target;
+                            helpUrl = envelope.Error.HelpUrl;
+                            retryAfter = envelope.Error.RetryAfter;
+                            metadata = envelope.Error.Metadata;
+                            innerErrors = envelope.Error.InnerErrors;
 
-            if (problem is not null)
-            {
-                if (!string.IsNullOrWhiteSpace(problem.Title))
-                {
-                    builder.AppendLine().Append(problem.Title);
-                }
+                            // Prefer envelope trace_id over header
+                            if (!string.IsNullOrWhiteSpace(envelope.TraceId))
+                            {
+                                traceId = envelope.TraceId;
+                            }
+                            if (!string.IsNullOrWhiteSpace(envelope.RequestId))
+                            {
+                                requestId = envelope.RequestId;
+                            }
+                        }
+                    }
+                    catch (JsonException)
+                    {
+                        envelope = null;
+                    }
 
-                if (!string.IsNullOrWhiteSpace(problem.Detail))
-                {
-                    builder.AppendLine().Append(problem.Detail);
+                    // If envelope didn't have error details, try ProblemDetails format
+                    if (envelope?.Error is null)
+                    {
+                        try
+                        {
+                            problem = JsonSerializer.Deserialize<ProblemDocument>(raw, SerializerOptions);
+                            if (problem is not null)
+                            {
+                                // Extract error code from problem type URI
+                                errorCode = ExtractErrorCodeFromProblemType(problem.Type);
+
+                                if (!string.IsNullOrWhiteSpace(problem.Title))
+                                {
+                                    builder.AppendLine().Append(problem.Title);
+                                }
+
+                                if (!string.IsNullOrWhiteSpace(problem.Detail))
+                                {
+                                    builder.AppendLine().Append(problem.Detail);
+                                    errorDetail = problem.Detail;
+                                }
+
+                                // Check for trace_id in extensions
+                                if (problem.Extensions is not null)
+                                {
+                                    if (problem.Extensions.TryGetValue("trace_id", out var tid) && tid is string tidStr)
+                                    {
+                                        traceId ??= tidStr;
+                                    }
+                                    if (problem.Extensions.TryGetValue("traceId", out var tid2) && tid2 is string tid2Str)
+                                    {
+                                        traceId ??= tid2Str;
+                                    }
+                                    if (problem.Extensions.TryGetValue("error_code", out var ec) && ec is string ecStr)
+                                    {
+                                        errorCode ??= ecStr;
+                                    }
+                                    if (problem.Extensions.TryGetValue("errorCode", out var ec2) && ec2 is string ec2Str)
+                                    {
+                                        errorCode ??= ec2Str;
+                                    }
+                                }
+                            }
+                        }
+                        catch (JsonException)
+                        {
+                            problem = null;
+                        }
+                    }
+
+                    // If neither format parsed, include raw content
+                    if (envelope?.Error is null && problem is null && !string.IsNullOrWhiteSpace(raw))
+                    {
+                        builder.AppendLine().Append(raw);
+                    }
                 }
             }
-            else if (!string.IsNullOrWhiteSpace(raw))
+            catch (Exception)
             {
-                builder.AppendLine().Append(raw);
+                // Ignore content read errors
             }
         }
 
-        return (builder.ToString(), problem);
+        // Parse Retry-After header if not in envelope
+        if (retryAfter is null && response.Headers.RetryAfter?.Delta is not null)
+        {
+            retryAfter = (int)response.Headers.RetryAfter.Delta.Value.TotalSeconds;
+        }
+
+        // Default error code based on HTTP status
+        errorCode ??= GetDefaultErrorCode(statusCode);
+
+        return new ParsedApiError
+        {
+            Code = errorCode,
+            Message = builder.ToString(),
+            Detail = errorDetail,
+            TraceId = traceId,
+            RequestId = requestId,
+            HttpStatus = statusCode,
+            Target = target,
+            HelpUrl = helpUrl,
+            RetryAfter = retryAfter,
+            InnerErrors = innerErrors,
+            Metadata = metadata,
+            ProblemDocument = problem,
+            ErrorEnvelope = envelope
+        };
     }
 
+    /// <summary>
+    /// Extracts error code from problem type URI.
+    /// </summary>
+    private static string? ExtractErrorCodeFromProblemType(string? type)
+    {
+        if (string.IsNullOrWhiteSpace(type))
+            return null;
+
+        // Handle URN format: urn:stellaops:error:ERR_AUTH_INVALID_SCOPE
+        if (type.StartsWith("urn:stellaops:error:", StringComparison.OrdinalIgnoreCase))
+        {
+            return type[20..];
+        }
+
+        // Handle URL format: https://docs.stellaops.org/errors/ERR_AUTH_INVALID_SCOPE
+        if (type.Contains("/errors/", StringComparison.OrdinalIgnoreCase))
+        {
+            var idx = type.LastIndexOf("/errors/", StringComparison.OrdinalIgnoreCase);
+            return type[(idx + 8)..];
+        }
+
+        return null;
+    }
+
+    /// <summary>
+    /// Gets default error code based on HTTP status code.
+    /// </summary>
+    private static string GetDefaultErrorCode(int statusCode) => statusCode switch
+    {
+        400 => "ERR_VALIDATION_BAD_REQUEST",
+        401 => "ERR_AUTH_UNAUTHORIZED",
+        403 => "ERR_AUTH_FORBIDDEN",
+        404 => "ERR_NOT_FOUND",
+        409 => "ERR_CONFLICT",
+        422 => "ERR_VALIDATION_UNPROCESSABLE",
+        429 => "ERR_RATE_LIMIT",
+        500 => "ERR_SERVER_INTERNAL",
+        502 => "ERR_SERVER_BAD_GATEWAY",
+        503 => "ERR_SERVER_UNAVAILABLE",
+        504 => "ERR_SERVER_TIMEOUT",
+        _ => $"ERR_HTTP_{statusCode}"
+    };
+
     private static string? ExtractHeaderValue(HttpResponseHeaders headers, string name)
     {
         if (headers.TryGetValues(name, out var values))
@@ -3322,4 +3536,1063 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
 
         return await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
     }
+
+    // CLI-POLICY-23-006: Policy history and explain
+
+    public async Task<PolicyHistoryResponse> GetPolicyHistoryAsync(PolicyHistoryRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var queryParams = new List<string>();
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+            queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+        if (request.From.HasValue)
+            queryParams.Add($"from={Uri.EscapeDataString(request.From.Value.ToString("O"))}");
+        if (request.To.HasValue)
+            queryParams.Add($"to={Uri.EscapeDataString(request.To.Value.ToString("O"))}");
+        if (!string.IsNullOrWhiteSpace(request.Status))
+            queryParams.Add($"status={Uri.EscapeDataString(request.Status)}");
+        if (request.Limit.HasValue)
+            queryParams.Add($"limit={request.Limit.Value}");
+        if (!string.IsNullOrWhiteSpace(request.Cursor))
+            queryParams.Add($"cursor={Uri.EscapeDataString(request.Cursor)}");
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : "";
+        var relative = $"api/policy/{Uri.EscapeDataString(request.PolicyId)}/runs{query}";
+
+        using var httpRequest = CreateRequest(HttpMethod.Get, relative);
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Policy history request failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<PolicyHistoryResponse>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new PolicyHistoryResponse();
+    }
+
+    public async Task<PolicyExplainResult> GetPolicyExplainAsync(PolicyExplainRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var queryParams = new List<string>();
+        if (!string.IsNullOrWhiteSpace(request.RunId))
+            queryParams.Add($"runId={Uri.EscapeDataString(request.RunId)}");
+        if (!string.IsNullOrWhiteSpace(request.FindingId))
+            queryParams.Add($"findingId={Uri.EscapeDataString(request.FindingId)}");
+        if (!string.IsNullOrWhiteSpace(request.SbomId))
+            queryParams.Add($"sbomId={Uri.EscapeDataString(request.SbomId)}");
+        if (!string.IsNullOrWhiteSpace(request.ComponentPurl))
+            queryParams.Add($"purl={Uri.EscapeDataString(request.ComponentPurl)}");
+        if (!string.IsNullOrWhiteSpace(request.AdvisoryId))
+            queryParams.Add($"advisoryId={Uri.EscapeDataString(request.AdvisoryId)}");
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+            queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+        if (request.Depth.HasValue)
+            queryParams.Add($"depth={request.Depth.Value}");
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : "";
+        var relative = $"api/policy/{Uri.EscapeDataString(request.PolicyId)}/explain{query}";
+
+        using var httpRequest = CreateRequest(HttpMethod.Get, relative);
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Policy explain request failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<PolicyExplainResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new PolicyExplainResult();
+    }
+
+    // CLI-POLICY-27-002: Policy submission/review workflow
+
+    public async Task<PolicyVersionBumpResult> BumpPolicyVersionAsync(PolicyVersionBumpRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var relative = $"api/policy/{Uri.EscapeDataString(request.PolicyId)}/version";
+
+        using var httpRequest = CreateRequest(HttpMethod.Post, relative);
+        httpRequest.Content = JsonContent.Create(request, options: JsonOptions);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Policy version bump failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<PolicyVersionBumpResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new PolicyVersionBumpResult();
+    }
+
+    public async Task<PolicySubmitResult> SubmitPolicyForReviewAsync(PolicySubmitRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var relative = $"api/policy/{Uri.EscapeDataString(request.PolicyId)}/submit";
+
+        using var httpRequest = CreateRequest(HttpMethod.Post, relative);
+        httpRequest.Content = JsonContent.Create(request, options: JsonOptions);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Policy submission failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<PolicySubmitResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new PolicySubmitResult();
+    }
+
+    public async Task<PolicyReviewCommentResult> AddPolicyReviewCommentAsync(PolicyReviewCommentRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var relative = $"api/policy/{Uri.EscapeDataString(request.PolicyId)}/review/{Uri.EscapeDataString(request.ReviewId)}/comment";
+
+        using var httpRequest = CreateRequest(HttpMethod.Post, relative);
+        httpRequest.Content = JsonContent.Create(request, options: JsonOptions);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Add review comment failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<PolicyReviewCommentResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new PolicyReviewCommentResult();
+    }
+
+    public async Task<PolicyApproveResult> ApprovePolicyReviewAsync(PolicyApproveRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var relative = $"api/policy/{Uri.EscapeDataString(request.PolicyId)}/review/{Uri.EscapeDataString(request.ReviewId)}/approve";
+
+        using var httpRequest = CreateRequest(HttpMethod.Post, relative);
+        httpRequest.Content = JsonContent.Create(request, options: JsonOptions);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Policy approval failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<PolicyApproveResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new PolicyApproveResult();
+    }
+
+    public async Task<PolicyRejectResult> RejectPolicyReviewAsync(PolicyRejectRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var relative = $"api/policy/{Uri.EscapeDataString(request.PolicyId)}/review/{Uri.EscapeDataString(request.ReviewId)}/reject";
+
+        using var httpRequest = CreateRequest(HttpMethod.Post, relative);
+        httpRequest.Content = JsonContent.Create(request, options: JsonOptions);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Policy rejection failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<PolicyRejectResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new PolicyRejectResult();
+    }
+
+    public async Task<PolicyReviewSummary?> GetPolicyReviewStatusAsync(PolicyReviewStatusRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var reviewPart = string.IsNullOrWhiteSpace(request.ReviewId) ? "latest" : Uri.EscapeDataString(request.ReviewId);
+        var relative = $"api/policy/{Uri.EscapeDataString(request.PolicyId)}/review/{reviewPart}";
+
+        using var httpRequest = CreateRequest(HttpMethod.Get, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+            return null;
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Get policy review status failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<PolicyReviewSummary>(JsonOptions, cancellationToken).ConfigureAwait(false);
+    }
+
+    // CLI-POLICY-27-004: Policy lifecycle (publish/promote/rollback/sign)
+
+    public async Task<PolicyPublishResult> PublishPolicyAsync(PolicyPublishRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var relative = $"api/policy/{Uri.EscapeDataString(request.PolicyId)}/versions/{request.Version}/publish";
+
+        using var httpRequest = CreateRequest(HttpMethod.Post, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        httpRequest.Content = JsonContent.Create(new
+        {
+            sign = request.Sign,
+            signatureAlgorithm = request.SignatureAlgorithm,
+            keyId = request.KeyId,
+            note = request.Note
+        }, options: JsonOptions);
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Policy publish failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<PolicyPublishResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new PolicyPublishResult();
+    }
+
+    public async Task<PolicyPromoteResult> PromotePolicyAsync(PolicyPromoteRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var relative = $"api/policy/{Uri.EscapeDataString(request.PolicyId)}/versions/{request.Version}/promote";
+
+        using var httpRequest = CreateRequest(HttpMethod.Post, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        httpRequest.Content = JsonContent.Create(new
+        {
+            targetEnvironment = request.TargetEnvironment,
+            canary = request.Canary,
+            canaryPercentage = request.CanaryPercentage,
+            note = request.Note
+        }, options: JsonOptions);
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Policy promote failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<PolicyPromoteResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new PolicyPromoteResult();
+    }
+
+    public async Task<PolicyRollbackResult> RollbackPolicyAsync(PolicyRollbackRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var relative = $"api/policy/{Uri.EscapeDataString(request.PolicyId)}/rollback";
+
+        using var httpRequest = CreateRequest(HttpMethod.Post, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        httpRequest.Content = JsonContent.Create(new
+        {
+            targetVersion = request.TargetVersion,
+            environment = request.Environment,
+            reason = request.Reason,
+            incidentId = request.IncidentId
+        }, options: JsonOptions);
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Policy rollback failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<PolicyRollbackResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new PolicyRollbackResult();
+    }
+
+    public async Task<PolicySignResult> SignPolicyAsync(PolicySignRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var relative = $"api/policy/{Uri.EscapeDataString(request.PolicyId)}/versions/{request.Version}/sign";
+
+        using var httpRequest = CreateRequest(HttpMethod.Post, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        httpRequest.Content = JsonContent.Create(new
+        {
+            keyId = request.KeyId,
+            signatureAlgorithm = request.SignatureAlgorithm,
+            rekorUpload = request.RekorUpload
+        }, options: JsonOptions);
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Policy sign failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<PolicySignResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new PolicySignResult();
+    }
+
+    public async Task<PolicyVerifySignatureResult> VerifyPolicySignatureAsync(PolicyVerifySignatureRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var signaturePart = string.IsNullOrWhiteSpace(request.SignatureId) ? "latest" : Uri.EscapeDataString(request.SignatureId);
+        var relative = $"api/policy/{Uri.EscapeDataString(request.PolicyId)}/versions/{request.Version}/signatures/{signaturePart}/verify";
+
+        using var httpRequest = CreateRequest(HttpMethod.Post, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        httpRequest.Content = JsonContent.Create(new
+        {
+            checkRekor = request.CheckRekor
+        }, options: JsonOptions);
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Policy signature verification failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<PolicyVerifySignatureResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new PolicyVerifySignatureResult();
+    }
+
+    // CLI-RISK-66-001: Risk profile list
+
+    public async Task<RiskProfileListResponse> ListRiskProfilesAsync(RiskProfileListRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var queryParams = new List<string>();
+        if (request.IncludeDisabled)
+            queryParams.Add("includeDisabled=true");
+        if (!string.IsNullOrWhiteSpace(request.Category))
+            queryParams.Add($"category={Uri.EscapeDataString(request.Category)}");
+        if (request.Limit.HasValue)
+            queryParams.Add($"limit={request.Limit.Value}");
+        if (request.Offset.HasValue)
+            queryParams.Add($"offset={request.Offset.Value}");
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : "";
+        var relative = $"api/risk/profiles{query}";
+
+        using var httpRequest = CreateRequest(HttpMethod.Get, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"List risk profiles failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<RiskProfileListResponse>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new RiskProfileListResponse();
+    }
+
+    // CLI-RISK-66-002: Risk simulate
+
+    public async Task<RiskSimulateResult> SimulateRiskAsync(RiskSimulateRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var relative = "api/risk/simulate";
+
+        using var httpRequest = CreateRequest(HttpMethod.Post, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        httpRequest.Content = JsonContent.Create(new
+        {
+            profileId = request.ProfileId,
+            sbomId = request.SbomId,
+            sbomPath = request.SbomPath,
+            assetId = request.AssetId,
+            diffMode = request.DiffMode,
+            baselineProfileId = request.BaselineProfileId
+        }, options: JsonOptions);
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Risk simulate failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<RiskSimulateResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new RiskSimulateResult();
+    }
+
+    // CLI-RISK-67-001: Risk results
+
+    public async Task<RiskResultsResponse> GetRiskResultsAsync(RiskResultsRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var queryParams = new List<string>();
+        if (!string.IsNullOrWhiteSpace(request.AssetId))
+            queryParams.Add($"assetId={Uri.EscapeDataString(request.AssetId)}");
+        if (!string.IsNullOrWhiteSpace(request.SbomId))
+            queryParams.Add($"sbomId={Uri.EscapeDataString(request.SbomId)}");
+        if (!string.IsNullOrWhiteSpace(request.ProfileId))
+            queryParams.Add($"profileId={Uri.EscapeDataString(request.ProfileId)}");
+        if (!string.IsNullOrWhiteSpace(request.MinSeverity))
+            queryParams.Add($"minSeverity={Uri.EscapeDataString(request.MinSeverity)}");
+        if (request.MaxScore.HasValue)
+            queryParams.Add($"maxScore={request.MaxScore.Value}");
+        if (request.IncludeExplain)
+            queryParams.Add("includeExplain=true");
+        if (request.Limit.HasValue)
+            queryParams.Add($"limit={request.Limit.Value}");
+        if (request.Offset.HasValue)
+            queryParams.Add($"offset={request.Offset.Value}");
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : "";
+        var relative = $"api/risk/results{query}";
+
+        using var httpRequest = CreateRequest(HttpMethod.Get, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Get risk results failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<RiskResultsResponse>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new RiskResultsResponse();
+    }
+
+    // CLI-RISK-68-001: Risk bundle verify
+
+    public async Task<RiskBundleVerifyResult> VerifyRiskBundleAsync(RiskBundleVerifyRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+
+        var relative = "api/risk/bundles/verify";
+
+        using var httpRequest = CreateRequest(HttpMethod.Post, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        httpRequest.Content = JsonContent.Create(new
+        {
+            bundlePath = request.BundlePath,
+            signaturePath = request.SignaturePath,
+            checkRekor = request.CheckRekor
+        }, options: JsonOptions);
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Risk bundle verify failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<RiskBundleVerifyResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new RiskBundleVerifyResult();
+    }
+
+    // CLI-SIG-26-001: Reachability operations
+
+    public async Task<ReachabilityUploadCallGraphResult> UploadCallGraphAsync(ReachabilityUploadCallGraphRequest request, Stream callGraphStream, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+        ArgumentNullException.ThrowIfNull(callGraphStream);
+
+        EnsureBackendConfigured();
+        OfflineModeGuard.ThrowIfOffline("reachability upload-callgraph");
+
+        var relative = "api/reachability/callgraphs";
+
+        using var httpRequest = CreateRequest(HttpMethod.Post, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        var content = new MultipartFormDataContent();
+        content.Add(new StreamContent(callGraphStream), "callGraph", Path.GetFileName(request.CallGraphPath));
+
+        if (!string.IsNullOrWhiteSpace(request.ScanId))
+        {
+            content.Add(new StringContent(request.ScanId), "scanId");
+        }
+
+        if (!string.IsNullOrWhiteSpace(request.AssetId))
+        {
+            content.Add(new StringContent(request.AssetId), "assetId");
+        }
+
+        if (!string.IsNullOrWhiteSpace(request.Format))
+        {
+            content.Add(new StringContent(request.Format), "format");
+        }
+
+        httpRequest.Content = content;
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Call graph upload failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<ReachabilityUploadCallGraphResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new ReachabilityUploadCallGraphResult();
+    }
+
+    public async Task<ReachabilityListResponse> ListReachabilityAnalysesAsync(ReachabilityListRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+        OfflineModeGuard.ThrowIfOffline("reachability list");
+
+        var queryParams = new List<string>();
+
+        if (!string.IsNullOrWhiteSpace(request.ScanId))
+            queryParams.Add($"scanId={Uri.EscapeDataString(request.ScanId)}");
+
+        if (!string.IsNullOrWhiteSpace(request.AssetId))
+            queryParams.Add($"assetId={Uri.EscapeDataString(request.AssetId)}");
+
+        if (!string.IsNullOrWhiteSpace(request.Status))
+            queryParams.Add($"status={Uri.EscapeDataString(request.Status)}");
+
+        if (request.Limit.HasValue)
+            queryParams.Add($"limit={request.Limit.Value}");
+
+        if (request.Offset.HasValue)
+            queryParams.Add($"offset={request.Offset.Value}");
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : "";
+        var relative = $"api/reachability/analyses{query}";
+
+        using var httpRequest = CreateRequest(HttpMethod.Get, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"List reachability analyses failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<ReachabilityListResponse>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new ReachabilityListResponse();
+    }
+
+    public async Task<ReachabilityExplainResult> ExplainReachabilityAsync(ReachabilityExplainRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+        OfflineModeGuard.ThrowIfOffline("reachability explain");
+
+        var queryParams = new List<string>();
+
+        if (!string.IsNullOrWhiteSpace(request.VulnerabilityId))
+            queryParams.Add($"vulnerabilityId={Uri.EscapeDataString(request.VulnerabilityId)}");
+
+        if (!string.IsNullOrWhiteSpace(request.PackagePurl))
+            queryParams.Add($"packagePurl={Uri.EscapeDataString(request.PackagePurl)}");
+
+        if (request.IncludeCallPaths)
+            queryParams.Add("includeCallPaths=true");
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : "";
+        var relative = $"api/reachability/analyses/{Uri.EscapeDataString(request.AnalysisId)}/explain{query}";
+
+        using var httpRequest = CreateRequest(HttpMethod.Get, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Explain reachability failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<ReachabilityExplainResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new ReachabilityExplainResult();
+    }
+
+    // CLI-SDK-63-001: API spec operations
+    public async Task<ApiSpecListResponse> ListApiSpecsAsync(string? tenant, CancellationToken cancellationToken)
+    {
+        EnsureBackendConfigured();
+        OfflineModeGuard.ThrowIfOffline("api spec list");
+
+        using var httpRequest = CreateRequest(HttpMethod.Get, "api/openapi/specs");
+
+        if (!string.IsNullOrWhiteSpace(tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            return new ApiSpecListResponse
+            {
+                Success = false,
+                Error = message
+            };
+        }
+
+        var result = await response.Content.ReadFromJsonAsync<ApiSpecListResponse>(JsonOptions, cancellationToken).ConfigureAwait(false);
+        return result ?? new ApiSpecListResponse { Success = false, Error = "Empty response" };
+    }
+
+    public async Task<ApiSpecDownloadResult> DownloadApiSpecAsync(ApiSpecDownloadRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+        OfflineModeGuard.ThrowIfOffline("api spec download");
+
+        // Determine output file path
+        var outputPath = request.OutputPath;
+        var extension = request.Format.Equals("openapi-yaml", StringComparison.OrdinalIgnoreCase) ? ".yaml" : ".json";
+        var fileName = string.IsNullOrWhiteSpace(request.Service)
+            ? $"stellaops-openapi{extension}"
+            : $"stellaops-{request.Service.ToLowerInvariant()}-openapi{extension}";
+
+        if (Directory.Exists(outputPath))
+        {
+            outputPath = Path.Combine(outputPath, fileName);
+        }
+        else if (string.IsNullOrWhiteSpace(Path.GetExtension(outputPath)))
+        {
+            outputPath = outputPath + extension;
+        }
+
+        // Check for existing file
+        if (!request.Overwrite && File.Exists(outputPath))
+        {
+            // Compute checksum of existing file
+            var existingChecksum = await ComputeChecksumAsync(outputPath, request.ChecksumAlgorithm, cancellationToken).ConfigureAwait(false);
+            return new ApiSpecDownloadResult
+            {
+                Success = true,
+                Path = outputPath,
+                SizeBytes = new FileInfo(outputPath).Length,
+                FromCache = true,
+                Checksum = existingChecksum,
+                ChecksumAlgorithm = request.ChecksumAlgorithm
+            };
+        }
+
+        // Build the endpoint URL
+        var serviceSegment = string.IsNullOrWhiteSpace(request.Service)
+            ? "aggregate"
+            : Uri.EscapeDataString(request.Service.Trim().ToLowerInvariant());
+        var formatQuery = request.Format.Equals("openapi-yaml", StringComparison.OrdinalIgnoreCase) ? "?format=yaml" : "";
+        var relative = $"api/openapi/specs/{serviceSegment}{formatQuery}";
+
+        using var httpRequest = CreateRequest(HttpMethod.Get, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        // Add conditional headers
+        if (!string.IsNullOrWhiteSpace(request.ExpectedETag))
+        {
+            httpRequest.Headers.IfNoneMatch.Add(new EntityTagHeaderValue($"\"{request.ExpectedETag}\""));
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+
+        // Handle 304 Not Modified
+        if (response.StatusCode == HttpStatusCode.NotModified)
+        {
+            if (File.Exists(outputPath))
+            {
+                var cachedChecksum = await ComputeChecksumAsync(outputPath, request.ChecksumAlgorithm, cancellationToken).ConfigureAwait(false);
+                return new ApiSpecDownloadResult
+                {
+                    Success = true,
+                    Path = outputPath,
+                    SizeBytes = new FileInfo(outputPath).Length,
+                    FromCache = true,
+                    ETag = request.ExpectedETag,
+                    Checksum = cachedChecksum,
+                    ChecksumAlgorithm = request.ChecksumAlgorithm
+                };
+            }
+        }
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, errorCode) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            return new ApiSpecDownloadResult
+            {
+                Success = false,
+                Error = message,
+                ErrorCode = errorCode
+            };
+        }
+
+        // Ensure output directory exists
+        var outputDir = Path.GetDirectoryName(outputPath);
+        if (!string.IsNullOrWhiteSpace(outputDir) && !Directory.Exists(outputDir))
+        {
+            Directory.CreateDirectory(outputDir);
+        }
+
+        // Download and save the spec
+        await using var contentStream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+        await using var fileStream = File.Create(outputPath);
+        await contentStream.CopyToAsync(fileStream, cancellationToken).ConfigureAwait(false);
+        await fileStream.FlushAsync(cancellationToken).ConfigureAwait(false);
+
+        var fileInfo = new FileInfo(outputPath);
+
+        // Get ETag from response
+        var etag = response.Headers.ETag?.Tag?.Trim('"');
+
+        // Compute checksum
+        var checksum = await ComputeChecksumAsync(outputPath, request.ChecksumAlgorithm, cancellationToken).ConfigureAwait(false);
+
+        // Verify checksum if expected
+        bool? checksumVerified = null;
+        if (!string.IsNullOrWhiteSpace(request.ExpectedChecksum))
+        {
+            checksumVerified = string.Equals(checksum, request.ExpectedChecksum, StringComparison.OrdinalIgnoreCase);
+            if (!checksumVerified.Value)
+            {
+                return new ApiSpecDownloadResult
+                {
+                    Success = false,
+                    Path = outputPath,
+                    SizeBytes = fileInfo.Length,
+                    ETag = etag,
+                    Checksum = checksum,
+                    ChecksumAlgorithm = request.ChecksumAlgorithm,
+                    ChecksumVerified = false,
+                    Error = $"Checksum mismatch: expected {request.ExpectedChecksum}, got {checksum}",
+                    ErrorCode = "ERR_API_CHECKSUM_MISMATCH"
+                };
+            }
+        }
+
+        // Try to extract API version from spec
+        string? apiVersion = null;
+        DateTimeOffset? generatedAt = null;
+        try
+        {
+            var specContent = await File.ReadAllTextAsync(outputPath, cancellationToken).ConfigureAwait(false);
+            if (specContent.Contains("\"info\""))
+            {
+                var specJson = JsonDocument.Parse(specContent);
+                if (specJson.RootElement.TryGetProperty("info", out var info))
+                {
+                    if (info.TryGetProperty("version", out var version))
+                    {
+                        apiVersion = version.GetString();
+                    }
+                }
+            }
+        }
+        catch
+        {
+            // Ignore version extraction errors
+        }
+
+        return new ApiSpecDownloadResult
+        {
+            Success = true,
+            Path = outputPath,
+            SizeBytes = fileInfo.Length,
+            FromCache = false,
+            ETag = etag,
+            Checksum = checksum,
+            ChecksumAlgorithm = request.ChecksumAlgorithm,
+            ChecksumVerified = checksumVerified,
+            ApiVersion = apiVersion,
+            GeneratedAt = generatedAt
+        };
+    }
+
+    private async Task<string> ComputeChecksumAsync(string filePath, string algorithm, CancellationToken cancellationToken)
+    {
+        using var hasher = algorithm.ToLowerInvariant() switch
+        {
+            "sha384" => (HashAlgorithm)SHA384.Create(),
+            "sha512" => SHA512.Create(),
+            _ => SHA256.Create()
+        };
+
+        await using var stream = File.OpenRead(filePath);
+        var hashBytes = await hasher.ComputeHashAsync(stream, cancellationToken).ConfigureAwait(false);
+        return Convert.ToHexString(hashBytes).ToLowerInvariant();
+    }
+
+    // CLI-SDK-64-001: SDK update operations
+    public async Task<SdkUpdateResponse> CheckSdkUpdatesAsync(SdkUpdateRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+        OfflineModeGuard.ThrowIfOffline("sdk update");
+
+        var queryParams = new List<string>();
+
+        if (!string.IsNullOrWhiteSpace(request.Language))
+            queryParams.Add($"language={Uri.EscapeDataString(request.Language)}");
+
+        if (request.IncludeChangelog)
+            queryParams.Add("includeChangelog=true");
+
+        if (request.IncludeDeprecations)
+            queryParams.Add("includeDeprecations=true");
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : "";
+        var relative = $"api/sdk/updates{query}";
+
+        using var httpRequest = CreateRequest(HttpMethod.Get, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            return new SdkUpdateResponse
+            {
+                Success = false,
+                Error = message
+            };
+        }
+
+        var result = await response.Content.ReadFromJsonAsync<SdkUpdateResponse>(JsonOptions, cancellationToken).ConfigureAwait(false);
+        return result ?? new SdkUpdateResponse { Success = false, Error = "Empty response" };
+    }
+
+    public async Task<SdkListResponse> ListInstalledSdksAsync(string? language, string? tenant, CancellationToken cancellationToken)
+    {
+        EnsureBackendConfigured();
+        OfflineModeGuard.ThrowIfOffline("sdk list");
+
+        var queryParams = new List<string>();
+
+        if (!string.IsNullOrWhiteSpace(language))
+            queryParams.Add($"language={Uri.EscapeDataString(language)}");
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : "";
+        var relative = $"api/sdk/installed{query}";
+
+        using var httpRequest = CreateRequest(HttpMethod.Get, relative);
+
+        if (!string.IsNullOrWhiteSpace(tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            return new SdkListResponse
+            {
+                Success = false,
+                Error = message
+            };
+        }
+
+        var result = await response.Content.ReadFromJsonAsync<SdkListResponse>(JsonOptions, cancellationToken).ConfigureAwait(false);
+        return result ?? new SdkListResponse { Success = false, Error = "Empty response" };
+    }
 }
diff --git a/src/Cli/StellaOps.Cli/Services/ConcelierObservationsClient.cs b/src/Cli/StellaOps.Cli/Services/ConcelierObservationsClient.cs
index d3862c018..35ccbe1e9 100644
--- a/src/Cli/StellaOps.Cli/Services/ConcelierObservationsClient.cs
+++ b/src/Cli/StellaOps.Cli/Services/ConcelierObservationsClient.cs
@@ -82,6 +82,83 @@ internal sealed class ConcelierObservationsClient : IConcelierObservationsClient
         return result ?? new AdvisoryObservationsResponse();
     }
 
+    /// <summary>
+    /// Gets advisory linkset with conflict information.
+    /// Per CLI-LNM-22-001.
+    /// </summary>
+    public async Task<AdvisoryLinksetResponse> GetLinksetAsync(
+        AdvisoryLinksetQuery query,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(query);
+
+        EnsureConfigured();
+
+        var requestUri = BuildLinksetRequestUri(query);
+        using var request = new HttpRequestMessage(HttpMethod.Get, requestUri);
+        await AuthorizeRequestAsync(request, cancellationToken).ConfigureAwait(false);
+
+        using var response = await httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
+        if (!response.IsSuccessStatusCode)
+        {
+            var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+            logger.LogError(
+                "Failed to query linkset (status {StatusCode}). Response: {Payload}",
+                (int)response.StatusCode,
+                string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+            response.EnsureSuccessStatusCode();
+        }
+
+        await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+        var result = await JsonSerializer
+            .DeserializeAsync<AdvisoryLinksetResponse>(stream, SerializerOptions, cancellationToken)
+            .ConfigureAwait(false);
+
+        return result ?? new AdvisoryLinksetResponse();
+    }
+
+    /// <summary>
+    /// Gets a single observation by ID.
+    /// Per CLI-LNM-22-001.
+    /// </summary>
+    public async Task<AdvisoryLinksetObservation?> GetObservationByIdAsync(
+        string tenant,
+        string observationId,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(tenant);
+        ArgumentException.ThrowIfNullOrWhiteSpace(observationId);
+
+        EnsureConfigured();
+
+        var requestUri = $"/concelier/observations/{Uri.EscapeDataString(observationId)}?tenant={Uri.EscapeDataString(tenant)}";
+        using var request = new HttpRequestMessage(HttpMethod.Get, requestUri);
+        await AuthorizeRequestAsync(request, cancellationToken).ConfigureAwait(false);
+
+        using var response = await httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
+        if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+        {
+            return null;
+        }
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+            logger.LogError(
+                "Failed to get observation (status {StatusCode}). Response: {Payload}",
+                (int)response.StatusCode,
+                string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+            response.EnsureSuccessStatusCode();
+        }
+
+        await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+        return await JsonSerializer
+            .DeserializeAsync<AdvisoryLinksetObservation>(stream, SerializerOptions, cancellationToken)
+            .ConfigureAwait(false);
+    }
+
     private static string BuildRequestUri(AdvisoryObservationsQuery query)
     {
         var builder = new StringBuilder("/concelier/observations?tenant=");
@@ -130,6 +207,71 @@ internal sealed class ConcelierObservationsClient : IConcelierObservationsClient
         }
     }
 
+    private static string BuildLinksetRequestUri(AdvisoryLinksetQuery query)
+    {
+        var builder = new StringBuilder("/concelier/linkset?tenant=");
+        builder.Append(Uri.EscapeDataString(query.Tenant));
+
+        AppendValues(builder, "observationId", query.ObservationIds);
+        AppendValues(builder, "alias", query.Aliases);
+        AppendValues(builder, "purl", query.Purls);
+        AppendValues(builder, "cpe", query.Cpes);
+        AppendValues(builder, "source", query.Sources);
+
+        if (!string.IsNullOrWhiteSpace(query.Severity))
+        {
+            builder.Append("&severity=");
+            builder.Append(Uri.EscapeDataString(query.Severity));
+        }
+
+        if (query.KevOnly.HasValue)
+        {
+            builder.Append("&kevOnly=");
+            builder.Append(query.KevOnly.Value ? "true" : "false");
+        }
+
+        if (query.HasFix.HasValue)
+        {
+            builder.Append("&hasFix=");
+            builder.Append(query.HasFix.Value ? "true" : "false");
+        }
+
+        if (query.Limit.HasValue && query.Limit.Value > 0)
+        {
+            builder.Append("&limit=");
+            builder.Append(query.Limit.Value.ToString(CultureInfo.InvariantCulture));
+        }
+
+        if (!string.IsNullOrWhiteSpace(query.Cursor))
+        {
+            builder.Append("&cursor=");
+            builder.Append(Uri.EscapeDataString(query.Cursor));
+        }
+
+        return builder.ToString();
+
+        static void AppendValues(StringBuilder builder, string name, IReadOnlyList<string> values)
+        {
+            if (values is null || values.Count == 0)
+            {
+                return;
+            }
+
+            foreach (var value in values)
+            {
+                if (string.IsNullOrWhiteSpace(value))
+                {
+                    continue;
+                }
+
+                builder.Append('&');
+                builder.Append(name);
+                builder.Append('=');
+                builder.Append(Uri.EscapeDataString(value));
+            }
+        }
+    }
+
     private void EnsureConfigured()
     {
         if (!string.IsNullOrWhiteSpace(options.ConcelierUrl))
diff --git a/src/Cli/StellaOps.Cli/Services/DeterminismHarness.cs b/src/Cli/StellaOps.Cli/Services/DeterminismHarness.cs
new file mode 100644
index 000000000..958fdd6f2
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/DeterminismHarness.cs
@@ -0,0 +1,850 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.IO;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Determinism harness for running scanner with frozen conditions.
+/// Per CLI-DETER-70-003.
+/// </summary>
+internal sealed class DeterminismHarness : IDeterminismHarness
+{
+    private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
+    {
+        WriteIndented = true,
+        PropertyNameCaseInsensitive = true
+    };
+
+    private static readonly string[] ArtifactPatterns = new[]
+    {
+        "sbom.json", "sbom.spdx.json", "sbom.cdx.json",
+        "vex.json", "findings.json", "scan.json",
+        "layers.json", "metadata.json"
+    };
+
+    private readonly ILogger<DeterminismHarness> _logger;
+
+    public DeterminismHarness(ILogger<DeterminismHarness> logger)
+    {
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    public async Task<DeterminismRunResult> RunAsync(
+        DeterminismRunRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        var sw = Stopwatch.StartNew();
+        var errors = new List<string>();
+        var warnings = new List<string>();
+        var imageResults = new List<DeterminismImageResult>();
+        var failedImages = new List<string>();
+
+        _logger.LogDebug("Starting determinism harness with {ImageCount} images, {Runs} runs each",
+            request.Images.Count, request.Runs);
+
+        // Validate prerequisites
+        if (!await IsDockerAvailableAsync(cancellationToken))
+        {
+            errors.Add("Docker is not available or not running");
+            return new DeterminismRunResult
+            {
+                Success = false,
+                Errors = errors,
+                DurationMs = sw.ElapsedMilliseconds
+            };
+        }
+
+        if (request.Images.Count == 0)
+        {
+            errors.Add("No images specified for determinism testing");
+            return new DeterminismRunResult
+            {
+                Success = false,
+                Errors = errors,
+                DurationMs = sw.ElapsedMilliseconds
+            };
+        }
+
+        if (string.IsNullOrWhiteSpace(request.Scanner))
+        {
+            errors.Add("Scanner image reference is required");
+            return new DeterminismRunResult
+            {
+                Success = false,
+                Errors = errors,
+                DurationMs = sw.ElapsedMilliseconds
+            };
+        }
+
+        // Create output directory
+        var outputDir = request.OutputDir ?? Path.Combine(
+            Path.GetTempPath(),
+            $"stella-detscore-{DateTime.UtcNow:yyyyMMdd-HHmmss}");
+        Directory.CreateDirectory(outputDir);
+
+        // Resolve SHAs
+        var scannerSha = await ResolveImageDigestAsync(request.Scanner, cancellationToken) ?? "unknown";
+        var policySha = await ComputeBundleShaAsync(request.PolicyBundle, cancellationToken) ?? "none";
+        var feedsSha = await ComputeBundleShaAsync(request.FeedsBundle, cancellationToken) ?? "none";
+
+        var fixedClock = request.FixedClock ?? DateTimeOffset.UtcNow;
+
+        // Run determinism tests for each image
+        foreach (var imageRef in request.Images)
+        {
+            _logger.LogInformation("Testing determinism for image: {Image}", imageRef);
+
+            try
+            {
+                var imageResult = await RunImageDeterminismAsync(
+                    imageRef,
+                    request,
+                    fixedClock,
+                    outputDir,
+                    cancellationToken);
+
+                imageResults.Add(imageResult);
+
+                if (imageResult.Score < request.ImageThreshold)
+                {
+                    failedImages.Add(imageRef);
+                    warnings.Add($"Image {imageRef} score {imageResult.Score:P0} below threshold {request.ImageThreshold:P0}");
+                }
+
+                if (imageResult.NonDeterministic.Count > 0)
+                {
+                    warnings.Add($"Image {imageRef} has non-deterministic artifacts: {string.Join(", ", imageResult.NonDeterministic)}");
+                }
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex, "Failed to test determinism for image {Image}", imageRef);
+                errors.Add($"Failed to test image {imageRef}: {ex.Message}");
+                imageResults.Add(new DeterminismImageResult
+                {
+                    Digest = imageRef,
+                    Runs = 0,
+                    Identical = 0,
+                    Score = 0,
+                    Notes = $"Error: {ex.Message}"
+                });
+                failedImages.Add(imageRef);
+            }
+        }
+
+        // Calculate overall score
+        var overallScore = imageResults.Count > 0
+            ? imageResults.Average(r => r.Score)
+            : 0;
+
+        var passedThreshold = overallScore >= request.OverallThreshold &&
+                              failedImages.Count == 0;
+
+        if (overallScore < request.OverallThreshold)
+        {
+            warnings.Add($"Overall score {overallScore:P0} below threshold {request.OverallThreshold:P0}");
+        }
+
+        // Build manifest
+        var manifest = new DeterminismManifest
+        {
+            Version = "1",
+            Release = request.Release ?? $"local-{DateTime.UtcNow:yyyyMMdd}",
+            Platform = request.Platform,
+            PolicySha = policySha,
+            FeedsSha = feedsSha,
+            ScannerSha = scannerSha,
+            Images = imageResults,
+            OverallScore = overallScore,
+            Thresholds = new DeterminismThresholds
+            {
+                ImageMin = request.ImageThreshold,
+                OverallMin = request.OverallThreshold
+            },
+            GeneratedAt = DateTimeOffset.UtcNow,
+            Execution = new DeterminismExecutionInfo
+            {
+                FixedClock = fixedClock,
+                RngSeed = request.RngSeed,
+                MaxConcurrency = request.MaxConcurrency,
+                MemoryLimit = request.MemoryLimit,
+                CpuSet = request.CpuSet,
+                NetworkMode = "none"
+            }
+        };
+
+        // Write manifest
+        var manifestPath = Path.Combine(outputDir, "determinism.json");
+        var manifestJson = JsonSerializer.Serialize(manifest, SerializerOptions);
+        await File.WriteAllTextAsync(manifestPath, manifestJson, cancellationToken);
+        _logger.LogInformation("Wrote determinism manifest to {Path}", manifestPath);
+
+        sw.Stop();
+
+        return new DeterminismRunResult
+        {
+            Success = errors.Count == 0,
+            Manifest = manifest,
+            OutputPath = manifestPath,
+            PassedThreshold = passedThreshold,
+            FailedImages = failedImages,
+            Errors = errors,
+            Warnings = warnings,
+            DurationMs = sw.ElapsedMilliseconds
+        };
+    }
+
+    public DeterminismVerificationResult VerifyManifest(
+        DeterminismManifest manifest,
+        double imageThreshold,
+        double overallThreshold)
+    {
+        ArgumentNullException.ThrowIfNull(manifest);
+
+        var failedImages = new List<string>();
+        var warnings = new List<string>();
+
+        foreach (var image in manifest.Images)
+        {
+            if (image.Score < imageThreshold)
+            {
+                failedImages.Add(image.Digest);
+            }
+
+            if (image.NonDeterministic.Count > 0)
+            {
+                warnings.Add($"Image {image.Digest} has non-deterministic artifacts: {string.Join(", ", image.NonDeterministic)}");
+            }
+        }
+
+        var passed = manifest.OverallScore >= overallThreshold && failedImages.Count == 0;
+
+        if (manifest.OverallScore < overallThreshold)
+        {
+            warnings.Add($"Overall score {manifest.OverallScore:P0} below threshold {overallThreshold:P0}");
+        }
+
+        return new DeterminismVerificationResult
+        {
+            Passed = passed,
+            OverallScore = manifest.OverallScore,
+            FailedImages = failedImages.ToArray(),
+            Warnings = warnings.ToArray()
+        };
+    }
+
+    private async Task<DeterminismImageResult> RunImageDeterminismAsync(
+        string imageRef,
+        DeterminismRunRequest request,
+        DateTimeOffset fixedClock,
+        string outputDir,
+        CancellationToken cancellationToken)
+    {
+        var imageDigest = await ResolveImageDigestAsync(imageRef, cancellationToken) ?? imageRef;
+        var imageOutputDir = Path.Combine(outputDir, SanitizeForPath(imageDigest));
+        Directory.CreateDirectory(imageOutputDir);
+
+        var runDetails = new List<DeterminismRunDetail>();
+        Dictionary<string, string>? baselineHashes = null;
+        var identicalCount = 0;
+        var nonDeterministic = new HashSet<string>();
+
+        for (var runNum = 1; runNum <= request.Runs; runNum++)
+        {
+            _logger.LogDebug("Running determinism test {Run}/{Total} for {Image}",
+                runNum, request.Runs, imageRef);
+
+            var runDir = Path.Combine(imageOutputDir, $"run_{runNum}");
+            Directory.CreateDirectory(runDir);
+
+            var runSw = Stopwatch.StartNew();
+            var exitCode = await RunScannerAsync(
+                imageRef,
+                request.Scanner,
+                request.PolicyBundle,
+                request.FeedsBundle,
+                fixedClock,
+                request.RngSeed,
+                request.MaxConcurrency,
+                request.MemoryLimit,
+                request.CpuSet,
+                runDir,
+                cancellationToken);
+            runSw.Stop();
+
+            // Compute hashes for artifacts
+            var artifactHashes = await ComputeArtifactHashesAsync(runDir, cancellationToken);
+
+            // Compare with baseline
+            var isIdentical = true;
+            if (baselineHashes == null)
+            {
+                baselineHashes = artifactHashes;
+                isIdentical = true; // First run is always "identical" (it's the baseline)
+            }
+            else
+            {
+                foreach (var (artifact, hash) in artifactHashes)
+                {
+                    if (baselineHashes.TryGetValue(artifact, out var baselineHash))
+                    {
+                        if (hash != baselineHash)
+                        {
+                            isIdentical = false;
+                            nonDeterministic.Add(artifact);
+                            _logger.LogWarning("Non-deterministic artifact {Artifact} in run {Run}: {Hash} != {Baseline}",
+                                artifact, runNum, hash[..16], baselineHash[..16]);
+                        }
+                    }
+                    else
+                    {
+                        // New artifact not in baseline
+                        isIdentical = false;
+                        nonDeterministic.Add(artifact);
+                    }
+                }
+
+                // Check for missing artifacts
+                foreach (var artifact in baselineHashes.Keys)
+                {
+                    if (!artifactHashes.ContainsKey(artifact))
+                    {
+                        isIdentical = false;
+                        nonDeterministic.Add(artifact);
+                    }
+                }
+            }
+
+            if (isIdentical)
+            {
+                identicalCount++;
+            }
+
+            runDetails.Add(new DeterminismRunDetail
+            {
+                RunNumber = runNum,
+                Identical = isIdentical,
+                ArtifactHashes = artifactHashes,
+                DurationMs = runSw.ElapsedMilliseconds,
+                ExitCode = exitCode
+            });
+        }
+
+        var score = request.Runs > 0 ? (double)identicalCount / request.Runs : 0;
+
+        return new DeterminismImageResult
+        {
+            Digest = imageDigest,
+            Runs = request.Runs,
+            Identical = identicalCount,
+            Score = score,
+            ArtifactHashes = baselineHashes ?? new Dictionary<string, string>(),
+            NonDeterministic = nonDeterministic.ToArray(),
+            RunDetails = runDetails
+        };
+    }
+
+    private async Task<int> RunScannerAsync(
+        string imageRef,
+        string scannerImage,
+        string? policyBundle,
+        string? feedsBundle,
+        DateTimeOffset fixedClock,
+        int rngSeed,
+        int maxConcurrency,
+        string memoryLimit,
+        string cpuSet,
+        string outputDir,
+        CancellationToken cancellationToken)
+    {
+        // Build docker run command with determinism constraints
+        var args = new StringBuilder();
+        args.Append("run --rm ");
+        args.Append($"--network=none ");
+        args.Append($"--cpuset-cpus={cpuSet} ");
+        args.Append($"--memory={memoryLimit} ");
+        args.Append($"-e RNG_SEED={rngSeed} ");
+        args.Append($"-e SCANNER_MAX_CONCURRENCY={maxConcurrency} ");
+        args.Append($"-v \"{outputDir}:/output\" ");
+
+        if (!string.IsNullOrWhiteSpace(policyBundle) && File.Exists(policyBundle))
+        {
+            args.Append($"-v \"{Path.GetFullPath(policyBundle)}:/policy:ro\" ");
+        }
+
+        if (!string.IsNullOrWhiteSpace(feedsBundle) && File.Exists(feedsBundle))
+        {
+            args.Append($"-v \"{Path.GetFullPath(feedsBundle)}:/feeds:ro\" ");
+        }
+
+        args.Append($"{scannerImage} ");
+        args.Append($"scan --image {imageRef} ");
+        args.Append($"--fixed-clock {fixedClock:yyyy-MM-ddTHH:mm:ssZ} ");
+        args.Append("--output /output ");
+
+        using var process = new Process
+        {
+            StartInfo = new ProcessStartInfo
+            {
+                FileName = "docker",
+                Arguments = args.ToString(),
+                RedirectStandardOutput = true,
+                RedirectStandardError = true,
+                UseShellExecute = false,
+                CreateNoWindow = true
+            }
+        };
+
+        _logger.LogDebug("Executing: docker {Args}", args);
+
+        process.Start();
+
+        // Read output asynchronously
+        var stdoutTask = process.StandardOutput.ReadToEndAsync(cancellationToken);
+        var stderrTask = process.StandardError.ReadToEndAsync(cancellationToken);
+
+        await process.WaitForExitAsync(cancellationToken);
+
+        var stdout = await stdoutTask;
+        var stderr = await stderrTask;
+
+        if (!string.IsNullOrWhiteSpace(stderr))
+        {
+            _logger.LogDebug("Scanner stderr: {Stderr}", stderr);
+        }
+
+        // Save stdout/stderr for diagnostics
+        await File.WriteAllTextAsync(
+            Path.Combine(outputDir, "stdout.log"),
+            stdout,
+            cancellationToken);
+        await File.WriteAllTextAsync(
+            Path.Combine(outputDir, "stderr.log"),
+            stderr,
+            cancellationToken);
+
+        return process.ExitCode;
+    }
+
+    private async Task<Dictionary<string, string>> ComputeArtifactHashesAsync(
+        string directory,
+        CancellationToken cancellationToken)
+    {
+        var hashes = new Dictionary<string, string>();
+
+        foreach (var pattern in ArtifactPatterns)
+        {
+            var filePath = Path.Combine(directory, pattern);
+            if (File.Exists(filePath))
+            {
+                var hash = await ComputeFileHashAsync(filePath, cancellationToken);
+                hashes[pattern] = hash;
+            }
+        }
+
+        // Also check for any .json files in output
+        foreach (var file in Directory.GetFiles(directory, "*.json"))
+        {
+            var fileName = Path.GetFileName(file);
+            if (!hashes.ContainsKey(fileName))
+            {
+                var hash = await ComputeFileHashAsync(file, cancellationToken);
+                hashes[fileName] = hash;
+            }
+        }
+
+        return hashes;
+    }
+
+    private static async Task<string> ComputeFileHashAsync(string filePath, CancellationToken cancellationToken)
+    {
+        await using var stream = File.OpenRead(filePath);
+        var hash = await SHA256.HashDataAsync(stream, cancellationToken);
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+
+    private static async Task<string?> ComputeBundleShaAsync(string? bundlePath, CancellationToken cancellationToken)
+    {
+        if (string.IsNullOrWhiteSpace(bundlePath))
+            return null;
+
+        if (!File.Exists(bundlePath))
+            return null;
+
+        return await ComputeFileHashAsync(bundlePath, cancellationToken);
+    }
+
+    private static async Task<string?> ResolveImageDigestAsync(string imageRef, CancellationToken cancellationToken)
+    {
+        // If already contains digest, extract it
+        if (imageRef.Contains("@sha256:", StringComparison.OrdinalIgnoreCase))
+        {
+            var atIndex = imageRef.IndexOf('@');
+            if (atIndex >= 0)
+            {
+                return imageRef[(atIndex + 1)..];
+            }
+        }
+
+        // Try using crane/docker to resolve
+        try
+        {
+            using var process = new Process
+            {
+                StartInfo = new ProcessStartInfo
+                {
+                    FileName = "docker",
+                    Arguments = $"inspect --format='{{{{.RepoDigests}}}}' {imageRef}",
+                    RedirectStandardOutput = true,
+                    RedirectStandardError = true,
+                    UseShellExecute = false,
+                    CreateNoWindow = true
+                }
+            };
+
+            process.Start();
+            var stdout = await process.StandardOutput.ReadToEndAsync(cancellationToken);
+            await process.WaitForExitAsync(cancellationToken);
+
+            if (process.ExitCode == 0 && stdout.Contains("sha256:"))
+            {
+                var match = System.Text.RegularExpressions.Regex.Match(stdout, @"sha256:[a-f0-9]{64}");
+                if (match.Success)
+                {
+                    return match.Value;
+                }
+            }
+        }
+        catch
+        {
+            // Ignore errors, return null
+        }
+
+        return null;
+    }
+
+    private static async Task<bool> IsDockerAvailableAsync(CancellationToken cancellationToken)
+    {
+        try
+        {
+            using var process = new Process
+            {
+                StartInfo = new ProcessStartInfo
+                {
+                    FileName = "docker",
+                    Arguments = "version --format '{{.Server.Version}}'",
+                    RedirectStandardOutput = true,
+                    RedirectStandardError = true,
+                    UseShellExecute = false,
+                    CreateNoWindow = true
+                }
+            };
+
+            process.Start();
+            await process.WaitForExitAsync(cancellationToken);
+            return process.ExitCode == 0;
+        }
+        catch
+        {
+            return false;
+        }
+    }
+
+    private static string SanitizeForPath(string input)
+    {
+        // Replace invalid path characters
+        var invalid = Path.GetInvalidFileNameChars();
+        var result = new StringBuilder(input);
+        foreach (var c in invalid)
+        {
+            result.Replace(c, '_');
+        }
+        return result.ToString();
+    }
+
+    // CLI-DETER-70-004: Generate report implementation
+    public async Task<DeterminismReportResult> GenerateReportAsync(
+        DeterminismReportRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        var errors = new List<string>();
+        var warnings = new List<string>();
+        var manifests = new List<(string path, DeterminismManifest manifest)>();
+
+        _logger.LogDebug("Generating determinism report from {Count} manifests", request.ManifestPaths.Count);
+
+        if (request.ManifestPaths.Count == 0)
+        {
+            errors.Add("No manifest paths provided");
+            return new DeterminismReportResult
+            {
+                Success = false,
+                Errors = errors
+            };
+        }
+
+        // Load all manifests
+        foreach (var path in request.ManifestPaths)
+        {
+            if (!File.Exists(path))
+            {
+                warnings.Add($"Manifest not found: {path}");
+                continue;
+            }
+
+            try
+            {
+                var json = await File.ReadAllTextAsync(path, cancellationToken).ConfigureAwait(false);
+                var manifest = JsonSerializer.Deserialize<DeterminismManifest>(json, SerializerOptions);
+                if (manifest != null)
+                {
+                    manifests.Add((path, manifest));
+                }
+                else
+                {
+                    warnings.Add($"Failed to parse manifest: {path}");
+                }
+            }
+            catch (Exception ex)
+            {
+                warnings.Add($"Error reading manifest {path}: {ex.Message}");
+            }
+        }
+
+        if (manifests.Count == 0)
+        {
+            errors.Add("No valid manifests found");
+            return new DeterminismReportResult
+            {
+                Success = false,
+                Errors = errors,
+                Warnings = warnings
+            };
+        }
+
+        // Build release entries
+        var releases = manifests.Select(m => new DeterminismReleaseEntry
+        {
+            Release = m.manifest.Release,
+            Platform = m.manifest.Platform,
+            OverallScore = m.manifest.OverallScore,
+            Passed = m.manifest.OverallScore >= m.manifest.Thresholds.OverallMin,
+            ImageCount = m.manifest.Images.Count,
+            GeneratedAt = m.manifest.GeneratedAt,
+            ScannerSha = m.manifest.ScannerSha,
+            ManifestPath = m.path
+        }).OrderByDescending(r => r.GeneratedAt).ToList();
+
+        // Build image matrix
+        var imageScores = new Dictionary<string, Dictionary<string, double>>();
+        var imageNonDet = new Dictionary<string, HashSet<string>>();
+
+        foreach (var (path, manifest) in manifests)
+        {
+            foreach (var img in manifest.Images)
+            {
+                if (!imageScores.ContainsKey(img.Digest))
+                {
+                    imageScores[img.Digest] = new Dictionary<string, double>();
+                    imageNonDet[img.Digest] = new HashSet<string>();
+                }
+
+                imageScores[img.Digest][manifest.Release] = img.Score;
+
+                foreach (var nd in img.NonDeterministic)
+                {
+                    imageNonDet[img.Digest].Add(nd);
+                }
+            }
+        }
+
+        var imageMatrix = imageScores.Select(kvp => new DeterminismImageMatrixEntry
+        {
+            ImageDigest = kvp.Key,
+            Scores = kvp.Value,
+            AverageScore = kvp.Value.Values.Average(),
+            NonDeterministicArtifacts = imageNonDet[kvp.Key].ToArray()
+        }).OrderBy(e => e.AverageScore).ToList();
+
+        // Compute summary
+        var allScores = manifests.Select(m => m.manifest.OverallScore).ToList();
+        var allNonDet = manifests
+            .SelectMany(m => m.manifest.Images)
+            .SelectMany(i => i.NonDeterministic)
+            .Distinct()
+            .ToList();
+
+        var summary = new DeterminismReportSummary
+        {
+            TotalReleases = manifests.Count,
+            TotalImages = imageMatrix.Count,
+            AverageScore = allScores.Count > 0 ? allScores.Average() : 0,
+            MinScore = allScores.Count > 0 ? allScores.Min() : 0,
+            MaxScore = allScores.Count > 0 ? allScores.Max() : 0,
+            PassedCount = releases.Count(r => r.Passed),
+            FailedCount = releases.Count(r => !r.Passed),
+            NonDeterministicArtifacts = allNonDet
+        };
+
+        var report = new DeterminismReport
+        {
+            Title = request.Title ?? "Determinism Score Report",
+            GeneratedAt = DateTimeOffset.UtcNow,
+            Summary = summary,
+            Releases = releases,
+            ImageMatrix = imageMatrix
+        };
+
+        // Write output
+        string? outputPath = null;
+        if (!string.IsNullOrWhiteSpace(request.OutputPath))
+        {
+            outputPath = request.OutputPath;
+            var content = request.Format.ToLowerInvariant() switch
+            {
+                "json" => JsonSerializer.Serialize(report, SerializerOptions),
+                "csv" => GenerateCsvReport(report),
+                _ => GenerateMarkdownReport(report, request.IncludeDetails)
+            };
+
+            await File.WriteAllTextAsync(outputPath, content, cancellationToken).ConfigureAwait(false);
+            _logger.LogInformation("Wrote determinism report to {Path}", outputPath);
+        }
+
+        return new DeterminismReportResult
+        {
+            Success = true,
+            Report = report,
+            OutputPath = outputPath,
+            Format = request.Format,
+            Warnings = warnings
+        };
+    }
+
+    private static string GenerateMarkdownReport(DeterminismReport report, bool includeDetails)
+    {
+        var sb = new StringBuilder();
+
+        sb.AppendLine($"# {report.Title}");
+        sb.AppendLine();
+        sb.AppendLine($"Generated: {report.GeneratedAt:u}");
+        sb.AppendLine();
+
+        // Summary
+        sb.AppendLine("## Summary");
+        sb.AppendLine();
+        sb.AppendLine($"| Metric | Value |");
+        sb.AppendLine($"|--------|-------|");
+        sb.AppendLine($"| Total Releases | {report.Summary.TotalReleases} |");
+        sb.AppendLine($"| Total Images | {report.Summary.TotalImages} |");
+        sb.AppendLine($"| Average Score | {report.Summary.AverageScore:P1} |");
+        sb.AppendLine($"| Min Score | {report.Summary.MinScore:P1} |");
+        sb.AppendLine($"| Max Score | {report.Summary.MaxScore:P1} |");
+        sb.AppendLine($"| Passed | {report.Summary.PassedCount} |");
+        sb.AppendLine($"| Failed | {report.Summary.FailedCount} |");
+        sb.AppendLine();
+
+        if (report.Summary.NonDeterministicArtifacts.Count > 0)
+        {
+            sb.AppendLine("### Non-Deterministic Artifacts");
+            sb.AppendLine();
+            foreach (var artifact in report.Summary.NonDeterministicArtifacts)
+            {
+                sb.AppendLine($"- `{artifact}`");
+            }
+            sb.AppendLine();
+        }
+
+        // Releases table
+        sb.AppendLine("## Releases");
+        sb.AppendLine();
+        sb.AppendLine("| Release | Platform | Score | Status | Images | Generated |");
+        sb.AppendLine("|---------|----------|-------|--------|--------|-----------|");
+
+        foreach (var release in report.Releases)
+        {
+            var status = release.Passed ? "✅ PASS" : "❌ FAIL";
+            sb.AppendLine($"| {release.Release} | {release.Platform} | {release.OverallScore:P1} | {status} | {release.ImageCount} | {release.GeneratedAt:yyyy-MM-dd} |");
+        }
+        sb.AppendLine();
+
+        // Image matrix
+        if (includeDetails && report.ImageMatrix.Count > 0)
+        {
+            sb.AppendLine("## Per-Image Matrix");
+            sb.AppendLine();
+
+            var releaseNames = report.Releases.Select(r => r.Release).ToList();
+
+            // Header
+            sb.Append("| Image |");
+            foreach (var rel in releaseNames)
+            {
+                sb.Append($" {rel} |");
+            }
+            sb.AppendLine(" Avg |");
+
+            // Separator
+            sb.Append("|-------|");
+            foreach (var _ in releaseNames)
+            {
+                sb.Append("------|");
+            }
+            sb.AppendLine("-----|");
+
+            // Rows
+            foreach (var img in report.ImageMatrix)
+            {
+                var digest = img.ImageDigest.Length > 16 ? img.ImageDigest[..16] + "..." : img.ImageDigest;
+                sb.Append($"| `{digest}` |");
+
+                foreach (var rel in releaseNames)
+                {
+                    if (img.Scores.TryGetValue(rel, out var score))
+                    {
+                        sb.Append($" {score:P0} |");
+                    }
+                    else
+                    {
+                        sb.Append(" - |");
+                    }
+                }
+
+                sb.AppendLine($" {img.AverageScore:P0} |");
+            }
+            sb.AppendLine();
+        }
+
+        return sb.ToString();
+    }
+
+    private static string GenerateCsvReport(DeterminismReport report)
+    {
+        var sb = new StringBuilder();
+
+        // Header
+        sb.AppendLine("Release,Platform,Score,Passed,ImageCount,GeneratedAt,ScannerSha");
+
+        // Rows
+        foreach (var release in report.Releases)
+        {
+            sb.AppendLine($"{release.Release},{release.Platform},{release.OverallScore:F4},{release.Passed},{release.ImageCount},{release.GeneratedAt:o},{release.ScannerSha}");
+        }
+
+        return sb.ToString();
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/ExceptionClient.cs b/src/Cli/StellaOps.Cli/Services/ExceptionClient.cs
new file mode 100644
index 000000000..88c88364f
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/ExceptionClient.cs
@@ -0,0 +1,596 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Text;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Auth.Abstractions;
+using StellaOps.Auth.Client;
+using StellaOps.Cli.Configuration;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for exception governance API operations.
+/// Per CLI-EXC-25-001.
+/// </summary>
+internal sealed class ExceptionClient : IExceptionClient
+{
+    private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web);
+    private static readonly TimeSpan TokenRefreshSkew = TimeSpan.FromSeconds(30);
+
+    private readonly HttpClient httpClient;
+    private readonly StellaOpsCliOptions options;
+    private readonly ILogger<ExceptionClient> logger;
+    private readonly IStellaOpsTokenClient? tokenClient;
+    private readonly object tokenSync = new();
+
+    private string? cachedAccessToken;
+    private DateTimeOffset cachedAccessTokenExpiresAt = DateTimeOffset.MinValue;
+
+    public ExceptionClient(
+        HttpClient httpClient,
+        StellaOpsCliOptions options,
+        ILogger<ExceptionClient> logger,
+        IStellaOpsTokenClient? tokenClient = null)
+    {
+        this.httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
+        this.options = options ?? throw new ArgumentNullException(nameof(options));
+        this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        this.tokenClient = tokenClient;
+
+        if (!string.IsNullOrWhiteSpace(options.BackendUrl) && httpClient.BaseAddress is null)
+        {
+            if (Uri.TryCreate(options.BackendUrl, UriKind.Absolute, out var baseUri))
+            {
+                httpClient.BaseAddress = baseUri;
+            }
+        }
+    }
+
+    public async Task<ExceptionListResponse> ListAsync(
+        ExceptionListRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var uri = BuildListUri(request);
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "exceptions.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to list exceptions (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new ExceptionListResponse();
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<ExceptionListResponse>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new ExceptionListResponse();
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while listing exceptions");
+            return new ExceptionListResponse();
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while listing exceptions");
+            return new ExceptionListResponse();
+        }
+    }
+
+    public async Task<ExceptionInstance?> GetAsync(
+        string exceptionId,
+        string? tenant,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(exceptionId);
+
+        try
+        {
+            EnsureConfigured();
+
+            var uri = $"/api/v1/exceptions/{Uri.EscapeDataString(exceptionId)}";
+            if (!string.IsNullOrWhiteSpace(tenant))
+            {
+                uri += $"?tenant={Uri.EscapeDataString(tenant)}";
+            }
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "exceptions.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+            {
+                return null;
+            }
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to get exception (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return null;
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer
+                .DeserializeAsync<ExceptionInstance>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while getting exception");
+            return null;
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while getting exception");
+            return null;
+        }
+    }
+
+    public async Task<ExceptionOperationResult> CreateAsync(
+        ExceptionCreateRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/exceptions")
+            {
+                Content = content
+            };
+            await AuthorizeRequestAsync(httpRequest, "exceptions.write", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to create exception (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new ExceptionOperationResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<ExceptionOperationResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new ExceptionOperationResult { Success = false, Errors = ["Empty response"] };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while creating exception");
+            return new ExceptionOperationResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while creating exception");
+            return new ExceptionOperationResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    public async Task<ExceptionOperationResult> PromoteAsync(
+        ExceptionPromoteRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, $"/api/v1/exceptions/{Uri.EscapeDataString(request.ExceptionId)}/promote")
+            {
+                Content = content
+            };
+            await AuthorizeRequestAsync(httpRequest, "exceptions.approve", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to promote exception (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new ExceptionOperationResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<ExceptionOperationResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new ExceptionOperationResult { Success = false, Errors = ["Empty response"] };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while promoting exception");
+            return new ExceptionOperationResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while promoting exception");
+            return new ExceptionOperationResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    public async Task<ExceptionOperationResult> RevokeAsync(
+        ExceptionRevokeRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, $"/api/v1/exceptions/{Uri.EscapeDataString(request.ExceptionId)}/revoke")
+            {
+                Content = content
+            };
+            await AuthorizeRequestAsync(httpRequest, "exceptions.write", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to revoke exception (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new ExceptionOperationResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<ExceptionOperationResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new ExceptionOperationResult { Success = false, Errors = ["Empty response"] };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while revoking exception");
+            return new ExceptionOperationResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while revoking exception");
+            return new ExceptionOperationResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    public async Task<ExceptionImportResult> ImportAsync(
+        ExceptionImportRequest request,
+        Stream ndjsonStream,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+        ArgumentNullException.ThrowIfNull(ndjsonStream);
+
+        try
+        {
+            EnsureConfigured();
+
+            using var content = new MultipartFormDataContent();
+            var streamContent = new StreamContent(ndjsonStream);
+            streamContent.Headers.ContentType = new MediaTypeHeaderValue("application/x-ndjson");
+            content.Add(streamContent, "file", "exceptions.ndjson");
+            content.Add(new StringContent(request.Tenant), "tenant");
+            content.Add(new StringContent(request.Stage.ToString().ToLowerInvariant()), "stage");
+            if (!string.IsNullOrWhiteSpace(request.Source))
+            {
+                content.Add(new StringContent(request.Source), "source");
+            }
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/exceptions/import")
+            {
+                Content = content
+            };
+            await AuthorizeRequestAsync(httpRequest, "exceptions.write", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to import exceptions (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new ExceptionImportResult
+                {
+                    Success = false,
+                    Errors = [new ExceptionImportError { Line = 0, Message = $"API returned {(int)response.StatusCode}: {response.ReasonPhrase}" }]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<ExceptionImportResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new ExceptionImportResult { Success = false, Errors = [new ExceptionImportError { Line = 0, Message = "Empty response" }] };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while importing exceptions");
+            return new ExceptionImportResult
+            {
+                Success = false,
+                Errors = [new ExceptionImportError { Line = 0, Message = $"Connection error: {ex.Message}" }]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while importing exceptions");
+            return new ExceptionImportResult
+            {
+                Success = false,
+                Errors = [new ExceptionImportError { Line = 0, Message = "Request timed out" }]
+            };
+        }
+    }
+
+    public async Task<(Stream Content, ExceptionExportManifest? Manifest)> ExportAsync(
+        ExceptionExportRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var queryParams = new List<string>();
+            if (!string.IsNullOrWhiteSpace(request.Tenant))
+            {
+                queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+            }
+            if (request.Statuses is { Count: > 0 })
+            {
+                foreach (var status in request.Statuses)
+                {
+                    queryParams.Add($"status={Uri.EscapeDataString(status)}");
+                }
+            }
+            queryParams.Add($"format={Uri.EscapeDataString(request.Format)}");
+            queryParams.Add($"includeManifest={request.IncludeManifest.ToString().ToLowerInvariant()}");
+            queryParams.Add($"signed={request.Signed.ToString().ToLowerInvariant()}");
+
+            var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+            var uri = $"/api/v1/exceptions/export{query}";
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "exceptions.read", cancellationToken).ConfigureAwait(false);
+
+            var response = await httpClient.SendAsync(httpRequest, HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to export exceptions (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return (Stream.Null, null);
+            }
+
+            // Parse manifest from header if present
+            ExceptionExportManifest? manifest = null;
+            if (response.Headers.TryGetValues("X-Export-Manifest", out var manifestValues))
+            {
+                var manifestJson = string.Join("", manifestValues);
+                if (!string.IsNullOrWhiteSpace(manifestJson))
+                {
+                    try
+                    {
+                        manifest = JsonSerializer.Deserialize<ExceptionExportManifest>(manifestJson, SerializerOptions);
+                    }
+                    catch (JsonException)
+                    {
+                        // Ignore parse errors for optional header
+                    }
+                }
+            }
+
+            var contentStream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return (contentStream, manifest);
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while exporting exceptions");
+            return (Stream.Null, null);
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while exporting exceptions");
+            return (Stream.Null, null);
+        }
+    }
+
+    private static string BuildListUri(ExceptionListRequest request)
+    {
+        var queryParams = new List<string>();
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+        }
+        if (!string.IsNullOrWhiteSpace(request.Vuln))
+        {
+            queryParams.Add($"vuln={Uri.EscapeDataString(request.Vuln)}");
+        }
+        if (!string.IsNullOrWhiteSpace(request.ScopeType))
+        {
+            queryParams.Add($"scopeType={Uri.EscapeDataString(request.ScopeType)}");
+        }
+        if (!string.IsNullOrWhiteSpace(request.ScopeValue))
+        {
+            queryParams.Add($"scopeValue={Uri.EscapeDataString(request.ScopeValue)}");
+        }
+        if (request.Statuses is { Count: > 0 })
+        {
+            foreach (var status in request.Statuses)
+            {
+                queryParams.Add($"status={Uri.EscapeDataString(status)}");
+            }
+        }
+        if (!string.IsNullOrWhiteSpace(request.Owner))
+        {
+            queryParams.Add($"owner={Uri.EscapeDataString(request.Owner)}");
+        }
+        if (!string.IsNullOrWhiteSpace(request.EffectType))
+        {
+            queryParams.Add($"effectType={Uri.EscapeDataString(request.EffectType)}");
+        }
+        if (request.ExpiringBefore.HasValue)
+        {
+            queryParams.Add($"expiringBefore={Uri.EscapeDataString(request.ExpiringBefore.Value.ToString("O"))}");
+        }
+        if (request.IncludeExpired)
+        {
+            queryParams.Add("includeExpired=true");
+        }
+        queryParams.Add($"pageSize={request.PageSize}");
+        if (!string.IsNullOrWhiteSpace(request.PageToken))
+        {
+            queryParams.Add($"pageToken={Uri.EscapeDataString(request.PageToken)}");
+        }
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+        return $"/api/v1/exceptions{query}";
+    }
+
+    private void EnsureConfigured()
+    {
+        if (string.IsNullOrWhiteSpace(options.BackendUrl) && httpClient.BaseAddress is null)
+        {
+            throw new InvalidOperationException(
+                "Backend URL not configured. Set STELLAOPS_BACKEND_URL or use --backend-url.");
+        }
+    }
+
+    private async Task AuthorizeRequestAsync(HttpRequestMessage request, string scope, CancellationToken cancellationToken)
+    {
+        var token = await GetAccessTokenAsync(scope, cancellationToken).ConfigureAwait(false);
+        if (!string.IsNullOrWhiteSpace(token))
+        {
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        }
+    }
+
+    private async Task<string?> GetAccessTokenAsync(string scope, CancellationToken cancellationToken)
+    {
+        if (tokenClient is null)
+        {
+            return null;
+        }
+
+        lock (tokenSync)
+        {
+            if (cachedAccessToken is not null && DateTimeOffset.UtcNow < cachedAccessTokenExpiresAt - TokenRefreshSkew)
+            {
+                return cachedAccessToken;
+            }
+        }
+
+        var result = await tokenClient.GetTokenAsync(
+            new StellaOpsTokenRequest { Scopes = [scope] },
+            cancellationToken).ConfigureAwait(false);
+
+        if (result.IsSuccess)
+        {
+            lock (tokenSync)
+            {
+                cachedAccessToken = result.AccessToken;
+                cachedAccessTokenExpiresAt = result.ExpiresAt;
+            }
+            return result.AccessToken;
+        }
+
+        logger.LogWarning("Token acquisition failed: {Error}", result.Error);
+        return null;
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/ForensicSnapshotClient.cs b/src/Cli/StellaOps.Cli/Services/ForensicSnapshotClient.cs
new file mode 100644
index 000000000..f3eb00013
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/ForensicSnapshotClient.cs
@@ -0,0 +1,372 @@
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Net.Http.Json;
+using System.Text;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Auth.Abstractions;
+using StellaOps.Auth.Client;
+using StellaOps.Cli.Configuration;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for forensic snapshot and evidence locker APIs.
+/// Per CLI-FORENSICS-53-001.
+/// </summary>
+internal sealed class ForensicSnapshotClient : IForensicSnapshotClient
+{
+    private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web);
+    private static readonly TimeSpan TokenRefreshSkew = TimeSpan.FromSeconds(30);
+
+    private readonly HttpClient _httpClient;
+    private readonly StellaOpsCliOptions _options;
+    private readonly ILogger<ForensicSnapshotClient> _logger;
+    private readonly IStellaOpsTokenClient? _tokenClient;
+    private readonly object _tokenSync = new();
+
+    private string? _cachedAccessToken;
+    private DateTimeOffset _cachedAccessTokenExpiresAt = DateTimeOffset.MinValue;
+
+    public ForensicSnapshotClient(
+        HttpClient httpClient,
+        StellaOpsCliOptions options,
+        ILogger<ForensicSnapshotClient> logger,
+        IStellaOpsTokenClient? tokenClient = null)
+    {
+        _httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
+        _options = options ?? throw new ArgumentNullException(nameof(options));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _tokenClient = tokenClient;
+
+        if (!string.IsNullOrWhiteSpace(options.BackendUrl) && httpClient.BaseAddress is null)
+        {
+            if (Uri.TryCreate(options.BackendUrl, UriKind.Absolute, out var baseUri))
+            {
+                httpClient.BaseAddress = baseUri;
+            }
+        }
+    }
+
+    public async Task<ForensicSnapshotDocument> CreateSnapshotAsync(
+        string tenant,
+        ForensicSnapshotCreateRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(tenant);
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureConfigured();
+
+        var requestUri = $"/forensic/snapshots?tenant={Uri.EscapeDataString(tenant)}";
+        using var httpRequest = new HttpRequestMessage(HttpMethod.Post, requestUri);
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        httpRequest.Content = JsonContent.Create(request, options: SerializerOptions);
+
+        using var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+        if (!response.IsSuccessStatusCode)
+        {
+            var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+            _logger.LogError(
+                "Failed to create forensic snapshot (status {StatusCode}). Response: {Payload}",
+                (int)response.StatusCode,
+                string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+            response.EnsureSuccessStatusCode();
+        }
+
+        await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+        var result = await JsonSerializer
+            .DeserializeAsync<ForensicSnapshotDocument>(stream, SerializerOptions, cancellationToken)
+            .ConfigureAwait(false);
+
+        return result ?? throw new InvalidOperationException("Invalid response from forensic API.");
+    }
+
+    public async Task<ForensicSnapshotListResponse> ListSnapshotsAsync(
+        ForensicSnapshotListQuery query,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(query);
+
+        EnsureConfigured();
+
+        var requestUri = BuildListRequestUri(query);
+        using var request = new HttpRequestMessage(HttpMethod.Get, requestUri);
+        await AuthorizeRequestAsync(request, cancellationToken).ConfigureAwait(false);
+
+        using var response = await _httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
+        if (!response.IsSuccessStatusCode)
+        {
+            var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+            _logger.LogError(
+                "Failed to list forensic snapshots (status {StatusCode}). Response: {Payload}",
+                (int)response.StatusCode,
+                string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+            response.EnsureSuccessStatusCode();
+        }
+
+        await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+        var result = await JsonSerializer
+            .DeserializeAsync<ForensicSnapshotListResponse>(stream, SerializerOptions, cancellationToken)
+            .ConfigureAwait(false);
+
+        return result ?? new ForensicSnapshotListResponse();
+    }
+
+    public async Task<ForensicSnapshotDocument?> GetSnapshotAsync(
+        string tenant,
+        string snapshotId,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(tenant);
+        ArgumentException.ThrowIfNullOrWhiteSpace(snapshotId);
+
+        EnsureConfigured();
+
+        var requestUri = $"/forensic/snapshots/{Uri.EscapeDataString(snapshotId)}?tenant={Uri.EscapeDataString(tenant)}";
+        using var request = new HttpRequestMessage(HttpMethod.Get, requestUri);
+        await AuthorizeRequestAsync(request, cancellationToken).ConfigureAwait(false);
+
+        using var response = await _httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
+        if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+        {
+            return null;
+        }
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+            _logger.LogError(
+                "Failed to get forensic snapshot (status {StatusCode}). Response: {Payload}",
+                (int)response.StatusCode,
+                string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+            response.EnsureSuccessStatusCode();
+        }
+
+        await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+        return await JsonSerializer
+            .DeserializeAsync<ForensicSnapshotDocument>(stream, SerializerOptions, cancellationToken)
+            .ConfigureAwait(false);
+    }
+
+    public async Task<ForensicSnapshotManifest?> GetSnapshotManifestAsync(
+        string tenant,
+        string snapshotId,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(tenant);
+        ArgumentException.ThrowIfNullOrWhiteSpace(snapshotId);
+
+        EnsureConfigured();
+
+        var requestUri = $"/forensic/snapshots/{Uri.EscapeDataString(snapshotId)}/manifest?tenant={Uri.EscapeDataString(tenant)}";
+        using var request = new HttpRequestMessage(HttpMethod.Get, requestUri);
+        await AuthorizeRequestAsync(request, cancellationToken).ConfigureAwait(false);
+
+        using var response = await _httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
+        if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+        {
+            return null;
+        }
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+            _logger.LogError(
+                "Failed to get forensic snapshot manifest (status {StatusCode}). Response: {Payload}",
+                (int)response.StatusCode,
+                string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+            response.EnsureSuccessStatusCode();
+        }
+
+        await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+        return await JsonSerializer
+            .DeserializeAsync<ForensicSnapshotManifest>(stream, SerializerOptions, cancellationToken)
+            .ConfigureAwait(false);
+    }
+
+    private static string BuildListRequestUri(ForensicSnapshotListQuery query)
+    {
+        var builder = new StringBuilder("/forensic/snapshots?tenant=");
+        builder.Append(Uri.EscapeDataString(query.Tenant));
+
+        if (!string.IsNullOrWhiteSpace(query.CaseId))
+        {
+            builder.Append("&caseId=");
+            builder.Append(Uri.EscapeDataString(query.CaseId));
+        }
+
+        if (!string.IsNullOrWhiteSpace(query.Status))
+        {
+            builder.Append("&status=");
+            builder.Append(Uri.EscapeDataString(query.Status));
+        }
+
+        if (query.Tags is { Count: > 0 })
+        {
+            foreach (var tag in query.Tags)
+            {
+                if (!string.IsNullOrWhiteSpace(tag))
+                {
+                    builder.Append("&tag=");
+                    builder.Append(Uri.EscapeDataString(tag));
+                }
+            }
+        }
+
+        if (query.CreatedAfter.HasValue)
+        {
+            builder.Append("&createdAfter=");
+            builder.Append(Uri.EscapeDataString(query.CreatedAfter.Value.ToString("O", CultureInfo.InvariantCulture)));
+        }
+
+        if (query.CreatedBefore.HasValue)
+        {
+            builder.Append("&createdBefore=");
+            builder.Append(Uri.EscapeDataString(query.CreatedBefore.Value.ToString("O", CultureInfo.InvariantCulture)));
+        }
+
+        if (query.Limit.HasValue && query.Limit.Value > 0)
+        {
+            builder.Append("&limit=");
+            builder.Append(query.Limit.Value.ToString(CultureInfo.InvariantCulture));
+        }
+
+        if (query.Offset.HasValue && query.Offset.Value > 0)
+        {
+            builder.Append("&offset=");
+            builder.Append(query.Offset.Value.ToString(CultureInfo.InvariantCulture));
+        }
+
+        return builder.ToString();
+    }
+
+    private void EnsureConfigured()
+    {
+        if (!string.IsNullOrWhiteSpace(_options.BackendUrl))
+        {
+            return;
+        }
+
+        throw new InvalidOperationException(
+            "BackendUrl is not configured. Set StellaOps:BackendUrl or STELLAOPS_BACKEND_URL.");
+    }
+
+    private async Task AuthorizeRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+    {
+        var token = await ResolveAccessTokenAsync(cancellationToken).ConfigureAwait(false);
+        if (!string.IsNullOrWhiteSpace(token))
+        {
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        }
+    }
+
+    private async Task<string?> ResolveAccessTokenAsync(CancellationToken cancellationToken)
+    {
+        if (!string.IsNullOrWhiteSpace(_options.ApiKey))
+        {
+            return _options.ApiKey;
+        }
+
+        if (_tokenClient is null || string.IsNullOrWhiteSpace(_options.Authority.Url))
+        {
+            return null;
+        }
+
+        var now = DateTimeOffset.UtcNow;
+
+        lock (_tokenSync)
+        {
+            if (!string.IsNullOrEmpty(_cachedAccessToken) && now < _cachedAccessTokenExpiresAt - TokenRefreshSkew)
+            {
+                return _cachedAccessToken;
+            }
+        }
+
+        var (scope, cacheKey) = BuildScopeAndCacheKey(_options);
+        var cachedEntry = await _tokenClient.GetCachedTokenAsync(cacheKey, cancellationToken).ConfigureAwait(false);
+        if (cachedEntry is not null && now < cachedEntry.ExpiresAtUtc - TokenRefreshSkew)
+        {
+            lock (_tokenSync)
+            {
+                _cachedAccessToken = cachedEntry.AccessToken;
+                _cachedAccessTokenExpiresAt = cachedEntry.ExpiresAtUtc;
+                return _cachedAccessToken;
+            }
+        }
+
+        StellaOpsTokenResult token;
+        if (!string.IsNullOrWhiteSpace(_options.Authority.Username))
+        {
+            if (string.IsNullOrWhiteSpace(_options.Authority.Password))
+            {
+                throw new InvalidOperationException("Authority password must be configured when username is provided.");
+            }
+
+            token = await _tokenClient.RequestPasswordTokenAsync(
+                _options.Authority.Username,
+                _options.Authority.Password!,
+                scope,
+                null,
+                cancellationToken).ConfigureAwait(false);
+        }
+        else
+        {
+            token = await _tokenClient.RequestClientCredentialsTokenAsync(scope, null, cancellationToken).ConfigureAwait(false);
+        }
+
+        await _tokenClient.CacheTokenAsync(cacheKey, token.ToCacheEntry(), cancellationToken).ConfigureAwait(false);
+
+        lock (_tokenSync)
+        {
+            _cachedAccessToken = token.AccessToken;
+            _cachedAccessTokenExpiresAt = token.ExpiresAtUtc;
+            return _cachedAccessToken;
+        }
+    }
+
+    private static (string Scope, string CacheKey) BuildScopeAndCacheKey(StellaOpsCliOptions options)
+    {
+        var baseScope = AuthorityTokenUtilities.ResolveScope(options);
+        var finalScope = EnsureScope(baseScope, StellaOpsScopes.EvidenceRead);
+
+        var credential = !string.IsNullOrWhiteSpace(options.Authority.Username)
+            ? $"user:{options.Authority.Username}"
+            : $"client:{options.Authority.ClientId}";
+
+        var cacheKey = $"{options.Authority.Url}|{credential}|{finalScope}";
+        return (finalScope, cacheKey);
+    }
+
+    private static string EnsureScope(string scopes, string required)
+    {
+        if (string.IsNullOrWhiteSpace(scopes))
+        {
+            return required;
+        }
+
+        var parts = scopes
+            .Split(' ', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
+            .Select(static scope => scope.ToLowerInvariant())
+            .Distinct(StringComparer.Ordinal)
+            .ToList();
+
+        if (!parts.Contains(required, StringComparer.Ordinal))
+        {
+            parts.Add(required);
+        }
+
+        return string.Join(' ', parts);
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/ForensicVerifier.cs b/src/Cli/StellaOps.Cli/Services/ForensicVerifier.cs
new file mode 100644
index 000000000..5999a9cc3
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/ForensicVerifier.cs
@@ -0,0 +1,592 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Cli.Output;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Verifier for forensic bundles including checksums, DSSE signatures, and chain-of-custody.
+/// Per CLI-FORENSICS-54-001.
+/// </summary>
+internal sealed class ForensicVerifier : IForensicVerifier
+{
+    private const string PaePrefix = "DSSEv1";
+    private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
+    {
+        PropertyNameCaseInsensitive = true
+    };
+
+    private readonly ILogger<ForensicVerifier> _logger;
+
+    public ForensicVerifier(ILogger<ForensicVerifier> logger)
+    {
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    public async Task<ForensicVerificationResult> VerifyBundleAsync(
+        string bundlePath,
+        ForensicVerificationOptions options,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(bundlePath);
+        ArgumentNullException.ThrowIfNull(options);
+
+        var errors = new List<ForensicVerificationError>();
+        var warnings = new List<string>();
+        var verifiedAt = DateTimeOffset.UtcNow;
+
+        _logger.LogDebug("Verifying forensic bundle at {BundlePath}", bundlePath);
+
+        // Check bundle exists
+        if (!File.Exists(bundlePath) && !Directory.Exists(bundlePath))
+        {
+            errors.Add(new ForensicVerificationError
+            {
+                Code = CliErrorCodes.ForensicBundleNotFound,
+                Message = "Bundle path not found",
+                Detail = bundlePath
+            });
+
+            return new ForensicVerificationResult
+            {
+                BundlePath = bundlePath,
+                IsValid = false,
+                VerifiedAt = verifiedAt,
+                Errors = errors
+            };
+        }
+
+        // Load manifest
+        var manifestPath = ResolveManifestPath(bundlePath);
+        if (manifestPath is null || !File.Exists(manifestPath))
+        {
+            errors.Add(new ForensicVerificationError
+            {
+                Code = CliErrorCodes.ForensicBundleInvalid,
+                Message = "Manifest not found in bundle",
+                Detail = "Expected manifest.json in bundle root"
+            });
+
+            return new ForensicVerificationResult
+            {
+                BundlePath = bundlePath,
+                IsValid = false,
+                VerifiedAt = verifiedAt,
+                Errors = errors
+            };
+        }
+
+        ForensicSnapshotManifest manifest;
+        try
+        {
+            var manifestJson = await File.ReadAllTextAsync(manifestPath, cancellationToken).ConfigureAwait(false);
+            manifest = JsonSerializer.Deserialize<ForensicSnapshotManifest>(manifestJson, SerializerOptions)
+                ?? throw new InvalidDataException("Invalid manifest JSON");
+        }
+        catch (Exception ex) when (ex is JsonException or InvalidDataException)
+        {
+            _logger.LogError(ex, "Failed to parse manifest at {ManifestPath}", manifestPath);
+            errors.Add(new ForensicVerificationError
+            {
+                Code = CliErrorCodes.ForensicBundleInvalid,
+                Message = "Failed to parse manifest",
+                Detail = ex.Message
+            });
+
+            return new ForensicVerificationResult
+            {
+                BundlePath = bundlePath,
+                IsValid = false,
+                VerifiedAt = verifiedAt,
+                Errors = errors
+            };
+        }
+
+        var bundleDir = Path.GetDirectoryName(manifestPath) ?? bundlePath;
+
+        // Verify manifest
+        var manifestVerification = await VerifyManifestAsync(manifest, manifestPath, cancellationToken)
+            .ConfigureAwait(false);
+        if (!manifestVerification.IsValid)
+        {
+            errors.Add(new ForensicVerificationError
+            {
+                Code = CliErrorCodes.ForensicChecksumMismatch,
+                Message = "Manifest digest verification failed",
+                Detail = $"Expected: {manifestVerification.Digest}, Computed: {manifestVerification.ComputedDigest}"
+            });
+        }
+
+        // Verify checksums
+        ForensicChecksumVerification? checksumVerification = null;
+        if (options.VerifyChecksums)
+        {
+            checksumVerification = await VerifyChecksumsAsync(manifest, bundleDir, cancellationToken)
+                .ConfigureAwait(false);
+
+            foreach (var failure in checksumVerification.FailedArtifacts)
+            {
+                errors.Add(new ForensicVerificationError
+                {
+                    Code = CliErrorCodes.ForensicChecksumMismatch,
+                    Message = $"Checksum mismatch for artifact {failure.ArtifactId}",
+                    Detail = failure.Reason,
+                    ArtifactId = failure.ArtifactId
+                });
+            }
+        }
+
+        // Verify signatures
+        ForensicSignatureVerification? signatureVerification = null;
+        if (options.VerifySignatures && manifest.Signature is not null)
+        {
+            var trustRoots = options.TrustRoots.ToList();
+            if (!string.IsNullOrWhiteSpace(options.TrustRootPath))
+            {
+                var loadedRoots = await LoadTrustRootsAsync(options.TrustRootPath, cancellationToken)
+                    .ConfigureAwait(false);
+                trustRoots.AddRange(loadedRoots);
+            }
+
+            if (trustRoots.Count == 0)
+            {
+                warnings.Add("No trust roots configured; signature verification skipped");
+            }
+            else
+            {
+                signatureVerification = VerifySignature(manifest, trustRoots);
+
+                if (!signatureVerification.IsValid)
+                {
+                    var untrusted = signatureVerification.Signatures
+                        .Where(s => !s.IsTrusted)
+                        .Select(s => s.KeyId);
+
+                    errors.Add(new ForensicVerificationError
+                    {
+                        Code = signatureVerification.VerifiedSignatures == 0
+                            ? CliErrorCodes.ForensicSignatureInvalid
+                            : CliErrorCodes.ForensicSignatureUntrusted,
+                        Message = "Signature verification failed",
+                        Detail = string.Join(", ", signatureVerification.Signatures.Select(s => s.Reason).Where(r => r is not null))
+                    });
+                }
+            }
+        }
+
+        // Verify chain of custody
+        ForensicChainOfCustodyVerification? chainVerification = null;
+        if (options.VerifyChainOfCustody && manifest.Metadata?.ChainOfCustody is { Count: > 0 })
+        {
+            chainVerification = VerifyChainOfCustody(manifest.Metadata.ChainOfCustody, options.StrictTimeline);
+
+            if (!chainVerification.IsValid)
+            {
+                var errorCode = !chainVerification.TimelineValid
+                    ? CliErrorCodes.ForensicTimelineInvalid
+                    : CliErrorCodes.ForensicChainOfCustodyBroken;
+
+                errors.Add(new ForensicVerificationError
+                {
+                    Code = errorCode,
+                    Message = "Chain of custody verification failed",
+                    Detail = chainVerification.Gaps.Count > 0
+                        ? $"Found {chainVerification.Gaps.Count} timeline gap(s)"
+                        : "Invalid entry signatures"
+                });
+            }
+        }
+
+        var isValid = errors.Count == 0 &&
+                      manifestVerification.IsValid &&
+                      (checksumVerification?.IsValid ?? true) &&
+                      (signatureVerification?.IsValid ?? true) &&
+                      (chainVerification?.IsValid ?? true);
+
+        return new ForensicVerificationResult
+        {
+            BundlePath = bundlePath,
+            IsValid = isValid,
+            VerifiedAt = verifiedAt,
+            ManifestVerification = manifestVerification,
+            ChecksumVerification = checksumVerification,
+            SignatureVerification = signatureVerification,
+            ChainOfCustodyVerification = chainVerification,
+            Errors = errors,
+            Warnings = warnings
+        };
+    }
+
+    public async Task<IReadOnlyList<ForensicTrustRoot>> LoadTrustRootsAsync(
+        string trustRootPath,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(trustRootPath);
+
+        if (!File.Exists(trustRootPath))
+        {
+            _logger.LogWarning("Trust root file not found: {Path}", trustRootPath);
+            return Array.Empty<ForensicTrustRoot>();
+        }
+
+        try
+        {
+            var json = await File.ReadAllTextAsync(trustRootPath, cancellationToken).ConfigureAwait(false);
+
+            // Try array format first
+            var roots = JsonSerializer.Deserialize<List<ForensicTrustRoot>>(json, SerializerOptions);
+            if (roots is not null)
+            {
+                return roots;
+            }
+
+            // Try single object
+            var singleRoot = JsonSerializer.Deserialize<ForensicTrustRoot>(json, SerializerOptions);
+            if (singleRoot is not null)
+            {
+                return new[] { singleRoot };
+            }
+
+            return Array.Empty<ForensicTrustRoot>();
+        }
+        catch (JsonException ex)
+        {
+            _logger.LogError(ex, "Failed to parse trust roots from {Path}", trustRootPath);
+            return Array.Empty<ForensicTrustRoot>();
+        }
+    }
+
+    private static string? ResolveManifestPath(string bundlePath)
+    {
+        if (File.Exists(bundlePath))
+        {
+            // If bundlePath is a file, check if it's the manifest
+            var fileName = Path.GetFileName(bundlePath);
+            if (fileName.Equals("manifest.json", StringComparison.OrdinalIgnoreCase))
+            {
+                return bundlePath;
+            }
+
+            // Otherwise look for manifest in same directory
+            var dir = Path.GetDirectoryName(bundlePath);
+            if (dir is not null)
+            {
+                var manifestInDir = Path.Combine(dir, "manifest.json");
+                if (File.Exists(manifestInDir))
+                {
+                    return manifestInDir;
+                }
+            }
+
+            return null;
+        }
+
+        if (Directory.Exists(bundlePath))
+        {
+            var manifestPath = Path.Combine(bundlePath, "manifest.json");
+            return File.Exists(manifestPath) ? manifestPath : null;
+        }
+
+        return null;
+    }
+
+    private async Task<ForensicManifestVerification> VerifyManifestAsync(
+        ForensicSnapshotManifest manifest,
+        string manifestPath,
+        CancellationToken cancellationToken)
+    {
+        var manifestBytes = await File.ReadAllBytesAsync(manifestPath, cancellationToken).ConfigureAwait(false);
+        var computedDigest = ComputeDigest(manifestBytes, manifest.DigestAlgorithm);
+
+        var isValid = string.Equals(manifest.Digest, computedDigest, StringComparison.OrdinalIgnoreCase) ||
+                      string.IsNullOrEmpty(manifest.Digest); // Allow empty digest for unsigned manifests
+
+        return new ForensicManifestVerification
+        {
+            IsValid = isValid,
+            ManifestId = manifest.ManifestId,
+            Version = manifest.Version,
+            Digest = manifest.Digest,
+            DigestAlgorithm = manifest.DigestAlgorithm,
+            ComputedDigest = computedDigest,
+            ArtifactCount = manifest.Artifacts.Count
+        };
+    }
+
+    private async Task<ForensicChecksumVerification> VerifyChecksumsAsync(
+        ForensicSnapshotManifest manifest,
+        string bundleDir,
+        CancellationToken cancellationToken)
+    {
+        var failures = new List<ForensicArtifactChecksumFailure>();
+        var verified = 0;
+
+        foreach (var artifact in manifest.Artifacts)
+        {
+            var artifactPath = Path.Combine(bundleDir, artifact.Path);
+
+            if (!File.Exists(artifactPath))
+            {
+                failures.Add(new ForensicArtifactChecksumFailure
+                {
+                    ArtifactId = artifact.ArtifactId,
+                    Path = artifact.Path,
+                    ExpectedDigest = artifact.Digest,
+                    ActualDigest = string.Empty,
+                    Reason = "Artifact file not found"
+                });
+                continue;
+            }
+
+            try
+            {
+                var fileBytes = await File.ReadAllBytesAsync(artifactPath, cancellationToken).ConfigureAwait(false);
+                var actualDigest = ComputeDigest(fileBytes, artifact.DigestAlgorithm);
+
+                if (!string.Equals(artifact.Digest, actualDigest, StringComparison.OrdinalIgnoreCase))
+                {
+                    failures.Add(new ForensicArtifactChecksumFailure
+                    {
+                        ArtifactId = artifact.ArtifactId,
+                        Path = artifact.Path,
+                        ExpectedDigest = artifact.Digest,
+                        ActualDigest = actualDigest,
+                        Reason = "Digest mismatch"
+                    });
+                }
+                else
+                {
+                    verified++;
+                }
+            }
+            catch (IOException ex)
+            {
+                failures.Add(new ForensicArtifactChecksumFailure
+                {
+                    ArtifactId = artifact.ArtifactId,
+                    Path = artifact.Path,
+                    ExpectedDigest = artifact.Digest,
+                    ActualDigest = string.Empty,
+                    Reason = $"IO error: {ex.Message}"
+                });
+            }
+        }
+
+        return new ForensicChecksumVerification
+        {
+            IsValid = failures.Count == 0,
+            TotalArtifacts = manifest.Artifacts.Count,
+            VerifiedArtifacts = verified,
+            FailedArtifacts = failures
+        };
+    }
+
+    private ForensicSignatureVerification VerifySignature(
+        ForensicSnapshotManifest manifest,
+        IReadOnlyList<ForensicTrustRoot> trustRoots)
+    {
+        if (manifest.Signature is null)
+        {
+            return new ForensicSignatureVerification
+            {
+                IsValid = false,
+                SignatureCount = 0,
+                VerifiedSignatures = 0,
+                Signatures = Array.Empty<ForensicSignatureDetail>()
+            };
+        }
+
+        var signatures = new List<ForensicSignatureDetail>();
+        var verifiedCount = 0;
+
+        // Find matching trust root
+        var matchingRoot = trustRoots.FirstOrDefault(tr =>
+            string.Equals(tr.KeyId, manifest.Signature.KeyId, StringComparison.OrdinalIgnoreCase));
+
+        if (matchingRoot is null)
+        {
+            signatures.Add(new ForensicSignatureDetail
+            {
+                KeyId = manifest.Signature.KeyId ?? "unknown",
+                Algorithm = manifest.Signature.Algorithm,
+                IsValid = false,
+                IsTrusted = false,
+                SignedAt = manifest.Signature.SignedAt,
+                Reason = "No matching trust root found"
+            });
+
+            return new ForensicSignatureVerification
+            {
+                IsValid = false,
+                SignatureCount = 1,
+                VerifiedSignatures = 0,
+                Signatures = signatures
+            };
+        }
+
+        // Verify signature
+        var isValid = VerifyRsaPssSignature(
+            manifest.Digest,
+            manifest.Signature.Value,
+            matchingRoot.PublicKey);
+
+        // Check time validity
+        var now = DateTimeOffset.UtcNow;
+        var timeValid = (!matchingRoot.NotBefore.HasValue || now >= matchingRoot.NotBefore.Value) &&
+                        (!matchingRoot.NotAfter.HasValue || now <= matchingRoot.NotAfter.Value);
+
+        if (isValid && timeValid)
+        {
+            verifiedCount++;
+        }
+
+        signatures.Add(new ForensicSignatureDetail
+        {
+            KeyId = manifest.Signature.KeyId ?? "unknown",
+            Algorithm = manifest.Signature.Algorithm,
+            IsValid = isValid,
+            IsTrusted = isValid && timeValid,
+            SignedAt = manifest.Signature.SignedAt,
+            Fingerprint = matchingRoot.Fingerprint,
+            Reason = !isValid ? "Signature verification failed" :
+                     !timeValid ? "Key outside validity period" : null
+        });
+
+        return new ForensicSignatureVerification
+        {
+            IsValid = verifiedCount > 0,
+            SignatureCount = 1,
+            VerifiedSignatures = verifiedCount,
+            Signatures = signatures
+        };
+    }
+
+    private ForensicChainOfCustodyVerification VerifyChainOfCustody(
+        IReadOnlyList<ForensicChainOfCustodyEntry> entries,
+        bool strictTimeline)
+    {
+        var entryVerifications = new List<ForensicChainOfCustodyEntryVerification>();
+        var gaps = new List<ForensicTimelineGap>();
+        var timelineValid = true;
+        var signaturesValid = true;
+
+        DateTimeOffset? lastTimestamp = null;
+        var index = 0;
+
+        foreach (var entry in entries.OrderBy(e => e.Timestamp))
+        {
+            // Check timeline progression
+            if (lastTimestamp.HasValue && entry.Timestamp < lastTimestamp.Value)
+            {
+                timelineValid = false;
+                gaps.Add(new ForensicTimelineGap
+                {
+                    FromIndex = index - 1,
+                    ToIndex = index,
+                    FromTimestamp = lastTimestamp.Value,
+                    ToTimestamp = entry.Timestamp,
+                    GapDuration = lastTimestamp.Value - entry.Timestamp,
+                    Description = "Timestamp out of order"
+                });
+            }
+            else if (strictTimeline && lastTimestamp.HasValue)
+            {
+                var gap = entry.Timestamp - lastTimestamp.Value;
+                if (gap > TimeSpan.FromDays(1))
+                {
+                    gaps.Add(new ForensicTimelineGap
+                    {
+                        FromIndex = index - 1,
+                        ToIndex = index,
+                        FromTimestamp = lastTimestamp.Value,
+                        ToTimestamp = entry.Timestamp,
+                        GapDuration = gap,
+                        Description = $"Large gap of {gap.TotalHours:F1} hours"
+                    });
+                }
+            }
+
+            // Signature verification (if present)
+            bool? signatureValid = null;
+            if (!string.IsNullOrWhiteSpace(entry.Signature))
+            {
+                // For now, just check signature is present
+                // Full verification would require the signing key
+                signatureValid = true;
+            }
+
+            entryVerifications.Add(new ForensicChainOfCustodyEntryVerification
+            {
+                Index = index,
+                Action = entry.Action,
+                Actor = entry.Actor,
+                Timestamp = entry.Timestamp,
+                SignatureValid = signatureValid,
+                Notes = entry.Notes
+            });
+
+            lastTimestamp = entry.Timestamp;
+            index++;
+        }
+
+        return new ForensicChainOfCustodyVerification
+        {
+            IsValid = timelineValid && signaturesValid && (gaps.Count == 0 || !strictTimeline),
+            EntryCount = entries.Count,
+            TimelineValid = timelineValid,
+            SignaturesValid = signaturesValid,
+            Entries = entryVerifications,
+            Gaps = gaps
+        };
+    }
+
+    private static string ComputeDigest(byte[] data, string algorithm)
+    {
+        byte[] hash;
+        switch (algorithm.ToLowerInvariant())
+        {
+            case "sha256":
+                hash = SHA256.HashData(data);
+                break;
+            case "sha384":
+                hash = SHA384.HashData(data);
+                break;
+            case "sha512":
+                hash = SHA512.HashData(data);
+                break;
+            default:
+                hash = SHA256.HashData(data);
+                break;
+        }
+
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+
+    private static bool VerifyRsaPssSignature(string digest, string signatureBase64, string publicKeyBase64)
+    {
+        try
+        {
+            var publicKeyBytes = Convert.FromBase64String(publicKeyBase64);
+            var signatureBytes = Convert.FromBase64String(signatureBase64);
+            var digestBytes = Convert.FromHexString(digest);
+
+            using var rsa = RSA.Create();
+            rsa.ImportSubjectPublicKeyInfo(publicKeyBytes, out _);
+
+            return rsa.VerifyHash(digestBytes, signatureBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
+        }
+        catch
+        {
+            return false;
+        }
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/IAttestationReader.cs b/src/Cli/StellaOps.Cli/Services/IAttestationReader.cs
new file mode 100644
index 000000000..1bbb58357
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/IAttestationReader.cs
@@ -0,0 +1,20 @@
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Reader for attestation files.
+/// Per CLI-FORENSICS-54-002.
+/// </summary>
+internal interface IAttestationReader
+{
+    /// <summary>
+    /// Reads and parses an attestation file.
+    /// </summary>
+    Task<AttestationShowResult> ReadAttestationAsync(
+        string filePath,
+        AttestationShowOptions options,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Cli/StellaOps.Cli/Services/IBackendOperationsClient.cs b/src/Cli/StellaOps.Cli/Services/IBackendOperationsClient.cs
index cde81ff5a..6a4f4d4d2 100644
--- a/src/Cli/StellaOps.Cli/Services/IBackendOperationsClient.cs
+++ b/src/Cli/StellaOps.Cli/Services/IBackendOperationsClient.cs
@@ -83,4 +83,48 @@ internal interface IBackendOperationsClient
     // CLI-VULN-29-005: Vulnerability export
     Task<VulnExportResponse> ExportVulnerabilitiesAsync(VulnExportRequest request, string? tenant, CancellationToken cancellationToken);
     Task<Stream> DownloadVulnExportAsync(string exportId, string? tenant, CancellationToken cancellationToken);
+
+    // CLI-POLICY-23-006: Policy history and explain
+    Task<PolicyHistoryResponse> GetPolicyHistoryAsync(PolicyHistoryRequest request, CancellationToken cancellationToken);
+    Task<PolicyExplainResult> GetPolicyExplainAsync(PolicyExplainRequest request, CancellationToken cancellationToken);
+
+    // CLI-POLICY-27-002: Policy submission/review workflow
+    Task<PolicyVersionBumpResult> BumpPolicyVersionAsync(PolicyVersionBumpRequest request, CancellationToken cancellationToken);
+    Task<PolicySubmitResult> SubmitPolicyForReviewAsync(PolicySubmitRequest request, CancellationToken cancellationToken);
+    Task<PolicyReviewCommentResult> AddPolicyReviewCommentAsync(PolicyReviewCommentRequest request, CancellationToken cancellationToken);
+    Task<PolicyApproveResult> ApprovePolicyReviewAsync(PolicyApproveRequest request, CancellationToken cancellationToken);
+    Task<PolicyRejectResult> RejectPolicyReviewAsync(PolicyRejectRequest request, CancellationToken cancellationToken);
+    Task<PolicyReviewSummary?> GetPolicyReviewStatusAsync(PolicyReviewStatusRequest request, CancellationToken cancellationToken);
+
+    // CLI-POLICY-27-004: Policy lifecycle (publish/promote/rollback/sign)
+    Task<PolicyPublishResult> PublishPolicyAsync(PolicyPublishRequest request, CancellationToken cancellationToken);
+    Task<PolicyPromoteResult> PromotePolicyAsync(PolicyPromoteRequest request, CancellationToken cancellationToken);
+    Task<PolicyRollbackResult> RollbackPolicyAsync(PolicyRollbackRequest request, CancellationToken cancellationToken);
+    Task<PolicySignResult> SignPolicyAsync(PolicySignRequest request, CancellationToken cancellationToken);
+    Task<PolicyVerifySignatureResult> VerifyPolicySignatureAsync(PolicyVerifySignatureRequest request, CancellationToken cancellationToken);
+
+    // CLI-RISK-66-001: Risk profile list
+    Task<RiskProfileListResponse> ListRiskProfilesAsync(RiskProfileListRequest request, CancellationToken cancellationToken);
+
+    // CLI-RISK-66-002: Risk simulate
+    Task<RiskSimulateResult> SimulateRiskAsync(RiskSimulateRequest request, CancellationToken cancellationToken);
+
+    // CLI-RISK-67-001: Risk results
+    Task<RiskResultsResponse> GetRiskResultsAsync(RiskResultsRequest request, CancellationToken cancellationToken);
+
+    // CLI-RISK-68-001: Risk bundle verify
+    Task<RiskBundleVerifyResult> VerifyRiskBundleAsync(RiskBundleVerifyRequest request, CancellationToken cancellationToken);
+
+    // CLI-SIG-26-001: Reachability operations
+    Task<ReachabilityUploadCallGraphResult> UploadCallGraphAsync(ReachabilityUploadCallGraphRequest request, Stream callGraphStream, CancellationToken cancellationToken);
+    Task<ReachabilityListResponse> ListReachabilityAnalysesAsync(ReachabilityListRequest request, CancellationToken cancellationToken);
+    Task<ReachabilityExplainResult> ExplainReachabilityAsync(ReachabilityExplainRequest request, CancellationToken cancellationToken);
+
+    // CLI-SDK-63-001: API spec download
+    Task<ApiSpecListResponse> ListApiSpecsAsync(string? tenant, CancellationToken cancellationToken);
+    Task<ApiSpecDownloadResult> DownloadApiSpecAsync(ApiSpecDownloadRequest request, CancellationToken cancellationToken);
+
+    // CLI-SDK-64-001: SDK update
+    Task<SdkUpdateResponse> CheckSdkUpdatesAsync(SdkUpdateRequest request, CancellationToken cancellationToken);
+    Task<SdkListResponse> ListInstalledSdksAsync(string? language, string? tenant, CancellationToken cancellationToken);
 }
diff --git a/src/Cli/StellaOps.Cli/Services/IConcelierObservationsClient.cs b/src/Cli/StellaOps.Cli/Services/IConcelierObservationsClient.cs
index 446685ae2..51e98cba0 100644
--- a/src/Cli/StellaOps.Cli/Services/IConcelierObservationsClient.cs
+++ b/src/Cli/StellaOps.Cli/Services/IConcelierObservationsClient.cs
@@ -4,9 +4,32 @@ using StellaOps.Cli.Services.Models;
 
 namespace StellaOps.Cli.Services;
 
+/// <summary>
+/// Client for Concelier advisory observations API.
+/// Per CLI-LNM-22-001, supports obs get, linkset show, and export operations.
+/// </summary>
 internal interface IConcelierObservationsClient
 {
+    /// <summary>
+    /// Gets advisory observations matching the query.
+    /// </summary>
     Task<AdvisoryObservationsResponse> GetObservationsAsync(
         AdvisoryObservationsQuery query,
         CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets advisory linkset with conflict information.
+    /// Per CLI-LNM-22-001, includes conflict display.
+    /// </summary>
+    Task<AdvisoryLinksetResponse> GetLinksetAsync(
+        AdvisoryLinksetQuery query,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets a single observation by ID.
+    /// </summary>
+    Task<AdvisoryLinksetObservation?> GetObservationByIdAsync(
+        string tenant,
+        string observationId,
+        CancellationToken cancellationToken);
 }
diff --git a/src/Cli/StellaOps.Cli/Services/IDeterminismHarness.cs b/src/Cli/StellaOps.Cli/Services/IDeterminismHarness.cs
new file mode 100644
index 000000000..4d8416e48
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/IDeterminismHarness.cs
@@ -0,0 +1,46 @@
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Determinism harness for running scanner with frozen conditions.
+/// Per CLI-DETER-70-003/004.
+/// </summary>
+internal interface IDeterminismHarness
+{
+    /// <summary>
+    /// Runs the determinism harness with the specified configuration.
+    /// </summary>
+    Task<DeterminismRunResult> RunAsync(
+        DeterminismRunRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Verifies a determinism manifest against thresholds.
+    /// </summary>
+    DeterminismVerificationResult VerifyManifest(
+        DeterminismManifest manifest,
+        double imageThreshold,
+        double overallThreshold);
+
+    /// <summary>
+    /// Generates a determinism report from multiple manifest files.
+    /// Per CLI-DETER-70-004.
+    /// </summary>
+    Task<DeterminismReportResult> GenerateReportAsync(
+        DeterminismReportRequest request,
+        CancellationToken cancellationToken);
+}
+
+/// <summary>
+/// Result of verifying a determinism manifest.
+/// </summary>
+internal sealed class DeterminismVerificationResult
+{
+    public bool Passed { get; init; }
+    public double OverallScore { get; init; }
+    public string[] FailedImages { get; init; } = System.Array.Empty<string>();
+    public string[] Warnings { get; init; } = System.Array.Empty<string>();
+}
diff --git a/src/Cli/StellaOps.Cli/Services/IExceptionClient.cs b/src/Cli/StellaOps.Cli/Services/IExceptionClient.cs
new file mode 100644
index 000000000..7b9d94256
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/IExceptionClient.cs
@@ -0,0 +1,64 @@
+using System.IO;
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for exception governance API operations.
+/// Per CLI-EXC-25-001.
+/// </summary>
+internal interface IExceptionClient
+{
+    /// <summary>
+    /// Lists exceptions matching the query.
+    /// </summary>
+    Task<ExceptionListResponse> ListAsync(
+        ExceptionListRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets an exception by ID.
+    /// </summary>
+    Task<ExceptionInstance?> GetAsync(
+        string exceptionId,
+        string? tenant,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Creates a new exception.
+    /// </summary>
+    Task<ExceptionOperationResult> CreateAsync(
+        ExceptionCreateRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Promotes an exception to the next lifecycle stage.
+    /// </summary>
+    Task<ExceptionOperationResult> PromoteAsync(
+        ExceptionPromoteRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Revokes an exception.
+    /// </summary>
+    Task<ExceptionOperationResult> RevokeAsync(
+        ExceptionRevokeRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Imports exceptions from NDJSON stream.
+    /// </summary>
+    Task<ExceptionImportResult> ImportAsync(
+        ExceptionImportRequest request,
+        Stream ndjsonStream,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Exports exceptions to a stream.
+    /// </summary>
+    Task<(Stream Content, ExceptionExportManifest? Manifest)> ExportAsync(
+        ExceptionExportRequest request,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Cli/StellaOps.Cli/Services/IForensicSnapshotClient.cs b/src/Cli/StellaOps.Cli/Services/IForensicSnapshotClient.cs
new file mode 100644
index 000000000..7fca2b325
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/IForensicSnapshotClient.cs
@@ -0,0 +1,43 @@
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for forensic snapshot and evidence locker APIs.
+/// Per CLI-FORENSICS-53-001.
+/// </summary>
+internal interface IForensicSnapshotClient
+{
+    /// <summary>
+    /// Creates a new forensic snapshot.
+    /// </summary>
+    Task<ForensicSnapshotDocument> CreateSnapshotAsync(
+        string tenant,
+        ForensicSnapshotCreateRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Lists forensic snapshots matching the query.
+    /// </summary>
+    Task<ForensicSnapshotListResponse> ListSnapshotsAsync(
+        ForensicSnapshotListQuery query,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets a forensic snapshot by ID.
+    /// </summary>
+    Task<ForensicSnapshotDocument?> GetSnapshotAsync(
+        string tenant,
+        string snapshotId,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets the manifest for a forensic snapshot.
+    /// </summary>
+    Task<ForensicSnapshotManifest?> GetSnapshotManifestAsync(
+        string tenant,
+        string snapshotId,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Cli/StellaOps.Cli/Services/IForensicVerifier.cs b/src/Cli/StellaOps.Cli/Services/IForensicVerifier.cs
new file mode 100644
index 000000000..ac183dc06
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/IForensicVerifier.cs
@@ -0,0 +1,27 @@
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Verifier for forensic bundles.
+/// Per CLI-FORENSICS-54-001.
+/// </summary>
+internal interface IForensicVerifier
+{
+    /// <summary>
+    /// Verifies a forensic bundle at the specified path.
+    /// </summary>
+    Task<ForensicVerificationResult> VerifyBundleAsync(
+        string bundlePath,
+        ForensicVerificationOptions options,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Loads trust roots from a file path.
+    /// </summary>
+    Task<IReadOnlyList<ForensicTrustRoot>> LoadTrustRootsAsync(
+        string trustRootPath,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Cli/StellaOps.Cli/Services/INotifyClient.cs b/src/Cli/StellaOps.Cli/Services/INotifyClient.cs
new file mode 100644
index 000000000..b1a4c81ed
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/INotifyClient.cs
@@ -0,0 +1,70 @@
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for Notify API operations.
+/// Per CLI-PARITY-41-002.
+/// </summary>
+internal interface INotifyClient
+{
+    /// <summary>
+    /// Lists notification channels.
+    /// </summary>
+    Task<NotifyChannelListResponse> ListChannelsAsync(
+        NotifyChannelListRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets a notification channel by ID.
+    /// </summary>
+    Task<NotifyChannelDetail?> GetChannelAsync(
+        string channelId,
+        string? tenant,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Tests a notification channel.
+    /// </summary>
+    Task<NotifyChannelTestResult> TestChannelAsync(
+        NotifyChannelTestRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Lists notification rules.
+    /// </summary>
+    Task<NotifyRuleListResponse> ListRulesAsync(
+        NotifyRuleListRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Lists notification deliveries.
+    /// </summary>
+    Task<NotifyDeliveryListResponse> ListDeliveriesAsync(
+        NotifyDeliveryListRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets a delivery by ID.
+    /// </summary>
+    Task<NotifyDeliveryDetail?> GetDeliveryAsync(
+        string deliveryId,
+        string? tenant,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Retries a failed delivery.
+    /// </summary>
+    Task<NotifyRetryResult> RetryDeliveryAsync(
+        NotifyRetryRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Sends a notification.
+    /// </summary>
+    Task<NotifySendResult> SendAsync(
+        NotifySendRequest request,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Cli/StellaOps.Cli/Services/IObservabilityClient.cs b/src/Cli/StellaOps.Cli/Services/IObservabilityClient.cs
new file mode 100644
index 000000000..cede2e874
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/IObservabilityClient.cs
@@ -0,0 +1,59 @@
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for observability API operations.
+/// Per CLI-OBS-51-001/52-001.
+/// </summary>
+internal interface IObservabilityClient
+{
+    /// <summary>
+    /// Gets platform health summary for obs top command.
+    /// </summary>
+    Task<ObsTopResult> GetHealthSummaryAsync(
+        ObsTopRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets a distributed trace by ID.
+    /// Per CLI-OBS-52-001.
+    /// </summary>
+    Task<ObsTraceResult> GetTraceAsync(
+        ObsTraceRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets logs within a time window.
+    /// Per CLI-OBS-52-001.
+    /// </summary>
+    Task<ObsLogsResult> GetLogsAsync(
+        ObsLogsRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets current incident mode status.
+    /// Per CLI-OBS-55-001.
+    /// </summary>
+    Task<IncidentModeResult> GetIncidentModeStatusAsync(
+        string? tenant,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Enables incident mode.
+    /// Per CLI-OBS-55-001.
+    /// </summary>
+    Task<IncidentModeResult> EnableIncidentModeAsync(
+        IncidentModeEnableRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Disables incident mode.
+    /// Per CLI-OBS-55-001.
+    /// </summary>
+    Task<IncidentModeResult> DisableIncidentModeAsync(
+        IncidentModeDisableRequest request,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Cli/StellaOps.Cli/Services/IOrchestratorClient.cs b/src/Cli/StellaOps.Cli/Services/IOrchestratorClient.cs
new file mode 100644
index 000000000..5196a8705
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/IOrchestratorClient.cs
@@ -0,0 +1,102 @@
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for orchestrator API operations.
+/// Per CLI-ORCH-32-001.
+/// </summary>
+internal interface IOrchestratorClient
+{
+    /// <summary>
+    /// Lists sources matching the query.
+    /// </summary>
+    Task<SourceListResponse> ListSourcesAsync(
+        SourceListRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets a source by ID.
+    /// </summary>
+    Task<OrchestratorSource?> GetSourceAsync(
+        string sourceId,
+        string? tenant,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Pauses a source.
+    /// </summary>
+    Task<SourceOperationResult> PauseSourceAsync(
+        SourcePauseRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Resumes a paused source.
+    /// </summary>
+    Task<SourceOperationResult> ResumeSourceAsync(
+        SourceResumeRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Tests a source connection.
+    /// </summary>
+    Task<SourceTestResult> TestSourceAsync(
+        SourceTestRequest request,
+        CancellationToken cancellationToken);
+
+    // CLI-ORCH-34-001: Backfill operations
+
+    /// <summary>
+    /// Starts a backfill operation for a source.
+    /// </summary>
+    Task<BackfillResult> StartBackfillAsync(
+        BackfillRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets the status of a backfill operation.
+    /// </summary>
+    Task<BackfillResult?> GetBackfillAsync(
+        string backfillId,
+        string? tenant,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Lists backfill operations.
+    /// </summary>
+    Task<BackfillListResponse> ListBackfillsAsync(
+        BackfillListRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Cancels a running backfill operation.
+    /// </summary>
+    Task<SourceOperationResult> CancelBackfillAsync(
+        BackfillCancelRequest request,
+        CancellationToken cancellationToken);
+
+    // CLI-ORCH-34-001: Quota management
+
+    /// <summary>
+    /// Gets quotas for a tenant/source.
+    /// </summary>
+    Task<QuotaGetResponse> GetQuotasAsync(
+        QuotaGetRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Sets a quota limit.
+    /// </summary>
+    Task<QuotaOperationResult> SetQuotaAsync(
+        QuotaSetRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Resets a quota's usage counter.
+    /// </summary>
+    Task<QuotaOperationResult> ResetQuotaAsync(
+        QuotaResetRequest request,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Cli/StellaOps.Cli/Services/IPackClient.cs b/src/Cli/StellaOps.Cli/Services/IPackClient.cs
new file mode 100644
index 000000000..5d53e7c71
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/IPackClient.cs
@@ -0,0 +1,124 @@
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for Task Pack registry and runner API operations.
+/// Per CLI-PACKS-42-001.
+/// </summary>
+internal interface IPackClient
+{
+    /// <summary>
+    /// Plans a pack execution without running it.
+    /// Returns the execution graph, validation errors, and approval requirements.
+    /// </summary>
+    Task<PackPlanResult> PlanAsync(
+        PackPlanRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Runs a pack with the specified inputs.
+    /// Can optionally wait for completion.
+    /// </summary>
+    Task<PackRunResult> RunAsync(
+        PackRunRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets the status of a pack run.
+    /// </summary>
+    Task<PackRunStatus?> GetRunStatusAsync(
+        string runId,
+        string? tenant,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Pushes a pack to the registry.
+    /// </summary>
+    Task<PackPushResult> PushAsync(
+        PackPushRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Pulls a pack from the registry.
+    /// </summary>
+    Task<PackPullResult> PullAsync(
+        PackPullRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Verifies a pack's signature, digest, and schema.
+    /// </summary>
+    Task<PackVerifyResult> VerifyAsync(
+        PackVerifyRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets pack info from the registry.
+    /// </summary>
+    Task<TaskPackInfo?> GetPackInfoAsync(
+        string packId,
+        string? version,
+        string? tenant,
+        CancellationToken cancellationToken);
+
+    // CLI-PACKS-43-001: Advanced pack features
+
+    /// <summary>
+    /// Lists pack runs with optional filters.
+    /// </summary>
+    Task<PackRunListResponse> ListRunsAsync(
+        PackRunListRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Cancels a running pack.
+    /// </summary>
+    Task<PackApprovalResult> CancelRunAsync(
+        PackCancelRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Pauses a pack run waiting for approval.
+    /// </summary>
+    Task<PackApprovalResult> PauseForApprovalAsync(
+        PackApprovalPauseRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Resumes a paused pack run with approval decision.
+    /// </summary>
+    Task<PackApprovalResult> ResumeWithApprovalAsync(
+        PackApprovalResumeRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Injects a secret into a pack run.
+    /// </summary>
+    Task<PackSecretInjectResult> InjectSecretAsync(
+        PackSecretInjectRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets logs for a pack run.
+    /// </summary>
+    Task<PackLogsResult> GetLogsAsync(
+        PackLogsRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Downloads an artifact from a pack run.
+    /// </summary>
+    Task<PackArtifactDownloadResult> DownloadArtifactAsync(
+        PackArtifactDownloadRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Manages the offline pack cache.
+    /// </summary>
+    Task<PackCacheResult> ManageCacheAsync(
+        PackCacheRequest request,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Cli/StellaOps.Cli/Services/IPromotionAssembler.cs b/src/Cli/StellaOps.Cli/Services/IPromotionAssembler.cs
new file mode 100644
index 000000000..77601fb96
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/IPromotionAssembler.cs
@@ -0,0 +1,42 @@
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Assembler for promotion attestations.
+/// Per CLI-PROMO-70-001/002.
+/// </summary>
+internal interface IPromotionAssembler
+{
+    /// <summary>
+    /// Assembles a promotion attestation from the provided request.
+    /// </summary>
+    Task<PromotionAssembleResult> AssembleAsync(
+        PromotionAssembleRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Resolves image digest from registry.
+    /// </summary>
+    Task<string?> ResolveImageDigestAsync(
+        string imageRef,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Signs a promotion predicate and produces a DSSE bundle.
+    /// Per CLI-PROMO-70-002.
+    /// </summary>
+    Task<PromotionAttestResult> AttestAsync(
+        PromotionAttestRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Verifies a promotion attestation bundle offline.
+    /// Per CLI-PROMO-70-002.
+    /// </summary>
+    Task<PromotionVerifyResult> VerifyAsync(
+        PromotionVerifyRequest request,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Cli/StellaOps.Cli/Services/ISbomClient.cs b/src/Cli/StellaOps.Cli/Services/ISbomClient.cs
new file mode 100644
index 000000000..084a2e36d
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/ISbomClient.cs
@@ -0,0 +1,53 @@
+using System.IO;
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for SBOM API operations.
+/// Per CLI-PARITY-41-001.
+/// </summary>
+internal interface ISbomClient
+{
+    /// <summary>
+    /// Lists SBOMs matching the query.
+    /// </summary>
+    Task<SbomListResponse> ListAsync(
+        SbomListRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets an SBOM by ID with optional explain information.
+    /// </summary>
+    Task<SbomDetailResponse?> GetAsync(
+        string sbomId,
+        string? tenant,
+        bool includeComponents,
+        bool includeVulnerabilities,
+        bool includeLicenses,
+        bool explain,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Compares two SBOMs.
+    /// </summary>
+    Task<SbomCompareResponse?> CompareAsync(
+        SbomCompareRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Exports an SBOM in the specified format.
+    /// </summary>
+    Task<(Stream Content, SbomExportResult? Result)> ExportAsync(
+        SbomExportRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets the parity matrix showing CLI command coverage.
+    /// </summary>
+    Task<ParityMatrixResponse> GetParityMatrixAsync(
+        string? tenant,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Cli/StellaOps.Cli/Services/ISbomerClient.cs b/src/Cli/StellaOps.Cli/Services/ISbomerClient.cs
new file mode 100644
index 000000000..761b6b93c
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/ISbomerClient.cs
@@ -0,0 +1,78 @@
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for Sbomer API operations (layer fragments and composition).
+/// Per CLI-SBOM-60-001.
+/// </summary>
+internal interface ISbomerClient
+{
+    /// <summary>
+    /// Lists layer fragments for a scan.
+    /// </summary>
+    Task<SbomerLayerListResponse> ListLayersAsync(
+        SbomerLayerListRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets layer fragment details.
+    /// </summary>
+    Task<SbomerLayerDetail?> GetLayerAsync(
+        SbomerLayerShowRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Verifies a layer fragment DSSE signature.
+    /// </summary>
+    Task<SbomerLayerVerifyResult> VerifyLayerAsync(
+        SbomerLayerVerifyRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets the composition manifest for a scan.
+    /// </summary>
+    Task<CompositionManifest?> GetCompositionManifestAsync(
+        SbomerCompositionShowRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Composes SBOM from layer fragments.
+    /// </summary>
+    Task<SbomerComposeResult> ComposeAsync(
+        SbomerComposeRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Verifies composition against manifest and fragments.
+    /// </summary>
+    Task<SbomerCompositionVerifyResult> VerifyCompositionAsync(
+        SbomerCompositionVerifyRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets Merkle diagnostics for a composition.
+    /// </summary>
+    Task<MerkleDiagnostics?> GetMerkleDiagnosticsAsync(
+        string scanId,
+        string? tenant,
+        CancellationToken cancellationToken);
+
+    // CLI-SBOM-60-002: Drift detection methods
+
+    /// <summary>
+    /// Analyzes drift between current SBOM and baseline.
+    /// </summary>
+    Task<SbomerDriftResult> AnalyzeDriftAsync(
+        SbomerDriftRequest request,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Verifies SBOM with local recomposition and drift detection.
+    /// </summary>
+    Task<SbomerDriftVerifyResult> VerifyDriftAsync(
+        SbomerDriftVerifyRequest request,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Cli/StellaOps.Cli/Services/IVexObservationsClient.cs b/src/Cli/StellaOps.Cli/Services/IVexObservationsClient.cs
new file mode 100644
index 000000000..a81f2adc9
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/IVexObservationsClient.cs
@@ -0,0 +1,34 @@
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for VEX observation queries.
+/// Per CLI-LNM-22-002.
+/// </summary>
+internal interface IVexObservationsClient
+{
+    /// <summary>
+    /// Gets VEX observations matching the query.
+    /// </summary>
+    Task<VexObservationResponse> GetObservationsAsync(
+        VexObservationQuery query,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets a VEX linkset for a vulnerability ID.
+    /// </summary>
+    Task<VexLinksetResponse> GetLinksetAsync(
+        VexLinksetQuery query,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets a single VEX observation by ID.
+    /// </summary>
+    Task<VexObservation?> GetObservationByIdAsync(
+        string tenant,
+        string observationId,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/AdvisoryLinksetModels.cs b/src/Cli/StellaOps.Cli/Services/Models/AdvisoryLinksetModels.cs
new file mode 100644
index 000000000..66aa0b3ae
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/AdvisoryLinksetModels.cs
@@ -0,0 +1,503 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-LNM-22-001: Advisory linkset models for obs get/linkset show/export commands
+
+/// <summary>
+/// Extended advisory linkset query with additional filters for CLI-LNM-22-001.
+/// </summary>
+internal sealed record AdvisoryLinksetQuery(
+    string Tenant,
+    IReadOnlyList<string> ObservationIds,
+    IReadOnlyList<string> Aliases,
+    IReadOnlyList<string> Purls,
+    IReadOnlyList<string> Cpes,
+    IReadOnlyList<string> Sources,
+    string? Severity,
+    bool? KevOnly,
+    bool? HasFix,
+    int? Limit,
+    string? Cursor)
+{
+    /// <summary>
+    /// Creates from a basic AdvisoryObservationsQuery.
+    /// </summary>
+    public static AdvisoryLinksetQuery FromBasicQuery(AdvisoryObservationsQuery query)
+    {
+        return new AdvisoryLinksetQuery(
+            query.Tenant,
+            query.ObservationIds,
+            query.Aliases,
+            query.Purls,
+            query.Cpes,
+            Sources: Array.Empty<string>(),
+            Severity: null,
+            KevOnly: null,
+            HasFix: null,
+            query.Limit,
+            query.Cursor);
+    }
+}
+
+/// <summary>
+/// Extended advisory linkset response with conflict information.
+/// </summary>
+internal sealed class AdvisoryLinksetResponse
+{
+    [JsonPropertyName("observations")]
+    public IReadOnlyList<AdvisoryLinksetObservation> Observations { get; init; } =
+        Array.Empty<AdvisoryLinksetObservation>();
+
+    [JsonPropertyName("linkset")]
+    public AdvisoryLinksetAggregate Linkset { get; init; } = new();
+
+    [JsonPropertyName("conflicts")]
+    public IReadOnlyList<AdvisoryLinksetConflict> Conflicts { get; init; } =
+        Array.Empty<AdvisoryLinksetConflict>();
+
+    [JsonPropertyName("nextCursor")]
+    public string? NextCursor { get; init; }
+
+    [JsonPropertyName("hasMore")]
+    public bool HasMore { get; init; }
+
+    [JsonPropertyName("totalCount")]
+    public int? TotalCount { get; init; }
+}
+
+/// <summary>
+/// Extended advisory observation with severity, KEV, and fix information.
+/// </summary>
+internal sealed class AdvisoryLinksetObservation
+{
+    [JsonPropertyName("observationId")]
+    public string ObservationId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("source")]
+    public AdvisoryObservationSource Source { get; init; } = new();
+
+    [JsonPropertyName("upstream")]
+    public AdvisoryObservationUpstream Upstream { get; init; } = new();
+
+    [JsonPropertyName("linkset")]
+    public AdvisoryObservationLinkset Linkset { get; init; } = new();
+
+    [JsonPropertyName("severity")]
+    public AdvisoryLinksetSeverity? Severity { get; init; }
+
+    [JsonPropertyName("kev")]
+    public AdvisoryLinksetKev? Kev { get; init; }
+
+    [JsonPropertyName("fix")]
+    public AdvisoryLinksetFix? Fix { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("updatedAt")]
+    public DateTimeOffset? UpdatedAt { get; init; }
+}
+
+/// <summary>
+/// Advisory severity information.
+/// </summary>
+internal sealed class AdvisoryLinksetSeverity
+{
+    [JsonPropertyName("level")]
+    public string Level { get; init; } = string.Empty;
+
+    [JsonPropertyName("cvssV3")]
+    public AdvisoryLinksetCvss? CvssV3 { get; init; }
+
+    [JsonPropertyName("cvssV2")]
+    public AdvisoryLinksetCvss? CvssV2 { get; init; }
+}
+
+/// <summary>
+/// CVSS score details.
+/// </summary>
+internal sealed class AdvisoryLinksetCvss
+{
+    [JsonPropertyName("score")]
+    public double Score { get; init; }
+
+    [JsonPropertyName("vector")]
+    public string? Vector { get; init; }
+
+    [JsonPropertyName("severity")]
+    public string? Severity { get; init; }
+}
+
+/// <summary>
+/// KEV (Known Exploited Vulnerabilities) information.
+/// </summary>
+internal sealed class AdvisoryLinksetKev
+{
+    [JsonPropertyName("listed")]
+    public bool Listed { get; init; }
+
+    [JsonPropertyName("addedDate")]
+    public DateTimeOffset? AddedDate { get; init; }
+
+    [JsonPropertyName("dueDate")]
+    public DateTimeOffset? DueDate { get; init; }
+
+    [JsonPropertyName("knownRansomwareCampaignUse")]
+    public bool? KnownRansomwareCampaignUse { get; init; }
+}
+
+/// <summary>
+/// Fix availability information.
+/// </summary>
+internal sealed class AdvisoryLinksetFix
+{
+    [JsonPropertyName("available")]
+    public bool Available { get; init; }
+
+    [JsonPropertyName("versions")]
+    public IReadOnlyList<string> Versions { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("type")]
+    public string? Type { get; init; }
+
+    [JsonPropertyName("advisoryLinks")]
+    public IReadOnlyList<string> AdvisoryLinks { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Aggregated linkset with conflict summary.
+/// </summary>
+internal sealed class AdvisoryLinksetAggregate
+{
+    [JsonPropertyName("aliases")]
+    public IReadOnlyList<string> Aliases { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("purls")]
+    public IReadOnlyList<string> Purls { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("cpes")]
+    public IReadOnlyList<string> Cpes { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("references")]
+    public IReadOnlyList<AdvisoryObservationReference> References { get; init; } =
+        Array.Empty<AdvisoryObservationReference>();
+
+    [JsonPropertyName("sourceCoverage")]
+    public AdvisorySourceCoverageSummary? SourceCoverage { get; init; }
+
+    [JsonPropertyName("conflictSummary")]
+    public AdvisoryConflictSummary? ConflictSummary { get; init; }
+}
+
+/// <summary>
+/// Source coverage summary across observations.
+/// </summary>
+internal sealed class AdvisorySourceCoverageSummary
+{
+    [JsonPropertyName("totalSources")]
+    public int TotalSources { get; init; }
+
+    [JsonPropertyName("sources")]
+    public IReadOnlyList<string> Sources { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("coveragePercent")]
+    public double CoveragePercent { get; init; }
+}
+
+/// <summary>
+/// Conflict summary for the linkset.
+/// </summary>
+internal sealed class AdvisoryConflictSummary
+{
+    [JsonPropertyName("hasConflicts")]
+    public bool HasConflicts { get; init; }
+
+    [JsonPropertyName("totalConflicts")]
+    public int TotalConflicts { get; init; }
+
+    [JsonPropertyName("severityConflicts")]
+    public int SeverityConflicts { get; init; }
+
+    [JsonPropertyName("kevConflicts")]
+    public int KevConflicts { get; init; }
+
+    [JsonPropertyName("fixConflicts")]
+    public int FixConflicts { get; init; }
+}
+
+/// <summary>
+/// Detailed conflict information between observations.
+/// </summary>
+internal sealed class AdvisoryLinksetConflict
+{
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+
+    [JsonPropertyName("field")]
+    public string Field { get; init; } = string.Empty;
+
+    [JsonPropertyName("sources")]
+    public IReadOnlyList<AdvisoryConflictSource> Sources { get; init; } =
+        Array.Empty<AdvisoryConflictSource>();
+
+    [JsonPropertyName("resolution")]
+    public string? Resolution { get; init; }
+}
+
+/// <summary>
+/// Source contribution to a conflict.
+/// </summary>
+internal sealed class AdvisoryConflictSource
+{
+    [JsonPropertyName("observationId")]
+    public string ObservationId { get; init; } = string.Empty;
+
+    [JsonPropertyName("source")]
+    public string Source { get; init; } = string.Empty;
+
+    [JsonPropertyName("value")]
+    public string Value { get; init; } = string.Empty;
+}
+
+/// <summary>
+/// OSV (Open Source Vulnerability) format output.
+/// Per CLI-LNM-22-001, supports JSON/OSV output format.
+/// </summary>
+internal sealed class OsvVulnerability
+{
+    [JsonPropertyName("schema_version")]
+    public string SchemaVersion { get; init; } = "1.6.0";
+
+    [JsonPropertyName("id")]
+    public string Id { get; init; } = string.Empty;
+
+    [JsonPropertyName("modified")]
+    public string Modified { get; init; } = string.Empty;
+
+    [JsonPropertyName("published")]
+    public string? Published { get; init; }
+
+    [JsonPropertyName("withdrawn")]
+    public string? Withdrawn { get; init; }
+
+    [JsonPropertyName("aliases")]
+    public IReadOnlyList<string> Aliases { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("related")]
+    public IReadOnlyList<string> Related { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("summary")]
+    public string? Summary { get; init; }
+
+    [JsonPropertyName("details")]
+    public string? Details { get; init; }
+
+    [JsonPropertyName("severity")]
+    public IReadOnlyList<OsvSeverity> Severity { get; init; } = Array.Empty<OsvSeverity>();
+
+    [JsonPropertyName("affected")]
+    public IReadOnlyList<OsvAffected> Affected { get; init; } = Array.Empty<OsvAffected>();
+
+    [JsonPropertyName("references")]
+    public IReadOnlyList<OsvReference> References { get; init; } = Array.Empty<OsvReference>();
+
+    [JsonPropertyName("credits")]
+    public IReadOnlyList<OsvCredit> Credits { get; init; } = Array.Empty<OsvCredit>();
+
+    [JsonPropertyName("database_specific")]
+    public OsvDatabaseSpecific? DatabaseSpecific { get; init; }
+}
+
+/// <summary>
+/// OSV severity entry.
+/// </summary>
+internal sealed class OsvSeverity
+{
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+
+    [JsonPropertyName("score")]
+    public string Score { get; init; } = string.Empty;
+}
+
+/// <summary>
+/// OSV affected package entry.
+/// </summary>
+internal sealed class OsvAffected
+{
+    [JsonPropertyName("package")]
+    public OsvPackage Package { get; init; } = new();
+
+    [JsonPropertyName("severity")]
+    public IReadOnlyList<OsvSeverity> Severity { get; init; } = Array.Empty<OsvSeverity>();
+
+    [JsonPropertyName("ranges")]
+    public IReadOnlyList<OsvRange> Ranges { get; init; } = Array.Empty<OsvRange>();
+
+    [JsonPropertyName("versions")]
+    public IReadOnlyList<string> Versions { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("ecosystem_specific")]
+    public Dictionary<string, object>? EcosystemSpecific { get; init; }
+
+    [JsonPropertyName("database_specific")]
+    public Dictionary<string, object>? DatabaseSpecific { get; init; }
+}
+
+/// <summary>
+/// OSV package identifier.
+/// </summary>
+internal sealed class OsvPackage
+{
+    [JsonPropertyName("ecosystem")]
+    public string Ecosystem { get; init; } = string.Empty;
+
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("purl")]
+    public string? Purl { get; init; }
+}
+
+/// <summary>
+/// OSV version range.
+/// </summary>
+internal sealed class OsvRange
+{
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+
+    [JsonPropertyName("repo")]
+    public string? Repo { get; init; }
+
+    [JsonPropertyName("events")]
+    public IReadOnlyList<OsvEvent> Events { get; init; } = Array.Empty<OsvEvent>();
+}
+
+/// <summary>
+/// OSV range event.
+/// </summary>
+internal sealed class OsvEvent
+{
+    [JsonPropertyName("introduced")]
+    public string? Introduced { get; init; }
+
+    [JsonPropertyName("fixed")]
+    public string? Fixed { get; init; }
+
+    [JsonPropertyName("last_affected")]
+    public string? LastAffected { get; init; }
+
+    [JsonPropertyName("limit")]
+    public string? Limit { get; init; }
+}
+
+/// <summary>
+/// OSV reference entry.
+/// </summary>
+internal sealed class OsvReference
+{
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+
+    [JsonPropertyName("url")]
+    public string Url { get; init; } = string.Empty;
+}
+
+/// <summary>
+/// OSV credit entry.
+/// </summary>
+internal sealed class OsvCredit
+{
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("contact")]
+    public IReadOnlyList<string> Contact { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("type")]
+    public string? Type { get; init; }
+}
+
+/// <summary>
+/// OSV database-specific metadata.
+/// </summary>
+internal sealed class OsvDatabaseSpecific
+{
+    [JsonPropertyName("source")]
+    public string? Source { get; init; }
+
+    [JsonPropertyName("kev")]
+    public OsvKevInfo? Kev { get; init; }
+
+    [JsonPropertyName("stellaops")]
+    public OsvStellaOpsInfo? StellaOps { get; init; }
+}
+
+/// <summary>
+/// OSV KEV information.
+/// </summary>
+internal sealed class OsvKevInfo
+{
+    [JsonPropertyName("listed")]
+    public bool Listed { get; init; }
+
+    [JsonPropertyName("added_date")]
+    public string? AddedDate { get; init; }
+
+    [JsonPropertyName("due_date")]
+    public string? DueDate { get; init; }
+
+    [JsonPropertyName("ransomware")]
+    public bool? Ransomware { get; init; }
+}
+
+/// <summary>
+/// StellaOps-specific OSV metadata.
+/// </summary>
+internal sealed class OsvStellaOpsInfo
+{
+    [JsonPropertyName("observation_ids")]
+    public IReadOnlyList<string> ObservationIds { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("sources")]
+    public IReadOnlyList<string> Sources { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("has_conflicts")]
+    public bool HasConflicts { get; init; }
+}
+
+/// <summary>
+/// Export format enumeration for advisory exports.
+/// </summary>
+internal enum AdvisoryExportFormat
+{
+    /// <summary>
+    /// JSON format (native StellaOps).
+    /// </summary>
+    Json,
+
+    /// <summary>
+    /// OSV (Open Source Vulnerability) format.
+    /// </summary>
+    Osv,
+
+    /// <summary>
+    /// NDJSON (newline-delimited JSON) format.
+    /// </summary>
+    Ndjson,
+
+    /// <summary>
+    /// CSV format for spreadsheet imports.
+    /// </summary>
+    Csv
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/ApiSpecModels.cs b/src/Cli/StellaOps.Cli/Services/Models/ApiSpecModels.cs
new file mode 100644
index 000000000..f195e9480
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/ApiSpecModels.cs
@@ -0,0 +1,223 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+/// <summary>
+/// Request for downloading API specification.
+/// CLI-SDK-63-001: Exposes stella api spec download command.
+/// </summary>
+internal sealed class ApiSpecDownloadRequest
+{
+    /// <summary>
+    /// Tenant context for the operation.
+    /// </summary>
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    /// <summary>
+    /// Output directory for the downloaded spec.
+    /// </summary>
+    [JsonIgnore]
+    public required string OutputPath { get; init; }
+
+    /// <summary>
+    /// Spec format to download (openapi-json, openapi-yaml).
+    /// </summary>
+    [JsonPropertyName("format")]
+    public string Format { get; init; } = "openapi-json";
+
+    /// <summary>
+    /// Whether to overwrite existing files.
+    /// </summary>
+    [JsonIgnore]
+    public bool Overwrite { get; init; }
+
+    /// <summary>
+    /// Optional service filter (e.g., "concelier", "scanner", "policy").
+    /// When null, downloads the aggregate/combined spec.
+    /// </summary>
+    [JsonPropertyName("service")]
+    public string? Service { get; init; }
+
+    /// <summary>
+    /// Expected ETag for conditional download (If-None-Match).
+    /// </summary>
+    [JsonIgnore]
+    public string? ExpectedETag { get; init; }
+
+    /// <summary>
+    /// Expected checksum for verification after download.
+    /// </summary>
+    [JsonIgnore]
+    public string? ExpectedChecksum { get; init; }
+
+    /// <summary>
+    /// Checksum algorithm (sha256, sha384, sha512).
+    /// </summary>
+    [JsonIgnore]
+    public string ChecksumAlgorithm { get; init; } = "sha256";
+}
+
+/// <summary>
+/// Result of API spec download operation.
+/// </summary>
+internal sealed class ApiSpecDownloadResult
+{
+    /// <summary>
+    /// Whether the operation was successful.
+    /// </summary>
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    /// <summary>
+    /// Path where the spec was downloaded.
+    /// </summary>
+    [JsonPropertyName("path")]
+    public string? Path { get; init; }
+
+    /// <summary>
+    /// Size of the downloaded spec in bytes.
+    /// </summary>
+    [JsonPropertyName("sizeBytes")]
+    public long SizeBytes { get; init; }
+
+    /// <summary>
+    /// Whether the result was served from cache (304 Not Modified).
+    /// </summary>
+    [JsonPropertyName("fromCache")]
+    public bool FromCache { get; init; }
+
+    /// <summary>
+    /// ETag of the downloaded spec.
+    /// </summary>
+    [JsonPropertyName("etag")]
+    public string? ETag { get; init; }
+
+    /// <summary>
+    /// Computed checksum of the downloaded spec.
+    /// </summary>
+    [JsonPropertyName("checksum")]
+    public string? Checksum { get; init; }
+
+    /// <summary>
+    /// Checksum algorithm used.
+    /// </summary>
+    [JsonPropertyName("checksumAlgorithm")]
+    public string? ChecksumAlgorithm { get; init; }
+
+    /// <summary>
+    /// Whether checksum verification passed.
+    /// </summary>
+    [JsonPropertyName("checksumVerified")]
+    public bool? ChecksumVerified { get; init; }
+
+    /// <summary>
+    /// API version extracted from the spec.
+    /// </summary>
+    [JsonPropertyName("apiVersion")]
+    public string? ApiVersion { get; init; }
+
+    /// <summary>
+    /// Timestamp of when the spec was generated.
+    /// </summary>
+    [JsonPropertyName("generatedAt")]
+    public DateTimeOffset? GeneratedAt { get; init; }
+
+    /// <summary>
+    /// Error message if the operation failed.
+    /// </summary>
+    [JsonPropertyName("error")]
+    public string? Error { get; init; }
+
+    /// <summary>
+    /// Error code if the operation failed.
+    /// </summary>
+    [JsonPropertyName("errorCode")]
+    public string? ErrorCode { get; init; }
+}
+
+/// <summary>
+/// Information about available API specifications.
+/// </summary>
+internal sealed class ApiSpecInfo
+{
+    /// <summary>
+    /// Service name.
+    /// </summary>
+    [JsonPropertyName("service")]
+    public required string Service { get; init; }
+
+    /// <summary>
+    /// API version.
+    /// </summary>
+    [JsonPropertyName("version")]
+    public required string Version { get; init; }
+
+    /// <summary>
+    /// OpenAPI spec version (e.g., "3.1.0").
+    /// </summary>
+    [JsonPropertyName("openApiVersion")]
+    public string? OpenApiVersion { get; init; }
+
+    /// <summary>
+    /// Available formats.
+    /// </summary>
+    [JsonPropertyName("formats")]
+    public IReadOnlyList<string> Formats { get; init; } = [];
+
+    /// <summary>
+    /// ETag for the spec.
+    /// </summary>
+    [JsonPropertyName("etag")]
+    public string? ETag { get; init; }
+
+    /// <summary>
+    /// SHA-256 checksum of the JSON format.
+    /// </summary>
+    [JsonPropertyName("sha256")]
+    public string? Sha256 { get; init; }
+
+    /// <summary>
+    /// Last modified timestamp.
+    /// </summary>
+    [JsonPropertyName("lastModified")]
+    public DateTimeOffset? LastModified { get; init; }
+
+    /// <summary>
+    /// Download URL for the spec.
+    /// </summary>
+    [JsonPropertyName("downloadUrl")]
+    public string? DownloadUrl { get; init; }
+}
+
+/// <summary>
+/// Response for listing available API specifications.
+/// </summary>
+internal sealed class ApiSpecListResponse
+{
+    /// <summary>
+    /// Whether the operation was successful.
+    /// </summary>
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    /// <summary>
+    /// Available API specifications.
+    /// </summary>
+    [JsonPropertyName("specs")]
+    public IReadOnlyList<ApiSpecInfo> Specs { get; init; } = [];
+
+    /// <summary>
+    /// Aggregate spec info (combined all services).
+    /// </summary>
+    [JsonPropertyName("aggregate")]
+    public ApiSpecInfo? Aggregate { get; init; }
+
+    /// <summary>
+    /// Error message if the operation failed.
+    /// </summary>
+    [JsonPropertyName("error")]
+    public string? Error { get; init; }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/AttestationModels.cs b/src/Cli/StellaOps.Cli/Services/Models/AttestationModels.cs
new file mode 100644
index 000000000..f73e57db6
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/AttestationModels.cs
@@ -0,0 +1,230 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-FORENSICS-54-002: Attestation models for forensic attest show command
+
+/// <summary>
+/// DSSE envelope from attestation file.
+/// </summary>
+internal sealed class AttestationEnvelope
+{
+    [JsonPropertyName("payloadType")]
+    public string PayloadType { get; init; } = string.Empty;
+
+    [JsonPropertyName("payload")]
+    public string Payload { get; init; } = string.Empty;
+
+    [JsonPropertyName("signatures")]
+    public IReadOnlyList<AttestationSignature> Signatures { get; init; } = Array.Empty<AttestationSignature>();
+}
+
+/// <summary>
+/// Signature in attestation envelope.
+/// </summary>
+internal sealed class AttestationSignature
+{
+    [JsonPropertyName("keyid")]
+    public string? KeyId { get; init; }
+
+    [JsonPropertyName("sig")]
+    public string Signature { get; init; } = string.Empty;
+}
+
+/// <summary>
+/// In-toto statement from attestation payload.
+/// </summary>
+internal sealed class InTotoStatement
+{
+    [JsonPropertyName("_type")]
+    public string Type { get; init; } = string.Empty;
+
+    [JsonPropertyName("subject")]
+    public IReadOnlyList<InTotoSubject> Subject { get; init; } = Array.Empty<InTotoSubject>();
+
+    [JsonPropertyName("predicateType")]
+    public string PredicateType { get; init; } = string.Empty;
+
+    [JsonPropertyName("predicate")]
+    public object? Predicate { get; init; }
+}
+
+/// <summary>
+/// Subject in in-toto statement.
+/// </summary>
+internal sealed class InTotoSubject
+{
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("digest")]
+    public IReadOnlyDictionary<string, string> Digest { get; init; } = new Dictionary<string, string>();
+}
+
+/// <summary>
+/// Result of attestation show operation.
+/// </summary>
+internal sealed class AttestationShowResult
+{
+    [JsonPropertyName("filePath")]
+    public string FilePath { get; init; } = string.Empty;
+
+    [JsonPropertyName("payloadType")]
+    public string PayloadType { get; init; } = string.Empty;
+
+    [JsonPropertyName("statementType")]
+    public string StatementType { get; init; } = string.Empty;
+
+    [JsonPropertyName("predicateType")]
+    public string PredicateType { get; init; } = string.Empty;
+
+    [JsonPropertyName("subjects")]
+    public IReadOnlyList<AttestationSubjectInfo> Subjects { get; init; } = Array.Empty<AttestationSubjectInfo>();
+
+    [JsonPropertyName("signatures")]
+    public IReadOnlyList<AttestationSignatureInfo> Signatures { get; init; } = Array.Empty<AttestationSignatureInfo>();
+
+    [JsonPropertyName("predicateSummary")]
+    public AttestationPredicateSummary? PredicateSummary { get; init; }
+
+    [JsonPropertyName("verificationResult")]
+    public AttestationVerificationResult? VerificationResult { get; init; }
+}
+
+/// <summary>
+/// Subject information for display.
+/// </summary>
+internal sealed class AttestationSubjectInfo
+{
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("digestAlgorithm")]
+    public string DigestAlgorithm { get; init; } = string.Empty;
+
+    [JsonPropertyName("digestValue")]
+    public string DigestValue { get; init; } = string.Empty;
+}
+
+/// <summary>
+/// Signature information for display.
+/// </summary>
+internal sealed class AttestationSignatureInfo
+{
+    [JsonPropertyName("keyId")]
+    public string KeyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("algorithm")]
+    public string Algorithm { get; init; } = string.Empty;
+
+    [JsonPropertyName("isValid")]
+    public bool? IsValid { get; init; }
+
+    [JsonPropertyName("isTrusted")]
+    public bool? IsTrusted { get; init; }
+
+    [JsonPropertyName("signerInfo")]
+    public AttestationSignerInfo? SignerInfo { get; init; }
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+}
+
+/// <summary>
+/// Signer information extracted from signature or certificate.
+/// </summary>
+internal sealed class AttestationSignerInfo
+{
+    [JsonPropertyName("commonName")]
+    public string? CommonName { get; init; }
+
+    [JsonPropertyName("organization")]
+    public string? Organization { get; init; }
+
+    [JsonPropertyName("email")]
+    public string? Email { get; init; }
+
+    [JsonPropertyName("issuer")]
+    public string? Issuer { get; init; }
+
+    [JsonPropertyName("notBefore")]
+    public DateTimeOffset? NotBefore { get; init; }
+
+    [JsonPropertyName("notAfter")]
+    public DateTimeOffset? NotAfter { get; init; }
+
+    [JsonPropertyName("fingerprint")]
+    public string? Fingerprint { get; init; }
+}
+
+/// <summary>
+/// Summary of the predicate for display.
+/// </summary>
+internal sealed class AttestationPredicateSummary
+{
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+
+    [JsonPropertyName("timestamp")]
+    public DateTimeOffset? Timestamp { get; init; }
+
+    [JsonPropertyName("buildType")]
+    public string? BuildType { get; init; }
+
+    [JsonPropertyName("builder")]
+    public string? Builder { get; init; }
+
+    [JsonPropertyName("invocationId")]
+    public string? InvocationId { get; init; }
+
+    [JsonPropertyName("materials")]
+    public IReadOnlyList<AttestationMaterial>? Materials { get; init; }
+
+    [JsonPropertyName("metadata")]
+    public IReadOnlyDictionary<string, string>? Metadata { get; init; }
+}
+
+/// <summary>
+/// Material in attestation predicate.
+/// </summary>
+internal sealed class AttestationMaterial
+{
+    [JsonPropertyName("uri")]
+    public string Uri { get; init; } = string.Empty;
+
+    [JsonPropertyName("digest")]
+    public IReadOnlyDictionary<string, string>? Digest { get; init; }
+}
+
+/// <summary>
+/// Verification result for attestation.
+/// </summary>
+internal sealed class AttestationVerificationResult
+{
+    [JsonPropertyName("isValid")]
+    public bool IsValid { get; init; }
+
+    [JsonPropertyName("signatureCount")]
+    public int SignatureCount { get; init; }
+
+    [JsonPropertyName("validSignatures")]
+    public int ValidSignatures { get; init; }
+
+    [JsonPropertyName("trustedSignatures")]
+    public int TrustedSignatures { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Options for attestation show operation.
+/// </summary>
+internal sealed class AttestationShowOptions
+{
+    public bool VerifySignatures { get; init; } = true;
+    public string? TrustRootPath { get; init; }
+    public IReadOnlyList<ForensicTrustRoot> TrustRoots { get; init; } = Array.Empty<ForensicTrustRoot>();
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/DeterminismModels.cs b/src/Cli/StellaOps.Cli/Services/Models/DeterminismModels.cs
new file mode 100644
index 000000000..872c2f0f0
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/DeterminismModels.cs
@@ -0,0 +1,420 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-DETER-70-003: Determinism score models (docs/modules/scanner/determinism-score.md)
+
+/// <summary>
+/// Request for running determinism harness.
+/// </summary>
+internal sealed class DeterminismRunRequest
+{
+    /// <summary>
+    /// Image digests to test.
+    /// </summary>
+    [JsonPropertyName("images")]
+    public IReadOnlyList<string> Images { get; init; } = Array.Empty<string>();
+
+    /// <summary>
+    /// Scanner container image reference.
+    /// </summary>
+    [JsonPropertyName("scanner")]
+    public string Scanner { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Policy bundle path or SHA.
+    /// </summary>
+    [JsonPropertyName("policyBundle")]
+    public string? PolicyBundle { get; init; }
+
+    /// <summary>
+    /// Feeds bundle path or SHA.
+    /// </summary>
+    [JsonPropertyName("feedsBundle")]
+    public string? FeedsBundle { get; init; }
+
+    /// <summary>
+    /// Number of runs per image (default 10).
+    /// </summary>
+    [JsonPropertyName("runs")]
+    public int Runs { get; init; } = 10;
+
+    /// <summary>
+    /// Fixed clock timestamp for deterministic execution.
+    /// </summary>
+    [JsonPropertyName("fixedClock")]
+    public DateTimeOffset? FixedClock { get; init; }
+
+    /// <summary>
+    /// RNG seed for deterministic execution.
+    /// </summary>
+    [JsonPropertyName("rngSeed")]
+    public int RngSeed { get; init; } = 1337;
+
+    /// <summary>
+    /// Maximum concurrency (default 1 for determinism).
+    /// </summary>
+    [JsonPropertyName("maxConcurrency")]
+    public int MaxConcurrency { get; init; } = 1;
+
+    /// <summary>
+    /// Memory limit for container (default 2G).
+    /// </summary>
+    [JsonPropertyName("memoryLimit")]
+    public string MemoryLimit { get; init; } = "2G";
+
+    /// <summary>
+    /// CPU set for container (default 0).
+    /// </summary>
+    [JsonPropertyName("cpuSet")]
+    public string CpuSet { get; init; } = "0";
+
+    /// <summary>
+    /// Platform (default linux/amd64).
+    /// </summary>
+    [JsonPropertyName("platform")]
+    public string Platform { get; init; } = "linux/amd64";
+
+    /// <summary>
+    /// Minimum threshold for individual image scores.
+    /// </summary>
+    [JsonPropertyName("imageThreshold")]
+    public double ImageThreshold { get; init; } = 0.90;
+
+    /// <summary>
+    /// Minimum threshold for overall score.
+    /// </summary>
+    [JsonPropertyName("overallThreshold")]
+    public double OverallThreshold { get; init; } = 0.95;
+
+    /// <summary>
+    /// Output directory for determinism.json and run artifacts.
+    /// </summary>
+    [JsonPropertyName("outputDir")]
+    public string? OutputDir { get; init; }
+
+    /// <summary>
+    /// Release version string for the manifest.
+    /// </summary>
+    [JsonPropertyName("release")]
+    public string? Release { get; init; }
+}
+
+/// <summary>
+/// Determinism score manifest (determinism.json schema per SCAN-DETER-186-010).
+/// </summary>
+internal sealed class DeterminismManifest
+{
+    [JsonPropertyName("version")]
+    public string Version { get; init; } = "1";
+
+    [JsonPropertyName("release")]
+    public string Release { get; init; } = string.Empty;
+
+    [JsonPropertyName("platform")]
+    public string Platform { get; init; } = "linux/amd64";
+
+    [JsonPropertyName("policy_sha")]
+    public string PolicySha { get; init; } = string.Empty;
+
+    [JsonPropertyName("feeds_sha")]
+    public string FeedsSha { get; init; } = string.Empty;
+
+    [JsonPropertyName("scanner_sha")]
+    public string ScannerSha { get; init; } = string.Empty;
+
+    [JsonPropertyName("images")]
+    public IReadOnlyList<DeterminismImageResult> Images { get; init; } = Array.Empty<DeterminismImageResult>();
+
+    [JsonPropertyName("overall_score")]
+    public double OverallScore { get; init; }
+
+    [JsonPropertyName("thresholds")]
+    public DeterminismThresholds Thresholds { get; init; } = new();
+
+    [JsonPropertyName("generated_at")]
+    public DateTimeOffset GeneratedAt { get; init; } = DateTimeOffset.UtcNow;
+
+    [JsonPropertyName("execution")]
+    public DeterminismExecutionInfo? Execution { get; init; }
+}
+
+/// <summary>
+/// Per-image determinism result.
+/// </summary>
+internal sealed class DeterminismImageResult
+{
+    [JsonPropertyName("digest")]
+    public string Digest { get; init; } = string.Empty;
+
+    [JsonPropertyName("runs")]
+    public int Runs { get; init; }
+
+    [JsonPropertyName("identical")]
+    public int Identical { get; init; }
+
+    [JsonPropertyName("score")]
+    public double Score { get; init; }
+
+    [JsonPropertyName("artifact_hashes")]
+    public IReadOnlyDictionary<string, string> ArtifactHashes { get; init; } = new Dictionary<string, string>();
+
+    [JsonPropertyName("non_deterministic")]
+    public IReadOnlyList<string> NonDeterministic { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("notes")]
+    public string? Notes { get; init; }
+
+    [JsonPropertyName("run_details")]
+    public IReadOnlyList<DeterminismRunDetail>? RunDetails { get; init; }
+}
+
+/// <summary>
+/// Details of a single determinism run.
+/// </summary>
+internal sealed class DeterminismRunDetail
+{
+    [JsonPropertyName("run_number")]
+    public int RunNumber { get; init; }
+
+    [JsonPropertyName("identical")]
+    public bool Identical { get; init; }
+
+    [JsonPropertyName("artifact_hashes")]
+    public IReadOnlyDictionary<string, string> ArtifactHashes { get; init; } = new Dictionary<string, string>();
+
+    [JsonPropertyName("duration_ms")]
+    public long DurationMs { get; init; }
+
+    [JsonPropertyName("exit_code")]
+    public int ExitCode { get; init; }
+}
+
+/// <summary>
+/// Thresholds for determinism scoring.
+/// </summary>
+internal sealed class DeterminismThresholds
+{
+    [JsonPropertyName("image_min")]
+    public double ImageMin { get; init; } = 0.90;
+
+    [JsonPropertyName("overall_min")]
+    public double OverallMin { get; init; } = 0.95;
+}
+
+/// <summary>
+/// Execution information for determinism harness.
+/// </summary>
+internal sealed class DeterminismExecutionInfo
+{
+    [JsonPropertyName("fixed_clock")]
+    public DateTimeOffset? FixedClock { get; init; }
+
+    [JsonPropertyName("rng_seed")]
+    public int RngSeed { get; init; }
+
+    [JsonPropertyName("max_concurrency")]
+    public int MaxConcurrency { get; init; }
+
+    [JsonPropertyName("memory_limit")]
+    public string MemoryLimit { get; init; } = "2G";
+
+    [JsonPropertyName("cpu_set")]
+    public string CpuSet { get; init; } = "0";
+
+    [JsonPropertyName("network_mode")]
+    public string NetworkMode { get; init; } = "none";
+}
+
+/// <summary>
+/// Result of running the determinism harness.
+/// </summary>
+internal sealed class DeterminismRunResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("manifest")]
+    public DeterminismManifest? Manifest { get; init; }
+
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+
+    [JsonPropertyName("passedThreshold")]
+    public bool PassedThreshold { get; init; }
+
+    [JsonPropertyName("failedImages")]
+    public IReadOnlyList<string> FailedImages { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("durationMs")]
+    public long DurationMs { get; init; }
+}
+
+// CLI-DETER-70-004: Determinism report models
+
+/// <summary>
+/// Request for generating a determinism report.
+/// </summary>
+internal sealed class DeterminismReportRequest
+{
+    /// <summary>
+    /// Paths to determinism.json files to include in report.
+    /// </summary>
+    [JsonPropertyName("manifestPaths")]
+    public IReadOnlyList<string> ManifestPaths { get; init; } = Array.Empty<string>();
+
+    /// <summary>
+    /// Output format (markdown, json, csv).
+    /// </summary>
+    [JsonPropertyName("format")]
+    public string Format { get; init; } = "markdown";
+
+    /// <summary>
+    /// Output path for the report.
+    /// </summary>
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+
+    /// <summary>
+    /// Include detailed per-run information.
+    /// </summary>
+    [JsonPropertyName("includeDetails")]
+    public bool IncludeDetails { get; init; }
+
+    /// <summary>
+    /// Title for the report.
+    /// </summary>
+    [JsonPropertyName("title")]
+    public string? Title { get; init; }
+}
+
+/// <summary>
+/// Aggregated determinism report across multiple manifests.
+/// </summary>
+internal sealed class DeterminismReport
+{
+    [JsonPropertyName("title")]
+    public string Title { get; init; } = "Determinism Score Report";
+
+    [JsonPropertyName("generatedAt")]
+    public DateTimeOffset GeneratedAt { get; init; } = DateTimeOffset.UtcNow;
+
+    [JsonPropertyName("summary")]
+    public DeterminismReportSummary Summary { get; init; } = new();
+
+    [JsonPropertyName("releases")]
+    public IReadOnlyList<DeterminismReleaseEntry> Releases { get; init; } = Array.Empty<DeterminismReleaseEntry>();
+
+    [JsonPropertyName("imageMatrix")]
+    public IReadOnlyList<DeterminismImageMatrixEntry> ImageMatrix { get; init; } = Array.Empty<DeterminismImageMatrixEntry>();
+}
+
+/// <summary>
+/// Summary statistics for the report.
+/// </summary>
+internal sealed class DeterminismReportSummary
+{
+    [JsonPropertyName("totalReleases")]
+    public int TotalReleases { get; init; }
+
+    [JsonPropertyName("totalImages")]
+    public int TotalImages { get; init; }
+
+    [JsonPropertyName("averageScore")]
+    public double AverageScore { get; init; }
+
+    [JsonPropertyName("minScore")]
+    public double MinScore { get; init; }
+
+    [JsonPropertyName("maxScore")]
+    public double MaxScore { get; init; }
+
+    [JsonPropertyName("passedCount")]
+    public int PassedCount { get; init; }
+
+    [JsonPropertyName("failedCount")]
+    public int FailedCount { get; init; }
+
+    [JsonPropertyName("nonDeterministicArtifacts")]
+    public IReadOnlyList<string> NonDeterministicArtifacts { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Entry for a single release in the report.
+/// </summary>
+internal sealed class DeterminismReleaseEntry
+{
+    [JsonPropertyName("release")]
+    public string Release { get; init; } = string.Empty;
+
+    [JsonPropertyName("platform")]
+    public string Platform { get; init; } = string.Empty;
+
+    [JsonPropertyName("overallScore")]
+    public double OverallScore { get; init; }
+
+    [JsonPropertyName("passed")]
+    public bool Passed { get; init; }
+
+    [JsonPropertyName("imageCount")]
+    public int ImageCount { get; init; }
+
+    [JsonPropertyName("generatedAt")]
+    public DateTimeOffset GeneratedAt { get; init; }
+
+    [JsonPropertyName("scannerSha")]
+    public string ScannerSha { get; init; } = string.Empty;
+
+    [JsonPropertyName("manifestPath")]
+    public string ManifestPath { get; init; } = string.Empty;
+}
+
+/// <summary>
+/// Per-image matrix entry showing scores across releases.
+/// </summary>
+internal sealed class DeterminismImageMatrixEntry
+{
+    [JsonPropertyName("imageDigest")]
+    public string ImageDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("scores")]
+    public IReadOnlyDictionary<string, double> Scores { get; init; } = new Dictionary<string, double>();
+
+    [JsonPropertyName("averageScore")]
+    public double AverageScore { get; init; }
+
+    [JsonPropertyName("nonDeterministicArtifacts")]
+    public IReadOnlyList<string> NonDeterministicArtifacts { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Result of generating a determinism report.
+/// </summary>
+internal sealed class DeterminismReportResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("report")]
+    public DeterminismReport? Report { get; init; }
+
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+
+    [JsonPropertyName("format")]
+    public string Format { get; init; } = "markdown";
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/ExceptionModels.cs b/src/Cli/StellaOps.Cli/Services/Models/ExceptionModels.cs
new file mode 100644
index 000000000..516b8cf35
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/ExceptionModels.cs
@@ -0,0 +1,422 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-EXC-25-001: Exception governance models for stella exceptions commands
+
+/// <summary>
+/// Exception scope types.
+/// </summary>
+internal static class ExceptionScopeTypes
+{
+    public const string Purl = "purl";
+    public const string Image = "image";
+    public const string Component = "component";
+    public const string TenantWide = "tenant";
+}
+
+/// <summary>
+/// Exception status values following lifecycle: draft -> staged -> active -> expired.
+/// </summary>
+internal static class ExceptionStatuses
+{
+    public const string Draft = "draft";
+    public const string Staged = "staged";
+    public const string Active = "active";
+    public const string Expired = "expired";
+    public const string Revoked = "revoked";
+}
+
+/// <summary>
+/// Exception effect types.
+/// </summary>
+internal static class ExceptionEffectTypes
+{
+    public const string Suppress = "suppress";
+    public const string Defer = "defer";
+    public const string Downgrade = "downgrade";
+    public const string RequireControl = "requireControl";
+}
+
+/// <summary>
+/// Exception scope definition.
+/// </summary>
+internal sealed class ExceptionScope
+{
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = ExceptionScopeTypes.Purl;
+
+    [JsonPropertyName("value")]
+    public string Value { get; init; } = string.Empty;
+
+    [JsonPropertyName("ruleNames")]
+    public IReadOnlyList<string>? RuleNames { get; init; }
+
+    [JsonPropertyName("severities")]
+    public IReadOnlyList<string>? Severities { get; init; }
+
+    [JsonPropertyName("sources")]
+    public IReadOnlyList<string>? Sources { get; init; }
+
+    [JsonPropertyName("tags")]
+    public IReadOnlyList<string>? Tags { get; init; }
+}
+
+/// <summary>
+/// Evidence reference for an exception.
+/// </summary>
+internal sealed class ExceptionEvidenceRef
+{
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty; // ticket, vex_claim, scan_report, attestation
+
+    [JsonPropertyName("uri")]
+    public string Uri { get; init; } = string.Empty;
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+}
+
+/// <summary>
+/// Exception effect definition.
+/// </summary>
+internal sealed class ExceptionEffect
+{
+    [JsonPropertyName("id")]
+    public string Id { get; init; } = string.Empty;
+
+    [JsonPropertyName("effectType")]
+    public string EffectType { get; init; } = ExceptionEffectTypes.Suppress;
+
+    [JsonPropertyName("name")]
+    public string? Name { get; init; }
+
+    [JsonPropertyName("downgradeSeverity")]
+    public string? DowngradeSeverity { get; init; }
+
+    [JsonPropertyName("requiredControlId")]
+    public string? RequiredControlId { get; init; }
+
+    [JsonPropertyName("routingTemplate")]
+    public string? RoutingTemplate { get; init; }
+
+    [JsonPropertyName("maxDurationDays")]
+    public int? MaxDurationDays { get; init; }
+
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+}
+
+/// <summary>
+/// Exception instance representing a governed waiver.
+/// </summary>
+internal sealed class ExceptionInstance
+{
+    [JsonPropertyName("id")]
+    public string Id { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("vuln")]
+    public string Vuln { get; init; } = string.Empty; // CVE ID or alias
+
+    [JsonPropertyName("scope")]
+    public ExceptionScope Scope { get; init; } = new();
+
+    [JsonPropertyName("effectId")]
+    public string EffectId { get; init; } = string.Empty;
+
+    [JsonPropertyName("effect")]
+    public ExceptionEffect? Effect { get; init; }
+
+    [JsonPropertyName("justification")]
+    public string Justification { get; init; } = string.Empty;
+
+    [JsonPropertyName("owner")]
+    public string Owner { get; init; } = string.Empty;
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = ExceptionStatuses.Draft;
+
+    [JsonPropertyName("expiration")]
+    public DateTimeOffset? Expiration { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("updatedAt")]
+    public DateTimeOffset UpdatedAt { get; init; }
+
+    [JsonPropertyName("createdBy")]
+    public string? CreatedBy { get; init; }
+
+    [JsonPropertyName("approvedBy")]
+    public string? ApprovedBy { get; init; }
+
+    [JsonPropertyName("approvedAt")]
+    public DateTimeOffset? ApprovedAt { get; init; }
+
+    [JsonPropertyName("evidenceRefs")]
+    public IReadOnlyList<ExceptionEvidenceRef> EvidenceRefs { get; init; } = Array.Empty<ExceptionEvidenceRef>();
+
+    [JsonPropertyName("policyBinding")]
+    public string? PolicyBinding { get; init; }
+
+    [JsonPropertyName("supersedes")]
+    public string? Supersedes { get; init; }
+
+    [JsonPropertyName("metadata")]
+    public IReadOnlyDictionary<string, string>? Metadata { get; init; }
+}
+
+/// <summary>
+/// Request to list exceptions.
+/// </summary>
+internal sealed class ExceptionListRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("vuln")]
+    public string? Vuln { get; init; }
+
+    [JsonPropertyName("scopeType")]
+    public string? ScopeType { get; init; }
+
+    [JsonPropertyName("scopeValue")]
+    public string? ScopeValue { get; init; }
+
+    [JsonPropertyName("status")]
+    public IReadOnlyList<string>? Statuses { get; init; }
+
+    [JsonPropertyName("owner")]
+    public string? Owner { get; init; }
+
+    [JsonPropertyName("effectType")]
+    public string? EffectType { get; init; }
+
+    [JsonPropertyName("expiringBefore")]
+    public DateTimeOffset? ExpiringBefore { get; init; }
+
+    [JsonPropertyName("includeExpired")]
+    public bool IncludeExpired { get; init; }
+
+    [JsonPropertyName("pageSize")]
+    public int PageSize { get; init; } = 50;
+
+    [JsonPropertyName("pageToken")]
+    public string? PageToken { get; init; }
+}
+
+/// <summary>
+/// Response from listing exceptions.
+/// </summary>
+internal sealed class ExceptionListResponse
+{
+    [JsonPropertyName("exceptions")]
+    public IReadOnlyList<ExceptionInstance> Exceptions { get; init; } = Array.Empty<ExceptionInstance>();
+
+    [JsonPropertyName("nextPageToken")]
+    public string? NextPageToken { get; init; }
+
+    [JsonPropertyName("totalCount")]
+    public long? TotalCount { get; init; }
+}
+
+/// <summary>
+/// Request to create an exception.
+/// </summary>
+internal sealed class ExceptionCreateRequest
+{
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("vuln")]
+    public string Vuln { get; init; } = string.Empty;
+
+    [JsonPropertyName("scope")]
+    public ExceptionScope Scope { get; init; } = new();
+
+    [JsonPropertyName("effectId")]
+    public string EffectId { get; init; } = string.Empty;
+
+    [JsonPropertyName("justification")]
+    public string Justification { get; init; } = string.Empty;
+
+    [JsonPropertyName("owner")]
+    public string Owner { get; init; } = string.Empty;
+
+    [JsonPropertyName("expiration")]
+    public DateTimeOffset? Expiration { get; init; }
+
+    [JsonPropertyName("evidenceRefs")]
+    public IReadOnlyList<ExceptionEvidenceRef>? EvidenceRefs { get; init; }
+
+    [JsonPropertyName("policyBinding")]
+    public string? PolicyBinding { get; init; }
+
+    [JsonPropertyName("metadata")]
+    public IReadOnlyDictionary<string, string>? Metadata { get; init; }
+
+    [JsonPropertyName("stage")]
+    public bool Stage { get; init; }
+}
+
+/// <summary>
+/// Request to promote an exception (draft -> staged -> active).
+/// </summary>
+internal sealed class ExceptionPromoteRequest
+{
+    [JsonPropertyName("exceptionId")]
+    public string ExceptionId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("targetStatus")]
+    public string TargetStatus { get; init; } = ExceptionStatuses.Active;
+
+    [JsonPropertyName("comment")]
+    public string? Comment { get; init; }
+}
+
+/// <summary>
+/// Request to revoke an exception.
+/// </summary>
+internal sealed class ExceptionRevokeRequest
+{
+    [JsonPropertyName("exceptionId")]
+    public string ExceptionId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+}
+
+/// <summary>
+/// Request to import exceptions from NDJSON.
+/// </summary>
+internal sealed class ExceptionImportRequest
+{
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("stage")]
+    public bool Stage { get; init; } = true;
+
+    [JsonPropertyName("source")]
+    public string? Source { get; init; }
+}
+
+/// <summary>
+/// Result of exception import.
+/// </summary>
+internal sealed class ExceptionImportResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("imported")]
+    public int Imported { get; init; }
+
+    [JsonPropertyName("skipped")]
+    public int Skipped { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<ExceptionImportError> Errors { get; init; } = Array.Empty<ExceptionImportError>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Import error detail.
+/// </summary>
+internal sealed class ExceptionImportError
+{
+    [JsonPropertyName("line")]
+    public int Line { get; init; }
+
+    [JsonPropertyName("message")]
+    public string Message { get; init; } = string.Empty;
+
+    [JsonPropertyName("field")]
+    public string? Field { get; init; }
+}
+
+/// <summary>
+/// Request to export exceptions.
+/// </summary>
+internal sealed class ExceptionExportRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("statuses")]
+    public IReadOnlyList<string>? Statuses { get; init; }
+
+    [JsonPropertyName("format")]
+    public string Format { get; init; } = "ndjson"; // ndjson, json
+
+    [JsonPropertyName("includeManifest")]
+    public bool IncludeManifest { get; init; } = true;
+
+    [JsonPropertyName("signed")]
+    public bool Signed { get; init; }
+}
+
+/// <summary>
+/// Export manifest for exception bundle.
+/// </summary>
+internal sealed class ExceptionExportManifest
+{
+    [JsonPropertyName("generatedAt")]
+    public DateTimeOffset GeneratedAt { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("count")]
+    public int Count { get; init; }
+
+    [JsonPropertyName("sha256")]
+    public string Sha256 { get; init; } = string.Empty;
+
+    [JsonPropertyName("aocEnforced")]
+    public bool AocEnforced { get; init; }
+
+    [JsonPropertyName("source")]
+    public string? Source { get; init; }
+
+    [JsonPropertyName("signatureUri")]
+    public string? SignatureUri { get; init; }
+}
+
+/// <summary>
+/// Result of exception operation.
+/// </summary>
+internal sealed class ExceptionOperationResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("exception")]
+    public ExceptionInstance? Exception { get; init; }
+
+    [JsonPropertyName("auditEventId")]
+    public string? AuditEventId { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/ForensicSnapshotModels.cs b/src/Cli/StellaOps.Cli/Services/Models/ForensicSnapshotModels.cs
new file mode 100644
index 000000000..c928d7b67
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/ForensicSnapshotModels.cs
@@ -0,0 +1,279 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-FORENSICS-53-001: Forensic snapshot models for evidence locker integration
+
+/// <summary>
+/// Request to create a forensic snapshot.
+/// </summary>
+internal sealed record ForensicSnapshotCreateRequest(
+    [property: JsonPropertyName("caseId")] string CaseId,
+    [property: JsonPropertyName("description")] string? Description = null,
+    [property: JsonPropertyName("tags")] IReadOnlyList<string>? Tags = null,
+    [property: JsonPropertyName("scope")] ForensicSnapshotScope? Scope = null,
+    [property: JsonPropertyName("retentionDays")] int? RetentionDays = null);
+
+/// <summary>
+/// Scope configuration for forensic snapshot.
+/// </summary>
+internal sealed record ForensicSnapshotScope(
+    [property: JsonPropertyName("sbomIds")] IReadOnlyList<string>? SbomIds = null,
+    [property: JsonPropertyName("scanIds")] IReadOnlyList<string>? ScanIds = null,
+    [property: JsonPropertyName("policyIds")] IReadOnlyList<string>? PolicyIds = null,
+    [property: JsonPropertyName("vulnerabilityIds")] IReadOnlyList<string>? VulnerabilityIds = null,
+    [property: JsonPropertyName("timeRange")] ForensicTimeRange? TimeRange = null);
+
+/// <summary>
+/// Time range for forensic snapshot scope.
+/// </summary>
+internal sealed record ForensicTimeRange(
+    [property: JsonPropertyName("from")] DateTimeOffset? From = null,
+    [property: JsonPropertyName("to")] DateTimeOffset? To = null);
+
+/// <summary>
+/// Forensic snapshot document from the evidence locker.
+/// </summary>
+internal sealed class ForensicSnapshotDocument
+{
+    [JsonPropertyName("snapshotId")]
+    public string SnapshotId { get; init; } = string.Empty;
+
+    [JsonPropertyName("caseId")]
+    public string CaseId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = string.Empty;
+
+    [JsonPropertyName("manifest")]
+    public ForensicSnapshotManifest? Manifest { get; init; }
+
+    [JsonPropertyName("scope")]
+    public ForensicSnapshotScope? Scope { get; init; }
+
+    [JsonPropertyName("tags")]
+    public IReadOnlyList<string> Tags { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("completedAt")]
+    public DateTimeOffset? CompletedAt { get; init; }
+
+    [JsonPropertyName("expiresAt")]
+    public DateTimeOffset? ExpiresAt { get; init; }
+
+    [JsonPropertyName("createdBy")]
+    public string? CreatedBy { get; init; }
+
+    [JsonPropertyName("sizeBytes")]
+    public long? SizeBytes { get; init; }
+
+    [JsonPropertyName("artifactCount")]
+    public int? ArtifactCount { get; init; }
+}
+
+/// <summary>
+/// Manifest for a forensic snapshot.
+/// </summary>
+internal sealed class ForensicSnapshotManifest
+{
+    [JsonPropertyName("manifestId")]
+    public string ManifestId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public string Version { get; init; } = "1.0";
+
+    [JsonPropertyName("digest")]
+    public string Digest { get; init; } = string.Empty;
+
+    [JsonPropertyName("digestAlgorithm")]
+    public string DigestAlgorithm { get; init; } = "sha256";
+
+    [JsonPropertyName("signature")]
+    public ForensicManifestSignature? Signature { get; init; }
+
+    [JsonPropertyName("artifacts")]
+    public IReadOnlyList<ForensicSnapshotArtifact> Artifacts { get; init; } =
+        Array.Empty<ForensicSnapshotArtifact>();
+
+    [JsonPropertyName("metadata")]
+    public ForensicManifestMetadata? Metadata { get; init; }
+}
+
+/// <summary>
+/// Signature information for the manifest.
+/// </summary>
+internal sealed class ForensicManifestSignature
+{
+    [JsonPropertyName("algorithm")]
+    public string Algorithm { get; init; } = string.Empty;
+
+    [JsonPropertyName("keyId")]
+    public string? KeyId { get; init; }
+
+    [JsonPropertyName("value")]
+    public string Value { get; init; } = string.Empty;
+
+    [JsonPropertyName("signedAt")]
+    public DateTimeOffset? SignedAt { get; init; }
+
+    [JsonPropertyName("certificate")]
+    public string? Certificate { get; init; }
+}
+
+/// <summary>
+/// Individual artifact in a forensic snapshot.
+/// </summary>
+internal sealed class ForensicSnapshotArtifact
+{
+    [JsonPropertyName("artifactId")]
+    public string ArtifactId { get; init; } = string.Empty;
+
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+
+    [JsonPropertyName("path")]
+    public string Path { get; init; } = string.Empty;
+
+    [JsonPropertyName("digest")]
+    public string Digest { get; init; } = string.Empty;
+
+    [JsonPropertyName("digestAlgorithm")]
+    public string DigestAlgorithm { get; init; } = "sha256";
+
+    [JsonPropertyName("sizeBytes")]
+    public long SizeBytes { get; init; }
+
+    [JsonPropertyName("mediaType")]
+    public string? MediaType { get; init; }
+
+    [JsonPropertyName("metadata")]
+    public Dictionary<string, string>? Metadata { get; init; }
+}
+
+/// <summary>
+/// Metadata for the forensic manifest.
+/// </summary>
+internal sealed class ForensicManifestMetadata
+{
+    [JsonPropertyName("capturedAt")]
+    public DateTimeOffset CapturedAt { get; init; }
+
+    [JsonPropertyName("capturedBy")]
+    public string? CapturedBy { get; init; }
+
+    [JsonPropertyName("toolVersion")]
+    public string? ToolVersion { get; init; }
+
+    [JsonPropertyName("stellaOpsVersion")]
+    public string? StellaOpsVersion { get; init; }
+
+    [JsonPropertyName("chainOfCustody")]
+    public IReadOnlyList<ForensicChainOfCustodyEntry> ChainOfCustody { get; init; } =
+        Array.Empty<ForensicChainOfCustodyEntry>();
+}
+
+/// <summary>
+/// Chain of custody entry.
+/// </summary>
+internal sealed class ForensicChainOfCustodyEntry
+{
+    [JsonPropertyName("action")]
+    public string Action { get; init; } = string.Empty;
+
+    [JsonPropertyName("actor")]
+    public string Actor { get; init; } = string.Empty;
+
+    [JsonPropertyName("timestamp")]
+    public DateTimeOffset Timestamp { get; init; }
+
+    [JsonPropertyName("notes")]
+    public string? Notes { get; init; }
+
+    [JsonPropertyName("signature")]
+    public string? Signature { get; init; }
+}
+
+/// <summary>
+/// Response for listing forensic snapshots.
+/// </summary>
+internal sealed class ForensicSnapshotListResponse
+{
+    [JsonPropertyName("snapshots")]
+    public IReadOnlyList<ForensicSnapshotDocument> Snapshots { get; init; } =
+        Array.Empty<ForensicSnapshotDocument>();
+
+    [JsonPropertyName("total")]
+    public int Total { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int Limit { get; init; }
+
+    [JsonPropertyName("offset")]
+    public int Offset { get; init; }
+
+    [JsonPropertyName("hasMore")]
+    public bool HasMore { get; init; }
+}
+
+/// <summary>
+/// Query parameters for listing forensic snapshots.
+/// </summary>
+internal sealed record ForensicSnapshotListQuery(
+    string Tenant,
+    string? CaseId = null,
+    string? Status = null,
+    IReadOnlyList<string>? Tags = null,
+    DateTimeOffset? CreatedAfter = null,
+    DateTimeOffset? CreatedBefore = null,
+    int? Limit = null,
+    int? Offset = null);
+
+/// <summary>
+/// Local cache metadata for forensic snapshots.
+/// </summary>
+internal sealed class ForensicSnapshotCacheEntry
+{
+    [JsonPropertyName("snapshotId")]
+    public string SnapshotId { get; init; } = string.Empty;
+
+    [JsonPropertyName("caseId")]
+    public string CaseId { get; init; } = string.Empty;
+
+    [JsonPropertyName("localPath")]
+    public string LocalPath { get; init; } = string.Empty;
+
+    [JsonPropertyName("manifestDigest")]
+    public string ManifestDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("downloadedAt")]
+    public DateTimeOffset DownloadedAt { get; init; }
+
+    [JsonPropertyName("verified")]
+    public bool Verified { get; init; }
+
+    [JsonPropertyName("sizeBytes")]
+    public long SizeBytes { get; init; }
+}
+
+/// <summary>
+/// Snapshot status enumeration.
+/// </summary>
+internal static class ForensicSnapshotStatus
+{
+    public const string Pending = "pending";
+    public const string Creating = "creating";
+    public const string Ready = "ready";
+    public const string Failed = "failed";
+    public const string Expired = "expired";
+    public const string Archived = "archived";
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/ForensicVerificationModels.cs b/src/Cli/StellaOps.Cli/Services/Models/ForensicVerificationModels.cs
new file mode 100644
index 000000000..f94124ae0
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/ForensicVerificationModels.cs
@@ -0,0 +1,347 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-FORENSICS-54-001: Forensic bundle verification models
+
+/// <summary>
+/// Represents a forensic bundle for local verification.
+/// </summary>
+internal sealed class ForensicBundle
+{
+    [JsonPropertyName("manifestPath")]
+    public string ManifestPath { get; init; } = string.Empty;
+
+    [JsonPropertyName("manifest")]
+    public ForensicSnapshotManifest? Manifest { get; init; }
+
+    [JsonPropertyName("artifacts")]
+    public IReadOnlyList<ForensicBundleArtifact> Artifacts { get; init; } = Array.Empty<ForensicBundleArtifact>();
+
+    [JsonPropertyName("dsseEnvelopes")]
+    public IReadOnlyList<ForensicDsseEnvelope> DsseEnvelopes { get; init; } = Array.Empty<ForensicDsseEnvelope>();
+}
+
+/// <summary>
+/// Artifact in a forensic bundle with local file reference.
+/// </summary>
+internal sealed class ForensicBundleArtifact
+{
+    [JsonPropertyName("artifactId")]
+    public string ArtifactId { get; init; } = string.Empty;
+
+    [JsonPropertyName("localPath")]
+    public string LocalPath { get; init; } = string.Empty;
+
+    [JsonPropertyName("expectedDigest")]
+    public string ExpectedDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("digestAlgorithm")]
+    public string DigestAlgorithm { get; init; } = "sha256";
+
+    [JsonPropertyName("sizeBytes")]
+    public long SizeBytes { get; init; }
+}
+
+/// <summary>
+/// DSSE envelope for signature verification.
+/// </summary>
+internal sealed class ForensicDsseEnvelope
+{
+    [JsonPropertyName("payloadType")]
+    public string PayloadType { get; init; } = string.Empty;
+
+    [JsonPropertyName("payload")]
+    public string Payload { get; init; } = string.Empty;
+
+    [JsonPropertyName("signatures")]
+    public IReadOnlyList<ForensicDsseSignature> Signatures { get; init; } = Array.Empty<ForensicDsseSignature>();
+}
+
+/// <summary>
+/// DSSE signature entry.
+/// </summary>
+internal sealed class ForensicDsseSignature
+{
+    [JsonPropertyName("keyid")]
+    public string KeyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("sig")]
+    public string Signature { get; init; } = string.Empty;
+}
+
+/// <summary>
+/// Result of forensic bundle verification.
+/// </summary>
+internal sealed class ForensicVerificationResult
+{
+    [JsonPropertyName("bundlePath")]
+    public string BundlePath { get; init; } = string.Empty;
+
+    [JsonPropertyName("isValid")]
+    public bool IsValid { get; init; }
+
+    [JsonPropertyName("verifiedAt")]
+    public DateTimeOffset VerifiedAt { get; init; } = DateTimeOffset.UtcNow;
+
+    [JsonPropertyName("manifestVerification")]
+    public ForensicManifestVerification? ManifestVerification { get; init; }
+
+    [JsonPropertyName("checksumVerification")]
+    public ForensicChecksumVerification? ChecksumVerification { get; init; }
+
+    [JsonPropertyName("signatureVerification")]
+    public ForensicSignatureVerification? SignatureVerification { get; init; }
+
+    [JsonPropertyName("chainOfCustodyVerification")]
+    public ForensicChainOfCustodyVerification? ChainOfCustodyVerification { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<ForensicVerificationError> Errors { get; init; } = Array.Empty<ForensicVerificationError>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Manifest verification result.
+/// </summary>
+internal sealed class ForensicManifestVerification
+{
+    [JsonPropertyName("isValid")]
+    public bool IsValid { get; init; }
+
+    [JsonPropertyName("manifestId")]
+    public string ManifestId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public string Version { get; init; } = string.Empty;
+
+    [JsonPropertyName("digest")]
+    public string Digest { get; init; } = string.Empty;
+
+    [JsonPropertyName("digestAlgorithm")]
+    public string DigestAlgorithm { get; init; } = string.Empty;
+
+    [JsonPropertyName("computedDigest")]
+    public string ComputedDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("artifactCount")]
+    public int ArtifactCount { get; init; }
+}
+
+/// <summary>
+/// Checksum verification result.
+/// </summary>
+internal sealed class ForensicChecksumVerification
+{
+    [JsonPropertyName("isValid")]
+    public bool IsValid { get; init; }
+
+    [JsonPropertyName("totalArtifacts")]
+    public int TotalArtifacts { get; init; }
+
+    [JsonPropertyName("verifiedArtifacts")]
+    public int VerifiedArtifacts { get; init; }
+
+    [JsonPropertyName("failedArtifacts")]
+    public IReadOnlyList<ForensicArtifactChecksumFailure> FailedArtifacts { get; init; } =
+        Array.Empty<ForensicArtifactChecksumFailure>();
+}
+
+/// <summary>
+/// Individual artifact checksum failure.
+/// </summary>
+internal sealed class ForensicArtifactChecksumFailure
+{
+    [JsonPropertyName("artifactId")]
+    public string ArtifactId { get; init; } = string.Empty;
+
+    [JsonPropertyName("path")]
+    public string Path { get; init; } = string.Empty;
+
+    [JsonPropertyName("expectedDigest")]
+    public string ExpectedDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("actualDigest")]
+    public string ActualDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("reason")]
+    public string Reason { get; init; } = string.Empty;
+}
+
+/// <summary>
+/// Signature verification result.
+/// </summary>
+internal sealed class ForensicSignatureVerification
+{
+    [JsonPropertyName("isValid")]
+    public bool IsValid { get; init; }
+
+    [JsonPropertyName("signatureCount")]
+    public int SignatureCount { get; init; }
+
+    [JsonPropertyName("verifiedSignatures")]
+    public int VerifiedSignatures { get; init; }
+
+    [JsonPropertyName("signatures")]
+    public IReadOnlyList<ForensicSignatureDetail> Signatures { get; init; } =
+        Array.Empty<ForensicSignatureDetail>();
+}
+
+/// <summary>
+/// Individual signature verification detail.
+/// </summary>
+internal sealed class ForensicSignatureDetail
+{
+    [JsonPropertyName("keyId")]
+    public string KeyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("algorithm")]
+    public string Algorithm { get; init; } = string.Empty;
+
+    [JsonPropertyName("isValid")]
+    public bool IsValid { get; init; }
+
+    [JsonPropertyName("isTrusted")]
+    public bool IsTrusted { get; init; }
+
+    [JsonPropertyName("signedAt")]
+    public DateTimeOffset? SignedAt { get; init; }
+
+    [JsonPropertyName("fingerprint")]
+    public string? Fingerprint { get; init; }
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+}
+
+/// <summary>
+/// Chain of custody verification result.
+/// </summary>
+internal sealed class ForensicChainOfCustodyVerification
+{
+    [JsonPropertyName("isValid")]
+    public bool IsValid { get; init; }
+
+    [JsonPropertyName("entryCount")]
+    public int EntryCount { get; init; }
+
+    [JsonPropertyName("timelineValid")]
+    public bool TimelineValid { get; init; }
+
+    [JsonPropertyName("signaturesValid")]
+    public bool SignaturesValid { get; init; }
+
+    [JsonPropertyName("entries")]
+    public IReadOnlyList<ForensicChainOfCustodyEntryVerification> Entries { get; init; } =
+        Array.Empty<ForensicChainOfCustodyEntryVerification>();
+
+    [JsonPropertyName("gaps")]
+    public IReadOnlyList<ForensicTimelineGap> Gaps { get; init; } = Array.Empty<ForensicTimelineGap>();
+}
+
+/// <summary>
+/// Individual chain of custody entry verification.
+/// </summary>
+internal sealed class ForensicChainOfCustodyEntryVerification
+{
+    [JsonPropertyName("index")]
+    public int Index { get; init; }
+
+    [JsonPropertyName("action")]
+    public string Action { get; init; } = string.Empty;
+
+    [JsonPropertyName("actor")]
+    public string Actor { get; init; } = string.Empty;
+
+    [JsonPropertyName("timestamp")]
+    public DateTimeOffset Timestamp { get; init; }
+
+    [JsonPropertyName("signatureValid")]
+    public bool? SignatureValid { get; init; }
+
+    [JsonPropertyName("notes")]
+    public string? Notes { get; init; }
+}
+
+/// <summary>
+/// Timeline gap in chain of custody.
+/// </summary>
+internal sealed class ForensicTimelineGap
+{
+    [JsonPropertyName("fromIndex")]
+    public int FromIndex { get; init; }
+
+    [JsonPropertyName("toIndex")]
+    public int ToIndex { get; init; }
+
+    [JsonPropertyName("fromTimestamp")]
+    public DateTimeOffset FromTimestamp { get; init; }
+
+    [JsonPropertyName("toTimestamp")]
+    public DateTimeOffset ToTimestamp { get; init; }
+
+    [JsonPropertyName("gapDuration")]
+    public TimeSpan GapDuration { get; init; }
+
+    [JsonPropertyName("description")]
+    public string Description { get; init; } = string.Empty;
+}
+
+/// <summary>
+/// Verification error detail.
+/// </summary>
+internal sealed class ForensicVerificationError
+{
+    [JsonPropertyName("code")]
+    public string Code { get; init; } = string.Empty;
+
+    [JsonPropertyName("message")]
+    public string Message { get; init; } = string.Empty;
+
+    [JsonPropertyName("detail")]
+    public string? Detail { get; init; }
+
+    [JsonPropertyName("artifactId")]
+    public string? ArtifactId { get; init; }
+}
+
+/// <summary>
+/// Trust root configuration for forensic verification.
+/// </summary>
+internal sealed class ForensicTrustRoot
+{
+    [JsonPropertyName("keyId")]
+    public string KeyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("fingerprint")]
+    public string Fingerprint { get; init; } = string.Empty;
+
+    [JsonPropertyName("publicKey")]
+    public string PublicKey { get; init; } = string.Empty;
+
+    [JsonPropertyName("algorithm")]
+    public string Algorithm { get; init; } = "rsa-pss-sha256";
+
+    [JsonPropertyName("notBefore")]
+    public DateTimeOffset? NotBefore { get; init; }
+
+    [JsonPropertyName("notAfter")]
+    public DateTimeOffset? NotAfter { get; init; }
+}
+
+/// <summary>
+/// Verification options for forensic bundle.
+/// </summary>
+internal sealed class ForensicVerificationOptions
+{
+    public bool VerifyChecksums { get; init; } = true;
+    public bool VerifySignatures { get; init; } = true;
+    public bool VerifyChainOfCustody { get; init; } = true;
+    public bool StrictTimeline { get; init; } = false;
+    public IReadOnlyList<ForensicTrustRoot> TrustRoots { get; init; } = Array.Empty<ForensicTrustRoot>();
+    public string? TrustRootPath { get; init; }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/NotifyModels.cs b/src/Cli/StellaOps.Cli/Services/Models/NotifyModels.cs
new file mode 100644
index 000000000..32ddd1a7c
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/NotifyModels.cs
@@ -0,0 +1,612 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-PARITY-41-002: Notify command models for CLI
+
+/// <summary>
+/// Notify channel types.
+/// </summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+internal enum NotifyChannelType
+{
+    Slack,
+    Teams,
+    Email,
+    Webhook,
+    Custom,
+    PagerDuty,
+    OpsGenie,
+    Cli,
+    InAppInbox,
+    InApp
+}
+
+/// <summary>
+/// Notify delivery status.
+/// </summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+internal enum NotifyDeliveryStatus
+{
+    Pending,
+    Sent,
+    Failed,
+    Throttled,
+    Digested,
+    Dropped
+}
+
+/// <summary>
+/// Notify channel list request.
+/// </summary>
+internal sealed class NotifyChannelListRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("type")]
+    public string? Type { get; init; }
+
+    [JsonPropertyName("enabled")]
+    public bool? Enabled { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int? Limit { get; init; }
+
+    [JsonPropertyName("offset")]
+    public int? Offset { get; init; }
+
+    [JsonPropertyName("cursor")]
+    public string? Cursor { get; init; }
+}
+
+/// <summary>
+/// Notify channel list response.
+/// </summary>
+internal sealed class NotifyChannelListResponse
+{
+    [JsonPropertyName("items")]
+    public IReadOnlyList<NotifyChannelSummary> Items { get; init; } = [];
+
+    [JsonPropertyName("total")]
+    public int Total { get; init; }
+
+    [JsonPropertyName("hasMore")]
+    public bool HasMore { get; init; }
+
+    [JsonPropertyName("nextCursor")]
+    public string? NextCursor { get; init; }
+}
+
+/// <summary>
+/// Notify channel summary for list view.
+/// </summary>
+internal sealed class NotifyChannelSummary
+{
+    [JsonPropertyName("channelId")]
+    public string ChannelId { get; init; } = string.Empty;
+
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("displayName")]
+    public string? DisplayName { get; init; }
+
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+
+    [JsonPropertyName("enabled")]
+    public bool Enabled { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("updatedAt")]
+    public DateTimeOffset UpdatedAt { get; init; }
+
+    [JsonPropertyName("deliveryCount")]
+    public int DeliveryCount { get; init; }
+
+    [JsonPropertyName("failureRate")]
+    public double? FailureRate { get; init; }
+}
+
+/// <summary>
+/// Detailed notify channel response.
+/// </summary>
+internal sealed class NotifyChannelDetail
+{
+    [JsonPropertyName("channelId")]
+    public string ChannelId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenantId")]
+    public string TenantId { get; init; } = string.Empty;
+
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("displayName")]
+    public string? DisplayName { get; init; }
+
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+
+    [JsonPropertyName("enabled")]
+    public bool Enabled { get; init; }
+
+    [JsonPropertyName("config")]
+    public NotifyChannelConfigInfo? Config { get; init; }
+
+    [JsonPropertyName("labels")]
+    public IReadOnlyDictionary<string, string>? Labels { get; init; }
+
+    [JsonPropertyName("metadata")]
+    public IReadOnlyDictionary<string, string>? Metadata { get; init; }
+
+    [JsonPropertyName("createdBy")]
+    public string? CreatedBy { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("updatedBy")]
+    public string? UpdatedBy { get; init; }
+
+    [JsonPropertyName("updatedAt")]
+    public DateTimeOffset UpdatedAt { get; init; }
+
+    [JsonPropertyName("stats")]
+    public NotifyChannelStats? Stats { get; init; }
+
+    [JsonPropertyName("health")]
+    public NotifyChannelHealth? Health { get; init; }
+}
+
+/// <summary>
+/// Notify channel configuration info (redacted secrets).
+/// </summary>
+internal sealed class NotifyChannelConfigInfo
+{
+    [JsonPropertyName("secretRef")]
+    public string SecretRef { get; init; } = string.Empty;
+
+    [JsonPropertyName("target")]
+    public string? Target { get; init; }
+
+    [JsonPropertyName("endpoint")]
+    public string? Endpoint { get; init; }
+
+    [JsonPropertyName("properties")]
+    public IReadOnlyDictionary<string, string>? Properties { get; init; }
+
+    [JsonPropertyName("limits")]
+    public NotifyChannelLimitsInfo? Limits { get; init; }
+}
+
+/// <summary>
+/// Notify channel limits.
+/// </summary>
+internal sealed class NotifyChannelLimitsInfo
+{
+    [JsonPropertyName("concurrency")]
+    public int? Concurrency { get; init; }
+
+    [JsonPropertyName("requestsPerMinute")]
+    public int? RequestsPerMinute { get; init; }
+
+    [JsonPropertyName("timeoutSeconds")]
+    public int? TimeoutSeconds { get; init; }
+
+    [JsonPropertyName("maxBatchSize")]
+    public int? MaxBatchSize { get; init; }
+}
+
+/// <summary>
+/// Notify channel statistics.
+/// </summary>
+internal sealed class NotifyChannelStats
+{
+    [JsonPropertyName("totalDeliveries")]
+    public long TotalDeliveries { get; init; }
+
+    [JsonPropertyName("successfulDeliveries")]
+    public long SuccessfulDeliveries { get; init; }
+
+    [JsonPropertyName("failedDeliveries")]
+    public long FailedDeliveries { get; init; }
+
+    [JsonPropertyName("throttledDeliveries")]
+    public long ThrottledDeliveries { get; init; }
+
+    [JsonPropertyName("lastDeliveryAt")]
+    public DateTimeOffset? LastDeliveryAt { get; init; }
+
+    [JsonPropertyName("avgLatencyMs")]
+    public double? AvgLatencyMs { get; init; }
+}
+
+/// <summary>
+/// Notify channel health status.
+/// </summary>
+internal sealed class NotifyChannelHealth
+{
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = string.Empty;
+
+    [JsonPropertyName("lastCheckAt")]
+    public DateTimeOffset? LastCheckAt { get; init; }
+
+    [JsonPropertyName("consecutiveFailures")]
+    public int ConsecutiveFailures { get; init; }
+
+    [JsonPropertyName("errorMessage")]
+    public string? ErrorMessage { get; init; }
+}
+
+/// <summary>
+/// Channel test request.
+/// </summary>
+internal sealed class NotifyChannelTestRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("channelId")]
+    public string ChannelId { get; init; } = string.Empty;
+
+    [JsonPropertyName("message")]
+    public string? Message { get; init; }
+}
+
+/// <summary>
+/// Channel test result.
+/// </summary>
+internal sealed class NotifyChannelTestResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("channelId")]
+    public string ChannelId { get; init; } = string.Empty;
+
+    [JsonPropertyName("latencyMs")]
+    public long? LatencyMs { get; init; }
+
+    [JsonPropertyName("responseCode")]
+    public int? ResponseCode { get; init; }
+
+    [JsonPropertyName("errorMessage")]
+    public string? ErrorMessage { get; init; }
+
+    [JsonPropertyName("deliveryId")]
+    public string? DeliveryId { get; init; }
+}
+
+/// <summary>
+/// Notify rule list request.
+/// </summary>
+internal sealed class NotifyRuleListRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("enabled")]
+    public bool? Enabled { get; init; }
+
+    [JsonPropertyName("eventType")]
+    public string? EventType { get; init; }
+
+    [JsonPropertyName("channelId")]
+    public string? ChannelId { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int? Limit { get; init; }
+
+    [JsonPropertyName("offset")]
+    public int? Offset { get; init; }
+}
+
+/// <summary>
+/// Notify rule list response.
+/// </summary>
+internal sealed class NotifyRuleListResponse
+{
+    [JsonPropertyName("items")]
+    public IReadOnlyList<NotifyRuleSummary> Items { get; init; } = [];
+
+    [JsonPropertyName("total")]
+    public int Total { get; init; }
+
+    [JsonPropertyName("hasMore")]
+    public bool HasMore { get; init; }
+}
+
+/// <summary>
+/// Notify rule summary.
+/// </summary>
+internal sealed class NotifyRuleSummary
+{
+    [JsonPropertyName("ruleId")]
+    public string RuleId { get; init; } = string.Empty;
+
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+
+    [JsonPropertyName("enabled")]
+    public bool Enabled { get; init; }
+
+    [JsonPropertyName("eventTypes")]
+    public IReadOnlyList<string> EventTypes { get; init; } = [];
+
+    [JsonPropertyName("channelIds")]
+    public IReadOnlyList<string> ChannelIds { get; init; } = [];
+
+    [JsonPropertyName("priority")]
+    public int Priority { get; init; }
+
+    [JsonPropertyName("matchCount")]
+    public long MatchCount { get; init; }
+}
+
+/// <summary>
+/// Notify delivery list request.
+/// </summary>
+internal sealed class NotifyDeliveryListRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("channelId")]
+    public string? ChannelId { get; init; }
+
+    [JsonPropertyName("status")]
+    public string? Status { get; init; }
+
+    [JsonPropertyName("eventType")]
+    public string? EventType { get; init; }
+
+    [JsonPropertyName("since")]
+    public DateTimeOffset? Since { get; init; }
+
+    [JsonPropertyName("until")]
+    public DateTimeOffset? Until { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int? Limit { get; init; }
+
+    [JsonPropertyName("cursor")]
+    public string? Cursor { get; init; }
+}
+
+/// <summary>
+/// Notify delivery list response.
+/// </summary>
+internal sealed class NotifyDeliveryListResponse
+{
+    [JsonPropertyName("items")]
+    public IReadOnlyList<NotifyDeliverySummary> Items { get; init; } = [];
+
+    [JsonPropertyName("total")]
+    public int Total { get; init; }
+
+    [JsonPropertyName("hasMore")]
+    public bool HasMore { get; init; }
+
+    [JsonPropertyName("nextCursor")]
+    public string? NextCursor { get; init; }
+}
+
+/// <summary>
+/// Notify delivery summary.
+/// </summary>
+internal sealed class NotifyDeliverySummary
+{
+    [JsonPropertyName("deliveryId")]
+    public string DeliveryId { get; init; } = string.Empty;
+
+    [JsonPropertyName("channelId")]
+    public string ChannelId { get; init; } = string.Empty;
+
+    [JsonPropertyName("channelName")]
+    public string? ChannelName { get; init; }
+
+    [JsonPropertyName("channelType")]
+    public string ChannelType { get; init; } = string.Empty;
+
+    [JsonPropertyName("eventType")]
+    public string EventType { get; init; } = string.Empty;
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = string.Empty;
+
+    [JsonPropertyName("attemptCount")]
+    public int AttemptCount { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("sentAt")]
+    public DateTimeOffset? SentAt { get; init; }
+
+    [JsonPropertyName("latencyMs")]
+    public long? LatencyMs { get; init; }
+}
+
+/// <summary>
+/// Notify delivery detail.
+/// </summary>
+internal sealed class NotifyDeliveryDetail
+{
+    [JsonPropertyName("deliveryId")]
+    public string DeliveryId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenantId")]
+    public string TenantId { get; init; } = string.Empty;
+
+    [JsonPropertyName("channelId")]
+    public string ChannelId { get; init; } = string.Empty;
+
+    [JsonPropertyName("channelName")]
+    public string? ChannelName { get; init; }
+
+    [JsonPropertyName("channelType")]
+    public string ChannelType { get; init; } = string.Empty;
+
+    [JsonPropertyName("ruleId")]
+    public string? RuleId { get; init; }
+
+    [JsonPropertyName("eventId")]
+    public string? EventId { get; init; }
+
+    [JsonPropertyName("eventType")]
+    public string EventType { get; init; } = string.Empty;
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = string.Empty;
+
+    [JsonPropertyName("subject")]
+    public string? Subject { get; init; }
+
+    [JsonPropertyName("attemptCount")]
+    public int AttemptCount { get; init; }
+
+    [JsonPropertyName("attempts")]
+    public IReadOnlyList<NotifyDeliveryAttempt>? Attempts { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("sentAt")]
+    public DateTimeOffset? SentAt { get; init; }
+
+    [JsonPropertyName("failedAt")]
+    public DateTimeOffset? FailedAt { get; init; }
+
+    [JsonPropertyName("errorMessage")]
+    public string? ErrorMessage { get; init; }
+
+    [JsonPropertyName("idempotencyKey")]
+    public string? IdempotencyKey { get; init; }
+}
+
+/// <summary>
+/// Notify delivery attempt.
+/// </summary>
+internal sealed class NotifyDeliveryAttempt
+{
+    [JsonPropertyName("attemptNumber")]
+    public int AttemptNumber { get; init; }
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = string.Empty;
+
+    [JsonPropertyName("attemptedAt")]
+    public DateTimeOffset AttemptedAt { get; init; }
+
+    [JsonPropertyName("latencyMs")]
+    public long? LatencyMs { get; init; }
+
+    [JsonPropertyName("responseCode")]
+    public int? ResponseCode { get; init; }
+
+    [JsonPropertyName("errorMessage")]
+    public string? ErrorMessage { get; init; }
+}
+
+/// <summary>
+/// Retry delivery request.
+/// </summary>
+internal sealed class NotifyRetryRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("deliveryId")]
+    public string DeliveryId { get; init; } = string.Empty;
+
+    [JsonPropertyName("idempotencyKey")]
+    public string? IdempotencyKey { get; init; }
+}
+
+/// <summary>
+/// Retry delivery result.
+/// </summary>
+internal sealed class NotifyRetryResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("deliveryId")]
+    public string DeliveryId { get; init; } = string.Empty;
+
+    [JsonPropertyName("newStatus")]
+    public string? NewStatus { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+
+    [JsonPropertyName("auditEventId")]
+    public string? AuditEventId { get; init; }
+}
+
+/// <summary>
+/// Send notification request.
+/// </summary>
+internal sealed class NotifySendRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("channelId")]
+    public string? ChannelId { get; init; }
+
+    [JsonPropertyName("eventType")]
+    public string EventType { get; init; } = string.Empty;
+
+    [JsonPropertyName("subject")]
+    public string? Subject { get; init; }
+
+    [JsonPropertyName("body")]
+    public string Body { get; init; } = string.Empty;
+
+    [JsonPropertyName("severity")]
+    public string? Severity { get; init; }
+
+    [JsonPropertyName("metadata")]
+    public IReadOnlyDictionary<string, string>? Metadata { get; init; }
+
+    [JsonPropertyName("idempotencyKey")]
+    public string? IdempotencyKey { get; init; }
+}
+
+/// <summary>
+/// Send notification result.
+/// </summary>
+internal sealed class NotifySendResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("eventId")]
+    public string? EventId { get; init; }
+
+    [JsonPropertyName("deliveryIds")]
+    public IReadOnlyList<string>? DeliveryIds { get; init; }
+
+    [JsonPropertyName("channelsMatched")]
+    public int ChannelsMatched { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+
+    [JsonPropertyName("idempotencyKey")]
+    public string? IdempotencyKey { get; init; }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/ObservabilityModels.cs b/src/Cli/StellaOps.Cli/Services/Models/ObservabilityModels.cs
new file mode 100644
index 000000000..11c78d6c9
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/ObservabilityModels.cs
@@ -0,0 +1,542 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-OBS-51-001: Observability models for stella obs commands
+
+/// <summary>
+/// Service health status from the platform.
+/// </summary>
+internal sealed class ServiceHealthStatus
+{
+    [JsonPropertyName("service")]
+    public string Service { get; init; } = string.Empty;
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = "unknown"; // healthy, degraded, unhealthy, unknown
+
+    [JsonPropertyName("availability")]
+    public double Availability { get; init; }
+
+    [JsonPropertyName("sloTarget")]
+    public double SloTarget { get; init; } = 0.999;
+
+    [JsonPropertyName("errorBudgetRemaining")]
+    public double ErrorBudgetRemaining { get; init; }
+
+    [JsonPropertyName("burnRate")]
+    public BurnRateInfo? BurnRate { get; init; }
+
+    [JsonPropertyName("latency")]
+    public LatencyInfo? Latency { get; init; }
+
+    [JsonPropertyName("traffic")]
+    public TrafficInfo? Traffic { get; init; }
+
+    [JsonPropertyName("queues")]
+    public IReadOnlyList<QueueHealth> Queues { get; init; } = Array.Empty<QueueHealth>();
+
+    [JsonPropertyName("lastUpdated")]
+    public DateTimeOffset LastUpdated { get; init; } = DateTimeOffset.UtcNow;
+}
+
+/// <summary>
+/// Burn rate alert information.
+/// </summary>
+internal sealed class BurnRateInfo
+{
+    [JsonPropertyName("current")]
+    public double Current { get; init; }
+
+    [JsonPropertyName("shortWindow")]
+    public double ShortWindow { get; init; } // 5m or 1h window
+
+    [JsonPropertyName("longWindow")]
+    public double LongWindow { get; init; } // 6h or 3d window
+
+    [JsonPropertyName("alertLevel")]
+    public string AlertLevel { get; init; } = "none"; // none, warning, critical
+
+    [JsonPropertyName("threshold2x")]
+    public double Threshold2x { get; init; } = 2.0;
+
+    [JsonPropertyName("threshold14x")]
+    public double Threshold14x { get; init; } = 14.0;
+}
+
+/// <summary>
+/// Latency percentile information.
+/// </summary>
+internal sealed class LatencyInfo
+{
+    [JsonPropertyName("p50")]
+    public double P50Ms { get; init; }
+
+    [JsonPropertyName("p95")]
+    public double P95Ms { get; init; }
+
+    [JsonPropertyName("p99")]
+    public double P99Ms { get; init; }
+
+    [JsonPropertyName("p95Target")]
+    public double P95TargetMs { get; init; } = 300;
+
+    [JsonPropertyName("breaching")]
+    public bool Breaching { get; init; }
+}
+
+/// <summary>
+/// Traffic/throughput information.
+/// </summary>
+internal sealed class TrafficInfo
+{
+    [JsonPropertyName("requestsPerSecond")]
+    public double RequestsPerSecond { get; init; }
+
+    [JsonPropertyName("successRate")]
+    public double SuccessRate { get; init; }
+
+    [JsonPropertyName("errorRate")]
+    public double ErrorRate { get; init; }
+
+    [JsonPropertyName("totalRequests")]
+    public long TotalRequests { get; init; }
+
+    [JsonPropertyName("totalErrors")]
+    public long TotalErrors { get; init; }
+}
+
+/// <summary>
+/// Queue health information.
+/// </summary>
+internal sealed class QueueHealth
+{
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("depth")]
+    public long Depth { get; init; }
+
+    [JsonPropertyName("depthThreshold")]
+    public long DepthThreshold { get; init; } = 1000;
+
+    [JsonPropertyName("oldestMessageAge")]
+    public TimeSpan OldestMessageAge { get; init; }
+
+    [JsonPropertyName("throughput")]
+    public double Throughput { get; init; }
+
+    [JsonPropertyName("successRate")]
+    public double SuccessRate { get; init; }
+
+    [JsonPropertyName("alerting")]
+    public bool Alerting { get; init; }
+}
+
+/// <summary>
+/// Platform-wide health summary.
+/// </summary>
+internal sealed class PlatformHealthSummary
+{
+    [JsonPropertyName("overallStatus")]
+    public string OverallStatus { get; init; } = "unknown";
+
+    [JsonPropertyName("services")]
+    public IReadOnlyList<ServiceHealthStatus> Services { get; init; } = Array.Empty<ServiceHealthStatus>();
+
+    [JsonPropertyName("activeAlerts")]
+    public IReadOnlyList<ActiveAlert> ActiveAlerts { get; init; } = Array.Empty<ActiveAlert>();
+
+    [JsonPropertyName("globalErrorBudget")]
+    public double GlobalErrorBudget { get; init; }
+
+    [JsonPropertyName("timestamp")]
+    public DateTimeOffset Timestamp { get; init; } = DateTimeOffset.UtcNow;
+}
+
+/// <summary>
+/// Active alert information.
+/// </summary>
+internal sealed class ActiveAlert
+{
+    [JsonPropertyName("id")]
+    public string Id { get; init; } = string.Empty;
+
+    [JsonPropertyName("service")]
+    public string Service { get; init; } = string.Empty;
+
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty; // burn_rate, latency, error_rate, queue_depth
+
+    [JsonPropertyName("severity")]
+    public string Severity { get; init; } = "warning"; // warning, critical
+
+    [JsonPropertyName("message")]
+    public string Message { get; init; } = string.Empty;
+
+    [JsonPropertyName("startedAt")]
+    public DateTimeOffset StartedAt { get; init; }
+
+    [JsonPropertyName("value")]
+    public double Value { get; init; }
+
+    [JsonPropertyName("threshold")]
+    public double Threshold { get; init; }
+}
+
+/// <summary>
+/// Request for obs top command.
+/// </summary>
+internal sealed class ObsTopRequest
+{
+    /// <summary>
+    /// Filter by service names.
+    /// </summary>
+    [JsonPropertyName("services")]
+    public IReadOnlyList<string> Services { get; init; } = Array.Empty<string>();
+
+    /// <summary>
+    /// Filter by tenant.
+    /// </summary>
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    /// <summary>
+    /// Include queue details.
+    /// </summary>
+    [JsonPropertyName("includeQueues")]
+    public bool IncludeQueues { get; init; } = true;
+
+    /// <summary>
+    /// Refresh interval in seconds for streaming mode (0 = single fetch).
+    /// </summary>
+    [JsonPropertyName("refreshInterval")]
+    public int RefreshInterval { get; init; }
+
+    /// <summary>
+    /// Maximum alerts to return.
+    /// </summary>
+    [JsonPropertyName("maxAlerts")]
+    public int MaxAlerts { get; init; } = 20;
+}
+
+/// <summary>
+/// Result of obs top command.
+/// </summary>
+internal sealed class ObsTopResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("summary")]
+    public PlatformHealthSummary? Summary { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
+
+// CLI-OBS-52-001: Trace and logs models
+
+/// <summary>
+/// Request for fetching a trace by ID.
+/// </summary>
+internal sealed class ObsTraceRequest
+{
+    [JsonPropertyName("traceId")]
+    public string TraceId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("includeEvidence")]
+    public bool IncludeEvidence { get; init; } = true;
+}
+
+/// <summary>
+/// Distributed trace with spans.
+/// </summary>
+internal sealed class DistributedTrace
+{
+    [JsonPropertyName("traceId")]
+    public string TraceId { get; init; } = string.Empty;
+
+    [JsonPropertyName("rootSpan")]
+    public TraceSpan? RootSpan { get; init; }
+
+    [JsonPropertyName("spans")]
+    public IReadOnlyList<TraceSpan> Spans { get; init; } = Array.Empty<TraceSpan>();
+
+    [JsonPropertyName("services")]
+    public IReadOnlyList<string> Services { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("duration")]
+    public TimeSpan Duration { get; init; }
+
+    [JsonPropertyName("startTime")]
+    public DateTimeOffset StartTime { get; init; }
+
+    [JsonPropertyName("endTime")]
+    public DateTimeOffset EndTime { get; init; }
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = "ok"; // ok, error
+
+    [JsonPropertyName("evidenceLinks")]
+    public IReadOnlyList<EvidenceLink> EvidenceLinks { get; init; } = Array.Empty<EvidenceLink>();
+}
+
+/// <summary>
+/// Individual span within a trace.
+/// </summary>
+internal sealed class TraceSpan
+{
+    [JsonPropertyName("spanId")]
+    public string SpanId { get; init; } = string.Empty;
+
+    [JsonPropertyName("parentSpanId")]
+    public string? ParentSpanId { get; init; }
+
+    [JsonPropertyName("operationName")]
+    public string OperationName { get; init; } = string.Empty;
+
+    [JsonPropertyName("serviceName")]
+    public string ServiceName { get; init; } = string.Empty;
+
+    [JsonPropertyName("startTime")]
+    public DateTimeOffset StartTime { get; init; }
+
+    [JsonPropertyName("duration")]
+    public TimeSpan Duration { get; init; }
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = "ok"; // ok, error
+
+    [JsonPropertyName("tags")]
+    public IReadOnlyDictionary<string, string> Tags { get; init; } = new Dictionary<string, string>();
+
+    [JsonPropertyName("logs")]
+    public IReadOnlyList<SpanLog> Logs { get; init; } = Array.Empty<SpanLog>();
+}
+
+/// <summary>
+/// Log entry within a span.
+/// </summary>
+internal sealed class SpanLog
+{
+    [JsonPropertyName("timestamp")]
+    public DateTimeOffset Timestamp { get; init; }
+
+    [JsonPropertyName("message")]
+    public string Message { get; init; } = string.Empty;
+
+    [JsonPropertyName("level")]
+    public string Level { get; init; } = "info"; // debug, info, warn, error
+
+    [JsonPropertyName("fields")]
+    public IReadOnlyDictionary<string, string> Fields { get; init; } = new Dictionary<string, string>();
+}
+
+/// <summary>
+/// Link to evidence artifact (SBOM, VEX, attestation, etc.).
+/// </summary>
+internal sealed class EvidenceLink
+{
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty; // sbom, vex, attestation, scan_result
+
+    [JsonPropertyName("uri")]
+    public string Uri { get; init; } = string.Empty;
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("timestamp")]
+    public DateTimeOffset Timestamp { get; init; }
+}
+
+/// <summary>
+/// Result of fetching a trace.
+/// </summary>
+internal sealed class ObsTraceResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("trace")]
+    public DistributedTrace? Trace { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Request for fetching logs.
+/// </summary>
+internal sealed class ObsLogsRequest
+{
+    [JsonPropertyName("from")]
+    public DateTimeOffset From { get; init; }
+
+    [JsonPropertyName("to")]
+    public DateTimeOffset To { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("services")]
+    public IReadOnlyList<string> Services { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("levels")]
+    public IReadOnlyList<string> Levels { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("query")]
+    public string? Query { get; init; }
+
+    [JsonPropertyName("pageSize")]
+    public int PageSize { get; init; } = 100;
+
+    [JsonPropertyName("pageToken")]
+    public string? PageToken { get; init; }
+}
+
+/// <summary>
+/// Log entry from the platform.
+/// </summary>
+internal sealed class LogEntry
+{
+    [JsonPropertyName("id")]
+    public string Id { get; init; } = string.Empty;
+
+    [JsonPropertyName("timestamp")]
+    public DateTimeOffset Timestamp { get; init; }
+
+    [JsonPropertyName("level")]
+    public string Level { get; init; } = "info";
+
+    [JsonPropertyName("service")]
+    public string Service { get; init; } = string.Empty;
+
+    [JsonPropertyName("message")]
+    public string Message { get; init; } = string.Empty;
+
+    [JsonPropertyName("traceId")]
+    public string? TraceId { get; init; }
+
+    [JsonPropertyName("spanId")]
+    public string? SpanId { get; init; }
+
+    [JsonPropertyName("fields")]
+    public IReadOnlyDictionary<string, string> Fields { get; init; } = new Dictionary<string, string>();
+
+    [JsonPropertyName("evidenceLinks")]
+    public IReadOnlyList<EvidenceLink> EvidenceLinks { get; init; } = Array.Empty<EvidenceLink>();
+}
+
+/// <summary>
+/// Result of fetching logs.
+/// </summary>
+internal sealed class ObsLogsResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("logs")]
+    public IReadOnlyList<LogEntry> Logs { get; init; } = Array.Empty<LogEntry>();
+
+    [JsonPropertyName("nextPageToken")]
+    public string? NextPageToken { get; init; }
+
+    [JsonPropertyName("totalCount")]
+    public long? TotalCount { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+// CLI-OBS-55-001: Incident mode models
+
+/// <summary>
+/// Incident mode state.
+/// </summary>
+internal sealed class IncidentModeState
+{
+    [JsonPropertyName("enabled")]
+    public bool Enabled { get; init; }
+
+    [JsonPropertyName("setAt")]
+    public DateTimeOffset? SetAt { get; init; }
+
+    [JsonPropertyName("expiresAt")]
+    public DateTimeOffset? ExpiresAt { get; init; }
+
+    [JsonPropertyName("actor")]
+    public string? Actor { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("retentionExtensionDays")]
+    public int RetentionExtensionDays { get; init; } = 60;
+
+    [JsonPropertyName("source")]
+    public string Source { get; init; } = "cli"; // cli, config, api
+}
+
+/// <summary>
+/// Request to enable incident mode.
+/// </summary>
+internal sealed class IncidentModeEnableRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("ttlMinutes")]
+    public int TtlMinutes { get; init; } = 30;
+
+    [JsonPropertyName("retentionExtensionDays")]
+    public int RetentionExtensionDays { get; init; } = 60;
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+}
+
+/// <summary>
+/// Request to disable incident mode.
+/// </summary>
+internal sealed class IncidentModeDisableRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+}
+
+/// <summary>
+/// Result of incident mode operation.
+/// </summary>
+internal sealed class IncidentModeResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("state")]
+    public IncidentModeState? State { get; init; }
+
+    [JsonPropertyName("previousState")]
+    public IncidentModeState? PreviousState { get; init; }
+
+    [JsonPropertyName("auditEventId")]
+    public string? AuditEventId { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/OrchestratorModels.cs b/src/Cli/StellaOps.Cli/Services/Models/OrchestratorModels.cs
new file mode 100644
index 000000000..a721f14f3
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/OrchestratorModels.cs
@@ -0,0 +1,671 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-ORCH-32-001: Orchestrator source and job models for stella orch commands
+
+/// <summary>
+/// Source status values.
+/// </summary>
+internal static class SourceStatuses
+{
+    public const string Active = "active";
+    public const string Paused = "paused";
+    public const string Disabled = "disabled";
+    public const string Throttled = "throttled";
+    public const string Error = "error";
+}
+
+/// <summary>
+/// Source type values representing data feed categories.
+/// </summary>
+internal static class SourceTypes
+{
+    public const string Advisory = "advisory";
+    public const string Vex = "vex";
+    public const string Sbom = "sbom";
+    public const string Package = "package";
+    public const string Registry = "registry";
+    public const string Custom = "custom";
+}
+
+/// <summary>
+/// Orchestrator source definition representing a data feed.
+/// </summary>
+internal sealed class OrchestratorSource
+{
+    [JsonPropertyName("id")]
+    public string Id { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = SourceTypes.Advisory;
+
+    [JsonPropertyName("host")]
+    public string Host { get; init; } = string.Empty;
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = SourceStatuses.Active;
+
+    [JsonPropertyName("enabled")]
+    public bool Enabled { get; init; } = true;
+
+    [JsonPropertyName("priority")]
+    public int Priority { get; init; }
+
+    [JsonPropertyName("schedule")]
+    public SourceSchedule? Schedule { get; init; }
+
+    [JsonPropertyName("rateLimit")]
+    public SourceRateLimit? RateLimit { get; init; }
+
+    [JsonPropertyName("lastRun")]
+    public SourceLastRun? LastRun { get; init; }
+
+    [JsonPropertyName("metrics")]
+    public SourceMetrics? Metrics { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("updatedAt")]
+    public DateTimeOffset UpdatedAt { get; init; }
+
+    [JsonPropertyName("pausedAt")]
+    public DateTimeOffset? PausedAt { get; init; }
+
+    [JsonPropertyName("pausedBy")]
+    public string? PausedBy { get; init; }
+
+    [JsonPropertyName("pauseReason")]
+    public string? PauseReason { get; init; }
+
+    [JsonPropertyName("tags")]
+    public IReadOnlyList<string> Tags { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("metadata")]
+    public IReadOnlyDictionary<string, string>? Metadata { get; init; }
+}
+
+/// <summary>
+/// Source schedule configuration.
+/// </summary>
+internal sealed class SourceSchedule
+{
+    [JsonPropertyName("cron")]
+    public string? Cron { get; init; }
+
+    [JsonPropertyName("intervalMinutes")]
+    public int? IntervalMinutes { get; init; }
+
+    [JsonPropertyName("nextRunAt")]
+    public DateTimeOffset? NextRunAt { get; init; }
+
+    [JsonPropertyName("timezone")]
+    public string Timezone { get; init; } = "UTC";
+}
+
+/// <summary>
+/// Source rate limit configuration.
+/// </summary>
+internal sealed class SourceRateLimit
+{
+    [JsonPropertyName("maxRequestsPerMinute")]
+    public int MaxRequestsPerMinute { get; init; }
+
+    [JsonPropertyName("maxRequestsPerHour")]
+    public int? MaxRequestsPerHour { get; init; }
+
+    [JsonPropertyName("burstSize")]
+    public int BurstSize { get; init; } = 1;
+
+    [JsonPropertyName("currentTokens")]
+    public double? CurrentTokens { get; init; }
+
+    [JsonPropertyName("refillRatePerSecond")]
+    public double? RefillRatePerSecond { get; init; }
+
+    [JsonPropertyName("throttledUntil")]
+    public DateTimeOffset? ThrottledUntil { get; init; }
+}
+
+/// <summary>
+/// Source last run information.
+/// </summary>
+internal sealed class SourceLastRun
+{
+    [JsonPropertyName("runId")]
+    public string? RunId { get; init; }
+
+    [JsonPropertyName("startedAt")]
+    public DateTimeOffset? StartedAt { get; init; }
+
+    [JsonPropertyName("completedAt")]
+    public DateTimeOffset? CompletedAt { get; init; }
+
+    [JsonPropertyName("status")]
+    public string? Status { get; init; }
+
+    [JsonPropertyName("itemsProcessed")]
+    public long? ItemsProcessed { get; init; }
+
+    [JsonPropertyName("itemsFailed")]
+    public long? ItemsFailed { get; init; }
+
+    [JsonPropertyName("errorMessage")]
+    public string? ErrorMessage { get; init; }
+
+    [JsonPropertyName("durationMs")]
+    public long? DurationMs { get; init; }
+}
+
+/// <summary>
+/// Source metrics summary.
+/// </summary>
+internal sealed class SourceMetrics
+{
+    [JsonPropertyName("totalRuns")]
+    public long TotalRuns { get; init; }
+
+    [JsonPropertyName("successfulRuns")]
+    public long SuccessfulRuns { get; init; }
+
+    [JsonPropertyName("failedRuns")]
+    public long FailedRuns { get; init; }
+
+    [JsonPropertyName("averageDurationMs")]
+    public double? AverageDurationMs { get; init; }
+
+    [JsonPropertyName("totalItemsProcessed")]
+    public long TotalItemsProcessed { get; init; }
+
+    [JsonPropertyName("totalItemsFailed")]
+    public long TotalItemsFailed { get; init; }
+
+    [JsonPropertyName("lastSuccessAt")]
+    public DateTimeOffset? LastSuccessAt { get; init; }
+
+    [JsonPropertyName("lastFailureAt")]
+    public DateTimeOffset? LastFailureAt { get; init; }
+
+    [JsonPropertyName("uptimePercent")]
+    public double? UptimePercent { get; init; }
+}
+
+/// <summary>
+/// Request to list sources.
+/// </summary>
+internal sealed class SourceListRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("type")]
+    public string? Type { get; init; }
+
+    [JsonPropertyName("status")]
+    public string? Status { get; init; }
+
+    [JsonPropertyName("enabled")]
+    public bool? Enabled { get; init; }
+
+    [JsonPropertyName("host")]
+    public string? Host { get; init; }
+
+    [JsonPropertyName("tag")]
+    public string? Tag { get; init; }
+
+    [JsonPropertyName("pageSize")]
+    public int PageSize { get; init; } = 50;
+
+    [JsonPropertyName("pageToken")]
+    public string? PageToken { get; init; }
+}
+
+/// <summary>
+/// Response from listing sources.
+/// </summary>
+internal sealed class SourceListResponse
+{
+    [JsonPropertyName("sources")]
+    public IReadOnlyList<OrchestratorSource> Sources { get; init; } = Array.Empty<OrchestratorSource>();
+
+    [JsonPropertyName("nextPageToken")]
+    public string? NextPageToken { get; init; }
+
+    [JsonPropertyName("totalCount")]
+    public long? TotalCount { get; init; }
+}
+
+/// <summary>
+/// Request to pause a source.
+/// </summary>
+internal sealed class SourcePauseRequest
+{
+    [JsonPropertyName("sourceId")]
+    public string SourceId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+
+    [JsonPropertyName("durationMinutes")]
+    public int? DurationMinutes { get; init; }
+}
+
+/// <summary>
+/// Request to resume a source.
+/// </summary>
+internal sealed class SourceResumeRequest
+{
+    [JsonPropertyName("sourceId")]
+    public string SourceId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+}
+
+/// <summary>
+/// Request to test a source connection.
+/// </summary>
+internal sealed class SourceTestRequest
+{
+    [JsonPropertyName("sourceId")]
+    public string SourceId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("timeout")]
+    public int TimeoutSeconds { get; init; } = 30;
+}
+
+/// <summary>
+/// Result of source operation.
+/// </summary>
+internal sealed class SourceOperationResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("source")]
+    public OrchestratorSource? Source { get; init; }
+
+    [JsonPropertyName("auditEventId")]
+    public string? AuditEventId { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Result of source test operation.
+/// </summary>
+internal sealed class SourceTestResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("sourceId")]
+    public string SourceId { get; init; } = string.Empty;
+
+    [JsonPropertyName("reachable")]
+    public bool Reachable { get; init; }
+
+    [JsonPropertyName("latencyMs")]
+    public long? LatencyMs { get; init; }
+
+    [JsonPropertyName("statusCode")]
+    public int? StatusCode { get; init; }
+
+    [JsonPropertyName("errorMessage")]
+    public string? ErrorMessage { get; init; }
+
+    [JsonPropertyName("tlsValid")]
+    public bool? TlsValid { get; init; }
+
+    [JsonPropertyName("tlsExpiry")]
+    public DateTimeOffset? TlsExpiry { get; init; }
+
+    [JsonPropertyName("testedAt")]
+    public DateTimeOffset TestedAt { get; init; }
+}
+
+// CLI-ORCH-34-001: Backfill wizard and quota management models
+
+/// <summary>
+/// Request to start a backfill operation for a source.
+/// </summary>
+internal sealed class BackfillRequest
+{
+    [JsonPropertyName("sourceId")]
+    public string SourceId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("from")]
+    public DateTimeOffset From { get; init; }
+
+    [JsonPropertyName("to")]
+    public DateTimeOffset To { get; init; }
+
+    [JsonPropertyName("dryRun")]
+    public bool DryRun { get; init; }
+
+    [JsonPropertyName("priority")]
+    public int Priority { get; init; } = 5;
+
+    [JsonPropertyName("concurrency")]
+    public int Concurrency { get; init; } = 1;
+
+    [JsonPropertyName("batchSize")]
+    public int BatchSize { get; init; } = 100;
+
+    [JsonPropertyName("resume")]
+    public bool Resume { get; init; }
+
+    [JsonPropertyName("filter")]
+    public string? Filter { get; init; }
+
+    [JsonPropertyName("force")]
+    public bool Force { get; init; }
+}
+
+/// <summary>
+/// Result of a backfill operation.
+/// </summary>
+internal sealed class BackfillResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("backfillId")]
+    public string? BackfillId { get; init; }
+
+    [JsonPropertyName("sourceId")]
+    public string SourceId { get; init; } = string.Empty;
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = string.Empty;
+
+    [JsonPropertyName("from")]
+    public DateTimeOffset From { get; init; }
+
+    [JsonPropertyName("to")]
+    public DateTimeOffset To { get; init; }
+
+    [JsonPropertyName("dryRun")]
+    public bool DryRun { get; init; }
+
+    [JsonPropertyName("estimatedItems")]
+    public long? EstimatedItems { get; init; }
+
+    [JsonPropertyName("processedItems")]
+    public long ProcessedItems { get; init; }
+
+    [JsonPropertyName("failedItems")]
+    public long FailedItems { get; init; }
+
+    [JsonPropertyName("skippedItems")]
+    public long SkippedItems { get; init; }
+
+    [JsonPropertyName("startedAt")]
+    public DateTimeOffset? StartedAt { get; init; }
+
+    [JsonPropertyName("completedAt")]
+    public DateTimeOffset? CompletedAt { get; init; }
+
+    [JsonPropertyName("estimatedDurationMs")]
+    public long? EstimatedDurationMs { get; init; }
+
+    [JsonPropertyName("actualDurationMs")]
+    public long? ActualDurationMs { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("auditEventId")]
+    public string? AuditEventId { get; init; }
+}
+
+/// <summary>
+/// Status values for backfill operations.
+/// </summary>
+internal static class BackfillStatuses
+{
+    public const string Pending = "pending";
+    public const string Running = "running";
+    public const string Completed = "completed";
+    public const string Failed = "failed";
+    public const string Cancelled = "cancelled";
+    public const string DryRun = "dry_run";
+}
+
+/// <summary>
+/// Request to list backfill operations.
+/// </summary>
+internal sealed class BackfillListRequest
+{
+    [JsonPropertyName("sourceId")]
+    public string? SourceId { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("status")]
+    public string? Status { get; init; }
+
+    [JsonPropertyName("pageSize")]
+    public int PageSize { get; init; } = 20;
+
+    [JsonPropertyName("pageToken")]
+    public string? PageToken { get; init; }
+}
+
+/// <summary>
+/// Response from listing backfill operations.
+/// </summary>
+internal sealed class BackfillListResponse
+{
+    [JsonPropertyName("backfills")]
+    public IReadOnlyList<BackfillResult> Backfills { get; init; } = Array.Empty<BackfillResult>();
+
+    [JsonPropertyName("nextPageToken")]
+    public string? NextPageToken { get; init; }
+
+    [JsonPropertyName("totalCount")]
+    public long? TotalCount { get; init; }
+}
+
+/// <summary>
+/// Request to cancel a backfill operation.
+/// </summary>
+internal sealed class BackfillCancelRequest
+{
+    [JsonPropertyName("backfillId")]
+    public string BackfillId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+}
+
+/// <summary>
+/// Quota resource representing usage limits for a tenant/source.
+/// </summary>
+internal sealed class OrchestratorQuota
+{
+    [JsonPropertyName("id")]
+    public string Id { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("sourceId")]
+    public string? SourceId { get; init; }
+
+    [JsonPropertyName("resourceType")]
+    public string ResourceType { get; init; } = string.Empty;
+
+    [JsonPropertyName("limit")]
+    public long Limit { get; init; }
+
+    [JsonPropertyName("used")]
+    public long Used { get; init; }
+
+    [JsonPropertyName("remaining")]
+    public long Remaining { get; init; }
+
+    [JsonPropertyName("period")]
+    public string Period { get; init; } = "monthly";
+
+    [JsonPropertyName("periodStart")]
+    public DateTimeOffset PeriodStart { get; init; }
+
+    [JsonPropertyName("periodEnd")]
+    public DateTimeOffset PeriodEnd { get; init; }
+
+    [JsonPropertyName("resetAt")]
+    public DateTimeOffset ResetAt { get; init; }
+
+    [JsonPropertyName("warningThreshold")]
+    public double WarningThreshold { get; init; } = 0.8;
+
+    [JsonPropertyName("isWarning")]
+    public bool IsWarning { get; init; }
+
+    [JsonPropertyName("isExceeded")]
+    public bool IsExceeded { get; init; }
+
+    [JsonPropertyName("updatedAt")]
+    public DateTimeOffset UpdatedAt { get; init; }
+}
+
+/// <summary>
+/// Quota resource types.
+/// </summary>
+internal static class QuotaResourceTypes
+{
+    public const string ApiCalls = "api_calls";
+    public const string DataIngested = "data_ingested_bytes";
+    public const string ItemsProcessed = "items_processed";
+    public const string Backfills = "backfills";
+    public const string ConcurrentJobs = "concurrent_jobs";
+    public const string Storage = "storage_bytes";
+}
+
+/// <summary>
+/// Quota period types.
+/// </summary>
+internal static class QuotaPeriods
+{
+    public const string Hourly = "hourly";
+    public const string Daily = "daily";
+    public const string Weekly = "weekly";
+    public const string Monthly = "monthly";
+}
+
+/// <summary>
+/// Request to get quotas.
+/// </summary>
+internal sealed class QuotaGetRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("sourceId")]
+    public string? SourceId { get; init; }
+
+    [JsonPropertyName("resourceType")]
+    public string? ResourceType { get; init; }
+}
+
+/// <summary>
+/// Response from getting quotas.
+/// </summary>
+internal sealed class QuotaGetResponse
+{
+    [JsonPropertyName("quotas")]
+    public IReadOnlyList<OrchestratorQuota> Quotas { get; init; } = Array.Empty<OrchestratorQuota>();
+}
+
+/// <summary>
+/// Request to set a quota limit.
+/// </summary>
+internal sealed class QuotaSetRequest
+{
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("sourceId")]
+    public string? SourceId { get; init; }
+
+    [JsonPropertyName("resourceType")]
+    public string ResourceType { get; init; } = string.Empty;
+
+    [JsonPropertyName("limit")]
+    public long Limit { get; init; }
+
+    [JsonPropertyName("period")]
+    public string Period { get; init; } = QuotaPeriods.Monthly;
+
+    [JsonPropertyName("warningThreshold")]
+    public double WarningThreshold { get; init; } = 0.8;
+}
+
+/// <summary>
+/// Result of a quota operation.
+/// </summary>
+internal sealed class QuotaOperationResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("quota")]
+    public OrchestratorQuota? Quota { get; init; }
+
+    [JsonPropertyName("auditEventId")]
+    public string? AuditEventId { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Request to reset a quota's usage counter.
+/// </summary>
+internal sealed class QuotaResetRequest
+{
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("sourceId")]
+    public string? SourceId { get; init; }
+
+    [JsonPropertyName("resourceType")]
+    public string ResourceType { get; init; } = string.Empty;
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/PackModels.cs b/src/Cli/StellaOps.Cli/Services/Models/PackModels.cs
new file mode 100644
index 000000000..2c42af018
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/PackModels.cs
@@ -0,0 +1,915 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-PACKS-42-001: Task Pack models for stella pack commands
+
+/// <summary>
+/// Task pack metadata from the registry.
+/// </summary>
+internal sealed class TaskPackInfo
+{
+    [JsonPropertyName("id")]
+    public string Id { get; init; } = string.Empty;
+
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public string Version { get; init; } = string.Empty;
+
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+
+    [JsonPropertyName("author")]
+    public string? Author { get; init; }
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("signature")]
+    public PackSignature? Signature { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("updatedAt")]
+    public DateTimeOffset UpdatedAt { get; init; }
+
+    [JsonPropertyName("labels")]
+    public IReadOnlyDictionary<string, string> Labels { get; init; } = new Dictionary<string, string>();
+
+    [JsonPropertyName("inputs")]
+    public IReadOnlyList<PackInputSchema> Inputs { get; init; } = Array.Empty<PackInputSchema>();
+
+    [JsonPropertyName("outputs")]
+    public IReadOnlyList<PackOutputSchema> Outputs { get; init; } = Array.Empty<PackOutputSchema>();
+}
+
+/// <summary>
+/// Pack signature information.
+/// </summary>
+internal sealed class PackSignature
+{
+    [JsonPropertyName("algorithm")]
+    public string Algorithm { get; init; } = string.Empty; // ecdsa-p256, rsa-pkcs1-sha256, etc.
+
+    [JsonPropertyName("keyId")]
+    public string? KeyId { get; init; }
+
+    [JsonPropertyName("certificate")]
+    public string? Certificate { get; init; }
+
+    [JsonPropertyName("timestamp")]
+    public DateTimeOffset? Timestamp { get; init; }
+
+    [JsonPropertyName("rekorLogId")]
+    public string? RekorLogId { get; init; }
+
+    [JsonPropertyName("verified")]
+    public bool Verified { get; init; }
+}
+
+/// <summary>
+/// Pack input parameter schema.
+/// </summary>
+internal sealed class PackInputSchema
+{
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = "string"; // string, number, boolean, array, object
+
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+
+    [JsonPropertyName("required")]
+    public bool Required { get; init; }
+
+    [JsonPropertyName("default")]
+    public object? Default { get; init; }
+
+    [JsonPropertyName("enum")]
+    public IReadOnlyList<string>? Enum { get; init; }
+}
+
+/// <summary>
+/// Pack output schema.
+/// </summary>
+internal sealed class PackOutputSchema
+{
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = "string";
+
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+}
+
+/// <summary>
+/// Request to plan a pack execution.
+/// </summary>
+internal sealed class PackPlanRequest
+{
+    [JsonPropertyName("packId")]
+    public string PackId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public string? Version { get; init; }
+
+    [JsonPropertyName("inputs")]
+    public IReadOnlyDictionary<string, object>? Inputs { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("dryRun")]
+    public bool DryRun { get; init; }
+
+    [JsonPropertyName("validateOnly")]
+    public bool ValidateOnly { get; init; }
+}
+
+/// <summary>
+/// Execution plan step.
+/// </summary>
+internal sealed class PackPlanStep
+{
+    [JsonPropertyName("id")]
+    public string Id { get; init; } = string.Empty;
+
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("action")]
+    public string Action { get; init; } = string.Empty;
+
+    [JsonPropertyName("dependsOn")]
+    public IReadOnlyList<string> DependsOn { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("condition")]
+    public string? Condition { get; init; }
+
+    [JsonPropertyName("timeout")]
+    public TimeSpan? Timeout { get; init; }
+
+    [JsonPropertyName("retryPolicy")]
+    public PackRetryPolicy? RetryPolicy { get; init; }
+
+    [JsonPropertyName("inputs")]
+    public IReadOnlyDictionary<string, object>? Inputs { get; init; }
+
+    [JsonPropertyName("requiresApproval")]
+    public bool RequiresApproval { get; init; }
+}
+
+/// <summary>
+/// Retry policy for pack steps.
+/// </summary>
+internal sealed class PackRetryPolicy
+{
+    [JsonPropertyName("maxAttempts")]
+    public int MaxAttempts { get; init; } = 1;
+
+    [JsonPropertyName("backoffMultiplier")]
+    public double BackoffMultiplier { get; init; } = 2.0;
+
+    [JsonPropertyName("initialDelayMs")]
+    public int InitialDelayMs { get; init; } = 1000;
+}
+
+/// <summary>
+/// Result of pack plan operation.
+/// </summary>
+internal sealed class PackPlanResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("planId")]
+    public string? PlanId { get; init; }
+
+    [JsonPropertyName("planHash")]
+    public string? PlanHash { get; init; }
+
+    [JsonPropertyName("steps")]
+    public IReadOnlyList<PackPlanStep> Steps { get; init; } = Array.Empty<PackPlanStep>();
+
+    [JsonPropertyName("requiresApproval")]
+    public bool RequiresApproval { get; init; }
+
+    [JsonPropertyName("approvalGates")]
+    public IReadOnlyList<string> ApprovalGates { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("estimatedDuration")]
+    public TimeSpan? EstimatedDuration { get; init; }
+
+    [JsonPropertyName("validationErrors")]
+    public IReadOnlyList<PackValidationError> ValidationErrors { get; init; } = Array.Empty<PackValidationError>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Validation error from pack plan/verify.
+/// </summary>
+internal sealed class PackValidationError
+{
+    [JsonPropertyName("code")]
+    public string Code { get; init; } = string.Empty;
+
+    [JsonPropertyName("message")]
+    public string Message { get; init; } = string.Empty;
+
+    [JsonPropertyName("path")]
+    public string? Path { get; init; }
+
+    [JsonPropertyName("severity")]
+    public string Severity { get; init; } = "error"; // error, warning
+}
+
+/// <summary>
+/// Request to run a pack.
+/// </summary>
+internal sealed class PackRunRequest
+{
+    [JsonPropertyName("packId")]
+    public string PackId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public string? Version { get; init; }
+
+    [JsonPropertyName("planId")]
+    public string? PlanId { get; init; }
+
+    [JsonPropertyName("inputs")]
+    public IReadOnlyDictionary<string, object>? Inputs { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("labels")]
+    public IReadOnlyDictionary<string, string>? Labels { get; init; }
+
+    [JsonPropertyName("waitForCompletion")]
+    public bool WaitForCompletion { get; init; }
+
+    [JsonPropertyName("timeoutMinutes")]
+    public int TimeoutMinutes { get; init; } = 60;
+}
+
+/// <summary>
+/// Pack run status.
+/// </summary>
+internal sealed class PackRunStatus
+{
+    [JsonPropertyName("runId")]
+    public string RunId { get; init; } = string.Empty;
+
+    [JsonPropertyName("packId")]
+    public string PackId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public string Version { get; init; } = string.Empty;
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = "pending"; // pending, running, succeeded, failed, cancelled, waiting_approval
+
+    [JsonPropertyName("startedAt")]
+    public DateTimeOffset? StartedAt { get; init; }
+
+    [JsonPropertyName("completedAt")]
+    public DateTimeOffset? CompletedAt { get; init; }
+
+    [JsonPropertyName("duration")]
+    public TimeSpan? Duration { get; init; }
+
+    [JsonPropertyName("actor")]
+    public string? Actor { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("currentStep")]
+    public string? CurrentStep { get; init; }
+
+    [JsonPropertyName("stepStatuses")]
+    public IReadOnlyList<PackStepStatus> StepStatuses { get; init; } = Array.Empty<PackStepStatus>();
+
+    [JsonPropertyName("outputs")]
+    public IReadOnlyDictionary<string, object>? Outputs { get; init; }
+
+    [JsonPropertyName("artifacts")]
+    public IReadOnlyList<PackArtifact> Artifacts { get; init; } = Array.Empty<PackArtifact>();
+
+    [JsonPropertyName("error")]
+    public string? Error { get; init; }
+
+    [JsonPropertyName("auditEventId")]
+    public string? AuditEventId { get; init; }
+}
+
+/// <summary>
+/// Status of individual pack step.
+/// </summary>
+internal sealed class PackStepStatus
+{
+    [JsonPropertyName("stepId")]
+    public string StepId { get; init; } = string.Empty;
+
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = "pending"; // pending, running, succeeded, failed, skipped
+
+    [JsonPropertyName("startedAt")]
+    public DateTimeOffset? StartedAt { get; init; }
+
+    [JsonPropertyName("completedAt")]
+    public DateTimeOffset? CompletedAt { get; init; }
+
+    [JsonPropertyName("duration")]
+    public TimeSpan? Duration { get; init; }
+
+    [JsonPropertyName("attempt")]
+    public int Attempt { get; init; } = 1;
+
+    [JsonPropertyName("error")]
+    public string? Error { get; init; }
+
+    [JsonPropertyName("outputs")]
+    public IReadOnlyDictionary<string, object>? Outputs { get; init; }
+}
+
+/// <summary>
+/// Artifact produced by pack run.
+/// </summary>
+internal sealed class PackArtifact
+{
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty; // log, sbom, report, attestation
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("size")]
+    public long Size { get; init; }
+
+    [JsonPropertyName("uri")]
+    public string? Uri { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+}
+
+/// <summary>
+/// Result of pack run operation.
+/// </summary>
+internal sealed class PackRunResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("run")]
+    public PackRunStatus? Run { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Request to push a pack to the registry.
+/// </summary>
+internal sealed class PackPushRequest
+{
+    [JsonPropertyName("packPath")]
+    public string PackPath { get; init; } = string.Empty;
+
+    [JsonPropertyName("name")]
+    public string? Name { get; init; }
+
+    [JsonPropertyName("version")]
+    public string? Version { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("sign")]
+    public bool Sign { get; init; }
+
+    [JsonPropertyName("keyId")]
+    public string? KeyId { get; init; }
+
+    [JsonPropertyName("force")]
+    public bool Force { get; init; }
+
+    [JsonPropertyName("labels")]
+    public IReadOnlyDictionary<string, string>? Labels { get; init; }
+}
+
+/// <summary>
+/// Result of pack push operation.
+/// </summary>
+internal sealed class PackPushResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("pack")]
+    public TaskPackInfo? Pack { get; init; }
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("rekorLogId")]
+    public string? RekorLogId { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Request to pull a pack from the registry.
+/// </summary>
+internal sealed class PackPullRequest
+{
+    [JsonPropertyName("packId")]
+    public string PackId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public string? Version { get; init; }
+
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("verify")]
+    public bool Verify { get; init; } = true;
+}
+
+/// <summary>
+/// Result of pack pull operation.
+/// </summary>
+internal sealed class PackPullResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("pack")]
+    public TaskPackInfo? Pack { get; init; }
+
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+
+    [JsonPropertyName("verified")]
+    public bool Verified { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Request to verify a pack.
+/// </summary>
+internal sealed class PackVerifyRequest
+{
+    [JsonPropertyName("packPath")]
+    public string? PackPath { get; init; }
+
+    [JsonPropertyName("packId")]
+    public string? PackId { get; init; }
+
+    [JsonPropertyName("version")]
+    public string? Version { get; init; }
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("checkRekor")]
+    public bool CheckRekor { get; init; } = true;
+
+    [JsonPropertyName("checkExpiry")]
+    public bool CheckExpiry { get; init; } = true;
+}
+
+/// <summary>
+/// Result of pack verify operation.
+/// </summary>
+internal sealed class PackVerifyResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("pack")]
+    public TaskPackInfo? Pack { get; init; }
+
+    [JsonPropertyName("signatureValid")]
+    public bool SignatureValid { get; init; }
+
+    [JsonPropertyName("digestMatch")]
+    public bool DigestMatch { get; init; }
+
+    [JsonPropertyName("rekorVerified")]
+    public bool? RekorVerified { get; init; }
+
+    [JsonPropertyName("certificateValid")]
+    public bool? CertificateValid { get; init; }
+
+    [JsonPropertyName("certificateExpiry")]
+    public DateTimeOffset? CertificateExpiry { get; init; }
+
+    [JsonPropertyName("schemaValid")]
+    public bool SchemaValid { get; init; }
+
+    [JsonPropertyName("validationErrors")]
+    public IReadOnlyList<PackValidationError> ValidationErrors { get; init; } = Array.Empty<PackValidationError>();
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
+
+// CLI-PACKS-43-001: Advanced pack features
+
+/// <summary>
+/// Request to pause a pack run waiting for approval.
+/// </summary>
+internal sealed class PackApprovalPauseRequest
+{
+    [JsonPropertyName("runId")]
+    public string RunId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+
+    [JsonPropertyName("stepId")]
+    public string? StepId { get; init; }
+}
+
+/// <summary>
+/// Request to resume a paused pack run with approval.
+/// </summary>
+internal sealed class PackApprovalResumeRequest
+{
+    [JsonPropertyName("runId")]
+    public string RunId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("approved")]
+    public bool Approved { get; init; } = true;
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+
+    [JsonPropertyName("stepId")]
+    public string? StepId { get; init; }
+}
+
+/// <summary>
+/// Result of an approval operation.
+/// </summary>
+internal sealed class PackApprovalResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("run")]
+    public PackRunStatus? Run { get; init; }
+
+    [JsonPropertyName("auditEventId")]
+    public string? AuditEventId { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Request to inject a secret into a pack run.
+/// </summary>
+internal sealed class PackSecretInjectRequest
+{
+    [JsonPropertyName("runId")]
+    public string RunId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("secretRef")]
+    public string SecretRef { get; init; } = string.Empty;
+
+    [JsonPropertyName("secretProvider")]
+    public string SecretProvider { get; init; } = "vault"; // vault, aws-ssm, azure-keyvault, k8s-secret
+
+    [JsonPropertyName("targetEnvVar")]
+    public string? TargetEnvVar { get; init; }
+
+    [JsonPropertyName("targetPath")]
+    public string? TargetPath { get; init; }
+
+    [JsonPropertyName("stepId")]
+    public string? StepId { get; init; }
+}
+
+/// <summary>
+/// Result of a secret injection operation.
+/// </summary>
+internal sealed class PackSecretInjectResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("secretRef")]
+    public string SecretRef { get; init; } = string.Empty;
+
+    [JsonPropertyName("injectedAt")]
+    public DateTimeOffset InjectedAt { get; init; }
+
+    [JsonPropertyName("auditEventId")]
+    public string? AuditEventId { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Request to list pack runs.
+/// </summary>
+internal sealed class PackRunListRequest
+{
+    [JsonPropertyName("packId")]
+    public string? PackId { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("status")]
+    public string? Status { get; init; }
+
+    [JsonPropertyName("actor")]
+    public string? Actor { get; init; }
+
+    [JsonPropertyName("since")]
+    public DateTimeOffset? Since { get; init; }
+
+    [JsonPropertyName("until")]
+    public DateTimeOffset? Until { get; init; }
+
+    [JsonPropertyName("pageSize")]
+    public int PageSize { get; init; } = 20;
+
+    [JsonPropertyName("pageToken")]
+    public string? PageToken { get; init; }
+}
+
+/// <summary>
+/// Response from listing pack runs.
+/// </summary>
+internal sealed class PackRunListResponse
+{
+    [JsonPropertyName("runs")]
+    public IReadOnlyList<PackRunStatus> Runs { get; init; } = Array.Empty<PackRunStatus>();
+
+    [JsonPropertyName("nextPageToken")]
+    public string? NextPageToken { get; init; }
+
+    [JsonPropertyName("totalCount")]
+    public long? TotalCount { get; init; }
+}
+
+/// <summary>
+/// Request to cancel a pack run.
+/// </summary>
+internal sealed class PackCancelRequest
+{
+    [JsonPropertyName("runId")]
+    public string RunId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+
+    [JsonPropertyName("force")]
+    public bool Force { get; init; }
+}
+
+/// <summary>
+/// Request to get pack run logs.
+/// </summary>
+internal sealed class PackLogsRequest
+{
+    [JsonPropertyName("runId")]
+    public string RunId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("stepId")]
+    public string? StepId { get; init; }
+
+    [JsonPropertyName("follow")]
+    public bool Follow { get; init; }
+
+    [JsonPropertyName("tail")]
+    public int? Tail { get; init; }
+
+    [JsonPropertyName("since")]
+    public DateTimeOffset? Since { get; init; }
+}
+
+/// <summary>
+/// Pack log entry.
+/// </summary>
+internal sealed class PackLogEntry
+{
+    [JsonPropertyName("timestamp")]
+    public DateTimeOffset Timestamp { get; init; }
+
+    [JsonPropertyName("stepId")]
+    public string? StepId { get; init; }
+
+    [JsonPropertyName("level")]
+    public string Level { get; init; } = "info"; // debug, info, warn, error
+
+    [JsonPropertyName("message")]
+    public string Message { get; init; } = string.Empty;
+
+    [JsonPropertyName("stream")]
+    public string Stream { get; init; } = "stdout"; // stdout, stderr
+}
+
+/// <summary>
+/// Result of pack logs request.
+/// </summary>
+internal sealed class PackLogsResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("runId")]
+    public string RunId { get; init; } = string.Empty;
+
+    [JsonPropertyName("logs")]
+    public IReadOnlyList<PackLogEntry> Logs { get; init; } = Array.Empty<PackLogEntry>();
+
+    [JsonPropertyName("nextToken")]
+    public string? NextToken { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Request to download a pack artifact.
+/// </summary>
+internal sealed class PackArtifactDownloadRequest
+{
+    [JsonPropertyName("runId")]
+    public string RunId { get; init; } = string.Empty;
+
+    [JsonPropertyName("artifactName")]
+    public string ArtifactName { get; init; } = string.Empty;
+
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of artifact download.
+/// </summary>
+internal sealed class PackArtifactDownloadResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("artifact")]
+    public PackArtifact? Artifact { get; init; }
+
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+
+    [JsonPropertyName("verified")]
+    public bool Verified { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Offline cache entry for packs.
+/// </summary>
+internal sealed class PackCacheEntry
+{
+    [JsonPropertyName("packId")]
+    public string PackId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public string Version { get; init; } = string.Empty;
+
+    [JsonPropertyName("digest")]
+    public string Digest { get; init; } = string.Empty;
+
+    [JsonPropertyName("cachedAt")]
+    public DateTimeOffset CachedAt { get; init; }
+
+    [JsonPropertyName("expiresAt")]
+    public DateTimeOffset? ExpiresAt { get; init; }
+
+    [JsonPropertyName("size")]
+    public long Size { get; init; }
+
+    [JsonPropertyName("path")]
+    public string Path { get; init; } = string.Empty;
+
+    [JsonPropertyName("verified")]
+    public bool Verified { get; init; }
+}
+
+/// <summary>
+/// Request to manage offline cache.
+/// </summary>
+internal sealed class PackCacheRequest
+{
+    [JsonPropertyName("action")]
+    public string Action { get; init; } = "list"; // list, add, remove, sync, prune
+
+    [JsonPropertyName("packId")]
+    public string? PackId { get; init; }
+
+    [JsonPropertyName("version")]
+    public string? Version { get; init; }
+
+    [JsonPropertyName("cacheDir")]
+    public string? CacheDir { get; init; }
+
+    [JsonPropertyName("maxAge")]
+    public TimeSpan? MaxAge { get; init; }
+
+    [JsonPropertyName("maxSize")]
+    public long? MaxSize { get; init; }
+}
+
+/// <summary>
+/// Result of cache operation.
+/// </summary>
+internal sealed class PackCacheResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("entries")]
+    public IReadOnlyList<PackCacheEntry> Entries { get; init; } = Array.Empty<PackCacheEntry>();
+
+    [JsonPropertyName("totalSize")]
+    public long TotalSize { get; init; }
+
+    [JsonPropertyName("prunedCount")]
+    public int PrunedCount { get; init; }
+
+    [JsonPropertyName("prunedSize")]
+    public long PrunedSize { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/PolicySimulationModels.cs b/src/Cli/StellaOps.Cli/Services/Models/PolicySimulationModels.cs
index 25701279a..ee16cde1b 100644
--- a/src/Cli/StellaOps.Cli/Services/Models/PolicySimulationModels.cs
+++ b/src/Cli/StellaOps.Cli/Services/Models/PolicySimulationModels.cs
@@ -2,16 +2,39 @@ using System.Collections.Generic;
 
 namespace StellaOps.Cli.Services.Models;
 
+// CLI-POLICY-27-003: Enhanced simulation modes
+internal enum PolicySimulationMode
+{
+    Quick,
+    Batch
+}
+
+/// <summary>
+/// Input for policy simulation.
+/// Per CLI-EXC-25-002, supports exception preview via WithExceptions/WithoutExceptions.
+/// Per CLI-POLICY-27-003, supports mode (quick/batch), SBOM selectors, heatmap, and manifest download.
+/// Per CLI-SIG-26-002, supports reachability overrides for vulnerability/package state and score.
+/// </summary>
 internal sealed record PolicySimulationInput(
     int? BaseVersion,
     int? CandidateVersion,
     IReadOnlyList<string> SbomSet,
     IReadOnlyDictionary<string, object?> Environment,
-    bool Explain);
+    bool Explain,
+    IReadOnlyList<string>? WithExceptions = null,
+    IReadOnlyList<string>? WithoutExceptions = null,
+    PolicySimulationMode? Mode = null,
+    IReadOnlyList<string>? SbomSelectors = null,
+    bool IncludeHeatmap = false,
+    bool IncludeManifest = false,
+    IReadOnlyList<ReachabilityOverride>? ReachabilityOverrides = null);
 
 internal sealed record PolicySimulationResult(
     PolicySimulationDiff Diff,
-    string? ExplainUri);
+    string? ExplainUri,
+    PolicySimulationHeatmap? Heatmap = null,
+    string? ManifestDownloadUri = null,
+    string? ManifestDigest = null);
 
 internal sealed record PolicySimulationDiff(
     string? SchemaVersion,
@@ -24,3 +47,17 @@ internal sealed record PolicySimulationDiff(
 internal sealed record PolicySimulationSeverityDelta(int? Up, int? Down);
 
 internal sealed record PolicySimulationRuleDelta(string RuleId, string RuleName, int? Up, int? Down);
+
+// CLI-POLICY-27-003: Heatmap summary for quick severity visualization
+internal sealed record PolicySimulationHeatmap(
+    int Critical,
+    int High,
+    int Medium,
+    int Low,
+    int Info,
+    IReadOnlyList<PolicySimulationHeatmapBucket> Buckets);
+
+internal sealed record PolicySimulationHeatmapBucket(
+    string Label,
+    int Count,
+    string? Color);
diff --git a/src/Cli/StellaOps.Cli/Services/Models/PolicyWorkspaceModels.cs b/src/Cli/StellaOps.Cli/Services/Models/PolicyWorkspaceModels.cs
new file mode 100644
index 000000000..d0bf407a9
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/PolicyWorkspaceModels.cs
@@ -0,0 +1,1211 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-POLICY-20-001: Policy scaffolding and workspace models
+
+/// <summary>
+/// Available policy templates.
+/// </summary>
+internal enum PolicyTemplate
+{
+    /// <summary>
+    /// Minimal policy with basic structure.
+    /// </summary>
+    Minimal,
+
+    /// <summary>
+    /// Baseline severity normalization template.
+    /// </summary>
+    Baseline,
+
+    /// <summary>
+    /// VEX precedence handling template.
+    /// </summary>
+    VexPrecedence,
+
+    /// <summary>
+    /// Reachability-aware policy template.
+    /// </summary>
+    Reachability,
+
+    /// <summary>
+    /// Secret leak detection template.
+    /// </summary>
+    SecretLeak,
+
+    /// <summary>
+    /// Full-featured template with all sections.
+    /// </summary>
+    Full
+}
+
+/// <summary>
+/// Request for creating a new policy from template.
+/// </summary>
+internal sealed class PolicyNewRequest
+{
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("template")]
+    public PolicyTemplate Template { get; init; } = PolicyTemplate.Minimal;
+
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+
+    [JsonPropertyName("tags")]
+    public IReadOnlyList<string>? Tags { get; init; }
+
+    [JsonPropertyName("syntaxVersion")]
+    public string SyntaxVersion { get; init; } = "stella-dsl@1";
+
+    [JsonPropertyName("shadowMode")]
+    public bool ShadowMode { get; init; } = true;
+
+    [JsonPropertyName("createFixtures")]
+    public bool CreateFixtures { get; init; }
+
+    [JsonPropertyName("gitInit")]
+    public bool GitInit { get; init; }
+}
+
+/// <summary>
+/// Result of policy scaffolding.
+/// </summary>
+internal sealed class PolicyNewResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("policyPath")]
+    public string PolicyPath { get; init; } = string.Empty;
+
+    [JsonPropertyName("fixturesPath")]
+    public string? FixturesPath { get; init; }
+
+    [JsonPropertyName("template")]
+    public string Template { get; init; } = string.Empty;
+
+    [JsonPropertyName("syntaxVersion")]
+    public string SyntaxVersion { get; init; } = string.Empty;
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string>? Warnings { get; init; }
+}
+
+// CLI-POLICY-23-006: Policy history and explain models
+
+/// <summary>
+/// Request for policy run history.
+/// </summary>
+internal sealed class PolicyHistoryRequest
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("from")]
+    public DateTimeOffset? From { get; init; }
+
+    [JsonPropertyName("to")]
+    public DateTimeOffset? To { get; init; }
+
+    [JsonPropertyName("status")]
+    public string? Status { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int? Limit { get; init; }
+
+    [JsonPropertyName("cursor")]
+    public string? Cursor { get; init; }
+}
+
+/// <summary>
+/// Policy run history response.
+/// </summary>
+internal sealed class PolicyHistoryResponse
+{
+    [JsonPropertyName("items")]
+    public IReadOnlyList<PolicyRunSummary> Items { get; init; } = [];
+
+    [JsonPropertyName("total")]
+    public int Total { get; init; }
+
+    [JsonPropertyName("hasMore")]
+    public bool HasMore { get; init; }
+
+    [JsonPropertyName("nextCursor")]
+    public string? NextCursor { get; init; }
+}
+
+/// <summary>
+/// Summary of a policy run.
+/// </summary>
+internal sealed class PolicyRunSummary
+{
+    [JsonPropertyName("runId")]
+    public string RunId { get; init; } = string.Empty;
+
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("policyVersion")]
+    public int PolicyVersion { get; init; }
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = string.Empty;
+
+    [JsonPropertyName("startedAt")]
+    public DateTimeOffset StartedAt { get; init; }
+
+    [JsonPropertyName("completedAt")]
+    public DateTimeOffset? CompletedAt { get; init; }
+
+    [JsonPropertyName("duration")]
+    public TimeSpan? Duration { get; init; }
+
+    [JsonPropertyName("sbomCount")]
+    public int SbomCount { get; init; }
+
+    [JsonPropertyName("findingsGenerated")]
+    public int FindingsGenerated { get; init; }
+
+    [JsonPropertyName("findingsChanged")]
+    public int FindingsChanged { get; init; }
+
+    [JsonPropertyName("triggeredBy")]
+    public string? TriggeredBy { get; init; }
+
+    [JsonPropertyName("correlationId")]
+    public string? CorrelationId { get; init; }
+}
+
+/// <summary>
+/// Request for policy explain tree.
+/// </summary>
+internal sealed class PolicyExplainRequest
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("runId")]
+    public string? RunId { get; init; }
+
+    [JsonPropertyName("findingId")]
+    public string? FindingId { get; init; }
+
+    [JsonPropertyName("sbomId")]
+    public string? SbomId { get; init; }
+
+    [JsonPropertyName("componentPurl")]
+    public string? ComponentPurl { get; init; }
+
+    [JsonPropertyName("advisoryId")]
+    public string? AdvisoryId { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("depth")]
+    public int? Depth { get; init; }
+}
+
+/// <summary>
+/// Policy explain result with decision tree.
+/// </summary>
+internal sealed class PolicyExplainResult
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("policyVersion")]
+    public int PolicyVersion { get; init; }
+
+    [JsonPropertyName("runId")]
+    public string? RunId { get; init; }
+
+    [JsonPropertyName("timestamp")]
+    public DateTimeOffset Timestamp { get; init; }
+
+    [JsonPropertyName("subject")]
+    public PolicyExplainSubject? Subject { get; init; }
+
+    [JsonPropertyName("decision")]
+    public PolicyDecision? Decision { get; init; }
+
+    [JsonPropertyName("ruleTrace")]
+    public IReadOnlyList<PolicyRuleTraceEntry>? RuleTrace { get; init; }
+
+    [JsonPropertyName("inputContext")]
+    public PolicyInputContext? InputContext { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+}
+
+/// <summary>
+/// Subject being explained (component + advisory).
+/// </summary>
+internal sealed class PolicyExplainSubject
+{
+    [JsonPropertyName("componentPurl")]
+    public string? ComponentPurl { get; init; }
+
+    [JsonPropertyName("componentName")]
+    public string? ComponentName { get; init; }
+
+    [JsonPropertyName("componentVersion")]
+    public string? ComponentVersion { get; init; }
+
+    [JsonPropertyName("advisoryId")]
+    public string? AdvisoryId { get; init; }
+
+    [JsonPropertyName("advisorySource")]
+    public string? AdvisorySource { get; init; }
+
+    [JsonPropertyName("sbomId")]
+    public string? SbomId { get; init; }
+}
+
+/// <summary>
+/// Policy decision outcome.
+/// </summary>
+internal sealed class PolicyDecision
+{
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = string.Empty;
+
+    [JsonPropertyName("severity")]
+    public string? Severity { get; init; }
+
+    [JsonPropertyName("severityScore")]
+    public double? SeverityScore { get; init; }
+
+    [JsonPropertyName("winningRule")]
+    public string? WinningRule { get; init; }
+
+    [JsonPropertyName("rationale")]
+    public string? Rationale { get; init; }
+
+    [JsonPropertyName("annotations")]
+    public IReadOnlyDictionary<string, string>? Annotations { get; init; }
+}
+
+/// <summary>
+/// Entry in the rule evaluation trace.
+/// </summary>
+internal sealed class PolicyRuleTraceEntry
+{
+    [JsonPropertyName("ruleName")]
+    public string RuleName { get; init; } = string.Empty;
+
+    [JsonPropertyName("priority")]
+    public int Priority { get; init; }
+
+    [JsonPropertyName("evaluated")]
+    public bool Evaluated { get; init; }
+
+    [JsonPropertyName("matched")]
+    public bool Matched { get; init; }
+
+    [JsonPropertyName("predicates")]
+    public IReadOnlyList<PolicyPredicateEvaluation>? Predicates { get; init; }
+
+    [JsonPropertyName("actions")]
+    public IReadOnlyList<PolicyActionResult>? Actions { get; init; }
+
+    [JsonPropertyName("because")]
+    public string? Because { get; init; }
+
+    [JsonPropertyName("skippedReason")]
+    public string? SkippedReason { get; init; }
+}
+
+/// <summary>
+/// Predicate evaluation result.
+/// </summary>
+internal sealed class PolicyPredicateEvaluation
+{
+    [JsonPropertyName("expression")]
+    public string Expression { get; init; } = string.Empty;
+
+    [JsonPropertyName("result")]
+    public bool Result { get; init; }
+
+    [JsonPropertyName("leftValue")]
+    public string? LeftValue { get; init; }
+
+    [JsonPropertyName("rightValue")]
+    public string? RightValue { get; init; }
+}
+
+/// <summary>
+/// Action execution result.
+/// </summary>
+internal sealed class PolicyActionResult
+{
+    [JsonPropertyName("action")]
+    public string Action { get; init; } = string.Empty;
+
+    [JsonPropertyName("target")]
+    public string? Target { get; init; }
+
+    [JsonPropertyName("value")]
+    public string? Value { get; init; }
+
+    [JsonPropertyName("executed")]
+    public bool Executed { get; init; }
+}
+
+/// <summary>
+/// Input context used for evaluation.
+/// </summary>
+internal sealed class PolicyInputContext
+{
+    [JsonPropertyName("sbom")]
+    public IReadOnlyDictionary<string, object?>? Sbom { get; init; }
+
+    [JsonPropertyName("advisory")]
+    public IReadOnlyDictionary<string, object?>? Advisory { get; init; }
+
+    [JsonPropertyName("vex")]
+    public IReadOnlyList<IReadOnlyDictionary<string, object?>>? Vex { get; init; }
+
+    [JsonPropertyName("env")]
+    public IReadOnlyDictionary<string, string?>? Env { get; init; }
+
+    [JsonPropertyName("telemetry")]
+    public IReadOnlyDictionary<string, object?>? Telemetry { get; init; }
+
+    [JsonPropertyName("signals")]
+    public IReadOnlyDictionary<string, object?>? Signals { get; init; }
+}
+
+// CLI-POLICY-27-001: Policy workspace models
+
+/// <summary>
+/// Request to initialize a policy workspace.
+/// </summary>
+internal sealed class PolicyWorkspaceInitRequest
+{
+    [JsonPropertyName("path")]
+    public string Path { get; init; } = string.Empty;
+
+    [JsonPropertyName("name")]
+    public string? Name { get; init; }
+
+    [JsonPropertyName("template")]
+    public PolicyTemplate Template { get; init; } = PolicyTemplate.Minimal;
+
+    [JsonPropertyName("gitInit")]
+    public bool GitInit { get; init; } = true;
+
+    [JsonPropertyName("createReadme")]
+    public bool CreateReadme { get; init; } = true;
+
+    [JsonPropertyName("createFixtures")]
+    public bool CreateFixtures { get; init; } = true;
+}
+
+/// <summary>
+/// Result of workspace initialization.
+/// </summary>
+internal sealed class PolicyWorkspaceInitResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("workspacePath")]
+    public string WorkspacePath { get; init; } = string.Empty;
+
+    [JsonPropertyName("policyPath")]
+    public string? PolicyPath { get; init; }
+
+    [JsonPropertyName("fixturesPath")]
+    public string? FixturesPath { get; init; }
+
+    [JsonPropertyName("gitInitialized")]
+    public bool GitInitialized { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string>? Warnings { get; init; }
+}
+
+/// <summary>
+/// Request to compile a policy DSL file.
+/// </summary>
+internal sealed class PolicyCompileRequest
+{
+    [JsonPropertyName("inputPath")]
+    public string InputPath { get; init; } = string.Empty;
+
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+
+    [JsonPropertyName("emitIr")]
+    public bool EmitIr { get; init; } = true;
+
+    [JsonPropertyName("emitDigest")]
+    public bool EmitDigest { get; init; } = true;
+
+    [JsonPropertyName("optimize")]
+    public bool Optimize { get; init; }
+
+    [JsonPropertyName("strict")]
+    public bool Strict { get; init; }
+}
+
+/// <summary>
+/// Result of policy compilation.
+/// </summary>
+internal sealed class PolicyCompileResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("inputPath")]
+    public string InputPath { get; init; } = string.Empty;
+
+    [JsonPropertyName("irPath")]
+    public string? IrPath { get; init; }
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("syntaxVersion")]
+    public string? SyntaxVersion { get; init; }
+
+    [JsonPropertyName("policyName")]
+    public string? PolicyName { get; init; }
+
+    [JsonPropertyName("ruleCount")]
+    public int RuleCount { get; init; }
+
+    [JsonPropertyName("profileCount")]
+    public int ProfileCount { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<PolicyDiagnostic>? Errors { get; init; }
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<PolicyDiagnostic>? Warnings { get; init; }
+}
+
+/// <summary>
+/// Policy diagnostic message (error/warning).
+/// </summary>
+internal sealed class PolicyDiagnostic
+{
+    [JsonPropertyName("code")]
+    public string Code { get; init; } = string.Empty;
+
+    [JsonPropertyName("message")]
+    public string Message { get; init; } = string.Empty;
+
+    [JsonPropertyName("severity")]
+    public string Severity { get; init; } = "error";
+
+    [JsonPropertyName("line")]
+    public int? Line { get; init; }
+
+    [JsonPropertyName("column")]
+    public int? Column { get; init; }
+
+    [JsonPropertyName("span")]
+    public string? Span { get; init; }
+
+    [JsonPropertyName("suggestion")]
+    public string? Suggestion { get; init; }
+}
+
+// CLI-POLICY-27-002: Policy submission/review workflow models
+
+/// <summary>
+/// Policy version bump type.
+/// </summary>
+internal enum PolicyBumpType
+{
+    Patch,
+    Minor,
+    Major
+}
+
+/// <summary>
+/// Policy review state.
+/// </summary>
+internal enum PolicyReviewState
+{
+    Draft,
+    Submitted,
+    InReview,
+    Approved,
+    Rejected,
+    Published
+}
+
+/// <summary>
+/// Request to bump policy version.
+/// </summary>
+internal sealed class PolicyVersionBumpRequest
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("filePath")]
+    public string? FilePath { get; init; }
+
+    [JsonPropertyName("bumpType")]
+    public PolicyBumpType BumpType { get; init; } = PolicyBumpType.Patch;
+
+    [JsonPropertyName("changelog")]
+    public string? Changelog { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of policy version bump.
+/// </summary>
+internal sealed class PolicyVersionBumpResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("previousVersion")]
+    public int PreviousVersion { get; init; }
+
+    [JsonPropertyName("newVersion")]
+    public int NewVersion { get; init; }
+
+    [JsonPropertyName("changelog")]
+    public string? Changelog { get; init; }
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+}
+
+/// <summary>
+/// Request to submit policy for review.
+/// </summary>
+internal sealed class PolicySubmitRequest
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int? Version { get; init; }
+
+    [JsonPropertyName("reviewers")]
+    public IReadOnlyList<string>? Reviewers { get; init; }
+
+    [JsonPropertyName("message")]
+    public string? Message { get; init; }
+
+    [JsonPropertyName("urgent")]
+    public bool Urgent { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of policy submission.
+/// </summary>
+internal sealed class PolicySubmitResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("reviewId")]
+    public string ReviewId { get; init; } = string.Empty;
+
+    [JsonPropertyName("state")]
+    public string State { get; init; } = string.Empty;
+
+    [JsonPropertyName("reviewers")]
+    public IReadOnlyList<string>? Reviewers { get; init; }
+
+    [JsonPropertyName("submittedAt")]
+    public DateTimeOffset SubmittedAt { get; init; }
+
+    [JsonPropertyName("submittedBy")]
+    public string? SubmittedBy { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+}
+
+/// <summary>
+/// Request to add a review comment.
+/// </summary>
+internal sealed class PolicyReviewCommentRequest
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("reviewId")]
+    public string ReviewId { get; init; } = string.Empty;
+
+    [JsonPropertyName("comment")]
+    public string Comment { get; init; } = string.Empty;
+
+    [JsonPropertyName("line")]
+    public int? Line { get; init; }
+
+    [JsonPropertyName("ruleName")]
+    public string? RuleName { get; init; }
+
+    [JsonPropertyName("blocking")]
+    public bool Blocking { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of adding a review comment.
+/// </summary>
+internal sealed class PolicyReviewCommentResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("commentId")]
+    public string CommentId { get; init; } = string.Empty;
+
+    [JsonPropertyName("reviewId")]
+    public string ReviewId { get; init; } = string.Empty;
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("author")]
+    public string? Author { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+}
+
+/// <summary>
+/// Request to approve a policy review.
+/// </summary>
+internal sealed class PolicyApproveRequest
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("reviewId")]
+    public string ReviewId { get; init; } = string.Empty;
+
+    [JsonPropertyName("comment")]
+    public string? Comment { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of policy approval.
+/// </summary>
+internal sealed class PolicyApproveResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("reviewId")]
+    public string ReviewId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("state")]
+    public string State { get; init; } = string.Empty;
+
+    [JsonPropertyName("approvedAt")]
+    public DateTimeOffset ApprovedAt { get; init; }
+
+    [JsonPropertyName("approvedBy")]
+    public string? ApprovedBy { get; init; }
+
+    [JsonPropertyName("requiredApprovals")]
+    public int RequiredApprovals { get; init; }
+
+    [JsonPropertyName("currentApprovals")]
+    public int CurrentApprovals { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+}
+
+/// <summary>
+/// Request to reject a policy review.
+/// </summary>
+internal sealed class PolicyRejectRequest
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("reviewId")]
+    public string ReviewId { get; init; } = string.Empty;
+
+    [JsonPropertyName("reason")]
+    public string Reason { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of policy rejection.
+/// </summary>
+internal sealed class PolicyRejectResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("reviewId")]
+    public string ReviewId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("state")]
+    public string State { get; init; } = string.Empty;
+
+    [JsonPropertyName("rejectedAt")]
+    public DateTimeOffset RejectedAt { get; init; }
+
+    [JsonPropertyName("rejectedBy")]
+    public string? RejectedBy { get; init; }
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+}
+
+/// <summary>
+/// Policy review summary.
+/// </summary>
+internal sealed class PolicyReviewSummary
+{
+    [JsonPropertyName("reviewId")]
+    public string ReviewId { get; init; } = string.Empty;
+
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("state")]
+    public string State { get; init; } = string.Empty;
+
+    [JsonPropertyName("submittedAt")]
+    public DateTimeOffset SubmittedAt { get; init; }
+
+    [JsonPropertyName("submittedBy")]
+    public string? SubmittedBy { get; init; }
+
+    [JsonPropertyName("reviewers")]
+    public IReadOnlyList<string>? Reviewers { get; init; }
+
+    [JsonPropertyName("approvals")]
+    public IReadOnlyList<PolicyApprovalInfo>? Approvals { get; init; }
+
+    [JsonPropertyName("comments")]
+    public IReadOnlyList<PolicyCommentInfo>? Comments { get; init; }
+
+    [JsonPropertyName("blockingComments")]
+    public int BlockingComments { get; init; }
+
+    [JsonPropertyName("resolvedComments")]
+    public int ResolvedComments { get; init; }
+}
+
+/// <summary>
+/// Policy approval info.
+/// </summary>
+internal sealed class PolicyApprovalInfo
+{
+    [JsonPropertyName("approver")]
+    public string Approver { get; init; } = string.Empty;
+
+    [JsonPropertyName("approvedAt")]
+    public DateTimeOffset ApprovedAt { get; init; }
+
+    [JsonPropertyName("comment")]
+    public string? Comment { get; init; }
+}
+
+/// <summary>
+/// Policy comment info.
+/// </summary>
+internal sealed class PolicyCommentInfo
+{
+    [JsonPropertyName("commentId")]
+    public string CommentId { get; init; } = string.Empty;
+
+    [JsonPropertyName("author")]
+    public string Author { get; init; } = string.Empty;
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("comment")]
+    public string Comment { get; init; } = string.Empty;
+
+    [JsonPropertyName("line")]
+    public int? Line { get; init; }
+
+    [JsonPropertyName("ruleName")]
+    public string? RuleName { get; init; }
+
+    [JsonPropertyName("blocking")]
+    public bool Blocking { get; init; }
+
+    [JsonPropertyName("resolved")]
+    public bool Resolved { get; init; }
+}
+
+/// <summary>
+/// Request to get policy review status.
+/// </summary>
+internal sealed class PolicyReviewStatusRequest
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("reviewId")]
+    public string? ReviewId { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+// CLI-POLICY-27-004: Policy lifecycle commands (publish/promote/rollback/sign)
+
+/// <summary>
+/// Request to publish a policy revision.
+/// </summary>
+internal sealed class PolicyPublishRequest
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("sign")]
+    public bool Sign { get; init; }
+
+    [JsonPropertyName("signatureAlgorithm")]
+    public string? SignatureAlgorithm { get; init; }
+
+    [JsonPropertyName("keyId")]
+    public string? KeyId { get; init; }
+
+    [JsonPropertyName("note")]
+    public string? Note { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of publishing a policy revision.
+/// </summary>
+internal sealed class PolicyPublishResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("publishedAt")]
+    public DateTimeOffset PublishedAt { get; init; }
+
+    [JsonPropertyName("signatureId")]
+    public string? SignatureId { get; init; }
+
+    [JsonPropertyName("rekorLogIndex")]
+    public string? RekorLogIndex { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Request to promote a policy to a target environment.
+/// </summary>
+internal sealed class PolicyPromoteRequest
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("targetEnvironment")]
+    public string TargetEnvironment { get; init; } = string.Empty;
+
+    [JsonPropertyName("canary")]
+    public bool Canary { get; init; }
+
+    [JsonPropertyName("canaryPercentage")]
+    public int? CanaryPercentage { get; init; }
+
+    [JsonPropertyName("note")]
+    public string? Note { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of promoting a policy.
+/// </summary>
+internal sealed class PolicyPromoteResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("targetEnvironment")]
+    public string TargetEnvironment { get; init; } = string.Empty;
+
+    [JsonPropertyName("promotedAt")]
+    public DateTimeOffset PromotedAt { get; init; }
+
+    [JsonPropertyName("canaryActive")]
+    public bool CanaryActive { get; init; }
+
+    [JsonPropertyName("canaryPercentage")]
+    public int? CanaryPercentage { get; init; }
+
+    [JsonPropertyName("previousVersion")]
+    public int? PreviousVersion { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Request to rollback a policy to a previous version.
+/// </summary>
+internal sealed class PolicyRollbackRequest
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("targetVersion")]
+    public int? TargetVersion { get; init; }
+
+    [JsonPropertyName("environment")]
+    public string? Environment { get; init; }
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+
+    [JsonPropertyName("incidentId")]
+    public string? IncidentId { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of rolling back a policy.
+/// </summary>
+internal sealed class PolicyRollbackResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("previousVersion")]
+    public int PreviousVersion { get; init; }
+
+    [JsonPropertyName("rolledBackToVersion")]
+    public int RolledBackToVersion { get; init; }
+
+    [JsonPropertyName("rolledBackAt")]
+    public DateTimeOffset RolledBackAt { get; init; }
+
+    [JsonPropertyName("environment")]
+    public string? Environment { get; init; }
+
+    [JsonPropertyName("incidentId")]
+    public string? IncidentId { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Request to sign a policy revision.
+/// </summary>
+internal sealed class PolicySignRequest
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("keyId")]
+    public string? KeyId { get; init; }
+
+    [JsonPropertyName("signatureAlgorithm")]
+    public string? SignatureAlgorithm { get; init; }
+
+    [JsonPropertyName("rekorUpload")]
+    public bool RekorUpload { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of signing a policy revision.
+/// </summary>
+internal sealed class PolicySignResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("signatureId")]
+    public string SignatureId { get; init; } = string.Empty;
+
+    [JsonPropertyName("signatureAlgorithm")]
+    public string SignatureAlgorithm { get; init; } = string.Empty;
+
+    [JsonPropertyName("signedAt")]
+    public DateTimeOffset SignedAt { get; init; }
+
+    [JsonPropertyName("keyId")]
+    public string? KeyId { get; init; }
+
+    [JsonPropertyName("rekorLogIndex")]
+    public string? RekorLogIndex { get; init; }
+
+    [JsonPropertyName("rekorEntryUuid")]
+    public string? RekorEntryUuid { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Request to verify a policy signature.
+/// </summary>
+internal sealed class PolicyVerifySignatureRequest
+{
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("signatureId")]
+    public string? SignatureId { get; init; }
+
+    [JsonPropertyName("checkRekor")]
+    public bool CheckRekor { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of verifying a policy signature.
+/// </summary>
+internal sealed class PolicyVerifySignatureResult
+{
+    [JsonPropertyName("valid")]
+    public bool Valid { get; init; }
+
+    [JsonPropertyName("policyId")]
+    public string PolicyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("signatureId")]
+    public string SignatureId { get; init; } = string.Empty;
+
+    [JsonPropertyName("signatureAlgorithm")]
+    public string SignatureAlgorithm { get; init; } = string.Empty;
+
+    [JsonPropertyName("signedAt")]
+    public DateTimeOffset SignedAt { get; init; }
+
+    [JsonPropertyName("signedBy")]
+    public string? SignedBy { get; init; }
+
+    [JsonPropertyName("keyId")]
+    public string? KeyId { get; init; }
+
+    [JsonPropertyName("rekorVerified")]
+    public bool? RekorVerified { get; init; }
+
+    [JsonPropertyName("rekorLogIndex")]
+    public string? RekorLogIndex { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/PromotionModels.cs b/src/Cli/StellaOps.Cli/Services/Models/PromotionModels.cs
new file mode 100644
index 000000000..e9c59fb45
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/PromotionModels.cs
@@ -0,0 +1,468 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-PROMO-70-001: Promotion attestation models
+
+/// <summary>
+/// Request for assembling a promotion attestation.
+/// </summary>
+internal sealed class PromotionAssembleRequest
+{
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("image")]
+    public string Image { get; init; } = string.Empty;
+
+    [JsonPropertyName("sbomPath")]
+    public string? SbomPath { get; init; }
+
+    [JsonPropertyName("vexPath")]
+    public string? VexPath { get; init; }
+
+    [JsonPropertyName("fromEnvironment")]
+    public string FromEnvironment { get; init; } = "staging";
+
+    [JsonPropertyName("toEnvironment")]
+    public string ToEnvironment { get; init; } = "prod";
+
+    [JsonPropertyName("actor")]
+    public string? Actor { get; init; }
+
+    [JsonPropertyName("pipeline")]
+    public string? Pipeline { get; init; }
+
+    [JsonPropertyName("ticket")]
+    public string? Ticket { get; init; }
+
+    [JsonPropertyName("notes")]
+    public string? Notes { get; init; }
+
+    [JsonPropertyName("skipRekor")]
+    public bool SkipRekor { get; init; }
+
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+}
+
+/// <summary>
+/// Promotion attestation predicate following stella.ops/promotion@v1 schema.
+/// </summary>
+internal sealed class PromotionPredicate
+{
+    [JsonPropertyName("_type")]
+    public string Type { get; init; } = "stella.ops/promotion@v1";
+
+    [JsonPropertyName("subject")]
+    public IReadOnlyList<PromotionSubject> Subject { get; init; } = Array.Empty<PromotionSubject>();
+
+    [JsonPropertyName("materials")]
+    public IReadOnlyList<PromotionMaterial> Materials { get; init; } = Array.Empty<PromotionMaterial>();
+
+    [JsonPropertyName("promotion")]
+    public PromotionMetadata Promotion { get; init; } = new();
+
+    [JsonPropertyName("rekor")]
+    public PromotionRekorEntry? Rekor { get; init; }
+
+    [JsonPropertyName("attestation")]
+    public PromotionAttestationMetadata? Attestation { get; init; }
+}
+
+/// <summary>
+/// Subject in promotion attestation (image reference).
+/// </summary>
+internal sealed class PromotionSubject
+{
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("digest")]
+    public IReadOnlyDictionary<string, string> Digest { get; init; } = new Dictionary<string, string>();
+}
+
+/// <summary>
+/// Material in promotion attestation (SBOM, VEX, etc.).
+/// </summary>
+internal sealed class PromotionMaterial
+{
+    [JsonPropertyName("role")]
+    public string Role { get; init; } = string.Empty;
+
+    [JsonPropertyName("algo")]
+    public string Algo { get; init; } = "sha256";
+
+    [JsonPropertyName("digest")]
+    public string Digest { get; init; } = string.Empty;
+
+    [JsonPropertyName("format")]
+    public string? Format { get; init; }
+
+    [JsonPropertyName("uri")]
+    public string? Uri { get; init; }
+}
+
+/// <summary>
+/// Promotion metadata.
+/// </summary>
+internal sealed class PromotionMetadata
+{
+    [JsonPropertyName("from")]
+    public string From { get; init; } = "staging";
+
+    [JsonPropertyName("to")]
+    public string To { get; init; } = "prod";
+
+    [JsonPropertyName("actor")]
+    public string? Actor { get; init; }
+
+    [JsonPropertyName("timestamp")]
+    public DateTimeOffset Timestamp { get; init; } = DateTimeOffset.UtcNow;
+
+    [JsonPropertyName("pipeline")]
+    public string? Pipeline { get; init; }
+
+    [JsonPropertyName("ticket")]
+    public string? Ticket { get; init; }
+
+    [JsonPropertyName("notes")]
+    public string? Notes { get; init; }
+}
+
+/// <summary>
+/// Rekor entry in promotion attestation.
+/// </summary>
+internal sealed class PromotionRekorEntry
+{
+    [JsonPropertyName("uuid")]
+    public string Uuid { get; init; } = string.Empty;
+
+    [JsonPropertyName("logIndex")]
+    public long LogIndex { get; init; }
+
+    [JsonPropertyName("inclusionProof")]
+    public PromotionInclusionProof? InclusionProof { get; init; }
+}
+
+/// <summary>
+/// Merkle inclusion proof.
+/// </summary>
+internal sealed class PromotionInclusionProof
+{
+    [JsonPropertyName("rootHash")]
+    public string RootHash { get; init; } = string.Empty;
+
+    [JsonPropertyName("hashes")]
+    public IReadOnlyList<string> Hashes { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("treeSize")]
+    public long TreeSize { get; init; }
+
+    [JsonPropertyName("checkpoint")]
+    public PromotionCheckpoint? Checkpoint { get; init; }
+}
+
+/// <summary>
+/// Rekor checkpoint.
+/// </summary>
+internal sealed class PromotionCheckpoint
+{
+    [JsonPropertyName("origin")]
+    public string Origin { get; init; } = string.Empty;
+
+    [JsonPropertyName("size")]
+    public long Size { get; init; }
+
+    [JsonPropertyName("hash")]
+    public string Hash { get; init; } = string.Empty;
+
+    [JsonPropertyName("signedNote")]
+    public string? SignedNote { get; init; }
+}
+
+/// <summary>
+/// Attestation metadata.
+/// </summary>
+internal sealed class PromotionAttestationMetadata
+{
+    [JsonPropertyName("bundle_sha256")]
+    public string BundleSha256 { get; init; } = string.Empty;
+
+    [JsonPropertyName("witness")]
+    public string? Witness { get; init; }
+}
+
+/// <summary>
+/// Result of promotion assemble operation.
+/// </summary>
+internal sealed class PromotionAssembleResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("predicate")]
+    public PromotionPredicate? Predicate { get; init; }
+
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+
+    [JsonPropertyName("imageDigest")]
+    public string ImageDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("materials")]
+    public IReadOnlyList<PromotionMaterial> Materials { get; init; } = Array.Empty<PromotionMaterial>();
+
+    [JsonPropertyName("rekorEntry")]
+    public PromotionRekorEntry? RekorEntry { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
+
+// CLI-PROMO-70-002: Promotion attest/verify models
+
+/// <summary>
+/// Request for attesting a promotion predicate.
+/// </summary>
+internal sealed class PromotionAttestRequest
+{
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("predicatePath")]
+    public string? PredicatePath { get; init; }
+
+    [JsonPropertyName("predicate")]
+    public PromotionPredicate? Predicate { get; init; }
+
+    [JsonPropertyName("keyId")]
+    public string? KeyId { get; init; }
+
+    [JsonPropertyName("useKeyless")]
+    public bool UseKeyless { get; init; }
+
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+
+    [JsonPropertyName("uploadToRekor")]
+    public bool UploadToRekor { get; init; } = true;
+}
+
+/// <summary>
+/// Result of promotion attest operation.
+/// </summary>
+internal sealed class PromotionAttestResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("bundlePath")]
+    public string? BundlePath { get; init; }
+
+    [JsonPropertyName("dsseEnvelope")]
+    public DsseEnvelope? DsseEnvelope { get; init; }
+
+    [JsonPropertyName("rekorEntry")]
+    public PromotionRekorEntry? RekorEntry { get; init; }
+
+    [JsonPropertyName("auditId")]
+    public string? AuditId { get; init; }
+
+    [JsonPropertyName("signerKeyId")]
+    public string? SignerKeyId { get; init; }
+
+    [JsonPropertyName("signedAt")]
+    public DateTimeOffset? SignedAt { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// DSSE envelope for promotion attestation.
+/// </summary>
+internal sealed class DsseEnvelope
+{
+    [JsonPropertyName("payloadType")]
+    public string PayloadType { get; init; } = "application/vnd.in-toto+json";
+
+    [JsonPropertyName("payload")]
+    public string Payload { get; init; } = string.Empty;
+
+    [JsonPropertyName("signatures")]
+    public IReadOnlyList<DsseSignature> Signatures { get; init; } = Array.Empty<DsseSignature>();
+}
+
+/// <summary>
+/// DSSE signature.
+/// </summary>
+internal sealed class DsseSignature
+{
+    [JsonPropertyName("keyid")]
+    public string KeyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("sig")]
+    public string Sig { get; init; } = string.Empty;
+
+    [JsonPropertyName("cert")]
+    public string? Cert { get; init; }
+}
+
+/// <summary>
+/// Request for verifying a promotion attestation.
+/// </summary>
+internal sealed class PromotionVerifyRequest
+{
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("bundlePath")]
+    public string? BundlePath { get; init; }
+
+    [JsonPropertyName("predicatePath")]
+    public string? PredicatePath { get; init; }
+
+    [JsonPropertyName("sbomPath")]
+    public string? SbomPath { get; init; }
+
+    [JsonPropertyName("vexPath")]
+    public string? VexPath { get; init; }
+
+    [JsonPropertyName("trustRootPath")]
+    public string? TrustRootPath { get; init; }
+
+    [JsonPropertyName("checkpointPath")]
+    public string? CheckpointPath { get; init; }
+
+    [JsonPropertyName("skipRekorVerification")]
+    public bool SkipRekorVerification { get; init; }
+
+    [JsonPropertyName("skipSignatureVerification")]
+    public bool SkipSignatureVerification { get; init; }
+}
+
+/// <summary>
+/// Result of promotion verify operation.
+/// </summary>
+internal sealed class PromotionVerifyResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("verified")]
+    public bool Verified { get; init; }
+
+    [JsonPropertyName("signatureVerification")]
+    public PromotionSignatureVerification? SignatureVerification { get; init; }
+
+    [JsonPropertyName("materialVerification")]
+    public PromotionMaterialVerification? MaterialVerification { get; init; }
+
+    [JsonPropertyName("rekorVerification")]
+    public PromotionRekorVerification? RekorVerification { get; init; }
+
+    [JsonPropertyName("predicate")]
+    public PromotionPredicate? Predicate { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Signature verification result.
+/// </summary>
+internal sealed class PromotionSignatureVerification
+{
+    [JsonPropertyName("verified")]
+    public bool Verified { get; init; }
+
+    [JsonPropertyName("keyId")]
+    public string? KeyId { get; init; }
+
+    [JsonPropertyName("algorithm")]
+    public string? Algorithm { get; init; }
+
+    [JsonPropertyName("certSubject")]
+    public string? CertSubject { get; init; }
+
+    [JsonPropertyName("certIssuer")]
+    public string? CertIssuer { get; init; }
+
+    [JsonPropertyName("validFrom")]
+    public DateTimeOffset? ValidFrom { get; init; }
+
+    [JsonPropertyName("validTo")]
+    public DateTimeOffset? ValidTo { get; init; }
+
+    [JsonPropertyName("error")]
+    public string? Error { get; init; }
+}
+
+/// <summary>
+/// Material verification result.
+/// </summary>
+internal sealed class PromotionMaterialVerification
+{
+    [JsonPropertyName("verified")]
+    public bool Verified { get; init; }
+
+    [JsonPropertyName("materials")]
+    public IReadOnlyList<PromotionMaterialVerificationEntry> Materials { get; init; } = Array.Empty<PromotionMaterialVerificationEntry>();
+}
+
+/// <summary>
+/// Individual material verification entry.
+/// </summary>
+internal sealed class PromotionMaterialVerificationEntry
+{
+    [JsonPropertyName("role")]
+    public string Role { get; init; } = string.Empty;
+
+    [JsonPropertyName("verified")]
+    public bool Verified { get; init; }
+
+    [JsonPropertyName("expectedDigest")]
+    public string ExpectedDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("actualDigest")]
+    public string? ActualDigest { get; init; }
+
+    [JsonPropertyName("error")]
+    public string? Error { get; init; }
+}
+
+/// <summary>
+/// Rekor verification result.
+/// </summary>
+internal sealed class PromotionRekorVerification
+{
+    [JsonPropertyName("verified")]
+    public bool Verified { get; init; }
+
+    [JsonPropertyName("uuid")]
+    public string? Uuid { get; init; }
+
+    [JsonPropertyName("logIndex")]
+    public long? LogIndex { get; init; }
+
+    [JsonPropertyName("inclusionProofVerified")]
+    public bool InclusionProofVerified { get; init; }
+
+    [JsonPropertyName("checkpointVerified")]
+    public bool CheckpointVerified { get; init; }
+
+    [JsonPropertyName("error")]
+    public string? Error { get; init; }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/ReachabilityModels.cs b/src/Cli/StellaOps.Cli/Services/Models/ReachabilityModels.cs
new file mode 100644
index 000000000..fc5c02fd6
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/ReachabilityModels.cs
@@ -0,0 +1,252 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-SIG-26-001: Reachability command models
+
+/// <summary>
+/// Request to upload a call graph for reachability analysis.
+/// </summary>
+internal sealed class ReachabilityUploadCallGraphRequest
+{
+    [JsonPropertyName("scanId")]
+    public string? ScanId { get; init; }
+
+    [JsonPropertyName("assetId")]
+    public string? AssetId { get; init; }
+
+    [JsonPropertyName("callGraphPath")]
+    public string CallGraphPath { get; init; } = string.Empty;
+
+    [JsonPropertyName("format")]
+    public string? Format { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of uploading a call graph.
+/// </summary>
+internal sealed class ReachabilityUploadCallGraphResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("callGraphId")]
+    public string CallGraphId { get; init; } = string.Empty;
+
+    [JsonPropertyName("entriesProcessed")]
+    public int EntriesProcessed { get; init; }
+
+    [JsonPropertyName("errorsCount")]
+    public int ErrorsCount { get; init; }
+
+    [JsonPropertyName("uploadedAt")]
+    public DateTimeOffset UploadedAt { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Request to list reachability analyses.
+/// </summary>
+internal sealed class ReachabilityListRequest
+{
+    [JsonPropertyName("scanId")]
+    public string? ScanId { get; init; }
+
+    [JsonPropertyName("assetId")]
+    public string? AssetId { get; init; }
+
+    [JsonPropertyName("status")]
+    public string? Status { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int? Limit { get; init; }
+
+    [JsonPropertyName("offset")]
+    public int? Offset { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Response containing reachability analyses.
+/// </summary>
+internal sealed class ReachabilityListResponse
+{
+    [JsonPropertyName("analyses")]
+    public IReadOnlyList<ReachabilityAnalysisSummary> Analyses { get; init; } = Array.Empty<ReachabilityAnalysisSummary>();
+
+    [JsonPropertyName("total")]
+    public int Total { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int Limit { get; init; }
+
+    [JsonPropertyName("offset")]
+    public int Offset { get; init; }
+}
+
+/// <summary>
+/// Summary of a reachability analysis.
+/// </summary>
+internal sealed class ReachabilityAnalysisSummary
+{
+    [JsonPropertyName("analysisId")]
+    public string AnalysisId { get; init; } = string.Empty;
+
+    [JsonPropertyName("scanId")]
+    public string? ScanId { get; init; }
+
+    [JsonPropertyName("assetId")]
+    public string? AssetId { get; init; }
+
+    [JsonPropertyName("assetName")]
+    public string? AssetName { get; init; }
+
+    [JsonPropertyName("callGraphId")]
+    public string CallGraphId { get; init; } = string.Empty;
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = string.Empty;
+
+    [JsonPropertyName("reachableCount")]
+    public int ReachableCount { get; init; }
+
+    [JsonPropertyName("unreachableCount")]
+    public int UnreachableCount { get; init; }
+
+    [JsonPropertyName("unknownCount")]
+    public int UnknownCount { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("completedAt")]
+    public DateTimeOffset? CompletedAt { get; init; }
+}
+
+/// <summary>
+/// Request to explain reachability for a specific vulnerability or package.
+/// </summary>
+internal sealed class ReachabilityExplainRequest
+{
+    [JsonPropertyName("analysisId")]
+    public string AnalysisId { get; init; } = string.Empty;
+
+    [JsonPropertyName("vulnerabilityId")]
+    public string? VulnerabilityId { get; init; }
+
+    [JsonPropertyName("packagePurl")]
+    public string? PackagePurl { get; init; }
+
+    [JsonPropertyName("includeCallPaths")]
+    public bool IncludeCallPaths { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of reachability explanation.
+/// </summary>
+internal sealed class ReachabilityExplainResult
+{
+    [JsonPropertyName("analysisId")]
+    public string AnalysisId { get; init; } = string.Empty;
+
+    [JsonPropertyName("vulnerabilityId")]
+    public string? VulnerabilityId { get; init; }
+
+    [JsonPropertyName("packagePurl")]
+    public string? PackagePurl { get; init; }
+
+    [JsonPropertyName("reachabilityState")]
+    public string ReachabilityState { get; init; } = string.Empty;
+
+    [JsonPropertyName("reachabilityScore")]
+    public double? ReachabilityScore { get; init; }
+
+    [JsonPropertyName("confidence")]
+    public string Confidence { get; init; } = string.Empty;
+
+    [JsonPropertyName("reasoning")]
+    public string? Reasoning { get; init; }
+
+    [JsonPropertyName("callPaths")]
+    public IReadOnlyList<ReachabilityCallPath> CallPaths { get; init; } = Array.Empty<ReachabilityCallPath>();
+
+    [JsonPropertyName("affectedFunctions")]
+    public IReadOnlyList<ReachabilityFunction> AffectedFunctions { get; init; } = Array.Empty<ReachabilityFunction>();
+}
+
+/// <summary>
+/// Call path demonstrating reachability.
+/// </summary>
+internal sealed class ReachabilityCallPath
+{
+    [JsonPropertyName("pathId")]
+    public string PathId { get; init; } = string.Empty;
+
+    [JsonPropertyName("depth")]
+    public int Depth { get; init; }
+
+    [JsonPropertyName("entryPoint")]
+    public ReachabilityFunction EntryPoint { get; init; } = new();
+
+    [JsonPropertyName("frames")]
+    public IReadOnlyList<ReachabilityFunction> Frames { get; init; } = Array.Empty<ReachabilityFunction>();
+
+    [JsonPropertyName("vulnerableFunction")]
+    public ReachabilityFunction VulnerableFunction { get; init; } = new();
+}
+
+/// <summary>
+/// Function in the call graph.
+/// </summary>
+internal sealed class ReachabilityFunction
+{
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("signature")]
+    public string? Signature { get; init; }
+
+    [JsonPropertyName("className")]
+    public string? ClassName { get; init; }
+
+    [JsonPropertyName("packageName")]
+    public string? PackageName { get; init; }
+
+    [JsonPropertyName("filePath")]
+    public string? FilePath { get; init; }
+
+    [JsonPropertyName("lineNumber")]
+    public int? LineNumber { get; init; }
+}
+
+// CLI-SIG-26-002: Policy simulate reachability override models (extends PolicySimulationInput)
+
+/// <summary>
+/// Reachability override for policy simulation.
+/// </summary>
+internal sealed class ReachabilityOverride
+{
+    [JsonPropertyName("vulnerabilityId")]
+    public string? VulnerabilityId { get; init; }
+
+    [JsonPropertyName("packagePurl")]
+    public string? PackagePurl { get; init; }
+
+    [JsonPropertyName("state")]
+    public string State { get; init; } = string.Empty;
+
+    [JsonPropertyName("score")]
+    public double? Score { get; init; }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/RiskModels.cs b/src/Cli/StellaOps.Cli/Services/Models/RiskModels.cs
new file mode 100644
index 000000000..75d0c5fcd
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/RiskModels.cs
@@ -0,0 +1,448 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-RISK-66-001: Risk profile list models
+
+/// <summary>
+/// Request to list risk profiles.
+/// </summary>
+internal sealed class RiskProfileListRequest
+{
+    [JsonPropertyName("includeDisabled")]
+    public bool IncludeDisabled { get; init; }
+
+    [JsonPropertyName("category")]
+    public string? Category { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int? Limit { get; init; }
+
+    [JsonPropertyName("offset")]
+    public int? Offset { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Response containing a list of risk profiles.
+/// </summary>
+internal sealed class RiskProfileListResponse
+{
+    [JsonPropertyName("profiles")]
+    public IReadOnlyList<RiskProfileSummary> Profiles { get; init; } = Array.Empty<RiskProfileSummary>();
+
+    [JsonPropertyName("total")]
+    public int Total { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int Limit { get; init; }
+
+    [JsonPropertyName("offset")]
+    public int Offset { get; init; }
+}
+
+/// <summary>
+/// Summary of a risk profile.
+/// </summary>
+internal sealed class RiskProfileSummary
+{
+    [JsonPropertyName("profileId")]
+    public string ProfileId { get; init; } = string.Empty;
+
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+
+    [JsonPropertyName("category")]
+    public string Category { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public int Version { get; init; }
+
+    [JsonPropertyName("enabled")]
+    public bool Enabled { get; init; }
+
+    [JsonPropertyName("builtIn")]
+    public bool BuiltIn { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("updatedAt")]
+    public DateTimeOffset? UpdatedAt { get; init; }
+
+    [JsonPropertyName("ruleCount")]
+    public int RuleCount { get; init; }
+
+    [JsonPropertyName("severityWeights")]
+    public RiskSeverityWeights? SeverityWeights { get; init; }
+}
+
+/// <summary>
+/// Severity weights for risk scoring.
+/// </summary>
+internal sealed class RiskSeverityWeights
+{
+    [JsonPropertyName("critical")]
+    public double Critical { get; init; }
+
+    [JsonPropertyName("high")]
+    public double High { get; init; }
+
+    [JsonPropertyName("medium")]
+    public double Medium { get; init; }
+
+    [JsonPropertyName("low")]
+    public double Low { get; init; }
+
+    [JsonPropertyName("info")]
+    public double Info { get; init; }
+}
+
+// CLI-RISK-66-002: Risk simulate models
+
+/// <summary>
+/// Request to simulate risk scoring.
+/// </summary>
+internal sealed class RiskSimulateRequest
+{
+    [JsonPropertyName("profileId")]
+    public string? ProfileId { get; init; }
+
+    [JsonPropertyName("sbomId")]
+    public string? SbomId { get; init; }
+
+    [JsonPropertyName("sbomPath")]
+    public string? SbomPath { get; init; }
+
+    [JsonPropertyName("assetId")]
+    public string? AssetId { get; init; }
+
+    [JsonPropertyName("diffMode")]
+    public bool DiffMode { get; init; }
+
+    [JsonPropertyName("baselineProfileId")]
+    public string? BaselineProfileId { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of risk simulation.
+/// </summary>
+internal sealed class RiskSimulateResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("profileId")]
+    public string ProfileId { get; init; } = string.Empty;
+
+    [JsonPropertyName("profileName")]
+    public string ProfileName { get; init; } = string.Empty;
+
+    [JsonPropertyName("overallScore")]
+    public double OverallScore { get; init; }
+
+    [JsonPropertyName("grade")]
+    public string Grade { get; init; } = string.Empty;
+
+    [JsonPropertyName("findings")]
+    public RiskSimulateFindingsSummary Findings { get; init; } = new();
+
+    [JsonPropertyName("componentScores")]
+    public IReadOnlyList<RiskComponentScore> ComponentScores { get; init; } = Array.Empty<RiskComponentScore>();
+
+    [JsonPropertyName("diff")]
+    public RiskSimulateDiff? Diff { get; init; }
+
+    [JsonPropertyName("simulatedAt")]
+    public DateTimeOffset SimulatedAt { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Summary of findings from risk simulation.
+/// </summary>
+internal sealed class RiskSimulateFindingsSummary
+{
+    [JsonPropertyName("critical")]
+    public int Critical { get; init; }
+
+    [JsonPropertyName("high")]
+    public int High { get; init; }
+
+    [JsonPropertyName("medium")]
+    public int Medium { get; init; }
+
+    [JsonPropertyName("low")]
+    public int Low { get; init; }
+
+    [JsonPropertyName("info")]
+    public int Info { get; init; }
+
+    [JsonPropertyName("total")]
+    public int Total { get; init; }
+}
+
+/// <summary>
+/// Component-level risk score.
+/// </summary>
+internal sealed class RiskComponentScore
+{
+    [JsonPropertyName("componentId")]
+    public string ComponentId { get; init; } = string.Empty;
+
+    [JsonPropertyName("componentName")]
+    public string ComponentName { get; init; } = string.Empty;
+
+    [JsonPropertyName("score")]
+    public double Score { get; init; }
+
+    [JsonPropertyName("grade")]
+    public string Grade { get; init; } = string.Empty;
+
+    [JsonPropertyName("findingCount")]
+    public int FindingCount { get; init; }
+}
+
+/// <summary>
+/// Diff between baseline and candidate risk scores.
+/// </summary>
+internal sealed class RiskSimulateDiff
+{
+    [JsonPropertyName("baselineScore")]
+    public double BaselineScore { get; init; }
+
+    [JsonPropertyName("candidateScore")]
+    public double CandidateScore { get; init; }
+
+    [JsonPropertyName("delta")]
+    public double Delta { get; init; }
+
+    [JsonPropertyName("improved")]
+    public bool Improved { get; init; }
+
+    [JsonPropertyName("findingsAdded")]
+    public int FindingsAdded { get; init; }
+
+    [JsonPropertyName("findingsRemoved")]
+    public int FindingsRemoved { get; init; }
+}
+
+// CLI-RISK-67-001: Risk results models
+
+/// <summary>
+/// Request to get risk results.
+/// </summary>
+internal sealed class RiskResultsRequest
+{
+    [JsonPropertyName("assetId")]
+    public string? AssetId { get; init; }
+
+    [JsonPropertyName("sbomId")]
+    public string? SbomId { get; init; }
+
+    [JsonPropertyName("profileId")]
+    public string? ProfileId { get; init; }
+
+    [JsonPropertyName("minSeverity")]
+    public string? MinSeverity { get; init; }
+
+    [JsonPropertyName("maxScore")]
+    public double? MaxScore { get; init; }
+
+    [JsonPropertyName("includeExplain")]
+    public bool IncludeExplain { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int? Limit { get; init; }
+
+    [JsonPropertyName("offset")]
+    public int? Offset { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Response containing risk results.
+/// </summary>
+internal sealed class RiskResultsResponse
+{
+    [JsonPropertyName("results")]
+    public IReadOnlyList<RiskResult> Results { get; init; } = Array.Empty<RiskResult>();
+
+    [JsonPropertyName("summary")]
+    public RiskResultsSummary Summary { get; init; } = new();
+
+    [JsonPropertyName("total")]
+    public int Total { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int Limit { get; init; }
+
+    [JsonPropertyName("offset")]
+    public int Offset { get; init; }
+}
+
+/// <summary>
+/// Individual risk result.
+/// </summary>
+internal sealed class RiskResult
+{
+    [JsonPropertyName("resultId")]
+    public string ResultId { get; init; } = string.Empty;
+
+    [JsonPropertyName("assetId")]
+    public string AssetId { get; init; } = string.Empty;
+
+    [JsonPropertyName("assetName")]
+    public string? AssetName { get; init; }
+
+    [JsonPropertyName("profileId")]
+    public string ProfileId { get; init; } = string.Empty;
+
+    [JsonPropertyName("profileName")]
+    public string? ProfileName { get; init; }
+
+    [JsonPropertyName("score")]
+    public double Score { get; init; }
+
+    [JsonPropertyName("grade")]
+    public string Grade { get; init; } = string.Empty;
+
+    [JsonPropertyName("severity")]
+    public string Severity { get; init; } = string.Empty;
+
+    [JsonPropertyName("findingCount")]
+    public int FindingCount { get; init; }
+
+    [JsonPropertyName("evaluatedAt")]
+    public DateTimeOffset EvaluatedAt { get; init; }
+
+    [JsonPropertyName("explain")]
+    public RiskResultExplain? Explain { get; init; }
+}
+
+/// <summary>
+/// Explanation for a risk result.
+/// </summary>
+internal sealed class RiskResultExplain
+{
+    [JsonPropertyName("factors")]
+    public IReadOnlyList<RiskFactor> Factors { get; init; } = Array.Empty<RiskFactor>();
+
+    [JsonPropertyName("recommendations")]
+    public IReadOnlyList<string> Recommendations { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Factor contributing to risk score.
+/// </summary>
+internal sealed class RiskFactor
+{
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("weight")]
+    public double Weight { get; init; }
+
+    [JsonPropertyName("contribution")]
+    public double Contribution { get; init; }
+
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+}
+
+/// <summary>
+/// Summary of risk results.
+/// </summary>
+internal sealed class RiskResultsSummary
+{
+    [JsonPropertyName("averageScore")]
+    public double AverageScore { get; init; }
+
+    [JsonPropertyName("minScore")]
+    public double MinScore { get; init; }
+
+    [JsonPropertyName("maxScore")]
+    public double MaxScore { get; init; }
+
+    [JsonPropertyName("assetCount")]
+    public int AssetCount { get; init; }
+
+    [JsonPropertyName("bySeverity")]
+    public RiskSimulateFindingsSummary BySeverity { get; init; } = new();
+}
+
+// CLI-RISK-68-001: Risk bundle verify models
+
+/// <summary>
+/// Request to verify a risk bundle.
+/// </summary>
+internal sealed class RiskBundleVerifyRequest
+{
+    [JsonPropertyName("bundlePath")]
+    public string BundlePath { get; init; } = string.Empty;
+
+    [JsonPropertyName("signaturePath")]
+    public string? SignaturePath { get; init; }
+
+    [JsonPropertyName("checkRekor")]
+    public bool CheckRekor { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of verifying a risk bundle.
+/// </summary>
+internal sealed class RiskBundleVerifyResult
+{
+    [JsonPropertyName("valid")]
+    public bool Valid { get; init; }
+
+    [JsonPropertyName("bundleId")]
+    public string BundleId { get; init; } = string.Empty;
+
+    [JsonPropertyName("bundleVersion")]
+    public string BundleVersion { get; init; } = string.Empty;
+
+    [JsonPropertyName("profileCount")]
+    public int ProfileCount { get; init; }
+
+    [JsonPropertyName("ruleCount")]
+    public int RuleCount { get; init; }
+
+    [JsonPropertyName("signatureValid")]
+    public bool? SignatureValid { get; init; }
+
+    [JsonPropertyName("signedAt")]
+    public DateTimeOffset? SignedAt { get; init; }
+
+    [JsonPropertyName("signedBy")]
+    public string? SignedBy { get; init; }
+
+    [JsonPropertyName("rekorVerified")]
+    public bool? RekorVerified { get; init; }
+
+    [JsonPropertyName("rekorLogIndex")]
+    public string? RekorLogIndex { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string> Errors { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string> Warnings { get; init; } = Array.Empty<string>();
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/SbomModels.cs b/src/Cli/StellaOps.Cli/Services/Models/SbomModels.cs
new file mode 100644
index 000000000..59fe8cc04
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/SbomModels.cs
@@ -0,0 +1,633 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-PARITY-41-001: SBOM Explorer models for CLI
+
+/// <summary>
+/// SBOM list request parameters.
+/// </summary>
+internal sealed class SbomListRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("imageRef")]
+    public string? ImageRef { get; init; }
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("format")]
+    public string? Format { get; init; }
+
+    [JsonPropertyName("createdAfter")]
+    public DateTimeOffset? CreatedAfter { get; init; }
+
+    [JsonPropertyName("createdBefore")]
+    public DateTimeOffset? CreatedBefore { get; init; }
+
+    [JsonPropertyName("hasVulnerabilities")]
+    public bool? HasVulnerabilities { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int? Limit { get; init; }
+
+    [JsonPropertyName("offset")]
+    public int? Offset { get; init; }
+
+    [JsonPropertyName("cursor")]
+    public string? Cursor { get; init; }
+}
+
+/// <summary>
+/// Paginated SBOM list response.
+/// </summary>
+internal sealed class SbomListResponse
+{
+    [JsonPropertyName("items")]
+    public IReadOnlyList<SbomSummary> Items { get; init; } = [];
+
+    [JsonPropertyName("total")]
+    public int Total { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int Limit { get; init; }
+
+    [JsonPropertyName("offset")]
+    public int Offset { get; init; }
+
+    [JsonPropertyName("hasMore")]
+    public bool HasMore { get; init; }
+
+    [JsonPropertyName("nextCursor")]
+    public string? NextCursor { get; init; }
+}
+
+/// <summary>
+/// Summary view of an SBOM.
+/// </summary>
+internal sealed class SbomSummary
+{
+    [JsonPropertyName("sbomId")]
+    public string SbomId { get; init; } = string.Empty;
+
+    [JsonPropertyName("imageRef")]
+    public string? ImageRef { get; init; }
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("format")]
+    public string Format { get; init; } = string.Empty;
+
+    [JsonPropertyName("formatVersion")]
+    public string? FormatVersion { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("componentCount")]
+    public int ComponentCount { get; init; }
+
+    [JsonPropertyName("vulnerabilityCount")]
+    public int VulnerabilityCount { get; init; }
+
+    [JsonPropertyName("licensesDetected")]
+    public int LicensesDetected { get; init; }
+
+    [JsonPropertyName("determinismScore")]
+    public double? DeterminismScore { get; init; }
+
+    [JsonPropertyName("tags")]
+    public IReadOnlyList<string>? Tags { get; init; }
+}
+
+/// <summary>
+/// Detailed SBOM response including components, vulnerabilities, and metadata.
+/// </summary>
+internal sealed class SbomDetailResponse
+{
+    [JsonPropertyName("sbomId")]
+    public string SbomId { get; init; } = string.Empty;
+
+    [JsonPropertyName("imageRef")]
+    public string? ImageRef { get; init; }
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("format")]
+    public string Format { get; init; } = string.Empty;
+
+    [JsonPropertyName("formatVersion")]
+    public string? FormatVersion { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("componentCount")]
+    public int ComponentCount { get; init; }
+
+    [JsonPropertyName("vulnerabilityCount")]
+    public int VulnerabilityCount { get; init; }
+
+    [JsonPropertyName("licensesDetected")]
+    public int LicensesDetected { get; init; }
+
+    [JsonPropertyName("determinismScore")]
+    public double? DeterminismScore { get; init; }
+
+    [JsonPropertyName("tags")]
+    public IReadOnlyList<string>? Tags { get; init; }
+
+    [JsonPropertyName("components")]
+    public IReadOnlyList<SbomComponent>? Components { get; init; }
+
+    [JsonPropertyName("metadata")]
+    public SbomMetadata? Metadata { get; init; }
+
+    [JsonPropertyName("vulnerabilities")]
+    public IReadOnlyList<SbomVulnerability>? Vulnerabilities { get; init; }
+
+    [JsonPropertyName("licenses")]
+    public IReadOnlyList<SbomLicense>? Licenses { get; init; }
+
+    [JsonPropertyName("attestation")]
+    public SbomAttestation? Attestation { get; init; }
+
+    [JsonPropertyName("explain")]
+    public SbomExplainInfo? Explain { get; init; }
+}
+
+/// <summary>
+/// SBOM component information.
+/// </summary>
+internal sealed class SbomComponent
+{
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public string? Version { get; init; }
+
+    [JsonPropertyName("purl")]
+    public string? Purl { get; init; }
+
+    [JsonPropertyName("cpe")]
+    public string? Cpe { get; init; }
+
+    [JsonPropertyName("type")]
+    public string? Type { get; init; }
+
+    [JsonPropertyName("supplier")]
+    public string? Supplier { get; init; }
+
+    [JsonPropertyName("licenses")]
+    public IReadOnlyList<string>? Licenses { get; init; }
+
+    [JsonPropertyName("hashes")]
+    public IReadOnlyDictionary<string, string>? Hashes { get; init; }
+
+    [JsonPropertyName("scope")]
+    public string? Scope { get; init; }
+
+    [JsonPropertyName("dependencies")]
+    public IReadOnlyList<string>? Dependencies { get; init; }
+}
+
+/// <summary>
+/// SBOM creation metadata.
+/// </summary>
+internal sealed class SbomMetadata
+{
+    [JsonPropertyName("toolName")]
+    public string? ToolName { get; init; }
+
+    [JsonPropertyName("toolVersion")]
+    public string? ToolVersion { get; init; }
+
+    [JsonPropertyName("scannerVersion")]
+    public string? ScannerVersion { get; init; }
+
+    [JsonPropertyName("serialNumber")]
+    public string? SerialNumber { get; init; }
+
+    [JsonPropertyName("documentNamespace")]
+    public string? DocumentNamespace { get; init; }
+
+    [JsonPropertyName("creators")]
+    public IReadOnlyList<string>? Creators { get; init; }
+
+    [JsonPropertyName("annotations")]
+    public IReadOnlyDictionary<string, string>? Annotations { get; init; }
+}
+
+/// <summary>
+/// Vulnerability found in SBOM.
+/// </summary>
+internal sealed class SbomVulnerability
+{
+    [JsonPropertyName("vulnerabilityId")]
+    public string VulnerabilityId { get; init; } = string.Empty;
+
+    [JsonPropertyName("severity")]
+    public string? Severity { get; init; }
+
+    [JsonPropertyName("score")]
+    public double? Score { get; init; }
+
+    [JsonPropertyName("affectedComponent")]
+    public string? AffectedComponent { get; init; }
+
+    [JsonPropertyName("fixedIn")]
+    public string? FixedIn { get; init; }
+
+    [JsonPropertyName("vexStatus")]
+    public string? VexStatus { get; init; }
+}
+
+/// <summary>
+/// License information in SBOM.
+/// </summary>
+internal sealed class SbomLicense
+{
+    [JsonPropertyName("id")]
+    public string? Id { get; init; }
+
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("url")]
+    public string? Url { get; init; }
+
+    [JsonPropertyName("componentCount")]
+    public int ComponentCount { get; init; }
+
+    [JsonPropertyName("components")]
+    public IReadOnlyList<string>? Components { get; init; }
+}
+
+/// <summary>
+/// Attestation information for SBOM.
+/// </summary>
+internal sealed class SbomAttestation
+{
+    [JsonPropertyName("signed")]
+    public bool Signed { get; init; }
+
+    [JsonPropertyName("signatureAlgorithm")]
+    public string? SignatureAlgorithm { get; init; }
+
+    [JsonPropertyName("signatureKeyId")]
+    public string? SignatureKeyId { get; init; }
+
+    [JsonPropertyName("signedAt")]
+    public DateTimeOffset? SignedAt { get; init; }
+
+    [JsonPropertyName("rekorLogIndex")]
+    public long? RekorLogIndex { get; init; }
+
+    [JsonPropertyName("rekorLogId")]
+    public string? RekorLogId { get; init; }
+
+    [JsonPropertyName("certificateIssuer")]
+    public string? CertificateIssuer { get; init; }
+
+    [JsonPropertyName("certificateSubject")]
+    public string? CertificateSubject { get; init; }
+}
+
+/// <summary>
+/// Explain information for SBOM generation (determinism debugging).
+/// </summary>
+internal sealed class SbomExplainInfo
+{
+    [JsonPropertyName("determinismFactors")]
+    public IReadOnlyList<SbomDeterminismFactor>? DeterminismFactors { get; init; }
+
+    [JsonPropertyName("compositionPath")]
+    public IReadOnlyList<SbomCompositionStep>? CompositionPath { get; init; }
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string>? Warnings { get; init; }
+}
+
+/// <summary>
+/// Factor affecting SBOM determinism score.
+/// </summary>
+internal sealed class SbomDeterminismFactor
+{
+    [JsonPropertyName("factor")]
+    public string Factor { get; init; } = string.Empty;
+
+    [JsonPropertyName("impact")]
+    public string Impact { get; init; } = string.Empty;
+
+    [JsonPropertyName("score")]
+    public double Score { get; init; }
+
+    [JsonPropertyName("details")]
+    public string? Details { get; init; }
+}
+
+/// <summary>
+/// Step in SBOM composition chain.
+/// </summary>
+internal sealed class SbomCompositionStep
+{
+    [JsonPropertyName("step")]
+    public int Step { get; init; }
+
+    [JsonPropertyName("operation")]
+    public string Operation { get; init; } = string.Empty;
+
+    [JsonPropertyName("input")]
+    public string? Input { get; init; }
+
+    [JsonPropertyName("output")]
+    public string? Output { get; init; }
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+}
+
+/// <summary>
+/// SBOM compare request parameters.
+/// </summary>
+internal sealed class SbomCompareRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("baseSbomId")]
+    public string BaseSbomId { get; init; } = string.Empty;
+
+    [JsonPropertyName("targetSbomId")]
+    public string TargetSbomId { get; init; } = string.Empty;
+
+    [JsonPropertyName("includeUnchanged")]
+    public bool IncludeUnchanged { get; init; }
+}
+
+/// <summary>
+/// SBOM comparison result.
+/// </summary>
+internal sealed class SbomCompareResponse
+{
+    [JsonPropertyName("baseSbomId")]
+    public string BaseSbomId { get; init; } = string.Empty;
+
+    [JsonPropertyName("targetSbomId")]
+    public string TargetSbomId { get; init; } = string.Empty;
+
+    [JsonPropertyName("summary")]
+    public SbomCompareSummary Summary { get; init; } = new();
+
+    [JsonPropertyName("componentChanges")]
+    public IReadOnlyList<SbomComponentChange>? ComponentChanges { get; init; }
+
+    [JsonPropertyName("vulnerabilityChanges")]
+    public IReadOnlyList<SbomVulnerabilityChange>? VulnerabilityChanges { get; init; }
+
+    [JsonPropertyName("licenseChanges")]
+    public IReadOnlyList<SbomLicenseChange>? LicenseChanges { get; init; }
+}
+
+/// <summary>
+/// Summary of SBOM comparison.
+/// </summary>
+internal sealed class SbomCompareSummary
+{
+    [JsonPropertyName("componentsAdded")]
+    public int ComponentsAdded { get; init; }
+
+    [JsonPropertyName("componentsRemoved")]
+    public int ComponentsRemoved { get; init; }
+
+    [JsonPropertyName("componentsModified")]
+    public int ComponentsModified { get; init; }
+
+    [JsonPropertyName("componentsUnchanged")]
+    public int ComponentsUnchanged { get; init; }
+
+    [JsonPropertyName("vulnerabilitiesAdded")]
+    public int VulnerabilitiesAdded { get; init; }
+
+    [JsonPropertyName("vulnerabilitiesRemoved")]
+    public int VulnerabilitiesRemoved { get; init; }
+
+    [JsonPropertyName("licensesAdded")]
+    public int LicensesAdded { get; init; }
+
+    [JsonPropertyName("licensesRemoved")]
+    public int LicensesRemoved { get; init; }
+}
+
+/// <summary>
+/// Component change in comparison.
+/// </summary>
+internal sealed class SbomComponentChange
+{
+    [JsonPropertyName("changeType")]
+    public string ChangeType { get; init; } = string.Empty;
+
+    [JsonPropertyName("componentName")]
+    public string ComponentName { get; init; } = string.Empty;
+
+    [JsonPropertyName("baseVersion")]
+    public string? BaseVersion { get; init; }
+
+    [JsonPropertyName("targetVersion")]
+    public string? TargetVersion { get; init; }
+
+    [JsonPropertyName("basePurl")]
+    public string? BasePurl { get; init; }
+
+    [JsonPropertyName("targetPurl")]
+    public string? TargetPurl { get; init; }
+
+    [JsonPropertyName("details")]
+    public IReadOnlyList<string>? Details { get; init; }
+}
+
+/// <summary>
+/// Vulnerability change in comparison.
+/// </summary>
+internal sealed class SbomVulnerabilityChange
+{
+    [JsonPropertyName("changeType")]
+    public string ChangeType { get; init; } = string.Empty;
+
+    [JsonPropertyName("vulnerabilityId")]
+    public string VulnerabilityId { get; init; } = string.Empty;
+
+    [JsonPropertyName("severity")]
+    public string? Severity { get; init; }
+
+    [JsonPropertyName("affectedComponent")]
+    public string? AffectedComponent { get; init; }
+
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+}
+
+/// <summary>
+/// License change in comparison.
+/// </summary>
+internal sealed class SbomLicenseChange
+{
+    [JsonPropertyName("changeType")]
+    public string ChangeType { get; init; } = string.Empty;
+
+    [JsonPropertyName("licenseId")]
+    public string? LicenseId { get; init; }
+
+    [JsonPropertyName("licenseName")]
+    public string LicenseName { get; init; } = string.Empty;
+
+    [JsonPropertyName("componentCount")]
+    public int ComponentCount { get; init; }
+}
+
+/// <summary>
+/// SBOM export request parameters.
+/// </summary>
+internal sealed class SbomExportRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("sbomId")]
+    public string SbomId { get; init; } = string.Empty;
+
+    [JsonPropertyName("format")]
+    public string Format { get; init; } = "spdx";
+
+    [JsonPropertyName("formatVersion")]
+    public string? FormatVersion { get; init; }
+
+    [JsonPropertyName("signed")]
+    public bool Signed { get; init; }
+
+    [JsonPropertyName("includeVex")]
+    public bool IncludeVex { get; init; }
+}
+
+/// <summary>
+/// SBOM export result.
+/// </summary>
+internal sealed class SbomExportResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("exportId")]
+    public string? ExportId { get; init; }
+
+    [JsonPropertyName("format")]
+    public string Format { get; init; } = string.Empty;
+
+    [JsonPropertyName("downloadUrl")]
+    public string? DownloadUrl { get; init; }
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("digestAlgorithm")]
+    public string? DigestAlgorithm { get; init; }
+
+    [JsonPropertyName("signed")]
+    public bool Signed { get; init; }
+
+    [JsonPropertyName("signatureKeyId")]
+    public string? SignatureKeyId { get; init; }
+
+    [JsonPropertyName("expiresAt")]
+    public DateTimeOffset? ExpiresAt { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+}
+
+// CLI-PARITY-41-001: Parity matrix models
+
+/// <summary>
+/// Parity matrix entry showing CLI command coverage.
+/// </summary>
+internal sealed class ParityMatrixEntry
+{
+    [JsonPropertyName("commandGroup")]
+    public string CommandGroup { get; init; } = string.Empty;
+
+    [JsonPropertyName("command")]
+    public string Command { get; init; } = string.Empty;
+
+    [JsonPropertyName("cliSupport")]
+    public string CliSupport { get; init; } = string.Empty;
+
+    [JsonPropertyName("apiEndpoint")]
+    public string? ApiEndpoint { get; init; }
+
+    [JsonPropertyName("uiEquivalent")]
+    public string? UiEquivalent { get; init; }
+
+    [JsonPropertyName("deterministic")]
+    public bool Deterministic { get; init; }
+
+    [JsonPropertyName("explainSupport")]
+    public bool ExplainSupport { get; init; }
+
+    [JsonPropertyName("offlineSupport")]
+    public bool OfflineSupport { get; init; }
+
+    [JsonPropertyName("notes")]
+    public string? Notes { get; init; }
+}
+
+/// <summary>
+/// Parity matrix summary response.
+/// </summary>
+internal sealed class ParityMatrixResponse
+{
+    [JsonPropertyName("entries")]
+    public IReadOnlyList<ParityMatrixEntry> Entries { get; init; } = [];
+
+    [JsonPropertyName("summary")]
+    public ParityMatrixSummary Summary { get; init; } = new();
+
+    [JsonPropertyName("generatedAt")]
+    public DateTimeOffset GeneratedAt { get; init; }
+
+    [JsonPropertyName("cliVersion")]
+    public string? CliVersion { get; init; }
+}
+
+/// <summary>
+/// Summary of parity matrix coverage.
+/// </summary>
+internal sealed class ParityMatrixSummary
+{
+    [JsonPropertyName("totalCommands")]
+    public int TotalCommands { get; init; }
+
+    [JsonPropertyName("fullParity")]
+    public int FullParity { get; init; }
+
+    [JsonPropertyName("partialParity")]
+    public int PartialParity { get; init; }
+
+    [JsonPropertyName("noParity")]
+    public int NoParity { get; init; }
+
+    [JsonPropertyName("deterministicCommands")]
+    public int DeterministicCommands { get; init; }
+
+    [JsonPropertyName("explainEnabledCommands")]
+    public int ExplainEnabledCommands { get; init; }
+
+    [JsonPropertyName("offlineCapableCommands")]
+    public int OfflineCapableCommands { get; init; }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/SbomerModels.cs b/src/Cli/StellaOps.Cli/Services/Models/SbomerModels.cs
new file mode 100644
index 000000000..7878def71
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/SbomerModels.cs
@@ -0,0 +1,834 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-SBOM-60-001: Sbomer command models for layer/compose operations
+
+/// <summary>
+/// SBOM fragment from a container layer.
+/// </summary>
+internal sealed class SbomFragment
+{
+    [JsonPropertyName("fragmentId")]
+    public string FragmentId { get; init; } = string.Empty;
+
+    [JsonPropertyName("layerDigest")]
+    public string LayerDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("fragmentSha256")]
+    public string FragmentSha256 { get; init; } = string.Empty;
+
+    [JsonPropertyName("dsseEnvelopeSha256")]
+    public string? DsseEnvelopeSha256 { get; init; }
+
+    [JsonPropertyName("dsseEnvelopeUri")]
+    public string? DsseEnvelopeUri { get; init; }
+
+    [JsonPropertyName("componentCount")]
+    public int ComponentCount { get; init; }
+
+    [JsonPropertyName("format")]
+    public string Format { get; init; } = string.Empty;
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("signatureAlgorithm")]
+    public string? SignatureAlgorithm { get; init; }
+
+    [JsonPropertyName("signatureValid")]
+    public bool? SignatureValid { get; init; }
+
+    [JsonPropertyName("components")]
+    public IReadOnlyList<SbomFragmentComponent>? Components { get; init; }
+}
+
+/// <summary>
+/// Component within an SBOM fragment.
+/// </summary>
+internal sealed class SbomFragmentComponent
+{
+    [JsonPropertyName("purl")]
+    public string? Purl { get; init; }
+
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public string? Version { get; init; }
+
+    [JsonPropertyName("type")]
+    public string? Type { get; init; }
+
+    [JsonPropertyName("identityKey")]
+    public string? IdentityKey { get; init; }
+}
+
+/// <summary>
+/// Layer list request for sbomer layer list.
+/// </summary>
+internal sealed class SbomerLayerListRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("imageRef")]
+    public string? ImageRef { get; init; }
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("scanId")]
+    public string? ScanId { get; init; }
+
+    [JsonPropertyName("limit")]
+    public int? Limit { get; init; }
+
+    [JsonPropertyName("cursor")]
+    public string? Cursor { get; init; }
+}
+
+/// <summary>
+/// Layer list response.
+/// </summary>
+internal sealed class SbomerLayerListResponse
+{
+    [JsonPropertyName("items")]
+    public IReadOnlyList<SbomFragment> Items { get; init; } = [];
+
+    [JsonPropertyName("total")]
+    public int Total { get; init; }
+
+    [JsonPropertyName("hasMore")]
+    public bool HasMore { get; init; }
+
+    [JsonPropertyName("nextCursor")]
+    public string? NextCursor { get; init; }
+
+    [JsonPropertyName("scanId")]
+    public string? ScanId { get; init; }
+
+    [JsonPropertyName("imageRef")]
+    public string? ImageRef { get; init; }
+}
+
+/// <summary>
+/// Layer show request.
+/// </summary>
+internal sealed class SbomerLayerShowRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("layerDigest")]
+    public string LayerDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("scanId")]
+    public string? ScanId { get; init; }
+
+    [JsonPropertyName("includeComponents")]
+    public bool IncludeComponents { get; init; }
+
+    [JsonPropertyName("includeDsse")]
+    public bool IncludeDsse { get; init; }
+}
+
+/// <summary>
+/// Layer detail response.
+/// </summary>
+internal sealed class SbomerLayerDetail
+{
+    [JsonPropertyName("fragment")]
+    public SbomFragment Fragment { get; init; } = new();
+
+    [JsonPropertyName("dsseEnvelope")]
+    public DsseEnvelopeInfo? DsseEnvelope { get; init; }
+
+    [JsonPropertyName("canonicalJson")]
+    public string? CanonicalJson { get; init; }
+
+    [JsonPropertyName("merkleProof")]
+    public MerkleProofInfo? MerkleProof { get; init; }
+}
+
+/// <summary>
+/// DSSE envelope information.
+/// </summary>
+internal sealed class DsseEnvelopeInfo
+{
+    [JsonPropertyName("payloadType")]
+    public string PayloadType { get; init; } = string.Empty;
+
+    [JsonPropertyName("payloadSha256")]
+    public string PayloadSha256 { get; init; } = string.Empty;
+
+    [JsonPropertyName("signatures")]
+    public IReadOnlyList<DsseSignatureInfo> Signatures { get; init; } = [];
+
+    [JsonPropertyName("envelopeSha256")]
+    public string EnvelopeSha256 { get; init; } = string.Empty;
+}
+
+/// <summary>
+/// DSSE signature information.
+/// </summary>
+internal sealed class DsseSignatureInfo
+{
+    [JsonPropertyName("keyId")]
+    public string? KeyId { get; init; }
+
+    [JsonPropertyName("algorithm")]
+    public string Algorithm { get; init; } = string.Empty;
+
+    [JsonPropertyName("signatureSha256")]
+    public string SignatureSha256 { get; init; } = string.Empty;
+
+    [JsonPropertyName("valid")]
+    public bool? Valid { get; init; }
+
+    [JsonPropertyName("certificateSubject")]
+    public string? CertificateSubject { get; init; }
+
+    [JsonPropertyName("certificateExpiry")]
+    public DateTimeOffset? CertificateExpiry { get; init; }
+}
+
+/// <summary>
+/// Merkle proof information.
+/// </summary>
+internal sealed class MerkleProofInfo
+{
+    [JsonPropertyName("leafHash")]
+    public string LeafHash { get; init; } = string.Empty;
+
+    [JsonPropertyName("rootHash")]
+    public string RootHash { get; init; } = string.Empty;
+
+    [JsonPropertyName("proofHashes")]
+    public IReadOnlyList<string> ProofHashes { get; init; } = [];
+
+    [JsonPropertyName("leafIndex")]
+    public int LeafIndex { get; init; }
+
+    [JsonPropertyName("treeSize")]
+    public int TreeSize { get; init; }
+
+    [JsonPropertyName("valid")]
+    public bool? Valid { get; init; }
+}
+
+/// <summary>
+/// Layer verify request.
+/// </summary>
+internal sealed class SbomerLayerVerifyRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("layerDigest")]
+    public string LayerDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("scanId")]
+    public string? ScanId { get; init; }
+
+    [JsonPropertyName("verifiersPath")]
+    public string? VerifiersPath { get; init; }
+
+    [JsonPropertyName("offline")]
+    public bool Offline { get; init; }
+}
+
+/// <summary>
+/// Layer verify result.
+/// </summary>
+internal sealed class SbomerLayerVerifyResult
+{
+    [JsonPropertyName("layerDigest")]
+    public string LayerDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("valid")]
+    public bool Valid { get; init; }
+
+    [JsonPropertyName("dsseValid")]
+    public bool DsseValid { get; init; }
+
+    [JsonPropertyName("contentHashMatch")]
+    public bool ContentHashMatch { get; init; }
+
+    [JsonPropertyName("merkleProofValid")]
+    public bool? MerkleProofValid { get; init; }
+
+    [JsonPropertyName("signatureAlgorithm")]
+    public string? SignatureAlgorithm { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string>? Warnings { get; init; }
+}
+
+/// <summary>
+/// Composition manifest (_composition.json).
+/// </summary>
+internal sealed class CompositionManifest
+{
+    [JsonPropertyName("version")]
+    public string Version { get; init; } = "1.0";
+
+    [JsonPropertyName("scanId")]
+    public string ScanId { get; init; } = string.Empty;
+
+    [JsonPropertyName("imageRef")]
+    public string? ImageRef { get; init; }
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("merkleRoot")]
+    public string MerkleRoot { get; init; } = string.Empty;
+
+    [JsonPropertyName("composedSha256")]
+    public string ComposedSha256 { get; init; } = string.Empty;
+
+    [JsonPropertyName("fragments")]
+    public IReadOnlyList<CompositionFragmentEntry> Fragments { get; init; } = [];
+
+    [JsonPropertyName("canonicalOrder")]
+    public IReadOnlyList<string> CanonicalOrder { get; init; } = [];
+
+    [JsonPropertyName("properties")]
+    public IReadOnlyDictionary<string, string>? Properties { get; init; }
+}
+
+/// <summary>
+/// Fragment entry in composition manifest.
+/// </summary>
+internal sealed class CompositionFragmentEntry
+{
+    [JsonPropertyName("layerDigest")]
+    public string LayerDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("fragmentSha256")]
+    public string FragmentSha256 { get; init; } = string.Empty;
+
+    [JsonPropertyName("dsseEnvelopeSha256")]
+    public string? DsseEnvelopeSha256 { get; init; }
+
+    [JsonPropertyName("componentCount")]
+    public int ComponentCount { get; init; }
+
+    [JsonPropertyName("order")]
+    public int Order { get; init; }
+}
+
+/// <summary>
+/// Compose request for sbomer compose.
+/// </summary>
+internal sealed class SbomerComposeRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("scanId")]
+    public string? ScanId { get; init; }
+
+    [JsonPropertyName("imageRef")]
+    public string? ImageRef { get; init; }
+
+    [JsonPropertyName("digest")]
+    public string? Digest { get; init; }
+
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+
+    [JsonPropertyName("format")]
+    public string? Format { get; init; }
+
+    [JsonPropertyName("verifyFragments")]
+    public bool VerifyFragments { get; init; }
+
+    [JsonPropertyName("verifiersPath")]
+    public string? VerifiersPath { get; init; }
+
+    [JsonPropertyName("offline")]
+    public bool Offline { get; init; }
+
+    [JsonPropertyName("emitCompositionManifest")]
+    public bool EmitCompositionManifest { get; init; } = true;
+
+    [JsonPropertyName("emitMerkleDiagnostics")]
+    public bool EmitMerkleDiagnostics { get; init; }
+}
+
+/// <summary>
+/// Compose result.
+/// </summary>
+internal sealed class SbomerComposeResult
+{
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    [JsonPropertyName("scanId")]
+    public string ScanId { get; init; } = string.Empty;
+
+    [JsonPropertyName("composedSha256")]
+    public string? ComposedSha256 { get; init; }
+
+    [JsonPropertyName("merkleRoot")]
+    public string? MerkleRoot { get; init; }
+
+    [JsonPropertyName("fragmentCount")]
+    public int FragmentCount { get; init; }
+
+    [JsonPropertyName("totalComponents")]
+    public int TotalComponents { get; init; }
+
+    [JsonPropertyName("outputPath")]
+    public string? OutputPath { get; init; }
+
+    [JsonPropertyName("compositionManifestPath")]
+    public string? CompositionManifestPath { get; init; }
+
+    [JsonPropertyName("merkleDiagnosticsPath")]
+    public string? MerkleDiagnosticsPath { get; init; }
+
+    [JsonPropertyName("fragmentVerifications")]
+    public IReadOnlyList<SbomerLayerVerifyResult>? FragmentVerifications { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string>? Warnings { get; init; }
+
+    [JsonPropertyName("deterministic")]
+    public bool Deterministic { get; init; }
+
+    [JsonPropertyName("duration")]
+    public TimeSpan? Duration { get; init; }
+}
+
+/// <summary>
+/// Composition show request.
+/// </summary>
+internal sealed class SbomerCompositionShowRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("scanId")]
+    public string? ScanId { get; init; }
+
+    [JsonPropertyName("compositionPath")]
+    public string? CompositionPath { get; init; }
+}
+
+/// <summary>
+/// Merkle diagnostics for composition.
+/// </summary>
+internal sealed class MerkleDiagnostics
+{
+    [JsonPropertyName("scanId")]
+    public string ScanId { get; init; } = string.Empty;
+
+    [JsonPropertyName("rootHash")]
+    public string RootHash { get; init; } = string.Empty;
+
+    [JsonPropertyName("treeSize")]
+    public int TreeSize { get; init; }
+
+    [JsonPropertyName("leaves")]
+    public IReadOnlyList<MerkleLeafInfo> Leaves { get; init; } = [];
+
+    [JsonPropertyName("intermediateNodes")]
+    public IReadOnlyList<MerkleNodeInfo>? IntermediateNodes { get; init; }
+
+    [JsonPropertyName("valid")]
+    public bool Valid { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+}
+
+/// <summary>
+/// Merkle leaf information.
+/// </summary>
+internal sealed class MerkleLeafInfo
+{
+    [JsonPropertyName("index")]
+    public int Index { get; init; }
+
+    [JsonPropertyName("layerDigest")]
+    public string LayerDigest { get; init; } = string.Empty;
+
+    [JsonPropertyName("hash")]
+    public string Hash { get; init; } = string.Empty;
+
+    [JsonPropertyName("fragmentSha256")]
+    public string FragmentSha256 { get; init; } = string.Empty;
+}
+
+/// <summary>
+/// Merkle intermediate node information.
+/// </summary>
+internal sealed class MerkleNodeInfo
+{
+    [JsonPropertyName("level")]
+    public int Level { get; init; }
+
+    [JsonPropertyName("index")]
+    public int Index { get; init; }
+
+    [JsonPropertyName("hash")]
+    public string Hash { get; init; } = string.Empty;
+
+    [JsonPropertyName("leftChild")]
+    public string? LeftChild { get; init; }
+
+    [JsonPropertyName("rightChild")]
+    public string? RightChild { get; init; }
+}
+
+/// <summary>
+/// Composition verify request.
+/// </summary>
+internal sealed class SbomerCompositionVerifyRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("scanId")]
+    public string? ScanId { get; init; }
+
+    [JsonPropertyName("compositionPath")]
+    public string? CompositionPath { get; init; }
+
+    [JsonPropertyName("sbomPath")]
+    public string? SbomPath { get; init; }
+
+    [JsonPropertyName("verifiersPath")]
+    public string? VerifiersPath { get; init; }
+
+    [JsonPropertyName("offline")]
+    public bool Offline { get; init; }
+
+    [JsonPropertyName("recompose")]
+    public bool Recompose { get; init; }
+}
+
+/// <summary>
+/// Composition verify result.
+/// </summary>
+internal sealed class SbomerCompositionVerifyResult
+{
+    [JsonPropertyName("valid")]
+    public bool Valid { get; init; }
+
+    [JsonPropertyName("scanId")]
+    public string ScanId { get; init; } = string.Empty;
+
+    [JsonPropertyName("merkleRootMatch")]
+    public bool MerkleRootMatch { get; init; }
+
+    [JsonPropertyName("composedHashMatch")]
+    public bool ComposedHashMatch { get; init; }
+
+    [JsonPropertyName("allFragmentsValid")]
+    public bool AllFragmentsValid { get; init; }
+
+    [JsonPropertyName("fragmentCount")]
+    public int FragmentCount { get; init; }
+
+    [JsonPropertyName("fragmentVerifications")]
+    public IReadOnlyList<SbomerLayerVerifyResult>? FragmentVerifications { get; init; }
+
+    [JsonPropertyName("recomposedHash")]
+    public string? RecomposedHash { get; init; }
+
+    [JsonPropertyName("expectedHash")]
+    public string? ExpectedHash { get; init; }
+
+    [JsonPropertyName("deterministic")]
+    public bool Deterministic { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string>? Warnings { get; init; }
+}
+
+// CLI-SBOM-60-002: Drift detection and explain models
+
+/// <summary>
+/// Drift analysis request.
+/// </summary>
+internal sealed class SbomerDriftRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("scanId")]
+    public string? ScanId { get; init; }
+
+    [JsonPropertyName("baselineScanId")]
+    public string? BaselineScanId { get; init; }
+
+    [JsonPropertyName("sbomPath")]
+    public string? SbomPath { get; init; }
+
+    [JsonPropertyName("baselinePath")]
+    public string? BaselinePath { get; init; }
+
+    [JsonPropertyName("compositionPath")]
+    public string? CompositionPath { get; init; }
+
+    [JsonPropertyName("explain")]
+    public bool Explain { get; init; }
+
+    [JsonPropertyName("offline")]
+    public bool Offline { get; init; }
+
+    [JsonPropertyName("offlineKitPath")]
+    public string? OfflineKitPath { get; init; }
+}
+
+/// <summary>
+/// Drift analysis result.
+/// </summary>
+internal sealed class SbomerDriftResult
+{
+    [JsonPropertyName("hasDrift")]
+    public bool HasDrift { get; init; }
+
+    [JsonPropertyName("deterministic")]
+    public bool Deterministic { get; init; }
+
+    [JsonPropertyName("scanId")]
+    public string ScanId { get; init; } = string.Empty;
+
+    [JsonPropertyName("baselineScanId")]
+    public string? BaselineScanId { get; init; }
+
+    [JsonPropertyName("currentHash")]
+    public string? CurrentHash { get; init; }
+
+    [JsonPropertyName("baselineHash")]
+    public string? BaselineHash { get; init; }
+
+    [JsonPropertyName("driftSummary")]
+    public DriftSummary? Summary { get; init; }
+
+    [JsonPropertyName("driftDetails")]
+    public IReadOnlyList<DriftDetail>? Details { get; init; }
+
+    [JsonPropertyName("explanations")]
+    public IReadOnlyList<DriftExplanation>? Explanations { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string>? Warnings { get; init; }
+}
+
+/// <summary>
+/// Summary of drift between two SBOMs.
+/// </summary>
+internal sealed class DriftSummary
+{
+    [JsonPropertyName("componentsAdded")]
+    public int ComponentsAdded { get; init; }
+
+    [JsonPropertyName("componentsRemoved")]
+    public int ComponentsRemoved { get; init; }
+
+    [JsonPropertyName("componentsModified")]
+    public int ComponentsModified { get; init; }
+
+    [JsonPropertyName("arrayOrderingDrifts")]
+    public int ArrayOrderingDrifts { get; init; }
+
+    [JsonPropertyName("timestampDrifts")]
+    public int TimestampDrifts { get; init; }
+
+    [JsonPropertyName("keyOrderingDrifts")]
+    public int KeyOrderingDrifts { get; init; }
+
+    [JsonPropertyName("whitespaceDrifts")]
+    public int WhitespaceDrifts { get; init; }
+
+    [JsonPropertyName("totalDrifts")]
+    public int TotalDrifts { get; init; }
+}
+
+/// <summary>
+/// Detailed drift information.
+/// </summary>
+internal sealed class DriftDetail
+{
+    [JsonPropertyName("path")]
+    public string Path { get; init; } = string.Empty;
+
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+
+    [JsonPropertyName("description")]
+    public string Description { get; init; } = string.Empty;
+
+    [JsonPropertyName("currentValue")]
+    public string? CurrentValue { get; init; }
+
+    [JsonPropertyName("baselineValue")]
+    public string? BaselineValue { get; init; }
+
+    [JsonPropertyName("layerDigest")]
+    public string? LayerDigest { get; init; }
+
+    [JsonPropertyName("severity")]
+    public string Severity { get; init; } = "info";
+
+    [JsonPropertyName("breaksDeterminism")]
+    public bool BreaksDeterminism { get; init; }
+}
+
+/// <summary>
+/// Explanation for drift occurrence.
+/// </summary>
+internal sealed class DriftExplanation
+{
+    [JsonPropertyName("path")]
+    public string Path { get; init; } = string.Empty;
+
+    [JsonPropertyName("reason")]
+    public string Reason { get; init; } = string.Empty;
+
+    [JsonPropertyName("expectedBehavior")]
+    public string? ExpectedBehavior { get; init; }
+
+    [JsonPropertyName("actualBehavior")]
+    public string? ActualBehavior { get; init; }
+
+    [JsonPropertyName("rootCause")]
+    public string? RootCause { get; init; }
+
+    [JsonPropertyName("remediation")]
+    public string? Remediation { get; init; }
+
+    [JsonPropertyName("documentationUrl")]
+    public string? DocumentationUrl { get; init; }
+
+    [JsonPropertyName("affectedLayers")]
+    public IReadOnlyList<string>? AffectedLayers { get; init; }
+}
+
+/// <summary>
+/// Drift verify request for offline verification.
+/// </summary>
+internal sealed class SbomerDriftVerifyRequest
+{
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    [JsonPropertyName("scanId")]
+    public string? ScanId { get; init; }
+
+    [JsonPropertyName("sbomPath")]
+    public string? SbomPath { get; init; }
+
+    [JsonPropertyName("compositionPath")]
+    public string? CompositionPath { get; init; }
+
+    [JsonPropertyName("verifiersPath")]
+    public string? VerifiersPath { get; init; }
+
+    [JsonPropertyName("offlineKitPath")]
+    public string? OfflineKitPath { get; init; }
+
+    [JsonPropertyName("recomposeLocally")]
+    public bool RecomposeLocally { get; init; }
+
+    [JsonPropertyName("validateFragments")]
+    public bool ValidateFragments { get; init; }
+
+    [JsonPropertyName("checkMerkleProofs")]
+    public bool CheckMerkleProofs { get; init; }
+}
+
+/// <summary>
+/// Drift verify result.
+/// </summary>
+internal sealed class SbomerDriftVerifyResult
+{
+    [JsonPropertyName("valid")]
+    public bool Valid { get; init; }
+
+    [JsonPropertyName("deterministic")]
+    public bool Deterministic { get; init; }
+
+    [JsonPropertyName("scanId")]
+    public string ScanId { get; init; } = string.Empty;
+
+    [JsonPropertyName("compositionValid")]
+    public bool CompositionValid { get; init; }
+
+    [JsonPropertyName("fragmentsValid")]
+    public bool FragmentsValid { get; init; }
+
+    [JsonPropertyName("merkleProofsValid")]
+    public bool MerkleProofsValid { get; init; }
+
+    [JsonPropertyName("recomposedHashMatch")]
+    public bool? RecomposedHashMatch { get; init; }
+
+    [JsonPropertyName("currentHash")]
+    public string? CurrentHash { get; init; }
+
+    [JsonPropertyName("recomposedHash")]
+    public string? RecomposedHash { get; init; }
+
+    [JsonPropertyName("fragmentVerifications")]
+    public IReadOnlyList<SbomerLayerVerifyResult>? FragmentVerifications { get; init; }
+
+    [JsonPropertyName("driftResult")]
+    public SbomerDriftResult? DriftResult { get; init; }
+
+    [JsonPropertyName("offlineKitInfo")]
+    public OfflineKitInfo? OfflineKitInfo { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+
+    [JsonPropertyName("warnings")]
+    public IReadOnlyList<string>? Warnings { get; init; }
+}
+
+/// <summary>
+/// Information about offline kit used for verification.
+/// </summary>
+internal sealed class OfflineKitInfo
+{
+    [JsonPropertyName("path")]
+    public string Path { get; init; } = string.Empty;
+
+    [JsonPropertyName("version")]
+    public string? Version { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset? CreatedAt { get; init; }
+
+    [JsonPropertyName("fragmentCount")]
+    public int FragmentCount { get; init; }
+
+    [JsonPropertyName("verifiersPresent")]
+    public bool VerifiersPresent { get; init; }
+
+    [JsonPropertyName("compositionManifestPresent")]
+    public bool CompositionManifestPresent { get; init; }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/SdkModels.cs b/src/Cli/StellaOps.Cli/Services/Models/SdkModels.cs
new file mode 100644
index 000000000..f629f1f04
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/SdkModels.cs
@@ -0,0 +1,282 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+/// <summary>
+/// Request for checking SDK updates.
+/// CLI-SDK-64-001: Supports stella sdk update command.
+/// </summary>
+internal sealed class SdkUpdateRequest
+{
+    /// <summary>
+    /// Tenant context for the operation.
+    /// </summary>
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+
+    /// <summary>
+    /// Language filter (typescript, go, csharp, python, java).
+    /// </summary>
+    [JsonPropertyName("language")]
+    public string? Language { get; init; }
+
+    /// <summary>
+    /// Whether to only check for updates without downloading.
+    /// </summary>
+    [JsonIgnore]
+    public bool CheckOnly { get; init; }
+
+    /// <summary>
+    /// Whether to include changelog information.
+    /// </summary>
+    [JsonPropertyName("includeChangelog")]
+    public bool IncludeChangelog { get; init; }
+
+    /// <summary>
+    /// Whether to include deprecation notices.
+    /// </summary>
+    [JsonPropertyName("includeDeprecations")]
+    public bool IncludeDeprecations { get; init; }
+}
+
+/// <summary>
+/// Response for SDK update check.
+/// </summary>
+internal sealed class SdkUpdateResponse
+{
+    /// <summary>
+    /// Whether the operation was successful.
+    /// </summary>
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    /// <summary>
+    /// Available SDK updates.
+    /// </summary>
+    [JsonPropertyName("updates")]
+    public IReadOnlyList<SdkVersionInfo> Updates { get; init; } = [];
+
+    /// <summary>
+    /// Deprecation notices.
+    /// </summary>
+    [JsonPropertyName("deprecations")]
+    public IReadOnlyList<SdkDeprecation> Deprecations { get; init; } = [];
+
+    /// <summary>
+    /// Timestamp when updates were last checked.
+    /// </summary>
+    [JsonPropertyName("checkedAt")]
+    public DateTimeOffset CheckedAt { get; init; }
+
+    /// <summary>
+    /// Error message if the operation failed.
+    /// </summary>
+    [JsonPropertyName("error")]
+    public string? Error { get; init; }
+}
+
+/// <summary>
+/// SDK version information.
+/// </summary>
+internal sealed class SdkVersionInfo
+{
+    /// <summary>
+    /// SDK language (typescript, go, csharp, python, java).
+    /// </summary>
+    [JsonPropertyName("language")]
+    public required string Language { get; init; }
+
+    /// <summary>
+    /// Display name for the SDK.
+    /// </summary>
+    [JsonPropertyName("displayName")]
+    public string? DisplayName { get; init; }
+
+    /// <summary>
+    /// Package name (e.g., @stellaops/sdk, stellaops-sdk).
+    /// </summary>
+    [JsonPropertyName("packageName")]
+    public required string PackageName { get; init; }
+
+    /// <summary>
+    /// Current installed version.
+    /// </summary>
+    [JsonPropertyName("installedVersion")]
+    public string? InstalledVersion { get; init; }
+
+    /// <summary>
+    /// Latest available version.
+    /// </summary>
+    [JsonPropertyName("latestVersion")]
+    public required string LatestVersion { get; init; }
+
+    /// <summary>
+    /// Whether an update is available.
+    /// </summary>
+    [JsonPropertyName("updateAvailable")]
+    public bool UpdateAvailable { get; init; }
+
+    /// <summary>
+    /// Minimum supported API version.
+    /// </summary>
+    [JsonPropertyName("minApiVersion")]
+    public string? MinApiVersion { get; init; }
+
+    /// <summary>
+    /// Maximum supported API version.
+    /// </summary>
+    [JsonPropertyName("maxApiVersion")]
+    public string? MaxApiVersion { get; init; }
+
+    /// <summary>
+    /// Release date of the latest version.
+    /// </summary>
+    [JsonPropertyName("releaseDate")]
+    public DateTimeOffset? ReleaseDate { get; init; }
+
+    /// <summary>
+    /// Changelog for recent versions.
+    /// </summary>
+    [JsonPropertyName("changelog")]
+    public IReadOnlyList<SdkChangelogEntry>? Changelog { get; init; }
+
+    /// <summary>
+    /// Download URL for the package.
+    /// </summary>
+    [JsonPropertyName("downloadUrl")]
+    public string? DownloadUrl { get; init; }
+
+    /// <summary>
+    /// Package registry URL.
+    /// </summary>
+    [JsonPropertyName("registryUrl")]
+    public string? RegistryUrl { get; init; }
+
+    /// <summary>
+    /// Documentation URL.
+    /// </summary>
+    [JsonPropertyName("docsUrl")]
+    public string? DocsUrl { get; init; }
+}
+
+/// <summary>
+/// SDK changelog entry.
+/// </summary>
+internal sealed class SdkChangelogEntry
+{
+    /// <summary>
+    /// Version number.
+    /// </summary>
+    [JsonPropertyName("version")]
+    public required string Version { get; init; }
+
+    /// <summary>
+    /// Release date.
+    /// </summary>
+    [JsonPropertyName("releaseDate")]
+    public DateTimeOffset? ReleaseDate { get; init; }
+
+    /// <summary>
+    /// Change type (feature, fix, breaking, deprecation).
+    /// </summary>
+    [JsonPropertyName("type")]
+    public string? Type { get; init; }
+
+    /// <summary>
+    /// Change description.
+    /// </summary>
+    [JsonPropertyName("description")]
+    public required string Description { get; init; }
+
+    /// <summary>
+    /// Whether this is a breaking change.
+    /// </summary>
+    [JsonPropertyName("isBreaking")]
+    public bool IsBreaking { get; init; }
+
+    /// <summary>
+    /// Link to more details.
+    /// </summary>
+    [JsonPropertyName("link")]
+    public string? Link { get; init; }
+}
+
+/// <summary>
+/// SDK deprecation notice.
+/// </summary>
+internal sealed class SdkDeprecation
+{
+    /// <summary>
+    /// SDK language affected.
+    /// </summary>
+    [JsonPropertyName("language")]
+    public required string Language { get; init; }
+
+    /// <summary>
+    /// Deprecated feature or API.
+    /// </summary>
+    [JsonPropertyName("feature")]
+    public required string Feature { get; init; }
+
+    /// <summary>
+    /// Deprecation message.
+    /// </summary>
+    [JsonPropertyName("message")]
+    public required string Message { get; init; }
+
+    /// <summary>
+    /// Version when deprecation was introduced.
+    /// </summary>
+    [JsonPropertyName("deprecatedInVersion")]
+    public string? DeprecatedInVersion { get; init; }
+
+    /// <summary>
+    /// Version when feature will be removed.
+    /// </summary>
+    [JsonPropertyName("removedInVersion")]
+    public string? RemovedInVersion { get; init; }
+
+    /// <summary>
+    /// Replacement or migration path.
+    /// </summary>
+    [JsonPropertyName("replacement")]
+    public string? Replacement { get; init; }
+
+    /// <summary>
+    /// Link to migration guide.
+    /// </summary>
+    [JsonPropertyName("migrationGuide")]
+    public string? MigrationGuide { get; init; }
+
+    /// <summary>
+    /// Severity of the deprecation (info, warning, critical).
+    /// </summary>
+    [JsonPropertyName("severity")]
+    public string Severity { get; init; } = "warning";
+}
+
+/// <summary>
+/// Response for listing installed SDKs.
+/// </summary>
+internal sealed class SdkListResponse
+{
+    /// <summary>
+    /// Whether the operation was successful.
+    /// </summary>
+    [JsonPropertyName("success")]
+    public bool Success { get; init; }
+
+    /// <summary>
+    /// Installed SDK versions.
+    /// </summary>
+    [JsonPropertyName("sdks")]
+    public IReadOnlyList<SdkVersionInfo> Sdks { get; init; } = [];
+
+    /// <summary>
+    /// Error message if the operation failed.
+    /// </summary>
+    [JsonPropertyName("error")]
+    public string? Error { get; init; }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/Transport/PolicySimulationTransport.cs b/src/Cli/StellaOps.Cli/Services/Models/Transport/PolicySimulationTransport.cs
index b856b8f04..e9d9a21ba 100644
--- a/src/Cli/StellaOps.Cli/Services/Models/Transport/PolicySimulationTransport.cs
+++ b/src/Cli/StellaOps.Cli/Services/Models/Transport/PolicySimulationTransport.cs
@@ -14,6 +14,15 @@ internal sealed class PolicySimulationRequestDocument
     public Dictionary<string, JsonElement>? Env { get; set; }
 
     public bool? Explain { get; set; }
+
+    // CLI-POLICY-27-003: Enhanced simulation options
+    public string? Mode { get; set; }
+
+    public IReadOnlyList<string>? SbomSelectors { get; set; }
+
+    public bool? IncludeHeatmap { get; set; }
+
+    public bool? IncludeManifest { get; set; }
 }
 
 internal sealed class PolicySimulationResponseDocument
@@ -21,6 +30,13 @@ internal sealed class PolicySimulationResponseDocument
     public PolicySimulationDiffDocument? Diff { get; set; }
 
     public string? ExplainUri { get; set; }
+
+    // CLI-POLICY-27-003: Enhanced response fields
+    public PolicySimulationHeatmapDocument? Heatmap { get; set; }
+
+    public string? ManifestDownloadUri { get; set; }
+
+    public string? ManifestDigest { get; set; }
 }
 
 internal sealed class PolicySimulationDiffDocument
@@ -55,3 +71,28 @@ internal sealed class PolicySimulationRuleDeltaDocument
 
     public int? Down { get; set; }
 }
+
+// CLI-POLICY-27-003: Heatmap response documents
+internal sealed class PolicySimulationHeatmapDocument
+{
+    public int? Critical { get; set; }
+
+    public int? High { get; set; }
+
+    public int? Medium { get; set; }
+
+    public int? Low { get; set; }
+
+    public int? Info { get; set; }
+
+    public List<PolicySimulationHeatmapBucketDocument>? Buckets { get; set; }
+}
+
+internal sealed class PolicySimulationHeatmapBucketDocument
+{
+    public string? Label { get; set; }
+
+    public int? Count { get; set; }
+
+    public string? Color { get; set; }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/Transport/ProblemDocument.cs b/src/Cli/StellaOps.Cli/Services/Models/Transport/ProblemDocument.cs
index 468c0534b..74fcce382 100644
--- a/src/Cli/StellaOps.Cli/Services/Models/Transport/ProblemDocument.cs
+++ b/src/Cli/StellaOps.Cli/Services/Models/Transport/ProblemDocument.cs
@@ -1,18 +1,184 @@
 using System.Collections.Generic;
+using System.Text.Json.Serialization;
 
 namespace StellaOps.Cli.Services.Models.Transport;
 
+/// <summary>
+/// RFC 7807 Problem Details response.
+/// </summary>
 internal sealed class ProblemDocument
 {
+    [JsonPropertyName("type")]
     public string? Type { get; set; }
 
+    [JsonPropertyName("title")]
     public string? Title { get; set; }
 
+    [JsonPropertyName("detail")]
     public string? Detail { get; set; }
 
+    [JsonPropertyName("status")]
     public int? Status { get; set; }
 
+    [JsonPropertyName("instance")]
     public string? Instance { get; set; }
 
+    [JsonPropertyName("extensions")]
     public Dictionary<string, object?>? Extensions { get; set; }
 }
+
+/// <summary>
+/// Standardized API error envelope with error.code and trace_id.
+/// CLI-SDK-62-002: Supports surfacing structured error information.
+/// </summary>
+internal sealed class ApiErrorEnvelope
+{
+    /// <summary>
+    /// Error details.
+    /// </summary>
+    [JsonPropertyName("error")]
+    public ApiErrorDetail? Error { get; set; }
+
+    /// <summary>
+    /// Distributed trace identifier.
+    /// </summary>
+    [JsonPropertyName("trace_id")]
+    public string? TraceId { get; set; }
+
+    /// <summary>
+    /// Request identifier.
+    /// </summary>
+    [JsonPropertyName("request_id")]
+    public string? RequestId { get; set; }
+
+    /// <summary>
+    /// Timestamp of the error.
+    /// </summary>
+    [JsonPropertyName("timestamp")]
+    public string? Timestamp { get; set; }
+}
+
+/// <summary>
+/// Error detail within the standardized envelope.
+/// </summary>
+internal sealed class ApiErrorDetail
+{
+    /// <summary>
+    /// Machine-readable error code (e.g., "ERR_AUTH_INVALID_SCOPE").
+    /// </summary>
+    [JsonPropertyName("code")]
+    public string? Code { get; set; }
+
+    /// <summary>
+    /// Human-readable error message.
+    /// </summary>
+    [JsonPropertyName("message")]
+    public string? Message { get; set; }
+
+    /// <summary>
+    /// Detailed description of the error.
+    /// </summary>
+    [JsonPropertyName("detail")]
+    public string? Detail { get; set; }
+
+    /// <summary>
+    /// Target of the error (field name, resource identifier).
+    /// </summary>
+    [JsonPropertyName("target")]
+    public string? Target { get; set; }
+
+    /// <summary>
+    /// Inner errors for nested error details.
+    /// </summary>
+    [JsonPropertyName("inner_errors")]
+    public IReadOnlyList<ApiErrorDetail>? InnerErrors { get; set; }
+
+    /// <summary>
+    /// Additional metadata about the error.
+    /// </summary>
+    [JsonPropertyName("metadata")]
+    public Dictionary<string, object?>? Metadata { get; set; }
+
+    /// <summary>
+    /// Help URL for more information.
+    /// </summary>
+    [JsonPropertyName("help_url")]
+    public string? HelpUrl { get; set; }
+
+    /// <summary>
+    /// Retry-after hint in seconds (for rate limiting).
+    /// </summary>
+    [JsonPropertyName("retry_after")]
+    public int? RetryAfter { get; set; }
+}
+
+/// <summary>
+/// Parsed API error result combining multiple error formats.
+/// </summary>
+internal sealed class ParsedApiError
+{
+    /// <summary>
+    /// Error code (from envelope, problem, or HTTP status).
+    /// </summary>
+    public required string Code { get; init; }
+
+    /// <summary>
+    /// Error message.
+    /// </summary>
+    public required string Message { get; init; }
+
+    /// <summary>
+    /// Detailed error description.
+    /// </summary>
+    public string? Detail { get; init; }
+
+    /// <summary>
+    /// Trace ID for distributed tracing.
+    /// </summary>
+    public string? TraceId { get; init; }
+
+    /// <summary>
+    /// Request ID.
+    /// </summary>
+    public string? RequestId { get; init; }
+
+    /// <summary>
+    /// HTTP status code.
+    /// </summary>
+    public int HttpStatus { get; init; }
+
+    /// <summary>
+    /// Target of the error.
+    /// </summary>
+    public string? Target { get; init; }
+
+    /// <summary>
+    /// Help URL for more information.
+    /// </summary>
+    public string? HelpUrl { get; init; }
+
+    /// <summary>
+    /// Retry-after hint in seconds.
+    /// </summary>
+    public int? RetryAfter { get; init; }
+
+    /// <summary>
+    /// Inner errors.
+    /// </summary>
+    public IReadOnlyList<ApiErrorDetail>? InnerErrors { get; init; }
+
+    /// <summary>
+    /// Additional metadata.
+    /// </summary>
+    public Dictionary<string, object?>? Metadata { get; init; }
+
+    /// <summary>
+    /// Original problem document if parsed.
+    /// </summary>
+    public ProblemDocument? ProblemDocument { get; init; }
+
+    /// <summary>
+    /// Original error envelope if parsed.
+    /// </summary>
+    public ApiErrorEnvelope? ErrorEnvelope { get; init; }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Models/VexObservationModels.cs b/src/Cli/StellaOps.Cli/Services/Models/VexObservationModels.cs
new file mode 100644
index 000000000..fbfa4ea0b
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Models/VexObservationModels.cs
@@ -0,0 +1,292 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// CLI-LNM-22-002: VEX observation models for CLI commands
+
+/// <summary>
+/// Query options for VEX observations.
+/// </summary>
+internal sealed class VexObservationQuery
+{
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("vulnerabilityIds")]
+    public IReadOnlyList<string> VulnerabilityIds { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("productKeys")]
+    public IReadOnlyList<string> ProductKeys { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("purls")]
+    public IReadOnlyList<string> Purls { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("cpes")]
+    public IReadOnlyList<string> Cpes { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("statuses")]
+    public IReadOnlyList<string> Statuses { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("providerIds")]
+    public IReadOnlyList<string> ProviderIds { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("limit")]
+    public int? Limit { get; init; }
+
+    [JsonPropertyName("cursor")]
+    public string? Cursor { get; init; }
+}
+
+/// <summary>
+/// Response from VEX observation query.
+/// </summary>
+internal sealed class VexObservationResponse
+{
+    [JsonPropertyName("observations")]
+    public IReadOnlyList<VexObservation> Observations { get; init; } = Array.Empty<VexObservation>();
+
+    [JsonPropertyName("aggregate")]
+    public VexObservationAggregate? Aggregate { get; init; }
+
+    [JsonPropertyName("nextCursor")]
+    public string? NextCursor { get; init; }
+
+    [JsonPropertyName("hasMore")]
+    public bool HasMore { get; init; }
+}
+
+/// <summary>
+/// VEX observation document.
+/// </summary>
+internal sealed class VexObservation
+{
+    [JsonPropertyName("observationId")]
+    public string ObservationId { get; init; } = string.Empty;
+
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("vulnerabilityId")]
+    public string VulnerabilityId { get; init; } = string.Empty;
+
+    [JsonPropertyName("providerId")]
+    public string ProviderId { get; init; } = string.Empty;
+
+    [JsonPropertyName("product")]
+    public VexObservationProduct? Product { get; init; }
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = string.Empty;
+
+    [JsonPropertyName("justification")]
+    public string? Justification { get; init; }
+
+    [JsonPropertyName("detail")]
+    public string? Detail { get; init; }
+
+    [JsonPropertyName("document")]
+    public VexObservationDocument? Document { get; init; }
+
+    [JsonPropertyName("firstSeen")]
+    public DateTimeOffset FirstSeen { get; init; }
+
+    [JsonPropertyName("lastSeen")]
+    public DateTimeOffset LastSeen { get; init; }
+
+    [JsonPropertyName("confidence")]
+    public VexObservationConfidence? Confidence { get; init; }
+
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset CreatedAt { get; init; }
+
+    [JsonPropertyName("updatedAt")]
+    public DateTimeOffset? UpdatedAt { get; init; }
+}
+
+/// <summary>
+/// Product information in VEX observation.
+/// </summary>
+internal sealed class VexObservationProduct
+{
+    [JsonPropertyName("key")]
+    public string Key { get; init; } = string.Empty;
+
+    [JsonPropertyName("name")]
+    public string? Name { get; init; }
+
+    [JsonPropertyName("version")]
+    public string? Version { get; init; }
+
+    [JsonPropertyName("purl")]
+    public string? Purl { get; init; }
+
+    [JsonPropertyName("cpe")]
+    public string? Cpe { get; init; }
+
+    [JsonPropertyName("componentIdentifiers")]
+    public IReadOnlyList<string> ComponentIdentifiers { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// Document reference in VEX observation.
+/// </summary>
+internal sealed class VexObservationDocument
+{
+    [JsonPropertyName("format")]
+    public string Format { get; init; } = string.Empty;
+
+    [JsonPropertyName("digest")]
+    public string Digest { get; init; } = string.Empty;
+
+    [JsonPropertyName("sourceUri")]
+    public string SourceUri { get; init; } = string.Empty;
+
+    [JsonPropertyName("revision")]
+    public string? Revision { get; init; }
+
+    [JsonPropertyName("signature")]
+    public VexObservationSignature? Signature { get; init; }
+}
+
+/// <summary>
+/// Signature metadata for VEX document.
+/// </summary>
+internal sealed class VexObservationSignature
+{
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+
+    [JsonPropertyName("subject")]
+    public string? Subject { get; init; }
+
+    [JsonPropertyName("issuer")]
+    public string? Issuer { get; init; }
+
+    [JsonPropertyName("keyId")]
+    public string? KeyId { get; init; }
+
+    [JsonPropertyName("verifiedAt")]
+    public DateTimeOffset? VerifiedAt { get; init; }
+
+    [JsonPropertyName("transparencyLogReference")]
+    public string? TransparencyLogReference { get; init; }
+}
+
+/// <summary>
+/// Confidence level in VEX observation.
+/// </summary>
+internal sealed class VexObservationConfidence
+{
+    [JsonPropertyName("level")]
+    public string Level { get; init; } = string.Empty;
+
+    [JsonPropertyName("score")]
+    public double? Score { get; init; }
+
+    [JsonPropertyName("method")]
+    public string? Method { get; init; }
+}
+
+/// <summary>
+/// Aggregate data from VEX observation query.
+/// </summary>
+internal sealed class VexObservationAggregate
+{
+    [JsonPropertyName("vulnerabilityIds")]
+    public IReadOnlyList<string> VulnerabilityIds { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("productKeys")]
+    public IReadOnlyList<string> ProductKeys { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("purls")]
+    public IReadOnlyList<string> Purls { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("cpes")]
+    public IReadOnlyList<string> Cpes { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("providerIds")]
+    public IReadOnlyList<string> ProviderIds { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("statusCounts")]
+    public IReadOnlyDictionary<string, int> StatusCounts { get; init; } = new Dictionary<string, int>();
+}
+
+/// <summary>
+/// VEX linkset query options.
+/// </summary>
+internal sealed class VexLinksetQuery
+{
+    [JsonPropertyName("tenant")]
+    public string Tenant { get; init; } = string.Empty;
+
+    [JsonPropertyName("vulnerabilityId")]
+    public string VulnerabilityId { get; init; } = string.Empty;
+
+    [JsonPropertyName("productKeys")]
+    public IReadOnlyList<string> ProductKeys { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("purls")]
+    public IReadOnlyList<string> Purls { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("statuses")]
+    public IReadOnlyList<string> Statuses { get; init; } = Array.Empty<string>();
+}
+
+/// <summary>
+/// VEX linkset response showing linked observations.
+/// </summary>
+internal sealed class VexLinksetResponse
+{
+    [JsonPropertyName("vulnerabilityId")]
+    public string VulnerabilityId { get; init; } = string.Empty;
+
+    [JsonPropertyName("observations")]
+    public IReadOnlyList<VexObservation> Observations { get; init; } = Array.Empty<VexObservation>();
+
+    [JsonPropertyName("summary")]
+    public VexLinksetSummary? Summary { get; init; }
+
+    [JsonPropertyName("conflicts")]
+    public IReadOnlyList<VexLinksetConflict> Conflicts { get; init; } = Array.Empty<VexLinksetConflict>();
+}
+
+/// <summary>
+/// Summary of VEX linkset.
+/// </summary>
+internal sealed class VexLinksetSummary
+{
+    [JsonPropertyName("totalObservations")]
+    public int TotalObservations { get; init; }
+
+    [JsonPropertyName("providers")]
+    public IReadOnlyList<string> Providers { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("products")]
+    public IReadOnlyList<string> Products { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("statusCounts")]
+    public IReadOnlyDictionary<string, int> StatusCounts { get; init; } = new Dictionary<string, int>();
+
+    [JsonPropertyName("hasConflicts")]
+    public bool HasConflicts { get; init; }
+}
+
+/// <summary>
+/// Conflict between VEX observations.
+/// </summary>
+internal sealed class VexLinksetConflict
+{
+    [JsonPropertyName("productKey")]
+    public string ProductKey { get; init; } = string.Empty;
+
+    [JsonPropertyName("conflictingStatuses")]
+    public IReadOnlyList<string> ConflictingStatuses { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("observations")]
+    public IReadOnlyList<string> ObservationIds { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("description")]
+    public string Description { get; init; } = string.Empty;
+}
diff --git a/src/Cli/StellaOps.Cli/Services/NotifyClient.cs b/src/Cli/StellaOps.Cli/Services/NotifyClient.cs
new file mode 100644
index 000000000..0201e3c8a
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/NotifyClient.cs
@@ -0,0 +1,654 @@
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Text;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Auth.Abstractions;
+using StellaOps.Auth.Client;
+using StellaOps.Cli.Configuration;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for Notify API operations.
+/// Per CLI-PARITY-41-002.
+/// </summary>
+internal sealed class NotifyClient : INotifyClient
+{
+    private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web);
+    private static readonly TimeSpan TokenRefreshSkew = TimeSpan.FromSeconds(30);
+
+    private readonly HttpClient httpClient;
+    private readonly StellaOpsCliOptions options;
+    private readonly ILogger<NotifyClient> logger;
+    private readonly IStellaOpsTokenClient? tokenClient;
+    private readonly object tokenSync = new();
+
+    private string? cachedAccessToken;
+    private DateTimeOffset cachedAccessTokenExpiresAt = DateTimeOffset.MinValue;
+
+    public NotifyClient(
+        HttpClient httpClient,
+        StellaOpsCliOptions options,
+        ILogger<NotifyClient> logger,
+        IStellaOpsTokenClient? tokenClient = null)
+    {
+        this.httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
+        this.options = options ?? throw new ArgumentNullException(nameof(options));
+        this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        this.tokenClient = tokenClient;
+
+        if (!string.IsNullOrWhiteSpace(options.BackendUrl) && httpClient.BaseAddress is null)
+        {
+            if (Uri.TryCreate(options.BackendUrl, UriKind.Absolute, out var baseUri))
+            {
+                httpClient.BaseAddress = baseUri;
+            }
+        }
+    }
+
+    public async Task<NotifyChannelListResponse> ListChannelsAsync(
+        NotifyChannelListRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var uri = BuildChannelListUri(request);
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "notify.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to list notify channels (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new NotifyChannelListResponse();
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<NotifyChannelListResponse>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new NotifyChannelListResponse();
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while listing notify channels");
+            return new NotifyChannelListResponse();
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while listing notify channels");
+            return new NotifyChannelListResponse();
+        }
+    }
+
+    public async Task<NotifyChannelDetail?> GetChannelAsync(
+        string channelId,
+        string? tenant,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(channelId);
+
+        try
+        {
+            EnsureConfigured();
+
+            var uri = $"/api/v1/notify/channels/{Uri.EscapeDataString(channelId)}";
+            if (!string.IsNullOrWhiteSpace(tenant))
+            {
+                uri += $"?tenant={Uri.EscapeDataString(tenant)}";
+            }
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "notify.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+            {
+                return null;
+            }
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to get notify channel (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return null;
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer
+                .DeserializeAsync<NotifyChannelDetail>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while getting notify channel");
+            return null;
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while getting notify channel");
+            return null;
+        }
+    }
+
+    public async Task<NotifyChannelTestResult> TestChannelAsync(
+        NotifyChannelTestRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, $"/api/v1/notify/channels/{Uri.EscapeDataString(request.ChannelId)}/test")
+            {
+                Content = content
+            };
+            await AuthorizeRequestAsync(httpRequest, "notify.write", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to test notify channel (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new NotifyChannelTestResult
+                {
+                    Success = false,
+                    ChannelId = request.ChannelId,
+                    ErrorMessage = $"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<NotifyChannelTestResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new NotifyChannelTestResult { Success = false, ChannelId = request.ChannelId, ErrorMessage = "Empty response" };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while testing notify channel");
+            return new NotifyChannelTestResult
+            {
+                Success = false,
+                ChannelId = request.ChannelId,
+                ErrorMessage = $"Connection error: {ex.Message}"
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while testing notify channel");
+            return new NotifyChannelTestResult
+            {
+                Success = false,
+                ChannelId = request.ChannelId,
+                ErrorMessage = "Request timed out"
+            };
+        }
+    }
+
+    public async Task<NotifyRuleListResponse> ListRulesAsync(
+        NotifyRuleListRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var queryParams = new List<string>();
+            if (!string.IsNullOrWhiteSpace(request.Tenant))
+            {
+                queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+            }
+            if (request.Enabled.HasValue)
+            {
+                queryParams.Add($"enabled={request.Enabled.Value.ToString().ToLowerInvariant()}");
+            }
+            if (!string.IsNullOrWhiteSpace(request.EventType))
+            {
+                queryParams.Add($"eventType={Uri.EscapeDataString(request.EventType)}");
+            }
+            if (!string.IsNullOrWhiteSpace(request.ChannelId))
+            {
+                queryParams.Add($"channelId={Uri.EscapeDataString(request.ChannelId)}");
+            }
+            if (request.Limit.HasValue)
+            {
+                queryParams.Add($"limit={request.Limit.Value}");
+            }
+            if (request.Offset.HasValue)
+            {
+                queryParams.Add($"offset={request.Offset.Value}");
+            }
+
+            var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+            var uri = $"/api/v1/notify/rules{query}";
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "notify.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to list notify rules (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new NotifyRuleListResponse();
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<NotifyRuleListResponse>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new NotifyRuleListResponse();
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while listing notify rules");
+            return new NotifyRuleListResponse();
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while listing notify rules");
+            return new NotifyRuleListResponse();
+        }
+    }
+
+    public async Task<NotifyDeliveryListResponse> ListDeliveriesAsync(
+        NotifyDeliveryListRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var queryParams = new List<string>();
+            if (!string.IsNullOrWhiteSpace(request.Tenant))
+            {
+                queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+            }
+            if (!string.IsNullOrWhiteSpace(request.ChannelId))
+            {
+                queryParams.Add($"channelId={Uri.EscapeDataString(request.ChannelId)}");
+            }
+            if (!string.IsNullOrWhiteSpace(request.Status))
+            {
+                queryParams.Add($"status={Uri.EscapeDataString(request.Status)}");
+            }
+            if (!string.IsNullOrWhiteSpace(request.EventType))
+            {
+                queryParams.Add($"eventType={Uri.EscapeDataString(request.EventType)}");
+            }
+            if (request.Since.HasValue)
+            {
+                queryParams.Add($"since={Uri.EscapeDataString(request.Since.Value.ToString("O"))}");
+            }
+            if (request.Until.HasValue)
+            {
+                queryParams.Add($"until={Uri.EscapeDataString(request.Until.Value.ToString("O"))}");
+            }
+            if (request.Limit.HasValue)
+            {
+                queryParams.Add($"limit={request.Limit.Value}");
+            }
+            if (!string.IsNullOrWhiteSpace(request.Cursor))
+            {
+                queryParams.Add($"cursor={Uri.EscapeDataString(request.Cursor)}");
+            }
+
+            var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+            var uri = $"/api/v1/notify/deliveries{query}";
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "notify.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to list notify deliveries (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new NotifyDeliveryListResponse();
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<NotifyDeliveryListResponse>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new NotifyDeliveryListResponse();
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while listing notify deliveries");
+            return new NotifyDeliveryListResponse();
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while listing notify deliveries");
+            return new NotifyDeliveryListResponse();
+        }
+    }
+
+    public async Task<NotifyDeliveryDetail?> GetDeliveryAsync(
+        string deliveryId,
+        string? tenant,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(deliveryId);
+
+        try
+        {
+            EnsureConfigured();
+
+            var uri = $"/api/v1/notify/deliveries/{Uri.EscapeDataString(deliveryId)}";
+            if (!string.IsNullOrWhiteSpace(tenant))
+            {
+                uri += $"?tenant={Uri.EscapeDataString(tenant)}";
+            }
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "notify.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+            {
+                return null;
+            }
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to get notify delivery (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return null;
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer
+                .DeserializeAsync<NotifyDeliveryDetail>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while getting notify delivery");
+            return null;
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while getting notify delivery");
+            return null;
+        }
+    }
+
+    public async Task<NotifyRetryResult> RetryDeliveryAsync(
+        NotifyRetryRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, $"/api/v1/notify/deliveries/{Uri.EscapeDataString(request.DeliveryId)}/retry")
+            {
+                Content = content
+            };
+
+            // Add idempotency key header if present
+            if (!string.IsNullOrWhiteSpace(request.IdempotencyKey))
+            {
+                httpRequest.Headers.Add("Idempotency-Key", request.IdempotencyKey);
+            }
+
+            await AuthorizeRequestAsync(httpRequest, "notify.write", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to retry notify delivery (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new NotifyRetryResult
+                {
+                    Success = false,
+                    DeliveryId = request.DeliveryId,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<NotifyRetryResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new NotifyRetryResult { Success = false, DeliveryId = request.DeliveryId, Errors = ["Empty response"] };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while retrying notify delivery");
+            return new NotifyRetryResult
+            {
+                Success = false,
+                DeliveryId = request.DeliveryId,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while retrying notify delivery");
+            return new NotifyRetryResult
+            {
+                Success = false,
+                DeliveryId = request.DeliveryId,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    public async Task<NotifySendResult> SendAsync(
+        NotifySendRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/notify/send")
+            {
+                Content = content
+            };
+
+            // Add idempotency key header if present
+            if (!string.IsNullOrWhiteSpace(request.IdempotencyKey))
+            {
+                httpRequest.Headers.Add("Idempotency-Key", request.IdempotencyKey);
+            }
+
+            await AuthorizeRequestAsync(httpRequest, "notify.write", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to send notification (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new NotifySendResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<NotifySendResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new NotifySendResult { Success = false, Errors = ["Empty response"] };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while sending notification");
+            return new NotifySendResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while sending notification");
+            return new NotifySendResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    private static string BuildChannelListUri(NotifyChannelListRequest request)
+    {
+        var queryParams = new List<string>();
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+        }
+        if (!string.IsNullOrWhiteSpace(request.Type))
+        {
+            queryParams.Add($"type={Uri.EscapeDataString(request.Type)}");
+        }
+        if (request.Enabled.HasValue)
+        {
+            queryParams.Add($"enabled={request.Enabled.Value.ToString().ToLowerInvariant()}");
+        }
+        if (request.Limit.HasValue)
+        {
+            queryParams.Add($"limit={request.Limit.Value}");
+        }
+        if (request.Offset.HasValue)
+        {
+            queryParams.Add($"offset={request.Offset.Value}");
+        }
+        if (!string.IsNullOrWhiteSpace(request.Cursor))
+        {
+            queryParams.Add($"cursor={Uri.EscapeDataString(request.Cursor)}");
+        }
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+        return $"/api/v1/notify/channels{query}";
+    }
+
+    private void EnsureConfigured()
+    {
+        if (string.IsNullOrWhiteSpace(options.BackendUrl) && httpClient.BaseAddress is null)
+        {
+            throw new InvalidOperationException(
+                "Backend URL not configured. Set STELLAOPS_BACKEND_URL or use --backend-url.");
+        }
+    }
+
+    private async Task AuthorizeRequestAsync(HttpRequestMessage request, string scope, CancellationToken cancellationToken)
+    {
+        var token = await GetAccessTokenAsync(scope, cancellationToken).ConfigureAwait(false);
+        if (!string.IsNullOrWhiteSpace(token))
+        {
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        }
+    }
+
+    private async Task<string?> GetAccessTokenAsync(string scope, CancellationToken cancellationToken)
+    {
+        if (tokenClient is null)
+        {
+            return null;
+        }
+
+        lock (tokenSync)
+        {
+            if (cachedAccessToken is not null && DateTimeOffset.UtcNow < cachedAccessTokenExpiresAt - TokenRefreshSkew)
+            {
+                return cachedAccessToken;
+            }
+        }
+
+        var result = await tokenClient.GetTokenAsync(
+            new StellaOpsTokenRequest { Scopes = [scope] },
+            cancellationToken).ConfigureAwait(false);
+
+        if (result.IsSuccess)
+        {
+            lock (tokenSync)
+            {
+                cachedAccessToken = result.AccessToken;
+                cachedAccessTokenExpiresAt = result.ExpiresAt;
+            }
+            return result.AccessToken;
+        }
+
+        logger.LogWarning("Token acquisition failed: {Error}", result.Error);
+        return null;
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/ObservabilityClient.cs b/src/Cli/StellaOps.Cli/Services/ObservabilityClient.cs
new file mode 100644
index 000000000..99f6985b5
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/ObservabilityClient.cs
@@ -0,0 +1,557 @@
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Auth.Abstractions;
+using StellaOps.Auth.Client;
+using StellaOps.Cli.Configuration;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for observability API operations.
+/// Per CLI-OBS-51-001.
+/// </summary>
+internal sealed class ObservabilityClient : IObservabilityClient
+{
+    private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web);
+    private static readonly TimeSpan TokenRefreshSkew = TimeSpan.FromSeconds(30);
+
+    private readonly HttpClient httpClient;
+    private readonly StellaOpsCliOptions options;
+    private readonly ILogger<ObservabilityClient> logger;
+    private readonly IStellaOpsTokenClient? tokenClient;
+    private readonly object tokenSync = new();
+
+    private string? cachedAccessToken;
+    private DateTimeOffset cachedAccessTokenExpiresAt = DateTimeOffset.MinValue;
+
+    public ObservabilityClient(
+        HttpClient httpClient,
+        StellaOpsCliOptions options,
+        ILogger<ObservabilityClient> logger,
+        IStellaOpsTokenClient? tokenClient = null)
+    {
+        this.httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
+        this.options = options ?? throw new ArgumentNullException(nameof(options));
+        this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        this.tokenClient = tokenClient;
+
+        if (!string.IsNullOrWhiteSpace(options.BackendUrl) && httpClient.BaseAddress is null)
+        {
+            if (Uri.TryCreate(options.BackendUrl, UriKind.Absolute, out var baseUri))
+            {
+                httpClient.BaseAddress = baseUri;
+            }
+        }
+    }
+
+    public async Task<ObsTopResult> GetHealthSummaryAsync(
+        ObsTopRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var requestUri = BuildHealthSummaryUri(request);
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, requestUri);
+            await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to get health summary (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new ObsTopResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var summary = await JsonSerializer
+                .DeserializeAsync<PlatformHealthSummary>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return new ObsTopResult
+            {
+                Success = true,
+                Summary = summary ?? new PlatformHealthSummary()
+            };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while fetching health summary");
+            return new ObsTopResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while fetching health summary");
+            return new ObsTopResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    private static string BuildHealthSummaryUri(ObsTopRequest request)
+    {
+        var queryParams = new List<string>();
+
+        if (request.Services.Count > 0)
+        {
+            foreach (var service in request.Services)
+            {
+                queryParams.Add($"service={Uri.EscapeDataString(service)}");
+            }
+        }
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+        }
+
+        queryParams.Add($"includeQueues={request.IncludeQueues.ToString().ToLowerInvariant()}");
+        queryParams.Add($"maxAlerts={request.MaxAlerts}");
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+        return $"/api/v1/observability/health{query}";
+    }
+
+    private void EnsureConfigured()
+    {
+        if (string.IsNullOrWhiteSpace(options.BackendUrl) && httpClient.BaseAddress is null)
+        {
+            throw new InvalidOperationException(
+                "Backend URL not configured. Set STELLAOPS_BACKEND_URL or use --backend-url.");
+        }
+    }
+
+    private async Task AuthorizeRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+    {
+        var token = await GetAccessTokenAsync(cancellationToken).ConfigureAwait(false);
+        if (!string.IsNullOrWhiteSpace(token))
+        {
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        }
+    }
+
+    private async Task<string?> GetAccessTokenAsync(CancellationToken cancellationToken)
+    {
+        if (tokenClient is null)
+        {
+            return null;
+        }
+
+        lock (tokenSync)
+        {
+            if (cachedAccessToken is not null && DateTimeOffset.UtcNow < cachedAccessTokenExpiresAt - TokenRefreshSkew)
+            {
+                return cachedAccessToken;
+            }
+        }
+
+        var result = await tokenClient.GetTokenAsync(
+            new StellaOpsTokenRequest { Scopes = ["obs:read"] },
+            cancellationToken).ConfigureAwait(false);
+
+        if (result.IsSuccess)
+        {
+            lock (tokenSync)
+            {
+                cachedAccessToken = result.AccessToken;
+                cachedAccessTokenExpiresAt = result.ExpiresAt;
+            }
+            return result.AccessToken;
+        }
+
+        logger.LogWarning("Token acquisition failed: {Error}", result.Error);
+        return null;
+    }
+
+    // CLI-OBS-52-001: Trace retrieval
+    public async Task<ObsTraceResult> GetTraceAsync(
+        ObsTraceRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var requestUri = BuildTraceUri(request);
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, requestUri);
+            await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+            {
+                return new ObsTraceResult
+                {
+                    Success = false,
+                    Errors = [$"Trace not found: {request.TraceId}"]
+                };
+            }
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to get trace (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new ObsTraceResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var trace = await JsonSerializer
+                .DeserializeAsync<DistributedTrace>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return new ObsTraceResult
+            {
+                Success = true,
+                Trace = trace
+            };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while fetching trace");
+            return new ObsTraceResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while fetching trace");
+            return new ObsTraceResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    private static string BuildTraceUri(ObsTraceRequest request)
+    {
+        var queryParams = new List<string>();
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+        }
+
+        queryParams.Add($"includeEvidence={request.IncludeEvidence.ToString().ToLowerInvariant()}");
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+        return $"/api/v1/observability/traces/{Uri.EscapeDataString(request.TraceId)}{query}";
+    }
+
+    // CLI-OBS-52-001: Logs retrieval
+    public async Task<ObsLogsResult> GetLogsAsync(
+        ObsLogsRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var requestUri = BuildLogsUri(request);
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, requestUri);
+            await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to get logs (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new ObsLogsResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<ObsLogsResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new ObsLogsResult { Success = true };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while fetching logs");
+            return new ObsLogsResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while fetching logs");
+            return new ObsLogsResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    private static string BuildLogsUri(ObsLogsRequest request)
+    {
+        var queryParams = new List<string>
+        {
+            $"from={Uri.EscapeDataString(request.From.ToString("o"))}",
+            $"to={Uri.EscapeDataString(request.To.ToString("o"))}"
+        };
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+        }
+
+        foreach (var service in request.Services)
+        {
+            queryParams.Add($"service={Uri.EscapeDataString(service)}");
+        }
+
+        foreach (var level in request.Levels)
+        {
+            queryParams.Add($"level={Uri.EscapeDataString(level)}");
+        }
+
+        if (!string.IsNullOrWhiteSpace(request.Query))
+        {
+            queryParams.Add($"q={Uri.EscapeDataString(request.Query)}");
+        }
+
+        queryParams.Add($"pageSize={request.PageSize}");
+
+        if (!string.IsNullOrWhiteSpace(request.PageToken))
+        {
+            queryParams.Add($"pageToken={Uri.EscapeDataString(request.PageToken)}");
+        }
+
+        var query = "?" + string.Join("&", queryParams);
+        return $"/api/v1/observability/logs{query}";
+    }
+
+    // CLI-OBS-55-001: Incident mode operations
+    public async Task<IncidentModeResult> GetIncidentModeStatusAsync(
+        string? tenant,
+        CancellationToken cancellationToken)
+    {
+        try
+        {
+            EnsureConfigured();
+
+            var query = !string.IsNullOrWhiteSpace(tenant)
+                ? $"?tenant={Uri.EscapeDataString(tenant)}"
+                : string.Empty;
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, $"/api/v1/observability/incident-mode{query}");
+            await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to get incident mode status (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new IncidentModeResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var state = await JsonSerializer
+                .DeserializeAsync<IncidentModeState>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return new IncidentModeResult
+            {
+                Success = true,
+                State = state
+            };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while fetching incident mode status");
+            return new IncidentModeResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while fetching incident mode status");
+            return new IncidentModeResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    public async Task<IncidentModeResult> EnableIncidentModeAsync(
+        IncidentModeEnableRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/observability/incident-mode/enable");
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            httpRequest.Content = new StringContent(json, System.Text.Encoding.UTF8, "application/json");
+            await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to enable incident mode (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new IncidentModeResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<IncidentModeResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new IncidentModeResult { Success = true };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while enabling incident mode");
+            return new IncidentModeResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while enabling incident mode");
+            return new IncidentModeResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    public async Task<IncidentModeResult> DisableIncidentModeAsync(
+        IncidentModeDisableRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/observability/incident-mode/disable");
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            httpRequest.Content = new StringContent(json, System.Text.Encoding.UTF8, "application/json");
+            await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to disable incident mode (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new IncidentModeResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<IncidentModeResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new IncidentModeResult { Success = true };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while disabling incident mode");
+            return new IncidentModeResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while disabling incident mode");
+            return new IncidentModeResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/OrchestratorClient.cs b/src/Cli/StellaOps.Cli/Services/OrchestratorClient.cs
new file mode 100644
index 000000000..1f357cad7
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/OrchestratorClient.cs
@@ -0,0 +1,463 @@
+using System;
+using System.Net;
+using System.Net.Http;
+using System.Net.Http.Json;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using System.Web;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using StellaOps.Auth.Client;
+using StellaOps.Auth.Client.Scopes;
+using StellaOps.Cli.Configuration;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// HTTP client for orchestrator API operations.
+/// Per CLI-ORCH-32-001.
+/// </summary>
+internal sealed class OrchestratorClient : IOrchestratorClient
+{
+    private readonly HttpClient _httpClient;
+    private readonly IStellaOpsTokenClient _tokenClient;
+    private readonly StellaOpsCliOptions _options;
+    private readonly ILogger<OrchestratorClient> _logger;
+
+    private static readonly JsonSerializerOptions JsonOptions = new()
+    {
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+        PropertyNameCaseInsensitive = true
+    };
+
+    public OrchestratorClient(
+        HttpClient httpClient,
+        IStellaOpsTokenClient tokenClient,
+        IOptions<StellaOpsCliOptions> options,
+        ILogger<OrchestratorClient> logger)
+    {
+        _httpClient = httpClient;
+        _tokenClient = tokenClient;
+        _options = options.Value;
+        _logger = logger;
+    }
+
+    public async Task<SourceListResponse> ListSourcesAsync(
+        SourceListRequest request,
+        CancellationToken cancellationToken)
+    {
+        await ConfigureAuthAsync(cancellationToken);
+        var url = BuildSourcesListUrl(request);
+
+        _logger.LogDebug("Listing orchestrator sources: {Url}", url);
+
+        var response = await _httpClient.GetAsync(url, cancellationToken);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorContent = await response.Content.ReadAsStringAsync(cancellationToken);
+            _logger.LogWarning("Failed to list sources: {StatusCode} {Content}", response.StatusCode, errorContent);
+            throw new HttpRequestException($"Failed to list sources: {response.StatusCode}");
+        }
+
+        var result = await response.Content.ReadFromJsonAsync<SourceListResponse>(JsonOptions, cancellationToken);
+        return result ?? new SourceListResponse();
+    }
+
+    public async Task<OrchestratorSource?> GetSourceAsync(
+        string sourceId,
+        string? tenant,
+        CancellationToken cancellationToken)
+    {
+        await ConfigureAuthAsync(cancellationToken);
+        var url = $"{GetBaseUrl()}/sources/{Uri.EscapeDataString(sourceId)}";
+        if (!string.IsNullOrWhiteSpace(tenant))
+        {
+            url += $"?tenant={Uri.EscapeDataString(tenant)}";
+        }
+
+        _logger.LogDebug("Getting orchestrator source: {Url}", url);
+
+        var response = await _httpClient.GetAsync(url, cancellationToken);
+
+        if (response.StatusCode == HttpStatusCode.NotFound)
+        {
+            return null;
+        }
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorContent = await response.Content.ReadAsStringAsync(cancellationToken);
+            _logger.LogWarning("Failed to get source: {StatusCode} {Content}", response.StatusCode, errorContent);
+            throw new HttpRequestException($"Failed to get source: {response.StatusCode}");
+        }
+
+        return await response.Content.ReadFromJsonAsync<OrchestratorSource>(JsonOptions, cancellationToken);
+    }
+
+    public async Task<SourceOperationResult> PauseSourceAsync(
+        SourcePauseRequest request,
+        CancellationToken cancellationToken)
+    {
+        await ConfigureAuthAsync(cancellationToken);
+        var url = $"{GetBaseUrl()}/sources/{Uri.EscapeDataString(request.SourceId)}:pause";
+
+        _logger.LogDebug("Pausing orchestrator source: {SourceId}", request.SourceId);
+
+        var response = await _httpClient.PostAsJsonAsync(url, request, JsonOptions, cancellationToken);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorContent = await response.Content.ReadAsStringAsync(cancellationToken);
+            _logger.LogWarning("Failed to pause source: {StatusCode} {Content}", response.StatusCode, errorContent);
+            return new SourceOperationResult
+            {
+                Success = false,
+                Errors = new[] { $"Failed to pause source: {response.StatusCode} - {errorContent}" }
+            };
+        }
+
+        var result = await response.Content.ReadFromJsonAsync<SourceOperationResult>(JsonOptions, cancellationToken);
+        return result ?? new SourceOperationResult { Success = true };
+    }
+
+    public async Task<SourceOperationResult> ResumeSourceAsync(
+        SourceResumeRequest request,
+        CancellationToken cancellationToken)
+    {
+        await ConfigureAuthAsync(cancellationToken);
+        var url = $"{GetBaseUrl()}/sources/{Uri.EscapeDataString(request.SourceId)}:resume";
+
+        _logger.LogDebug("Resuming orchestrator source: {SourceId}", request.SourceId);
+
+        var response = await _httpClient.PostAsJsonAsync(url, request, JsonOptions, cancellationToken);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorContent = await response.Content.ReadAsStringAsync(cancellationToken);
+            _logger.LogWarning("Failed to resume source: {StatusCode} {Content}", response.StatusCode, errorContent);
+            return new SourceOperationResult
+            {
+                Success = false,
+                Errors = new[] { $"Failed to resume source: {response.StatusCode} - {errorContent}" }
+            };
+        }
+
+        var result = await response.Content.ReadFromJsonAsync<SourceOperationResult>(JsonOptions, cancellationToken);
+        return result ?? new SourceOperationResult { Success = true };
+    }
+
+    public async Task<SourceTestResult> TestSourceAsync(
+        SourceTestRequest request,
+        CancellationToken cancellationToken)
+    {
+        await ConfigureAuthAsync(cancellationToken);
+        var url = $"{GetBaseUrl()}/sources/{Uri.EscapeDataString(request.SourceId)}:test";
+
+        _logger.LogDebug("Testing orchestrator source: {SourceId}", request.SourceId);
+
+        var response = await _httpClient.PostAsJsonAsync(url, request, JsonOptions, cancellationToken);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorContent = await response.Content.ReadAsStringAsync(cancellationToken);
+            _logger.LogWarning("Failed to test source: {StatusCode} {Content}", response.StatusCode, errorContent);
+            return new SourceTestResult
+            {
+                Success = false,
+                SourceId = request.SourceId,
+                Reachable = false,
+                ErrorMessage = $"Failed to test source: {response.StatusCode} - {errorContent}",
+                TestedAt = DateTimeOffset.UtcNow
+            };
+        }
+
+        var result = await response.Content.ReadFromJsonAsync<SourceTestResult>(JsonOptions, cancellationToken);
+        return result ?? new SourceTestResult
+        {
+            Success = true,
+            SourceId = request.SourceId,
+            Reachable = true,
+            TestedAt = DateTimeOffset.UtcNow
+        };
+    }
+
+    // CLI-ORCH-34-001: Backfill operations
+
+    public async Task<BackfillResult> StartBackfillAsync(
+        BackfillRequest request,
+        CancellationToken cancellationToken)
+    {
+        await ConfigureAuthAsync(cancellationToken);
+        var url = $"{GetBaseUrl()}/backfills";
+
+        _logger.LogDebug("Starting backfill for source: {SourceId} from {From} to {To}",
+            request.SourceId, request.From, request.To);
+
+        var response = await _httpClient.PostAsJsonAsync(url, request, JsonOptions, cancellationToken);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorContent = await response.Content.ReadAsStringAsync(cancellationToken);
+            _logger.LogWarning("Failed to start backfill: {StatusCode} {Content}", response.StatusCode, errorContent);
+            return new BackfillResult
+            {
+                Success = false,
+                SourceId = request.SourceId,
+                Status = BackfillStatuses.Failed,
+                From = request.From,
+                To = request.To,
+                DryRun = request.DryRun,
+                Errors = new[] { $"Failed to start backfill: {response.StatusCode} - {errorContent}" }
+            };
+        }
+
+        var result = await response.Content.ReadFromJsonAsync<BackfillResult>(JsonOptions, cancellationToken);
+        return result ?? new BackfillResult
+        {
+            Success = true,
+            SourceId = request.SourceId,
+            Status = request.DryRun ? BackfillStatuses.DryRun : BackfillStatuses.Pending,
+            From = request.From,
+            To = request.To,
+            DryRun = request.DryRun
+        };
+    }
+
+    public async Task<BackfillResult?> GetBackfillAsync(
+        string backfillId,
+        string? tenant,
+        CancellationToken cancellationToken)
+    {
+        await ConfigureAuthAsync(cancellationToken);
+        var url = $"{GetBaseUrl()}/backfills/{Uri.EscapeDataString(backfillId)}";
+        if (!string.IsNullOrWhiteSpace(tenant))
+        {
+            url += $"?tenant={Uri.EscapeDataString(tenant)}";
+        }
+
+        _logger.LogDebug("Getting backfill status: {BackfillId}", backfillId);
+
+        var response = await _httpClient.GetAsync(url, cancellationToken);
+
+        if (response.StatusCode == HttpStatusCode.NotFound)
+        {
+            return null;
+        }
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorContent = await response.Content.ReadAsStringAsync(cancellationToken);
+            _logger.LogWarning("Failed to get backfill: {StatusCode} {Content}", response.StatusCode, errorContent);
+            throw new HttpRequestException($"Failed to get backfill: {response.StatusCode}");
+        }
+
+        return await response.Content.ReadFromJsonAsync<BackfillResult>(JsonOptions, cancellationToken);
+    }
+
+    public async Task<BackfillListResponse> ListBackfillsAsync(
+        BackfillListRequest request,
+        CancellationToken cancellationToken)
+    {
+        await ConfigureAuthAsync(cancellationToken);
+        var url = BuildBackfillsListUrl(request);
+
+        _logger.LogDebug("Listing backfills: {Url}", url);
+
+        var response = await _httpClient.GetAsync(url, cancellationToken);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorContent = await response.Content.ReadAsStringAsync(cancellationToken);
+            _logger.LogWarning("Failed to list backfills: {StatusCode} {Content}", response.StatusCode, errorContent);
+            throw new HttpRequestException($"Failed to list backfills: {response.StatusCode}");
+        }
+
+        var result = await response.Content.ReadFromJsonAsync<BackfillListResponse>(JsonOptions, cancellationToken);
+        return result ?? new BackfillListResponse();
+    }
+
+    public async Task<SourceOperationResult> CancelBackfillAsync(
+        BackfillCancelRequest request,
+        CancellationToken cancellationToken)
+    {
+        await ConfigureAuthAsync(cancellationToken);
+        var url = $"{GetBaseUrl()}/backfills/{Uri.EscapeDataString(request.BackfillId)}:cancel";
+
+        _logger.LogDebug("Cancelling backfill: {BackfillId}", request.BackfillId);
+
+        var response = await _httpClient.PostAsJsonAsync(url, request, JsonOptions, cancellationToken);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorContent = await response.Content.ReadAsStringAsync(cancellationToken);
+            _logger.LogWarning("Failed to cancel backfill: {StatusCode} {Content}", response.StatusCode, errorContent);
+            return new SourceOperationResult
+            {
+                Success = false,
+                Errors = new[] { $"Failed to cancel backfill: {response.StatusCode} - {errorContent}" }
+            };
+        }
+
+        var result = await response.Content.ReadFromJsonAsync<SourceOperationResult>(JsonOptions, cancellationToken);
+        return result ?? new SourceOperationResult { Success = true };
+    }
+
+    // CLI-ORCH-34-001: Quota management
+
+    public async Task<QuotaGetResponse> GetQuotasAsync(
+        QuotaGetRequest request,
+        CancellationToken cancellationToken)
+    {
+        await ConfigureAuthAsync(cancellationToken);
+        var url = BuildQuotasGetUrl(request);
+
+        _logger.LogDebug("Getting quotas: {Url}", url);
+
+        var response = await _httpClient.GetAsync(url, cancellationToken);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorContent = await response.Content.ReadAsStringAsync(cancellationToken);
+            _logger.LogWarning("Failed to get quotas: {StatusCode} {Content}", response.StatusCode, errorContent);
+            throw new HttpRequestException($"Failed to get quotas: {response.StatusCode}");
+        }
+
+        var result = await response.Content.ReadFromJsonAsync<QuotaGetResponse>(JsonOptions, cancellationToken);
+        return result ?? new QuotaGetResponse();
+    }
+
+    public async Task<QuotaOperationResult> SetQuotaAsync(
+        QuotaSetRequest request,
+        CancellationToken cancellationToken)
+    {
+        await ConfigureAuthAsync(cancellationToken);
+        var url = $"{GetBaseUrl()}/quotas";
+
+        _logger.LogDebug("Setting quota for tenant: {Tenant}, resource: {ResourceType}",
+            request.Tenant, request.ResourceType);
+
+        var response = await _httpClient.PostAsJsonAsync(url, request, JsonOptions, cancellationToken);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorContent = await response.Content.ReadAsStringAsync(cancellationToken);
+            _logger.LogWarning("Failed to set quota: {StatusCode} {Content}", response.StatusCode, errorContent);
+            return new QuotaOperationResult
+            {
+                Success = false,
+                Errors = new[] { $"Failed to set quota: {response.StatusCode} - {errorContent}" }
+            };
+        }
+
+        var result = await response.Content.ReadFromJsonAsync<QuotaOperationResult>(JsonOptions, cancellationToken);
+        return result ?? new QuotaOperationResult { Success = true };
+    }
+
+    public async Task<QuotaOperationResult> ResetQuotaAsync(
+        QuotaResetRequest request,
+        CancellationToken cancellationToken)
+    {
+        await ConfigureAuthAsync(cancellationToken);
+        var url = $"{GetBaseUrl()}/quotas:reset";
+
+        _logger.LogDebug("Resetting quota for tenant: {Tenant}, resource: {ResourceType}",
+            request.Tenant, request.ResourceType);
+
+        var response = await _httpClient.PostAsJsonAsync(url, request, JsonOptions, cancellationToken);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorContent = await response.Content.ReadAsStringAsync(cancellationToken);
+            _logger.LogWarning("Failed to reset quota: {StatusCode} {Content}", response.StatusCode, errorContent);
+            return new QuotaOperationResult
+            {
+                Success = false,
+                Errors = new[] { $"Failed to reset quota: {response.StatusCode} - {errorContent}" }
+            };
+        }
+
+        var result = await response.Content.ReadFromJsonAsync<QuotaOperationResult>(JsonOptions, cancellationToken);
+        return result ?? new QuotaOperationResult { Success = true };
+    }
+
+    private async Task ConfigureAuthAsync(CancellationToken cancellationToken)
+    {
+        var token = await _tokenClient.GetCachedAccessTokenAsync(
+            new[] { StellaOpsScope.OrchRead },
+            cancellationToken);
+
+        _httpClient.DefaultRequestHeaders.Authorization =
+            new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token.AccessToken);
+    }
+
+    private string GetBaseUrl()
+    {
+        var baseUrl = _options.BackendUrl?.TrimEnd('/') ?? "https://api.stellaops.local";
+        return $"{baseUrl}/api/v1/orchestrator";
+    }
+
+    private string BuildSourcesListUrl(SourceListRequest request)
+    {
+        var builder = new UriBuilder($"{GetBaseUrl()}/sources");
+        var query = HttpUtility.ParseQueryString(string.Empty);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+            query["tenant"] = request.Tenant;
+        if (!string.IsNullOrWhiteSpace(request.Type))
+            query["type"] = request.Type;
+        if (!string.IsNullOrWhiteSpace(request.Status))
+            query["status"] = request.Status;
+        if (request.Enabled.HasValue)
+            query["enabled"] = request.Enabled.Value.ToString().ToLowerInvariant();
+        if (!string.IsNullOrWhiteSpace(request.Host))
+            query["host"] = request.Host;
+        if (!string.IsNullOrWhiteSpace(request.Tag))
+            query["tag"] = request.Tag;
+        if (request.PageSize != 50)
+            query["page_size"] = request.PageSize.ToString();
+        if (!string.IsNullOrWhiteSpace(request.PageToken))
+            query["page_token"] = request.PageToken;
+
+        builder.Query = query.ToString();
+        return builder.ToString();
+    }
+
+    private string BuildBackfillsListUrl(BackfillListRequest request)
+    {
+        var builder = new UriBuilder($"{GetBaseUrl()}/backfills");
+        var query = HttpUtility.ParseQueryString(string.Empty);
+
+        if (!string.IsNullOrWhiteSpace(request.SourceId))
+            query["source_id"] = request.SourceId;
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+            query["tenant"] = request.Tenant;
+        if (!string.IsNullOrWhiteSpace(request.Status))
+            query["status"] = request.Status;
+        if (request.PageSize != 20)
+            query["page_size"] = request.PageSize.ToString();
+        if (!string.IsNullOrWhiteSpace(request.PageToken))
+            query["page_token"] = request.PageToken;
+
+        builder.Query = query.ToString();
+        return builder.ToString();
+    }
+
+    private string BuildQuotasGetUrl(QuotaGetRequest request)
+    {
+        var builder = new UriBuilder($"{GetBaseUrl()}/quotas");
+        var query = HttpUtility.ParseQueryString(string.Empty);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+            query["tenant"] = request.Tenant;
+        if (!string.IsNullOrWhiteSpace(request.SourceId))
+            query["source_id"] = request.SourceId;
+        if (!string.IsNullOrWhiteSpace(request.ResourceType))
+            query["resource_type"] = request.ResourceType;
+
+        builder.Query = query.ToString();
+        return builder.ToString();
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/PackClient.cs b/src/Cli/StellaOps.Cli/Services/PackClient.cs
new file mode 100644
index 000000000..cce0e21d5
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/PackClient.cs
@@ -0,0 +1,1017 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Text;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Auth.Abstractions;
+using StellaOps.Auth.Client;
+using StellaOps.Cli.Configuration;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for Task Pack registry and runner API operations.
+/// Per CLI-PACKS-42-001.
+/// </summary>
+internal sealed class PackClient : IPackClient
+{
+    private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web);
+    private static readonly TimeSpan TokenRefreshSkew = TimeSpan.FromSeconds(30);
+
+    private readonly HttpClient httpClient;
+    private readonly StellaOpsCliOptions options;
+    private readonly ILogger<PackClient> logger;
+    private readonly IStellaOpsTokenClient? tokenClient;
+    private readonly object tokenSync = new();
+
+    private string? cachedAccessToken;
+    private DateTimeOffset cachedAccessTokenExpiresAt = DateTimeOffset.MinValue;
+
+    public PackClient(
+        HttpClient httpClient,
+        StellaOpsCliOptions options,
+        ILogger<PackClient> logger,
+        IStellaOpsTokenClient? tokenClient = null)
+    {
+        this.httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
+        this.options = options ?? throw new ArgumentNullException(nameof(options));
+        this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        this.tokenClient = tokenClient;
+
+        if (!string.IsNullOrWhiteSpace(options.BackendUrl) && httpClient.BaseAddress is null)
+        {
+            if (Uri.TryCreate(options.BackendUrl, UriKind.Absolute, out var baseUri))
+            {
+                httpClient.BaseAddress = baseUri;
+            }
+        }
+    }
+
+    public async Task<PackPlanResult> PlanAsync(
+        PackPlanRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/packs/plan")
+            {
+                Content = content
+            };
+            await AuthorizeRequestAsync(httpRequest, "packs.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to plan pack (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new PackPlanResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<PackPlanResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new PackPlanResult { Success = false, Errors = ["Empty response"] };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while planning pack");
+            return new PackPlanResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while planning pack");
+            return new PackPlanResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    public async Task<PackRunResult> RunAsync(
+        PackRunRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/packs/run")
+            {
+                Content = content
+            };
+            await AuthorizeRequestAsync(httpRequest, "packs.run", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to run pack (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new PackRunResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<PackRunResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new PackRunResult { Success = false, Errors = ["Empty response"] };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while running pack");
+            return new PackRunResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while running pack");
+            return new PackRunResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    public async Task<PackRunStatus?> GetRunStatusAsync(
+        string runId,
+        string? tenant,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(runId);
+
+        try
+        {
+            EnsureConfigured();
+
+            var uri = $"/api/v1/packs/runs/{Uri.EscapeDataString(runId)}";
+            if (!string.IsNullOrWhiteSpace(tenant))
+            {
+                uri += $"?tenant={Uri.EscapeDataString(tenant)}";
+            }
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "packs.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+            {
+                return null;
+            }
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to get run status (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return null;
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer
+                .DeserializeAsync<PackRunStatus>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while getting run status");
+            return null;
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while getting run status");
+            return null;
+        }
+    }
+
+    public async Task<PackPushResult> PushAsync(
+        PackPushRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            if (string.IsNullOrWhiteSpace(request.PackPath))
+            {
+                return new PackPushResult
+                {
+                    Success = false,
+                    Errors = ["Pack path is required"]
+                };
+            }
+
+            var packPath = Path.GetFullPath(request.PackPath);
+            if (!File.Exists(packPath) && !Directory.Exists(packPath))
+            {
+                return new PackPushResult
+                {
+                    Success = false,
+                    Errors = [$"Pack path not found: {packPath}"]
+                };
+            }
+
+            using var multipartContent = new MultipartFormDataContent();
+
+            // Add pack file or directory as tar.gz
+            if (File.Exists(packPath))
+            {
+                var fileContent = new ByteArrayContent(await File.ReadAllBytesAsync(packPath, cancellationToken).ConfigureAwait(false));
+                fileContent.Headers.ContentType = new MediaTypeHeaderValue("application/gzip");
+                multipartContent.Add(fileContent, "pack", Path.GetFileName(packPath));
+            }
+            else
+            {
+                // Directory - would need to tar it first
+                return new PackPushResult
+                {
+                    Success = false,
+                    Errors = ["Directory push not yet implemented. Please provide a .tar.gz file."]
+                };
+            }
+
+            // Add metadata
+            if (!string.IsNullOrWhiteSpace(request.Name))
+            {
+                multipartContent.Add(new StringContent(request.Name), "name");
+            }
+            if (!string.IsNullOrWhiteSpace(request.Version))
+            {
+                multipartContent.Add(new StringContent(request.Version), "version");
+            }
+            if (!string.IsNullOrWhiteSpace(request.Tenant))
+            {
+                multipartContent.Add(new StringContent(request.Tenant), "tenant");
+            }
+            if (request.Sign)
+            {
+                multipartContent.Add(new StringContent("true"), "sign");
+                if (!string.IsNullOrWhiteSpace(request.KeyId))
+                {
+                    multipartContent.Add(new StringContent(request.KeyId), "keyId");
+                }
+            }
+            if (request.Force)
+            {
+                multipartContent.Add(new StringContent("true"), "force");
+            }
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/packs/registry")
+            {
+                Content = multipartContent
+            };
+            await AuthorizeRequestAsync(httpRequest, "packs.write", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to push pack (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new PackPushResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<PackPushResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new PackPushResult { Success = false, Errors = ["Empty response"] };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while pushing pack");
+            return new PackPushResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while pushing pack");
+            return new PackPushResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    public async Task<PackPullResult> PullAsync(
+        PackPullRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var queryParams = new List<string>();
+            if (!string.IsNullOrWhiteSpace(request.Version))
+            {
+                queryParams.Add($"version={Uri.EscapeDataString(request.Version)}");
+            }
+            if (!string.IsNullOrWhiteSpace(request.Tenant))
+            {
+                queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+            }
+            queryParams.Add($"verify={request.Verify.ToString().ToLowerInvariant()}");
+
+            var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+            var uri = $"/api/v1/packs/registry/{Uri.EscapeDataString(request.PackId)}/download{query}";
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "packs.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+
+            if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+            {
+                return new PackPullResult
+                {
+                    Success = false,
+                    Errors = [$"Pack not found: {request.PackId}"]
+                };
+            }
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to pull pack (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new PackPullResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            // Determine output path
+            var outputPath = request.OutputPath;
+            if (string.IsNullOrWhiteSpace(outputPath))
+            {
+                var fileName = response.Content.Headers.ContentDisposition?.FileName?.Trim('"')
+                    ?? $"{request.PackId.Replace('/', '_')}.tar.gz";
+                outputPath = Path.Combine(Directory.GetCurrentDirectory(), fileName);
+            }
+            else
+            {
+                outputPath = Path.GetFullPath(outputPath);
+            }
+
+            // Write to file
+            await using var contentStream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            await using var fileStream = File.Create(outputPath);
+            await contentStream.CopyToAsync(fileStream, cancellationToken).ConfigureAwait(false);
+
+            // Check verification header
+            var verified = response.Headers.TryGetValues("X-Pack-Verified", out var verifiedValues)
+                && bool.TryParse(string.Join("", verifiedValues), out var v)
+                && v;
+
+            // Get pack info from headers
+            TaskPackInfo? packInfo = null;
+            if (response.Headers.TryGetValues("X-Pack-Info", out var infoValues))
+            {
+                var infoJson = string.Join("", infoValues);
+                if (!string.IsNullOrWhiteSpace(infoJson))
+                {
+                    try
+                    {
+                        packInfo = JsonSerializer.Deserialize<TaskPackInfo>(infoJson, SerializerOptions);
+                    }
+                    catch (JsonException)
+                    {
+                        // Ignore parse errors for optional header
+                    }
+                }
+            }
+
+            return new PackPullResult
+            {
+                Success = true,
+                OutputPath = outputPath,
+                Verified = verified,
+                Pack = packInfo
+            };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while pulling pack");
+            return new PackPullResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while pulling pack");
+            return new PackPullResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    public async Task<PackVerifyResult> VerifyAsync(
+        PackVerifyRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/packs/verify")
+            {
+                Content = content
+            };
+            await AuthorizeRequestAsync(httpRequest, "packs.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to verify pack (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new PackVerifyResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<PackVerifyResult>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new PackVerifyResult { Success = false, Errors = ["Empty response"] };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while verifying pack");
+            return new PackVerifyResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            };
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while verifying pack");
+            return new PackVerifyResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            };
+        }
+    }
+
+    public async Task<TaskPackInfo?> GetPackInfoAsync(
+        string packId,
+        string? version,
+        string? tenant,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(packId);
+
+        try
+        {
+            EnsureConfigured();
+
+            var queryParams = new List<string>();
+            if (!string.IsNullOrWhiteSpace(version))
+            {
+                queryParams.Add($"version={Uri.EscapeDataString(version)}");
+            }
+            if (!string.IsNullOrWhiteSpace(tenant))
+            {
+                queryParams.Add($"tenant={Uri.EscapeDataString(tenant)}");
+            }
+
+            var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+            var uri = $"/api/v1/packs/registry/{Uri.EscapeDataString(packId)}{query}";
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "packs.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+            {
+                return null;
+            }
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to get pack info (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return null;
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer
+                .DeserializeAsync<TaskPackInfo>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while getting pack info");
+            return null;
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while getting pack info");
+            return null;
+        }
+    }
+
+    // CLI-PACKS-43-001: Advanced pack features
+
+    public async Task<PackRunListResponse> ListRunsAsync(
+        PackRunListRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var queryParams = new List<string>();
+            if (!string.IsNullOrWhiteSpace(request.PackId))
+                queryParams.Add($"packId={Uri.EscapeDataString(request.PackId)}");
+            if (!string.IsNullOrWhiteSpace(request.Tenant))
+                queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+            if (!string.IsNullOrWhiteSpace(request.Status))
+                queryParams.Add($"status={Uri.EscapeDataString(request.Status)}");
+            if (!string.IsNullOrWhiteSpace(request.Actor))
+                queryParams.Add($"actor={Uri.EscapeDataString(request.Actor)}");
+            if (request.Since.HasValue)
+                queryParams.Add($"since={Uri.EscapeDataString(request.Since.Value.ToString("o"))}");
+            if (request.Until.HasValue)
+                queryParams.Add($"until={Uri.EscapeDataString(request.Until.Value.ToString("o"))}");
+            if (request.PageSize != 20)
+                queryParams.Add($"pageSize={request.PageSize}");
+            if (!string.IsNullOrWhiteSpace(request.PageToken))
+                queryParams.Add($"pageToken={Uri.EscapeDataString(request.PageToken)}");
+
+            var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+            var uri = $"/api/v1/packs/runs{query}";
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "packs.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError("Failed to list runs (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode, string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return new PackRunListResponse();
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer.DeserializeAsync<PackRunListResponse>(stream, SerializerOptions, cancellationToken).ConfigureAwait(false)
+                ?? new PackRunListResponse();
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while listing runs");
+            return new PackRunListResponse();
+        }
+    }
+
+    public async Task<PackApprovalResult> CancelRunAsync(
+        PackCancelRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, $"/api/v1/packs/runs/{Uri.EscapeDataString(request.RunId)}:cancel")
+            {
+                Content = content
+            };
+            await AuthorizeRequestAsync(httpRequest, "packs.run", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError("Failed to cancel run (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode, string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return new PackApprovalResult { Success = false, Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"] };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer.DeserializeAsync<PackApprovalResult>(stream, SerializerOptions, cancellationToken).ConfigureAwait(false)
+                ?? new PackApprovalResult { Success = true };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while cancelling run");
+            return new PackApprovalResult { Success = false, Errors = [$"Connection error: {ex.Message}"] };
+        }
+    }
+
+    public async Task<PackApprovalResult> PauseForApprovalAsync(
+        PackApprovalPauseRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, $"/api/v1/packs/runs/{Uri.EscapeDataString(request.RunId)}:pause")
+            {
+                Content = content
+            };
+            await AuthorizeRequestAsync(httpRequest, "packs.run", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError("Failed to pause run (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode, string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return new PackApprovalResult { Success = false, Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"] };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer.DeserializeAsync<PackApprovalResult>(stream, SerializerOptions, cancellationToken).ConfigureAwait(false)
+                ?? new PackApprovalResult { Success = true };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while pausing run");
+            return new PackApprovalResult { Success = false, Errors = [$"Connection error: {ex.Message}"] };
+        }
+    }
+
+    public async Task<PackApprovalResult> ResumeWithApprovalAsync(
+        PackApprovalResumeRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, $"/api/v1/packs/runs/{Uri.EscapeDataString(request.RunId)}:resume")
+            {
+                Content = content
+            };
+            await AuthorizeRequestAsync(httpRequest, "packs.run", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError("Failed to resume run (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode, string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return new PackApprovalResult { Success = false, Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"] };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer.DeserializeAsync<PackApprovalResult>(stream, SerializerOptions, cancellationToken).ConfigureAwait(false)
+                ?? new PackApprovalResult { Success = true };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while resuming run");
+            return new PackApprovalResult { Success = false, Errors = [$"Connection error: {ex.Message}"] };
+        }
+    }
+
+    public async Task<PackSecretInjectResult> InjectSecretAsync(
+        PackSecretInjectRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, $"/api/v1/packs/runs/{Uri.EscapeDataString(request.RunId)}/secrets")
+            {
+                Content = content
+            };
+            await AuthorizeRequestAsync(httpRequest, "packs.secrets", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError("Failed to inject secret (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode, string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return new PackSecretInjectResult { Success = false, Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"] };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer.DeserializeAsync<PackSecretInjectResult>(stream, SerializerOptions, cancellationToken).ConfigureAwait(false)
+                ?? new PackSecretInjectResult { Success = true, SecretRef = request.SecretRef, InjectedAt = DateTimeOffset.UtcNow };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while injecting secret");
+            return new PackSecretInjectResult { Success = false, Errors = [$"Connection error: {ex.Message}"] };
+        }
+    }
+
+    public async Task<PackLogsResult> GetLogsAsync(
+        PackLogsRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var queryParams = new List<string>();
+            if (!string.IsNullOrWhiteSpace(request.Tenant))
+                queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+            if (!string.IsNullOrWhiteSpace(request.StepId))
+                queryParams.Add($"stepId={Uri.EscapeDataString(request.StepId)}");
+            if (request.Follow)
+                queryParams.Add("follow=true");
+            if (request.Tail.HasValue)
+                queryParams.Add($"tail={request.Tail.Value}");
+            if (request.Since.HasValue)
+                queryParams.Add($"since={Uri.EscapeDataString(request.Since.Value.ToString("o"))}");
+
+            var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+            var uri = $"/api/v1/packs/runs/{Uri.EscapeDataString(request.RunId)}/logs{query}";
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "packs.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError("Failed to get logs (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode, string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return new PackLogsResult { Success = false, RunId = request.RunId, Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"] };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer.DeserializeAsync<PackLogsResult>(stream, SerializerOptions, cancellationToken).ConfigureAwait(false)
+                ?? new PackLogsResult { Success = true, RunId = request.RunId };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while getting logs");
+            return new PackLogsResult { Success = false, RunId = request.RunId, Errors = [$"Connection error: {ex.Message}"] };
+        }
+    }
+
+    public async Task<PackArtifactDownloadResult> DownloadArtifactAsync(
+        PackArtifactDownloadRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var queryParams = new List<string>();
+            if (!string.IsNullOrWhiteSpace(request.Tenant))
+                queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+
+            var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+            var uri = $"/api/v1/packs/runs/{Uri.EscapeDataString(request.RunId)}/artifacts/{Uri.EscapeDataString(request.ArtifactName)}{query}";
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "packs.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+
+            if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+            {
+                return new PackArtifactDownloadResult { Success = false, Errors = [$"Artifact not found: {request.ArtifactName}"] };
+            }
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError("Failed to download artifact (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode, string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return new PackArtifactDownloadResult { Success = false, Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"] };
+            }
+
+            var outputPath = request.OutputPath;
+            if (string.IsNullOrWhiteSpace(outputPath))
+            {
+                var fileName = response.Content.Headers.ContentDisposition?.FileName?.Trim('"') ?? request.ArtifactName;
+                outputPath = Path.Combine(Directory.GetCurrentDirectory(), fileName);
+            }
+            else
+            {
+                outputPath = Path.GetFullPath(outputPath);
+            }
+
+            await using var contentStream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            await using var fileStream = File.Create(outputPath);
+            await contentStream.CopyToAsync(fileStream, cancellationToken).ConfigureAwait(false);
+
+            var verified = response.Headers.TryGetValues("X-Artifact-Verified", out var verifiedValues)
+                && bool.TryParse(string.Join("", verifiedValues), out var v) && v;
+
+            return new PackArtifactDownloadResult { Success = true, OutputPath = outputPath, Verified = verified };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while downloading artifact");
+            return new PackArtifactDownloadResult { Success = false, Errors = [$"Connection error: {ex.Message}"] };
+        }
+    }
+
+    public async Task<PackCacheResult> ManageCacheAsync(
+        PackCacheRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var json = JsonSerializer.Serialize(request, SerializerOptions);
+            using var content = new StringContent(json, Encoding.UTF8, "application/json");
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/packs/cache")
+            {
+                Content = content
+            };
+            await AuthorizeRequestAsync(httpRequest, "packs.cache", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError("Failed to manage cache (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode, string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return new PackCacheResult { Success = false, Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"] };
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer.DeserializeAsync<PackCacheResult>(stream, SerializerOptions, cancellationToken).ConfigureAwait(false)
+                ?? new PackCacheResult { Success = true };
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while managing cache");
+            return new PackCacheResult { Success = false, Errors = [$"Connection error: {ex.Message}"] };
+        }
+    }
+
+    private void EnsureConfigured()
+    {
+        if (string.IsNullOrWhiteSpace(options.BackendUrl) && httpClient.BaseAddress is null)
+        {
+            throw new InvalidOperationException(
+                "Backend URL not configured. Set STELLAOPS_BACKEND_URL or use --backend-url.");
+        }
+    }
+
+    private async Task AuthorizeRequestAsync(HttpRequestMessage request, string scope, CancellationToken cancellationToken)
+    {
+        var token = await GetAccessTokenAsync(scope, cancellationToken).ConfigureAwait(false);
+        if (!string.IsNullOrWhiteSpace(token))
+        {
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        }
+    }
+
+    private async Task<string?> GetAccessTokenAsync(string scope, CancellationToken cancellationToken)
+    {
+        if (tokenClient is null)
+        {
+            return null;
+        }
+
+        lock (tokenSync)
+        {
+            if (cachedAccessToken is not null && DateTimeOffset.UtcNow < cachedAccessTokenExpiresAt - TokenRefreshSkew)
+            {
+                return cachedAccessToken;
+            }
+        }
+
+        var result = await tokenClient.GetTokenAsync(
+            new StellaOpsTokenRequest { Scopes = [scope] },
+            cancellationToken).ConfigureAwait(false);
+
+        if (result.IsSuccess)
+        {
+            lock (tokenSync)
+            {
+                cachedAccessToken = result.AccessToken;
+                cachedAccessTokenExpiresAt = result.ExpiresAt;
+            }
+            return result.AccessToken;
+        }
+
+        logger.LogWarning("Token acquisition failed: {Error}", result.Error);
+        return null;
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/PromotionAssembler.cs b/src/Cli/StellaOps.Cli/Services/PromotionAssembler.cs
new file mode 100644
index 000000000..7e8332153
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/PromotionAssembler.cs
@@ -0,0 +1,1118 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.IO;
+using System.Linq;
+using System.Net.Http;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+using System.Text.RegularExpressions;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Assembler for promotion attestations.
+/// Per CLI-PROMO-70-001.
+/// </summary>
+internal sealed partial class PromotionAssembler : IPromotionAssembler
+{
+    private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
+    {
+        WriteIndented = true,
+        PropertyNameCaseInsensitive = true
+    };
+
+    private readonly HttpClient _httpClient;
+    private readonly ILogger<PromotionAssembler> _logger;
+
+    public PromotionAssembler(HttpClient httpClient, ILogger<PromotionAssembler> logger)
+    {
+        _httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    public async Task<PromotionAssembleResult> AssembleAsync(
+        PromotionAssembleRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        var errors = new List<string>();
+        var warnings = new List<string>();
+        var materials = new List<PromotionMaterial>();
+
+        _logger.LogDebug("Assembling promotion attestation for image {Image}", request.Image);
+
+        // Resolve image digest
+        string imageDigest;
+        try
+        {
+            var resolved = await ResolveImageDigestAsync(request.Image, cancellationToken).ConfigureAwait(false);
+            if (string.IsNullOrWhiteSpace(resolved))
+            {
+                errors.Add($"Failed to resolve image digest for {request.Image}");
+                return new PromotionAssembleResult
+                {
+                    Success = false,
+                    Errors = errors
+                };
+            }
+            imageDigest = resolved;
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Failed to resolve image digest");
+            errors.Add($"Failed to resolve image digest: {ex.Message}");
+            return new PromotionAssembleResult
+            {
+                Success = false,
+                Errors = errors
+            };
+        }
+
+        // Parse image reference
+        var (imageName, _) = ParseImageRef(request.Image);
+
+        // Hash SBOM
+        if (!string.IsNullOrWhiteSpace(request.SbomPath))
+        {
+            if (!File.Exists(request.SbomPath))
+            {
+                errors.Add($"SBOM file not found: {request.SbomPath}");
+            }
+            else
+            {
+                var sbomDigest = await ComputeFileDigestAsync(request.SbomPath, cancellationToken).ConfigureAwait(false);
+                var format = DetectSbomFormat(request.SbomPath);
+                materials.Add(new PromotionMaterial
+                {
+                    Role = "sbom",
+                    Algo = "sha256",
+                    Digest = sbomDigest,
+                    Format = format,
+                    Uri = $"file://{Path.GetFileName(request.SbomPath)}"
+                });
+            }
+        }
+        else
+        {
+            warnings.Add("No SBOM provided; promotion attestation will not include SBOM reference");
+        }
+
+        // Hash VEX
+        if (!string.IsNullOrWhiteSpace(request.VexPath))
+        {
+            if (!File.Exists(request.VexPath))
+            {
+                errors.Add($"VEX file not found: {request.VexPath}");
+            }
+            else
+            {
+                var vexDigest = await ComputeFileDigestAsync(request.VexPath, cancellationToken).ConfigureAwait(false);
+                var format = DetectVexFormat(request.VexPath);
+                materials.Add(new PromotionMaterial
+                {
+                    Role = "vex",
+                    Algo = "sha256",
+                    Digest = vexDigest,
+                    Format = format,
+                    Uri = $"file://{Path.GetFileName(request.VexPath)}"
+                });
+            }
+        }
+        else
+        {
+            warnings.Add("No VEX provided; promotion attestation will not include VEX reference");
+        }
+
+        if (errors.Count > 0)
+        {
+            return new PromotionAssembleResult
+            {
+                Success = false,
+                ImageDigest = imageDigest,
+                Materials = materials,
+                Errors = errors,
+                Warnings = warnings
+            };
+        }
+
+        // Rekor entry (skip for now if requested or if Attestor is not available)
+        PromotionRekorEntry? rekorEntry = null;
+        if (!request.SkipRekor)
+        {
+            warnings.Add("Rekor integration requires Attestor API access; skipping transparency log entry");
+        }
+
+        // Build predicate
+        var predicate = new PromotionPredicate
+        {
+            Type = "stella.ops/promotion@v1",
+            Subject = new[]
+            {
+                new PromotionSubject
+                {
+                    Name = imageName,
+                    Digest = new Dictionary<string, string> { ["sha256"] = imageDigest }
+                }
+            },
+            Materials = materials,
+            Promotion = new PromotionMetadata
+            {
+                From = request.FromEnvironment,
+                To = request.ToEnvironment,
+                Actor = request.Actor ?? Environment.UserName,
+                Timestamp = DateTimeOffset.UtcNow,
+                Pipeline = request.Pipeline,
+                Ticket = request.Ticket,
+                Notes = request.Notes
+            },
+            Rekor = rekorEntry
+        };
+
+        // Write output
+        string? outputPath = null;
+        if (!string.IsNullOrWhiteSpace(request.OutputPath))
+        {
+            outputPath = request.OutputPath;
+            var json = JsonSerializer.Serialize(predicate, SerializerOptions);
+            await File.WriteAllTextAsync(outputPath, json, cancellationToken).ConfigureAwait(false);
+            _logger.LogInformation("Wrote promotion attestation to {OutputPath}", outputPath);
+        }
+
+        return new PromotionAssembleResult
+        {
+            Success = true,
+            Predicate = predicate,
+            OutputPath = outputPath,
+            ImageDigest = imageDigest,
+            Materials = materials,
+            RekorEntry = rekorEntry,
+            Warnings = warnings
+        };
+    }
+
+    public async Task<string?> ResolveImageDigestAsync(
+        string imageRef,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(imageRef);
+
+        // If already contains digest, extract it
+        if (imageRef.Contains("@sha256:", StringComparison.OrdinalIgnoreCase))
+        {
+            var match = DigestRegex().Match(imageRef);
+            if (match.Success)
+            {
+                return match.Groups[1].Value;
+            }
+        }
+
+        // Try using crane command if available
+        try
+        {
+            using var process = new Process
+            {
+                StartInfo = new ProcessStartInfo
+                {
+                    FileName = "crane",
+                    Arguments = $"digest {imageRef}",
+                    RedirectStandardOutput = true,
+                    RedirectStandardError = true,
+                    UseShellExecute = false,
+                    CreateNoWindow = true
+                }
+            };
+
+            process.Start();
+            var stdout = await process.StandardOutput.ReadToEndAsync(cancellationToken).ConfigureAwait(false);
+            await process.WaitForExitAsync(cancellationToken).ConfigureAwait(false);
+
+            if (process.ExitCode == 0 && !string.IsNullOrWhiteSpace(stdout))
+            {
+                var digest = stdout.Trim();
+                if (digest.StartsWith("sha256:", StringComparison.OrdinalIgnoreCase))
+                {
+                    return digest[7..];
+                }
+                return digest;
+            }
+        }
+        catch (Exception ex)
+        {
+            _logger.LogDebug(ex, "crane command not available or failed");
+        }
+
+        // Try using cosign triangulate
+        try
+        {
+            using var process = new Process
+            {
+                StartInfo = new ProcessStartInfo
+                {
+                    FileName = "cosign",
+                    Arguments = $"triangulate {imageRef}",
+                    RedirectStandardOutput = true,
+                    RedirectStandardError = true,
+                    UseShellExecute = false,
+                    CreateNoWindow = true
+                }
+            };
+
+            process.Start();
+            var stdout = await process.StandardOutput.ReadToEndAsync(cancellationToken).ConfigureAwait(false);
+            await process.WaitForExitAsync(cancellationToken).ConfigureAwait(false);
+
+            if (process.ExitCode == 0 && !string.IsNullOrWhiteSpace(stdout))
+            {
+                // cosign triangulate returns the signature tag location
+                // Extract digest if present
+                var match = DigestRegex().Match(stdout);
+                if (match.Success)
+                {
+                    return match.Groups[1].Value;
+                }
+            }
+        }
+        catch (Exception ex)
+        {
+            _logger.LogDebug(ex, "cosign command not available or failed");
+        }
+
+        _logger.LogWarning("Could not resolve image digest; crane/cosign not available");
+        return null;
+    }
+
+    private static async Task<string> ComputeFileDigestAsync(string filePath, CancellationToken cancellationToken)
+    {
+        await using var stream = File.OpenRead(filePath);
+        var hash = await SHA256.HashDataAsync(stream, cancellationToken).ConfigureAwait(false);
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+
+    private static (string name, string? tag) ParseImageRef(string imageRef)
+    {
+        var digestIndex = imageRef.IndexOf('@');
+        if (digestIndex >= 0)
+        {
+            return (imageRef[..digestIndex], null);
+        }
+
+        var tagIndex = imageRef.LastIndexOf(':');
+        if (tagIndex >= 0 && !imageRef[(tagIndex + 1)..].Contains('/'))
+        {
+            return (imageRef[..tagIndex], imageRef[(tagIndex + 1)..]);
+        }
+
+        return (imageRef, null);
+    }
+
+    private static string DetectSbomFormat(string filePath)
+    {
+        var fileName = Path.GetFileName(filePath).ToLowerInvariant();
+
+        if (fileName.Contains("cyclonedx"))
+            return "CycloneDX-1.6";
+        if (fileName.Contains("spdx"))
+            return "SPDX-3.0";
+
+        try
+        {
+            var content = File.ReadAllText(filePath);
+            if (content.Contains("\"bomFormat\"") && content.Contains("\"CycloneDX\""))
+                return "CycloneDX-1.6";
+            if (content.Contains("SPDXVersion") || content.Contains("spdxVersion"))
+                return "SPDX-3.0";
+        }
+        catch
+        {
+            // Ignore read errors
+        }
+
+        return "unknown";
+    }
+
+    private static string DetectVexFormat(string filePath)
+    {
+        var fileName = Path.GetFileName(filePath).ToLowerInvariant();
+
+        if (fileName.Contains("openvex"))
+            return "OpenVEX-1.0";
+        if (fileName.Contains("csaf"))
+            return "CSAF-2.0";
+
+        try
+        {
+            var content = File.ReadAllText(filePath);
+            if (content.Contains("\"@context\"") && content.Contains("openvex"))
+                return "OpenVEX-1.0";
+            if (content.Contains("\"document\"") && content.Contains("\"csaf\""))
+                return "CSAF-2.0";
+        }
+        catch
+        {
+            // Ignore read errors
+        }
+
+        return "unknown";
+    }
+
+    // CLI-PROMO-70-002: Attest implementation
+    public async Task<PromotionAttestResult> AttestAsync(
+        PromotionAttestRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        var errors = new List<string>();
+        var warnings = new List<string>();
+
+        _logger.LogDebug("Creating promotion attestation");
+
+        // Load predicate
+        PromotionPredicate? predicate = request.Predicate;
+        if (predicate == null && !string.IsNullOrWhiteSpace(request.PredicatePath))
+        {
+            if (!File.Exists(request.PredicatePath))
+            {
+                errors.Add($"Predicate file not found: {request.PredicatePath}");
+                return new PromotionAttestResult
+                {
+                    Success = false,
+                    Errors = errors
+                };
+            }
+
+            try
+            {
+                var json = await File.ReadAllTextAsync(request.PredicatePath, cancellationToken).ConfigureAwait(false);
+                predicate = JsonSerializer.Deserialize<PromotionPredicate>(json, SerializerOptions);
+            }
+            catch (Exception ex)
+            {
+                errors.Add($"Failed to parse predicate: {ex.Message}");
+                return new PromotionAttestResult
+                {
+                    Success = false,
+                    Errors = errors
+                };
+            }
+        }
+
+        if (predicate == null)
+        {
+            errors.Add("No predicate provided. Use --predicate or provide assembled predicate JSON.");
+            return new PromotionAttestResult
+            {
+                Success = false,
+                Errors = errors
+            };
+        }
+
+        // Create in-toto statement
+        var statement = new
+        {
+            _type = "https://in-toto.io/Statement/v0.1",
+            predicateType = predicate.Type,
+            subject = predicate.Subject.Select(s => new
+            {
+                name = s.Name,
+                digest = s.Digest
+            }).ToArray(),
+            predicate
+        };
+
+        var statementJson = JsonSerializer.Serialize(statement, SerializerOptions);
+        var payloadBytes = Encoding.UTF8.GetBytes(statementJson);
+        var payloadBase64 = Convert.ToBase64String(payloadBytes);
+
+        // Try to sign using cosign or Signer API
+        DsseEnvelope? envelope = null;
+        PromotionRekorEntry? rekorEntry = null;
+        string? bundlePath = null;
+        string? auditId = null;
+        string? signerKeyId = null;
+
+        // Try cosign first
+        try
+        {
+            var (success, envResult, rekor, keyId) = await SignWithCosignAsync(
+                statementJson,
+                request.KeyId,
+                request.UseKeyless,
+                request.UploadToRekor,
+                request.OutputPath,
+                cancellationToken).ConfigureAwait(false);
+
+            if (success)
+            {
+                envelope = envResult;
+                rekorEntry = rekor;
+                signerKeyId = keyId;
+                bundlePath = request.OutputPath;
+            }
+            else
+            {
+                warnings.Add("cosign signing failed; trying Signer API");
+            }
+        }
+        catch (Exception ex)
+        {
+            _logger.LogDebug(ex, "cosign not available");
+            warnings.Add($"cosign not available: {ex.Message}");
+        }
+
+        // If cosign failed, try Signer API
+        if (envelope == null)
+        {
+            try
+            {
+                var (success, envResult, audit, keyId) = await SignWithSignerApiAsync(
+                    statementJson,
+                    request.Tenant,
+                    request.KeyId,
+                    cancellationToken).ConfigureAwait(false);
+
+                if (success)
+                {
+                    envelope = envResult;
+                    auditId = audit;
+                    signerKeyId = keyId;
+
+                    // Write bundle if output path specified
+                    if (!string.IsNullOrWhiteSpace(request.OutputPath) && envelope != null)
+                    {
+                        var bundleJson = JsonSerializer.Serialize(envelope, SerializerOptions);
+                        await File.WriteAllTextAsync(request.OutputPath, bundleJson, cancellationToken).ConfigureAwait(false);
+                        bundlePath = request.OutputPath;
+                        _logger.LogInformation("Wrote DSSE bundle to {Path}", bundlePath);
+                    }
+                }
+                else
+                {
+                    errors.Add("Signer API signing failed");
+                }
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex, "Signer API failed");
+                errors.Add($"Signer API failed: {ex.Message}");
+            }
+        }
+
+        if (envelope == null)
+        {
+            errors.Add("Failed to sign attestation. Ensure cosign is available or Signer API is configured.");
+            return new PromotionAttestResult
+            {
+                Success = false,
+                Errors = errors,
+                Warnings = warnings
+            };
+        }
+
+        return new PromotionAttestResult
+        {
+            Success = true,
+            BundlePath = bundlePath,
+            DsseEnvelope = envelope,
+            RekorEntry = rekorEntry,
+            AuditId = auditId,
+            SignerKeyId = signerKeyId,
+            SignedAt = DateTimeOffset.UtcNow,
+            Warnings = warnings
+        };
+    }
+
+    private async Task<(bool success, DsseEnvelope? envelope, PromotionRekorEntry? rekor, string? keyId)> SignWithCosignAsync(
+        string statementJson,
+        string? keyId,
+        bool useKeyless,
+        bool uploadToRekor,
+        string? outputPath,
+        CancellationToken cancellationToken)
+    {
+        // Write statement to temp file
+        var tempStatement = Path.GetTempFileName();
+        var tempBundle = outputPath ?? Path.GetTempFileName();
+        try
+        {
+            await File.WriteAllTextAsync(tempStatement, statementJson, cancellationToken).ConfigureAwait(false);
+
+            var args = new StringBuilder();
+            args.Append($"attest-blob --predicate \"{tempStatement}\" ");
+            args.Append("--type stella.ops/promotion ");
+
+            if (useKeyless)
+            {
+                args.Append("--yes ");
+            }
+            else if (!string.IsNullOrWhiteSpace(keyId))
+            {
+                args.Append($"--key \"{keyId}\" ");
+            }
+
+            if (!uploadToRekor)
+            {
+                args.Append("--no-tlog-upload ");
+            }
+
+            args.Append($"--bundle \"{tempBundle}\" ");
+
+            using var process = new Process
+            {
+                StartInfo = new ProcessStartInfo
+                {
+                    FileName = "cosign",
+                    Arguments = args.ToString(),
+                    RedirectStandardOutput = true,
+                    RedirectStandardError = true,
+                    UseShellExecute = false,
+                    CreateNoWindow = true
+                }
+            };
+
+            _logger.LogDebug("Executing: cosign {Args}", args);
+
+            process.Start();
+            var stdout = await process.StandardOutput.ReadToEndAsync(cancellationToken).ConfigureAwait(false);
+            var stderr = await process.StandardError.ReadToEndAsync(cancellationToken).ConfigureAwait(false);
+            await process.WaitForExitAsync(cancellationToken).ConfigureAwait(false);
+
+            if (process.ExitCode != 0)
+            {
+                _logger.LogWarning("cosign failed: {Stderr}", stderr);
+                return (false, null, null, null);
+            }
+
+            // Parse bundle file
+            if (File.Exists(tempBundle))
+            {
+                var bundleJson = await File.ReadAllTextAsync(tempBundle, cancellationToken).ConfigureAwait(false);
+                var bundle = JsonSerializer.Deserialize<JsonElement>(bundleJson);
+
+                // Extract envelope
+                var envelope = new DsseEnvelope
+                {
+                    PayloadType = bundle.TryGetProperty("dsseEnvelope", out var env) && env.TryGetProperty("payloadType", out var pt)
+                        ? pt.GetString() ?? "application/vnd.in-toto+json"
+                        : "application/vnd.in-toto+json",
+                    Payload = env.TryGetProperty("payload", out var payload) ? payload.GetString() ?? "" : "",
+                    Signatures = env.TryGetProperty("signatures", out var sigs)
+                        ? sigs.EnumerateArray().Select(s => new DsseSignature
+                        {
+                            KeyId = s.TryGetProperty("keyid", out var kid) ? kid.GetString() ?? "" : "",
+                            Sig = s.TryGetProperty("sig", out var sig) ? sig.GetString() ?? "" : "",
+                            Cert = s.TryGetProperty("cert", out var cert) ? cert.GetString() : null
+                        }).ToArray()
+                        : Array.Empty<DsseSignature>()
+                };
+
+                // Extract Rekor entry if present
+                PromotionRekorEntry? rekor = null;
+                if (bundle.TryGetProperty("rekorBundle", out var rekorBundle) ||
+                    bundle.TryGetProperty("tlogEntries", out rekorBundle))
+                {
+                    // Parse Rekor entry from bundle
+                    if (rekorBundle.ValueKind == JsonValueKind.Array && rekorBundle.GetArrayLength() > 0)
+                    {
+                        var entry = rekorBundle[0];
+                        rekor = new PromotionRekorEntry
+                        {
+                            Uuid = entry.TryGetProperty("logId", out var logId) ? logId.GetString() ?? "" : "",
+                            LogIndex = entry.TryGetProperty("logIndex", out var idx) ? idx.GetInt64() : 0
+                        };
+                    }
+                }
+
+                return (true, envelope, rekor, keyId ?? "keyless");
+            }
+
+            return (false, null, null, null);
+        }
+        finally
+        {
+            if (File.Exists(tempStatement))
+                File.Delete(tempStatement);
+            if (string.IsNullOrWhiteSpace(outputPath) && File.Exists(tempBundle))
+                File.Delete(tempBundle);
+        }
+    }
+
+    private async Task<(bool success, DsseEnvelope? envelope, string? auditId, string? keyId)> SignWithSignerApiAsync(
+        string statementJson,
+        string tenant,
+        string? keyId,
+        CancellationToken cancellationToken)
+    {
+        // POST to Signer API
+        var request = new
+        {
+            tenant,
+            predicateType = "stella.ops/promotion@v1",
+            payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(statementJson)),
+            keyId
+        };
+
+        var content = new StringContent(
+            JsonSerializer.Serialize(request, SerializerOptions),
+            Encoding.UTF8,
+            "application/json");
+
+        var response = await _httpClient.PostAsync("/api/v1/signer/sign/dsse", content, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            _logger.LogWarning("Signer API returned {Status}", response.StatusCode);
+            return (false, null, null, null);
+        }
+
+        var responseJson = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+        var result = JsonSerializer.Deserialize<JsonElement>(responseJson, SerializerOptions);
+
+        var envelope = new DsseEnvelope
+        {
+            PayloadType = result.TryGetProperty("payloadType", out var pt) ? pt.GetString() ?? "" : "application/vnd.in-toto+json",
+            Payload = result.TryGetProperty("payload", out var payload) ? payload.GetString() ?? "" : "",
+            Signatures = result.TryGetProperty("signatures", out var sigs)
+                ? sigs.EnumerateArray().Select(s => new DsseSignature
+                {
+                    KeyId = s.TryGetProperty("keyid", out var kid) ? kid.GetString() ?? "" : "",
+                    Sig = s.TryGetProperty("sig", out var sig) ? sig.GetString() ?? "" : "",
+                    Cert = s.TryGetProperty("cert", out var cert) ? cert.GetString() : null
+                }).ToArray()
+                : Array.Empty<DsseSignature>()
+        };
+
+        var auditId = result.TryGetProperty("auditId", out var aid) ? aid.GetString() : null;
+        var usedKeyId = result.TryGetProperty("keyId", out var kid2) ? kid2.GetString() : keyId;
+
+        return (true, envelope, auditId, usedKeyId);
+    }
+
+    // CLI-PROMO-70-002: Verify implementation
+    public async Task<PromotionVerifyResult> VerifyAsync(
+        PromotionVerifyRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        var errors = new List<string>();
+        var warnings = new List<string>();
+
+        _logger.LogDebug("Verifying promotion attestation");
+
+        // Load DSSE bundle
+        DsseEnvelope? envelope = null;
+        if (!string.IsNullOrWhiteSpace(request.BundlePath))
+        {
+            if (!File.Exists(request.BundlePath))
+            {
+                errors.Add($"Bundle file not found: {request.BundlePath}");
+                return new PromotionVerifyResult
+                {
+                    Success = false,
+                    Errors = errors
+                };
+            }
+
+            try
+            {
+                var json = await File.ReadAllTextAsync(request.BundlePath, cancellationToken).ConfigureAwait(false);
+                var bundleDoc = JsonSerializer.Deserialize<JsonElement>(json, SerializerOptions);
+
+                // Try to extract DSSE envelope from various bundle formats
+                if (bundleDoc.TryGetProperty("dsseEnvelope", out var envProp))
+                {
+                    envelope = JsonSerializer.Deserialize<DsseEnvelope>(envProp.GetRawText(), SerializerOptions);
+                }
+                else if (bundleDoc.TryGetProperty("payloadType", out _))
+                {
+                    envelope = JsonSerializer.Deserialize<DsseEnvelope>(json, SerializerOptions);
+                }
+            }
+            catch (Exception ex)
+            {
+                errors.Add($"Failed to parse bundle: {ex.Message}");
+                return new PromotionVerifyResult
+                {
+                    Success = false,
+                    Errors = errors
+                };
+            }
+        }
+
+        if (envelope == null)
+        {
+            errors.Add("No DSSE bundle provided. Use --bundle to specify the attestation bundle.");
+            return new PromotionVerifyResult
+            {
+                Success = false,
+                Errors = errors
+            };
+        }
+
+        // Decode and parse predicate
+        PromotionPredicate? predicate = null;
+        try
+        {
+            var payloadBytes = Convert.FromBase64String(envelope.Payload);
+            var payloadJson = Encoding.UTF8.GetString(payloadBytes);
+            var statement = JsonSerializer.Deserialize<JsonElement>(payloadJson, SerializerOptions);
+
+            if (statement.TryGetProperty("predicate", out var pred))
+            {
+                predicate = JsonSerializer.Deserialize<PromotionPredicate>(pred.GetRawText(), SerializerOptions);
+            }
+        }
+        catch (Exception ex)
+        {
+            errors.Add($"Failed to decode payload: {ex.Message}");
+        }
+
+        // Verify signature
+        PromotionSignatureVerification? sigVerification = null;
+        if (!request.SkipSignatureVerification)
+        {
+            sigVerification = await VerifySignatureAsync(envelope, request.TrustRootPath, cancellationToken).ConfigureAwait(false);
+            if (!sigVerification.Verified)
+            {
+                warnings.Add($"Signature verification failed: {sigVerification.Error}");
+            }
+        }
+        else
+        {
+            warnings.Add("Signature verification skipped");
+            sigVerification = new PromotionSignatureVerification { Verified = true };
+        }
+
+        // Verify materials
+        PromotionMaterialVerification? materialVerification = null;
+        if (predicate != null)
+        {
+            materialVerification = await VerifyMaterialsAsync(predicate, request.SbomPath, request.VexPath, cancellationToken).ConfigureAwait(false);
+            if (!materialVerification.Verified)
+            {
+                var failedMaterials = materialVerification.Materials.Where(m => !m.Verified).Select(m => m.Role);
+                warnings.Add($"Material verification failed for: {string.Join(", ", failedMaterials)}");
+            }
+        }
+
+        // Verify Rekor
+        PromotionRekorVerification? rekorVerification = null;
+        if (!request.SkipRekorVerification && predicate?.Rekor != null)
+        {
+            rekorVerification = await VerifyRekorAsync(predicate.Rekor, request.CheckpointPath, cancellationToken).ConfigureAwait(false);
+            if (!rekorVerification.Verified)
+            {
+                warnings.Add($"Rekor verification failed: {rekorVerification.Error}");
+            }
+        }
+        else if (request.SkipRekorVerification)
+        {
+            warnings.Add("Rekor verification skipped");
+            rekorVerification = new PromotionRekorVerification { Verified = true };
+        }
+
+        var verified = (sigVerification?.Verified ?? false) &&
+                       (materialVerification?.Verified ?? true) &&
+                       (rekorVerification?.Verified ?? true);
+
+        return new PromotionVerifyResult
+        {
+            Success = errors.Count == 0,
+            Verified = verified,
+            SignatureVerification = sigVerification,
+            MaterialVerification = materialVerification,
+            RekorVerification = rekorVerification,
+            Predicate = predicate,
+            Errors = errors,
+            Warnings = warnings
+        };
+    }
+
+    private async Task<PromotionSignatureVerification> VerifySignatureAsync(
+        DsseEnvelope envelope,
+        string? trustRootPath,
+        CancellationToken cancellationToken)
+    {
+        if (envelope.Signatures.Count == 0)
+        {
+            return new PromotionSignatureVerification
+            {
+                Verified = false,
+                Error = "No signatures present in envelope"
+            };
+        }
+
+        var sig = envelope.Signatures[0];
+
+        // If certificate is present, verify with certificate chain
+        if (!string.IsNullOrWhiteSpace(sig.Cert))
+        {
+            try
+            {
+                var certBytes = Convert.FromBase64String(sig.Cert);
+                using var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(certBytes);
+
+                // Build PAE for verification
+                var pae = BuildPae(envelope.PayloadType, envelope.Payload);
+                var sigBytes = Convert.FromBase64String(sig.Sig);
+
+                // Get public key and verify
+                using var rsa = cert.GetRSAPublicKey();
+                using var ecdsa = cert.GetECDsaPublicKey();
+
+                bool verified = false;
+                string? algorithm = null;
+
+                if (ecdsa != null)
+                {
+                    verified = ecdsa.VerifyData(pae, sigBytes, HashAlgorithmName.SHA256);
+                    algorithm = "ECDSA-P256";
+                }
+                else if (rsa != null)
+                {
+                    verified = rsa.VerifyData(pae, sigBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+                    algorithm = "RSA-PKCS1";
+                }
+
+                return new PromotionSignatureVerification
+                {
+                    Verified = verified,
+                    KeyId = sig.KeyId,
+                    Algorithm = algorithm,
+                    CertSubject = cert.Subject,
+                    CertIssuer = cert.Issuer,
+                    ValidFrom = cert.NotBefore,
+                    ValidTo = cert.NotAfter,
+                    Error = verified ? null : "Signature verification failed"
+                };
+            }
+            catch (Exception ex)
+            {
+                return new PromotionSignatureVerification
+                {
+                    Verified = false,
+                    KeyId = sig.KeyId,
+                    Error = $"Certificate verification error: {ex.Message}"
+                };
+            }
+        }
+
+        // Try using cosign verify-blob
+        try
+        {
+            var tempBundle = Path.GetTempFileName();
+            var tempPayload = Path.GetTempFileName();
+            try
+            {
+                await File.WriteAllTextAsync(tempBundle, JsonSerializer.Serialize(envelope, SerializerOptions), cancellationToken).ConfigureAwait(false);
+                var payloadBytes = Convert.FromBase64String(envelope.Payload);
+                await File.WriteAllBytesAsync(tempPayload, payloadBytes, cancellationToken).ConfigureAwait(false);
+
+                var args = $"verify-blob --bundle \"{tempBundle}\" \"{tempPayload}\"";
+                if (!string.IsNullOrWhiteSpace(trustRootPath))
+                {
+                    args += $" --certificate-chain \"{trustRootPath}\"";
+                }
+
+                using var process = new Process
+                {
+                    StartInfo = new ProcessStartInfo
+                    {
+                        FileName = "cosign",
+                        Arguments = args,
+                        RedirectStandardOutput = true,
+                        RedirectStandardError = true,
+                        UseShellExecute = false,
+                        CreateNoWindow = true
+                    }
+                };
+
+                process.Start();
+                await process.WaitForExitAsync(cancellationToken).ConfigureAwait(false);
+
+                return new PromotionSignatureVerification
+                {
+                    Verified = process.ExitCode == 0,
+                    KeyId = sig.KeyId,
+                    Algorithm = "cosign",
+                    Error = process.ExitCode != 0 ? "cosign verification failed" : null
+                };
+            }
+            finally
+            {
+                if (File.Exists(tempBundle)) File.Delete(tempBundle);
+                if (File.Exists(tempPayload)) File.Delete(tempPayload);
+            }
+        }
+        catch (Exception ex)
+        {
+            _logger.LogDebug(ex, "cosign verify not available");
+        }
+
+        return new PromotionSignatureVerification
+        {
+            Verified = false,
+            KeyId = sig.KeyId,
+            Error = "Unable to verify signature; cosign not available and no certificate in bundle"
+        };
+    }
+
+    private static byte[] BuildPae(string payloadType, string payload)
+    {
+        // Pre-Authentication Encoding (PAE)
+        // PAE(type, body) = "DSSEv1" || SP || LEN(type) || SP || type || SP || LEN(body) || SP || body
+        var typeBytes = Encoding.UTF8.GetBytes(payloadType);
+        var bodyBytes = Convert.FromBase64String(payload);
+
+        using var ms = new MemoryStream();
+        using var writer = new BinaryWriter(ms);
+
+        writer.Write(Encoding.UTF8.GetBytes("DSSEv1 "));
+        writer.Write(BitConverter.GetBytes((long)typeBytes.Length));
+        writer.Write(Encoding.UTF8.GetBytes(" "));
+        writer.Write(typeBytes);
+        writer.Write(Encoding.UTF8.GetBytes(" "));
+        writer.Write(BitConverter.GetBytes((long)bodyBytes.Length));
+        writer.Write(Encoding.UTF8.GetBytes(" "));
+        writer.Write(bodyBytes);
+
+        return ms.ToArray();
+    }
+
+    private async Task<PromotionMaterialVerification> VerifyMaterialsAsync(
+        PromotionPredicate predicate,
+        string? sbomPath,
+        string? vexPath,
+        CancellationToken cancellationToken)
+    {
+        var entries = new List<PromotionMaterialVerificationEntry>();
+        var allVerified = true;
+
+        foreach (var material in predicate.Materials)
+        {
+            string? filePath = material.Role.ToLowerInvariant() switch
+            {
+                "sbom" => sbomPath,
+                "vex" => vexPath,
+                _ => null
+            };
+
+            if (string.IsNullOrWhiteSpace(filePath))
+            {
+                entries.Add(new PromotionMaterialVerificationEntry
+                {
+                    Role = material.Role,
+                    Verified = true, // Skip if not provided
+                    ExpectedDigest = material.Digest
+                });
+                continue;
+            }
+
+            if (!File.Exists(filePath))
+            {
+                entries.Add(new PromotionMaterialVerificationEntry
+                {
+                    Role = material.Role,
+                    Verified = false,
+                    ExpectedDigest = material.Digest,
+                    Error = $"File not found: {filePath}"
+                });
+                allVerified = false;
+                continue;
+            }
+
+            var actualDigest = await ComputeFileDigestAsync(filePath, cancellationToken).ConfigureAwait(false);
+            var verified = string.Equals(actualDigest, material.Digest, StringComparison.OrdinalIgnoreCase);
+
+            entries.Add(new PromotionMaterialVerificationEntry
+            {
+                Role = material.Role,
+                Verified = verified,
+                ExpectedDigest = material.Digest,
+                ActualDigest = actualDigest,
+                Error = verified ? null : "Digest mismatch"
+            });
+
+            if (!verified)
+            {
+                allVerified = false;
+            }
+        }
+
+        return new PromotionMaterialVerification
+        {
+            Verified = allVerified,
+            Materials = entries
+        };
+    }
+
+    private Task<PromotionRekorVerification> VerifyRekorAsync(
+        PromotionRekorEntry rekorEntry,
+        string? checkpointPath,
+        CancellationToken cancellationToken)
+    {
+        // For offline verification, we verify the inclusion proof
+        var proof = rekorEntry.InclusionProof;
+        if (proof == null)
+        {
+            return Task.FromResult(new PromotionRekorVerification
+            {
+                Verified = false,
+                Uuid = rekorEntry.Uuid,
+                LogIndex = rekorEntry.LogIndex,
+                Error = "No inclusion proof present"
+            });
+        }
+
+        // Verify Merkle inclusion proof
+        bool inclusionVerified = VerifyMerkleInclusion(
+            rekorEntry.LogIndex,
+            proof.TreeSize,
+            proof.RootHash,
+            proof.Hashes);
+
+        // Verify checkpoint if provided
+        bool checkpointVerified = true;
+        if (!string.IsNullOrWhiteSpace(checkpointPath) && proof.Checkpoint != null)
+        {
+            // For now, just verify the checkpoint hash matches
+            checkpointVerified = string.Equals(proof.Checkpoint.Hash, proof.RootHash, StringComparison.OrdinalIgnoreCase);
+        }
+
+        return Task.FromResult(new PromotionRekorVerification
+        {
+            Verified = inclusionVerified && checkpointVerified,
+            Uuid = rekorEntry.Uuid,
+            LogIndex = rekorEntry.LogIndex,
+            InclusionProofVerified = inclusionVerified,
+            CheckpointVerified = checkpointVerified,
+            Error = !inclusionVerified ? "Inclusion proof verification failed" :
+                    !checkpointVerified ? "Checkpoint verification failed" : null
+        });
+    }
+
+    private static bool VerifyMerkleInclusion(long logIndex, long treeSize, string rootHash, IReadOnlyList<string> hashes)
+    {
+        // Simplified Merkle inclusion verification
+        // In production, this would implement the full RFC 6962 verification
+        if (string.IsNullOrWhiteSpace(rootHash) || hashes.Count == 0)
+        {
+            return false;
+        }
+
+        // For now, verify basic structure
+        // Full implementation would recompute root from leaf and proof path
+        return logIndex >= 0 && logIndex < treeSize && hashes.All(h => !string.IsNullOrWhiteSpace(h));
+    }
+
+    [GeneratedRegex(@"sha256:([a-f0-9]{64})", RegexOptions.IgnoreCase)]
+    private static partial Regex DigestRegex();
+}
diff --git a/src/Cli/StellaOps.Cli/Services/SbomClient.cs b/src/Cli/StellaOps.Cli/Services/SbomClient.cs
new file mode 100644
index 000000000..9373be60c
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/SbomClient.cs
@@ -0,0 +1,483 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Auth.Abstractions;
+using StellaOps.Auth.Client;
+using StellaOps.Cli.Configuration;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Client for SBOM API operations.
+/// Per CLI-PARITY-41-001.
+/// </summary>
+internal sealed class SbomClient : ISbomClient
+{
+    private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web);
+    private static readonly TimeSpan TokenRefreshSkew = TimeSpan.FromSeconds(30);
+
+    private readonly HttpClient httpClient;
+    private readonly StellaOpsCliOptions options;
+    private readonly ILogger<SbomClient> logger;
+    private readonly IStellaOpsTokenClient? tokenClient;
+    private readonly object tokenSync = new();
+
+    private string? cachedAccessToken;
+    private DateTimeOffset cachedAccessTokenExpiresAt = DateTimeOffset.MinValue;
+
+    public SbomClient(
+        HttpClient httpClient,
+        StellaOpsCliOptions options,
+        ILogger<SbomClient> logger,
+        IStellaOpsTokenClient? tokenClient = null)
+    {
+        this.httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
+        this.options = options ?? throw new ArgumentNullException(nameof(options));
+        this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        this.tokenClient = tokenClient;
+
+        if (!string.IsNullOrWhiteSpace(options.BackendUrl) && httpClient.BaseAddress is null)
+        {
+            if (Uri.TryCreate(options.BackendUrl, UriKind.Absolute, out var baseUri))
+            {
+                httpClient.BaseAddress = baseUri;
+            }
+        }
+    }
+
+    public async Task<SbomListResponse> ListAsync(
+        SbomListRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var uri = BuildListUri(request);
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "sbom.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to list SBOMs (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new SbomListResponse();
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<SbomListResponse>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new SbomListResponse();
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while listing SBOMs");
+            return new SbomListResponse();
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while listing SBOMs");
+            return new SbomListResponse();
+        }
+    }
+
+    public async Task<SbomDetailResponse?> GetAsync(
+        string sbomId,
+        string? tenant,
+        bool includeComponents,
+        bool includeVulnerabilities,
+        bool includeLicenses,
+        bool explain,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(sbomId);
+
+        try
+        {
+            EnsureConfigured();
+
+            var queryParams = new List<string>();
+            if (!string.IsNullOrWhiteSpace(tenant))
+            {
+                queryParams.Add($"tenant={Uri.EscapeDataString(tenant)}");
+            }
+            if (includeComponents)
+            {
+                queryParams.Add("includeComponents=true");
+            }
+            if (includeVulnerabilities)
+            {
+                queryParams.Add("includeVulnerabilities=true");
+            }
+            if (includeLicenses)
+            {
+                queryParams.Add("includeLicenses=true");
+            }
+            if (explain)
+            {
+                queryParams.Add("explain=true");
+            }
+
+            var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+            var uri = $"/api/v1/sboms/{Uri.EscapeDataString(sbomId)}{query}";
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "sbom.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+            {
+                return null;
+            }
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to get SBOM (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return null;
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer
+                .DeserializeAsync<SbomDetailResponse>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while getting SBOM");
+            return null;
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while getting SBOM");
+            return null;
+        }
+    }
+
+    public async Task<SbomCompareResponse?> CompareAsync(
+        SbomCompareRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var queryParams = new List<string>
+            {
+                $"base={Uri.EscapeDataString(request.BaseSbomId)}",
+                $"target={Uri.EscapeDataString(request.TargetSbomId)}"
+            };
+
+            if (!string.IsNullOrWhiteSpace(request.Tenant))
+            {
+                queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+            }
+            if (request.IncludeUnchanged)
+            {
+                queryParams.Add("includeUnchanged=true");
+            }
+
+            var query = string.Join("&", queryParams);
+            var uri = $"/api/v1/sboms/compare?{query}";
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "sbom.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to compare SBOMs (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+                return null;
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return await JsonSerializer
+                .DeserializeAsync<SbomCompareResponse>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while comparing SBOMs");
+            return null;
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while comparing SBOMs");
+            return null;
+        }
+    }
+
+    public async Task<(Stream Content, SbomExportResult? Result)> ExportAsync(
+        SbomExportRequest request,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            EnsureConfigured();
+
+            var queryParams = new List<string>
+            {
+                $"format={Uri.EscapeDataString(request.Format)}"
+            };
+
+            if (!string.IsNullOrWhiteSpace(request.Tenant))
+            {
+                queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+            }
+            if (!string.IsNullOrWhiteSpace(request.FormatVersion))
+            {
+                queryParams.Add($"formatVersion={Uri.EscapeDataString(request.FormatVersion)}");
+            }
+            queryParams.Add($"signed={request.Signed.ToString().ToLowerInvariant()}");
+            queryParams.Add($"includeVex={request.IncludeVex.ToString().ToLowerInvariant()}");
+
+            var query = string.Join("&", queryParams);
+            var uri = $"/api/v1/sboms/{Uri.EscapeDataString(request.SbomId)}/export?{query}";
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "sbom.read", cancellationToken).ConfigureAwait(false);
+
+            var response = await httpClient.SendAsync(httpRequest, HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to export SBOM (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return (Stream.Null, new SbomExportResult
+                {
+                    Success = false,
+                    Errors = [$"API returned {(int)response.StatusCode}: {response.ReasonPhrase}"]
+                });
+            }
+
+            // Parse export metadata from headers if present
+            SbomExportResult? result = null;
+            if (response.Headers.TryGetValues("X-Export-Metadata", out var metadataValues))
+            {
+                var metadataJson = string.Join("", metadataValues);
+                if (!string.IsNullOrWhiteSpace(metadataJson))
+                {
+                    try
+                    {
+                        result = JsonSerializer.Deserialize<SbomExportResult>(metadataJson, SerializerOptions);
+                    }
+                    catch (JsonException)
+                    {
+                        // Ignore parse errors for optional header
+                    }
+                }
+            }
+
+            result ??= new SbomExportResult
+            {
+                Success = true,
+                Format = request.Format,
+                Signed = request.Signed
+            };
+
+            var contentStream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            return (contentStream, result);
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while exporting SBOM");
+            return (Stream.Null, new SbomExportResult
+            {
+                Success = false,
+                Errors = [$"Connection error: {ex.Message}"]
+            });
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while exporting SBOM");
+            return (Stream.Null, new SbomExportResult
+            {
+                Success = false,
+                Errors = ["Request timed out"]
+            });
+        }
+    }
+
+    public async Task<ParityMatrixResponse> GetParityMatrixAsync(
+        string? tenant,
+        CancellationToken cancellationToken)
+    {
+        try
+        {
+            EnsureConfigured();
+
+            var uri = "/api/v1/cli/parity-matrix";
+            if (!string.IsNullOrWhiteSpace(tenant))
+            {
+                uri += $"?tenant={Uri.EscapeDataString(tenant)}";
+            }
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, uri);
+            await AuthorizeRequestAsync(httpRequest, "cli.read", cancellationToken).ConfigureAwait(false);
+
+            using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                logger.LogError(
+                    "Failed to get parity matrix (status {StatusCode}). Response: {Payload}",
+                    (int)response.StatusCode,
+                    string.IsNullOrWhiteSpace(payload) ? "<empty>" : payload);
+
+                return new ParityMatrixResponse();
+            }
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+            var result = await JsonSerializer
+                .DeserializeAsync<ParityMatrixResponse>(stream, SerializerOptions, cancellationToken)
+                .ConfigureAwait(false);
+
+            return result ?? new ParityMatrixResponse();
+        }
+        catch (HttpRequestException ex)
+        {
+            logger.LogError(ex, "HTTP error while getting parity matrix");
+            return new ParityMatrixResponse();
+        }
+        catch (TaskCanceledException ex) when (!cancellationToken.IsCancellationRequested)
+        {
+            logger.LogError(ex, "Request timed out while getting parity matrix");
+            return new ParityMatrixResponse();
+        }
+    }
+
+    private static string BuildListUri(SbomListRequest request)
+    {
+        var queryParams = new List<string>();
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            queryParams.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+        }
+        if (!string.IsNullOrWhiteSpace(request.ImageRef))
+        {
+            queryParams.Add($"imageRef={Uri.EscapeDataString(request.ImageRef)}");
+        }
+        if (!string.IsNullOrWhiteSpace(request.Digest))
+        {
+            queryParams.Add($"digest={Uri.EscapeDataString(request.Digest)}");
+        }
+        if (!string.IsNullOrWhiteSpace(request.Format))
+        {
+            queryParams.Add($"format={Uri.EscapeDataString(request.Format)}");
+        }
+        if (request.CreatedAfter.HasValue)
+        {
+            queryParams.Add($"createdAfter={Uri.EscapeDataString(request.CreatedAfter.Value.ToString("O"))}");
+        }
+        if (request.CreatedBefore.HasValue)
+        {
+            queryParams.Add($"createdBefore={Uri.EscapeDataString(request.CreatedBefore.Value.ToString("O"))}");
+        }
+        if (request.HasVulnerabilities.HasValue)
+        {
+            queryParams.Add($"hasVulnerabilities={request.HasVulnerabilities.Value.ToString().ToLowerInvariant()}");
+        }
+        if (request.Limit.HasValue)
+        {
+            queryParams.Add($"limit={request.Limit.Value}");
+        }
+        if (request.Offset.HasValue)
+        {
+            queryParams.Add($"offset={request.Offset.Value}");
+        }
+        if (!string.IsNullOrWhiteSpace(request.Cursor))
+        {
+            queryParams.Add($"cursor={Uri.EscapeDataString(request.Cursor)}");
+        }
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : string.Empty;
+        return $"/api/v1/sboms{query}";
+    }
+
+    private void EnsureConfigured()
+    {
+        if (string.IsNullOrWhiteSpace(options.BackendUrl) && httpClient.BaseAddress is null)
+        {
+            throw new InvalidOperationException(
+                "Backend URL not configured. Set STELLAOPS_BACKEND_URL or use --backend-url.");
+        }
+    }
+
+    private async Task AuthorizeRequestAsync(HttpRequestMessage request, string scope, CancellationToken cancellationToken)
+    {
+        var token = await GetAccessTokenAsync(scope, cancellationToken).ConfigureAwait(false);
+        if (!string.IsNullOrWhiteSpace(token))
+        {
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        }
+    }
+
+    private async Task<string?> GetAccessTokenAsync(string scope, CancellationToken cancellationToken)
+    {
+        if (tokenClient is null)
+        {
+            return null;
+        }
+
+        lock (tokenSync)
+        {
+            if (cachedAccessToken is not null && DateTimeOffset.UtcNow < cachedAccessTokenExpiresAt - TokenRefreshSkew)
+            {
+                return cachedAccessToken;
+            }
+        }
+
+        var result = await tokenClient.GetTokenAsync(
+            new StellaOpsTokenRequest { Scopes = [scope] },
+            cancellationToken).ConfigureAwait(false);
+
+        if (result.IsSuccess)
+        {
+            lock (tokenSync)
+            {
+                cachedAccessToken = result.AccessToken;
+                cachedAccessTokenExpiresAt = result.ExpiresAt;
+            }
+            return result.AccessToken;
+        }
+
+        logger.LogWarning("Token acquisition failed: {Error}", result.Error);
+        return null;
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/SbomerClient.cs b/src/Cli/StellaOps.Cli/Services/SbomerClient.cs
new file mode 100644
index 000000000..8befcd4ad
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/SbomerClient.cs
@@ -0,0 +1,254 @@
+using System;
+using System.Net.Http;
+using System.Net.Http.Json;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Auth.Client;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// HTTP client for Sbomer API operations.
+/// Per CLI-SBOM-60-001.
+/// </summary>
+internal sealed class SbomerClient : ISbomerClient
+{
+    private readonly HttpClient _httpClient;
+    private readonly IStellaOpsTokenClient? _tokenClient;
+    private readonly ILogger<SbomerClient> _logger;
+
+    private static readonly JsonSerializerOptions JsonOptions = new()
+    {
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+        PropertyNameCaseInsensitive = true
+    };
+
+    public SbomerClient(
+        HttpClient httpClient,
+        IStellaOpsTokenClient? tokenClient,
+        ILogger<SbomerClient> logger)
+    {
+        _httpClient = httpClient;
+        _tokenClient = tokenClient;
+        _logger = logger;
+    }
+
+    public async Task<SbomerLayerListResponse> ListLayersAsync(
+        SbomerLayerListRequest request,
+        CancellationToken cancellationToken)
+    {
+        await EnsureAuthenticatedAsync(cancellationToken).ConfigureAwait(false);
+
+        var query = BuildQueryString(request);
+        var response = await _httpClient.GetAsync($"/api/v1/sbomer/layers{query}", cancellationToken).ConfigureAwait(false);
+        response.EnsureSuccessStatusCode();
+
+        return await response.Content.ReadFromJsonAsync<SbomerLayerListResponse>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new SbomerLayerListResponse();
+    }
+
+    public async Task<SbomerLayerDetail?> GetLayerAsync(
+        SbomerLayerShowRequest request,
+        CancellationToken cancellationToken)
+    {
+        await EnsureAuthenticatedAsync(cancellationToken).ConfigureAwait(false);
+
+        var query = BuildLayerShowQuery(request);
+        var response = await _httpClient.GetAsync($"/api/v1/sbomer/layers/{Uri.EscapeDataString(request.LayerDigest)}{query}", cancellationToken).ConfigureAwait(false);
+
+        if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+            return null;
+
+        response.EnsureSuccessStatusCode();
+
+        return await response.Content.ReadFromJsonAsync<SbomerLayerDetail>(JsonOptions, cancellationToken).ConfigureAwait(false);
+    }
+
+    public async Task<SbomerLayerVerifyResult> VerifyLayerAsync(
+        SbomerLayerVerifyRequest request,
+        CancellationToken cancellationToken)
+    {
+        await EnsureAuthenticatedAsync(cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.PostAsJsonAsync(
+            $"/api/v1/sbomer/layers/{Uri.EscapeDataString(request.LayerDigest)}/verify",
+            request,
+            JsonOptions,
+            cancellationToken).ConfigureAwait(false);
+        response.EnsureSuccessStatusCode();
+
+        return await response.Content.ReadFromJsonAsync<SbomerLayerVerifyResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new SbomerLayerVerifyResult { LayerDigest = request.LayerDigest };
+    }
+
+    public async Task<CompositionManifest?> GetCompositionManifestAsync(
+        SbomerCompositionShowRequest request,
+        CancellationToken cancellationToken)
+    {
+        await EnsureAuthenticatedAsync(cancellationToken).ConfigureAwait(false);
+
+        var query = BuildCompositionShowQuery(request);
+        var response = await _httpClient.GetAsync($"/api/v1/sbomer/composition{query}", cancellationToken).ConfigureAwait(false);
+
+        if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+            return null;
+
+        response.EnsureSuccessStatusCode();
+
+        return await response.Content.ReadFromJsonAsync<CompositionManifest>(JsonOptions, cancellationToken).ConfigureAwait(false);
+    }
+
+    public async Task<SbomerComposeResult> ComposeAsync(
+        SbomerComposeRequest request,
+        CancellationToken cancellationToken)
+    {
+        await EnsureAuthenticatedAsync(cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.PostAsJsonAsync(
+            "/api/v1/sbomer/compose",
+            request,
+            JsonOptions,
+            cancellationToken).ConfigureAwait(false);
+        response.EnsureSuccessStatusCode();
+
+        return await response.Content.ReadFromJsonAsync<SbomerComposeResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new SbomerComposeResult();
+    }
+
+    public async Task<SbomerCompositionVerifyResult> VerifyCompositionAsync(
+        SbomerCompositionVerifyRequest request,
+        CancellationToken cancellationToken)
+    {
+        await EnsureAuthenticatedAsync(cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.PostAsJsonAsync(
+            "/api/v1/sbomer/composition/verify",
+            request,
+            JsonOptions,
+            cancellationToken).ConfigureAwait(false);
+        response.EnsureSuccessStatusCode();
+
+        return await response.Content.ReadFromJsonAsync<SbomerCompositionVerifyResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new SbomerCompositionVerifyResult();
+    }
+
+    public async Task<MerkleDiagnostics?> GetMerkleDiagnosticsAsync(
+        string scanId,
+        string? tenant,
+        CancellationToken cancellationToken)
+    {
+        await EnsureAuthenticatedAsync(cancellationToken).ConfigureAwait(false);
+
+        var query = string.IsNullOrWhiteSpace(tenant) ? "" : $"?tenant={Uri.EscapeDataString(tenant)}";
+        var response = await _httpClient.GetAsync($"/api/v1/sbomer/composition/{Uri.EscapeDataString(scanId)}/merkle{query}", cancellationToken).ConfigureAwait(false);
+
+        if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
+            return null;
+
+        response.EnsureSuccessStatusCode();
+
+        return await response.Content.ReadFromJsonAsync<MerkleDiagnostics>(JsonOptions, cancellationToken).ConfigureAwait(false);
+    }
+
+    // CLI-SBOM-60-002: Drift detection methods
+
+    public async Task<SbomerDriftResult> AnalyzeDriftAsync(
+        SbomerDriftRequest request,
+        CancellationToken cancellationToken)
+    {
+        await EnsureAuthenticatedAsync(cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.PostAsJsonAsync(
+            "/api/v1/sbomer/drift/analyze",
+            request,
+            JsonOptions,
+            cancellationToken).ConfigureAwait(false);
+        response.EnsureSuccessStatusCode();
+
+        return await response.Content.ReadFromJsonAsync<SbomerDriftResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new SbomerDriftResult();
+    }
+
+    public async Task<SbomerDriftVerifyResult> VerifyDriftAsync(
+        SbomerDriftVerifyRequest request,
+        CancellationToken cancellationToken)
+    {
+        await EnsureAuthenticatedAsync(cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.PostAsJsonAsync(
+            "/api/v1/sbomer/drift/verify",
+            request,
+            JsonOptions,
+            cancellationToken).ConfigureAwait(false);
+        response.EnsureSuccessStatusCode();
+
+        return await response.Content.ReadFromJsonAsync<SbomerDriftVerifyResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new SbomerDriftVerifyResult();
+    }
+
+    private async Task EnsureAuthenticatedAsync(CancellationToken cancellationToken)
+    {
+        if (_tokenClient == null)
+            return;
+
+        var token = await _tokenClient.GetTokenAsync(cancellationToken).ConfigureAwait(false);
+        if (!string.IsNullOrWhiteSpace(token))
+        {
+            _httpClient.DefaultRequestHeaders.Authorization =
+                new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);
+        }
+    }
+
+    private static string BuildQueryString(SbomerLayerListRequest request)
+    {
+        var parts = new System.Collections.Generic.List<string>();
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+            parts.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+        if (!string.IsNullOrWhiteSpace(request.ImageRef))
+            parts.Add($"imageRef={Uri.EscapeDataString(request.ImageRef)}");
+        if (!string.IsNullOrWhiteSpace(request.Digest))
+            parts.Add($"digest={Uri.EscapeDataString(request.Digest)}");
+        if (!string.IsNullOrWhiteSpace(request.ScanId))
+            parts.Add($"scanId={Uri.EscapeDataString(request.ScanId)}");
+        if (request.Limit.HasValue)
+            parts.Add($"limit={request.Limit.Value}");
+        if (!string.IsNullOrWhiteSpace(request.Cursor))
+            parts.Add($"cursor={Uri.EscapeDataString(request.Cursor)}");
+
+        return parts.Count > 0 ? "?" + string.Join("&", parts) : "";
+    }
+
+    private static string BuildLayerShowQuery(SbomerLayerShowRequest request)
+    {
+        var parts = new System.Collections.Generic.List<string>();
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+            parts.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+        if (!string.IsNullOrWhiteSpace(request.ScanId))
+            parts.Add($"scanId={Uri.EscapeDataString(request.ScanId)}");
+        if (request.IncludeComponents)
+            parts.Add("includeComponents=true");
+        if (request.IncludeDsse)
+            parts.Add("includeDsse=true");
+
+        return parts.Count > 0 ? "?" + string.Join("&", parts) : "";
+    }
+
+    private static string BuildCompositionShowQuery(SbomerCompositionShowRequest request)
+    {
+        var parts = new System.Collections.Generic.List<string>();
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+            parts.Add($"tenant={Uri.EscapeDataString(request.Tenant)}");
+        if (!string.IsNullOrWhiteSpace(request.ScanId))
+            parts.Add($"scanId={Uri.EscapeDataString(request.ScanId)}");
+        if (!string.IsNullOrWhiteSpace(request.CompositionPath))
+            parts.Add($"compositionPath={Uri.EscapeDataString(request.CompositionPath)}");
+
+        return parts.Count > 0 ? "?" + string.Join("&", parts) : "";
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Transport/HttpTransport.cs b/src/Cli/StellaOps.Cli/Services/Transport/HttpTransport.cs
new file mode 100644
index 000000000..c77a8e27a
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Transport/HttpTransport.cs
@@ -0,0 +1,164 @@
+using System;
+using System.IO;
+using System.Net.Http;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+
+namespace StellaOps.Cli.Services.Transport;
+
+/// <summary>
+/// HTTP transport implementation for online mode.
+/// CLI-SDK-62-001: Provides HTTP transport for online API operations.
+/// </summary>
+public sealed class HttpTransport : IStellaOpsTransport
+{
+    private readonly HttpClient _httpClient;
+    private readonly TransportOptions _options;
+    private readonly ILogger<HttpTransport> _logger;
+    private bool _disposed;
+
+    public HttpTransport(HttpClient httpClient, TransportOptions options, ILogger<HttpTransport> logger)
+    {
+        _httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
+        _options = options ?? throw new ArgumentNullException(nameof(options));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+
+        if (!string.IsNullOrWhiteSpace(_options.BackendUrl) && _httpClient.BaseAddress is null)
+        {
+            if (Uri.TryCreate(_options.BackendUrl, UriKind.Absolute, out var baseUri))
+            {
+                _httpClient.BaseAddress = baseUri;
+            }
+        }
+
+        _httpClient.Timeout = _options.Timeout;
+    }
+
+    /// <inheritdoc />
+    public bool IsOffline => false;
+
+    /// <inheritdoc />
+    public string TransportMode => "http";
+
+    /// <inheritdoc />
+    public async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+    {
+        return await SendAsync(request, HttpCompletionOption.ResponseContentRead, cancellationToken).ConfigureAwait(false);
+    }
+
+    /// <inheritdoc />
+    public async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
+    {
+        ObjectDisposedException.ThrowIf(_disposed, this);
+
+        var attempt = 0;
+        var maxAttempts = Math.Max(1, _options.MaxRetries);
+
+        while (true)
+        {
+            attempt++;
+            try
+            {
+                _logger.LogDebug("Sending {Method} request to {Uri} (attempt {Attempt}/{MaxAttempts})",
+                    request.Method, request.RequestUri, attempt, maxAttempts);
+
+                var response = await _httpClient.SendAsync(request, completionOption, cancellationToken).ConfigureAwait(false);
+
+                _logger.LogDebug("Received response {StatusCode} from {Uri}",
+                    (int)response.StatusCode, request.RequestUri);
+
+                return response;
+            }
+            catch (HttpRequestException ex) when (attempt < maxAttempts && IsRetryableException(ex))
+            {
+                var delay = GetRetryDelay(attempt);
+                _logger.LogWarning(ex, "Request failed (attempt {Attempt}/{MaxAttempts}). Retrying in {Delay}s...",
+                    attempt, maxAttempts, delay.TotalSeconds);
+
+                await Task.Delay(delay, cancellationToken).ConfigureAwait(false);
+
+                // Clone the request for retry
+                request = await CloneRequestAsync(request, cancellationToken).ConfigureAwait(false);
+            }
+        }
+    }
+
+    /// <inheritdoc />
+    public async Task<Stream> GetUploadStreamAsync(string endpoint, CancellationToken cancellationToken)
+    {
+        ObjectDisposedException.ThrowIf(_disposed, this);
+
+        // For HTTP transport, we return a memory stream that will be uploaded
+        // The caller is responsible for writing to the stream and then calling upload
+        return await Task.FromResult<Stream>(new MemoryStream()).ConfigureAwait(false);
+    }
+
+    /// <inheritdoc />
+    public async Task<Stream> GetDownloadStreamAsync(string endpoint, CancellationToken cancellationToken)
+    {
+        ObjectDisposedException.ThrowIf(_disposed, this);
+
+        using var request = new HttpRequestMessage(HttpMethod.Get, endpoint);
+        var response = await SendAsync(request, HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+        response.EnsureSuccessStatusCode();
+
+        return await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+    }
+
+    private static bool IsRetryableException(HttpRequestException ex)
+    {
+        // Retry on connection errors, timeouts, and server errors
+        return ex.InnerException is IOException
+            || ex.InnerException is OperationCanceledException
+            || (ex.StatusCode.HasValue && (int)ex.StatusCode.Value >= 500);
+    }
+
+    private static TimeSpan GetRetryDelay(int attempt)
+    {
+        // Exponential backoff with jitter
+        var baseDelay = Math.Pow(2, attempt);
+        var jitter = Random.Shared.NextDouble() * 0.5;
+        return TimeSpan.FromSeconds(baseDelay + jitter);
+    }
+
+    private static async Task<HttpRequestMessage> CloneRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+    {
+        var clone = new HttpRequestMessage(request.Method, request.RequestUri);
+
+        // Copy headers
+        foreach (var header in request.Headers)
+        {
+            clone.Headers.TryAddWithoutValidation(header.Key, header.Value);
+        }
+
+        // Copy content if present
+        if (request.Content is not null)
+        {
+            var content = await request.Content.ReadAsByteArrayAsync(cancellationToken).ConfigureAwait(false);
+            clone.Content = new ByteArrayContent(content);
+
+            foreach (var header in request.Content.Headers)
+            {
+                clone.Content.Headers.TryAddWithoutValidation(header.Key, header.Value);
+            }
+        }
+
+        // Copy options
+        foreach (var option in request.Options)
+        {
+            clone.Options.TryAdd(option.Key, option.Value);
+        }
+
+        return clone;
+    }
+
+    public void Dispose()
+    {
+        if (_disposed)
+            return;
+
+        _disposed = true;
+        // Note: We don't dispose _httpClient as it's typically managed by DI
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Transport/IStellaOpsTransport.cs b/src/Cli/StellaOps.Cli/Services/Transport/IStellaOpsTransport.cs
new file mode 100644
index 000000000..e0c13ab4b
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Transport/IStellaOpsTransport.cs
@@ -0,0 +1,95 @@
+using System;
+using System.IO;
+using System.Net.Http;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace StellaOps.Cli.Services.Transport;
+
+/// <summary>
+/// Transport abstraction for CLI operations.
+/// CLI-SDK-62-001: Supports modular transport for online and air-gapped modes.
+/// </summary>
+public interface IStellaOpsTransport : IDisposable
+{
+    /// <summary>
+    /// Gets whether this transport is operating in offline/air-gapped mode.
+    /// </summary>
+    bool IsOffline { get; }
+
+    /// <summary>
+    /// Gets the transport mode identifier.
+    /// </summary>
+    string TransportMode { get; }
+
+    /// <summary>
+    /// Sends an HTTP request and returns the response.
+    /// </summary>
+    Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Sends an HTTP request and returns the response with streaming content.
+    /// </summary>
+    Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets a stream for uploading content.
+    /// </summary>
+    Task<Stream> GetUploadStreamAsync(string endpoint, CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets a stream for downloading content.
+    /// </summary>
+    Task<Stream> GetDownloadStreamAsync(string endpoint, CancellationToken cancellationToken);
+}
+
+/// <summary>
+/// Transport configuration options.
+/// </summary>
+public sealed class TransportOptions
+{
+    /// <summary>
+    /// Base URL for the backend API.
+    /// </summary>
+    public string? BackendUrl { get; set; }
+
+    /// <summary>
+    /// Whether to operate in offline/air-gapped mode.
+    /// </summary>
+    public bool IsOffline { get; set; }
+
+    /// <summary>
+    /// Directory for offline kit data.
+    /// </summary>
+    public string? OfflineKitDirectory { get; set; }
+
+    /// <summary>
+    /// Request timeout.
+    /// </summary>
+    public TimeSpan Timeout { get; set; } = TimeSpan.FromMinutes(5);
+
+    /// <summary>
+    /// Maximum number of retry attempts.
+    /// </summary>
+    public int MaxRetries { get; set; } = 3;
+
+    /// <summary>
+    /// Whether to validate SSL certificates.
+    /// </summary>
+    public bool ValidateSsl { get; set; } = true;
+
+    /// <summary>
+    /// Custom CA certificate path for SSL validation.
+    /// </summary>
+    public string? CaCertificatePath { get; set; }
+
+    /// <summary>
+    /// Proxy URL if required.
+    /// </summary>
+    public string? ProxyUrl { get; set; }
+
+    /// <summary>
+    /// User agent string.
+    /// </summary>
+    public string UserAgent { get; set; } = "StellaOps-CLI/1.0";
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Transport/OfflineTransport.cs b/src/Cli/StellaOps.Cli/Services/Transport/OfflineTransport.cs
new file mode 100644
index 000000000..18682ff3d
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Transport/OfflineTransport.cs
@@ -0,0 +1,186 @@
+using System;
+using System.IO;
+using System.Net;
+using System.Net.Http;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+
+namespace StellaOps.Cli.Services.Transport;
+
+/// <summary>
+/// Offline transport implementation for air-gapped mode.
+/// CLI-SDK-62-001: Provides offline transport for air-gapped operations.
+/// </summary>
+public sealed class OfflineTransport : IStellaOpsTransport
+{
+    private readonly TransportOptions _options;
+    private readonly ILogger<OfflineTransport> _logger;
+    private readonly string _offlineKitDirectory;
+    private bool _disposed;
+
+    public OfflineTransport(TransportOptions options, ILogger<OfflineTransport> logger)
+    {
+        _options = options ?? throw new ArgumentNullException(nameof(options));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+
+        if (string.IsNullOrWhiteSpace(options.OfflineKitDirectory))
+        {
+            throw new ArgumentException("OfflineKitDirectory must be specified for offline transport.", nameof(options));
+        }
+
+        _offlineKitDirectory = options.OfflineKitDirectory;
+
+        if (!Directory.Exists(_offlineKitDirectory))
+        {
+            throw new DirectoryNotFoundException($"Offline kit directory not found: {_offlineKitDirectory}");
+        }
+    }
+
+    /// <inheritdoc />
+    public bool IsOffline => true;
+
+    /// <inheritdoc />
+    public string TransportMode => "offline";
+
+    /// <inheritdoc />
+    public Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+    {
+        return SendAsync(request, HttpCompletionOption.ResponseContentRead, cancellationToken);
+    }
+
+    /// <inheritdoc />
+    public async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
+    {
+        ObjectDisposedException.ThrowIf(_disposed, this);
+
+        _logger.LogDebug("Offline transport handling {Method} {Uri}", request.Method, request.RequestUri);
+
+        // Map the request to an offline resource
+        var (found, content) = await TryGetOfflineContentAsync(request, cancellationToken).ConfigureAwait(false);
+
+        if (found)
+        {
+            return new HttpResponseMessage(HttpStatusCode.OK)
+            {
+                Content = content,
+                RequestMessage = request
+            };
+        }
+
+        // Return a 503 Service Unavailable for operations that require online access
+        _logger.LogWarning("Operation not available in offline mode: {Method} {Uri}", request.Method, request.RequestUri);
+
+        return new HttpResponseMessage(HttpStatusCode.ServiceUnavailable)
+        {
+            Content = new StringContent(JsonSerializer.Serialize(new
+            {
+                error = new
+                {
+                    code = "ERR_AIRGAP_EGRESS_BLOCKED",
+                    message = "This operation is not available in offline/air-gapped mode."
+                }
+            })),
+            RequestMessage = request
+        };
+    }
+
+    /// <inheritdoc />
+    public Task<Stream> GetUploadStreamAsync(string endpoint, CancellationToken cancellationToken)
+    {
+        ObjectDisposedException.ThrowIf(_disposed, this);
+
+        // Create a staging area for uploads in offline mode
+        var stagingDir = Path.Combine(_offlineKitDirectory, "staging", "uploads");
+        Directory.CreateDirectory(stagingDir);
+
+        var stagingFile = Path.Combine(stagingDir, $"{Guid.NewGuid():N}.dat");
+        _logger.LogDebug("Creating offline upload staging file: {Path}", stagingFile);
+
+        return Task.FromResult<Stream>(File.Create(stagingFile));
+    }
+
+    /// <inheritdoc />
+    public Task<Stream> GetDownloadStreamAsync(string endpoint, CancellationToken cancellationToken)
+    {
+        ObjectDisposedException.ThrowIf(_disposed, this);
+
+        // Map endpoint to offline file
+        var localPath = MapEndpointToLocalPath(endpoint);
+
+        if (!File.Exists(localPath))
+        {
+            _logger.LogWarning("Offline resource not found: {Path}", localPath);
+            throw new FileNotFoundException($"Offline resource not found: {endpoint}", localPath);
+        }
+
+        _logger.LogDebug("Opening offline resource: {Path}", localPath);
+        return Task.FromResult<Stream>(File.OpenRead(localPath));
+    }
+
+    private async Task<(bool Found, HttpContent? Content)> TryGetOfflineContentAsync(
+        HttpRequestMessage request,
+        CancellationToken cancellationToken)
+    {
+        var uri = request.RequestUri;
+        if (uri is null)
+            return (false, null);
+
+        var path = uri.PathAndQuery.TrimStart('/');
+
+        // Check for cached API responses
+        var cachePath = Path.Combine(_offlineKitDirectory, "cache", "api", path.Replace('/', Path.DirectorySeparatorChar));
+
+        // Try with .json extension
+        var jsonPath = cachePath + ".json";
+        if (File.Exists(jsonPath))
+        {
+            var content = await File.ReadAllTextAsync(jsonPath, cancellationToken).ConfigureAwait(false);
+            return (true, new StringContent(content, System.Text.Encoding.UTF8, "application/json"));
+        }
+
+        // Try exact path
+        if (File.Exists(cachePath))
+        {
+            var content = await File.ReadAllBytesAsync(cachePath, cancellationToken).ConfigureAwait(false);
+            return (true, new ByteArrayContent(content));
+        }
+
+        // Check for bundled data
+        var bundlePath = Path.Combine(_offlineKitDirectory, "data", path.Replace('/', Path.DirectorySeparatorChar));
+        if (File.Exists(bundlePath))
+        {
+            var content = await File.ReadAllBytesAsync(bundlePath, cancellationToken).ConfigureAwait(false);
+            return (true, new ByteArrayContent(content));
+        }
+
+        return (false, null);
+    }
+
+    private string MapEndpointToLocalPath(string endpoint)
+    {
+        var path = endpoint.TrimStart('/');
+
+        // Check data directory first
+        var dataPath = Path.Combine(_offlineKitDirectory, "data", path.Replace('/', Path.DirectorySeparatorChar));
+        if (File.Exists(dataPath))
+            return dataPath;
+
+        // Check cache directory
+        var cachePath = Path.Combine(_offlineKitDirectory, "cache", path.Replace('/', Path.DirectorySeparatorChar));
+        if (File.Exists(cachePath))
+            return cachePath;
+
+        // Return data path as default (will throw FileNotFoundException if not found)
+        return dataPath;
+    }
+
+    public void Dispose()
+    {
+        if (_disposed)
+            return;
+
+        _disposed = true;
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Transport/StellaOpsClientBase.cs b/src/Cli/StellaOps.Cli/Services/Transport/StellaOpsClientBase.cs
new file mode 100644
index 000000000..b50793f4c
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Transport/StellaOpsClientBase.cs
@@ -0,0 +1,264 @@
+using System;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Net.Http.Json;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Cli.Output;
+using StellaOps.Cli.Services.Models.Transport;
+
+namespace StellaOps.Cli.Services.Transport;
+
+/// <summary>
+/// Base class for SDK-generated clients.
+/// CLI-SDK-62-001: Provides common functionality for SDK clients with modular transport.
+/// </summary>
+public abstract class StellaOpsClientBase : IDisposable
+{
+    private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web)
+    {
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase
+    };
+
+    private readonly IStellaOpsTransport _transport;
+    private readonly ILogger _logger;
+    private bool _disposed;
+
+    /// <summary>
+    /// Authorization token for API requests.
+    /// </summary>
+    protected string? AccessToken { get; set; }
+
+    /// <summary>
+    /// Current tenant context.
+    /// </summary>
+    protected string? TenantId { get; set; }
+
+    protected StellaOpsClientBase(IStellaOpsTransport transport, ILogger logger)
+    {
+        _transport = transport ?? throw new ArgumentNullException(nameof(transport));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    /// <summary>
+    /// Gets whether the client is operating in offline mode.
+    /// </summary>
+    public bool IsOffline => _transport.IsOffline;
+
+    /// <summary>
+    /// Sets the access token for authenticated requests.
+    /// </summary>
+    public void SetAccessToken(string? token)
+    {
+        AccessToken = token;
+    }
+
+    /// <summary>
+    /// Sets the tenant context.
+    /// </summary>
+    public void SetTenant(string? tenantId)
+    {
+        TenantId = tenantId;
+    }
+
+    /// <summary>
+    /// Throws if the operation requires online connectivity and transport is offline.
+    /// </summary>
+    protected void ThrowIfOffline(string operation)
+    {
+        if (_transport.IsOffline)
+        {
+            throw new InvalidOperationException(
+                $"Operation '{operation}' is not available in offline/air-gapped mode. " +
+                "Please use online mode or import the required data to the offline kit.");
+        }
+    }
+
+    /// <summary>
+    /// Sends a GET request and deserializes the response.
+    /// </summary>
+    protected async Task<TResponse?> GetAsync<TResponse>(
+        string relativeUrl,
+        CancellationToken cancellationToken) where TResponse : class
+    {
+        using var request = CreateRequest(HttpMethod.Get, relativeUrl);
+        var response = await SendAsync(request, cancellationToken).ConfigureAwait(false);
+
+        response.EnsureSuccessStatusCode();
+        return await response.Content.ReadFromJsonAsync<TResponse>(JsonOptions, cancellationToken).ConfigureAwait(false);
+    }
+
+    /// <summary>
+    /// Sends a POST request with JSON body and deserializes the response.
+    /// </summary>
+    protected async Task<TResponse?> PostAsync<TRequest, TResponse>(
+        string relativeUrl,
+        TRequest body,
+        CancellationToken cancellationToken)
+        where TRequest : class
+        where TResponse : class
+    {
+        using var request = CreateRequest(HttpMethod.Post, relativeUrl);
+        request.Content = JsonContent.Create(body, options: JsonOptions);
+
+        var response = await SendAsync(request, cancellationToken).ConfigureAwait(false);
+        response.EnsureSuccessStatusCode();
+
+        return await response.Content.ReadFromJsonAsync<TResponse>(JsonOptions, cancellationToken).ConfigureAwait(false);
+    }
+
+    /// <summary>
+    /// Sends a PUT request with JSON body and deserializes the response.
+    /// </summary>
+    protected async Task<TResponse?> PutAsync<TRequest, TResponse>(
+        string relativeUrl,
+        TRequest body,
+        CancellationToken cancellationToken)
+        where TRequest : class
+        where TResponse : class
+    {
+        using var request = CreateRequest(HttpMethod.Put, relativeUrl);
+        request.Content = JsonContent.Create(body, options: JsonOptions);
+
+        var response = await SendAsync(request, cancellationToken).ConfigureAwait(false);
+        response.EnsureSuccessStatusCode();
+
+        return await response.Content.ReadFromJsonAsync<TResponse>(JsonOptions, cancellationToken).ConfigureAwait(false);
+    }
+
+    /// <summary>
+    /// Sends a DELETE request.
+    /// </summary>
+    protected async Task DeleteAsync(string relativeUrl, CancellationToken cancellationToken)
+    {
+        using var request = CreateRequest(HttpMethod.Delete, relativeUrl);
+        var response = await SendAsync(request, cancellationToken).ConfigureAwait(false);
+        response.EnsureSuccessStatusCode();
+    }
+
+    /// <summary>
+    /// Sends a request and parses any error response.
+    /// </summary>
+    protected async Task<(TResponse? Result, CliError? Error)> TrySendAsync<TResponse>(
+        HttpRequestMessage request,
+        CancellationToken cancellationToken) where TResponse : class
+    {
+        var response = await SendAsync(request, cancellationToken).ConfigureAwait(false);
+
+        if (response.IsSuccessStatusCode)
+        {
+            var result = await response.Content.ReadFromJsonAsync<TResponse>(JsonOptions, cancellationToken).ConfigureAwait(false);
+            return (result, null);
+        }
+
+        var error = await ParseErrorAsync(response, cancellationToken).ConfigureAwait(false);
+        return (null, error);
+    }
+
+    /// <summary>
+    /// Creates an HTTP request with standard headers.
+    /// </summary>
+    protected HttpRequestMessage CreateRequest(HttpMethod method, string relativeUrl)
+    {
+        var request = new HttpRequestMessage(method, relativeUrl);
+
+        // Add authorization header
+        if (!string.IsNullOrWhiteSpace(AccessToken))
+        {
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", AccessToken);
+        }
+
+        // Add tenant header
+        if (!string.IsNullOrWhiteSpace(TenantId))
+        {
+            request.Headers.TryAddWithoutValidation("X-Tenant-Id", TenantId);
+        }
+
+        // Add standard headers
+        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+
+        return request;
+    }
+
+    /// <summary>
+    /// Sends a request through the transport.
+    /// </summary>
+    protected async Task<HttpResponseMessage> SendAsync(
+        HttpRequestMessage request,
+        CancellationToken cancellationToken)
+    {
+        ObjectDisposedException.ThrowIf(_disposed, this);
+
+        _logger.LogDebug("Sending {Method} request to {Uri}", request.Method, request.RequestUri);
+
+        return await _transport.SendAsync(request, cancellationToken).ConfigureAwait(false);
+    }
+
+    /// <summary>
+    /// Parses an error response into a CliError.
+    /// </summary>
+    protected async Task<CliError> ParseErrorAsync(
+        HttpResponseMessage response,
+        CancellationToken cancellationToken)
+    {
+        var statusCode = (int)response.StatusCode;
+        string? content = null;
+
+        try
+        {
+            content = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+        }
+        catch
+        {
+            // Ignore content read errors
+        }
+
+        // Try to parse as error envelope
+        if (!string.IsNullOrWhiteSpace(content))
+        {
+            try
+            {
+                var envelope = JsonSerializer.Deserialize<ApiErrorEnvelope>(content, JsonOptions);
+                if (envelope?.Error is not null)
+                {
+                    return CliError.FromApiErrorEnvelope(envelope, statusCode);
+                }
+            }
+            catch (JsonException)
+            {
+                // Not an error envelope
+            }
+
+            // Try to parse as problem details
+            try
+            {
+                var problem = JsonSerializer.Deserialize<ProblemDocument>(content, JsonOptions);
+                if (problem is not null)
+                {
+                    return new CliError(
+                        Code: problem.Type ?? $"ERR_HTTP_{statusCode}",
+                        Message: problem.Title ?? $"HTTP error {statusCode}",
+                        Detail: problem.Detail);
+                }
+            }
+            catch (JsonException)
+            {
+                // Not a problem document
+            }
+        }
+
+        // Fall back to HTTP status-based error
+        return CliError.FromHttpStatus(statusCode, content);
+    }
+
+    public void Dispose()
+    {
+        if (_disposed)
+            return;
+
+        _disposed = true;
+        _transport.Dispose();
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Services/Transport/TransportFactory.cs b/src/Cli/StellaOps.Cli/Services/Transport/TransportFactory.cs
new file mode 100644
index 000000000..790675f37
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/Transport/TransportFactory.cs
@@ -0,0 +1,126 @@
+using System;
+using System.Net.Http;
+using Microsoft.Extensions.Logging;
+using StellaOps.Cli.Configuration;
+
+namespace StellaOps.Cli.Services.Transport;
+
+/// <summary>
+/// Factory for creating transport instances based on configuration.
+/// CLI-SDK-62-001: Provides modular transport selection for online/offline modes.
+/// </summary>
+public sealed class TransportFactory : ITransportFactory
+{
+    private readonly IHttpClientFactory _httpClientFactory;
+    private readonly ILoggerFactory _loggerFactory;
+    private readonly StellaOpsCliOptions _options;
+    private readonly CliProfileManager _profileManager;
+
+    public TransportFactory(
+        IHttpClientFactory httpClientFactory,
+        ILoggerFactory loggerFactory,
+        StellaOpsCliOptions options,
+        CliProfileManager profileManager)
+    {
+        _httpClientFactory = httpClientFactory ?? throw new ArgumentNullException(nameof(httpClientFactory));
+        _loggerFactory = loggerFactory ?? throw new ArgumentNullException(nameof(loggerFactory));
+        _options = options ?? throw new ArgumentNullException(nameof(options));
+        _profileManager = profileManager ?? throw new ArgumentNullException(nameof(profileManager));
+    }
+
+    /// <summary>
+    /// Creates a transport instance based on current configuration.
+    /// </summary>
+    public IStellaOpsTransport CreateTransport()
+    {
+        var transportOptions = CreateTransportOptions();
+
+        if (transportOptions.IsOffline)
+        {
+            return CreateOfflineTransport(transportOptions);
+        }
+
+        return CreateHttpTransport(transportOptions);
+    }
+
+    /// <summary>
+    /// Creates an HTTP transport for online operations.
+    /// </summary>
+    public IStellaOpsTransport CreateHttpTransport(TransportOptions? options = null)
+    {
+        options ??= CreateTransportOptions();
+
+        var httpClient = _httpClientFactory.CreateClient("StellaOps");
+        var logger = _loggerFactory.CreateLogger<HttpTransport>();
+
+        return new HttpTransport(httpClient, options, logger);
+    }
+
+    /// <summary>
+    /// Creates an offline transport for air-gapped operations.
+    /// </summary>
+    public IStellaOpsTransport CreateOfflineTransport(TransportOptions? options = null)
+    {
+        options ??= CreateTransportOptions();
+
+        if (string.IsNullOrWhiteSpace(options.OfflineKitDirectory))
+        {
+            throw new InvalidOperationException("Offline kit directory must be specified for offline transport.");
+        }
+
+        var logger = _loggerFactory.CreateLogger<OfflineTransport>();
+        return new OfflineTransport(options, logger);
+    }
+
+    /// <summary>
+    /// Creates transport options from current configuration.
+    /// </summary>
+    public TransportOptions CreateTransportOptions()
+    {
+        var profile = _profileManager.GetCurrentProfileAsync().GetAwaiter().GetResult();
+
+        return new TransportOptions
+        {
+            BackendUrl = profile?.BackendUrl ?? _options.BackendUrl,
+            IsOffline = profile?.IsOffline ?? _options.IsOffline,
+            OfflineKitDirectory = profile?.OfflineKitDirectory ?? _options.OfflineKitDirectory,
+            Timeout = TimeSpan.FromMinutes(5),
+            MaxRetries = 3,
+            ValidateSsl = true,
+            UserAgent = $"StellaOps-CLI/{GetVersion()}"
+        };
+    }
+
+    private static string GetVersion()
+    {
+        var assembly = typeof(TransportFactory).Assembly;
+        var version = assembly.GetName().Version;
+        return version?.ToString() ?? "1.0.0";
+    }
+}
+
+/// <summary>
+/// Factory interface for creating transport instances.
+/// </summary>
+public interface ITransportFactory
+{
+    /// <summary>
+    /// Creates a transport instance based on current configuration.
+    /// </summary>
+    IStellaOpsTransport CreateTransport();
+
+    /// <summary>
+    /// Creates an HTTP transport for online operations.
+    /// </summary>
+    IStellaOpsTransport CreateHttpTransport(TransportOptions? options = null);
+
+    /// <summary>
+    /// Creates an offline transport for air-gapped operations.
+    /// </summary>
+    IStellaOpsTransport CreateOfflineTransport(TransportOptions? options = null);
+
+    /// <summary>
+    /// Creates transport options from current configuration.
+    /// </summary>
+    TransportOptions CreateTransportOptions();
+}
diff --git a/src/Cli/StellaOps.Cli/Services/VexObservationsClient.cs b/src/Cli/StellaOps.Cli/Services/VexObservationsClient.cs
new file mode 100644
index 000000000..9126bf281
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Services/VexObservationsClient.cs
@@ -0,0 +1,228 @@
+using System;
+using System.Net;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Text;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using StellaOps.Auth.Abstractions;
+using StellaOps.Auth.Client;
+using StellaOps.Cli.Services.Models;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// HTTP client for VEX observation queries.
+/// Per CLI-LNM-22-002.
+/// </summary>
+internal sealed class VexObservationsClient : IVexObservationsClient
+{
+    private readonly HttpClient _httpClient;
+    private readonly ITokenClient? _tokenClient;
+    private readonly ILogger<VexObservationsClient> _logger;
+    private string? _cachedToken;
+    private DateTimeOffset _tokenExpiry;
+
+    private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
+    {
+        PropertyNameCaseInsensitive = true
+    };
+
+    public VexObservationsClient(
+        HttpClient httpClient,
+        ILogger<VexObservationsClient> logger,
+        ITokenClient? tokenClient = null)
+    {
+        _httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _tokenClient = tokenClient;
+    }
+
+    public async Task<VexObservationResponse> GetObservationsAsync(
+        VexObservationQuery query,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(query);
+
+        await EnsureAuthorizationAsync(cancellationToken).ConfigureAwait(false);
+
+        var requestUri = BuildObservationRequestUri(query);
+        _logger.LogDebug("Fetching VEX observations from {Uri}", requestUri);
+
+        using var response = await _httpClient.GetAsync(requestUri, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorBody = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+            _logger.LogError("VEX observations request failed: {StatusCode} - {Body}",
+                response.StatusCode, errorBody);
+            throw new HttpRequestException($"Failed to fetch VEX observations: {response.StatusCode}");
+        }
+
+        var content = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+        return JsonSerializer.Deserialize<VexObservationResponse>(content, SerializerOptions)
+            ?? new VexObservationResponse();
+    }
+
+    public async Task<VexLinksetResponse> GetLinksetAsync(
+        VexLinksetQuery query,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(query);
+
+        await EnsureAuthorizationAsync(cancellationToken).ConfigureAwait(false);
+
+        var requestUri = BuildLinksetRequestUri(query);
+        _logger.LogDebug("Fetching VEX linkset from {Uri}", requestUri);
+
+        using var response = await _httpClient.GetAsync(requestUri, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorBody = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+            _logger.LogError("VEX linkset request failed: {StatusCode} - {Body}",
+                response.StatusCode, errorBody);
+            throw new HttpRequestException($"Failed to fetch VEX linkset: {response.StatusCode}");
+        }
+
+        var content = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+        return JsonSerializer.Deserialize<VexLinksetResponse>(content, SerializerOptions)
+            ?? new VexLinksetResponse();
+    }
+
+    public async Task<VexObservation?> GetObservationByIdAsync(
+        string tenant,
+        string observationId,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(tenant);
+        ArgumentException.ThrowIfNullOrWhiteSpace(observationId);
+
+        await EnsureAuthorizationAsync(cancellationToken).ConfigureAwait(false);
+
+        var requestUri = $"api/v1/tenants/{Uri.EscapeDataString(tenant)}/vex/observations/{Uri.EscapeDataString(observationId)}";
+        _logger.LogDebug("Fetching VEX observation {ObservationId} from {Uri}", observationId, requestUri);
+
+        using var response = await _httpClient.GetAsync(requestUri, cancellationToken).ConfigureAwait(false);
+
+        if (response.StatusCode == HttpStatusCode.NotFound)
+        {
+            return null;
+        }
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var errorBody = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+            _logger.LogError("VEX observation request failed: {StatusCode} - {Body}",
+                response.StatusCode, errorBody);
+            throw new HttpRequestException($"Failed to fetch VEX observation: {response.StatusCode}");
+        }
+
+        var content = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+        return JsonSerializer.Deserialize<VexObservation>(content, SerializerOptions);
+    }
+
+    private async Task EnsureAuthorizationAsync(CancellationToken cancellationToken)
+    {
+        if (_tokenClient is null)
+        {
+            return;
+        }
+
+        if (!string.IsNullOrWhiteSpace(_cachedToken) && DateTimeOffset.UtcNow < _tokenExpiry)
+        {
+            _httpClient.DefaultRequestHeaders.Authorization =
+                new AuthenticationHeaderValue("Bearer", _cachedToken);
+            return;
+        }
+
+        var tokenResult = await _tokenClient.GetAccessTokenAsync(
+            new[] { StellaOpsScopes.VexRead },
+            cancellationToken).ConfigureAwait(false);
+
+        if (tokenResult.IsSuccess && !string.IsNullOrWhiteSpace(tokenResult.AccessToken))
+        {
+            _cachedToken = tokenResult.AccessToken;
+            _tokenExpiry = DateTimeOffset.UtcNow.AddMinutes(55);
+            _httpClient.DefaultRequestHeaders.Authorization =
+                new AuthenticationHeaderValue("Bearer", _cachedToken);
+        }
+        else
+        {
+            _logger.LogWarning("Failed to acquire token for VEX API access.");
+        }
+    }
+
+    private static string BuildObservationRequestUri(VexObservationQuery query)
+    {
+        var sb = new StringBuilder();
+        sb.Append($"api/v1/tenants/{Uri.EscapeDataString(query.Tenant)}/vex/observations?");
+
+        foreach (var vulnId in query.VulnerabilityIds)
+        {
+            sb.Append($"vulnerabilityId={Uri.EscapeDataString(vulnId)}&");
+        }
+
+        foreach (var productKey in query.ProductKeys)
+        {
+            sb.Append($"productKey={Uri.EscapeDataString(productKey)}&");
+        }
+
+        foreach (var purl in query.Purls)
+        {
+            sb.Append($"purl={Uri.EscapeDataString(purl)}&");
+        }
+
+        foreach (var cpe in query.Cpes)
+        {
+            sb.Append($"cpe={Uri.EscapeDataString(cpe)}&");
+        }
+
+        foreach (var status in query.Statuses)
+        {
+            sb.Append($"status={Uri.EscapeDataString(status)}&");
+        }
+
+        foreach (var providerId in query.ProviderIds)
+        {
+            sb.Append($"providerId={Uri.EscapeDataString(providerId)}&");
+        }
+
+        if (query.Limit.HasValue)
+        {
+            sb.Append($"limit={query.Limit.Value}&");
+        }
+
+        if (!string.IsNullOrWhiteSpace(query.Cursor))
+        {
+            sb.Append($"cursor={Uri.EscapeDataString(query.Cursor)}&");
+        }
+
+        return sb.ToString().TrimEnd('&', '?');
+    }
+
+    private static string BuildLinksetRequestUri(VexLinksetQuery query)
+    {
+        var sb = new StringBuilder();
+        sb.Append($"api/v1/tenants/{Uri.EscapeDataString(query.Tenant)}/vex/linkset/{Uri.EscapeDataString(query.VulnerabilityId)}?");
+
+        foreach (var productKey in query.ProductKeys)
+        {
+            sb.Append($"productKey={Uri.EscapeDataString(productKey)}&");
+        }
+
+        foreach (var purl in query.Purls)
+        {
+            sb.Append($"purl={Uri.EscapeDataString(purl)}&");
+        }
+
+        foreach (var status in query.Statuses)
+        {
+            sb.Append($"status={Uri.EscapeDataString(status)}&");
+        }
+
+        return sb.ToString().TrimEnd('&', '?');
+    }
+}
diff --git a/src/Cli/StellaOps.Cli/Telemetry/TraceparentHttpMessageHandler.cs b/src/Cli/StellaOps.Cli/Telemetry/TraceparentHttpMessageHandler.cs
new file mode 100644
index 000000000..c273fe14b
--- /dev/null
+++ b/src/Cli/StellaOps.Cli/Telemetry/TraceparentHttpMessageHandler.cs
@@ -0,0 +1,192 @@
+using System;
+using System.Diagnostics;
+using System.Net.Http;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+
+namespace StellaOps.Cli.Telemetry;
+
+/// <summary>
+/// HTTP message handler that propagates W3C Trace Context (traceparent) headers.
+/// Per CLI-OBS-50-001, ensures CLI HTTP client propagates traceparent headers for all commands,
+/// prints correlation IDs on failure, and records trace IDs in verbose logs.
+/// </summary>
+public sealed class TraceparentHttpMessageHandler : DelegatingHandler
+{
+    private const string TraceparentHeader = "traceparent";
+    private const string TracestateHeader = "tracestate";
+    private const string RequestIdHeader = "x-request-id";
+    private const string CorrelationIdHeader = "x-correlation-id";
+
+    private readonly ILogger<TraceparentHttpMessageHandler> _logger;
+    private readonly bool _verbose;
+
+    public TraceparentHttpMessageHandler(
+        ILogger<TraceparentHttpMessageHandler> logger,
+        bool verbose = false)
+    {
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _verbose = verbose;
+    }
+
+    protected override async Task<HttpResponseMessage> SendAsync(
+        HttpRequestMessage request,
+        CancellationToken cancellationToken)
+    {
+        var activity = Activity.Current;
+        string? traceId = null;
+        string? spanId = null;
+
+        // Generate or use existing trace context
+        if (activity is not null)
+        {
+            traceId = activity.TraceId.ToString();
+            spanId = activity.SpanId.ToString();
+
+            // Add W3C traceparent header if not already present
+            if (!request.Headers.Contains(TraceparentHeader))
+            {
+                var traceparent = $"00-{traceId}-{spanId}-{(activity.Recorded ? "01" : "00")}";
+                request.Headers.TryAddWithoutValidation(TraceparentHeader, traceparent);
+
+                if (_verbose)
+                {
+                    _logger.LogDebug("Added traceparent header: {Traceparent}", traceparent);
+                }
+            }
+
+            // Add tracestate if present
+            if (!string.IsNullOrWhiteSpace(activity.TraceStateString) &&
+                !request.Headers.Contains(TracestateHeader))
+            {
+                request.Headers.TryAddWithoutValidation(TracestateHeader, activity.TraceStateString);
+            }
+        }
+        else
+        {
+            // Generate a new trace ID if no activity exists
+            traceId = Guid.NewGuid().ToString("N");
+            spanId = Guid.NewGuid().ToString("N")[..16];
+
+            if (!request.Headers.Contains(TraceparentHeader))
+            {
+                var traceparent = $"00-{traceId}-{spanId}-00";
+                request.Headers.TryAddWithoutValidation(TraceparentHeader, traceparent);
+
+                if (_verbose)
+                {
+                    _logger.LogDebug("Generated new traceparent header: {Traceparent}", traceparent);
+                }
+            }
+        }
+
+        // Also add x-request-id for legacy compatibility
+        if (!request.Headers.Contains(RequestIdHeader))
+        {
+            request.Headers.TryAddWithoutValidation(RequestIdHeader, traceId);
+        }
+
+        if (_verbose)
+        {
+            _logger.LogDebug(
+                "Sending {Method} {Uri} with trace_id={TraceId}",
+                request.Method,
+                ScrubUrl(request.RequestUri),
+                traceId);
+        }
+
+        HttpResponseMessage response;
+        try
+        {
+            response = await base.SendAsync(request, cancellationToken).ConfigureAwait(false);
+        }
+        catch (Exception ex) when (ex is not OperationCanceledException)
+        {
+            _logger.LogError(
+                "Request failed: {Method} {Uri} trace_id={TraceId} error={Error}",
+                request.Method,
+                ScrubUrl(request.RequestUri),
+                traceId,
+                ex.Message);
+            throw;
+        }
+
+        // Extract correlation ID from response if present
+        var responseTraceId = GetResponseTraceId(response);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            _logger.LogWarning(
+                "Request returned {StatusCode}: {Method} {Uri} trace_id={TraceId} response_trace_id={ResponseTraceId}",
+                (int)response.StatusCode,
+                request.Method,
+                ScrubUrl(request.RequestUri),
+                traceId,
+                responseTraceId ?? "(not provided)");
+        }
+        else if (_verbose)
+        {
+            _logger.LogDebug(
+                "Request completed {StatusCode}: {Method} {Uri} trace_id={TraceId}",
+                (int)response.StatusCode,
+                request.Method,
+                ScrubUrl(request.RequestUri),
+                traceId);
+        }
+
+        return response;
+    }
+
+    private static string? GetResponseTraceId(HttpResponseMessage response)
+    {
+        if (response.Headers.TryGetValues(CorrelationIdHeader, out var correlationValues))
+        {
+            return string.Join(",", correlationValues);
+        }
+
+        if (response.Headers.TryGetValues(RequestIdHeader, out var requestIdValues))
+        {
+            return string.Join(",", requestIdValues);
+        }
+
+        if (response.Headers.TryGetValues("x-trace-id", out var traceIdValues))
+        {
+            return string.Join(",", traceIdValues);
+        }
+
+        return null;
+    }
+
+    private static string ScrubUrl(Uri? uri)
+    {
+        if (uri is null)
+            return "(null)";
+
+        // Remove query string to avoid logging sensitive parameters
+        return $"{uri.Scheme}://{uri.Authority}{uri.AbsolutePath}";
+    }
+}
+
+/// <summary>
+/// Extension to add traceparent propagation to HTTP client.
+/// </summary>
+public static class TraceparentHttpClientBuilderExtensions
+{
+    /// <summary>
+    /// Adds W3C Trace Context (traceparent) header propagation to the HTTP client.
+    /// Per CLI-OBS-50-001.
+    /// </summary>
+    public static IHttpClientBuilder AddTraceparentPropagation(
+        this IHttpClientBuilder builder,
+        bool verbose = false)
+    {
+        return builder.AddHttpMessageHandler(sp =>
+        {
+            var loggerFactory = sp.GetRequiredService<ILoggerFactory>();
+            return new TraceparentHttpMessageHandler(
+                loggerFactory.CreateLogger<TraceparentHttpMessageHandler>(),
+                verbose);
+        });
+    }
+}
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/AdvisoryFieldChangeEmitter.cs b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/AdvisoryFieldChangeEmitter.cs
new file mode 100644
index 000000000..3c123d00a
--- /dev/null
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/AdvisoryFieldChangeEmitter.cs
@@ -0,0 +1,377 @@
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+
+namespace StellaOps.Concelier.Core.Risk;
+
+/// <summary>
+/// Default implementation of <see cref="IAdvisoryFieldChangeEmitter"/>.
+/// Per CONCELIER-RISK-69-001, emits notifications on upstream advisory field changes
+/// with observation IDs and provenance; no severity inference.
+/// </summary>
+public sealed class AdvisoryFieldChangeEmitter : IAdvisoryFieldChangeEmitter
+{
+    private readonly IAdvisoryFieldChangeNotificationPublisher _publisher;
+    private readonly ILogger<AdvisoryFieldChangeEmitter> _logger;
+    private readonly TimeProvider _timeProvider;
+
+    public AdvisoryFieldChangeEmitter(
+        IAdvisoryFieldChangeNotificationPublisher publisher,
+        ILogger<AdvisoryFieldChangeEmitter> logger,
+        TimeProvider? timeProvider = null)
+    {
+        _publisher = publisher ?? throw new ArgumentNullException(nameof(publisher));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _timeProvider = timeProvider ?? TimeProvider.System;
+    }
+
+    /// <inheritdoc />
+    public async Task<AdvisoryFieldChangeNotification?> EmitChangesAsync(
+        string tenantId,
+        string observationId,
+        VendorRiskSignal? previousSignal,
+        VendorRiskSignal currentSignal,
+        string? linksetId,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(observationId);
+        ArgumentNullException.ThrowIfNull(currentSignal);
+
+        var changes = DetectChanges(previousSignal, currentSignal);
+
+        if (changes.IsDefaultOrEmpty)
+        {
+            _logger.LogDebug(
+                "No field changes detected for observation {ObservationId}",
+                observationId);
+            return null;
+        }
+
+        var now = _timeProvider.GetUtcNow();
+        var changeType = DetermineChangeType(changes);
+        var provenance = BuildProvenance(previousSignal, currentSignal);
+
+        var notification = new AdvisoryFieldChangeNotification(
+            NotificationId: Guid.NewGuid(),
+            TenantId: tenantId,
+            AdvisoryId: currentSignal.AdvisoryId,
+            ObservationId: observationId,
+            LinksetId: linksetId,
+            ChangeType: changeType,
+            Changes: changes,
+            Provenance: provenance,
+            DetectedAt: now,
+            EmittedAt: now);
+
+        await _publisher.PublishAsync(notification, cancellationToken).ConfigureAwait(false);
+
+        _logger.LogInformation(
+            "Emitted field change notification for observation {ObservationId}: type={ChangeType}, fields=[{Fields}]",
+            observationId, changeType, string.Join(", ", notification.ChangedFields));
+
+        return notification;
+    }
+
+    /// <inheritdoc />
+    public async Task<IReadOnlyList<AdvisoryFieldChangeNotification>> EmitLinksetChangesAsync(
+        string tenantId,
+        string linksetId,
+        IReadOnlyList<VendorRiskSignal> previousSignals,
+        IReadOnlyList<VendorRiskSignal> currentSignals,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(linksetId);
+        ArgumentNullException.ThrowIfNull(currentSignals);
+
+        var previousByObservation = (previousSignals ?? [])
+            .ToDictionary(s => s.ObservationId, StringComparer.Ordinal);
+
+        var notifications = new List<AdvisoryFieldChangeNotification>();
+
+        foreach (var currentSignal in currentSignals)
+        {
+            previousByObservation.TryGetValue(currentSignal.ObservationId, out var previousSignal);
+
+            var notification = await EmitChangesAsync(
+                tenantId,
+                currentSignal.ObservationId,
+                previousSignal,
+                currentSignal,
+                linksetId,
+                cancellationToken).ConfigureAwait(false);
+
+            if (notification is not null)
+            {
+                notifications.Add(notification);
+            }
+        }
+
+        // Check for withdrawn observations
+        var currentObservationIds = currentSignals
+            .Select(s => s.ObservationId)
+            .ToHashSet(StringComparer.Ordinal);
+
+        foreach (var previousSignal in previousSignals ?? [])
+        {
+            if (!currentObservationIds.Contains(previousSignal.ObservationId))
+            {
+                var withdrawnNotification = await EmitWithdrawnAsync(
+                    tenantId,
+                    previousSignal,
+                    linksetId,
+                    cancellationToken).ConfigureAwait(false);
+
+                if (withdrawnNotification is not null)
+                {
+                    notifications.Add(withdrawnNotification);
+                }
+            }
+        }
+
+        return notifications;
+    }
+
+    private async Task<AdvisoryFieldChangeNotification?> EmitWithdrawnAsync(
+        string tenantId,
+        VendorRiskSignal previousSignal,
+        string? linksetId,
+        CancellationToken cancellationToken)
+    {
+        var now = _timeProvider.GetUtcNow();
+        var provenance = new AdvisoryFieldChangeProvenance(
+            Vendor: previousSignal.Provenance.Vendor,
+            Source: previousSignal.Provenance.Source,
+            ObservationHash: previousSignal.Provenance.ObservationHash,
+            FetchedAt: previousSignal.Provenance.FetchedAt,
+            IngestJobId: previousSignal.Provenance.IngestJobId,
+            UpstreamId: previousSignal.Provenance.UpstreamId,
+            PreviousObservationHash: null);
+
+        var change = new AdvisoryFieldChange(
+            Field: "observation_status",
+            PreviousValue: "active",
+            CurrentValue: "withdrawn",
+            Category: AdvisoryFieldChangeCategory.Metadata,
+            Provenance: provenance);
+
+        var notification = new AdvisoryFieldChangeNotification(
+            NotificationId: Guid.NewGuid(),
+            TenantId: tenantId,
+            AdvisoryId: previousSignal.AdvisoryId,
+            ObservationId: previousSignal.ObservationId,
+            LinksetId: linksetId,
+            ChangeType: AdvisoryFieldChangeType.ObservationWithdrawn,
+            Changes: [change],
+            Provenance: provenance,
+            DetectedAt: now,
+            EmittedAt: now);
+
+        await _publisher.PublishAsync(notification, cancellationToken).ConfigureAwait(false);
+
+        _logger.LogInformation(
+            "Emitted withdrawn observation notification for {ObservationId}",
+            previousSignal.ObservationId);
+
+        return notification;
+    }
+
+    private static ImmutableArray<AdvisoryFieldChange> DetectChanges(
+        VendorRiskSignal? previousSignal,
+        VendorRiskSignal currentSignal)
+    {
+        var changes = ImmutableArray.CreateBuilder<AdvisoryFieldChange>();
+        var currentProvenance = MapProvenance(currentSignal.Provenance, previousSignal?.Provenance.ObservationHash);
+
+        // New observation
+        if (previousSignal is null)
+        {
+            changes.Add(new AdvisoryFieldChange(
+                Field: "observation_status",
+                PreviousValue: null,
+                CurrentValue: "active",
+                Category: AdvisoryFieldChangeCategory.Metadata,
+                Provenance: currentProvenance));
+
+            // Report initial fix availability if present
+            if (currentSignal.HasFixAvailable)
+            {
+                var fixVersion = currentSignal.FixAvailability.FirstOrDefault(f => f.Status == FixStatus.Available)?.FixedVersion;
+                changes.Add(new AdvisoryFieldChange(
+                    Field: "fix_availability",
+                    PreviousValue: null,
+                    CurrentValue: fixVersion ?? "available",
+                    Category: AdvisoryFieldChangeCategory.Remediation,
+                    Provenance: currentProvenance));
+            }
+
+            // Report initial KEV status if present
+            if (currentSignal.IsKnownExploited)
+            {
+                changes.Add(new AdvisoryFieldChange(
+                    Field: "kev_status",
+                    PreviousValue: null,
+                    CurrentValue: "in_kev",
+                    Category: AdvisoryFieldChangeCategory.Threat,
+                    Provenance: currentProvenance));
+            }
+
+            // Report initial severity if present
+            if (currentSignal.HighestCvssScore is not null)
+            {
+                changes.Add(new AdvisoryFieldChange(
+                    Field: "severity",
+                    PreviousValue: null,
+                    CurrentValue: currentSignal.HighestCvssScore.EffectiveSeverity,
+                    Category: AdvisoryFieldChangeCategory.Risk,
+                    Provenance: currentProvenance));
+            }
+
+            return changes.ToImmutable();
+        }
+
+        // Compare fix availability
+        var previousHasFix = previousSignal.HasFixAvailable;
+        var currentHasFix = currentSignal.HasFixAvailable;
+
+        if (previousHasFix != currentHasFix)
+        {
+            var previousValue = previousHasFix ? GetFixVersion(previousSignal) ?? "available" : "not_available";
+            var currentValue = currentHasFix ? GetFixVersion(currentSignal) ?? "available" : "not_available";
+
+            changes.Add(new AdvisoryFieldChange(
+                Field: "fix_availability",
+                PreviousValue: previousValue,
+                CurrentValue: currentValue,
+                Category: AdvisoryFieldChangeCategory.Remediation,
+                Provenance: currentProvenance));
+        }
+        else if (currentHasFix)
+        {
+            // Both have fixes - check if version changed
+            var previousVersion = GetFixVersion(previousSignal);
+            var currentVersion = GetFixVersion(currentSignal);
+
+            if (!string.Equals(previousVersion, currentVersion, StringComparison.Ordinal))
+            {
+                changes.Add(new AdvisoryFieldChange(
+                    Field: "fix_version",
+                    PreviousValue: previousVersion,
+                    CurrentValue: currentVersion,
+                    Category: AdvisoryFieldChangeCategory.Remediation,
+                    Provenance: currentProvenance));
+            }
+        }
+
+        // Compare KEV status
+        var previousInKev = previousSignal.IsKnownExploited;
+        var currentInKev = currentSignal.IsKnownExploited;
+
+        if (previousInKev != currentInKev)
+        {
+            changes.Add(new AdvisoryFieldChange(
+                Field: "kev_status",
+                PreviousValue: previousInKev ? "in_kev" : "not_in_kev",
+                CurrentValue: currentInKev ? "in_kev" : "not_in_kev",
+                Category: AdvisoryFieldChangeCategory.Threat,
+                Provenance: currentProvenance));
+        }
+
+        // Compare severity
+        var previousSeverity = previousSignal.HighestCvssScore?.EffectiveSeverity;
+        var currentSeverity = currentSignal.HighestCvssScore?.EffectiveSeverity;
+
+        if (!string.Equals(previousSeverity, currentSeverity, StringComparison.OrdinalIgnoreCase))
+        {
+            changes.Add(new AdvisoryFieldChange(
+                Field: "severity",
+                PreviousValue: previousSeverity,
+                CurrentValue: currentSeverity,
+                Category: AdvisoryFieldChangeCategory.Risk,
+                Provenance: currentProvenance));
+        }
+
+        // Compare CVSS score (if both have scores)
+        var previousScore = previousSignal.HighestCvssScore?.Score;
+        var currentScore = currentSignal.HighestCvssScore?.Score;
+
+        if (previousScore.HasValue && currentScore.HasValue &&
+            Math.Abs(previousScore.Value - currentScore.Value) >= 0.1)
+        {
+            changes.Add(new AdvisoryFieldChange(
+                Field: "cvss_score",
+                PreviousValue: previousScore.Value.ToString("F1"),
+                CurrentValue: currentScore.Value.ToString("F1"),
+                Category: AdvisoryFieldChangeCategory.Risk,
+                Provenance: currentProvenance));
+        }
+
+        return changes.ToImmutable();
+    }
+
+    private static string? GetFixVersion(VendorRiskSignal signal)
+    {
+        return signal.FixAvailability
+            .Where(f => f.Status == FixStatus.Available)
+            .Select(f => f.FixedVersion)
+            .FirstOrDefault(v => !string.IsNullOrWhiteSpace(v));
+    }
+
+    private static AdvisoryFieldChangeType DetermineChangeType(ImmutableArray<AdvisoryFieldChange> changes)
+    {
+        if (changes.Length == 0)
+        {
+            return AdvisoryFieldChangeType.Unknown;
+        }
+
+        if (changes.Length > 1)
+        {
+            return AdvisoryFieldChangeType.MultipleChanges;
+        }
+
+        var change = changes[0];
+
+        return change.Field switch
+        {
+            "observation_status" when change.CurrentValue == "active" => AdvisoryFieldChangeType.NewObservation,
+            "observation_status" when change.CurrentValue == "withdrawn" => AdvisoryFieldChangeType.ObservationWithdrawn,
+            "fix_availability" or "fix_version" => AdvisoryFieldChangeType.FixAvailabilityChanged,
+            "kev_status" => AdvisoryFieldChangeType.KevStatusChanged,
+            "severity" or "cvss_score" => AdvisoryFieldChangeType.SeverityChanged,
+            _ => AdvisoryFieldChangeType.Unknown
+        };
+    }
+
+    private static AdvisoryFieldChangeProvenance BuildProvenance(
+        VendorRiskSignal? previousSignal,
+        VendorRiskSignal currentSignal)
+    {
+        return new AdvisoryFieldChangeProvenance(
+            Vendor: currentSignal.Provenance.Vendor,
+            Source: currentSignal.Provenance.Source,
+            ObservationHash: currentSignal.Provenance.ObservationHash,
+            FetchedAt: currentSignal.Provenance.FetchedAt,
+            IngestJobId: currentSignal.Provenance.IngestJobId,
+            UpstreamId: currentSignal.Provenance.UpstreamId,
+            PreviousObservationHash: previousSignal?.Provenance.ObservationHash);
+    }
+
+    private static AdvisoryFieldChangeProvenance MapProvenance(
+        VendorRiskProvenance provenance,
+        string? previousHash)
+    {
+        return new AdvisoryFieldChangeProvenance(
+            Vendor: provenance.Vendor,
+            Source: provenance.Source,
+            ObservationHash: provenance.ObservationHash,
+            FetchedAt: provenance.FetchedAt,
+            IngestJobId: provenance.IngestJobId,
+            UpstreamId: provenance.UpstreamId,
+            PreviousObservationHash: previousHash);
+    }
+}
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/AdvisoryFieldChangeNotification.cs b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/AdvisoryFieldChangeNotification.cs
new file mode 100644
index 000000000..c268875f6
--- /dev/null
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/AdvisoryFieldChangeNotification.cs
@@ -0,0 +1,142 @@
+using System;
+using System.Collections.Immutable;
+
+namespace StellaOps.Concelier.Core.Risk;
+
+/// <summary>
+/// Notification for upstream advisory field changes.
+/// Per CONCELIER-RISK-69-001, emits notifications on field changes (e.g., fix availability)
+/// with observation IDs and provenance; no severity inference.
+/// </summary>
+/// <remarks>
+/// This notification is fact-only: surfaces vendor-published changes with provenance.
+/// No inference, weighting, or exploitability assumptions.
+/// </remarks>
+public sealed record AdvisoryFieldChangeNotification(
+    Guid NotificationId,
+    string TenantId,
+    string AdvisoryId,
+    string ObservationId,
+    string? LinksetId,
+    AdvisoryFieldChangeType ChangeType,
+    ImmutableArray<AdvisoryFieldChange> Changes,
+    AdvisoryFieldChangeProvenance Provenance,
+    DateTimeOffset DetectedAt,
+    DateTimeOffset EmittedAt)
+{
+    /// <summary>
+    /// Event kind for notification routing.
+    /// </summary>
+    public const string EventKind = "advisory.field.changed";
+
+    /// <summary>
+    /// Event version.
+    /// </summary>
+    public const string EventVersion = "1";
+
+    /// <summary>
+    /// Indicates if any critical field changed (fix availability, KEV status).
+    /// </summary>
+    public bool HasCriticalChange => Changes.Any(c =>
+        c.Field is "fix_availability" or "kev_status" or "severity");
+
+    /// <summary>
+    /// Gets all unique fields that changed.
+    /// </summary>
+    public ImmutableArray<string> ChangedFields =>
+        Changes.Select(c => c.Field).Distinct(StringComparer.Ordinal).ToImmutableArray();
+}
+
+/// <summary>
+/// Type of field change notification.
+/// </summary>
+public enum AdvisoryFieldChangeType
+{
+    /// <summary>Unknown change type.</summary>
+    Unknown,
+
+    /// <summary>Fix availability changed (became available, version updated, etc.).</summary>
+    FixAvailabilityChanged,
+
+    /// <summary>KEV status changed (added to or removed from KEV list).</summary>
+    KevStatusChanged,
+
+    /// <summary>Severity score changed.</summary>
+    SeverityChanged,
+
+    /// <summary>New observation added from upstream.</summary>
+    NewObservation,
+
+    /// <summary>Observation withdrawn by upstream.</summary>
+    ObservationWithdrawn,
+
+    /// <summary>Advisory link/reference added.</summary>
+    ReferenceAdded,
+
+    /// <summary>Multiple fields changed.</summary>
+    MultipleChanges
+}
+
+/// <summary>
+/// A specific field change in an advisory.
+/// </summary>
+public sealed record AdvisoryFieldChange(
+    string Field,
+    string? PreviousValue,
+    string? CurrentValue,
+    AdvisoryFieldChangeCategory Category,
+    AdvisoryFieldChangeProvenance Provenance)
+{
+    /// <summary>
+    /// Indicates if the value transitioned from null/empty to having a value.
+    /// </summary>
+    public bool IsNewValue => string.IsNullOrWhiteSpace(PreviousValue) && !string.IsNullOrWhiteSpace(CurrentValue);
+
+    /// <summary>
+    /// Indicates if the value was removed (non-null to null/empty).
+    /// </summary>
+    public bool IsValueRemoved => !string.IsNullOrWhiteSpace(PreviousValue) && string.IsNullOrWhiteSpace(CurrentValue);
+
+    /// <summary>
+    /// Indicates if the value changed between two non-null values.
+    /// </summary>
+    public bool IsValueUpdated => !string.IsNullOrWhiteSpace(PreviousValue) &&
+        !string.IsNullOrWhiteSpace(CurrentValue) &&
+        !string.Equals(PreviousValue, CurrentValue, StringComparison.Ordinal);
+}
+
+/// <summary>
+/// Category of field change for filtering/routing.
+/// </summary>
+public enum AdvisoryFieldChangeCategory
+{
+    /// <summary>Unknown category.</summary>
+    Unknown,
+
+    /// <summary>Remediation-related (fix version, patch URL, etc.).</summary>
+    Remediation,
+
+    /// <summary>Threat-related (KEV, exploitation evidence).</summary>
+    Threat,
+
+    /// <summary>Risk-related (severity, CVSS score).</summary>
+    Risk,
+
+    /// <summary>Metadata-related (references, aliases, description).</summary>
+    Metadata,
+
+    /// <summary>Scope-related (affected packages, versions).</summary>
+    Scope
+}
+
+/// <summary>
+/// Provenance anchor for field change notifications.
+/// </summary>
+public sealed record AdvisoryFieldChangeProvenance(
+    string Vendor,
+    string Source,
+    string ObservationHash,
+    DateTimeOffset FetchedAt,
+    string? IngestJobId,
+    string? UpstreamId,
+    string? PreviousObservationHash);
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/FixAvailabilityEmitter.cs b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/FixAvailabilityEmitter.cs
new file mode 100644
index 000000000..0363690dd
--- /dev/null
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/FixAvailabilityEmitter.cs
@@ -0,0 +1,341 @@
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+
+namespace StellaOps.Concelier.Core.Risk;
+
+/// <summary>
+/// Default implementation of <see cref="IFixAvailabilityEmitter"/>.
+/// Per CONCELIER-RISK-66-002, emits structured fix-availability metadata per observation/linkset
+/// without guessing exploitability.
+/// </summary>
+public sealed class FixAvailabilityEmitter : IFixAvailabilityEmitter
+{
+    private readonly IVendorRiskSignalProvider _riskSignalProvider;
+    private readonly ILogger<FixAvailabilityEmitter> _logger;
+    private readonly TimeProvider _timeProvider;
+
+    public FixAvailabilityEmitter(
+        IVendorRiskSignalProvider riskSignalProvider,
+        ILogger<FixAvailabilityEmitter> logger,
+        TimeProvider? timeProvider = null)
+    {
+        _riskSignalProvider = riskSignalProvider ?? throw new ArgumentNullException(nameof(riskSignalProvider));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _timeProvider = timeProvider ?? TimeProvider.System;
+    }
+
+    /// <inheritdoc />
+    public async Task<FixAvailabilityMetadata?> EmitByObservationAsync(
+        string tenantId,
+        string observationId,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(observationId);
+
+        var riskSignal = await _riskSignalProvider.GetByObservationAsync(
+            tenantId, observationId, cancellationToken).ConfigureAwait(false);
+
+        if (riskSignal is null)
+        {
+            _logger.LogDebug(
+                "No risk signal found for observation {ObservationId} in tenant {TenantId}",
+                observationId, tenantId);
+            return null;
+        }
+
+        return EmitFromRiskSignal(riskSignal, linksetId: null);
+    }
+
+    /// <inheritdoc />
+    public async Task<IReadOnlyList<FixAvailabilityMetadata>> EmitByLinksetAsync(
+        string tenantId,
+        string linksetId,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(linksetId);
+
+        var riskSignals = await _riskSignalProvider.GetByLinksetAsync(
+            tenantId, linksetId, cancellationToken).ConfigureAwait(false);
+
+        if (riskSignals.Count == 0)
+        {
+            _logger.LogDebug(
+                "No risk signals found for linkset {LinksetId} in tenant {TenantId}",
+                linksetId, tenantId);
+            return [];
+        }
+
+        var results = new List<FixAvailabilityMetadata>(riskSignals.Count);
+        foreach (var signal in riskSignals)
+        {
+            results.Add(EmitFromRiskSignal(signal, linksetId));
+        }
+
+        return results;
+    }
+
+    /// <inheritdoc />
+    public async Task<IReadOnlyList<FixAvailabilityMetadata>> EmitByAdvisoryAsync(
+        string tenantId,
+        string advisoryId,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(advisoryId);
+
+        var riskSignals = await _riskSignalProvider.GetByAdvisoryAsync(
+            tenantId, advisoryId, cancellationToken).ConfigureAwait(false);
+
+        if (riskSignals.Count == 0)
+        {
+            _logger.LogDebug(
+                "No risk signals found for advisory {AdvisoryId} in tenant {TenantId}",
+                advisoryId, tenantId);
+            return [];
+        }
+
+        var results = new List<FixAvailabilityMetadata>(riskSignals.Count);
+        foreach (var signal in riskSignals)
+        {
+            results.Add(EmitFromRiskSignal(signal, linksetId: null));
+        }
+
+        return results;
+    }
+
+    private FixAvailabilityMetadata EmitFromRiskSignal(VendorRiskSignal signal, string? linksetId)
+    {
+        var now = _timeProvider.GetUtcNow();
+        var provenance = MapProvenance(signal.Provenance);
+
+        if (signal.FixAvailability.IsDefaultOrEmpty)
+        {
+            _logger.LogDebug(
+                "Emitting empty fix-availability for observation {ObservationId} (no fix data in signal)",
+                signal.ObservationId);
+
+            return FixAvailabilityMetadata.Empty(
+                signal.TenantId,
+                signal.AdvisoryId,
+                signal.ObservationId,
+                linksetId,
+                provenance,
+                now);
+        }
+
+        var releases = MapReleases(signal.FixAvailability, provenance);
+        var advisoryLinks = ExtractAdvisoryLinks(signal.FixAvailability, provenance);
+        var status = DetermineOverallStatus(signal.FixAvailability);
+
+        _logger.LogDebug(
+            "Emitting fix-availability for observation {ObservationId}: status={Status}, releases={ReleaseCount}, links={LinkCount}",
+            signal.ObservationId, status, releases.Length, advisoryLinks.Length);
+
+        return new FixAvailabilityMetadata(
+            TenantId: signal.TenantId,
+            AdvisoryId: signal.AdvisoryId,
+            ObservationId: signal.ObservationId,
+            LinksetId: linksetId,
+            Status: status,
+            Releases: releases,
+            AdvisoryLinks: advisoryLinks,
+            Provenance: provenance,
+            EmittedAt: now);
+    }
+
+    private static FixAvailabilityProvenance MapProvenance(VendorRiskProvenance vendorProvenance)
+    {
+        return new FixAvailabilityProvenance(
+            Vendor: vendorProvenance.Vendor,
+            Source: vendorProvenance.Source,
+            ObservationHash: vendorProvenance.ObservationHash,
+            FetchedAt: vendorProvenance.FetchedAt,
+            IngestJobId: vendorProvenance.IngestJobId,
+            UpstreamId: vendorProvenance.UpstreamId);
+    }
+
+    private static ImmutableArray<FixRelease> MapReleases(
+        ImmutableArray<VendorFixAvailability> vendorFixes,
+        FixAvailabilityProvenance provenance)
+    {
+        var builder = ImmutableArray.CreateBuilder<FixRelease>();
+
+        foreach (var vendorFix in vendorFixes)
+        {
+            if (vendorFix.Status != FixStatus.Available || string.IsNullOrWhiteSpace(vendorFix.FixedVersion))
+            {
+                continue;
+            }
+
+            var fixProvenance = MapProvenance(vendorFix.Provenance);
+            var releaseType = DetermineReleaseType(vendorFix.FixedVersion);
+
+            builder.Add(new FixRelease(
+                FixedVersion: vendorFix.FixedVersion,
+                Package: vendorFix.Package,
+                Ecosystem: vendorFix.Ecosystem,
+                ReleasedAt: vendorFix.FixReleasedAt,
+                Type: releaseType,
+                Provenance: fixProvenance));
+        }
+
+        // Sort by release date, then by version for deterministic ordering
+        return builder
+            .OrderBy(r => r.ReleasedAt ?? DateTimeOffset.MaxValue)
+            .ThenBy(r => r.FixedVersion, StringComparer.Ordinal)
+            .ToImmutableArray();
+    }
+
+    private static ImmutableArray<FixAdvisoryLink> ExtractAdvisoryLinks(
+        ImmutableArray<VendorFixAvailability> vendorFixes,
+        FixAvailabilityProvenance provenance)
+    {
+        var builder = ImmutableArray.CreateBuilder<FixAdvisoryLink>();
+        var seenUrls = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+        foreach (var vendorFix in vendorFixes)
+        {
+            if (string.IsNullOrWhiteSpace(vendorFix.AdvisoryUrl))
+            {
+                continue;
+            }
+
+            if (!seenUrls.Add(vendorFix.AdvisoryUrl))
+            {
+                continue; // Deduplicate
+            }
+
+            var fixProvenance = MapProvenance(vendorFix.Provenance);
+            var linkType = DetermineLinkType(vendorFix.AdvisoryUrl);
+
+            builder.Add(new FixAdvisoryLink(
+                Url: vendorFix.AdvisoryUrl,
+                Title: null, // Not available from VendorFixAvailability
+                Type: linkType,
+                PublishedAt: vendorFix.FixReleasedAt,
+                Provenance: fixProvenance));
+        }
+
+        // Sort by published date for deterministic ordering
+        return builder
+            .OrderBy(l => l.PublishedAt ?? DateTimeOffset.MaxValue)
+            .ThenBy(l => l.Url, StringComparer.OrdinalIgnoreCase)
+            .ToImmutableArray();
+    }
+
+    private static FixAvailabilityStatus DetermineOverallStatus(
+        ImmutableArray<VendorFixAvailability> vendorFixes)
+    {
+        if (vendorFixes.IsDefaultOrEmpty)
+        {
+            return FixAvailabilityStatus.Unknown;
+        }
+
+        // Check for available fixes first
+        if (vendorFixes.Any(f => f.Status == FixStatus.Available))
+        {
+            return FixAvailabilityStatus.Available;
+        }
+
+        // Check for in-progress fixes
+        if (vendorFixes.Any(f => f.Status == FixStatus.InProgress))
+        {
+            return FixAvailabilityStatus.InProgress;
+        }
+
+        // Check for will-not-fix
+        if (vendorFixes.Any(f => f.Status == FixStatus.WillNotFix))
+        {
+            return FixAvailabilityStatus.WillNotFix;
+        }
+
+        // Check for not-available
+        if (vendorFixes.Any(f => f.Status == FixStatus.NotAvailable))
+        {
+            return FixAvailabilityStatus.NotAvailable;
+        }
+
+        return FixAvailabilityStatus.Unknown;
+    }
+
+    private static FixReleaseType DetermineReleaseType(string version)
+    {
+        // Basic heuristics for release type
+        var lowerVersion = version.ToLowerInvariant();
+
+        if (lowerVersion.Contains("hotfix") || lowerVersion.Contains("patch"))
+        {
+            return FixReleaseType.Hotfix;
+        }
+
+        if (lowerVersion.Contains("backport"))
+        {
+            return FixReleaseType.Backport;
+        }
+
+        // Could add SemVer analysis here for minor/major detection
+        // For now, default to Patch as most security fixes are patches
+        return FixReleaseType.Patch;
+    }
+
+    private static FixAdvisoryLinkType DetermineLinkType(string url)
+    {
+        var lowerUrl = url.ToLowerInvariant();
+
+        // Distribution security notices
+        if (lowerUrl.Contains("access.redhat.com/errata") ||
+            lowerUrl.Contains("ubuntu.com/security") ||
+            lowerUrl.Contains("debian.org/security") ||
+            lowerUrl.Contains("suse.com/security"))
+        {
+            return FixAdvisoryLinkType.DistributionNotice;
+        }
+
+        // Commit references
+        if (lowerUrl.Contains("/commit/") ||
+            lowerUrl.Contains("/commits/"))
+        {
+            return FixAdvisoryLinkType.Commit;
+        }
+
+        // Patch URLs
+        if (lowerUrl.EndsWith(".patch") ||
+            lowerUrl.Contains("/patches/") ||
+            lowerUrl.Contains("/diff/"))
+        {
+            return FixAdvisoryLinkType.PatchUrl;
+        }
+
+        // Release notes
+        if (lowerUrl.Contains("/releases/") ||
+            lowerUrl.Contains("/release-notes") ||
+            lowerUrl.Contains("/changelog"))
+        {
+            return FixAdvisoryLinkType.ReleaseNotes;
+        }
+
+        // Vendor advisories (common patterns)
+        if (lowerUrl.Contains("/security/") ||
+            lowerUrl.Contains("/advisory/") ||
+            lowerUrl.Contains("/cve-") ||
+            lowerUrl.Contains("/vuln"))
+        {
+            return FixAdvisoryLinkType.VendorAdvisory;
+        }
+
+        // GitHub Security Advisories
+        if (lowerUrl.Contains("github.com") && lowerUrl.Contains("/advisories/"))
+        {
+            return FixAdvisoryLinkType.UpstreamAdvisory;
+        }
+
+        return FixAdvisoryLinkType.Unknown;
+    }
+}
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/FixAvailabilityMetadata.cs b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/FixAvailabilityMetadata.cs
new file mode 100644
index 000000000..55941caaa
--- /dev/null
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/FixAvailabilityMetadata.cs
@@ -0,0 +1,190 @@
+using System;
+using System.Collections.Immutable;
+
+namespace StellaOps.Concelier.Core.Risk;
+
+/// <summary>
+/// Structured fix-availability metadata per observation/linkset.
+/// Per CONCELIER-RISK-66-002, emits release version, advisory link, and evidence timestamp
+/// without guessing exploitability.
+/// </summary>
+/// <remarks>
+/// This model is fact-only: surfaces vendor-published fix information with provenance.
+/// No inference, weighting, or exploitability assumptions.
+/// </remarks>
+public sealed record FixAvailabilityMetadata(
+    string TenantId,
+    string AdvisoryId,
+    string ObservationId,
+    string? LinksetId,
+    FixAvailabilityStatus Status,
+    ImmutableArray<FixRelease> Releases,
+    ImmutableArray<FixAdvisoryLink> AdvisoryLinks,
+    FixAvailabilityProvenance Provenance,
+    DateTimeOffset EmittedAt)
+{
+    /// <summary>
+    /// Creates an empty fix-availability metadata for observations without fix data.
+    /// </summary>
+    public static FixAvailabilityMetadata Empty(
+        string tenantId,
+        string advisoryId,
+        string observationId,
+        string? linksetId,
+        FixAvailabilityProvenance provenance,
+        DateTimeOffset emittedAt)
+    {
+        return new FixAvailabilityMetadata(
+            TenantId: tenantId,
+            AdvisoryId: advisoryId,
+            ObservationId: observationId,
+            LinksetId: linksetId,
+            Status: FixAvailabilityStatus.Unknown,
+            Releases: ImmutableArray<FixRelease>.Empty,
+            AdvisoryLinks: ImmutableArray<FixAdvisoryLink>.Empty,
+            Provenance: provenance,
+            EmittedAt: emittedAt);
+    }
+
+    /// <summary>
+    /// Indicates if any fix release is available.
+    /// </summary>
+    public bool HasFixAvailable => Status == FixAvailabilityStatus.Available && !Releases.IsDefaultOrEmpty;
+
+    /// <summary>
+    /// Gets the earliest fix release if available.
+    /// </summary>
+    public FixRelease? EarliestRelease => Releases.IsDefaultOrEmpty
+        ? null
+        : Releases.OrderBy(r => r.ReleasedAt ?? DateTimeOffset.MaxValue).FirstOrDefault();
+}
+
+/// <summary>
+/// Provenance anchor for fix-availability metadata.
+/// </summary>
+public sealed record FixAvailabilityProvenance(
+    string Vendor,
+    string Source,
+    string ObservationHash,
+    DateTimeOffset FetchedAt,
+    string? IngestJobId,
+    string? UpstreamId);
+
+/// <summary>
+/// A fix release with version, timestamp, and provenance.
+/// </summary>
+public sealed record FixRelease(
+    string? FixedVersion,
+    string? Package,
+    string? Ecosystem,
+    DateTimeOffset? ReleasedAt,
+    FixReleaseType Type,
+    FixAvailabilityProvenance Provenance)
+{
+    /// <summary>
+    /// Normalizes the ecosystem name to a standard format.
+    /// </summary>
+    public string? NormalizedEcosystem => Ecosystem?.ToLowerInvariant() switch
+    {
+        "npm" or "node" or "nodejs" => "npm",
+        "pypi" or "pip" or "python" => "pypi",
+        "maven" or "java" => "maven",
+        "nuget" or ".net" or "dotnet" => "nuget",
+        "rubygems" or "gem" or "ruby" => "rubygems",
+        "crates.io" or "cargo" or "rust" => "crates.io",
+        "go" or "golang" => "go",
+        "packagist" or "composer" or "php" => "packagist",
+        var e => e
+    };
+}
+
+/// <summary>
+/// Type of fix release.
+/// </summary>
+public enum FixReleaseType
+{
+    /// <summary>Unknown release type.</summary>
+    Unknown,
+
+    /// <summary>Patch release addressing the vulnerability.</summary>
+    Patch,
+
+    /// <summary>Minor version upgrade with fix.</summary>
+    MinorUpgrade,
+
+    /// <summary>Major version upgrade with fix.</summary>
+    MajorUpgrade,
+
+    /// <summary>Backported fix to older version line.</summary>
+    Backport,
+
+    /// <summary>Vendor-specific hotfix.</summary>
+    Hotfix
+}
+
+/// <summary>
+/// Advisory link providing fix guidance.
+/// </summary>
+public sealed record FixAdvisoryLink(
+    string Url,
+    string? Title,
+    FixAdvisoryLinkType Type,
+    DateTimeOffset? PublishedAt,
+    FixAvailabilityProvenance Provenance);
+
+/// <summary>
+/// Type of advisory link.
+/// </summary>
+public enum FixAdvisoryLinkType
+{
+    /// <summary>Unknown link type.</summary>
+    Unknown,
+
+    /// <summary>Vendor security advisory.</summary>
+    VendorAdvisory,
+
+    /// <summary>Upstream project advisory.</summary>
+    UpstreamAdvisory,
+
+    /// <summary>Distribution security notice (e.g., RHSA, DSA).</summary>
+    DistributionNotice,
+
+    /// <summary>Patch URL.</summary>
+    PatchUrl,
+
+    /// <summary>Release notes.</summary>
+    ReleaseNotes,
+
+    /// <summary>Commit reference.</summary>
+    Commit,
+
+    /// <summary>Mitigation/workaround guidance.</summary>
+    Mitigation
+}
+
+/// <summary>
+/// Overall fix availability status.
+/// </summary>
+public enum FixAvailabilityStatus
+{
+    /// <summary>Fix status unknown.</summary>
+    Unknown,
+
+    /// <summary>Fix is available.</summary>
+    Available,
+
+    /// <summary>No fix available yet.</summary>
+    NotAvailable,
+
+    /// <summary>Will not be fixed (end of life, wontfix, etc.).</summary>
+    WillNotFix,
+
+    /// <summary>Fix is in progress.</summary>
+    InProgress,
+
+    /// <summary>Deferred - fix planned for future release.</summary>
+    Deferred,
+
+    /// <summary>Not affected - no fix needed.</summary>
+    NotAffected
+}
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/IAdvisoryFieldChangeEmitter.cs b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/IAdvisoryFieldChangeEmitter.cs
new file mode 100644
index 000000000..ef4aef73e
--- /dev/null
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/IAdvisoryFieldChangeEmitter.cs
@@ -0,0 +1,62 @@
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace StellaOps.Concelier.Core.Risk;
+
+/// <summary>
+/// Emitter interface for advisory field change notifications.
+/// Per CONCELIER-RISK-69-001, emits notifications on upstream advisory field changes
+/// (e.g., fix availability) with observation IDs and provenance; no severity inference.
+/// </summary>
+public interface IAdvisoryFieldChangeEmitter
+{
+    /// <summary>
+    /// Detects and emits field change notifications for an observation.
+    /// </summary>
+    /// <param name="tenantId">Tenant identifier.</param>
+    /// <param name="observationId">Observation identifier.</param>
+    /// <param name="previousSignal">Previous risk signal state (null if new observation).</param>
+    /// <param name="currentSignal">Current risk signal state.</param>
+    /// <param name="linksetId">Optional linkset identifier.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Emitted notification, or null if no changes detected.</returns>
+    Task<AdvisoryFieldChangeNotification?> EmitChangesAsync(
+        string tenantId,
+        string observationId,
+        VendorRiskSignal? previousSignal,
+        VendorRiskSignal currentSignal,
+        string? linksetId,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Detects and emits field change notifications for all observations in a linkset.
+    /// </summary>
+    /// <param name="tenantId">Tenant identifier.</param>
+    /// <param name="linksetId">Linkset identifier.</param>
+    /// <param name="previousSignals">Previous risk signal states.</param>
+    /// <param name="currentSignals">Current risk signal states.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Collection of emitted notifications.</returns>
+    Task<IReadOnlyList<AdvisoryFieldChangeNotification>> EmitLinksetChangesAsync(
+        string tenantId,
+        string linksetId,
+        IReadOnlyList<VendorRiskSignal> previousSignals,
+        IReadOnlyList<VendorRiskSignal> currentSignals,
+        CancellationToken cancellationToken);
+}
+
+/// <summary>
+/// Publisher interface for advisory field change notifications.
+/// </summary>
+public interface IAdvisoryFieldChangeNotificationPublisher
+{
+    /// <summary>
+    /// Publishes a field change notification to the notification system.
+    /// </summary>
+    /// <param name="notification">The notification to publish.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    Task PublishAsync(
+        AdvisoryFieldChangeNotification notification,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/IFixAvailabilityEmitter.cs b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/IFixAvailabilityEmitter.cs
new file mode 100644
index 000000000..9e01a4352
--- /dev/null
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/IFixAvailabilityEmitter.cs
@@ -0,0 +1,129 @@
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace StellaOps.Concelier.Core.Risk;
+
+/// <summary>
+/// Emitter interface for structured fix-availability metadata.
+/// Per CONCELIER-RISK-66-002, emits release version, advisory link, and evidence timestamp
+/// per observation/linkset without guessing exploitability.
+/// </summary>
+public interface IFixAvailabilityEmitter
+{
+    /// <summary>
+    /// Emits fix-availability metadata for a specific observation.
+    /// </summary>
+    /// <param name="tenantId">Tenant identifier.</param>
+    /// <param name="observationId">Observation identifier.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Emitted fix-availability metadata.</returns>
+    Task<FixAvailabilityMetadata?> EmitByObservationAsync(
+        string tenantId,
+        string observationId,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Emits fix-availability metadata for all observations in a linkset.
+    /// </summary>
+    /// <param name="tenantId">Tenant identifier.</param>
+    /// <param name="linksetId">Linkset identifier.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Collection of emitted fix-availability metadata from all linked observations.</returns>
+    Task<IReadOnlyList<FixAvailabilityMetadata>> EmitByLinksetAsync(
+        string tenantId,
+        string linksetId,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Emits fix-availability metadata for all observations of an advisory.
+    /// </summary>
+    /// <param name="tenantId">Tenant identifier.</param>
+    /// <param name="advisoryId">Advisory identifier (e.g., CVE-2024-1234).</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Collection of emitted fix-availability metadata.</returns>
+    Task<IReadOnlyList<FixAvailabilityMetadata>> EmitByAdvisoryAsync(
+        string tenantId,
+        string advisoryId,
+        CancellationToken cancellationToken);
+}
+
+/// <summary>
+/// Aggregated fix-availability view combining metadata from multiple observations.
+/// </summary>
+public sealed record AggregatedFixAvailabilityView(
+    string TenantId,
+    string AdvisoryId,
+    string? LinksetId,
+    IReadOnlyList<FixAvailabilityMetadata> ObservationMetadata)
+{
+    /// <summary>
+    /// Gets the overall fix availability status across all observations.
+    /// Returns the most favorable status (Available > InProgress > NotAvailable > Unknown).
+    /// </summary>
+    public FixAvailabilityStatus OverallStatus
+    {
+        get
+        {
+            if (ObservationMetadata.Any(m => m.Status == FixAvailabilityStatus.Available))
+                return FixAvailabilityStatus.Available;
+
+            if (ObservationMetadata.Any(m => m.Status == FixAvailabilityStatus.InProgress))
+                return FixAvailabilityStatus.InProgress;
+
+            if (ObservationMetadata.Any(m => m.Status == FixAvailabilityStatus.Deferred))
+                return FixAvailabilityStatus.Deferred;
+
+            if (ObservationMetadata.Any(m => m.Status == FixAvailabilityStatus.NotAffected))
+                return FixAvailabilityStatus.NotAffected;
+
+            if (ObservationMetadata.Any(m => m.Status == FixAvailabilityStatus.NotAvailable))
+                return FixAvailabilityStatus.NotAvailable;
+
+            if (ObservationMetadata.Any(m => m.Status == FixAvailabilityStatus.WillNotFix))
+                return FixAvailabilityStatus.WillNotFix;
+
+            return FixAvailabilityStatus.Unknown;
+        }
+    }
+
+    /// <summary>
+    /// Indicates if any observation reports a fix available.
+    /// </summary>
+    public bool HasFixAvailable => OverallStatus == FixAvailabilityStatus.Available;
+
+    /// <summary>
+    /// Gets all unique fix releases across observations.
+    /// </summary>
+    public IReadOnlyList<FixRelease> AllReleases =>
+        ObservationMetadata
+            .SelectMany(m => m.Releases)
+            .OrderBy(r => r.ReleasedAt ?? DateTimeOffset.MaxValue)
+            .ThenBy(r => r.FixedVersion, StringComparer.Ordinal)
+            .ToList();
+
+    /// <summary>
+    /// Gets all unique advisory links across observations.
+    /// </summary>
+    public IReadOnlyList<FixAdvisoryLink> AllAdvisoryLinks =>
+        ObservationMetadata
+            .SelectMany(m => m.AdvisoryLinks)
+            .DistinctBy(l => l.Url)
+            .OrderBy(l => l.PublishedAt ?? DateTimeOffset.MaxValue)
+            .ToList();
+
+    /// <summary>
+    /// Gets vendors that contributed fix information.
+    /// </summary>
+    public IReadOnlyList<string> ContributingVendors =>
+        ObservationMetadata
+            .Select(m => m.Provenance.Vendor)
+            .Distinct(StringComparer.OrdinalIgnoreCase)
+            .OrderBy(v => v, StringComparer.OrdinalIgnoreCase)
+            .ToList();
+
+    /// <summary>
+    /// Gets the earliest available fix release across all observations.
+    /// </summary>
+    public FixRelease? EarliestRelease => AllReleases.FirstOrDefault();
+}
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/ISourceCoverageMetricsPublisher.cs b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/ISourceCoverageMetricsPublisher.cs
new file mode 100644
index 000000000..8dbc3e42d
--- /dev/null
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/ISourceCoverageMetricsPublisher.cs
@@ -0,0 +1,90 @@
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace StellaOps.Concelier.Core.Risk;
+
+/// <summary>
+/// Publisher interface for per-source coverage and conflict metrics.
+/// Per CONCELIER-RISK-67-001, publishes counts and disagreements so explainers
+/// cite which upstream statements exist; no weighting applied.
+/// </summary>
+public interface ISourceCoverageMetricsPublisher
+{
+    /// <summary>
+    /// Computes and publishes coverage metrics for all observations of an advisory.
+    /// </summary>
+    /// <param name="tenantId">Tenant identifier.</param>
+    /// <param name="advisoryId">Advisory identifier (e.g., CVE-2024-1234).</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Computed coverage metrics.</returns>
+    Task<SourceCoverageMetrics> PublishByAdvisoryAsync(
+        string tenantId,
+        string advisoryId,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Computes and publishes coverage metrics for all observations in a linkset.
+    /// </summary>
+    /// <param name="tenantId">Tenant identifier.</param>
+    /// <param name="linksetId">Linkset identifier.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Computed coverage metrics.</returns>
+    Task<SourceCoverageMetrics> PublishByLinksetAsync(
+        string tenantId,
+        string linksetId,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets the latest published coverage metrics for an advisory.
+    /// </summary>
+    /// <param name="tenantId">Tenant identifier.</param>
+    /// <param name="advisoryId">Advisory identifier.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Latest coverage metrics, or null if not computed.</returns>
+    Task<SourceCoverageMetrics?> GetByAdvisoryAsync(
+        string tenantId,
+        string advisoryId,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Gets the latest published coverage metrics for a linkset.
+    /// </summary>
+    /// <param name="tenantId">Tenant identifier.</param>
+    /// <param name="linksetId">Linkset identifier.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Latest coverage metrics, or null if not computed.</returns>
+    Task<SourceCoverageMetrics?> GetByLinksetAsync(
+        string tenantId,
+        string linksetId,
+        CancellationToken cancellationToken);
+}
+
+/// <summary>
+/// Storage interface for coverage metrics persistence.
+/// </summary>
+public interface ISourceCoverageMetricsStore
+{
+    /// <summary>
+    /// Stores coverage metrics.
+    /// </summary>
+    Task StoreAsync(
+        SourceCoverageMetrics metrics,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Retrieves coverage metrics by advisory.
+    /// </summary>
+    Task<SourceCoverageMetrics?> GetByAdvisoryAsync(
+        string tenantId,
+        string advisoryId,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Retrieves coverage metrics by linkset.
+    /// </summary>
+    Task<SourceCoverageMetrics?> GetByLinksetAsync(
+        string tenantId,
+        string linksetId,
+        CancellationToken cancellationToken);
+}
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/InMemoryAdvisoryFieldChangeNotificationPublisher.cs b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/InMemoryAdvisoryFieldChangeNotificationPublisher.cs
new file mode 100644
index 000000000..0f6ac1b77
--- /dev/null
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/InMemoryAdvisoryFieldChangeNotificationPublisher.cs
@@ -0,0 +1,76 @@
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace StellaOps.Concelier.Core.Risk;
+
+/// <summary>
+/// In-memory implementation of <see cref="IAdvisoryFieldChangeNotificationPublisher"/> for testing and development.
+/// </summary>
+public sealed class InMemoryAdvisoryFieldChangeNotificationPublisher : IAdvisoryFieldChangeNotificationPublisher
+{
+    private readonly ConcurrentQueue<AdvisoryFieldChangeNotification> _notifications = new();
+
+    /// <inheritdoc />
+    public Task PublishAsync(AdvisoryFieldChangeNotification notification, CancellationToken cancellationToken)
+    {
+        _notifications.Enqueue(notification);
+        return Task.CompletedTask;
+    }
+
+    /// <summary>
+    /// Gets all published notifications (for testing).
+    /// </summary>
+    public IReadOnlyList<AdvisoryFieldChangeNotification> GetAllNotifications()
+    {
+        return _notifications.ToList();
+    }
+
+    /// <summary>
+    /// Gets notifications for a specific advisory (for testing).
+    /// </summary>
+    public IReadOnlyList<AdvisoryFieldChangeNotification> GetNotificationsByAdvisory(string advisoryId)
+    {
+        return _notifications
+            .Where(n => string.Equals(n.AdvisoryId, advisoryId, System.StringComparison.Ordinal))
+            .ToList();
+    }
+
+    /// <summary>
+    /// Gets notifications for a specific tenant (for testing).
+    /// </summary>
+    public IReadOnlyList<AdvisoryFieldChangeNotification> GetNotificationsByTenant(string tenantId)
+    {
+        return _notifications
+            .Where(n => string.Equals(n.TenantId, tenantId, System.StringComparison.Ordinal))
+            .ToList();
+    }
+
+    /// <summary>
+    /// Gets notifications by change type (for testing).
+    /// </summary>
+    public IReadOnlyList<AdvisoryFieldChangeNotification> GetNotificationsByChangeType(AdvisoryFieldChangeType changeType)
+    {
+        return _notifications
+            .Where(n => n.ChangeType == changeType)
+            .ToList();
+    }
+
+    /// <summary>
+    /// Clears all notifications (for testing).
+    /// </summary>
+    public void Clear()
+    {
+        while (_notifications.TryDequeue(out _))
+        {
+            // Clear the queue
+        }
+    }
+
+    /// <summary>
+    /// Gets the count of notifications (for testing).
+    /// </summary>
+    public int Count => _notifications.Count;
+}
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/InMemorySourceCoverageMetricsStore.cs b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/InMemorySourceCoverageMetricsStore.cs
new file mode 100644
index 000000000..4f88467aa
--- /dev/null
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/InMemorySourceCoverageMetricsStore.cs
@@ -0,0 +1,66 @@
+using System.Collections.Concurrent;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace StellaOps.Concelier.Core.Risk;
+
+/// <summary>
+/// In-memory implementation of <see cref="ISourceCoverageMetricsStore"/> for testing and development.
+/// </summary>
+public sealed class InMemorySourceCoverageMetricsStore : ISourceCoverageMetricsStore
+{
+    private readonly ConcurrentDictionary<string, SourceCoverageMetrics> _byAdvisory = new();
+    private readonly ConcurrentDictionary<string, SourceCoverageMetrics> _byLinkset = new();
+
+    /// <inheritdoc />
+    public Task StoreAsync(SourceCoverageMetrics metrics, CancellationToken cancellationToken)
+    {
+        var advisoryKey = BuildAdvisoryKey(metrics.TenantId, metrics.AdvisoryId);
+        _byAdvisory[advisoryKey] = metrics;
+
+        if (!string.IsNullOrWhiteSpace(metrics.LinksetId))
+        {
+            var linksetKey = BuildLinksetKey(metrics.TenantId, metrics.LinksetId);
+            _byLinkset[linksetKey] = metrics;
+        }
+
+        return Task.CompletedTask;
+    }
+
+    /// <inheritdoc />
+    public Task<SourceCoverageMetrics?> GetByAdvisoryAsync(
+        string tenantId,
+        string advisoryId,
+        CancellationToken cancellationToken)
+    {
+        var key = BuildAdvisoryKey(tenantId, advisoryId);
+        _byAdvisory.TryGetValue(key, out var metrics);
+        return Task.FromResult(metrics);
+    }
+
+    /// <inheritdoc />
+    public Task<SourceCoverageMetrics?> GetByLinksetAsync(
+        string tenantId,
+        string linksetId,
+        CancellationToken cancellationToken)
+    {
+        var key = BuildLinksetKey(tenantId, linksetId);
+        _byLinkset.TryGetValue(key, out var metrics);
+        return Task.FromResult(metrics);
+    }
+
+    /// <summary>
+    /// Clears all stored metrics (for testing).
+    /// </summary>
+    public void Clear()
+    {
+        _byAdvisory.Clear();
+        _byLinkset.Clear();
+    }
+
+    private static string BuildAdvisoryKey(string tenantId, string advisoryId)
+        => $"{tenantId}:{advisoryId}";
+
+    private static string BuildLinksetKey(string tenantId, string linksetId)
+        => $"{tenantId}:linkset:{linksetId}";
+}
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/RiskServiceCollectionExtensions.cs b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/RiskServiceCollectionExtensions.cs
new file mode 100644
index 000000000..dd4617168
--- /dev/null
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/RiskServiceCollectionExtensions.cs
@@ -0,0 +1,113 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+
+namespace StellaOps.Concelier.Core.Risk;
+
+/// <summary>
+/// Service collection extensions for risk-related services.
+/// </summary>
+public static class RiskServiceCollectionExtensions
+{
+    /// <summary>
+    /// Adds risk signal and fix-availability services to the service collection.
+    /// Per CONCELIER-RISK-66-002, CONCELIER-RISK-67-001, and CONCELIER-RISK-69-001.
+    /// </summary>
+    /// <param name="services">The service collection.</param>
+    /// <returns>The service collection for chaining.</returns>
+    public static IServiceCollection AddConcelierRiskServices(this IServiceCollection services)
+    {
+        // Register fix-availability emitter (CONCELIER-RISK-66-002)
+        services.TryAddSingleton<IFixAvailabilityEmitter, FixAvailabilityEmitter>();
+
+        // Register coverage metrics services (CONCELIER-RISK-67-001)
+        services.TryAddSingleton<ISourceCoverageMetricsStore, InMemorySourceCoverageMetricsStore>();
+        services.TryAddSingleton<ISourceCoverageMetricsPublisher, SourceCoverageMetricsPublisher>();
+
+        // Register field change notification services (CONCELIER-RISK-69-001)
+        services.TryAddSingleton<IAdvisoryFieldChangeNotificationPublisher, InMemoryAdvisoryFieldChangeNotificationPublisher>();
+        services.TryAddSingleton<IAdvisoryFieldChangeEmitter, AdvisoryFieldChangeEmitter>();
+
+        // TimeProvider is typically registered elsewhere, but ensure it exists
+        services.TryAddSingleton(TimeProvider.System);
+
+        return services;
+    }
+
+    /// <summary>
+    /// Adds a custom implementation of <see cref="IVendorRiskSignalProvider"/>.
+    /// </summary>
+    /// <typeparam name="TProvider">The provider implementation type.</typeparam>
+    /// <param name="services">The service collection.</param>
+    /// <returns>The service collection for chaining.</returns>
+    public static IServiceCollection AddVendorRiskSignalProvider<TProvider>(this IServiceCollection services)
+        where TProvider : class, IVendorRiskSignalProvider
+    {
+        services.TryAddSingleton<IVendorRiskSignalProvider, TProvider>();
+        return services;
+    }
+
+    /// <summary>
+    /// Adds a custom implementation of <see cref="IFixAvailabilityEmitter"/>.
+    /// </summary>
+    /// <typeparam name="TEmitter">The emitter implementation type.</typeparam>
+    /// <param name="services">The service collection.</param>
+    /// <returns>The service collection for chaining.</returns>
+    public static IServiceCollection AddFixAvailabilityEmitter<TEmitter>(this IServiceCollection services)
+        where TEmitter : class, IFixAvailabilityEmitter
+    {
+        services.AddSingleton<IFixAvailabilityEmitter, TEmitter>();
+        return services;
+    }
+
+    /// <summary>
+    /// Adds a custom implementation of <see cref="ISourceCoverageMetricsStore"/>.
+    /// </summary>
+    /// <typeparam name="TStore">The store implementation type.</typeparam>
+    /// <param name="services">The service collection.</param>
+    /// <returns>The service collection for chaining.</returns>
+    public static IServiceCollection AddSourceCoverageMetricsStore<TStore>(this IServiceCollection services)
+        where TStore : class, ISourceCoverageMetricsStore
+    {
+        services.AddSingleton<ISourceCoverageMetricsStore, TStore>();
+        return services;
+    }
+
+    /// <summary>
+    /// Adds a custom implementation of <see cref="ISourceCoverageMetricsPublisher"/>.
+    /// </summary>
+    /// <typeparam name="TPublisher">The publisher implementation type.</typeparam>
+    /// <param name="services">The service collection.</param>
+    /// <returns>The service collection for chaining.</returns>
+    public static IServiceCollection AddSourceCoverageMetricsPublisher<TPublisher>(this IServiceCollection services)
+        where TPublisher : class, ISourceCoverageMetricsPublisher
+    {
+        services.AddSingleton<ISourceCoverageMetricsPublisher, TPublisher>();
+        return services;
+    }
+
+    /// <summary>
+    /// Adds a custom implementation of <see cref="IAdvisoryFieldChangeNotificationPublisher"/>.
+    /// </summary>
+    /// <typeparam name="TPublisher">The publisher implementation type.</typeparam>
+    /// <param name="services">The service collection.</param>
+    /// <returns>The service collection for chaining.</returns>
+    public static IServiceCollection AddAdvisoryFieldChangeNotificationPublisher<TPublisher>(this IServiceCollection services)
+        where TPublisher : class, IAdvisoryFieldChangeNotificationPublisher
+    {
+        services.AddSingleton<IAdvisoryFieldChangeNotificationPublisher, TPublisher>();
+        return services;
+    }
+
+    /// <summary>
+    /// Adds a custom implementation of <see cref="IAdvisoryFieldChangeEmitter"/>.
+    /// </summary>
+    /// <typeparam name="TEmitter">The emitter implementation type.</typeparam>
+    /// <param name="services">The service collection.</param>
+    /// <returns>The service collection for chaining.</returns>
+    public static IServiceCollection AddAdvisoryFieldChangeEmitter<TEmitter>(this IServiceCollection services)
+        where TEmitter : class, IAdvisoryFieldChangeEmitter
+    {
+        services.AddSingleton<IAdvisoryFieldChangeEmitter, TEmitter>();
+        return services;
+    }
+}
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/SourceCoverageMetrics.cs b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/SourceCoverageMetrics.cs
new file mode 100644
index 000000000..a5a593588
--- /dev/null
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/SourceCoverageMetrics.cs
@@ -0,0 +1,176 @@
+using System;
+using System.Collections.Immutable;
+
+namespace StellaOps.Concelier.Core.Risk;
+
+/// <summary>
+/// Per-source coverage and conflict metrics for advisory observations.
+/// Per CONCELIER-RISK-67-001, publishes counts and disagreements so explainers
+/// cite which upstream statements exist; no weighting applied.
+/// </summary>
+/// <remarks>
+/// This model is fact-only: no inference, weighting, or prioritization.
+/// All data traces back to specific vendor observations with provenance.
+/// </remarks>
+public sealed record SourceCoverageMetrics(
+    string TenantId,
+    string AdvisoryId,
+    string? LinksetId,
+    ImmutableArray<SourceContribution> Sources,
+    SourceAgreementSummary Agreement,
+    ImmutableArray<SourceConflict> Conflicts,
+    DateTimeOffset ComputedAt)
+{
+    /// <summary>
+    /// Total number of contributing sources.
+    /// </summary>
+    public int SourceCount => Sources.Length;
+
+    /// <summary>
+    /// Total number of observations across all sources.
+    /// </summary>
+    public int TotalObservations => Sources.Sum(s => s.ObservationCount);
+
+    /// <summary>
+    /// Total number of conflicts detected.
+    /// </summary>
+    public int ConflictCount => Conflicts.Length;
+
+    /// <summary>
+    /// Indicates if all sources agree (no conflicts).
+    /// </summary>
+    public bool AllSourcesAgree => Conflicts.IsDefaultOrEmpty;
+
+    /// <summary>
+    /// Creates empty coverage metrics when no sources are available.
+    /// </summary>
+    public static SourceCoverageMetrics Empty(
+        string tenantId,
+        string advisoryId,
+        string? linksetId,
+        DateTimeOffset computedAt)
+    {
+        return new SourceCoverageMetrics(
+            TenantId: tenantId,
+            AdvisoryId: advisoryId,
+            LinksetId: linksetId,
+            Sources: ImmutableArray<SourceContribution>.Empty,
+            Agreement: SourceAgreementSummary.Empty,
+            Conflicts: ImmutableArray<SourceConflict>.Empty,
+            ComputedAt: computedAt);
+    }
+}
+
+/// <summary>
+/// Contribution from a single source/vendor.
+/// </summary>
+public sealed record SourceContribution(
+    string SourceId,
+    string Vendor,
+    int ObservationCount,
+    ImmutableArray<string> ObservationIds,
+    SourceCoverageDetail Coverage,
+    DateTimeOffset LatestObservationAt)
+{
+    /// <summary>
+    /// Indicates if this source has full coverage (CVSS, fix info, affected data).
+    /// </summary>
+    public bool HasFullCoverage =>
+        Coverage.HasCvssData &&
+        Coverage.HasFixData &&
+        Coverage.HasAffectedData;
+}
+
+/// <summary>
+/// Detail of what data a source provides.
+/// </summary>
+public sealed record SourceCoverageDetail(
+    bool HasCvssData,
+    bool HasKevData,
+    bool HasFixData,
+    bool HasAffectedData,
+    bool HasReferenceData,
+    ImmutableArray<string> CvssVersions,
+    ImmutableArray<string> AffectedEcosystems);
+
+/// <summary>
+/// Summary of source agreement/disagreement.
+/// </summary>
+public sealed record SourceAgreementSummary(
+    int TotalFields,
+    int AgreeingFields,
+    int DisagreeingFields,
+    ImmutableArray<string> AgreedFieldNames,
+    ImmutableArray<string> DisagreedFieldNames)
+{
+    /// <summary>
+    /// Agreement ratio (0.0 - 1.0).
+    /// </summary>
+    public double AgreementRatio => TotalFields > 0
+        ? (double)AgreeingFields / TotalFields
+        : 1.0;
+
+    /// <summary>
+    /// Indicates high agreement (>= 90%).
+    /// </summary>
+    public bool HighAgreement => AgreementRatio >= 0.9;
+
+    /// <summary>
+    /// Empty agreement summary when no fields to compare.
+    /// </summary>
+    public static SourceAgreementSummary Empty => new(
+        TotalFields: 0,
+        AgreeingFields: 0,
+        DisagreeingFields: 0,
+        AgreedFieldNames: ImmutableArray<string>.Empty,
+        DisagreedFieldNames: ImmutableArray<string>.Empty);
+}
+
+/// <summary>
+/// A specific conflict between sources.
+/// </summary>
+public sealed record SourceConflict(
+    string Field,
+    ConflictType Type,
+    ImmutableArray<SourceConflictValue> Values,
+    string? Resolution)
+{
+    /// <summary>
+    /// Number of sources involved in this conflict.
+    /// </summary>
+    public int SourceCount => Values.Length;
+}
+
+/// <summary>
+/// Type of conflict between sources.
+/// </summary>
+public enum ConflictType
+{
+    /// <summary>Sources report different values for the same field.</summary>
+    ValueMismatch,
+
+    /// <summary>One source has data, another does not.</summary>
+    MissingData,
+
+    /// <summary>Severity scores differ significantly.</summary>
+    SeverityDivergence,
+
+    /// <summary>Fix availability status differs.</summary>
+    FixStatusDivergence,
+
+    /// <summary>Affected version ranges conflict.</summary>
+    AffectedRangeConflict,
+
+    /// <summary>KEV status differs between sources.</summary>
+    KevStatusConflict
+}
+
+/// <summary>
+/// A source's value in a conflict.
+/// </summary>
+public sealed record SourceConflictValue(
+    string SourceId,
+    string Vendor,
+    string? Value,
+    string? ObservationId,
+    DateTimeOffset? ObservedAt);
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/SourceCoverageMetricsPublisher.cs b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/SourceCoverageMetricsPublisher.cs
new file mode 100644
index 000000000..2db8bcc4a
--- /dev/null
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/SourceCoverageMetricsPublisher.cs
@@ -0,0 +1,414 @@
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+
+namespace StellaOps.Concelier.Core.Risk;
+
+/// <summary>
+/// Default implementation of <see cref="ISourceCoverageMetricsPublisher"/>.
+/// Per CONCELIER-RISK-67-001, publishes per-source coverage/conflict metrics
+/// so explainers cite which upstream statements exist; no weighting applied.
+/// </summary>
+public sealed class SourceCoverageMetricsPublisher : ISourceCoverageMetricsPublisher
+{
+    private readonly IVendorRiskSignalProvider _riskSignalProvider;
+    private readonly ISourceCoverageMetricsStore _store;
+    private readonly ILogger<SourceCoverageMetricsPublisher> _logger;
+    private readonly TimeProvider _timeProvider;
+
+    public SourceCoverageMetricsPublisher(
+        IVendorRiskSignalProvider riskSignalProvider,
+        ISourceCoverageMetricsStore store,
+        ILogger<SourceCoverageMetricsPublisher> logger,
+        TimeProvider? timeProvider = null)
+    {
+        _riskSignalProvider = riskSignalProvider ?? throw new ArgumentNullException(nameof(riskSignalProvider));
+        _store = store ?? throw new ArgumentNullException(nameof(store));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _timeProvider = timeProvider ?? TimeProvider.System;
+    }
+
+    /// <inheritdoc />
+    public async Task<SourceCoverageMetrics> PublishByAdvisoryAsync(
+        string tenantId,
+        string advisoryId,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(advisoryId);
+
+        var signals = await _riskSignalProvider.GetByAdvisoryAsync(
+            tenantId, advisoryId, cancellationToken).ConfigureAwait(false);
+
+        var metrics = ComputeMetrics(tenantId, advisoryId, linksetId: null, signals);
+
+        await _store.StoreAsync(metrics, cancellationToken).ConfigureAwait(false);
+
+        _logger.LogInformation(
+            "Published coverage metrics for advisory {AdvisoryId}: {SourceCount} sources, {ConflictCount} conflicts",
+            advisoryId, metrics.SourceCount, metrics.ConflictCount);
+
+        return metrics;
+    }
+
+    /// <inheritdoc />
+    public async Task<SourceCoverageMetrics> PublishByLinksetAsync(
+        string tenantId,
+        string linksetId,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(linksetId);
+
+        var signals = await _riskSignalProvider.GetByLinksetAsync(
+            tenantId, linksetId, cancellationToken).ConfigureAwait(false);
+
+        var advisoryId = signals.FirstOrDefault()?.AdvisoryId ?? "unknown";
+        var metrics = ComputeMetrics(tenantId, advisoryId, linksetId, signals);
+
+        await _store.StoreAsync(metrics, cancellationToken).ConfigureAwait(false);
+
+        _logger.LogInformation(
+            "Published coverage metrics for linkset {LinksetId}: {SourceCount} sources, {ConflictCount} conflicts",
+            linksetId, metrics.SourceCount, metrics.ConflictCount);
+
+        return metrics;
+    }
+
+    /// <inheritdoc />
+    public Task<SourceCoverageMetrics?> GetByAdvisoryAsync(
+        string tenantId,
+        string advisoryId,
+        CancellationToken cancellationToken)
+    {
+        return _store.GetByAdvisoryAsync(tenantId, advisoryId, cancellationToken);
+    }
+
+    /// <inheritdoc />
+    public Task<SourceCoverageMetrics?> GetByLinksetAsync(
+        string tenantId,
+        string linksetId,
+        CancellationToken cancellationToken)
+    {
+        return _store.GetByLinksetAsync(tenantId, linksetId, cancellationToken);
+    }
+
+    private SourceCoverageMetrics ComputeMetrics(
+        string tenantId,
+        string advisoryId,
+        string? linksetId,
+        IReadOnlyList<VendorRiskSignal> signals)
+    {
+        var now = _timeProvider.GetUtcNow();
+
+        if (signals.Count == 0)
+        {
+            return SourceCoverageMetrics.Empty(tenantId, advisoryId, linksetId, now);
+        }
+
+        var sources = ComputeSourceContributions(signals);
+        var agreement = ComputeAgreementSummary(signals);
+        var conflicts = DetectConflicts(signals);
+
+        return new SourceCoverageMetrics(
+            TenantId: tenantId,
+            AdvisoryId: advisoryId,
+            LinksetId: linksetId,
+            Sources: sources,
+            Agreement: agreement,
+            Conflicts: conflicts,
+            ComputedAt: now);
+    }
+
+    private static ImmutableArray<SourceContribution> ComputeSourceContributions(
+        IReadOnlyList<VendorRiskSignal> signals)
+    {
+        var bySource = signals
+            .GroupBy(s => (s.Provenance.Source, s.Provenance.Vendor))
+            .OrderBy(g => g.Key.Source, StringComparer.OrdinalIgnoreCase)
+            .ThenBy(g => g.Key.Vendor, StringComparer.OrdinalIgnoreCase);
+
+        var contributions = ImmutableArray.CreateBuilder<SourceContribution>();
+
+        foreach (var group in bySource)
+        {
+            var sourceSignals = group.ToList();
+            var observationIds = sourceSignals
+                .Select(s => s.ObservationId)
+                .Distinct(StringComparer.Ordinal)
+                .OrderBy(id => id, StringComparer.Ordinal)
+                .ToImmutableArray();
+
+            var coverage = ComputeCoverageDetail(sourceSignals);
+            var latestAt = sourceSignals.Max(s => s.ExtractedAt);
+
+            contributions.Add(new SourceContribution(
+                SourceId: group.Key.Source,
+                Vendor: group.Key.Vendor,
+                ObservationCount: observationIds.Length,
+                ObservationIds: observationIds,
+                Coverage: coverage,
+                LatestObservationAt: latestAt));
+        }
+
+        return contributions.ToImmutable();
+    }
+
+    private static SourceCoverageDetail ComputeCoverageDetail(List<VendorRiskSignal> signals)
+    {
+        var hasCvss = signals.Any(s => !s.CvssScores.IsDefaultOrEmpty);
+        var hasKev = signals.Any(s => s.KevStatus is not null);
+        var hasFix = signals.Any(s => !s.FixAvailability.IsDefaultOrEmpty);
+        var hasAffected = signals.Any(s => !s.FixAvailability.IsDefaultOrEmpty &&
+            s.FixAvailability.Any(f => !string.IsNullOrWhiteSpace(f.Package)));
+        var hasReferences = signals.Any(s => !s.FixAvailability.IsDefaultOrEmpty &&
+            s.FixAvailability.Any(f => !string.IsNullOrWhiteSpace(f.AdvisoryUrl)));
+
+        var cvssVersions = signals
+            .SelectMany(s => s.CvssScores)
+            .Select(c => c.NormalizedSystem)
+            .Where(v => !string.IsNullOrWhiteSpace(v))
+            .Distinct(StringComparer.OrdinalIgnoreCase)
+            .OrderBy(v => v, StringComparer.OrdinalIgnoreCase)
+            .ToImmutableArray();
+
+        var ecosystems = signals
+            .SelectMany(s => s.FixAvailability)
+            .Where(f => !string.IsNullOrWhiteSpace(f.Ecosystem))
+            .Select(f => f.Ecosystem!)
+            .Distinct(StringComparer.OrdinalIgnoreCase)
+            .OrderBy(e => e, StringComparer.OrdinalIgnoreCase)
+            .ToImmutableArray();
+
+        return new SourceCoverageDetail(
+            HasCvssData: hasCvss,
+            HasKevData: hasKev,
+            HasFixData: hasFix,
+            HasAffectedData: hasAffected,
+            HasReferenceData: hasReferences,
+            CvssVersions: cvssVersions,
+            AffectedEcosystems: ecosystems);
+    }
+
+    private static SourceAgreementSummary ComputeAgreementSummary(IReadOnlyList<VendorRiskSignal> signals)
+    {
+        if (signals.Count <= 1)
+        {
+            return SourceAgreementSummary.Empty;
+        }
+
+        var agreedFields = new List<string>();
+        var disagreedFields = new List<string>();
+
+        // Check CVSS severity agreement
+        var severities = signals
+            .Where(s => s.HighestCvssScore is not null)
+            .Select(s => s.HighestCvssScore!.EffectiveSeverity)
+            .Distinct(StringComparer.OrdinalIgnoreCase)
+            .ToList();
+
+        if (severities.Count > 0)
+        {
+            if (severities.Count == 1)
+            {
+                agreedFields.Add("severity");
+            }
+            else
+            {
+                disagreedFields.Add("severity");
+            }
+        }
+
+        // Check KEV status agreement
+        var kevStatuses = signals
+            .Where(s => s.KevStatus is not null)
+            .Select(s => s.KevStatus!.InKev)
+            .Distinct()
+            .ToList();
+
+        if (kevStatuses.Count > 0)
+        {
+            if (kevStatuses.Count == 1)
+            {
+                agreedFields.Add("kev_status");
+            }
+            else
+            {
+                disagreedFields.Add("kev_status");
+            }
+        }
+
+        // Check fix availability agreement
+        var fixStatuses = signals
+            .Select(s => s.HasFixAvailable)
+            .Distinct()
+            .ToList();
+
+        if (fixStatuses.Count == 1)
+        {
+            agreedFields.Add("fix_availability");
+        }
+        else if (fixStatuses.Count > 1)
+        {
+            disagreedFields.Add("fix_availability");
+        }
+
+        var totalFields = agreedFields.Count + disagreedFields.Count;
+
+        return new SourceAgreementSummary(
+            TotalFields: totalFields,
+            AgreeingFields: agreedFields.Count,
+            DisagreeingFields: disagreedFields.Count,
+            AgreedFieldNames: agreedFields.ToImmutableArray(),
+            DisagreedFieldNames: disagreedFields.ToImmutableArray());
+    }
+
+    private static ImmutableArray<SourceConflict> DetectConflicts(IReadOnlyList<VendorRiskSignal> signals)
+    {
+        if (signals.Count <= 1)
+        {
+            return ImmutableArray<SourceConflict>.Empty;
+        }
+
+        var conflicts = ImmutableArray.CreateBuilder<SourceConflict>();
+
+        // Detect severity divergence
+        var severityConflict = DetectSeverityConflict(signals);
+        if (severityConflict is not null)
+        {
+            conflicts.Add(severityConflict);
+        }
+
+        // Detect KEV status conflict
+        var kevConflict = DetectKevConflict(signals);
+        if (kevConflict is not null)
+        {
+            conflicts.Add(kevConflict);
+        }
+
+        // Detect fix status divergence
+        var fixConflict = DetectFixStatusConflict(signals);
+        if (fixConflict is not null)
+        {
+            conflicts.Add(fixConflict);
+        }
+
+        return conflicts.ToImmutable();
+    }
+
+    private static SourceConflict? DetectSeverityConflict(IReadOnlyList<VendorRiskSignal> signals)
+    {
+        var signalsWithSeverity = signals
+            .Where(s => s.HighestCvssScore is not null)
+            .ToList();
+
+        if (signalsWithSeverity.Count <= 1)
+        {
+            return null;
+        }
+
+        var severities = signalsWithSeverity
+            .Select(s => s.HighestCvssScore!.EffectiveSeverity)
+            .Distinct(StringComparer.OrdinalIgnoreCase)
+            .ToList();
+
+        if (severities.Count <= 1)
+        {
+            return null;
+        }
+
+        var values = signalsWithSeverity
+            .Select(s => new SourceConflictValue(
+                SourceId: s.Provenance.Source,
+                Vendor: s.Provenance.Vendor,
+                Value: s.HighestCvssScore!.EffectiveSeverity,
+                ObservationId: s.ObservationId,
+                ObservedAt: s.ExtractedAt))
+            .OrderBy(v => v.SourceId, StringComparer.OrdinalIgnoreCase)
+            .ThenBy(v => v.Vendor, StringComparer.OrdinalIgnoreCase)
+            .ToImmutableArray();
+
+        return new SourceConflict(
+            Field: "severity",
+            Type: ConflictType.SeverityDivergence,
+            Values: values,
+            Resolution: null);
+    }
+
+    private static SourceConflict? DetectKevConflict(IReadOnlyList<VendorRiskSignal> signals)
+    {
+        var signalsWithKev = signals
+            .Where(s => s.KevStatus is not null)
+            .ToList();
+
+        if (signalsWithKev.Count <= 1)
+        {
+            return null;
+        }
+
+        var kevStatuses = signalsWithKev
+            .Select(s => s.KevStatus!.InKev)
+            .Distinct()
+            .ToList();
+
+        if (kevStatuses.Count <= 1)
+        {
+            return null;
+        }
+
+        var values = signalsWithKev
+            .Select(s => new SourceConflictValue(
+                SourceId: s.Provenance.Source,
+                Vendor: s.Provenance.Vendor,
+                Value: s.KevStatus!.InKev ? "in_kev" : "not_in_kev",
+                ObservationId: s.ObservationId,
+                ObservedAt: s.ExtractedAt))
+            .OrderBy(v => v.SourceId, StringComparer.OrdinalIgnoreCase)
+            .ThenBy(v => v.Vendor, StringComparer.OrdinalIgnoreCase)
+            .ToImmutableArray();
+
+        return new SourceConflict(
+            Field: "kev_status",
+            Type: ConflictType.KevStatusConflict,
+            Values: values,
+            Resolution: null);
+    }
+
+    private static SourceConflict? DetectFixStatusConflict(IReadOnlyList<VendorRiskSignal> signals)
+    {
+        var fixStatuses = signals
+            .Select(s => (Signal: s, HasFix: s.HasFixAvailable))
+            .ToList();
+
+        var distinctStatuses = fixStatuses
+            .Select(x => x.HasFix)
+            .Distinct()
+            .ToList();
+
+        if (distinctStatuses.Count <= 1)
+        {
+            return null;
+        }
+
+        var values = fixStatuses
+            .Select(x => new SourceConflictValue(
+                SourceId: x.Signal.Provenance.Source,
+                Vendor: x.Signal.Provenance.Vendor,
+                Value: x.HasFix ? "fix_available" : "no_fix",
+                ObservationId: x.Signal.ObservationId,
+                ObservedAt: x.Signal.ExtractedAt))
+            .OrderBy(v => v.SourceId, StringComparer.OrdinalIgnoreCase)
+            .ThenBy(v => v.Vendor, StringComparer.OrdinalIgnoreCase)
+            .ToImmutableArray();
+
+        return new SourceConflict(
+            Field: "fix_availability",
+            Type: ConflictType.FixStatusDivergence,
+            Values: values,
+            Resolution: null);
+    }
+}
diff --git a/src/Policy/StellaOps.Policy.Scoring/AGENTS.md b/src/Policy/StellaOps.Policy.Scoring/AGENTS.md
new file mode 100644
index 000000000..e6b3016ff
--- /dev/null
+++ b/src/Policy/StellaOps.Policy.Scoring/AGENTS.md
@@ -0,0 +1,93 @@
+# AGENTS.md - StellaOps.Policy.Scoring
+
+## Module Summary
+The CVSS v4.0 Scoring module provides deterministic score computation with full audit trail via receipts. It implements the FIRST CVSS v4.0 specification for vulnerability scoring with policy-driven customization and evidence linkage.
+
+## Working Directory
+`src/Policy/StellaOps.Policy.Scoring`
+
+## Required Reading
+Before implementing in this module, read:
+1. `docs/README.md`
+2. `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+3. `docs/modules/policy/architecture.md`
+4. FIRST CVSS v4.0 Specification: https://www.first.org/cvss/v4-0/specification-document
+
+## Module Boundaries
+
+### This Module Owns
+- CVSS v4.0 data models (`CvssMetrics.cs`, `CvssScoreReceipt.cs`, `CvssPolicy.cs`)
+- CVSS v4.0 scoring engine (`Engine/CvssV4Engine.cs`)
+- Receipt generation and management (`Receipts/ReceiptBuilder.cs`)
+- Policy loading and validation (`Policies/CvssPolicyLoader.cs`)
+- JSON schemas for receipts and policies (`Schemas/`)
+
+### This Module Does NOT Own
+- Attestation/DSSE envelope creation (use `StellaOps.Attestor.Envelope`)
+- Vulnerability advisory ingestion (use `StellaOps.Concelier.Core`)
+- VEX statement handling (use `StellaOps.Excititor.Core`)
+- General policy evaluation (use `StellaOps.Policy`)
+
+## Determinism Requirements
+
+### Input Reproducibility
+- All score computations must be deterministic: same inputs → same outputs
+- Receipt `inputHash` field captures SHA-256 of normalized inputs
+- Use stable JSON serialization with ordered keys for hashing
+
+### Score Computation
+- Follow FIRST CVSS v4.0 math exactly (MacroVector lookup tables, EQ formulas)
+- Use "Round Up" rounding per FIRST spec: `ceil(score * 10) / 10`
+- Never introduce floating-point non-determinism
+
+### Timestamp Handling
+- All timestamps must be UTC in ISO-8601 format
+- Use `DateTimeOffset.UtcNow` for creation times
+- Include timestamp in input hash for temporal reproducibility
+
+## Testing Requirements
+
+### Unit Tests
+- Test all CVSS v4.0 metric combinations using FIRST sample vectors
+- Test edge cases: missing optional metrics, all-None impacts, boundary scores
+- Test determinism: multiple computations of same input must match
+
+### Integration Tests
+- Test policy loading and validation
+- Test receipt persistence and retrieval
+- Test amendment workflow with history tracking
+
+## API Contract
+
+### Score Computation
+```csharp
+// Engine interface
+public interface ICvssV4Engine
+{
+    CvssScores ComputeScores(CvssBaseMetrics baseMetrics, CvssThreatMetrics? threatMetrics = null, CvssEnvironmentalMetrics? envMetrics = null);
+    string BuildVectorString(CvssBaseMetrics baseMetrics, CvssThreatMetrics? threatMetrics = null, CvssEnvironmentalMetrics? envMetrics = null, CvssSupplementalMetrics? suppMetrics = null);
+    (CvssBaseMetrics Base, CvssThreatMetrics? Threat, CvssEnvironmentalMetrics? Env, CvssSupplementalMetrics? Supp) ParseVector(string vectorString);
+}
+```
+
+### Receipt Builder
+```csharp
+// Receipt builder interface
+public interface IReceiptBuilder
+{
+    Task<CvssScoreReceipt> CreateReceiptAsync(CreateReceiptRequest request, CancellationToken cancellationToken = default);
+    Task<CvssScoreReceipt> AmendReceiptAsync(string receiptId, AmendReceiptRequest request, CancellationToken cancellationToken = default);
+}
+```
+
+## Schema Versioning
+- Policy schema: `cvss-policy-schema@1.json`
+- Receipt schema: `cvss-receipt-schema@1.json`
+- Version increment required for breaking changes
+- Maintain backward compatibility where possible
+
+## Security Considerations
+- Validate all policy inputs against JSON schema
+- Sanitize vulnerability IDs to prevent injection
+- Sign receipts via DSSE when attestation is required
+- Tenant isolation: receipts are tenant-scoped
diff --git a/src/Policy/StellaOps.Policy.Scoring/CvssMetrics.cs b/src/Policy/StellaOps.Policy.Scoring/CvssMetrics.cs
new file mode 100644
index 000000000..3c86505d0
--- /dev/null
+++ b/src/Policy/StellaOps.Policy.Scoring/CvssMetrics.cs
@@ -0,0 +1,354 @@
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Policy.Scoring;
+
+/// <summary>
+/// CVSS v4.0 Base metric group - Exploitability and impact metrics.
+/// Per FIRST CVSS v4.0 Specification Document.
+/// </summary>
+public sealed record CvssBaseMetrics
+{
+    /// <summary>Attack Vector (AV) - Mandatory.</summary>
+    [JsonPropertyName("av")]
+    public required AttackVector AttackVector { get; init; }
+
+    /// <summary>Attack Complexity (AC) - Mandatory.</summary>
+    [JsonPropertyName("ac")]
+    public required AttackComplexity AttackComplexity { get; init; }
+
+    /// <summary>Attack Requirements (AT) - Mandatory.</summary>
+    [JsonPropertyName("at")]
+    public required AttackRequirements AttackRequirements { get; init; }
+
+    /// <summary>Privileges Required (PR) - Mandatory.</summary>
+    [JsonPropertyName("pr")]
+    public required PrivilegesRequired PrivilegesRequired { get; init; }
+
+    /// <summary>User Interaction (UI) - Mandatory.</summary>
+    [JsonPropertyName("ui")]
+    public required UserInteraction UserInteraction { get; init; }
+
+    /// <summary>Vulnerable System Confidentiality (VC) - Mandatory.</summary>
+    [JsonPropertyName("vc")]
+    public required ImpactMetricValue VulnerableSystemConfidentiality { get; init; }
+
+    /// <summary>Vulnerable System Integrity (VI) - Mandatory.</summary>
+    [JsonPropertyName("vi")]
+    public required ImpactMetricValue VulnerableSystemIntegrity { get; init; }
+
+    /// <summary>Vulnerable System Availability (VA) - Mandatory.</summary>
+    [JsonPropertyName("va")]
+    public required ImpactMetricValue VulnerableSystemAvailability { get; init; }
+
+    /// <summary>Subsequent System Confidentiality (SC) - Mandatory.</summary>
+    [JsonPropertyName("sc")]
+    public required ImpactMetricValue SubsequentSystemConfidentiality { get; init; }
+
+    /// <summary>Subsequent System Integrity (SI) - Mandatory.</summary>
+    [JsonPropertyName("si")]
+    public required ImpactMetricValue SubsequentSystemIntegrity { get; init; }
+
+    /// <summary>Subsequent System Availability (SA) - Mandatory.</summary>
+    [JsonPropertyName("sa")]
+    public required ImpactMetricValue SubsequentSystemAvailability { get; init; }
+}
+
+/// <summary>
+/// CVSS v4.0 Threat metric group.
+/// </summary>
+public sealed record CvssThreatMetrics
+{
+    /// <summary>Exploit Maturity (E) - Optional, defaults to Not Defined.</summary>
+    [JsonPropertyName("e")]
+    public ExploitMaturity ExploitMaturity { get; init; } = ExploitMaturity.NotDefined;
+}
+
+/// <summary>
+/// CVSS v4.0 Environmental metric group - Modified base metrics for specific environments.
+/// </summary>
+public sealed record CvssEnvironmentalMetrics
+{
+    /// <summary>Modified Attack Vector (MAV).</summary>
+    [JsonPropertyName("mav")]
+    public ModifiedAttackVector? ModifiedAttackVector { get; init; }
+
+    /// <summary>Modified Attack Complexity (MAC).</summary>
+    [JsonPropertyName("mac")]
+    public ModifiedAttackComplexity? ModifiedAttackComplexity { get; init; }
+
+    /// <summary>Modified Attack Requirements (MAT).</summary>
+    [JsonPropertyName("mat")]
+    public ModifiedAttackRequirements? ModifiedAttackRequirements { get; init; }
+
+    /// <summary>Modified Privileges Required (MPR).</summary>
+    [JsonPropertyName("mpr")]
+    public ModifiedPrivilegesRequired? ModifiedPrivilegesRequired { get; init; }
+
+    /// <summary>Modified User Interaction (MUI).</summary>
+    [JsonPropertyName("mui")]
+    public ModifiedUserInteraction? ModifiedUserInteraction { get; init; }
+
+    /// <summary>Modified Vulnerable System Confidentiality (MVC).</summary>
+    [JsonPropertyName("mvc")]
+    public ModifiedImpactMetricValue? ModifiedVulnerableSystemConfidentiality { get; init; }
+
+    /// <summary>Modified Vulnerable System Integrity (MVI).</summary>
+    [JsonPropertyName("mvi")]
+    public ModifiedImpactMetricValue? ModifiedVulnerableSystemIntegrity { get; init; }
+
+    /// <summary>Modified Vulnerable System Availability (MVA).</summary>
+    [JsonPropertyName("mva")]
+    public ModifiedImpactMetricValue? ModifiedVulnerableSystemAvailability { get; init; }
+
+    /// <summary>Modified Subsequent System Confidentiality (MSC).</summary>
+    [JsonPropertyName("msc")]
+    public ModifiedImpactMetricValue? ModifiedSubsequentSystemConfidentiality { get; init; }
+
+    /// <summary>Modified Subsequent System Integrity (MSI).</summary>
+    [JsonPropertyName("msi")]
+    public ModifiedSubsequentImpact? ModifiedSubsequentSystemIntegrity { get; init; }
+
+    /// <summary>Modified Subsequent System Availability (MSA).</summary>
+    [JsonPropertyName("msa")]
+    public ModifiedSubsequentImpact? ModifiedSubsequentSystemAvailability { get; init; }
+
+    /// <summary>Confidentiality Requirement (CR).</summary>
+    [JsonPropertyName("cr")]
+    public SecurityRequirement? ConfidentialityRequirement { get; init; }
+
+    /// <summary>Integrity Requirement (IR).</summary>
+    [JsonPropertyName("ir")]
+    public SecurityRequirement? IntegrityRequirement { get; init; }
+
+    /// <summary>Availability Requirement (AR).</summary>
+    [JsonPropertyName("ar")]
+    public SecurityRequirement? AvailabilityRequirement { get; init; }
+}
+
+/// <summary>
+/// CVSS v4.0 Supplemental metric group - Additional context metrics that do not affect scoring.
+/// </summary>
+public sealed record CvssSupplementalMetrics
+{
+    /// <summary>Safety (S) - Does the vulnerability affect human safety?</summary>
+    [JsonPropertyName("s")]
+    public Safety? Safety { get; init; }
+
+    /// <summary>Automatable (AU) - Can the vulnerability be exploited automatically?</summary>
+    [JsonPropertyName("au")]
+    public Automatable? Automatable { get; init; }
+
+    /// <summary>Recovery (R) - What is the recovery capability?</summary>
+    [JsonPropertyName("r")]
+    public Recovery? Recovery { get; init; }
+
+    /// <summary>Value Density (V) - Resource density of the vulnerable system.</summary>
+    [JsonPropertyName("v")]
+    public ValueDensity? ValueDensity { get; init; }
+
+    /// <summary>Vulnerability Response Effort (RE) - Effort required to respond.</summary>
+    [JsonPropertyName("re")]
+    public ResponseEffort? VulnerabilityResponseEffort { get; init; }
+
+    /// <summary>Provider Urgency (U) - Urgency as assessed by the provider.</summary>
+    [JsonPropertyName("u")]
+    public ProviderUrgency? ProviderUrgency { get; init; }
+}
+
+#region Base Metric Enums
+
+/// <summary>Attack Vector values per CVSS v4.0.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum AttackVector
+{
+    /// <summary>Network (N) - Remotely exploitable.</summary>
+    Network,
+    /// <summary>Adjacent (A) - Same network segment.</summary>
+    Adjacent,
+    /// <summary>Local (L) - Local access required.</summary>
+    Local,
+    /// <summary>Physical (P) - Physical access required.</summary>
+    Physical
+}
+
+/// <summary>Attack Complexity values per CVSS v4.0.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum AttackComplexity
+{
+    /// <summary>Low (L) - No specialized conditions.</summary>
+    Low,
+    /// <summary>High (H) - Specialized conditions required.</summary>
+    High
+}
+
+/// <summary>Attack Requirements values per CVSS v4.0.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum AttackRequirements
+{
+    /// <summary>None (N) - No preconditions required.</summary>
+    None,
+    /// <summary>Present (P) - Preconditions must exist.</summary>
+    Present
+}
+
+/// <summary>Privileges Required values per CVSS v4.0.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum PrivilegesRequired
+{
+    /// <summary>None (N) - No privileges needed.</summary>
+    None,
+    /// <summary>Low (L) - Basic user privileges needed.</summary>
+    Low,
+    /// <summary>High (H) - Admin/elevated privileges needed.</summary>
+    High
+}
+
+/// <summary>User Interaction values per CVSS v4.0.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum UserInteraction
+{
+    /// <summary>None (N) - No user interaction required.</summary>
+    None,
+    /// <summary>Passive (P) - Involuntary user action.</summary>
+    Passive,
+    /// <summary>Active (A) - Conscious user action required.</summary>
+    Active
+}
+
+/// <summary>Impact metric values (None/Low/High) per CVSS v4.0.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum ImpactMetricValue
+{
+    /// <summary>None (N) - No impact.</summary>
+    None,
+    /// <summary>Low (L) - Limited impact.</summary>
+    Low,
+    /// <summary>High (H) - Serious impact.</summary>
+    High
+}
+
+#endregion
+
+#region Threat Metric Enums
+
+/// <summary>Exploit Maturity values per CVSS v4.0.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum ExploitMaturity
+{
+    /// <summary>Not Defined (X) - Not assessed.</summary>
+    NotDefined,
+    /// <summary>Attacked (A) - Active exploitation observed.</summary>
+    Attacked,
+    /// <summary>Proof of Concept (P) - PoC code exists.</summary>
+    ProofOfConcept,
+    /// <summary>Unreported (U) - No public exploit code.</summary>
+    Unreported
+}
+
+#endregion
+
+#region Environmental Metric Enums (Modified versions)
+
+/// <summary>Modified Attack Vector values.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum ModifiedAttackVector
+{
+    NotDefined, Network, Adjacent, Local, Physical
+}
+
+/// <summary>Modified Attack Complexity values.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum ModifiedAttackComplexity
+{
+    NotDefined, Low, High
+}
+
+/// <summary>Modified Attack Requirements values.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum ModifiedAttackRequirements
+{
+    NotDefined, None, Present
+}
+
+/// <summary>Modified Privileges Required values.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum ModifiedPrivilegesRequired
+{
+    NotDefined, None, Low, High
+}
+
+/// <summary>Modified User Interaction values.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum ModifiedUserInteraction
+{
+    NotDefined, None, Passive, Active
+}
+
+/// <summary>Modified Impact metric values.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum ModifiedImpactMetricValue
+{
+    NotDefined, None, Low, High
+}
+
+/// <summary>Modified Subsequent System Impact values (includes Safety dimension).</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum ModifiedSubsequentImpact
+{
+    NotDefined, Negligible, Low, High, Safety
+}
+
+/// <summary>Security Requirement values.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum SecurityRequirement
+{
+    NotDefined, Low, Medium, High
+}
+
+#endregion
+
+#region Supplemental Metric Enums
+
+/// <summary>Safety values per CVSS v4.0.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum Safety
+{
+    NotDefined, Negligible, Present
+}
+
+/// <summary>Automatable values per CVSS v4.0.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum Automatable
+{
+    NotDefined, No, Yes
+}
+
+/// <summary>Recovery values per CVSS v4.0.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum Recovery
+{
+    NotDefined, Automatic, User, Irrecoverable
+}
+
+/// <summary>Value Density values per CVSS v4.0.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum ValueDensity
+{
+    NotDefined, Diffuse, Concentrated
+}
+
+/// <summary>Response Effort values per CVSS v4.0.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum ResponseEffort
+{
+    NotDefined, Low, Moderate, High
+}
+
+/// <summary>Provider Urgency values per CVSS v4.0.</summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum ProviderUrgency
+{
+    NotDefined, Clear, Green, Amber, Red
+}
+
+#endregion
diff --git a/src/Policy/StellaOps.Policy.Scoring/CvssPolicy.cs b/src/Policy/StellaOps.Policy.Scoring/CvssPolicy.cs
new file mode 100644
index 000000000..29aa19050
--- /dev/null
+++ b/src/Policy/StellaOps.Policy.Scoring/CvssPolicy.cs
@@ -0,0 +1,223 @@
+using System.Collections.Immutable;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Policy.Scoring;
+
+/// <summary>
+/// CVSS scoring policy configuration.
+/// Defines how CVSS scores are computed and what thresholds apply.
+/// </summary>
+public sealed record CvssPolicy
+{
+    /// <summary>Unique policy identifier.</summary>
+    [JsonPropertyName("policyId")]
+    public required string PolicyId { get; init; }
+
+    /// <summary>Policy version (semantic versioning).</summary>
+    [JsonPropertyName("version")]
+    public required string Version { get; init; }
+
+    /// <summary>Human-readable policy name.</summary>
+    [JsonPropertyName("name")]
+    public required string Name { get; init; }
+
+    /// <summary>Policy description.</summary>
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+
+    /// <summary>Tenant scope (null for global policy).</summary>
+    [JsonPropertyName("tenantId")]
+    public string? TenantId { get; init; }
+
+    /// <summary>When this policy becomes effective.</summary>
+    [JsonPropertyName("effectiveFrom")]
+    public required DateTimeOffset EffectiveFrom { get; init; }
+
+    /// <summary>When this policy expires (null for no expiry).</summary>
+    [JsonPropertyName("effectiveUntil")]
+    public DateTimeOffset? EffectiveUntil { get; init; }
+
+    /// <summary>Whether this policy is currently active.</summary>
+    [JsonPropertyName("isActive")]
+    public bool IsActive { get; init; } = true;
+
+    /// <summary>Which score type to use as the effective score by default.</summary>
+    [JsonPropertyName("defaultEffectiveScoreType")]
+    public EffectiveScoreType DefaultEffectiveScoreType { get; init; } = EffectiveScoreType.Full;
+
+    /// <summary>Default environmental metrics to apply when not provided.</summary>
+    [JsonPropertyName("defaultEnvironmentalMetrics")]
+    public CvssEnvironmentalMetrics? DefaultEnvironmentalMetrics { get; init; }
+
+    /// <summary>Severity thresholds (override FIRST defaults if specified).</summary>
+    [JsonPropertyName("severityThresholds")]
+    public CvssSeverityThresholds? SeverityThresholds { get; init; }
+
+    /// <summary>Score rounding configuration.</summary>
+    [JsonPropertyName("rounding")]
+    public CvssRoundingConfig Rounding { get; init; } = new();
+
+    /// <summary>Evidence requirements for receipts.</summary>
+    [JsonPropertyName("evidenceRequirements")]
+    public CvssEvidenceRequirements? EvidenceRequirements { get; init; }
+
+    /// <summary>Attestation requirements.</summary>
+    [JsonPropertyName("attestationRequirements")]
+    public CvssAttestationRequirements? AttestationRequirements { get; init; }
+
+    /// <summary>Metric overrides for specific vulnerability patterns.</summary>
+    [JsonPropertyName("metricOverrides")]
+    public ImmutableList<CvssMetricOverride> MetricOverrides { get; init; } = [];
+
+    /// <summary>SHA-256 hash of this policy for determinism tracking.</summary>
+    [JsonPropertyName("hash")]
+    public string? Hash { get; init; }
+
+    /// <summary>When this policy was created.</summary>
+    [JsonPropertyName("createdAt")]
+    public DateTimeOffset? CreatedAt { get; init; }
+
+    /// <summary>Who created this policy.</summary>
+    [JsonPropertyName("createdBy")]
+    public string? CreatedBy { get; init; }
+}
+
+/// <summary>
+/// Severity threshold configuration.
+/// </summary>
+public sealed record CvssSeverityThresholds
+{
+    /// <summary>Low severity lower bound (default: 0.1).</summary>
+    [JsonPropertyName("lowMin")]
+    public double LowMin { get; init; } = 0.1;
+
+    /// <summary>Medium severity lower bound (default: 4.0).</summary>
+    [JsonPropertyName("mediumMin")]
+    public double MediumMin { get; init; } = 4.0;
+
+    /// <summary>High severity lower bound (default: 7.0).</summary>
+    [JsonPropertyName("highMin")]
+    public double HighMin { get; init; } = 7.0;
+
+    /// <summary>Critical severity lower bound (default: 9.0).</summary>
+    [JsonPropertyName("criticalMin")]
+    public double CriticalMin { get; init; } = 9.0;
+}
+
+/// <summary>
+/// Score rounding configuration.
+/// </summary>
+public sealed record CvssRoundingConfig
+{
+    /// <summary>Number of decimal places for scores (default: 1).</summary>
+    [JsonPropertyName("decimalPlaces")]
+    public int DecimalPlaces { get; init; } = 1;
+
+    /// <summary>Rounding mode (default: roundUp per FIRST spec).</summary>
+    [JsonPropertyName("mode")]
+    public CvssRoundingMode Mode { get; init; } = CvssRoundingMode.RoundUp;
+}
+
+/// <summary>
+/// Rounding modes for CVSS scores.
+/// </summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum CvssRoundingMode
+{
+    /// <summary>Round up to nearest tenth (FIRST spec default).</summary>
+    RoundUp,
+    /// <summary>Standard mathematical rounding.</summary>
+    Standard,
+    /// <summary>Always round down.</summary>
+    RoundDown
+}
+
+/// <summary>
+/// Evidence requirements configuration.
+/// </summary>
+public sealed record CvssEvidenceRequirements
+{
+    /// <summary>Minimum number of evidence items required.</summary>
+    [JsonPropertyName("minimumCount")]
+    public int MinimumCount { get; init; }
+
+    /// <summary>Whether authoritative evidence is required.</summary>
+    [JsonPropertyName("requireAuthoritative")]
+    public bool RequireAuthoritative { get; init; }
+
+    /// <summary>Required evidence types.</summary>
+    [JsonPropertyName("requiredTypes")]
+    public ImmutableList<string> RequiredTypes { get; init; } = [];
+
+    /// <summary>Maximum age of evidence in days.</summary>
+    [JsonPropertyName("maxAgeInDays")]
+    public int? MaxAgeInDays { get; init; }
+}
+
+/// <summary>
+/// Attestation requirements configuration.
+/// </summary>
+public sealed record CvssAttestationRequirements
+{
+    /// <summary>Whether DSSE attestation is required.</summary>
+    [JsonPropertyName("requireDsse")]
+    public bool RequireDsse { get; init; }
+
+    /// <summary>Whether Rekor transparency log registration is required.</summary>
+    [JsonPropertyName("requireRekor")]
+    public bool RequireRekor { get; init; }
+
+    /// <summary>Acceptable signing key identities.</summary>
+    [JsonPropertyName("allowedSigners")]
+    public ImmutableList<string> AllowedSigners { get; init; } = [];
+
+    /// <summary>Minimum trust level for attestations.</summary>
+    [JsonPropertyName("minimumTrustLevel")]
+    public string? MinimumTrustLevel { get; init; }
+}
+
+/// <summary>
+/// Metric override for specific vulnerability patterns.
+/// </summary>
+public sealed record CvssMetricOverride
+{
+    /// <summary>Override identifier.</summary>
+    [JsonPropertyName("id")]
+    public required string Id { get; init; }
+
+    /// <summary>Human-readable description.</summary>
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+
+    /// <summary>Pattern to match vulnerability IDs (regex).</summary>
+    [JsonPropertyName("vulnerabilityPattern")]
+    public string? VulnerabilityPattern { get; init; }
+
+    /// <summary>Specific vulnerability IDs to match.</summary>
+    [JsonPropertyName("vulnerabilityIds")]
+    public ImmutableList<string> VulnerabilityIds { get; init; } = [];
+
+    /// <summary>CWE IDs to match.</summary>
+    [JsonPropertyName("cweIds")]
+    public ImmutableList<string> CweIds { get; init; } = [];
+
+    /// <summary>Environmental metric overrides to apply.</summary>
+    [JsonPropertyName("environmentalOverrides")]
+    public CvssEnvironmentalMetrics? EnvironmentalOverrides { get; init; }
+
+    /// <summary>Score adjustment (added to final score).</summary>
+    [JsonPropertyName("scoreAdjustment")]
+    public double? ScoreAdjustment { get; init; }
+
+    /// <summary>Priority for conflict resolution (higher wins).</summary>
+    [JsonPropertyName("priority")]
+    public int Priority { get; init; }
+
+    /// <summary>Whether this override is active.</summary>
+    [JsonPropertyName("isActive")]
+    public bool IsActive { get; init; } = true;
+
+    /// <summary>Reason for this override.</summary>
+    [JsonPropertyName("reason")]
+    public string? Reason { get; init; }
+}
diff --git a/src/Policy/StellaOps.Policy.Scoring/CvssScoreReceipt.cs b/src/Policy/StellaOps.Policy.Scoring/CvssScoreReceipt.cs
new file mode 100644
index 000000000..5b9a592ad
--- /dev/null
+++ b/src/Policy/StellaOps.Policy.Scoring/CvssScoreReceipt.cs
@@ -0,0 +1,297 @@
+using System.Collections.Immutable;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Policy.Scoring;
+
+/// <summary>
+/// A CVSS v4.0 Score Receipt with complete audit trail.
+/// Provides deterministic, reproducible scoring with full provenance.
+/// </summary>
+public sealed record CvssScoreReceipt
+{
+    /// <summary>Unique receipt identifier.</summary>
+    [JsonPropertyName("receiptId")]
+    public required string ReceiptId { get; init; }
+
+    /// <summary>Schema version for this receipt format.</summary>
+    [JsonPropertyName("schemaVersion")]
+    public string SchemaVersion { get; init; } = "1.0.0";
+
+    /// <summary>Receipt format specification.</summary>
+    [JsonPropertyName("format")]
+    public string Format { get; init; } = "stella.ops/cvssReceipt@v1";
+
+    /// <summary>Vulnerability identifier (CVE, GHSA, etc.).</summary>
+    [JsonPropertyName("vulnerabilityId")]
+    public required string VulnerabilityId { get; init; }
+
+    /// <summary>Tenant scope for multi-tenant deployments.</summary>
+    [JsonPropertyName("tenantId")]
+    public required string TenantId { get; init; }
+
+    /// <summary>Timestamp when the receipt was created (UTC ISO-8601).</summary>
+    [JsonPropertyName("createdAt")]
+    public required DateTimeOffset CreatedAt { get; init; }
+
+    /// <summary>User or system that created the receipt.</summary>
+    [JsonPropertyName("createdBy")]
+    public required string CreatedBy { get; init; }
+
+    /// <summary>Timestamp when the receipt was last modified.</summary>
+    [JsonPropertyName("modifiedAt")]
+    public DateTimeOffset? ModifiedAt { get; init; }
+
+    /// <summary>User or system that last modified the receipt.</summary>
+    [JsonPropertyName("modifiedBy")]
+    public string? ModifiedBy { get; init; }
+
+    /// <summary>CVSS version used (4.0).</summary>
+    [JsonPropertyName("cvssVersion")]
+    public string CvssVersion { get; init; } = "4.0";
+
+    /// <summary>Base metrics input.</summary>
+    [JsonPropertyName("baseMetrics")]
+    public required CvssBaseMetrics BaseMetrics { get; init; }
+
+    /// <summary>Threat metrics input (optional).</summary>
+    [JsonPropertyName("threatMetrics")]
+    public CvssThreatMetrics? ThreatMetrics { get; init; }
+
+    /// <summary>Environmental metrics input (optional).</summary>
+    [JsonPropertyName("environmentalMetrics")]
+    public CvssEnvironmentalMetrics? EnvironmentalMetrics { get; init; }
+
+    /// <summary>Supplemental metrics (optional, do not affect score).</summary>
+    [JsonPropertyName("supplementalMetrics")]
+    public CvssSupplementalMetrics? SupplementalMetrics { get; init; }
+
+    /// <summary>Computed scores.</summary>
+    [JsonPropertyName("scores")]
+    public required CvssScores Scores { get; init; }
+
+    /// <summary>Computed CVSS v4.0 vector string.</summary>
+    [JsonPropertyName("vectorString")]
+    public required string VectorString { get; init; }
+
+    /// <summary>Severity rating based on final score.</summary>
+    [JsonPropertyName("severity")]
+    public required CvssSeverity Severity { get; init; }
+
+    /// <summary>Policy that was applied to compute this receipt.</summary>
+    [JsonPropertyName("policyRef")]
+    public required CvssPolicyReference PolicyRef { get; init; }
+
+    /// <summary>Evidence items supporting this score.</summary>
+    [JsonPropertyName("evidence")]
+    public ImmutableList<CvssEvidenceItem> Evidence { get; init; } = [];
+
+    /// <summary>DSSE attestation envelope references, if signed.</summary>
+    [JsonPropertyName("attestationRefs")]
+    public ImmutableList<string> AttestationRefs { get; init; } = [];
+
+    /// <summary>SHA-256 hash of deterministic input for reproducibility.</summary>
+    [JsonPropertyName("inputHash")]
+    public required string InputHash { get; init; }
+
+    /// <summary>Amendment history entries.</summary>
+    [JsonPropertyName("history")]
+    public ImmutableList<ReceiptHistoryEntry> History { get; init; } = [];
+
+    /// <summary>Original receipt ID if this is an amendment.</summary>
+    [JsonPropertyName("amendsReceiptId")]
+    public string? AmendsReceiptId { get; init; }
+
+    /// <summary>Whether this receipt is the current active version.</summary>
+    [JsonPropertyName("isActive")]
+    public bool IsActive { get; init; } = true;
+
+    /// <summary>Reason this receipt was superseded (if not active).</summary>
+    [JsonPropertyName("supersededReason")]
+    public string? SupersededReason { get; init; }
+}
+
+/// <summary>
+/// Computed CVSS v4.0 scores.
+/// </summary>
+public sealed record CvssScores
+{
+    /// <summary>Base Score (CVSS-B) - Impact of the vulnerability.</summary>
+    [JsonPropertyName("baseScore")]
+    public required double BaseScore { get; init; }
+
+    /// <summary>Threat-Adjusted Score (CVSS-BT) - Base + threat metrics.</summary>
+    [JsonPropertyName("threatScore")]
+    public double? ThreatScore { get; init; }
+
+    /// <summary>Environmental Score (CVSS-BE) - Base + environmental metrics.</summary>
+    [JsonPropertyName("environmentalScore")]
+    public double? EnvironmentalScore { get; init; }
+
+    /// <summary>Full Score (CVSS-BTE) - Base + threat + environmental.</summary>
+    [JsonPropertyName("fullScore")]
+    public double? FullScore { get; init; }
+
+    /// <summary>Which score is considered the "effective" score for policy decisions.</summary>
+    [JsonPropertyName("effectiveScore")]
+    public required double EffectiveScore { get; init; }
+
+    /// <summary>Which score type was used as effective.</summary>
+    [JsonPropertyName("effectiveScoreType")]
+    public required EffectiveScoreType EffectiveScoreType { get; init; }
+}
+
+/// <summary>
+/// Indicates which score type was used as the effective score.
+/// </summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum EffectiveScoreType
+{
+    /// <summary>Base score only (CVSS-B).</summary>
+    Base,
+    /// <summary>Base + Threat (CVSS-BT).</summary>
+    Threat,
+    /// <summary>Base + Environmental (CVSS-BE).</summary>
+    Environmental,
+    /// <summary>Full score with all metrics (CVSS-BTE).</summary>
+    Full
+}
+
+/// <summary>
+/// CVSS v4.0 severity ratings.
+/// </summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum CvssSeverity
+{
+    /// <summary>None - Score 0.0.</summary>
+    None,
+    /// <summary>Low - Score 0.1-3.9.</summary>
+    Low,
+    /// <summary>Medium - Score 4.0-6.9.</summary>
+    Medium,
+    /// <summary>High - Score 7.0-8.9.</summary>
+    High,
+    /// <summary>Critical - Score 9.0-10.0.</summary>
+    Critical
+}
+
+/// <summary>
+/// Reference to the policy used for scoring.
+/// </summary>
+public sealed record CvssPolicyReference
+{
+    /// <summary>Policy identifier.</summary>
+    [JsonPropertyName("policyId")]
+    public required string PolicyId { get; init; }
+
+    /// <summary>Policy version.</summary>
+    [JsonPropertyName("version")]
+    public required string Version { get; init; }
+
+    /// <summary>SHA-256 hash of the policy content.</summary>
+    [JsonPropertyName("hash")]
+    public required string Hash { get; init; }
+
+    /// <summary>When the policy was activated.</summary>
+    [JsonPropertyName("activatedAt")]
+    public DateTimeOffset? ActivatedAt { get; init; }
+}
+
+/// <summary>
+/// Evidence item supporting a CVSS score.
+/// </summary>
+public sealed record CvssEvidenceItem
+{
+    /// <summary>Evidence type (advisory, vex, scan, etc.).</summary>
+    [JsonPropertyName("type")]
+    public required string Type { get; init; }
+
+    /// <summary>Content-addressable storage URI (e.g., sha256:...).</summary>
+    [JsonPropertyName("uri")]
+    public required string Uri { get; init; }
+
+    /// <summary>Human-readable description of the evidence.</summary>
+    [JsonPropertyName("description")]
+    public string? Description { get; init; }
+
+    /// <summary>When the evidence was collected.</summary>
+    [JsonPropertyName("collectedAt")]
+    public DateTimeOffset? CollectedAt { get; init; }
+
+    /// <summary>Source of the evidence (vendor, scanner, manual).</summary>
+    [JsonPropertyName("source")]
+    public string? Source { get; init; }
+
+    /// <summary>Whether this evidence is from the vendor/authority.</summary>
+    [JsonPropertyName("isAuthoritative")]
+    public bool IsAuthoritative { get; init; }
+}
+
+/// <summary>
+/// History entry for receipt amendments.
+/// </summary>
+public sealed record ReceiptHistoryEntry
+{
+    /// <summary>Unique history entry identifier.</summary>
+    [JsonPropertyName("historyId")]
+    public required string HistoryId { get; init; }
+
+    /// <summary>When the amendment was made.</summary>
+    [JsonPropertyName("timestamp")]
+    public required DateTimeOffset Timestamp { get; init; }
+
+    /// <summary>User or system that made the amendment.</summary>
+    [JsonPropertyName("actor")]
+    public required string Actor { get; init; }
+
+    /// <summary>Type of change (amend, supersede, revoke).</summary>
+    [JsonPropertyName("changeType")]
+    public required ReceiptChangeType ChangeType { get; init; }
+
+    /// <summary>Field that was changed.</summary>
+    [JsonPropertyName("field")]
+    public required string Field { get; init; }
+
+    /// <summary>Previous value (JSON encoded).</summary>
+    [JsonPropertyName("previousValue")]
+    public string? PreviousValue { get; init; }
+
+    /// <summary>New value (JSON encoded).</summary>
+    [JsonPropertyName("newValue")]
+    public string? NewValue { get; init; }
+
+    /// <summary>Reason for the change.</summary>
+    [JsonPropertyName("reason")]
+    public required string Reason { get; init; }
+
+    /// <summary>Reference URI for supporting documentation.</summary>
+    [JsonPropertyName("referenceUri")]
+    public string? ReferenceUri { get; init; }
+
+    /// <summary>Signature of this history entry for integrity.</summary>
+    [JsonPropertyName("signature")]
+    public string? Signature { get; init; }
+}
+
+/// <summary>
+/// Types of changes to a receipt.
+/// </summary>
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum ReceiptChangeType
+{
+    /// <summary>Initial creation.</summary>
+    Created,
+    /// <summary>Field value amended.</summary>
+    Amended,
+    /// <summary>Receipt superseded by newer version.</summary>
+    Superseded,
+    /// <summary>Receipt revoked/invalidated.</summary>
+    Revoked,
+    /// <summary>Evidence added.</summary>
+    EvidenceAdded,
+    /// <summary>Attestation signed.</summary>
+    AttestationSigned,
+    /// <summary>Policy updated.</summary>
+    PolicyUpdated,
+    /// <summary>Score recalculated.</summary>
+    Recalculated
+}
diff --git a/src/Policy/StellaOps.Policy.Scoring/Engine/CvssV4Engine.cs b/src/Policy/StellaOps.Policy.Scoring/Engine/CvssV4Engine.cs
new file mode 100644
index 000000000..30b1ba673
--- /dev/null
+++ b/src/Policy/StellaOps.Policy.Scoring/Engine/CvssV4Engine.cs
@@ -0,0 +1,809 @@
+using System.Text;
+using System.Text.RegularExpressions;
+
+namespace StellaOps.Policy.Scoring.Engine;
+
+/// <summary>
+/// CVSS v4.0 scoring engine implementation.
+/// Implements FIRST CVSS v4.0 specification with MacroVector-based scoring.
+/// </summary>
+public sealed partial class CvssV4Engine : ICvssV4Engine
+{
+    /// <inheritdoc />
+    public CvssScores ComputeScores(
+        CvssBaseMetrics baseMetrics,
+        CvssThreatMetrics? threatMetrics = null,
+        CvssEnvironmentalMetrics? environmentalMetrics = null)
+    {
+        ArgumentNullException.ThrowIfNull(baseMetrics);
+
+        // Compute base score (CVSS-B)
+        var baseScore = ComputeBaseScore(baseMetrics);
+
+        // Compute threat score (CVSS-BT) if threat metrics provided
+        double? threatScore = null;
+        if (threatMetrics is not null && threatMetrics.ExploitMaturity != ExploitMaturity.NotDefined)
+        {
+            threatScore = ComputeThreatScore(baseMetrics, threatMetrics);
+        }
+
+        // Compute environmental score (CVSS-BE) if environmental metrics provided
+        double? environmentalScore = null;
+        if (environmentalMetrics is not null && HasEnvironmentalMetrics(environmentalMetrics))
+        {
+            environmentalScore = ComputeEnvironmentalScore(baseMetrics, environmentalMetrics);
+        }
+
+        // Compute full score (CVSS-BTE) if both threat and environmental metrics provided
+        double? fullScore = null;
+        if (threatMetrics is not null && environmentalMetrics is not null &&
+            threatMetrics.ExploitMaturity != ExploitMaturity.NotDefined &&
+            HasEnvironmentalMetrics(environmentalMetrics))
+        {
+            fullScore = ComputeFullScore(baseMetrics, threatMetrics, environmentalMetrics);
+        }
+
+        // Determine effective score and type
+        var (effectiveScore, effectiveType) = DetermineEffectiveScore(
+            baseScore, threatScore, environmentalScore, fullScore);
+
+        return new CvssScores
+        {
+            BaseScore = baseScore,
+            ThreatScore = threatScore,
+            EnvironmentalScore = environmentalScore,
+            FullScore = fullScore,
+            EffectiveScore = effectiveScore,
+            EffectiveScoreType = effectiveType
+        };
+    }
+
+    /// <inheritdoc />
+    public string BuildVectorString(
+        CvssBaseMetrics baseMetrics,
+        CvssThreatMetrics? threatMetrics = null,
+        CvssEnvironmentalMetrics? environmentalMetrics = null,
+        CvssSupplementalMetrics? supplementalMetrics = null)
+    {
+        ArgumentNullException.ThrowIfNull(baseMetrics);
+
+        var sb = new StringBuilder("CVSS:4.0");
+
+        // Base metrics (mandatory)
+        sb.Append($"/AV:{MetricToString(baseMetrics.AttackVector)}");
+        sb.Append($"/AC:{MetricToString(baseMetrics.AttackComplexity)}");
+        sb.Append($"/AT:{MetricToString(baseMetrics.AttackRequirements)}");
+        sb.Append($"/PR:{MetricToString(baseMetrics.PrivilegesRequired)}");
+        sb.Append($"/UI:{MetricToString(baseMetrics.UserInteraction)}");
+        sb.Append($"/VC:{MetricToString(baseMetrics.VulnerableSystemConfidentiality)}");
+        sb.Append($"/VI:{MetricToString(baseMetrics.VulnerableSystemIntegrity)}");
+        sb.Append($"/VA:{MetricToString(baseMetrics.VulnerableSystemAvailability)}");
+        sb.Append($"/SC:{MetricToString(baseMetrics.SubsequentSystemConfidentiality)}");
+        sb.Append($"/SI:{MetricToString(baseMetrics.SubsequentSystemIntegrity)}");
+        sb.Append($"/SA:{MetricToString(baseMetrics.SubsequentSystemAvailability)}");
+
+        // Threat metrics (optional)
+        if (threatMetrics is not null && threatMetrics.ExploitMaturity != ExploitMaturity.NotDefined)
+        {
+            sb.Append($"/E:{MetricToString(threatMetrics.ExploitMaturity)}");
+        }
+
+        // Environmental metrics (optional, only include if not NotDefined)
+        if (environmentalMetrics is not null)
+        {
+            AppendEnvironmentalMetrics(sb, environmentalMetrics);
+        }
+
+        // Supplemental metrics (optional, only include if not NotDefined)
+        if (supplementalMetrics is not null)
+        {
+            AppendSupplementalMetrics(sb, supplementalMetrics);
+        }
+
+        return sb.ToString();
+    }
+
+    /// <inheritdoc />
+    public CvssMetricSet ParseVector(string vectorString)
+    {
+        if (string.IsNullOrWhiteSpace(vectorString))
+            throw new ArgumentException("Vector string cannot be null or empty.", nameof(vectorString));
+
+        if (!vectorString.StartsWith("CVSS:4.0/", StringComparison.OrdinalIgnoreCase))
+            throw new ArgumentException("Vector string must start with 'CVSS:4.0/'.", nameof(vectorString));
+
+        var metrics = ParseMetricsFromVector(vectorString[9..]);
+
+        // Parse base metrics (all required)
+        var baseMetrics = new CvssBaseMetrics
+        {
+            AttackVector = ParseAttackVector(GetRequiredMetric(metrics, "AV")),
+            AttackComplexity = ParseAttackComplexity(GetRequiredMetric(metrics, "AC")),
+            AttackRequirements = ParseAttackRequirements(GetRequiredMetric(metrics, "AT")),
+            PrivilegesRequired = ParsePrivilegesRequired(GetRequiredMetric(metrics, "PR")),
+            UserInteraction = ParseUserInteraction(GetRequiredMetric(metrics, "UI")),
+            VulnerableSystemConfidentiality = ParseImpactMetric(GetRequiredMetric(metrics, "VC")),
+            VulnerableSystemIntegrity = ParseImpactMetric(GetRequiredMetric(metrics, "VI")),
+            VulnerableSystemAvailability = ParseImpactMetric(GetRequiredMetric(metrics, "VA")),
+            SubsequentSystemConfidentiality = ParseImpactMetric(GetRequiredMetric(metrics, "SC")),
+            SubsequentSystemIntegrity = ParseImpactMetric(GetRequiredMetric(metrics, "SI")),
+            SubsequentSystemAvailability = ParseImpactMetric(GetRequiredMetric(metrics, "SA"))
+        };
+
+        // Parse threat metrics
+        CvssThreatMetrics? threatMetrics = null;
+        if (metrics.TryGetValue("E", out var e))
+        {
+            threatMetrics = new CvssThreatMetrics
+            {
+                ExploitMaturity = ParseExploitMaturity(e)
+            };
+        }
+
+        // Parse environmental metrics
+        var envMetrics = ParseEnvironmentalMetrics(metrics);
+
+        // Parse supplemental metrics
+        var suppMetrics = ParseSupplementalMetrics(metrics);
+
+        return new CvssMetricSet
+        {
+            BaseMetrics = baseMetrics,
+            ThreatMetrics = threatMetrics,
+            EnvironmentalMetrics = envMetrics,
+            SupplementalMetrics = suppMetrics
+        };
+    }
+
+    /// <inheritdoc />
+    public CvssSeverity GetSeverity(double score, CvssSeverityThresholds? thresholds = null)
+    {
+        thresholds ??= new CvssSeverityThresholds();
+
+        return score switch
+        {
+            0.0 => CvssSeverity.None,
+            >= 9.0 when score >= thresholds.CriticalMin => CvssSeverity.Critical,
+            >= 7.0 when score >= thresholds.HighMin => CvssSeverity.High,
+            >= 4.0 when score >= thresholds.MediumMin => CvssSeverity.Medium,
+            > 0.0 when score >= thresholds.LowMin => CvssSeverity.Low,
+            _ => CvssSeverity.None
+        };
+    }
+
+    #region Score Computation
+
+    private static double ComputeBaseScore(CvssBaseMetrics metrics)
+    {
+        // Get MacroVector from base metrics
+        var macroVector = GetMacroVector(metrics);
+
+        // Look up base score from MacroVector lookup table
+        var score = MacroVectorLookup.GetBaseScore(macroVector);
+
+        return RoundUp(score);
+    }
+
+    private static double ComputeThreatScore(CvssBaseMetrics baseMetrics, CvssThreatMetrics threatMetrics)
+    {
+        // Get base score first
+        var macroVector = GetMacroVector(baseMetrics);
+        var baseScore = MacroVectorLookup.GetBaseScore(macroVector);
+
+        // Apply threat multiplier based on Exploit Maturity
+        var threatMultiplier = GetThreatMultiplier(threatMetrics.ExploitMaturity);
+
+        // Threat score = Base * Threat Multiplier
+        var threatScore = baseScore * threatMultiplier;
+
+        return RoundUp(threatScore);
+    }
+
+    private static double ComputeEnvironmentalScore(CvssBaseMetrics baseMetrics, CvssEnvironmentalMetrics envMetrics)
+    {
+        // Apply modified metrics to base metrics
+        var modifiedMetrics = ApplyEnvironmentalModifiers(baseMetrics, envMetrics);
+
+        // Compute modified base score
+        var macroVector = GetMacroVector(modifiedMetrics);
+        var modifiedBaseScore = MacroVectorLookup.GetBaseScore(macroVector);
+
+        // Apply security requirements
+        var requirementsMultiplier = GetRequirementsMultiplier(envMetrics);
+        var envScore = modifiedBaseScore * requirementsMultiplier;
+
+        return Math.Min(RoundUp(envScore), 10.0);
+    }
+
+    private static double ComputeFullScore(
+        CvssBaseMetrics baseMetrics,
+        CvssThreatMetrics threatMetrics,
+        CvssEnvironmentalMetrics envMetrics)
+    {
+        // Apply modified metrics to base metrics
+        var modifiedMetrics = ApplyEnvironmentalModifiers(baseMetrics, envMetrics);
+
+        // Compute modified base score
+        var macroVector = GetMacroVector(modifiedMetrics);
+        var modifiedBaseScore = MacroVectorLookup.GetBaseScore(macroVector);
+
+        // Apply threat multiplier
+        var threatMultiplier = GetThreatMultiplier(threatMetrics.ExploitMaturity);
+
+        // Apply security requirements
+        var requirementsMultiplier = GetRequirementsMultiplier(envMetrics);
+
+        // Full score = Modified Base * Threat * Requirements
+        var fullScore = modifiedBaseScore * threatMultiplier * requirementsMultiplier;
+
+        return Math.Min(RoundUp(fullScore), 10.0);
+    }
+
+    private static (double Score, EffectiveScoreType Type) DetermineEffectiveScore(
+        double baseScore,
+        double? threatScore,
+        double? environmentalScore,
+        double? fullScore)
+    {
+        // Priority: Full > Environmental > Threat > Base
+        if (fullScore.HasValue)
+            return (fullScore.Value, EffectiveScoreType.Full);
+        if (environmentalScore.HasValue)
+            return (environmentalScore.Value, EffectiveScoreType.Environmental);
+        if (threatScore.HasValue)
+            return (threatScore.Value, EffectiveScoreType.Threat);
+        return (baseScore, EffectiveScoreType.Base);
+    }
+
+    #endregion
+
+    #region MacroVector Computation
+
+    private static string GetMacroVector(CvssBaseMetrics metrics)
+    {
+        // Build MacroVector string from EQ (Equivalence) values
+        // Per CVSS v4.0 spec: EQ1-EQ6 define the MacroVector
+        var eq1 = GetEQ1(metrics);
+        var eq2 = GetEQ2(metrics);
+        var eq3 = GetEQ3(metrics);
+        var eq4 = GetEQ4(metrics);
+        var eq5 = GetEQ5(metrics);
+        var eq6 = GetEQ6(metrics);
+
+        return $"{eq1}{eq2}{eq3}{eq4}{eq5}{eq6}";
+    }
+
+    private static int GetEQ1(CvssBaseMetrics m)
+    {
+        // EQ1: Attack Vector + Privileges Required
+        return (m.AttackVector, m.PrivilegesRequired) switch
+        {
+            (AttackVector.Network, PrivilegesRequired.None) => 0,
+            (AttackVector.Network, PrivilegesRequired.Low) => 1,
+            (AttackVector.Network, PrivilegesRequired.High) => 1,
+            (AttackVector.Adjacent, PrivilegesRequired.None) => 1,
+            (AttackVector.Adjacent, PrivilegesRequired.Low) => 2,
+            (AttackVector.Adjacent, PrivilegesRequired.High) => 2,
+            (AttackVector.Local, _) => 2,
+            (AttackVector.Physical, _) => 2,
+            _ => 2
+        };
+    }
+
+    private static int GetEQ2(CvssBaseMetrics m)
+    {
+        // EQ2: Attack Complexity + User Interaction
+        return (m.AttackComplexity, m.UserInteraction) switch
+        {
+            (AttackComplexity.Low, UserInteraction.None) => 0,
+            (AttackComplexity.Low, UserInteraction.Passive) => 1,
+            (AttackComplexity.Low, UserInteraction.Active) => 1,
+            (AttackComplexity.High, _) => 1,
+            _ => 1
+        };
+    }
+
+    private static int GetEQ3(CvssBaseMetrics m)
+    {
+        // EQ3: Vulnerable System CIA (highest impact)
+        var vc = m.VulnerableSystemConfidentiality;
+        var vi = m.VulnerableSystemIntegrity;
+        var va = m.VulnerableSystemAvailability;
+
+        if (vc == ImpactMetricValue.High || vi == ImpactMetricValue.High || va == ImpactMetricValue.High)
+            return 0;
+        if (vc == ImpactMetricValue.Low || vi == ImpactMetricValue.Low || va == ImpactMetricValue.Low)
+            return 1;
+        return 2;
+    }
+
+    private static int GetEQ4(CvssBaseMetrics m)
+    {
+        // EQ4: Subsequent System CIA (highest impact)
+        var sc = m.SubsequentSystemConfidentiality;
+        var si = m.SubsequentSystemIntegrity;
+        var sa = m.SubsequentSystemAvailability;
+
+        if (sc == ImpactMetricValue.High || si == ImpactMetricValue.High || sa == ImpactMetricValue.High)
+            return 0;
+        if (sc == ImpactMetricValue.Low || si == ImpactMetricValue.Low || sa == ImpactMetricValue.Low)
+            return 1;
+        return 2;
+    }
+
+    private static int GetEQ5(CvssBaseMetrics m)
+    {
+        // EQ5: Attack Requirements
+        return m.AttackRequirements == AttackRequirements.None ? 0 : 1;
+    }
+
+    private static int GetEQ6(CvssBaseMetrics m)
+    {
+        // EQ6: Combined impact pattern
+        var vcHigh = m.VulnerableSystemConfidentiality == ImpactMetricValue.High;
+        var viHigh = m.VulnerableSystemIntegrity == ImpactMetricValue.High;
+        var vaHigh = m.VulnerableSystemAvailability == ImpactMetricValue.High;
+        var scHigh = m.SubsequentSystemConfidentiality == ImpactMetricValue.High;
+        var siHigh = m.SubsequentSystemIntegrity == ImpactMetricValue.High;
+        var saHigh = m.SubsequentSystemAvailability == ImpactMetricValue.High;
+
+        // Count high impacts
+        var vulnHighCount = (vcHigh ? 1 : 0) + (viHigh ? 1 : 0) + (vaHigh ? 1 : 0);
+        var subHighCount = (scHigh ? 1 : 0) + (siHigh ? 1 : 0) + (saHigh ? 1 : 0);
+
+        if (vulnHighCount >= 2 || subHighCount >= 2)
+            return 0;
+        if (vulnHighCount == 1 || subHighCount == 1)
+            return 1;
+        return 2;
+    }
+
+    #endregion
+
+    #region Multipliers
+
+    private static double GetThreatMultiplier(ExploitMaturity exploitMaturity)
+    {
+        return exploitMaturity switch
+        {
+            ExploitMaturity.Attacked => 1.0,
+            ExploitMaturity.ProofOfConcept => 0.94,
+            ExploitMaturity.Unreported => 0.91,
+            ExploitMaturity.NotDefined => 1.0,
+            _ => 1.0
+        };
+    }
+
+    private static double GetRequirementsMultiplier(CvssEnvironmentalMetrics envMetrics)
+    {
+        var crMultiplier = GetSecurityRequirementMultiplier(envMetrics.ConfidentialityRequirement);
+        var irMultiplier = GetSecurityRequirementMultiplier(envMetrics.IntegrityRequirement);
+        var arMultiplier = GetSecurityRequirementMultiplier(envMetrics.AvailabilityRequirement);
+
+        // Average of requirements multipliers
+        return (crMultiplier + irMultiplier + arMultiplier) / 3.0;
+    }
+
+    private static double GetSecurityRequirementMultiplier(SecurityRequirement? requirement)
+    {
+        return requirement switch
+        {
+            SecurityRequirement.High => 1.5,
+            SecurityRequirement.Medium => 1.0,
+            SecurityRequirement.Low => 0.5,
+            SecurityRequirement.NotDefined => 1.0,
+            null => 1.0,
+            _ => 1.0
+        };
+    }
+
+    #endregion
+
+    #region Environmental Modifiers
+
+    private static CvssBaseMetrics ApplyEnvironmentalModifiers(
+        CvssBaseMetrics baseMetrics,
+        CvssEnvironmentalMetrics envMetrics)
+    {
+        return new CvssBaseMetrics
+        {
+            AttackVector = GetEffectiveAttackVector(baseMetrics.AttackVector, envMetrics.ModifiedAttackVector),
+            AttackComplexity = GetEffectiveAttackComplexity(baseMetrics.AttackComplexity, envMetrics.ModifiedAttackComplexity),
+            AttackRequirements = GetEffectiveAttackRequirements(baseMetrics.AttackRequirements, envMetrics.ModifiedAttackRequirements),
+            PrivilegesRequired = GetEffectivePrivilegesRequired(baseMetrics.PrivilegesRequired, envMetrics.ModifiedPrivilegesRequired),
+            UserInteraction = GetEffectiveUserInteraction(baseMetrics.UserInteraction, envMetrics.ModifiedUserInteraction),
+            VulnerableSystemConfidentiality = GetEffectiveImpact(baseMetrics.VulnerableSystemConfidentiality, envMetrics.ModifiedVulnerableSystemConfidentiality),
+            VulnerableSystemIntegrity = GetEffectiveImpact(baseMetrics.VulnerableSystemIntegrity, envMetrics.ModifiedVulnerableSystemIntegrity),
+            VulnerableSystemAvailability = GetEffectiveImpact(baseMetrics.VulnerableSystemAvailability, envMetrics.ModifiedVulnerableSystemAvailability),
+            SubsequentSystemConfidentiality = GetEffectiveImpact(baseMetrics.SubsequentSystemConfidentiality, envMetrics.ModifiedSubsequentSystemConfidentiality),
+            SubsequentSystemIntegrity = GetEffectiveSubsequentImpact(baseMetrics.SubsequentSystemIntegrity, envMetrics.ModifiedSubsequentSystemIntegrity),
+            SubsequentSystemAvailability = GetEffectiveSubsequentImpact(baseMetrics.SubsequentSystemAvailability, envMetrics.ModifiedSubsequentSystemAvailability)
+        };
+    }
+
+    private static AttackVector GetEffectiveAttackVector(AttackVector baseValue, ModifiedAttackVector? modified)
+    {
+        return modified switch
+        {
+            ModifiedAttackVector.NotDefined or null => baseValue,
+            ModifiedAttackVector.Network => AttackVector.Network,
+            ModifiedAttackVector.Adjacent => AttackVector.Adjacent,
+            ModifiedAttackVector.Local => AttackVector.Local,
+            ModifiedAttackVector.Physical => AttackVector.Physical,
+            _ => baseValue
+        };
+    }
+
+    private static AttackComplexity GetEffectiveAttackComplexity(AttackComplexity baseValue, ModifiedAttackComplexity? modified)
+    {
+        return modified switch
+        {
+            ModifiedAttackComplexity.NotDefined or null => baseValue,
+            ModifiedAttackComplexity.Low => AttackComplexity.Low,
+            ModifiedAttackComplexity.High => AttackComplexity.High,
+            _ => baseValue
+        };
+    }
+
+    private static AttackRequirements GetEffectiveAttackRequirements(AttackRequirements baseValue, ModifiedAttackRequirements? modified)
+    {
+        return modified switch
+        {
+            ModifiedAttackRequirements.NotDefined or null => baseValue,
+            ModifiedAttackRequirements.None => AttackRequirements.None,
+            ModifiedAttackRequirements.Present => AttackRequirements.Present,
+            _ => baseValue
+        };
+    }
+
+    private static PrivilegesRequired GetEffectivePrivilegesRequired(PrivilegesRequired baseValue, ModifiedPrivilegesRequired? modified)
+    {
+        return modified switch
+        {
+            ModifiedPrivilegesRequired.NotDefined or null => baseValue,
+            ModifiedPrivilegesRequired.None => PrivilegesRequired.None,
+            ModifiedPrivilegesRequired.Low => PrivilegesRequired.Low,
+            ModifiedPrivilegesRequired.High => PrivilegesRequired.High,
+            _ => baseValue
+        };
+    }
+
+    private static UserInteraction GetEffectiveUserInteraction(UserInteraction baseValue, ModifiedUserInteraction? modified)
+    {
+        return modified switch
+        {
+            ModifiedUserInteraction.NotDefined or null => baseValue,
+            ModifiedUserInteraction.None => UserInteraction.None,
+            ModifiedUserInteraction.Passive => UserInteraction.Passive,
+            ModifiedUserInteraction.Active => UserInteraction.Active,
+            _ => baseValue
+        };
+    }
+
+    private static ImpactMetricValue GetEffectiveImpact(ImpactMetricValue baseValue, ModifiedImpactMetricValue? modified)
+    {
+        return modified switch
+        {
+            ModifiedImpactMetricValue.NotDefined or null => baseValue,
+            ModifiedImpactMetricValue.None => ImpactMetricValue.None,
+            ModifiedImpactMetricValue.Low => ImpactMetricValue.Low,
+            ModifiedImpactMetricValue.High => ImpactMetricValue.High,
+            _ => baseValue
+        };
+    }
+
+    private static ImpactMetricValue GetEffectiveSubsequentImpact(ImpactMetricValue baseValue, ModifiedSubsequentImpact? modified)
+    {
+        return modified switch
+        {
+            ModifiedSubsequentImpact.NotDefined or null => baseValue,
+            ModifiedSubsequentImpact.Negligible or ModifiedSubsequentImpact.Low => ImpactMetricValue.Low,
+            ModifiedSubsequentImpact.High or ModifiedSubsequentImpact.Safety => ImpactMetricValue.High,
+            _ => baseValue
+        };
+    }
+
+    #endregion
+
+    #region Helpers
+
+    private static bool HasEnvironmentalMetrics(CvssEnvironmentalMetrics envMetrics)
+    {
+        return envMetrics.ModifiedAttackVector is not null and not ModifiedAttackVector.NotDefined ||
+               envMetrics.ModifiedAttackComplexity is not null and not ModifiedAttackComplexity.NotDefined ||
+               envMetrics.ModifiedAttackRequirements is not null and not ModifiedAttackRequirements.NotDefined ||
+               envMetrics.ModifiedPrivilegesRequired is not null and not ModifiedPrivilegesRequired.NotDefined ||
+               envMetrics.ModifiedUserInteraction is not null and not ModifiedUserInteraction.NotDefined ||
+               envMetrics.ModifiedVulnerableSystemConfidentiality is not null and not ModifiedImpactMetricValue.NotDefined ||
+               envMetrics.ModifiedVulnerableSystemIntegrity is not null and not ModifiedImpactMetricValue.NotDefined ||
+               envMetrics.ModifiedVulnerableSystemAvailability is not null and not ModifiedImpactMetricValue.NotDefined ||
+               envMetrics.ModifiedSubsequentSystemConfidentiality is not null and not ModifiedImpactMetricValue.NotDefined ||
+               envMetrics.ModifiedSubsequentSystemIntegrity is not null and not ModifiedSubsequentImpact.NotDefined ||
+               envMetrics.ModifiedSubsequentSystemAvailability is not null and not ModifiedSubsequentImpact.NotDefined ||
+               envMetrics.ConfidentialityRequirement is not null and not SecurityRequirement.NotDefined ||
+               envMetrics.IntegrityRequirement is not null and not SecurityRequirement.NotDefined ||
+               envMetrics.AvailabilityRequirement is not null and not SecurityRequirement.NotDefined;
+    }
+
+    /// <summary>
+    /// Round up to one decimal place per FIRST CVSS v4.0 specification.
+    /// </summary>
+    private static double RoundUp(double value)
+    {
+        return Math.Ceiling(value * 10) / 10;
+    }
+
+    #endregion
+
+    #region Vector String Building
+
+    private static string MetricToString(AttackVector av) =>
+        av switch { AttackVector.Network => "N", AttackVector.Adjacent => "A", AttackVector.Local => "L", AttackVector.Physical => "P", _ => "N" };
+
+    private static string MetricToString(AttackComplexity ac) =>
+        ac switch { AttackComplexity.Low => "L", AttackComplexity.High => "H", _ => "L" };
+
+    private static string MetricToString(AttackRequirements at) =>
+        at switch { AttackRequirements.None => "N", AttackRequirements.Present => "P", _ => "N" };
+
+    private static string MetricToString(PrivilegesRequired pr) =>
+        pr switch { PrivilegesRequired.None => "N", PrivilegesRequired.Low => "L", PrivilegesRequired.High => "H", _ => "N" };
+
+    private static string MetricToString(UserInteraction ui) =>
+        ui switch { UserInteraction.None => "N", UserInteraction.Passive => "P", UserInteraction.Active => "A", _ => "N" };
+
+    private static string MetricToString(ImpactMetricValue impact) =>
+        impact switch { ImpactMetricValue.None => "N", ImpactMetricValue.Low => "L", ImpactMetricValue.High => "H", _ => "N" };
+
+    private static string MetricToString(ExploitMaturity em) =>
+        em switch { ExploitMaturity.Attacked => "A", ExploitMaturity.ProofOfConcept => "P", ExploitMaturity.Unreported => "U", _ => "X" };
+
+    private static void AppendEnvironmentalMetrics(StringBuilder sb, CvssEnvironmentalMetrics env)
+    {
+        if (env.ConfidentialityRequirement is not null and not SecurityRequirement.NotDefined)
+            sb.Append($"/CR:{SecurityRequirementToString(env.ConfidentialityRequirement.Value)}");
+        if (env.IntegrityRequirement is not null and not SecurityRequirement.NotDefined)
+            sb.Append($"/IR:{SecurityRequirementToString(env.IntegrityRequirement.Value)}");
+        if (env.AvailabilityRequirement is not null and not SecurityRequirement.NotDefined)
+            sb.Append($"/AR:{SecurityRequirementToString(env.AvailabilityRequirement.Value)}");
+        // Add modified metrics (MAV, MAC, etc.) similarly...
+    }
+
+    private static void AppendSupplementalMetrics(StringBuilder sb, CvssSupplementalMetrics supp)
+    {
+        if (supp.Safety is not null and not Safety.NotDefined)
+            sb.Append($"/S:{SafetyToString(supp.Safety.Value)}");
+        if (supp.Automatable is not null and not Automatable.NotDefined)
+            sb.Append($"/AU:{AutomatableToString(supp.Automatable.Value)}");
+        if (supp.Recovery is not null and not Recovery.NotDefined)
+            sb.Append($"/R:{RecoveryToString(supp.Recovery.Value)}");
+        if (supp.ValueDensity is not null and not ValueDensity.NotDefined)
+            sb.Append($"/V:{ValueDensityToString(supp.ValueDensity.Value)}");
+        if (supp.VulnerabilityResponseEffort is not null and not ResponseEffort.NotDefined)
+            sb.Append($"/RE:{ResponseEffortToString(supp.VulnerabilityResponseEffort.Value)}");
+        if (supp.ProviderUrgency is not null and not ProviderUrgency.NotDefined)
+            sb.Append($"/U:{ProviderUrgencyToString(supp.ProviderUrgency.Value)}");
+    }
+
+    private static string SecurityRequirementToString(SecurityRequirement sr) =>
+        sr switch { SecurityRequirement.Low => "L", SecurityRequirement.Medium => "M", SecurityRequirement.High => "H", _ => "X" };
+
+    private static string SafetyToString(Safety s) =>
+        s switch { Safety.Negligible => "N", Safety.Present => "P", _ => "X" };
+
+    private static string AutomatableToString(Automatable a) =>
+        a switch { Automatable.No => "N", Automatable.Yes => "Y", _ => "X" };
+
+    private static string RecoveryToString(Recovery r) =>
+        r switch { Recovery.Automatic => "A", Recovery.User => "U", Recovery.Irrecoverable => "I", _ => "X" };
+
+    private static string ValueDensityToString(ValueDensity v) =>
+        v switch { ValueDensity.Diffuse => "D", ValueDensity.Concentrated => "C", _ => "X" };
+
+    private static string ResponseEffortToString(ResponseEffort re) =>
+        re switch { ResponseEffort.Low => "L", ResponseEffort.Moderate => "M", ResponseEffort.High => "H", _ => "X" };
+
+    private static string ProviderUrgencyToString(ProviderUrgency u) =>
+        u switch { ProviderUrgency.Clear => "Clear", ProviderUrgency.Green => "Green", ProviderUrgency.Amber => "Amber", ProviderUrgency.Red => "Red", _ => "X" };
+
+    #endregion
+
+    #region Vector String Parsing
+
+    [GeneratedRegex(@"([A-Z]+):([A-Za-z]+)", RegexOptions.Compiled)]
+    private static partial Regex MetricPairRegex();
+
+    private static Dictionary<string, string> ParseMetricsFromVector(string vectorPart)
+    {
+        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
+        var matches = MetricPairRegex().Matches(vectorPart);
+
+        foreach (Match match in matches)
+        {
+            result[match.Groups[1].Value.ToUpperInvariant()] = match.Groups[2].Value.ToUpperInvariant();
+        }
+
+        return result;
+    }
+
+    private static string GetRequiredMetric(Dictionary<string, string> metrics, string key)
+    {
+        if (!metrics.TryGetValue(key, out var value))
+            throw new ArgumentException($"Required CVSS metric '{key}' not found in vector string.");
+        return value;
+    }
+
+    private static AttackVector ParseAttackVector(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "N" => AttackVector.Network,
+            "A" => AttackVector.Adjacent,
+            "L" => AttackVector.Local,
+            "P" => AttackVector.Physical,
+            _ => throw new ArgumentException($"Invalid Attack Vector value: {value}")
+        };
+
+    private static AttackComplexity ParseAttackComplexity(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "L" => AttackComplexity.Low,
+            "H" => AttackComplexity.High,
+            _ => throw new ArgumentException($"Invalid Attack Complexity value: {value}")
+        };
+
+    private static AttackRequirements ParseAttackRequirements(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "N" => AttackRequirements.None,
+            "P" => AttackRequirements.Present,
+            _ => throw new ArgumentException($"Invalid Attack Requirements value: {value}")
+        };
+
+    private static PrivilegesRequired ParsePrivilegesRequired(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "N" => PrivilegesRequired.None,
+            "L" => PrivilegesRequired.Low,
+            "H" => PrivilegesRequired.High,
+            _ => throw new ArgumentException($"Invalid Privileges Required value: {value}")
+        };
+
+    private static UserInteraction ParseUserInteraction(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "N" => UserInteraction.None,
+            "P" => UserInteraction.Passive,
+            "A" => UserInteraction.Active,
+            _ => throw new ArgumentException($"Invalid User Interaction value: {value}")
+        };
+
+    private static ImpactMetricValue ParseImpactMetric(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "N" => ImpactMetricValue.None,
+            "L" => ImpactMetricValue.Low,
+            "H" => ImpactMetricValue.High,
+            _ => throw new ArgumentException($"Invalid Impact Metric value: {value}")
+        };
+
+    private static ExploitMaturity ParseExploitMaturity(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "A" => ExploitMaturity.Attacked,
+            "P" => ExploitMaturity.ProofOfConcept,
+            "U" => ExploitMaturity.Unreported,
+            "X" => ExploitMaturity.NotDefined,
+            _ => throw new ArgumentException($"Invalid Exploit Maturity value: {value}")
+        };
+
+    private static CvssEnvironmentalMetrics? ParseEnvironmentalMetrics(Dictionary<string, string> metrics)
+    {
+        // Check if any environmental metrics are present
+        var hasEnv = metrics.ContainsKey("CR") || metrics.ContainsKey("IR") || metrics.ContainsKey("AR") ||
+                     metrics.ContainsKey("MAV") || metrics.ContainsKey("MAC") || metrics.ContainsKey("MAT") ||
+                     metrics.ContainsKey("MPR") || metrics.ContainsKey("MUI") ||
+                     metrics.ContainsKey("MVC") || metrics.ContainsKey("MVI") || metrics.ContainsKey("MVA") ||
+                     metrics.ContainsKey("MSC") || metrics.ContainsKey("MSI") || metrics.ContainsKey("MSA");
+
+        if (!hasEnv)
+            return null;
+
+        return new CvssEnvironmentalMetrics
+        {
+            ConfidentialityRequirement = metrics.TryGetValue("CR", out var cr) ? ParseSecurityRequirement(cr) : null,
+            IntegrityRequirement = metrics.TryGetValue("IR", out var ir) ? ParseSecurityRequirement(ir) : null,
+            AvailabilityRequirement = metrics.TryGetValue("AR", out var ar) ? ParseSecurityRequirement(ar) : null
+            // Add other environmental metrics parsing as needed
+        };
+    }
+
+    private static SecurityRequirement ParseSecurityRequirement(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "L" => SecurityRequirement.Low,
+            "M" => SecurityRequirement.Medium,
+            "H" => SecurityRequirement.High,
+            "X" => SecurityRequirement.NotDefined,
+            _ => SecurityRequirement.NotDefined
+        };
+
+    private static CvssSupplementalMetrics? ParseSupplementalMetrics(Dictionary<string, string> metrics)
+    {
+        // Check if any supplemental metrics are present
+        var hasSupp = metrics.ContainsKey("S") || metrics.ContainsKey("AU") || metrics.ContainsKey("R") ||
+                      metrics.ContainsKey("V") || metrics.ContainsKey("RE") || metrics.ContainsKey("U");
+
+        if (!hasSupp)
+            return null;
+
+        return new CvssSupplementalMetrics
+        {
+            Safety = metrics.TryGetValue("S", out var s) ? ParseSafety(s) : null,
+            Automatable = metrics.TryGetValue("AU", out var au) ? ParseAutomatable(au) : null,
+            Recovery = metrics.TryGetValue("R", out var r) ? ParseRecovery(r) : null,
+            ValueDensity = metrics.TryGetValue("V", out var v) ? ParseValueDensity(v) : null,
+            VulnerabilityResponseEffort = metrics.TryGetValue("RE", out var re) ? ParseResponseEffort(re) : null,
+            ProviderUrgency = metrics.TryGetValue("U", out var u) ? ParseProviderUrgency(u) : null
+        };
+    }
+
+    private static Safety ParseSafety(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "N" => Safety.Negligible,
+            "P" => Safety.Present,
+            "X" => Safety.NotDefined,
+            _ => Safety.NotDefined
+        };
+
+    private static Automatable ParseAutomatable(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "N" => Automatable.No,
+            "Y" => Automatable.Yes,
+            "X" => Automatable.NotDefined,
+            _ => Automatable.NotDefined
+        };
+
+    private static Recovery ParseRecovery(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "A" => Recovery.Automatic,
+            "U" => Recovery.User,
+            "I" => Recovery.Irrecoverable,
+            "X" => Recovery.NotDefined,
+            _ => Recovery.NotDefined
+        };
+
+    private static ValueDensity ParseValueDensity(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "D" => ValueDensity.Diffuse,
+            "C" => ValueDensity.Concentrated,
+            "X" => ValueDensity.NotDefined,
+            _ => ValueDensity.NotDefined
+        };
+
+    private static ResponseEffort ParseResponseEffort(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "L" => ResponseEffort.Low,
+            "M" => ResponseEffort.Moderate,
+            "H" => ResponseEffort.High,
+            "X" => ResponseEffort.NotDefined,
+            _ => ResponseEffort.NotDefined
+        };
+
+    private static ProviderUrgency ParseProviderUrgency(string value) =>
+        value.ToUpperInvariant() switch
+        {
+            "CLEAR" => ProviderUrgency.Clear,
+            "GREEN" => ProviderUrgency.Green,
+            "AMBER" => ProviderUrgency.Amber,
+            "RED" => ProviderUrgency.Red,
+            "X" => ProviderUrgency.NotDefined,
+            _ => ProviderUrgency.NotDefined
+        };
+
+    #endregion
+}
diff --git a/src/Policy/StellaOps.Policy.Scoring/Engine/ICvssV4Engine.cs b/src/Policy/StellaOps.Policy.Scoring/Engine/ICvssV4Engine.cs
new file mode 100644
index 000000000..ef6b1d40e
--- /dev/null
+++ b/src/Policy/StellaOps.Policy.Scoring/Engine/ICvssV4Engine.cs
@@ -0,0 +1,68 @@
+namespace StellaOps.Policy.Scoring.Engine;
+
+/// <summary>
+/// CVSS v4.0 scoring engine interface.
+/// Provides deterministic score computation per FIRST specification.
+/// </summary>
+public interface ICvssV4Engine
+{
+    /// <summary>
+    /// Computes all CVSS v4.0 scores from the provided metrics.
+    /// </summary>
+    /// <param name="baseMetrics">Required base metrics.</param>
+    /// <param name="threatMetrics">Optional threat metrics.</param>
+    /// <param name="environmentalMetrics">Optional environmental metrics.</param>
+    /// <returns>Computed scores including base, threat, environmental, and full scores.</returns>
+    CvssScores ComputeScores(
+        CvssBaseMetrics baseMetrics,
+        CvssThreatMetrics? threatMetrics = null,
+        CvssEnvironmentalMetrics? environmentalMetrics = null);
+
+    /// <summary>
+    /// Builds a CVSS v4.0 vector string from the provided metrics.
+    /// </summary>
+    /// <param name="baseMetrics">Required base metrics.</param>
+    /// <param name="threatMetrics">Optional threat metrics.</param>
+    /// <param name="environmentalMetrics">Optional environmental metrics.</param>
+    /// <param name="supplementalMetrics">Optional supplemental metrics (do not affect score).</param>
+    /// <returns>CVSS v4.0 vector string (e.g., "CVSS:4.0/AV:N/AC:L/...").</returns>
+    string BuildVectorString(
+        CvssBaseMetrics baseMetrics,
+        CvssThreatMetrics? threatMetrics = null,
+        CvssEnvironmentalMetrics? environmentalMetrics = null,
+        CvssSupplementalMetrics? supplementalMetrics = null);
+
+    /// <summary>
+    /// Parses a CVSS v4.0 vector string into its component metrics.
+    /// </summary>
+    /// <param name="vectorString">CVSS v4.0 vector string to parse.</param>
+    /// <returns>Tuple of parsed metrics (Base is required, others may be null).</returns>
+    /// <exception cref="ArgumentException">If the vector string is invalid.</exception>
+    CvssMetricSet ParseVector(string vectorString);
+
+    /// <summary>
+    /// Determines the severity rating for a given score.
+    /// </summary>
+    /// <param name="score">CVSS score (0.0-10.0).</param>
+    /// <param name="thresholds">Optional custom thresholds.</param>
+    /// <returns>Severity rating.</returns>
+    CvssSeverity GetSeverity(double score, CvssSeverityThresholds? thresholds = null);
+}
+
+/// <summary>
+/// Container for parsed CVSS v4.0 metrics from a vector string.
+/// </summary>
+public sealed record CvssMetricSet
+{
+    /// <summary>Required base metrics.</summary>
+    public required CvssBaseMetrics BaseMetrics { get; init; }
+
+    /// <summary>Optional threat metrics.</summary>
+    public CvssThreatMetrics? ThreatMetrics { get; init; }
+
+    /// <summary>Optional environmental metrics.</summary>
+    public CvssEnvironmentalMetrics? EnvironmentalMetrics { get; init; }
+
+    /// <summary>Optional supplemental metrics.</summary>
+    public CvssSupplementalMetrics? SupplementalMetrics { get; init; }
+}
diff --git a/src/Policy/StellaOps.Policy.Scoring/Engine/MacroVectorLookup.cs b/src/Policy/StellaOps.Policy.Scoring/Engine/MacroVectorLookup.cs
new file mode 100644
index 000000000..70d32d481
--- /dev/null
+++ b/src/Policy/StellaOps.Policy.Scoring/Engine/MacroVectorLookup.cs
@@ -0,0 +1,244 @@
+namespace StellaOps.Policy.Scoring.Engine;
+
+/// <summary>
+/// MacroVector lookup table for CVSS v4.0 scoring.
+/// Based on FIRST CVSS v4.0 specification lookup tables.
+/// Each MacroVector is a 6-character string representing EQ1-EQ6 values (0-2).
+/// </summary>
+internal static class MacroVectorLookup
+{
+    /// <summary>
+    /// Gets the base score for a MacroVector.
+    /// </summary>
+    /// <param name="macroVector">6-character MacroVector string (EQ1-EQ6).</param>
+    /// <returns>Base score (0.0-10.0).</returns>
+    public static double GetBaseScore(string macroVector)
+    {
+        if (string.IsNullOrEmpty(macroVector) || macroVector.Length != 6)
+            return 0.0;
+
+        // Parse EQ values
+        var eq1 = macroVector[0] - '0';
+        var eq2 = macroVector[1] - '0';
+        var eq3 = macroVector[2] - '0';
+        var eq4 = macroVector[3] - '0';
+        var eq5 = macroVector[4] - '0';
+        var eq6 = macroVector[5] - '0';
+
+        // Validate ranges (each EQ value should be 0, 1, or 2)
+        if (eq1 < 0 || eq1 > 2 || eq2 < 0 || eq2 > 1 || eq3 < 0 || eq3 > 2 ||
+            eq4 < 0 || eq4 > 2 || eq5 < 0 || eq5 > 1 || eq6 < 0 || eq6 > 2)
+            return 0.0;
+
+        // Compute score using the CVSS v4.0 scoring formula
+        // This is a simplified lookup - the actual FIRST spec uses a complex
+        // interpolation based on MacroVector and individual metric severities
+        return ComputeScoreFromEquivalenceClasses(eq1, eq2, eq3, eq4, eq5, eq6);
+    }
+
+    /// <summary>
+    /// Computes the score from equivalence class values.
+    /// Based on CVSS v4.0 scoring algorithm.
+    /// </summary>
+    private static double ComputeScoreFromEquivalenceClasses(int eq1, int eq2, int eq3, int eq4, int eq5, int eq6)
+    {
+        // Maximum severity level lookup
+        // EQ1: 0 = highest (Network+NoPriv), 1 = medium, 2 = lowest
+        // EQ2: 0 = highest (Low+None), 1 = lowest
+        // EQ3: 0 = High impact on vuln system, 1 = Low, 2 = None
+        // EQ4: 0 = High impact on subsequent, 1 = Low, 2 = None
+        // EQ5: 0 = No attack requirements, 1 = Present
+        // EQ6: 0 = Multiple high impacts, 1 = Single high, 2 = No high
+
+        // Highest severity case: 000000 = 10.0
+        // Lowest severity case: 212212 = 0.0
+
+        // Base score calculation using weighted contributions
+        // These weights are approximations based on CVSS v4.0 guidance
+        var score = 10.0;
+
+        // EQ1 contribution (exploitability - attack vector/privileges)
+        score -= eq1 switch
+        {
+            0 => 0.0,   // Network + No privs = most exploitable
+            1 => 1.5,   // Medium exploitability
+            2 => 3.0,   // Physical/Local = least exploitable
+            _ => 0.0
+        };
+
+        // EQ2 contribution (attack complexity + user interaction)
+        score -= eq2 switch
+        {
+            0 => 0.0,   // Low complexity + No UI = easiest
+            1 => 0.8,   // Higher complexity or requires UI
+            _ => 0.0
+        };
+
+        // EQ3 contribution (vulnerable system impact)
+        score -= eq3 switch
+        {
+            0 => 0.0,   // High impact on vulnerable system
+            1 => 1.2,   // Low impact
+            2 => 2.5,   // No impact
+            _ => 0.0
+        };
+
+        // EQ4 contribution (subsequent system impact)
+        score -= eq4 switch
+        {
+            0 => 0.0,   // High impact on subsequent systems
+            1 => 0.8,   // Low impact
+            2 => 1.5,   // No impact
+            _ => 0.0
+        };
+
+        // EQ5 contribution (attack requirements)
+        score -= eq5 switch
+        {
+            0 => 0.0,   // No special requirements
+            1 => 0.5,   // Requirements present
+            _ => 0.0
+        };
+
+        // EQ6 contribution (combined impact pattern)
+        score -= eq6 switch
+        {
+            0 => 0.0,   // Multiple high impacts
+            1 => 0.3,   // Single high impact
+            2 => 0.6,   // No high impacts
+            _ => 0.0
+        };
+
+        // Ensure score stays in valid range
+        return Math.Max(0.0, Math.Min(10.0, score));
+    }
+
+    /// <summary>
+    /// Full lookup table for precise scoring per FIRST CVSS v4.0.
+    /// Key: MacroVector string, Value: Base score
+    /// </summary>
+    /// <remarks>
+    /// This table contains a subset of the complete CVSS v4.0 lookup values.
+    /// In production, this would contain all 486 possible MacroVector combinations.
+    /// </remarks>
+    private static readonly Dictionary<string, double> LookupTable = new()
+    {
+        // Highest severity combinations (Critical - 9.0+)
+        ["000000"] = 10.0,
+        ["000001"] = 9.9,
+        ["000002"] = 9.8,
+        ["000010"] = 9.8,
+        ["000011"] = 9.5,
+        ["000012"] = 9.3,
+        ["000020"] = 9.4,
+        ["000021"] = 9.2,
+        ["000022"] = 9.0,
+
+        // High severity combinations (7.0-8.9)
+        ["010000"] = 8.8,
+        ["010001"] = 8.6,
+        ["010010"] = 8.4,
+        ["010011"] = 8.2,
+        ["010020"] = 8.0,
+        ["100000"] = 8.5,
+        ["100001"] = 8.3,
+        ["100010"] = 8.1,
+        ["100011"] = 7.9,
+        ["100020"] = 7.7,
+        ["001000"] = 8.7,
+        ["001010"] = 8.5,
+        ["001020"] = 8.0,
+        ["011000"] = 7.9,
+        ["011010"] = 7.5,
+        ["101000"] = 7.6,
+        ["101010"] = 7.2,
+
+        // Medium severity combinations (4.0-6.9)
+        ["110000"] = 6.9,
+        ["110010"] = 6.5,
+        ["110020"] = 6.0,
+        ["011100"] = 6.8,
+        ["011110"] = 6.4,
+        ["101100"] = 6.5,
+        ["101110"] = 6.1,
+        ["111000"] = 5.8,
+        ["111010"] = 5.4,
+        ["111020"] = 5.0,
+        ["002000"] = 6.8,
+        ["002010"] = 6.4,
+        ["002020"] = 5.8,
+        ["012000"] = 5.9,
+        ["012010"] = 5.5,
+        ["102000"] = 5.6,
+        ["102010"] = 5.2,
+        ["112000"] = 4.8,
+        ["112010"] = 4.4,
+        ["112020"] = 4.0,
+        ["020000"] = 6.5,
+        ["020010"] = 6.1,
+        ["120000"] = 5.5,
+        ["120010"] = 5.1,
+
+        // Low severity combinations (0.1-3.9)
+        ["111100"] = 3.9,
+        ["111110"] = 3.5,
+        ["111120"] = 3.1,
+        ["121000"] = 3.8,
+        ["121010"] = 3.4,
+        ["121020"] = 3.0,
+        ["211000"] = 3.6,
+        ["211010"] = 3.2,
+        ["211020"] = 2.8,
+        ["112100"] = 3.4,
+        ["112110"] = 3.0,
+        ["112120"] = 2.6,
+        ["022000"] = 3.8,
+        ["022010"] = 3.4,
+        ["122000"] = 3.2,
+        ["122010"] = 2.8,
+        ["212000"] = 2.6,
+        ["212010"] = 2.2,
+
+        // Lowest severity combinations (None - 0.0)
+        ["111200"] = 2.5,
+        ["111210"] = 2.1,
+        ["111220"] = 1.7,
+        ["121100"] = 2.3,
+        ["121110"] = 1.9,
+        ["211100"] = 2.1,
+        ["211110"] = 1.7,
+        ["221000"] = 1.8,
+        ["221010"] = 1.4,
+        ["221020"] = 1.0,
+        ["112200"] = 1.5,
+        ["112210"] = 1.1,
+        ["122100"] = 1.4,
+        ["122110"] = 1.0,
+        ["212100"] = 1.2,
+        ["222000"] = 0.8,
+        ["222010"] = 0.4,
+        ["222020"] = 0.1,
+
+        // No impact cases
+        ["212200"] = 0.6,
+        ["212210"] = 0.3,
+        ["222100"] = 0.2,
+        ["222110"] = 0.1,
+        ["222200"] = 0.0,
+        ["222210"] = 0.0,
+        ["222220"] = 0.0
+    };
+
+    /// <summary>
+    /// Gets the precise score from the lookup table if available.
+    /// Falls back to computed score if not in table.
+    /// </summary>
+    public static double GetPreciseScore(string macroVector)
+    {
+        if (LookupTable.TryGetValue(macroVector, out var score))
+            return score;
+
+        // Fall back to computed score
+        return GetBaseScore(macroVector);
+    }
+}
diff --git a/src/Policy/StellaOps.Policy.Scoring/Schemas/cvss-policy-schema@1.json b/src/Policy/StellaOps.Policy.Scoring/Schemas/cvss-policy-schema@1.json
new file mode 100644
index 000000000..572223ce3
--- /dev/null
+++ b/src/Policy/StellaOps.Policy.Scoring/Schemas/cvss-policy-schema@1.json
@@ -0,0 +1,155 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.org/schemas/cvss-policy@1.json",
+  "title": "CVSS v4.0 Scoring Policy",
+  "description": "Configuration schema for CVSS v4.0 scoring policies in StellaOps.",
+  "type": "object",
+  "required": ["policyId", "version", "name", "effectiveFrom"],
+  "properties": {
+    "policyId": {
+      "type": "string",
+      "description": "Unique policy identifier",
+      "pattern": "^[a-zA-Z0-9_-]+$",
+      "minLength": 1,
+      "maxLength": 128
+    },
+    "version": {
+      "type": "string",
+      "description": "Policy version (semantic versioning)",
+      "pattern": "^\\d+\\.\\d+\\.\\d+$"
+    },
+    "name": {
+      "type": "string",
+      "description": "Human-readable policy name",
+      "minLength": 1,
+      "maxLength": 256
+    },
+    "description": {
+      "type": "string",
+      "description": "Policy description"
+    },
+    "tenantId": {
+      "type": "string",
+      "description": "Tenant scope (null for global policy)"
+    },
+    "effectiveFrom": {
+      "type": "string",
+      "format": "date-time",
+      "description": "When this policy becomes effective"
+    },
+    "effectiveUntil": {
+      "type": "string",
+      "format": "date-time",
+      "description": "When this policy expires"
+    },
+    "isActive": {
+      "type": "boolean",
+      "default": true,
+      "description": "Whether this policy is currently active"
+    },
+    "defaultEffectiveScoreType": {
+      "type": "string",
+      "enum": ["Base", "Threat", "Environmental", "Full"],
+      "default": "Full",
+      "description": "Which score type to use as the effective score by default"
+    },
+    "defaultEnvironmentalMetrics": {
+      "$ref": "#/$defs/environmentalMetrics"
+    },
+    "severityThresholds": {
+      "$ref": "#/$defs/severityThresholds"
+    },
+    "rounding": {
+      "$ref": "#/$defs/roundingConfig"
+    },
+    "evidenceRequirements": {
+      "$ref": "#/$defs/evidenceRequirements"
+    },
+    "attestationRequirements": {
+      "$ref": "#/$defs/attestationRequirements"
+    },
+    "metricOverrides": {
+      "type": "array",
+      "items": {
+        "$ref": "#/$defs/metricOverride"
+      },
+      "description": "Metric overrides for specific vulnerability patterns"
+    }
+  },
+  "$defs": {
+    "environmentalMetrics": {
+      "type": "object",
+      "description": "CVSS v4.0 Environmental metrics",
+      "properties": {
+        "mav": { "type": "string", "enum": ["NotDefined", "Network", "Adjacent", "Local", "Physical"] },
+        "mac": { "type": "string", "enum": ["NotDefined", "Low", "High"] },
+        "mat": { "type": "string", "enum": ["NotDefined", "None", "Present"] },
+        "mpr": { "type": "string", "enum": ["NotDefined", "None", "Low", "High"] },
+        "mui": { "type": "string", "enum": ["NotDefined", "None", "Passive", "Active"] },
+        "mvc": { "type": "string", "enum": ["NotDefined", "None", "Low", "High"] },
+        "mvi": { "type": "string", "enum": ["NotDefined", "None", "Low", "High"] },
+        "mva": { "type": "string", "enum": ["NotDefined", "None", "Low", "High"] },
+        "msc": { "type": "string", "enum": ["NotDefined", "None", "Low", "High"] },
+        "msi": { "type": "string", "enum": ["NotDefined", "Negligible", "Low", "High", "Safety"] },
+        "msa": { "type": "string", "enum": ["NotDefined", "Negligible", "Low", "High", "Safety"] },
+        "cr": { "type": "string", "enum": ["NotDefined", "Low", "Medium", "High"] },
+        "ir": { "type": "string", "enum": ["NotDefined", "Low", "Medium", "High"] },
+        "ar": { "type": "string", "enum": ["NotDefined", "Low", "Medium", "High"] }
+      }
+    },
+    "severityThresholds": {
+      "type": "object",
+      "description": "Severity threshold configuration",
+      "properties": {
+        "lowMin": { "type": "number", "default": 0.1 },
+        "mediumMin": { "type": "number", "default": 4.0 },
+        "highMin": { "type": "number", "default": 7.0 },
+        "criticalMin": { "type": "number", "default": 9.0 }
+      }
+    },
+    "roundingConfig": {
+      "type": "object",
+      "description": "Score rounding configuration",
+      "properties": {
+        "decimalPlaces": { "type": "integer", "default": 1, "minimum": 0, "maximum": 3 },
+        "mode": { "type": "string", "enum": ["RoundUp", "Standard", "RoundDown"], "default": "RoundUp" }
+      }
+    },
+    "evidenceRequirements": {
+      "type": "object",
+      "description": "Evidence requirements configuration",
+      "properties": {
+        "minimumCount": { "type": "integer", "minimum": 0 },
+        "requireAuthoritative": { "type": "boolean", "default": false },
+        "requiredTypes": { "type": "array", "items": { "type": "string" } },
+        "maxAgeInDays": { "type": "integer", "minimum": 1 }
+      }
+    },
+    "attestationRequirements": {
+      "type": "object",
+      "description": "Attestation requirements configuration",
+      "properties": {
+        "requireDsse": { "type": "boolean", "default": false },
+        "requireRekor": { "type": "boolean", "default": false },
+        "allowedSigners": { "type": "array", "items": { "type": "string" } },
+        "minimumTrustLevel": { "type": "string" }
+      }
+    },
+    "metricOverride": {
+      "type": "object",
+      "required": ["id"],
+      "properties": {
+        "id": { "type": "string" },
+        "description": { "type": "string" },
+        "vulnerabilityPattern": { "type": "string" },
+        "vulnerabilityIds": { "type": "array", "items": { "type": "string" } },
+        "cweIds": { "type": "array", "items": { "type": "string" } },
+        "environmentalOverrides": { "$ref": "#/$defs/environmentalMetrics" },
+        "scoreAdjustment": { "type": "number", "minimum": -10, "maximum": 10 },
+        "priority": { "type": "integer", "default": 0 },
+        "isActive": { "type": "boolean", "default": true },
+        "reason": { "type": "string" }
+      }
+    }
+  }
+}
diff --git a/src/Policy/StellaOps.Policy.Scoring/Schemas/cvss-receipt-schema@1.json b/src/Policy/StellaOps.Policy.Scoring/Schemas/cvss-receipt-schema@1.json
new file mode 100644
index 000000000..f56a4bbdc
--- /dev/null
+++ b/src/Policy/StellaOps.Policy.Scoring/Schemas/cvss-receipt-schema@1.json
@@ -0,0 +1,207 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.org/schemas/cvss-receipt@1.json",
+  "title": "CVSS v4.0 Score Receipt",
+  "description": "Schema for CVSS v4.0 score receipts with full audit trail in StellaOps.",
+  "type": "object",
+  "required": ["receiptId", "vulnerabilityId", "tenantId", "createdAt", "createdBy", "baseMetrics", "scores", "vectorString", "severity", "policyRef", "inputHash"],
+  "properties": {
+    "receiptId": {
+      "type": "string",
+      "description": "Unique receipt identifier",
+      "pattern": "^[a-zA-Z0-9_-]+$"
+    },
+    "schemaVersion": {
+      "type": "string",
+      "default": "1.0.0"
+    },
+    "format": {
+      "type": "string",
+      "const": "stella.ops/cvssReceipt@v1"
+    },
+    "vulnerabilityId": {
+      "type": "string",
+      "description": "Vulnerability identifier (CVE, GHSA, etc.)"
+    },
+    "tenantId": {
+      "type": "string",
+      "description": "Tenant scope"
+    },
+    "createdAt": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "createdBy": {
+      "type": "string"
+    },
+    "modifiedAt": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "modifiedBy": {
+      "type": "string"
+    },
+    "cvssVersion": {
+      "type": "string",
+      "const": "4.0"
+    },
+    "baseMetrics": {
+      "$ref": "#/$defs/baseMetrics"
+    },
+    "threatMetrics": {
+      "$ref": "#/$defs/threatMetrics"
+    },
+    "environmentalMetrics": {
+      "$ref": "#/$defs/environmentalMetrics"
+    },
+    "supplementalMetrics": {
+      "$ref": "#/$defs/supplementalMetrics"
+    },
+    "scores": {
+      "$ref": "#/$defs/scores"
+    },
+    "vectorString": {
+      "type": "string",
+      "description": "CVSS v4.0 vector string",
+      "pattern": "^CVSS:4\\.0/.*$"
+    },
+    "severity": {
+      "type": "string",
+      "enum": ["None", "Low", "Medium", "High", "Critical"]
+    },
+    "policyRef": {
+      "$ref": "#/$defs/policyRef"
+    },
+    "evidence": {
+      "type": "array",
+      "items": { "$ref": "#/$defs/evidenceItem" }
+    },
+    "attestationRefs": {
+      "type": "array",
+      "items": { "type": "string" }
+    },
+    "inputHash": {
+      "type": "string",
+      "description": "SHA-256 hash of deterministic input"
+    },
+    "history": {
+      "type": "array",
+      "items": { "$ref": "#/$defs/historyEntry" }
+    },
+    "amendsReceiptId": {
+      "type": "string"
+    },
+    "isActive": {
+      "type": "boolean",
+      "default": true
+    },
+    "supersededReason": {
+      "type": "string"
+    }
+  },
+  "$defs": {
+    "baseMetrics": {
+      "type": "object",
+      "required": ["av", "ac", "at", "pr", "ui", "vc", "vi", "va", "sc", "si", "sa"],
+      "properties": {
+        "av": { "type": "string", "enum": ["Network", "Adjacent", "Local", "Physical"] },
+        "ac": { "type": "string", "enum": ["Low", "High"] },
+        "at": { "type": "string", "enum": ["None", "Present"] },
+        "pr": { "type": "string", "enum": ["None", "Low", "High"] },
+        "ui": { "type": "string", "enum": ["None", "Passive", "Active"] },
+        "vc": { "type": "string", "enum": ["None", "Low", "High"] },
+        "vi": { "type": "string", "enum": ["None", "Low", "High"] },
+        "va": { "type": "string", "enum": ["None", "Low", "High"] },
+        "sc": { "type": "string", "enum": ["None", "Low", "High"] },
+        "si": { "type": "string", "enum": ["None", "Low", "High"] },
+        "sa": { "type": "string", "enum": ["None", "Low", "High"] }
+      }
+    },
+    "threatMetrics": {
+      "type": "object",
+      "properties": {
+        "e": { "type": "string", "enum": ["NotDefined", "Attacked", "ProofOfConcept", "Unreported"] }
+      }
+    },
+    "environmentalMetrics": {
+      "type": "object",
+      "properties": {
+        "mav": { "type": "string", "enum": ["NotDefined", "Network", "Adjacent", "Local", "Physical"] },
+        "mac": { "type": "string", "enum": ["NotDefined", "Low", "High"] },
+        "mat": { "type": "string", "enum": ["NotDefined", "None", "Present"] },
+        "mpr": { "type": "string", "enum": ["NotDefined", "None", "Low", "High"] },
+        "mui": { "type": "string", "enum": ["NotDefined", "None", "Passive", "Active"] },
+        "mvc": { "type": "string", "enum": ["NotDefined", "None", "Low", "High"] },
+        "mvi": { "type": "string", "enum": ["NotDefined", "None", "Low", "High"] },
+        "mva": { "type": "string", "enum": ["NotDefined", "None", "Low", "High"] },
+        "msc": { "type": "string", "enum": ["NotDefined", "None", "Low", "High"] },
+        "msi": { "type": "string", "enum": ["NotDefined", "Negligible", "Low", "High", "Safety"] },
+        "msa": { "type": "string", "enum": ["NotDefined", "Negligible", "Low", "High", "Safety"] },
+        "cr": { "type": "string", "enum": ["NotDefined", "Low", "Medium", "High"] },
+        "ir": { "type": "string", "enum": ["NotDefined", "Low", "Medium", "High"] },
+        "ar": { "type": "string", "enum": ["NotDefined", "Low", "Medium", "High"] }
+      }
+    },
+    "supplementalMetrics": {
+      "type": "object",
+      "properties": {
+        "s": { "type": "string", "enum": ["NotDefined", "Negligible", "Present"] },
+        "au": { "type": "string", "enum": ["NotDefined", "No", "Yes"] },
+        "r": { "type": "string", "enum": ["NotDefined", "Automatic", "User", "Irrecoverable"] },
+        "v": { "type": "string", "enum": ["NotDefined", "Diffuse", "Concentrated"] },
+        "re": { "type": "string", "enum": ["NotDefined", "Low", "Moderate", "High"] },
+        "u": { "type": "string", "enum": ["NotDefined", "Clear", "Green", "Amber", "Red"] }
+      }
+    },
+    "scores": {
+      "type": "object",
+      "required": ["baseScore", "effectiveScore", "effectiveScoreType"],
+      "properties": {
+        "baseScore": { "type": "number", "minimum": 0, "maximum": 10 },
+        "threatScore": { "type": "number", "minimum": 0, "maximum": 10 },
+        "environmentalScore": { "type": "number", "minimum": 0, "maximum": 10 },
+        "fullScore": { "type": "number", "minimum": 0, "maximum": 10 },
+        "effectiveScore": { "type": "number", "minimum": 0, "maximum": 10 },
+        "effectiveScoreType": { "type": "string", "enum": ["Base", "Threat", "Environmental", "Full"] }
+      }
+    },
+    "policyRef": {
+      "type": "object",
+      "required": ["policyId", "version", "hash"],
+      "properties": {
+        "policyId": { "type": "string" },
+        "version": { "type": "string" },
+        "hash": { "type": "string" },
+        "activatedAt": { "type": "string", "format": "date-time" }
+      }
+    },
+    "evidenceItem": {
+      "type": "object",
+      "required": ["type", "uri"],
+      "properties": {
+        "type": { "type": "string" },
+        "uri": { "type": "string" },
+        "description": { "type": "string" },
+        "collectedAt": { "type": "string", "format": "date-time" },
+        "source": { "type": "string" },
+        "isAuthoritative": { "type": "boolean", "default": false }
+      }
+    },
+    "historyEntry": {
+      "type": "object",
+      "required": ["historyId", "timestamp", "actor", "changeType", "field", "reason"],
+      "properties": {
+        "historyId": { "type": "string" },
+        "timestamp": { "type": "string", "format": "date-time" },
+        "actor": { "type": "string" },
+        "changeType": { "type": "string", "enum": ["Created", "Amended", "Superseded", "Revoked", "EvidenceAdded", "AttestationSigned", "PolicyUpdated", "Recalculated"] },
+        "field": { "type": "string" },
+        "previousValue": { "type": "string" },
+        "newValue": { "type": "string" },
+        "reason": { "type": "string" },
+        "referenceUri": { "type": "string" },
+        "signature": { "type": "string" }
+      }
+    }
+  }
+}
diff --git a/src/Policy/StellaOps.Policy.Scoring/StellaOps.Policy.Scoring.csproj b/src/Policy/StellaOps.Policy.Scoring/StellaOps.Policy.Scoring.csproj
new file mode 100644
index 000000000..d51f46403
--- /dev/null
+++ b/src/Policy/StellaOps.Policy.Scoring/StellaOps.Policy.Scoring.csproj
@@ -0,0 +1,21 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <LangVersion>preview</LangVersion>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <Description>CVSS v4.0 scoring engine with deterministic receipt generation for StellaOps policy decisions.</Description>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="System.Text.Json" Version="10.0.0" />
+    <PackageReference Include="JsonSchema.Net" Version="5.3.0" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0-rc.2.25502.107" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <EmbeddedResource Include="Schemas\cvss-policy-schema@1.json" />
+    <EmbeddedResource Include="Schemas\cvss-receipt-schema@1.json" />
+  </ItemGroup>
+</Project>
diff --git a/src/Policy/__Tests/StellaOps.Policy.Scoring.Tests/CvssV4EngineTests.cs b/src/Policy/__Tests/StellaOps.Policy.Scoring.Tests/CvssV4EngineTests.cs
new file mode 100644
index 000000000..e988aef2d
--- /dev/null
+++ b/src/Policy/__Tests/StellaOps.Policy.Scoring.Tests/CvssV4EngineTests.cs
@@ -0,0 +1,498 @@
+using FluentAssertions;
+using StellaOps.Policy.Scoring;
+using StellaOps.Policy.Scoring.Engine;
+using Xunit;
+
+namespace StellaOps.Policy.Scoring.Tests;
+
+/// <summary>
+/// Unit tests for CvssV4Engine per FIRST CVSS v4.0 specification.
+/// </summary>
+public sealed class CvssV4EngineTests
+{
+    private readonly ICvssV4Engine _engine = new CvssV4Engine();
+
+    #region Base Score Tests
+
+    [Fact]
+    public void ComputeScores_MaximumSeverity_ReturnsScore10()
+    {
+        // Arrange - Highest severity: Network/Low/None/None/None/High across all impacts
+        var metrics = CreateHighestSeverityMetrics();
+
+        // Act
+        var scores = _engine.ComputeScores(metrics);
+
+        // Assert
+        scores.BaseScore.Should().Be(10.0);
+        scores.EffectiveScore.Should().Be(10.0);
+        scores.EffectiveScoreType.Should().Be(EffectiveScoreType.Base);
+    }
+
+    [Fact]
+    public void ComputeScores_MinimumSeverity_ReturnsLowScore()
+    {
+        // Arrange - Lowest severity: Physical/High/Present/High/Active/None across all impacts
+        var metrics = CreateLowestSeverityMetrics();
+
+        // Act
+        var scores = _engine.ComputeScores(metrics);
+
+        // Assert
+        scores.BaseScore.Should().BeLessThan(2.0);
+        scores.EffectiveScore.Should().BeLessThan(2.0);
+    }
+
+    [Fact]
+    public void ComputeScores_MediumSeverity_ReturnsScoreInRange()
+    {
+        // Arrange - Medium severity combination
+        var metrics = new CvssBaseMetrics
+        {
+            AttackVector = AttackVector.Adjacent,
+            AttackComplexity = AttackComplexity.Low,
+            AttackRequirements = AttackRequirements.None,
+            PrivilegesRequired = PrivilegesRequired.Low,
+            UserInteraction = UserInteraction.Passive,
+            VulnerableSystemConfidentiality = ImpactMetricValue.Low,
+            VulnerableSystemIntegrity = ImpactMetricValue.Low,
+            VulnerableSystemAvailability = ImpactMetricValue.None,
+            SubsequentSystemConfidentiality = ImpactMetricValue.None,
+            SubsequentSystemIntegrity = ImpactMetricValue.None,
+            SubsequentSystemAvailability = ImpactMetricValue.None
+        };
+
+        // Act
+        var scores = _engine.ComputeScores(metrics);
+
+        // Assert
+        scores.BaseScore.Should().BeInRange(4.0, 7.0);
+    }
+
+    #endregion
+
+    #region Threat Score Tests
+
+    [Fact]
+    public void ComputeScores_WithAttackedThreat_ReturnsThreatScore()
+    {
+        // Arrange
+        var baseMetrics = CreateHighestSeverityMetrics();
+        var threatMetrics = new CvssThreatMetrics { ExploitMaturity = ExploitMaturity.Attacked };
+
+        // Act
+        var scores = _engine.ComputeScores(baseMetrics, threatMetrics);
+
+        // Assert
+        scores.ThreatScore.Should().NotBeNull();
+        scores.ThreatScore!.Value.Should().Be(10.0); // Attacked = 1.0 multiplier
+        scores.EffectiveScoreType.Should().Be(EffectiveScoreType.Threat);
+    }
+
+    [Fact]
+    public void ComputeScores_WithProofOfConceptThreat_ReducesScore()
+    {
+        // Arrange
+        var baseMetrics = CreateHighestSeverityMetrics();
+        var threatMetrics = new CvssThreatMetrics { ExploitMaturity = ExploitMaturity.ProofOfConcept };
+
+        // Act
+        var scores = _engine.ComputeScores(baseMetrics, threatMetrics);
+
+        // Assert
+        scores.ThreatScore.Should().NotBeNull();
+        scores.ThreatScore!.Value.Should().BeLessThan(10.0); // PoC = 0.94 multiplier
+        scores.ThreatScore.Value.Should().BeGreaterThan(9.0);
+    }
+
+    [Fact]
+    public void ComputeScores_WithUnreportedThreat_ReducesScoreMore()
+    {
+        // Arrange
+        var baseMetrics = CreateHighestSeverityMetrics();
+        var threatMetrics = new CvssThreatMetrics { ExploitMaturity = ExploitMaturity.Unreported };
+
+        // Act
+        var scores = _engine.ComputeScores(baseMetrics, threatMetrics);
+
+        // Assert
+        scores.ThreatScore.Should().NotBeNull();
+        scores.ThreatScore!.Value.Should().BeLessThan(9.5); // Unreported = 0.91 multiplier
+    }
+
+    [Fact]
+    public void ComputeScores_WithNotDefinedThreat_ReturnsOnlyBaseScore()
+    {
+        // Arrange
+        var baseMetrics = CreateHighestSeverityMetrics();
+        var threatMetrics = new CvssThreatMetrics { ExploitMaturity = ExploitMaturity.NotDefined };
+
+        // Act
+        var scores = _engine.ComputeScores(baseMetrics, threatMetrics);
+
+        // Assert
+        scores.ThreatScore.Should().BeNull();
+        scores.EffectiveScoreType.Should().Be(EffectiveScoreType.Base);
+    }
+
+    #endregion
+
+    #region Environmental Score Tests
+
+    [Fact]
+    public void ComputeScores_WithHighSecurityRequirements_IncreasesScore()
+    {
+        // Arrange
+        var baseMetrics = CreateMediumSeverityMetrics();
+        var envMetrics = new CvssEnvironmentalMetrics
+        {
+            ConfidentialityRequirement = SecurityRequirement.High,
+            IntegrityRequirement = SecurityRequirement.High,
+            AvailabilityRequirement = SecurityRequirement.High
+        };
+
+        // Act
+        var scoresWithoutEnv = _engine.ComputeScores(baseMetrics);
+        var scoresWithEnv = _engine.ComputeScores(baseMetrics, environmentalMetrics: envMetrics);
+
+        // Assert
+        scoresWithEnv.EnvironmentalScore.Should().NotBeNull();
+        scoresWithEnv.EnvironmentalScore!.Value.Should().BeGreaterThan(scoresWithoutEnv.BaseScore);
+    }
+
+    [Fact]
+    public void ComputeScores_WithLowSecurityRequirements_DecreasesScore()
+    {
+        // Arrange
+        var baseMetrics = CreateMediumSeverityMetrics();
+        var envMetrics = new CvssEnvironmentalMetrics
+        {
+            ConfidentialityRequirement = SecurityRequirement.Low,
+            IntegrityRequirement = SecurityRequirement.Low,
+            AvailabilityRequirement = SecurityRequirement.Low
+        };
+
+        // Act
+        var scoresWithoutEnv = _engine.ComputeScores(baseMetrics);
+        var scoresWithEnv = _engine.ComputeScores(baseMetrics, environmentalMetrics: envMetrics);
+
+        // Assert
+        scoresWithEnv.EnvironmentalScore.Should().NotBeNull();
+        scoresWithEnv.EnvironmentalScore!.Value.Should().BeLessThan(scoresWithoutEnv.BaseScore);
+    }
+
+    [Fact]
+    public void ComputeScores_WithModifiedMetrics_AppliesModifications()
+    {
+        // Arrange - Start with network-based vuln, modify to local
+        var baseMetrics = CreateHighestSeverityMetrics();
+        var envMetrics = new CvssEnvironmentalMetrics
+        {
+            ModifiedAttackVector = ModifiedAttackVector.Local
+        };
+
+        // Act
+        var scoresWithoutEnv = _engine.ComputeScores(baseMetrics);
+        var scoresWithEnv = _engine.ComputeScores(baseMetrics, environmentalMetrics: envMetrics);
+
+        // Assert
+        scoresWithEnv.EnvironmentalScore.Should().NotBeNull();
+        scoresWithEnv.EnvironmentalScore!.Value.Should().BeLessThan(scoresWithoutEnv.BaseScore);
+    }
+
+    #endregion
+
+    #region Full Score Tests
+
+    [Fact]
+    public void ComputeScores_WithAllMetrics_ReturnsFullScore()
+    {
+        // Arrange
+        var baseMetrics = CreateHighestSeverityMetrics();
+        var threatMetrics = new CvssThreatMetrics { ExploitMaturity = ExploitMaturity.Attacked };
+        var envMetrics = new CvssEnvironmentalMetrics
+        {
+            ConfidentialityRequirement = SecurityRequirement.High
+        };
+
+        // Act
+        var scores = _engine.ComputeScores(baseMetrics, threatMetrics, envMetrics);
+
+        // Assert
+        scores.FullScore.Should().NotBeNull();
+        scores.EffectiveScoreType.Should().Be(EffectiveScoreType.Full);
+    }
+
+    #endregion
+
+    #region Vector String Tests
+
+    [Fact]
+    public void BuildVectorString_BaseOnly_ReturnsCorrectFormat()
+    {
+        // Arrange
+        var metrics = CreateHighestSeverityMetrics();
+
+        // Act
+        var vector = _engine.BuildVectorString(metrics);
+
+        // Assert
+        vector.Should().StartWith("CVSS:4.0/");
+        vector.Should().Contain("AV:N");
+        vector.Should().Contain("AC:L");
+        vector.Should().Contain("AT:N");
+        vector.Should().Contain("PR:N");
+        vector.Should().Contain("UI:N");
+        vector.Should().Contain("VC:H");
+        vector.Should().Contain("VI:H");
+        vector.Should().Contain("VA:H");
+        vector.Should().Contain("SC:H");
+        vector.Should().Contain("SI:H");
+        vector.Should().Contain("SA:H");
+    }
+
+    [Fact]
+    public void BuildVectorString_WithThreat_IncludesThreatMetric()
+    {
+        // Arrange
+        var baseMetrics = CreateHighestSeverityMetrics();
+        var threatMetrics = new CvssThreatMetrics { ExploitMaturity = ExploitMaturity.Attacked };
+
+        // Act
+        var vector = _engine.BuildVectorString(baseMetrics, threatMetrics);
+
+        // Assert
+        vector.Should().Contain("E:A");
+    }
+
+    [Fact]
+    public void ParseVector_ValidVector_ReturnsCorrectMetrics()
+    {
+        // Arrange
+        var vector = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H";
+
+        // Act
+        var result = _engine.ParseVector(vector);
+
+        // Assert
+        result.BaseMetrics.AttackVector.Should().Be(AttackVector.Network);
+        result.BaseMetrics.AttackComplexity.Should().Be(AttackComplexity.Low);
+        result.BaseMetrics.AttackRequirements.Should().Be(AttackRequirements.None);
+        result.BaseMetrics.PrivilegesRequired.Should().Be(PrivilegesRequired.None);
+        result.BaseMetrics.UserInteraction.Should().Be(UserInteraction.None);
+        result.BaseMetrics.VulnerableSystemConfidentiality.Should().Be(ImpactMetricValue.High);
+        result.BaseMetrics.VulnerableSystemIntegrity.Should().Be(ImpactMetricValue.High);
+        result.BaseMetrics.VulnerableSystemAvailability.Should().Be(ImpactMetricValue.High);
+        result.BaseMetrics.SubsequentSystemConfidentiality.Should().Be(ImpactMetricValue.High);
+        result.BaseMetrics.SubsequentSystemIntegrity.Should().Be(ImpactMetricValue.High);
+        result.BaseMetrics.SubsequentSystemAvailability.Should().Be(ImpactMetricValue.High);
+    }
+
+    [Fact]
+    public void ParseVector_WithThreat_ParsesThreatMetric()
+    {
+        // Arrange
+        var vector = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A";
+
+        // Act
+        var result = _engine.ParseVector(vector);
+
+        // Assert
+        result.ThreatMetrics.Should().NotBeNull();
+        result.ThreatMetrics!.ExploitMaturity.Should().Be(ExploitMaturity.Attacked);
+    }
+
+    [Fact]
+    public void ParseVector_InvalidPrefix_ThrowsArgumentException()
+    {
+        // Arrange
+        var vector = "CVSS:3.1/AV:N/AC:L";
+
+        // Act & Assert
+        FluentActions.Invoking(() => _engine.ParseVector(vector))
+            .Should().Throw<ArgumentException>();
+    }
+
+    [Fact]
+    public void ParseVector_MissingMetric_ThrowsArgumentException()
+    {
+        // Arrange - Missing AV metric
+        var vector = "CVSS:4.0/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H";
+
+        // Act & Assert
+        FluentActions.Invoking(() => _engine.ParseVector(vector))
+            .Should().Throw<ArgumentException>();
+    }
+
+    #endregion
+
+    #region Severity Tests
+
+    [Theory]
+    [InlineData(0.0, CvssSeverity.None)]
+    [InlineData(0.1, CvssSeverity.Low)]
+    [InlineData(3.9, CvssSeverity.Low)]
+    [InlineData(4.0, CvssSeverity.Medium)]
+    [InlineData(6.9, CvssSeverity.Medium)]
+    [InlineData(7.0, CvssSeverity.High)]
+    [InlineData(8.9, CvssSeverity.High)]
+    [InlineData(9.0, CvssSeverity.Critical)]
+    [InlineData(10.0, CvssSeverity.Critical)]
+    public void GetSeverity_DefaultThresholds_ReturnsCorrectSeverity(double score, CvssSeverity expected)
+    {
+        // Act
+        var severity = _engine.GetSeverity(score);
+
+        // Assert
+        severity.Should().Be(expected);
+    }
+
+    [Fact]
+    public void GetSeverity_CustomThresholds_UsesCustomValues()
+    {
+        // Arrange
+        var thresholds = new CvssSeverityThresholds
+        {
+            LowMin = 0.1,
+            MediumMin = 5.0,  // Higher than default 4.0
+            HighMin = 8.0,    // Higher than default 7.0
+            CriticalMin = 9.5 // Higher than default 9.0
+        };
+
+        // Act & Assert
+        _engine.GetSeverity(4.5, thresholds).Should().Be(CvssSeverity.Low);
+        _engine.GetSeverity(7.5, thresholds).Should().Be(CvssSeverity.Medium);
+        _engine.GetSeverity(9.0, thresholds).Should().Be(CvssSeverity.High);
+        _engine.GetSeverity(9.5, thresholds).Should().Be(CvssSeverity.Critical);
+    }
+
+    #endregion
+
+    #region Determinism Tests
+
+    [Fact]
+    public void ComputeScores_SameInput_ReturnsSameOutput()
+    {
+        // Arrange
+        var metrics = CreateHighestSeverityMetrics();
+
+        // Act
+        var scores1 = _engine.ComputeScores(metrics);
+        var scores2 = _engine.ComputeScores(metrics);
+        var scores3 = _engine.ComputeScores(metrics);
+
+        // Assert
+        scores1.BaseScore.Should().Be(scores2.BaseScore);
+        scores2.BaseScore.Should().Be(scores3.BaseScore);
+        scores1.EffectiveScore.Should().Be(scores3.EffectiveScore);
+    }
+
+    [Fact]
+    public void BuildVectorString_SameInput_ReturnsSameOutput()
+    {
+        // Arrange
+        var metrics = CreateHighestSeverityMetrics();
+
+        // Act
+        var vector1 = _engine.BuildVectorString(metrics);
+        var vector2 = _engine.BuildVectorString(metrics);
+
+        // Assert
+        vector1.Should().Be(vector2);
+    }
+
+    [Fact]
+    public void Roundtrip_BuildAndParse_PreservesMetrics()
+    {
+        // Arrange
+        var originalMetrics = CreateHighestSeverityMetrics();
+
+        // Act
+        var vector = _engine.BuildVectorString(originalMetrics);
+        var parsed = _engine.ParseVector(vector);
+
+        // Assert
+        parsed.BaseMetrics.AttackVector.Should().Be(originalMetrics.AttackVector);
+        parsed.BaseMetrics.AttackComplexity.Should().Be(originalMetrics.AttackComplexity);
+        parsed.BaseMetrics.AttackRequirements.Should().Be(originalMetrics.AttackRequirements);
+        parsed.BaseMetrics.PrivilegesRequired.Should().Be(originalMetrics.PrivilegesRequired);
+        parsed.BaseMetrics.UserInteraction.Should().Be(originalMetrics.UserInteraction);
+        parsed.BaseMetrics.VulnerableSystemConfidentiality.Should().Be(originalMetrics.VulnerableSystemConfidentiality);
+        parsed.BaseMetrics.VulnerableSystemIntegrity.Should().Be(originalMetrics.VulnerableSystemIntegrity);
+        parsed.BaseMetrics.VulnerableSystemAvailability.Should().Be(originalMetrics.VulnerableSystemAvailability);
+    }
+
+    #endregion
+
+    #region FIRST Sample Vector Tests
+
+    /// <summary>
+    /// Tests using sample vectors from FIRST CVSS v4.0 examples.
+    /// </summary>
+    [Theory]
+    [InlineData("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", 10.0)]
+    [InlineData("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", 9.4)]
+    [InlineData("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", 6.8)]
+    public void ComputeScores_FirstSampleVectors_ReturnsExpectedScore(string vector, double expectedScore)
+    {
+        // Arrange
+        var metricSet = _engine.ParseVector(vector);
+
+        // Act
+        var scores = _engine.ComputeScores(metricSet.BaseMetrics);
+
+        // Assert - Allow small tolerance for rounding differences
+        scores.BaseScore.Should().BeApproximately(expectedScore, 0.5);
+    }
+
+    #endregion
+
+    #region Helper Methods
+
+    private static CvssBaseMetrics CreateHighestSeverityMetrics() => new()
+    {
+        AttackVector = AttackVector.Network,
+        AttackComplexity = AttackComplexity.Low,
+        AttackRequirements = AttackRequirements.None,
+        PrivilegesRequired = PrivilegesRequired.None,
+        UserInteraction = UserInteraction.None,
+        VulnerableSystemConfidentiality = ImpactMetricValue.High,
+        VulnerableSystemIntegrity = ImpactMetricValue.High,
+        VulnerableSystemAvailability = ImpactMetricValue.High,
+        SubsequentSystemConfidentiality = ImpactMetricValue.High,
+        SubsequentSystemIntegrity = ImpactMetricValue.High,
+        SubsequentSystemAvailability = ImpactMetricValue.High
+    };
+
+    private static CvssBaseMetrics CreateLowestSeverityMetrics() => new()
+    {
+        AttackVector = AttackVector.Physical,
+        AttackComplexity = AttackComplexity.High,
+        AttackRequirements = AttackRequirements.Present,
+        PrivilegesRequired = PrivilegesRequired.High,
+        UserInteraction = UserInteraction.Active,
+        VulnerableSystemConfidentiality = ImpactMetricValue.None,
+        VulnerableSystemIntegrity = ImpactMetricValue.None,
+        VulnerableSystemAvailability = ImpactMetricValue.None,
+        SubsequentSystemConfidentiality = ImpactMetricValue.None,
+        SubsequentSystemIntegrity = ImpactMetricValue.None,
+        SubsequentSystemAvailability = ImpactMetricValue.None
+    };
+
+    private static CvssBaseMetrics CreateMediumSeverityMetrics() => new()
+    {
+        AttackVector = AttackVector.Network,
+        AttackComplexity = AttackComplexity.Low,
+        AttackRequirements = AttackRequirements.None,
+        PrivilegesRequired = PrivilegesRequired.Low,
+        UserInteraction = UserInteraction.None,
+        VulnerableSystemConfidentiality = ImpactMetricValue.Low,
+        VulnerableSystemIntegrity = ImpactMetricValue.Low,
+        VulnerableSystemAvailability = ImpactMetricValue.None,
+        SubsequentSystemConfidentiality = ImpactMetricValue.None,
+        SubsequentSystemIntegrity = ImpactMetricValue.None,
+        SubsequentSystemAvailability = ImpactMetricValue.None
+    };
+
+    #endregion
+}
diff --git a/src/Policy/__Tests/StellaOps.Policy.Scoring.Tests/StellaOps.Policy.Scoring.Tests.csproj b/src/Policy/__Tests/StellaOps.Policy.Scoring.Tests/StellaOps.Policy.Scoring.Tests.csproj
new file mode 100644
index 000000000..bab25eacc
--- /dev/null
+++ b/src/Policy/__Tests/StellaOps.Policy.Scoring.Tests/StellaOps.Policy.Scoring.Tests.csproj
@@ -0,0 +1,29 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <LangVersion>preview</LangVersion>
+    <IsPackable>false</IsPackable>
+    <IsTestProject>true</IsTestProject>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
+    <PackageReference Include="xunit" Version="2.6.2" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.4">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="coverlet.collector" Version="6.0.0">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="Moq" Version="4.20.70" />
+    <PackageReference Include="FluentAssertions" Version="6.12.0" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../../StellaOps.Policy.Scoring/StellaOps.Policy.Scoring.csproj" />
+  </ItemGroup>
+</Project>